src/share/classes/sun/security/validator/EndEntityChecker.java
rev 13457 : 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
Reviewed-by: weijun, shade
rev 13458 : 8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
Reviewed-by: coffeys, shade
@@ -1,7 +1,7 @@
/*
- * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
@@ -130,37 +130,44 @@
static EndEntityChecker getInstance(String type, String variant) {
return new EndEntityChecker(type, variant);
}
- void check(X509Certificate cert, Object parameter,
- boolean checkUnresolvedCritExts) throws CertificateException {
+ void check(X509Certificate[] chain, Object parameter,
+ boolean checkUnresolvedCritExts)
+ throws CertificateException {
if (variant.equals(Validator.VAR_GENERIC)) {
return; // no checks
}
- Set<String> exts = getCriticalExtensions(cert);
+ Set<String> exts = getCriticalExtensions(chain[0]);
if (variant.equals(Validator.VAR_TLS_SERVER)) {
- checkTLSServer(cert, (String)parameter, exts);
+ checkTLSServer(chain[0], (String)parameter, exts);
} else if (variant.equals(Validator.VAR_TLS_CLIENT)) {
- checkTLSClient(cert, exts);
+ checkTLSClient(chain[0], exts);
} else if (variant.equals(Validator.VAR_CODE_SIGNING)) {
- checkCodeSigning(cert, exts);
+ checkCodeSigning(chain[0], exts);
} else if (variant.equals(Validator.VAR_JCE_SIGNING)) {
- checkCodeSigning(cert, exts);
+ checkCodeSigning(chain[0], exts);
} else if (variant.equals(Validator.VAR_PLUGIN_CODE_SIGNING)) {
- checkCodeSigning(cert, exts);
+ checkCodeSigning(chain[0], exts);
} else if (variant.equals(Validator.VAR_TSA_SERVER)) {
- checkTSAServer(cert, exts);
+ checkTSAServer(chain[0], exts);
} else {
throw new CertificateException("Unknown variant: " + variant);
}
// if neither VAR_GENERIC variant nor unknown variant
if (checkUnresolvedCritExts) {
checkRemainingExtensions(exts);
}
+
+ // check if certificate should be distrusted according to policies
+ // set in the jdk.security.caDistrustPolicies security property
+ for (CADistrustPolicy policy : CADistrustPolicy.POLICIES) {
+ policy.checkDistrust(variant, chain);
+ }
}
/**
* Utility method returning the Set of critical extensions for
* certificate cert (never null).
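Review bot: The new `check(X509Certificate[] chain, ...)` signature dereferences `chain[0]` for the critical-extension lookup and in every variant branch without first checking that `chain` is non-null and non-empty, so a caller that passes an empty array now gets an ArrayIndexOutOfBoundsException instead of the CertificateException this method declares. Add `if (chain == null || chain.length == 0) { throw new CertificateException("Empty certificate chain"); }` ahead of the VAR_GENERIC early return, or, if the Validator entry point that builds the chain is already known to reject empty chains, a one-line comment stating that invariant so the next maintainer does not have to rediscover it. The method also lost its only implicit documentation when the parameter changed from a single certificate to a chain; a Javadoc should state that `chain[0]` is treated as the end-entity certificate and that the whole chain (presumably anchor last — confirm against the callers) is handed to each `CADistrustPolicy`, since the new distrust loop depends on that ordering. Note that the distrust loop is intentionally skipped for VAR_GENERIC by the early return, which is worth a word in the same Javadoc. The Javadoc comment that begins on the hunk's last line belongs to a method outside this hunk.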