1 /* 2 * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.ssl; 27 28 import java.security.AlgorithmConstraints; 29 import java.security.CryptoPrimitive; 30 import java.security.AlgorithmParameters; 31 32 import javax.net.ssl.*; 33 34 import java.security.Key; 35 36 import java.util.Set; 37 38 import sun.security.util.DisabledAlgorithmConstraints; 39 import static sun.security.util.DisabledAlgorithmConstraints.*; 40 import sun.security.ssl.CipherSuite.*; 41 42 /** 43 * Algorithm constraints for disabled algorithms property 44 * 45 * See the "jdk.certpath.disabledAlgorithms" specification in java.security 46 * for the syntax of the disabled algorithm string. 47 */ 48 final class SSLAlgorithmConstraints implements AlgorithmConstraints { 49 50 private static final AlgorithmConstraints tlsDisabledAlgConstraints = 51 new DisabledAlgorithmConstraints(PROPERTY_TLS_DISABLED_ALGS, 52 new SSLAlgorithmDecomposer()); 53 54 private static final AlgorithmConstraints x509DisabledAlgConstraints = 55 new DisabledAlgorithmConstraints(PROPERTY_CERTPATH_DISABLED_ALGS, 56 new SSLAlgorithmDecomposer(true)); 57 58 private AlgorithmConstraints userAlgConstraints = null; 59 private AlgorithmConstraints peerAlgConstraints = null; 60 61 private boolean enabledX509DisabledAlgConstraints = true; 62 63 // the default algorithm constraints 64 static final AlgorithmConstraints DEFAULT = 65 new SSLAlgorithmConstraints(null); 66 67 // the default SSL only algorithm constraints 68 static final AlgorithmConstraints DEFAULT_SSL_ONLY = 69 new SSLAlgorithmConstraints((SSLSocket)null, false); 70 71 SSLAlgorithmConstraints(AlgorithmConstraints algorithmConstraints) { 72 userAlgConstraints = algorithmConstraints; 73 } 74 75 SSLAlgorithmConstraints(SSLSocket socket, 76 boolean withDefaultCertPathConstraints) { 77 if (socket != null) { 78 userAlgConstraints = 79 socket.getSSLParameters().getAlgorithmConstraints(); 80 } 81 82 if (!withDefaultCertPathConstraints) { 83 enabledX509DisabledAlgConstraints = false; 84 } 85 } 86 87 SSLAlgorithmConstraints(SSLEngine engine, 88 boolean withDefaultCertPathConstraints) { 89 if (engine != null) { 90 userAlgConstraints = 91 engine.getSSLParameters().getAlgorithmConstraints(); 92 } 93 94 if (!withDefaultCertPathConstraints) { 95 enabledX509DisabledAlgConstraints = false; 96 } 97 } 98 99 SSLAlgorithmConstraints(SSLSocket socket, String[] supportedAlgorithms, 100 boolean withDefaultCertPathConstraints) { 101 if (socket != null) { 102 userAlgConstraints = 103 socket.getSSLParameters().getAlgorithmConstraints(); 104 peerAlgConstraints = 105 new SupportedSignatureAlgorithmConstraints(supportedAlgorithms); 106 } 107 108 if (!withDefaultCertPathConstraints) { 109 enabledX509DisabledAlgConstraints = false; 110 } 111 } 112 113 SSLAlgorithmConstraints(SSLEngine engine, String[] supportedAlgorithms, 114 boolean withDefaultCertPathConstraints) { 115 if (engine != null) { 116 userAlgConstraints = 117 engine.getSSLParameters().getAlgorithmConstraints(); 118 peerAlgConstraints = 119 new SupportedSignatureAlgorithmConstraints(supportedAlgorithms); 120 } 121 122 if (!withDefaultCertPathConstraints) { 123 enabledX509DisabledAlgConstraints = false; 124 } 125 } 126 127 @Override 128 public boolean permits(Set<CryptoPrimitive> primitives, 129 String algorithm, AlgorithmParameters parameters) { 130 131 boolean permitted = true; 132 133 if (peerAlgConstraints != null) { 134 permitted = peerAlgConstraints.permits( 135 primitives, algorithm, parameters); 136 } 137 138 if (permitted && userAlgConstraints != null) { 139 permitted = userAlgConstraints.permits( 140 primitives, algorithm, parameters); 141 } 142 143 if (permitted) { 144 permitted = tlsDisabledAlgConstraints.permits( 145 primitives, algorithm, parameters); 146 } 147 148 if (permitted && enabledX509DisabledAlgConstraints) { 149 permitted = x509DisabledAlgConstraints.permits( 150 primitives, algorithm, parameters); 151 } 152 153 return permitted; 154 } 155 156 @Override 157 public boolean permits(Set<CryptoPrimitive> primitives, Key key) { 158 159 boolean permitted = true; 160 161 if (peerAlgConstraints != null) { 162 permitted = peerAlgConstraints.permits(primitives, key); 163 } 164 165 if (permitted && userAlgConstraints != null) { 166 permitted = userAlgConstraints.permits(primitives, key); 167 } 168 169 if (permitted) { 170 permitted = tlsDisabledAlgConstraints.permits(primitives, key); 171 } 172 173 if (permitted && enabledX509DisabledAlgConstraints) { 174 permitted = x509DisabledAlgConstraints.permits(primitives, key); 175 } 176 177 return permitted; 178 } 179 180 @Override 181 public boolean permits(Set<CryptoPrimitive> primitives, 182 String algorithm, Key key, AlgorithmParameters parameters) { 183 184 boolean permitted = true; 185 186 if (peerAlgConstraints != null) { 187 permitted = peerAlgConstraints.permits( 188 primitives, algorithm, key, parameters); 189 } 190 191 if (permitted && userAlgConstraints != null) { 192 permitted = userAlgConstraints.permits( 193 primitives, algorithm, key, parameters); 194 } 195 196 if (permitted) { 197 permitted = tlsDisabledAlgConstraints.permits( 198 primitives, algorithm, key, parameters); 199 } 200 201 if (permitted && enabledX509DisabledAlgConstraints) { 202 permitted = x509DisabledAlgConstraints.permits( 203 primitives, algorithm, key, parameters); 204 } 205 206 return permitted; 207 } 208 209 210 private static class SupportedSignatureAlgorithmConstraints 211 implements AlgorithmConstraints { 212 // supported signature algorithms | 1 /* 2 * Copyright (c) 2010, 2018, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.ssl; 27 28 import java.security.AlgorithmConstraints; 29 import java.security.AlgorithmParameters; 30 import java.security.CryptoPrimitive; 31 import java.security.Key; 32 import java.util.Set; 33 import javax.net.ssl.*; 34 import sun.security.util.DisabledAlgorithmConstraints; 35 import static sun.security.util.DisabledAlgorithmConstraints.*; 36 37 /** 38 * Algorithm constraints for disabled algorithms property 39 * 40 * See the "jdk.certpath.disabledAlgorithms" specification in java.security 41 * for the syntax of the disabled algorithm string. 42 */ 43 final class SSLAlgorithmConstraints implements AlgorithmConstraints { 44 45 private static final AlgorithmConstraints tlsDisabledAlgConstraints = 46 new DisabledAlgorithmConstraints(PROPERTY_TLS_DISABLED_ALGS, 47 new SSLAlgorithmDecomposer()); 48 49 private static final AlgorithmConstraints x509DisabledAlgConstraints = 50 new DisabledAlgorithmConstraints(PROPERTY_CERTPATH_DISABLED_ALGS, 51 new SSLAlgorithmDecomposer(true)); 52 53 private final AlgorithmConstraints userSpecifiedConstraints; 54 private final AlgorithmConstraints peerSpecifiedConstraints; 55 56 private final boolean enabledX509DisabledAlgConstraints; 57 58 // the default algorithm constraints 59 static final AlgorithmConstraints DEFAULT = 60 new SSLAlgorithmConstraints(null); 61 62 // the default SSL only algorithm constraints 63 static final AlgorithmConstraints DEFAULT_SSL_ONLY = 64 new SSLAlgorithmConstraints((SSLSocket)null, false); 65 66 SSLAlgorithmConstraints(AlgorithmConstraints userSpecifiedConstraints) { 67 this.userSpecifiedConstraints = userSpecifiedConstraints; 68 this.peerSpecifiedConstraints = null; 69 this.enabledX509DisabledAlgConstraints = true; 70 } 71 72 SSLAlgorithmConstraints(SSLSocket socket, 73 boolean withDefaultCertPathConstraints) { 74 AlgorithmConstraints configuredConstraints = null; 75 if (socket != null) { 76 HandshakeContext hc = 77 ((SSLSocketImpl)socket).conContext.handshakeContext; 78 if (hc != null) { 79 configuredConstraints = hc.sslConfig.algorithmConstraints; 80 } else { 81 configuredConstraints = null; 82 } 83 } 84 this.userSpecifiedConstraints = configuredConstraints; 85 this.peerSpecifiedConstraints = null; 86 this.enabledX509DisabledAlgConstraints = withDefaultCertPathConstraints; 87 } 88 89 SSLAlgorithmConstraints(SSLEngine engine, 90 boolean withDefaultCertPathConstraints) { 91 AlgorithmConstraints configuredConstraints = null; 92 if (engine != null) { 93 HandshakeContext hc = 94 ((SSLEngineImpl)engine).conContext.handshakeContext; 95 if (hc != null) { 96 configuredConstraints = hc.sslConfig.algorithmConstraints; 97 } else { 98 configuredConstraints = null; 99 } 100 } 101 