jdk-sandbox: comparison jdk/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java

equal deleted inserted replaced

-:ee6b5bd26bf9
+:fe8c324ba97c
 /*
-* Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved.
+* Copyright (c) 2010, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * questions.
 */
 package sun.security.util;
+import sun.security.validator.Validator;
 import java.security.CryptoPrimitive;
 import java.security.AlgorithmParameters;
 import java.security.Key;
 import java.security.cert.CertPathValidatorException;
 import java.security.cert.CertPathValidatorException.BasicReason;
 import java.security.cert.X509Certificate;
 import java.text.SimpleDateFormat;
+import java.util.ArrayList;
 import java.util.Calendar;
 import java.util.Date;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
 import java.util.StringTokenizer;
 import java.util.TimeZone;
 * there are keysize or other limit, this method allow the algorithm.
 */
 @Override
 public final boolean permits(Set<CryptoPrimitive> primitives,
 String algorithm, AlgorithmParameters parameters) {
-if (primitives == null || primitives.isEmpty()) {
-throw new IllegalArgumentException(
-"No cryptographic primitive specified");
-}
 return checkAlgorithm(disabledAlgorithms, algorithm, decomposer);
 }
 /*
 * Checks if the key algorithm has been disabled or constraints have been
 if (algorithm == null || algorithm.length() == 0) {
 throw new IllegalArgumentException("No algorithm name specified");
 }
 return checkConstraints(primitives, algorithm, key, parameters);
+}
+public final void permits(ConstraintsParameters cp)
+throws CertPathValidatorException {
+permits(cp.getAlgorithm(), cp);
+}
+public final void permits(String algorithm, Key key,
+AlgorithmParameters params, String variant)
+throws CertPathValidatorException {
+permits(algorithm, new ConstraintsParameters(algorithm, params, key,
+(variant == null) ? Validator.VAR_GENERIC : variant));
 }
 /*
 * Check if a x509Certificate object is permitted.  Check if all
 * algorithms are allowed, certificate constraints, and the
 * public key against key constraints.
 *
 * Uses new style permit() which throws exceptions.
 */
-public final void permits(Set<CryptoPrimitive> primitives,
-CertConstraintParameters cp) throws CertPathValidatorException {
+public final void permits(String algorithm, ConstraintsParameters cp)
-checkConstraints(primitives, cp);
+throws CertPathValidatorException {
-}
+algorithmConstraints.permits(algorithm, cp);
-/*
-* Check if Certificate object is within the constraints.
-* Uses new style permit() which throws exceptions.
-*/
-public final void permits(Set<CryptoPrimitive> primitives,
-X509Certificate cert) throws CertPathValidatorException {
-checkConstraints(primitives, new CertConstraintParameters(cert));
 }
 // Check if a string is contained inside the property
 public boolean checkProperty(String param) {
 param = param.toLowerCase(Locale.ENGLISH);
 // check the key parameter, it cannot be null.
 if (key == null) {
 throw new IllegalArgumentException("The key cannot be null");
 }
-// check the signature algorithm
+// check the signature algorithm with parameters
 if (algorithm != null && algorithm.length() != 0) {
 if (!permits(primitives, algorithm, parameters)) {
 return false;
 }
 }
 // check the key constraints
 return algorithmConstraints.permits(key);
 }
-/*
-* Check algorithm constraints with Certificate
-* Uses new style permit() which throws exceptions.
-*/
-private void checkConstraints(Set<CryptoPrimitive> primitives,
-CertConstraintParameters cp) throws CertPathValidatorException {
-X509Certificate cert = cp.getCertificate();
-String algorithm = cert.getSigAlgName();
-// Check signature algorithm is not disabled
-if (!permits(primitives, algorithm, null)) {
-throw new CertPathValidatorException(
-"Algorithm constraints check failed on disabled "+
-"signature algorithm: " + algorithm,
-null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
-}
-// Check key algorithm is not disabled
-if (!permits(primitives, cert.getPublicKey().getAlgorithm(), null)) {
-throw new CertPathValidatorException(
-"Algorithm constraints check failed on disabled "+
-"public key algorithm: " + algorithm,
-null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
-}
-// Check the certificate and key constraints
-algorithmConstraints.permits(cp);
-}
 /**
 * Key and Certificate Constraints
 *
 * The complete disabling of an algorithm is not handled by Constraints or
 * same as the interface class AlgorithmConstraints.permit().  This is to
 * maintain compatibility:
 * 'true' means the operation is allowed.
