Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
PojavLauncherTeam
GitHub Repository: PojavLauncherTeam/jdk17u
 Path: blob/master/src/java.base/share/classes/sun/security/provider/certpath/PKIX.java
67848 views
1
/*

2
 * Copyright (c) 2012, 2020, Oracle and/or its affiliates. All rights reserved.

3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

4
 *

5
 * This code is free software; you can redistribute it and/or modify it

6
 * under the terms of the GNU General Public License version 2 only, as

7
 * published by the Free Software Foundation.  Oracle designates this

8
 * particular file as subject to the "Classpath" exception as provided

9
 * by Oracle in the LICENSE file that accompanied this code.

10
 *

11
 * This code is distributed in the hope that it will be useful, but WITHOUT

12
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

13
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

14
 * version 2 for more details (a copy is included in the LICENSE file that

15
 * accompanied this code).

16
 *

17
 * You should have received a copy of the GNU General Public License version

18
 * 2 along with this work; if not, write to the Free Software Foundation,

19
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

20
 *

21
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

22
 * or visit www.oracle.com if you need additional information or have any

23
 * questions.

24
 */

25
package sun.security.provider.certpath;

26


27
import java.security.InvalidAlgorithmParameterException;

28
import java.security.PublicKey;

29
import java.security.Timestamp;

30
import java.security.cert.*;

31
import java.security.interfaces.DSAPublicKey;

32
import java.util.*;

33
import javax.security.auth.x500.X500Principal;

34


35
import sun.security.util.Debug;

36
import sun.security.validator.Validator;

37


38
/**

39
 * Common utility methods and classes used by the PKIX CertPathValidator and

40
 * CertPathBuilder implementation.

41
 */

42
class PKIX {

43


44
    private static final Debug debug = Debug.getInstance("certpath");

45


46
    private PKIX() { }

47


48
    static boolean isDSAPublicKeyWithoutParams(PublicKey publicKey) {

49
        return (publicKey instanceof DSAPublicKey &&

50
               ((DSAPublicKey)publicKey).getParams() == null);

51
    }

52


53
    static ValidatorParams checkParams(CertPath cp, CertPathParameters params)

54
        throws InvalidAlgorithmParameterException

55
    {

56
        if (!(params instanceof PKIXParameters)) {

57
            throw new InvalidAlgorithmParameterException("inappropriate "

58
                + "params, must be an instance of PKIXParameters");

59
        }

60
        return new ValidatorParams(cp, (PKIXParameters)params);

61
    }

62


63
    static BuilderParams checkBuilderParams(CertPathParameters params)

64
        throws InvalidAlgorithmParameterException

65
    {

66
        if (!(params instanceof PKIXBuilderParameters)) {

67
            throw new InvalidAlgorithmParameterException("inappropriate "

68
                + "params, must be an instance of PKIXBuilderParameters");

69
        }

70
        return new BuilderParams((PKIXBuilderParameters)params);

71
    }

72


73
    /**

74
     * PKIXParameters that are shared by the PKIX CertPathValidator

75
     * implementation. Provides additional functionality and avoids

76
     * unnecessary cloning.

77
     */

78
    static class ValidatorParams {

79
        private final PKIXParameters params;

80
        private CertPath certPath;

81
        private List<PKIXCertPathChecker> checkers;

82
        private List<CertStore> stores;

83
        private boolean gotDate;

84
        private Date date;

85
        private Set<String> policies;

86
        private boolean gotConstraints;

87
        private CertSelector constraints;

88
        private Set<TrustAnchor> anchors;

89
        private List<X509Certificate> certs;

90
        private Timestamp timestamp;

91
        private Date timestampDate;

92
        private String variant = Validator.VAR_GENERIC;

93


94
        ValidatorParams(CertPath cp, PKIXParameters params)

95
            throws InvalidAlgorithmParameterException

96
        {

97
            this(params);

98
            if (!cp.getType().equals("X.509") && !cp.getType().equals("X509")) {

99
                throw new InvalidAlgorithmParameterException("inappropriate "

100
                    + "CertPath type specified, must be X.509 or X509");

101
            }

102
            this.certPath = cp;

103
        }

104


105
        ValidatorParams(PKIXParameters params)

106
            throws InvalidAlgorithmParameterException

107
        {

108
            if (params instanceof PKIXExtendedParameters) {

109
                timestamp = ((PKIXExtendedParameters) params).getTimestamp();

110
                variant = ((PKIXExtendedParameters) params).getVariant();

111
            }

112


113
            this.anchors = params.getTrustAnchors();

114
            // Make sure that none of the trust anchors include name constraints

115
            // (not supported).

