/*

 * Copyright (c) 2010, 2017, Oracle and/or its affiliates. All rights reserved.

 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

 *

 * This code is free software; you can redistribute it and/or modify it

 * under the terms of the GNU General Public License version 2 only, as

 * published by the Free Software Foundation.  Oracle designates this

 * particular file as subject to the "Classpath" exception as provided

 * by Oracle in the LICENSE file that accompanied this code.

 *

 * This code is distributed in the hope that it will be useful, but WITHOUT

 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

 * version 2 for more details (a copy is included in the LICENSE file that

 * accompanied this code).

 *

 * You should have received a copy of the GNU General Public License version

 * 2 along with this work; if not, write to the Free Software Foundation,

 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

 *

 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

 * or visit www.oracle.com if you need additional information or have any

 * questions.

 */

package sun.security.util;

import sun.security.validator.Validator;

import java.io.ByteArrayOutputStream;

import java.io.PrintStream;

import java.security.CryptoPrimitive;

import java.security.AlgorithmParameters;

import java.security.Key;

import java.security.cert.CertPathValidatorException;

import java.security.cert.CertPathValidatorException.BasicReason;

import java.security.cert.X509Certificate;

import java.text.SimpleDateFormat;

import java.util.ArrayList;

import java.util.Calendar;

import java.util.Date;

import java.util.HashMap;

import java.util.HashSet;

import java.util.List;

import java.util.Locale;

import java.util.Map;

import java.util.Set;

import java.util.Collection;

import java.util.StringTokenizer;

import java.util.TimeZone;

import java.util.regex.Pattern;

import java.util.regex.Matcher;

/**

 * Algorithm constraints for disabled algorithms property

 *

 * See the "jdk.certpath.disabledAlgorithms" specification in java.security

 * for the syntax of the disabled algorithm string.

 */

public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {

    private static final Debug debug = Debug.getInstance("certpath");

    // the known security property, jdk.certpath.disabledAlgorithms

    public static final String PROPERTY_CERTPATH_DISABLED_ALGS =

            "jdk.certpath.disabledAlgorithms";

    // the known security property, jdk.tls.disabledAlgorithms

    public static final String PROPERTY_TLS_DISABLED_ALGS =

            "jdk.tls.disabledAlgorithms";

    // the known security property, jdk.jar.disabledAlgorithms

    public static final String PROPERTY_JAR_DISABLED_ALGS =

            "jdk.jar.disabledAlgorithms";

    private final String[] disabledAlgorithms;

    private final Constraints algorithmConstraints;

    /**

     * Initialize algorithm constraints with the specified security property.

     *

     * @param propertyName the security property name that define the disabled

     *        algorithm constraints

     */

    public DisabledAlgorithmConstraints(String propertyName) {

        this(propertyName, new AlgorithmDecomposer());

    }

    /**

     * Initialize algorithm constraints with the specified security property

     * for a specific usage type.

     *

     * @param propertyName the security property name that define the disabled

     *        algorithm constraints

     * @param decomposer an alternate AlgorithmDecomposer.

     */

    public DisabledAlgorithmConstraints(String propertyName,

            AlgorithmDecomposer decomposer) {

        super(decomposer);

        disabledAlgorithms = getAlgorithms(propertyName);

        algorithmConstraints = new Constraints(disabledAlgorithms);

    }

    /*

     * This only checks if the algorithm has been completely disabled.  If

     * there are keysize or other limit, this method allow the algorithm.

     */

    @Override

    public final boolean permits(Set<CryptoPrimitive> primitives,

            String algorithm, AlgorithmParameters parameters) {

        if (!checkAlgorithm(disabledAlgorithms, algorithm, decomposer)) {

            return false;

        }

        if (parameters != null) {

            return algorithmConstraints.permits(algorithm, parameters);

        }

        return true;

    }

    /*

     * Checks if the key algorithm has been disabled or constraints have been

     * placed on the key.

     */

    @Override

    public final boolean permits(Set<CryptoPrimitive> primitives, Key key) {

        return checkConstraints(primitives, "", key, null);

    }

    /*

     * Checks if the key algorithm has been disabled or if constraints have

     * been placed on the key.

     */

    @Override

    public final boolean permits(Set<CryptoPrimitive> primitives,

            String algorithm, Key key, AlgorithmParameters parameters) {

        if (algorithm == null || algorithm.length() == 0) {

            throw new IllegalArgumentException("No algorithm name specified");

        }

        return checkConstraints(primitives, algorithm, key, parameters);

    }

    public final void permits(ConstraintsParameters cp)

            throws CertPathValidatorException {

        permits(cp.getAlgorithm(), cp);

    }

    public final void permits(String algorithm, Key key,

            AlgorithmParameters params, String variant)

            throws CertPathValidatorException {

        permits(algorithm, new ConstraintsParameters(algorithm, params, key,

                (variant == null) ? Validator.VAR_GENERIC : variant));

    }

    /*

     * Check if a x509Certificate object is permitted.  Check if all

     * algorithms are allowed, certificate constraints, and the

     * public key against key constraints.

