authormbalao <unknown>2019-08-26 13:57:51 -0400
committerbell-sw <liberica@bell-sw.com>2020-01-19 09:13:13 +0300
commit4c0d0c287d5aaff00b801bb76a0a926367339677 (patch)
tree1a762404f792721b3c9bf762bf4a068d926d361e
parentdbdc7952175205aae8d07cf5b15eb25a6a370971 (diff)
8227758: More valid PKIX processing
Reviewed-by: andrew
-rw-r--r--src/share/classes/sun/security/validator/PKIXValidator.java44
-rw-r--r--test/sun/security/tools/jarsigner/concise_jarsigner.sh10
2 files changed, 26 insertions, 28 deletions
diff --git a/src/share/classes/sun/security/validator/PKIXValidator.java b/src/share/classes/sun/security/validator/PKIXValidator.java
index 9be502626e..f46017dd81 100644
--- a/src/share/classes/sun/security/validator/PKIXValidator.java
+++ b/src/share/classes/sun/security/validator/PKIXValidator.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -209,6 +209,7 @@ public final class PKIXValidator extends Validator {
("null or zero-length certificate chain");
}
+
// Use PKIXExtendedParameters for timestamp and variant additions
PKIXBuilderParameters pkixParameters = null;
try {
@@ -234,29 +235,30 @@ public final class PKIXValidator extends Validator {
for (int i = 0; i < chain.length; i++) {
X509Certificate cert = chain[i];
X500Principal dn = cert.getSubjectX500Principal();
- if (i != 0 &&
- !dn.equals(prevIssuer)) {
- // chain is not ordered correctly, call builder instead
- return doBuild(chain, otherCerts, pkixParameters);
- }
- // Check if chain[i] is already trusted. It may be inside
- // trustedCerts, or has the same dn and public key as a cert
- // inside trustedCerts. The latter happens when a CA has
- // updated its cert with a stronger signature algorithm in JRE
- // but the weak one is still in circulation.
-
- if (trustedCerts.contains(cert) || // trusted cert
- (trustedSubjects.containsKey(dn) && // replacing ...
- trustedSubjects.get(dn).contains( // ... weak cert
- cert.getPublicKey()))) {
- if (i == 0) {
+ if (i == 0) {
+ if (trustedCerts.contains(cert)) {
return new X509Certificate[] {chain[0]};
}
- // Remove and call validator on partial chain [0 .. i-1]
- X509Certificate[] newChain = new X509Certificate[i];
- System.arraycopy(chain, 0, newChain, 0, i);
- return doValidate(newChain, pkixParameters);
+ } else {
+ if (!dn.equals(prevIssuer)) {
+ // chain is not ordered correctly, call builder instead
+ return doBuild(chain, otherCerts, pkixParameters);
+ }
+ // Check if chain[i] is already trusted. It may be inside
+ // trustedCerts, or has the same dn and public key as a cert
+ // inside trustedCerts. The latter happens when a CA has
+ // updated its cert with a stronger signature algorithm in JRE
+ // but the weak one is still in circulation.
+ if (trustedCerts.contains(cert) || // trusted cert
+ (trustedSubjects.containsKey(dn) && // replacing ...
+ trustedSubjects.get(dn).contains( // ... weak cert
+ cert.getPublicKey()))) {
+ // Remove and call validator on partial chain [0 .. i-1]
+ X509Certificate[] newChain = new X509Certificate[i];
+ System.arraycopy(chain, 0, newChain, 0, i);
+ return doValidate(newChain, pkixParameters);
+ }
}
prevIssuer = cert.getIssuerX500Principal();
}
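Review bot: The new `if (i == 0)` branch has no comment explaining why chain[0] is accepted only on an exact `trustedCerts.contains(cert)` match, while the `else` branch still lets later entries match a trust anchor by subject DN and public key. The removed lines show the old code returning `new X509Certificate[] {chain[0]}` on that looser match without calling doValidate, so the asymmetry looks deliberate, and a later cleanup that merges the two branches would silently restore the old behaviour. I would add above the inner check something like `// chain[0] is returned without path validation, so require the exact trusted certificate; a DN + public key match is only honoured for i > 0`. The enclosing method starts and ends outside this hunk, so how trustedCerts and trustedSubjects are populated is not visible here.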
diff --git a/test/sun/security/tools/jarsigner/concise_jarsigner.sh b/test/sun/security/tools/jarsigner/concise_jarsigner.sh
index b9ec9e8323..e299eb05a7 100644
--- a/test/sun/security/tools/jarsigner/concise_jarsigner.sh
+++ b/test/sun/security/tools/jarsigner/concise_jarsigner.sh
@@ -22,7 +22,7 @@
#
# @test
-# @bug 6802846 8172529
+# @bug 6802846 8172529 8227758
# @summary jarsigner needs enhanced cert validation(options)
#
# @run shell/timeout=240 concise_jarsigner.sh
@@ -207,15 +207,11 @@ $JARSIGNER -strict -keystore $KS -storepass changeit a.jar altchain
$JARSIGNER -strict -keystore $KS -storepass changeit -certchain certchain a.jar altchain
[ $? = 0 ] || exit $LINENO
-# if ca2 is removed, -certchain still work because altchain is a self-signed entry and
-# it is trusted by jarsigner
+# if ca2 is removed and cert is imported, -certchain won't work because this certificate
+# entry is not trusted
# save ca2.cert for easy replay
$KT -exportcert -file ca2.cert -alias ca2
$KT -delete -alias ca2
-$JARSIGNER -strict -keystore $KS -storepass changeit -certchain certchain a.jar altchain
-[ $? = 0 ] || exit $LINENO
-
-# if cert is imported, -certchain won't work because this certificate entry is not trusted
$KT -importcert -file certchain -alias altchain -noprompt
$JARSIGNER -strict -keystore $KS -storepass changeit -certchain certchain a.jar altchain
[ $? = 4 ] || exit $LINENO
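Review bot: The intermediate state (ca2 deleted, certchain not yet imported) is no longer tested, because the jarsigner call between `$KT -delete -alias ca2` and `$KT -importcert` is removed rather than given a new expected result. The final `[ $? = 4 ] || exit $LINENO` is an unchanged context line, so it passed before this commit as well and does not by itself distinguish the old validator behaviour from the new one. If the validator now rejects the chain in that intermediate state, keeping the call and pinning its failure would guard against regression, e.g. `[ $? = 4 ] || exit $LINENO` after the retained `$JARSIGNER ... -certchain certchain a.jar altchain` line; the exact exit code should be confirmed from a run.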