/*
* Copyright (c) 2020, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.util;
import java.security.CodeSigner;
import java.security.Key;
import java.security.Timestamp;
import java.security.cert.CertPath;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import sun.security.util.AnchorCertificates;
import sun.security.util.ConstraintsParameters;
import sun.security.validator.Validator;
/**
* This class contains parameters for checking signed JARs against
* constraints specified in the jdk.jar.disabledAlgorithms security
* property.
*/
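public class JarConstraintsParameters implements ConstraintsParameters {

    // true if chain is anchored by a JDK root CA; only meaningful once
    // anchorIsJdkCASet is true (computed lazily by anchorIsJdkCA())
    private boolean anchorIsJdkCA;
    // true once anchorIsJdkCA has been computed and cached
    private boolean anchorIsJdkCASet;
    // The timestamp of the signed JAR file, if timestamped. Null when the
    // JAR is not timestamped or when at least one signer has no timestamp.
    private final Date timestamp;
    // The keys of the signers and TSA
    private final Set<Key> keys;
    // The certs in the signers and TSA chain that are issued by the trust anchor
    private final Set<X509Certificate> certsIssuedByAnchor;
    // The extended exception message; null until setExtendedExceptionMsg is called
    private String message;

    /**
     * Create a JarConstraintsParameters.
     *
     * The signer key and anchor-issued certificate of every signer, and of
     * the TSA that timestamped it (if any), are collected. The date used
     * for constraint checks is the latest signer timestamp; if any signer
     * has no timestamp the date is null and the JAR is treated as if it
     * were not timestamped at all.
     *
     * @param signers the CodeSigners that signed the JAR
     * @throws NullPointerException if {@code signers} is null
     */
    public JarConstraintsParameters(CodeSigner[] signers) {
        this.keys = new HashSet<>();
        this.certsIssuedByAnchor = new HashSet<>();
        Date latestTimestamp = null;
        boolean skipTimestamp = false;

        // Iterate over the signers and extract the keys, the latest
        // timestamp, and the last certificate of each chain which can be
        // used for checking if the signer's certificate chains back to a
        // JDK root CA
        for (CodeSigner signer : signers) {
            addToCertsAndKeys(signer.getSignerCertPath());
            // local is named to avoid shadowing the timestamp field
            Timestamp signerTimestamp = signer.getTimestamp();
            if (signerTimestamp == null) {
                // one of the signers doesn't have a timestamp, so the JAR
                // is treated as if it isn't timestamped: later signers'
                // TSA keys and certs are still collected, but their dates
                // no longer contribute
                latestTimestamp = null;
                skipTimestamp = true;
            } else {
                // add the key and last cert of TSA too
                addToCertsAndKeys(signerTimestamp.getSignerCertPath());
                if (!skipTimestamp) {
                    Date timestampDate = signerTimestamp.getTimestamp();
                    // keep the most recent timestamp seen so far
                    if (latestTimestamp == null
                            || latestTimestamp.before(timestampDate)) {
                        latestTimestamp = timestampDate;
                    }
                }
            }
        }
        this.timestamp = latestTimestamp;
    }

    /**
     * Create a JarConstraintsParameters from a single certificate chain
     * and an optional timestamp.
     *
     * @param chain the signer's certificate chain, signer certificate
     *        first and anchor-issued certificate last; may be empty
     * @param timestamp the timestamp of the signature, or null if the
     *        signature is not timestamped
     */
    public JarConstraintsParameters(List<X509Certificate> chain, Timestamp timestamp) {
        this.keys = new HashSet<>();
        this.certsIssuedByAnchor = new HashSet<>();
        addToCertsAndKeys(chain);
        if (timestamp == null) {
            this.timestamp = null;
        } else {
            // add the key and last cert of TSA too
            addToCertsAndKeys(timestamp.getSignerCertPath());
            this.timestamp = timestamp.getTimestamp();
        }
    }

    // extract last certificate and signer's public key from chain.
    // The unchecked cast assumes an X.509 CertPath; an element that is not
    // an X509Certificate would surface as a ClassCastException when accessed.
    private void addToCertsAndKeys(CertPath cp) {
        @SuppressWarnings("unchecked")
        List<X509Certificate> chain =
            (List<X509Certificate>)cp.getCertificates();
        addToCertsAndKeys(chain);
    }

    // record the last cert (the one issued by the trust anchor) and the
    // first cert's public key (the signer's or TSA's key). An empty chain
    // contributes nothing.
    private void addToCertsAndKeys(List<X509Certificate> chain) {
        if (chain.isEmpty()) {
            return;
        }
        this.certsIssuedByAnchor.add(chain.get(chain.size() - 1));
        this.keys.add(chain.get(0).getPublicKey());
    }

    /**
     * Returns the validator variant these parameters apply to.
     *
     * @return always {@code Validator.VAR_GENERIC}
     */
    @Override
    public String getVariant() {
        return Validator.VAR_GENERIC;
    }

    /**
     * Since loading the cacerts keystore can be an expensive operation,
     * this is only performed if this method is called during a "jdkCA"
     * constraints check of a disabled algorithm, and the result is cached.
     * The method is not synchronized: concurrent first calls may each run
     * the loop, over a set that is only populated by the constructors.
     *
     * @return true if at least one of the certificates are issued by a
     * JDK root CA
     */
    @Override
    public boolean anchorIsJdkCA() {
        if (!anchorIsJdkCASet) {
            for (X509Certificate cert : certsIssuedByAnchor) {
                if (AnchorCertificates.issuerOf(cert)) {
                    anchorIsJdkCA = true;
                    break;
                }
            }
            anchorIsJdkCASet = true;
        }
        return anchorIsJdkCA;
    }

    /**
     * Returns the timestamp of the signed JAR, or null if it is not
     * timestamped (or if any signer lacks a timestamp).
     *
     * @return a copy of the timestamp, or null
     */
    @Override
    public Date getDate() {
        // Date is mutable: hand out a copy so callers cannot alter the
        // value that constraint checks rely on
        return timestamp == null ? null : new Date(timestamp.getTime());
    }

    /**
     * Returns the public keys of the signers and TSAs.
     *
     * @return an unmodifiable view of the keys; empty if no chain had
     * any certificate
     */
    @Override
    public Set<Key> getKeys() {
        // read-only view: the set is internal state populated by the
        // constructors and must not be modified by callers
        return Collections.unmodifiableSet(keys);
    }

    /**
     * Sets the extended error message. Note: this should be used
     * carefully as it is specific to the attribute/entry/file being checked.
     * The resulting message has the form
     * {@code " used[ with <target>] in <file> file."}.
     *
     * @param file the name of the signature related file being verified
     * @param target the attribute containing the algorithm that is being
     * checked, or null to omit the " with ..." part
     */
    public void setExtendedExceptionMsg(String file, String target) {
        String withTarget = target != null ? " with " + target : "";
        message = " used" + withTarget + " in " + file + " file.";
    }

    /**
     * Returns the extended error message.
     *
     * @return the message set by setExtendedExceptionMsg, or null if it
     * was never set
     */
    @Override
    public String extendedExceptionMsg() {
        return message;
    }

    /**
     * Returns a multi-line description of the variant, anchor-issued
     * certificates (issuer and subject), key algorithms and timestamp.
     */
    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder("[\n");
        sb.append(" Variant: ").append(getVariant());
        sb.append("\n Certs Issued by Anchor:");
        for (X509Certificate cert : certsIssuedByAnchor) {
            sb.append("\n Cert Issuer: ")
                .append(cert.getIssuerX500Principal());
            sb.append("\n Cert Subject: ")
                .append(cert.getSubjectX500Principal());
        }
        for (Key key : keys) {
            // only the algorithm name is printed, never key material
            sb.append("\n Key: ").append(key.getAlgorithm());
        }
        if (timestamp != null) {
            sb.append("\n Timestamp: ").append(timestamp);
        }
        sb.append("\n]");
        return sb.toString();
    }
}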