Path: blob/aarch64-shenandoah-jdk8u272-b10/jdk/src/share/classes/sun/security/validator/CADistrustPolicy.java
38831 views
/*1* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.2* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.3*4* This code is free software; you can redistribute it and/or modify it5* under the terms of the GNU General Public License version 2 only, as6* published by the Free Software Foundation. Oracle designates this7* particular file as subject to the "Classpath" exception as provided8* by Oracle in the LICENSE file that accompanied this code.9*10* This code is distributed in the hope that it will be useful, but WITHOUT11* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or12* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License13* version 2 for more details (a copy is included in the LICENSE file that14* accompanied this code).15*16* You should have received a copy of the GNU General Public License version17* 2 along with this work; if not, write to the Free Software Foundation,18* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.19*20* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA21* or visit www.oracle.com if you need additional information or have any22* questions.23*/24package sun.security.validator;2526import java.security.AccessController;27import java.security.PrivilegedAction;28import java.security.Security;29import java.security.cert.X509Certificate;30import java.util.EnumSet;3132import sun.security.util.Debug;3334/**35* Policies for distrusting a certificate authority (CA). See the36* jdk.security.caDistrustPolicies security property for more information.37*/38enum CADistrustPolicy {39/**40* Distrust TLS Server certificates anchored by a Symantec root CA and41* issued after April 16, 2019 (with exceptions for a couple of subordinate42* CAs, see the jdk.security.caDistrustPolicies definition in the43* java.security file for more details). If enabled, this policy is44* currently enforced by the PKIX and SunX509 TrustManager implementations45* of the SunJSSE provider implementation.46*/47SYMANTEC_TLS {48void checkDistrust(String variant, X509Certificate[] chain)49throws ValidatorException {50if (!variant.equals(Validator.VAR_TLS_SERVER)) {51return;52}53SymantecTLSPolicy.checkDistrust(chain);54}55};5657/**58* Checks if the end-entity certificate is distrusted.59*60* @param variant the type of certificate being checked61* @param chain the end-entity's certificate chain. The end entity cert62* is at index 0, the trust anchor at index n-1.63* @throws ValidatorException if the end-entity certificate is distrusted64*/65abstract void checkDistrust(String variant,66X509Certificate[] chain)67throws ValidatorException;6869// The policies set in the jdk.security.caDistrustPolicies property.70static final EnumSet<CADistrustPolicy> POLICIES = parseProperty();71private static EnumSet<CADistrustPolicy> parseProperty() {72String property = AccessController.doPrivileged(73new PrivilegedAction<String>() {74@Override75public String run() {76return Security.getProperty(77"jdk.security.caDistrustPolicies");78}79});80EnumSet<CADistrustPolicy> set = EnumSet.noneOf(CADistrustPolicy.class);81// if property is null or empty, the restrictions are not enforced82if (property == null || property.isEmpty()) {83return set;84}85String[] policies = property.split(",");86for (String policy : policies) {87policy = policy.trim();88try {89CADistrustPolicy caPolicy =90Enum.valueOf(CADistrustPolicy.class, policy);91set.add(caPolicy);92} catch (IllegalArgumentException iae) {93// ignore unknown values but log it94Debug debug = Debug.getInstance("certpath");95if (debug != null) {96debug.println("Unknown value for the " +97"jdk.security.caDistrustPolicies property: "98+ policy);99}100}101}102return set;103}104}105106107