8076117: EndEntityChecker should not process custom extensions after PKIX validation

Reviewed-by: xuelei, mullan
2015-04-14 13:02:23 -07:00 · 2015-04-14 13:02:23 -07:00 · 31a7b46b00
commit 31a7b46b00
parent 8130b5c80f
3 changed files with 258 additions and 35 deletions
--- a/jdk/src/java.base/share/classes/sun/security/validator/EndEntityChecker.java
+++ b/jdk/src/java.base/share/classes/sun/security/validator/EndEntityChecker.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -132,26 +132,33 @@ class EndEntityChecker {
        return new EndEntityChecker(type, variant);
    }
-    void check(X509Certificate cert, Object parameter)
+    void check(X509Certificate cert, Object parameter,
-            throws CertificateException {
+            boolean checkUnresolvedCritExts) throws CertificateException {
        if (variant.equals(Validator.VAR_GENERIC)) {
-            // no checks
+            return; // no checks
-            return;
+        }
-        } else if (variant.equals(Validator.VAR_TLS_SERVER)) {
+
-            checkTLSServer(cert, (String)parameter);
+        Set<String> exts = getCriticalExtensions(cert);
        if (variant.equals(Validator.VAR_TLS_SERVER)) {
            checkTLSServer(cert, (String)parameter, exts);
        } else if (variant.equals(Validator.VAR_TLS_CLIENT)) {
-            checkTLSClient(cert);
+            checkTLSClient(cert, exts);
        } else if (variant.equals(Validator.VAR_CODE_SIGNING)) {
-            checkCodeSigning(cert);
+            checkCodeSigning(cert, exts);
        } else if (variant.equals(Validator.VAR_JCE_SIGNING)) {
-            checkCodeSigning(cert);
+            checkCodeSigning(cert, exts);
        } else if (variant.equals(Validator.VAR_PLUGIN_CODE_SIGNING)) {
-            checkCodeSigning(cert);
+            checkCodeSigning(cert, exts);
        } else if (variant.equals(Validator.VAR_TSA_SERVER)) {
-            checkTSAServer(cert);
+            checkTSAServer(cert, exts);
        } else {
            throw new CertificateException("Unknown variant: " + variant);
        }
        // if neither VAR_GENERIC variant nor unknown variant
        if (checkUnresolvedCritExts) {
            checkRemainingExtensions(exts);
        }
    }
    /**
@ -219,10 +226,8 @@ class EndEntityChecker {
     * authentication.
     * @throws CertificateException if not.
     */
-    private void checkTLSClient(X509Certificate cert)
+    private void checkTLSClient(X509Certificate cert, Set<String> exts)
            throws CertificateException {
        Set<String> exts = getCriticalExtensions(cert);
        if (checkKeyUsage(cert, KU_SIGNATURE) == false) {
            throw new ValidatorException
                ("KeyUsage does not allow digital signatures",
@ -245,8 +250,6 @@ class EndEntityChecker {
        exts.remove(SimpleValidator.OID_KEY_USAGE);
        exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
        exts.remove(SimpleValidator.OID_NETSCAPE_CERT_TYPE);
        checkRemainingExtensions(exts);
    }
    /**
@ -255,10 +258,8 @@ class EndEntityChecker {
     * specification for details.
     * @throws CertificateException if not.
     */
-    private void checkTLSServer(X509Certificate cert, String parameter)
+    private void checkTLSServer(X509Certificate cert, String parameter,
-            throws CertificateException {
+            Set<String> exts) throws CertificateException {
        Set<String> exts = getCriticalExtensions(cert);
        if (KU_SERVER_ENCRYPTION.contains(parameter)) {
            if (checkKeyUsage(cert, KU_KEY_ENCIPHERMENT) == false) {
                throw new ValidatorException
@ -303,18 +304,14 @@ class EndEntityChecker {
        exts.remove(SimpleValidator.OID_KEY_USAGE);
        exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
        exts.remove(SimpleValidator.OID_NETSCAPE_CERT_TYPE);
        checkRemainingExtensions(exts);
    }
    /**
     * Check whether this certificate can be used for code signing.
