|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  */ | 
|  |  | 
|  | package sun.security.util; | 
|  |  | 
|  | import sun.security.validator.Validator; | 
|  |  | 
|  | import java.io.ByteArrayOutputStream; | 
|  | import java.io.PrintStream; | 
|  | import java.security.AlgorithmParameters; | 
|  | import java.security.CryptoPrimitive; | 
|  | import java.security.Key; | 
|  | import java.security.cert.CertPathValidatorException; | 
|  | import java.security.cert.CertPathValidatorException.BasicReason; | 
|  | import java.security.interfaces.ECKey; | 
|  | import java.security.spec.AlgorithmParameterSpec; | 
|  | import java.security.spec.InvalidParameterSpecException; | 
|  | import java.security.spec.MGF1ParameterSpec; | 
|  | import java.security.spec.PSSParameterSpec; | 
|  | import java.text.SimpleDateFormat; | 
|  | import java.util.ArrayList; | 
|  | import java.util.Arrays; | 
|  | import java.util.Calendar; | 
|  | import java.util.Date; | 
|  | import java.util.HashMap; | 
|  | import java.util.HashSet; | 
|  | import java.util.List; | 
|  | import java.util.Locale; | 
|  | import java.util.Map; | 
|  | import java.util.Set; | 
|  | import java.util.Collection; | 
|  | import java.util.Collections; | 
|  | import java.util.StringTokenizer; | 
|  | import java.util.TimeZone; | 
|  | import java.util.regex.Pattern; | 
|  | import java.util.regex.Matcher; | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  */ | 
|  | public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints { | 
|  |     private static final Debug debug = Debug.getInstance("certpath"); | 
|  |  | 
|  |      | 
|  |     public static final String PROPERTY_CERTPATH_DISABLED_ALGS = | 
|  |             "jdk.certpath.disabledAlgorithms"; | 
|  |  | 
|  |      | 
|  |     public static final String PROPERTY_SECURITY_LEGACY_ALGS = | 
|  |             "jdk.security.legacyAlgorithms"; | 
|  |  | 
|  |      | 
|  |     public static final String PROPERTY_TLS_DISABLED_ALGS = | 
|  |             "jdk.tls.disabledAlgorithms"; | 
|  |  | 
|  |      | 
|  |     public static final String PROPERTY_JAR_DISABLED_ALGS = | 
|  |             "jdk.jar.disabledAlgorithms"; | 
|  |  | 
|  |      | 
|  |     private static final String PROPERTY_DISABLED_EC_CURVES = | 
|  |             "jdk.disabled.namedCurves"; | 
|  |  | 
|  |     private static class CertPathHolder { | 
|  |         static final DisabledAlgorithmConstraints CONSTRAINTS = | 
|  |             new DisabledAlgorithmConstraints(PROPERTY_CERTPATH_DISABLED_ALGS); | 
|  |     } | 
|  |  | 
|  |     private static class JarHolder { | 
|  |         static final DisabledAlgorithmConstraints CONSTRAINTS = | 
|  |             new DisabledAlgorithmConstraints(PROPERTY_JAR_DISABLED_ALGS); | 
|  |     } | 
|  |  | 
|  |     private final List<String> disabledAlgorithms; | 
|  |     private final Constraints algorithmConstraints; | 
|  |  | 
|  |     public static DisabledAlgorithmConstraints certPathConstraints() { | 
|  |         return CertPathHolder.CONSTRAINTS; | 
|  |     } | 
|  |  | 
|  |     public static DisabledAlgorithmConstraints jarConstraints() { | 
|  |         return JarHolder.CONSTRAINTS; | 
|  |     } | 
|  |  | 
|  |      | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |      */ | 
|  |     public DisabledAlgorithmConstraints(String propertyName) { | 
|  |         this(propertyName, new AlgorithmDecomposer()); | 
|  |     } | 
|  |  | 
|  |      | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |      */ | 
|  |     public DisabledAlgorithmConstraints(String propertyName, | 
|  |             AlgorithmDecomposer decomposer) { | 
|  |         super(decomposer); | 
|  |         disabledAlgorithms = getAlgorithms(propertyName); | 
|  |  | 
|  |          | 
|  |         int ecindex = -1, i = 0; | 
|  |         for (String s : disabledAlgorithms) { | 
|  |             if (s.regionMatches(true, 0,"include ", 0, 8)) { | 
|  |                 if (s.regionMatches(true, 8, PROPERTY_DISABLED_EC_CURVES, 0, | 
|  |                         PROPERTY_DISABLED_EC_CURVES.length())) { | 
|  |                     ecindex = i; | 
|  |                     break; | 
|  |                 } | 
|  |             } | 
|  |             i++; | 
|  |         } | 
|  |         if (ecindex > -1) { | 
|  |             disabledAlgorithms.remove(ecindex); | 
|  |             disabledAlgorithms.addAll(ecindex, | 
|  |                     getAlgorithms(PROPERTY_DISABLED_EC_CURVES)); | 
|  |         } | 
|  |         algorithmConstraints = new Constraints(propertyName, disabledAlgorithms); | 
|  |     } | 
|  |  | 
|  |      | 
|  |  | 
|  |  | 
