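/*
 * Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */

package sun.security.util;

import sun.security.validator.Validator;

import java.security.AlgorithmParameters;
import java.security.Key;
import java.security.Timestamp;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECKey;
import java.util.Date;

/**
 * This class contains parameters for checking against constraints that extend
 * past the publicly available parameters in java.security.AlgorithmConstraints.
 *
 * This is currently only passed between PKIX, AlgorithmChecker,
 * and DisabledAlgorithmConstraints.
 *
 * Every field is final and assigned exactly once in a constructor. An
 * instance describes either a certificate/timestamp check (first
 * constructor) or an algorithm/key check (second constructor); the fields
 * belonging to the other kind of check are left {@code null} or
 * {@code false}.
 */
public class ConstraintsParameters {
    /*
     * The below 3 values are used the same as the permit() methods
     * published in java.security.AlgorithmConstraints.
     */
    // Algorithm string to be checked against constraints
    private final String algorithm;
    // AlgorithmParameters to the algorithm being checked
    private final AlgorithmParameters algParams;
    // Key being checked against constraints
    private final Key key;

    /*
     * New values that are checked against constraints that the current public
     * API does not support.
     */
    // A certificate being passed to check against constraints.
    private final X509Certificate cert;
    // This is true if the trust anchor in the certificate chain matches a cert
    // in AnchorCertificates
    private final boolean trustedMatch;
    // PKIXParameter date
    private final Date pkixDate;
    // Timestamp of the signed JAR file
    private final Timestamp jarTimestamp;
    // Validator variant; never null, falls back to Validator.VAR_GENERIC
    private final String variant;
    // Named Curve
    private final String[] curveStr;
    // Shared zero-length result for keys that have no named curve
    private static final String[] EMPTYLIST = new String[0];

    /**
     * Creates parameters for a certificate and/or timestamp based check.
     * The algorithm, algorithm parameters and key are set to {@code null}.
     *
     * @param c        certificate to check; may be {@code null}, in which
     *                 case no curve names are recorded
     * @param match    whether the trust anchor of the chain matches a cert
     *                 in AnchorCertificates
     * @param pkixdate PKIXParameter date; may be {@code null}
     * @param jarTime  timestamp of the signed JAR file; may be {@code null}
     * @param variant  validator variant; {@code null} is replaced by
     *                 {@code Validator.VAR_GENERIC}
     */
    public ConstraintsParameters(X509Certificate c, boolean match,
            Date pkixdate, Timestamp jarTime, String variant) {
        cert = c;
        trustedMatch = match;
        pkixDate = pkixdate;
        jarTimestamp = jarTime;
        this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
        algorithm = null;
        algParams = null;
        key = null;
        // The curve names come from the certificate's public key.
        curveStr = (c != null)
                ? getNamedCurveFromKey(c.getPublicKey())
                : EMPTYLIST;
    }

    /**
     * Creates parameters for an algorithm/key based check. The certificate,
     * PKIX date and JAR timestamp are set to {@code null} and the trusted
     * match flag to {@code false}.
     *
     * @param algorithm algorithm string to be checked against constraints
     * @param params    AlgorithmParameters of the algorithm being checked
     * @param key       key being checked; its named curve, if any, is
     *                  recorded
     * @param variant   validator variant; {@code null} is replaced by
     *                  {@code Validator.VAR_GENERIC}
     */
    public ConstraintsParameters(String algorithm, AlgorithmParameters params,
            Key key, String variant) {
        this.algorithm = algorithm;
        algParams = params;
        this.key = key;
        curveStr = getNamedCurveFromKey(key);
        cert = null;
        trustedMatch = false;
        pkixDate = null;
        jarTimestamp = null;
        this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
    }

    /**
     * Creates parameters for checking a single certificate, with no trusted
     * match, no dates and the generic variant.
     *
     * @param c certificate to check
     */
    public ConstraintsParameters(X509Certificate c) {
        this(c, false, null, null,
                Validator.VAR_GENERIC);
    }

    /**
     * Creates parameters that carry only a signed-JAR timestamp, with the
     * generic variant.
     *
     * @param jarTime timestamp of the signed JAR file
     */
    public ConstraintsParameters(Timestamp jarTime) {
        this(null, false, null, jarTime, Validator.VAR_GENERIC);
    }

    /** Returns the algorithm string, or {@code null} if none was given. */
    public String getAlgorithm() {
        return algorithm;
    }

    /** Returns the algorithm parameters, or {@code null} if none were given. */
    public AlgorithmParameters getAlgParams() {
        return algParams;
    }

    /** Returns the key being checked, or {@code null} if none was given. */
    public Key getKey() {
        return key;
    }

    // Returns if the trust anchor has a match if anchor checking is enabled.
    public boolean isTrustedMatch() {
        return trustedMatch;
    }

    /** Returns the certificate being checked, or {@code null}. */
    public X509Certificate getCertificate() {
        return cert;
    }

    /** Returns the PKIXParameter date, or {@code null} if none was given. */
    public Date getPKIXParamDate() {
        return pkixDate;
    }

    /** Returns the signed-JAR timestamp, or {@code null} if none was given. */
    public Timestamp getJARTimestamp() {
        return jarTimestamp;
    }

    /** Returns the validator variant; never {@code null}. */
    public String getVariant() {
        return variant;
    }

    /**
     * Returns the names of the named curve of the key or certificate, or an
     * empty array if there is none.
     *
     * The stored array is returned as is, without a defensive copy, so
     * callers must not modify it.
     */
    public String[] getNamedCurve() {
        return curveStr;
    }

    /**
     * Looks up the names of the named curve used by an EC key.
     *
     * @param key key to inspect; may be {@code null}
     * @return the names registered in CurveDB for the curve's object
     *         identifier, or an empty array when {@code key} is not an
     *         {@link ECKey} (which includes {@code null}) or its parameters
     *         do not match a curve known to CurveDB
     */
    public static String[] getNamedCurveFromKey(Key key) {
        if (!(key instanceof ECKey)) {
            return EMPTYLIST;
        }
        NamedCurve nc = CurveDB.lookup(((ECKey)key).getParams());
        return (nc == null ? EMPTYLIST : CurveDB.getNamesByOID(nc.getObjectId()));
    }

    /**
     * Returns a multi-line description of the certificate (with its
     * signature algorithm), the algorithm parameters, the named curves and
     * the variant, for use in debug output.
     */
    @Override
    public String toString() {
        StringBuilder s = new StringBuilder();
        s.append("Cert:  ");
        if (cert != null) {
            s.append(cert.toString());
            s.append("\nSigAlgo:  ");
            s.append(cert.getSigAlgName());
        } else {
            s.append("None");
        }
        s.append("\nAlgParams:  ");
        AlgorithmParameters params = getAlgParams();
        if (params != null) {
            // The string form has to be appended; calling toString() and
            // discarding the result leaves this section of the output empty.
            s.append(params.toString());
        } else {
            s.append("None");
        }
        s.append("\nNamedCurves: ");
        for (String c : getNamedCurve()) {
            s.append(c).append(' ');
        }
        s.append("\nVariant:  ").append(getVariant());
        return s.toString();
    }

}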