Initial revision.

seanjmullan · Aug 20, 2021 · d49ba3f · d49ba3f
1 parent bdb50ca
commit d49ba3f
Show file tree

Hide file tree

Showing 27 changed files with 429 additions and 342 deletions.
diff --git a/src/java.base/share/classes/module-info.java b/src/java.base/share/classes/module-info.java
@@ -318,7 +318,8 @@
         jdk.crypto.ec,
         jdk.security.auth;
     exports sun.security.provider.certpath to
-        java.naming;
+        java.naming,
+        jdk.jartool;
     exports sun.security.rsa to
         jdk.crypto.cryptoki;
     exports sun.security.timestamp to

diff --git a/src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java b/src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -131,7 +131,7 @@ public AlgorithmChecker(AlgorithmConstraints constraints, String variant) {
      *     certificate
      * @param constraints the algorithm constraints (or null)
      * @param date the date specified by the PKIXParameters date, or the
-     *             JAR timestamp if jar files are being validated and the
+     *             timestamp if JAR files are being validated and the
      *             JAR is timestamped. May be null if no timestamp or
      *             PKIXParameter date is set.
      * @param variant the Validator variant of the operation. A null value
@@ -160,17 +160,19 @@ public AlgorithmChecker(TrustAnchor anchor,
 
     /**
      * Create a new {@code AlgorithmChecker} with the given {@code TrustAnchor},
-     * {@code PKIXParameter} date, and {@code varient}
+     * {@code PKIXParameter} date, and {@code variant}.
      *
      * @param anchor the trust anchor selected to validate the target
      *     certificate
-     * @param pkixdate Date the constraints are checked against. The value is
-     *             either the PKIXParameters date or null for the current date.
+     * @param date the date specified by the PKIXParameters date, or the
+     *             timestamp if JAR files are being validated and the
+     *             JAR is timestamped. May be null if no timestamp or
+     *             PKIXParameter date is set.
      * @param variant the Validator variant of the operation. A null value
      *                passed will set it to Validator.GENERIC.
      */
-    public AlgorithmChecker(TrustAnchor anchor, Date pkixdate, String variant) {
-        this(anchor, certPathDefaultConstraints, pkixdate, variant);
+    public AlgorithmChecker(TrustAnchor anchor, Date date, String variant) {
+        this(anchor, certPathDefaultConstraints, date, variant);
     }
 
     @Override

diff --git a/...java.base/share/classes/sun/security/provider/certpath/CertPathConstraintsParameters.java b/...java.base/share/classes/sun/security/provider/certpath/CertPathConstraintsParameters.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2020, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -39,7 +39,7 @@
  * constraints specified in the jdk.certpath.disabledAlgorithms security
  * property.
  */
-class CertPathConstraintsParameters implements ConstraintsParameters {
+public class CertPathConstraintsParameters implements ConstraintsParameters {
     // The public key of the certificate
     private final Key key;
     // The certificate's trust anchor which will be checked against the

diff --git a/src/java.base/share/classes/sun/security/provider/certpath/PKIX.java b/src/java.base/share/classes/sun/security/provider/certpath/PKIX.java
@@ -88,6 +88,7 @@ static class ValidatorParams {
         private Set<TrustAnchor> anchors;
         private List<X509Certificate> certs;
         private Timestamp timestamp;
+        private Date timestampDate;
         private String variant = Validator.VAR_GENERIC;
 
         ValidatorParams(CertPath cp, PKIXParameters params)
@@ -209,6 +210,14 @@ PKIXParameters getPKIXParameters() {
         String variant() {
             return variant;
         }
+        Date timestamp() {
+            // return timestamp date if set, otherwise use date parameter
+            if (timestampDate == null) {
+                timestampDate = (timestamp != null)
+                    ? timestamp.getTimestamp() : date();
+            }
+            return timestampDate;
+        }
     }
 
     static class BuilderParams extends ValidatorParams {

diff --git a/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java b/src/java.base/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -176,8 +176,8 @@ private static PKIXCertPathValidatorResult validate(TrustAnchor anchor,
         List<PKIXCertPathChecker> certPathCheckers = new ArrayList<>();
         // add standard checkers that we will be using
         certPathCheckers.add(untrustedChecker);
-        certPathCheckers.add(new AlgorithmChecker(anchor, null, params.date(),
-                params.variant()));
+        certPathCheckers.add(new AlgorithmChecker(anchor, null,
+                params.timestamp(), params.variant()));
         certPathCheckers.add(new KeyChecker(certPathLen,
                                             params.targetCertConstraints()));
         certPathCheckers.add(new ConstraintsChecker(certPathLen));

diff --git a/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java b/src/java.base/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -344,7 +344,7 @@ private void depthFirstSearchForward(X500Principal dN,
 