|  |      */ | 
|  |     @Override | 
|  |     public final boolean permits(Set<CryptoPrimitive> primitives, | 
|  |             String algorithm, AlgorithmParameters parameters) { | 
|  |         if (!checkAlgorithm(disabledAlgorithms, algorithm, decomposer)) { | 
|  |             return false; | 
|  |         } | 
|  |  | 
|  |         if (parameters != null) { | 
|  |             return algorithmConstraints.permits(algorithm, parameters); | 
|  |         } | 
|  |  | 
|  |         return true; | 
|  |     } | 
|  |  | 
|  |      | 
|  |  | 
|  |  | 
|  |      */ | 
|  |     @Override | 
|  |     public final boolean permits(Set<CryptoPrimitive> primitives, Key key) { | 
|  |         return checkConstraints(primitives, "", key, null); | 
|  |     } | 
|  |  | 
|  |      | 
|  |  | 
|  |  | 
|  |      */ | 
|  |     @Override | 
|  |     public final boolean permits(Set<CryptoPrimitive> primitives, | 
|  |             String algorithm, Key key, AlgorithmParameters parameters) { | 
|  |  | 
|  |         if (algorithm == null || algorithm.length() == 0) { | 
|  |             throw new IllegalArgumentException("No algorithm name specified"); | 
|  |         } | 
|  |  | 
|  |         return checkConstraints(primitives, algorithm, key, parameters); | 
|  |     } | 
|  |  | 
|  |     public final void permits(String algorithm, AlgorithmParameters ap, | 
|  |         ConstraintsParameters cp) throws CertPathValidatorException { | 
|  |  | 
|  |         permits(algorithm, cp); | 
|  |         if (ap != null) { | 
|  |             permits(ap, cp); | 
|  |         } | 
|  |     } | 
|  |  | 
|  |     private void permits(AlgorithmParameters ap, ConstraintsParameters cp) | 
|  |         throws CertPathValidatorException { | 
|  |  | 
|  |         switch (ap.getAlgorithm().toUpperCase(Locale.ENGLISH)) { | 
|  |             case "RSASSA-PSS": | 
|  |                 permitsPSSParams(ap, cp); | 
|  |                 break; | 
|  |             default: | 
|  |                 // unknown algorithm, just ignore | 
|  |         } | 
|  |     } | 
|  |  | 
|  |     private void permitsPSSParams(AlgorithmParameters ap, | 
|  |         ConstraintsParameters cp) throws CertPathValidatorException { | 
|  |  | 
|  |         try { | 
|  |             PSSParameterSpec pssParams = | 
|  |                 ap.getParameterSpec(PSSParameterSpec.class); | 
|  |             String digestAlg = pssParams.getDigestAlgorithm(); | 
|  |             permits(digestAlg, cp); | 
|  |             AlgorithmParameterSpec mgfParams = pssParams.getMGFParameters(); | 
|  |             if (mgfParams instanceof MGF1ParameterSpec) { | 
|  |                 String mgfDigestAlg = | 
|  |                     ((MGF1ParameterSpec)mgfParams).getDigestAlgorithm(); | 
|  |                 if (!mgfDigestAlg.equalsIgnoreCase(digestAlg)) { | 
|  |                     permits(mgfDigestAlg, cp); | 
|  |                 } | 
|  |             } | 
|  |         } catch (InvalidParameterSpecException ipse) { | 
|  |             // ignore | 
|  |         } | 
|  |     } | 
|  |  | 
|  |     public final void permits(String algorithm, ConstraintsParameters cp) | 
|  |             throws CertPathValidatorException { | 
|  |  | 
|  |          | 
|  |         for (Key key : cp.getKeys()) { | 
|  |             for (String curve : getNamedCurveFromKey(key)) { | 
|  |                 if (!checkAlgorithm(disabledAlgorithms, curve, decomposer)) { | 
|  |                     throw new CertPathValidatorException( | 
|  |                             "Algorithm constraints check failed on disabled " + | 
|  |                                     "algorithm: " + curve, | 
|  |                             null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); | 
|  |                 } | 
|  |             } | 
|  |         } | 
|  |  | 
|  |         algorithmConstraints.permits(algorithm, cp); | 
|  |     } | 
|  |  | 
|  |     private static List<String> getNamedCurveFromKey(Key key) { | 
|  |         if (key instanceof ECKey) { | 
|  |             NamedCurve nc = CurveDB.lookup(((ECKey)key).getParams()); | 
|  |             return (nc == null ? Collections.emptyList() | 
|  |                                : Arrays.asList(CurveDB.getNamesByOID(nc.getObjectId()))); | 
|  |         } else { | 
|  |             return Collections.emptyList(); | 
|  |         } | 
|  |     } | 
|  |  | 
|  |      | 
|  |     private boolean checkConstraints(Set<CryptoPrimitive> primitives, | 
|  |             String algorithm, Key key, AlgorithmParameters parameters) { | 
|  |  | 
|  |          | 
|  |         if (key == null) { | 