     * @throws CertificateException if not.
     */
-    private void checkCodeSigning(X509Certificate cert)
+    private void checkCodeSigning(X509Certificate cert, Set<String> exts)
            throws CertificateException {
        Set<String> exts = getCriticalExtensions(cert);
        if (checkKeyUsage(cert, KU_SIGNATURE) == false) {
            throw new ValidatorException
                ("KeyUsage does not allow digital signatures",
@ -341,8 +338,6 @@ class EndEntityChecker {
        // remove extensions we checked
        exts.remove(SimpleValidator.OID_KEY_USAGE);
        exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
        checkRemainingExtensions(exts);
    }
    /**
@ -350,10 +345,8 @@ class EndEntityChecker {
     * server (see RFC 3161, section 2.3).
     * @throws CertificateException if not.
     */
-    private void checkTSAServer(X509Certificate cert)
+    private void checkTSAServer(X509Certificate cert, Set<String> exts)
            throws CertificateException {
        Set<String> exts = getCriticalExtensions(cert);
        if (checkKeyUsage(cert, KU_SIGNATURE) == false) {
            throw new ValidatorException
                ("KeyUsage does not allow digital signatures",
@ -376,7 +369,5 @@ class EndEntityChecker {
        // remove extensions we checked
        exts.remove(SimpleValidator.OID_KEY_USAGE);
        exts.remove(SimpleValidator.OID_EXTENDED_KEY_USAGE);
        checkRemainingExtensions(exts);
    }
 }
--- a/jdk/src/java.base/share/classes/sun/security/validator/Validator.java
+++ b/jdk/src/java.base/share/classes/sun/security/validator/Validator.java
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@ -143,6 +143,7 @@ public abstract class Validator {
     */
    public final static String VAR_PLUGIN_CODE_SIGNING = "plugin code signing";
    private final String type;
    final EndEntityChecker endEntityChecker;
    final String variant;
@ -154,6 +155,7 @@ public abstract class Validator {
    volatile Date validationDate;
    Validator(String type, String variant) {
        this.type = type;
        this.variant = variant;
        endEntityChecker = EndEntityChecker.getInstance(type, variant);
    }
@ -261,7 +263,16 @@ public abstract class Validator {
        // omit EE extension check if EE cert is also trust anchor
        if (chain.length > 1) {
-            endEntityChecker.check(chain[0], parameter);
+            // EndEntityChecker does not need to check unresolved critical
            // extensions when validating with a TYPE_PKIX Validator.
            // A TYPE_PKIX Validator will already have run checks on all
            // certs' extensions, including checks by any PKIXCertPathCheckers
            // included in the PKIXParameters, so the extra checks would be
            // redundant.
            boolean checkUnresolvedCritExts =
                    (type == TYPE_PKIX) ? false : true;
            endEntityChecker.check(chain[0], parameter,
                                   checkUnresolvedCritExts);
        }
        return chain;
--- a/jdk/test/sun/security/validator/EndEntityExtensionCheck.java
+++ b/jdk/test/sun/security/validator/EndEntityExtensionCheck.java
@ -0,0 +1,221 @@
 /*
 * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 * or visit www.oracle.com if you need additional information or have any
 * questions.
