Skip to content
Permalink
Browse files
8269039: Disable SHA-1 Signed JARs
Reviewed-by: weijun
  • Loading branch information
seanjmullan committed Sep 21, 2021
1 parent 42d5d2a commit 6d91a3eb7bd1e1403cfb67f7eb8ce06d7e08e7a7
Showing 27 changed files with 452 additions and 352 deletions.
@@ -318,7 +318,8 @@
jdk.crypto.ec,
jdk.security.auth;
exports sun.security.provider.certpath to
java.naming;
java.naming,
jdk.jartool;
exports sun.security.rsa to
jdk.crypto.cryptoki;
exports sun.security.timestamp to
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2009, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2009, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -131,7 +131,7 @@ public AlgorithmChecker(AlgorithmConstraints constraints, String variant) {
* certificate
* @param constraints the algorithm constraints (or null)
* @param date the date specified by the PKIXParameters date, or the
* JAR timestamp if jar files are being validated and the
* timestamp if JAR files are being validated and the
* JAR is timestamped. May be null if no timestamp or
* PKIXParameter date is set.
* @param variant the Validator variant of the operation. A null value
@@ -160,17 +160,19 @@ public AlgorithmChecker(TrustAnchor anchor,

/**
* Create a new {@code AlgorithmChecker} with the given {@code TrustAnchor},
* {@code PKIXParameter} date, and {@code varient}
* {@code PKIXParameter} date, and {@code variant}.
*
* @param anchor the trust anchor selected to validate the target
* certificate
* @param pkixdate Date the constraints are checked against. The value is
* either the PKIXParameters date or null for the current date.
* @param date the date specified by the PKIXParameters date, or the
* timestamp if JAR files are being validated and the
* JAR is timestamped. May be null if no timestamp or
* PKIXParameter date is set.
* @param variant the Validator variant of the operation. A null value
* passed will set it to Validator.GENERIC.
*/
public AlgorithmChecker(TrustAnchor anchor, Date pkixdate, String variant) {
this(anchor, certPathDefaultConstraints, pkixdate, variant);
public AlgorithmChecker(TrustAnchor anchor, Date date, String variant) {
this(anchor, certPathDefaultConstraints, date, variant);
}

@Override
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2020, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -39,7 +39,7 @@
* constraints specified in the jdk.certpath.disabledAlgorithms security
* property.
*/
class CertPathConstraintsParameters implements ConstraintsParameters {
public class CertPathConstraintsParameters implements ConstraintsParameters {
// The public key of the certificate
private final Key key;
// The certificate's trust anchor which will be checked against the
@@ -103,7 +103,7 @@ public String extendedExceptionMsg() {
@Override
public String toString() {
StringBuilder sb = new StringBuilder("[\n");
sb.append("\n Variant: ").append(variant);
sb.append(" Variant: ").append(variant);
if (anchor != null) {
sb.append("\n Anchor: ").append(anchor);
}
@@ -88,6 +88,7 @@ static class ValidatorParams {
private Set<TrustAnchor> anchors;
private List<X509Certificate> certs;
private Timestamp timestamp;
private Date timestampDate;
private String variant = Validator.VAR_GENERIC;

ValidatorParams(CertPath cp, PKIXParameters params)
@@ -154,10 +155,20 @@ List<CertStore> certStores() {
stores = params.getCertStores();
return stores;
}
// The date() param is used when enforcing the validity period
// of certificates and when checking the time period of revocation data.
// The main difference between the date() and timestamp() method is
// that the date() method only uses the timestamp (if specified)
// for certificates in a code signer's chain.
Date date() {
if (!gotDate) {
// use timestamp if checking signed code that is
// timestamped, otherwise use date parameter
// Use timestamp if checking signed code that is
// timestamped, otherwise use date parameter.
// Note that TSA server certificates do not use the
// timestamp, which means that an expired TSA certificate
// is considered a validation failure. This policy means
// that signed and timestamped code is valid until the TSA
// certificate expires (assuming all other checks are valid).
if (timestamp != null &&
variant.equals(Validator.VAR_CODE_SIGNING)) {
date = timestamp.getTimestamp();
@@ -209,6 +220,17 @@ PKIXParameters getPKIXParameters() {
String variant() {
return variant;
}
// The timestamp() param is passed as the date param when creating an
// AlgorithmChecker. An AlgorithmChecker always uses the timestamp
// if specified in order to enforce the denyAfter constraint.
Date timestamp() {
// return timestamp date if set, otherwise use date parameter
if (timestampDate == null) {
timestampDate = (timestamp != null)
? timestamp.getTimestamp() : date();
}
return timestampDate;
}
}

static class BuilderParams extends ValidatorParams {
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -176,8 +176,8 @@ private static PKIXCertPathValidatorResult validate(TrustAnchor anchor,
List<PKIXCertPathChecker> certPathCheckers = new ArrayList<>();
// add standard checkers that we will be using
certPathCheckers.add(untrustedChecker);
certPathCheckers.add(new AlgorithmChecker(anchor, null, params.date(),
params.variant()));
certPathCheckers.add(new AlgorithmChecker(anchor, null,
params.timestamp(), params.variant()));
certPathCheckers.add(new KeyChecker(certPathLen,
params.targetCertConstraints()));
certPathCheckers.add(new ConstraintsChecker(certPathLen));
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -344,7 +344,7 @@ private void depthFirstSearchForward(X500Principal dN,