|  |             throw new IllegalArgumentException("The key cannot be null"); | 
|  |         } | 
|  |  | 
|  |          | 
|  |         if (algorithm != null && algorithm.length() != 0) { | 
|  |             if (!permits(primitives, algorithm, parameters)) { | 
|  |                 return false; | 
|  |             } | 
|  |         } | 
|  |  | 
|  |          | 
|  |         if (!permits(primitives, key.getAlgorithm(), null)) { | 
|  |             return false; | 
|  |         } | 
|  |  | 
|  |          | 
|  |         for (String curve : getNamedCurveFromKey(key)) { | 
|  |             if (!permits(primitives, curve, null)) { | 
|  |                 return false; | 
|  |             } | 
|  |         } | 
|  |  | 
|  |          | 
|  |         return algorithmConstraints.permits(key); | 
|  |     } | 
|  |  | 
|  |  | 
|  |     /** | 
|  |      * Key and Certificate Constraints | 
|  |      * | 
|  |      * The complete disabling of an algorithm is not handled by Constraints or | 
|  |      * Constraint classes.  That is addressed with | 
|  |      *   permit(Set<CryptoPrimitive>, String, AlgorithmParameters) | 
|  |      * | 
|  |      * When passing a Key to permit(), the boolean return values follow the | 
|  |      * same as the interface class AlgorithmConstraints.permit().  This is to | 
|  |      * maintain compatibility: | 
|  |      * 'true' means the operation is allowed. | 
|  |      * 'false' means it failed the constraints and is disallowed. | 
|  |      * | 
|  |      * When passing ConstraintsParameters through permit(), an exception | 
|  |      * will be thrown on a failure to better identify why the operation was | 
|  |      * disallowed. | 
|  |      */ | 
|  |  | 
|  |     private static class Constraints { | 
|  |         private Map<String, List<Constraint>> constraintsMap = new HashMap<>(); | 
|  |  | 
|  |         private static class Holder { | 
|  |             private static final Pattern DENY_AFTER_PATTERN = Pattern.compile( | 
|  |                     "denyAfter\\s+(\\d{4})-(\\d{2})-(\\d{2})"); | 
|  |         } | 
|  |  | 
|  |         public Constraints(String propertyName, List<String> constraintArray) { | 
|  |             for (String constraintEntry : constraintArray) { | 
|  |                 if (constraintEntry == null || constraintEntry.isEmpty()) { | 
|  |                     continue; | 
|  |                 } | 
|  |  | 
|  |                 constraintEntry = constraintEntry.trim(); | 
|  |                 if (debug != null) { | 
|  |                     debug.println("Constraints: " + constraintEntry); | 
|  |                 } | 
|  |  | 
|  |                 // Check if constraint is a complete disabling of an | 
|  |                  | 
|  |                 int space = constraintEntry.indexOf(' '); | 
|  |                 String algorithm = AlgorithmDecomposer.hashName( | 
|  |                         ((space > 0 ? constraintEntry.substring(0, space) : | 
|  |                                 constraintEntry))); | 
|  |                 List<Constraint> constraintList = | 
|  |                         constraintsMap.getOrDefault( | 
|  |                                 algorithm.toUpperCase(Locale.ENGLISH), | 
|  |                                 new ArrayList<>(1)); | 
|  |  | 
|  |                  | 
|  |                 for (String alias : AlgorithmDecomposer.getAliases(algorithm)) { | 
|  |                     constraintsMap.putIfAbsent( | 
|  |                             alias.toUpperCase(Locale.ENGLISH), constraintList); | 
|  |                 } | 
|  |  | 
|  |                 // If there is no whitespace, it is a algorithm name; however, | 
|  |                  | 
|  |                 if (space <= 0 || CurveDB.lookup(constraintEntry) != null) { | 
|  |                     constraintList.add(new DisabledConstraint(algorithm)); | 
|  |                     continue; | 
|  |                 } | 
|  |  | 
|  |                 String policy = constraintEntry.substring(space + 1); | 
|  |  | 
|  |                  | 
|  |                 Constraint c, lastConstraint = null; | 
|  |                  | 
|  |                 boolean jdkCALimit = false; | 
|  |                  | 
|  |                 boolean denyAfterLimit = false; | 
|  |  | 
|  |                 for (String entry : policy.split("&")) { | 
|  |                     entry = entry.trim(); | 
|  |  | 
|  |                     Matcher matcher; | 
|  |                     if (entry.startsWith("keySize")) { | 
|  |                         if (debug != null) { | 
|  |                             debug.println("Constraints set to keySize: " + | 
|  |                                     entry); | 
