changeset 12143:3bc671481026 jdk8u121-b06
8154015: Apply algorithm constraints to timestamped code
Reviewed-by: ascarpino
author | robm |
---|---|
date | Wed, 12 Oct 2016 13:29:35 +0100 |
parents | 5b2b1dadd53c |
children | 8a6bb113ff3a |
files | src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java src/share/classes/sun/security/provider/certpath/PKIX.java src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java src/share/classes/sun/security/util/CertConstraintParameters.java src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java src/share/classes/sun/security/validator/PKIXValidator.java src/share/classes/sun/security/validator/Validator.java |
diffstat | 7 files changed, 93 insertions(+), 30 deletions(-) [+] |
--- a/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java Thu Oct 20 18:16:35 2016 +0100
+++ b/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java Wed Oct 12 13:29:35 2016 +0100
@@ -27,6 +27,7 @@
 import java.security.AlgorithmConstraints;
 import java.security.CryptoPrimitive;
+import java.security.Timestamp;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.Date;
@@ -77,6 +78,7 @@
 private final PublicKey trustedPubKey;
 private final Date pkixdate;
 private PublicKey prevPubKey;
+ private final Timestamp jarTimestamp;
 private final static Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
@@ -142,6 +144,29 @@
 this.trustedPubKey = null;
 this.constraints = constraints;
 this.pkixdate = null;
+ this.jarTimestamp = null;
+ }
+
+ /**
+ * Create a new {@code AlgorithmChecker} with the given
+ * {@code Timestamp}.
+ * <p>
+ * Note that this constructor will be used to check a certification
+ * path for signed JAR files that are timestamped.
+ *
+ * @param jarTimestamp Timestamp passed for JAR timestamp constraint
+ * checking. Set to null if not applicable.
+ */
+ public AlgorithmChecker(Timestamp jarTimestamp) {
+ this.prevPubKey = null;
+ this.trustedPubKey = null;
+ this.constraints = certPathDefaultConstraints;
+ if (jarTimestamp == null) {
+ throw new IllegalArgumentException(
+ "Timestamp cannot be null");
+ }
+ this.pkixdate = jarTimestamp.getTimestamp();
+ this.jarTimestamp = jarTimestamp;
 }
 /**
@@ -179,6 +204,7 @@
 this.prevPubKey = trustedPubKey;
 this.constraints = constraints;
 this.pkixdate = pkixdate;
+ this.jarTimestamp = null;
 }
 /**
@@ -209,6 +235,10 @@
 return AnchorCertificates.contains(cert);
 }
+ Timestamp getJarTimestamp() {
+ return jarTimestamp;
+ }
+
 @Override
 public void init(boolean forward) throws CertPathValidatorException {
 // Note that this class does not support forward mode.
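Review bot: The Javadoc on the new `AlgorithmChecker(Timestamp jarTimestamp)` constructor (hunk `@@ -142,6 +144,29 @@`) tells callers "Set to null if not applicable", but the body throws `IllegalArgumentException("Timestamp cannot be null")` for exactly that input, so the documented contract is the opposite of what the code enforces. Replace the last `@param` sentence with `Must not be null.` and add `@throws IllegalArgumentException if {@code jarTimestamp} is null`. As a point of style, the null check sits after three field assignments; moving `if (jarTimestamp == null) { throw new IllegalArgumentException("Timestamp cannot be null"); }` to the first statement keeps the fail-fast guard where a reader expects it, and the `final` fields are still definitely assigned on the non-throwing path.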
@@ -296,8 +326,7 @@
 // permits() will throw exception on failure.
 certPathDefaultConstraints.permits(primitives, new CertConstraintParameters((X509Certificate)cert,
- trustedMatch, pkixdate));
- // new CertConstraintParameters(x509Cert, trustedMatch));
+ trustedMatch, pkixdate, jarTimestamp));
 // If there is no previous key, set one and exit
 if (prevPubKey == null) {
 prevPubKey = currPubKey;
@@ -442,7 +471,7 @@
 * Check the signature algorithm with the specified public key.
 *
 * @param key the public key to verify the CRL signature
- * @param crl the target CRL
+ * @param algorithmId signature algorithm Algorithm ID
 */
 static void check(PublicKey key, AlgorithmId algorithmId) throws CertPathValidatorException {
--- a/src/share/classes/sun/security/provider/certpath/PKIX.java Thu Oct 20 18:16:35 2016 +0100
+++ b/src/share/classes/sun/security/provider/certpath/PKIX.java Wed Oct 12 13:29:35 2016 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,7 @@
 import java.security.InvalidAlgorithmParameterException;
 import java.security.PublicKey;
+import java.security.Timestamp;
 import java.security.cert.*;
 import java.security.interfaces.DSAPublicKey;
 import java.util.*;
@@ -85,6 +86,7 @@
 private CertSelector constraints;
 private Set<TrustAnchor> anchors;
 private List<X509Certificate> certs;
+ private Timestamp timestamp;
 ValidatorParams(CertPath cp, PKIXParameters params) throws InvalidAlgorithmParameterException
@@ -100,6 +102,10 @@
 ValidatorParams(PKIXParameters params) throws InvalidAlgorithmParameterException {
+ if (params instanceof PKIXTimestampParameters) {
+ timestamp = ((PKIXTimestampParameters) params).getTimestamp();
+ }
+
 this.anchors = params.getTrustAnchors();
 // Make sure that none of the trust anchors include name constraints
 // (not supported).
@@ -189,6 +195,10 @@
 PKIXParameters getPKIXParameters() {
 return params;
 }
+
+ Timestamp timestamp() {
+ return timestamp;
+ }
 }
 static class BuilderParams extends ValidatorParams {
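Review bot: In hunk `@@ -100,6 +102,10 @@` the `timestamp` field is assigned only inside the `instanceof PKIXTimestampParameters` branch and otherwise stays null, which is the "no timestamp" signal that PKIXCertPathValidator relies on in this changeset, but nothing documents that; a comment on the field in hunk `@@ -85,6 +86,7 @@` such as `// JAR signing timestamp, or null when params is not a PKIXTimestampParameters` would make the null return of `timestamp()` explicit for callers. The other constructor, `ValidatorParams(CertPath cp, PKIXParameters params)`, begins in that hunk but its body is outside the diff; if it does not delegate to this constructor, a `PKIXTimestampParameters` passed through it would be silently ignored — worth confirming. If every path does go through this constructor, `private final Timestamp timestamp;` together with `timestamp = (params instanceof PKIXTimestampParameters) ? ((PKIXTimestampParameters) params).getTimestamp() : null;` records that the value is fixed at construction.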
--- a/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java Thu Oct 20 18:16:35 2016 +0100
+++ b/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java Wed Oct 12 13:29:35 2016 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -172,7 +172,11 @@
 List<PKIXCertPathChecker> certPathCheckers = new ArrayList<>();
 // add standard checkers that we will be using
 certPathCheckers.add(untrustedChecker);
+ if (params.timestamp() == null) {
 certPathCheckers.add(new AlgorithmChecker(anchor, params.date()));
+ } else {
+ certPathCheckers.add(new AlgorithmChecker(params.timestamp()));
+ }
 certPathCheckers.add(new KeyChecker(certPathLen, params.targetCertConstraints()));
 certPathCheckers.add(new ConstraintsChecker(certPathLen));
@@ -189,8 +193,14 @@
 rootNode);
 certPathCheckers.add(pc);
 // default value for date is current time
- BasicChecker bc = new BasicChecker(anchor, params.date(),
+ BasicChecker bc;
+ if (params.timestamp() == null) {
+ bc = new BasicChecker(anchor, params.date(), params.sigProvider(),
+ false);
+ } else {
+ bc = new BasicChecker(anchor, params.timestamp().getTimestamp(),
 params.sigProvider(), false);
+ }
 certPathCheckers.add(bc);
 boolean revCheckerAdded = false;
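Review bot: On the timestamp path in hunk `@@ -172,7 +172,11 @@` the checker is built as `new AlgorithmChecker(params.timestamp())`, and the new constructor in AlgorithmChecker.java sets `trustedPubKey = null` and `prevPubKey = null`, whereas the non-timestamp path still passes `anchor` and the anchor constructor seeds `prevPubKey = trustedPubKey`; since `check()` in the `@@ -296` hunk of that file returns early when `prevPubKey == null`, the part of the check that needs a previous key is skipped for the first certificate only when a JAR timestamp is present — please confirm this is intended, or give the timestamp constructor an `anchor` parameter so both paths start from the same key. In hunk `@@ -189,8 +193,14 @@` the retained comment `// default value for date is current time` now describes only the `params.timestamp() == null` branch; `// timestamped code is validated as of its signing time; otherwise the date defaults to now` would cover both. Both hunks evaluate `params.timestamp() == null`; hoisting `Date validationDate = params.timestamp() == null ? params.date() : params.timestamp().getTimestamp();` once would let the BasicChecker branch collapse back to `bc = new BasicChecker(anchor, validationDate, params.sigProvider(), false);`. The enclosing method starts and ends outside both hunks.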
--- a/src/share/classes/sun/security/util/CertConstraintParameters.java Thu Oct 20 18:16:35 2016 +0100
+++ b/src/share/classes/sun/security/util/CertConstraintParameters.java Wed Oct 12 13:29:35 2016 +0100
@@ -25,6 +25,7 @@
 package sun.security.util;
+import java.security.Timestamp;
 import java.security.cert.X509Certificate;
 import java.util.Date;
@@ -40,16 +41,19 @@
 private final boolean trustedMatch;
 // PKIXParameter date
 private final Date pkixDate;
+ // Timestamp of the signed JAR file
+ private final Timestamp jarTimestamp;
 public CertConstraintParameters(X509Certificate c, boolean match,
- Date pkixdate) {
+ Date pkixdate, Timestamp jarTime) {
 cert = c;
 trustedMatch = match;
 pkixDate = pkixdate;
+ jarTimestamp = jarTime;
 }
 public CertConstraintParameters(X509Certificate c) {
- this(c, false, null);
+ this(c, false, null, null);
 }
 // Returns if the trust anchor has a match if anchor checking is enabled.
@@ -65,4 +69,8 @@
 return pkixDate;
 }
+ public Timestamp getJARTimestamp() {
+ return jarTimestamp;
 }
+
+}
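Review bot: The accessor added in hunk `@@ -65,4 +69,8 @@` is named `getJARTimestamp()` while the field is `jarTimestamp` and the accessor this same changeset adds to AlgorithmChecker is `getJarTimestamp()`; two spellings of one concept across the two classes is a style inconsistency, and `getJarTimestamp` follows the usual Java acronym convention and the field name. The widened constructor `CertConstraintParameters(X509Certificate c, boolean match, Date pkixdate, Timestamp jarTime)` in hunk `@@ -40,16 +41,19 @@` gains a parameter with no Javadoc; a line such as `@param jarTime timestamp of the signed JAR, or null when the certificate is not being checked for timestamped code` would document the null contract that `this(c, false, null, null)` relies on. `java.security.Timestamp` is an immutable class, so holding the reference without a defensive copy is fine.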
--- a/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java Thu Oct 20 18:16:35 2016 +0100
+++ b/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java Wed Oct 12 13:29:35 2016 +0100
@@ -606,7 +606,9 @@
 throws CertPathValidatorException {
 Date currentDate;
- if (cp.getPKIXParamDate() != null) {
+ if (cp.getJARTimestamp() != null) {
+ currentDate = cp.getJARTimestamp().getTimestamp();
+ } else if (cp.getPKIXParamDate() != null) {
 currentDate = cp.getPKIXParamDate();
 } else {
 currentDate = new Date();
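Review bot: The new `if (cp.getJARTimestamp() != null)` branch makes the JAR timestamp take precedence over the PKIXParameters date without saying why, and since `currentDate` is presumably the date this method goes on to compare against the constraint (the rest of the method is outside the hunk), the precedence is security-relevant enough to deserve a comment; suggest `// A timestamped JAR is evaluated as of its signing time, which takes precedence over the PKIXParameters date; otherwise fall back to the current time.` above the `if`. `cp.getJARTimestamp()` is also called twice in succession; `Timestamp jarTimestamp = cp.getJARTimestamp();` once, then testing and dereferencing `jarTimestamp`, reads more directly. The enclosing method starts and ends outside this hunk.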
--- a/src/share/classes/sun/security/validator/PKIXValidator.java Thu Oct 20 18:16:35 2016 +0100
+++ b/src/share/classes/sun/security/validator/PKIXValidator.java Wed Oct 12 13:29:35 2016 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -33,6 +33,7 @@
 import javax.security.auth.x500.X500Principal;
 import sun.security.action.GetBooleanAction;
 import sun.security.provider.certpath.AlgorithmChecker;
+import sun.security.provider.certpath.PKIXTimestampParameters;
 /**
 * Validator implementation built on the PKIX CertPath API. This
@@ -208,13 +209,23 @@
 ("null or zero-length certificate chain");
 }
+ // Check if 'parameter' affects 'pkixParameters'
+ PKIXBuilderParameters pkixParameters = null;
+ if (parameter instanceof Timestamp && plugin) {
+ try {
+ pkixParameters = new PKIXTimestampParameters(
+ (PKIXBuilderParameters) parameterTemplate.clone(),
+ (Timestamp) parameter);
+ } catch (InvalidAlgorithmParameterException e) {
+ // ignore exception
+ }
+ } else {
+ pkixParameters = (PKIXBuilderParameters) parameterTemplate.clone();
+ }
+
 // add new algorithm constraints checker
- PKIXBuilderParameters pkixParameters =
- (PKIXBuilderParameters) parameterTemplate.clone();
- AlgorithmChecker algorithmChecker = null;
 if (constraints != null) {
- algorithmChecker = new AlgorithmChecker(constraints);
- pkixParameters.addCertPathChecker(algorithmChecker);
+ pkixParameters.addCertPathChecker(new AlgorithmChecker(constraints));
 }
 if (TRY_VALIDATOR) {
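Review bot: In hunk `@@ -208,13 +209,23 @@`, if `new PKIXTimestampParameters(...)` throws `InvalidAlgorithmParameterException`, the `catch` block discards it and `pkixParameters` is left `null`, so the next use — `pkixParameters.addCertPathChecker(...)` when `constraints != null`, and whatever follows under `TRY_VALIDATOR` outside the hunk — fails with a NullPointerException instead of a meaningful error, and the reason the timestamp could not be applied is lost. Either rethrow it as the method's checked exception, e.g. `throw new CertificateException("could not apply JAR timestamp to PKIX parameters", e);` if the enclosing method declares one (its signature is outside the hunk), or fall back inside the `catch` to `pkixParameters = (PKIXBuilderParameters) parameterTemplate.clone();` with a comment that the timestamp is then not honoured and validation proceeds at the current date. The new comment `// Check if 'parameter' affects 'pkixParameters'` does not explain the `plugin` condition in `parameter instanceof Timestamp && plugin`; `plugin` is a field outside the hunk, and a short comment stating which validators the timestamp path is limited to would help the next reader.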
--- a/src/share/classes/sun/security/validator/Validator.java Thu Oct 20 18:16:35 2016 +0100
+++ b/src/share/classes/sun/security/validator/Validator.java Wed Oct 12 13:29:35 2016 +0100
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -219,14 +219,7 @@
 * Validate the given certificate chain. If otherCerts is non-null, it is
 * a Collection of additional X509Certificates that could be helpful for
 * path building.
- * <p>
- * Parameter is an additional parameter with variant specific meaning.
- * Currently, it is only defined for TLS_SERVER variant validators, where
- * it must be non null and the name of the TLS key exchange algorithm being
- * used (see JSSE X509TrustManager specification). In the future, it
- * could be used to pass in a PKCS#7 object for code signing to check time
- * stamps.
- * <p>
+ *
 * @return a non-empty chain that was used to validate the path. The
 * end entity cert is at index 0, the trust anchor at index n-1.
 */
@@ -244,12 +237,12 @@
 * could be helpful for path building (or null)
 * @param constraints algorithm constraints for certification path
 * processing
- * @param parameter an additional parameter with variant specific meaning.
- * Currently, it is only defined for TLS_SERVER variant validators,
- * where it must be non null and the name of the TLS key exchange
- * algorithm being used (see JSSE X509TrustManager specification).
- * In the future, it could be used to pass in a PKCS#7 object for
- * code signing to check time stamps.
+ * @param parameter an additional parameter object to pass specific data.
+ * This parameter object maybe one of the two below:
+ * 1) TLS_SERVER variant validators, where it must be non null and
+ * the name of the TLS key exchange algorithm being used
+ * (see JSSE X509TrustManager specification).
+ * 2) {@code Timestamp} object from a signed JAR file.
 * @return a non-empty chain that was used to validate the path. The
 * end entity cert is at index 0, the trust anchor at index n-1.
 */
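Review bot: The rewritten `@param parameter` Javadoc reads "This parameter object maybe one of the two below", where `maybe` should be `may be`, and item 1) names a validator variant rather than a value; `This parameter may be one of: 1) for TLS_SERVER variant validators, the name of the TLS key exchange algorithm being used (must be non null; see JSSE X509TrustManager specification); 2) a {@code Timestamp} from a signed JAR file.` says the same thing more precisely. The text still does not say what a validator does with a null or unrecognised value; the PKIXValidator change in this changeset clones the template unchanged for anything that is not a `Timestamp`, so a closing sentence such as `Validators ignore values they do not use.` would set caller expectations — hedged, since the handling in the other validator variants is outside this diff.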