jdk-sandbox: jdk/src/java.base/share/classes/sun/security/validator/SimpleValidator.java@2ee9017c7597 (annotated)

2 90ce3da70b43 Initial load duke parents: diff changeset	1	/*
31688 42c9b194a469 8073894: Getting to the root of certificate chains mullan parents: 25859 diff changeset	2	* Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
2 90ce3da70b43 Initial load duke parents: diff changeset	3	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
90ce3da70b43 Initial load duke parents: diff changeset	4	*
90ce3da70b43 Initial load duke parents: diff changeset	5	* This code is free software; you can redistribute it and/or modify it
90ce3da70b43 Initial load duke parents: diff changeset	6	* under the terms of the GNU General Public License version 2 only, as
5506 202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 4190 diff changeset	7	* published by the Free Software Foundation. Oracle designates this
2 90ce3da70b43 Initial load duke parents: diff changeset	8	* particular file as subject to the "Classpath" exception as provided
5506 202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 4190 diff changeset	9	* by Oracle in the LICENSE file that accompanied this code.
2 90ce3da70b43 Initial load duke parents: diff changeset	10	*
90ce3da70b43 Initial load duke parents: diff changeset	11	* This code is distributed in the hope that it will be useful, but WITHOUT
90ce3da70b43 Initial load duke parents: diff changeset	12	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
90ce3da70b43 Initial load duke parents: diff changeset	13	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
90ce3da70b43 Initial load duke parents: diff changeset	14	* version 2 for more details (a copy is included in the LICENSE file that
90ce3da70b43 Initial load duke parents: diff changeset	15	* accompanied this code).
90ce3da70b43 Initial load duke parents: diff changeset	16	*
90ce3da70b43 Initial load duke parents: diff changeset	17	* You should have received a copy of the GNU General Public License version
90ce3da70b43 Initial load duke parents: diff changeset	18	* 2 along with this work; if not, write to the Free Software Foundation,
90ce3da70b43 Initial load duke parents: diff changeset	19	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
90ce3da70b43 Initial load duke parents: diff changeset	20	*
5506 202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 4190 diff changeset	21	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 4190 diff changeset	22	* or visit www.oracle.com if you need additional information or have any
202f599c92aa 6943119: Rebrand source copyright notices ohair parents: 4190 diff changeset	23	* questions.
2 90ce3da70b43 Initial load duke parents: diff changeset	24	*/
90ce3da70b43 Initial load duke parents: diff changeset	25
90ce3da70b43 Initial load duke parents: diff changeset	26	package sun.security.validator;
90ce3da70b43 Initial load duke parents: diff changeset	27
90ce3da70b43 Initial load duke parents: diff changeset	28	import java.io.IOException;
90ce3da70b43 Initial load duke parents: diff changeset	29	import java.util.*;
90ce3da70b43 Initial load duke parents: diff changeset	30
90ce3da70b43 Initial load duke parents: diff changeset	31	import java.security.*;
90ce3da70b43 Initial load duke parents: diff changeset	32	import java.security.cert.*;
90ce3da70b43 Initial load duke parents: diff changeset	33
90ce3da70b43 Initial load duke parents: diff changeset	34	import javax.security.auth.x500.X500Principal;
90ce3da70b43 Initial load duke parents: diff changeset	35
90ce3da70b43 Initial load duke parents: diff changeset	36	import sun.security.x509.X509CertImpl;
90ce3da70b43 Initial load duke parents: diff changeset	37	import sun.security.x509.NetscapeCertTypeExtension;
90ce3da70b43 Initial load duke parents: diff changeset	38	import sun.security.util.DerValue;
90ce3da70b43 Initial load duke parents: diff changeset	39	import sun.security.util.DerInputStream;
90ce3da70b43 Initial load duke parents: diff changeset	40	import sun.security.util.ObjectIdentifier;
90ce3da70b43 Initial load duke parents: diff changeset	41
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: 2926 diff changeset	42	import sun.security.provider.certpath.AlgorithmChecker;
11900 9b1d5bef8038 7123519: problems with certification path xuelei parents: 8163 diff changeset	43	import sun.security.provider.certpath.UntrustedChecker;
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: 2926 diff changeset	44
2 90ce3da70b43 Initial load duke parents: diff changeset	45	/**
90ce3da70b43 Initial load duke parents: diff changeset	46	* A simple validator implementation. It is based on code from the JSSE
90ce3da70b43 Initial load duke parents: diff changeset	47	* X509TrustManagerImpl. This implementation is designed for compatibility with
90ce3da70b43 Initial load duke parents: diff changeset	48	* deployed certificates and previous J2SE versions. It will never support
90ce3da70b43 Initial load duke parents: diff changeset	49	* more advanced features and will be deemphasized in favor of the PKIX
90ce3da70b43 Initial load duke parents: diff changeset	50	* validator going forward.
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	51	* <p>
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	52	* {@code SimpleValidator} objects are immutable once they have been created.
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	53	* Please DO NOT add methods that can change the state of an instance once
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	54	* it has been created.
