author | ascarpino |
Mon, 02 May 2016 16:45:38 -0700 | |
changeset 37726 | bbecfff95ec3 |
parent 34534 | 0d45108a3e62 |
child 41956 | 69deb06bb8f1 |
permissions | -rw-r--r-- |
31689 | 1 |
/* |
37726
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
2 |
* Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved. |
31689 | 3 |
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
4 |
* |
|
5 |
* This code is free software; you can redistribute it and/or modify it |
|
6 |
* under the terms of the GNU General Public License version 2 only, as |
|
7 |
* published by the Free Software Foundation. Oracle designates this |
|
8 |
* particular file as subject to the "Classpath" exception as provided |
|
9 |
* by Oracle in the LICENSE file that accompanied this code. |
|
10 |
* |
|
11 |
* This code is distributed in the hope that it will be useful, but WITHOUT |
|
12 |
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
|
13 |
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
|
14 |
* version 2 for more details (a copy is included in the LICENSE file that |
|
15 |
* accompanied this code). |
|
16 |
* |
|
17 |
* You should have received a copy of the GNU General Public License version |
|
18 |
* 2 along with this work; if not, write to the Free Software Foundation, |
|
19 |
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
|
20 |
* |
|
21 |
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
|
22 |
* or visit www.oracle.com if you need additional information or have any |
|
23 |
* questions. |
|
24 |
*/ |
|
25 |
||
26 |
package sun.security.util; |
|
27 |
||
28 |
import java.util.HashSet; |
|
29 |
import java.util.Set; |
|
30 |
import java.util.regex.Pattern; |
|
31 |
||
32 |
/** |
|
33 |
* The class decomposes standard algorithms into sub-elements. |
|
34 |
*/ |
|
35 |
public class AlgorithmDecomposer { |
|
36 |
||
37 |
private static final Pattern transPattern = Pattern.compile("/"); |
|
34534
0d45108a3e62
8136410: AlgorithmDecomposer is not parsing padding correctly
xuelei
parents:
31689
diff
changeset
|
38 |
|
0d45108a3e62
8136410: AlgorithmDecomposer is not parsing padding correctly
xuelei
parents:
31689
diff
changeset
|
39 |
// '(?<!padd)in': match 'in' but not preceded with 'padd'. |
31689 | 40 |
private static final Pattern pattern = |
34534
0d45108a3e62
8136410: AlgorithmDecomposer is not parsing padding correctly
xuelei
parents:
31689
diff
changeset
|
41 |
Pattern.compile("with|and|(?<!padd)in", Pattern.CASE_INSENSITIVE); |
31689 | 42 |
|
37726
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
43 |
private static Set<String> decomposeImpl(String algorithm) { |
31689 | 44 |
|
45 |
// algorithm/mode/padding |
|
46 |
String[] transTockens = transPattern.split(algorithm); |
|
47 |
||
48 |
Set<String> elements = new HashSet<>(); |
|
49 |
for (String transTocken : transTockens) { |
|
50 |
if (transTocken == null || transTocken.length() == 0) { |
|
51 |
continue; |
|
52 |
} |
|
53 |
||
54 |
// PBEWith<digest>And<encryption> |
|
55 |
// PBEWith<prf>And<encryption> |
|
56 |
// OAEPWith<digest>And<mgf>Padding |
|
57 |
// <digest>with<encryption> |
|
58 |
// <digest>with<encryption>and<mgf> |
|
59 |
// <digest>with<encryption>in<format> |
|
60 |
String[] tokens = pattern.split(transTocken); |
|
61 |
||
62 |
for (String token : tokens) { |
|
63 |
if (token == null || token.length() == 0) { |
|
64 |
continue; |
|
65 |
} |
|
66 |
||
67 |
elements.add(token); |
|
68 |
} |
|
69 |
} |
|
37726
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
70 |
return elements; |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
71 |
} |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
72 |
|
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
73 |
/** |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
74 |
* Decompose the standard algorithm name into sub-elements. |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
75 |
* <p> |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
76 |
* For example, we need to decompose "SHA1WithRSA" into "SHA1" and "RSA" |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
77 |
* so that we can check the "SHA1" and "RSA" algorithm constraints |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
78 |
* separately. |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
79 |
* <p> |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
80 |
* Please override the method if need to support more name pattern. |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
81 |
*/ |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
82 |
public Set<String> decompose(String algorithm) { |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
83 |
if (algorithm == null || algorithm.length() == 0) { |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
84 |
return new HashSet<>(); |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
85 |
} |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
86 |
|
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
87 |
Set<String> elements = decomposeImpl(algorithm); |
31689 | 88 |
|
89 |
// In Java standard algorithm name specification, for different |
|
90 |
// purpose, the SHA-1 and SHA-2 algorithm names are different. For |
