
src/share/classes/sun/security/validator/EndEntityChecker.java

rev 13446 : 8207258: Distrust TLS server certificates anchored by Symantec Root CAs

*** 1,7 ****
/*
! * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
--- 1,7 ----
/*
! * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
*** 131,141 **** static EndEntityChecker getInstance(String type, String variant) { return new EndEntityChecker(type, variant); } void check(X509Certificate cert, Object parameter, ! boolean checkUnresolvedCritExts) throws CertificateException { if (variant.equals(Validator.VAR_GENERIC)) { return; // no checks } Set<String> exts = getCriticalExtensions(cert); --- 131,142 ---- static EndEntityChecker getInstance(String type, String variant) { return new EndEntityChecker(type, variant); } void check(X509Certificate cert, Object parameter, ! boolean checkUnresolvedCritExts, X509Certificate anchor) ! throws CertificateException { if (variant.equals(Validator.VAR_GENERIC)) { return; // no checks } Set<String> exts = getCriticalExtensions(cert);
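Review bot: The new `anchor` parameter of `check` is undocumented in this hunk, and no Javadoc is visible here telling callers what they must pass. Because the distrust decision added later in the method depends on it, the contract should be written down, for example `@param anchor the trust anchor that terminates the validated chain; consulted only by the CA distrust policies`. Passing any certificate other than the anchor the path was actually built to would presumably let a chain slip past the policy, so that requirement belongs in the comment too. The method body continues outside this hunk, and the call sites that must supply the new argument are not shown on this page.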
*** 157,166 **** --- 158,173 ---- // if neither VAR_GENERIC variant nor unknown variant if (checkUnresolvedCritExts) { checkRemainingExtensions(exts); } + + // check if certificate should be distrusted according to policies + // set in the jdk.security.caDistrustPolicies security property + for (CADistrustPolicy policy : CADistrustPolicy.POLICIES) { + policy.checkDistrust(variant, anchor, cert); + } } /** * Utility method returning the Set of critical extensions for * certificate cert (never null).
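Review bot: `anchor` is handed to every policy in the added loop with no null check in view, so the behaviour when a caller has no anchor to pass depends entirely on `checkDistrust`, which this page does not show. If a null anchor can reach this point, the check should fail closed with a `CertificateException` instead of surfacing as a `NullPointerException` or being skipped; a guard before the loop such as `if (anchor == null) throw new CertificateException("no trust anchor for distrust check");` makes that explicit, provided no existing caller legitimately passes null. The loop also sits after the `VAR_GENERIC` early return shown in the previous hunk, so the policies are never consulted for that variant. The added comment could say so: `// not reached for VAR_GENERIC, which returns before any check`.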