author | redestad |
Thu, 13 Dec 2018 15:31:05 +0100 | |
changeset 53018 | 8bf9268df0e2 |
parent 47216 | 71c04702a3d5 |
permissions | -rw-r--r-- |
31689 | 1 |
/* |
45394
6b54e8cd9b3d
8178728: Check the AlgorithmParameters in algorithm constraints
xuelei
parents:
41956
diff
changeset
|
2 |
* Copyright (c) 2015, 2017, Oracle and/or its affiliates. All rights reserved. |
31689 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
7 |
* published by the Free Software Foundation. Oracle designates this |
|
8 |
* particular file as subject to the "Classpath" exception as provided |
|
9 |
* by Oracle in the LICENSE file that accompanied this code. |
|
10 |
* |
|
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
24 |
*/ |
|
25 |
||
26 |
package sun.security.util; |
|
27 |
||
28 |
import java.util.HashSet; |
|
29 |
import java.util.Set; |
|
45394
6b54e8cd9b3d
8178728: Check the AlgorithmParameters in algorithm constraints
xuelei
parents:
41956
diff
changeset
|
30 |
import java.util.Arrays; |
6b54e8cd9b3d
8178728: Check the AlgorithmParameters in algorithm constraints
xuelei
parents:
41956
diff
changeset
|
31 |
import java.util.Collection; |
31689 | 32 |
import java.util.regex.Pattern; |
33 |
||
34 |
/** |
|
35 |
* The class decomposes standard algorithms into sub-elements. |
|
36 |
*/ |
|
37 |
public class AlgorithmDecomposer { |
|
38 |
||
34534
0d45108a3e62
8136410: AlgorithmDecomposer is not parsing padding correctly
xuelei
parents:
31689
diff
changeset
|
39 |
// '(?<!padd)in': match 'in' but not preceded with 'padd'. |
41956
69deb06bb8f1
8168911: Increased number of classes initialized during initialization of SignatureFileVerifier
redestad
parents:
37726
diff
changeset
|
40 |
private static final Pattern PATTERN = |
34534
0d45108a3e62
8136410: AlgorithmDecomposer is not parsing padding correctly
xuelei
parents:
31689
diff
changeset
|
41 |
Pattern.compile("with|and|(?<!padd)in", Pattern.CASE_INSENSITIVE); |
31689 | 42 |
|
37726
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
43 |
private static Set<String> decomposeImpl(String algorithm) { |
41956
69deb06bb8f1
8168911: Increased number of classes initialized during initialization of SignatureFileVerifier
redestad
parents:
37726
diff
changeset
|
44 |
Set<String> elements = new HashSet<>(); |
31689 | 45 |
|
46 |
// algorithm/mode/padding |
|
41956
69deb06bb8f1
8168911: Increased number of classes initialized during initialization of SignatureFileVerifier
redestad
parents:
37726
diff
changeset
|
47 |
String[] transTokens = algorithm.split("/"); |
31689 | 48 |
|
41956
69deb06bb8f1
8168911: Increased number of classes initialized during initialization of SignatureFileVerifier
redestad
parents:
37726
diff
changeset
|
49 |
for (String transToken : transTokens) { |
69deb06bb8f1
8168911: Increased number of classes initialized during initialization of SignatureFileVerifier
redestad
parents:
37726
diff
changeset
|
50 |
if (transToken == null || transToken.isEmpty()) { |
31689 | 51 |
continue; |
52 |
} |
|
53 |
||
54 |
// PBEWith<digest>And<encryption> |
|
55 |
// PBEWith<prf>And<encryption> |
|
56 |
// OAEPWith<digest>And<mgf>Padding |
|
57 |
// <digest>with<encryption> |
|
58 |
// <digest>with<encryption>and<mgf> |
|
59 |
// <digest>with<encryption>in<format> |
|
41956
69deb06bb8f1
8168911: Increased number of classes initialized during initialization of SignatureFileVerifier
redestad
parents:
37726
diff
changeset
|
60 |
String[] tokens = PATTERN.split(transToken); |
31689 | 61 |
|
62 |
for (String token : tokens) { |
|
41956
69deb06bb8f1
8168911: Increased number of classes initialized during initialization of SignatureFileVerifier
redestad
parents:
37726
diff
changeset
|
63 |
if (token == null || token.isEmpty()) { |
31689 | 64 |
continue; |
65 |
} |
|
66 |
||
67 |
elements.add(token); |
|
68 |
} |
|
69 |
} |
|
37726
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
70 |
return elements; |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
71 |
} |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
72 |
|
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
73 |
/** |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
74 |
* Decompose the standard algorithm name into sub-elements. |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
75 |
* <p> |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
76 |
* For example, we need to decompose "SHA1WithRSA" into "SHA1" and "RSA" |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
