提交 61f0aca6 编写于 作者: R robm

8154015: Apply algorithm constraints to timestamped code

Reviewed-by: ascarpino
上级 4070e594
......@@ -27,6 +27,7 @@ package sun.security.provider.certpath;
import java.security.AlgorithmConstraints;
import java.security.CryptoPrimitive;
import java.security.Timestamp;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
......@@ -77,6 +78,7 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
private final PublicKey trustedPubKey;
private final Date pkixdate;
private PublicKey prevPubKey;
private final Timestamp jarTimestamp;
private final static Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET =
Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
......@@ -142,6 +144,29 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
this.trustedPubKey = null;
this.constraints = constraints;
this.pkixdate = null;
this.jarTimestamp = null;
}
/**
* Create a new {@code AlgorithmChecker} with the given
* {@code Timestamp}.
* <p>
* Note that this constructor will be used to check a certification
* path for signed JAR files that are timestamped.
*
* @param jarTimestamp Timestamp passed for JAR timestamp constraint
* checking. Set to null if not applicable.
*/
public AlgorithmChecker(Timestamp jarTimestamp) {
this.prevPubKey = null;
this.trustedPubKey = null;
this.constraints = certPathDefaultConstraints;
if (jarTimestamp == null) {
throw new IllegalArgumentException(
"Timestamp cannot be null");
}
this.pkixdate = jarTimestamp.getTimestamp();
this.jarTimestamp = jarTimestamp;
}
/**
......@@ -179,6 +204,7 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
this.prevPubKey = trustedPubKey;
this.constraints = constraints;
this.pkixdate = pkixdate;
this.jarTimestamp = null;
}
/**
......@@ -209,6 +235,10 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
return AnchorCertificates.contains(cert);
}
Timestamp getJarTimestamp() {
return jarTimestamp;
}
@Override
public void init(boolean forward) throws CertPathValidatorException {
// Note that this class does not support forward mode.
......@@ -296,8 +326,7 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
// permits() will throw exception on failure.
certPathDefaultConstraints.permits(primitives,
new CertConstraintParameters((X509Certificate)cert,
trustedMatch, pkixdate));
// new CertConstraintParameters(x509Cert, trustedMatch));
trustedMatch, pkixdate, jarTimestamp));
// If there is no previous key, set one and exit
if (prevPubKey == null) {
prevPubKey = currPubKey;
......@@ -442,7 +471,7 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
* Check the signature algorithm with the specified public key.
*
* @param key the public key to verify the CRL signature
* @param crl the target CRL
* @param algorithmId signature algorithm Algorithm ID
*/
static void check(PublicKey key, AlgorithmId algorithmId)
throws CertPathValidatorException {
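Review bot: The Javadoc of the new `AlgorithmChecker(Timestamp)` constructor says "Set to null if not applicable", but the body throws `IllegalArgumentException` when `jarTimestamp` is null, so the doc contradicts the contract; replace that sentence with `@param jarTimestamp the Timestamp of the signed JAR; must not be null` and add `@throws IllegalArgumentException if {@code jarTimestamp} is null`. The constructor also adopts the timestamp's date as the validation date without any further check, so it relies on the caller having verified the TSA token before handing it in; where that verification happens is not visible on this page, so a sentence in the constructor comment saying the timestamp is expected to be already verified would help the next reader. The package-private `getJarTimestamp()` accessor has no comment; `// Returns the JAR timestamp this checker validates against, or null when not checking timestamped code.` would do.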
......
/*
* Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -26,6 +26,7 @@ package sun.security.provider.certpath;
import java.security.InvalidAlgorithmParameterException;
import java.security.PublicKey;
import java.security.Timestamp;
import java.security.cert.*;
import java.security.interfaces.DSAPublicKey;
import java.util.*;
......@@ -85,6 +86,7 @@ class PKIX {
private CertSelector constraints;
private Set<TrustAnchor> anchors;
private List<X509Certificate> certs;
private Timestamp timestamp;
ValidatorParams(CertPath cp, PKIXParameters params)
throws InvalidAlgorithmParameterException
......@@ -100,6 +102,10 @@ class PKIX {
ValidatorParams(PKIXParameters params)
throws InvalidAlgorithmParameterException
{
if (params instanceof PKIXTimestampParameters) {
timestamp = ((PKIXTimestampParameters) params).getTimestamp();
}
this.anchors = params.getTrustAnchors();
// Make sure that none of the trust anchors include name constraints
// (not supported).
......@@ -189,6 +195,10 @@ class PKIX {
PKIXParameters getPKIXParameters() {
return params;
}
Timestamp timestamp() {
return timestamp;
}
}
static class BuilderParams extends ValidatorParams {
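Review bot: `timestamp()` in ValidatorParams returns the field without saying when it is non-null; since the only assignment is the `instanceof PKIXTimestampParameters` branch of the constructor, `/** Returns the JAR timestamp supplied via PKIXTimestampParameters, or null. */` states the contract. The `ValidatorParams(CertPath cp, PKIXParameters params)` constructor at the top of the section presumably delegates to this one, but its body is outside the hunk, so I cannot confirm the timestamp is also picked up on that path. The assignment `timestamp = ((PKIXTimestampParameters) params).getTimestamp();` drops the `this.` prefix that the neighbouring `this.anchors = ...` uses; `this.timestamp = ...` keeps the constructor consistent.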
......
/*
* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -172,7 +172,11 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi {
List<PKIXCertPathChecker> certPathCheckers = new ArrayList<>();
// add standard checkers that we will be using
certPathCheckers.add(untrustedChecker);
if (params.timestamp() == null) {
certPathCheckers.add(new AlgorithmChecker(anchor, params.date()));
} else {
certPathCheckers.add(new AlgorithmChecker(params.timestamp()));
}
certPathCheckers.add(new KeyChecker(certPathLen,
params.targetCertConstraints()));
certPathCheckers.add(new ConstraintsChecker(certPathLen));
......@@ -189,8 +193,14 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi {
rootNode);
certPathCheckers.add(pc);
// default value for date is current time
BasicChecker bc = new BasicChecker(anchor, params.date(),
BasicChecker bc;
if (params.timestamp() == null) {
bc = new BasicChecker(anchor, params.date(), params.sigProvider(),
false);
} else {
bc = new BasicChecker(anchor, params.timestamp().getTimestamp(),
params.sigProvider(), false);
}
certPathCheckers.add(bc);
boolean revCheckerAdded = false;
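Review bot: The comment `// default value for date is current time` above the new `BasicChecker bc;` is now misleading, because in the timestamped branch the validation date comes from `params.timestamp().getTimestamp()` rather than `params.date()`; reword it to `// validate at the JAR timestamp when present, otherwise at params.date() (defaults to now)`. Both hunks in this section branch on `params.timestamp() == null`; computing the date once, e.g. `Date validationDate = params.timestamp() == null ? params.date() : params.timestamp().getTimestamp();`, and passing it to BasicChecker removes the duplicated branch (AlgorithmChecker still needs the Timestamp itself). Whether the revocation checker set up after `revCheckerAdded` validates at the timestamp date or at `params.date()` is outside the hunk; if it still uses `params.date()`, the two checkers disagree on what "now" is, which should at least be documented at this point.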
......
......@@ -25,6 +25,7 @@
package sun.security.util;
import java.security.Timestamp;
import java.security.cert.X509Certificate;
import java.util.Date;
......@@ -40,16 +41,19 @@ public class CertConstraintParameters {
private final boolean trustedMatch;
// PKIXParameter date
private final Date pkixDate;
// Timestamp of the signed JAR file
private final Timestamp jarTimestamp;
public CertConstraintParameters(X509Certificate c, boolean match,
Date pkixdate) {
Date pkixdate, Timestamp jarTime) {
cert = c;
trustedMatch = match;
pkixDate = pkixdate;
jarTimestamp = jarTime;
}
public CertConstraintParameters(X509Certificate c) {
this(c, false, null);
this(c, false, null, null);
}
// Returns if the trust anchor has a match if anchor checking is enabled.
......@@ -65,4 +69,8 @@ public class CertConstraintParameters {
return pkixDate;
}
public Timestamp getJARTimestamp() {
return jarTimestamp;
}
}
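Review bot: The new accessor `getJARTimestamp()` is named differently from the field `jarTimestamp` and from `getJarTimestamp()` in AlgorithmChecker; Java convention treats acronyms as words (`getJarTimestamp`), and the mixed naming shows up directly at the call sites in DisabledAlgorithmConstraints. The accessor also lacks the one-line comment the other members of this class carry; `// Returns the timestamp of the signed JAR, or null when the certificate path is not for timestamped code.` matches the file's style. Dropping the three-argument constructor (the old `Date pkixdate) {` line) is fine for an internal class, but any other caller in the tree now needs the extra null argument, which is worth a grep before pushing.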
......@@ -606,7 +606,9 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
throws CertPathValidatorException {
Date currentDate;
if (cp.getPKIXParamDate() != null) {
if (cp.getJARTimestamp() != null) {
currentDate = cp.getJARTimestamp().getTimestamp();
} else if (cp.getPKIXParamDate() != null) {
currentDate = cp.getPKIXParamDate();
} else {
currentDate = new Date();
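Review bot: The new precedence in the `currentDate` selection (JAR timestamp, then PKIX date, then now) is the core of the change but carries no comment, and `cp.getJARTimestamp()` is evaluated twice in the same condition. A local, `Timestamp jarTs = cp.getJARTimestamp();` followed by `if (jarTs != null) { currentDate = jarTs.getTimestamp(); }`, reads better (it needs `java.security.Timestamp` imported if it is not already), and `// A timestamped JAR is judged by the constraints in force at its timestamp, not at the PKIX date or at validation time.` explains the order. The enclosing method starts before the hunk and its use of `currentDate` is not visible here.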
......
/*
* Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -33,6 +33,7 @@ import java.security.cert.*;
import javax.security.auth.x500.X500Principal;
import sun.security.action.GetBooleanAction;
import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.provider.certpath.PKIXTimestampParameters;
/**
* Validator implementation built on the PKIX CertPath API. This
......@@ -208,13 +209,23 @@ public final class PKIXValidator extends Validator {
("null or zero-length certificate chain");
}
// Check if 'parameter' affects 'pkixParameters'
PKIXBuilderParameters pkixParameters = null;
if (parameter instanceof Timestamp && plugin) {
try {
pkixParameters = new PKIXTimestampParameters(
(PKIXBuilderParameters) parameterTemplate.clone(),
(Timestamp) parameter);
} catch (InvalidAlgorithmParameterException e) {
// ignore exception
}
} else {
pkixParameters = (PKIXBuilderParameters) parameterTemplate.clone();
}
// add new algorithm constraints checker
PKIXBuilderParameters pkixParameters =
(PKIXBuilderParameters) parameterTemplate.clone();
AlgorithmChecker algorithmChecker = null;
if (constraints != null) {
algorithmChecker = new AlgorithmChecker(constraints);
pkixParameters.addCertPathChecker(algorithmChecker);
pkixParameters.addCertPathChecker(new AlgorithmChecker(constraints));
}
if (TRY_VALIDATOR) {
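Review bot: The empty `catch (InvalidAlgorithmParameterException e) { // ignore exception }` leaves `pkixParameters` null when `PKIXTimestampParameters` rejects the cloned template, so `pkixParameters.addCertPathChecker(...)` a few lines down (and whatever follows `TRY_VALIDATOR`) would fail with a NullPointerException rather than a meaningful error. Either rethrow, `throw new CertificateException("invalid timestamp validation parameters", e);` if engineValidate declares CertificateException as the `"null or zero-length certificate chain"` check suggests, or fall back to the plain `(PKIXBuilderParameters) parameterTemplate.clone()` with a comment stating that the timestamp is deliberately ignored in that case; silently dropping a checked exception inside a certificate validator should not be an option. Separately, `parameter` arrives here as an untyped Object and the Timestamp is trusted as-is; where the TSA token is verified is not visible on this page and deserves a pointer in the comment above the `instanceof` check.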
......
/*
* Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -219,14 +219,7 @@ public abstract class Validator {
* Validate the given certificate chain. If otherCerts is non-null, it is
* a Collection of additional X509Certificates that could be helpful for
* path building.
* <p>
* Parameter is an additional parameter with variant specific meaning.
* Currently, it is only defined for TLS_SERVER variant validators, where
* it must be non null and the name of the TLS key exchange algorithm being
* used (see JSSE X509TrustManager specification). In the future, it
* could be used to pass in a PKCS#7 object for code signing to check time
* stamps.
* <p>
*
* @return a non-empty chain that was used to validate the path. The
* end entity cert is at index 0, the trust anchor at index n-1.
*/
......@@ -244,12 +237,12 @@ public abstract class Validator {
* could be helpful for path building (or null)
* @param constraints algorithm constraints for certification path
* processing
* @param parameter an additional parameter with variant specific meaning.
* Currently, it is only defined for TLS_SERVER variant validators,
* where it must be non null and the name of the TLS key exchange
* algorithm being used (see JSSE X509TrustManager specification).
* In the future, it could be used to pass in a PKCS#7 object for
* code signing to check time stamps.
* @param parameter an additional parameter object to pass specific data.
* This parameter object maybe one of the two below:
* 1) TLS_SERVER variant validators, where it must be non null and
* the name of the TLS key exchange algorithm being used
* (see JSSE X509TrustManager specification).
* 2) {@code Timestamp} object from a signed JAR file.
* @return a non-empty chain that was used to validate the path. The
* end entity cert is at index 0, the trust anchor at index n-1.
*/
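Review bot: In the new `@param parameter` Javadoc, "This parameter object maybe one of the two below" should read "may be one of the two below", and the numbered items will render as one run-on line because Javadoc ignores plain line breaks; wrapping them in `<ol><li>...</li></ol>` keeps the list readable. The paragraph in the method description that previously described these variants was removed in the first hunk, so this tag is now the only place the contract for `parameter` is stated and should be complete on its own.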
......