2 90ce3da70b43 Initial load duke parents: diff changeset	55	*
90ce3da70b43 Initial load duke parents: diff changeset	56	* @author Andreas Sterbenz
90ce3da70b43 Initial load duke parents: diff changeset	57	*/
90ce3da70b43 Initial load duke parents: diff changeset	58	public final class SimpleValidator extends Validator {
90ce3da70b43 Initial load duke parents: diff changeset	59
90ce3da70b43 Initial load duke parents: diff changeset	60	// Constants for the OIDs we need
90ce3da70b43 Initial load duke parents: diff changeset	61
32649 2ee9017c7597 8136583: Core libraries should use blessed modifier order martin parents: 32032 diff changeset	62	static final String OID_BASIC_CONSTRAINTS = "2.5.29.19";
2 90ce3da70b43 Initial load duke parents: diff changeset	63
32649 2ee9017c7597 8136583: Core libraries should use blessed modifier order martin parents: 32032 diff changeset	64	static final String OID_NETSCAPE_CERT_TYPE = "2.16.840.1.113730.1.1";
2 90ce3da70b43 Initial load duke parents: diff changeset	65
32649 2ee9017c7597 8136583: Core libraries should use blessed modifier order martin parents: 32032 diff changeset	66	static final String OID_KEY_USAGE = "2.5.29.15";
2 90ce3da70b43 Initial load duke parents: diff changeset	67
32649 2ee9017c7597 8136583: Core libraries should use blessed modifier order martin parents: 32032 diff changeset	68	static final String OID_EXTENDED_KEY_USAGE = "2.5.29.37";
2 90ce3da70b43 Initial load duke parents: diff changeset	69
32649 2ee9017c7597 8136583: Core libraries should use blessed modifier order martin parents: 32032 diff changeset	70	static final String OID_EKU_ANY_USAGE = "2.5.29.37.0";
2 90ce3da70b43 Initial load duke parents: diff changeset	71
32649 2ee9017c7597 8136583: Core libraries should use blessed modifier order martin parents: 32032 diff changeset	72	static final ObjectIdentifier OBJID_NETSCAPE_CERT_TYPE =
2 90ce3da70b43 Initial load duke parents: diff changeset	73	NetscapeCertTypeExtension.NetscapeCertType_Id;
90ce3da70b43 Initial load duke parents: diff changeset	74
32649 2ee9017c7597 8136583: Core libraries should use blessed modifier order martin parents: 32032 diff changeset	75	private static final String NSCT_SSL_CA =
2 90ce3da70b43 Initial load duke parents: diff changeset	76	NetscapeCertTypeExtension.SSL_CA;
90ce3da70b43 Initial load duke parents: diff changeset	77
32649 2ee9017c7597 8136583: Core libraries should use blessed modifier order martin parents: 32032 diff changeset	78	private static final String NSCT_CODE_SIGNING_CA =
2 90ce3da70b43 Initial load duke parents: diff changeset	79	NetscapeCertTypeExtension.OBJECT_SIGNING_CA;
90ce3da70b43 Initial load duke parents: diff changeset	80
90ce3da70b43 Initial load duke parents: diff changeset	81	/**
90ce3da70b43 Initial load duke parents: diff changeset	82	* The trusted certificates as:
90ce3da70b43 Initial load duke parents: diff changeset	83	* Map (X500Principal)subject of trusted cert -> List of X509Certificate
90ce3da70b43 Initial load duke parents: diff changeset	84	* The list is used because there may be multiple certificates
90ce3da70b43 Initial load duke parents: diff changeset	85	* with an identical subject DN.
90ce3da70b43 Initial load duke parents: diff changeset	86	*/
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	87	private final Map<X500Principal, List<X509Certificate>>
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	88	trustedX500Principals;
2 90ce3da70b43 Initial load duke parents: diff changeset	89
90ce3da70b43 Initial load duke parents: diff changeset	90	/**
90ce3da70b43 Initial load duke parents: diff changeset	91	* Set of the trusted certificates. Present only for
90ce3da70b43 Initial load duke parents: diff changeset	92	* getTrustedCertificates().
