--- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java Wed Feb 08 12:27:45 2017 -0700
+++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java Wed Feb 08 12:08:28 2017 -0800
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2009, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -28,6 +28,7 @@
import java.security.AlgorithmConstraints;
import java.security.CryptoPrimitive;
import java.security.Timestamp;
+import java.security.cert.CertPathValidator;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
@@ -53,9 +54,10 @@
import java.security.spec.DSAPublicKeySpec;
import sun.security.util.AnchorCertificates;
-import sun.security.util.CertConstraintParameters;
+import sun.security.util.ConstraintsParameters;
import sun.security.util.Debug;
import sun.security.util.DisabledAlgorithmConstraints;
+import sun.security.validator.Validator;
import sun.security.x509.X509CertImpl;
import sun.security.x509.X509CRLImpl;
import sun.security.x509.AlgorithmId;
@@ -79,6 +81,7 @@
private final Date pkixdate;
private PublicKey prevPubKey;
private final Timestamp jarTimestamp;
+ private final String variant;
private static final Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET =
Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
@@ -109,64 +112,36 @@
*
* @param anchor the trust anchor selected to validate the target
* certificate
- */
- public AlgorithmChecker(TrustAnchor anchor) {
- this(anchor, certPathDefaultConstraints, null);
- }
-
- /**
- * Create a new {@code AlgorithmChecker} with the
- * given {@code TrustAnchor} and {@code AlgorithmConstraints}.
- *
- * @param anchor the trust anchor selected to validate the target
- * certificate
- * @param constraints the algorithm constraints (or null)
- *
- * @throws IllegalArgumentException if the {@code anchor} is null
+ * @param variant is the Validator variants of the operation. A null value
+ * passed will set it to Validator.GENERIC.
*/
- public AlgorithmChecker(TrustAnchor anchor,
- AlgorithmConstraints constraints) {
- this(anchor, constraints, null);
- }
-
- /**
- * Create a new {@code AlgorithmChecker} with the
- * given {@code AlgorithmConstraints}.
- * <p>
- * Note that this constructor will be used to check a certification
- * path where the trust anchor is unknown, or a certificate list which may
- * contain the trust anchor. This constructor is used by SunJSSE.
- *
- * @param constraints the algorithm constraints (or null)
- */
- public AlgorithmChecker(AlgorithmConstraints constraints) {
- this.prevPubKey = null;
- this.trustedPubKey = null;
- this.constraints = constraints;
- this.pkixdate = null;
- this.jarTimestamp = null;
+ public AlgorithmChecker(TrustAnchor anchor, String variant) {
+ this(anchor, certPathDefaultConstraints, null, variant);
}
/**
* Create a new {@code AlgorithmChecker} with the given
- * {@code Timestamp}.
+ * {@code AlgorithmConstraints}, {@code Timestamp}, and/or {@code Variant}.
* <p>
- * Note that this constructor will be used to check a certification
- * path for signed JAR files that are timestamped.
+ * Note that this constructor can initialize a variation of situations where
+ * the AlgorithmConstraints, Timestamp, or Variant maybe known.
*
+ * @param constraints the algorithm constraints (or null)
* @param jarTimestamp Timestamp passed for JAR timestamp constraint
* checking. Set to null if not applicable.
+ * @param variant is the Validator variants of the operation. A null value
+ * passed will set it to Validator.GENERIC.
*/
- public AlgorithmChecker(Timestamp jarTimestamp) {
+ public AlgorithmChecker(AlgorithmConstraints constraints,
+ Timestamp jarTimestamp, String variant) {
this.prevPubKey = null;
this.trustedPubKey = null;
- this.constraints = certPathDefaultConstraints;
- if (jarTimestamp == null) {
- throw new IllegalArgumentException(
- "Timestamp cannot be null");
- }
- this.pkixdate = jarTimestamp.getTimestamp();
+ this.constraints = (constraints == null ? certPathDefaultConstraints :
+ constraints);
+ this.pkixdate = (jarTimestamp != null ? jarTimestamp.getTimestamp() :
+ null);
this.jarTimestamp = jarTimestamp;
+ this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
}
/**
@@ -178,12 +153,13 @@
* @param constraints the algorithm constraints (or null)
* @param pkixdate Date the constraints are checked against. The value is
* either the PKIXParameter date or null for the current date.
+ * @param variant is the Validator variants of the operation. A null value
+ * passed will set it to Validator.GENERIC.
*
* @throws IllegalArgumentException if the {@code anchor} is null
*/
public AlgorithmChecker(TrustAnchor anchor,
- AlgorithmConstraints constraints,
- Date pkixdate) {
+ AlgorithmConstraints constraints, Date pkixdate, String variant) {
if (anchor != null) {
if (anchor.getTrustedCert() != null) {
@@ -207,6 +183,7 @@
this.constraints = constraints;
this.pkixdate = pkixdate;
this.jarTimestamp = null;
+ this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
}
/**
@@ -217,11 +194,13 @@
* certificate
* @param pkixdate Date the constraints are checked against. The value is
* either the PKIXParameter date or null for the current date.
