Back to index...

	/*
	* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
	* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
	*
	* This code is free software; you can redistribute it and/or modify it
	* under the terms of the GNU General Public License version 2 only, as
	* published by the Free Software Foundation. Oracle designates this
	* particular file as subject to the "Classpath" exception as provided
	* by Oracle in the LICENSE file that accompanied this code.
	*
	* This code is distributed in the hope that it will be useful, but WITHOUT
	* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
	* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	* version 2 for more details (a copy is included in the LICENSE file that
	* accompanied this code).
	*
	* You should have received a copy of the GNU General Public License version
	* 2 along with this work; if not, write to the Free Software Foundation,
	* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
	*
	* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
	* or visit www.oracle.com if you need additional information or have any
	* questions.
	*/

	package sun.security.util;

	import java.security.CodeSigner;
	import java.security.Key;
	import java.security.Timestamp;
	import java.security.cert.CertPath;
	import java.security.cert.X509Certificate;
	import java.util.Date;
	import java.util.HashSet;
	import java.util.List;
	import java.util.Set;
	import sun.security.util.AnchorCertificates;
	import sun.security.util.ConstraintsParameters;
	import sun.security.validator.Validator;

	/**
	* This class contains parameters for checking signed JARs against
	* constraints specified in the jdk.jar.disabledAlgorithms security
	* property.
	*/
	public class JarConstraintsParameters implements ConstraintsParameters {

	// true if chain is anchored by a JDK root CA
	private boolean anchorIsJdkCA;
	private boolean anchorIsJdkCASet;
	// The timestamp of the signed JAR file, if timestamped
	private Date timestamp;
	// The keys of the signers
	private final Set<Key> keys;
	// The certs in the signers' chains that are issued by the trust anchor
	private final Set<X509Certificate> certsIssuedByAnchor;
	// The extended exception message
	private String message;

	/**
	* Create a JarConstraintsParameters.
	*
	* @param signers the CodeSigners that signed the JAR
	*/
	public JarConstraintsParameters(CodeSigner[] signers) {
	this.keys = new HashSet<>();
	this.certsIssuedByAnchor = new HashSet<>();
	Date latestTimestamp = null;
	boolean skipTimestamp = false;

	// Iterate over the signers and extract the keys, the latest
	// timestamp, and the last certificate of each chain which can be
	// used for checking if the signer's certificate chains back to a
	// JDK root CA
	for (CodeSigner signer : signers) {
	init(signer.getSignerCertPath());
	Timestamp timestamp = signer.getTimestamp();
	if (timestamp == null) {
	// this means one of the signers doesn't have a timestamp
	// and the JAR should be treated as if it isn't timestamped
	latestTimestamp = null;
	skipTimestamp = true;
	} else {
	// add the key and last cert of TSA too
	init(timestamp.getSignerCertPath());
	if (!skipTimestamp) {
	Date timestampDate = timestamp.getTimestamp();
	if (latestTimestamp == null) {
	latestTimestamp = timestampDate;
	} else {
	if (latestTimestamp.before(timestampDate)) {
	latestTimestamp = timestampDate;
	}
	}
	}
	}
	}
	this.timestamp = latestTimestamp;
	}

	// extract last certificate and key from chain
	private void init(CertPath cp) {
	@SuppressWarnings("unchecked")
	List<X509Certificate> chain =
	(List<X509Certificate>)cp.getCertificates();
	if (!chain.isEmpty()) {
	this.certsIssuedByAnchor.add(chain.get(chain.size() - 1));
	this.keys.add(chain.get(0).getPublicKey());
	}
	}

	@Override
	public String getVariant() {
	return Validator.VAR_GENERIC;
	}

	/**
	* Since loading the cacerts keystore can be an expensive operation,
	* this is only performed if this method is called during a "jdkCA"
	* constraints check of a disabled algorithm, and the result is cached.
	*
	* @return true if at least one of the certificates are issued by a
	* JDK root CA
	*/
	@Override
	public boolean anchorIsJdkCA() {
	if (anchorIsJdkCASet) {
	return anchorIsJdkCA;
	}
	for (X509Certificate cert : certsIssuedByAnchor) {
	if (AnchorCertificates.issuerOf(cert)) {
	anchorIsJdkCA = true;
	break;
	}
	}
	anchorIsJdkCASet = true;
	return anchorIsJdkCA;
	}

	@Override
	public Date getDate() {
	return timestamp;
	}

	@Override
	public Set<Key> getKeys() {
	return keys;
	}

	/**
	* Sets the extended error message. Note: this should be used
	* carefully as it is specific to the attribute/entry/file being checked.
	*
	* @param file the name of the signature related file being verified
	* @param target the attribute containing the algorithm that is being
	* checked
	*/
	public void setExtendedExceptionMsg(String file, String target) {
	message = " used" + (target != null ? " with " + target : "") +
	" in " + file + " file.";
	}

	@Override
	public String extendedExceptionMsg() {
	return message;
	}

	@Override
	public String toString() {
	StringBuilder sb = new StringBuilder("[\n");
	sb.append("\n Variant: ").append(getVariant());
	sb.append("\n Certs Issued by Anchor:");
	for (X509Certificate cert : certsIssuedByAnchor) {
	sb.append("\n Cert Issuer: ")
	.append(cert.getIssuerX500Principal());
	sb.append("\n Cert Subject: ")
	.append(cert.getSubjectX500Principal());
	}
	for (Key key : keys) {
	sb.append("\n Key: ").append(key.getAlgorithm());
	}
	if (timestamp != null) {
	sb.append("\n Timestamp: ").append(timestamp);
	}
	sb.append("\n]");
	return sb.toString();
	}
	}

Back to index...