90ce3da70b43 Initial load duke parents: diff changeset	93	*/
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	94	private final Collection<X509Certificate> trustedCerts;
2 90ce3da70b43 Initial load duke parents: diff changeset	95
90ce3da70b43 Initial load duke parents: diff changeset	96	SimpleValidator(String variant, Collection<X509Certificate> trustedCerts) {
90ce3da70b43 Initial load duke parents: diff changeset	97	super(TYPE_SIMPLE, variant);
90ce3da70b43 Initial load duke parents: diff changeset	98	this.trustedCerts = trustedCerts;
90ce3da70b43 Initial load duke parents: diff changeset	99	trustedX500Principals =
90ce3da70b43 Initial load duke parents: diff changeset	100	new HashMap<X500Principal, List<X509Certificate>>();
90ce3da70b43 Initial load duke parents: diff changeset	101	for (X509Certificate cert : trustedCerts) {
90ce3da70b43 Initial load duke parents: diff changeset	102	X500Principal principal = cert.getSubjectX500Principal();
90ce3da70b43 Initial load duke parents: diff changeset	103	List<X509Certificate> list = trustedX500Principals.get(principal);
90ce3da70b43 Initial load duke parents: diff changeset	104	if (list == null) {
90ce3da70b43 Initial load duke parents: diff changeset	105	// this actually should be a set, but duplicate entries
90ce3da70b43 Initial load duke parents: diff changeset	106	// are not a problem and we can avoid the Set overhead
90ce3da70b43 Initial load duke parents: diff changeset	107	list = new ArrayList<X509Certificate>(2);
90ce3da70b43 Initial load duke parents: diff changeset	108	trustedX500Principals.put(principal, list);
90ce3da70b43 Initial load duke parents: diff changeset	109	}
90ce3da70b43 Initial load duke parents: diff changeset	110	list.add(cert);
90ce3da70b43 Initial load duke parents: diff changeset	111	}
90ce3da70b43 Initial load duke parents: diff changeset	112	}
90ce3da70b43 Initial load duke parents: diff changeset	113
90ce3da70b43 Initial load duke parents: diff changeset	114	public Collection<X509Certificate> getTrustedCertificates() {
90ce3da70b43 Initial load duke parents: diff changeset	115	return trustedCerts;
90ce3da70b43 Initial load duke parents: diff changeset	116	}
90ce3da70b43 Initial load duke parents: diff changeset	117
90ce3da70b43 Initial load duke parents: diff changeset	118	/**
90ce3da70b43 Initial load duke parents: diff changeset	119	* Perform simple validation of chain. The arguments otherCerts and
90ce3da70b43 Initial load duke parents: diff changeset	120	* parameter are ignored.
90ce3da70b43 Initial load duke parents: diff changeset	121	*/
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	122	@Override
2 90ce3da70b43 Initial load duke parents: diff changeset	123	X509Certificate[] engineValidate(X509Certificate[] chain,
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	124	Collection<X509Certificate> otherCerts,
32032 22badc53802f 8046321: OCSP Stapling for TLS jnimeh parents: 31688 diff changeset	125	List<byte[]> responseList,
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	126	AlgorithmConstraints constraints,
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	127	Object parameter) throws CertificateException {
2 90ce3da70b43 Initial load duke parents: diff changeset	128	if ((chain == null) \|\| (chain.length == 0)) {
90ce3da70b43 Initial load duke parents: diff changeset	129	throw new CertificateException
90ce3da70b43 Initial load duke parents: diff changeset	130	("null or zero-length certificate chain");
90ce3da70b43 Initial load duke parents: diff changeset	131	}
90ce3da70b43 Initial load duke parents: diff changeset	132
90ce3da70b43 Initial load duke parents: diff changeset	133	// make sure chain includes a trusted cert
90ce3da70b43 Initial load duke parents: diff changeset	134	chain = buildTrustedChain(chain);
90ce3da70b43 Initial load duke parents: diff changeset	135
10709 d865c9f21240 7092375: Security Libraries don't build with javac -Werror xuelei parents: 10336 diff changeset	136	@SuppressWarnings("deprecation")
2 90ce3da70b43 Initial load duke parents: diff changeset	137	Date date = validationDate;
90ce3da70b43 Initial load duke parents: diff changeset	138	if (date == null) {
90ce3da70b43 Initial load duke parents: diff changeset	139	date = new Date();
90ce3da70b43 Initial load duke parents: diff changeset	140	}
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	141
11900 9b1d5bef8038 7123519: problems with certification path xuelei parents: 8163 diff changeset	142	// create distrusted certificates checker
9b1d5bef8038 7123519: problems with certification path xuelei parents: 8163 diff changeset	143	UntrustedChecker untrustedChecker = new UntrustedChecker();
9b1d5bef8038 7123519: problems with certification path xuelei parents: 8163 diff changeset	144
31688 42c9b194a469 8073894: Getting to the root of certificate chains mullan parents: 25859 diff changeset	145	// check if anchor is untrusted
42c9b194a469 8073894: Getting to the root of certificate chains mullan parents: 25859 diff changeset	146	X509Certificate anchorCert = chain[chain.length - 1];
42c9b194a469 8073894: Getting to the root of certificate chains mullan parents: 25859 diff changeset	147	try {
42c9b194a469 8073894: Getting to the root of certificate chains mullan parents: 25859 diff changeset	148	untrustedChecker.check(anchorCert);
42c9b194a469 8073894: Getting to the root of certificate chains mullan parents: 25859 diff changeset	149	} catch (CertPathValidatorException cpve) {
