# HG changeset patch # User ascarpino # Date 1486584508 28800 # Node ID fe8c324ba97cedfe9532637dcc2de631f9a2fc8d # Parent ee6b5bd26bf92155d0abf25ac475303b749733fb 8160655: Fix denyAfter and usage types for security properties Reviewed-by: mullan, xuelei diff -r ee6b5bd26bf9 -r fe8c324ba97c jdk/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java --- a/jdk/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java Wed Feb 08 12:27:45 2017 -0700 +++ b/jdk/src/java.base/share/classes/sun/security/pkcs/SignerInfo.java Wed Feb 08 12:08:28 2017 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -37,6 +37,7 @@ import java.security.Signature; import java.security.SignatureException; import java.security.Timestamp; +import java.security.cert.CertPathValidatorException; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.security.cert.CertPath; @@ -48,6 +49,7 @@ import java.util.Set; import sun.security.timestamp.TimestampToken; +import sun.security.util.ConstraintsParameters; import sun.security.util.Debug; import sun.security.util.DerEncoder; import sun.security.util.DerInputStream; @@ -321,6 +323,8 @@ data = content.getContentBytes(); } + ConstraintsParameters cparams = + new ConstraintsParameters(timestamp); String digestAlgname = getDigestAlgorithmId().getName(); byte[] dataSigned; @@ -347,11 +351,11 @@ if (messageDigest == null) // fail if there is no message digest return null; - // check that algorithm is not restricted - if (!JAR_DISABLED_CHECK.permits(DIGEST_PRIMITIVE_SET, - digestAlgname, null)) { - throw new SignatureException("Digest check failed. " + - "Disabled algorithm used: " + digestAlgname); + // check that digest algorithm is not restricted + try { + JAR_DISABLED_CHECK.permits(digestAlgname, cparams); + } catch (CertPathValidatorException e) { + throw new SignatureException(e.getMessage(), e); } MessageDigest md = MessageDigest.getInstance(digestAlgname); @@ -385,17 +389,18 @@ String algname = AlgorithmId.makeSigAlg( digestAlgname, encryptionAlgname); - // check that algorithm is not restricted - if (!JAR_DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, algname, null)) { - throw new SignatureException("Signature check failed. " + - "Disabled algorithm used: " + algname); + // check that jar signature algorithm is not restricted + try { + JAR_DISABLED_CHECK.permits(algname, cparams); + } catch (CertPathValidatorException e) { + throw new SignatureException(e.getMessage(), e); } X509Certificate cert = getCertificate(block); - PublicKey key = cert.getPublicKey(); if (cert == null) { return null; } + PublicKey key = cert.getPublicKey(); // check if the public key is restricted if (!JAR_DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) { diff -r ee6b5bd26bf9 -r fe8c324ba97c jdk/src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java --- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java Wed Feb 08 12:27:45 2017 -0700 +++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java Wed Feb 08 12:08:28 2017 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,6 +28,7 @@ import java.security.AlgorithmConstraints; import java.security.CryptoPrimitive; import java.security.Timestamp; +import java.security.cert.CertPathValidator; import java.util.Collection; import java.util.Collections; import java.util.Date; @@ -53,9 +54,10 @@ import java.security.spec.DSAPublicKeySpec; import sun.security.util.AnchorCertificates; -import sun.security.util.CertConstraintParameters; +import sun.security.util.ConstraintsParameters; import sun.security.util.Debug; import sun.security.util.DisabledAlgorithmConstraints; +import sun.security.validator.Validator; import sun.security.x509.X509CertImpl; import sun.security.x509.X509CRLImpl; import sun.security.x509.AlgorithmId; @@ -79,6 +81,7 @@ private final Date pkixdate; private PublicKey prevPubKey; private final Timestamp jarTimestamp; + private final String variant; private static final Set SIGNATURE_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE)); @@ -109,64 +112,36 @@ * * @param anchor the trust anchor selected to validate the target * certificate - */ - public AlgorithmChecker(TrustAnchor anchor) { - this(anchor, certPathDefaultConstraints, null); - } - - /** - * Create a new {@code AlgorithmChecker} with the - * given {@code TrustAnchor} and {@code AlgorithmConstraints}. - * - * @param anchor the trust anchor selected to validate the target - * certificate - * @param constraints the algorithm constraints (or null) - * - * @throws IllegalArgumentException if the {@code anchor} is null + * @param variant is the Validator variants of the operation. A null value + * passed will set it to Validator.GENERIC. */ - public AlgorithmChecker(TrustAnchor anchor, - AlgorithmConstraints constraints) { - this(anchor, constraints, null); - } - - /** - * Create a new {@code AlgorithmChecker} with the - * given {@code AlgorithmConstraints}. - *

- * Note that this constructor will be used to check a certification - * path where the trust anchor is unknown, or a certificate list which may - * contain the trust anchor. This constructor is used by SunJSSE. - * - * @param constraints the algorithm constraints (or null) - */ - public AlgorithmChecker(AlgorithmConstraints constraints) { - this.prevPubKey = null; - this.trustedPubKey = null; - this.constraints = constraints; - this.pkixdate = null; - this.jarTimestamp = null; + public AlgorithmChecker(TrustAnchor anchor, String variant) { + this(anchor, certPathDefaultConstraints, null, variant); } /** * Create a new {@code AlgorithmChecker} with the given - * {@code Timestamp}. + * {@code AlgorithmConstraints}, {@code Timestamp}, and/or {@code Variant}. *

- * Note that this constructor will be used to check a certification - * path for signed JAR files that are timestamped. + * Note that this constructor can initialize a variation of situations where + * the AlgorithmConstraints, Timestamp, or Variant maybe known. * + * @param constraints the algorithm constraints (or null) * @param jarTimestamp Timestamp passed for JAR timestamp constraint * checking. Set to null if not applicable. + * @param variant is the Validator variants of the operation. A null value + * passed will set it to Validator.GENERIC. */ - public AlgorithmChecker(Timestamp jarTimestamp) { + public AlgorithmChecker(AlgorithmConstraints constraints, + Timestamp jarTimestamp, String variant) { this.prevPubKey = null; this.trustedPubKey = null; - this.constraints = certPathDefaultConstraints; - if (jarTimestamp == null) { - throw new IllegalArgumentException( - "Timestamp cannot be null"); - } - this.pkixdate = jarTimestamp.getTimestamp(); + this.constraints = (constraints == null ? certPathDefaultConstraints : + constraints); + this.pkixdate = (jarTimestamp != null ? jarTimestamp.getTimestamp() : + null); this.jarTimestamp = jarTimestamp; + this.variant = (variant == null ? Validator.VAR_GENERIC : variant); } /** @@ -178,12 +153,13 @@ * @param constraints the algorithm constraints (or null) * @param pkixdate Date the constraints are checked against. The value is * either the PKIXParameter date or null for the current date. + * @param variant is the Validator variants of the operation. A null value + * passed will set it to Validator.GENERIC. * * @throws IllegalArgumentException if the {@code anchor} is null */ public AlgorithmChecker(TrustAnchor anchor, - AlgorithmConstraints constraints, - Date pkixdate) { + AlgorithmConstraints constraints, Date pkixdate, String variant) { if (anchor != null) { if (anchor.getTrustedCert() != null) { @@ -207,6 +183,7 @@ this.constraints = constraints; this.pkixdate = pkixdate; this.jarTimestamp = null; + this.variant = (variant == null ? Validator.VAR_GENERIC : variant); } /** @@ -217,11 +194,13 @@ * certificate * @param pkixdate Date the constraints are checked against. The value is * either the PKIXParameter date or null for the current date. + * @param variant is the Validator variants of the operation. A null value + * passed will set it to Validator.GENERIC. * * @throws IllegalArgumentException if the {@code anchor} is null */ - public AlgorithmChecker(TrustAnchor anchor, Date pkixdate) { - this(anchor, certPathDefaultConstraints, pkixdate); + public AlgorithmChecker(TrustAnchor anchor, Date pkixdate, String variant) { + this(anchor, certPathDefaultConstraints, pkixdate, variant); } // Check this 'cert' for restrictions in the AnchorCertificates @@ -286,6 +265,28 @@ null, null, -1, PKIXReason.INVALID_KEY_USAGE); } + X509CertImpl x509Cert; + AlgorithmId algorithmId; + try { + x509Cert = X509CertImpl.toImpl((X509Certificate)cert); + algorithmId = (AlgorithmId)x509Cert.get(X509CertImpl.SIG_ALG); + } catch (CertificateException ce) { + throw new CertPathValidatorException(ce); + } + + AlgorithmParameters currSigAlgParams = algorithmId.getParameters(); + PublicKey currPubKey = cert.getPublicKey(); + String currSigAlg = x509Cert.getSigAlgName(); + + // Check the signature algorithm and parameters against constraints. + if (!constraints.permits(SIGNATURE_PRIMITIVE_SET, currSigAlg, + currSigAlgParams)) { + throw new CertPathValidatorException( + "Algorithm constraints check failed on signature " + + "algorithm: " + currSigAlg, null, null, -1, + BasicReason.ALGORITHM_CONSTRAINED); + } + // Assume all key usage bits are set if key usage is not present Set primitives = KU_PRIMITIVE_SET; @@ -322,101 +323,74 @@ } } - PublicKey currPubKey = cert.getPublicKey(); - - if (constraints instanceof DisabledAlgorithmConstraints) { - // Check against DisabledAlgorithmConstraints certpath constraints. - // permits() will throw exception on failure. - ((DisabledAlgorithmConstraints)constraints).permits(primitives, - new CertConstraintParameters((X509Certificate)cert, - trustedMatch, pkixdate, jarTimestamp)); - // If there is no previous key, set one and exit - if (prevPubKey == null) { - prevPubKey = currPubKey; - return; - } - } + ConstraintsParameters cp = + new ConstraintsParameters((X509Certificate)cert, + trustedMatch, pkixdate, jarTimestamp, variant); - X509CertImpl x509Cert; - AlgorithmId algorithmId; - try { - x509Cert = X509CertImpl.toImpl((X509Certificate)cert); - algorithmId = (AlgorithmId)x509Cert.get(X509CertImpl.SIG_ALG); - } catch (CertificateException ce) { - throw new CertPathValidatorException(ce); - } - - AlgorithmParameters currSigAlgParams = algorithmId.getParameters(); - String currSigAlg = x509Cert.getSigAlgName(); + // Check against local constraints if it is DisabledAlgorithmConstraints + if (constraints instanceof DisabledAlgorithmConstraints) { + ((DisabledAlgorithmConstraints)constraints).permits(currSigAlg, cp); + // DisabledAlgorithmsConstraints does not check primitives, so key + // additional key check. - // If 'constraints' is not of DisabledAlgorithmConstraints, check all - // everything individually - if (!