this.userSpecifiedConstraints = configuredConstraints; 102 this.peerSpecifiedConstraints = null; 103 this.enabledX509DisabledAlgConstraints = withDefaultCertPathConstraints; 104 } 105 106 SSLAlgorithmConstraints(SSLSocket socket, String[] supportedAlgorithms, 107 boolean withDefaultCertPathConstraints) { 108 AlgorithmConstraints configuredConstraints = null; 109 AlgorithmConstraints negotiatedConstraints = null; 110 if (socket != null) { 111 HandshakeContext hc = 112 ((SSLSocketImpl)socket).conContext.handshakeContext; 113 if (hc != null) { 114 configuredConstraints = hc.sslConfig.algorithmConstraints; 115 } else { 116 configuredConstraints = null; 117 } 118 119 negotiatedConstraints = 120 new SupportedSignatureAlgorithmConstraints(supportedAlgorithms); 121 } 122 this.userSpecifiedConstraints = configuredConstraints; 123 this.peerSpecifiedConstraints = negotiatedConstraints; 124 this.enabledX509DisabledAlgConstraints = withDefaultCertPathConstraints; 125 } 126 127 SSLAlgorithmConstraints(SSLEngine engine, String[] supportedAlgorithms, 128 boolean withDefaultCertPathConstraints) { 129 AlgorithmConstraints configuredConstraints = null; 130 AlgorithmConstraints negotiatedConstraints = null; 131 if (engine != null) { 132 HandshakeContext hc = 133 ((SSLEngineImpl)engine).conContext.handshakeContext; 134 if (hc != null) { 135 configuredConstraints = hc.sslConfig.algorithmConstraints; 136 } else { 137 configuredConstraints = null; 138 } 139 140 negotiatedConstraints = 141 new SupportedSignatureAlgorithmConstraints(supportedAlgorithms); 142 } 143 this.userSpecifiedConstraints = configuredConstraints; 144 this.peerSpecifiedConstraints = negotiatedConstraints; 145 this.enabledX509DisabledAlgConstraints = withDefaultCertPathConstraints; 146 } 147 148 @Override 149 public boolean permits(Set<CryptoPrimitive> primitives, 150 String algorithm, AlgorithmParameters parameters) { 151 152 boolean permitted = true; 153 154 if (peerSpecifiedConstraints != null) { 155 permitted = peerSpecifiedConstraints.permits( 156 primitives, algorithm, parameters); 157 } 158 159 if (permitted && userSpecifiedConstraints != null) { 160 permitted = userSpecifiedConstraints.permits( 161 primitives, algorithm, parameters); 162 } 163 164 if (permitted) { 165 permitted = tlsDisabledAlgConstraints.permits( 166 primitives, algorithm, parameters); 167 } 168 169 if (permitted && enabledX509DisabledAlgConstraints) { 170 permitted = x509DisabledAlgConstraints.permits( 171 primitives, algorithm, parameters); 172 } 173 174 return permitted; 175 } 176 177 @Override 178 public boolean permits(Set<CryptoPrimitive> primitives, Key key) { 179 180 boolean permitted = true; 181 182 if (peerSpecifiedConstraints != null) { 183 permitted = peerSpecifiedConstraints.permits(primitives, key); 184 } 185 186 if (permitted && userSpecifiedConstraints != null) { 187 permitted = userSpecifiedConstraints.permits(primitives, key); 188 } 189 190 if (permitted) { 191 permitted = tlsDisabledAlgConstraints.permits(primitives, key); 192 } 193 194 if (permitted && enabledX509DisabledAlgConstraints) { 195 permitted = x509DisabledAlgConstraints.permits(primitives, key); 196 } 197 198 return permitted; 199 } 200 201 @Override 202 public boolean permits(Set<CryptoPrimitive> primitives, 203 String algorithm, Key key, AlgorithmParameters parameters) { 204 205 boolean permitted = true; 206 207 if (peerSpecifiedConstraints != null) { 208 permitted = peerSpecifiedConstraints.permits( 209 primitives, algorithm, key, parameters); 210 } 211 212 if (permitted && userSpecifiedConstraints != null) { 213 permitted = userSpecifiedConstraints.permits( 214 primitives, algorithm, key, parameters); 215 } 216 217 if (permitted) { 218 permitted = tlsDisabledAlgConstraints.permits( 219 primitives, algorithm, key, parameters); 220 } 221 222 if (permitted && enabledX509DisabledAlgConstraints) { 223 permitted = x509DisabledAlgConstraints.permits( 224 primitives, algorithm, key, parameters); 225 } 226 227 return permitted; 228 } 229 230 231 private static class SupportedSignatureAlgorithmConstraints 232 implements AlgorithmConstraints { 233 // supported signature algorithms |