jdk-sandbox: jdk/src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java@2ee9017c7597 (annotated)

4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	1	/*
13806 b18118646a65 7195409: CertPath/CertPathValidatorTest/KeyParamsInheritanceTest fails with NullPointerException mullan parents: 8163 diff changeset	2	* Copyright (c) 2009, 2012, Oracle and/or its affiliates. All rights reserved.
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	3	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	4	*
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	5	* This code is free software; you can redistribute it and/or modify it
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	6	* under the terms of the GNU General Public License version 2 only, as
5506 202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 4190 diff changeset	7	* published by the Free Software Foundation. Oracle designates this
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	8	* particular file as subject to the "Classpath" exception as provided
5506 202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 4190 diff changeset	9	* by Oracle in the LICENSE file that accompanied this code.
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	10	*
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	11	* This code is distributed in the hope that it will be useful, but WITHOUT
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	12	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	13	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	14	* version 2 for more details (a copy is included in the LICENSE file that
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	15	* accompanied this code).
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	16	*
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	17	* You should have received a copy of the GNU General Public License version
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	18	* 2 along with this work; if not, write to the Free Software Foundation,
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	19	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	20	*
5506 202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 4190 diff changeset	21	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 4190 diff changeset	22	* or visit www.oracle.com if you need additional information or have any
202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 4190 diff changeset	23	* questions.
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	24	*/
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	25
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	26	package sun.security.provider.certpath;
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	27
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	28	import java.security.AlgorithmConstraints;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	29	import java.security.CryptoPrimitive;
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	30	import java.util.Collection;
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	31	import java.util.Collections;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	32	import java.util.Set;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	33	import java.util.EnumSet;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	34	import java.util.HashSet;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	35	import java.math.BigInteger;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	36	import java.security.PublicKey;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	37	import java.security.KeyFactory;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	38	import java.security.AlgorithmParameters;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	39	import java.security.NoSuchAlgorithmException;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	40	import java.security.GeneralSecurityException;
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	41	import java.security.cert.Certificate;
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	42	import java.security.cert.X509CRL;
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	43	import java.security.cert.X509Certificate;
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	44	import java.security.cert.PKIXCertPathChecker;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	45	import java.security.cert.TrustAnchor;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	46	import java.security.cert.CRLException;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	47	import java.security.cert.CertificateException;
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	48	import java.security.cert.CertPathValidatorException;
8163 d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm xuelei parents: 7040 diff changeset	49	import java.security.cert.CertPathValidatorException.BasicReason;
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm xuelei parents: 7040 diff changeset	50	import java.security.cert.PKIXReason;
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	51	import java.io.IOException;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	52	import java.security.interfaces.*;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	53	import java.security.spec.*;
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	54
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	55	import sun.security.util.DisabledAlgorithmConstraints;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	56	import sun.security.x509.X509CertImpl;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	57	import sun.security.x509.X509CRLImpl;
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	58	import sun.security.x509.AlgorithmId;
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	59
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	60	/**
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	61	* A <code>PKIXCertPathChecker</code> implementation to check whether a
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	62	* specified certificate contains the required algorithm constraints.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	63	* <p>
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	64	* Certificate fields such as the subject public key, the signature
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	65	* algorithm, key usage, extended key usage, etc. need to conform to
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	66	* the specified algorithm constraints.
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	67	*
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	68	* @see PKIXCertPathChecker
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	69	* @see PKIXParameters
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	70	*/
32649 2ee9017c7597 8136583: Core libraries should use blessed modifier order martin parents: 25859 diff changeset	71	public final class AlgorithmChecker extends PKIXCertPathChecker {
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	72
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	73	private final AlgorithmConstraints constraints;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	74	private final PublicKey trustedPubKey;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	75	private PublicKey prevPubKey;
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	76
32649 2ee9017c7597 8136583: Core libraries should use blessed modifier order martin parents: 25859 diff changeset	77	private static final Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET =
23897 911b1eb93667 8029745: Enhance algorithm checking juh parents: 13806 diff changeset	78	Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	79
32649 2ee9017c7597 8136583: Core libraries should use blessed modifier order martin parents: 25859 diff changeset	80	private static final DisabledAlgorithmConstraints
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	81	certPathDefaultConstraints = new DisabledAlgorithmConstraints(
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	82	DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS);
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	83
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	84	/**
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	85	* Create a new <code>AlgorithmChecker</code> with the algorithm
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	86	* constraints specified in security property
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	87	* "jdk.certpath.disabledAlgorithms".
