Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
PojavLauncherTeam
GitHub Repository: PojavLauncherTeam/openjdk-multiarch-jdk8u
 Path: blob/aarch64-shenandoah-jdk8u272-b10/jdk/src/share/classes/sun/security/validator/SymantecTLSPolicy.java
38831 views
1
/*

2
 * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.

3
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.

4
 *

5
 * This code is free software; you can redistribute it and/or modify it

6
 * under the terms of the GNU General Public License version 2 only, as

7
 * published by the Free Software Foundation.  Oracle designates this

8
 * particular file as subject to the "Classpath" exception as provided

9
 * by Oracle in the LICENSE file that accompanied this code.

10
 *

11
 * This code is distributed in the hope that it will be useful, but WITHOUT

12
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or

13
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License

14
 * version 2 for more details (a copy is included in the LICENSE file that

15
 * accompanied this code).

16
 *

17
 * You should have received a copy of the GNU General Public License version

18
 * 2 along with this work; if not, write to the Free Software Foundation,

19
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.

20
 *

21
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA

22
 * or visit www.oracle.com if you need additional information or have any

23
 * questions.

24
 */

25
package sun.security.validator;

26


27
import java.security.cert.X509Certificate;

28
import java.time.LocalDate;

29
import java.time.Month;

30
import java.time.ZoneOffset;

31
import java.util.Arrays;

32
import java.util.Date;

33
import java.util.HashMap;

34
import java.util.HashSet;

35
import java.util.Map;

36
import java.util.Set;

37


38
import sun.security.x509.X509CertImpl;

39


40
/**

41
 * This class checks if Symantec issued TLS Server certificates should be

42
 * restricted.

43
 */

44
final class SymantecTLSPolicy {

45
    private static final LocalDate DECEMBER_31_2019 =

46
        LocalDate.of(2019, Month.DECEMBER, 31);

47
    // SHA-256 certificate fingerprints of subCAs with later distrust dates

48
    private static final Map<String, LocalDate> EXEMPT_SUBCAS = new HashMap();

49
    static {

50
        // Subject DN: C=US, O=Apple Inc., OU=Certification Authority,

51
        //             CN=Apple IST CA 2 - G1

52
        // Issuer DN: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US

53
        EXEMPT_SUBCAS.put("AC2B922ECFD5E01711772FEA8ED372DE9D1E2245FCE3F57A9CDBEC77296A424B",

54
                          DECEMBER_31_2019);

55


56


57
        // Subject DN: C=US, O=Apple Inc., OU=Certification Authority,

58
        //             CN=Apple IST CA 8 - G1

59
        // Issuer DN: CN=GeoTrust Primary Certification Authority - G2,

60
        //            OU=(c) 2007 GeoTrust Inc. - For authorized use only,

61
        //            O=GeoTrust Inc., C=US

62
        EXEMPT_SUBCAS.put("A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED",

63
                          DECEMBER_31_2019);

64
    }

65


66
    // SHA-256 certificate fingerprints of distrusted roots

67
    private static final Set<String> FINGERPRINTS = new HashSet<>(Arrays.asList(

68
        // cacerts alias: geotrustglobalca

69
        // DN: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US

70
        "FF856A2D251DCD88D36656F450126798CFABAADE40799C722DE4D2B5DB36A73A",

71
        // cacerts alias: geotrustprimaryca

72
        // DN: CN=GeoTrust Primary Certification Authority,

73
        //     O=GeoTrust Inc., C=US

74
        "37D51006C512EAAB626421F1EC8C92013FC5F82AE98EE533EB4619B8DEB4D06C",

75
        // cacerts alias: geotrustprimarycag2

76
        // DN: CN=GeoTrust Primary Certification Authority - G2,

77
        //     OU=(c) 2007 GeoTrust Inc. - For authorized use only,

78
        //     O=GeoTrust Inc., C=US

79
        "5EDB7AC43B82A06A8761E8D7BE4979EBF2611F7DD79BF91C1C6B566A219ED766",

80
        // cacerts alias: geotrustprimarycag3

81
        // DN: CN=GeoTrust Primary Certification Authority - G3,

82
        //     OU=(c) 2008 GeoTrust Inc. - For authorized use only,

83
        //     O=GeoTrust Inc., C=US

84
        "B478B812250DF878635C2AA7EC7D155EAA625EE82916E2CD294361886CD1FBD4",

85
        // cacerts alias: geotrustuniversalca

86
        // DN: CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US

87
        "A0459B9F63B22559F5FA5D4C6DB3F9F72FF19342033578F073BF1D1B46CBB912",

88
        // cacerts alias: thawteprimaryrootca

89
        // DN: CN=thawte Primary Root CA,

90
        //     OU="(c) 2006 thawte, Inc. - For authorized use only",

91
        //     OU=Certification Services Division, O="thawte, Inc.", C=US

92
        "8D722F81A9C113C0791DF136A2966DB26C950A971DB46B4199F4EA54B78BFB9F",

93
        // cacerts alias: thawteprimaryrootcag2

94
        // DN: CN=thawte Primary Root CA - G2,

95
        //     OU="(c) 2007 thawte, Inc. - For authorized use only",

96
        //     O="thawte, Inc.", C=US

97
        "A4310D50AF18A6447190372A86AFAF8B951FFB431D837F1E5688B45971ED1557",

98
        // cacerts alias: thawteprimaryrootcag3

99
        // DN: CN=thawte Primary Root CA - G3,

100
        //     OU="(c) 2008 thawte, Inc. - For authorized use only",

101
        //     OU=Certification Services Division, O="thawte, Inc.", C=US

102
        "4B03F45807AD70F21BFC2CAE71C9FDE4604C064CF5FFB686BAE5DBAAD7FDD34C",

103
        // cacerts alias: thawtepremiumserverca

104
        // DN: [email protected],

105
        //     CN=Thawte Premium Server CA, OU=Certification Services Division,