42c9b194a469 8073894: Getting to the root of certificate chains mullan parents: 25859 diff changeset	150	throw new ValidatorException(
42c9b194a469 8073894: Getting to the root of certificate chains mullan parents: 25859 diff changeset	151	"Untrusted certificate: "+ anchorCert.getSubjectX500Principal(),
42c9b194a469 8073894: Getting to the root of certificate chains mullan parents: 25859 diff changeset	152	ValidatorException.T_UNTRUSTED_CERT, anchorCert, cpve);
42c9b194a469 8073894: Getting to the root of certificate chains mullan parents: 25859 diff changeset	153	}
42c9b194a469 8073894: Getting to the root of certificate chains mullan parents: 25859 diff changeset	154
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	155	// create default algorithm constraints checker
31688 42c9b194a469 8073894: Getting to the root of certificate chains mullan parents: 25859 diff changeset	156	TrustAnchor anchor = new TrustAnchor(anchorCert, null);
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	157	AlgorithmChecker defaultAlgChecker = new AlgorithmChecker(anchor);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	158
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	159	// create application level algorithm constraints checker
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	160	AlgorithmChecker appAlgChecker = null;
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	161	if (constraints != null) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	162	appAlgChecker = new AlgorithmChecker(anchor, constraints);
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	163	}
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	164
2 90ce3da70b43 Initial load duke parents: diff changeset	165	// verify top down, starting at the certificate issued by
90ce3da70b43 Initial load duke parents: diff changeset	166	// the trust anchor
2926 6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	167	int maxPathLength = chain.length - 1;
2 90ce3da70b43 Initial load duke parents: diff changeset	168	for (int i = chain.length - 2; i >= 0; i--) {
90ce3da70b43 Initial load duke parents: diff changeset	169	X509Certificate issuerCert = chain[i + 1];
90ce3da70b43 Initial load duke parents: diff changeset	170	X509Certificate cert = chain[i];
90ce3da70b43 Initial load duke parents: diff changeset	171
11900 9b1d5bef8038 7123519: problems with certification path xuelei parents: 8163 diff changeset	172	// check untrusted certificate
9b1d5bef8038 7123519: problems with certification path xuelei parents: 8163 diff changeset	173	try {
9b1d5bef8038 7123519: problems with certification path xuelei parents: 8163 diff changeset	174	// Untrusted checker does not care about the unresolved
9b1d5bef8038 7123519: problems with certification path xuelei parents: 8163 diff changeset	175	// critical extensions.
9b1d5bef8038 7123519: problems with certification path xuelei parents: 8163 diff changeset	176	untrustedChecker.check(cert, Collections.<String>emptySet());
9b1d5bef8038 7123519: problems with certification path xuelei parents: 8163 diff changeset	177	} catch (CertPathValidatorException cpve) {
9b1d5bef8038 7123519: problems with certification path xuelei parents: 8163 diff changeset	178	throw new ValidatorException(
9b1d5bef8038 7123519: problems with certification path xuelei parents: 8163 diff changeset	179	"Untrusted certificate: " + cert.getSubjectX500Principal(),
9b1d5bef8038 7123519: problems with certification path xuelei parents: 8163 diff changeset	180	ValidatorException.T_UNTRUSTED_CERT, cert, cpve);
9b1d5bef8038 7123519: problems with certification path xuelei parents: 8163 diff changeset	181	}
9b1d5bef8038 7123519: problems with certification path xuelei parents: 8163 diff changeset	182
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: 2926 diff changeset	183	// check certificate algorithm
227655c2ff8c 6861062: Disable MD2 support xuelei parents: 2926 diff changeset	184	try {
8163 d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm xuelei parents: 7040 diff changeset	185	// Algorithm checker does not care about the unresolved
d9bcc1208691 7011497: new CertPathValidatorException.BasicReason enum constant for constrained algorithm xuelei parents: 7040 diff changeset	186	// critical extensions.
7040 659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	187	defaultAlgChecker.check(cert, Collections.<String>emptySet());
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	188	if (appAlgChecker != null) {
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	189	appAlgChecker.check(cert, Collections.<String>emptySet());
659824c2a550 6792180: Enhance to reject weak algorithms or conform to crypto recommendations xuelei parents: 5506 diff changeset	190	}
4190 227655c2ff8c 6861062: Disable MD2 support xuelei parents: 2926 diff changeset	191	} catch (CertPathValidatorException cpve) {
227655c2ff8c 6861062: Disable MD2 support xuelei parents: 2926 diff changeset	192	throw new ValidatorException
227655c2ff8c 6861062: Disable MD2 support xuelei parents: 2926 diff changeset	193	(ValidatorException.T_ALGORITHM_DISABLED, cert, cpve);
227655c2ff8c 6861062: Disable MD2 support xuelei parents: 2926 diff changeset	194	}
2 90ce3da70b43 Initial load duke parents: diff changeset	195
90ce3da70b43 Initial load duke parents: diff changeset	196	// no validity check for code signing certs
90ce3da70b43 Initial load duke parents: diff changeset	197	if ((variant.equals(VAR_CODE_SIGNING) == false)
90ce3da70b43 Initial load duke parents: diff changeset	198	&& (variant.equals(VAR_JCE_SIGNING) == false)) {