 */
 /*
 * @test
 * @bug 8076117
 * @summary EndEntityChecker should not process custom extensions
 *          after PKIX validation
 */
 import java.io.ByteArrayInputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.security.KeyStore;
 import java.security.cert.CertPathValidatorException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.PKIXBuilderParameters;
 import java.security.cert.PKIXCertPathChecker;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509Certificate;
 import java.util.Collection;
 import java.util.Date;
 import java.util.HashSet;
 import java.util.Set;
 import sun.security.validator.KeyStores;
 import sun.security.validator.Validator;
 public class EndEntityExtensionCheck {
    /*
     * Owner: CN=TestCA
     * Issuer: CN=TestCA
     */
    private static final String CA =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICgDCCAj2gAwIBAgIEC18hWjALBgcqhkjOOAQDBQAwETEPMA0GA1UEAxMGVGVz\n" +
        "dENBMB4XDTE1MDQwNzIyMzUyMFoXDTI1MDQwNjIyMzUyMFowETEPMA0GA1UEAxMG\n" +
        "VGVzdENBMIIBuDCCASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2\n" +
        "EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdr\n" +
        "mVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXz\n" +
        "rith1yrv8iIDGZ3RSAHHAhUAl2BQjxUjC8yykrmCouuEC/BYHPUCgYEA9+Gghdab\n" +
        "Pd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6Ewo\n" +
        "FhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhR\n" +
        "kImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoDgYUAAoGBAJOWy2hVy4iNwsi/idWG\n" +
        "oksr9IZxQIFR2YavoUmD+rIgfYUpiCihzftDLMMaNYqp9PPxuOyoIPGPbwmKpAs5\n" +
        "nq6gLwH2lSsN+EwyV2SJ0J26PHiMuRNZWWfKR3cpEqbQVb0CmvqSpj8zYfamPzp7\n" +
        "eXSWwahzgLCGJM3SgCfDFC0uoyEwHzAdBgNVHQ4EFgQU7tLD8FnWM+r6jBr+mCXs\n" +
        "8G5yBpgwCwYHKoZIzjgEAwUAAzAAMC0CFQCHCtzC3S0ST0EZBucikVui4WXD8QIU\n" +
        "L3Oxy6989/FhZlZWJlhqc1ungEQ=\n" +
        "-----END CERTIFICATE-----";
    /*
     * Owner: CN=TestEE
     * Issuer: CN=TestCA
     * Contains a custom critical extension with OID 1.2.3.4:
     *    #1: ObjectId: 1.2.3.4 Criticality=true
     *    0000: 00 00
     */
    private static final String EE =
        "-----BEGIN CERTIFICATE-----\n" +
        "MIICrTCCAmugAwIBAgIELjciKzALBgcqhkjOOAQDBQAwETEPMA0GA1UEAxMGVGVz\n" +
        "dENBMB4XDTE1MDQwNzIzMDA1OFoXDTE1MDcwNjIzMDA1OFowETEPMA0GA1UEAxMG\n" +
        "VGVzdEVFMIIBtzCCASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2\n" +
        "EbdSPO9EAMMeP4C2USZpRV1AIlH7WT2NWPq/xfW6MPbLm1Vs14E7gB00b/JmYLdr\n" +
        "mVClpJ+f6AR7ECLCT7up1/63xhv4O1fnxqimFQ8E+4P208UewwI1VBNaFpEy9nXz\n" +
        "rith1yrv8iIDGZ3RSAHHAhUAl2BQjxUjC8yykrmCouuEC/BYHPUCgYEA9+Gghdab\n" +
        "Pd7LvKtcNrhXuXmUr7v6OuqC+VdMCz0HgmdRWVeOutRZT+ZxBxCBgLRJFnEj6Ewo\n" +
        "FhO3zwkyjMim4TwWeotUfI0o4KOuHiuzpnWRbqN/C/ohNWLx+2J6ASQ7zKTxvqhR\n" +
        "kImog9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoDgYQAAoGAN97otrAJEuUg/O97vScI\n" +
        "01xs1jqTz5o0PGpKiDDJNB3tCCUbLqXoBQBvSefQ8vYL3mmlEJLxlwfbajRmJQp0\n" +
        "tUy5SUCZHk3MdoKxSvrqYnVpYwJHFXKWs6lAawxfuWbkm9SREuepOWnVzy2ecf5z\n" +
        "hvy9mgEBfi4E9Cy8Byq2TpyjUDBOMAwGAyoDBAEB/wQCAAAwHwYDVR0jBBgwFoAU\n" +
        "7tLD8FnWM+r6jBr+mCXs8G5yBpgwHQYDVR0OBBYEFNRVqt5F+EAuJ5x1IZLDkoMs\n" +
        "mDj4MAsGByqGSM44BAMFAAMvADAsAhQyNGhxIp5IshN1zqLs4pUY214IMAIUMmTL\n" +
        "3ZMpMAjITbuHHlFNUqZ7A9s=\n" +
        "-----END CERTIFICATE-----";
    public static void main(String[] args) throws Exception {
        X509Certificate[] chain = createChain();
        /* Test 1: Test SimpleValidator
         *  SimpleValidator doesn't check for unsupported critical
         *  extensions in the end entity certificate, and leaves that up
         *  to EndEntityChecker, which should catch such extensions.