106
        //     O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA

107
        "3F9F27D583204B9E09C8A3D2066C4B57D3A2479C3693650880505698105DBCE9",

108
        // cacerts alias: verisignclass2g2ca

109
        // DN: OU=VeriSign Trust Network,

110
        //     OU="(c) 1998 VeriSign, Inc. - For authorized use only",

111
        //     OU=Class 2 Public Primary Certification Authority - G2,

112
        //     O="VeriSign, Inc.", C=US

113
        "3A43E220FE7F3EA9653D1E21742EAC2B75C20FD8980305BC502CAF8C2D9B41A1",

114
        // cacerts alias: verisignclass3ca

115
        // DN: OU=Class 3 Public Primary Certification Authority,

116
        //     O="VeriSign, Inc.", C=US

117
        "A4B6B3996FC2F306B3FD8681BD63413D8C5009CC4FA329C2CCF0E2FA1B140305",

118
        // cacerts alias: verisignclass3g2ca

119
        // DN: OU=VeriSign Trust Network,

120
        //     OU="(c) 1998 VeriSign, Inc. - For authorized use only",

121
        //     OU=Class 3 Public Primary Certification Authority - G2,

122
        //     O="VeriSign, Inc.", C=US

123
        "83CE3C1229688A593D485F81973C0F9195431EDA37CC5E36430E79C7A888638B",

124
        // cacerts alias: verisignclass3g3ca

125
        // DN: CN=VeriSign Class 3 Public Primary Certification Authority - G3,

126
        //     OU="(c) 1999 VeriSign, Inc. - For authorized use only",

127
        //     OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

128
        "EB04CF5EB1F39AFA762F2BB120F296CBA520C1B97DB1589565B81CB9A17B7244",

129
        // cacerts alias: verisignclass3g4ca

130
        // DN: CN=VeriSign Class 3 Public Primary Certification Authority - G4,

131
        //     OU="(c) 2007 VeriSign, Inc. - For authorized use only",

132
        //     OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

133
        "69DDD7EA90BB57C93E135DC85EA6FCD5480B603239BDC454FC758B2A26CF7F79",

134
        // cacerts alias: verisignclass3g5ca

135
        // DN: CN=VeriSign Class 3 Public Primary Certification Authority - G5,

136
        //     OU="(c) 2006 VeriSign, Inc. - For authorized use only",

137
        //     OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

138
        "9ACFAB7E43C8D880D06B262A94DEEEE4B4659989C3D0CAF19BAF6405E41AB7DF",

139
        // cacerts alias: verisignuniversalrootca

140
        // DN: CN=VeriSign Universal Root Certification Authority,

141
        //     OU="(c) 2008 VeriSign, Inc. - For authorized use only",

142
        //     OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US

143
        "2399561127A57125DE8CEFEA610DDF2FA078B5C8067F4E828290BFB860E84B3C"

144
    ));

145


146
    // Any TLS Server certificate that is anchored by one of the Symantec

147
    // roots above and is issued after this date will be distrusted.

148
    private static final LocalDate APRIL_16_2019 =

149
        LocalDate.of(2019, Month.APRIL, 16);

150


151
    /**

152
     * This method assumes the eeCert is a TLS Server Cert and chains back to

153
     * the anchor.

154
     *

155
     * @param chain the end-entity's certificate chain. The end entity cert

156
     *              is at index 0, the trust anchor at index n-1.

157
     * @throws ValidatorException if the certificate is distrusted

158
     */

159
    static void checkDistrust(X509Certificate[] chain)

160
                              throws ValidatorException {

161
        X509Certificate anchor = chain[chain.length-1];

162
        if (FINGERPRINTS.contains(fingerprint(anchor))) {

163
            Date notBefore = chain[0].getNotBefore();

164
            LocalDate ldNotBefore = notBefore.toInstant().atZone(ZoneOffset.UTC).toLocalDate();

165


166
            // check if chain goes through one of the subCAs

167
            if (chain.length > 2) {

168
                X509Certificate subCA = chain[chain.length - 2];

169
                LocalDate distrustDate = EXEMPT_SUBCAS.get(fingerprint(subCA));

170
                if (distrustDate != null) {

171
                    // reject if certificate is issued after specified date

172
                    checkNotBefore(ldNotBefore, distrustDate, anchor);

173
                    return; // success

174
                }

175
            }

176
            // reject if certificate is issued after April 16, 2019

177
            checkNotBefore(ldNotBefore, APRIL_16_2019, anchor);

178
        }

179
    }

180


181
    private static String fingerprint(X509Certificate cert) {

182
        return (cert instanceof X509CertImpl)

183
               ? ((X509CertImpl)cert).getFingerprint("SHA-256")

184
               : X509CertImpl.getFingerprint("SHA-256", cert);

185
    }

186


187
    private static void checkNotBefore(LocalDate notBeforeDate,

188
            LocalDate distrustDate, X509Certificate anchor)

189
            throws ValidatorException {

190
        if (notBeforeDate.isAfter(distrustDate)) {

191
            throw new ValidatorException

192
                    ("TLS Server certificate issued after " + distrustDate +

193
                     " and anchored by a distrusted legacy Symantec root CA: "

194
                     + anchor.getSubjectX500Principal(),

195
                     ValidatorException.T_UNTRUSTED_CERT, anchor);

196
        }

197
    }

198
    private SymantecTLSPolicy() {}

199
}

200


201