90ce3da70b43 Initial load duke parents: diff changeset	199	cert.checkValidity(date);
90ce3da70b43 Initial load duke parents: diff changeset	200	}
90ce3da70b43 Initial load duke parents: diff changeset	201
90ce3da70b43 Initial load duke parents: diff changeset	202	// check name chaining
90ce3da70b43 Initial load duke parents: diff changeset	203	if (cert.getIssuerX500Principal().equals(
90ce3da70b43 Initial load duke parents: diff changeset	204	issuerCert.getSubjectX500Principal()) == false) {
90ce3da70b43 Initial load duke parents: diff changeset	205	throw new ValidatorException
90ce3da70b43 Initial load duke parents: diff changeset	206	(ValidatorException.T_NAME_CHAINING, cert);
90ce3da70b43 Initial load duke parents: diff changeset	207	}
90ce3da70b43 Initial load duke parents: diff changeset	208
90ce3da70b43 Initial load duke parents: diff changeset	209	// check signature
90ce3da70b43 Initial load duke parents: diff changeset	210	try {
90ce3da70b43 Initial load duke parents: diff changeset	211	cert.verify(issuerCert.getPublicKey());
90ce3da70b43 Initial load duke parents: diff changeset	212	} catch (GeneralSecurityException e) {
90ce3da70b43 Initial load duke parents: diff changeset	213	throw new ValidatorException
90ce3da70b43 Initial load duke parents: diff changeset	214	(ValidatorException.T_SIGNATURE_ERROR, cert, e);
90ce3da70b43 Initial load duke parents: diff changeset	215	}
90ce3da70b43 Initial load duke parents: diff changeset	216
90ce3da70b43 Initial load duke parents: diff changeset	217	// check extensions for CA certs
90ce3da70b43 Initial load duke parents: diff changeset	218	if (i != 0) {
2926 6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	219	maxPathLength = checkExtensions(cert, maxPathLength);
2 90ce3da70b43 Initial load duke parents: diff changeset	220	}
90ce3da70b43 Initial load duke parents: diff changeset	221	}
90ce3da70b43 Initial load duke parents: diff changeset	222
90ce3da70b43 Initial load duke parents: diff changeset	223	return chain;
90ce3da70b43 Initial load duke parents: diff changeset	224	}
90ce3da70b43 Initial load duke parents: diff changeset	225
2926 6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	226	private int checkExtensions(X509Certificate cert, int maxPathLen)
2 90ce3da70b43 Initial load duke parents: diff changeset	227	throws CertificateException {
90ce3da70b43 Initial load duke parents: diff changeset	228	Set<String> critSet = cert.getCriticalExtensionOIDs();
90ce3da70b43 Initial load duke parents: diff changeset	229	if (critSet == null) {
90ce3da70b43 Initial load duke parents: diff changeset	230	critSet = Collections.<String>emptySet();
90ce3da70b43 Initial load duke parents: diff changeset	231	}
90ce3da70b43 Initial load duke parents: diff changeset	232
90ce3da70b43 Initial load duke parents: diff changeset	233	// Check the basic constraints extension
2926 6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	234	int pathLenConstraint =
6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	235	checkBasicConstraints(cert, critSet, maxPathLen);
2 90ce3da70b43 Initial load duke parents: diff changeset	236
90ce3da70b43 Initial load duke parents: diff changeset	237	// Check the key usage and extended key usage extensions
90ce3da70b43 Initial load duke parents: diff changeset	238	checkKeyUsage(cert, critSet);
90ce3da70b43 Initial load duke parents: diff changeset	239
90ce3da70b43 Initial load duke parents: diff changeset	240	// check Netscape certificate type extension
90ce3da70b43 Initial load duke parents: diff changeset	241	checkNetscapeCertType(cert, critSet);
90ce3da70b43 Initial load duke parents: diff changeset	242
90ce3da70b43 Initial load duke parents: diff changeset	243	if (!critSet.isEmpty()) {
90ce3da70b43 Initial load duke parents: diff changeset	244	throw new ValidatorException
90ce3da70b43 Initial load duke parents: diff changeset	245	("Certificate contains unknown critical extensions: " + critSet,
90ce3da70b43 Initial load duke parents: diff changeset	246	ValidatorException.T_CA_EXTENSIONS, cert);
90ce3da70b43 Initial load duke parents: diff changeset	247	}
2926 6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	248
6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	249	return pathLenConstraint;
2 90ce3da70b43 Initial load duke parents: diff changeset	250	}
90ce3da70b43 Initial load duke parents: diff changeset	251
90ce3da70b43 Initial load duke parents: diff changeset	252	private void checkNetscapeCertType(X509Certificate cert,
90ce3da70b43 Initial load duke parents: diff changeset	253	Set<String> critSet) throws CertificateException {
90ce3da70b43 Initial load duke parents: diff changeset	254	if (variant.equals(VAR_GENERIC)) {
90ce3da70b43 Initial load duke parents: diff changeset	255	// nothing
90ce3da70b43 Initial load duke parents: diff changeset	256	} else if (variant.equals(VAR_TLS_CLIENT)
90ce3da70b43 Initial load duke parents: diff changeset	257	\|\| variant.equals(VAR_TLS_SERVER)) {
90ce3da70b43 Initial load duke parents: diff changeset	258	if (getNetscapeCertTypeBit(cert, NSCT_SSL_CA) == false) {
90ce3da70b43 Initial load duke parents: diff changeset	259	throw new ValidatorException
90ce3da70b43 Initial load duke parents: diff changeset	260	("Invalid Netscape CertType extension for SSL CA "
90ce3da70b43 Initial load duke parents: diff changeset	261	+ "certificate",
90ce3da70b43 Initial load duke parents: diff changeset	262	ValidatorException.T_CA_EXTENSIONS, cert);
