1 /*
2 * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
23 * questions.
24 */
25 package sun.security.validator;
26
27 import java.security.AccessController;
28 import java.security.PrivilegedAction;
29 import java.security.Security;
30 import java.security.cert.X509Certificate;
31 import java.util.EnumSet;
32
33 import sun.security.util.Debug;
34
35 /**
36 * Policies for distrusting a certificate authority (CA). See the
37 * jdk.security.caDistrustPolicies security property for more information.
38 */
39 enum CADistrustPolicy {
40 /**
41 * Distrust TLS Server certificates anchored by a Symantec root CA and
42 * issued after April 16, 2019 (with exceptions for a couple of subordinate
43 * CAs, see the jdk.security.caDistrustPolicies definition in the
44 * java.security file for more details). If enabled, this policy is
45 * currently enforced by the PKIX and SunX509 TrustManager implementations
46 * of the SunJSSE provider implementation.
47 */
48 SYMANTEC_TLS {
49 void checkDistrust(String variant, X509Certificate[] chain)
50 throws ValidatorException {
51 if (!variant.equals(Validator.VAR_TLS_SERVER)) {
52 return;
53 }
54 SymantecTLSPolicy.checkDistrust(chain);
55 }
56 };
57
58 /**
59 * Checks if the end-entity certificate is distrusted.
60 *
61 * @param variant the type of certificate being checked
62 * @param chain the end-entity's certificate chain. The end entity cert
63 * is at index 0, the trust anchor at index n-1.
64 * @throws ValidatorException if the end-entity certificate is distrusted
65 */
66 abstract void checkDistrust(String variant,
67 X509Certificate[] chain)
68 throws ValidatorException;
69
70 // The policies set in the jdk.security.caDistrustPolicies property.
71 static final EnumSet<CADistrustPolicy> POLICIES = parseProperty();
72 private static EnumSet<CADistrustPolicy> parseProperty() {
73 String property = AccessController.doPrivileged(
74 new PrivilegedAction<String>() {
75 @Override
76 public String run() {
77 return Security.getProperty(
78 "jdk.security.caDistrustPolicies");
79 }
80 });
81 EnumSet<CADistrustPolicy> set = EnumSet.noneOf(CADistrustPolicy.class);
82 // if property is null or empty, the restrictions are not enforced
83 if (property == null || property.isEmpty()) {
84 return set;
85 }
86 String[] policies = property.split(",");
87 for (String policy : policies) {
88 policy = policy.trim();
89 try {
90 CADistrustPolicy caPolicy =
91 Enum.valueOf(CADistrustPolicy.class, policy);
92 set.add(caPolicy);
93 } catch (IllegalArgumentException iae) {
94 // ignore unknown values but log it
95 Debug debug = Debug.getInstance("certpath");
96 if (debug != null) {
97 debug.println("Unknown value for the " +
98 "jdk.security.caDistrustPolicies property: "
99 + policy);
100 }
101 }
102 }
103 return set;
104 }
105 }