1 /*
   2  * Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any
  23  * questions.
  24  */
  25 
  26 package sun.security.util;
  27 
  28 import sun.security.validator.Validator;
  29 
  30 import java.security.AlgorithmParameters;
  31 import java.security.Key;
  32 import java.security.Timestamp;
  33 import java.security.cert.X509Certificate;
  34 import java.security.interfaces.ECKey;
  35 import java.util.Date;
  36 
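/**
 * This class contains parameters for checking against constraints that extend
 * past the publicly available parameters in java.security.AlgorithmConstraints.
 *
 * This is currently only passed between PKIX, AlgorithmChecker,
 * and DisabledAlgorithmConstraints.
 *
 * Instances are built in one of two shapes: certificate-based (cert, trust
 * anchor match, PKIX date, JAR timestamp) or algorithm-based (algorithm
 * name, parameters, key). Fields that do not belong to the chosen shape are
 * left {@code null} / {@code false}, so every getter except
 * {@link #getVariant()} and {@link #getNamedCurve()} may return {@code null}.
 */
public class ConstraintsParameters {
    /*
     * The below 3 values are used the same as the permit() methods
     * published in java.security.AlgorithmConstraints.
     */
    // Algorithm string to be checked against constraints
    private final String algorithm;
    // AlgorithmParameters to the algorithm being checked
    private final AlgorithmParameters algParams;
    // Key being checked against constraints
    private final Key key;

    /*
     * New values that are checked against constraints that the current public
     * API does not support.
     */
    // A certificate being passed to check against constraints.
    private final X509Certificate cert;
    // This is true if the trust anchor in the certificate chain matches a cert
    // in AnchorCertificates
    private final boolean trustedMatch;
    // PKIXParameter date
    private final Date pkixDate;
    // Timestamp of the signed JAR file
    private final Timestamp jarTimestamp;
    // Validator variant; never null, falls back to Validator.VAR_GENERIC
    private final String variant;
    // Named Curve
    private final String[] curveStr;
    private static final String[] EMPTYLIST = new String[0];

    /**
     * Creates certificate-based parameters. The algorithm, algorithm
     * parameters and key are left {@code null}.
     *
     * @param c the certificate to check, may be {@code null}; when present,
     *        the named curves are derived from its public key
     * @param match whether the trust anchor matched a cert in
     *        AnchorCertificates
     * @param pkixdate the PKIXParameter date, may be {@code null}
     * @param jarTime the timestamp of the signed JAR file, may be {@code null}
     * @param variant the validator variant; {@code null} is replaced by
     *        {@code Validator.VAR_GENERIC}
     */
    public ConstraintsParameters(X509Certificate c, boolean match,
            Date pkixdate, Timestamp jarTime, String variant) {
        cert = c;
        trustedMatch = match;
        pkixDate = pkixdate;
        jarTimestamp = jarTime;
        this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
        algorithm = null;
        algParams = null;
        key = null;
        if (c != null) {
            curveStr = getNamedCurveFromKey(c.getPublicKey());
        } else {
            curveStr = EMPTYLIST;
        }
    }

    /**
     * Creates algorithm-based parameters. The certificate, PKIX date and JAR
     * timestamp are left {@code null} and the trust anchor match is
     * {@code false}.
     *
     * @param algorithm the algorithm string to check
     * @param params the parameters of the algorithm, may be {@code null}
     * @param key the key to check; a {@code null} or non-EC key yields an
     *        empty named-curve list
     * @param variant the validator variant; {@code null} is replaced by
     *        {@code Validator.VAR_GENERIC}
     */
    public ConstraintsParameters(String algorithm, AlgorithmParameters params,
            Key key, String variant) {
        this.algorithm = algorithm;
        algParams = params;
        this.key = key;
        curveStr = getNamedCurveFromKey(key);
        cert = null;
        trustedMatch = false;
        pkixDate = null;
        jarTimestamp = null;
        this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
    }


    /**
     * Creates certificate-based parameters with no trust anchor match, no
     * dates and the generic validator variant.
     *
     * @param c the certificate to check
     */
    public ConstraintsParameters(X509Certificate c) {
        this(c, false, null, null,
                Validator.VAR_GENERIC);
    }

    /**
     * Creates parameters that carry only a signed-JAR timestamp, with the
     * generic validator variant.
     *
     * @param jarTime the timestamp of the signed JAR file
     */
    public ConstraintsParameters(Timestamp jarTime) {
        this(null, false, null, jarTime, Validator.VAR_GENERIC);
    }

    /** Returns the algorithm string, or {@code null} if certificate-based. */
    public String getAlgorithm() {
        return algorithm;
    }

    /** Returns the algorithm parameters, or {@code null} if none were given. */
    public AlgorithmParameters getAlgParams() {
        return algParams;
    }

    /** Returns the key being checked, or {@code null} if certificate-based. */
    public Key getKey() {
        return key;
    }

    // Returns if the trust anchor has a match if anchor checking is enabled.
    public boolean isTrustedMatch() {
        return trustedMatch;
    }

    /** Returns the certificate being checked, or {@code null} if none. */
    public X509Certificate getCertificate() {
        return cert;
    }

    /**
     * Returns the PKIXParameter date, or {@code null} if none was given.
     * The stored {@code Date} is returned as-is, without a defensive copy.
     */
    public Date getPKIXParamDate() {
        return pkixDate;
    }

    /** Returns the signed-JAR timestamp, or {@code null} if none was given. */
    public Timestamp getJARTimestamp() {
        return jarTimestamp;
    }

    /** Returns the validator variant; never {@code null}. */
    public String getVariant() {
        return variant;
    }

    /**
     * Returns the named curves derived from the key or certificate; empty
     * when there is no EC key or the curve is unknown.
     *
     * The internal array is returned without copying, so callers must treat
     * it as read-only: writing to it would change what later constraint
     * checks see for this object.
     */
    public String[] getNamedCurve() {
        return curveStr;
    }

    /**
     * Looks up the names of the curve used by an EC key.
     *
     * @param key the key to inspect, may be {@code null}
     * @return the names registered in CurveDB for the key's curve, or an
     *         empty array if the key is not an {@code ECKey} or CurveDB has
     *         no entry for its parameters
     */
    public static String[] getNamedCurveFromKey(Key key) {
        if (key instanceof ECKey) {
            NamedCurve nc = CurveDB.lookup(((ECKey)key).getParams());
            return (nc == null ? EMPTYLIST : CurveDB.getNamesByOID(nc.getObjectId()));
        } else {
            return EMPTYLIST;
        }
    }

    /**
     * Returns a multi-line description of the certificate, its signature
     * algorithm, the algorithm parameters, the named curves and the variant.
     */
    @Override
    public String toString() {
        StringBuilder s = new StringBuilder();
        s.append("Cert:       ");
        if (cert != null) {
            s.append(cert.toString());
            s.append("\nSigAlgo:    ");
            s.append(cert.getSigAlgName());
        } else {
            s.append("None");
        }
        s.append("\nAlgParams:  ");
        AlgorithmParameters params = getAlgParams();
        if (params != null) {
            // The original called toString() and discarded the result, which
            // left this field blank in the output whenever parameters were set.
            s.append(params.toString());
        } else {
            s.append("None");
        }
        s.append("\nNamedCurves: ");
        for (String c : getNamedCurve()) {
            s.append(c).append(' ');
        }
        s.append("\nVariant:    ").append(getVariant());
        return s.toString();
    }

}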