Mercurial > hg > openjdk > jdk8u > jdk
changeset 13206:e03fff229002 jdk8u162-b36
8076117: EndEntityChecker should not process custom extensions after PKIX validation
Reviewed-by: xuelei, mullan
| author | igerasim |
|---|---|
| date | Fri, 16 Feb 2018 09:43:14 -0800 |
| parents | 1e6fc1097919 |
| children | 815cd7e077de |
| files | src/share/classes/sun/security/validator/EndEntityChecker.java src/share/classes/sun/security/validator/Validator.java test/sun/security/validator/EndEntityExtensionCheck.java |
| diffstat | 3 files changed, 258 insertions(+), 35 deletions(-) [+] |
line wrap: on
line diff
--- a/src/share/classes/sun/security/validator/EndEntityChecker.java Fri Nov 24 13:18:36 2017 +0530 +++ b/src/share/classes/sun/security/validator/EndEntityChecker.java Fri Feb 16 09:43:14 2018 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2008, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -132,26 +132,33 @@ return new EndEntityChecker(type, variant); } - void check(X509Certificate cert, Object parameter) - throws CertificateException { + void check(X509Certificate cert, Object parameter, + boolean checkUnresolvedCritExts) throws CertificateException { if (variant.equals(Validator.VAR_GENERIC)) { - // no checks - return; - } else if (variant.equals(Validator.VAR_TLS_SERVER)) { - checkTLSServer(cert, (String)parameter); + return; // no checks + } + + Set<String> exts = getCriticalExtensions(cert); + if (variant.equals(Validator.VAR_TLS_SERVER)) { + checkTLSServer(cert, (String)parameter, exts); } else if (variant.equals(Validator.VAR_TLS_CLIENT)) { - checkTLSClient(cert); + checkTLSClient(cert, exts); } else if (variant.equals(Validator.VAR_CODE_SIGNING)) { - checkCodeSigning(cert); + checkCodeSigning(cert, exts); } else if (variant.equals(Validator.VAR_JCE_SIGNING)) { - checkCodeSigning(cert); + checkCodeSigning(cert, exts); } else if (variant.equals(Validator.VAR_PLUGIN_CODE_SIGNING)) { - checkCodeSigning(cert); + checkCodeSigning(cert, exts); } else if (variant.equals(Validator.VAR_TSA_SERVER)) { - checkTSAServer(cert); + checkTSAServer(cert, exts); } else { throw new CertificateException("Unknown variant: " + variant); } + + // if neither VAR_GENERIC variant nor unknown variant + if (checkUnresolvedCritExts) { + checkRemainingExtensions(exts); + } } /** @@ -219,10 +226,8 @@ * authentication. * @throws CertificateException if not. */ - private void checkTLSClient(X509Certificate cert) + private void checkTLSClient(X509Certificate cert, Set<String> exts) throws CertificateException { - Set<String> exts = getCriticalExtensions(cert); - if (checkKeyUsage(cert, KU_SIGNATURE) == false) { throw new ValidatorException ("KeyUsage does not allow digital signatures", @@ -245,8 +250,6 @@ exts.remove(SimpleValidator.OID_KEY_USAGE); exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE); exts.remove(SimpleValidator.OID_NETSCAPE_CERT_TYPE); - - checkRemainingExtensions(exts); } /** @@ -255,10 +258,8 @@ * specification for details. * @throws CertificateException if not. */ - private void checkTLSServer(X509Certificate cert, String parameter) - throws CertificateException { - Set<String> exts = getCriticalExtensions(cert); - + private void checkTLSServer(X509Certificate cert, String parameter, + Set<String> exts) throws CertificateException { if (KU_SERVER_ENCRYPTION.contains(parameter)) { if (checkKeyUsage(cert, KU_KEY_ENCIPHERMENT) == false) { throw new ValidatorException @@ -303,18 +304,14 @@ exts.remove(SimpleValidator.OID_KEY_USAGE); exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE); exts.remove(SimpleValidator.OID_NETSCAPE_CERT_TYPE); - - checkRemainingExtensions(exts); } /** * Check whether this certificate can be used for code signing. * @throws CertificateException if not. */ - private void checkCodeSigning(X509Certificate cert) + private void checkCodeSigning(X509Certificate cert, Set<String> exts) throws CertificateException { - Set<String> exts = getCriticalExtensions(cert); - if (checkKeyUsage(cert, KU_SIGNATURE) == false) { throw new ValidatorException ("KeyUsage does not allow digital signatures", @@ -341,8 +338,6 @@ // remove extensions we checked exts.remove(SimpleValidator.OID_KEY_USAGE); exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE); - - checkRemainingExtensions(exts); } /** @@ -350,10 +345,8 @@ * server (see RFC 3161, section 2.3). * @throws CertificateException if not. */ - private void checkTSAServer(X509Certificate cert) + private void checkTSAServer(X509Certificate cert, Set<String> exts) throws CertificateException { - Set<String> exts = getCriticalExtensions(cert); - if (checkKeyUsage(cert, KU_SIGNATURE) == false) { throw new ValidatorException ("KeyUsage does not allow digital signatures", @@ -376,7 +369,5 @@ // remove extensions we checked exts.remove(SimpleValidator.OID_KEY_USAGE); exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE); - - checkRemainingExtensions(exts); } }
