Skip to content

/ mobile

Permalink
Browse files

8227758: More valid PKIX processing 

Reviewed-by: xuelei, rhalade, coffeys, mschoene
  • Loading branch information
Sean Mullan committed Aug 26, 2019
1 parent 1236be7 commit 6cb8dfa9e303849ff45fb9bb1f4c60a8c2628784
41 src/java.base/share/classes/sun/security/validator/PKIXValidator.java
View file
@@ -195,6 +195,7 @@ public PKIXBuilderParameters getParameters() { // mutable, should be private
("null or zero-length certificate chain");
}


// Use PKIXExtendedParameters for timestamp and variant additions
PKIXBuilderParameters pkixParameters = null;
try {
@@ -224,28 +225,30 @@ public PKIXBuilderParameters getParameters() { // mutable, should be private
for (int i = 0; i < chain.length; i++) {
X509Certificate cert = chain[i];
X500Principal dn = cert.getSubjectX500Principal();
if (i != 0 && !dn.equals(prevIssuer)) {
// chain is not ordered correctly, call builder instead
return doBuild(chain, otherCerts, pkixParameters);
}

// Check if chain[i] is already trusted. It may be inside
// trustedCerts, or has the same dn and public key as a cert
// inside trustedCerts. The latter happens when a CA has
// updated its cert with a stronger signature algorithm in JRE
// but the weak one is still in circulation.

if (trustedCerts.contains(cert) || // trusted cert
(trustedSubjects.containsKey(dn) && // replacing ...
trustedSubjects.get(dn).contains( // ... weak cert
cert.getPublicKey()))) {
if (i == 0) {
if (i == 0) {
if (trustedCerts.contains(cert)) {
return new X509Certificate[] {chain[0]};
}
// Remove and call validator on partial chain [0 .. i-1]
X509Certificate[] newChain = new X509Certificate[i];
System.arraycopy(chain, 0, newChain, 0, i);
return doValidate(newChain, pkixParameters);
} else {
if (!dn.equals(prevIssuer)) {
// chain is not ordered correctly, call builder instead
return doBuild(chain, otherCerts, pkixParameters);
}
// Check if chain[i] is already trusted. It may be inside
// trustedCerts, or has the same dn and public key as a cert
// inside trustedCerts. The latter happens when a CA has
// updated its cert with a stronger signature algorithm in JRE
// but the weak one is still in circulation.
if (trustedCerts.contains(cert) || // trusted cert
(trustedSubjects.containsKey(dn) && // replacing ...
trustedSubjects.get(dn).contains( // ... weak cert
cert.getPublicKey()))) {
// Remove and call validator on partial chain [0 .. i-1]
X509Certificate[] newChain = new X509Certificate[i];
System.arraycopy(chain, 0, newChain, 0, i);
return doValidate(newChain, pkixParameters);
}
}
prevIssuer = cert.getIssuerX500Principal();
}
12 test/jdk/sun/security/tools/jarsigner/ConciseJarsigner.java
View file
@@ -23,7 +23,7 @@

/*
* @test
* @bug 6802846 8172529
* @bug 6802846 8172529 8227758
* @summary jarsigner needs enhanced cert validation(options)
* @library /test/lib
* @run main/timeout=240 ConciseJarsigner
@@ -227,17 +227,11 @@ public static void main(String[] args) throws Exception {
+ "a.jar altchain")
.shouldHaveExitValue(0);

// if ca2 is removed, -certchain still work because altchain is a
// self-signed entry and it is trusted by jarsigner
// if ca2 is removed and cert is imported, -certchain won't work
// because this certificate entry is not trusted
// save ca2.cert for easy replay
kt("-exportcert -file ca2.cert -alias ca2");
kt("-delete -alias ca2");
js("-strict -keystore ks -storepass changeit "
+ "-certchain certchain a.jar altchain")
.shouldHaveExitValue(0);

// if cert is imported, -certchain won't work because this
// certificate entry is not trusted
kt("-importcert -file certchain -alias altchain -noprompt");
js("-strict -keystore ks -storepass changeit "
+ "-certchain certchain a.jar altchain")

0 comments on commit 6cb8dfa

Please sign in to comment.