src/java.base/share/classes/sun/security/validator/Validator.java


        

@@ -1,7 +1,7 @@
 /*
- * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License version 2 only, as
  * published by the Free Software Foundation.  Oracle designates this

@@ -142,20 +142,22 @@
      * @see #getInstance
      */
     public final static String VAR_PLUGIN_CODE_SIGNING = "plugin code signing";
 
     final EndEntityChecker endEntityChecker;
+    final String type;
     final String variant;
 
     /**
      * @deprecated
      * @see #setValidationDate
      */
     @Deprecated
     volatile Date validationDate;
 
     Validator(String type, String variant) {
+        this.type = type;
         this.variant = variant;
         endEntityChecker = EndEntityChecker.getInstance(type, variant);
     }
 
     /**

@@ -259,11 +261,19 @@
                 Object parameter) throws CertificateException {
         chain = engineValidate(chain, otherCerts, constraints, parameter);
 
         // omit EE extension check if EE cert is also trust anchor
         if (chain.length > 1) {
-            endEntityChecker.check(chain[0], parameter);
+            // Only have EndEntityChecker check extra extensions when
+            // validating with a TYPE_SIMPLE Validator, which only checks
+            // extensions for CA certs. A TYPE_PKIX Validator, however, runs
+            // checks on all certs' extensions, including checks by
+            // any PKIXCertPathCheckers included in the PKIXParameters,
+            // so the extra checks would be redundant.
+            boolean checkExtraExtensions =
+                    (type == TYPE_SIMPLE) ? true : false;
+            endEntityChecker.check(chain[0], parameter, checkExtraExtensions);
         }
 
         return chain;
     }
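Review bot: The new `type == TYPE_SIMPLE` test compares String references, so it holds only when the validator was constructed with the very same String object as the constant. If a Validator is ever built with an equal but distinct string (the callers of the constructor are outside this page, so this is unverified), `checkExtraExtensions` becomes false and the extra end-entity extension checks are silently skipped for a simple validator, which fails open. Prefer `boolean checkExtraExtensions = TYPE_SIMPLE.equals(type);`, which is also null-safe and drops the redundant `? true : false`. The enclosing method's signature starts before this hunk.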