                 // add the algorithm checker
                 checkers.add(new AlgorithmChecker(builder.trustAnchor,
-                        buildParams.date(), buildParams.variant()));
+                        buildParams.timestamp(), buildParams.variant()));
 
                 BasicChecker basicChecker = null;
                 if (nextState.keyParamsNeeded()) {

diff --git a/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java b/src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
@@ -39,7 +39,6 @@
 import java.security.spec.MGF1ParameterSpec;
 import java.security.spec.NamedParameterSpec;
 import java.security.spec.PSSParameterSpec;
-import java.text.SimpleDateFormat;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Calendar;
@@ -688,8 +687,6 @@ public void permits(ConstraintsParameters cp)
      */
     private static class DenyAfterConstraint extends Constraint {
         private Date denyAfterDate;
-        private static final SimpleDateFormat dateFormat =
-                new SimpleDateFormat("EEE, MMM d HH:mm:ss z yyyy");
 
         DenyAfterConstraint(String algo, int year, int month, int day) {
             Calendar c;
@@ -723,7 +720,7 @@ private static class DenyAfterConstraint extends Constraint {
             denyAfterDate = c.getTime();
             if (debug != null) {
                 debug.println("DenyAfterConstraint date set to: " +
-                        dateFormat.format(denyAfterDate));
+                        denyAfterDate);
             }
         }
 
@@ -754,8 +751,8 @@ public void permits(ConstraintsParameters cp)
                 throw new CertPathValidatorException(
                         "denyAfter constraint check failed: " + algorithm +
                         " used with Constraint date: " +
-                        dateFormat.format(denyAfterDate) + "; params date: " +
-                        dateFormat.format(currentDate) + cp.extendedExceptionMsg(),
+                        denyAfterDate + "; params date: " +
+                        currentDate + cp.extendedExceptionMsg(),
                         null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
             }
         }

diff --git a/src/java.base/share/classes/sun/security/util/JarConstraintsParameters.java b/src/java.base/share/classes/sun/security/util/JarConstraintsParameters.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2020, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -98,11 +98,27 @@ public JarConstraintsParameters(CodeSigner[] signers) {
         this.timestamp = latestTimestamp;
     }
 
+    public JarConstraintsParameters(List<X509Certificate> chain, Timestamp timestamp) {
+        this.keys = new HashSet<>();
+        this.certsIssuedByAnchor = new HashSet<>();
+        init(chain);
+        if (timestamp != null) {
+            init(timestamp.getSignerCertPath());
+            this.timestamp = timestamp.getTimestamp();
+        } else {
+            this.timestamp = null;
+        }
+    }
+
     // extract last certificate and key from chain
     private void init(CertPath cp) {
         @SuppressWarnings("unchecked")
         List<X509Certificate> chain =
             (List<X509Certificate>)cp.getCertificates();
+        init(chain);
+    }
+
+    private void init(List<X509Certificate> chain) {
         if (!chain.isEmpty()) {
             this.certsIssuedByAnchor.add(chain.get(chain.size() - 1));
             this.keys.add(chain.get(0).getPublicKey());

diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
@@ -558,7 +558,7 @@ sun.security.krb5.maxReferrals=5
 # can be included in the disabledAlgorithms properties.  These properties are
 # to help manage common actions easier across multiple disabledAlgorithm
 # properties.
-# There is one defined security property:  jdk.disabled.NamedCurves
+# There is one defined security property:  jdk.disabled.namedCurves
 # See the property for more specific details.
 #
 #
@@ -634,7 +634,8 @@ sun.security.krb5.maxReferrals=5
 #
 #
 jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
-    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
+    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
+    SHA1 usage SignedJAR & denyAfter 2019-01-01
 
 #
 # Legacy algorithms for certification path (CertPath) processing and
@@ -698,7 +699,7 @@ jdk.security.legacyAlgorithms=SHA1, \
 # See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
 #
 jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
-      DSA keySize < 1024
+      DSA keySize < 1024, SHA1 denyAfter 2019-01-01
 
 #
 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security