Mercurial > hg > openjdk > jdk8u > jdk
view src/share/classes/sun/security/ssl/CertificateAuthoritiesExtension.java @ 14455:821ac4be0e8f
8206925: Support the certificate_authorities extension
Reviewed-by: mullan
| author | xuelei |
|---|---|
| date | Wed, 27 May 2020 09:46:40 -0700 |
| parents | |
| children |
line wrap: on
line source
/* * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * version 2 for more details (a copy is included in the LICENSE file that * accompanied this code). * * You should have received a copy of the GNU General Public License version * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA * or visit www.oracle.com if you need additional information or have any * questions. */ package sun.security.ssl; import java.io.IOException; import java.nio.ByteBuffer; import java.security.cert.X509Certificate; import java.text.MessageFormat; import java.util.*; import javax.net.ssl.SSLProtocolException; import javax.security.auth.x500.X500Principal; import sun.security.ssl.SSLExtension.ExtensionConsumer; import sun.security.ssl.SSLExtension.SSLExtensionSpec; import sun.security.ssl.SSLHandshake.HandshakeMessage; /** * Pack of the "certificate_authorities" extensions. */ final class CertificateAuthoritiesExtension { static final HandshakeProducer chNetworkProducer = new CHCertificateAuthoritiesProducer(); static final ExtensionConsumer chOnLoadConsumer = new CHCertificateAuthoritiesConsumer(); static final HandshakeProducer crNetworkProducer = new CRCertificateAuthoritiesProducer(); static final ExtensionConsumer crOnLoadConsumer = new CRCertificateAuthoritiesConsumer(); static final SSLStringizer ssStringizer = new CertificateAuthoritiesStringizer(); /** * The "certificate_authorities" extension. */ static final class CertificateAuthoritiesSpec implements SSLExtensionSpec { final List<byte[]> authorities; // certificate authorities private CertificateAuthoritiesSpec(List<byte[]> authorities) { this.authorities = authorities; } private CertificateAuthoritiesSpec(ByteBuffer m) throws IOException { if (m.remaining() < 3) { // 2: the length of the list // 1: at least one byte authorities throw new SSLProtocolException( "Invalid certificate_authorities extension: " + "insufficient data"); } int listLen = Record.getInt16(m); if (listLen == 0) { throw new SSLProtocolException( "Invalid certificate_authorities extension: " + "no certificate authorities"); } if (listLen > m.remaining()) { throw new SSLProtocolException( "Invalid certificate_authorities extension: " + "insufficient data"); } this.authorities = new LinkedList<>(); while (listLen > 0) { // opaque DistinguishedName<1..2^16-1>; byte[] encoded = Record.getBytes16(m); listLen -= (2 + encoded.length); authorities.add(encoded); } } private static List<byte[]> getEncodedAuthorities( X509Certificate[] trustedCerts) { List<byte[]> authorities = new ArrayList<>(trustedCerts.length); int sizeAccount = 0; for (X509Certificate cert : trustedCerts) { X500Principal x500Principal = cert.getSubjectX500Principal(); byte[] encodedPrincipal = x500Principal.getEncoded(); sizeAccount += encodedPrincipal.length; if (sizeAccount > 0xFFFF) { // the size limit of this extension // If there too many trusts CAs such that they exceed the // size limit of the extension, enabling this extension // does not really make sense as there is no way to // indicate the peer certificate selection accurately. // In such cases, the extension is just ignored, rather // than fatal close, for better compatibility and // interoperability. return Collections.emptyList(); } if (encodedPrincipal.length != 0) { authorities.add(encodedPrincipal); } } return authorities; } X500Principal[] getAuthorities() { X500Principal[] principals = new X500Principal[authorities.size()]; int i = 0; for (byte[] encoded : authorities) { principals[i++] = new X500Principal(encoded); } return principals; } @Override public String toString() { MessageFormat messageFormat = new MessageFormat( "\"certificate authorities\": '['\n{0}']'", Locale.ENGLISH); StringBuilder builder = new StringBuilder(512); for (byte[] encoded : authorities) { X500Principal principal = new X500Principal(encoded); builder.append(principal.toString()); builder.append("\n"); } Object[] messageFields = { Utilities.indent(builder.toString()) }; return messageFormat.format(messageFields); } } private static final class CertificateAuthoritiesStringizer implements SSLStringizer { @Override public String toString(ByteBuffer buffer) { try { return (new CertificateAuthoritiesSpec(buffer)) .toString(); } catch (IOException ioe) { // For debug logging only, so please swallow exceptions. return ioe.getMessage(); } } } /** * Network data producer of a "certificate_authorities" extension in * the ClientHello handshake message. */ private static final class CHCertificateAuthoritiesProducer implements HandshakeProducer { // Prevent instantiation of this class. private CHCertificateAuthoritiesProducer() { // blank } @Override public byte[] produce(ConnectionContext context, HandshakeMessage message) throws IOException { // The producing happens in client side only. ClientHandshakeContext chc = (ClientHandshakeContext)context; // Is it a supported and enabled extension? if (!chc.sslConfig.isAvailable( SSLExtension.CH_CERTIFICATE_AUTHORITIES)) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Ignore unavailable " + "certificate_authorities extension"); } return null; // ignore the extension } // Produce the extension. X509Certificate[] caCerts = chc.sslContext.getX509TrustManager().getAcceptedIssuers(); if (caCerts.length == 0) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "No available certificate authorities"); } return null; // ignore the extension } List<byte[]> encodedCAs = CertificateAuthoritiesSpec.getEncodedAuthorities(caCerts); if (encodedCAs.isEmpty()) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.warning( "The number of CAs exceeds the maximum size" + "of the certificate_authorities extension"); } return null; // ignore the extension } CertificateAuthoritiesSpec spec = new CertificateAuthoritiesSpec(encodedCAs); int vectorLen = 0; for (byte[] encoded : spec.authorities) { vectorLen += encoded.length + 2; } byte[] extData = new byte[vectorLen + 2]; ByteBuffer m = ByteBuffer.wrap(extData); Record.putInt16(m, vectorLen); for (byte[] encoded : spec.authorities) { Record.putBytes16(m, encoded); } // Update the context. chc.handshakeExtensions.put( SSLExtension.CH_CERTIFICATE_AUTHORITIES, spec); return extData; } } /** * Network data consumer of a "certificate_authorities" extension in * the ClientHello handshake message. */ private static final class CHCertificateAuthoritiesConsumer implements ExtensionConsumer { // Prevent instantiation of this class. private CHCertificateAuthoritiesConsumer() { // blank } @Override public void consume(ConnectionContext context, HandshakeMessage message, ByteBuffer buffer) throws IOException { // The consuming happens in server side only. ServerHandshakeContext shc = (ServerHandshakeContext)context; // Is it a supported and enabled extension? if (!shc.sslConfig.isAvailable( SSLExtension.CH_CERTIFICATE_AUTHORITIES)) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Ignore unavailable " + "certificate_authorities extension"); } return; // ignore the extension } // Parse the extension. CertificateAuthoritiesSpec spec = new CertificateAuthoritiesSpec(buffer); // Update the context. shc.peerSupportedAuthorities = spec.getAuthorities(); shc.handshakeExtensions.put( SSLExtension.CH_CERTIFICATE_AUTHORITIES, spec); // No impact on session resumption. } } /** * Network data producer of a "certificate_authorities" extension in * the CertificateRequest handshake message. */ private static final class CRCertificateAuthoritiesProducer implements HandshakeProducer { // Prevent instantiation of this class. private CRCertificateAuthoritiesProducer() { // blank } @Override public byte[] produce(ConnectionContext context, HandshakeMessage message) throws IOException { // The producing happens in server side only. ServerHandshakeContext shc = (ServerHandshakeContext)context; // Is it a supported and enabled extension? if (!shc.sslConfig.isAvailable( SSLExtension.CR_CERTIFICATE_AUTHORITIES)) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Ignore unavailable " + "certificate_authorities extension"); } return null; // ignore the extension } // Produce the extension. X509Certificate[] caCerts = shc.sslContext.getX509TrustManager().getAcceptedIssuers(); if (caCerts.length == 0) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "No available certificate authorities"); } return null; // ignore the extension } List<byte[]> encodedCAs = CertificateAuthoritiesSpec.getEncodedAuthorities(caCerts); if (encodedCAs.isEmpty()) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.warning( "Too many certificate authorities to use " + "the certificate_authorities extension"); } return null; // ignore the extension } CertificateAuthoritiesSpec spec = new CertificateAuthoritiesSpec(encodedCAs); int vectorLen = 0; for (byte[] encoded : spec.authorities) { vectorLen += encoded.length + 2; } byte[] extData = new byte[vectorLen + 2]; ByteBuffer m = ByteBuffer.wrap(extData); Record.putInt16(m, vectorLen); for (byte[] encoded : spec.authorities) { Record.putBytes16(m, encoded); } // Update the context. shc.handshakeExtensions.put( SSLExtension.CR_CERTIFICATE_AUTHORITIES, spec); return extData; } } /** * Network data consumer of a "certificate_authorities" extension in * the CertificateRequest handshake message. */ private static final class CRCertificateAuthoritiesConsumer implements ExtensionConsumer { // Prevent instantiation of this class. private CRCertificateAuthoritiesConsumer() { // blank } @Override public void consume(ConnectionContext context, HandshakeMessage message, ByteBuffer buffer) throws IOException { // The consuming happens in client side only. ClientHandshakeContext chc = (ClientHandshakeContext)context; // Is it a supported and enabled extension? if (!chc.sslConfig.isAvailable( SSLExtension.CR_CERTIFICATE_AUTHORITIES)) { if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { SSLLogger.fine( "Ignore unavailable " + "certificate_authorities extension"); } return; // ignore the extension } // Parse the extension. CertificateAuthoritiesSpec spec = new CertificateAuthoritiesSpec(buffer); // Update the context. chc.peerSupportedAuthorities = spec.getAuthorities(); chc.handshakeExtensions.put( SSLExtension.CR_CERTIFICATE_AUTHORITIES, spec); // No impact on session resumption. } } }