|
28 | 28 | package org.jruby.ext.openssl.x509store;
|
29 | 29 |
|
30 | 30 | import java.security.GeneralSecurityException;
|
| 31 | +import java.security.Principal; |
31 | 32 | import java.security.PublicKey;
|
32 | 33 | import java.security.cert.X509CRL;
|
33 | 34 | import java.security.cert.X509Certificate;
|
|
38 | 39 | import java.util.Date;
|
39 | 40 | import java.util.HashSet;
|
40 | 41 | import java.util.List;
|
| 42 | +import java.util.ListIterator; |
41 | 43 | import java.util.Set;
|
42 | 44 |
|
43 | 45 | import org.bouncycastle.asn1.ASN1InputStream;
|
44 | 46 | import org.bouncycastle.asn1.ASN1Integer;
|
45 | 47 | import org.bouncycastle.asn1.ASN1Sequence;
|
46 | 48 | import org.jruby.ext.openssl.SecurityHelper;
|
47 | 49 |
|
| 50 | +import javax.security.auth.x500.X500Principal; |
| 51 | + |
48 | 52 | /**
|
49 | 53 | * c: X509_STORE_CTX
|
50 | 54 | *
|
@@ -661,6 +665,22 @@ public int verifyCertificate() throws Exception {
|
661 | 665 | List<X509AuxCertificate> sktmp = null;
|
662 | 666 | if ( untrusted != null ) {
|
663 | 667 | sktmp = new ArrayList<X509AuxCertificate>(untrusted);
|
| 668 | + |
| 669 | + // replace certs in untrusted with trusted versions if found |
| 670 | + X509Object[] objTmp = {null}; |
| 671 | + for (ListIterator<X509AuxCertificate> iter = sktmp.listIterator(); iter.hasNext();) { |
| 672 | + X509AuxCertificate skCert = iter.next(); |
| 673 | + X500Principal principal = skCert.cert.getSubjectX500Principal(); |
| 674 | + int ok = getBySubject(X509Utils.X509_LU_X509, new Name(principal), objTmp); |
| 675 | + if (ok == X509Utils.X509_LU_X509) { |
| 676 | + // replace old with new and clear rest of untrusted |
| 677 | + iter.set(((Certificate) objTmp[0]).x509); |
| 678 | + while (iter.hasNext()) { |
| 679 | + iter.next(); |
| 680 | + iter.remove(); |
| 681 | + } |
| 682 | + } |
| 683 | + } |
664 | 684 | }
|
665 | 685 | num = chain.size();
|
666 | 686 | x = chain.get(num - 1);
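Review bot: The replacement at new lines 674-677 matches a trusted certificate by subject name only, so a trusted cert that shares the subject but carries a different key (a re-keyed or cross-signed CA) would displace the untrusted cert whose key actually signed the next link, and the truncation loop at 678-681 then also drops every remaining untrusted cert on the apparent assumption that `untrusted` is ordered leaf-first; neither assumption is checked. If the store's lookup returns the first subject match (I cannot see `getBySubject` here), a second trusted cert with the same name is never considered. A narrower guard, e.g. `X509AuxCertificate trusted = ((Certificate) objTmp[0]).x509; if (ok == X509Utils.X509_LU_X509 && trusted.getPublicKey().equals(skCert.cert.getPublicKey()))`, would keep the substitution to certificates that are genuinely the same CA, and the comment at 669 should state the ordering assumption, e.g. `// assumes untrusted is ordered leaf -> issuer; once a trusted issuer is found the rest is discarded`. The added `java.security.Principal` import appears unused in the visible hunks; the method `verifyCertificate` continues outside this hunk.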
|
|