/*
 * Copyright (c) 2016, 2019, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Oracle designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Oracle in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
25 
26 package sun.security.util;
27 
28 import sun.security.validator.Validator;
29 
30 import java.security.AlgorithmParameters;
31 import java.security.Key;
32 import java.security.Timestamp;
33 import java.security.cert.X509Certificate;
34 import java.security.interfaces.ECKey;
35 import java.security.interfaces.XECKey;
36 import java.security.spec.NamedParameterSpec;
37 import java.util.Date;
38 
/**
 * This class contains the parameters for checking against constraints that
 * go beyond the publicly available parameters of
 * java.security.AlgorithmConstraints.
 *
 * It is currently passed between PKIX, AlgorithmChecker,
 * and DisabledAlgorithmConstraints.
 */
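public class ConstraintsParameters {
    /*
     * The below 3 values are used the same as the permit() methods
     * published in java.security.AlgorithmConstraints.
     */
    // Algorithm string to be checked against constraints
    private final String algorithm;
    // AlgorithmParameters to the algorithm being checked
    private final AlgorithmParameters algParams;
    // Key being checked against constraints
    private final Key key;

    /*
     * New values that are checked against constraints that the current public
     * API does not support.
     */
    // A certificate being passed to check against constraints.
    private final X509Certificate cert;
    // This is true if the trust anchor in the certificate chain matches a cert
    // in AnchorCertificates
    private final boolean trustedMatch;
    // PKIXParameter date
    private final Date pkixDate;
    // Timestamp of the signed JAR file
    private final Timestamp jarTimestamp;
    // Validator variant string; never null, every constructor substitutes
    // Validator.VAR_GENERIC when the caller passes null
    private final String variant;
    // Named curve name(s) derived from the key (or the certificate's public
    // key); never null, empty when no curve could be determined
    private final String[] curveStr;
    private static final String[] EMPTYLIST = new String[0];

    /**
     * Creates parameters for checking a certificate.
     *
     * @param c        certificate to check; may be null, in which case no
     *                 named curve is recorded
     * @param match    true if the chain's trust anchor matched a cert in
     *                 AnchorCertificates
     * @param pkixdate the PKIXParameters date; may be null
     * @param jarTime  timestamp of the signed JAR file; may be null
     * @param variant  Validator variant; null means Validator.VAR_GENERIC
     */
    public ConstraintsParameters(X509Certificate c, boolean match,
            Date pkixdate, Timestamp jarTime, String variant) {
        cert = c;
        trustedMatch = match;
        pkixDate = pkixdate;
        jarTimestamp = jarTime;
        this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
        // The algorithm/params/key triple is only populated by the other
        // public constructor; this one describes a certificate.
        algorithm = null;
        algParams = null;
        key = null;
        curveStr = (c == null ? EMPTYLIST : getNamedCurveFromKey(c.getPublicKey()));
    }

    /**
     * Creates parameters for checking an algorithm, its parameters and a key,
     * mirroring the permit() methods of java.security.AlgorithmConstraints.
     *
     * @param algorithm algorithm name to check; may be null
     * @param params    parameters of the algorithm; may be null
     * @param key       key to check; may be null, then no named curve is
     *                  recorded
     * @param variant   Validator variant; null means Validator.VAR_GENERIC
     */
    public ConstraintsParameters(String algorithm, AlgorithmParameters params,
            Key key, String variant) {
        this.algorithm = algorithm;
        algParams = params;
        this.key = key;
        curveStr = getNamedCurveFromKey(key);
        // Certificate-related values are not applicable for a plain key check.
        cert = null;
        trustedMatch = false;
        pkixDate = null;
        jarTimestamp = null;
        this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
    }

    /**
     * Creates parameters for checking a certificate with no trust-anchor
     * match, no PKIX date, no JAR timestamp and the generic variant.
     *
     * @param c certificate to check; may be null
     */
    public ConstraintsParameters(X509Certificate c) {
        this(c, false, null, null, Validator.VAR_GENERIC);
    }

    /**
     * Creates parameters carrying only a signed-JAR timestamp and the generic
     * variant; no certificate, key or algorithm is recorded.
     *
     * @param jarTime timestamp of the signed JAR file; may be null
     */
    public ConstraintsParameters(Timestamp jarTime) {
        this(null, false, null, jarTime, Validator.VAR_GENERIC);
    }

    /** @return the algorithm name being checked, or null for a cert check */
    public String getAlgorithm() {
        return algorithm;
    }

    /** @return the algorithm parameters being checked, or null */
    public AlgorithmParameters getAlgParams() {
        return algParams;
    }

    /** @return the key being checked, or null for a cert check */
    public Key getKey() {
        return key;
    }

    /**
     * Returns if the trust anchor has a match if anchor checking is enabled.
     *
     * @return true if the chain's trust anchor matched a cert in
     *         AnchorCertificates; always false for a key/algorithm check
     */
    public boolean isTrustedMatch() {
        return trustedMatch;
    }

    /** @return the certificate being checked, or null for a key check */
    public X509Certificate getCertificate() {
        return cert;
    }

    /** @return the PKIXParameters date, or null if none was supplied */
    public Date getPKIXParamDate() {
        return pkixDate;
    }

    /** @return the signed JAR timestamp, or null if none was supplied */
    public Timestamp getJARTimestamp() {
        return jarTimestamp;
    }

    /** @return the Validator variant; never null */
    public String getVariant() {
        return variant;
    }

    /**
     * Returns the named curve name(s) of the key or certificate public key.
     *
     * A copy is returned so a caller cannot modify the array held by this
     * object (which may be one handed out by CurveDB) and thereby change what
     * later constraint checks see.
     *
     * @return a fresh array of curve names; empty, never null, when no curve
     *         could be determined
     */
    public String[] getNamedCurve() {
        return curveStr.clone();
    }

    /**
     * Determines the named curve name(s) for a key.
     *
     * @param key key to inspect; may be null or of any algorithm
     * @return names of the EC curve looked up in CurveDB, the single name of
     *         an XEC key's NamedParameterSpec, or an empty array when the key
     *         is neither an EC/XEC key nor a known EC curve
     */
    public static String[] getNamedCurveFromKey(Key key) {
        if (key instanceof ECKey) {
            NamedCurve nc = CurveDB.lookup(((ECKey) key).getParams());
            return (nc == null ? EMPTYLIST
                    : CurveDB.getNamesByOID(nc.getObjectId()));
        } else if (key instanceof XECKey) {
            // An XECKey implementation whose getParams() is not a
            // NamedParameterSpec throws ClassCastException here; that is
            // deliberately left as is rather than mapped to "no curve", since
            // an unidentifiable curve should not quietly bypass curve
            // constraints.
            NamedParameterSpec spec =
                    (NamedParameterSpec) ((XECKey) key).getParams();
            return new String[] { spec.getName() };
        } else {
            return EMPTYLIST;
        }
    }

    /**
     * Renders the parameters for diagnostics. Note that the full certificate
     * text (which may be large) is included when a certificate is present.
     *
     * @return a multi-line description of cert, signature algorithm,
     *         algorithm parameters, named curves and variant
     */
    @Override
    public String toString() {
        StringBuilder s = new StringBuilder();
        s.append("Cert:       ");
        if (cert != null) {
            s.append(cert.toString());
            s.append("\nSigAlgo:    ");
            s.append(cert.getSigAlgName());
        } else {
            s.append("None");
        }
        s.append("\nAlgParams:  ");
        if (algParams != null) {
            // Previously the toString() result was computed and discarded,
            // leaving this label with no value.
            s.append(algParams.toString());
        } else {
            s.append("None");
        }
        s.append("\nNamedCurves: ");
        for (String c : curveStr) {
            s.append(c).append(' ');
        }
        s.append("\nVariant:    ").append(variant);
        return s.toString();
    }

}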