(constraints instanceof DisabledAlgorithmConstraints)) { - // Check the current signature algorithm - if (!constraints.permits( - SIGNATURE_PRIMITIVE_SET, - currSigAlg, currSigAlgParams)) { - throw new CertPathValidatorException( - "Algorithm constraints check failed on signature " + - "algorithm: " + currSigAlg, null, null, -1, - BasicReason.ALGORITHM_CONSTRAINED); - } - + } else { + // Perform the default constraints checking anyway. + certPathDefaultConstraints.permits(currSigAlg, cp); + // Call locally set constraints to check key with primitives. if (!constraints.permits(primitives, currPubKey)) { throw new CertPathValidatorException( - "Algorithm constraints check failed on keysize: " + - sun.security.util.KeyUtil.getKeySize(currPubKey), + "Algorithm constraints check failed on key " + + currPubKey.getAlgorithm() + " with size of " + + sun.security.util.KeyUtil.getKeySize(currPubKey) + + "bits", null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); } } + // If there is no previous key, set one and exit + if (prevPubKey == null) { + prevPubKey = currPubKey; + return; + } + // Check with previous cert for signature algorithm and public key - if (prevPubKey != null) { - if (!constraints.permits( - SIGNATURE_PRIMITIVE_SET, - currSigAlg, prevPubKey, currSigAlgParams)) { - throw new CertPathValidatorException( + if (!constraints.permits( + SIGNATURE_PRIMITIVE_SET, + currSigAlg, prevPubKey, currSigAlgParams)) { + throw new CertPathValidatorException( "Algorithm constraints check failed on " + "signature algorithm: " + currSigAlg, null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); + } + + // Inherit key parameters from previous key + if (PKIX.isDSAPublicKeyWithoutParams(currPubKey)) { + // Inherit DSA parameters from previous key + if (!(prevPubKey instanceof DSAPublicKey)) { + throw new CertPathValidatorException("Input key is not " + + "of a appropriate type for inheriting parameters"); } - // Inherit key parameters from previous key - if (PKIX.isDSAPublicKeyWithoutParams(currPubKey)) { - // Inherit DSA parameters from previous key - if (!(prevPubKey instanceof DSAPublicKey)) { - throw new CertPathValidatorException("Input key is not " + - "of a appropriate type for inheriting parameters"); - } - - DSAParams params = ((DSAPublicKey)prevPubKey).getParams(); - if (params == null) { - throw new CertPathValidatorException( + DSAParams params = ((DSAPublicKey)prevPubKey).getParams(); + if (params == null) { + throw new CertPathValidatorException( "Key parameters missing from public key."); - } + } - try { - BigInteger y = ((DSAPublicKey)currPubKey).getY(); - KeyFactory kf = KeyFactory.getInstance("DSA"); - DSAPublicKeySpec ks = new DSAPublicKeySpec(y, - params.getP(), - params.getQ(), - params.getG()); - currPubKey = kf.generatePublic(ks); - } catch (GeneralSecurityException e) { - throw new CertPathValidatorException("Unable to generate " + + try { + BigInteger y = ((DSAPublicKey)currPubKey).getY(); + KeyFactory kf = KeyFactory.getInstance("DSA"); + DSAPublicKeySpec ks = new DSAPublicKeySpec(y, params.getP(), + params.getQ(), params.getG()); + currPubKey = kf.generatePublic(ks); + } catch (GeneralSecurityException e) { + throw new CertPathValidatorException("Unable to generate " + "key with inherited parameters: " + e.getMessage(), e); - } } } // reset the previous public key prevPubKey = currPubKey; - - // check the extended key usage, ignore the check now - // List extendedKeyUsages = x509Cert.getExtendedKeyUsage(); - - // DO NOT remove any unresolved critical extensions } /** @@ -456,8 +430,10 @@ * * @param key the public key to verify the CRL signature * @param crl the target CRL + * @param variant is the Validator variants of the operation. A null value + * passed will set it to Validator.GENERIC. */ - static void check(PublicKey key, X509CRL crl) + static void check(PublicKey key, X509CRL crl, String variant) throws CertPathValidatorException { X509CRLImpl x509CRLImpl = null; @@ -468,7 +444,7 @@ } AlgorithmId algorithmId = x509CRLImpl.getSigAlgId(); - check(key, algorithmId); + check(key, algorithmId, variant); } /** @@ -476,20 +452,16 @@ * * @param key the public key to verify the CRL signature * @param algorithmId signature algorithm Algorithm ID + * @param variant is the Validator variants of the operation. A null value + * passed will set it to Validator.GENERIC. */ - static void check(PublicKey key, AlgorithmId algorithmId) + static void check(PublicKey key, AlgorithmId algorithmId, String variant) throws CertPathValidatorException { String sigAlgName = algorithmId.getName(); AlgorithmParameters sigAlgParams = algorithmId.getParameters(); - if (!certPathDefaultConstraints.permits( - SIGNATURE_PRIMITIVE_SET, sigAlgName, key, sigAlgParams)) { - throw new CertPathValidatorException( - "Algorithm constraints check failed on signature algorithm: " + - sigAlgName + " is disabled", - null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); - } + certPathDefaultConstraints.permits(new ConstraintsParameters( + sigAlgName, sigAlgParams, key, variant)); } - } diff -r ee6b5bd26bf9 -r fe8c324ba97c jdk/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java --- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Wed Feb 08 12:27:45 2017 -0700 +++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java Wed Feb 08 12:08:28 2017 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -33,6 +33,7 @@ import java.util.*; import sun.security.util.Debug; +import sun.security.validator.Validator; import static sun.security.x509.PKIXExtensions.*; import sun.security.x509.*; @@ -66,6 +67,20 @@ * an X509CRLSelector with certificateChecking set. */ public static Collection getCRLs(X509CRLSelector selector, + boolean signFlag, PublicKey prevKey, String provider, + List certStores, boolean[] reasonsMask, + Set trustAnchors, Date validity, String variant) + throws CertStoreException + { + return getCRLs(selector, signFlag, prevKey, null, provider, certStores, + reasonsMask, trustAnchors, validity, variant); + } + /** + * Return the X509CRLs matching this selector. The selector must be + * an X509CRLSelector with certificateChecking set. + */ + // Called by com.sun.deploy.security.RevocationChecker + public static Collection getCRLs(X509CRLSelector selector, boolean signFlag, PublicKey prevKey, String provider, @@ -76,7 +91,7 @@ throws CertStoreException { return getCRLs(selector, signFlag, prevKey, null, provider, certStores, - reasonsMask, trustAnchors, validity); + reasonsMask, trustAnchors, validity, Validator.VAR_GENERIC); } /** @@ -91,7 +106,8 @@ List certStores, boolean[] reasonsMask, Set trustAnchors, - Date validity) + Date validity, + String variant) throws CertStoreException { X509Certificate cert = selector.getCertificateChecking(); @@ -120,7 +136,7 @@ DistributionPoint point = t.next(); Collection crls = getCRLs(selector, certImpl, point, reasonsMask, signFlag, prevKey, prevCert, provider, - certStores, trustAnchors, validity); + certStores, trustAnchors, validity, variant); results.addAll(crls); } if (debug != null) { @@ -145,7 +161,7 @@ X509CertImpl certImpl, DistributionPoint point, boolean[] reasonsMask, boolean signFlag, PublicKey prevKey, X509Certificate prevCert, String provider, List certStores, - Set trustAnchors, Date validity) + Set trustAnchors, Date validity, String variant) throws CertStoreException { // check for full name @@ -208,7 +224,7 @@ selector.setIssuerNames(null); if (selector.match(crl) && verifyCRL(certImpl, point, crl, reasonsMask, signFlag, prevKey, prevCert, provider, - trustAnchors, certStores, validity)) { + trustAnchors, certStores, validity, variant)) { crls.add(crl); } } catch (IOException | CRLException e) { @@ -316,7 +332,7 @@ X509CRL crl, boolean[] reasonsMask, boolean signFlag, PublicKey prevKey, X509Certificate prevCert, String provider, Set trustAnchors, List certStores, - Date validity) throws CRLException, IOException { + Date validity, String variant) throws CRLException, IOException { if (debug != null) { debug.println("DistributionPointFetcher.verifyCRL: " + @@ -663,7 +679,7 @@ // check the crl signature algorithm try { - AlgorithmChecker.check(prevKey, crl); + AlgorithmChecker.check(prevKey, crl, variant); } catch (CertPathValidatorException cpve) { if (debug != null) { debug.println("CRL signature algorithm check failed: " + cpve); diff -r ee6b5bd26bf9 -r fe8c324ba97c jdk/src/java.base/share/classes/sun/security/provider/certpath/OCSP.java --- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/OCSP.java Wed Feb 08 12:27:45 2017 -0700 +++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/OCSP.java