diff -r ee6b5bd26bf9 -r fe8c324ba97c jdk/src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java --- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java Wed Feb 08 12:27:45 2017 -0700 +++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java Wed Feb 08 12:08:28 2017 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,6 +28,7 @@ import java.security.AlgorithmConstraints; import java.security.CryptoPrimitive; import java.security.Timestamp; +import java.security.cert.CertPathValidator; import java.util.Collection; import java.util.Collections; import java.util.Date; @@ -53,9 +54,10 @@ import java.security.spec.DSAPublicKeySpec; import sun.security.util.AnchorCertificates; -import sun.security.util.CertConstraintParameters; +import sun.security.util.ConstraintsParameters; import sun.security.util.Debug; import sun.security.util.DisabledAlgorithmConstraints; +import sun.security.validator.Validator; import sun.security.x509.X509CertImpl; import sun.security.x509.X509CRLImpl; import sun.security.x509.AlgorithmId; @@ -79,6 +81,7 @@ private final Date pkixdate; private PublicKey prevPubKey; private final Timestamp jarTimestamp; + private final String variant; private static final Set SIGNATURE_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE)); @@ -109,64 +112,36 @@ * * @param anchor the trust anchor selected to validate the target * certificate - */ - public AlgorithmChecker(TrustAnchor anchor) { - this(anchor, certPathDefaultConstraints, null); - } - - /** - * Create a new {@code AlgorithmChecker} with the - * given {@code TrustAnchor} and {@code AlgorithmConstraints}. - * - * @param anchor the trust anchor selected to validate the target - * certificate - * @param constraints the algorithm constraints (or null) - * - * @throws IllegalArgumentException if the {@code anchor} is null + * @param variant is the Validator variants of the operation. A null value + * passed will set it to Validator.GENERIC. */ - public AlgorithmChecker(TrustAnchor anchor, - AlgorithmConstraints constraints) { - this(anchor, constraints, null); - } - - /** - * Create a new {@code AlgorithmChecker} with the - * given {@code AlgorithmConstraints}. - *

- * Note that this constructor will be used to check a certification - * path where the trust anchor is unknown, or a certificate list which may - * contain the trust anchor. This constructor is used by SunJSSE. - * - * @param constraints the algorithm constraints (or null) - */ - public AlgorithmChecker(AlgorithmConstraints constraints) { - this.prevPubKey = null; - this.trustedPubKey = null; - this.constraints = constraints; - this.pkixdate = null; - this.jarTimestamp = null; + public AlgorithmChecker(TrustAnchor anchor, String variant) { + this(anchor, certPathDefaultConstraints, null, variant); } /** * Create a new {@code AlgorithmChecker} with the given - * {@code Timestamp}. + * {@code AlgorithmConstraints}, {@code Timestamp}, and/or {@code Variant}. *

- * Note that this constructor will be used to check a certification - * path for signed JAR files that are timestamped. + * Note that this constructor can initialize a variation of situations where + * the AlgorithmConstraints, Timestamp, or Variant maybe known. * + * @param constraints the algorithm constraints (or null) * @param jarTimestamp Timestamp passed for JAR timestamp constraint * checking. Set to null if not applicable. + * @param variant is the Validator variants of the operation. A null value + * passed will set it to Validator.GENERIC. */ - public AlgorithmChecker(Timestamp jarTimestamp) { + public AlgorithmChecker(AlgorithmConstraints constraints, + Timestamp jarTimestamp, String variant) { this.prevPubKey = null; this.trustedPubKey = null; - this.constraints = certPathDefaultConstraints; - if (jarTimestamp == null) { - throw new IllegalArgumentException( - "Timestamp cannot be null"); - } - this.pkixdate = jarTimestamp.getTimestamp(); + this.constraints = (constraints == null ? certPathDefaultConstraints : + constraints); + this.pkixdate = (jarTimestamp != null ? jarTimestamp.getTimestamp() : + null); this.jarTimestamp = jarTimestamp; + this.variant = (variant == null ? Validator.VAR_GENERIC : variant); } /** @@ -178,12 +153,13 @@ * @param constraints the algorithm constraints (or null) * @param pkixdate Date the constraints are checked against. The value is * either the PKIXParameter date or null for