7025073: Stricter check on trust anchor makes VerifyCACerts.java test fail

Summary: loosen the check for version 1 and 2 X.509 certificate Reviewed-by: mullan, weijun

7025073: Stricter check on trust anchor makes VerifyCACerts.java test fail
Summary: loosen the check for version 1 and 2 X.509 certificate Reviewed-by: mullan, weijun
ec9ff2a5 · xuelei · b7c0645f · ec9ff2a5 · ec9ff2a5
2 changed file
--- a/src/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java
+++ b/src/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java
@@ -46,10 +46,16 @@ import sun.security.x509.AuthorityKeyIdentifierExtension;
 */
 class AdaptableX509CertSelector extends X509CertSelector {
    // The start date of a validity period.
-    private Date startDate = null;
+    private Date startDate;
    // The end date of a validity period.
-    private Date endDate = null;
+    private Date endDate;
+    // Is subject key identifier sensitive?
+    private boolean isSKIDSensitive = false;
+    // Is serial number sensitive?
+    private boolean isSNSensitive = false;
    AdaptableX509CertSelector() {
        super();
@@ -97,15 +103,24 @@ class AdaptableX509CertSelector extends X509CertSelector {
        if (akidext != null) {
            KeyIdentifier akid = (KeyIdentifier)akidext.get(akidext.KEY_ID);
            if (akid != null) {
+                // Do not override the previous setting
+                if (getSubjectKeyIdentifier() == null) {
                    DerOutputStream derout = new DerOutputStream();
                    derout.putOctetString(akid.getIdentifier());
                    super.setSubjectKeyIdentifier(derout.toByteArray());
+                    isSKIDSensitive = true;
+                }
            }
            SerialNumber asn =
                (SerialNumber)akidext.get(akidext.SERIAL_NUMBER);
            if (asn != null) {
+                // Do not override the previous setting
+                if (getSerialNumber() == null) {
                    super.setSerialNumber(asn.getNumber());
+                    isSNSensitive = true;
+                }
            }
            // the subject criterion should be set by the caller.
@@ -148,11 +163,25 @@ class AdaptableX509CertSelector extends X509CertSelector {
            }
        }
-        if (version < 3 || xcert.getExtensionValue("2.5.29.14") == null) {
        // If no SubjectKeyIdentifier extension, don't bother to check it.
+        if (isSKIDSensitive &&
+            (version < 3 || xcert.getExtensionValue("2.5.29.14") == null)) {
            setSubjectKeyIdentifier(null);
        }
+        // In practice, a CA may replace its root certificate and require that
+        // the existing certificate is still valid, even if the AKID extension
+        // does not match the replacement root certificate fields.
+        //
+        // Conservatively, we only support the replacement for version 1 and
+        // version 2 certificate. As for version 2, the certificate extension
+        // may contain sensitive information (for example, policies), the
+        // AKID need to be respected to seek the exact certificate in case
+        // of key or certificate abuse.
+        if (isSNSensitive && version < 3) {
+            setSerialNumber(null);
+        }
        return super.match(cert);
    }

--- a/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
+++ b/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
@@ -243,12 +243,6 @@ class ForwardBuilder extends Builder {
                    caTargetSelector.setPolicy(getMatchingPolicies());
            }
-            /*
-             * Require CA certs with a pathLenConstraint that allows
-             * at least as many CA certs that have already been traversed
-             */
-            caTargetSelector.setBasicConstraints(currentState.traversedCACerts);
            sel = caTargetSelector;
        } else {
@@ -282,12 +276,6 @@ class ForwardBuilder extends Builder {
            CertPathHelper.setPathToNames
                (caSelector, currentState.subjectNamesTraversed);
-            /*
-             * Require CA certs with a pathLenConstraint that allows
-             * at least as many CA certs that have already been traversed
-             */
-            caSelector.setBasicConstraints(currentState.traversedCACerts);
            /*
             * Facilitate certification path construction with authority
             * key identifier and subject key identifier.
@@ -305,6 +293,14 @@ class ForwardBuilder extends Builder {
            sel = caSelector;
        }
+        /*
+         * For compatibility, conservatively, we don't check the path
+         * length constraint of trusted anchors.  Please don't set the
+         * basic constraints criterion unless the trusted certificate
+         * matching is completed.
+         */
+        sel.setBasicConstraints(-1);
        for (X509Certificate trustedCert : trustedCerts) {
            if (sel.match(trustedCert)) {
                if (debug != null) {
@@ -323,6 +319,12 @@ class ForwardBuilder extends Builder {
         */
        sel.setCertificateValid(date);
+        /*
+         * Require CA certs with a pathLenConstraint that allows
+         * at least as many CA certs that have already been traversed
+         */
+        sel.setBasicConstraints(currentState.traversedCACerts);
        /*
         * If we have already traversed as many CA certs as the maxPathLength
         * will allow us to, then we don't bother looking through these