8207258: Distrust TLS server certificates anchored by Symantec Root CAs

Reviewed-by: weijun
2025-09-20 11:04:34 +02:00 · 2018-12-11 13:22:20 -05:00 · 2018-12-11 13:22:20 -05:00 · dfd58a59ff
commit dfd58a59ff
parent e922ef3636
19 changed files with 1459 additions and 4 deletions
--- a/src/java.base/share/classes/sun/security/validator/EndEntityChecker.java
+++ b/src/java.base/share/classes/sun/security/validator/EndEntityChecker.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -133,7 +133,9 @@ class EndEntityChecker {
    }

    void check(X509Certificate cert, Object parameter,
-            boolean checkUnresolvedCritExts) throws CertificateException {
+            boolean checkUnresolvedCritExts, X509Certificate anchor)
+            throws CertificateException {
+
        if (variant.equals(Validator.VAR_GENERIC)) {
            return; // no checks
        }
@ -159,6 +161,12 @@ class EndEntityChecker {
        if (checkUnresolvedCritExts) {
            checkRemainingExtensions(exts);
        }
+
+        // check if certificate should be distrusted according to policies
+        // set in the jdk.security.caDistrustPolicies security property
+        for (CADistrustPolicy policy : CADistrustPolicy.POLICIES) {
+            policy.checkDistrust(variant, anchor, cert);
+        }
    }

    /**