Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
openanolis
dragonwell8_jdk
提交
61f0aca6
D
dragonwell8_jdk
项目概览
openanolis
/
dragonwell8_jdk
通知
4
Star
2
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
D
dragonwell8_jdk
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
61f0aca6
编写于
10月 12, 2016
作者:
R
robm
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
8154015: Apply algorithm constraints to timestamped code
Reviewed-by: ascarpino
上级
4070e594
变更
7
隐藏空白更改
内联
并排
Showing
7 changed file
with
93 addition
and
30 deletion
+93
-30
src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java
...sses/sun/security/provider/certpath/AlgorithmChecker.java
+32
-3
src/share/classes/sun/security/provider/certpath/PKIX.java
src/share/classes/sun/security/provider/certpath/PKIX.java
+11
-1
src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
...sun/security/provider/certpath/PKIXCertPathValidator.java
+12
-2
src/share/classes/sun/security/util/CertConstraintParameters.java
...e/classes/sun/security/util/CertConstraintParameters.java
+10
-2
src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
...asses/sun/security/util/DisabledAlgorithmConstraints.java
+3
-1
src/share/classes/sun/security/validator/PKIXValidator.java
src/share/classes/sun/security/validator/PKIXValidator.java
+17
-6
src/share/classes/sun/security/validator/Validator.java
src/share/classes/sun/security/validator/Validator.java
+8
-15
未找到文件。
src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java
浏览文件 @
61f0aca6
...
...
@@ -27,6 +27,7 @@ package sun.security.provider.certpath;
import
java.security.AlgorithmConstraints
;
import
java.security.CryptoPrimitive
;
import
java.security.Timestamp
;
import
java.util.Collection
;
import
java.util.Collections
;
import
java.util.Date
;
...
...
@@ -77,6 +78,7 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
private
final
PublicKey
trustedPubKey
;
private
final
Date
pkixdate
;
private
PublicKey
prevPubKey
;
private
final
Timestamp
jarTimestamp
;
private
final
static
Set
<
CryptoPrimitive
>
SIGNATURE_PRIMITIVE_SET
=
Collections
.
unmodifiableSet
(
EnumSet
.
of
(
CryptoPrimitive
.
SIGNATURE
));
...
...
@@ -142,6 +144,29 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
this
.
trustedPubKey
=
null
;
this
.
constraints
=
constraints
;
this
.
pkixdate
=
null
;
this
.
jarTimestamp
=
null
;
}
/**
* Create a new {@code AlgorithmChecker} with the given
* {@code Timestamp}.
* <p>
* Note that this constructor will be used to check a certification
* path for signed JAR files that are timestamped.
*
* @param jarTimestamp Timestamp passed for JAR timestamp constraint
* checking. Set to null if not applicable.
*/
public
AlgorithmChecker
(
Timestamp
jarTimestamp
)
{
this
.
prevPubKey
=
null
;
this
.
trustedPubKey
=
null
;
this
.
constraints
=
certPathDefaultConstraints
;
if
(
jarTimestamp
==
null
)
{
throw
new
IllegalArgumentException
(
"Timestamp cannot be null"
);
}
this
.
pkixdate
=
jarTimestamp
.
getTimestamp
();
this
.
jarTimestamp
=
jarTimestamp
;
}
/**
...
...
@@ -179,6 +204,7 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
this
.
prevPubKey
=
trustedPubKey
;
this
.
constraints
=
constraints
;
this
.
pkixdate
=
pkixdate
;
this
.
jarTimestamp
=
null
;
}
/**
...
...
@@ -209,6 +235,10 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
return
AnchorCertificates
.
contains
(
cert
);
}
Timestamp
getJarTimestamp
()
{
return
jarTimestamp
;
}
@Override
public
void
init
(
boolean
forward
)
throws
CertPathValidatorException
{
// Note that this class does not support forward mode.
...
...
@@ -296,8 +326,7 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
// permits() will throw exception on failure.
certPathDefaultConstraints
.
permits
(
primitives
,
new
CertConstraintParameters
((
X509Certificate
)
cert
,
trustedMatch
,
pkixdate
));
// new CertConstraintParameters(x509Cert, trustedMatch));
trustedMatch
,
pkixdate
,
jarTimestamp
));
// If there is no previous key, set one and exit
if
(
prevPubKey
==
null
)
{
prevPubKey
=
currPubKey
;
...
...
@@ -442,7 +471,7 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
* Check the signature algorithm with the specified public key.
