/*

 * Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.  Oracle designates this

 * particular file as subject to the "Classpath" exception as provided

 * by Oracle in the LICENSE file that accompanied this code.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

package sun.security.util;

import java.security.CryptoPrimitive;

import java.security.AlgorithmParameters;

import java.security.Key;

import java.security.cert.CertPathValidatorException;

import java.security.cert.CertPathValidatorException.BasicReason;

import java.security.cert.X509Certificate;

import java.text.SimpleDateFormat;

import java.util.Calendar;

import java.util.Date;

import java.util.HashMap;

import java.util.HashSet;

import java.util.Locale;

import java.util.Map;

import java.util.Set;

import java.util.TimeZone;

import java.util.regex.Pattern;

import java.util.regex.Matcher;

/**

 * Algorithm constraints for disabled algorithms property

 *

 * See the "jdk.certpath.disabledAlgorithms" specification in java.security

 * for the syntax of the disabled algorithm string.

 */

public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {

    private static final Debug debug = Debug.getInstance("certpath");

    // the known security property, jdk.certpath.disabledAlgorithms

    public static final String PROPERTY_CERTPATH_DISABLED_ALGS =

            "jdk.certpath.disabledAlgorithms";

    // the known security property, jdk.tls.disabledAlgorithms

    public static final String PROPERTY_TLS_DISABLED_ALGS =

            "jdk.tls.disabledAlgorithms";

    private final String[] disabledAlgorithms;

    private final Constraints algorithmConstraints;

    /**

     * Initialize algorithm constraints with the specified security property.

     *

     * @param propertyName the security property name that define the disabled

     *        algorithm constraints

     */

    public DisabledAlgorithmConstraints(String propertyName) {

        this(propertyName, new AlgorithmDecomposer());

    }

    public DisabledAlgorithmConstraints(String propertyName,

            AlgorithmDecomposer decomposer) {

        super(decomposer);

        disabledAlgorithms = getAlgorithms(propertyName);

        algorithmConstraints = new Constraints(disabledAlgorithms);

    }

    /*

     * This only checks if the algorithm has been completely disabled.  If

     * there are keysize or other limit, this method allow the algorithm.

     */

    @Override

    public final boolean permits(Set<CryptoPrimitive> primitives,

            String algorithm, AlgorithmParameters parameters) {

        if (primitives == null || primitives.isEmpty()) {

            throw new IllegalArgumentException(

                        "No cryptographic primitive specified");

        }

        return checkAlgorithm(disabledAlgorithms, algorithm, decomposer);

    }

    /*

     * Checks if the key algorithm has been disabled or constraints have been

     * placed on the key.

     */

    @Override

    public final boolean permits(Set<CryptoPrimitive> primitives, Key key) {

        return checkConstraints(primitives, "", key, null);

    }

    /*

     * Checks if the key algorithm has been disabled or if constraints have

     * been placed on the key.

     */

    @Override

    public final boolean permits(Set<CryptoPrimitive> primitives,

            String algorithm, Key key, AlgorithmParameters parameters) {

        if (algorithm == null || algorithm.length() == 0) {

            throw new IllegalArgumentException("No algorithm name specified");

        }

        return checkConstraints(primitives, algorithm, key, parameters);

    }

    /*

     * Check if a x509Certificate object is permitted.  Check if all

     * algorithms are allowed, certificate constraints, and the

     * public key against key constraints.

     *

     * Uses new style permit() which throws exceptions.

     */

    public final void permits(Set<CryptoPrimitive> primitives,

            CertConstraintParameters cp) throws CertPathValidatorException {

        checkConstraints(primitives, cp);

    }

    /*

     * Check if Certificate object is within the constraints.

     * Uses new style permit() which throws exceptions.

     */

    public final void permits(Set<CryptoPrimitive> primitives,

            X509Certificate cert) throws CertPathValidatorException {

        checkConstraints(primitives, new CertConstraintParameters(cert));

    }

    // Check if a string is contained inside the property

    public boolean checkProperty(String param) {

        param = param.toLowerCase(Locale.ENGLISH);

        for (String block : disabledAlgorithms) {

            if (block.toLowerCase(Locale.ENGLISH).indexOf(param) >= 0) {

                return true;

            }

        }

        return false;

    }

    // Check algorithm constraints with key and algorithm

    private boolean checkConstraints(Set<CryptoPrimitive> primitives,

            String algorithm, Key key, AlgorithmParameters parameters) {

        // check the key parameter, it cannot be null.

        if (key == null) {

            throw new IllegalArgumentException("The key cannot be null");

        }

        // check the signature algorithm

        if (algorithm != null && algorithm.length() != 0) {

            if (!permits(primitives, algorithm, parameters)) {

                return false;

            }

        }

        // check the key algorithm

        if (!permits(primitives, key.getAlgorithm(), null)) {

            return false;

        }

        // check the key constraints

        return algorithmConstraints.permits(key);

    }

    /*

     * Check algorithm constraints with Certificate

     * Uses new style permit() which throws exceptions.

