8249906: Enhance opening JARs

Reviewed-by: weijun, rhalade, mschoene
2025-08-28 15:24:43 +02:00 · 2020-10-26 18:55:15 +00:00 · 2020-10-26 18:55:15 +00:00 · 7232e3c704
commit 7232e3c704
parent 17a741d6bc
24 changed files with 766 additions and 502 deletions
--- a/src/java.base/share/classes/sun/security/util/AnchorCertificates.java
+++ b/src/java.base/share/classes/sun/security/util/AnchorCertificates.java
@ -36,6 +36,7 @@ import java.util.Enumeration;
 import java.util.HashSet;
 import java.util.Set;

+import javax.security.auth.x500.X500Principal;
 import sun.security.x509.X509CertImpl;

 /**
@ -47,9 +48,10 @@ public class AnchorCertificates {
    private static final Debug debug = Debug.getInstance("certpath");
    private static final String HASH = "SHA-256";
    private static Set<String> certs = Collections.emptySet();
+    private static Set<X500Principal> certIssuers = Collections.emptySet();

    static  {
-        AccessController.doPrivileged(new PrivilegedAction<Void>() {
+        AccessController.doPrivileged(new PrivilegedAction<>() {
            @Override
            public Void run() {
                File f = new File(FilePaths.cacerts());
@ -59,15 +61,16 @@ public class AnchorCertificates {
                    try (FileInputStream fis = new FileInputStream(f)) {
                        cacerts.load(fis, null);
                        certs = new HashSet<>();
+                        certIssuers = new HashSet<>();
                        Enumeration<String> list = cacerts.aliases();
-                        String alias;
                        while (list.hasMoreElements()) {
-                            alias = list.nextElement();
+                            String alias = list.nextElement();
                            // Check if this cert is labeled a trust anchor.
                            if (alias.contains(" [jdk")) {
                                X509Certificate cert = (X509Certificate) cacerts
                                        .getCertificate(alias);
                                certs.add(X509CertImpl.getFingerprint(HASH, cert));
+                                certIssuers.add(cert.getSubjectX500Principal());
                            }
                        }
                    }
@ -83,10 +86,10 @@ public class AnchorCertificates {
    }

    /**
-     * Checks if a certificate is a trust anchor.
+     * Checks if a certificate is a JDK trust anchor.
     *
     * @param cert the certificate to check
-     * @return true if the certificate is trusted.
+     * @return true if the certificate is a JDK trust anchor
     */
    public static boolean contains(X509Certificate cert) {
        String key = X509CertImpl.getFingerprint(HASH, cert);
@ -98,5 +101,15 @@ public class AnchorCertificates {
        return result;
    }

+    /**
+     * Checks if a JDK trust anchor is the issuer of a certificate.
+     *
+     * @param cert the certificate to check
+     * @return true if the certificate is issued by a trust anchor
+     */
+    public static boolean issuerOf(X509Certificate cert) {
+        return certIssuers.contains(cert.getIssuerX500Principal());
+    }
+
    private AnchorCertificates() {}
 }