Wed Feb 08 12:08:28 2017 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -45,6 +45,7 @@ import sun.security.action.GetIntegerAction; import sun.security.util.Debug; +import sun.security.validator.Validator; import sun.security.x509.AccessDescription; import sun.security.x509.AuthorityInfoAccessExtension; import sun.security.x509.GeneralName; @@ -94,42 +95,6 @@ private OCSP() {} - /** - * Obtains the revocation status of a certificate using OCSP using the most - * common defaults. The OCSP responder URI is retrieved from the - * certificate's AIA extension. The OCSP responder certificate is assumed - * to be the issuer's certificate (or issued by the issuer CA). - * - * @param cert the certificate to be checked - * @param issuerCert the issuer certificate - * @return the RevocationStatus - * @throws IOException if there is an exception connecting to or - * communicating with the OCSP responder - * @throws CertPathValidatorException if an exception occurs while - * encoding the OCSP Request or validating the OCSP Response - */ - public static RevocationStatus check(X509Certificate cert, - X509Certificate issuerCert) - throws IOException, CertPathValidatorException { - CertId certId = null; - URI responderURI = null; - try { - X509CertImpl certImpl = X509CertImpl.toImpl(cert); - responderURI = getResponderURI(certImpl); - if (responderURI == null) { - throw new CertPathValidatorException - ("No OCSP Responder URI in certificate"); - } - certId = new CertId(issuerCert, certImpl.getSerialNumberObject()); - } catch (CertificateException | IOException e) { - throw new CertPathValidatorException - ("Exception while encoding OCSPRequest", e); - } - OCSPResponse ocspResponse = check(Collections.singletonList(certId), - responderURI, new OCSPResponse.IssuerInfo(issuerCert), null, null, - Collections.emptyList()); - return (RevocationStatus)ocspResponse.getSingleResponse(certId); - } /** * Obtains the revocation status of a certificate using OCSP. @@ -146,6 +111,8 @@ * @throws CertPathValidatorException if an exception occurs while * encoding the OCSP Request or validating the OCSP Response */ + + // Called by com.sun.deploy.security.TrustDecider public static RevocationStatus check(X509Certificate cert, X509Certificate issuerCert, URI responderURI, @@ -154,27 +121,27 @@ throws IOException, CertPathValidatorException { return check(cert, issuerCert, responderURI, responderCert, date, - Collections.emptyList()); + Collections.emptyList(), Validator.VAR_GENERIC); } - // Called by com.sun.deploy.security.TrustDecider + public static RevocationStatus check(X509Certificate cert, - X509Certificate issuerCert, - URI responderURI, - X509Certificate responderCert, - Date date, List extensions) + X509Certificate issuerCert, URI responderURI, + X509Certificate responderCert, Date date, List extensions, + String variant) throws IOException, CertPathValidatorException { - return check(cert, responderURI, null, issuerCert, responderCert, date, extensions); + return check(cert, responderURI, null, issuerCert, responderCert, date, + extensions, variant); } public static RevocationStatus check(X509Certificate cert, URI responderURI, TrustAnchor anchor, X509Certificate issuerCert, X509Certificate responderCert, Date date, - List extensions) + List extensions, String variant) throws IOException, CertPathValidatorException { - CertId certId = null; + CertId certId; try { X509CertImpl certImpl = X509CertImpl.toImpl(cert); certId = new CertId(issuerCert, certImpl.getSerialNumberObject()); @@ -184,7 +151,7 @@ } OCSPResponse ocspResponse = check(Collections.singletonList(certId), responderURI, new OCSPResponse.IssuerInfo(anchor, issuerCert), - responderCert, date, extensions); + responderCert, date, extensions, variant); return (RevocationStatus) ocspResponse.getSingleResponse(certId); } @@ -206,10 +173,10 @@ * @throws CertPathValidatorException if an exception occurs while * encoding the OCSP Request or validating the OCSP Response */ - static OCSPResponse check(List certIds, URI responderURI, + static OCSPResponse check(List certIds, URI responderURI, OCSPResponse.IssuerInfo issuerInfo, X509Certificate responderCert, Date date, - List extensions) + List extensions, String variant) throws IOException, CertPathValidatorException { byte[] nonce = null; @@ -226,7 +193,7 @@ // verify the response ocspResponse.verify(certIds, issuerInfo, responderCert, date, - nonce); + nonce, variant); } catch (IOException ioe) { throw new CertPathValidatorException( "Unable to determine revocation status due to network error", diff -r ee6b5bd26bf9 -r fe8c324ba97c jdk/src/java.base/share/classes/sun/security/provider/certpath/OCSPResponse.java --- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/OCSPResponse.java Wed Feb 08 12:27:45 2017 -0700 +++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/OCSPResponse.java Wed Feb 08 12:08:28 2017 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -41,7 +41,6 @@ import java.util.HashMap; import java.util.List; import java.util.Map; -import java.util.Objects; import java.util.Set; import javax.security.auth.x500.X500Principal; @@ -375,7 +374,8 @@ } void verify(List certIds, IssuerInfo issuerInfo, - X509Certificate responderCert, Date date, byte[] nonce) + X509Certificate responderCert, Date date, byte[] nonce, + String variant) throws CertPathValidatorException { switch (responseStatus) { @@ -508,7 +508,8 @@ // Check algorithm constraints specified in security property // "jdk.certpath.disabledAlgorithms". AlgorithmChecker algChecker = - new AlgorithmChecker(issuerInfo.getAnchor(), date); + new AlgorithmChecker(issuerInfo.getAnchor(), date, + variant); algChecker.init(false); algChecker.check(signerCert, Collections.emptySet()); @@ -568,7 +569,7 @@ if (signerCert != null) { // Check algorithm constraints specified in security property // "jdk.certpath.disabledAlgorithms". - AlgorithmChecker.check(signerCert.getPublicKey(), sigAlgId); + AlgorithmChecker.check(signerCert.getPublicKey(), sigAlgId, variant); if (!verifySignature(signerCert)) { throw new CertPathValidatorException( diff -r ee6b5bd26bf9 -r fe8c324ba97c jdk/src/java.base/share/classes/sun/security/provider/certpath/PKIX.java --- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/PKIX.java Wed Feb 08 12:27:45 2017 -0700 +++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/PKIX.java Wed Feb 08 12:08:28 2017 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2012, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -87,6 +87,7 @@ private Set anchors; private List certs; private Timestamp timestamp; + private String variant; ValidatorParams(CertPath cp, PKIXParameters params) throws InvalidAlgorithmParameterException @@ -102,8 +103,9 @@ ValidatorParams(PKIXParameters params) throws InvalidAlgorithmParameterException { - if (params instanceof PKIXTimestampParameters) { - timestamp = ((PKIXTimestampParameters) params).getTimestamp(); + if (params instanceof PKIXExtendedParameters) { + timestamp = ((PKIXExtendedParameters) params).getTimestamp(); + variant = ((PKIXExtendedParameters) params).getVariant(); } this.anchors = params.getTrustAnchors(); @@ -199,6 +201,10 @@ Timestamp timestamp() { return timestamp; } + + String variant() { + return variant; + } } static class BuilderParams extends ValidatorParams { diff -r ee6b5bd26bf9 -r fe8c324ba97c jdk/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java --- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java Wed Feb 08 12:27:45 2017 -0700 +++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java Wed Feb 08 12:08:28 2017 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -173,9 +173,10 @@ // add standard checkers that we will be using certPathCheckers.add(untrustedChecker); if (params.timestamp() == null) { - certPathCheckers.add(new AlgorithmChecker(anchor, params.date())); + certPathCheckers.add(new AlgorithmChecker(anchor, params.date(), null)); } else { - certPathCheckers.add(new AlgorithmChecker(params.timestamp())); + certPathCheckers.add(new AlgorithmChecker(null, + params.timestamp(), params.variant())); } certPathCheckers.add(new KeyChecker(certPathLen, params.targetCertConstraints())); diff -r ee6b5bd26bf9 -r fe8c324ba97c jdk/src/java.base/share/classes/sun/security/provider/certpath/PKIXExtendedParameters.