*
* @param key the public key to verify the CRL signature
* @param
crl the target CRL
* @param
algorithmId signature algorithm Algorithm ID
*/
static
void
check
(
PublicKey
key
,
AlgorithmId
algorithmId
)
throws
CertPathValidatorException
{
...
...
src/share/classes/sun/security/provider/certpath/PKIX.java
浏览文件 @
61f0aca6
/*
* Copyright (c) 2012, 201
5
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2012, 201
6
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -26,6 +26,7 @@ package sun.security.provider.certpath;
import
java.security.InvalidAlgorithmParameterException
;
import
java.security.PublicKey
;
import
java.security.Timestamp
;
import
java.security.cert.*
;
import
java.security.interfaces.DSAPublicKey
;
import
java.util.*
;
...
...
@@ -85,6 +86,7 @@ class PKIX {
private
CertSelector
constraints
;
private
Set
<
TrustAnchor
>
anchors
;
private
List
<
X509Certificate
>
certs
;
private
Timestamp
timestamp
;
ValidatorParams
(
CertPath
cp
,
PKIXParameters
params
)
throws
InvalidAlgorithmParameterException
...
...
@@ -100,6 +102,10 @@ class PKIX {
ValidatorParams
(
PKIXParameters
params
)
throws
InvalidAlgorithmParameterException
{
if
(
params
instanceof
PKIXTimestampParameters
)
{
timestamp
=
((
PKIXTimestampParameters
)
params
).
getTimestamp
();
}
this
.
anchors
=
params
.
getTrustAnchors
();
// Make sure that none of the trust anchors include name constraints
// (not supported).
...
...
@@ -189,6 +195,10 @@ class PKIX {
PKIXParameters
getPKIXParameters
()
{
return
params
;
}
Timestamp
timestamp
()
{
return
timestamp
;
}
}
static
class
BuilderParams
extends
ValidatorParams
{
...
...
src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
浏览文件 @
61f0aca6
/*
* Copyright (c) 2000, 201
5
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 201
6
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -172,7 +172,11 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi {
List
<
PKIXCertPathChecker
>
certPathCheckers
=
new
ArrayList
<>();
// add standard checkers that we will be using
certPathCheckers
.
add
(
untrustedChecker
);
if
(
params
.
timestamp
()
==
null
)
{
certPathCheckers
.
add
(
new
AlgorithmChecker
(
anchor
,
params
.
date
()));
}
else
{
certPathCheckers
.
add
(
new
AlgorithmChecker
(
params
.
timestamp
()));
}
certPathCheckers
.
add
(
new
KeyChecker
(
certPathLen
,
params
.
targetCertConstraints
()));
certPathCheckers
.
add
(
new
ConstraintsChecker
(
certPathLen
));
...
...
@@ -189,8 +193,14 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi {
rootNode
);
certPathCheckers
.
add
(
pc
);
// default value for date is current time
BasicChecker
bc
=
new
BasicChecker
(
anchor
,
params
.
date
(),
BasicChecker
bc
;
if
(
params
.
timestamp
()
==
null
)
{
bc
=
new
BasicChecker
(
anchor
,
params
.
date
(),
params
.
sigProvider
(),
false
);
}
else
{
bc
=
new
BasicChecker
(
anchor
,
params
.
timestamp
().
getTimestamp
(),
params
.
sigProvider
(),
false
);
}
certPathCheckers
.
add
(
bc
);
boolean
revCheckerAdded
=
false
;
...
...
src/share/classes/sun/security/util/CertConstraintParameters.java
浏览文件 @
61f0aca6
...
...
@@ -25,6 +25,7 @@
package
sun.security.util
;
import
java.security.Timestamp
;
import
java.security.cert.X509Certificate
;
import
java.util.Date
;
...
...
@@ -40,16 +41,19 @@ public class CertConstraintParameters {
private
final
boolean
trustedMatch
;
// PKIXParameter date
private
final
Date
pkixDate
;
// Timestamp of the signed JAR file
private
final
Timestamp
jarTimestamp
;
public
CertConstraintParameters
(
X509Certificate
c
,
boolean
match
,
Date
pkixdate
)
{
Date
pkixdate
,
Timestamp
jarTime
)
{
cert
=
c
;
trustedMatch
=
match
;
pkixDate
=
pkixdate
;
jarTimestamp
=
jarTime
;
}
public
CertConstraintParameters
(
X509Certificate
c
)
{
this
(
c
,
false
,
null
);
this
(
c
,
false
,
null
,
null
);
}
// Returns if the trust anchor has a match if anchor checking is enabled.
