8309966: Enhanced TLS connections

Backport-of: d25ee81f56d67f2c51ba8b8c59f470c6f88ae47f

src/java.base/share/classes/java/security/cert/CertPathHelperImpl.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,12 +25,10 @@
 
 package java.security.cert;
 
-import java.util.*;
+import java.util.Date;
 
 import sun.security.provider.certpath.CertPathHelper;
 
-import sun.security.x509.GeneralNameInterface;
-
 /**
  * Helper class that allows the Sun CertPath provider to access
  * implementation dependent APIs in CertPath framework.
@@ -55,11 +53,6 @@ static synchronized void initialize() {
         }
     }
 
-    protected void implSetPathToNames(X509CertSelector sel,
-            Set<GeneralNameInterface> names) {
-        sel.setPathToNamesInternal(names);
-    }
-
     protected void implSetDateAndTime(X509CRLSelector sel, Date date, long skew) {
         sel.setDateAndTime(date, skew);
     }

src/java.base/share/classes/java/security/cert/X509CertSelector.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -87,10 +87,6 @@ public class X509CertSelector implements CertSelector {
     private static final ObjectIdentifier ANY_EXTENDED_KEY_USAGE =
         ObjectIdentifier.of(KnownOIDs.anyExtendedKeyUsage);
 
-    static {
-        CertPathHelperImpl.initialize();
-    }
-
     private BigInteger serialNumber;
     private X500Principal issuer;
     private X500Principal subject;
@@ -1127,14 +1123,6 @@ public void setPathToNames(Collection<List<?>> names) throws IOException {
         }
     }
 
-    // called from CertPathHelper
-    void setPathToNamesInternal(Set<GeneralNameInterface> names) {
-        // set names to non-null dummy value
-        // this breaks getPathToNames()
-        pathToNames = Collections.<List<?>>emptySet();
-        pathToGeneralNames = names;
-    }
-
     /**
      * Adds a name to the pathToNames criterion. The {@code X509Certificate}
      * must not include name constraints that would prohibit building a

src/java.base/share/classes/sun/security/provider/certpath/CertPathHelper.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,14 +26,10 @@
 package sun.security.provider.certpath;
 
 import java.util.Date;
-import java.util.Set;
 
 import java.security.cert.TrustAnchor;
-import java.security.cert.X509CertSelector;
 import java.security.cert.X509CRLSelector;
 
-import sun.security.x509.GeneralNameInterface;
-
 /**
  * Helper class that allows access to JDK specific known-public methods in the
  * java.security.cert package. It relies on a subclass in the
@@ -55,18 +51,10 @@ protected CertPathHelper() {
         // empty
     }
 
-    protected abstract void implSetPathToNames(X509CertSelector sel,
-            Set<GeneralNameInterface> names);
-
     protected abstract void implSetDateAndTime(X509CRLSelector sel, Date date, long skew);
 
     protected abstract boolean implIsJdkCA(TrustAnchor anchor);
 
-    static void setPathToNames(X509CertSelector sel,
-            Set<GeneralNameInterface> names) {
-        instance.implSetPathToNames(sel, names);
-    }
-
     public static void setDateAndTime(X509CRLSelector sel, Date date, long skew) {
         instance.implSetDateAndTime(sel, date, skew);
     }

src/java.base/share/classes/sun/security/provider/certpath/ForwardBuilder.java

@@ -47,7 +47,6 @@
 import sun.security.x509.AuthorityInfoAccessExtension;
 import sun.security.x509.AuthorityKeyIdentifierExtension;
 import static sun.security.x509.PKIXExtensions.*;
-import sun.security.x509.SubjectAlternativeNameExtension;
 import sun.security.x509.X500Name;
 import sun.security.x509.X509CertImpl;
 
@@ -257,14 +256,6 @@ private void getMatchingCACerts(ForwardState currentState,
              */
             caSelector.setSubject(currentState.issuerDN);
 
-            /*
-             * Match on subjectNamesTraversed (both DNs and AltNames)
-             * (checks that current cert's name constraints permit it
-             * to certify all the DNs and AltNames that have been traversed)
-             */
-            CertPathHelper.setPathToNames
-                (caSelector, currentState.subjectNamesTraversed);
-
             /*
              * check the validity period
              */
@@ -697,19 +688,6 @@ void verifyCert(X509Certificate cert, State currentState,
         // Don't bother to verify untrusted certificate more.
         currState.untrustedChecker.check(cert, Collections.emptySet());
 
-        /*
-         * Abort if we encounter the same certificate or a certificate with
-         * the same public key, subject DN, and subjectAltNames as a cert
-         * that is already in path.
-         */
-        for (X509Certificate cpListCert : certPathList) {
-            if (repeated(cpListCert, cert)) {
-                throw new CertPathValidatorException(
-                    "cert with repeated subject, public key, and " +
-                    "subjectAltNames detected");
-            }
-        }
-
         /* check if trusted cert */
         boolean isTrustedCert = trustedCerts.contains(cert);
 
@@ -787,49 +765,6 @@ void verifyCert(X509Certificate cert, State currentState,
         }
     }
 
