From 0fa512eb264761bc2dfd5428750401d1685d5909 Mon Sep 17 00:00:00 2001
From: Artur Barashev <abarashev@openjdk.org>
Date: Tue, 16 Dec 2025 14:18:20 +0000
Subject: [PATCH] 8371830: Enhance certificate chain validation

Reviewed-by: jnibedita, rhalade, pkumaraswamy, ahgross, weijun, mullan
---
 .../provider/certpath/DistributionPointFetcher.java       | 6 ++----
 .../sun/security/provider/certpath/RevocationChecker.java | 8 ++++++--
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java b/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
index 31c0f4ecb9c..ed0fd0f5576 100644
--- a/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
+++ b/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -43,9 +43,7 @@ import static sun.security.x509.PKIXExtensions.IssuingDistributionPoint_Id;
 
 /**
  * Class to obtain CRLs via the CRLDistributionPoints extension.
- * Note that the functionality of this class must be explicitly enabled
- * via a system property, see the USE_CRLDP variable below.
- *
+ * <p>
  * This class uses the URICertStore class to fetch CRLs. The URICertStore
  * class also implements CRL caching: see the class description for more
  * information.
diff --git a/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java b/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java
index 297727310d4..7751f6a32bf 100644
--- a/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java
+++ b/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -1007,13 +1007,17 @@ class RevocationChecker extends PKIXRevocationChecker {
         // any way to convey them back to the application.
         // That's the default, so no need to write code.
         builderParams.setDate(params.date());
-        builderParams.setCertPathCheckers(params.certPathCheckers());
         builderParams.setSigProvider(params.sigProvider());
 
         // Skip revocation during this build to detect circular
         // references. But check revocation afterwards, using the
         // key (or any other that works).
         builderParams.setRevocationEnabled(false);
+        // Remove itself from params to avoid circular reference.
+        builderParams.setCertPathCheckers(params.certPathCheckers()
+                .stream()
+                .filter(checker -> checker != this)
+                .toList());
 
         // check for AuthorityInformationAccess extension
         if (Builder.USE_AIA) {