Path: blob/master/src/java.base/share/classes/sun/security/validator/CADistrustPolicy.java
41159 views
/*1* Copyright (c) 2018, 2021, Oracle and/or its affiliates. All rights reserved.2* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.3*4* This code is free software; you can redistribute it and/or modify it5* under the terms of the GNU General Public License version 2 only, as6* published by the Free Software Foundation. Oracle designates this7* particular file as subject to the "Classpath" exception as provided8* by Oracle in the LICENSE file that accompanied this code.9*10* This code is distributed in the hope that it will be useful, but WITHOUT11* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or12* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License13* version 2 for more details (a copy is included in the LICENSE file that14* accompanied this code).15*16* You should have received a copy of the GNU General Public License version17* 2 along with this work; if not, write to the Free Software Foundation,18* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.19*20* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA21* or visit www.oracle.com if you need additional information or have any22* questions.23*/24package sun.security.validator;2526import java.security.AccessController;27import java.security.PrivilegedAction;28import java.security.Security;29import java.security.cert.X509Certificate;30import java.util.EnumSet;3132import sun.security.util.Debug;3334/**35* Policies for distrusting a certificate authority (CA). See the36* jdk.security.caDistrustPolicies security property for more information.37*/38enum CADistrustPolicy {39/**40* Distrust TLS Server certificates anchored by a Symantec root CA and41* issued after April 16, 2019 (with exceptions for a couple of subordinate42* CAs, see the jdk.security.caDistrustPolicies definition in the43* java.security file for more details). If enabled, this policy is44* currently enforced by the PKIX and SunX509 TrustManager implementations45* of the SunJSSE provider implementation.46*/47SYMANTEC_TLS {48void checkDistrust(String variant, X509Certificate[] chain)49throws ValidatorException {50if (!variant.equals(Validator.VAR_TLS_SERVER)) {51return;52}53SymantecTLSPolicy.checkDistrust(chain);54}55};5657/**58* Checks if the end-entity certificate is distrusted.59*60* @param variant the type of certificate being checked61* @param chain the end-entity's certificate chain. The end entity cert62* is at index 0, the trust anchor at index n-1.63* @throws ValidatorException if the end-entity certificate is distrusted64*/65abstract void checkDistrust(String variant,66X509Certificate[] chain)67throws ValidatorException;6869// The policies set in the jdk.security.caDistrustPolicies property.70static final EnumSet<CADistrustPolicy> POLICIES = parseProperty();71private static EnumSet<CADistrustPolicy> parseProperty() {72@SuppressWarnings("removal")73String property = AccessController.doPrivileged(74new PrivilegedAction<>() {75@Override76public String run() {77return Security.getProperty(78"jdk.security.caDistrustPolicies");79}80});81EnumSet<CADistrustPolicy> set = EnumSet.noneOf(CADistrustPolicy.class);82// if property is null or empty, the restrictions are not enforced83if (property == null || property.isEmpty()) {84return set;85}86String[] policies = property.split(",");87for (String policy : policies) {88policy = policy.trim();89try {90CADistrustPolicy caPolicy =91Enum.valueOf(CADistrustPolicy.class, policy);92set.add(caPolicy);93} catch (IllegalArgumentException iae) {94// ignore unknown values but log it95Debug debug = Debug.getInstance("certpath");96if (debug != null) {97debug.println("Unknown value for the " +98"jdk.security.caDistrustPolicies property: "99+ policy);100}101}102}103return set;104}105}106107108