--- a/src/share/classes/sun/security/validator/Validator.java Fri Nov 24 13:18:36 2017 +0530 +++ b/src/share/classes/sun/security/validator/Validator.java Fri Feb 16 09:43:14 2018 -0800 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -143,6 +143,7 @@ */ public final static String VAR_PLUGIN_CODE_SIGNING = "plugin code signing"; + private final String type; final EndEntityChecker endEntityChecker; final String variant; @@ -154,6 +155,7 @@ volatile Date validationDate; Validator(String type, String variant) { + this.type = type; this.variant = variant; endEntityChecker = EndEntityChecker.getInstance(type, variant); } @@ -261,7 +263,16 @@ // omit EE extension check if EE cert is also trust anchor if (chain.length > 1) { - endEntityChecker.check(chain[0], parameter); + // EndEntityChecker does not need to check unresolved critical + // extensions when validating with a TYPE_PKIX Validator. + // A TYPE_PKIX Validator will already have run checks on all + // certs' extensions, including checks by any PKIXCertPathCheckers + // included in the PKIXParameters, so the extra checks would be + // redundant. + boolean checkUnresolvedCritExts = + (type == TYPE_PKIX) ? false : true; + endEntityChecker.check(chain[0], parameter, + checkUnresolvedCritExts); } return chain;
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/sun/security/validator/EndEntityExtensionCheck.java Fri Feb 16 09:43:14 2018 -0800 @@ -0,0 +1,221 @@ +/* + * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8076117 + * @summary EndEntityChecker should not process custom extensions + * after PKIX validation + */ + +import java.io.ByteArrayInputStream; +import java.io.File; +import java.io.FileInputStream; +import java.security.KeyStore; +import java.security.cert.CertPathValidatorException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.CertificateFactory; +import java.security.cert.PKIXBuilderParameters; +import java.security.cert.PKIXCertPathChecker; +import java.security.cert.TrustAnchor; +import java.security.cert.X509Certificate; +import java.util.Collection; +import java.util.Date; +import java.util.HashSet; +import java.util.Set; +import sun.security.validator.KeyStores; +import sun.security.validator.Validator; + + +public class EndEntityExtensionCheck { + + /* + * Owner: CN=TestCA + * Issuer: CN=TestCA + */ + private static final String CA = + "-----BEGIN CERTIFICATE-----\n" + + "MIICgDCCAj2gAwIBAgIEC18hWjALBgcqhkjOOAQDBQAwETEPMA0GA1UEAxMGVGVz\n" + + "dENBMB4XDTE1MDQwNzIyMzUyMFoXDTI1MDQwNjIyMzUyMFowETEPMA0GA1UEAxMG\n" + + "VGVzdENBMIIBuDCCASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2\n" + + "EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdr\n" + + "mVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXz\n" + + "rith1yrv8iIDGZ3RSAHHAhUAl2BQjxUjC8yykrmCouuEC/BYHPUCgYEA9+Gghdab\n" + + "Pd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6Ewo\n" + + "FhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhR\n" + + "kImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoDgYUAAoGBAJOWy2hVy4iNwsi/idWG\n" + + "oksr9IZxQIFR2YavoUmD+rIgfYUpiCihzftDLMMaNYqp9PPxuOyoIPGPbwmKpAs5\n" + + "nq6gLwH2lSsN+EwyV2SJ0J26PHiMuRNZWWfKR3cpEqbQVb0CmvqSpj8zYfamPzp7\n" + + "eXSWwahzgLCGJM3SgCfDFC0uoyEwHzAdBgNVHQ4EFgQU7tLD8FnWM+r6jBr+mCXs\n" + + "8G5yBpgwCwYHKoZIzjgEAwUAAzAAMC0CFQCHCtzC3S0ST0EZBucikVui4WXD8QIU\n" + + "L3Oxy6989/FhZlZWJlhqc1ungEQ=\n" + + "-----END CERTIFICATE-----"; + + /* + * Owner: CN=TestEE + * Issuer: CN=TestCA + * Contains a custom critical extension with OID 1.2.3.4: + * #1: ObjectId: 1.2.3.4 Criticality=true + * 0000: 00 00 + */ + private static final String EE = + "-----BEGIN