 * 'false' means it failed the constraints and is disallowed.
 *
-* When passing CertConstraintParameters through permit(), an exception
+* When passing ConstraintsParameters through permit(), an exception
 * will be thrown on a failure to better identify why the operation was
 * disallowed.
 */
 private static class Constraints {
-private Map<String, Set<Constraint>> constraintsMap = new HashMap<>();
+private Map<String, List<Constraint>> constraintsMap = new HashMap<>();
 private static class Holder {
 private static final Pattern DENY_AFTER_PATTERN = Pattern.compile(
 "denyAfter\\s+(\\d{4})-(\\d{2})-(\\d{2})");
 }
 debug.println("Constraints: " + constraintEntry);
 }
 // Check if constraint is a complete disabling of an
 // algorithm or has conditions.
-String algorithm;
-String policy;
 int space = constraintEntry.indexOf(' ');
-if (space > 0) {
+String algorithm = AlgorithmDecomposer.hashName(
-algorithm = AlgorithmDecomposer.hashName(
+((space > 0 ? constraintEntry.substring(0, space) :
-constraintEntry.substring(0, space).
+constraintEntry).
-toUpperCase(Locale.ENGLISH));
+toUpperCase(Locale.ENGLISH)));
-policy = constraintEntry.substring(space + 1);
+List<Constraint> constraintList =
-} else {
+constraintsMap.getOrDefault(algorithm,
-algorithm = constraintEntry.toUpperCase(Locale.ENGLISH);
+new ArrayList<>(1));
-if (!constraintsMap.containsKey(algorithm)) {
+constraintsMap.putIfAbsent(algorithm, constraintList);
-constraintsMap.putIfAbsent(algorithm,
+if (space <= 0) {
-new HashSet<>());
+constraintList.add(new DisabledConstraint(algorithm));
-}
 continue;
 }
+String policy = constraintEntry.substring(space + 1);
 // Convert constraint conditions into Constraint classes
 Constraint c, lastConstraint = null;
 // Allow only one jdkCA entry per constraint entry
 boolean jdkCALimit = false;
 "Constraint: " + constraintEntry);
 }
 c = new jdkCAConstraint(algorithm);
 jdkCALimit = true;
-} else if(entry.startsWith("denyAfter") &&
+} else if (entry.startsWith("denyAfter") &&
 (matcher = Holder.DENY_AFTER_PATTERN.matcher(entry))
 .matches()) {
 if (debug != null) {
 debug.println("Constraints set to denyAfter");
 }
 int month = Integer.parseInt(matcher.group(2));
 int day = Integer.parseInt(matcher.group(3));
 c = new DenyAfterConstraint(algorithm, year, month,
 day);
 denyAfterLimit = true;
+} else if (entry.startsWith("usage")) {
+String s[] = (entry.substring(5)).trim().split(" ");
+c = new UsageConstraint(algorithm, s);
+if (debug != null) {
+debug.println("Constraints usage length is " + s.length);
+}
 } else {
 throw new IllegalArgumentException("Error in security" +
 " property. Constraint unknown: " + entry);
 }
 // Link multiple conditions for a single constraint
 // into a linked list.
 if (lastConstraint == null) {
-if (!constraintsMap.containsKey(algorithm)) {
+constraintList.add(c);
-constraintsMap.putIfAbsent(algorithm,
-new HashSet<>());
-}
-constraintsMap.get(algorithm).add(c);
 } else {
 lastConstraint.nextConstraint = c;
 }
 lastConstraint = c;
 }
 }
 }
 // Get applicable constraints based off the signature algorithm
-private Set<Constraint> getConstraints(String algorithm) {
+private List<Constraint> getConstraints(String algorithm) {
 return constraintsMap.get(algorithm);
 }
 // Check if KeySizeConstraints permit the specified key
 public boolean permits(Key key) {
-Set<Constraint> set = getConstraints(key.getAlgorithm());
+List<Constraint> list = getConstraints(key.getAlgorithm());
-if (set == null) {
+if (list == null) {
 return true;
 }
-for (Constraint constraint : set) {
+for (Constraint constraint : list) {
 if (!constraint.permits(key)) {
 if (debug != null) {
 debug.println("keySizeConstraint: failed key " +
 "constraint check " + KeyUtil.getKeySize(key));
 }
 }
 return true;
 }
 // Check if constraints permit this cert.
