37 import java.security.cert.CertPathValidatorException; |
37 import java.security.cert.CertPathValidatorException; |
38 import java.security.cert.Certificate; |
38 import java.security.cert.Certificate; |
39 import java.security.cert.CertificateException; |
39 import java.security.cert.CertificateException; |
40 import java.security.cert.X509Certificate; |
40 import java.security.cert.X509Certificate; |
41 import java.util.*; |
41 import java.util.*; |
42 import static java.util.Locale.ENGLISH; |
|
43 import java.util.concurrent.atomic.AtomicLong; |
42 import java.util.concurrent.atomic.AtomicLong; |
44 import javax.net.ssl.*; |
43 import javax.net.ssl.*; |
45 import sun.security.provider.certpath.AlgorithmChecker; |
44 import sun.security.provider.certpath.AlgorithmChecker; |
46 import sun.security.validator.Validator; |
45 import sun.security.validator.Validator; |
47 |
46 |
290 final String keyAlgorithm; |
289 final String keyAlgorithm; |
291 |
290 |
292 // In TLS 1.2, the signature algorithm has been obsoleted by the |
291 // In TLS 1.2, the signature algorithm has been obsoleted by the |
293 // supported_signature_algorithms, and the certificate type no longer |
292 // supported_signature_algorithms, and the certificate type no longer |
294 // restricts the algorithm used to sign the certificate. |
293 // restricts the algorithm used to sign the certificate. |
|
294 // |
295 // However, because we don't support certificate type checking other |
295 // However, because we don't support certificate type checking other |
296 // than rsa_sign, dss_sign and ecdsa_sign, we don't have to check the |
296 // than rsa_sign, dss_sign and ecdsa_sign, we don't have to check the |
297 // protocol version here. |
297 // protocol version here. |
298 final String sigKeyAlgorithm; |
298 final String sigKeyAlgorithm; |
299 |
299 |
321 chain[1].getPublicKey().getAlgorithm()); |
321 chain[1].getPublicKey().getAlgorithm()); |
322 } else { |
322 } else { |
323 // Check the signature algorithm of the certificate itself. |
323 // Check the signature algorithm of the certificate itself. |
324 // Look for the "withRSA" in "SHA1withRSA", etc. |
324 // Look for the "withRSA" in "SHA1withRSA", etc. |
325 X509Certificate issuer = (X509Certificate)chain[0]; |
325 X509Certificate issuer = (X509Certificate)chain[0]; |
326 String sigAlgName = issuer.getSigAlgName().toUpperCase(ENGLISH); |
326 String sigAlgName = |
327 String pattern = "WITH" + sigKeyAlgorithm.toUpperCase(ENGLISH); |
327 issuer.getSigAlgName().toUpperCase(Locale.ENGLISH); |
|
328 String pattern = |
|
329 "WITH" + sigKeyAlgorithm.toUpperCase(Locale.ENGLISH); |
328 return sigAlgName.contains(pattern); |
330 return sigAlgName.contains(pattern); |
329 } |
331 } |
330 } |
332 } |
331 } |
333 } |
332 |
334 |
432 List<EntryStatus> results = getAliases(i, keyTypeList, |
434 List<EntryStatus> results = getAliases(i, keyTypeList, |
433 issuerSet, true, checkType, constraints, |
435 issuerSet, true, checkType, constraints, |
434 null, null); |
436 null, null); |
435 if (results != null) { |
437 if (results != null) { |
436 if (allResults == null) { |
438 if (allResults == null) { |
437 allResults = new ArrayList<EntryStatus>(); |
439 allResults = new ArrayList<>(); |
438 } |
440 } |
439 allResults.addAll(results); |
441 allResults.addAll(results); |
440 } |
442 } |
441 } catch (Exception e) { |
443 } catch (Exception e) { |
442 // ignore |
444 // ignore |
537 |
539 |
538 private static boolean getBit(boolean[] keyUsage, int bit) { |
540 private static boolean getBit(boolean[] keyUsage, int bit) { |
539 return (bit < keyUsage.length) && keyUsage[bit]; |
541 return (bit < keyUsage.length) && keyUsage[bit]; |