90ce3da70b43 Initial load duke parents: diff changeset	263	}
90ce3da70b43 Initial load duke parents: diff changeset	264	critSet.remove(OID_NETSCAPE_CERT_TYPE);
90ce3da70b43 Initial load duke parents: diff changeset	265	} else if (variant.equals(VAR_CODE_SIGNING)
90ce3da70b43 Initial load duke parents: diff changeset	266	\|\| variant.equals(VAR_JCE_SIGNING)) {
90ce3da70b43 Initial load duke parents: diff changeset	267	if (getNetscapeCertTypeBit(cert, NSCT_CODE_SIGNING_CA) == false) {
90ce3da70b43 Initial load duke parents: diff changeset	268	throw new ValidatorException
90ce3da70b43 Initial load duke parents: diff changeset	269	("Invalid Netscape CertType extension for code "
90ce3da70b43 Initial load duke parents: diff changeset	270	+ "signing CA certificate",
90ce3da70b43 Initial load duke parents: diff changeset	271	ValidatorException.T_CA_EXTENSIONS, cert);
90ce3da70b43 Initial load duke parents: diff changeset	272	}
90ce3da70b43 Initial load duke parents: diff changeset	273	critSet.remove(OID_NETSCAPE_CERT_TYPE);
90ce3da70b43 Initial load duke parents: diff changeset	274	} else {
90ce3da70b43 Initial load duke parents: diff changeset	275	throw new CertificateException("Unknown variant " + variant);
90ce3da70b43 Initial load duke parents: diff changeset	276	}
90ce3da70b43 Initial load duke parents: diff changeset	277	}
90ce3da70b43 Initial load duke parents: diff changeset	278
90ce3da70b43 Initial load duke parents: diff changeset	279	/**
90ce3da70b43 Initial load duke parents: diff changeset	280	* Get the value of the specified bit in the Netscape certificate type
90ce3da70b43 Initial load duke parents: diff changeset	281	* extension. If the extension is not present at all, we return true.
90ce3da70b43 Initial load duke parents: diff changeset	282	*/
90ce3da70b43 Initial load duke parents: diff changeset	283	static boolean getNetscapeCertTypeBit(X509Certificate cert, String type) {
90ce3da70b43 Initial load duke parents: diff changeset	284	try {
90ce3da70b43 Initial load duke parents: diff changeset	285	NetscapeCertTypeExtension ext;
90ce3da70b43 Initial load duke parents: diff changeset	286	if (cert instanceof X509CertImpl) {
90ce3da70b43 Initial load duke parents: diff changeset	287	X509CertImpl certImpl = (X509CertImpl)cert;
90ce3da70b43 Initial load duke parents: diff changeset	288	ObjectIdentifier oid = OBJID_NETSCAPE_CERT_TYPE;
90ce3da70b43 Initial load duke parents: diff changeset	289	ext = (NetscapeCertTypeExtension)certImpl.getExtension(oid);
90ce3da70b43 Initial load duke parents: diff changeset	290	if (ext == null) {
90ce3da70b43 Initial load duke parents: diff changeset	291	return true;
90ce3da70b43 Initial load duke parents: diff changeset	292	}
90ce3da70b43 Initial load duke parents: diff changeset	293	} else {
90ce3da70b43 Initial load duke parents: diff changeset	294	byte[] extVal = cert.getExtensionValue(OID_NETSCAPE_CERT_TYPE);
90ce3da70b43 Initial load duke parents: diff changeset	295	if (extVal == null) {
90ce3da70b43 Initial load duke parents: diff changeset	296	return true;
90ce3da70b43 Initial load duke parents: diff changeset	297	}
90ce3da70b43 Initial load duke parents: diff changeset	298	DerInputStream in = new DerInputStream(extVal);
90ce3da70b43 Initial load duke parents: diff changeset	299	byte[] encoded = in.getOctetString();
90ce3da70b43 Initial load duke parents: diff changeset	300	encoded = new DerValue(encoded).getUnalignedBitString()
90ce3da70b43 Initial load duke parents: diff changeset	301	.toByteArray();
90ce3da70b43 Initial load duke parents: diff changeset	302	ext = new NetscapeCertTypeExtension(encoded);
90ce3da70b43 Initial load duke parents: diff changeset	303	}
10336 0bb1999251f8 7064075: Security libraries don't build with javac -Xlint:all,-deprecation -Werror jjg parents: 8163 diff changeset	304	Boolean val = ext.get(type);
2 90ce3da70b43 Initial load duke parents: diff changeset	305	return val.booleanValue();
90ce3da70b43 Initial load duke parents: diff changeset	306	} catch (IOException e) {
90ce3da70b43 Initial load duke parents: diff changeset	307	return false;
90ce3da70b43 Initial load duke parents: diff changeset	308	}
90ce3da70b43 Initial load duke parents: diff changeset	309	}
90ce3da70b43 Initial load duke parents: diff changeset	310
2926 6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	311	private int checkBasicConstraints(X509Certificate cert,
6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	312	Set<String> critSet, int maxPathLen) throws CertificateException {
2 90ce3da70b43 Initial load duke parents: diff changeset	313
90ce3da70b43 Initial load duke parents: diff changeset	314	critSet.remove(OID_BASIC_CONSTRAINTS);
90ce3da70b43 Initial load duke parents: diff changeset	315	int constraints = cert.getBasicConstraints();
90ce3da70b43 Initial load duke parents: diff changeset	316	// reject, if extension missing or not a CA (constraints == -1)
90ce3da70b43 Initial load duke parents: diff changeset	317	if (constraints < 0) {
90ce3da70b43 Initial load duke parents: diff changeset	318	throw new ValidatorException("End user tried to act as a CA",
90ce3da70b43 Initial load duke parents: diff changeset	319	ValidatorException.T_CA_EXTENSIONS, cert);
90ce3da70b43 Initial load duke parents: diff changeset	320	}
2926 6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	321
6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	322	// if the certificate is self-issued, ignore the pathLenConstraint
6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	323	// checking.