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	88	*
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	89	* @param anchor the trust anchor selected to validate the target
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	90	* certificate
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	91	*/
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	92	public AlgorithmChecker(TrustAnchor anchor) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	93	this(anchor, certPathDefaultConstraints);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	94	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	95
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	96	/**
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	97	* Create a new <code>AlgorithmChecker</code> with the
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	98	* given {@code AlgorithmConstraints}.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	99	* <p>
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	100	* Note that this constructor will be used to check a certification
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	101	* path where the trust anchor is unknown, or a certificate list which may
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	102	* contain the trust anchor. This constructor is used by SunJSSE.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	103	*
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	104	* @param constraints the algorithm constraints (or null)
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	105	*/
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	106	public AlgorithmChecker(AlgorithmConstraints constraints) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	107	this.prevPubKey = null;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	108	this.trustedPubKey = null;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	109	this.constraints = constraints;
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	110	}
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	111
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	112	/**
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	113	* Create a new <code>AlgorithmChecker</code> with the
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	114	* given <code>TrustAnchor</code> and <code>AlgorithmConstraints</code>.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	115	*
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	116	* @param anchor the trust anchor selected to validate the target
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	117	* certificate
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	118	* @param constraints the algorithm constraints (or null)
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	119	*
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	120	* @throws IllegalArgumentException if the <code>anchor</code> is null
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	121	*/
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	122	public AlgorithmChecker(TrustAnchor anchor,
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	123	AlgorithmConstraints constraints) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	124
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	125	if (anchor == null) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	126	throw new IllegalArgumentException(
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	127	"The trust anchor cannot be null");
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	128	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	129
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	130	if (anchor.getTrustedCert() != null) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	131	this.trustedPubKey = anchor.getTrustedCert().getPublicKey();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	132	} else {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	133	this.trustedPubKey = anchor.getCAPublicKey();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	134	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	135
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	136	this.prevPubKey = trustedPubKey;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	137	this.constraints = constraints;
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	138	}
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	139
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	140	@Override
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	141	public void init(boolean forward) throws CertPathValidatorException {
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	142	// Note that this class does not support forward mode.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	143	if (!forward) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	144	if (trustedPubKey != null) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	145	prevPubKey = trustedPubKey;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	146	} else {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	147	prevPubKey = null;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	148	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	149	} else {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	150	throw new
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	151	CertPathValidatorException("forward checking not supported");
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	152	}
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	153	}
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	154
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	155	@Override
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	156	public boolean isForwardCheckingSupported() {
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	157	// Note that as this class does not support forward mode, the method
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	158	// will always returns false.
