From 4b9948c9d43bd53c764304c164a42e7dcd3e3844 Mon Sep 17 00:00:00 2001 From: mullan Date: Mon, 7 Nov 2016 07:19:52 -0500 Subject: [PATCH] 8169072: Backout JDK-8154015 Reviewed-by: ascarpino, igerasim --- .../provider/certpath/AlgorithmChecker.java | 35 ++----------------- .../sun/security/provider/certpath/PKIX.java | 12 +------ .../certpath/PKIXCertPathValidator.java | 14 ++------ .../util/CertConstraintParameters.java | 12 ++----- .../util/DisabledAlgorithmConstraints.java | 4 +-- .../sun/security/validator/PKIXValidator.java | 23 ++++-------- .../sun/security/validator/Validator.java | 23 +++++++----- 7 files changed, 30 insertions(+), 93 deletions(-) diff --git a/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java b/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java index 7c9d1e9b5..cf2ac9929 100644 --- a/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java +++ b/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java @@ -27,7 +27,6 @@ package sun.security.provider.certpath; import java.security.AlgorithmConstraints; import java.security.CryptoPrimitive; -import java.security.Timestamp; import java.util.Collection; import java.util.Collections; import java.util.Date; @@ -78,7 +77,6 @@ final public class AlgorithmChecker extends PKIXCertPathChecker { private final PublicKey trustedPubKey; private final Date pkixdate; private PublicKey prevPubKey; - private final Timestamp jarTimestamp; private final static Set SIGNATURE_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE)); @@ -144,29 +142,6 @@ final public class AlgorithmChecker extends PKIXCertPathChecker { this.trustedPubKey = null; this.constraints = constraints; this.pkixdate = null; - this.jarTimestamp = null; - } - - /** - * Create a new {@code AlgorithmChecker} with the given - * {@code Timestamp}. - *

- * Note that this constructor will be used to check a certification - * path for signed JAR files that are timestamped. - * - * @param jarTimestamp Timestamp passed for JAR timestamp constraint - * checking. Set to null if not applicable. - */ - public AlgorithmChecker(Timestamp jarTimestamp) { - this.prevPubKey = null; - this.trustedPubKey = null; - this.constraints = certPathDefaultConstraints; - if (jarTimestamp == null) { - throw new IllegalArgumentException( - "Timestamp cannot be null"); - } - this.pkixdate = jarTimestamp.getTimestamp(); - this.jarTimestamp = jarTimestamp; } /** @@ -204,7 +179,6 @@ final public class AlgorithmChecker extends PKIXCertPathChecker { this.prevPubKey = trustedPubKey; this.constraints = constraints; this.pkixdate = pkixdate; - this.jarTimestamp = null; } /** @@ -235,10 +209,6 @@ final public class AlgorithmChecker extends PKIXCertPathChecker { return AnchorCertificates.contains(cert); } - Timestamp getJarTimestamp() { - return jarTimestamp; - } - @Override public void init(boolean forward) throws CertPathValidatorException { // Note that this class does not support forward mode. @@ -326,7 +296,8 @@ final public class AlgorithmChecker extends PKIXCertPathChecker { // permits() will throw exception on failure. certPathDefaultConstraints.permits(primitives, new CertConstraintParameters((X509Certificate)cert, - trustedMatch, pkixdate, jarTimestamp)); + trustedMatch, pkixdate)); + // new CertConstraintParameters(x509Cert, trustedMatch)); // If there is no previous key, set one and exit if (prevPubKey == null) { prevPubKey = currPubKey; @@ -471,7 +442,7 @@ final public class AlgorithmChecker extends PKIXCertPathChecker { * Check the signature algorithm with the specified public key. * * @param key the public key to verify the CRL signature - * @param algorithmId signature algorithm Algorithm ID + * @param crl the target CRL */ static void check(PublicKey key, AlgorithmId algorithmId) throws CertPathValidatorException { diff --git a/src/share/classes/sun/security/provider/certpath/PKIX.java b/src/share/classes/sun/security/provider/certpath/PKIX.java index f6b0b2ed6..e33d4a21a 100644 --- a/src/share/classes/sun/security/provider/certpath/PKIX.java +++ b/src/share/classes/sun/security/provider/certpath/PKIX.