6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	324	if (!X509CertImpl.isSelfIssued(cert)) {
12678 e40db477dd56 7166570: JSSE certificate validation has started to fail for certificate chains xuelei parents: 11902 diff changeset	325	if (maxPathLen <= 0) {
2926 6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	326	throw new ValidatorException("Violated path length constraints",
6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	327	ValidatorException.T_CA_EXTENSIONS, cert);
6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	328	}
6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	329
6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	330	maxPathLen--;
2 90ce3da70b43 Initial load duke parents: diff changeset	331	}
2926 6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	332
6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	333	if (maxPathLen > constraints) {
6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	334	maxPathLen = constraints;
6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	335	}
6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	336
6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	337	return maxPathLen;
2 90ce3da70b43 Initial load duke parents: diff changeset	338	}
90ce3da70b43 Initial load duke parents: diff changeset	339
90ce3da70b43 Initial load duke parents: diff changeset	340	/*
90ce3da70b43 Initial load duke parents: diff changeset	341	* Verify the key usage and extended key usage for intermediate
90ce3da70b43 Initial load duke parents: diff changeset	342	* certificates.
90ce3da70b43 Initial load duke parents: diff changeset	343	*/
90ce3da70b43 Initial load duke parents: diff changeset	344	private void checkKeyUsage(X509Certificate cert, Set<String> critSet)
90ce3da70b43 Initial load duke parents: diff changeset	345	throws CertificateException {
90ce3da70b43 Initial load duke parents: diff changeset	346
90ce3da70b43 Initial load duke parents: diff changeset	347	critSet.remove(OID_KEY_USAGE);
90ce3da70b43 Initial load duke parents: diff changeset	348	// EKU irrelevant in CA certificates
90ce3da70b43 Initial load duke parents: diff changeset	349	critSet.remove(OID_EXTENDED_KEY_USAGE);
90ce3da70b43 Initial load duke parents: diff changeset	350
90ce3da70b43 Initial load duke parents: diff changeset	351	// check key usage extension
90ce3da70b43 Initial load duke parents: diff changeset	352	boolean[] keyUsageInfo = cert.getKeyUsage();
90ce3da70b43 Initial load duke parents: diff changeset	353	if (keyUsageInfo != null) {
90ce3da70b43 Initial load duke parents: diff changeset	354	// keyUsageInfo[5] is for keyCertSign.
90ce3da70b43 Initial load duke parents: diff changeset	355	if ((keyUsageInfo.length < 6) \|\| (keyUsageInfo[5] == false)) {
90ce3da70b43 Initial load duke parents: diff changeset	356	throw new ValidatorException
90ce3da70b43 Initial load duke parents: diff changeset	357	("Wrong key usage: expected keyCertSign",
90ce3da70b43 Initial load duke parents: diff changeset	358	ValidatorException.T_CA_EXTENSIONS, cert);
90ce3da70b43 Initial load duke parents: diff changeset	359	}
90ce3da70b43 Initial load duke parents: diff changeset	360	}
90ce3da70b43 Initial load duke parents: diff changeset	361	}
90ce3da70b43 Initial load duke parents: diff changeset	362
90ce3da70b43 Initial load duke parents: diff changeset	363	/**
90ce3da70b43 Initial load duke parents: diff changeset	364	* Build a trusted certificate chain. This method always returns a chain
90ce3da70b43 Initial load duke parents: diff changeset	365	* with a trust anchor as the final cert in the chain. If no trust anchor
90ce3da70b43 Initial load duke parents: diff changeset	366	* could be found, a CertificateException is thrown.