     */

    private void checkConstraints(Set<CryptoPrimitive> primitives,

            CertConstraintParameters cp) throws CertPathValidatorException {

        X509Certificate cert = cp.getCertificate();

        String algorithm = cert.getSigAlgName();

        // Check signature algorithm is not disabled

        if (!permits(primitives, algorithm, null)) {

            throw new CertPathValidatorException(

                    "Algorithm constraints check failed on disabled "+

                            "signature algorithm: " + algorithm,

                    null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);

        }

        // Check key algorithm is not disabled

        if (!permits(primitives, cert.getPublicKey().getAlgorithm(), null)) {

            throw new CertPathValidatorException(

                    "Algorithm constraints check failed on disabled "+

                            "public key algorithm: " + algorithm,

                    null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);

        }

        // Check the certificate and key constraints

        algorithmConstraints.permits(cp);

    }

    /**

     * Key and Certificate Constraints

     *

     * The complete disabling of an algorithm is not handled by Constraints or

     * Constraint classes.  That is addressed with

     *   permit(Set<CryptoPrimitive>, String, AlgorithmParameters)

     *

     * When passing a Key to permit(), the boolean return values follow the

     * same as the interface class AlgorithmConstraints.permit().  This is to

     * maintain compatibility:

     * 'true' means the operation is allowed.

     * 'false' means it failed the constraints and is disallowed.

     *

     * When passing CertConstraintParameters through permit(), an exception

     * will be thrown on a failure to better identify why the operation was

     * disallowed.

     */

    private static class Constraints {

        private Map<String, Set<Constraint>> constraintsMap = new HashMap<>();

        private static final Pattern keySizePattern = Pattern.compile(

                "keySize\\s*(<=|<|==|!=|>|>=)\\s*(\\d+)");

        private static final Pattern denyAfterPattern = Pattern.compile(

                "denyAfter\\s+(\\d{4})-(\\d{2})-(\\d{2})");

        public Constraints(String[] constraintArray) {

            for (String constraintEntry : constraintArray) {

                if (constraintEntry == null || constraintEntry.isEmpty()) {

                    continue;

                }

                constraintEntry = constraintEntry.trim();

                if (debug != null) {

                    debug.println("Constraints: " + constraintEntry);

                }

                // Check if constraint is a complete disabling of an

                // algorithm or has conditions.

                String algorithm;

                String policy;

                int space = constraintEntry.indexOf(' ');

                if (space > 0) {

                    algorithm = AlgorithmDecomposer.hashName(

                            constraintEntry.substring(0, space).

                                    toUpperCase(Locale.ENGLISH));

                    policy = constraintEntry.substring(space + 1);

                } else {

                    constraintsMap.computeIfAbsent(

                            constraintEntry.toUpperCase(Locale.ENGLISH),

                            k -> new HashSet<>());

                    continue;

                }

                // Convert constraint conditions into Constraint classes

                Constraint c, lastConstraint = null;

                // Allow only one jdkCA entry per constraint entry

                boolean jdkCALimit = false;

                // Allow only one denyAfter entry per constraint entry

                boolean denyAfterLimit = false;

                for (String entry : policy.split("&")) {

                    entry = entry.trim();

                    Matcher matcher = keySizePattern.matcher(entry);

                    if (matcher.matches()) {

                        if (debug != null) {

                            debug.println("Constraints set to keySize: " +

                                    entry);

                        }

                        c = new KeySizeConstraint(algorithm,

                                KeySizeConstraint.Operator.of(matcher.group(1)),

                                Integer.parseInt(matcher.group(2)));

                    } else if (entry.equalsIgnoreCase("jdkCA")) {

                        if (debug != null) {

                            debug.println("Constraints set to jdkCA.");

                        }

                        if (jdkCALimit) {

                            throw new IllegalArgumentException("Only one " +

                                    "jdkCA entry allowed in property. " +

                                    "Constraint: " + constraintEntry);

                        }

                        c = new jdkCAConstraint(algorithm);

                        jdkCALimit = true;

                    } else if(matcher.usePattern(denyAfterPattern).matches()) {

                        if (debug != null) {

                            debug.println("Constraints set to denyAfter");

                        }

                        if (denyAfterLimit) {

                            throw new IllegalArgumentException("Only one " +

                                    "denyAfter entry allowed in property. " +

                                    "Constraint: " + constraintEntry);

                        }

                        int year = Integer.parseInt(matcher.group(1));

                        int month = Integer.parseInt(matcher.group(2));

                        int day = Integer.parseInt(matcher.group(3));

                        c = new DenyAfterConstraint(algorithm, year, month,

                                day);

                        denyAfterLimit = true;

                    } else {

                        throw new IllegalArgumentException("Error in security" +

                                " property. Constraint unknown: " + entry);

