src/share/classes/sun/security/validator/EndEntityChecker.java

rev 13457 : 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
Reviewed-by: weijun, shade
rev 13458 : 8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
Reviewed-by: coffeys, shade

@@ -1,7 +1,7 @@
 /*
- * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
  * under the terms of the GNU General Public License version 2 only, as
  * published by the Free Software Foundation.  Oracle designates this

@@ -130,37 +130,44 @@
 
     static EndEntityChecker getInstance(String type, String variant) {
         return new EndEntityChecker(type, variant);
     }
 
-    void check(X509Certificate cert, Object parameter,
-            boolean checkUnresolvedCritExts) throws CertificateException {
+    void check(X509Certificate[] chain, Object parameter,
+            boolean checkUnresolvedCritExts)
+            throws CertificateException {
         if (variant.equals(Validator.VAR_GENERIC)) {
             return; // no checks
         }
 
-        Set<String> exts = getCriticalExtensions(cert);
+        Set<String> exts = getCriticalExtensions(chain[0]);
         if (variant.equals(Validator.VAR_TLS_SERVER)) {
-            checkTLSServer(cert, (String)parameter, exts);
+            checkTLSServer(chain[0], (String)parameter, exts);
         } else if (variant.equals(Validator.VAR_TLS_CLIENT)) {
-            checkTLSClient(cert, exts);
+            checkTLSClient(chain[0], exts);
         } else if (variant.equals(Validator.VAR_CODE_SIGNING)) {
-            checkCodeSigning(cert, exts);
+            checkCodeSigning(chain[0], exts);
         } else if (variant.equals(Validator.VAR_JCE_SIGNING)) {
-            checkCodeSigning(cert, exts);
+            checkCodeSigning(chain[0], exts);
         } else if (variant.equals(Validator.VAR_PLUGIN_CODE_SIGNING)) {
-            checkCodeSigning(cert, exts);
+            checkCodeSigning(chain[0], exts);
         } else if (variant.equals(Validator.VAR_TSA_SERVER)) {
-            checkTSAServer(cert, exts);
+            checkTSAServer(chain[0], exts);
         } else {
             throw new CertificateException("Unknown variant: " + variant);
         }
 
         // if neither VAR_GENERIC variant nor unknown variant
         if (checkUnresolvedCritExts) {
             checkRemainingExtensions(exts);
         }
+
+        // check if certificate should be distrusted according to policies
+        // set in the jdk.security.caDistrustPolicies security property
+        for (CADistrustPolicy policy : CADistrustPolicy.POLICIES) {
+            policy.checkDistrust(variant, chain);
+        }
     }
 
     /**
      * Utility method returning the Set of critical extensions for
      * certificate cert (never null).