diff options
Diffstat (limited to 'src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java')
-rw-r--r-- | src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java | 29 |
1 files changed, 28 insertions, 1 deletions
diff --git a/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java b/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java index 35564498c..bdedcd091 100644 --- a/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java +++ b/src/share/classes/sun/security/pkcs12/PKCS12KeyStore.java @@ -707,6 +707,11 @@ public final class PKCS12KeyStore extends KeyStoreSpi { entry.protectedPrivKey = key.clone(); if (chain != null) { + // validate cert-chain + if ((chain.length > 1) && (!validateChain(chain))) { + throw new KeyStoreException("Certificate chain is " + + "not valid"); + } entry.chain = chain.clone(); certificateCount += chain.length; @@ -1448,7 +1453,12 @@ public final class PKCS12KeyStore extends KeyStoreSpi { if (!(issuerDN.equals(subjectDN))) return false; } - return true; + + // Check for loops in the chain. If there are repeated certs, + // the Set of certs in the chain will contain fewer certs than + // the chain + Set<Certificate> set = new HashSet<>(Arrays.asList(certChain)); + return set.size() == certChain.length; } @@ -2022,7 +2032,24 @@ public final class PKCS12KeyStore extends KeyStoreSpi { ArrayList<X509Certificate> chain = new ArrayList<X509Certificate>(); X509Certificate cert = findMatchedCertificate(entry); + + mainloop: while (cert != null) { + // Check for loops in the certificate chain + if (!chain.isEmpty()) { + for (X509Certificate chainCert : chain) { + if (cert.equals(chainCert)) { + if (debug != null) { + debug.println("Loop detected in " + + "certificate chain. Skip adding " + + "repeated cert to chain. Subject: " + + cert.getSubjectX500Principal() + .toString()); + } + break mainloop; + } + } + } chain.add(cert); X500Principal issuerDN = cert.getIssuerX500Principal(); if (issuerDN.equals(cert.getSubjectX500Principal())) { |