// add the algorithm checker
checkers.add(new AlgorithmChecker(builder.trustAnchor,
buildParams.date(), buildParams.variant()));
buildParams.timestamp(), buildParams.variant()));

BasicChecker basicChecker = null;
if (nextState.keyParamsNeeded()) {
@@ -39,7 +39,6 @@
import java.security.spec.MGF1ParameterSpec;
import java.security.spec.NamedParameterSpec;
import java.security.spec.PSSParameterSpec;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
@@ -688,8 +687,6 @@ public void permits(ConstraintsParameters cp)
*/
private static class DenyAfterConstraint extends Constraint {
private Date denyAfterDate;
private static final SimpleDateFormat dateFormat =
new SimpleDateFormat("EEE, MMM d HH:mm:ss z yyyy");

DenyAfterConstraint(String algo, int year, int month, int day) {
Calendar c;
@@ -723,7 +720,7 @@ private static class DenyAfterConstraint extends Constraint {
denyAfterDate = c.getTime();
if (debug != null) {
debug.println("DenyAfterConstraint date set to: " +
dateFormat.format(denyAfterDate));
denyAfterDate);
}
}

@@ -754,8 +751,8 @@ public void permits(ConstraintsParameters cp)
throw new CertPathValidatorException(
"denyAfter constraint check failed: " + algorithm +
" used with Constraint date: " +
dateFormat.format(denyAfterDate) + "; params date: " +
dateFormat.format(currentDate) + cp.extendedExceptionMsg(),
denyAfterDate + "; params date: " +
currentDate + cp.extendedExceptionMsg(),
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
}
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2020, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -50,9 +50,9 @@ public class JarConstraintsParameters implements ConstraintsParameters {
private boolean anchorIsJdkCASet;
// The timestamp of the signed JAR file, if timestamped
private Date timestamp;
// The keys of the signers
// The keys of the signers and TSA
private final Set<Key> keys;
// The certs in the signers' chains that are issued by the trust anchor
// The certs in the signers and TSA chain that are issued by the trust anchor
private final Set<X509Certificate> certsIssuedByAnchor;
// The extended exception message
private String message;
@@ -73,7 +73,7 @@ public JarConstraintsParameters(CodeSigner[] signers) {
// used for checking if the signer's certificate chains back to a
// JDK root CA
for (CodeSigner signer : signers) {
init(signer.getSignerCertPath());
addToCertsAndKeys(signer.getSignerCertPath());
Timestamp timestamp = signer.getTimestamp();
if (timestamp == null) {
// this means one of the signers doesn't have a timestamp
@@ -82,7 +82,7 @@ public JarConstraintsParameters(CodeSigner[] signers) {
skipTimestamp = true;
} else {
// add the key and last cert of TSA too
init(timestamp.getSignerCertPath());
addToCertsAndKeys(timestamp.getSignerCertPath());
if (!skipTimestamp) {
Date timestampDate = timestamp.getTimestamp();
if (latestTimestamp == null) {
@@ -98,11 +98,27 @@ public JarConstraintsParameters(CodeSigner[] signers) {
this.timestamp = latestTimestamp;
}

// extract last certificate and key from chain
private void init(CertPath cp) {
public JarConstraintsParameters(List<X509Certificate> chain, Timestamp timestamp) {
this.keys = new HashSet<>();
this.certsIssuedByAnchor = new HashSet<>();
addToCertsAndKeys(chain);
if (timestamp != null) {
addToCertsAndKeys(timestamp.getSignerCertPath());
this.timestamp = timestamp.getTimestamp();
} else {
this.timestamp = null;
}
}

// extract last certificate and signer's public key from chain
private void addToCertsAndKeys(CertPath cp) {
@SuppressWarnings("unchecked")
List<X509Certificate> chain =
(List<X509Certificate>)cp.getCertificates();
addToCertsAndKeys(chain);
}

private void addToCertsAndKeys(List<X509Certificate> chain) {
if (!chain.isEmpty()) {
this.certsIssuedByAnchor.add(chain.get(chain.size() - 1));
this.keys.add(chain.get(0).getPublicKey());
@@ -168,7 +184,7 @@ public String extendedExceptionMsg() {
@Override
public String toString() {
StringBuilder sb = new StringBuilder("[\n");
sb.append("\n Variant: ").append(getVariant());
sb.append(" Variant: ").append(getVariant());
sb.append("\n Certs Issued by Anchor:");
for (X509Certificate cert : certsIssuedByAnchor) {
sb.append("\n Cert Issuer: ")
@@ -558,7 +558,7 @@ sun.security.krb5.maxReferrals=5
# can be included in the disabledAlgorithms properties. These properties are
# to help manage common actions easier across multiple disabledAlgorithm
# properties.
# There is one defined security property: jdk.disabled.NamedCurves
# There is one defined security property: jdk.disabled.namedCurves
# See the property for more specific details.
#
#
@@ -634,7 +634,8 @@ sun.security.krb5.maxReferrals=5
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
SHA1 usage SignedJAR & denyAfter 2019-01-01

#
# Legacy algorithms for certification path (CertPath) processing and
@@ -698,7 +699,7 @@ jdk.security.legacyAlgorithms=SHA1, \
# See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
#
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
DSA keySize < 1024
DSA keySize < 1024, SHA1 denyAfter 2019-01-01

#
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security

1 comment on commit 6d91a3e

@openjdk-notifier
Copy link

@openjdk-notifier openjdk-notifier bot commented on 6d91a3e Sep 21, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please sign in to comment.