8154015: Apply algorithm constraints to timestamped code

Reviewed-by: ascarpino

src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java

@@ -27,6 +27,7 @@ package sun.security.provider.certpath;
 
 import java.security.AlgorithmConstraints;
 import java.security.CryptoPrimitive;
+import java.security.Timestamp;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
@@ -77,6 +78,7 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
     private final PublicKey trustedPubKey;
     private final Date pkixdate;
     private PublicKey prevPubKey;
+    private final Timestamp jarTimestamp;
 
     private final static Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET =
         Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
@@ -142,6 +144,29 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
         this.trustedPubKey = null;
         this.constraints = constraints;
         this.pkixdate = null;
+        this.jarTimestamp = null;
+    }
+
+    /**
+     * Create a new {@code AlgorithmChecker} with the given
+     * {@code Timestamp}.
+     * <p>
+     * Note that this constructor will be used to check a certification
+     * path for signed JAR files that are timestamped.
+     *
+     * @param jarTimestamp Timestamp passed for JAR timestamp constraint
+     *                     checking. Set to null if not applicable.
+     */
+    public AlgorithmChecker(Timestamp jarTimestamp) {
+        this.prevPubKey = null;
+        this.trustedPubKey = null;
+        this.constraints = certPathDefaultConstraints;
+        if (jarTimestamp == null) {
+            throw new IllegalArgumentException(
+                    "Timestamp cannot be null");
+        }
+        this.pkixdate = jarTimestamp.getTimestamp();
+        this.jarTimestamp = jarTimestamp;
     }
 
     /**
@@ -179,6 +204,7 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
         this.prevPubKey = trustedPubKey;
         this.constraints = constraints;
         this.pkixdate = pkixdate;
+        this.jarTimestamp = null;
     }
 
     /**
@@ -209,6 +235,10 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
         return AnchorCertificates.contains(cert);
     }
 
+    Timestamp getJarTimestamp() {
+        return jarTimestamp;
+    }
+
     @Override
     public void init(boolean forward) throws CertPathValidatorException {
         //  Note that this class does not support forward mode.
@@ -296,8 +326,7 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
         // permits() will throw exception on failure.
         certPathDefaultConstraints.permits(primitives,
                 new CertConstraintParameters((X509Certificate)cert,
-                        trustedMatch, pkixdate));
-                // new CertConstraintParameters(x509Cert, trustedMatch));
+                        trustedMatch, pkixdate, jarTimestamp));
         // If there is no previous key, set one and exit
         if (prevPubKey == null) {
             prevPubKey = currPubKey;
@@ -442,7 +471,7 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
      * Check the signature algorithm with the specified public key.
      *
      * @param key the public key to verify the CRL signature
-     * @param crl the target CRL
+     * @param algorithmId signature algorithm Algorithm ID
      */
     static void check(PublicKey key, AlgorithmId algorithmId)
                         throws CertPathValidatorException {

src/share/classes/sun/security/provider/certpath/PKIX.java

 /*
- * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,7 @@ package sun.security.provider.certpath;
 
 import java.security.InvalidAlgorithmParameterException;
 import java.security.PublicKey;
+import java.security.Timestamp;
 import java.security.cert.*;
 import java.security.interfaces.DSAPublicKey;
 import java.util.*;
@@ -85,6 +86,7 @@ class PKIX {
         private CertSelector constraints;
         private Set<TrustAnchor> anchors;
         private List<X509Certificate> certs;
+        private Timestamp timestamp;
 
         ValidatorParams(CertPath cp, PKIXParameters params)
             throws InvalidAlgorithmParameterException
@@ -100,6 +102,10 @@ class PKIX {
         ValidatorParams(PKIXParameters params)
             throws InvalidAlgorithmParameterException
         {
+            if (params instanceof PKIXTimestampParameters) {
+                timestamp = ((PKIXTimestampParameters) params).getTimestamp();
+            }
+
             this.anchors = params.getTrustAnchors();
             // Make sure that none of the trust anchors include name constraints
             // (not supported).
@@ -189,6 +195,10 @@ class PKIX {
         PKIXParameters getPKIXParameters() {
             return params;
         }
+
+        Timestamp timestamp() {
+            return timestamp;
+        }
     }
 
     static class BuilderParams extends ValidatorParams {

src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java

 /*
- * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -172,7 +172,11 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi {
         List<PKIXCertPathChecker> certPathCheckers = new ArrayList<>();
         // add standard checkers that we will be using
         certPathCheckers.add(untrustedChecker);
+        if (params.timestamp() == null) {
         certPathCheckers.add(new AlgorithmChecker(anchor, params.date()));
+        } else {
+            certPathCheckers.add(new AlgorithmChecker(params.timestamp()));
+        }
         certPathCheckers.add(new KeyChecker(certPathLen,
                                             params.targetCertConstraints()));
         certPathCheckers.add(new ConstraintsChecker(certPathLen));
@@ -189,8 +193,14 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi {
                                              rootNode);
         certPathCheckers.add(pc);
         // default value for date is current time
-        BasicChecker bc = new BasicChecker(anchor, params.date(),
+        BasicChecker bc;
+        if (params.timestamp() == null) {
+            bc = new BasicChecker(anchor, params.date(), params.sigProvider(),
+                    false);
+        } else {
+            bc = new BasicChecker(anchor, params.timestamp().getTimestamp(),
                                            params.sigProvider(), false);
+        }
         certPathCheckers.add(bc);
 
         boolean revCheckerAdded = false;

src/share/classes/sun/security/util/CertConstraintParameters.java

@@ -25,6 +25,7 @@
 
 package sun.security.util;
 