|  |                         } | 
|  |                         StringTokenizer tokens = new StringTokenizer(entry); | 
|  |                         if (!"keySize".equals(tokens.nextToken())) { | 
|  |                             throw new IllegalArgumentException("Error in " + | 
|  |                                     "security property. Constraint unknown: " + | 
|  |                                     entry); | 
|  |                         } | 
|  |                         c = new KeySizeConstraint(algorithm, | 
|  |                                 KeySizeConstraint.Operator.of(tokens.nextToken()), | 
|  |                                 Integer.parseInt(tokens.nextToken())); | 
|  |  | 
|  |                     } else if (entry.equalsIgnoreCase("jdkCA")) { | 
|  |                         if (debug != null) { | 
|  |                             debug.println("Constraints set to jdkCA."); | 
|  |                         } | 
|  |                         if (jdkCALimit) { | 
|  |                             throw new IllegalArgumentException("Only one " + | 
|  |                                     "jdkCA entry allowed in property. " + | 
|  |                                     "Constraint: " + constraintEntry); | 
|  |                         } | 
|  |                         c = new jdkCAConstraint(algorithm); | 
|  |                         jdkCALimit = true; | 
|  |  | 
|  |                     } else if (entry.startsWith("denyAfter") && | 
|  |                             (matcher = Holder.DENY_AFTER_PATTERN.matcher(entry)) | 
|  |                                     .matches()) { | 
|  |                         if (debug != null) { | 
|  |                             debug.println("Constraints set to denyAfter"); | 
|  |                         } | 
|  |                         if (denyAfterLimit) { | 
|  |                             throw new IllegalArgumentException("Only one " + | 
|  |                                     "denyAfter entry allowed in property. " + | 
|  |                                     "Constraint: " + constraintEntry); | 
|  |                         } | 
|  |                         int year = Integer.parseInt(matcher.group(1)); | 
|  |                         int month = Integer.parseInt(matcher.group(2)); | 
|  |                         int day = Integer.parseInt(matcher.group(3)); | 
|  |                         c = new DenyAfterConstraint(algorithm, year, month, | 
|  |                                 day); | 
|  |                         denyAfterLimit = true; | 
|  |                     } else if (entry.startsWith("usage")) { | 
|  |                         String s[] = (entry.substring(5)).trim().split(" "); | 
|  |                         c = new UsageConstraint(algorithm, s); | 
|  |                         if (debug != null) { | 
|  |                             debug.println("Constraints usage length is " + s.length); | 
|  |                         } | 
|  |                     } else { | 
|  |                         throw new IllegalArgumentException("Error in security" + | 
|  |                                 " property. Constraint unknown: " + entry); | 
|  |                     } | 
|  |  | 
|  |                     // Link multiple conditions for a single constraint | 
|  |                      | 
|  |                     if (lastConstraint == null) { | 
|  |                         constraintList.add(c); | 
|  |                     } else { | 
|  |                         lastConstraint.nextConstraint = c; | 
|  |                     } | 
|  |                     lastConstraint = c; | 
|  |                 } | 
|  |             } | 
|  |         } | 
|  |  | 
|  |          | 
|  |         private List<Constraint> getConstraints(String algorithm) { | 
|  |             return constraintsMap.get(algorithm.toUpperCase(Locale.ENGLISH)); | 
|  |         } | 
|  |  | 
|  |          | 
|  |         public boolean permits(Key key) { | 
|  |             List<Constraint> list = getConstraints(key.getAlgorithm()); | 
|  |             if (list == null) { | 
|  |                 return true; | 
|  |             } | 
|  |             for (Constraint constraint : list) { | 
|  |                 if (!constraint.permits(key)) { | 
|  |                     if (debug != null) { | 
|  |                         debug.println("Constraints: failed key size" + | 
|  |                                 "constraint check " + KeyUtil.getKeySize(key)); | 
|  |                     } | 
|  |                     return false; | 
|  |                 } | 
|  |             } | 
|  |             return true; | 