     *

     * Uses new style permit() which throws exceptions.

     */

    public final void permits(String algorithm, ConstraintsParameters cp)

            throws CertPathValidatorException {

        algorithmConstraints.permits(algorithm, cp);

    }

    // Check if a string is contained inside the property

    public boolean checkProperty(String param) {

        param = param.toLowerCase(Locale.ENGLISH);

        for (String block : disabledAlgorithms) {

            if (block.toLowerCase(Locale.ENGLISH).indexOf(param) >= 0) {

                return true;

            }

        }

        return false;

    }

    // Check algorithm constraints with key and algorithm

    private boolean checkConstraints(Set<CryptoPrimitive> primitives,

            String algorithm, Key key, AlgorithmParameters parameters) {

        // check the key parameter, it cannot be null.

        if (key == null) {

            throw new IllegalArgumentException("The key cannot be null");

        }

        // check the signature algorithm with parameters

        if (algorithm != null && algorithm.length() != 0) {

            if (!permits(primitives, algorithm, parameters)) {

                return false;

            }

        }

        // check the key algorithm

        if (!permits(primitives, key.getAlgorithm(), null)) {

            return false;

        }

        // check the key constraints

        return algorithmConstraints.permits(key);

    }

    /**

     * Key and Certificate Constraints

     *

     * The complete disabling of an algorithm is not handled by Constraints or

     * Constraint classes.  That is addressed with

     *   permit(Set<CryptoPrimitive>, String, AlgorithmParameters)

     *

     * When passing a Key to permit(), the boolean return values follow the

     * same as the interface class AlgorithmConstraints.permit().  This is to

     * maintain compatibility:

     * 'true' means the operation is allowed.

     * 'false' means it failed the constraints and is disallowed.

     *

     * When passing ConstraintsParameters through permit(), an exception

     * will be thrown on a failure to better identify why the operation was

     * disallowed.

     */

    private static class Constraints {

        private Map<String, List<Constraint>> constraintsMap = new HashMap<>();

        private static class Holder {

            private static final Pattern DENY_AFTER_PATTERN = Pattern.compile(

                    "denyAfter\\s+(\\d{4})-(\\d{2})-(\\d{2})");

        }

        public Constraints(String[] constraintArray) {

            for (String constraintEntry : constraintArray) {

                if (constraintEntry == null || constraintEntry.isEmpty()) {

                    continue;

                }

                constraintEntry = constraintEntry.trim();

                if (debug != null) {

                    debug.println("Constraints: " + constraintEntry);

                }

                // Check if constraint is a complete disabling of an

                // algorithm or has conditions.

                int space = constraintEntry.indexOf(' ');

                String algorithm = AlgorithmDecomposer.hashName(

                        ((space > 0 ? constraintEntry.substring(0, space) :

                                constraintEntry).

                                toUpperCase(Locale.ENGLISH)));

                List<Constraint> constraintList =

                        constraintsMap.getOrDefault(algorithm,

                                new ArrayList<>(1));

                // Consider the impact of algorithm aliases.

                for (String alias : AlgorithmDecomposer.getAliases(algorithm)) {

                    constraintsMap.putIfAbsent(alias, constraintList);

                }

                if (space <= 0) {

                    constraintList.add(new DisabledConstraint(algorithm));

                    continue;

                }

                String policy = constraintEntry.substring(space + 1);

                // Convert constraint conditions into Constraint classes

                Constraint c, lastConstraint = null;

                // Allow only one jdkCA entry per constraint entry

                boolean jdkCALimit = false;

                // Allow only one denyAfter entry per constraint entry

                boolean denyAfterLimit = false;

                for (String entry : policy.split("&")) {

                    entry = entry.trim();

                    Matcher matcher;

                    if (entry.startsWith("keySize")) {

                        if (debug != null) {

                            debug.println("Constraints set to keySize: " +

                                    entry);

                        }

                        StringTokenizer tokens = new StringTokenizer(entry);

                        if (!"keySize".equals(tokens.nextToken())) {

                            throw new IllegalArgumentException("Error in " +

                                    "security property. Constraint unknown: " +

                                    entry);

                        }

                        c = new KeySizeConstraint(algorithm,

                                KeySizeConstraint.Operator.of(tokens.nextToken()),

                                Integer.parseInt(tokens.nextToken()));

                    } else if (entry.equalsIgnoreCase("jdkCA")) {

                        if (debug != null) {

                            debug.println("Constraints set to jdkCA.");

                        }

                        if (jdkCALimit) {

                            throw new IllegalArgumentException("Only one " +

                                    "jdkCA entry allowed in property. " +

                                    "Constraint: " + constraintEntry);

                        }

                        c = new jdkCAConstraint(algorithm);

                        jdkCALimit = true;

                    } else if (entry.startsWith("denyAfter") &&

                            (matcher = Holder.DENY_AFTER_PATTERN.matcher(entry))

                                    .matches()) {

                        if (debug != null) {

                            debug.println("Constraints set to denyAfter");

                        }

                        if (denyAfterLimit) {

                            throw new IllegalArgumentException("Only one " +

                                    "denyAfter entry allowed in property. " +

                                    "Constraint: " + constraintEntry);