         */
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        ks.setCertificateEntry("testca", chain[chain.length - 1]);
        Validator v = Validator.getInstance(Validator.TYPE_SIMPLE,
                                            Validator.VAR_TLS_CLIENT,
                                            KeyStores.getTrustedCerts(ks));
        try {
            v.validate(chain);
            throw new Exception("Chain should not have validated " +
                                "successfully.");
        } catch (CertificateException ex) {
            // EE cert has an unsupported critical extension that is not
            // checked by SimpleValidator's extension checks, so this
            // failure is expected
        }
        /* Test 2: Test PKIXValidator without custom checker
         * PKIXValidator accepts PKIXParameters that can contain
         * custom PKIXCertPathCheckers, which would be run against
         * each cert in the chain, including EE certs.
         * Check that if PKIXValidator is not provided a custom
         * PKIXCertPathChecker for an unknown critical extension in
         * the EE cert, chain validation will fail.
         */
        TrustAnchor ta = new TrustAnchor(chain[chain.length - 1], null);
        Set<TrustAnchor> tas = new HashSet<>();
        tas.add(ta);
        PKIXBuilderParameters params = new PKIXBuilderParameters(tas, null);
        params.setDate(new Date(115, 5, 1));   // 2015-05-01
        params.setRevocationEnabled(false);
        v = Validator.getInstance(Validator.TYPE_PKIX,
                                  Validator.VAR_TLS_CLIENT,
                                  params);
        try {
            v.validate(chain);
            throw new Exception("Chain should not have validated " +
                                "successfully.");
        } catch (CertificateException ex) {
            // EE cert has an unsupported critical extension and
            // PKIXValidator was not provided any custom checker
            // for it, so this failure ie expected.
        }
        /* Test 3: Test PKIXValidator with custom checker
         * Check that PKIXValidator will successfully validate a chain
         * containing an EE cert with a critical custom extension, given
         * a corresponding PKIXCertPathChecker for the extension.
         */
        params = new PKIXBuilderParameters(tas, null);
        params.addCertPathChecker(new CustomChecker());
        params.setDate(new Date(115, 5, 1));   // 2015-05-01
        params.setRevocationEnabled(false);
        v = Validator.getInstance(Validator.TYPE_PKIX,
                                  Validator.VAR_TLS_CLIENT,
                                  params);
        v.validate(chain); // This should validate successfully
        System.out.println("Tests passed.");
    }
    public static X509Certificate[] createChain() throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ee = (X509Certificate)
            cf.generateCertificate((new ByteArrayInputStream(EE.getBytes())));
        X509Certificate ca = (X509Certificate)
            cf.generateCertificate((new ByteArrayInputStream(CA.getBytes())));
        X509Certificate[] chain = {ee, ca};
        return chain;
    }
    /*
     * A custom PKIXCertPathChecker. Looks for a critical extension
     * in an end entity certificate with the OID 1.2.3.4.
     */
    static class CustomChecker extends PKIXCertPathChecker {
        @Override
        public void init(boolean forward) throws CertPathValidatorException {
            // nothing to do
        }
        @Override
        public boolean isForwardCheckingSupported() {
            return false;
        }
        @Override
        public Set<String> getSupportedExtensions() {
            Set<String> exts = new HashSet<>();
            exts.add("1.2.3.4");
            return exts;
        }
        @Override
        public void check(Certificate cert,
                          Collection<String> unresolvedCritExts)
                throws CertPathValidatorException {
            X509Certificate currCert = (X509Certificate)cert;
            // check that this is an EE cert
            if (currCert.getBasicConstraints() == -1) {
                if (unresolvedCritExts != null &&
                        !unresolvedCritExts.isEmpty()) {
                    unresolvedCritExts.remove("1.2.3.4");
                }
            }
        }
    }
 }