CERTIFICATE-----\n" + + "MIICrTCCAmugAwIBAgIELjciKzALBgcqhkjOOAQDBQAwETEPMA0GA1UEAxMGVGVz\n" + + "dENBMB4XDTE1MDQwNzIzMDA1OFoXDTE1MDcwNjIzMDA1OFowETEPMA0GA1UEAxMG\n" + + "VGVzdEVFMIIBtzCCASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2\n" + + "EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdr\n" + + "mVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXz\n" + + "rith1yrv8iIDGZ3RSAHHAhUAl2BQjxUjC8yykrmCouuEC/BYHPUCgYEA9+Gghdab\n" + + "Pd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6Ewo\n" + + "FhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhR\n" + + "kImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoDgYQAAoGAN97otrAJEuUg/O97vScI\n" + + "01xs1jqTz5o0PGpKiDDJNB3tCCUbLqXoBQBvSefQ8vYL3mmlEJLxlwfbajRmJQp0\n" + + "tUy5SUCZHk3MdoKxSvrqYnVpYwJHFXKWs6lAawxfuWbkm9SREuepOWnVzy2ecf5z\n" + + "hvy9mgEBfi4E9Cy8Byq2TpyjUDBOMAwGAyoDBAEB/wQCAAAwHwYDVR0jBBgwFoAU\n" + + "7tLD8FnWM+r6jBr+mCXs8G5yBpgwHQYDVR0OBBYEFNRVqt5F+EAuJ5x1IZLDkoMs\n" + + "mDj4MAsGByqGSM44BAMFAAMvADAsAhQyNGhxIp5IshN1zqLs4pUY214IMAIUMmTL\n" + + "3ZMpMAjITbuHHlFNUqZ7A9s=\n" + + "-----END CERTIFICATE-----"; + + public static void main(String[] args) throws Exception { + X509Certificate[] chain = createChain(); + + /* Test 1: Test SimpleValidator + * SimpleValidator doesn't check for unsupported critical + * extensions in the end entity certificate, and leaves that up + * to EndEntityChecker, which should catch such extensions. + */ + KeyStore ks = KeyStore.getInstance("JKS"); + ks.load(null, null); + ks.setCertificateEntry("testca", chain[chain.length - 1]); + + Validator v = Validator.getInstance(Validator.TYPE_SIMPLE, + Validator.VAR_TLS_CLIENT, + KeyStores.getTrustedCerts(ks)); + try { + v.validate(chain); + throw new Exception("Chain should not have validated " + + "successfully."); + } catch (CertificateException ex) { + // EE cert has an unsupported critical extension that is not + // checked by SimpleValidator's extension checks, so this + // failure is expected + } + + /* Test 2: Test PKIXValidator without custom checker + * PKIXValidator accepts PKIXParameters that can contain + * custom PKIXCertPathCheckers, which would be run against + * each cert in the chain, including EE certs. + * Check that if PKIXValidator is not provided a custom + * PKIXCertPathChecker for an unknown critical extension in + * the EE cert, chain validation will fail. + */ + TrustAnchor ta = new TrustAnchor(chain[chain.length - 1], null); + Set<TrustAnchor> tas = new HashSet<>(); + tas.add(ta); + PKIXBuilderParameters params = new PKIXBuilderParameters(tas, null); + params.setDate(new Date(115, 5, 1)); // 2015-05-01 + params.setRevocationEnabled(false); + + v = Validator.getInstance(Validator.TYPE_PKIX, + Validator.VAR_TLS_CLIENT, + params); + try { + v.validate(chain); + throw new Exception("Chain should not have validated " + + "successfully."); + } catch (CertificateException ex) { + // EE cert has an unsupported critical extension and + // PKIXValidator was not provided any custom checker + // for it, so this failure ie expected. + } + + /* Test 3: Test PKIXValidator with custom checker + * Check that PKIXValidator will successfully validate a chain + * containing an EE cert with a critical custom extension, given + * a corresponding PKIXCertPathChecker for the extension. + */ + params = new PKIXBuilderParameters(tas, null); + params.addCertPathChecker(new CustomChecker()); + params.setDate(new Date(115, 5, 1)); // 2015-05-01 + params.setRevocationEnabled(false); + + v = Validator.getInstance(Validator.TYPE_PKIX, + Validator.VAR_TLS_CLIENT, + params); + v.validate(chain); // This should validate successfully + + System.out.println("Tests passed."); + } + + public static X509Certificate[] createChain() throws Exception { + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + X509Certificate ee = (X509Certificate) + cf.generateCertificate((new ByteArrayInputStream(EE.getBytes()))); + X509Certificate ca = (X509Certificate) + cf.generateCertificate((new ByteArrayInputStream(CA.getBytes()))); + + X509Certificate[] chain = {ee, ca}; + return chain; + } + + /* + * A custom PKIXCertPathChecker. Looks for a critical extension + * in an end entity certificate with the OID 1.2.3.4. + */ + static class CustomChecker extends PKIXCertPathChecker { + + @Override + public void init(boolean forward) throws CertPathValidatorException { + // nothing to do + } + + @Override + public boolean isForwardCheckingSupported() { + return false; + } + + @Override + public Set<String> getSupportedExtensions() { + Set<String> exts = new HashSet<>(); + exts.add("1.2.3.4"); + return exts; + } + + @Override + public void check(Certificate cert, + Collection<String> unresolvedCritExts) + throws CertPathValidatorException { + X509Certificate currCert = (X509Certificate)cert; + // check that this is an EE cert + if (currCert.getBasicConstraints() == -1) { + if (unresolvedCritExts != null && + !unresolvedCritExts.isEmpty()) { + unresolvedCritExts.remove("1.2.3.4"); + } + } + } + + } +}