1 /* |
1 /* |
2 * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. |
2 * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 * |
4 * |
5 * This code is free software; you can redistribute it and/or modify it |
5 * This code is free software; you can redistribute it and/or modify it |
6 * under the terms of the GNU General Public License version 2 only, as |
6 * under the terms of the GNU General Public License version 2 only, as |
7 * published by the Free Software Foundation. Oracle designates this |
7 * published by the Free Software Foundation. Oracle designates this |
37 * jdk.security.caDistrustPolicies security property for more information. |
37 * jdk.security.caDistrustPolicies security property for more information. |
38 */ |
38 */ |
39 enum CADistrustPolicy { |
39 enum CADistrustPolicy { |
40 /** |
40 /** |
41 * Distrust TLS Server certificates anchored by a Symantec root CA and |
41 * Distrust TLS Server certificates anchored by a Symantec root CA and |
42 * issued after April 16, 2019. If enabled, this policy is currently |
42 * issued after April 16, 2019 (with exceptions for a couple of subordinate |
43 * enforced by the PKIX and SunX509 TrustManager implementations of the |
43 * CAs, see the jdk.security.caDistrustPolicies definition in the |
44 * SunJSSE provider implementation. |
44 * java.security file for more details). If enabled, this policy is |
|
45 * currently enforced by the PKIX and SunX509 TrustManager implementations |
|
46 * of the SunJSSE provider implementation. |
45 */ |
47 */ |
46 SYMANTEC_TLS { |
48 SYMANTEC_TLS { |
47 void checkDistrust(String variant, X509Certificate anchor, |
49 void checkDistrust(String variant, X509Certificate[] chain) |
48 X509Certificate ee) throws ValidatorException { |
50 throws ValidatorException { |
49 if (!variant.equals(Validator.VAR_TLS_SERVER)) { |
51 if (!variant.equals(Validator.VAR_TLS_SERVER)) { |
50 return; |
52 return; |
51 } |
53 } |
52 SymantecTLSPolicy.checkDistrust(anchor, ee); |
54 SymantecTLSPolicy.checkDistrust(chain); |
53 } |
55 } |
54 }; |
56 }; |
55 |
57 |
56 /** |
58 /** |
57 * Checks if the end-entity certificate is distrusted. |
59 * Checks if the end-entity certificate is distrusted. |
58 * |
60 * |
59 * @param variant the type of certificate being checked |
61 * @param variant the type of certificate being checked |
60 * @param anchor the trust anchor certificate |
62 * @param chain the end-entity's certificate chain. The end entity cert |
61 * @param ee the end-entity certificate to check |
63 * is at index 0, the trust anchor at index n-1. |
62 * @throws ValidatorException if the end-entity certificate is distrusted |
64 * @throws ValidatorException if the end-entity certificate is distrusted |
63 */ |
65 */ |
64 abstract void checkDistrust(String variant, |
66 abstract void checkDistrust(String variant, |
65 X509Certificate anchor, |
67 X509Certificate[] chain) |
66 X509Certificate ee) throws ValidatorException; |
68 throws ValidatorException; |
67 |
69 |
68 // The policies set in the jdk.security.caDistrustPolicies property. |
70 // The policies set in the jdk.security.caDistrustPolicies property. |
69 static final EnumSet<CADistrustPolicy> POLICIES = parseProperty(); |
71 static final EnumSet<CADistrustPolicy> POLICIES = parseProperty(); |
70 private static EnumSet<CADistrustPolicy> parseProperty() { |
72 private static EnumSet<CADistrustPolicy> parseProperty() { |
71 String property = AccessController.doPrivileged( |
73 String property = AccessController.doPrivileged( |