From d109f68ebd657de9ad523d6d8e634e49963c67fb Mon Sep 17 00:00:00 2001
From: Xue-Lei Andrew Fan
Date: Wed, 27 Jul 2016 02:23:16 +0000
Subject: [PATCH] 8151465: SSLSession may not return a valid chain
Reviewed-by: mullan, ahgross
---
 .../share/classes/com/sun/net/ssl/HttpsURLConnection.java | 4 ++++
 .../classes/javax/net/ssl/HandshakeCompletedEvent.java | 8 +++++++-
 .../share/classes/javax/net/ssl/HttpsURLConnection.java | 5 ++++-
 .../java.base/share/classes/javax/net/ssl/SSLSession.java | 8 +++++++-
 4 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/jdk/src/java.base/share/classes/com/sun/net/ssl/HttpsURLConnection.java b/jdk/src/java.base/share/classes/com/sun/net/ssl/HttpsURLConnection.java
index d376fc395fe..895b17ac578 100644
--- a/jdk/src/java.base/share/classes/com/sun/net/ssl/HttpsURLConnection.java
+++ b/jdk/src/java.base/share/classes/com/sun/net/ssl/HttpsURLConnection.java
@@ -69,6 +69,10 @@ class HttpsURLConnection extends HttpURLConnection
 /**
 * Returns the server's X.509 certificate chain, or null if
 * the server did not authenticate.
+ *

+ * Note: The returned value may not be a valid certificate chain
+ * and should not be relied on for trust decisions.
+ *
 * @return the server certificate chain
 */
 public abstract Certificate[] getServerCertificates()
diff --git a/jdk/src/java.base/share/classes/javax/net/ssl/HandshakeCompletedEvent.java b/jdk/src/java.base/share/classes/javax/net/ssl/HandshakeCompletedEvent.java
index 1317f0021f4..67e8d7548a7 100644
--- a/jdk/src/java.base/share/classes/javax/net/ssl/HandshakeCompletedEvent.java
+++ b/jdk/src/java.base/share/classes/javax/net/ssl/HandshakeCompletedEvent.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -120,6 +120,9 @@ public class HandshakeCompletedEvent extends EventObject
 * Note: This method can be used only when using certificate-based
 * cipher suites; using it with non-certificate-based cipher suites,
 * such as Kerberos, will throw an SSLPeerUnverifiedException.
+ *
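Review bot: The note added to getServerCertificates() warns that the returned array "may not be a valid certificate chain" but gives the reader neither a reason nor an alternative, so a caller who needs a trust decision is left without guidance. I would follow it with one more Javadoc sentence, for example `* Applications that make trust decisions should validate the certificates themselves, for example with a {@code CertPathValidator} against their own trust anchors.` The same note is repeated verbatim in the HandshakeCompletedEvent, javax.net.ssl.HttpsURLConnection and SSLSession hunks and would benefit from the same addition. Presumably the array reflects what the peer sent rather than the path the trust manager validated; if that is the case, stating it would stop readers from assuming a particular ordering or treating the last element as a trust anchor.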

+ * Note: The returned value may not be a valid certificate chain
+ * and should not be relied on for trust decisions.
 *
 * @return an ordered array of the peer certificates,
 * with the peer's own certificate first followed by
@@ -140,6 +143,9 @@ public class HandshakeCompletedEvent extends EventObject
 * Note: This method can be used only when using certificate-based
 * cipher suites; using it with non-certificate-based cipher suites,
 * such as Kerberos, will throw an SSLPeerUnverifiedException.
+ *

+ * Note: The returned value may not be a valid certificate chain
+ * and should not be relied on for trust decisions.
 *
 *

Note: this method exists for compatibility with previous
 * releases. New applications should use
diff --git a/jdk/src/java.base/share/classes/javax/net/ssl/HttpsURLConnection.java b/jdk/src/java.base/share/classes/javax/net/ssl/HttpsURLConnection.java
index 7c775321640..7d93ef274c6 100644
--- a/jdk/src/java.base/share/classes/javax/net/ssl/HttpsURLConnection.java
+++ b/jdk/src/java.base/share/classes/javax/net/ssl/HttpsURLConnection.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -104,6 +104,9 @@ class HttpsURLConnection extends HttpURLConnection
 * Note: This method can be used only when using certificate-based
 * cipher suites; using it with non-certificate-based cipher suites,
 * such as Kerberos, will throw an SSLPeerUnverifiedException.
+ *

+ * Note: The returned value may not be a valid certificate chain
+ * and should not be relied on for trust decisions.
 *
 * @return an ordered array of server certificates,
 * with the peer's own certificate first followed by
diff --git a/jdk/src/java.base/share/classes/javax/net/ssl/SSLSession.java b/jdk/src/java.base/share/classes/javax/net/ssl/SSLSession.java
index 2a04e159728..a355d187889 100644
--- a/jdk/src/java.base/share/classes/javax/net/ssl/SSLSession.java
+++ b/jdk/src/java.base/share/classes/javax/net/ssl/SSLSession.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -219,6 +219,9 @@ public interface SSLSession {
 * Note: This method can be used only when using certificate-based
 * cipher suites; using it with non-certificate-based cipher suites,
 * such as Kerberos, will throw an SSLPeerUnverifiedException.
+ *

+ * Note: The returned value may not be a valid certificate chain
+ * and should not be relied on for trust decisions.
 *
 * @return an ordered array of peer certificates,
 * with the peer's own certificate first followed by any
@@ -259,6 +262,9 @@ public interface SSLSession {
 * Note: This method can be used only when using certificate-based
 * cipher suites; using it with non-certificate-based cipher suites,
 * such as Kerberos, will throw an SSLPeerUnverifiedException.
+ *

+ * Note: The returned value may not be a valid certificate chain
+ * and should not be relied on for trust decisions.
 *
 *

Note: this method exists for compatibility with previous
 * releases. New applications should use