116
            for (TrustAnchor anchor : this.anchors) {

117
                if (anchor.getNameConstraints() != null) {

118
                    throw new InvalidAlgorithmParameterException

119
                        ("name constraints in trust anchor not supported");

120
                }

121
            }

122
            this.params = params;

123
        }

124


125
        CertPath certPath() {

126
            return certPath;

127
        }

128
        // called by CertPathBuilder after path has been built

129
        void setCertPath(CertPath cp) {

130
            this.certPath = cp;

131
        }

132
        List<X509Certificate> certificates() {

133
            if (certs == null) {

134
                if (certPath == null) {

135
                    certs = Collections.emptyList();

136
                } else {

137
                    // Reverse the ordering for validation so that the target

138
                    // cert is the last certificate

139
                    @SuppressWarnings("unchecked")

140
                    List<X509Certificate> xc = new ArrayList<>

141
                        ((List<X509Certificate>)certPath.getCertificates());

142
                    Collections.reverse(xc);

143
                    certs = xc;

144
                }

145
            }

146
            return certs;

147
        }

148
        List<PKIXCertPathChecker> certPathCheckers() {

149
            if (checkers == null)

150
                checkers = params.getCertPathCheckers();

151
            return checkers;

152
        }

153
        List<CertStore> certStores() {

154
            if (stores == null)

155
                stores = params.getCertStores();

156
            return stores;

157
        }

158
        // The date() param is used when enforcing the validity period

159
        // of certificates and when checking the time period of revocation data.

160
        // The main difference between the date() and timestamp() method is

161
        // that the date() method only uses the timestamp (if specified)

162
        // for certificates in a code signer's chain.

163
        Date date() {

164
            if (!gotDate) {

165
                // Use timestamp if checking signed code that is

166
                // timestamped, otherwise use date parameter.

167
                // Note that TSA server certificates do not use the

168
                // timestamp, which means that an expired TSA certificate

169
                // is considered a validation failure. This policy means

170
                // that signed and timestamped code is valid until the TSA

171
                // certificate expires (assuming all other checks are valid).

172
                if (timestamp != null &&

173
                    (variant.equals(Validator.VAR_CODE_SIGNING) ||

174
                     variant.equals(Validator.VAR_PLUGIN_CODE_SIGNING))) {

175
                    date = timestamp.getTimestamp();

176
                } else {

177
                    date = params.getDate();

178
                    if (date == null)

179
                        date = new Date();

180
                }

181
                gotDate = true;

182
            }

183
            return date;

184
        }

185
        Set<String> initialPolicies() {

186
            if (policies == null)

187
                policies = params.getInitialPolicies();

188
            return policies;

189
        }

190
        CertSelector targetCertConstraints() {

191
            if (!gotConstraints) {

192
                constraints = params.getTargetCertConstraints();

193
                gotConstraints = true;

194
            }

195
            return constraints;

196
        }

197
        Set<TrustAnchor> trustAnchors() {

198
            return anchors;

199
        }

200
        boolean revocationEnabled() {

201
            return params.isRevocationEnabled();

202
        }

203
        boolean policyMappingInhibited() {

204
            return params.isPolicyMappingInhibited();

205
        }

206
        boolean explicitPolicyRequired() {

207
            return params.isExplicitPolicyRequired();

208
        }

209
        boolean policyQualifiersRejected() {

210
            return params.getPolicyQualifiersRejected();

211
        }

212
        String sigProvider() { return params.getSigProvider(); }

213
        boolean anyPolicyInhibited() { return params.isAnyPolicyInhibited(); }

214


215
        // in rare cases we need access to the original params, for example

216
        // in order to clone CertPathCheckers before building a new chain

217
        PKIXParameters getPKIXParameters() {

218
            return params;

219
        }

220


221
        String variant() {

222
            return variant;

223
        }

224
        // The timestamp() param is passed as the date param when creating an

225
        // AlgorithmChecker. An AlgorithmChecker always uses the timestamp

226
        // if specified in order to enforce the denyAfter constraint.