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/PKIXExtendedParameters.java Wed Feb 08 12:08:28 2017 -0800 @@ -0,0 +1,226 @@ +/* + * Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + + +package sun.security.provider.certpath; + +import java.security.InvalidAlgorithmParameterException; +import java.security.Timestamp; +import java.security.cert.CertSelector; +import java.security.cert.CertStore; +import java.security.cert.PKIXBuilderParameters; +import java.security.cert.PKIXCertPathChecker; +import java.security.cert.TrustAnchor; +import java.util.Date; +import java.util.List; +import java.util.Set; + +/** + * This class is a wrapper for PKIXBuilderParameters so that a Timestamp object + * and a string for the variant type, can be passed when doing certpath + * checking. + */ + +public class PKIXExtendedParameters extends PKIXBuilderParameters { + + private final PKIXBuilderParameters p; + private Timestamp jarTimestamp; + private final String variant; + + public PKIXExtendedParameters(PKIXBuilderParameters params, + Timestamp timestamp, String variant) + throws InvalidAlgorithmParameterException { + super(params.getTrustAnchors(), null); + p = params; + jarTimestamp = timestamp; + this.variant = variant; + } + + public Timestamp getTimestamp() { + return jarTimestamp; + } + public void setTimestamp(Timestamp t) { + jarTimestamp = t; + } + + public String getVariant() { + return variant; + } + + @Override + public void setDate(Date d) { + p.setDate(d); + } + + @Override + public void addCertPathChecker(PKIXCertPathChecker c) { + p.addCertPathChecker(c); + } + + @Override + public void setMaxPathLength(int maxPathLength) { + p.setMaxPathLength(maxPathLength); + } + + @Override + public int getMaxPathLength() { + return p.getMaxPathLength(); + } + + @Override + public String toString() { + return p.toString(); + } + + @Override + public Set getTrustAnchors() { + return p.getTrustAnchors(); + } + + @Override + public void setTrustAnchors(Set trustAnchors) + throws InvalidAlgorithmParameterException { + // To avoid problems with PKIXBuilderParameter's constructors + if (p == null) { + return; + } + p.setTrustAnchors(trustAnchors); + } + + @Override + public Set getInitialPolicies() { + return p.getInitialPolicies(); + } + + @Override + public void setInitialPolicies(Set initialPolicies) { + p.setInitialPolicies(initialPolicies); + } + + @Override + public void setCertStores(List stores) { + p.setCertStores(stores); + } + + @Override + public void addCertStore(CertStore store) { + p.addCertStore(store); + } + + @Override + public List getCertStores() { + return p.getCertStores(); + } + + @Override + public void setRevocationEnabled(boolean val) { + p.setRevocationEnabled(val); + } + + @Override + public boolean isRevocationEnabled() { + return p.isRevocationEnabled(); + } + + @Override + public void setExplicitPolicyRequired(boolean val) { + p.setExplicitPolicyRequired(val); + } + + @Override + public boolean isExplicitPolicyRequired() { + return p.isExplicitPolicyRequired(); + } + + @Override + public void setPolicyMappingInhibited(boolean val) { + p.setPolicyMappingInhibited(val); + } + + @Override + public boolean isPolicyMappingInhibited() { + return p.isPolicyMappingInhibited(); + } + + @Override + public void setAnyPolicyInhibited(boolean val) { + p.setAnyPolicyInhibited(val); + } + + @Override + public boolean isAnyPolicyInhibited() { + return p.isAnyPolicyInhibited(); + } + + @Override + public void setPolicyQualifiersRejected(boolean qualifiersRejected) { + p.setPolicyQualifiersRejected(qualifiersRejected); + } + + @Override + public boolean getPolicyQualifiersRejected() { + return p.getPolicyQualifiersRejected(); + } + + @Override + public Date getDate() { + return p.getDate(); + } + + @Override + public void setCertPathCheckers(List checkers) { + p.setCertPathCheckers(checkers); + } + + @Override + public List getCertPathCheckers() { + return p.getCertPathCheckers(); + } + + @Override + public String getSigProvider() { + return p.getSigProvider(); + } + + @Override + public void setSigProvider(String sigProvider) { + p.setSigProvider(sigProvider); + } + + @Override + public CertSelector getTargetCertConstraints() { + return p.getTargetCertConstraints(); + } + + @Override + public void setTargetCertConstraints(CertSelector selector) { + // To avoid problems with PKIXBuilderParameter's constructors + if (p == null) { + return; + } + p.setTargetCertConstraints(selector); + } + +} diff -r ee6b5bd26bf9 -r fe8c324ba97c jdk/src/java.base/share/classes/sun/security/provider/certpath/PKIXTimestampParameters.java --- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/PKIXTimestampParameters.java Wed Feb 08 12:27:45 2017 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,218 +0,0 @@ -/* - * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - - -package sun.security.provider.certpath; - -import java.security.InvalidAlgorithmParameterException; -import java.security.Timestamp; -import java.security.cert.CertSelector; -import java.security.cert.CertStore; -import java.security.cert.PKIXBuilderParameters; -import java.security.cert.PKIXCertPathChecker; -import java.security.cert.TrustAnchor; -import java.util.Date; -import java.util.List; -import java.util.Set; - -/** - * This class is a wrapper for PKIXBuilderParameters so that a Timestamp object - * can be passed alone when PKIXCertPath is checking signed jar files. - */ - -public class PKIXTimestampParameters extends PKIXBuilderParameters { - - private final PKIXBuilderParameters p; - private Timestamp jarTimestamp; - - public PKIXTimestampParameters(PKIXBuilderParameters params, - Timestamp timestamp) throws InvalidAlgorithmParameterException { - super(params.getTrustAnchors(), null); - p = params; - jarTimestamp = timestamp; - } - - public Timestamp getTimestamp() { - return jarTimestamp; - } - public void setTimestamp(Timestamp t) { - jarTimestamp = t; - } - - @Override - public void setDate(Date d) { - p.setDate(d); - } - - @Override - public void addCertPathChecker(PKIXCertPathChecker c) { - p.addCertPathChecker(c); - } - - @Override - public void setMaxPathLength(int maxPathLength) { - p.setMaxPathLength(maxPathLength); - } - - @Override - public int getMaxPathLength() { - return p.getMaxPathLength(); - } - - @Override - public String toString() { - return p.toString(); - } - - @Override - public Set getTrustAnchors() { - return p.getTrustAnchors(); - } - - @Override - public void setTrustAnchors(Set trustAnchors) - throws InvalidAlgorithmParameterException { - // To avoid problems with PKIXBuilderParameter's constructors - if (p == null) { - return; - } - p.setTrustAnchors(trustAnchors); - } - - @Override - public Set getInitialPolicies() { - return p.getInitialPolicies(); - } - - @Override - public void setInitialPolicies(Set initialPolicies) { - p.setInitialPolicies(initialPolicies); - } - - @Override - public void setCertStores(List stores) { - p.setCertStores(stores); - } - - @Override - public void addCertStore(CertStore store) { - p.addCertStore(store); - } - - @Override - public List getCertStores() { - return p.getCertStores(); - } - - @Override - public void setRevocationEnabled(boolean val) { - p.setRevocationEnabled(val); - } - - @Override - public boolean isRevocationEnabled() { - return p.isRevocationEnabled(); - } - - @Override - public void setExplicitPolicyRequired(boolean val) { - p.setExplicitPolicyRequired(val); - } - - @Override - public boolean isExplicitPolicyRequired() { - return p.isExplicitPolicyRequired(); - } - - @Override - public void setPolicyMappingInhibited(boolean val) { - p.setPolicyMappingInhibited(val); - } - - @Override - public boolean isPolicyMappingInhibited() { - return p.isPolicyMappingInhibited(); - } - - @Override - public void setAnyPolicyInhibited(boolean val) { - p.setAnyPolicyInhibited(val); - } - - @Override - public boolean isAnyPolicyInhibited() { - return p.isAnyPolicyInhibited(); - } - - @Override - public void setPolicyQualifiersRejected(boolean qualifiersRejected) { - p.setPolicyQualifiersRejected(qualifiersRejected); - } - - @Override - public boolean getPolicyQualifiersRejected() { - return p.getPolicyQualifiersRejected(); - } - - @Override - public Date getDate() { - return p.getDate(); - } - - @Override - public void setCertPathCheckers(List checkers) { - p.setCertPathCheckers(checkers); - } - - @Override - public List getCertPathCheckers() { - return p.getCertPathCheckers(); - } - - @Override - public String getSigProvider() { - return p.getSigProvider(); - } - - @Override - public void setSigProvider(String sigProvider) { - p.setSigProvider(sigProvider); - } - - @Override - public CertSelector getTargetCertConstraints() { - return p.getTargetCertConstraints(); - } - - @Override - public void setTargetCertConstraints(CertSelector selector) { - // To avoid problems with PKIXBuilderParameter's constructors - if (p == null) { - return; - } - p.setTargetCertConstraints(selector); - } - -} diff -r ee6b5bd26bf9 -r fe8c324ba97c jdk/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java --- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java Wed Feb 08 12:27:45 2017 -0700 +++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/RevocationChecker.java Wed Feb 08 12:08:28 2017 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2012, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -579,7 +579,7 @@ approvedCRLs.addAll(DistributionPointFetcher.getCRLs( sel, signFlag, prevKey, prevCert, params.sigProvider(), certStores, - reasonsMask, anchors, null)); + reasonsMask, anchors, null, params.variant())); } } catch (CertStoreException e) { if (e instanceof CertStoreTypeException) { @@ -727,7 +727,7 @@ } } response.verify(Collections.singletonList(certId), issuerInfo, - responderCert, params.date(), nonce); + responderCert, params.date(), nonce, params.variant()); } else { URI responderURI = (this.responderURI != null) @@ -741,7 +741,7 @@ response = OCSP.check(Collections.singletonList(certId), responderURI, issuerInfo, responderCert, null, - ocspExtensions); + ocspExtensions, params.variant()); } } catch (IOException e) { throw new CertPathValidatorException( @@ -853,7 +853,7 @@ if (DistributionPointFetcher.verifyCRL( certImpl, point, crl, reasonsMask, signFlag, prevKey, null, params.sigProvider(), anchors, - certStores, params.date())) + certStores, params.date(), params.variant())) { results.add(crl); } diff -r ee6b5bd26bf9 -r fe8c324ba97c jdk/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java --- a/jdk/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java Wed Feb 08 12:27:45 2017 -0700 +++ b/jdk/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java Wed Feb 08 12:08:28 2017 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -344,7 +344,7 @@ // add the algorithm checker checkers.add(new AlgorithmChecker(builder.trustAnchor, - buildParams.date())); + buildParams.date(), null)); BasicChecker basicChecker = null; if (nextState.keyParamsNeeded()) { diff -r ee6b5bd26bf9 -r fe8c324ba97c jdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java --- a/jdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Wed Feb 08 12:27:45 2017 -0700 +++ b/jdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Wed Feb 08 12:08:28 2017 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -37,6 +37,7 @@ import sun.security.provider.certpath.AlgorithmChecker; import sun.security.action.GetPropertyAction; +import sun.security.validator.Validator; public abstract class SSLContextImpl extends SSLContextSpi { @@ -1436,7 +1437,7 @@ constraints = new SSLAlgorithmConstraints(sslSocket, true); } - checkAlgorithmConstraints(chain, constraints); + checkAlgorithmConstraints(chain, constraints, isClient); } } @@ -1478,12 +1479,12 @@ constraints = new SSLAlgorithmConstraints(engine, true); } - checkAlgorithmConstraints(chain, constraints); + checkAlgorithmConstraints(chain, constraints, isClient); } } private void checkAlgorithmConstraints(X509Certificate[] chain, - AlgorithmConstraints constraints) throws CertificateException { + AlgorithmConstraints constraints, boolean isClient) throws CertificateException { try { // Does the certificate chain end with a trusted certificate? @@ -1501,7 +1502,9 @@ // A forward checker, need to check from trust to target if (checkedLength >= 0) { - AlgorithmChecker checker = new AlgorithmChecker(constraints); + AlgorithmChecker checker = + new AlgorithmChecker(constraints, null, + (isClient ? Validator.VAR_TLS_CLIENT : Validator.VAR_TLS_SERVER)); checker.init(false); for (int i = checkedLength; i >= 0; i--) { Certificate cert = chain[i]; diff -r ee6b5bd26bf9 -r fe8c324ba97c jdk/src/java.base/share/classes/sun/security/ssl/X509KeyManagerImpl.java --- a/jdk/src/java.base/share/classes/sun/security/ssl/X509KeyManagerImpl.java Wed Feb 08 12:27:45 2017 -0700 +++ b/jdk/src/java.base/share/classes/sun/security/ssl/X509KeyManagerImpl.java Wed Feb 08 12:08:28 2017 -0800 @@ -39,6 +39,7 @@ import javax.net.ssl.*; import sun.security.provider.certpath.AlgorithmChecker; +import sun.security.validator.Validator; /** * The new X509 key manager implementation. The main differences to the @@ -661,6 +662,15 @@ return CheckResult.OK; } + + public String getValidator() { + if (this == CLIENT) { + return Validator.VAR_TLS_CLIENT; + } else if (this == SERVER) { + return Validator.VAR_TLS_SERVER; + } + return Validator.VAR_GENERIC; + } } // enum for the result of the extension check @@ -774,7 +784,8 @@ // check the algorithm constraints if (constraints != null && - !conformsToAlgorithmConstraints(constraints, chain)) { + !conformsToAlgorithmConstraints(constraints, chain, + checkType.getValidator())) { if (useDebug) { debug.println("Ignoring alias " + alias + @@ -811,9 +822,10 @@ } private static boolean conformsToAlgorithmConstraints( - AlgorithmConstraints constraints, Certificate[] chain) { + AlgorithmConstraints constraints, Certificate[] chain, + String variant) { - AlgorithmChecker checker = new AlgorithmChecker(constraints); + AlgorithmChecker checker = new AlgorithmChecker(constraints, null, variant); try { checker.init(false); } catch (CertPathValidatorException cpve) { diff -r ee6b5bd26bf9 -r fe8c324ba97c jdk/src/java.base/share/classes/sun/security/util/CertConstraintParameters.java --- a/jdk/src/java.base/share/classes/sun/security/util/CertConstraintParameters.java Wed Feb 08 12:27:45 2017 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,76 +0,0 @@ -/* - * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.util; - -import java.security.Timestamp; -import java.security.cert.X509Certificate; -import java.util.Date; - -/** - * This class is a wrapper for keeping state and passing objects between PKIX, - * AlgorithmChecker, and DisabledAlgorithmConstraints. - */ -public class CertConstraintParameters { - // A certificate being passed to check against constraints. - private final X509Certificate cert; - // This is true if the trust anchor in the certificate chain matches a cert - // in AnchorCertificates - private final boolean trustedMatch; - // PKIXParameter date - private final Date pkixDate; - // Timestamp of the signed JAR file - private final Timestamp jarTimestamp; - - public CertConstraintParameters(X509Certificate c, boolean match, - Date pkixdate, Timestamp jarTime) { - cert = c; - trustedMatch = match; - pkixDate = pkixdate; - jarTimestamp = jarTime; - } - - public CertConstraintParameters(X509Certificate c) { - this(c, false, null, null); - } - - // Returns if the trust anchor has a match if anchor checking is enabled. - public boolean isTrustedMatch() { - return trustedMatch; - } - - public X509Certificate getCertificate() { - return cert; - } - - public Date getPKIXParamDate() { - return pkixDate; - } - - public Timestamp getJARTimestamp() { - return jarTimestamp; - } - -} diff -r ee6b5bd26bf9 -r fe8c324ba97c jdk/src/java.base/share/classes/sun/security/util/ConstraintsParameters.java --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/jdk/src/java.base/share/classes/sun/security/util/ConstraintsParameters.java Wed Feb 08 12:08:28 2017 -0800 @@ -0,0 +1,135 @@ +/* + * Copyright (c) 2016, 2017 Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.util; + +import sun.security.validator.Validator; + +import java.security.AlgorithmParameters; +import java.security.Key; +import java.security.Timestamp; +import java.security.cert.X509Certificate; +import java.util.Date; + +/** + * This class contains parameters for checking against constraints that extend + * past the publicly available parameters in java.security.AlgorithmConstraints. + + * This is currently on passed between between PKIX, AlgorithmChecker, + * and DisabledAlgorithmConstraints. + */ +public class ConstraintsParameters { + /* + * The below 3 values are used the same as the permit() methods + * published in java.security.AlgorithmConstraints. + */ + // Algorithm string to be checked against constraints + private final String algorithm; + // AlgorithmParameters to the algorithm being checked + private final AlgorithmParameters algParams; + // Public Key being checked against constraints + private final Key publicKey; + + /* + * New values that are checked against constraints that the current public + * API does not support. + */ + // A certificate being passed to check against constraints. + private final X509Certificate cert; + // This is true if the trust anchor in the certificate chain matches a cert + // in AnchorCertificates + private final boolean trustedMatch; + // PKIXParameter date + private final Date pkixDate; + // Timestamp of the signed JAR file + private final Timestamp jarTimestamp; + private final String variant; + + public ConstraintsParameters(X509Certificate c, boolean match, + Date pkixdate, Timestamp jarTime, String variant) { + cert = c; + trustedMatch = match; + pkixDate = pkixdate; + jarTimestamp = jarTime; + this.variant = (variant == null ? Validator.VAR_GENERIC : variant); + algorithm = null; + algParams = null; + publicKey = null; + } + + public ConstraintsParameters(String algorithm, AlgorithmParameters params, + Key key, String variant) { + this.algorithm = algorithm; + algParams = params; + this.publicKey = key; + cert = null; + trustedMatch = false; + pkixDate = null; + jarTimestamp = null; + this.variant = (variant == null ? Validator.VAR_GENERIC : variant); + } + + + public ConstraintsParameters(X509Certificate c) { + this(c, false, null, null, + Validator.VAR_GENERIC); + } + + public ConstraintsParameters(Timestamp jarTime) { + this(null, false, null, jarTime, Validator.VAR_GENERIC); + } + + public String getAlgorithm() { + return algorithm; + } + + public AlgorithmParameters getAlgParams() { + return algParams; + } + + public Key getPublicKey() { + return publicKey; + } + // Returns if the trust anchor has a match if anchor checking is enabled. + public boolean isTrustedMatch() { + return trustedMatch; + } + + public X509Certificate getCertificate() { + return cert; + } + + public Date getPKIXParamDate() { + return pkixDate; + } + + public Timestamp getJARTimestamp() { + return jarTimestamp; + } + + public String getVariant() { + return variant; + } +} diff -r ee6b5bd26bf9 -r fe8c324ba97c jdk/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java --- a/jdk/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java Wed Feb 08 12:27:45 2017 -0700 +++ b/jdk/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java Wed Feb 08 12:08:28 2017 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2010, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,8 @@ package sun.security.util; +import sun.security.validator.Validator; + import java.security.CryptoPrimitive; import java.security.AlgorithmParameters; import java.security.Key; @@ -32,10 +34,12 @@ import java.security.cert.CertPathValidatorException.BasicReason; import java.security.cert.X509Certificate; import java.text.SimpleDateFormat; +import java.util.ArrayList; import java.util.Calendar; import java.util.Date; import java.util.HashMap; import java.util.HashSet; +import java.util.List; import java.util.Locale; import java.util.Map; import java.util.Set; @@ -100,12 +104,6 @@ @Override public final boolean permits(Set primitives, String algorithm, AlgorithmParameters parameters) { - - if (primitives == null || primitives.isEmpty()) { - throw new IllegalArgumentException( - "No cryptographic primitive specified"); - } - return checkAlgorithm(disabledAlgorithms, algorithm, decomposer); } @@ -133,6 +131,18 @@ return checkConstraints(primitives, algorithm, key, parameters); } + public final void permits(ConstraintsParameters cp) + throws CertPathValidatorException { + permits(cp.getAlgorithm(), cp); + } + + public final void permits(String algorithm, Key key, + AlgorithmParameters params, String variant) + throws