提交
667891fe
编写于
2月 16, 2018
作者:
I
igerasim
8076117: EndEntityChecker should not process custom extensions after PKIX validation
Reviewed-by: xuelei, mullan
上级
2cb4d769
变更
3
Showing
3 changed file
with
258 addition
and
35 deletion
+258
-35
src/share/classes/sun/security/validator/EndEntityChecker.java
...hare/classes/sun/security/validator/EndEntityChecker.java
+24
-33
src/share/classes/sun/security/validator/Validator.java
src/share/classes/sun/security/validator/Validator.java
+13
-2
test/sun/security/validator/EndEntityExtensionCheck.java
test/sun/security/validator/EndEntityExtensionCheck.java
+221
-0
src/share/classes/sun/security/validator/EndEntityChecker.java
/*
* Copyright (c) 2002, 20
08
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 20
15
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -132,26 +132,33 @@ class EndEntityChecker {
return
new
EndEntityChecker
(
type
,
variant
);
}
void
check
(
X509Certificate
cert
,
Object
parameter
)
throws
CertificateException
{
void
check
(
X509Certificate
cert
,
Object
parameter
,
boolean
checkUnresolvedCritExts
)
throws
CertificateException
{
if
(
variant
.
equals
(
Validator
.
VAR_GENERIC
))
{
// no checks
return
;
}
else
if
(
variant
.
equals
(
Validator
.
VAR_TLS_SERVER
))
{
checkTLSServer
(
cert
,
(
String
)
parameter
);
return
;
// no checks
}
Set
<
String
>
exts
=
getCriticalExtensions
(
cert
);
if
(
variant
.
equals
(
Validator
.
VAR_TLS_SERVER
))
{
checkTLSServer
(
cert
,
(
String
)
parameter
,
exts
);
}
else
if
(
variant
.
equals
(
Validator
.
VAR_TLS_CLIENT
))
{
checkTLSClient
(
cert
);
checkTLSClient
(
cert
,
exts
);
}
else
if
(
variant
.
equals
(
Validator
.
VAR_CODE_SIGNING
))
{
checkCodeSigning
(
cert
);
checkCodeSigning
(
cert
,
exts
);
}
else
if
(
variant
.
equals
(
Validator
.
VAR_JCE_SIGNING
))
{
checkCodeSigning
(
cert
);
checkCodeSigning
(
cert
,
exts
);
}
else
if
(
variant
.
equals
(
Validator
.
VAR_PLUGIN_CODE_SIGNING
))
{
checkCodeSigning
(
cert
);
checkCodeSigning
(
cert
,
exts
);
}
else
if
(
variant
.
equals
(
Validator
.
VAR_TSA_SERVER
))
{
checkTSAServer
(
cert
);
checkTSAServer
(
cert
,
exts
);
}
else
{
throw
new
CertificateException
(
"Unknown variant: "
+
variant
);
}
// if neither VAR_GENERIC variant nor unknown variant
if
(
checkUnresolvedCritExts
)
{
checkRemainingExtensions
(
exts
);
}
}
/**
...
...
@@ -219,10 +226,8 @@ class EndEntityChecker {
* authentication.
* @throws CertificateException if not.
*/
private
void
checkTLSClient
(
X509Certificate
cert
)
private
void
checkTLSClient
(
X509Certificate
cert
,
Set
<
String
>
exts
)
throws
CertificateException
{
Set
<
String
>
exts
=
getCriticalExtensions
(
cert
);
if
(
checkKeyUsage
(
cert
,
KU_SIGNATURE
)
==
false
)
{
throw
new
ValidatorException
(
"KeyUsage does not allow digital signatures"
,
...
...
@@ -245,8 +250,6 @@ class EndEntityChecker {
exts
.
remove
(
SimpleValidator
.
OID_KEY_USAGE
);
exts
.
remove
(
SimpleValidator
.
OID_EXTENDED_KEY_USAGE
);
exts
.
remove
(
SimpleValidator
.
OID_NETSCAPE_CERT_TYPE
);
checkRemainingExtensions
(
exts
);
}
/**
...
...
@@ -255,10 +258,8 @@ class EndEntityChecker {
* specification for details.
* @throws CertificateException if not.
*/
private
void
checkTLSServer
(
X509Certificate
cert
,
String
parameter
)
throws
CertificateException
{
Set
<
String
>
exts
=
getCriticalExtensions
(
cert
);
private
void
checkTLSServer
(
X509Certificate
cert
,
String
parameter
,
Set
<
String
>
exts
)
throws
CertificateException
{
if
(
KU_SERVER_ENCRYPTION
.
contains
(
parameter
))
{
if
(
checkKeyUsage
(
cert
,
KU_KEY_ENCIPHERMENT
)
==
false
)
{
throw
new
ValidatorException
...
...
@@ -303,18 +304,14 @@ class EndEntityChecker {
exts
.
remove
(
SimpleValidator
.
OID_KEY_USAGE
);
exts
.
remove
(
SimpleValidator
.
OID_EXTENDED_KEY_USAGE
);
exts
.
remove
(
SimpleValidator
.
OID_NETSCAPE_CERT_TYPE
);
checkRemainingExtensions
(
exts
);
}
/**
* Check whether this certificate can be used for code signing.
* @throws CertificateException if not.
*/
private
void
checkCodeSigning
(
X509Certificate
cert
)
private
void
checkCodeSigning
(
X509Certificate
cert
,
Set
<
String
>
exts
)
throws
CertificateException
{
Set
<
String
>
exts
=
getCriticalExtensions
(
cert
);
if
(
checkKeyUsage
(
cert
,
KU_SIGNATURE
)
==
false
)
{
throw
new
ValidatorException
(
"KeyUsage does not allow digital signatures"
,
...
...
@@ -341,8 +338,6 @@ class EndEntityChecker {
// remove extensions we checked
exts
.
remove
(
SimpleValidator
.
OID_KEY_USAGE
);
exts
.
remove
(
SimpleValidator
.
OID_EXTENDED_KEY_USAGE
);
checkRemainingExtensions
(
exts
);
}
/**
...
...
@@ -350,10 +345,8 @@ class EndEntityChecker {
* server (see RFC 3161, section 2.3).
* @throws CertificateException if not.
*/
private
void
checkTSAServer
(
X509Certificate
cert
)
private
void
checkTSAServer
(
X509Certificate
cert
,
Set
<
String
>
exts
)
throws
CertificateException
{
Set
<
String
>
exts
=
getCriticalExtensions
(
cert
);
if
(
checkKeyUsage
(
cert
,
KU_SIGNATURE
)
==
false
)
{
throw
new
ValidatorException
(
"KeyUsage does not allow digital signatures"
,
...
...
@@ -376,7 +369,5 @@ class EndEntityChecker {
// remove extensions we checked
exts
.
remove
(
SimpleValidator
.
OID_KEY_USAGE
);
exts
.
remove
(
SimpleValidator
.
OID_EXTENDED_KEY_USAGE
);
checkRemainingExtensions
(
exts
);
}
}
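Review bot: The new `checkUnresolvedCritExts` parameter of `check` (hunk `@@ -132,26 +132,33 @@`) has no Javadoc, yet it is the switch that disables the fallback rejection of critical extensions no variant check recognised, so its contract needs to be stated on the method. A doc comment such as `@param checkUnresolvedCritExts if true, reject the certificate when critical extensions remain after the variant-specific checks; pass false only when the caller's own path validation (PKIX) has already resolved every critical extension` makes the caller's obligation explicit, because passing false from a validator that did no such resolution would silently accept an unknown critical extension. The variant helpers `checkTLSClient`, `checkTLSServer`, `checkCodeSigning` and `checkTSAServer` now take the shared `exts` set, no longer call `getCriticalExtensions` themselves, and remove the OIDs they handled from it; their Javadoc should say the set is mutated so a future caller does not reuse it expecting the original contents.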
src/share/classes/sun/security/validator/Validator.java
/*
* Copyright (c) 2002, 201
0
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 201
5
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -143,6 +143,7 @@ public abstract class Validator {
*/
public
final
static
String
VAR_PLUGIN_CODE_SIGNING
=
"plugin code signing"
;
private
final
String
type
;
final
EndEntityChecker
endEntityChecker
;
final
String
variant
;
...
...
@@ -154,6 +155,7 @@ public abstract class Validator {
volatile
Date
validationDate
;
Validator
(
String
type
,
String
variant
)
{
this
.
type
=
type
;
this
.
variant
=
variant
;
endEntityChecker
=
EndEntityChecker
.
getInstance
(
type
,
variant
);
}
...
...
@@ -261,7 +263,16 @@ public abstract class Validator {
// omit EE extension check if EE cert is also trust anchor
if
(
chain
.
length
>
1
)
{
endEntityChecker
.
check
(
chain
[
0
],
parameter
);
// EndEntityChecker does not need to check unresolved critical
// extensions when validating with a TYPE_PKIX Validator.
// A TYPE_PKIX Validator will already have run checks on all
// certs' extensions, including checks by any PKIXCertPathCheckers
// included in the PKIXParameters, so the extra checks would be
// redundant.
boolean
checkUnresolvedCritExts
=
(
type
==
TYPE_PKIX
)
?
false
:
true
;
endEntityChecker
.
check
(
chain
[
0
],
parameter
,
checkUnresolvedCritExts
);
}
return
chain
;
...
...
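Review bot: `boolean checkUnresolvedCritExts = (type == TYPE_PKIX) ? false : true;` in hunk `@@ -261,7 +263,16 @@` compares strings by reference and spells a boolean with a ternary; `boolean checkUnresolvedCritExts = !TYPE_PKIX.equals(type);` expresses the same decision without either. The reference comparison happens to fail safe — a `type` value equal to `TYPE_PKIX` but not the same interned instance would keep the extra extension check enabled rather than skip it — but `equals` removes the dependency on interning and presumably matches how the class's other string constants are compared. The enclosing `validate` method starts and ends outside this hunk.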
test/sun/security/validator/EndEntityExtensionCheck.java
0 → 100644
/*
* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
/*
* @test
* @bug 8076117
* @summary EndEntityChecker should not process custom extensions
* after PKIX validation
*/
import
java.io.ByteArrayInputStream
;
import
java.io.File
;
import
java.io.FileInputStream
;
import
java.security.KeyStore
;
import
java.security.cert.CertPathValidatorException
;
import
java.security.cert.Certificate
;
import
java.security.cert.CertificateException
;
import
java.security.cert.CertificateFactory
;
import
java.security.cert.PKIXBuilderParameters
;
import
java.security.cert.PKIXCertPathChecker
;
import
java.security.cert.TrustAnchor
;
import
java.security.cert.X509Certificate
;
import
java.util.Collection
;
import
java.util.Date
;
import
java.util.HashSet
;
import
java.util.Set
;
import
sun.security.validator.KeyStores
;
import
sun.security.validator.Validator
;
public
class
EndEntityExtensionCheck
{
/*
* Owner: CN=TestCA
* Issuer: CN=TestCA
*/
private
static
final
String
CA
=
"-----BEGIN CERTIFICATE-----\n"
+
"MIICgDCCAj2gAwIBAgIEC18hWjALBgcqhkjOOAQDBQAwETEPMA0GA1UEAxMGVGVz\n"
+
"dENBMB4XDTE1MDQwNzIyMzUyMFoXDTI1MDQwNjIyMzUyMFowETEPMA0GA1UEAxMG\n"
+
"VGVzdENBMIIBuDCCASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2\n"
+
"EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdr\n"
+
"mVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXz\n"
+
"rith1yrv8iIDGZ3RSAHHAhUAl2BQjxUjC8yykrmCouuEC/BYHPUCgYEA9+Gghdab\n"
+
"Pd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6Ewo\n"
+
"FhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhR\n"
+
"kImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoDgYUAAoGBAJOWy2hVy4iNwsi/idWG\n"
+
"oksr9IZxQIFR2YavoUmD+rIgfYUpiCihzftDLMMaNYqp9PPxuOyoIPGPbwmKpAs5\n"
+
"nq6gLwH2lSsN+EwyV2SJ0J26PHiMuRNZWWfKR3cpEqbQVb0CmvqSpj8zYfamPzp7\n"
+
"eXSWwahzgLCGJM3SgCfDFC0uoyEwHzAdBgNVHQ4EFgQU7tLD8FnWM+r6jBr+mCXs\n"
+
"8G5yBpgwCwYHKoZIzjgEAwUAAzAAMC0CFQCHCtzC3S0ST0EZBucikVui4WXD8QIU\n"
+
"L3Oxy6989/FhZlZWJlhqc1ungEQ=\n"
+
"-----END CERTIFICATE-----"
;
/*
* Owner: CN=TestEE
* Issuer: CN=TestCA
* Contains a custom critical extension with OID 1.2.3.4:
* #1: ObjectId: 1.2.3.4 Criticality=true
* 0000: 00 00
*/
private
static
final
String
EE
=
"-----BEGIN CERTIFICATE-----\n"
+
"MIICrTCCAmugAwIBAgIELjciKzALBgcqhkjOOAQDBQAwETEPMA0GA1UEAxMGVGVz\n"
+
"dENBMB4XDTE1MDQwNzIzMDA1OFoXDTE1MDcwNjIzMDA1OFowETEPMA0GA1UEAxMG\n"
+
"VGVzdEVFMIIBtzCCASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2\n"
+
"EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdr\n"
+
"mVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXz\n"
+
"rith1yrv8iIDGZ3RSAHHAhUAl2BQjxUjC8yykrmCouuEC/BYHPUCgYEA9+Gghdab\n"
+
"Pd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6Ewo\n"
+
"FhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhR\n"
+
"kImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoDgYQAAoGAN97otrAJEuUg/O97vScI\n"
+
"01xs1jqTz5o0PGpKiDDJNB3tCCUbLqXoBQBvSefQ8vYL3mmlEJLxlwfbajRmJQp0\n"
+
"tUy5SUCZHk3MdoKxSvrqYnVpYwJHFXKWs6lAawxfuWbkm9SREuepOWnVzy2ecf5z\n"
+
"hvy9mgEBfi4E9Cy8Byq2TpyjUDBOMAwGAyoDBAEB/wQCAAAwHwYDVR0jBBgwFoAU\n"
+
"7tLD8FnWM+r6jBr+mCXs8G5yBpgwHQYDVR0OBBYEFNRVqt5F+EAuJ5x1IZLDkoMs\n"
+
"mDj4MAsGByqGSM44BAMFAAMvADAsAhQyNGhxIp5IshN1zqLs4pUY214IMAIUMmTL\n"
+
"3ZMpMAjITbuHHlFNUqZ7A9s=\n"
+
"-----END CERTIFICATE-----"
;
public
static
void
main
(
String
[]
args
)
throws
Exception
{
X509Certificate
[]
chain
=
createChain
();
/* Test 1: Test SimpleValidator
* SimpleValidator doesn't check for unsupported critical
* extensions in the end entity certificate, and leaves that up
* to EndEntityChecker, which should catch such extensions.
*/
KeyStore
ks
=
KeyStore
.
getInstance
(
"JKS"
);
ks
.
load
(
null
,
null
);
ks
.
setCertificateEntry
(
"testca"
,
chain
[
chain
.
length
-
1
]);
Validator
v
=
Validator
.
getInstance
(
Validator
.
TYPE_SIMPLE
,
Validator
.
VAR_TLS_CLIENT
,
KeyStores
.
getTrustedCerts
(
ks
));
try
{
v
.
validate
(
chain
);
throw
new
Exception
(
"Chain should not have validated "
+
"successfully."
);
}
catch
(
CertificateException
ex
)
{
// EE cert has an unsupported critical extension that is not
// checked by SimpleValidator's extension checks, so this
// failure is expected
}
/* Test 2: Test PKIXValidator without custom checker
* PKIXValidator accepts PKIXParameters that can contain
* custom PKIXCertPathCheckers, which would be run against
* each cert in the chain, including EE certs.
* Check that if PKIXValidator is not provided a custom
* PKIXCertPathChecker for an unknown critical extension in
* the EE cert, chain validation will fail.
*/
TrustAnchor
ta
=
new
TrustAnchor
(
chain
[
chain
.
length
-
1
],
null
);
Set
<
TrustAnchor
>
tas
=
new
HashSet
<>();
tas
.
add
(
ta
);
PKIXBuilderParameters
params
=
new
PKIXBuilderParameters
(
tas
,
null
);
params
.
setDate
(
new
Date
(
115
,
5
,
1
));
// 2015-05-01
params
.
setRevocationEnabled
(
false
);
v
=
Validator
.
getInstance
(
Validator
.
TYPE_PKIX
,
Validator
.
VAR_TLS_CLIENT
,
params
);
try
{
v
.
validate
(
chain
);
throw
new
Exception
(
"Chain should not have validated "
+
"successfully."
);
}
catch
(
CertificateException
ex
)
{
// EE cert has an unsupported critical extension and
// PKIXValidator was not provided any custom checker
// for it, so this failure ie expected.
}
/* Test 3: Test PKIXValidator with custom checker
* Check that PKIXValidator will successfully validate a chain
* containing an EE cert with a critical custom extension, given
* a corresponding PKIXCertPathChecker for the extension.
*/
params
=
new
PKIXBuilderParameters
(
tas
,
null
);
params
.
addCertPathChecker
(
new
CustomChecker
());
params
.
setDate
(
new
Date
(
115
,
5
,
1
));
// 2015-05-01
params
.
setRevocationEnabled
(
false
);
v
=
Validator
.
getInstance
(
Validator
.
TYPE_PKIX
,
Validator
.
VAR_TLS_CLIENT
,
params
);
v
.
validate
(
chain
);
// This should validate successfully
System
.
out
.
println
(
"Tests passed."
);
}
public
static
X509Certificate
[]
createChain
()
throws
Exception
{
CertificateFactory
cf
=
CertificateFactory
.
getInstance
(
"X.509"
);
X509Certificate
ee
=
(
X509Certificate
)
cf
.
generateCertificate
((
new
ByteArrayInputStream
(
EE
.
getBytes
())));
X509Certificate
ca
=
(
X509Certificate
)
cf
.
generateCertificate
((
new
ByteArrayInputStream
(
CA
.
getBytes
())));
X509Certificate
[]
chain
=
{
ee
,
ca
};
return
chain
;
}
/*
* A custom PKIXCertPathChecker. Looks for a critical extension
* in an end entity certificate with the OID 1.2.3.4.
*/
static
class
CustomChecker
extends
PKIXCertPathChecker
{
@Override
public
void
init
(
boolean
forward
)
throws
CertPathValidatorException
{
// nothing to do
}
@Override
public
boolean
isForwardCheckingSupported
()
{
return
false
;
}
@Override
public
Set
<
String
>
getSupportedExtensions
()
{
Set
<
String
>
exts
=
new
HashSet
<>();
exts
.
add
(
"1.2.3.4"
);
return
exts
;
}
@Override
public
void
check
(
Certificate
cert
,
Collection
<
String
>
unresolvedCritExts
)
throws
CertPathValidatorException
{
X509Certificate
currCert
=
(
X509Certificate
)
cert
;
// check that this is an EE cert
if
(
currCert
.
getBasicConstraints
()
==
-
1
)
{
if
(
unresolvedCritExts
!=
null
&&
!
unresolvedCritExts
.
isEmpty
())
{
unresolvedCritExts
.
remove
(
"1.2.3.4"
);
}
}
}
}
}
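Review bot: The validation date in tests 2 and 3 is commented as `// 2015-05-01`, but `new Date(115, 5, 1)` takes a zero-based month, so the instant is 2015-06-01 in the default time zone; decoding the EE PEM suggests a validity window of 2015-04-07 to 2015-07-06, so the test still passes, but the comment misleads anyone moving the date. Either correct the comment to `// 2015-06-01` or replace the deprecated constructor with an explicit instant, e.g. `params.setDate(Date.from(LocalDate.of(2015, 6, 1).atStartOfDay(ZoneOffset.UTC).toInstant()));`, which also removes the time-zone dependence. `java.io.File` and `java.io.FileInputStream` are imported but unused, and `EE.getBytes()` / `CA.getBytes()` use the platform charset; `getBytes(StandardCharsets.US_ASCII)` makes the PEM decoding charset-independent.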