8371830: Enhance certificate chain validation

Reviewed-by: jnibedita, rhalade, pkumaraswamy, ahgross, weijun, mullan
Artur Barashev 2025-12-16 14:18:20 +00:00 committed by Jaikiran Pai
parent 1ac37c4f1d
commit 0fa512eb26
2 changed files with 8 additions and 6 deletions


@ -1,5 +1,5 @@
/*
* Copyright (c) 2002, 2024, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2025, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -43,9 +43,7 @@ import static sun.security.x509.PKIXExtensions.IssuingDistributionPoint_Id;
/**
* Class to obtain CRLs via the CRLDistributionPoints extension.
* Note that the functionality of this class must be explicitly enabled
* via a system property, see the USE_CRLDP variable below.
*
* <p>
* This class uses the URICertStore class to fetch CRLs. The URICertStore
* class also implements CRL caching: see the class description for more
* information.


@ -1,5 +1,5 @@
/*
* Copyright (c) 2012, 2024, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2012, 2025, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -1007,13 +1007,17 @@ class RevocationChecker extends PKIXRevocationChecker {
// any way to convey them back to the application.
// That's the default, so no need to write code.
builderParams.setDate(params.date());
builderParams.setCertPathCheckers(params.certPathCheckers());
builderParams.setSigProvider(params.sigProvider());
// Skip revocation during this build to detect circular
// references. But check revocation afterwards, using the
// key (or any other that works).
builderParams.setRevocationEnabled(false);
// Remove itself from params to avoid circular reference.
builderParams.setCertPathCheckers(params.certPathCheckers()
.stream()
.filter(checker -> checker != this)
.toList());
// check for AuthorityInformationAccess extension
if (Builder.USE_AIA) {
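Review bot: The filter `checker -> checker != this` compares by reference, so it only drops this checker if `params.certPathCheckers()` returns the very instance that is executing, and nothing visible in the hunk establishes that. `PKIXParameters.getCertPathCheckers()` is documented to return clones, so if this accessor ever re-fetched from it, the filter would silently match nothing. The nested build would then carry a revocation checker again, because a checker supplied through the cert path checkers list is used irrespective of `setRevocationEnabled(false)`. I would spell that invariant out in the comment, e.g. `// Remove this checker by identity: params.certPathCheckers() must return the live instances, not clones.` followed by `// setRevocationEnabled(false) alone does not disable an explicitly supplied PKIXRevocationChecker.`, and add a regression test that passes the revocation checker in through that list. The enclosing method starts and ends outside the hunk.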