src/share/classes/sun/security/validator/PKIXValidator.java

rev 353 : 6948803: CertPath validation regression caused by SHA1 replacement root and MD2 disable feature
Reviewed-by: xuelei, mullan

@@ -150,11 +150,14 @@
                 ("null or zero-length certificate chain");
         }
         if (TRY_VALIDATOR) {
             // check if chain contains trust anchor
             for (int i = 0; i < chain.length; i++) {
-                if (trustedCerts.contains(chain[i])) {
+                X500Principal dn = chain[i].getSubjectX500Principal();
+                if (trustedSubjects.containsKey(dn)
+                        && trustedSubjects.get(dn).getPublicKey()
+                            .equals(chain[i].getPublicKey())) {
                     if (i == 0) {
                         return new X509Certificate[] {chain[0]};
                     }
                     // Remove and call validator
                     X509Certificate[] newChain = new X509Certificate[i];
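Review bot: The anchor test `trustedSubjects.containsKey(dn) && trustedSubjects.get(dn).getPublicKey().equals(chain[i].getPublicKey())` accepts any chain certificate that shares a subject DN and public key with a trusted one, so in the `i == 0` branch the certificate returned is the copy supplied in the chain rather than the stored anchor, and in the visible lines its validity dates and extensions are not compared with the trusted copy. That looks intentional given the replacement-root case named in the commit title, but it should be stated in a comment above the test, e.g. `// match on subject + public key, not certificate equality: a re-issued root with the same key must still be recognised as the anchor`. `trustedSubjects` is declared outside the hunk; if it keeps a single certificate per DN, two trusted roots with the same subject but different keys would leave only one of them matchable here, which is worth confirming where the map is built. The double lookup can also be folded into one: `X509Certificate anchor = trustedSubjects.get(dn);` followed by `if (anchor != null && anchor.getPublicKey().equals(chain[i].getPublicKey())) {`. The enclosing method starts before and continues after this hunk.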