author | mullan |
Tue, 22 Jan 2019 09:27:19 -0500 | |
changeset 53428 | f443de1cee05 |
parent 52948 | 04c9b7111aac |
permissions | -rw-r--r-- |
52948
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
1 |
/* |
53428
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
2 |
* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. |
52948
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
4 |
* |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
5 |
* This code is free software; you can redistribute it and/or modify it |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
7 |
* published by the Free Software Foundation. Oracle designates this |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
8 |
* particular file as subject to the "Classpath" exception as provided |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
9 |
* by Oracle in the LICENSE file that accompanied this code. |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
10 |
* |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
15 |
* accompanied this code). |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
16 |
* |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
17 |
* You should have received a copy of the GNU General Public License version |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
20 |
* |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
22 |
* or visit www.oracle.com if you need additional information or have any |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
23 |
* questions. |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
24 |
*/ |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
25 |
package sun.security.validator; |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
26 |
|
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
27 |
import java.security.cert.X509Certificate; |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
28 |
import java.time.LocalDate; |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
29 |
import java.time.Month; |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
30 |
import java.time.ZoneOffset; |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
31 |
import java.util.Date; |
53428
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
32 |
import java.util.Map; |
52948
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
33 |
import java.util.Set; |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
34 |
|
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
35 |
import sun.security.x509.X509CertImpl; |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
36 |
|
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
37 |
/** |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
38 |
* This class checks if Symantec issued TLS Server certificates should be |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
39 |
* restricted. |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
40 |
*/ |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
41 |
final class SymantecTLSPolicy { |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
42 |
|
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
43 |
// SHA-256 certificate fingerprints of distrusted roots |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
44 |
private static final Set<String> FINGERPRINTS = Set.of( |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
45 |
// cacerts alias: geotrustglobalca |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
46 |
// DN: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
47 |
"FF856A2D251DCD88D36656F450126798CFABAADE40799C722DE4D2B5DB36A73A", |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
48 |
// cacerts alias: geotrustprimaryca |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
49 |
// DN: CN=GeoTrust Primary Certification Authority, |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
50 |
// O=GeoTrust Inc., C=US |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
51 |
"37D51006C512EAAB626421F1EC8C92013FC5F82AE98EE533EB4619B8DEB4D06C", |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
52 |
// cacerts alias: geotrustprimarycag2 |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
53 |
// DN: CN=GeoTrust Primary Certification Authority - G2, |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
54 |
// OU=(c) 2007 GeoTrust Inc. - For authorized use only, |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
55 |
// O=GeoTrust Inc., C=US |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
56 |
"5EDB7AC43B82A06A8761E8D7BE4979EBF2611F7DD79BF91C1C6B566A219ED766", |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
57 |
// cacerts alias: geotrustprimarycag3 |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
58 |
// DN: CN=GeoTrust Primary Certification Authority - G3, |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
59 |
// OU=(c) 2008 GeoTrust Inc. - For authorized use only, |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
60 |
// O=GeoTrust Inc., C=US |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
61 |
"B478B812250DF878635C2AA7EC7D155EAA625EE82916E2CD294361886CD1FBD4", |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
62 |
// cacerts alias: geotrustuniversalca |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
63 |
// DN: CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
64 |
"A0459B9F63B22559F5FA5D4C6DB3F9F72FF19342033578F073BF1D1B46CBB912", |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
65 |
// cacerts alias: thawteprimaryrootca |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
66 |
// DN: CN=thawte Primary Root CA, |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
67 |
// OU="(c) 2006 thawte, Inc. - For authorized use only", |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
68 |
// OU=Certification Services Division, O="thawte, Inc.", C=US |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
69 |
"8D722F81A9C113C0791DF136A2966DB26C950A971DB46B4199F4EA54B78BFB9F", |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
70 |
// cacerts alias: thawteprimaryrootcag2 |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
71 |
// DN: CN=thawte Primary Root CA - G2, |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
72 |
// OU="(c) 2007 thawte, Inc. - For authorized use only", |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
