jdk-sandbox: comparison jdk/src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java

equal deleted inserted replaced

-:ee6b5bd26bf9
+:fe8c324ba97c
 /*
-* Copyright (c) 2009, 2016, Oracle and/or its affiliates. All rights reserved.
+* Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 package sun.security.provider.certpath;
 import java.security.AlgorithmConstraints;
 import java.security.CryptoPrimitive;
 import java.security.Timestamp;
+import java.security.cert.CertPathValidator;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
 import java.util.Set;
 import java.util.EnumSet;
 import java.security.interfaces.DSAParams;
 import java.security.interfaces.DSAPublicKey;
 import java.security.spec.DSAPublicKeySpec;
 import sun.security.util.AnchorCertificates;
-import sun.security.util.CertConstraintParameters;
+import sun.security.util.ConstraintsParameters;
 import sun.security.util.Debug;
 import sun.security.util.DisabledAlgorithmConstraints;
+import sun.security.validator.Validator;
 import sun.security.x509.X509CertImpl;
 import sun.security.x509.X509CRLImpl;
 import sun.security.x509.AlgorithmId;
 /**
 private final AlgorithmConstraints constraints;
 private final PublicKey trustedPubKey;
 private final Date pkixdate;
 private PublicKey prevPubKey;
 private final Timestamp jarTimestamp;
+private final String variant;
 private static final Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET =
 Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
 private static final Set<CryptoPrimitive> KU_PRIMITIVE_SET =
 * constraints specified in security property
 * "jdk.certpath.disabledAlgorithms".
 *
 * @param anchor the trust anchor selected to validate the target
 *     certificate
-*/
+* @param variant is the Validator variants of the operation. A null value
-public AlgorithmChecker(TrustAnchor anchor) {
+*                passed will set it to Validator.GENERIC.
-this(anchor, certPathDefaultConstraints, null);
+*/
-}
+public AlgorithmChecker(TrustAnchor anchor, String variant) {
+this(anchor, certPathDefaultConstraints, null, variant);
-/**
+}
-* Create a new {@code AlgorithmChecker} with the
-* given {@code TrustAnchor} and {@code AlgorithmConstraints}.
+/**
-*
+* Create a new {@code AlgorithmChecker} with the given
-* @param anchor the trust anchor selected to validate the target
+* {@code AlgorithmConstraints}, {@code Timestamp}, and/or {@code Variant}.
-*     certificate
+* <p>
+* Note that this constructor can initialize a variation of situations where
+* the AlgorithmConstraints, Timestamp, or Variant maybe known.
+*
 * @param constraints the algorithm constraints (or null)
-*
+* @param jarTimestamp Timestamp passed for JAR timestamp constraint
-* @throws IllegalArgumentException if the {@code anchor} is null
+*                     checking. Set to null if not applicable.
-*/
+* @param variant is the Validator variants of the operation. A null value
-public AlgorithmChecker(TrustAnchor anchor,
+*                passed will set it to Validator.GENERIC.
-AlgorithmConstraints constraints) {
+*/
-this(anchor, constraints, null);
+public AlgorithmChecker(AlgorithmConstraints constraints,
-}
+Timestamp jarTimestamp, String variant) {
-/**
-* Create a new {@code AlgorithmChecker} with the
-* given {@code AlgorithmConstraints}.
-* <p>
-* Note that this constructor will be used to check a certification
-* path where the trust anchor is unknown, or a certificate list which may
-* contain the trust anchor. This constructor is used by SunJSSE.
-*
-* @param constraints the algorithm constraints (or null)
-*/
-public AlgorithmChecker(AlgorithmConstraints constraints) {
 this.prevPubKey = null;
 this.trustedPubKey = null;
-this.constraints = constraints;
+this.constraints = (constraints == null ? certPathDefaultConstraints :
-this.pkixdate = null;
+constraints);
-this.jarTimestamp = null;
+this.pkixdate = (jarTimestamp != null ? jarTimestamp.getTimestamp() :
-}
+null);
-/**
-* Create a new {@code AlgorithmChecker} with the given
-* {@code Timestamp}.
-* <p>
-* Note that this constructor will be used to check a certification
-* path for signed JAR files that are timestamped.
-*
-* @param jarTimestamp Timestamp passed for JAR timestamp constraint
-*                     checking. Set to null if not applicable.