...
...
@@ -65,4 +69,8 @@ public class CertConstraintParameters {
return
pkixDate
;
}
public
Timestamp
getJARTimestamp
()
{
return
jarTimestamp
;
}
}
src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
浏览文件 @
61f0aca6
...
...
@@ -606,7 +606,9 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
throws
CertPathValidatorException
{
Date
currentDate
;
if
(
cp
.
getPKIXParamDate
()
!=
null
)
{
if
(
cp
.
getJARTimestamp
()
!=
null
)
{
currentDate
=
cp
.
getJARTimestamp
().
getTimestamp
();
}
else
if
(
cp
.
getPKIXParamDate
()
!=
null
)
{
currentDate
=
cp
.
getPKIXParamDate
();
}
else
{
currentDate
=
new
Date
();
...
...
src/share/classes/sun/security/validator/PKIXValidator.java
浏览文件 @
61f0aca6
/*
* Copyright (c) 2002, 201
1
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 201
6
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -33,6 +33,7 @@ import java.security.cert.*;
import
javax.security.auth.x500.X500Principal
;
import
sun.security.action.GetBooleanAction
;
import
sun.security.provider.certpath.AlgorithmChecker
;
import
sun.security.provider.certpath.PKIXTimestampParameters
;
/**
* Validator implementation built on the PKIX CertPath API. This
...
...
@@ -208,13 +209,23 @@ public final class PKIXValidator extends Validator {
(
"null or zero-length certificate chain"
);
}
// Check if 'parameter' affects 'pkixParameters'
PKIXBuilderParameters
pkixParameters
=
null
;
if
(
parameter
instanceof
Timestamp
&&
plugin
)
{
try
{
pkixParameters
=
new
PKIXTimestampParameters
(
(
PKIXBuilderParameters
)
parameterTemplate
.
clone
(),
(
Timestamp
)
parameter
);
}
catch
(
InvalidAlgorithmParameterException
e
)
{
// ignore exception
}
}
else
{
pkixParameters
=
(
PKIXBuilderParameters
)
parameterTemplate
.
clone
();
}
// add new algorithm constraints checker
PKIXBuilderParameters
pkixParameters
=
(
PKIXBuilderParameters
)
parameterTemplate
.
clone
();
AlgorithmChecker
algorithmChecker
=
null
;
if
(
constraints
!=
null
)
{
algorithmChecker
=
new
AlgorithmChecker
(
constraints
);
pkixParameters
.
addCertPathChecker
(
algorithmChecker
);
pkixParameters
.
addCertPathChecker
(
new
AlgorithmChecker
(
constraints
));
}
if
(
TRY_VALIDATOR
)
{
...
...
src/share/classes/sun/security/validator/Validator.java
浏览文件 @
61f0aca6
/*
* Copyright (c) 2002, 201
0
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 201
6
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -219,14 +219,7 @@ public abstract class Validator {
* Validate the given certificate chain. If otherCerts is non-null, it is
* a Collection of additional X509Certificates that could be helpful for
* path building.
* <p>
* Parameter is an additional parameter with variant specific meaning.
* Currently, it is only defined for TLS_SERVER variant validators, where
* it must be non null and the name of the TLS key exchange algorithm being
* used (see JSSE X509TrustManager specification). In the future, it
* could be used to pass in a PKCS#7 object for code signing to check time
* stamps.
* <p>
*
* @return a non-empty chain that was used to validate the path. The
* end entity cert is at index 0, the trust anchor at index n-1.
*/
...
...
@@ -244,12 +237,12 @@ public abstract class Validator {
* could be helpful for path building (or null)
* @param constraints algorithm constraints for certification path
* processing
* @param parameter an additional parameter
with variant specific meaning
.
*
Currently, it is only defined for TLS_SERVER variant validators,
*
where it must be non null and the name of the TLS key exchange
*
algorithm being used (see JSSE X509TrustManager specification).
*
In the future, it could be used to pass in a PKCS#7 object for
*
code signing to check time stamps
.
* @param parameter an additional parameter
object to pass specific data
.
*
This parameter object maybe one of the two below:
*
1) TLS_SERVER variant validators, where it must be non null and
*
the name of the TLS key exchange algorithm being used
*
(see JSSE X509TrustManager specification).
*
2) {@code Timestamp} object from a signed JAR file
.
* @return a non-empty chain that was used to validate the path. The
* end entity cert is at index 0, the trust anchor at index n-1.
*/
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录