|  |         } | 
|  |  | 
|  |          | 
|  |         public boolean permits(String algorithm, AlgorithmParameters aps) { | 
|  |             List<Constraint> list = getConstraints(algorithm); | 
|  |             if (list == null) { | 
|  |                 return true; | 
|  |             } | 
|  |  | 
|  |             for (Constraint constraint : list) { | 
|  |                 if (!constraint.permits(aps)) { | 
|  |                     if (debug != null) { | 
|  |                         debug.println("Constraints: failed algorithm " + | 
|  |                                 "parameters constraint check " + aps); | 
|  |                     } | 
|  |  | 
|  |                     return false; | 
|  |                 } | 
|  |             } | 
|  |  | 
|  |             return true; | 
|  |         } | 
|  |  | 
|  |         public void permits(String algorithm, ConstraintsParameters cp) | 
|  |                 throws CertPathValidatorException { | 
|  |  | 
|  |             if (debug != null) { | 
|  |                 debug.println("Constraints.permits(): " + algorithm + ", " | 
|  |                               + cp.toString()); | 
|  |             } | 
|  |  | 
|  |              | 
|  |             Set<String> algorithms = new HashSet<>(); | 
|  |             if (algorithm != null) { | 
|  |                 algorithms.addAll(AlgorithmDecomposer.decomposeOneHash(algorithm)); | 
|  |                 algorithms.add(algorithm); | 
|  |             } | 
|  |  | 
|  |             for (Key key : cp.getKeys()) { | 
|  |                 algorithms.add(key.getAlgorithm()); | 
|  |             } | 
|  |  | 
|  |              | 
|  |             for (String alg : algorithms) { | 
|  |                 List<Constraint> list = getConstraints(alg); | 
|  |                 if (list == null) { | 
|  |                     continue; | 
|  |                 } | 
|  |                 for (Constraint constraint : list) { | 
|  |                     constraint.permits(cp); | 
|  |                 } | 
|  |             } | 
|  |         } | 
|  |     } | 
|  |  | 
|  |      | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |      */ | 
|  |     private abstract static class Constraint { | 
|  |         String algorithm; | 
|  |         Constraint nextConstraint = null; | 
|  |  | 
|  |          | 
|  |         enum Operator { | 
|  |             EQ,          | 
|  |             NE,          | 
|  |             LT,          | 
|  |             LE,          | 
|  |             GT,          | 
|  |             GE;          | 
|  |  | 
|  |             static Operator of(String s) { | 
|  |                 switch (s) { | 
|  |                     case "==": | 
|  |                         return EQ; | 
|  |                     case "!=": | 
|  |                         return NE; | 
|  |                     case "<": | 
|  |                         return LT; | 
|  |                     case "<=": | 
|  |                         return LE; | 
|  |                     case ">": | 
|  |                         return GT; | 
|  |                     case ">=": | 
|  |                         return GE; | 
|  |                 } | 
|  |  | 
|  |                 throw new IllegalArgumentException("Error in security " + | 
|  |                         "property. " + s + " is not a legal Operator"); | 
|  |             } | 
|  |         } | 
|  |  | 
|  |          | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |          */ | 
|  |         public boolean permits(Key key) { | 
|  |             return true; | 
|  |         } | 
|  |  | 
|  |          | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |          */ | 
|  |         public boolean permits(AlgorithmParameters parameters) { | 
|  |             return true; | 
|  |         } | 
|  |  | 
|  |          | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |          */ | 
|  |         public abstract void permits(ConstraintsParameters cp) | 
|  |                 throws CertPathValidatorException; | 
|  |  | 
|  |          | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |          */ | 
|  |         boolean next(ConstraintsParameters cp) | 
|  |                 throws CertPathValidatorException { | 
|  |             if (nextConstraint != null) { | 
|  |                 nextConstraint.permits(cp); | 
|  |                 return true; | 
|  |             } | 
|  |             return false; | 
|  |         } | 
|  |  | 
|  |          | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |          */ | 
|  |         boolean next(Key key) { | 
|  |             return nextConstraint != null && nextConstraint.permits(key); | 
