Back to index...

	/*
	* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
	*
	* This code is free software; you can redistribute it and/or modify it
	* under the terms of the GNU General Public License version 2 only, as
	* published by the Free Software Foundation. Oracle designates this
	* particular file as subject to the "Classpath" exception as provided
	* by Oracle in the LICENSE file that accompanied this code.
	*
	* This code is distributed in the hope that it will be useful, but WITHOUT
	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	* version 2 for more details (a copy is included in the LICENSE file that
	* accompanied this code).
	*
	* You should have received a copy of the GNU General Public License version
	* 2 along with this work; if not, write to the Free Software Foundation,
	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
	*
	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
	* or visit www.oracle.com if you need additional information or have any
	* questions.
	*/

	package sun.security.ssl;

	import java.io.IOException;
	import java.nio.ByteBuffer;
	import java.security.cert.X509Certificate;
	import java.text.MessageFormat;
	import java.util.*;
	import javax.net.ssl.SSLProtocolException;
	import javax.security.auth.x500.X500Principal;
	import sun.security.ssl.SSLExtension.ExtensionConsumer;
	import sun.security.ssl.SSLExtension.SSLExtensionSpec;
	import sun.security.ssl.SSLHandshake.HandshakeMessage;

	/**
	* Pack of the "certificate_authorities" extensions.
	*/
	final class CertificateAuthoritiesExtension {
	static final HandshakeProducer chNetworkProducer =
	new CHCertificateAuthoritiesProducer();
	static final ExtensionConsumer chOnLoadConsumer =
	new CHCertificateAuthoritiesConsumer();

	static final HandshakeProducer crNetworkProducer =
	new CRCertificateAuthoritiesProducer();
	static final ExtensionConsumer crOnLoadConsumer =
	new CRCertificateAuthoritiesConsumer();

	static final SSLStringizer ssStringizer =
	new CertificateAuthoritiesStringizer();

	/**
	* The "certificate_authorities" extension.
	*/
	static final class CertificateAuthoritiesSpec implements SSLExtensionSpec {
	final List<byte[]> authorities; // certificate authorities

	private CertificateAuthoritiesSpec(List<byte[]> authorities) {
	this.authorities = authorities;
	}

	private CertificateAuthoritiesSpec(HandshakeContext hc,
	ByteBuffer m) throws IOException {
	if (m.remaining() < 3) { // 2: the length of the list
	// 1: at least one byte authorities
	throw hc.conContext.fatal(Alert.DECODE_ERROR,
	new SSLProtocolException(
	"Invalid certificate_authorities extension: " +
	"insufficient data"));
	}

	int listLen = Record.getInt16(m);
	if (listLen == 0) {
	throw hc.conContext.fatal(Alert.DECODE_ERROR,
	"Invalid certificate_authorities extension: " +
	"no certificate authorities");
	}

	if (listLen > m.remaining()) {
	throw hc.conContext.fatal(Alert.DECODE_ERROR,
	"Invalid certificate_authorities extension: " +
	"insufficient data");
	}

	this.authorities = new LinkedList<>();
	while (listLen > 0) {
	// opaque DistinguishedName<1..2^16-1>;
	byte[] encoded = Record.getBytes16(m);
	listLen -= (2 + encoded.length);
	authorities.add(encoded);
	}
	}

	private static List<byte[]> getEncodedAuthorities(
	X509Certificate[] trustedCerts) {
	List<byte[]> authorities = new ArrayList<>(trustedCerts.length);
	int sizeAccount = 0;
	for (X509Certificate cert : trustedCerts) {
	X500Principal x500Principal = cert.getSubjectX500Principal();
	byte[] encodedPrincipal = x500Principal.getEncoded();
	sizeAccount += encodedPrincipal.length;
	if (sizeAccount > 0xFFFF) { // the size limit of this extension
	// If there too many trusts CAs such that they exceed the
	// size limit of the extension, enabling this extension
	// does not really make sense as there is no way to
	// indicate the peer certificate selection accurately.
	// In such cases, the extension is just ignored, rather
	// than fatal close, for better compatibility and
	// interoperability.
	return Collections.emptyList();
	}

