6899503: Security code issue using Verisign root certificate

Add support for reordering out-of-order certificate chains Reviewed-by: vinnie, xuelei
2009-11-23 12:36:54 -05:00 · 2009-11-23 12:36:54 -05:00 · 3932bb1884
commit 3932bb1884
parent 4da1e67db3
1 changed files with 11 additions and 3 deletions
--- a/jdk/src/share/classes/sun/security/validator/PKIXValidator.java
+++ b/jdk/src/share/classes/sun/security/validator/PKIXValidator.java
@ -150,9 +150,17 @@ public final class PKIXValidator extends Validator {
                ("null or zero-length certificate chain");
        }
        if (TRY_VALIDATOR) {
-            // check if chain contains trust anchor
+            // check that chain is in correct order and check if chain contains
+            // trust anchor
+            X500Principal prevIssuer = null;
            for (int i = 0; i < chain.length; i++) {
-                if (trustedCerts.contains(chain[i])) {
+                X509Certificate cert = chain[i];
+                if (i != 0 &&
+                    !cert.getSubjectX500Principal().equals(prevIssuer)) {
+                    // chain is not ordered correctly, call builder instead
+                    return doBuild(chain, otherCerts);
+                }
+                if (trustedCerts.contains(cert)) {
                    if (i == 0) {
                        return new X509Certificate[] {chain[0]};
                    }
@ -161,6 +169,7 @@ public final class PKIXValidator extends Validator {
                    System.arraycopy(chain, 0, newChain, 0, i);
                    return doValidate(newChain);
                }
+                prevIssuer = cert.getIssuerX500Principal();
            }

            // apparently issued by trust anchor?
@ -303,5 +312,4 @@ public final class PKIXValidator extends Validator {
                ("PKIX path building failed: " + e.toString(), e);
        }
    }
-
 }