|  |         } | 
|  |     } | 
|  |  | 
|  |      | 
|  |  | 
|  |  | 
|  |      */ | 
|  |     private static class jdkCAConstraint extends Constraint { | 
|  |         jdkCAConstraint(String algo) { | 
|  |             algorithm = algo; | 
|  |         } | 
|  |  | 
|  |          | 
|  |  | 
|  |  | 
|  |  | 
|  |          */ | 
|  |         @Override | 
|  |         public void permits(ConstraintsParameters cp) | 
|  |                 throws CertPathValidatorException { | 
|  |             if (debug != null) { | 
|  |                 debug.println("jdkCAConstraints.permits(): " + algorithm); | 
|  |             } | 
|  |  | 
|  |             // Check if any certs chain back to at least one trust anchor in | 
|  |              | 
|  |             if (cp.anchorIsJdkCA()) { | 
|  |                 if (next(cp)) { | 
|  |                     return; | 
|  |                 } | 
|  |                 throw new CertPathValidatorException( | 
|  |                         "Algorithm constraints check failed on certificate " + | 
|  |                         "anchor limits. " + algorithm + cp.extendedExceptionMsg(), | 
|  |                         null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); | 
|  |             } | 
|  |         } | 
|  |     } | 
|  |  | 
|  |      | 
|  |  | 
|  |  | 
|  |      */ | 
|  |     private static class DenyAfterConstraint extends Constraint { | 
|  |         private Date denyAfterDate; | 
|  |         private static final SimpleDateFormat dateFormat = | 
|  |                 new SimpleDateFormat("EEE, MMM d HH:mm:ss z yyyy"); | 
|  |  | 
|  |         DenyAfterConstraint(String algo, int year, int month, int day) { | 
|  |             Calendar c; | 
|  |  | 
|  |             algorithm = algo; | 
|  |  | 
|  |             if (debug != null) { | 
|  |                 debug.println("DenyAfterConstraint read in as:  year " + | 
|  |                         year + ", month = " + month + ", day = " + day); | 
|  |             } | 
|  |  | 
|  |             c = new Calendar.Builder().setTimeZone(TimeZone.getTimeZone("GMT")) | 
|  |                     .setDate(year, month - 1, day).build(); | 
|  |  | 
|  |             if (year > c.getActualMaximum(Calendar.YEAR) || | 
|  |                     year < c.getActualMinimum(Calendar.YEAR)) { | 
|  |                 throw new IllegalArgumentException( | 
|  |                         "Invalid year given in constraint: " + year); | 
|  |             } | 
|  |             if ((month - 1) > c.getActualMaximum(Calendar.MONTH) || | 
|  |                     (month - 1) < c.getActualMinimum(Calendar.MONTH)) { | 
|  |                 throw new IllegalArgumentException( | 
|  |                         "Invalid month given in constraint: " + month); | 
|  |             } | 
|  |             if (day > c.getActualMaximum(Calendar.DAY_OF_MONTH) || | 
|  |                     day < c.getActualMinimum(Calendar.DAY_OF_MONTH)) { | 
|  |                 throw new IllegalArgumentException( | 
|  |                         "Invalid Day of Month given in constraint: " + day); | 
|  |             } | 
|  |  | 
|  |             denyAfterDate = c.getTime(); | 
|  |             if (debug != null) { | 
|  |                 debug.println("DenyAfterConstraint date set to: " + | 
|  |                         dateFormat.format(denyAfterDate)); | 
|  |             } | 
|  |         } | 
|  |  | 
|  |          | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |  | 
|  |          */ | 
|  |         @Override | 
|  |         public void permits(ConstraintsParameters cp) | 
|  |                 throws CertPathValidatorException { | 
|  |             Date currentDate; | 
|  |             String errmsg; | 
|  |  | 
|  |             if (cp.getDate() != null) { | 
|  |                 currentDate = cp.getDate(); | 
|  |             } else { | 
|  |                 currentDate = new Date(); | 
|  |             } | 
|  |  | 
|  |             if (!denyAfterDate.after(currentDate)) { | 
|  |                 if (next(cp)) { | 
|  |                     return; | 
|  |                 } | 
|  |                 throw new CertPathValidatorException( | 
|  |                         "denyAfter constraint check failed: " + algorithm + | 
|  |                         " used with Constraint date: " + | 
|  |                         dateFormat.format(denyAfterDate) + "; params date: " + | 
|  |                         dateFormat.format(currentDate) + cp.extendedExceptionMsg(), | 
|  |                         null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); | 
|  |             } | 
|  |         } | 
|  |  | 
|  |          | 