90ce3da70b43 Initial load duke parents: diff changeset	367	*/
90ce3da70b43 Initial load duke parents: diff changeset	368	private X509Certificate[] buildTrustedChain(X509Certificate[] chain)
90ce3da70b43 Initial load duke parents: diff changeset	369	throws CertificateException {
90ce3da70b43 Initial load duke parents: diff changeset	370	List<X509Certificate> c = new ArrayList<X509Certificate>(chain.length);
90ce3da70b43 Initial load duke parents: diff changeset	371	// scan chain starting at EE cert
90ce3da70b43 Initial load duke parents: diff changeset	372	// if a trusted certificate is found, append it and return
90ce3da70b43 Initial load duke parents: diff changeset	373	for (int i = 0; i < chain.length; i++) {
90ce3da70b43 Initial load duke parents: diff changeset	374	X509Certificate cert = chain[i];
90ce3da70b43 Initial load duke parents: diff changeset	375	X509Certificate trustedCert = getTrustedCertificate(cert);
90ce3da70b43 Initial load duke parents: diff changeset	376	if (trustedCert != null) {
90ce3da70b43 Initial load duke parents: diff changeset	377	c.add(trustedCert);
90ce3da70b43 Initial load duke parents: diff changeset	378	return c.toArray(CHAIN0);
90ce3da70b43 Initial load duke parents: diff changeset	379	}
90ce3da70b43 Initial load duke parents: diff changeset	380	c.add(cert);
90ce3da70b43 Initial load duke parents: diff changeset	381	}
2926 6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	382
2 90ce3da70b43 Initial load duke parents: diff changeset	383	// check if we can append a trusted cert
90ce3da70b43 Initial load duke parents: diff changeset	384	X509Certificate cert = chain[chain.length - 1];
90ce3da70b43 Initial load duke parents: diff changeset	385	X500Principal subject = cert.getSubjectX500Principal();
90ce3da70b43 Initial load duke parents: diff changeset	386	X500Principal issuer = cert.getIssuerX500Principal();
2926 6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	387	List<X509Certificate> list = trustedX500Principals.get(issuer);
6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	388	if (list != null) {
6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	389	X509Certificate trustedCert = list.iterator().next();
6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	390	c.add(trustedCert);
6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	391	return c.toArray(CHAIN0);
2 90ce3da70b43 Initial load duke parents: diff changeset	392	}
2926 6fbaec35c792 6822460: support self-issued certificate xuelei parents: 2 diff changeset	393
2 90ce3da70b43 Initial load duke parents: diff changeset	394	// no trusted cert found, error
90ce3da70b43 Initial load duke parents: diff changeset	395	throw new ValidatorException(ValidatorException.T_NO_TRUST_ANCHOR);
90ce3da70b43 Initial load duke parents: diff changeset	396	}
90ce3da70b43 Initial load duke parents: diff changeset	397
90ce3da70b43 Initial load duke parents: diff changeset	398	/**
90ce3da70b43 Initial load duke parents: diff changeset	399	* Return a trusted certificate that matches the input certificate,
90ce3da70b43 Initial load duke parents: diff changeset	400	* or null if no such certificate can be found. This method also handles
90ce3da70b43 Initial load duke parents: diff changeset	401	* cases where a CA re-issues a trust anchor with the same public key and
90ce3da70b43 Initial load duke parents: diff changeset	402	* same subject and issuer names but a new validity period, etc.
90ce3da70b43 Initial load duke parents: diff changeset	403	*/
90ce3da70b43 Initial load duke parents: diff changeset	404	private X509Certificate getTrustedCertificate(X509Certificate cert) {
90ce3da70b43 Initial load duke parents: diff changeset	405	Principal certSubjectName = cert.getSubjectX500Principal();
90ce3da70b43 Initial load duke parents: diff changeset	406	List<X509Certificate> list = trustedX500Principals.get(certSubjectName);
90ce3da70b43 Initial load duke parents: diff changeset	407	if (list == null) {
90ce3da70b43 Initial load duke parents: diff changeset	408	return null;
90ce3da70b43 Initial load duke parents: diff changeset	409	}
90ce3da70b43 Initial load duke parents: diff changeset	410
90ce3da70b43 Initial load duke parents: diff changeset	411	Principal certIssuerName = cert.getIssuerX500Principal();
90ce3da70b43 Initial load duke parents: diff changeset	412	PublicKey certPublicKey = cert.getPublicKey();
90ce3da70b43 Initial load duke parents: diff changeset	413
90ce3da70b43 Initial load duke parents: diff changeset	414	for (X509Certificate mycert : list) {
90ce3da70b43 Initial load duke parents: diff changeset	415	if (mycert.equals(cert)) {
90ce3da70b43 Initial load duke parents: diff changeset	416	return cert;
90ce3da70b43 Initial load duke parents: diff changeset	417	}
90ce3da70b43 Initial load duke parents: diff changeset	418	if (!mycert.getIssuerX500Principal().equals(certIssuerName)) {
90ce3da70b43 Initial load duke parents: diff changeset	419	continue;
90ce3da70b43 Initial load duke parents: diff changeset	420	}
90ce3da70b43 Initial load duke parents: diff changeset	421	if (!mycert.getPublicKey().equals(certPublicKey)) {
90ce3da70b43 Initial load duke parents: diff changeset	422	continue;
90ce3da70b43 Initial load duke parents: diff changeset	423	}
90ce3da70b43 Initial load duke parents: diff changeset	424
90ce3da70b43 Initial load duke parents: diff changeset	425	// All tests pass, this must be the one to use...
90ce3da70b43 Initial load duke parents: diff changeset	426	return mycert;
90ce3da70b43 Initial load duke parents: diff changeset	427	}
90ce3da70b43 Initial load duke parents: diff changeset	428	return null;
90ce3da70b43 Initial load duke parents: diff changeset	429	}
90ce3da70b43 Initial load duke parents: diff changeset	430
90ce3da70b43 Initial load duke parents: diff changeset	431	}

author	martin
	Tue, 15 Sep 2015 21:56:04 -0700
changeset 32649	2ee9017c7597
parent 32032	22badc53802f
child 42464	38d967704a9f
permissions	-rw-r--r--