73 |
// O="thawte, Inc.", C=US |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
74 |
"A4310D50AF18A6447190372A86AFAF8B951FFB431D837F1E5688B45971ED1557", |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
75 |
// cacerts alias: thawteprimaryrootcag3 |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
76 |
// DN: CN=thawte Primary Root CA - G3, |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
77 |
// OU="(c) 2008 thawte, Inc. - For authorized use only", |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
78 |
// OU=Certification Services Division, O="thawte, Inc.", C=US |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
79 |
"4B03F45807AD70F21BFC2CAE71C9FDE4604C064CF5FFB686BAE5DBAAD7FDD34C", |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
80 |
// cacerts alias: thawtepremiumserverca |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
81 |
// DN: EMAILADDRESS=premium-server@thawte.com, |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
82 |
// CN=Thawte Premium Server CA, OU=Certification Services Division, |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
83 |
// O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
84 |
"3F9F27D583204B9E09C8A3D2066C4B57D3A2479C3693650880505698105DBCE9", |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
85 |
// cacerts alias: verisignclass2g2ca |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
86 |
// DN: OU=VeriSign Trust Network, |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
87 |
// OU="(c) 1998 VeriSign, Inc. - For authorized use only", |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
88 |
// OU=Class 2 Public Primary Certification Authority - G2, |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
89 |
// O="VeriSign, Inc.", C=US |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
90 |
"3A43E220FE7F3EA9653D1E21742EAC2B75C20FD8980305BC502CAF8C2D9B41A1", |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
91 |
// cacerts alias: verisignclass3ca |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
92 |
// DN: OU=Class 3 Public Primary Certification Authority, |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
93 |
// O="VeriSign, Inc.", C=US |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
94 |
"A4B6B3996FC2F306B3FD8681BD63413D8C5009CC4FA329C2CCF0E2FA1B140305", |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
95 |
// cacerts alias: verisignclass3g2ca |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
96 |
// DN: OU=VeriSign Trust Network, |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
97 |
// OU="(c) 1998 VeriSign, Inc. - For authorized use only", |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
98 |
// OU=Class 3 Public Primary Certification Authority - G2, |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
99 |
// O="VeriSign, Inc.", C=US |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
100 |
"83CE3C1229688A593D485F81973C0F9195431EDA37CC5E36430E79C7A888638B", |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
101 |
// cacerts alias: verisignclass3g3ca |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
102 |
// DN: CN=VeriSign Class 3 Public Primary Certification Authority - G3, |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
103 |
// OU="(c) 1999 VeriSign, Inc. - For authorized use only", |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
104 |
// OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
105 |
"EB04CF5EB1F39AFA762F2BB120F296CBA520C1B97DB1589565B81CB9A17B7244", |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
106 |
// cacerts alias: verisignclass3g4ca |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
107 |
// DN: CN=VeriSign Class 3 Public Primary Certification Authority - G4, |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
108 |
// OU="(c) 2007 VeriSign, Inc. - For authorized use only", |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
109 |
// OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
110 |
"69DDD7EA90BB57C93E135DC85EA6FCD5480B603239BDC454FC758B2A26CF7F79", |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
111 |
// cacerts alias: verisignclass3g5ca |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
112 |
// DN: CN=VeriSign Class 3 Public Primary Certification Authority - G5, |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
113 |
// OU="(c) 2006 VeriSign, Inc. - For authorized use only", |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
114 |
// OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
115 |
"9ACFAB7E43C8D880D06B262A94DEEEE4B4659989C3D0CAF19BAF6405E41AB7DF", |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
116 |
// cacerts alias: verisignuniversalrootca |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
117 |
// DN: CN=VeriSign Universal Root Certification Authority, |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
118 |
// OU="(c) 2008 VeriSign, Inc. - For authorized use only", |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
119 |
// OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
120 |
"2399561127A57125DE8CEFEA610DDF2FA078B5C8067F4E828290BFB860E84B3C" |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
121 |
); |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
122 |
|
53428
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
123 |
private static final LocalDate DECEMBER_31_2019 = |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
124 |
LocalDate.of(2019, Month.DECEMBER, 31); |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
125 |
// SHA-256 certificate fingerprints of subCAs with later distrust dates |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
126 |
private static final Map<String, LocalDate> EXEMPT_SUBCAS = Map.of( |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
127 |
// Subject DN: C=US, O=Apple Inc., OU=Certification Authority, |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
128 |
// CN=Apple IST CA 2 - G1 |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
129 |
// Issuer DN: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
130 |
"AC2B922ECFD5E01711772FEA8ED372DE9D1E2245FCE3F57A9CDBEC77296A424B", |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
131 |
DECEMBER_31_2019, |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