|  |  | 
|  |  | 
|  |          */ | 
|  |         @Override | 
|  |         public boolean permits(Key key) { | 
|  |             if (next(key)) { | 
|  |                 return true; | 
|  |             } | 
|  |             if (debug != null) { | 
|  |                 debug.println("DenyAfterConstraints.permits(): " + algorithm); | 
|  |             } | 
|  |  | 
|  |             return denyAfterDate.after(new Date()); | 
|  |         } | 
|  |     } | 
|  |  | 
|  |      | 
|  |  | 
|  |  | 
|  |      */ | 
|  |     private static class UsageConstraint extends Constraint { | 
|  |         String[] usages; | 
|  |  | 
|  |         UsageConstraint(String algorithm, String[] usages) { | 
|  |             this.algorithm = algorithm; | 
|  |             this.usages = usages; | 
|  |         } | 
|  |  | 
|  |         @Override | 
|  |         public void permits(ConstraintsParameters cp) | 
|  |                 throws CertPathValidatorException { | 
|  |             String variant = cp.getVariant(); | 
|  |             for (String usage : usages) { | 
|  |  | 
|  |                 boolean match = false; | 
|  |                 switch (usage.toLowerCase()) { | 
|  |                     case "tlsserver": | 
|  |                         match = variant.equals(Validator.VAR_TLS_SERVER); | 
|  |                         break; | 
|  |                     case "tlsclient": | 
|  |                         match = variant.equals(Validator.VAR_TLS_CLIENT); | 
|  |                         break; | 
|  |                     case "signedjar": | 
|  |                         match = | 
|  |                             variant.equals(Validator.VAR_PLUGIN_CODE_SIGNING) || | 
|  |                             variant.equals(Validator.VAR_CODE_SIGNING) || | 
|  |                             variant.equals(Validator.VAR_TSA_SERVER); | 
|  |                         break; | 
|  |                 } | 
|  |  | 
|  |                 if (debug != null) { | 
|  |                     debug.println("Checking if usage constraint \"" + usage + | 
|  |                             "\" matches \"" + cp.getVariant() + "\""); | 
|  |                     // Because usage checking can come from many places | 
|  |                      | 
|  |                     ByteArrayOutputStream ba = new ByteArrayOutputStream(); | 
|  |                     PrintStream ps = new PrintStream(ba); | 
|  |                     (new Exception()).printStackTrace(ps); | 
|  |                     debug.println(ba.toString()); | 
|  |                 } | 
|  |                 if (match) { | 
|  |                     if (next(cp)) { | 
|  |                         return; | 
|  |                     } | 
|  |                     throw new CertPathValidatorException("Usage constraint " + | 
|  |                             usage + " check failed: " + algorithm + | 
|  |                             cp.extendedExceptionMsg(), | 
|  |                             null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); | 
|  |                 } | 
|  |             } | 
|  |         } | 
|  |     } | 
|  |  | 
|  |      | 
|  |  | 
|  |  | 
|  |      */ | 
|  |     private static class KeySizeConstraint extends Constraint { | 
|  |  | 
|  |         private int minSize;             | 
|  |         private int maxSize;             | 
|  |         private int prohibitedSize = -1;     | 
|  |         private int size; | 
|  |  | 
|  |         public KeySizeConstraint(String algo, Operator operator, int length) { | 
|  |             algorithm = algo; | 
|  |             switch (operator) { | 
|  |                 case EQ:       | 
|  |                     this.minSize = 0; | 
|  |                     this.maxSize = Integer.MAX_VALUE; | 
|  |                     prohibitedSize = length; | 
|  |                     break; | 
|  |                 case NE: | 
|  |                     this.minSize = length; | 
|  |                     this.maxSize = length; | 
|  |                     break; | 
|  |                 case LT: | 
|  |                     this.minSize = length; | 
|  |                     this.maxSize = Integer.MAX_VALUE; | 
|  |                     break; | 
|  |                 case LE: | 
|  |                     this.minSize = length + 1; | 
|  |                     this.maxSize = Integer.MAX_VALUE; | 
|  |                     break; | 
|  |                 case GT: | 
|  |                     this.minSize = 0; | 
|  |                     this.maxSize = length; | 
|  |                     break; | 
|  |                 case GE: | 
|  |                     this.minSize = 0; | 