the current date. + * @param variant is the Validator variants of the operation. A null value + * passed will set it to Validator.GENERIC. * * @throws IllegalArgumentException if the {@code anchor} is null */ public AlgorithmChecker(TrustAnchor anchor, - AlgorithmConstraints constraints, - Date pkixdate) { + AlgorithmConstraints constraints, Date pkixdate, String variant) { if (anchor != null) { if (anchor.getTrustedCert() != null) { @@ -207,6 +183,7 @@ this.constraints = constraints; this.pkixdate = pkixdate; this.jarTimestamp = null; + this.variant = (variant == null ? Validator.VAR_GENERIC : variant); } /** @@ -217,11 +194,13 @@ * certificate * @param pkixdate Date the constraints are checked against. The value is * either the PKIXParameter date or null for the current date. + * @param variant is the Validator variants of the operation. A null value + * passed will set it to Validator.GENERIC. * * @throws IllegalArgumentException if the {@code anchor} is null */ - public AlgorithmChecker(TrustAnchor anchor, Date pkixdate) { - this(anchor, certPathDefaultConstraints, pkixdate); + public AlgorithmChecker(TrustAnchor anchor, Date pkixdate, String variant) { + this(anchor, certPathDefaultConstraints, pkixdate, variant); } // Check this 'cert' for restrictions in the AnchorCertificates @@ -286,6 +265,28 @@ null, null, -1, PKIXReason.INVALID_KEY_USAGE); } + X509CertImpl x509Cert; + AlgorithmId algorithmId; + try { + x509Cert = X509CertImpl.toImpl((X509Certificate)cert); + algorithmId = (AlgorithmId)x509Cert.get(X509CertImpl.SIG_ALG); + } catch (CertificateException ce) { + throw new CertPathValidatorException(ce); + } + + AlgorithmParameters currSigAlgParams = algorithmId.getParameters(); + PublicKey currPubKey = cert.getPublicKey(); + String currSigAlg = x509Cert.getSigAlgName(); + + // Check the signature algorithm and parameters against constraints. + if (!constraints.permits(SIGNATURE_PRIMITIVE_SET, currSigAlg, + currSigAlgParams)) { + throw new CertPathValidatorException( + "Algorithm constraints check failed on signature " + + "algorithm: " + currSigAlg, null, null, -1, + BasicReason.ALGORITHM_CONSTRAINED); + } + // Assume all key usage bits are set if key usage is not present Set primitives = KU_PRIMITIVE_SET; @@ -322,101 +323,74 @@ } } - PublicKey currPubKey = cert.getPublicKey(); - - if (constraints instanceof DisabledAlgorithmConstraints) { - // Check against DisabledAlgorithmConstraints certpath constraints. - // permits() will throw exception on failure. - ((DisabledAlgorithmConstraints)constraints).permits(primitives, - new CertConstraintParameters((X509Certificate)cert, - trustedMatch, pkixdate, jarTimestamp)); - // If there is no previous key, set one and exit - if (prevPubKey == null) { - prevPubKey = currPubKey; - return; - } - } + ConstraintsParameters cp = + new ConstraintsParameters((X509Certificate)cert, + trustedMatch, pkixdate, jarTimestamp, variant); - X509CertImpl x509Cert; - AlgorithmId algorithmId; - try { - x509Cert = X509CertImpl.toImpl((X509Certificate)cert); - algorithmId = (AlgorithmId)x509Cert.get(X509CertImpl.SIG_ALG); - } catch (CertificateException ce) { - throw new CertPathValidatorException(ce); - } - - AlgorithmParameters currSigAlgParams = algorithmId.getParameters(); - String currSigAlg = x509Cert.getSigAlgName(); + // Check against local constraints if it is DisabledAlgorithmConstraints + if (constraints instanceof DisabledAlgorithmConstraints) { + ((DisabledAlgorithmConstraints)constraints).permits(currSigAlg, cp); + // DisabledAlgorithmsConstraints does not check primitives, so key + // additional key check. - // If 'constraints' is not of DisabledAlgorithmConstraints, check all - // everything individually - if (!(constraints instanceof DisabledAlgorithmConstraints)) { - // Check the current signature algorithm - if (!constraints.permits( - SIGNATURE_PRIMITIVE_SET, - currSigAlg, currSigAlgParams)) { - throw new CertPathValidatorException( - "Algorithm constraints check failed on signature " + - "algorithm: " + currSigAlg, null, null, -1, - BasicReason.ALGORITHM_CONSTRAINED); - } - + } else { + // Perform the default constraints checking anyway. + certPathDefaultConstraints.permits(currSigAlg, cp); + // Call locally set constraints to check key with primitives. if (!constraints.permits(primitives, currPubKey)) { throw new CertPathValidatorException( - "Algorithm constraints