jdk-sandbox: comparison src/java.base/share/classes/sun/security/validator/CADistrustPolicy.java

equal deleted inserted replaced

-:01b519fcb8a8
+:04c9b7111aac
+/*
+* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+*
+* This code is free software; you can redistribute it and/or modify it
+* under the terms of the GNU General Public License version 2 only, as
+* published by the Free Software Foundation.  Oracle designates this
+* particular file as subject to the "Classpath" exception as provided
+* by Oracle in the LICENSE file that accompanied this code.
+*
+* This code is distributed in the hope that it will be useful, but WITHOUT
+* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+* FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+* version 2 for more details (a copy is included in the LICENSE file that
+* accompanied this code).
+*
+* You should have received a copy of the GNU General Public License version
+* 2 along with this work; if not, write to the Free Software Foundation,
+* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+*
+* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+* or visit www.oracle.com if you need additional information or have any
+* questions.
+*/
+package sun.security.validator;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.security.Security;
+import java.security.cert.X509Certificate;
+import java.util.EnumSet;
+import sun.security.util.Debug;
+/**
+* Policies for distrusting a certificate authority (CA). See the
+* jdk.security.caDistrustPolicies security property for more information.
+*/
+enum CADistrustPolicy {
+/**
+* Distrust TLS Server certificates anchored by a Symantec root CA and
+* issued after April 16, 2019. If enabled, this policy is currently
+* enforced by the PKIX and SunX509 TrustManager implementations of the
+* SunJSSE provider implementation.
+*/
+SYMANTEC_TLS {
+void checkDistrust(String variant, X509Certificate anchor,
+X509Certificate ee) throws ValidatorException {
+if (!variant.equals(Validator.VAR_TLS_SERVER)) {
+return;
+}
+SymantecTLSPolicy.checkDistrust(anchor, ee);
+}
+};
+/**
+* Checks if the end-entity certificate is distrusted.
+*
+* @param variant the type of certificate being checked
+* @param anchor the trust anchor certificate
+* @param ee the end-entity certificate to check
+* @throws ValidatorException if the end-entity certificate is distrusted
+*/
+abstract void checkDistrust(String variant,
+X509Certificate anchor,
+X509Certificate ee) throws ValidatorException;
+// The policies set in the jdk.security.caDistrustPolicies property.
+static final EnumSet<CADistrustPolicy> POLICIES = parseProperty();
+private static EnumSet<CADistrustPolicy> parseProperty() {
+String property = AccessController.doPrivileged(
+new PrivilegedAction<>() {
+@Override
+public String run() {
+return Security.getProperty(
+"jdk.security.caDistrustPolicies");
+}
+});
+EnumSet<CADistrustPolicy> set = EnumSet.noneOf(CADistrustPolicy.class);
+// if property is null or empty, the restrictions are not enforced
+if (property == null || property.isEmpty()) {
+return set;
+}
+String[] policies = property.split(",");
+for (String policy : policies) {
+policy = policy.trim();
+try {
+CADistrustPolicy caPolicy =
+Enum.valueOf(CADistrustPolicy.class, policy);
+set.add(caPolicy);
+} catch (IllegalArgumentException iae) {
+// ignore unknown values but log it
+Debug debug = Debug.getInstance("certpath");
+if (debug != null) {
+debug.println("Unknown value for the " +
+"jdk.security.caDistrustPolicies property: "
++ policy);
+}
+}
+}
+return set;
+}
+}

changeset 52948	04c9b7111aac
child 53428	f443de1cee05