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,7 +26,6 @@ package sun.security.provider.certpath; import java.security.InvalidAlgorithmParameterException; import java.security.PublicKey; -import java.security.Timestamp; import java.security.cert.*; import java.security.interfaces.DSAPublicKey; import java.util.*; @@ -86,7 +85,6 @@ class PKIX { private CertSelector constraints; private Set anchors; private List certs; - private Timestamp timestamp; ValidatorParams(CertPath cp, PKIXParameters params) throws InvalidAlgorithmParameterException @@ -102,10 +100,6 @@ class PKIX { ValidatorParams(PKIXParameters params) throws InvalidAlgorithmParameterException { - if (params instanceof PKIXTimestampParameters) { - timestamp = ((PKIXTimestampParameters) params).getTimestamp(); - } - this.anchors = params.getTrustAnchors(); // Make sure that none of the trust anchors include name constraints // (not supported). @@ -195,10 +189,6 @@ class PKIX { PKIXParameters getPKIXParameters() { return params; } - - Timestamp timestamp() { - return timestamp; - } } static class BuilderParams extends ValidatorParams { diff --git a/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java b/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java index 79259eea6..934fc10b5 100644 --- a/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java +++ b/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -172,11 +172,7 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi { List certPathCheckers = new ArrayList<>(); // add standard checkers that we will be using certPathCheckers.add(untrustedChecker); - if (params.timestamp() == null) { certPathCheckers.add(new AlgorithmChecker(anchor, params.date())); - } else { - certPathCheckers.add(new AlgorithmChecker(params.timestamp())); - } certPathCheckers.add(new KeyChecker(certPathLen, params.targetCertConstraints())); certPathCheckers.add(new ConstraintsChecker(certPathLen)); @@ -193,14 +189,8 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi { rootNode); certPathCheckers.add(pc); // default value for date is current time - BasicChecker bc; - if (params.timestamp() == null) { - bc = new BasicChecker(anchor, params.date(), params.sigProvider(), - false); - } else { - bc = new BasicChecker(anchor, params.timestamp().getTimestamp(), + BasicChecker bc = new BasicChecker(anchor, params.date(), params.sigProvider(), false); - } certPathCheckers.add(bc); boolean revCheckerAdded = false; diff --git a/src/share/classes/sun/security/util/CertConstraintParameters.java b/src/share/classes/sun/security/util/CertConstraintParameters.java index a9ba871fe..00a94c539 100644 --- a/src/share/classes/sun/security/util/CertConstraintParameters.java +++ b/src/share/classes/sun/security/util/CertConstraintParameters.java @@ -25,7 +25,6 @@ package sun.security.util; -import java.security.Timestamp; import java.security.cert.X509Certificate; import java.util.Date; @@ -41,19 +40,16 @@ public class CertConstraintParameters { private final boolean trustedMatch; // PKIXParameter date private final Date pkixDate; - // Timestamp of the signed JAR file - private final Timestamp jarTimestamp; public CertConstraintParameters(X509Certificate c, boolean match, - Date pkixdate, Timestamp jarTime) { + Date pkixdate) { cert = c; trustedMatch = match; pkixDate = pkixdate; - jarTimestamp = jarTime; } public CertConstraintParameters(X509Certificate c) { - this(c, false, null, null); + this(c, false, null); } // Returns if the trust anchor has a match if anchor checking is enabled. @@ -69,8 +65,4 @@ public class CertConstraintParameters { return pkixDate; } - public Timestamp getJARTimestamp() { - return jarTimestamp; -} - } diff --git a/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java b/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java index 9fa06dc9c..c5825f009 100644 --- a/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java +++ b/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java @@ -606,9 +606,7 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints { throws CertPathValidatorException { Date currentDate; - if (cp.getJARTimestamp() != null) { - currentDate = cp.getJARTimestamp().getTimestamp(); - } else if (cp.getPKIXParamDate() != null) { + if (cp.getPKIXParamDate() != null) { currentDate = cp.getPKIXParamDate(); } else { currentDate = new Date(); diff --git a/src/share/classes/sun/security/validator/PKIXValidator.java b/src/share/classes/sun/security/validator/PKIXValidator.java index 7b8261194..51761e1bd 100644 --- a/src/share/classes/sun/security/validator/PKIXValidator.java +++ b/src/share/classes/sun/security/validator/PKIXValidator.