                    }

                    // Link multiple conditions for a single constraint

                    // into a linked list.

                    if (lastConstraint == null) {

                        if (!constraintsMap.containsKey(algorithm)) {

                            constraintsMap.putIfAbsent(algorithm,

                                    new HashSet<>());

                        }

                        constraintsMap.get(algorithm).add(c);

                    } else {

                        lastConstraint.nextConstraint = c;

                    }

                    lastConstraint = c;

                }

            }

        }

        // Get applicable constraints based off the signature algorithm

        private Set<Constraint> getConstraints(String algorithm) {

            return constraintsMap.get(algorithm);

        }

        // Check if KeySizeConstraints permit the specified key

        public boolean permits(Key key) {

            Set<Constraint> set = getConstraints(key.getAlgorithm());

            if (set == null) {

                return true;

            }

            for (Constraint constraint : set) {

                if (!constraint.permits(key)) {

                    if (debug != null) {

                        debug.println("keySizeConstraint: failed key " +

                                "constraint check " + KeyUtil.getKeySize(key));

                    }

                    return false;

                }

            }

            return true;

        }

        // Check if constraints permit this cert.

        public void permits(CertConstraintParameters cp)

                throws CertPathValidatorException {

            X509Certificate cert = cp.getCertificate();

            if (debug != null) {

                debug.println("Constraints.permits(): " + cert.getSigAlgName());

            }

            // Get all signature algorithms to check for constraints

            Set<String> algorithms =

                    AlgorithmDecomposer.decomposeOneHash(cert.getSigAlgName());

            if (algorithms == null || algorithms.isEmpty()) {

                return;

            }

            // Attempt to add the public key algorithm to the set

            algorithms.add(cert.getPublicKey().getAlgorithm());

            // Check all applicable constraints

            for (String algorithm : algorithms) {

                Set<Constraint> set = getConstraints(algorithm);

                if (set == null) {

                    continue;

                }

                for (Constraint constraint : set) {

                    constraint.permits(cp);

                }

            }

        }

    }

    /**

     * This abstract Constraint class for algorithm-based checking

     * may contain one or more constraints.  If the '&' on the {@Security}

     * property is used, multiple constraints have been grouped together

     * requiring all the constraints to fail for the check to be disallowed.

     *

     * If the class contains multiple constraints, the next constraint

     * is stored in {@code nextConstraint} in linked-list fashion.

     */

    private abstract static class Constraint {

        String algorithm;

        Constraint nextConstraint = null;

        // operator

        enum Operator {

            EQ,         // "=="

            NE,         // "!="

            LT,         // "<"

            LE,         // "<="

            GT,         // ">"

            GE;         // ">="

            static Operator of(String s) {

                switch (s) {

                    case "==":

                        return EQ;

                    case "!=":

                        return NE;

                    case "<":

                        return LT;

                    case "<=":

                        return LE;

                    case ">":

                        return GT;

                    case ">=":

                        return GE;

                }

                throw new IllegalArgumentException("Error in security " +

                        "property. " + s + " is not a legal Operator");

            }

        }

        /**

         * Check if an algorithm constraint is permitted with a given key.

         *

         * If the check inside of {@code permit()} fails, it must call

         * {@code next()} with the same {@code Key} parameter passed if

         * multiple constraints need to be checked.

         *

         * @param key Public key

         * @return 'true' if constraint is allowed, 'false' if disallowed.

         */

        public boolean permits(Key key) {

            return true;

        }

        /**

         * Check if an algorithm constraint is permitted with a given

         * CertConstraintParameters.

         *

         * If the check inside of {@code permits()} fails, it must call

         * {@code next()} with the same {@code CertConstraintParameters}

         * parameter passed if multiple constraints need to be checked.

         *

         * @param cp CertConstraintParameter containing certificate info

         * @throws CertPathValidatorException if constraint disallows.

         *

         */

        public abstract void permits(CertConstraintParameters cp)

                throws CertPathValidatorException;

        /**

         * Recursively check if the constraints are allowed.

         *

         * If {@code nextConstraint} is non-null, this method will

         * call {@code nextConstraint}'s {@code permits()} to check if the

         * constraint is allowed or denied.  If the constraint's

         * {@code permits()} is allowed, this method will exit this and any

         * recursive next() calls, returning 'true'.  If the constraints called

         * were disallowed, the last constraint will throw

         * {@code CertPathValidatorException}.

         *

         * @param cp CertConstraintParameters

         * @return 'true' if constraint allows the operation, 'false' if

         * we are at the end of the constraint list or,

         * {@code nextConstraint} is null.

         */

        boolean next(CertConstraintParameters cp)

                throws CertPathValidatorException {

            if (nextConstraint != null) {

                nextConstraint.permits(cp);

                return true;

            }

            return false;

        }

        /**

         * Recursively check if this constraint is allowed,

         *

         * If {@code nextConstraint} is non-null, this method will