-*/
-public AlgorithmChecker(Timestamp jarTimestamp) {
-this.prevPubKey = null;
-this.trustedPubKey = null;
-this.constraints = certPathDefaultConstraints;
-if (jarTimestamp == null) {
-throw new IllegalArgumentException(
-"Timestamp cannot be null");
-}
-this.pkixdate = jarTimestamp.getTimestamp();
 this.jarTimestamp = jarTimestamp;
+this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
 }
 /**
 * Create a new {@code AlgorithmChecker} with the
 * given {@code TrustAnchor} and {@code AlgorithmConstraints}.
 * @param anchor the trust anchor selected to validate the target
 *     certificate
 * @param constraints the algorithm constraints (or null)
 * @param pkixdate Date the constraints are checked against. The value is
 *             either the PKIXParameter date or null for the current date.
+* @param variant is the Validator variants of the operation. A null value
+*                passed will set it to Validator.GENERIC.
 *
 * @throws IllegalArgumentException if the {@code anchor} is null
 */
 public AlgorithmChecker(TrustAnchor anchor,
-AlgorithmConstraints constraints,
+AlgorithmConstraints constraints, Date pkixdate, String variant) {
-Date pkixdate) {
 if (anchor != null) {
 if (anchor.getTrustedCert() != null) {
 this.trustedPubKey = anchor.getTrustedCert().getPublicKey();
 // Check for anchor certificate restrictions
 this.prevPubKey = trustedPubKey;
 this.constraints = constraints;
 this.pkixdate = pkixdate;
 this.jarTimestamp = null;
+this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
 }
 /**
 * Create a new {@code AlgorithmChecker} with the
 * given {@code TrustAnchor} and {@code PKIXParameter} date.
 *
 * @param anchor the trust anchor selected to validate the target
 *     certificate
 * @param pkixdate Date the constraints are checked against. The value is
 *             either the PKIXParameter date or null for the current date.
+* @param variant is the Validator variants of the operation. A null value
+*                passed will set it to Validator.GENERIC.
 *
 * @throws IllegalArgumentException if the {@code anchor} is null
 */
-public AlgorithmChecker(TrustAnchor anchor, Date pkixdate) {
+public AlgorithmChecker(TrustAnchor anchor, Date pkixdate, String variant) {
-this(anchor, certPathDefaultConstraints, pkixdate);
+this(anchor, certPathDefaultConstraints, pkixdate, variant);
 }
 // Check this 'cert' for restrictions in the AnchorCertificates
 // trusted certificates list
 private static boolean checkFingerprint(X509Certificate cert) {
 throw new CertPathValidatorException(
 "incorrect KeyUsage extension",
 null, null, -1, PKIXReason.INVALID_KEY_USAGE);
 }
-// Assume all key usage bits are set if key usage is not present
-Set<CryptoPrimitive> primitives = KU_PRIMITIVE_SET;
-if (keyUsage != null) {
-primitives = EnumSet.noneOf(CryptoPrimitive.class);
-if (keyUsage[0] || keyUsage[1] || keyUsage[5] || keyUsage[6]) {
-// keyUsage[0]: KeyUsage.digitalSignature
-// keyUsage[1]: KeyUsage.nonRepudiation
-// keyUsage[5]: KeyUsage.keyCertSign
-// keyUsage[6]: KeyUsage.cRLSign
-primitives.add(CryptoPrimitive.SIGNATURE);
-}
-if (keyUsage[2]) {      // KeyUsage.keyEncipherment
-primitives.add(CryptoPrimitive.KEY_ENCAPSULATION);
-}
-if (keyUsage[3]) {      // KeyUsage.dataEncipherment
-primitives.add(CryptoPrimitive.PUBLIC_KEY_ENCRYPTION);
-}
-if (keyUsage[4]) {      // KeyUsage.keyAgreement
-primitives.add(CryptoPrimitive.KEY_AGREEMENT);
-}
-// KeyUsage.encipherOnly and KeyUsage.decipherOnly are
-// undefined in the absence of the keyAgreement bit.
-if (primitives.isEmpty()) {
-throw new CertPathValidatorException(
-"incorrect KeyUsage extension bits",
-null, null, -1, PKIXReason.INVALID_KEY_USAGE);
-}
-}
-PublicKey currPubKey = cert.getPublicKey();
-if (constraints instanceof DisabledAlgorithmConstraints) {
-// Check against DisabledAlgorithmConstraints certpath constraints.
