From 61f0aca612529d6d54b913281800548f7721acd3 Mon Sep 17 00:00:00 2001
From: robm
Date: Wed, 12 Oct 2016 13:29:35 +0100
Subject: [PATCH] 8154015: Apply algorithm constraints to timestamped code
Reviewed-by: ascarpino
---
 .../provider/certpath/AlgorithmChecker.java | 35 +++++++++++++++++--
 .../sun/security/provider/certpath/PKIX.java | 12 ++++++-
 .../certpath/PKIXCertPathValidator.java | 14 ++++++--
 .../util/CertConstraintParameters.java | 12 +++++--
 .../util/DisabledAlgorithmConstraints.java | 4 ++-
 .../sun/security/validator/PKIXValidator.java | 23 ++++++++----
 .../sun/security/validator/Validator.java | 23 +++++-------
 7 files changed, 93 insertions(+), 30 deletions(-)
diff --git a/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java b/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java
index cf2ac9929..7c9d1e9b5 100644
--- a/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java
+++ b/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java
@@ -27,6 +27,7 @@ package sun.security.provider.certpath;
 import java.security.AlgorithmConstraints;
 import java.security.CryptoPrimitive;
+import java.security.Timestamp;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
@@ -77,6 +78,7 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
 private final PublicKey trustedPubKey;
 private final Date pkixdate;
 private PublicKey prevPubKey;
+ private final Timestamp jarTimestamp;
 private final static Set SIGNATURE_PRIMITIVE_SET =
 Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
@@ -142,6 +144,29 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
 this.trustedPubKey = null;
 this.constraints = constraints;
 this.pkixdate = null;
+ this.jarTimestamp = null;
+ }
+
+ /**
+ * Create a new {@code AlgorithmChecker} with the given
+ * {@code Timestamp}. *

+ * Note that this constructor will be used to check a certification
+ * path for signed JAR files that are timestamped.
+ *
+ * @param jarTimestamp Timestamp passed for JAR timestamp constraint
+ * checking. Set to null if not applicable.
+ */
+ public AlgorithmChecker(Timestamp jarTimestamp) {
+ this.prevPubKey = null;
+ this.trustedPubKey = null;
+ this.constraints = certPathDefaultConstraints;
+ if (jarTimestamp == null) {
+ throw new IllegalArgumentException(
+ "Timestamp cannot be null");
+ }
+ this.pkixdate = jarTimestamp.getTimestamp();
+ this.jarTimestamp = jarTimestamp;
 }
 /**
@@ -179,6 +204,7 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
 this.prevPubKey = trustedPubKey;
 this.constraints = constraints;
 this.pkixdate = pkixdate;
+ this.jarTimestamp = null;
 }
 /**
@@ -209,6 +235,10 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
 return AnchorCertificates.contains(cert);
 }
+ Timestamp getJarTimestamp() {
+ return jarTimestamp;
+ }
+
 @Override
 public void init(boolean forward) throws CertPathValidatorException {
 // Note that this class does not support forward mode.
@@ -296,8 +326,7 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
 // permits() will throw exception on failure.
 certPathDefaultConstraints.permits(primitives,
 new CertConstraintParameters((X509Certificate)cert,
- trustedMatch, pkixdate));
- // new CertConstraintParameters(x509Cert, trustedMatch));
+ trustedMatch, pkixdate, jarTimestamp));
 // If there is no previous key, set one and exit
 if (prevPubKey == null) {
 prevPubKey = currPubKey;
@@ -442,7 +471,7 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
 * Check the signature algorithm with the specified public key.
 *
 * @param key the public key to verify the CRL signature
- * @param crl the target CRL
+ * @param algorithmId signature algorithm Algorithm ID
 */
 static void check(PublicKey key, AlgorithmId algorithmId)
 throws CertPathValidatorException {
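Review bot: The `@param jarTimestamp` Javadoc on the new constructor says "Set to null if not applicable", but the body two lines later throws IllegalArgumentException when it is null, so the doc and the code disagree; since PKIXCertPathValidator in this patch only calls this constructor when `params.timestamp()` is non-null, the check looks intended and the doc should read `@param jarTimestamp Timestamp passed for JAR timestamp constraint checking; must not be null`. The null check also runs after three field assignments; making it the first statement (`Objects.requireNonNull(jarTimestamp, "Timestamp cannot be null");` is the usual form, though it changes the exception type callers see) avoids doing work that is then abandoned. It would also help to state in the Javadoc that this constructor always uses `certPathDefaultConstraints` and leaves `trustedPubKey` null, since both differ from the anchor-based constructor in the next hunk.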
diff --git a/src/share/classes/sun/security/provider/certpath/PKIX.java b/src/share/classes/sun/security/provider/certpath/PKIX.java
index e33d4a21a..f6b0b2ed6 100644
--- a/src/share/classes/sun/security/provider/certpath/PKIX.java
+++ b/src/share/classes/sun/security/provider/certpath/PKIX.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,7 @@ package sun.security.provider.certpath;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.PublicKey;
+import java.security.Timestamp;
 import java.security.cert.*;
 import java.security.interfaces.DSAPublicKey;
 import java.util.*;
@@ -85,6 +86,7 @@ class PKIX {
 private CertSelector constraints;
 private Set anchors;
 private List certs;
+ private Timestamp timestamp;
 ValidatorParams(CertPath cp, PKIXParameters params)
 throws InvalidAlgorithmParameterException
@@ -100,6 +102,10 @@ class PKIX {
 ValidatorParams(PKIXParameters params)
 throws InvalidAlgorithmParameterException
 {
+ if (params instanceof PKIXTimestampParameters) {
+ timestamp = ((PKIXTimestampParameters) params).getTimestamp();
+ }
+
 this.anchors = params.getTrustAnchors();
 // Make sure that none of the trust anchors include name constraints
 // (not supported).
@@ -189,6 +195,10 @@ class PKIX {
 PKIXParameters getPKIXParameters() {
 return params;
 }
+
+ Timestamp timestamp() {
+ return timestamp;
+ }
 }
 static class BuilderParams extends ValidatorParams {
diff --git a/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java b/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
index 934fc10b5..79259eea6 100644
--- a/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
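Review bot: `timestamp` is assigned only in the `ValidatorParams(PKIXParameters)` constructor and is the one non-`final` field among the ones shown; if the `ValidatorParams(CertPath, PKIXParameters)` constructor in the previous hunk does not delegate to this one (its body is outside the hunk), `timestamp()` silently returns null for that path and PKIXCertPathValidator quietly falls back to date-based checking. A comment on the field, `// Timestamp carried by PKIXTimestampParameters; null when the caller passed plain PKIXParameters`, would record the null contract that `timestamp()` and its callers rely on. PKIXTimestampParameters is not among the seven files in this patch's diffstat, so presumably it is introduced separately.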
+++ b/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -172,7 +172,11 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi {
 List certPathCheckers = new ArrayList<>();
 // add standard checkers that we will be using
 certPathCheckers.add(untrustedChecker);
+ if (params.timestamp() == null) {
 certPathCheckers.add(new AlgorithmChecker(anchor, params.date()));
+ } else {
+ certPathCheckers.add(new AlgorithmChecker(params.timestamp()));
+ }
 certPathCheckers.add(new KeyChecker(certPathLen,
 params.targetCertConstraints()));
 certPathCheckers.add(new ConstraintsChecker(certPathLen));
@@ -189,8 +193,14 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi {
 rootNode);
 certPathCheckers.add(pc);
 // default value for date is current time
- BasicChecker bc = new BasicChecker(anchor, params.date(),
+ BasicChecker bc;
+ if (params.timestamp() == null) {
+ bc = new BasicChecker(anchor, params.date(), params.sigProvider(),
+ false);
+ } else {
+ bc = new BasicChecker(anchor, params.timestamp().getTimestamp(),
 params.sigProvider(), false);
+ }
 certPathCheckers.add(bc);
 boolean revCheckerAdded = false;
diff --git a/src/share/classes/sun/security/util/CertConstraintParameters.java b/src/share/classes/sun/security/util/CertConstraintParameters.java
index 00a94c539..a9ba871fe 100644
--- a/src/share/classes/sun/security/util/CertConstraintParameters.java
+++ b/src/share/classes/sun/security/util/CertConstraintParameters.java
@@ -25,6 +25,7 @@ package sun.security.util;
+import java.security.Timestamp;
 import java.security.cert.X509Certificate;
 import java.util.Date;
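Review bot: In the timestamp branch the AlgorithmChecker is built from `params.timestamp()` alone and the trust anchor is dropped; the Timestamp constructor in AlgorithmChecker sets `prevPubKey = null` whereas the anchor-based one sets `prevPubKey = trustedPubKey`, and AlgorithmChecker.check() (same patch) returns early with "no previous key, set one and exit" when `prevPubKey` is null, so whatever check() does with the previous key is skipped for the first certificate of a timestamped path (the `permits()` call on the certificate itself still runs). If that difference is not intended, a constructor taking both the anchor and the timestamp would keep the two branches equivalent; if it is, a comment on the `else` branch should say why the anchor key is not needed there. Separately, the context line `certPathCheckers.add(new AlgorithmChecker(anchor, params.date()));` now sits inside the new `if` but keeps its old indentation, and the same happens to `params.sigProvider(), false);` inside the `else` of the BasicChecker hunk below; both should be re-indented one level.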
@@ -40,16 +41,19 @@ public class CertConstraintParameters {
 private final boolean trustedMatch;
 // PKIXParameter date
 private final Date pkixDate;
+ // Timestamp of the signed JAR file
+ private final Timestamp jarTimestamp;
 public CertConstraintParameters(X509Certificate c, boolean match,
- Date pkixdate) {
+ Date pkixdate, Timestamp jarTime) {
 cert = c;
 trustedMatch = match;
 pkixDate = pkixdate;
+ jarTimestamp = jarTime;
 }
 public CertConstraintParameters(X509Certificate c) {
- this(c, false, null);
+ this(c, false, null, null);
 }
 // Returns if the trust anchor has a match if anchor checking is enabled.
@@ -65,4 +69,8 @@ public class CertConstraintParameters {
 return pkixDate;
 }
+ public Timestamp getJARTimestamp() {
+ return jarTimestamp;
+}
+
 }
diff --git a/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java b/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
index c5825f009..9fa06dc9c 100644
--- a/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
+++ b/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
@@ -606,7 +606,9 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
 throws CertPathValidatorException {
 Date currentDate;
- if (cp.getPKIXParamDate() != null) {
+ if (cp.getJARTimestamp() != null) {
+ currentDate = cp.getJARTimestamp().getTimestamp();
+ } else if (cp.getPKIXParamDate() != null) {
 currentDate = cp.getPKIXParamDate();
 } else {
 currentDate = new Date();
diff --git a/src/share/classes/sun/security/validator/PKIXValidator.java b/src/share/classes/sun/security/validator/PKIXValidator.java
index 51761e1bd..7b8261194 100644
--- a/src/share/classes/sun/security/validator/PKIXValidator.java
+++ b/src/share/classes/sun/security/validator/PKIXValidator.java
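Review bot: The new accessor is named `getJARTimestamp()` while the AlgorithmChecker hunk in this same patch adds `getJarTimestamp()` for the same concept; Java convention treats acronyms as words, so `getJarTimestamp` is the consistent choice (DisabledAlgorithmConstraints is the only caller in this patch and would need the matching rename). The method's closing brace is at column 0 rather than at the method's indent. A `// Returns the signed JAR's timestamp, or null when not validating timestamped code` line above it would match the `// Returns …` comment style used earlier in the class.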
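Review bot: The new branch makes the JAR timestamp take precedence over the PKIXParameters date without saying why; a comment such as `// Timestamped code is checked as of its signing time, so the JAR timestamp overrides the PKIX validation date` would record the intent for the next reader. `cp.getJARTimestamp()` is also evaluated twice; binding it to a local before the `if` avoids the repeated call. The enclosing method begins before this hunk.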
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -33,6 +33,7 @@ import java.security.cert.*;
 import javax.security.auth.x500.X500Principal;
 import sun.security.action.GetBooleanAction;
 import sun.security.provider.certpath.AlgorithmChecker;
+import sun.security.provider.certpath.PKIXTimestampParameters;
 /**
 * Validator implementation built on the PKIX CertPath API. This
@@ -208,13 +209,23 @@ public final class PKIXValidator extends Validator {
 ("null or zero-length certificate chain");
 }
+ // Check if 'parameter' affects 'pkixParameters'
+ PKIXBuilderParameters pkixParameters = null;
+ if (parameter instanceof Timestamp && plugin) {
+ try {
+ pkixParameters = new PKIXTimestampParameters(
+ (PKIXBuilderParameters) parameterTemplate.clone(),
+ (Timestamp) parameter);
+ } catch (InvalidAlgorithmParameterException e) {
+ // ignore exception
+ }
+ } else {
+ pkixParameters = (PKIXBuilderParameters) parameterTemplate.clone();
+ }
+
 // add new algorithm constraints checker
- PKIXBuilderParameters pkixParameters =
- (PKIXBuilderParameters) parameterTemplate.clone();
- AlgorithmChecker algorithmChecker = null;
 if (constraints != null) {
- algorithmChecker = new AlgorithmChecker(constraints);
- pkixParameters.addCertPathChecker(algorithmChecker);
+ pkixParameters.addCertPathChecker(new AlgorithmChecker(constraints));
 }
 if (TRY_VALIDATOR) {
diff --git a/src/share/classes/sun/security/validator/Validator.java b/src/share/classes/sun/security/validator/Validator.java
index 863566c73..069782b54 100644
--- a/src/share/classes/sun/security/validator/Validator.java
+++ b/src/share/classes/sun/security/validator/Validator.java
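Review bot: If `new PKIXTimestampParameters(...)` throws InvalidAlgorithmParameterException, the catch block leaves `pkixParameters` null and execution continues to `pkixParameters.addCertPathChecker(...)` (when `constraints` is non-null) or hands null to the code after the hunk, so the caller gets a NullPointerException instead of a validation error and `// ignore exception` hides the cause. The safer fix is to propagate it, wrapped in the exception type the enclosing method declares (the method begins before this hunk); silently falling back to `(PKIXBuilderParameters) parameterTemplate.clone()` would instead validate a timestamped JAR against the current date, which is exactly what this change is meant to avoid, so if a fallback is chosen it should be stated in a comment rather than left as an empty catch. The `(PKIXBuilderParameters) parameterTemplate.clone()` cast now appears twice and could be hoisted into a local before the `if`. `plugin` is not defined in this hunk, so I assume it is an existing field.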
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -219,14 +219,7 @@ public abstract class Validator {
 * Validate the given certificate chain. If otherCerts is non-null, it is
 * a Collection of additional X509Certificates that could be helpful for
 * path building.
- *

- * Parameter is an additional parameter with variant specific meaning.
- * Currently, it is only defined for TLS_SERVER variant validators, where
- * it must be non null and the name of the TLS key exchange algorithm being
- * used (see JSSE X509TrustManager specification). In the future, it
- * could be used to pass in a PKCS#7 object for code signing to check time
- * stamps.
- *

+ *
 * @return a non-empty chain that was used to validate the path. The
 * end entity cert is at index 0, the trust anchor at index n-1.
 */
@@ -244,12 +237,12 @@ public abstract class Validator {
 * could be helpful for path building (or null)
 * @param constraints algorithm constraints for certification path
 * processing
- * @param parameter an additional parameter with variant specific meaning.
- * Currently, it is only defined for TLS_SERVER variant validators,
- * where it must be non null and the name of the TLS key exchange
- * algorithm being used (see JSSE X509TrustManager specification).
- * In the future, it could be used to pass in a PKCS#7 object for
- * code signing to check time stamps.
+ * @param parameter an additional parameter object to pass specific data.
+ * This parameter object maybe one of the two below:
+ * 1) TLS_SERVER variant validators, where it must be non null and
+ * the name of the TLS key exchange algorithm being used
+ * (see JSSE X509TrustManager specification).
+ * 2) {@code Timestamp} object from a signed JAR file.
 * @return a non-empty chain that was used to validate the path. The
 * end entity cert is at index 0, the trust anchor at index n-1.
 */
--
GitLab
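Review bot: In the rewritten `@param parameter` Javadoc, `maybe` should be `may be` (`This parameter object may be one of the two below:`), and the two cases would render better as a `<ul>`/`<li>` list than as "1)"/"2)" in running text. The previous hunk removed the paragraph describing `parameter` from the Javadoc of the preceding overload and left a bare ` *` line; if that overload still accepts `parameter` (its signature is outside the hunk), a short pointer to this description would keep it documented.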