-    /**
-     * Return true if two certificates are equal or have the same subject,
-     * public key, and subject alternative names.
-     */
-    private static boolean repeated(
-            X509Certificate currCert, X509Certificate nextCert) {
-        if (currCert.equals(nextCert)) {
-            return true;
-        }
-        return (currCert.getSubjectX500Principal().equals(
-            nextCert.getSubjectX500Principal()) &&
-            currCert.getPublicKey().equals(nextCert.getPublicKey()) &&
-            altNamesEqual(currCert, nextCert));
-    }
-
-    /**
-     * Return true if two certificates have the same subject alternative names.
-     */
-    private static boolean altNamesEqual(
-            X509Certificate currCert, X509Certificate nextCert) {
-        X509CertImpl curr, next;
-        try {
-            curr = X509CertImpl.toImpl(currCert);
-            next = X509CertImpl.toImpl(nextCert);
-        } catch (CertificateException ce) {
-            return false;
-        }
-
-        SubjectAlternativeNameExtension currAltNameExt =
-            curr.getSubjectAlternativeNameExtension();
-        SubjectAlternativeNameExtension nextAltNameExt =
-            next.getSubjectAlternativeNameExtension();
-        if (currAltNameExt != null) {
-            if (nextAltNameExt == null) {
-                return false;
-            }
-            return Arrays.equals(currAltNameExt.getExtensionValue(),
-                nextAltNameExt.getExtensionValue());
-        } else {
-            return (nextAltNameExt == null);
-        }
-    }
-
     /**
      * Verifies whether the input certificate completes the path.
      * First checks the cert against each trust anchor that was specified,

src/java.base/share/classes/sun/security/provider/certpath/ForwardState.java

@@ -31,17 +31,11 @@
 import java.security.cert.PKIXCertPathChecker;
 import java.security.cert.X509Certificate;
 import java.util.ArrayList;
-import java.util.HashSet;
 import java.util.List;
 import java.util.ListIterator;
 import javax.security.auth.x500.X500Principal;
 
 import sun.security.util.Debug;
-import sun.security.x509.SubjectAlternativeNameExtension;
-import sun.security.x509.GeneralNames;
-import sun.security.x509.GeneralName;
-import sun.security.x509.GeneralNameInterface;
-import sun.security.x509.X500Name;
 import sun.security.x509.X509CertImpl;
 
 /**
@@ -61,9 +55,6 @@ class ForwardState implements State {
     /* The last cert in the path */
     X509CertImpl cert;
 
-    /* The set of subjectDNs and subjectAltNames of all certs in the path */
-    HashSet<GeneralNameInterface> subjectNamesTraversed;
-
     /*
      * The number of intermediate CA certs which have been traversed so
      * far in the path
@@ -73,7 +64,6 @@ class ForwardState implements State {
     /* Flag indicating if state is initial (path is just starting) */
     private boolean init = true;
 
-
     /* the untrusted certificates checker */
     UntrustedChecker untrustedChecker;
 
@@ -103,8 +93,6 @@ public String toString() {
                 "\n  issuerDN of last cert: " + issuerDN +
                 "\n  traversedCACerts: " + traversedCACerts +
                 "\n  init: " + init +
-                "\n  subjectNamesTraversed: \n" +
-                subjectNamesTraversed +
                 "\n  selfIssued: " + selfIssued + "\n" +
                 "]\n";
     }
@@ -117,7 +105,6 @@ public String toString() {
     public void initState(List<PKIXCertPathChecker> certPathCheckers)
         throws CertPathValidatorException
     {
-        subjectNamesTraversed = new HashSet<>();
         traversedCACerts = 0;
 
         /*
@@ -167,33 +154,13 @@ public void updateState(X509Certificate cert)
             }
         }
 
-        /* update subjectNamesTraversed only if this is the EE cert or if
-           this cert is not self-issued */
-        if (init || !selfIssued) {
-            X500Principal subjName = cert.getSubjectX500Principal();
-            subjectNamesTraversed.add(X500Name.asX500Name(subjName));
-
-            SubjectAlternativeNameExtension subjAltNameExt
-                    = icert.getSubjectAlternativeNameExtension();
-            if (subjAltNameExt != null) {
-                GeneralNames gNames = subjAltNameExt.getNames();
-                for (GeneralName gName : gNames.names()) {
-                    subjectNamesTraversed.add(gName.getName());
-                }
-            }
-        }
-
         init = false;
     }
 
     /*
      * Clone current state. The state is cloned as each cert is
      * added to the path. This is necessary if backtracking occurs,
      * and a prior state needs to be restored.
-     *
-     * Note that this is a SMART clone. Not all fields are fully copied,
-     * because some of them will
-     * not have their contents modified by subsequent calls to updateState.
      */
     @Override
     @SuppressWarnings("unchecked") // Safe casts assuming clone() works correctly
@@ -213,13 +180,6 @@ public Object clone() {
                 }
             }
 
-            /*
-             * Shallow copy traversed names. There is no need to
-             * deep copy contents, since the elements of the Set
-             * are never modified by subsequent calls to updateState().
-             */
-            clonedState.subjectNamesTraversed
-                = (HashSet<GeneralNameInterface>)subjectNamesTraversed.clone();
             return clonedState;
         } catch (CloneNotSupportedException e) {
             throw new InternalError(e.toString(), e);