32 import javax.net.ssl.*; |
32 import javax.net.ssl.*; |
33 |
33 |
34 import java.security.Key; |
34 import java.security.Key; |
35 |
35 |
36 import java.util.Set; |
36 import java.util.Set; |
37 import java.util.HashSet; |
|
38 |
37 |
39 import sun.security.util.DisabledAlgorithmConstraints; |
38 import sun.security.util.DisabledAlgorithmConstraints; |
|
39 import static sun.security.util.DisabledAlgorithmConstraints.*; |
40 import sun.security.ssl.CipherSuite.*; |
40 import sun.security.ssl.CipherSuite.*; |
41 |
41 |
42 /** |
42 /** |
43 * Algorithm constraints for disabled algorithms property |
43 * Algorithm constraints for disabled algorithms property |
44 * |
44 * |
45 * See the "jdk.certpath.disabledAlgorithms" specification in java.security |
45 * See the "jdk.certpath.disabledAlgorithms" specification in java.security |
46 * for the syntax of the disabled algorithm string. |
46 * for the syntax of the disabled algorithm string. |
47 */ |
47 */ |
48 final class SSLAlgorithmConstraints implements AlgorithmConstraints { |
48 final class SSLAlgorithmConstraints implements AlgorithmConstraints { |
|
49 |
49 private final static AlgorithmConstraints tlsDisabledAlgConstraints = |
50 private final static AlgorithmConstraints tlsDisabledAlgConstraints = |
50 new TLSDisabledAlgConstraints(); |
51 new DisabledAlgorithmConstraints(PROPERTY_TLS_DISABLED_ALGS, |
|
52 new SSLAlgorithmDecomposer()); |
|
53 |
51 private final static AlgorithmConstraints x509DisabledAlgConstraints = |
54 private final static AlgorithmConstraints x509DisabledAlgConstraints = |
52 new X509DisabledAlgConstraints(); |
55 new DisabledAlgorithmConstraints(PROPERTY_CERTPATH_DISABLED_ALGS, |
|
56 new SSLAlgorithmDecomposer(true)); |
|
57 |
53 private AlgorithmConstraints userAlgConstraints = null; |
58 private AlgorithmConstraints userAlgConstraints = null; |
54 private AlgorithmConstraints peerAlgConstraints = null; |
59 private AlgorithmConstraints peerAlgConstraints = null; |
55 |
60 |
56 private boolean enabledX509DisabledAlgConstraints = true; |
61 private boolean enabledX509DisabledAlgConstraints = true; |
57 |
62 |
264 } |
269 } |
265 |
270 |
266 return permits(primitives, algorithm, parameters); |
271 return permits(primitives, algorithm, parameters); |
267 } |
272 } |
268 } |
273 } |
269 |
|
270 static private class BasicDisabledAlgConstraints |
|
271 extends DisabledAlgorithmConstraints { |
|
272 BasicDisabledAlgConstraints(String propertyName) { |
|
273 super(propertyName); |
|
274 } |
|
275 |
|
276 protected Set<String> decomposes(KeyExchange keyExchange, |
|
277 boolean forCertPathOnly) { |
|
278 Set<String> components = new HashSet<>(); |
|
279 switch (keyExchange) { |
|
280 case K_NULL: |
|
281 if (!forCertPathOnly) { |
|
282 components.add("NULL"); |
|
283 } |
|
284 break; |
|
285 case K_RSA: |
|
286 components.add("RSA"); |
|
287 break; |
|
288 case K_RSA_EXPORT: |
|
289 components.add("RSA"); |
|
290 components.add("RSA_EXPORT"); |
|
291 break; |
|
292 case K_DH_RSA: |
|
293 components.add("RSA"); |
|
294 components.add("DH"); |
|
295 components.add("DiffieHellman"); |
|
296 components.add("DH_RSA"); |
|
297 break; |
|
298 case K_DH_DSS: |
|
299 components.add("DSA"); |
|
300 components.add("DSS"); |
|
301 components.add("DH"); |
|
302 components.add("DiffieHellman"); |
|
303 components.add("DH_DSS"); |
|
304 break; |
|
305 case K_DHE_DSS: |
|
306 components.add("DSA"); |
|
307 components.add("DSS"); |
|
308 components.add("DH"); |
|
309 components.add("DHE"); |
|
310 components.add("DiffieHellman"); |
|
311 components.add("DHE_DSS"); |
|
312 break; |
|
313 case K_DHE_RSA: |
|
314 components.add("RSA"); |
|
315 components.add("DH"); |
|
316 components.add("DHE"); |
|
317 components.add("DiffieHellman"); |
|
318 components.add("DHE_RSA"); |
|
319 break; |
|
320 case K_DH_ANON: |
|
321 if (!forCertPathOnly) { |
|
322 components.add("ANON"); |
|
323 components.add("DH"); |
|
324 components.add("DiffieHellman"); |
|
325 components.add("DH_ANON"); |
|
326 } |
|
327 break; |
|
328 case K_ECDH_ECDSA: |
|
329 components.add("ECDH"); |
|
330 components.add("ECDSA"); |
|
331 components.add("ECDH_ECDSA"); |
|
332 break; |
|
333 case K_ECDH_RSA: |
|
334 components.add("ECDH"); |
|
335 components.add("RSA"); |
