Merge

f2316894 · mullan · afbd4917 · d0119e91 · f2316894
显示空白变更内容
内联并排

Showing with 11 addition and 3 deletion

src/share/classes/sun/security/validator/PKIXValidator.java src/share/classes/sun/security/validator/PKIXValidator.java +11 -3

未找到文件。
--- a/src/share/classes/sun/security/validator/PKIXValidator.java
+++ b/src/share/classes/sun/security/validator/PKIXValidator.java
@@ -150,9 +150,17 @@ public final class PKIXValidator extends Validator {
                ("null or zero-length certificate chain");
        }
        if (TRY_VALIDATOR) {
-            // check if chain contains trust anchor
+            // check that chain is in correct order and check if chain contains
+            // trust anchor
+            X500Principal prevIssuer = null;
            for (int i = 0; i < chain.length; i++) {
-                if (trustedCerts.contains(chain[i])) {
+                X509Certificate cert = chain[i];
+                if (i != 0 &&
+                    !cert.getSubjectX500Principal().equals(prevIssuer)) {
+                    // chain is not ordered correctly, call builder instead
+                    return doBuild(chain, otherCerts);
+                }
+                if (trustedCerts.contains(cert)) {
                    if (i == 0) {
                        return new X509Certificate[] {chain[0]};
                    }
@@ -161,6 +169,7 @@ public final class PKIXValidator extends Validator {
                    System.arraycopy(chain, 0, newChain, 0, i);
                    return doValidate(newChain);
                }
+                prevIssuer = cert.getIssuerX500Principal();
            }
            // apparently issued by trust anchor?
@@ -303,5 +312,4 @@ public final class PKIXValidator extends Validator {
                ("PKIX path building failed: " + e.toString(), e);
        }
    }
 }