提交 7459aba3 编写于 作者: A alvdavi

8230318: Better trust store usage

Reviewed-by: andrew
上级 3c504251
...@@ -32,6 +32,7 @@ import java.security.cert.*; ...@@ -32,6 +32,7 @@ import java.security.cert.*;
import javax.security.auth.x500.X500Principal; import javax.security.auth.x500.X500Principal;
import sun.security.action.GetBooleanAction; import sun.security.action.GetBooleanAction;
import sun.security.action.GetPropertyAction;
import sun.security.provider.certpath.AlgorithmChecker; import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.provider.certpath.PKIXExtendedParameters; import sun.security.provider.certpath.PKIXExtendedParameters;
...@@ -64,6 +65,18 @@ public final class PKIXValidator extends Validator { ...@@ -64,6 +65,18 @@ public final class PKIXValidator extends Validator {
// enable use of the validator if possible // enable use of the validator if possible
private final static boolean TRY_VALIDATOR = true; private final static boolean TRY_VALIDATOR = true;
/**
* System property that if set (or set to "true"), allows trust anchor
* certificates to be used if they do not have the proper CA extensions.
* Set to false if prop is not set, or set to any other value.
*/
private static final boolean ALLOW_NON_CA_ANCHOR = allowNonCaAnchor();
private static boolean allowNonCaAnchor() {
String prop = GetPropertyAction
.privilegedGetProperty("jdk.security.allowNonCaAnchor");
return prop != null && (prop.isEmpty() || prop.equalsIgnoreCase("true"));
}
private final Set<X509Certificate> trustedCerts; private final Set<X509Certificate> trustedCerts;
private final PKIXBuilderParameters parameterTemplate; private final PKIXBuilderParameters parameterTemplate;
private int certPathLength = -1; private int certPathLength = -1;
...@@ -322,15 +335,18 @@ public final class PKIXValidator extends Validator { ...@@ -322,15 +335,18 @@ public final class PKIXValidator extends Validator {
private static X509Certificate[] toArray(CertPath path, TrustAnchor anchor) private static X509Certificate[] toArray(CertPath path, TrustAnchor anchor)
throws CertificateException { throws CertificateException {
List<? extends java.security.cert.Certificate> list =
path.getCertificates();
X509Certificate[] chain = new X509Certificate[list.size() + 1];
list.toArray(chain);
X509Certificate trustedCert = anchor.getTrustedCert(); X509Certificate trustedCert = anchor.getTrustedCert();
if (trustedCert == null) { if (trustedCert == null) {
throw new ValidatorException throw new ValidatorException
("TrustAnchor must be specified as certificate"); ("TrustAnchor must be specified as certificate");
} }
verifyTrustAnchor(trustedCert);
List<? extends java.security.cert.Certificate> list =
path.getCertificates();
X509Certificate[] chain = new X509Certificate[list.size() + 1];
list.toArray(chain);
chain[chain.length - 1] = trustedCert; chain[chain.length - 1] = trustedCert;
return chain; return chain;
} }
...@@ -365,6 +381,41 @@ public final class PKIXValidator extends Validator { ...@@ -365,6 +381,41 @@ public final class PKIXValidator extends Validator {
} }
} }
/**
* Verify that a trust anchor certificate is a CA certificate.
*/
private static void verifyTrustAnchor(X509Certificate trustedCert)
throws ValidatorException {
// skip check if jdk.security.allowNonCAAnchor system property is set
if (ALLOW_NON_CA_ANCHOR) {
return;
}
// allow v1 trust anchor certificates
if (trustedCert.getVersion() < 3) {
return;
}
// check that the BasicConstraints cA field is not set to false
if (trustedCert.getBasicConstraints() == -1) {
throw new ValidatorException
("TrustAnchor with subject \"" +
trustedCert.getSubjectX500Principal() +
"\" is not a CA certificate");
}
// check that the KeyUsage extension, if included, asserts the
// keyCertSign bit
boolean[] keyUsageBits = trustedCert.getKeyUsage();
if (keyUsageBits != null && !keyUsageBits[5]) {
throw new ValidatorException
("TrustAnchor with subject \"" +
trustedCert.getSubjectX500Principal() +
"\" does not have keyCertSign bit set in KeyUsage extension");
}
}
private X509Certificate[] doBuild(X509Certificate[] chain, private X509Certificate[] doBuild(X509Certificate[] chain,
Collection<X509Certificate> otherCerts, Collection<X509Certificate> otherCerts,
PKIXBuilderParameters params) throws CertificateException { PKIXBuilderParameters params) throws CertificateException {
......
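Review bot: The comment on the first check in verifyTrustAnchor names the property as `jdk.security.allowNonCAAnchor`, while allowNonCaAnchor() in the earlier hunk reads `jdk.security.allowNonCaAnchor`; system property names are case-sensitive, so an operator who copies the comment's spelling gets no opt-out and the comment should read `// skip check if jdk.security.allowNonCaAnchor system property is set`. The BasicConstraints comment also understates the check: getBasicConstraints() returns -1 both when the cA flag is false and when the extension is absent, so a v3 anchor that simply lacks BasicConstraints is rejected as well, which `// reject if BasicConstraints is absent or its cA flag is false` would state plainly. The `5` in `keyUsageBits[5]` is explained only by the comment above it; a named constant such as `private static final int KEY_USAGE_KEY_CERT_SIGN = 5;` would make the bit position self-documenting, and the same index is the one that determines which anchors pass, so it deserves the name.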
...@@ -87,6 +87,7 @@ public class TsacertOptionTest { ...@@ -87,6 +87,7 @@ public class TsacertOptionTest {
"-storepass", PASSWORD, "-storepass", PASSWORD,
"-keypass", PASSWORD, "-keypass", PASSWORD,
"-dname", "CN=CA", "-dname", "CN=CA",
"-ext", "bc:c",
"-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0); "-validity", Integer.toString(VALIDITY)).shouldHaveExitValue(0);
ProcessTools.executeCommand(KEYTOOL, ProcessTools.executeCommand(KEYTOOL,
"-genkey", "-genkey",
......
...@@ -42,7 +42,7 @@ public class Warning { ...@@ -42,7 +42,7 @@ public class Warning {
Files.deleteIfExists(Paths.get("ks")); Files.deleteIfExists(Paths.get("ks"));
newCert("ca", "-validity 365000"); newCert("ca", "-validity 365000", "-ext bc:c");
recreateJar(); recreateJar();
......
...@@ -224,8 +224,8 @@ $JARSIGNER -verify a.jar ...@@ -224,8 +224,8 @@ $JARSIGNER -verify a.jar
# ========================================================== # ==========================================================
$KT -genkeypair -alias ee -dname CN=ee $KT -genkeypair -alias ee -dname CN=ee
$KT -genkeypair -alias caone -dname CN=caone $KT -genkeypair -alias caone -dname CN=caone -ext bc:c
$KT -genkeypair -alias catwo -dname CN=catwo $KT -genkeypair -alias catwo -dname CN=catwo -ext bc:c
$KT -certreq -alias ee | $KT -gencert -alias catwo -rfc > ee.cert $KT -certreq -alias ee | $KT -gencert -alias catwo -rfc > ee.cert
$KT -certreq -alias catwo | $KT -gencert -alias caone -sigalg MD5withRSA -rfc > catwo.cert $KT -certreq -alias catwo | $KT -gencert -alias caone -sigalg MD5withRSA -rfc > catwo.cert
......
...@@ -53,7 +53,7 @@ rm $KS $JFILE ...@@ -53,7 +53,7 @@ rm $KS $JFILE
echo A > A echo A > A
$JAR cvf $JFILE A $JAR cvf $JFILE A
$KT -alias ca -dname CN=ca -keyalg ec -genkey -validity 300 || exit 11 $KT -alias ca -dname CN=ca -keyalg ec -genkey -validity 300 -ext bc:c || exit 11
$KT -alias a -dname CN=a -keyalg ec -genkey || exit 11 $KT -alias a -dname CN=a -keyalg ec -genkey || exit 11
$KT -alias a -certreq | $KT -gencert -alias ca -validity 300 | $KT -import -alias a || exit 111 $KT -alias a -certreq | $KT -gencert -alias ca -validity 300 | $KT -import -alias a || exit 111
......
...@@ -57,7 +57,7 @@ rm $KS $JFILE 2> /dev/null ...@@ -57,7 +57,7 @@ rm $KS $JFILE 2> /dev/null
echo "Key: Value" > manifest echo "Key: Value" > manifest
$JAR cvfm $JFILE manifest $JAR cvfm $JFILE manifest
$KT -alias ca -dname CN=ca -genkey -validity 300 || exit 1 $KT -alias ca -dname CN=ca -genkey -validity 300 -ext bc:c || exit 1
$KT -alias a -dname CN=a -genkey -validity 300 || exit 2 $KT -alias a -dname CN=a -genkey -validity 300 || exit 2
$KT -alias a -certreq | $KT -gencert -alias ca -validity 300 | $KT -import -alias a || exit 3 $KT -alias a -certreq | $KT -gencert -alias ca -validity 300 | $KT -import -alias a || exit 3
$JARSIGNER -keystore $KS -storepass changeit $JFILE a -debug -strict || exit 4 $JARSIGNER -keystore $KS -storepass changeit $JFILE a -debug -strict || exit 4
......
/* /*
* Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -53,7 +53,7 @@ public class BadExtendedKeyUsageTest extends Test { ...@@ -53,7 +53,7 @@ public class BadExtendedKeyUsageTest extends Test {
// create a certificate whose signer certificate's // create a certificate whose signer certificate's
// ExtendedKeyUsage extension doesn't allow code signing // ExtendedKeyUsage extension doesn't allow code signing
// create key pair for jar signing // create key pair for jar signing
createAlias(CA_KEY_ALIAS); createAlias(CA_KEY_ALIAS, "-ext", "bc:c");
createAlias(KEY_ALIAS); createAlias(KEY_ALIAS);
issueCert( issueCert(
......
/* /*
* Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -53,7 +53,7 @@ public class BadKeyUsageTest extends Test { ...@@ -53,7 +53,7 @@ public class BadKeyUsageTest extends Test {
// create a certificate whose signer certificate's KeyUsage extension // create a certificate whose signer certificate's KeyUsage extension
// doesn't allow code signing // doesn't allow code signing
createAlias(CA_KEY_ALIAS); createAlias(CA_KEY_ALIAS, "-ext", "bc:c");
createAlias(KEY_ALIAS); createAlias(KEY_ALIAS);
issueCert( issueCert(
......
/* /*
* Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -54,7 +54,7 @@ public class BadNetscapeCertTypeTest extends Test { ...@@ -54,7 +54,7 @@ public class BadNetscapeCertTypeTest extends Test {
// create a certificate whose signer certificate's // create a certificate whose signer certificate's
// NetscapeCertType extension doesn't allow code signing // NetscapeCertType extension doesn't allow code signing
// create key pair for jar signing // create key pair for jar signing
createAlias(CA_KEY_ALIAS); createAlias(CA_KEY_ALIAS, "-ext", "bc:c");
createAlias(KEY_ALIAS); createAlias(KEY_ALIAS);
issueCert( issueCert(
......
/* /*
* Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -54,7 +54,7 @@ public class ChainNotValidatedTest extends Test { ...@@ -54,7 +54,7 @@ public class ChainNotValidatedTest extends Test {
// Root CA is not checked at all. If the intermediate CA has // Root CA is not checked at all. If the intermediate CA has
// BasicConstraints extension set to true, it will be valid. // BasicConstraints extension set to true, it will be valid.
// Otherwise, chain validation will fail. // Otherwise, chain validation will fail.
createAlias(CA_KEY_ALIAS); createAlias(CA_KEY_ALIAS, "-ext", "bc:c");
createAlias(CA2_KEY_ALIAS); createAlias(CA2_KEY_ALIAS);
issueCert(CA2_KEY_ALIAS, issueCert(CA2_KEY_ALIAS,
"-ext", "-ext",
......
/* /*
* Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -52,7 +52,7 @@ public class HasExpiredCertTest extends Test { ...@@ -52,7 +52,7 @@ public class HasExpiredCertTest extends Test {
JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE); JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
// create key pair for jar signing // create key pair for jar signing
createAlias(CA_KEY_ALIAS); createAlias(CA_KEY_ALIAS, "-ext", "bc:c");
createAlias(KEY_ALIAS); createAlias(KEY_ALIAS);
issueCert( issueCert(
......
/* /*
* Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -52,7 +52,7 @@ public class HasExpiringCertTest extends Test { ...@@ -52,7 +52,7 @@ public class HasExpiringCertTest extends Test {
JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE); JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
// create key pair for jar signing // create key pair for jar signing
createAlias(CA_KEY_ALIAS); createAlias(CA_KEY_ALIAS, "-ext", "bc:c");
createAlias(KEY_ALIAS); createAlias(KEY_ALIAS);
issueCert( issueCert(
......
/* /*
* Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -51,7 +51,7 @@ public class HasUnsignedEntryTest extends Test { ...@@ -51,7 +51,7 @@ public class HasUnsignedEntryTest extends Test {
JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE); JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
// create key pair for signing // create key pair for signing
createAlias(CA_KEY_ALIAS); createAlias(CA_KEY_ALIAS, "-ext", "bc:c");
createAlias(KEY_ALIAS); createAlias(KEY_ALIAS);
issueCert( issueCert(
KEY_ALIAS, KEY_ALIAS,
......
/* /*
* Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -54,7 +54,7 @@ public class MultipleWarningsTest extends Test { ...@@ -54,7 +54,7 @@ public class MultipleWarningsTest extends Test {
// create a jar file that contains one class file // create a jar file that contains one class file
JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE); JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
createAlias(CA_KEY_ALIAS); createAlias(CA_KEY_ALIAS, "-ext", "bc:c");
// create first expired certificate // create first expired certificate
// whose ExtendedKeyUsage extension does not allow code signing // whose ExtendedKeyUsage extension does not allow code signing
......
/* /*
* Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -57,7 +57,7 @@ public class NoTimestampTest extends Test { ...@@ -57,7 +57,7 @@ public class NoTimestampTest extends Test {
* 24 * 60 * 60 * 1000L); * 24 * 60 * 60 * 1000L);
// create key pair // create key pair
createAlias(CA_KEY_ALIAS); createAlias(CA_KEY_ALIAS, "-ext", "bc:c");
createAlias(KEY_ALIAS); createAlias(KEY_ALIAS);
issueCert(KEY_ALIAS, issueCert(KEY_ALIAS,
"-validity", Integer.toString(VALIDITY)); "-validity", Integer.toString(VALIDITY));
......
/* /*
* Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -49,7 +49,7 @@ public class NotSignedByAliasTest extends Test { ...@@ -49,7 +49,7 @@ public class NotSignedByAliasTest extends Test {
Utils.createFiles(FIRST_FILE); Utils.createFiles(FIRST_FILE);
JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE); JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
createAlias(CA_KEY_ALIAS); createAlias(CA_KEY_ALIAS, "-ext", "bc:c");
// create first key pair for signing // create first key pair for signing
createAlias(FIRST_KEY_ALIAS); createAlias(FIRST_KEY_ALIAS);
......
/* /*
* Copyright (c) 2013, 2018, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2013, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -50,7 +50,7 @@ public class NotYetValidCertTest extends Test { ...@@ -50,7 +50,7 @@ public class NotYetValidCertTest extends Test {
JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE); JarUtils.createJar(UNSIGNED_JARFILE, FIRST_FILE);
// create certificate that will be valid only tomorrow // create certificate that will be valid only tomorrow
createAlias(CA_KEY_ALIAS); createAlias(CA_KEY_ALIAS, "-ext", "bc:c");
createAlias(KEY_ALIAS); createAlias(KEY_ALIAS);
issueCert( issueCert(
......
/* /*
* Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -26,6 +26,7 @@ ...@@ -26,6 +26,7 @@
* @bug 8076117 * @bug 8076117
* @summary EndEntityChecker should not process custom extensions * @summary EndEntityChecker should not process custom extensions
* after PKIX validation * after PKIX validation
* @run main/othervm -Djdk.security.allowNonCaAnchor EndEntityExtensionCheck
*/ */
import java.io.ByteArrayInputStream; import java.io.ByteArrayInputStream;
......
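Review bot: The new `@run main/othervm -Djdk.security.allowNonCaAnchor EndEntityExtensionCheck` line keeps this test green by disabling the trust-anchor check the commit introduces, so this is the one changed test that no longer runs under the default policy. If the test's anchor certificate cannot be regenerated with a CA BasicConstraints extension the way the other tests were (they add `-ext bc:c`), a comment on the `@run` line saying why the opt-out is required would stop a later reader from treating the property as routine test setup; if it can be regenerated, re-issuing the anchor would be preferable to the opt-out. I cannot see the test body from here, so whether regeneration is feasible is an inference.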