540 } |
542 } |
541 |
543 |
542 // check if this certificate is appropriate for this type of use |
544 // Check if this certificate is appropriate for this type of use |
543 // first check extensions, if they match, check expiration |
545 // first check extensions, if they match, check expiration. |
544 // note: we may want to move this code into the sun.security.validator |
546 // |
|
547 // Note: we may want to move this code into the sun.security.validator |
545 // package |
548 // package |
546 CheckResult check(X509Certificate cert, Date date, |
549 CheckResult check(X509Certificate cert, Date date, |
547 List<SNIServerName> serverNames, String idAlgorithm) { |
550 List<SNIServerName> serverNames, String idAlgorithm) { |
548 |
551 |
549 if (this == NONE) { |
552 if (this == NONE) { |
563 |
566 |
564 // check key usage |
567 // check key usage |
565 boolean[] ku = cert.getKeyUsage(); |
568 boolean[] ku = cert.getKeyUsage(); |
566 if (ku != null) { |
569 if (ku != null) { |
567 String algorithm = cert.getPublicKey().getAlgorithm(); |
570 String algorithm = cert.getPublicKey().getAlgorithm(); |
568 boolean kuSignature = getBit(ku, 0); |
571 boolean supportsDigitalSignature = getBit(ku, 0); |
569 switch (algorithm) { |
572 switch (algorithm) { |
570 case "RSA": |
573 case "RSA": |
571 // require either signature bit |
574 // require either signature bit |
572 // or if server also allow key encipherment bit |
575 // or if server also allow key encipherment bit |
573 if (kuSignature == false) { |
576 if (!supportsDigitalSignature) { |
574 if (this == CLIENT || getBit(ku, 2) == false) { |
577 if (this == CLIENT || getBit(ku, 2) == false) { |
575 return CheckResult.EXTENSION_MISMATCH; |
578 return CheckResult.EXTENSION_MISMATCH; |
576 } |
579 } |
577 } |
580 } |
578 break; |
581 break; |
|
582 case "RSASSA-PSS": |
|
583 if (!supportsDigitalSignature && (this == SERVER)) { |
|
584 return CheckResult.EXTENSION_MISMATCH; |
|
585 } |
|
586 break; |
579 case "DSA": |
587 case "DSA": |
580 // require signature bit |
588 // require signature bit |
581 if (kuSignature == false) { |
589 if (!supportsDigitalSignature) { |
582 return CheckResult.EXTENSION_MISMATCH; |
590 return CheckResult.EXTENSION_MISMATCH; |
583 } |
591 } |
584 break; |
592 break; |
585 case "DH": |
593 case "DH": |
586 // require keyagreement bit |
594 // require keyagreement bit |
588 return CheckResult.EXTENSION_MISMATCH; |
596 return CheckResult.EXTENSION_MISMATCH; |
589 } |
597 } |
590 break; |
598 break; |
591 case "EC": |
599 case "EC": |
592 // require signature bit |
600 // require signature bit |
593 if (kuSignature == false) { |
601 if (!supportsDigitalSignature) { |
594 return CheckResult.EXTENSION_MISMATCH; |
602 return CheckResult.EXTENSION_MISMATCH; |
595 } |
603 } |
596 // For servers, also require key agreement. |
604 // For servers, also require key agreement. |
597 // This is not totally accurate as the keyAgreement |
605 // This is not totally accurate as the keyAgreement |
598 // bit is only necessary for static ECDH key |
606 // bit is only necessary for static ECDH key |
809 // if we have a good match and do not need all matches, |
817 // if we have a good match and do not need all matches, |
810 // return immediately |
818 // return immediately |
811 return Collections.singletonList(status); |
819 return Collections.singletonList(status); |
812 } else { |
820 } else { |
813 if (results == null) { |
821 if (results == null) { |
814 results = new ArrayList<EntryStatus>(); |
822 results = new ArrayList<>(); |
815 } |
823 } |
816 results.add(status); |
824 results.add(status); |
817 } |
825 } |
818 } |
826 } |
819 return results; |
827 return results; |