132 |
// Subject DN: C=US, O=Apple Inc., OU=Certification Authority, |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
133 |
// CN=Apple IST CA 8 - G1 |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
134 |
// Issuer DN: CN=GeoTrust Primary Certification Authority - G2, |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
135 |
// OU=(c) 2007 GeoTrust Inc. - For authorized use only, |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
136 |
// O=GeoTrust Inc., C=US |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
137 |
"A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED", |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
138 |
DECEMBER_31_2019 |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
139 |
); |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
140 |
|
52948
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
141 |
// Any TLS Server certificate that is anchored by one of the Symantec |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
142 |
// roots above and is issued after this date will be distrusted. |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
143 |
private static final LocalDate APRIL_16_2019 = |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
144 |
LocalDate.of(2019, Month.APRIL, 16); |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
145 |
|
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
146 |
/** |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
147 |
* This method assumes the eeCert is a TLS Server Cert and chains back to |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
148 |
* the anchor. |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
149 |
* |
53428
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
150 |
* @param chain the end-entity's certificate chain. The end entity cert |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
151 |
* is at index 0, the trust anchor at index n-1. |
52948
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
152 |
* @throws ValidatorException if the certificate is distrusted |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
153 |
*/ |
53428
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
154 |
static void checkDistrust(X509Certificate[] chain) |
52948
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
155 |
throws ValidatorException { |
53428
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
156 |
X509Certificate anchor = chain[chain.length-1]; |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
157 |
if (FINGERPRINTS.contains(fingerprint(anchor))) { |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
158 |
Date notBefore = chain[0].getNotBefore(); |
52948
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
159 |
LocalDate ldNotBefore = LocalDate.ofInstant(notBefore.toInstant(), |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
160 |
ZoneOffset.UTC); |
53428
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
161 |
// check if chain goes through one of the subCAs |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
162 |
if (chain.length > 2) { |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
163 |
X509Certificate subCA = chain[chain.length-2]; |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
164 |
LocalDate distrustDate = EXEMPT_SUBCAS.get(fingerprint(subCA)); |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
165 |
if (distrustDate != null) { |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
166 |
// reject if certificate is issued after specified date |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
167 |
checkNotBefore(ldNotBefore, distrustDate, anchor); |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
168 |
return; // success |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
169 |
} |
52948
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
170 |
} |
53428
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
171 |
// reject if certificate is issued after April 16, 2019 |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
172 |
checkNotBefore(ldNotBefore, APRIL_16_2019, anchor); |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
173 |
} |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
174 |
} |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
175 |
|
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
176 |
private static String fingerprint(X509Certificate cert) { |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
177 |
return (cert instanceof X509CertImpl) |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
178 |
? ((X509CertImpl)cert).getFingerprint("SHA-256") |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
179 |
: X509CertImpl.getFingerprint("SHA-256", cert); |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
180 |
} |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
181 |
|
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
182 |
private static void checkNotBefore(LocalDate notBeforeDate, |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
183 |
LocalDate distrustDate, X509Certificate anchor) |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
184 |
throws ValidatorException { |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
185 |
if (notBeforeDate.isAfter(distrustDate)) { |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
186 |
throw new ValidatorException |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
187 |
("TLS Server certificate issued after " + distrustDate + |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
188 |
" and anchored by a distrusted legacy Symantec root CA: " |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
189 |
+ anchor.getSubjectX500Principal(), |
f443de1cee05
8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
mullan
parents:
52948
diff
changeset
|
190 |
ValidatorException.T_UNTRUSTED_CERT, anchor); |
52948
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
191 |
} |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
192 |
} |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
193 |
|
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
194 |
private SymantecTLSPolicy() {} |
04c9b7111aac
8207258: Distrust TLS server certificates anchored by Symantec Root CAs
mullan
parents:
diff
changeset
|
195 |
} |