+ * @param variant is the Validator variants of the operation. A null value
+ * passed will set it to Validator.GENERIC.
*
* @throws IllegalArgumentException if the {@code anchor} is null
*/
- public AlgorithmChecker(TrustAnchor anchor, Date pkixdate) {
- this(anchor, certPathDefaultConstraints, pkixdate);
+ public AlgorithmChecker(TrustAnchor anchor, Date pkixdate, String variant) {
+ this(anchor, certPathDefaultConstraints, pkixdate, variant);
}
// Check this 'cert' for restrictions in the AnchorCertificates
@@ -286,6 +265,28 @@
null, null, -1, PKIXReason.INVALID_KEY_USAGE);
}
+ X509CertImpl x509Cert;
+ AlgorithmId algorithmId;
+ try {
+ x509Cert = X509CertImpl.toImpl((X509Certificate)cert);
+ algorithmId = (AlgorithmId)x509Cert.get(X509CertImpl.SIG_ALG);
+ } catch (CertificateException ce) {
+ throw new CertPathValidatorException(ce);
+ }
+
+ AlgorithmParameters currSigAlgParams = algorithmId.getParameters();
+ PublicKey currPubKey = cert.getPublicKey();
+ String currSigAlg = x509Cert.getSigAlgName();
+
+ // Check the signature algorithm and parameters against constraints.
+ if (!constraints.permits(SIGNATURE_PRIMITIVE_SET, currSigAlg,
+ currSigAlgParams)) {
+ throw new CertPathValidatorException(
+ "Algorithm constraints check failed on signature " +
+ "algorithm: " + currSigAlg, null, null, -1,
+ BasicReason.ALGORITHM_CONSTRAINED);
+ }
+
// Assume all key usage bits are set if key usage is not present
Set<CryptoPrimitive> primitives = KU_PRIMITIVE_SET;
@@ -322,101 +323,74 @@
}
}
- PublicKey currPubKey = cert.getPublicKey();
-
- if (constraints instanceof DisabledAlgorithmConstraints) {
- // Check against DisabledAlgorithmConstraints certpath constraints.
- // permits() will throw exception on failure.
- ((DisabledAlgorithmConstraints)constraints).permits(primitives,
- new CertConstraintParameters((X509Certificate)cert,
- trustedMatch, pkixdate, jarTimestamp));
- // If there is no previous key, set one and exit
- if (prevPubKey == null) {
- prevPubKey = currPubKey;
- return;
- }
- }
+ ConstraintsParameters cp =
+ new ConstraintsParameters((X509Certificate)cert,
+ trustedMatch, pkixdate, jarTimestamp, variant);
- X509CertImpl x509Cert;
- AlgorithmId algorithmId;
- try {
- x509Cert = X509CertImpl.toImpl((X509Certificate)cert);
- algorithmId = (AlgorithmId)x509Cert.get(X509CertImpl.SIG_ALG);
- } catch (CertificateException ce) {
- throw new CertPathValidatorException(ce);
- }
-
- AlgorithmParameters currSigAlgParams = algorithmId.getParameters();
- String currSigAlg = x509Cert.getSigAlgName();
+ // Check against local constraints if it is DisabledAlgorithmConstraints
+ if (constraints instanceof DisabledAlgorithmConstraints) {
+ ((DisabledAlgorithmConstraints)constraints).permits(currSigAlg, cp);
+ // DisabledAlgorithmsConstraints does not check primitives, so key
+ // additional key check.
- // If 'constraints' is not of DisabledAlgorithmConstraints, check all
- // everything individually
- if (!(constraints instanceof DisabledAlgorithmConstraints)) {
- // Check the current signature algorithm
- if (!constraints.permits(
- SIGNATURE_PRIMITIVE_SET,
- currSigAlg, currSigAlgParams)) {
- throw new CertPathValidatorException(
- "Algorithm constraints check failed on signature " +
- "algorithm: " + currSigAlg, null, null, -1,
- BasicReason.ALGORITHM_CONSTRAINED);
- }
-
+ } else {
+ // Perform the default constraints checking anyway.