77 |
* so that we can check the "SHA1" and "RSA" algorithm constraints |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
78 |
* separately. |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
79 |
* <p> |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
80 |
* Please override the method if need to support more name pattern. |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
81 |
*/ |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
82 |
public Set<String> decompose(String algorithm) { |
53018
8bf9268df0e2
8215281: Use String.isEmpty() when applicable in java.base
redestad
parents:
47216
diff
changeset
|
83 |
if (algorithm == null || algorithm.isEmpty()) { |
37726
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
84 |
return new HashSet<>(); |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
85 |
} |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
86 |
|
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
87 |
Set<String> elements = decomposeImpl(algorithm); |
31689 | 88 |
|
89 |
// In Java standard algorithm name specification, for different |
|
90 |
// purpose, the SHA-1 and SHA-2 algorithm names are different. For |
|
91 |
// example, for MessageDigest, the standard name is "SHA-256", while |
|
92 |
// for Signature, the digest algorithm component is "SHA256" for |
|
93 |
// signature algorithm "SHA256withRSA". So we need to check both |
|
94 |
// "SHA-256" and "SHA256" to make the right constraint checking. |
|
95 |
||
96 |
// handle special name: SHA-1 and SHA1 |
|
97 |
if (elements.contains("SHA1") && !elements.contains("SHA-1")) { |
|
98 |
elements.add("SHA-1"); |
|
99 |
} |
|
100 |
if (elements.contains("SHA-1") && !elements.contains("SHA1")) { |
|
101 |
elements.add("SHA1"); |
|
102 |
} |
|
103 |
||
104 |
// handle special name: SHA-224 and SHA224 |
|
105 |
if (elements.contains("SHA224") && !elements.contains("SHA-224")) { |
|
106 |
elements.add("SHA-224"); |
|
107 |
} |
|
108 |
if (elements.contains("SHA-224") && !elements.contains("SHA224")) { |
|
109 |
elements.add("SHA224"); |
|
110 |
} |
|
111 |
||
112 |
// handle special name: SHA-256 and SHA256 |
|
113 |
if (elements.contains("SHA256") && !elements.contains("SHA-256")) { |
|
114 |
elements.add("SHA-256"); |
|
115 |
} |
|
116 |
if (elements.contains("SHA-256") && !elements.contains("SHA256")) { |
|
117 |
elements.add("SHA256"); |
|
118 |
} |
|
119 |
||
120 |
// handle special name: SHA-384 and SHA384 |
|
121 |
if (elements.contains("SHA384") && !elements.contains("SHA-384")) { |
|
122 |
elements.add("SHA-384"); |
|
123 |
} |
|
124 |
if (elements.contains("SHA-384") && !elements.contains("SHA384")) { |
|
125 |
elements.add("SHA384"); |
|
126 |
} |
|
127 |
||
128 |
// handle special name: SHA-512 and SHA512 |
|
129 |
if (elements.contains("SHA512") && !elements.contains("SHA-512")) { |
|
130 |
elements.add("SHA-512"); |
|
131 |
} |
|
132 |
if (elements.contains("SHA-512") && !elements.contains("SHA512")) { |
|
133 |
elements.add("SHA512"); |
|
134 |
} |
|
135 |
||
136 |
return elements; |
|
137 |
} |
|
138 |
||
45394
6b54e8cd9b3d
8178728: Check the AlgorithmParameters in algorithm constraints
xuelei
parents:
41956
diff
changeset
|
139 |
/** |
6b54e8cd9b3d
8178728: Check the AlgorithmParameters in algorithm constraints
xuelei
parents:
41956
diff
changeset
|
140 |
* Get aliases of the specified algorithm. |
6b54e8cd9b3d
8178728: Check the AlgorithmParameters in algorithm constraints
xuelei
parents:
41956
diff
changeset
|
141 |
* |
6b54e8cd9b3d
8178728: Check the AlgorithmParameters in algorithm constraints
xuelei
parents:
41956
diff
changeset
|
142 |
* May support more algorithms in the future. |
6b54e8cd9b3d
8178728: Check the AlgorithmParameters in algorithm constraints
xuelei
parents:
41956
diff
changeset
|
143 |
*/ |
6b54e8cd9b3d
8178728: Check the AlgorithmParameters in algorithm constraints
xuelei
parents:
41956
diff
changeset
|
144 |
public static Collection<String> getAliases(String algorithm) { |
6b54e8cd9b3d
8178728: Check the AlgorithmParameters in algorithm constraints
xuelei
parents:
41956
diff
changeset
|
145 |
String[] aliases; |
6b54e8cd9b3d
8178728: Check the AlgorithmParameters in algorithm constraints
xuelei
parents:
41956
diff
changeset
|
146 |
if (algorithm.equalsIgnoreCase("DH") || |
6b54e8cd9b3d
8178728: Check the AlgorithmParameters in algorithm constraints
xuelei
parents:
