1 /* 2 * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. 3 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 4 * 5 * This code is free software; you can redistribute it and/or modify it 6 * under the terms of the GNU General Public License version 2 only, as 7 * published by the Free Software Foundation. Oracle designates this 8 * particular file as subject to the "Classpath" exception as provided 9 * by Oracle in the LICENSE file that accompanied this code. 10 * 11 * This code is distributed in the hope that it will be useful, but WITHOUT 12 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 13 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License 14 * version 2 for more details (a copy is included in the LICENSE file that 15 * accompanied this code). 16 * 17 * You should have received a copy of the GNU General Public License version 18 * 2 along with this work; if not, write to the Free Software Foundation, 19 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. 20 * 21 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA 22 * or visit www.oracle.com if you need additional information or have any 23 * questions. 24 */ 25 package sun.security.provider.certpath; 26 27 import java.security.InvalidAlgorithmParameterException; 28 import java.security.KeyStore; 29 import java.security.PublicKey; 30 import java.security.cert.*; 31 import java.security.interfaces.DSAPublicKey; 32 import java.util.*; 33 import javax.security.auth.x500.X500Principal; 34 35 import sun.security.util.Debug; 36 37 /** 38 * Common utility methods and classes used by the PKIX CertPathValidator and 39 * CertPathBuilder implementation. 40 */ 41 class PKIX { 42 43 private static final Debug debug = Debug.getInstance("certpath"); 44 PKIX()45 private PKIX() { } 46 isDSAPublicKeyWithoutParams(PublicKey publicKey)47 static boolean isDSAPublicKeyWithoutParams(PublicKey publicKey) { 48 return (publicKey instanceof DSAPublicKey && 49 ((DSAPublicKey)publicKey).getParams() == null); 50 } 51 checkParams(CertPath cp, CertPathParameters params)52 static ValidatorParams checkParams(CertPath cp, CertPathParameters params) 53 throws InvalidAlgorithmParameterException 54 { 55 if (!(params instanceof PKIXParameters)) { 56 throw new InvalidAlgorithmParameterException("inappropriate " 57 + "params, must be an instance of PKIXParameters"); 58 } 59 return new ValidatorParams(cp, (PKIXParameters)params); 60 } 61 checkBuilderParams(CertPathParameters params)62 static BuilderParams checkBuilderParams(CertPathParameters params) 63 throws InvalidAlgorithmParameterException 64 { 65 if (!(params instanceof PKIXBuilderParameters)) { 66 throw new InvalidAlgorithmParameterException("inappropriate " 67 + "params, must be an instance of PKIXBuilderParameters"); 68 } 69 return new BuilderParams((PKIXBuilderParameters)params); 70 } 71 72 /** 73 * PKIXParameters that are shared by the PKIX CertPathValidator 74 * implementation. Provides additional functionality and avoids 75 * unnecessary cloning. 76 */ 77 static class ValidatorParams { 78 private final PKIXParameters params; 79 private CertPath certPath; 80 private List<PKIXCertPathChecker> checkers; 81 private List<CertStore> stores; 82 private boolean gotDate; 83 private Date date; 84 private Set<String> policies; 85 private boolean gotConstraints; 86 private CertSelector constraints; 87 private Set<TrustAnchor> anchors; 88 private List<X509Certificate> certs; 89 ValidatorParams(CertPath cp, PKIXParameters params)90 ValidatorParams(CertPath cp, PKIXParameters params) 91 throws InvalidAlgorithmParameterException 92 { 93 this(params); 94 if (!cp.getType().equals("X.509") && !cp.getType().equals("X509")) { 95 throw new InvalidAlgorithmParameterException("inappropriate " 96 + "CertPath type specified, must be X.509 or X509"); 97 } 98 this.certPath = cp; 99 } 100 ValidatorParams(PKIXParameters params)101 ValidatorParams(PKIXParameters params) 102 throws InvalidAlgorithmParameterException 103 { 104 this.anchors = params.getTrustAnchors(); 105 // Make sure that none of the trust anchors include name constraints 106 // (not supported). 107 for (TrustAnchor anchor : this.anchors) { 108 if (anchor.getNameConstraints() != null) { 109 throw new InvalidAlgorithmParameterException 110 ("name constraints in trust anchor not supported"); 111 } 112 } 113 this.params = params; 114 } 115 certPath()116 CertPath certPath() { 117 return certPath; 118 } 119 // called by CertPathBuilder after path has been built setCertPath(CertPath cp)120 void setCertPath(CertPath cp) { 121 this.certPath = cp; 122 } certificates()123 List<X509Certificate> certificates() { 124 if (certs == null) { 125 if (certPath == null) { 126 certs = Collections.emptyList(); 127 } else { 128 // Reverse the ordering for validation so that the target 129 // cert is the last certificate 130 @SuppressWarnings("unchecked") 131 List<X509Certificate> xc = new ArrayList<> 132 ((List<X509Certificate>)certPath.getCertificates()); 133 Collections.reverse(xc); 134 certs = xc; 135 } 136 } 137 return certs; 138 } certPathCheckers()139 List<PKIXCertPathChecker> certPathCheckers() { 140 if (checkers == null) 141 checkers = params.getCertPathCheckers(); 142 return checkers; 143 } certStores()144 List<CertStore> certStores() { 145 if (stores == null) 146 stores = params.getCertStores(); 147 return stores; 148 } date()149 Date date() { 150 if (!gotDate) { 151 date = params.getDate(); 152 if (date == null) 153 date = new Date(); 154 gotDate = true; 155 } 156 return date; 157 } initialPolicies()158 Set<String> initialPolicies() { 159 if (policies == null) 160 policies = params.getInitialPolicies(); 161 return policies; 162 } targetCertConstraints()163 CertSelector targetCertConstraints() { 164 if (!gotConstraints) { 165 constraints = params.getTargetCertConstraints(); 166 gotConstraints = true; 167 } 168 return constraints; 169 } trustAnchors()170 Set<TrustAnchor> trustAnchors() { 171 return anchors; 172 } revocationEnabled()173 boolean revocationEnabled() { 174 return params.isRevocationEnabled(); 175 } policyMappingInhibited()176 boolean policyMappingInhibited() { 177 return params.isPolicyMappingInhibited(); 178 } explicitPolicyRequired()179 boolean explicitPolicyRequired() { 180 return params.isExplicitPolicyRequired(); 181 } policyQualifiersRejected()182 boolean policyQualifiersRejected() { 183 return params.getPolicyQualifiersRejected(); 184 } sigProvider()185 String sigProvider() { return params.getSigProvider(); } anyPolicyInhibited()186 boolean anyPolicyInhibited() { return params.isAnyPolicyInhibited(); } 187 188 // in rare cases we need access to the original params, for example 189 // in order to clone CertPathCheckers before building a new chain getPKIXParameters()190 PKIXParameters getPKIXParameters() { 191 return params; 192 } 193 } 194 195 static class BuilderParams extends ValidatorParams { 196 private PKIXBuilderParameters params; 197 private boolean buildForward = true; 198 private List<CertStore> stores; 199 private X500Principal targetSubject; 200 BuilderParams(PKIXBuilderParameters params)201 BuilderParams(PKIXBuilderParameters params) 202 throws InvalidAlgorithmParameterException 203 { 204 super(params); 205 checkParams(params); 206 } checkParams(PKIXBuilderParameters params)207 private void checkParams(PKIXBuilderParameters params) 208 throws InvalidAlgorithmParameterException 209 { 210 CertSelector sel = targetCertConstraints(); 211 if (!(sel instanceof X509CertSelector)) { 212 throw new InvalidAlgorithmParameterException("the " 213 + "targetCertConstraints parameter must be an " 214 + "X509CertSelector"); 215 } 216 if (params instanceof SunCertPathBuilderParameters) { 217 buildForward = 218 ((SunCertPathBuilderParameters)params).getBuildForward(); 219 } 220 this.params = params; 221 this.targetSubject = getTargetSubject( 222 certStores(), (X509CertSelector)targetCertConstraints()); 223 } certStores()224 @Override List<CertStore> certStores() { 225 if (stores == null) { 226 // reorder CertStores so that local CertStores are tried first 227 stores = new ArrayList<>(params.getCertStores()); 228 Collections.sort(stores, new CertStoreComparator()); 229 } 230 return stores; 231 } maxPathLength()232 int maxPathLength() { return params.getMaxPathLength(); } buildForward()233 boolean buildForward() { return buildForward; } params()234 PKIXBuilderParameters params() { return params; } targetSubject()235 X500Principal targetSubject() { return targetSubject; } 236 237 /** 238 * Returns the target subject DN from the first X509Certificate that 239 * is fetched that matches the specified X509CertSelector. 240 */ getTargetSubject(List<CertStore> stores, X509CertSelector sel)241 private static X500Principal getTargetSubject(List<CertStore> stores, 242 X509CertSelector sel) 243 throws InvalidAlgorithmParameterException 244 { 245 X500Principal subject = sel.getSubject(); 246 if (subject != null) { 247 return subject; 248 } 249 X509Certificate cert = sel.getCertificate(); 250 if (cert != null) { 251 subject = cert.getSubjectX500Principal(); 252 } 253 if (subject != null) { 254 return subject; 255 } 256 for (CertStore store : stores) { 257 try { 258 Collection<? extends Certificate> certs = 259 (Collection<? extends Certificate>) 260 store.getCertificates(sel); 261 if (!certs.isEmpty()) { 262 X509Certificate xc = 263 (X509Certificate)certs.iterator().next(); 264 return xc.getSubjectX500Principal(); 265 } 266 } catch (CertStoreException e) { 267 // ignore but log it 268 if (debug != null) { 269 debug.println("BuilderParams.getTargetSubjectDN: " + 270 "non-fatal exception retrieving certs: " + e); 271 e.printStackTrace(); 272 } 273 } 274 } 275 throw new InvalidAlgorithmParameterException 276 ("Could not determine unique target subject"); 277 } 278 } 279 280 /** 281 * A CertStoreException with additional information about the type of 282 * CertStore that generated the exception. 283 */ 284 static class CertStoreTypeException extends CertStoreException { 285 private static final long serialVersionUID = 7463352639238322556L; 286 287 private final String type; 288 CertStoreTypeException(String type, CertStoreException cse)289 CertStoreTypeException(String type, CertStoreException cse) { 290 super(cse.getMessage(), cse.getCause()); 291 this.type = type; 292 } getType()293 String getType() { 294 return type; 295 } 296 } 297 298 /** 299 * Comparator that orders CertStores so that local CertStores come before 300 * remote CertStores. 301 */ 302 private static class CertStoreComparator implements Comparator<CertStore> { 303 @Override compare(CertStore store1, CertStore store2)304 public int compare(CertStore store1, CertStore store2) { 305 if (store1.getType().equals("Collection") || 306 store1.getCertStoreParameters() instanceof 307 CollectionCertStoreParameters) { 308 return -1; 309 } else { 310 return 1; 311 } 312 } 313 } 314 } 315