	if (encodedPrincipal.length != 0) {
	authorities.add(encodedPrincipal);
	}
	}

	return authorities;
	}

	X500Principal[] getAuthorities() {
	X500Principal[] principals = new X500Principal[authorities.size()];
	int i = 0;
	for (byte[] encoded : authorities) {
	principals[i++] = new X500Principal(encoded);
	}

	return principals;
	}

	@Override
	public String toString() {
	MessageFormat messageFormat = new MessageFormat(
	"\"certificate authorities\": '['\n{0}']'", Locale.ENGLISH);
	StringBuilder builder = new StringBuilder(512);
	for (byte[] encoded : authorities) {
	X500Principal principal = new X500Principal(encoded);
	builder.append(principal.toString());
	builder.append("\n");
	}
	Object[] messageFields = {
	Utilities.indent(builder.toString())
	};

	return messageFormat.format(messageFields);
	}
	}

	private static final
	class CertificateAuthoritiesStringizer implements SSLStringizer {
	@Override
	public String toString(HandshakeContext hc, ByteBuffer buffer) {
	try {
	return (new CertificateAuthoritiesSpec(hc, buffer))
	.toString();
	} catch (IOException ioe) {
	// For debug logging only, so please swallow exceptions.
	return ioe.getMessage();
	}
	}
	}

	/**
	* Network data producer of a "certificate_authorities" extension in
	* the ClientHello handshake message.
	*/
	private static final
	class CHCertificateAuthoritiesProducer implements HandshakeProducer {

	// Prevent instantiation of this class.
	private CHCertificateAuthoritiesProducer() {
	// blank
	}

	@Override
	public byte[] produce(ConnectionContext context,
	HandshakeMessage message) throws IOException {
	// The producing happens in client side only.
	ClientHandshakeContext chc = (ClientHandshakeContext)context;

	// Is it a supported and enabled extension?
	if (!chc.sslConfig.isAvailable(
	SSLExtension.CH_CERTIFICATE_AUTHORITIES)) {
	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
	SSLLogger.fine(
	"Ignore unavailable " +
	"certificate_authorities extension");
	}

	return null; // ignore the extension
	}

	// Produce the extension.
	X509Certificate[] caCerts =
	chc.sslContext.getX509TrustManager().getAcceptedIssuers();
	if (caCerts.length == 0) {
	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
	SSLLogger.fine(
	"No available certificate authorities");
	}

	return null; // ignore the extension
	}

	List<byte[]> encodedCAs =
	CertificateAuthoritiesSpec.getEncodedAuthorities(caCerts);
	if (encodedCAs.isEmpty()) {
	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
	SSLLogger.warning(
	"The number of CAs exceeds the maximum size" +
	"of the certificate_authorities extension");
	}

	return null; // ignore the extension
	}

	CertificateAuthoritiesSpec spec =
	new CertificateAuthoritiesSpec(encodedCAs);

	int vectorLen = 0;
	for (byte[] encoded : spec.authorities) {
	vectorLen += encoded.length + 2;
	}

	byte[] extData = new byte[vectorLen + 2];
	ByteBuffer m = ByteBuffer.wrap(extData);
	Record.putInt16(m, vectorLen);
	for (byte[] encoded : spec.authorities) {
	Record.putBytes16(m, encoded);
	}

	// Update the context.
	chc.handshakeExtensions.put(
	SSLExtension.CH_CERTIFICATE_AUTHORITIES, spec);

	return extData;
	}
	}

	/**
	* Network data consumer of a "certificate_authorities" extension in
	* the ClientHello handshake message.
	*/
	private static final
	class CHCertificateAuthoritiesConsumer implements ExtensionConsumer {

	// Prevent instantiation of this class.
	private CHCertificateAuthoritiesConsumer() {
	// blank
	}

	@Override
	public void consume(ConnectionContext context,
	HandshakeMessage message, ByteBuffer buffer) throws IOException {

	// The consuming happens in server side only.
	ServerHandshakeContext shc = (ServerHandshakeContext)context;