check failed on keysize: " + - sun.security.util.KeyUtil.getKeySize(currPubKey), + "Algorithm constraints check failed on key " + + currPubKey.getAlgorithm() + " with size of " + + sun.security.util.KeyUtil.getKeySize(currPubKey) + + "bits", null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); } } + // If there is no previous key, set one and exit + if (prevPubKey == null) { + prevPubKey = currPubKey; + return; + } + // Check with previous cert for signature algorithm and public key - if (prevPubKey != null) { - if (!constraints.permits( - SIGNATURE_PRIMITIVE_SET, - currSigAlg, prevPubKey, currSigAlgParams)) { - throw new CertPathValidatorException( + if (!constraints.permits( + SIGNATURE_PRIMITIVE_SET, + currSigAlg, prevPubKey, currSigAlgParams)) { + throw new CertPathValidatorException( "Algorithm constraints check failed on " + "signature algorithm: " + currSigAlg, null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); + } + + // Inherit key parameters from previous key + if (PKIX.isDSAPublicKeyWithoutParams(currPubKey)) { + // Inherit DSA parameters from previous key + if (!(prevPubKey instanceof DSAPublicKey)) { + throw new CertPathValidatorException("Input key is not " + + "of a appropriate type for inheriting parameters"); } - // Inherit key parameters from previous key - if (PKIX.isDSAPublicKeyWithoutParams(currPubKey)) { - // Inherit DSA parameters from previous key - if (!(prevPubKey instanceof DSAPublicKey)) { - throw new CertPathValidatorException("Input key is not " + - "of a appropriate type for inheriting parameters"); - } - - DSAParams params = ((DSAPublicKey)prevPubKey).getParams(); - if (params == null) { - throw new CertPathValidatorException( + DSAParams params = ((DSAPublicKey)prevPubKey).getParams(); + if (params == null) { + throw new CertPathValidatorException( "Key parameters missing from public key."); - } + } - try { - BigInteger y = ((DSAPublicKey)currPubKey).getY(); - KeyFactory kf = KeyFactory.getInstance("DSA"); - DSAPublicKeySpec ks = new DSAPublicKeySpec(y, - params.getP(), - params.getQ(), - params.getG()); - currPubKey = kf.generatePublic(ks); - } catch (GeneralSecurityException e) { - throw new CertPathValidatorException("Unable to generate " + + try { + BigInteger y = ((DSAPublicKey)currPubKey).getY(); + KeyFactory kf = KeyFactory.getInstance("DSA"); + DSAPublicKeySpec ks = new DSAPublicKeySpec(y, params.getP(), + params.getQ(), params.getG()); + currPubKey = kf.generatePublic(ks); + } catch (GeneralSecurityException e) { + throw new CertPathValidatorException("Unable to generate " + "key with inherited parameters: " + e.getMessage(), e); - } } } // reset the previous public key prevPubKey = currPubKey; - - // check the extended key usage, ignore the check now - // List extendedKeyUsages = x509Cert.getExtendedKeyUsage(); - - // DO NOT remove any unresolved critical extensions } /** @@ -456,8 +430,10 @@ * * @param key the public key to verify the CRL signature * @param crl the target CRL + * @param variant is the Validator variants of the operation. A null value + * passed will set it to Validator.GENERIC. */ - static void check(PublicKey key, X509CRL crl) + static void check(PublicKey key, X509CRL crl, String variant) throws CertPathValidatorException { X509CRLImpl x509CRLImpl = null; @@ -468,7 +444,7 @@ } AlgorithmId algorithmId = x509CRLImpl.getSigAlgId(); - check(key, algorithmId); + check(key, algorithmId, variant); } /** @@ -476,20 +452,16 @@ * * @param key the public key to verify the CRL signature * @param algorithmId signature algorithm Algorithm ID + * @param variant is the Validator variants of the operation. A null value + * passed will set it to Validator.GENERIC. */ - static void check(PublicKey key, AlgorithmId algorithmId) + static void check(PublicKey key, AlgorithmId algorithmId, String variant) throws CertPathValidatorException { String sigAlgName = algorithmId.getName(); AlgorithmParameters sigAlgParams = algorithmId.getParameters(); - if (!certPathDefaultConstraints.permits( - SIGNATURE_PRIMITIVE_SET, sigAlgName, key, sigAlgParams)) { - throw new CertPathValidatorException( - "Algorithm constraints check failed on signature algorithm: " + - sigAlgName + " is disabled", - null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); - } + certPathDefaultConstraints.permits(new ConstraintsParameters( + sigAlgName, sigAlgParams, key, variant)); } - }