|  |                     this.maxSize = length > 1 ? (length - 1) : 0; | 
|  |                     break; | 
|  |                 default: | 
|  |                      | 
|  |                     this.minSize = Integer.MAX_VALUE; | 
|  |                     this.maxSize = -1; | 
|  |             } | 
|  |         } | 
|  |  | 
|  |          | 
|  |  | 
|  |  | 
|  |  | 
|  |          */ | 
|  |         @Override | 
|  |         public void permits(ConstraintsParameters cp) | 
|  |                 throws CertPathValidatorException { | 
|  |             for (Key key : cp.getKeys()) { | 
|  |                 if (!permitsImpl(key)) { | 
|  |                     if (nextConstraint != null) { | 
|  |                         nextConstraint.permits(cp); | 
|  |                         continue; | 
|  |                     } | 
|  |                     throw new CertPathValidatorException( | 
|  |                         "Algorithm constraints check failed on keysize limits: " + | 
|  |                         algorithm + " " + KeyUtil.getKeySize(key) + " bit key" + | 
|  |                         cp.extendedExceptionMsg(), | 
|  |                         null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); | 
|  |                 } | 
|  |             } | 
|  |         } | 
|  |  | 
|  |  | 
|  |         // Check if key constraint disable the specified key | 
|  |          | 
|  |         @Override | 
|  |         public boolean permits(Key key) { | 
|  |             // If we recursively find a constraint that permits us to use | 
|  |              | 
|  |             if (nextConstraint != null && nextConstraint.permits(key)) { | 
|  |                 return true; | 
|  |             } | 
|  |             if (debug != null) { | 
|  |                 debug.println("KeySizeConstraints.permits(): " + algorithm); | 
|  |             } | 
|  |  | 
|  |             return permitsImpl(key); | 
|  |         } | 
|  |  | 
|  |         @Override | 
|  |         public boolean permits(AlgorithmParameters parameters) { | 
|  |             String paramAlg = parameters.getAlgorithm(); | 
|  |             if (!algorithm.equalsIgnoreCase(parameters.getAlgorithm())) { | 
|  |                  | 
|  |                 Collection<String> aliases = | 
|  |                         AlgorithmDecomposer.getAliases(algorithm); | 
|  |                 if (!aliases.contains(paramAlg)) { | 
|  |                     return true; | 
|  |                 } | 
|  |             } | 
|  |  | 
|  |             int keySize = KeyUtil.getKeySize(parameters); | 
|  |             if (keySize == 0) { | 
|  |                 return false; | 
|  |             } else if (keySize > 0) { | 
|  |                 return !((keySize < minSize) || (keySize > maxSize) || | 
|  |                     (prohibitedSize == keySize)); | 
|  |             }   // Otherwise, the key size is not accessible or determined. | 
|  |                 // Conservatively, please don't disable such keys. | 
|  |  | 
|  |             return true; | 
|  |         } | 
|  |  | 
|  |         private boolean permitsImpl(Key key) { | 
|  |              | 
|  |             if (algorithm.compareToIgnoreCase(key.getAlgorithm()) != 0) { | 
|  |                 return true; | 
|  |             } | 
|  |  | 
|  |             size = KeyUtil.getKeySize(key); | 
|  |             if (size == 0) { | 
|  |                 return false;     | 
|  |             } else if (size > 0) { | 
|  |                 return !((size < minSize) || (size > maxSize) || | 
|  |                     (prohibitedSize == size)); | 
|  |             }   // Otherwise, the key size is not accessible. Conservatively, | 
|  |                 // please don't disable such keys. | 
|  |  | 
|  |             return true; | 
|  |         } | 
|  |     } | 
|  |  | 
|  |      | 
|  |  | 
|  |      */ | 
|  |     private static class DisabledConstraint extends Constraint { | 
|  |         DisabledConstraint(String algo) { | 
|  |             algorithm = algo; | 
|  |         } | 
|  |  | 
|  |         @Override | 
|  |         public void permits(ConstraintsParameters cp) | 
|  |                 throws CertPathValidatorException { | 
|  |             throw new CertPathValidatorException( | 
|  |                     "Algorithm constraints check failed on disabled " + | 
|  |                             "algorithm: " + algorithm + cp.extendedExceptionMsg(), | 
|  |                     null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); | 
|  |         } | 
|  |  | 
|  |         @Override | 
|  |         public boolean permits(Key key) { | 
|  |             return false; | 
|  |         } | 
|  |     } | 
|  | } |