8269039: Disable SHA-1 Signed JARs

Reviewed-by: mbalao
Backport-of: 6d91a3eb7bd1e1403cfb67f7eb8ce06d7e08e7a7

Author: Alexey Bakhtin

jdk/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -131,7 +131,7 @@ public AlgorithmChecker(AlgorithmConstraints constraints, String variant) {
      *     certificate
      * @param constraints the algorithm constraints (or null)
      * @param date the date specified by the PKIXParameters date, or the
-     *             JAR timestamp if jar files are being validated and the
+     *             timestamp if JAR files are being validated and the
      *             JAR is timestamped. May be null if no timestamp or
      *             PKIXParameter date is set.
      * @param variant the Validator variant of the operation. A null value
@@ -160,17 +160,19 @@ public AlgorithmChecker(TrustAnchor anchor,
 
     /**
      * Create a new {@code AlgorithmChecker} with the given {@code TrustAnchor},
-     * {@code PKIXParameter} date, and {@code varient}
+     * {@code PKIXParameter} date, and {@code variant}.
      *
      * @param anchor the trust anchor selected to validate the target
      *     certificate
-     * @param pkixdate Date the constraints are checked against. The value is
-     *             either the PKIXParameters date or null for the current date.
+     * @param date the date specified by the PKIXParameters date, or the
+     *             timestamp if JAR files are being validated and the
+     *             JAR is timestamped. May be null if no timestamp or
+     *             PKIXParameter date is set.
      * @param variant the Validator variant of the operation. A null value
      *                passed will set it to Validator.GENERIC.
      */
-    public AlgorithmChecker(TrustAnchor anchor, Date pkixdate, String variant) {
-        this(anchor, certPathDefaultConstraints, pkixdate, variant);
+    public AlgorithmChecker(TrustAnchor anchor, Date date, String variant) {
+        this(anchor, certPathDefaultConstraints, date, variant);
     }
 
     @Override

jdk/src/share/classes/sun/security/provider/certpath/CertPathConstraintsParameters.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2020, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -40,7 +40,7 @@
  * constraints specified in the jdk.certpath.disabledAlgorithms security
  * property.
  */
-class CertPathConstraintsParameters implements ConstraintsParameters {
+public class CertPathConstraintsParameters implements ConstraintsParameters {
     // The public key of the certificate
     private final Key key;
     // The certificate's trust anchor which will be checked against the
@@ -105,7 +105,7 @@ public String extendedExceptionMsg() {
     @Override
     public String toString() {
         StringBuilder sb = new StringBuilder("[\n");
-        sb.append("\n  Variant: ").append(variant);
+        sb.append("  Variant: ").append(variant);
         if (anchor != null) {
             sb.append("\n  Anchor: ").append(anchor);
         }

jdk/src/share/classes/sun/security/provider/certpath/PKIX.java

@@ -88,6 +88,7 @@ static class ValidatorParams {
         private Set<TrustAnchor> anchors;
         private List<X509Certificate> certs;
         private Timestamp timestamp;
+        private Date timestampDate;
         private String variant = Validator.VAR_GENERIC;
 
         ValidatorParams(CertPath cp, PKIXParameters params)
@@ -154,10 +155,20 @@ List<CertStore> certStores() {
                 stores = params.getCertStores();
             return stores;
         }
+        // The date() param is used when enforcing the validity period
+        // of certificates and when checking the time period of revocation data.
+        // The main difference between the date() and timestamp() method is
+        // that the date() method only uses the timestamp (if specified)
+        // for certificates in a code signer's chain.
         Date date() {
             if (!gotDate) {
-                // use timestamp if checking signed code that is
-                // timestamped, otherwise use date parameter
+                // Use timestamp if checking signed code that is
+                // timestamped, otherwise use date parameter.
+                // Note that TSA server certificates do not use the
+                // timestamp, which means that an expired TSA certificate
+                // is considered a validation failure. This policy means
+                // that signed and timestamped code is valid until the TSA
+                // certificate expires (assuming all other checks are valid).
                 if (timestamp != null &&
                     (variant.equals(Validator.VAR_CODE_SIGNING) ||
                      variant.equals(Validator.VAR_PLUGIN_CODE_SIGNING))) {
@@ -210,6 +221,17 @@ PKIXParameters getPKIXParameters() {
         String variant() {
             return variant;
         }
+        // The timestamp() param is passed as the date param when creating an
+        // AlgorithmChecker. An AlgorithmChecker always uses the timestamp
+        // if specified in order to enforce the denyAfter constraint.
+        Date timestamp() {
+            // return timestamp date if set, otherwise use date parameter
+            if (timestampDate == null) {
+                timestampDate = (timestamp != null)
+                    ? timestamp.getTimestamp() : date();
+            }
+            return timestampDate;
+        }
     }
 
     static class BuilderParams extends ValidatorParams {

jdk/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -172,8 +172,8 @@ private static PKIXCertPathValidatorResult validate(TrustAnchor anchor,
         List<PKIXCertPathChecker> certPathCheckers = new ArrayList<>();
         // add standard checkers that we will be using
         certPathCheckers.add(untrustedChecker);
-        certPathCheckers.add(new AlgorithmChecker(anchor, null, params.date(),
-                params.variant()));
+        certPathCheckers.add(new AlgorithmChecker(anchor, null,
+                params.timestamp(), params.variant()));
         certPathCheckers.add(new KeyChecker(certPathLen,
                                             params.targetCertConstraints()));
         certPathCheckers.add(new ConstraintsChecker(certPathLen));

jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -344,7 +344,7 @@ private void depthFirstSearchForward(X500Principal dN,
 
                 // add the algorithm checker
                 checkers.add(new AlgorithmChecker(builder.trustAnchor,
-                        buildParams.date(), buildParams.variant()));
+                        buildParams.timestamp(), buildParams.variant()));
 
                 BasicChecker basicChecker = null;
                 if (nextState.keyParamsNeeded()) {