+import java.security.Timestamp;
 import java.security.cert.X509Certificate;
 import java.util.Date;
 
@@ -40,16 +41,19 @@ public class CertConstraintParameters {
     private final boolean trustedMatch;
     // PKIXParameter date
     private final Date pkixDate;
+    // Timestamp of the signed JAR file
+    private final Timestamp jarTimestamp;
 
     public CertConstraintParameters(X509Certificate c, boolean match,
-            Date pkixdate) {
+            Date pkixdate, Timestamp jarTime) {
         cert = c;
         trustedMatch = match;
         pkixDate = pkixdate;
+        jarTimestamp = jarTime;
     }
 
     public CertConstraintParameters(X509Certificate c) {
-        this(c, false, null);
+        this(c, false, null, null);
     }
 
     // Returns if the trust anchor has a match if anchor checking is enabled.
@@ -65,4 +69,8 @@ public class CertConstraintParameters {
         return pkixDate;
     }
 
+    public Timestamp getJARTimestamp() {
+        return jarTimestamp;
+}
+
 }

src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java

@@ -606,7 +606,9 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
                  throws CertPathValidatorException {
              Date currentDate;
 
-             if (cp.getPKIXParamDate() != null) {
+             if (cp.getJARTimestamp() != null) {
+                 currentDate = cp.getJARTimestamp().getTimestamp();
+             } else if (cp.getPKIXParamDate() != null) {
                  currentDate = cp.getPKIXParamDate();
              } else {
                  currentDate = new Date();

src/share/classes/sun/security/validator/PKIXValidator.java

 /*
- * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -33,6 +33,7 @@ import java.security.cert.*;
 import javax.security.auth.x500.X500Principal;
 import sun.security.action.GetBooleanAction;
 import sun.security.provider.certpath.AlgorithmChecker;
+import sun.security.provider.certpath.PKIXTimestampParameters;
 
 /**
  * Validator implementation built on the PKIX CertPath API. This
@@ -208,13 +209,23 @@ public final class PKIXValidator extends Validator {
                 ("null or zero-length certificate chain");
         }
 
+        // Check if 'parameter' affects 'pkixParameters'
+        PKIXBuilderParameters pkixParameters = null;
+        if (parameter instanceof Timestamp && plugin) {
+            try {
+                pkixParameters = new PKIXTimestampParameters(
+                        (PKIXBuilderParameters) parameterTemplate.clone(),
+                        (Timestamp) parameter);
+            } catch (InvalidAlgorithmParameterException e) {
+                // ignore exception
+            }
+        } else {
+            pkixParameters = (PKIXBuilderParameters) parameterTemplate.clone();
+        }
+
         // add  new algorithm constraints checker
-        PKIXBuilderParameters pkixParameters =
-                    (PKIXBuilderParameters) parameterTemplate.clone();
-        AlgorithmChecker algorithmChecker = null;
         if (constraints != null) {
-            algorithmChecker = new AlgorithmChecker(constraints);
-            pkixParameters.addCertPathChecker(algorithmChecker);
+            pkixParameters.addCertPathChecker(new AlgorithmChecker(constraints));
         }
 
         if (TRY_VALIDATOR) {

src/share/classes/sun/security/validator/Validator.java

 /*
- * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -219,14 +219,7 @@ public abstract class Validator {
      * Validate the given certificate chain. If otherCerts is non-null, it is
      * a Collection of additional X509Certificates that could be helpful for
      * path building.
-     * <p>
-     * Parameter is an additional parameter with variant specific meaning.
-     * Currently, it is only defined for TLS_SERVER variant validators, where
-     * it must be non null and the name of the TLS key exchange algorithm being
-     * used (see JSSE X509TrustManager specification). In the future, it
-     * could be used to pass in a PKCS#7 object for code signing to check time
-     * stamps.
-     * <p>
+     *
      * @return a non-empty chain that was used to validate the path. The
      * end entity cert is at index 0, the trust anchor at index n-1.
      */
@@ -244,12 +237,12 @@ public abstract class Validator {
      *        could be helpful for path building (or null)
      * @param constraints algorithm constraints for certification path
      *        processing
-     * @param parameter an additional parameter with variant specific meaning.
-     *        Currently, it is only defined for TLS_SERVER variant validators,
-     *        where it must be non null and the name of the TLS key exchange
-     *        algorithm being used (see JSSE X509TrustManager specification).
-     *        In the future, it could be used to pass in a PKCS#7 object for
-     *        code signing to check time stamps.
+     * @param parameter an additional parameter object to pass specific data.
+     *        This parameter object maybe one of the two below:
+     *        1) TLS_SERVER variant validators, where it must be non null and
+     *        the name of the TLS key exchange algorithm being used
+     *        (see JSSE X509TrustManager specification).
+     *        2) {@code Timestamp} object from a signed JAR file.
      * @return a non-empty chain that was used to validate the path. The
      *        end entity cert is at index 0, the trust anchor at index n-1.
      */