-public void permits(CertConstraintParameters cp)
+public void permits(String algorithm, ConstraintsParameters cp)
 throws CertPathValidatorException {
 X509Certificate cert = cp.getCertificate();
 if (debug != null) {
-debug.println("Constraints.permits(): " + cert.getSigAlgName());
+debug.println("Constraints.permits(): " + algorithm +
+" Variant: " + cp.getVariant());
 }
 // Get all signature algorithms to check for constraints
-Set<String> algorithms =
+Set<String> algorithms = new HashSet<>();
-AlgorithmDecomposer.decomposeOneHash(cert.getSigAlgName());
+if (algorithm != null) {
-if (algorithms == null || algorithms.isEmpty()) {
+algorithms.addAll(AlgorithmDecomposer.decomposeOneHash(algorithm));
-return;
+}
-}
+// Attempt to add the public key algorithm if cert provided
-// Attempt to add the public key algorithm to the set
+if (cert != null) {
 algorithms.add(cert.getPublicKey().getAlgorithm());
+}
+if (cp.getPublicKey() != null) {
+algorithms.add(cp.getPublicKey().getAlgorithm());
+}
 // Check all applicable constraints
-for (String algorithm : algorithms) {
+for (String alg : algorithms) {
-Set<Constraint> set = getConstraints(algorithm);
+List<Constraint> list = getConstraints(alg);
-if (set == null) {
+if (list == null) {
 continue;
 }
-for (Constraint constraint : set) {
+for (Constraint constraint : list) {
 constraint.permits(cp);
 }
 }
 }
 }
 return true;
 }
 /**
 * Check if an algorithm constraint is permitted with a given
-* CertConstraintParameters.
+* ConstraintsParameters.
 *
 * If the check inside of {@code permits()} fails, it must call
-* {@code next()} with the same {@code CertConstraintParameters}
+* {@code next()} with the same {@code ConstraintsParameters}
 * parameter passed if multiple constraints need to be checked.
 *
 * @param cp CertConstraintParameter containing certificate info
 * @throws CertPathValidatorException if constraint disallows.
 *
 */
-public abstract void permits(CertConstraintParameters cp)
+public abstract void permits(ConstraintsParameters cp)
 throws CertPathValidatorException;
 /**
 * Recursively check if the constraints are allowed.
 *
 * {@code permits()} is allowed, this method will exit this and any
 * recursive next() calls, returning 'true'.  If the constraints called
 * were disallowed, the last constraint will throw
 * {@code CertPathValidatorException}.
 *
-* @param cp CertConstraintParameters
+* @param cp ConstraintsParameters
 * @return 'true' if constraint allows the operation, 'false' if
 * we are at the end of the constraint list or,
 * {@code nextConstraint} is null.
 */
-boolean next(CertConstraintParameters cp)
+boolean next(ConstraintsParameters cp)
 throws CertPathValidatorException {
 if (nextConstraint != null) {
 nextConstraint.permits(cp);
 return true;
 }
 if (nextConstraint != null && nextConstraint.permits(key)) {
 return true;
 }
 return false;
 }
+String extendedMsg(ConstraintsParameters cp) {
+return (cp.getCertificate() == null ? "." :
+" used with certificate: " +
+cp.getCertificate().getSubjectX500Principal() +
+(cp.getVariant() != Validator.VAR_GENERIC ?
+".  Usage was " + cp.getVariant() : "."));
+}
 }
 /*
 * This class contains constraints dealing with the certificate chain
 * of the certificate.
 jdkCAConstraint(String algo) {
 algorithm = algo;
 }
 /*
-* Check if CertConstraintParameters has a trusted match, if it does
+* Check if ConstraintsParameters has a trusted match, if it does
 * call next() for any following constraints. If it does not, exit
 * as this constraint(s) does not restrict the operation.
 */
-public void permits(CertConstraintParameters cp)
+public void permits(ConstraintsParameters cp)
 throws CertPathValidatorException {
 if (debug != null) {
 debug.println("jdkCAConstraints.permits(): " + algorithm);
 }
 if (next(cp)) {
 return;
 }
 throw new CertPathValidatorException(
 "Algorithm constraints check failed on certificate " +
-"anchor limits. " + algorithm + " used with " +
+"anchor limits. " + algorithm + extendedMsg(cp),
-cp.getCertificate().getSubjectX500Principal(),
 null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
 }
 }
 }
 *
 * If the constraint disallows, call next() for any following
 * constraints. Throw an exception if this is the last constraint.