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	159	return false;
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	160	}
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	161
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	162	@Override
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	163	public Set<String> getSupportedExtensions() {
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	164	return null;
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	165	}
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	166
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	167	@Override
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	168	public void check(Certificate cert,
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	169	Collection<String> unresolvedCritExts)
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	170	throws CertPathValidatorException {
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	171
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	172	if (!(cert instanceof X509Certificate) \|\| constraints == null) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	173	// ignore the check for non-x.509 certificate or null constraints
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	174	return;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	175	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	176
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	177	X509CertImpl x509Cert = null;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	178	try {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	179	x509Cert = X509CertImpl.toImpl((X509Certificate)cert);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	180	} catch (CertificateException ce) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	181	throw new CertPathValidatorException(ce);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	182	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	183
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	184	PublicKey currPubKey = x509Cert.getPublicKey();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	185	String currSigAlg = x509Cert.getSigAlgName();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	186
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	187	AlgorithmId algorithmId = null;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	188	try {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	189	algorithmId = (AlgorithmId)x509Cert.get(X509CertImpl.SIG_ALG);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	190	} catch (CertificateException ce) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	191	throw new CertPathValidatorException(ce);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	192	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	193
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	194	AlgorithmParameters currSigAlgParams = algorithmId.getParameters();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	195
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	196	// Check the current signature algorithm
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	197	if (!constraints.permits(
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	198	SIGNATURE_PRIMITIVE_SET,
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	199	currSigAlg, currSigAlgParams)) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	200	throw new CertPathValidatorException(
8163 d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm xuelei parents: 7040 diff changeset	201	"Algorithm constraints check failed: " + currSigAlg,
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm xuelei parents: 7040 diff changeset	202	null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	203	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	204
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	205	// check the key usage and key size
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	206	boolean[] keyUsage = x509Cert.getKeyUsage();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	207	if (keyUsage != null && keyUsage.length < 9) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	208	throw new CertPathValidatorException(
8163 d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm xuelei parents: 7040 diff changeset	209	"incorrect KeyUsage extension",
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm xuelei parents: 7040 diff changeset	210	null, null, -1, PKIXReason.INVALID_KEY_USAGE);
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	211	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	212
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	213	if (keyUsage != null) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	214	Set<CryptoPrimitive> primitives =
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	215	EnumSet.noneOf(CryptoPrimitive.class);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	216
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	217	if (keyUsage[0] \|\| keyUsage[1] \|\| keyUsage[5] \|\| keyUsage[6]) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	218	// keyUsage[0]: KeyUsage.digitalSignature
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	219	// keyUsage[1]: KeyUsage.nonRepudiation
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	220	// keyUsage[5]: KeyUsage.keyCertSign
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	221	// keyUsage[6]: KeyUsage.cRLSign
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	222	primitives.add(CryptoPrimitive.SIGNATURE);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	223	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	224
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	225	if (keyUsage[2]) { // KeyUsage.keyEncipherment
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	226	primitives.add(CryptoPrimitive.KEY_ENCAPSULATION);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	227	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	228
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	229	if (keyUsage[3]) { // KeyUsage.dataEncipherment
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	230	primitives.add(CryptoPrimitive.PUBLIC_KEY_ENCRYPTION);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	231	}
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	232
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	233	if (keyUsage[4]) { // KeyUsage.keyAgreement
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	234	primitives.add(CryptoPrimitive.KEY_AGREEMENT);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	235	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	236
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	237	// KeyUsage.encipherOnly and KeyUsage.decipherOnly are
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	238	// undefined in the absence of the keyAgreement bit.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	239
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	240	if (!primitives.isEmpty()) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	241	if (!constraints.permits(primitives, currPubKey)) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	242	throw new CertPathValidatorException(
8163 d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm xuelei parents: 7040 diff changeset	243	"algorithm constraints check failed",
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm xuelei parents: 7040 diff changeset	244	null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	245	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	246	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	247	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	248
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	249	// Check with previous cert for signature algorithm and public key
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	250	if (prevPubKey != null) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	251	if (currSigAlg != null) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	252	if (!constraints.permits(
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	253	SIGNATURE_PRIMITIVE_SET,
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	254	currSigAlg, prevPubKey, currSigAlgParams)) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	255	throw new CertPathValidatorException(
8163 d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm xuelei parents: 7040 diff changeset	256	"Algorithm constraints check failed: " + currSigAlg,
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm xuelei parents: 7040 diff changeset	257	null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	258	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	259	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	260
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	261	// Inherit key parameters from previous key
13806 b18118646a65 7195409: CertPath/CertPathValidatorTest/KeyParamsInheritanceTest fails with NullPointerException mullan parents: 8163 diff changeset	262	if (PKIX.isDSAPublicKeyWithoutParams(currPubKey)) {