	// Is it a supported and enabled extension?
	if (!shc.sslConfig.isAvailable(
	SSLExtension.CH_CERTIFICATE_AUTHORITIES)) {
	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
	SSLLogger.fine(
	"Ignore unavailable " +
	"certificate_authorities extension");
	}

	return; // ignore the extension
	}

	// Parse the extension.
	CertificateAuthoritiesSpec spec =
	new CertificateAuthoritiesSpec(shc, buffer);

	// Update the context.
	shc.peerSupportedAuthorities = spec.getAuthorities();
	shc.handshakeExtensions.put(
	SSLExtension.CH_CERTIFICATE_AUTHORITIES, spec);

	// No impact on session resumption.
	}
	}

	/**
	* Network data producer of a "certificate_authorities" extension in
	* the CertificateRequest handshake message.
	*/
	private static final
	class CRCertificateAuthoritiesProducer implements HandshakeProducer {

	// Prevent instantiation of this class.
	private CRCertificateAuthoritiesProducer() {
	// blank
	}

	@Override
	public byte[] produce(ConnectionContext context,
	HandshakeMessage message) throws IOException {
	// The producing happens in server side only.
	ServerHandshakeContext shc = (ServerHandshakeContext)context;

	// Is it a supported and enabled extension?
	if (!shc.sslConfig.isAvailable(
	SSLExtension.CR_CERTIFICATE_AUTHORITIES)) {
	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
	SSLLogger.fine(
	"Ignore unavailable " +
	"certificate_authorities extension");
	}

	return null; // ignore the extension
	}

	// Produce the extension.
	X509Certificate[] caCerts =
	shc.sslContext.getX509TrustManager().getAcceptedIssuers();
	if (caCerts.length == 0) {
	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
	SSLLogger.fine(
	"No available certificate authorities");
	}

	return null; // ignore the extension
	}

	List<byte[]> encodedCAs =
	CertificateAuthoritiesSpec.getEncodedAuthorities(caCerts);
	if (encodedCAs.isEmpty()) {
	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
	SSLLogger.warning(
	"Too many certificate authorities to use " +
	"the certificate_authorities extension");
	}

	return null; // ignore the extension
	}

	CertificateAuthoritiesSpec spec =
	new CertificateAuthoritiesSpec(encodedCAs);

	int vectorLen = 0;
	for (byte[] encoded : spec.authorities) {
	vectorLen += encoded.length + 2;
	}

	byte[] extData = new byte[vectorLen + 2];
	ByteBuffer m = ByteBuffer.wrap(extData);
	Record.putInt16(m, vectorLen);
	for (byte[] encoded : spec.authorities) {
	Record.putBytes16(m, encoded);
	}

	// Update the context.
	shc.handshakeExtensions.put(
	SSLExtension.CR_CERTIFICATE_AUTHORITIES, spec);

	return extData;
	}
	}

	/**
	* Network data consumer of a "certificate_authorities" extension in
	* the CertificateRequest handshake message.
	*/
	private static final
	class CRCertificateAuthoritiesConsumer implements ExtensionConsumer {

	// Prevent instantiation of this class.
	private CRCertificateAuthoritiesConsumer() {
	// blank
	}

	@Override
	public void consume(ConnectionContext context,
	HandshakeMessage message, ByteBuffer buffer) throws IOException {

	// The consuming happens in client side only.
	ClientHandshakeContext chc = (ClientHandshakeContext)context;

	// Is it a supported and enabled extension?
	if (!chc.sslConfig.isAvailable(
	SSLExtension.CR_CERTIFICATE_AUTHORITIES)) {
	if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
	SSLLogger.fine(
	"Ignore unavailable " +
	"certificate_authorities extension");
	}

	return; // ignore the extension
	}

	// Parse the extension.
	CertificateAuthoritiesSpec spec =
	new CertificateAuthoritiesSpec(chc, buffer);

	// Update the context.
	chc.peerSupportedAuthorities = spec.getAuthorities();
	chc.handshakeExtensions.put(
	SSLExtension.CR_CERTIFICATE_AUTHORITIES, spec);

	// No impact on session resumption.
	}
	}
	}

Back to index...