1 /* 2 * Copyright (c) 2016, 2019, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 26 package sun.security.util; 27 28 import sun.security.validator.Validator; 29 30 import java.security.AlgorithmParameters; 31 import java.security.Key; 32 import java.security.Timestamp; 33 import java.security.cert.X509Certificate; 34 import java.security.interfaces.ECKey; 35 import java.security.interfaces.XECKey; 36 import java.security.spec.NamedParameterSpec; 37 import java.util.Date; 38 39 /** 40 * This class contains parameters for checking against constraints that extend 41 * past the publicly available parameters in java.security.AlgorithmConstraints. 42 * 43 * This is currently passed between PKIX, AlgorithmChecker, 44 * and DisabledAlgorithmConstraints. 
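*/
public class ConstraintsParameters {
    /*
     * The below 3 values are used the same as the permit() methods
     * published in java.security.AlgorithmConstraints.
     */
    // Algorithm string to be checked against constraints
    private final String algorithm;
    // AlgorithmParameters to the algorithm being checked
    private final AlgorithmParameters algParams;
    // Key being checked against constraints
    private final Key key;

    /*
     * New values that are checked against constraints that the current public
     * API does not support.
     */
    // A certificate being passed to check against constraints.
    private final X509Certificate cert;
    // This is true if the trust anchor in the certificate chain matches a cert
    // in AnchorCertificates
    private final boolean trustedMatch;
    // PKIXParameter date
    private final Date pkixDate;
    // Timestamp of the signed JAR file
    private final Timestamp jarTimestamp;
    // Validator variant; Validator.VAR_GENERIC when the caller passed null
    private final String variant;
    // Named Curve(s) of the key under check; never null, EMPTYLIST when none
    private final String[] curveStr;
    // Shared zero-length array. It is stored in curveStr, so it must never be
    // handed out directly to callers (see getNamedCurve()).
    private static final String[] EMPTYLIST = new String[0];

    /**
     * Creates parameters for checking a certificate (and its context) against
     * constraints. The algorithm/parameters/key fields are left null.
     *
     * @param c        the certificate being checked, may be null
     * @param match    true if the trust anchor matched an entry in
     *                 AnchorCertificates
     * @param pkixdate the PKIXParameters date, may be null
     * @param jarTime  the timestamp of the signed JAR file, may be null
     * @param variant  the validator variant; null selects Validator.VAR_GENERIC
     */
    public ConstraintsParameters(X509Certificate c, boolean match,
            Date pkixdate, Timestamp jarTime, String variant) {
        cert = c;
        trustedMatch = match;
        pkixDate = pkixdate;
        jarTimestamp = jarTime;
        this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
        algorithm = null;
        algParams = null;
        key = null;
        // The named curve is derived from the certificate's public key.
        curveStr = (c == null ? EMPTYLIST
                : getNamedCurveFromKey(c.getPublicKey()));
    }

    /**
     * Creates parameters for checking an algorithm, its parameters and a key
     * against constraints. The certificate-related fields are left unset.
     *
     * @param algorithm the algorithm name being checked
     * @param params    the algorithm parameters, may be null
     * @param key       the key being checked, may be null
     * @param variant   the validator variant; null selects Validator.VAR_GENERIC
     */
    public ConstraintsParameters(String algorithm, AlgorithmParameters params,
            Key key, String variant) {
        this.algorithm = algorithm;
        algParams = params;
        this.key = key;
        // getNamedCurveFromKey() tolerates a null key and returns EMPTYLIST.
        curveStr = getNamedCurveFromKey(key);
        cert = null;
        trustedMatch = false;
        pkixDate = null;
        jarTimestamp = null;
        this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
    }

    /**
     * Creates certificate parameters with no anchor match, no PKIX date, no
     * JAR timestamp and the generic variant.
     *
     * @param c the certificate being checked, may be null
     */
    public ConstraintsParameters(X509Certificate c) {
        this(c, false, null, null, Validator.VAR_GENERIC);
    }

    /**
     * Creates parameters carrying only a JAR timestamp, with the generic
     * variant.
     *
     * @param jarTime the timestamp of the signed JAR file
     */
    public ConstraintsParameters(Timestamp jarTime) {
        this(null, false, null, jarTime, Validator.VAR_GENERIC);
    }

    /** @return the algorithm name being checked, or null for the cert form */
    public String getAlgorithm() {
        return algorithm;
    }

    /** @return the algorithm parameters being checked, or null */
    public AlgorithmParameters getAlgParams() {
        return algParams;
    }

    /** @return the key being checked, or null for the cert form */
    public Key getKey() {
        return key;
    }

    // Returns if the trust anchor has a match if anchor checking is enabled.
    public boolean isTrustedMatch() {
        return trustedMatch;
    }

    /** @return the certificate being checked, or null */
    public X509Certificate getCertificate() {
        return cert;
    }

    /** @return the PKIXParameters date, or null */
    public Date getPKIXParamDate() {
        return pkixDate;
    }

    /** @return the timestamp of the signed JAR file, or null */
    public Timestamp getJARTimestamp() {
        return jarTimestamp;
    }

    /** @return the validator variant, never null */
    public String getVariant() {
        return variant;
    }

    /**
     * Returns the named curve(s) of the key under check.
     *
     * @return a copy of the curve names; empty (never null) when the key is
     *         not an EC/XEC key or its curve is not known. A copy is returned
     *         so a caller cannot alter the names that constraint checks use.
     */
    public String[] getNamedCurve() {
        return curveStr.clone();
    }

    /**
     * Determines the named curve(s) associated with a key.
     *
     * @param key the key to inspect, may be null
     * @return the curve names known for an EC or XEC key, or an empty array
     *         when the key is null, is neither EC nor XEC, or its curve is
     *         not recognised
     */
    public static String[] getNamedCurveFromKey(Key key) {
        if (key instanceof ECKey) {
            NamedCurve nc = CurveDB.lookup(((ECKey)key).getParams());
            return (nc == null ? EMPTYLIST
                    : CurveDB.getNamesByOID(nc.getObjectId()));
        } else if (key instanceof XECKey) {
            // XECKey.getParams() is declared as AlgorithmParameterSpec; only a
            // NamedParameterSpec carries a curve name. Guard the cast so a
            // key from another provider cannot trigger a ClassCastException.
            java.security.spec.AlgorithmParameterSpec spec =
                    ((XECKey)key).getParams();
            if (spec instanceof NamedParameterSpec) {
                return new String[] { ((NamedParameterSpec)spec).getName() };
            }
            return EMPTYLIST;
        } else {
            return EMPTYLIST;
        }
    }

    /**
     * Renders the certificate, algorithm parameters, named curves and
     * variant, one per line, for diagnostics.
     */
    @Override
    public String toString() {
        StringBuilder s = new StringBuilder();
        s.append("Cert: ");
        if (cert != null) {
            s.append(cert.toString());
            s.append("\nSigAlgo: ");
            s.append(cert.getSigAlgName());
        } else {
            s.append("None");
        }
        s.append("\nAlgParams: ");
        if (algParams != null) {
            // Append the text form; a bare algParams.toString() call would be
            // evaluated and discarded, leaving this line empty.
            s.append(algParams.toString());
        } else {
            s.append("None");
        }
        s.append("\nNamedCurves: ");
        for (String c : curveStr) {
            s.append(c).append(' ');
        }
        s.append("\nVariant: ").append(variant);
        return s.toString();
    }

}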