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -33,7 +33,6 @@ import java.security.cert.*; import javax.security.auth.x500.X500Principal; import sun.security.action.GetBooleanAction; import sun.security.provider.certpath.AlgorithmChecker; -import sun.security.provider.certpath.PKIXTimestampParameters; /** * Validator implementation built on the PKIX CertPath API. This @@ -209,23 +208,13 @@ public final class PKIXValidator extends Validator { ("null or zero-length certificate chain"); } - // Check if 'parameter' affects 'pkixParameters' - PKIXBuilderParameters pkixParameters = null; - if (parameter instanceof Timestamp && plugin) { - try { - pkixParameters = new PKIXTimestampParameters( - (PKIXBuilderParameters) parameterTemplate.clone(), - (Timestamp) parameter); - } catch (InvalidAlgorithmParameterException e) { - // ignore exception - } - } else { - pkixParameters = (PKIXBuilderParameters) parameterTemplate.clone(); - } - // add new algorithm constraints checker + PKIXBuilderParameters pkixParameters = + (PKIXBuilderParameters) parameterTemplate.clone(); + AlgorithmChecker algorithmChecker = null; if (constraints != null) { - pkixParameters.addCertPathChecker(new AlgorithmChecker(constraints)); + algorithmChecker = new AlgorithmChecker(constraints); + pkixParameters.addCertPathChecker(algorithmChecker); } if (TRY_VALIDATOR) { diff --git a/src/share/classes/sun/security/validator/Validator.java b/src/share/classes/sun/security/validator/Validator.java index 069782b54..863566c73 100644 --- a/src/share/classes/sun/security/validator/Validator.java +++ b/src/share/classes/sun/security/validator/Validator.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -219,7 +219,14 @@ public abstract class Validator { * Validate the given certificate chain. If otherCerts is non-null, it is * a Collection of additional X509Certificates that could be helpful for * path building. - * + *

+ * Parameter is an additional parameter with variant specific meaning. + * Currently, it is only defined for TLS_SERVER variant validators, where + * it must be non null and the name of the TLS key exchange algorithm being + * used (see JSSE X509TrustManager specification). In the future, it + * could be used to pass in a PKCS#7 object for code signing to check time + * stamps. + *

* @return a non-empty chain that was used to validate the path. The * end entity cert is at index 0, the trust anchor at index n-1. */ @@ -237,12 +244,12 @@ public abstract class Validator { * could be helpful for path building (or null) * @param constraints algorithm constraints for certification path * processing - * @param parameter an additional parameter object to pass specific data. - * This parameter object maybe one of the two below: - * 1) TLS_SERVER variant validators, where it must be non null and - * the name of the TLS key exchange algorithm being used - * (see JSSE X509TrustManager specification). - * 2) {@code Timestamp} object from a signed JAR file. + * @param parameter an additional parameter with variant specific meaning. + * Currently, it is only defined for TLS_SERVER variant validators, + * where it must be non null and the name of the TLS key exchange + * algorithm being used (see JSSE X509TrustManager specification). + * In the future, it could be used to pass in a PKCS#7 object for + * code signing to check time stamps. * @return a non-empty chain that was used to validate the path. The * end entity cert is at index 0, the trust anchor at index n-1. */ -- GitLab