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	263	// Inherit DSA parameters from previous key
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	264	if (!(prevPubKey instanceof DSAPublicKey)) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	265	throw new CertPathValidatorException("Input key is not " +
8163 d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm xuelei parents: 7040 diff changeset	266	"of a appropriate type for inheriting parameters");
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	267	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	268
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	269	DSAParams params = ((DSAPublicKey)prevPubKey).getParams();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	270	if (params == null) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	271	throw new CertPathValidatorException(
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	272	"Key parameters missing");
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	273	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	274
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	275	try {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	276	BigInteger y = ((DSAPublicKey)currPubKey).getY();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	277	KeyFactory kf = KeyFactory.getInstance("DSA");
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	278	DSAPublicKeySpec ks = new DSAPublicKeySpec(y,
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	279	params.getP(),
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	280	params.getQ(),
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	281	params.getG());
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	282	currPubKey = kf.generatePublic(ks);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	283	} catch (GeneralSecurityException e) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	284	throw new CertPathValidatorException("Unable to generate " +
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	285	"key with inherited parameters: " + e.getMessage(), e);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	286	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	287	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	288	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	289
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	290	// reset the previous public key
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	291	prevPubKey = currPubKey;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	292
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	293	// check the extended key usage, ignore the check now
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	294	// List<String> extendedKeyUsages = x509Cert.getExtendedKeyUsage();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	295
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	296	// DO NOT remove any unresolved critical extensions
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	297	}
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	298
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	299	/**
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	300	* Try to set the trust anchor of the checker.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	301	* <p>
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	302	* If there is no trust anchor specified and the checker has not started,
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	303	* set the trust anchor.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	304	*
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	305	* @param anchor the trust anchor selected to validate the target
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	306	* certificate
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	307	*/
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	308	void trySetTrustAnchor(TrustAnchor anchor) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	309	// Don't bother if the check has started or trust anchor has already
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	310	// specified.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	311	if (prevPubKey == null) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	312	if (anchor == null) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	313	throw new IllegalArgumentException(
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	314	"The trust anchor cannot be null");
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	315	}
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	316
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	317	// Don't bother to change the trustedPubKey.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	318	if (anchor.getTrustedCert() != null) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	319	prevPubKey = anchor.getTrustedCert().getPublicKey();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	320	} else {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	321	prevPubKey = anchor.getCAPublicKey();
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	322	}
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	323	}
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	324	}
227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	325
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	326	/**
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	327	* Check the signature algorithm with the specified public key.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	328	*
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	329	* @param key the public key to verify the CRL signature
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	330	* @param crl the target CRL
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	331	*/
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	332	static void check(PublicKey key, X509CRL crl)
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	333	throws CertPathValidatorException {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	334
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	335	X509CRLImpl x509CRLImpl = null;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	336	try {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	337	x509CRLImpl = X509CRLImpl.toImpl(crl);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	338	} catch (CRLException ce) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	339	throw new CertPathValidatorException(ce);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	340	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	341
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	342	AlgorithmId algorithmId = x509CRLImpl.getSigAlgId();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	343	check(key, algorithmId);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	344	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	345
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	346	/**
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	347	* Check the signature algorithm with the specified public key.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	348	*
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	349	* @param key the public key to verify the CRL signature
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	350	* @param crl the target CRL
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	351	*/
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	352	static void check(PublicKey key, AlgorithmId algorithmId)
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	353	throws CertPathValidatorException {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	354	String sigAlgName = algorithmId.getName();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	355	AlgorithmParameters sigAlgParams = algorithmId.getParameters();
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	356
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	357	if (!certPathDefaultConstraints.permits(
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	358	SIGNATURE_PRIMITIVE_SET, sigAlgName, key, sigAlgParams)) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	359	throw new CertPathValidatorException(
8163 d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm xuelei parents: 7040 diff changeset	360	"algorithm check failed: " + sigAlgName + " is disabled",
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm xuelei parents: 7040 diff changeset	361	null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	362	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	363	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	364
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: diff changeset	365	}
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	366

author	martin
	Tue, 15 Sep 2015 21:56:04 -0700
changeset 32649	2ee9017c7597
parent 25859	3317bb8137f4
child 33297	5970d160cbc0
permissions	-rw-r--r--