41956
diff
changeset
|
147 |
algorithm.equalsIgnoreCase("DiffieHellman")) { |
6b54e8cd9b3d
8178728: Check the AlgorithmParameters in algorithm constraints
xuelei
parents:
41956
diff
changeset
|
148 |
aliases = new String[] {"DH", "DiffieHellman"}; |
6b54e8cd9b3d
8178728: Check the AlgorithmParameters in algorithm constraints
xuelei
parents:
41956
diff
changeset
|
149 |
} else { |
6b54e8cd9b3d
8178728: Check the AlgorithmParameters in algorithm constraints
xuelei
parents:
41956
diff
changeset
|
150 |
aliases = new String[] {algorithm}; |
6b54e8cd9b3d
8178728: Check the AlgorithmParameters in algorithm constraints
xuelei
parents:
41956
diff
changeset
|
151 |
} |
6b54e8cd9b3d
8178728: Check the AlgorithmParameters in algorithm constraints
xuelei
parents:
41956
diff
changeset
|
152 |
|
6b54e8cd9b3d
8178728: Check the AlgorithmParameters in algorithm constraints
xuelei
parents:
41956
diff
changeset
|
153 |
return Arrays.asList(aliases); |
6b54e8cd9b3d
8178728: Check the AlgorithmParameters in algorithm constraints
xuelei
parents:
41956
diff
changeset
|
154 |
} |
6b54e8cd9b3d
8178728: Check the AlgorithmParameters in algorithm constraints
xuelei
parents:
41956
diff
changeset
|
155 |
|
37726
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
156 |
private static void hasLoop(Set<String> elements, String find, String replace) { |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
157 |
if (elements.contains(find)) { |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
158 |
if (!elements.contains(replace)) { |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
159 |
elements.add(replace); |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
160 |
} |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
161 |
elements.remove(find); |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
162 |
} |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
163 |
} |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
164 |
|
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
165 |
/* |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
166 |
* This decomposes a standard name into sub-elements with a consistent |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
167 |
* message digest algorithm name to avoid overly complicated checking. |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
168 |
*/ |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
169 |
public static Set<String> decomposeOneHash(String algorithm) { |
53018
8bf9268df0e2
8215281: Use String.isEmpty() when applicable in java.base
redestad
parents:
47216
diff
changeset
|
170 |
if (algorithm == null || algorithm.isEmpty()) { |
37726
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
171 |
return new HashSet<>(); |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
172 |
} |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
173 |
|
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
174 |
Set<String> elements = decomposeImpl(algorithm); |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
175 |
|
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
176 |
hasLoop(elements, "SHA-1", "SHA1"); |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
177 |
hasLoop(elements, "SHA-224", "SHA224"); |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
178 |
hasLoop(elements, "SHA-256", "SHA256"); |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
179 |
hasLoop(elements, "SHA-384", "SHA384"); |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
180 |
hasLoop(elements, "SHA-512", "SHA512"); |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
181 |
|
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
182 |
return elements; |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
183 |
} |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
184 |
|
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
185 |
/* |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
186 |
* The provided message digest algorithm name will return a consistent |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
187 |
* naming scheme. |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
188 |
*/ |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
189 |
public static String hashName(String algorithm) { |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
190 |
return algorithm.replace("-", ""); |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
191 |
} |
31689 | 192 |
} |