27 |
27 |
28 import java.security.AlgorithmConstraints; |
28 import java.security.AlgorithmConstraints; |
29 import java.security.CryptoPrimitive; |
29 import java.security.CryptoPrimitive; |
30 import java.util.Collection; |
30 import java.util.Collection; |
31 import java.util.Collections; |
31 import java.util.Collections; |
|
32 import java.util.Date; |
32 import java.util.Set; |
33 import java.util.Set; |
33 import java.util.EnumSet; |
34 import java.util.EnumSet; |
34 import java.math.BigInteger; |
35 import java.math.BigInteger; |
35 import java.security.PublicKey; |
36 import java.security.PublicKey; |
36 import java.security.KeyFactory; |
37 import java.security.KeyFactory; |
57 import sun.security.x509.X509CertImpl; |
58 import sun.security.x509.X509CertImpl; |
58 import sun.security.x509.X509CRLImpl; |
59 import sun.security.x509.X509CRLImpl; |
59 import sun.security.x509.AlgorithmId; |
60 import sun.security.x509.AlgorithmId; |
60 |
61 |
61 /** |
62 /** |
62 * A <code>PKIXCertPathChecker</code> implementation to check whether a |
63 * A {@code PKIXCertPathChecker} implementation to check whether a |
63 * specified certificate contains the required algorithm constraints. |
64 * specified certificate contains the required algorithm constraints. |
64 * <p> |
65 * <p> |
65 * Certificate fields such as the subject public key, the signature |
66 * Certificate fields such as the subject public key, the signature |
66 * algorithm, key usage, extended key usage, etc. need to conform to |
67 * algorithm, key usage, extended key usage, etc. need to conform to |
67 * the specified algorithm constraints. |
68 * the specified algorithm constraints. |
72 public final class AlgorithmChecker extends PKIXCertPathChecker { |
73 public final class AlgorithmChecker extends PKIXCertPathChecker { |
73 private static final Debug debug = Debug.getInstance("certpath"); |
74 private static final Debug debug = Debug.getInstance("certpath"); |
74 |
75 |
75 private final AlgorithmConstraints constraints; |
76 private final AlgorithmConstraints constraints; |
76 private final PublicKey trustedPubKey; |
77 private final PublicKey trustedPubKey; |
|
78 private final Date pkixdate; |
77 private PublicKey prevPubKey; |
79 private PublicKey prevPubKey; |
78 |
80 |
79 private static final Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET = |
81 private static final Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET = |
80 Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE)); |
82 Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE)); |
81 |
83 |
97 // If anchor checking enabled, this will be true if the trust anchor |
99 // If anchor checking enabled, this will be true if the trust anchor |
98 // has a match in the cacerts file |
100 // has a match in the cacerts file |
99 private boolean trustedMatch = false; |
101 private boolean trustedMatch = false; |
100 |
102 |
101 /** |
103 /** |
102 * Create a new <code>AlgorithmChecker</code> with the algorithm |
104 * Create a new {@code AlgorithmChecker} with the algorithm |
103 * constraints specified in security property |
105 * constraints specified in security property |
104 * "jdk.certpath.disabledAlgorithms". |
106 * "jdk.certpath.disabledAlgorithms". |
105 * |
107 * |
106 * @param anchor the trust anchor selected to validate the target |
108 * @param anchor the trust anchor selected to validate the target |
107 * certificate |
109 * certificate |
108 */ |
110 */ |
109 public AlgorithmChecker(TrustAnchor anchor) { |
111 public AlgorithmChecker(TrustAnchor anchor) { |
110 this(anchor, certPathDefaultConstraints); |
112 this(anchor, certPathDefaultConstraints, null); |
111 } |
113 } |
112 |
114 |
113 /** |
115 /** |
114 * Create a new <code>AlgorithmChecker</code> with the |
116 * Create a new {@code AlgorithmChecker} with the |
|
117 * given {@code TrustAnchor} and {@code AlgorithmConstraints}. |
|
118 * |
|
119 * @param anchor the trust anchor selected to validate the target |
|
120 * certificate |
|
121 * @param constraints the algorithm constraints (or null) |
|
122 * |
|
123 * @throws IllegalArgumentException if the {@code anchor} is null |
|
124 */ |
|
125 public AlgorithmChecker(TrustAnchor anchor, |
|
126 AlgorithmConstraints constraints) { |
|
127 this(anchor, constraints, null); |
|
128 } |
|
129 |
|
130 /** |
|
131 * Create a new {@code AlgorithmChecker} with the |
115 * given {@code AlgorithmConstraints}. |
132 * given {@code AlgorithmConstraints}. |
116 * <p> |
133 * <p> |