-// permits() will throw exception on failure.
-((DisabledAlgorithmConstraints)constraints).permits(primitives,
-new CertConstraintParameters((X509Certificate)cert,
-trustedMatch, pkixdate, jarTimestamp));
-// If there is no previous key, set one and exit
-if (prevPubKey == null) {
-prevPubKey = currPubKey;
-return;
-}
-}
 X509CertImpl x509Cert;
 AlgorithmId algorithmId;
 try {
 x509Cert = X509CertImpl.toImpl((X509Certificate)cert);
 algorithmId = (AlgorithmId)x509Cert.get(X509CertImpl.SIG_ALG);
 } catch (CertificateException ce) {
 throw new CertPathValidatorException(ce);
 }
 AlgorithmParameters currSigAlgParams = algorithmId.getParameters();
+PublicKey currPubKey = cert.getPublicKey();
 String currSigAlg = x509Cert.getSigAlgName();
-// If 'constraints' is not of DisabledAlgorithmConstraints, check all
+// Check the signature algorithm and parameters against constraints.
-// everything individually
+if (!constraints.permits(SIGNATURE_PRIMITIVE_SET, currSigAlg,
-if (!(constraints instanceof DisabledAlgorithmConstraints)) {
+currSigAlgParams)) {
-// Check the current signature algorithm
+throw new CertPathValidatorException(
-if (!constraints.permits(
+"Algorithm constraints check failed on signature " +
-SIGNATURE_PRIMITIVE_SET,
+"algorithm: " + currSigAlg, null, null, -1,
-currSigAlg, currSigAlgParams)) {
+BasicReason.ALGORITHM_CONSTRAINED);
+}
+// Assume all key usage bits are set if key usage is not present
+Set<CryptoPrimitive> primitives = KU_PRIMITIVE_SET;
+if (keyUsage != null) {
+primitives = EnumSet.noneOf(CryptoPrimitive.class);
+if (keyUsage[0] || keyUsage[1] || keyUsage[5] || keyUsage[6]) {
+// keyUsage[0]: KeyUsage.digitalSignature
+// keyUsage[1]: KeyUsage.nonRepudiation
+// keyUsage[5]: KeyUsage.keyCertSign
+// keyUsage[6]: KeyUsage.cRLSign
+primitives.add(CryptoPrimitive.SIGNATURE);
+}
+if (keyUsage[2]) {      // KeyUsage.keyEncipherment
+primitives.add(CryptoPrimitive.KEY_ENCAPSULATION);
+}
+if (keyUsage[3]) {      // KeyUsage.dataEncipherment
+primitives.add(CryptoPrimitive.PUBLIC_KEY_ENCRYPTION);
+}
+if (keyUsage[4]) {      // KeyUsage.keyAgreement
+primitives.add(CryptoPrimitive.KEY_AGREEMENT);
+}
+// KeyUsage.encipherOnly and KeyUsage.decipherOnly are
+// undefined in the absence of the keyAgreement bit.
+if (primitives.isEmpty()) {
 throw new CertPathValidatorException(
-"Algorithm constraints check failed on signature " +
+"incorrect KeyUsage extension bits",
-"algorithm: " + currSigAlg, null, null, -1,
+null, null, -1, PKIXReason.INVALID_KEY_USAGE);
-BasicReason.ALGORITHM_CONSTRAINED);
+}
 }
+ConstraintsParameters cp =
+new ConstraintsParameters((X509Certificate)cert,
+trustedMatch, pkixdate, jarTimestamp, variant);
+// Check against local constraints if it is DisabledAlgorithmConstraints
+if (constraints instanceof DisabledAlgorithmConstraints) {
+((DisabledAlgorithmConstraints)constraints).permits(currSigAlg, cp);
+// DisabledAlgorithmsConstraints does not check primitives, so key
+// additional key check.
+} else {
+// Perform the default constraints checking anyway.