|
336 components.add("ECDH_RSA"); |
|
337 break; |
|
338 case K_ECDHE_ECDSA: |
|
339 components.add("ECDHE"); |
|
340 components.add("ECDSA"); |
|
341 components.add("ECDHE_ECDSA"); |
|
342 break; |
|
343 case K_ECDHE_RSA: |
|
344 components.add("ECDHE"); |
|
345 components.add("RSA"); |
|
346 components.add("ECDHE_RSA"); |
|
347 break; |
|
348 case K_ECDH_ANON: |
|
349 if (!forCertPathOnly) { |
|
350 components.add("ECDH"); |
|
351 components.add("ANON"); |
|
352 components.add("ECDH_ANON"); |
|
353 } |
|
354 break; |
|
355 default: |
|
356 if (ClientKeyExchangeService.find(keyExchange.name) != null) { |
|
357 if (!forCertPathOnly) { |
|
358 components.add(keyExchange.name); |
|
359 } |
|
360 } |
|
361 // otherwise ignore |
|
362 } |
|
363 |
|
364 return components; |
|
365 } |
|
366 |
|
367 protected Set<String> decomposes(BulkCipher bulkCipher) { |
|
368 Set<String> components = new HashSet<>(); |
|
369 |
|
370 if (bulkCipher.transformation != null) { |
|
371 components.addAll(super.decomposes(bulkCipher.transformation)); |
|
372 } |
|
373 |
|
374 return components; |
|
375 } |
|
376 |
|
377 protected Set<String> decomposes(MacAlg macAlg) { |
|
378 Set<String> components = new HashSet<>(); |
|
379 |
|
380 if (macAlg == CipherSuite.MacAlg.M_MD5) { |
|
381 components.add("MD5"); |
|
382 components.add("HmacMD5"); |
|
383 } else if (macAlg == CipherSuite.MacAlg.M_SHA) { |
|
384 components.add("SHA1"); |
|
385 components.add("SHA-1"); |
|
386 components.add("HmacSHA1"); |
|
387 } else if (macAlg == CipherSuite.MacAlg.M_SHA256) { |
|
388 components.add("SHA256"); |
|
389 components.add("SHA-256"); |
|
390 components.add("HmacSHA256"); |
|
391 } else if (macAlg == CipherSuite.MacAlg.M_SHA384) { |
|
392 components.add("SHA384"); |
|
393 components.add("SHA-384"); |
|
394 components.add("HmacSHA384"); |
|
395 } |
|
396 |
|
397 return components; |
|
398 } |
|
399 } |
|
400 |
|
401 static private class TLSDisabledAlgConstraints |
|
402 extends BasicDisabledAlgConstraints { |
|
403 |
|
404 TLSDisabledAlgConstraints() { |
|
405 super(DisabledAlgorithmConstraints.PROPERTY_TLS_DISABLED_ALGS); |
|
406 } |
|
407 |
|
408 @Override |
|
409 protected Set<String> decomposes(String algorithm) { |
|
410 if (algorithm.startsWith("SSL_") || algorithm.startsWith("TLS_")) { |
|
411 CipherSuite cipherSuite = null; |
|
412 try { |
|
413 cipherSuite = CipherSuite.valueOf(algorithm); |
|
414 } catch (IllegalArgumentException iae) { |
|
415 // ignore: unknown or unsupported ciphersuite |
|
416 } |
|
417 |
|
418 if (cipherSuite != null) { |
|
419 Set<String> components = new HashSet<>(); |
|
420 |
|
421 if(cipherSuite.keyExchange != null) { |
|
422 components.addAll( |
|
423 decomposes(cipherSuite.keyExchange, false)); |
|
424 } |
|
425 |
|
426 if (cipherSuite.cipher != null) { |
|
427 components.addAll(decomposes(cipherSuite.cipher)); |
|
428 } |
|
429 |
|
430 if (cipherSuite.macAlg != null) { |
|
431 components.addAll(decomposes(cipherSuite.macAlg)); |
|
432 } |
|
433 |
|
434 return components; |
|
435 } |
|
436 } |
|
437 |
|
438 return super.decomposes(algorithm); |
|
439 } |
|
440 } |
|
441 |
|
442 static private class X509DisabledAlgConstraints |
|
443 extends BasicDisabledAlgConstraints { |
|
444 |
|
445 X509DisabledAlgConstraints() { |
|
446 super(DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS); |
|
447 } |
|
448 |
|
449 @Override |
|
450 protected Set<String> decomposes(String algorithm) { |
|
451 if (algorithm.startsWith("SSL_") || algorithm.startsWith("TLS_")) { |
|
452 CipherSuite cipherSuite = null; |
|
453 try { |
|
454 cipherSuite = CipherSuite.valueOf(algorithm); |
|
455 } catch (IllegalArgumentException iae) { |
|
456 // ignore: unknown or unsupported ciphersuite |
|
457 } |
|
458 |
|
459 if (cipherSuite != null) { |
|
460 Set<String> components = new HashSet<>(); |
|
461 |
|
462 if(cipherSuite.keyExchange != null) { |
|
463 components.addAll( |
|
464 decomposes(cipherSuite.keyExchange, true)); |
|
465 } |
|
466 |
|
467 // Certification path algorithm constraints do not apply |
|
468 // to cipherSuite.cipher and cipherSuite.macAlg. |
|
469 |
|
470 return components; |
|
471 } |
|
472 } |
|
473 |
|
474 return super.decomposes(algorithm); |
|
475 } |
|
476 } |
|
477 } |
274 } |
478 |
|