
src/share/classes/sun/security/validator/EndEntityChecker.java

rev 13454 : 8207258: Distrust TLS server certificates anchored by Symantec Root CAs
Reviewed-by: shade
rev 13455 : 8216280: Allow later Symantec Policy distrust date for two Apple SubCAs
Reviewed-by: shade
   1 /*
   2  * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any


 115 
 116     // TLS key exchange algorithms requiring keyAgreement key usage
 117     private final static Collection<String> KU_SERVER_KEY_AGREEMENT =
 118         Arrays.asList("DH_DSS", "DH_RSA", "ECDH_ECDSA", "ECDH_RSA");
 119 
 120     // variant of this end entity cert checker
 121     private final String variant;
 122 
 123     // type of the validator this checker belongs to
 124     private final String type;
 125 
 126     private EndEntityChecker(String type, String variant) {
 127         this.type = type;
 128         this.variant = variant;
 129     }
 130 
 131     static EndEntityChecker getInstance(String type, String variant) {
 132         return new EndEntityChecker(type, variant);
 133     }
 134 
 135     void check(X509Certificate cert, Object parameter,
 136             boolean checkUnresolvedCritExts) throws CertificateException {

 137         if (variant.equals(Validator.VAR_GENERIC)) {
 138             return; // no checks
 139         }
 140 
 141         Set<String> exts = getCriticalExtensions(cert);
 142         if (variant.equals(Validator.VAR_TLS_SERVER)) {
 143             checkTLSServer(cert, (String)parameter, exts);
 144         } else if (variant.equals(Validator.VAR_TLS_CLIENT)) {
 145             checkTLSClient(cert, exts);
 146         } else if (variant.equals(Validator.VAR_CODE_SIGNING)) {
 147             checkCodeSigning(cert, exts);
 148         } else if (variant.equals(Validator.VAR_JCE_SIGNING)) {
 149             checkCodeSigning(cert, exts);
 150         } else if (variant.equals(Validator.VAR_PLUGIN_CODE_SIGNING)) {
 151             checkCodeSigning(cert, exts);
 152         } else if (variant.equals(Validator.VAR_TSA_SERVER)) {
 153             checkTSAServer(cert, exts);
 154         } else {
 155             throw new CertificateException("Unknown variant: " + variant);
 156         }
 157 
 158         // if neither VAR_GENERIC variant nor unknown variant
 159         if (checkUnresolvedCritExts) {
 160             checkRemainingExtensions(exts);
 161         }






 162     }
 163 
 164     /**
 165      * Utility method returning the Set of critical extensions for
 166      * certificate cert (never null).
 167      */
 168     private Set<String> getCriticalExtensions(X509Certificate cert) {
 169         Set<String> exts = cert.getCriticalExtensionOIDs();
 170         if (exts == null) {
 171             exts = Collections.emptySet();
 172         }
 173         return exts;
 174     }
 175 
 176     /**
 177      * Utility method checking if there are any unresolved critical extensions.
 178      * @throws CertificateException if so.
 179      */
 180     private void checkRemainingExtensions(Set<String> exts)
 181             throws CertificateException {


   1 /*
   2  * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
   3  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
   4  *
   5  * This code is free software; you can redistribute it and/or modify it
   6  * under the terms of the GNU General Public License version 2 only, as
   7  * published by the Free Software Foundation.  Oracle designates this
   8  * particular file as subject to the "Classpath" exception as provided
   9  * by Oracle in the LICENSE file that accompanied this code.
  10  *
  11  * This code is distributed in the hope that it will be useful, but WITHOUT
  12  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  13  * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * version 2 for more details (a copy is included in the LICENSE file that
  15  * accompanied this code).
  16  *
  17  * You should have received a copy of the GNU General Public License version
  18  * 2 along with this work; if not, write to the Free Software Foundation,
  19  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
  20  *
  21  * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
  22  * or visit www.oracle.com if you need additional information or have any


 115 
 116     // TLS key exchange algorithms requiring keyAgreement key usage
 117     private final static Collection<String> KU_SERVER_KEY_AGREEMENT =
 118         Arrays.asList("DH_DSS", "DH_RSA", "ECDH_ECDSA", "ECDH_RSA");
 119 
 120     // variant of this end entity cert checker
 121     private final String variant;
 122 
 123     // type of the validator this checker belongs to
 124     private final String type;
 125 
 126     private EndEntityChecker(String type, String variant) {
 127         this.type = type;
 128         this.variant = variant;
 129     }
 130 
 131     static EndEntityChecker getInstance(String type, String variant) {
 132         return new EndEntityChecker(type, variant);
 133     }
 134 
 135     void check(X509Certificate[] chain, Object parameter,
 136             boolean checkUnresolvedCritExts)
 137             throws CertificateException {
 138         if (variant.equals(Validator.VAR_GENERIC)) {
 139             return; // no checks
 140         }
 141 
 142         Set<String> exts = getCriticalExtensions(chain[0]);
 143         if (variant.equals(Validator.VAR_TLS_SERVER)) {
 144             checkTLSServer(chain[0], (String)parameter, exts);
 145         } else if (variant.equals(Validator.VAR_TLS_CLIENT)) {
 146             checkTLSClient(chain[0], exts);
 147         } else if (variant.equals(Validator.VAR_CODE_SIGNING)) {
 148             checkCodeSigning(chain[0], exts);
 149         } else if (variant.equals(Validator.VAR_JCE_SIGNING)) {
 150             checkCodeSigning(chain[0], exts);
 151         } else if (variant.equals(Validator.VAR_PLUGIN_CODE_SIGNING)) {
 152             checkCodeSigning(chain[0], exts);
 153         } else if (variant.equals(Validator.VAR_TSA_SERVER)) {
 154             checkTSAServer(chain[0], exts);
 155         } else {
 156             throw new CertificateException("Unknown variant: " + variant);
 157         }
 158 
 159         // if neither VAR_GENERIC variant nor unknown variant
 160         if (checkUnresolvedCritExts) {
 161             checkRemainingExtensions(exts);
 162         }
 163 
 164         // check if certificate should be distrusted according to policies
 165         // set in the jdk.security.caDistrustPolicies security property
 166         for (CADistrustPolicy policy : CADistrustPolicy.POLICIES) {
 167             policy.checkDistrust(variant, chain);
 168         }
 169     }
 170 
 171     /**
 172      * Utility method returning the Set of critical extensions for
 173      * certificate cert (never null).
 174      */
 175     private Set<String> getCriticalExtensions(X509Certificate cert) {
 176         Set<String> exts = cert.getCriticalExtensionOIDs();
 177         if (exts == null) {
 178             exts = Collections.emptySet();
 179         }
 180         return exts;
 181     }
 182 
 183     /**
 184      * Utility method checking if there are any unresolved critical extensions.
 185      * @throws CertificateException if so.
 186      */
 187     private void checkRemainingExtensions(Set<String> exts)
 188             throws CertificateException {
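Review bot: In the new `check(X509Certificate[] chain, ...)`, `chain[0]` is indexed at gutter lines 142–154 with no null or length guard, so a caller handing over an empty array fails with an ArrayIndexOutOfBoundsException instead of the CertificateException the signature advertises. If Validator does not already guarantee a non-empty chain before delegating here (not visible on this page), add at the top of the method `if (chain == null || chain.length == 0) { throw new CertificateException("Empty certificate chain"); }`. The new parameter is also undocumented, and since every variant-specific check and the CADistrustPolicy loop rely on position 0 being the end-entity certificate, the method deserves a short Javadoc stating that `chain` is ordered leaf-first and that the distrust policies are evaluated only after the variant-specific checks pass and are skipped entirely for VAR_GENERIC. The same `chain[0]` pattern appears in the old listing's `cert` parameter equivalent, so this is a pre-existing gap that the new array parameter makes more visible rather than one the commit introduced.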

