--- old/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java 2020-12-03 17:39:32.050684463 +0300 +++ new/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java 2020-12-03 17:39:31.914685739 +0300 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, 2017, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2010, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -60,19 +60,23 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints { private static final Debug debug = Debug.getInstance("certpath"); - // the known security property, jdk.certpath.disabledAlgorithms + // Disabled algorithm security property for certificate path public static final String PROPERTY_CERTPATH_DISABLED_ALGS = "jdk.certpath.disabledAlgorithms"; - // the known security property, jdk.tls.disabledAlgorithms + // Disabled algorithm security property for TLS public static final String PROPERTY_TLS_DISABLED_ALGS = "jdk.tls.disabledAlgorithms"; - // the known security property, jdk.jar.disabledAlgorithms + // Disabled algorithm security property for jar public static final String PROPERTY_JAR_DISABLED_ALGS = "jdk.jar.disabledAlgorithms"; - private final String[] disabledAlgorithms; + // Property for disabled EC named curves + private static final String PROPERTY_DISABLED_EC_CURVES = + "jdk.disabled.namedCurves"; + + private final List disabledAlgorithms; private final Constraints algorithmConstraints; /** @@ -97,6 +101,24 @@ AlgorithmDecomposer decomposer) { super(decomposer); disabledAlgorithms = getAlgorithms(propertyName); + + // Check for alias + int ecindex = -1, i = 0; + for (String s : disabledAlgorithms) { + if (s.regionMatches(true, 0,"include ", 0, 8)) { + if (s.regionMatches(true, 8, PROPERTY_DISABLED_EC_CURVES, 0, + PROPERTY_DISABLED_EC_CURVES.length())) { + ecindex = i; + break; + } + } + i++; + } + if (ecindex > -1) { + disabledAlgorithms.remove(ecindex); + disabledAlgorithms.addAll(ecindex, + getAlgorithms(PROPERTY_DISABLED_EC_CURVES)); + } algorithmConstraints = new Constraints(disabledAlgorithms); } @@ -164,6 +186,19 @@ public final void permits(String algorithm, ConstraintsParameters cp) throws CertPathValidatorException { + + // Check if named curves in the ConstraintParameters are disabled. + if (cp.getNamedCurve() != null) { + for (String curve : cp.getNamedCurve()) { + if (!checkAlgorithm(disabledAlgorithms, curve, decomposer)) { + throw new CertPathValidatorException( + "Algorithm constraints check failed on disabled " + + "algorithm: " + curve, + null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); + } + } + } + algorithmConstraints.permits(algorithm, cp); } @@ -199,6 +234,13 @@ return false; } + // If this is an elliptic curve, check disabled the named curve. + for (String curve : ConstraintsParameters.getNamedCurveFromKey(key)) { + if (!permits(primitives, curve, null)) { + return false; + } + } + // check the key constraints return algorithmConstraints.permits(key); } @@ -230,7 +272,7 @@ "denyAfter\\s+(\\d{4})-(\\d{2})-(\\d{2})"); } - public Constraints(String[] constraintArray) { + public Constraints(List constraintArray) { for (String constraintEntry : constraintArray) { if (constraintEntry == null || constraintEntry.isEmpty()) { continue; @@ -258,7 +300,9 @@ alias.toUpperCase(Locale.ENGLISH), constraintList); } - if (space <= 0) { + // If there is no whitespace, it is a algorithm name; however, + // if there is a whitespace, could be a multi-word EC curve too. + if (space <= 0 || CurveDB.lookup(constraintEntry) != null) { constraintList.add(new DisabledConstraint(algorithm)); continue; } @@ -357,7 +401,7 @@ for (Constraint constraint : list) { if (!constraint.permits(key)) { if (debug != null) { - debug.println("keySizeConstraint: failed key " + + debug.println("Constraints: failed key size" + "constraint check " + KeyUtil.getKeySize(key)); } return false; @@ -376,7 +420,7 @@ for (Constraint constraint : list) { if (!constraint.permits(aps)) { if (debug != null) { - debug.println("keySizeConstraint: failed algorithm " + + debug.println("Constraints: failed algorithm " + "parameters constraint check " + aps); } @@ -393,8 +437,7 @@ X509Certificate cert = cp.getCertificate(); if (debug != null) { - debug.println("Constraints.permits(): " + algorithm + - " Variant: " + cp.getVariant()); + debug.println("Constraints.permits(): " + cp.toString()); } // Get all signature algorithms to check for constraints @@ -408,8 +451,8 @@ if (cert != null) { algorithms.add(cert.getPublicKey().getAlgorithm()); } - if (cp.getPublicKey() != null) { - algorithms.add(cp.getPublicKey().getAlgorithm()); + if (cp.getKey() != null) { + algorithms.add(cp.getKey().getAlgorithm()); } // Check all applicable constraints for (String alg : algorithms) { @@ -548,10 +591,7 @@ * the constraint denies the operation. */ boolean next(Key key) { - if (nextConstraint != null && nextConstraint.permits(key)) { - return true; - } - return false; + return nextConstraint != null && nextConstraint.permits(key); } String extendedMsg(ConstraintsParameters cp) { @@ -803,8 +843,8 @@ public void permits(ConstraintsParameters cp) throws CertPathValidatorException { Key key = null; - if (cp.getPublicKey() != null) { - key = cp.getPublicKey(); + if (cp.getKey() != null) { + key = cp.getKey(); } else if (cp.getCertificate() != null) { key = cp.getCertificate().getPublicKey(); }