Skip to main content
aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorThomas Watson2010-05-12 17:28:29 -0400
committerThomas Watson2010-05-12 17:28:29 -0400
commitb07b8ba7ead3eb15ec59a97433b728fac7da5e03 (patch)
treeb3632dd9809842544584ab552c267b215860f2ee /bundles/org.eclipse.osgi
parentadc641505372b3c862530906dfbcdac9f573fccb (diff)
downloadrt.equinox.framework-b07b8ba7ead3eb15ec59a97433b728fac7da5e03.tar.gz
rt.equinox.framework-b07b8ba7ead3eb15ec59a97433b728fac7da5e03.tar.xz
rt.equinox.framework-b07b8ba7ead3eb15ec59a97433b728fac7da5e03.zip
Bug 309059 - Eclipse foundation certificate not trusted by latest Oracle VMsv20100512
Diffstat (limited to 'bundles/org.eclipse.osgi')
-rw-r--r--bundles/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java37
1 files changed, 23 insertions, 14 deletions
diff --git a/bundles/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java b/bundles/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
index c74c1f26f..83fdd3646 100644
--- a/bundles/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
+++ b/bundles/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/service/security/KeyStoreTrustEngine.java
@@ -110,27 +110,19 @@ public class KeyStoreTrustEngine extends TrustEngine {
try {
Certificate rootCert = null;
-
KeyStore store = getKeyStore();
for (int i = 0; i < certChain.length; i++) {
if (certChain[i] instanceof X509Certificate) {
- if (i == certChain.length - 1) { //this is the last certificate in the chain
+ if (i == certChain.length - 1) {
+ // this is the last certificate in the chain
+ // determine if we have a valid root
X509Certificate cert = (X509Certificate) certChain[i];
if (cert.getSubjectDN().equals(cert.getIssuerDN())) {
- certChain[i].verify(certChain[i].getPublicKey());
- rootCert = certChain[i]; // this is a self-signed certificate
+ cert.verify(cert.getPublicKey());
+ rootCert = cert; // this is a self-signed certificate
} else {
// try to find a parent, we have an incomplete chain
- synchronized (store) {
- for (Enumeration e = store.aliases(); e.hasMoreElements();) {
- Certificate nextCert = store.getCertificate((String) e.nextElement());
- if (nextCert instanceof X509Certificate && ((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN())) {
- cert.verify(nextCert.getPublicKey());
- rootCert = nextCert;
- break;
- }
- }
- }
+ return findAlternativeRoot(cert, store);
}
} else {
X509Certificate nextX509Cert = (X509Certificate) certChain[i + 1];
@@ -147,6 +139,10 @@ public class KeyStoreTrustEngine extends TrustEngine {
if (alias != null)
return store.getCertificate(alias);
}
+ // if we have reached the end and the last cert is not found to be a valid root CA
+ // then we need to back off the root CA and try to find an alternative
+ if (certChain.length > 1 && i == certChain.length - 1 && certChain[i - 1] instanceof X509Certificate)
+ return findAlternativeRoot((X509Certificate) certChain[i - 1], store);
}
}
} catch (KeyStoreException e) {
@@ -158,6 +154,19 @@ public class KeyStoreTrustEngine extends TrustEngine {
return null;
}
+ private Certificate findAlternativeRoot(X509Certificate cert, KeyStore store) throws InvalidKeyException, KeyStoreException, NoSuchAlgorithmException, NoSuchProviderException, SignatureException, CertificateException {
+ synchronized (store) {
+ for (Enumeration e = store.aliases(); e.hasMoreElements();) {
+ Certificate nextCert = store.getCertificate((String) e.nextElement());
+ if (nextCert instanceof X509Certificate && ((X509Certificate) nextCert).getSubjectDN().equals(cert.getIssuerDN())) {
+ cert.verify(nextCert.getPublicKey());
+ return nextCert;
+ }
+ }
+ return null;
+ }
+ }
+
protected String doAddTrustAnchor(Certificate cert, String alias) throws IOException, GeneralSecurityException {
if (isReadOnly())
throw new IOException(SignedContentMessages.Default_Trust_Read_Only);

Back to the top