src/share/classes/sun/security/util/ConstraintsParameters.java
rev 14231 : 8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR
Reviewed-by: mullan, xuelei, weijun
@@ -29,10 +29,11 @@
import java.security.AlgorithmParameters;
import java.security.Key;
import java.security.Timestamp;
import java.security.cert.X509Certificate;
+import java.security.interfaces.ECKey;
import java.util.Date;
/**
* This class contains parameters for checking against constraints that extend
* past the publicly available parameters in java.security.AlgorithmConstraints.
@@ -47,12 +48,12 @@
*/
// Algorithm string to be checked against constraints
private final String algorithm;
// AlgorithmParameters to the algorithm being checked
private final AlgorithmParameters algParams;
- // Public Key being checked against constraints
- private final Key publicKey;
+ // Key being checked against constraints
+ private final Key key;
/*
* New values that are checked against constraints that the current public
* API does not support.
*/
@@ -64,28 +65,37 @@
// PKIXParameter date
private final Date pkixDate;
// Timestamp of the signed JAR file
private final Timestamp jarTimestamp;
private final String variant;
+ // Named Curve
+ private final String[] curveStr;
+ private static final String[] EMPTYLIST = new String[0];
public ConstraintsParameters(X509Certificate c, boolean match,
Date pkixdate, Timestamp jarTime, String variant) {
cert = c;
trustedMatch = match;
pkixDate = pkixdate;
jarTimestamp = jarTime;
this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
algorithm = null;
algParams = null;
- publicKey = null;
+ key = null;
+ if (c != null) {
+ curveStr = getNamedCurveFromKey(c.getPublicKey());
+ } else {
+ curveStr = EMPTYLIST;
+ }
}
public ConstraintsParameters(String algorithm, AlgorithmParameters params,
Key key, String variant) {
this.algorithm = algorithm;
algParams = params;
- this.publicKey = key;
+ this.key = key;
+ curveStr = getNamedCurveFromKey(key);
cert = null;
trustedMatch = false;
pkixDate = null;
jarTimestamp = null;
this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
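Review bot: The new `curveStr` field (L37) carries only `// Named Curve` as documentation, yet it is an array that may be empty or hold several entries, and both constructors fill it through different paths (the certificate's public key at L51, the raw key at L62). A comment should say what it holds and when it is empty, e.g. `// Names CurveDB knows for the EC key's curve; empty for non-EC keys, keys on curves CurveDB does not recognize, or when no cert/key was supplied.` Note also that in the certificate constructor the curve is derived from the cert's own subject key only, so the curve of the issuer's signing key is presumably covered when that issuer cert is checked in turn — worth stating if that is the intent. `EMPTYLIST` would conventionally be `EMPTY_LIST` (or `EMPTY_NAMES`, since it is an array of names, not a list).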
@@ -107,13 +117,14 @@
public AlgorithmParameters getAlgParams() {
return algParams;
}
- public Key getPublicKey() {
- return publicKey;
+ public Key getKey() {
+ return key;
}
+
// Returns if the trust anchor has a match if anchor checking is enabled.
public boolean isTrustedMatch() {
return trustedMatch;
}
@@ -130,6 +141,44 @@
}
public String getVariant() {
return variant;
}
+
+ public String[] getNamedCurve() {
+ return curveStr;
+ }
+
+ public static String[] getNamedCurveFromKey(Key key) {
+ if (key instanceof ECKey) {
+ NamedCurve nc = CurveDB.lookup(((ECKey)key).getParams());
+ return (nc == null ? EMPTYLIST : CurveDB.getNamesByOID(nc.getObjectId()));
+ } else {
+ return EMPTYLIST;
+ }
+ }
+
+ public String toString() {
+ StringBuilder s = new StringBuilder();
+ s.append("Cert: ");
+ if (cert != null) {
+ s.append(cert.toString());
+ s.append("\nSigAlgo: ");
+ s.append(cert.getSigAlgName());
+ } else {
+ s.append("None");
+ }
+ s.append("\nAlgParams: ");
+ if (getAlgParams() != null) {
+ getAlgParams().toString();
+ } else {
+ s.append("None");
+ }
+ s.append("\nNamedCurves: ");
+ for (String c : getNamedCurve()) {
+ s.append(c + " ");
+ }
+ s.append("\nVariant: " + getVariant());
+ return s.toString();
+ }
+
}
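Review bot: In `toString` (L113) the value of `getAlgParams().toString()` is computed and discarded, so the "AlgParams:" line never shows the parameters when they are present; it should read `s.append(getAlgParams().toString());`. Separately, `getNamedCurveFromKey` returns `EMPTYLIST` whenever `CurveDB.lookup` finds no entry (L95), so an EC key whose parameters CurveDB does not recognize carries no curve names and presumably can never match a named-curve entry in the disabled-algorithms constraints downstream — that silent fall-through deserves a comment on the method, e.g. `// EC keys on curves unknown to CurveDB yield no names and so are not matched by named-curve constraints.` If `((ECKey)key).getParams()` can be null for some provider keys, the behaviour of `CurveDB.lookup(null)` should be confirmed as well. Finally, `getNamedCurve()` hands out the array as-is; if `CurveDB.getNamesByOID` returns a shared internal array, a `clone()` there would keep callers from mutating CurveDB's data.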