117 * Note that this constructor will be used to check a certification |
134 * Note that this constructor will be used to check a certification |
118 * path where the trust anchor is unknown, or a certificate list which may |
135 * path where the trust anchor is unknown, or a certificate list which may |
119 * contain the trust anchor. This constructor is used by SunJSSE. |
136 * contain the trust anchor. This constructor is used by SunJSSE. |
122 */ |
139 */ |
123 public AlgorithmChecker(AlgorithmConstraints constraints) { |
140 public AlgorithmChecker(AlgorithmConstraints constraints) { |
124 this.prevPubKey = null; |
141 this.prevPubKey = null; |
125 this.trustedPubKey = null; |
142 this.trustedPubKey = null; |
126 this.constraints = constraints; |
143 this.constraints = constraints; |
127 } |
144 this.pkixdate = null; |
128 |
145 } |
129 /** |
146 |
130 * Create a new <code>AlgorithmChecker</code> with the |
147 /** |
131 * given <code>TrustAnchor</code> and <code>AlgorithmConstraints</code>. |
148 * Create a new {@code AlgorithmChecker} with the |
|
149 * given {@code TrustAnchor} and {@code AlgorithmConstraints}. |
132 * |
150 * |
133 * @param anchor the trust anchor selected to validate the target |
151 * @param anchor the trust anchor selected to validate the target |
134 * certificate |
152 * certificate |
135 * @param constraints the algorithm constraints (or null) |
153 * @param constraints the algorithm constraints (or null) |
136 * |
154 * @param pkixdate Date the constraints are checked against. The value is |
137 * @throws IllegalArgumentException if the <code>anchor</code> is null |
155 * either the PKIXParameter date or null for the current date. |
|
156 * |
|
157 * @throws IllegalArgumentException if the {@code anchor} is null |
138 */ |
158 */ |
139 public AlgorithmChecker(TrustAnchor anchor, |
159 public AlgorithmChecker(TrustAnchor anchor, |
140 AlgorithmConstraints constraints) { |
160 AlgorithmConstraints constraints, |
|
161 Date pkixdate) { |
141 |
162 |
142 if (anchor == null) { |
163 if (anchor == null) { |
143 throw new IllegalArgumentException( |
164 throw new IllegalArgumentException( |
144 "The trust anchor cannot be null"); |
165 "The trust anchor cannot be null"); |
145 } |
166 } |
155 this.trustedPubKey = anchor.getCAPublicKey(); |
176 this.trustedPubKey = anchor.getCAPublicKey(); |
156 } |
177 } |
157 |
178 |
158 this.prevPubKey = trustedPubKey; |
179 this.prevPubKey = trustedPubKey; |
159 this.constraints = constraints; |
180 this.constraints = constraints; |
|
181 this.pkixdate = pkixdate; |
|
182 } |
|
183 |
|
184 /** |
|
185 * Create a new {@code AlgorithmChecker} with the |
|
186 * given {@code TrustAnchor} and {@code PKIXParameter} date. |
|
187 * |
|
188 * @param anchor the trust anchor selected to validate the target |
|
189 * certificate |
|
190 * @param pkixdate Date the constraints are checked against. The value is |
|
191 * either the PKIXParameter date or null for the current date. |
|
192 * |
|
193 * @throws IllegalArgumentException if the {@code anchor} is null |
|
194 */ |
|
195 public AlgorithmChecker(TrustAnchor anchor, Date pkixdate) { |
|
196 this(anchor, certPathDefaultConstraints, pkixdate); |
160 } |
197 } |
161 |
198 |
162 // Check this 'cert' for restrictions in the AnchorCertificates |
199 // Check this 'cert' for restrictions in the AnchorCertificates |
163 // trusted certificates list |
200 // trusted certificates list |
164 private static boolean checkFingerprint(X509Certificate cert) { |
201 private static boolean checkFingerprint(X509Certificate cert) { |
257 |
294 |
258 // Check against DisabledAlgorithmConstraints certpath constraints. |
295 // Check against DisabledAlgorithmConstraints certpath constraints. |
259 // permits() will throw exception on failure. |
296 // permits() will throw exception on failure. |
260 certPathDefaultConstraints.permits(primitives, |
297 certPathDefaultConstraints.permits(primitives, |
261 new CertConstraintParameters((X509Certificate)cert, |
298 new CertConstraintParameters((X509Certificate)cert, |
262 trustedMatch)); |
299 trustedMatch, pkixdate)); |
263 // new CertConstraintParameters(x509Cert, trustedMatch)); |
300 // new CertConstraintParameters(x509Cert, trustedMatch)); |
264 // If there is no previous key, set one and exit |
301 // If there is no previous key, set one and exit |
265 if (prevPubKey == null) { |
302 if (prevPubKey == null) { |
266 prevPubKey = currPubKey; |
303 prevPubKey = currPubKey; |
267 return; |
304 return; |