--- /dev/null 2019-02-27 13:47:01.000000000 -0800 +++ new/src/share/classes/sun/security/validator/CADistrustPolicy.java 2019-02-27 13:47:01.000000000 -0800 @@ -0,0 +1,105 @@ +/* + * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ +package sun.security.validator; + +import java.security.AccessController; +import java.security.PrivilegedAction; +import java.security.Security; +import java.security.cert.X509Certificate; +import java.util.EnumSet; + +import sun.security.util.Debug; + +/** + * Policies for distrusting a certificate authority (CA). See the + * jdk.security.caDistrustPolicies security property for more information. + */ +enum CADistrustPolicy { + /** + * Distrust TLS Server certificates anchored by a Symantec root CA and + * issued after April 16, 2019 (with exceptions for a couple of subordinate + * CAs, see the jdk.security.caDistrustPolicies definition in the + * java.security file for more details). If enabled, this policy is + * currently enforced by the PKIX and SunX509 TrustManager implementations + * of the SunJSSE provider implementation. + */ + SYMANTEC_TLS { + void checkDistrust(String variant, X509Certificate[] chain) + throws ValidatorException { + if (!variant.equals(Validator.VAR_TLS_SERVER)) { + return; + } + SymantecTLSPolicy.checkDistrust(chain); + } + }; + + /** + * Checks if the end-entity certificate is distrusted. + * + * @param variant the type of certificate being checked + * @param chain the end-entity's certificate chain. The end entity cert + * is at index 0, the trust anchor at index n-1. + * @throws ValidatorException if the end-entity certificate is distrusted + */ + abstract void checkDistrust(String variant, + X509Certificate[] chain) + throws ValidatorException; + + // The policies set in the jdk.security.caDistrustPolicies property. + static final EnumSet POLICIES = parseProperty(); + private static EnumSet parseProperty() { + String property = AccessController.doPrivileged( + new PrivilegedAction() { + @Override + public String run() { + return Security.getProperty( + "jdk.security.caDistrustPolicies"); + } + }); + EnumSet set = EnumSet.noneOf(CADistrustPolicy.class); + // if property is null or empty, the restrictions are not enforced + if (property == null || property.isEmpty()) { + return set; + } + String[] policies = property.split(","); + for (String policy : policies) { + policy = policy.trim(); + try { + CADistrustPolicy caPolicy = + Enum.valueOf(CADistrustPolicy.class, policy); + set.add(caPolicy); + } catch (IllegalArgumentException iae) { + // ignore unknown values but log it + Debug debug = Debug.getInstance("certpath"); + if (debug != null) { + debug.println("Unknown value for the " + + "jdk.security.caDistrustPolicies property: " + + policy); + } + } + } + return set; + } +}