CertPathValidatorException { + permits(algorithm, new ConstraintsParameters(algorithm, params, key, + (variant == null) ? Validator.VAR_GENERIC : variant)); + } + /* * Check if a x509Certificate object is permitted. Check if all * algorithms are allowed, certificate constraints, and the @@ -140,18 +150,10 @@ * * Uses new style permit() which throws exceptions. */ - public final void permits(Set primitives, - CertConstraintParameters cp) throws CertPathValidatorException { - checkConstraints(primitives, cp); - } - /* - * Check if Certificate object is within the constraints. - * Uses new style permit() which throws exceptions. - */ - public final void permits(Set primitives, - X509Certificate cert) throws CertPathValidatorException { - checkConstraints(primitives, new CertConstraintParameters(cert)); + public final void permits(String algorithm, ConstraintsParameters cp) + throws CertPathValidatorException { + algorithmConstraints.permits(algorithm, cp); } // Check if a string is contained inside the property @@ -174,7 +176,7 @@ throw new IllegalArgumentException("The key cannot be null"); } - // check the signature algorithm + // check the signature algorithm with parameters if (algorithm != null && algorithm.length() != 0) { if (!permits(primitives, algorithm, parameters)) { return false; @@ -190,36 +192,6 @@ return algorithmConstraints.permits(key); } - /* - * Check algorithm constraints with Certificate - * Uses new style permit() which throws exceptions. - */ - private void checkConstraints(Set primitives, - CertConstraintParameters cp) throws CertPathValidatorException { - - X509Certificate cert = cp.getCertificate(); - String algorithm = cert.getSigAlgName(); - - // Check signature algorithm is not disabled - if (!permits(primitives, algorithm, null)) { - throw new CertPathValidatorException( - "Algorithm constraints check failed on disabled "+ - "signature algorithm: " + algorithm, - null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); - } - - // Check key algorithm is not disabled - if (!permits(primitives, cert.getPublicKey().getAlgorithm(), null)) { - throw new CertPathValidatorException( - "Algorithm constraints check failed on disabled "+ - "public key algorithm: " + algorithm, - null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); - } - - // Check the certificate and key constraints - algorithmConstraints.permits(cp); - - } /** * Key and Certificate Constraints @@ -234,13 +206,13 @@ * 'true' means the operation is allowed. * 'false' means it failed the constraints and is disallowed. * - * When passing CertConstraintParameters through permit(), an exception + * When passing ConstraintsParameters through permit(), an exception * will be thrown on a failure to better identify why the operation was * disallowed. */ private static class Constraints { - private Map> constraintsMap = new HashMap<>(); + private Map> constraintsMap = new HashMap<>(); private static class Holder { private static final Pattern DENY_AFTER_PATTERN = Pattern.compile( @@ -260,23 +232,22 @@ // Check if constraint is a complete disabling of an // algorithm or has conditions. - String algorithm; - String policy; int space = constraintEntry.indexOf(' '); - if (space > 0) { - algorithm = AlgorithmDecomposer.hashName( - constraintEntry.substring(0, space). - toUpperCase(Locale.ENGLISH)); - policy = constraintEntry.substring(space + 1); - } else { - algorithm = constraintEntry.toUpperCase(Locale.ENGLISH); - if (!constraintsMap.containsKey(algorithm)) { - constraintsMap.putIfAbsent(algorithm, - new HashSet<>()); - } + String algorithm = AlgorithmDecomposer.hashName( + ((space > 0 ? constraintEntry.substring(0, space) : + constraintEntry). + toUpperCase(Locale.ENGLISH))); + List constraintList = + constraintsMap.getOrDefault(algorithm, + new ArrayList<>(1)); + constraintsMap.putIfAbsent(algorithm, constraintList); + if (space <= 0) { + constraintList.add(new DisabledConstraint(algorithm)); continue; } + String policy = constraintEntry.substring(space + 1); + // Convert constraint conditions into Constraint classes Constraint c, lastConstraint = null; // Allow only one jdkCA entry per constraint entry @@ -315,7 +286,7 @@ c = new jdkCAConstraint(algorithm); jdkCALimit = true; - } else if(entry.startsWith("denyAfter") && + } else if (entry.startsWith("denyAfter") && (matcher = Holder.DENY_AFTER_PATTERN.matcher(entry)) .matches()) { if (debug != null) { @@ -332,6 +303,12 @@ c = new DenyAfterConstraint(algorithm, year, month, day); denyAfterLimit = true; + } else if (entry.startsWith("usage")) { + String s[] = (entry.substring(5)).trim().split(" "); + c = new UsageConstraint(algorithm, s); + if (debug != null) { + debug.println("Constraints usage length is " + s.length); + } } else { throw new IllegalArgumentException("Error in security" + " property. Constraint unknown: " + entry); @@ -340,11 +317,7 @@ // Link multiple conditions for a single constraint // into a linked list. if (lastConstraint == null) { - if (!constraintsMap.containsKey(algorithm)) { - constraintsMap.putIfAbsent(algorithm, - new HashSet<>()); - } - constraintsMap.get(algorithm).add(c); + constraintList.add(c); } else { lastConstraint.nextConstraint = c; } @@ -354,17 +327,17 @@ } // Get applicable constraints based off the signature algorithm - private Set getConstraints(String algorithm) { + private List getConstraints(String algorithm) { return constraintsMap.get(algorithm); } // Check if KeySizeConstraints permit the specified key public boolean permits(Key key) { - Set set = getConstraints(key.getAlgorithm()); - if (set == null) { + List list = getConstraints(key.getAlgorithm()); + if (list == null) { return true; } - for (Constraint constraint : set) { + for (Constraint constraint : list) { if (!constraint.permits(key)) { if (debug != null) { debug.println("keySizeConstraint: failed key " + @@ -377,31 +350,35 @@ } // Check if constraints permit this cert. - public void permits(CertConstraintParameters cp) + public void permits(String algorithm, ConstraintsParameters cp) throws CertPathValidatorException { X509Certificate cert = cp.getCertificate(); if (debug != null) { - debug.println("Constraints.permits(): " + cert.getSigAlgName()); + debug.println("Constraints.permits(): " + algorithm + + " Variant: " + cp.getVariant()); } // Get all signature algorithms to check for constraints - Set algorithms = - AlgorithmDecomposer.decomposeOneHash(cert.getSigAlgName()); - if (algorithms == null || algorithms.isEmpty()) { - return; + Set algorithms = new HashSet<>(); + if (algorithm != null) { + algorithms.addAll(AlgorithmDecomposer.decomposeOneHash(algorithm)); } - // Attempt to add the public key algorithm to the set - algorithms.add(cert.getPublicKey().getAlgorithm()); - + // Attempt to add the public key algorithm if cert provided + if (cert != null) { + algorithms.add(cert.getPublicKey().getAlgorithm()); + } + if (cp.getPublicKey() != null) { + algorithms.add(cp.getPublicKey().getAlgorithm()); + } // Check all applicable constraints - for (String algorithm : algorithms) { - Set set = getConstraints(algorithm); - if (set == null) { + for (String alg : algorithms) { + List list = getConstraints(alg); + if (list == null) { continue; } - for (Constraint constraint : set) { + for (Constraint constraint : list) { constraint.permits(cp); } } @@ -467,17 +444,17 @@ /** * Check if an algorithm constraint is permitted with a given - * CertConstraintParameters. + * ConstraintsParameters. * * If the check inside of {@code permits()} fails, it must call - * {@code next()} with the same {@code CertConstraintParameters} + * {@code next()} with the same {@code ConstraintsParameters} * parameter passed if multiple constraints need to be checked. * * @param cp CertConstraintParameter containing certificate info * @throws CertPathValidatorException if constraint disallows. * */ - public abstract void permits(CertConstraintParameters cp) + public abstract void permits(ConstraintsParameters cp) throws CertPathValidatorException; /** @@ -491,12 +468,12 @@ * were disallowed, the last constraint will throw * {@code CertPathValidatorException}. * - * @param cp CertConstraintParameters + * @param cp ConstraintsParameters * @return 'true' if constraint allows the operation, 'false' if * we are at the end of the constraint list or, * {@code nextConstraint} is null. */ - boolean next(CertConstraintParameters cp) + boolean next(ConstraintsParameters cp) throws CertPathValidatorException { if (nextConstraint != null) { nextConstraint.permits(cp); @@ -525,6 +502,14 @@ } return false; } + + String extendedMsg(ConstraintsParameters cp) { + return (cp.getCertificate() == null ? "." : + " used with certificate: " + + cp.getCertificate().getSubjectX500Principal() + + (cp.getVariant() != Validator.VAR_GENERIC ? + ". Usage was " + cp.getVariant() : ".")); + } } /* @@ -537,11 +522,11 @@ } /* - * Check if CertConstraintParameters has a trusted match, if it does + * Check if ConstraintsParameters has a trusted match, if it does * call next() for any following constraints. If it does not, exit * as this constraint(s) does not restrict the operation. */ - public void permits(CertConstraintParameters cp) + public void permits(ConstraintsParameters cp) throws CertPathValidatorException { if (debug != null) { debug.println("jdkCAConstraints.permits(): " + algorithm); @@ -554,8 +539,7 @@ } throw new CertPathValidatorException( "Algorithm constraints check failed on certificate " + - "anchor limits. " + algorithm + " used with " + - cp.getCertificate().getSubjectX500Principal(), + "anchor limits. " + algorithm + extendedMsg(cp), null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); } } @@ -615,7 +599,7 @@ * constraints. Throw an exception if this is the last constraint. */ @Override - public void permits(CertConstraintParameters cp) + public void permits(ConstraintsParameters cp) throws CertPathValidatorException { Date currentDate; String errmsg; @@ -628,7 +612,7 @@ errmsg = "PKIXParameter date: "; } else { currentDate = new Date(); - errmsg = "Certificate date: "; + errmsg = "Current date: "; } if (!denyAfterDate.after(currentDate)) { @@ -637,9 +621,9 @@ } throw new CertPathValidatorException( "denyAfter constraint check failed: " + algorithm + - " used with Constraint date: " + - dateFormat.format(denyAfterDate) + "; " - + errmsg + dateFormat.format(currentDate), + " used with Constraint date: " + + dateFormat.format(denyAfterDate) + "; " + errmsg + + dateFormat.format(currentDate) + extendedMsg(cp), null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); } } @@ -661,6 +645,48 @@ } /* + * The usage constraint is for the "usage" keyword. It checks against the + * variant value in ConstraintsParameters. + */ + private static class UsageConstraint extends Constraint { + String[] usages; + + UsageConstraint(String algorithm, String[] usages) { + this.algorithm = algorithm; + this.usages = usages; + } + + public void permits(ConstraintsParameters cp) + throws CertPathValidatorException { + for (String usage : usages) { + + String v = null; + if (usage.compareToIgnoreCase("TLSServer") == 0) { + v = Validator.VAR_TLS_SERVER; + } else if (usage.compareToIgnoreCase("TLSClient") == 0) { + v = Validator.VAR_TLS_CLIENT; + } else if (usage.compareToIgnoreCase("SignedJAR") == 0) { + v = Validator.VAR_PLUGIN_CODE_SIGNING; + } + + if (debug != null) { + debug.println("Checking if usage constraint " + v + + " matches " + cp.getVariant()); + } + if (cp.getVariant().compareTo(v) == 0) { + if (next(cp)) { + return; + } + throw new CertPathValidatorException("Usage constraint " + + usage + " check failed: " + algorithm + + extendedMsg(cp), + null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); + } + } + } + } + + /* * This class contains constraints dealing with the key size * support limits per algorithm. e.g. "keySize <= 1024" */ @@ -713,17 +739,22 @@ * constraint Any permitted constraint will exit the linked list * to allow the operation. */ - public void permits(CertConstraintParameters cp) + public void permits(ConstraintsParameters cp) throws CertPathValidatorException { - if (!permitsImpl(cp.getCertificate().getPublicKey())) { + Key key = null; + if (cp.getPublicKey() != null) { + key = cp.getPublicKey(); + } else if (cp.getCertificate() != null) { + key = cp.getCertificate().getPublicKey(); + } + if (key != null && !permitsImpl(key)) { if (nextConstraint != null) { nextConstraint.permits(cp); return; } throw new CertPathValidatorException( "Algorithm constraints check failed on keysize limits. " - + algorithm + " " + size + "bit key used with " - + cp.getCertificate().getSubjectX500Principal(), + + algorithm + " " + size + "bit key" + extendedMsg(cp), null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); } } @@ -762,5 +793,26 @@ return true; } } + + /* + * This constraint is used for the complete disabling of the algorithm. + */ + private static class DisabledConstraint extends Constraint { + DisabledConstraint(String algo) { + algorithm = algo; + } + + public void permits(ConstraintsParameters cp) + throws CertPathValidatorException { + throw new CertPathValidatorException( + "Algorithm constraints check failed on disabled " + + "algorithm: " + algorithm + extendedMsg(cp), + null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); + } + + public boolean permits(Key key) { + return false; + } + } } diff -r ee6b5bd26bf9 -r fe8c324ba97c jdk/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java --- a/jdk/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java Wed Feb 08 12:27:45 2017 -0700 +++ b/jdk/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java Wed Feb 08 12:08:28 2017 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,25 +28,23 @@ import java.io.ByteArrayInputStream; import java.io.IOException; import java.security.CodeSigner; -import java.security.CryptoPrimitive; +import java.security.GeneralSecurityException; import java.security.MessageDigest; import java.security.NoSuchAlgorithmException; import java.security.SignatureException; +import java.security.Timestamp; import java.security.cert.CertPath; import java.security.cert.X509Certificate; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; import java.util.ArrayList; import java.util.Base64; -import java.util.Collections; -import java.util.EnumSet; import java.util.HashMap; import java.util.Hashtable; import java.util.Iterator; import java.util.List; import java.util.Locale; import java.util.Map; -import java.util.Set; import java.util.jar.Attributes; import java.util.jar.JarException; import java.util.jar.JarFile; @@ -61,9 +59,6 @@ /* Are we debugging ? */ private static final Debug debug = Debug.getInstance("jar"); - private static final Set DIGEST_PRIMITIVE_SET = - Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.MESSAGE_DIGEST)); - private static final DisabledAlgorithmConstraints JAR_DISABLED_CHECK = new DisabledAlgorithmConstraints( DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS); @@ -97,6 +92,14 @@ /* for generating certpath objects */ private CertificateFactory certificateFactory = null; + /** Algorithms that have been checked if they are weak. */ + private Map permittedAlgs= new HashMap<>(); + + /** TSA timestamp of signed jar. The newest timestamp is used. If there + * was no TSA timestamp used when signed, current time is used ("null"). + */ + private Timestamp timestamp = null; + /** * Create the named SignatureFileVerifier. * @@ -222,15 +225,8 @@ /** get digest from cache */ - private MessageDigest getDigest(String algorithm) throws SignatureException { - // check that algorithm is not restricted - if (!JAR_DISABLED_CHECK.permits(DIGEST_PRIMITIVE_SET, algorithm, null)) { - SignatureException e = - new SignatureException("SignatureFile check failed. " + - "Disabled algorithm used: " + algorithm); - throw e; - } - + private MessageDigest getDigest(String algorithm) + throws SignatureException { if (createdDigests == null) createdDigests = new HashMap<>(); @@ -302,6 +298,27 @@ if (newSigners == null) return; + /* + * Look for the latest timestamp in the signature block. If an entry + * has no timestamp, use current time (aka null). + */ + for (CodeSigner s: newSigners) { + if (debug != null) { + debug.println("Gathering timestamp for: " + s.toString()); + } + if (s.getTimestamp() == null) { + timestamp = null; + break; + } else if (timestamp == null) { + timestamp = s.getTimestamp(); + } else { + if (timestamp.getTimestamp().before( + s.getTimestamp().getTimestamp())) { + timestamp = s.getTimestamp(); + } + } + } + Iterator> entries = sf.getEntries().entrySet().iterator(); @@ -345,6 +362,68 @@ } /** + * Check if algorithm is permitted using the permittedAlgs Map. + * If the algorithm is not in the map, check against disabled algorithms and + * store the result. If the algorithm is in the map use that result. + * False is returned for weak algorithm, true for good algorithms. + */ + boolean permittedCheck(String key, String algorithm) { + Boolean permitted = permittedAlgs.get(algorithm); + if (permitted == null) { + try { + JAR_DISABLED_CHECK.permits(algorithm, + new ConstraintsParameters(timestamp)); + } catch(GeneralSecurityException e) { + permittedAlgs.put(algorithm, Boolean.FALSE); + permittedAlgs.put(key.toUpperCase(), Boolean.FALSE); + if (debug != null) { + if (e.getMessage() != null) { + debug.println(key + ": " + e.getMessage()); + } else { + debug.println(key + ": " + algorithm + + " was disabled, no exception msg given."); + e.printStackTrace(); + } + } + return false; + } + + permittedAlgs.put(algorithm, Boolean.TRUE); + return true; + } + + // Algorithm has already been checked, return the value from map. + return permitted.booleanValue(); + } + + /** + * With a given header (*-DIGEST*), return a string that lists all the + * algorithms associated with the header. + * If there are none, return "Unknown Algorithm". + */ + String getWeakAlgorithms(String header) { + String w = ""; + try { + for (String key : permittedAlgs.keySet()) { + if (key.endsWith(header)) { + w += key.substring(0, key.length() - header.length()) + " "; + } + } + } catch (RuntimeException e) { + w = "Unknown Algorithm(s). Error processing " + header + ". " + + e.getMessage(); + } + + // This means we have an error in finding weak algorithms, run in + // debug mode to see permittedAlgs map's values. + if (w.length() == 0) { + return "Unknown Algorithm(s)"; + } + + return w; + } + + /** * See if the whole manifest was signed. */ private boolean verifyManifestHash(Manifest sf, @@ -354,6 +433,7 @@ { Attributes mattr = sf.getMainAttributes(); boolean manifestSigned = false; + boolean weakAlgs = true; // go through all the attributes and process *-Digest-Manifest entries for (Map.Entry se : mattr.entrySet()) { @@ -364,6 +444,15 @@ // 16 is length of "-Digest-Manifest" String algorithm = key.substring(0, key.length()-16); + // Check if this algorithm is permitted, skip if false. + if (!permittedCheck(key, algorithm)) { + continue; + } + + // A non-weak algorithm was used, any weak algorithms found do + // not need to be reported. + weakAlgs = false; + manifestDigests.add(key); manifestDigests.add(se.getValue()); MessageDigest digest = getDigest(algorithm); @@ -373,15 +462,14 @@ Base64.getMimeDecoder().decode((String)se.getValue()); if (debug != null) { - debug.println("Signature File: Manifest digest " + - digest.getAlgorithm()); - debug.println( " sigfile " + toHex(expectedHash)); - debug.println( " computed " + toHex(computedHash)); - debug.println(); + debug.println("Signature File: Manifest digest " + + algorithm); + debug.println( " sigfile " + toHex(expectedHash)); + debug.println( " computed " + toHex(computedHash)); + debug.println(); } - if (MessageDigest.isEqual(computedHash, - expectedHash)) { + if (MessageDigest.isEqual(computedHash, expectedHash)) { manifestSigned = true; } else { //XXX: we will continue and verify each section @@ -389,15 +477,31 @@ } } } + + if (debug != null) { + debug.println("PermittedAlgs mapping: "); + for (String key : permittedAlgs.keySet()) { + debug.println(key + " : " + + permittedAlgs.get(key).toString()); + } + } + + // If there were only weak algorithms used, throw an exception. + if (weakAlgs) { + String weakAlgorithms = getWeakAlgorithms("-DIGEST-MANIFEST"); + throw new SignatureException("Manifest hash check failed " + + "(DIGEST-MANIFEST). Disabled algorithm(s) used: " + + weakAlgorithms); + } return manifestSigned; } - private boolean verifyManifestMainAttrs(Manifest sf, - ManifestDigester md) + private boolean verifyManifestMainAttrs(Manifest sf, ManifestDigester md) throws IOException, SignatureException { Attributes mattr = sf.getMainAttributes(); boolean attrsVerified = true; + boolean weakAlgs = true; // go through all the attributes and process // digest entries for the manifest main attributes @@ -408,6 +512,15 @@ String algorithm = key.substring(0, key.length() - ATTR_DIGEST.length()); + // Check if this algorithm is permitted, skip if false. + if (!permittedCheck(key, algorithm)) { + continue; + } + + // A non-weak algorithm was used, any weak algorithms found do + // not need to be reported. + weakAlgs = false; + MessageDigest digest = getDigest(algorithm); if (digest != null) { ManifestDigester.Entry mde = @@ -425,8 +538,7 @@ debug.println(); } - if (MessageDigest.isEqual(computedHash, - expectedHash)) { + if (MessageDigest.isEqual(computedHash, expectedHash)) { // good } else { // we will *not* continue and verify each section @@ -442,6 +554,23 @@ } } + if (debug != null) { + debug.println("PermittedAlgs mapping: "); + for (String key : permittedAlgs.keySet()) { + debug.println(key + " : " + + permittedAlgs.get(key).toString()); + } + } + + // If there were only weak algorithms used, throw an exception. + if (weakAlgs) { + String weakAlgorithms = getWeakAlgorithms("-DIGEST-" + + ManifestDigester.MF_MAIN_ATTRS); + throw new SignatureException("Manifest Main Attribute check " + + "failed (DIGEST-" + ManifestDigester.MF_MAIN_ATTRS + + "). " + "Disabled algorithm(s) used: " + weakAlgorithms); + } + // this method returns 'true' if either: // . manifest main attributes were not signed, or // . manifest main attributes were signed and verified @@ -464,6 +593,7 @@ { boolean oneDigestVerified = false; ManifestDigester.Entry mde = md.get(name,block.isOldStyle()); + boolean weakAlgs = true; if (mde == null) { throw new SecurityException( @@ -471,7 +601,6 @@ } if (sfAttr != null) { - //sun.security.util.HexDumpEncoder hex = new sun.security.util.HexDumpEncoder(); //hex.encodeBuffer(data, System.out); @@ -483,6 +612,15 @@ // 7 is length of "-Digest" String algorithm = key.substring(0, key.length()-7); + // Check if this algorithm is permitted, skip if false. + if (!permittedCheck(key, algorithm)) { + continue; + } + + // A non-weak algorithm was used, any weak algorithms found do + // not need to be reported. + weakAlgs = false; + MessageDigest digest = getDigest(algorithm); if (digest != null) { @@ -532,6 +670,23 @@ } } } + + if (debug != null) { + debug.println("PermittedAlgs mapping: "); + for (String key : permittedAlgs.keySet()) { + debug.println(key + " : " + + permittedAlgs.get(key).toString()); + } + } + + // If there were only weak algorithms used, throw an exception. + if (weakAlgs) { + String weakAlgorithms = getWeakAlgorithms("DIGEST"); + throw new SignatureException("Manifest Main Attribute check " + + "failed (DIGEST). " + "Disabled algorithm(s) used: " + + weakAlgorithms); + } + return oneDigestVerified; } diff -r ee6b5bd26bf9 -r fe8c324ba97c jdk/src/java.base/share/classes/sun/security/validator/PKIXValidator.java --- a/jdk/src/java.base/share/classes/sun/security/validator/PKIXValidator.java Wed Feb 08 12:27:45 2017 -0700 +++ b/jdk/src/java.base/share/classes/sun/security/validator/PKIXValidator.java Wed Feb 08 12:08:28 2017 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -33,7 +33,7 @@ import javax.security.auth.x500.X500Principal; import sun.security.action.GetBooleanAction; import sun.security.provider.certpath.AlgorithmChecker; -import sun.security.provider.certpath.PKIXTimestampParameters; +import sun.security.provider.certpath.PKIXExtendedParameters; /** * Validator implementation built on the PKIX CertPath API. This @@ -199,9 +199,9 @@ PKIXBuilderParameters pkixParameters = null; if (parameter instanceof Timestamp && plugin) { try { - pkixParameters = new PKIXTimestampParameters( + pkixParameters = new PKIXExtendedParameters( (PKIXBuilderParameters) parameterTemplate.clone(), - (Timestamp) parameter); + (Timestamp) parameter, variant); } catch (InvalidAlgorithmParameterException e) { // ignore exception } @@ -211,7 +211,8 @@ // add new algorithm constraints checker if (constraints != null) { - pkixParameters.addCertPathChecker(new AlgorithmChecker(constraints)); + pkixParameters.addCertPathChecker( + new AlgorithmChecker(constraints, null, variant)); } // attach it to the PKIXBuilderParameters. diff -r ee6b5bd26bf9 -r fe8c324ba97c jdk/src/java.base/share/classes/sun/security/validator/SimpleValidator.java --- a/jdk/src/java.base/share/classes/sun/security/validator/SimpleValidator.java Wed Feb 08 12:27:45 2017 -0700 +++ b/jdk/src/java.base/share/classes/sun/security/validator/SimpleValidator.java Wed Feb 08 12:08:28 2017 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -155,12 +155,14 @@ // create default algorithm constraints checker TrustAnchor anchor = new TrustAnchor(anchorCert, null); - AlgorithmChecker defaultAlgChecker = new AlgorithmChecker(anchor); + AlgorithmChecker defaultAlgChecker = + new AlgorithmChecker(anchor, variant); // create application level algorithm constraints checker AlgorithmChecker appAlgChecker = null; if (constraints != null) { - appAlgChecker = new AlgorithmChecker(anchor, constraints); + appAlgChecker = new AlgorithmChecker(anchor, constraints, null, + variant); } // verify top down, starting at the certificate issued by diff -r ee6b5bd26bf9 -r fe8c324ba97c jdk/src/java.base/share/conf/security/java.security --- a/jdk/src/java.base/share/conf/security/java.security Wed Feb 08 12:27:45 2017 -0700 +++ b/jdk/src/java.base/share/conf/security/java.security Wed Feb 08 12:08:28 2017 -0800 @@ -494,7 +494,8 @@ # (see below) # # Constraint: -# KeySizeConstraint | CAConstraint | DenyAfterConstraint +# KeySizeConstraint | CAConstraint | DenyAfterConstraint | +# UsageConstraint # # KeySizeConstraint: # keySize Operator KeyLength @@ -511,6 +512,9 @@ # DenyAfterConstraint: # denyAfter YYYY-MM-DD # +# UsageConstraint: +# usage [TLSServer] [TLSClient] [SignedJAR] +# # The "AlgorithmName" is the standard algorithm name of the disabled # algorithm. See "Java Cryptography Architecture Standard Algorithm Name # Documentation" for information about Standard Algorithm Names. Matching @@ -560,6 +564,19 @@ # Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020, # use the following: "RSA keySize == 2048 & denyAfter 2020-02-03" # +# UsageConstraint: +# usage [TLSServer] [TLSClient] [SignedJAR] +# This constraint prohibits the specified algorithm for +# a specified usage. This should be used when disabling an algorithm +# for all usages is not practical. 'TLSServer' restricts the algorithm +# in TLS server certificate chains when server authentication is +# performed. 'TLSClient' restricts the algorithm in TLS client +# certificate chains when client authentication is performed. +# 'SignedJAR' constrains use of certificates in signed jar files. +# The usage type follows the keyword and more than one usage type can +# be specified with a whitespace delimiter. +# Example: "SHA1 usage TLSServer TLSClient" +# # When an algorithm must satisfy more than one constraint, it must be # delimited by an ampersand '&'. For example, to restrict certificates in a # chain that terminate at a distribution provided trust anchor and contain @@ -599,17 +616,20 @@ # " DisabledAlgorithm { , DisabledAlgorithm } " # # DisabledAlgorithm: -# AlgorithmName [Constraint] +# AlgorithmName [Constraint] { '&' Constraint } # # AlgorithmName: # (see below) # # Constraint: -# KeySizeConstraint +# KeySizeConstraint | DenyAfterConstraint # # KeySizeConstraint: # keySize Operator KeyLength # +# DenyAfterConstraint: +# denyAfter YYYY-MM-DD +# # Operator: # <= | < | == | != | >= | > # @@ -620,6 +640,8 @@ # implementation. It is not guaranteed to be examined and used by other # implementations. # +# See "jdk.certpath.disabledAlgorithms" for syntax descriptions. +# jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ DSA keySize < 1024 diff -r ee6b5bd26bf9 -r fe8c324ba97c jdk/test/sun/security/tools/jarsigner/TimestampCheck.java --- a/jdk/test/sun/security/tools/jarsigner/TimestampCheck.java Wed Feb 08 12:27:45 2017 -0700 +++ b/jdk/test/sun/security/tools/jarsigner/TimestampCheck.java Wed Feb 08 12:08:28 2017 -0800 @@ -456,7 +456,7 @@ .shouldMatch("Timestamp signature algorithm: .*key.*weak"); verify(file, "-J-Djava.security.debug=jar") .shouldHaveExitValue(0) - .shouldMatch("SignatureException:.*Disabled"); + .shouldMatch("SignatureException:.*disabled"); } static void checkHalfWeak(String file) throws Throwable {