|
91 |
// example, for MessageDigest, the standard name is "SHA-256", while |
|
92 |
// for Signature, the digest algorithm component is "SHA256" for |
|
93 |
// signature algorithm "SHA256withRSA". So we need to check both |
|
94 |
// "SHA-256" and "SHA256" to make the right constraint checking. |
|
95 |
||
96 |
// handle special name: SHA-1 and SHA1 |
|
97 |
if (elements.contains("SHA1") && !elements.contains("SHA-1")) { |
|
98 |
elements.add("SHA-1"); |
|
99 |
} |
|
100 |
if (elements.contains("SHA-1") && !elements.contains("SHA1")) { |
|
101 |
elements.add("SHA1"); |
|
102 |
} |
|
103 |
||
104 |
// handle special name: SHA-224 and SHA224 |
|
105 |
if (elements.contains("SHA224") && !elements.contains("SHA-224")) { |
|
106 |
elements.add("SHA-224"); |
|
107 |
} |
|
108 |
if (elements.contains("SHA-224") && !elements.contains("SHA224")) { |
|
109 |
elements.add("SHA224"); |
|
110 |
} |
|
111 |
||
112 |
// handle special name: SHA-256 and SHA256 |
|
113 |
if (elements.contains("SHA256") && !elements.contains("SHA-256")) { |
|
114 |
elements.add("SHA-256"); |
|
115 |
} |
|
116 |
if (elements.contains("SHA-256") && !elements.contains("SHA256")) { |
|
117 |
elements.add("SHA256"); |
|
118 |
} |
|
119 |
||
120 |
// handle special name: SHA-384 and SHA384 |
|
121 |
if (elements.contains("SHA384") && !elements.contains("SHA-384")) { |
|
122 |
elements.add("SHA-384"); |
|
123 |
} |
|
124 |
if (elements.contains("SHA-384") && !elements.contains("SHA384")) { |
|
125 |
elements.add("SHA384"); |
|
126 |
} |
|
127 |
||
128 |
// handle special name: SHA-512 and SHA512 |
|
129 |
if (elements.contains("SHA512") && !elements.contains("SHA-512")) { |
|
130 |
elements.add("SHA-512"); |
|
131 |
} |
|
132 |
if (elements.contains("SHA-512") && !elements.contains("SHA512")) { |
|
133 |
elements.add("SHA512"); |
|
134 |
} |
|
135 |
||
136 |
return elements; |
|
137 |
} |
|
138 |
||
37726
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
139 |
private static void hasLoop(Set<String> elements, String find, String replace) { |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
140 |
if (elements.contains(find)) { |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
141 |
if (!elements.contains(replace)) { |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
142 |
elements.add(replace); |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
143 |
} |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
144 |
elements.remove(find); |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
145 |
} |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
146 |
} |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
147 |
|
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
148 |
/* |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
149 |
* This decomposes a standard name into sub-elements with a consistent |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
150 |
* message digest algorithm name to avoid overly complicated checking. |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
151 |
*/ |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
152 |
public static Set<String> decomposeOneHash(String algorithm) { |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
153 |
if (algorithm == null || algorithm.length() == 0) { |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
154 |
return new HashSet<>(); |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
155 |
} |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
156 |
|
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
157 |
Set<String> elements = decomposeImpl(algorithm); |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
158 |
|
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
159 |
hasLoop(elements, "SHA-1", "SHA1"); |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
160 |
hasLoop(elements, "SHA-224", "SHA224"); |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
161 |
hasLoop(elements, "SHA-256", "SHA256"); |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
162 |
hasLoop(elements, "SHA-384", "SHA384"); |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
163 |
hasLoop(elements, "SHA-512", "SHA512"); |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
164 |
|
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
165 |
return elements; |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
166 |
} |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
167 |
|
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
168 |
/* |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
169 |
* The provided message digest algorithm name will return a consistent |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
170 |
* naming scheme. |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
171 |
*/ |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
172 |
public static String hashName(String algorithm) { |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
173 |
return algorithm.replace("-", ""); |
bbecfff95ec3
8140422: Add mechanism to allow non default root CAs to be not subject to algorithm restrictions
ascarpino
parents:
34534
diff
changeset
|
174 |
} |
31689 | 175 |
} |