227
        Date timestamp() {

228
            // return timestamp date if set, otherwise use date parameter

229
            if (timestampDate == null) {

230
                timestampDate = (timestamp != null)

231
                    ? timestamp.getTimestamp() : date();

232
            }

233
            return timestampDate;

234
        }

235
    }

236


237
    static class BuilderParams extends ValidatorParams {

238
        private PKIXBuilderParameters params;

239
        private List<CertStore> stores;

240
        private X500Principal targetSubject;

241


242
        BuilderParams(PKIXBuilderParameters params)

243
            throws InvalidAlgorithmParameterException

244
        {

245
            super(params);

246
            checkParams(params);

247
        }

248
        private void checkParams(PKIXBuilderParameters params)

249
            throws InvalidAlgorithmParameterException

250
        {

251
            CertSelector sel = targetCertConstraints();

252
            if (!(sel instanceof X509CertSelector)) {

253
                throw new InvalidAlgorithmParameterException("the "

254
                    + "targetCertConstraints parameter must be an "

255
                    + "X509CertSelector");

256
            }

257
            this.params = params;

258
            this.targetSubject = getTargetSubject(

259
                certStores(), (X509CertSelector)targetCertConstraints());

260
        }

261
        @Override List<CertStore> certStores() {

262
            if (stores == null) {

263
                // reorder CertStores so that local CertStores are tried first

264
                stores = new ArrayList<>(params.getCertStores());

265
                Collections.sort(stores, new CertStoreComparator());

266
            }

267
            return stores;

268
        }

269
        int maxPathLength() { return params.getMaxPathLength(); }

270
        PKIXBuilderParameters params() { return params; }

271
        X500Principal targetSubject() { return targetSubject; }

272


273
        /**

274
         * Returns the target subject DN from the first X509Certificate that

275
         * is fetched that matches the specified X509CertSelector.

276
         */

277
        private static X500Principal getTargetSubject(List<CertStore> stores,

278
                                                      X509CertSelector sel)

279
            throws InvalidAlgorithmParameterException

280
        {

281
            X500Principal subject = sel.getSubject();

282
            if (subject != null) {

283
                return subject;

284
            }

285
            X509Certificate cert = sel.getCertificate();

286
            if (cert != null) {

287
                subject = cert.getSubjectX500Principal();

288
            }

289
            if (subject != null) {

290
                return subject;

291
            }

292
            for (CertStore store : stores) {

293
                try {

294
                    Collection<? extends Certificate> certs =

295
                        (Collection<? extends Certificate>)

296
                            store.getCertificates(sel);

297
                    if (!certs.isEmpty()) {

298
                        X509Certificate xc =

299
                            (X509Certificate)certs.iterator().next();

300
                        return xc.getSubjectX500Principal();

301
                    }

302
                } catch (CertStoreException e) {

303
                    // ignore but log it

304
                    if (debug != null) {

305
                        debug.println("BuilderParams.getTargetSubjectDN: " +

306
                            "non-fatal exception retrieving certs: " + e);

307
                        e.printStackTrace();

308
                    }

309
                }

310
            }

311
            throw new InvalidAlgorithmParameterException

312
                ("Could not determine unique target subject");

313
        }

314
    }

315


316
    /**

317
     * A CertStoreException with additional information about the type of

318
     * CertStore that generated the exception.

319
     */

320
    static class CertStoreTypeException extends CertStoreException {

321
        @java.io.Serial

322
        private static final long serialVersionUID = 7463352639238322556L;

323


324
        private final String type;

325


326
        CertStoreTypeException(String type, CertStoreException cse) {

327
            super(cse.getMessage(), cse.getCause());

328
            this.type = type;

329
        }

330
        String getType() {

331
            return type;

332
        }

333
    }

334


335
    /**

336
     * Comparator that orders CertStores so that local CertStores come before

337
     * remote CertStores.

338
     */

339
    private static class CertStoreComparator implements Comparator<CertStore> {

340
        @Override

341
        public int compare(CertStore store1, CertStore store2) {

342
            if (store1.getType().equals("Collection") ||

343
                store1.getCertStoreParameters() instanceof

344
                CollectionCertStoreParameters) {

345
                return -1;

346
            } else {

347
                return 1;

348
            }

349
        }

350
    }

351
}

352


353