+ certPathDefaultConstraints.permits(currSigAlg, cp);
+ // Call locally set constraints to check key with primitives.
if (!constraints.permits(primitives, currPubKey)) {
throw new CertPathValidatorException(
- "Algorithm constraints check failed on keysize: " +
- sun.security.util.KeyUtil.getKeySize(currPubKey),
+ "Algorithm constraints check failed on key " +
+ currPubKey.getAlgorithm() + " with size of " +
+ sun.security.util.KeyUtil.getKeySize(currPubKey) +
+ "bits",
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
}
+ // If there is no previous key, set one and exit
+ if (prevPubKey == null) {
+ prevPubKey = currPubKey;
+ return;
+ }
+
// Check with previous cert for signature algorithm and public key
- if (prevPubKey != null) {
- if (!constraints.permits(
- SIGNATURE_PRIMITIVE_SET,
- currSigAlg, prevPubKey, currSigAlgParams)) {
- throw new CertPathValidatorException(
+ if (!constraints.permits(
+ SIGNATURE_PRIMITIVE_SET,
+ currSigAlg, prevPubKey, currSigAlgParams)) {
+ throw new CertPathValidatorException(
"Algorithm constraints check failed on " +
"signature algorithm: " + currSigAlg,
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
+ }
+
+ // Inherit key parameters from previous key
+ if (PKIX.isDSAPublicKeyWithoutParams(currPubKey)) {
+ // Inherit DSA parameters from previous key
+ if (!(prevPubKey instanceof DSAPublicKey)) {
+ throw new CertPathValidatorException("Input key is not " +
+ "of a appropriate type for inheriting parameters");
}
- // Inherit key parameters from previous key
- if (PKIX.isDSAPublicKeyWithoutParams(currPubKey)) {
- // Inherit DSA parameters from previous key
- if (!(prevPubKey instanceof DSAPublicKey)) {
- throw new CertPathValidatorException("Input key is not " +
- "of a appropriate type for inheriting parameters");
- }
-
- DSAParams params = ((DSAPublicKey)prevPubKey).getParams();
- if (params == null) {
- throw new CertPathValidatorException(
+ DSAParams params = ((DSAPublicKey)prevPubKey).getParams();
+ if (params == null) {
+ throw new CertPathValidatorException(
"Key parameters missing from public key.");
- }
+ }
- try {
- BigInteger y = ((DSAPublicKey)currPubKey).getY();
- KeyFactory kf = KeyFactory.getInstance("DSA");
- DSAPublicKeySpec ks = new DSAPublicKeySpec(y,
- params.getP(),
- params.getQ(),
- params.getG());
- currPubKey = kf.generatePublic(ks);
- } catch (GeneralSecurityException e) {
- throw new CertPathValidatorException("Unable to generate " +
+ try {
+ BigInteger y = ((DSAPublicKey)currPubKey).getY();
+ KeyFactory kf = KeyFactory.getInstance("DSA");
+ DSAPublicKeySpec ks = new DSAPublicKeySpec(y, params.getP(),
+ params.getQ(), params.getG());
+ currPubKey = kf.generatePublic(ks);
+ } catch (GeneralSecurityException e) {
+ throw new CertPathValidatorException("Unable to generate " +
"key with inherited parameters: " + e.getMessage(), e);
- }
}
}
// reset the previous public key
prevPubKey = currPubKey;
-
- // check the extended key usage, ignore the check now
- // List<String> extendedKeyUsages = x509Cert.getExtendedKeyUsage();
-
- // DO NOT remove any unresolved critical extensions
}
/**
@@ -456,8 +430,10 @@
*
* @param key the public key to verify the CRL signature
* @param crl the target CRL
+ * @param variant is the Validator variants of the operation. A null value
+ * passed will set it to Validator.GENERIC.
*/
- static void check(PublicKey key, X509CRL crl)
+ static void check(PublicKey key, X509CRL crl, String variant)
throws CertPathValidatorException {
X509CRLImpl x509CRLImpl = null;
@@ -468,7 +444,7 @@
}
AlgorithmId algorithmId = x509CRLImpl.getSigAlgId();
- check(key, algorithmId);
+ check(key, algorithmId, variant);
}
/**
@@ -476,20 +452,16 @@
*
* @param key the public key to verify the CRL signature
* @param algorithmId signature algorithm Algorithm ID
+ * @param variant is the Validator variants of the operation. A null value
+ * passed will set it to Validator.GENERIC.
*/
- static void check(PublicKey key, AlgorithmId algorithmId)
+ static void check(PublicKey key, AlgorithmId algorithmId, String variant)
throws CertPathValidatorException {
String sigAlgName = algorithmId.getName();
AlgorithmParameters sigAlgParams = algorithmId.getParameters();
- if (!certPathDefaultConstraints.permits(
- SIGNATURE_PRIMITIVE_SET, sigAlgName, key, sigAlgParams)) {
- throw new CertPathValidatorException(
- "Algorithm constraints check failed on signature algorithm: " +
- sigAlgName + " is disabled",
- null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
- }
+ certPathDefaultConstraints.permits(new ConstraintsParameters(
+ sigAlgName, sigAlgParams, key, variant));
}
-
}