1 /*
2 * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
115
116 // TLS key exchange algorithms requiring keyAgreement key usage
117 private final static Collection<String> KU_SERVER_KEY_AGREEMENT =
118 Arrays.asList("DH_DSS", "DH_RSA", "ECDH_ECDSA", "ECDH_RSA");
119
120 // variant of this end entity cert checker
121 private final String variant;
122
123 // type of the validator this checker belongs to
124 private final String type;
125
126 private EndEntityChecker(String type, String variant) {
127 this.type = type;
128 this.variant = variant;
129 }
130
131 static EndEntityChecker getInstance(String type, String variant) {
132 return new EndEntityChecker(type, variant);
133 }
134
135 void check(X509Certificate cert, Object parameter,
136 boolean checkUnresolvedCritExts) throws CertificateException {
137 if (variant.equals(Validator.VAR_GENERIC)) {
138 return; // no checks
139 }
140
141 Set<String> exts = getCriticalExtensions(cert);
142 if (variant.equals(Validator.VAR_TLS_SERVER)) {
143 checkTLSServer(cert, (String)parameter, exts);
144 } else if (variant.equals(Validator.VAR_TLS_CLIENT)) {
145 checkTLSClient(cert, exts);
146 } else if (variant.equals(Validator.VAR_CODE_SIGNING)) {
147 checkCodeSigning(cert, exts);
148 } else if (variant.equals(Validator.VAR_JCE_SIGNING)) {
149 checkCodeSigning(cert, exts);
150 } else if (variant.equals(Validator.VAR_PLUGIN_CODE_SIGNING)) {
151 checkCodeSigning(cert, exts);
152 } else if (variant.equals(Validator.VAR_TSA_SERVER)) {
153 checkTSAServer(cert, exts);
154 } else {
155 throw new CertificateException("Unknown variant: " + variant);
156 }
157
158 // if neither VAR_GENERIC variant nor unknown variant
159 if (checkUnresolvedCritExts) {
160 checkRemainingExtensions(exts);
161 }
162 }
163
164 /**
165 * Utility method returning the Set of critical extensions for
166 * certificate cert (never null).
167 */
168 private Set<String> getCriticalExtensions(X509Certificate cert) {
169 Set<String> exts = cert.getCriticalExtensionOIDs();
170 if (exts == null) {
171 exts = Collections.emptySet();
172 }
173 return exts;
174 }
175
176 /**
177 * Utility method checking if there are any unresolved critical extensions.
178 * @throws CertificateException if so.
179 */
180 private void checkRemainingExtensions(Set<String> exts)
181 throws CertificateException {
1 /*
2 * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
4 *
5 * This code is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License version 2 only, as
7 * published by the Free Software Foundation. Oracle designates this
8 * particular file as subject to the "Classpath" exception as provided
9 * by Oracle in the LICENSE file that accompanied this code.
10 *
11 * This code is distributed in the hope that it will be useful, but WITHOUT
12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * version 2 for more details (a copy is included in the LICENSE file that
15 * accompanied this code).
16 *
17 * You should have received a copy of the GNU General Public License version
18 * 2 along with this work; if not, write to the Free Software Foundation,
19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
20 *
21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
22 * or visit www.oracle.com if you need additional information or have any
115
116 // TLS key exchange algorithms requiring keyAgreement key usage
117 private final static Collection<String> KU_SERVER_KEY_AGREEMENT =
118 Arrays.asList("DH_DSS", "DH_RSA", "ECDH_ECDSA", "ECDH_RSA");
119
120 // variant of this end entity cert checker
121 private final String variant;
122
123 // type of the validator this checker belongs to
124 private final String type;
125
126 private EndEntityChecker(String type, String variant) {
127 this.type = type;
128 this.variant = variant;
129 }
130
131 static EndEntityChecker getInstance(String type, String variant) {
132 return new EndEntityChecker(type, variant);
133 }
134
135 void check(X509Certificate[] chain, Object parameter,
136 boolean checkUnresolvedCritExts)
137 throws CertificateException {
138 if (variant.equals(Validator.VAR_GENERIC)) {
139 return; // no checks
140 }
141
142 Set<String> exts = getCriticalExtensions(chain[0]);
143 if (variant.equals(Validator.VAR_TLS_SERVER)) {
144 checkTLSServer(chain[0], (String)parameter, exts);
145 } else if (variant.equals(Validator.VAR_TLS_CLIENT)) {
146 checkTLSClient(chain[0], exts);
147 } else if (variant.equals(Validator.VAR_CODE_SIGNING)) {
148 checkCodeSigning(chain[0], exts);
149 } else if (variant.equals(Validator.VAR_JCE_SIGNING)) {
150 checkCodeSigning(chain[0], exts);
151 } else if (variant.equals(Validator.VAR_PLUGIN_CODE_SIGNING)) {
152 checkCodeSigning(chain[0], exts);
153 } else if (variant.equals(Validator.VAR_TSA_SERVER)) {
154 checkTSAServer(chain[0], exts);
155 } else {
156 throw new CertificateException("Unknown variant: " + variant);
157 }
158
159 // if neither VAR_GENERIC variant nor unknown variant
160 if (checkUnresolvedCritExts) {
161 checkRemainingExtensions(exts);
162 }
163
164 // check if certificate should be distrusted according to policies
165 // set in the jdk.security.caDistrustPolicies security property
166 for (CADistrustPolicy policy : CADistrustPolicy.POLICIES) {
167 policy.checkDistrust(variant, chain);
168 }
169 }
170
171 /**
172 * Utility method returning the Set of critical extensions for
173 * certificate cert (never null).
174 */
175 private Set<String> getCriticalExtensions(X509Certificate cert) {
176 Set<String> exts = cert.getCriticalExtensionOIDs();
177 if (exts == null) {
178 exts = Collections.emptySet();
179 }
180 return exts;
181 }
182
183 /**
184 * Utility method checking if there are any unresolved critical extensions.
185 * @throws CertificateException if so.
186 */
187 private void checkRemainingExtensions(Set<String> exts)
188 throws CertificateException {
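Review bot: The new `check` signature indexes `chain[0]` throughout the variant dispatch without verifying that `chain` is non-null and non-empty, so a malformed input fails with an ArrayIndexOutOfBoundsException rather than the CertificateException callers are written to catch; a guard at the top of the method, `if (chain == null || chain.length == 0) throw new CertificateException("Certificate chain is empty");`, keeps the failure mode consistent, or, if every caller is known to guarantee a non-empty chain, a comment stating that precondition would do. The early `return` for VAR_GENERIC now also bypasses the CADistrustPolicy loop appended at the end of the method, which the existing `// no checks` comment does not make explicit; `// no checks, including CA distrust policies` would make the ordering read as intentional. The method still has no Javadoc: a header with `@param chain the certificate chain, leaf (end-entity) certificate first; the full chain is passed to the distrust policies` and `@throws CertificateException if the end-entity certificate fails the variant-specific checks or a distrust policy` would document the contract the new parameter introduces.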