 */
 @Override
-public void permits(CertConstraintParameters cp)
+public void permits(ConstraintsParameters cp)
 throws CertPathValidatorException {
 Date currentDate;
 String errmsg;
 if (cp.getJARTimestamp() != null) {
 } else if (cp.getPKIXParamDate() != null) {
 currentDate = cp.getPKIXParamDate();
 errmsg = "PKIXParameter date: ";
 } else {
 currentDate = new Date();
-errmsg = "Certificate date: ";
+errmsg = "Current date: ";
 }
 if (!denyAfterDate.after(currentDate)) {
 if (next(cp)) {
 return;
 }
 throw new CertPathValidatorException(
 "denyAfter constraint check failed: " + algorithm +
 " used with Constraint date: " +
-dateFormat.format(denyAfterDate) + "; "
+dateFormat.format(denyAfterDate) + "; " + errmsg +
-+ errmsg + dateFormat.format(currentDate),
+dateFormat.format(currentDate) + extendedMsg(cp),
 null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
 }
 }
 /*
 }
 return denyAfterDate.after(new Date());
 }
 }
+/*
+* The usage constraint is for the "usage" keyword.  It checks against the
+* variant value in ConstraintsParameters.
+*/
+private static class UsageConstraint extends Constraint {
+String[] usages;
+UsageConstraint(String algorithm, String[] usages) {
+this.algorithm = algorithm;
+this.usages = usages;
+}
+public void permits(ConstraintsParameters cp)
+throws CertPathValidatorException {
+for (String usage : usages) {
+String v = null;
+if (usage.compareToIgnoreCase("TLSServer") == 0) {
+v = Validator.VAR_TLS_SERVER;
+} else if (usage.compareToIgnoreCase("TLSClient") == 0) {
+v = Validator.VAR_TLS_CLIENT;
+} else if (usage.compareToIgnoreCase("SignedJAR") == 0) {
+v = Validator.VAR_PLUGIN_CODE_SIGNING;
+}
+if (debug != null) {
+debug.println("Checking if usage constraint " + v +
+" matches " + cp.getVariant());
+}
+if (cp.getVariant().compareTo(v) == 0) {
+if (next(cp)) {
+return;
+}
+throw new CertPathValidatorException("Usage constraint " +
+usage + " check failed: " + algorithm +
+extendedMsg(cp),
+null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
+}
+}
+}
+}
 /*
 * This class contains constraints dealing with the key size
 * support limits per algorithm.   e.g.  "keySize <= 1024"
 */
 *
 * Check if each constraint fails and check if there is a linked
 * constraint  Any permitted constraint will exit the linked list
 * to allow the operation.
 */
-public void permits(CertConstraintParameters cp)
+public void permits(ConstraintsParameters cp)
 throws CertPathValidatorException {
-if (!permitsImpl(cp.getCertificate().getPublicKey())) {
+Key key = null;
+if (cp.getPublicKey() != null) {
+key = cp.getPublicKey();
+} else if (cp.getCertificate() != null) {
+key = cp.getCertificate().getPublicKey();
+}
+if (key != null && !permitsImpl(key)) {
 if (nextConstraint != null) {
 nextConstraint.permits(cp);
 return;
 }
 throw new CertPathValidatorException(
 "Algorithm constraints check failed on keysize limits. "
-+ algorithm + " " + size + "bit key used with "
++ algorithm + " " + size + "bit key" + extendedMsg(cp),
-+ cp.getCertificate().getSubjectX500Principal(),
 null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
 }
 }
 // please don't disable such keys.
 return true;
 }
 }
+/*
+* This constraint is used for the complete disabling of the algorithm.
+*/
+private static class DisabledConstraint extends Constraint {
+DisabledConstraint(String algo) {
+algorithm = algo;
+}
+public void permits(ConstraintsParameters cp)
+throws CertPathValidatorException {
+throw new CertPathValidatorException(
+"Algorithm constraints check failed on disabled " +
+"algorithm: " + algorithm + extendedMsg(cp),
+null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
+}
+public boolean permits(Key key) {
+return false;
+}
+}
 }

changeset 43701	fe8c324ba97c
parent 41956	69deb06bb8f1
child 44158	49deb8a1ed3f