1 /* |
1 /* |
2 * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved. |
2 * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 * |
4 * |
5 * This code is free software; you can redistribute it and/or modify it |
5 * This code is free software; you can redistribute it and/or modify it |
6 * under the terms of the GNU General Public License version 2 only, as |
6 * under the terms of the GNU General Public License version 2 only, as |
7 * published by the Free Software Foundation. Oracle designates this |
7 * published by the Free Software Foundation. Oracle designates this |
35 import java.security.Principal; |
35 import java.security.Principal; |
36 import java.security.PublicKey; |
36 import java.security.PublicKey; |
37 import java.security.Signature; |
37 import java.security.Signature; |
38 import java.security.SignatureException; |
38 import java.security.SignatureException; |
39 import java.security.Timestamp; |
39 import java.security.Timestamp; |
|
40 import java.security.cert.CertPathValidatorException; |
40 import java.security.cert.CertificateException; |
41 import java.security.cert.CertificateException; |
41 import java.security.cert.CertificateFactory; |
42 import java.security.cert.CertificateFactory; |
42 import java.security.cert.CertPath; |
43 import java.security.cert.CertPath; |
43 import java.security.cert.X509Certificate; |
44 import java.security.cert.X509Certificate; |
44 import java.util.ArrayList; |
45 import java.util.ArrayList; |
46 import java.util.Collections; |
47 import java.util.Collections; |
47 import java.util.EnumSet; |
48 import java.util.EnumSet; |
48 import java.util.Set; |
49 import java.util.Set; |
49 |
50 |
50 import sun.security.timestamp.TimestampToken; |
51 import sun.security.timestamp.TimestampToken; |
|
52 import sun.security.util.ConstraintsParameters; |
51 import sun.security.util.Debug; |
53 import sun.security.util.Debug; |
52 import sun.security.util.DerEncoder; |
54 import sun.security.util.DerEncoder; |
53 import sun.security.util.DerInputStream; |
55 import sun.security.util.DerInputStream; |
54 import sun.security.util.DerOutputStream; |
56 import sun.security.util.DerOutputStream; |
55 import sun.security.util.DerValue; |
57 import sun.security.util.DerValue; |
319 ContentInfo content = block.getContentInfo(); |
321 ContentInfo content = block.getContentInfo(); |
320 if (data == null) { |
322 if (data == null) { |
321 data = content.getContentBytes(); |
323 data = content.getContentBytes(); |
322 } |
324 } |
323 |
325 |
|
326 ConstraintsParameters cparams = |
|
327 new ConstraintsParameters(timestamp); |
324 String digestAlgname = getDigestAlgorithmId().getName(); |
328 String digestAlgname = getDigestAlgorithmId().getName(); |
325 |
329 |
326 byte[] dataSigned; |
330 byte[] dataSigned; |
327 |
331 |
328 // if there are authenticate attributes, get the message |
332 // if there are authenticate attributes, get the message |
345 PKCS9Attribute.MESSAGE_DIGEST_OID); |
349 PKCS9Attribute.MESSAGE_DIGEST_OID); |
346 |
350 |
347 if (messageDigest == null) // fail if there is no message digest |
351 if (messageDigest == null) // fail if there is no message digest |
348 return null; |
352 return null; |
349 |
353 |
350 // check that algorithm is not restricted |
354 // check that digest algorithm is not restricted |
351 if (!JAR_DISABLED_CHECK.permits(DIGEST_PRIMITIVE_SET, |
355 try { |
352 digestAlgname, null)) { |
356 JAR_DISABLED_CHECK.permits(digestAlgname, cparams); |
353 throw new SignatureException("Digest check failed. " + |
357 } catch (CertPathValidatorException e) { |
354 "Disabled algorithm used: " + digestAlgname); |
358 throw new SignatureException(e.getMessage(), e); |
355 } |
359 } |
356 |
360 |
357 MessageDigest md = MessageDigest.getInstance(digestAlgname); |
361 MessageDigest md = MessageDigest.getInstance(digestAlgname); |
358 byte[] computedMessageDigest = md.digest(data); |
362 byte[] computedMessageDigest = md.digest(data); |
359 |
363 |
383 String tmp = AlgorithmId.getEncAlgFromSigAlg(encryptionAlgname); |
387 String tmp = AlgorithmId.getEncAlgFromSigAlg(encryptionAlgname); |
384 if (tmp != null) encryptionAlgname = tmp; |
388 if (tmp != null) encryptionAlgname = tmp; |
385 String algname = AlgorithmId.makeSigAlg( |
389 String algname = AlgorithmId.makeSigAlg( |
386 digestAlgname, encryptionAlgname); |
390 digestAlgname, encryptionAlgname); |
387 |
391 |
388 // check that algorithm is not restricted |
392 // check that jar signature algorithm is not restricted |
389 if (!JAR_DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, algname, null)) { |
393 try { |
390 throw new SignatureException("Signature check failed. " + |
394 JAR_DISABLED_CHECK.permits(algname, cparams); |
391 "Disabled algorithm used: " + algname); |
395 } catch (CertPathValidatorException e) { |
|
396 throw new SignatureException(e.getMessage(), e); |
392 } |
397 } |
393 |
398 |
394 X509Certificate cert = getCertificate(block); |
399 X509Certificate cert = getCertificate(block); |
395 PublicKey key = cert.getPublicKey(); |
|
396 if (cert == null) { |
400 if (cert == null) { |
397 return null; |
401 return null; |
398 } |
402 } |
|
403 PublicKey key = cert.getPublicKey(); |
399 |
404 |
400 // check if the public key is restricted |
405 // check if the public key is restricted |
401 if (!JAR_DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) { |
406 if (!JAR_DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) { |
402 throw new SignatureException("Public key check failed. " + |
407 throw new SignatureException("Public key check failed. " + |
403 "Disabled key used: " + |
408 "Disabled key used: " + |