8371830: Enhance certificate chain validation

Aleksei Voitylov · RealCLanger · commit 4a8a9f1068b7 · 2026-04-15T17:22:40.000+02:00
Reviewed-by: abakhtin, mbaesken
Backport-of: 970e7df70e5f9044f6fe872d6d166c82fe68ebdc
diff --git a/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java b/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2024, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -43,9 +43,7 @@
 
 /**
  * Class to obtain CRLs via the CRLDistributionPoints extension.
- * Note that the functionality of this class must be explicitly enabled
- * via a system property, see the USE_CRLDP variable below.
- *
+ * <p>
  * This class uses the URICertStore class to fetch CRLs. The URICertStore
  * class also implements CRL caching: see the class description for more
  * information.
diff --git a/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java b/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2023, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2025, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -1022,13 +1022,17 @@ private void buildToNewKey(X509Certificate currCert,
         // any way to convey them back to the application.
         // That's the default, so no need to write code.
         builderParams.setDate(params.date());
-        builderParams.setCertPathCheckers(params.certPathCheckers());
         builderParams.setSigProvider(params.sigProvider());
 
         // Skip revocation during this build to detect circular
         // references. But check revocation afterwards, using the
         // key (or any other that works).
         builderParams.setRevocationEnabled(false);
+        // Remove itself from params to avoid circular reference.
+        builderParams.setCertPathCheckers(params.certPathCheckers()
+                .stream()
+                .filter(checker -> checker != this)
+                .toList());
 
         // check for AuthorityInformationAccess extension
         if (Builder.USE_AIA) {