+certPathDefaultConstraints.permits(currSigAlg, cp);
+// Call locally set constraints to check key with primitives.
 if (!constraints.permits(primitives, currPubKey)) {
 throw new CertPathValidatorException(
-"Algorithm constraints check failed on keysize: " +
+"Algorithm constraints check failed on key " +
-sun.security.util.KeyUtil.getKeySize(currPubKey),
+currPubKey.getAlgorithm() + " with size of " +
+sun.security.util.KeyUtil.getKeySize(currPubKey) +
+"bits",
 null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
 }
 }
+// If there is no previous key, set one and exit
+if (prevPubKey == null) {
+prevPubKey = currPubKey;
+return;
+}
 // Check with previous cert for signature algorithm and public key
-if (prevPubKey != null) {
+if (!constraints.permits(
-if (!constraints.permits(
+SIGNATURE_PRIMITIVE_SET,
-SIGNATURE_PRIMITIVE_SET,
+currSigAlg, prevPubKey, currSigAlgParams)) {
-currSigAlg, prevPubKey, currSigAlgParams)) {
+throw new CertPathValidatorException(
-throw new CertPathValidatorException(
 "Algorithm constraints check failed on " +
 "signature algorithm: " + currSigAlg,
 null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
 }
 // Inherit key parameters from previous key
 if (PKIX.isDSAPublicKeyWithoutParams(currPubKey)) {
 // Inherit DSA parameters from previous key
 if (!(prevPubKey instanceof DSAPublicKey)) {
 throw new CertPathValidatorException("Input key is not " +
 "of a appropriate type for inheriting parameters");
 }
 DSAParams params = ((DSAPublicKey)prevPubKey).getParams();
 if (params == null) {
 throw new CertPathValidatorException(
 "Key parameters missing from public key.");
 }
 try {
 BigInteger y = ((DSAPublicKey)currPubKey).getY();
 KeyFactory kf = KeyFactory.getInstance("DSA");
-DSAPublicKeySpec ks = new DSAPublicKeySpec(y,
+DSAPublicKeySpec ks = new DSAPublicKeySpec(y, params.getP(),
-params.getP(),
+params.getQ(), params.getG());
-params.getQ(),
+currPubKey = kf.generatePublic(ks);
-params.getG());
+} catch (GeneralSecurityException e) {
-currPubKey = kf.generatePublic(ks);
+throw new CertPathValidatorException("Unable to generate " +
-} catch (GeneralSecurityException e) {
-throw new CertPathValidatorException("Unable to generate " +
 "key with inherited parameters: " + e.getMessage(), e);
-}
 }
 }
 // reset the previous public key
 prevPubKey = currPubKey;
-// check the extended key usage, ignore the check now
-// List<String> extendedKeyUsages = x509Cert.getExtendedKeyUsage();
-// DO NOT remove any unresolved critical extensions
 }
 /**
 * Try to set the trust anchor of the checker.
 * <p>
 /**
 * Check the signature algorithm with the specified public key.
 *
 * @param key the public key to verify the CRL signature
 * @param crl the target CRL
-*/
+* @param variant is the Validator variants of the operation. A null value
-static void check(PublicKey key, X509CRL crl)
+*                passed will set it to Validator.GENERIC.
+*/
+static void check(PublicKey key, X509CRL crl, String variant)
 throws CertPathValidatorException {
 X509CRLImpl x509CRLImpl = null;
 try {
 x509CRLImpl = X509CRLImpl.toImpl(crl);
 } catch (CRLException ce) {
 throw new CertPathValidatorException(ce);
 }
 AlgorithmId algorithmId = x509CRLImpl.getSigAlgId();
-check(key, algorithmId);
+check(key, algorithmId, variant);
 }
 /**
 * Check the signature algorithm with the specified public key.
 *
 * @param key the public key to verify the CRL signature
 * @param algorithmId signature algorithm Algorithm ID
-*/
+* @param variant is the Validator variants of the operation. A null value
-static void check(PublicKey key, AlgorithmId algorithmId)
+*                passed will set it to Validator.GENERIC.
+*/
+static void check(PublicKey key, AlgorithmId algorithmId, String variant)
 throws CertPathValidatorException {
 String sigAlgName = algorithmId.getName();
 AlgorithmParameters sigAlgParams = algorithmId.getParameters();
-if (!certPathDefaultConstraints.permits(
+certPathDefaultConstraints.permits(new ConstraintsParameters(
-SIGNATURE_PRIMITIVE_SET, sigAlgName, key, sigAlgParams)) {
+sigAlgName, sigAlgParams, key, variant));
-throw new CertPathValidatorException(
+}
-"Algorithm constraints check failed on signature algorithm: " +
-sigAlgName + " is disabled",
-null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
-}
-}
 }

changeset 43701	fe8c324ba97c
parent 42357	bd44ffcd570f
child 43807	82f979ff031f