                        }

                        int year = Integer.parseInt(matcher.group(1));

                        int month = Integer.parseInt(matcher.group(2));

                        int day = Integer.parseInt(matcher.group(3));

                        c = new DenyAfterConstraint(algorithm, year, month,

                                day);

                        denyAfterLimit = true;

                    } else if (entry.startsWith("usage")) {

                        String s[] = (entry.substring(5)).trim().split(" ");

                        c = new UsageConstraint(algorithm, s);

                        if (debug != null) {

                            debug.println("Constraints usage length is " + s.length);

                        }

                    } else {

                        throw new IllegalArgumentException("Error in security" +

                                " property. Constraint unknown: " + entry);

                    }

                    // Link multiple conditions for a single constraint

                    // into a linked list.

                    if (lastConstraint == null) {

                        constraintList.add(c);

                    } else {

                        lastConstraint.nextConstraint = c;

                    }

                    lastConstraint = c;

                }

            }

        }

        // Get applicable constraints based off the signature algorithm

        private List<Constraint> getConstraints(String algorithm) {

            return constraintsMap.get(algorithm);

        }

        // Check if KeySizeConstraints permit the specified key

        public boolean permits(Key key) {

            List<Constraint> list = getConstraints(key.getAlgorithm());

            if (list == null) {

                return true;

            }

            for (Constraint constraint : list) {

                if (!constraint.permits(key)) {

                    if (debug != null) {

                        debug.println("keySizeConstraint: failed key " +

                                "constraint check " + KeyUtil.getKeySize(key));

                    }

                    return false;

                }

            }

            return true;

        }

        // Check if constraints permit this AlgorithmParameters.

        public boolean permits(String algorithm, AlgorithmParameters aps) {

            List<Constraint> list = getConstraints(algorithm);

            if (list == null) {

                return true;

            }

            for (Constraint constraint : list) {

                if (!constraint.permits(aps)) {

                    if (debug != null) {

                        debug.println("keySizeConstraint: failed algorithm " +

                                "parameters constraint check " + aps);

                    }

                    return false;

                }

            }

            return true;

        }

        // Check if constraints permit this cert.

        public void permits(String algorithm, ConstraintsParameters cp)

                throws CertPathValidatorException {

            X509Certificate cert = cp.getCertificate();

            if (debug != null) {

                debug.println("Constraints.permits(): " + algorithm +

                        " Variant: " + cp.getVariant());

            }

            // Get all signature algorithms to check for constraints

            Set<String> algorithms = new HashSet<>();

            if (algorithm != null) {

                algorithms.addAll(AlgorithmDecomposer.decomposeOneHash(algorithm));

            }

            // Attempt to add the public key algorithm if cert provided

            if (cert != null) {

                algorithms.add(cert.getPublicKey().getAlgorithm());

            }

            if (cp.getPublicKey() != null) {

                algorithms.add(cp.getPublicKey().getAlgorithm());

            }

            // Check all applicable constraints

            for (String alg : algorithms) {

                List<Constraint> list = getConstraints(alg);

                if (list == null) {

                    continue;

                }

                for (Constraint constraint : list) {

                    constraint.permits(cp);

                }

            }

        }

    }

    /**

     * This abstract Constraint class for algorithm-based checking

     * may contain one or more constraints.  If the '&' on the {@Security}

     * property is used, multiple constraints have been grouped together

     * requiring all the constraints to fail for the check to be disallowed.

     *

     * If the class contains multiple constraints, the next constraint

     * is stored in {@code nextConstraint} in linked-list fashion.

     */

    private abstract static class Constraint {

        String algorithm;

        Constraint nextConstraint = null;

        // operator

        enum Operator {

            EQ,         // "=="

            NE,         // "!="

            LT,         // "<"

            LE,         // "<="

            GT,         // ">"

            GE;         // ">="

            static Operator of(String s) {

                switch (s) {

                    case "==":

                        return EQ;

                    case "!=":

                        return NE;

                    case "<":

                        return LT;

                    case "<=":

                        return LE;

                    case ">":

                        return GT;

                    case ">=":

                        return GE;

                }

                throw new IllegalArgumentException("Error in security " +

                        "property. " + s + " is not a legal Operator");

            }

        }

        /**

         * Check if an algorithm constraint is permitted with a given key.

         *

         * If the check inside of {@code permit()} fails, it must call

         * {@code next()} with the same {@code Key} parameter passed if

         * multiple constraints need to be checked.

         *

         * @param key Public key

         * @return 'true' if constraint is allowed, 'false' if disallowed.

         */

        public boolean permits(Key key) {

            return true;

        }

        /**

         * Check if the algorithm constraint permits a given cryptographic

         * parameters.

         *

         * @param parameters the cryptographic parameters

         * @return 'true' if the cryptographic parameters is allowed,

         *         'false' ortherwise.

         */

        public boolean permits(AlgorithmParameters parameters) {

            return true;

        }

        /**

         * Check if an algorithm constraint is permitted with a given

         * ConstraintsParameters.