src/share/classes/sun/security/validator/PKIXValidator.java





 191         if ((chain == null) || (chain.length == 0)) {
 192             throw new CertificateException
 193                 ("null or zero-length certificate chain");
 194         }
 195 
 196         // add  new algorithm constraints checker
 197         PKIXBuilderParameters pkixParameters =
 198                     (PKIXBuilderParameters) parameterTemplate.clone();
 199         AlgorithmChecker algorithmChecker = null;
 200         if (constraints != null) {
 201             algorithmChecker = new AlgorithmChecker(constraints);
 202             pkixParameters.addCertPathChecker(algorithmChecker);
 203         }
 204 
 205             // check that chain is in correct order and check if chain contains
 206             // trust anchor
 207             X500Principal prevIssuer = null;
 208             for (int i = 0; i < chain.length; i++) {
 209                 X509Certificate cert = chain[i];
 210                 X500Principal dn = cert.getSubjectX500Principal();
 211                 if (i != 0 &&
 212                     !dn.equals(prevIssuer)) {
 213                     // chain is not ordered correctly, call builder instead
 214                     return doBuild(chain, otherCerts, pkixParameters);
 215                 }
 216 
 217                 // Check if chain[i] is already trusted. It may be inside
 218                 // trustedCerts, or has the same dn and public key as a cert
 219                 // inside trustedCerts. The latter happens when a CA has
 220                 // updated its cert with a stronger signature algorithm in JRE
 221                 // but the weak one is still in circulation.
 222 
 223                 if (trustedCerts.contains(cert) ||          // trusted cert
 224                         (trustedSubjects.containsKey(dn) && // replacing ...
 225                          trustedSubjects.get(dn).contains(  // ... weak cert
 226                             cert.getPublicKey()))) {
 227                     if (i == 0) {
 228                         return new X509Certificate[] {chain[0]};
 229                     }
 230                     // Remove and call validator on partial chain [0 .. i-1]
 231                     X509Certificate[] newChain = new X509Certificate[i];
 232                     System.arraycopy(chain, 0, newChain, 0, i);




 191         if ((chain == null) || (chain.length == 0)) {
 192             throw new CertificateException
 193                 ("null or zero-length certificate chain");
 194         }
 195 
 196         // add  new algorithm constraints checker
 197         PKIXBuilderParameters pkixParameters =
 198                     (PKIXBuilderParameters) parameterTemplate.clone();
 199         AlgorithmChecker algorithmChecker = null;
 200         if (constraints != null) {
 201             algorithmChecker = new AlgorithmChecker(constraints);
 202             pkixParameters.addCertPathChecker(algorithmChecker);
 203         }
 204 
 205         // check that chain is in correct order and check if chain contains
 206         // trust anchor
 207         X500Principal prevIssuer = null;
 208         for (int i = 0; i < chain.length; i++) {
 209             X509Certificate cert = chain[i];
 210             X500Principal dn = cert.getSubjectX500Principal();
 211             if (i != 0 && !dn.equals(prevIssuer)) {

 212                 // chain is not ordered correctly, call builder instead
 213                 return doBuild(chain, otherCerts, pkixParameters);
 214             }
 215 
 216             // Check if chain[i] is already trusted. It may be inside
 217             // trustedCerts, or has the same dn and public key as a cert
 218             // inside trustedCerts. The latter happens when a CA has
 219             // updated its cert with a stronger signature algorithm in JRE
 220             // but the weak one is still in circulation.
 221 
 222             if (trustedCerts.contains(cert) ||          // trusted cert
 223                     (trustedSubjects.containsKey(dn) && // replacing ...
 224                      trustedSubjects.get(dn).contains(  // ... weak cert
 225                         cert.getPublicKey()))) {
 226                 if (i == 0) {
 227                     return new X509Certificate[] {chain[0]};
 228                 }
 229                 // Remove and call validator on partial chain [0 .. i-1]
 230                 X509Certificate[] newChain = new X509Certificate[i];
 231                 System.arraycopy(chain, 0, newChain, 0, i);