SSLSocketImpl(SSLContextImpl context, boolean serverMode, CipherSuiteList suites, byte clientAuth, boolean sessionCreation, ProtocolList protocols, String identificationProtocol, AlgorithmConstraints algorithmConstraints, Collection<SNIMatcher> sniMatchers, boolean preferLocalCipherSuites) throws IOException { super(); doClientAuth = clientAuth; enableSessionCreation = sessionCreation; this.identificationProtocol = identificationProtocol; this.algorithmConstraints = algorithmConstraints; this.sniMatchers = sniMatchers; this.preferLocalCipherSuites = preferLocalCipherSuites; init(context, serverMode); /* * Override what was picked out for us. */ enabledCipherSuites = suites; enabledProtocols = protocols; }
static Collection<SignatureAndHashAlgorithm> getSupportedAlgorithms(AlgorithmConstraints constraints) { Collection<SignatureAndHashAlgorithm> supported = new ArrayList<>(); synchronized (priorityMap) { for (SignatureAndHashAlgorithm sigAlg : priorityMap.values()) { if (sigAlg.priority <= SUPPORTED_ALG_PRIORITY_MAX_NUM && constraints.permits(SIGNATURE_PRIMITIVE_SET, sigAlg.algorithm, null)) { supported.add(sigAlg); } } } return supported; }
/** * Create a new <code>AlgorithmChecker</code> with the * given <code>TrustAnchor</code> and <code>AlgorithmConstraints</code>. * * @param anchor the trust anchor selected to validate the target * certificate * @param constraints the algorithm constraints (or null) * * @throws IllegalArgumentException if the <code>anchor</code> is null */ public AlgorithmChecker(TrustAnchor anchor, AlgorithmConstraints constraints) { if (anchor == null) { throw new IllegalArgumentException( "The trust anchor cannot be null"); } if (anchor.getTrustedCert() != null) { this.trustedPubKey = anchor.getTrustedCert().getPublicKey(); } else { this.trustedPubKey = anchor.getCAPublicKey(); } this.prevPubKey = trustedPubKey; this.constraints = constraints; }
static SupportedEllipticCurvesExtension createExtension( AlgorithmConstraints constraints) { ArrayList<Integer> idList = new ArrayList<>(supportedCurveIds.length); for (int curveId : supportedCurveIds) { if (constraints.permits( EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), "EC", idToParams.get(curveId))) { idList.add(curveId); } } if (!idList.isEmpty()) { int[] ids = new int[idList.size()]; int i = 0; for (Integer id : idList) { ids[i++] = id; } return new SupportedEllipticCurvesExtension(ids); } return null; }
/** * Create a new <code>AlgorithmChecker</code> with the * given <code>TrustAnchor</code> and <code>AlgorithmConstraints</code>. * * @param anchor the trust anchor selected to validate the target * certificate * @param constraints the algorithm constraints (or null) * * @throws IllegalArgumentException if the <code>anchor</code> is null */ public AlgorithmChecker(TrustAnchor anchor, AlgorithmConstraints constraints) { if (anchor == null) { throw new IllegalArgumentException( "The trust anchor cannot be null"); } if (anchor.getTrustedCert() != null) { this.trustedPubKey = anchor.getTrustedCert().getPublicKey(); // Check for anchor certificate restrictions trustedMatch = checkFingerprint(anchor.getTrustedCert()); if (trustedMatch && debug != null) { debug.println("trustedMatch = true"); } } else { this.trustedPubKey = anchor.getCAPublicKey(); } this.prevPubKey = trustedPubKey; this.constraints = constraints; }
/** * Validate the given certificate chain. * * @param chain the target certificate chain * @param otherCerts a Collection of additional X509Certificates that * could be helpful for path building (or null) * @param responseList a List of zero or more byte arrays, each * one being a DER-encoded OCSP response (per RFC 6960). Entries * in the List must match the order of the certificates in the * chain parameter. It is possible that fewer responses may be * in the list than are elements in {@code chain} and a missing * response for a matching element in {@code chain} can be * represented with a zero-length byte array. * @param constraints algorithm constraints for certification path * processing * @param parameter an additional parameter object to pass specific data. * This parameter object maybe one of the two below: * 1) TLS_SERVER variant validators, where it must be non null and * the name of the TLS key exchange algorithm being used * (see JSSE X509TrustManager specification). * 2) {@code Timestamp} object from a signed JAR file. * @return a non-empty chain that was used to validate the path. The * end entity cert is at index 0, the trust anchor at index n-1. */ public final X509Certificate[] validate(X509Certificate[] chain, Collection<X509Certificate> otherCerts, List<byte[]> responseList, AlgorithmConstraints constraints, Object parameter) throws CertificateException { chain = engineValidate(chain, otherCerts, responseList, constraints, parameter); // omit EE extension check if EE cert is also trust anchor if (chain.length > 1) { // EndEntityChecker does not need to check unresolved critical // extensions when validating with a TYPE_PKIX Validator. // A TYPE_PKIX Validator will already have run checks on all // certs' extensions, including checks by any PKIXCertPathCheckers // included in the PKIXParameters, so the extra checks would be // redundant. boolean checkUnresolvedCritExts = (type == TYPE_PKIX) ? false : true; endEntityChecker.check(chain[0], parameter, checkUnresolvedCritExts); } return chain; }
SSLSocketImpl(SSLContextImpl context, boolean serverMode, CipherSuiteList suites, ClientAuthType clientAuth, boolean sessionCreation, ProtocolList protocols, String identificationProtocol, AlgorithmConstraints algorithmConstraints, Collection<SNIMatcher> sniMatchers, boolean preferLocalCipherSuites, String[] applicationProtocols) throws IOException { super(); doClientAuth = clientAuth; enableSessionCreation = sessionCreation; this.identificationProtocol = identificationProtocol; this.algorithmConstraints = algorithmConstraints; this.sniMatchers = sniMatchers; this.preferLocalCipherSuites = preferLocalCipherSuites; this.applicationProtocols = applicationProtocols; init(context, serverMode); /* * Override what was picked out for us. */ enabledCipherSuites = suites; enabledProtocols = protocols; }
NamedGroup getPreferredGroup( AlgorithmConstraints constraints, NamedGroupType type) { for (int groupId : requestedNamedGroupIds) { NamedGroup namedGroup = NamedGroup.valueOf(groupId); if ((namedGroup != null) && (namedGroup.type == type) && SupportedGroupsExtension.supports(namedGroup) && constraints.permits(EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), namedGroup.algorithm, namedGroupParams.get(namedGroup))) { return namedGroup; } } return null; }
/** * Validate the given certificate chain. * * @param chain the target certificate chain * @param otherCerts a Collection of additional X509Certificates that * could be helpful for path building (or null) * @param responseList a List of zero or more byte arrays, each * one being a DER-encoded OCSP response (per RFC 6960). Entries * in the List must match the order of the certificates in the * chain parameter. It is possible that fewer responses may be * in the list than are elements in {@code chain} and a missing * response for a matching element in {@code chain} can be * represented with a zero-length byte array. * @param constraints algorithm constraints for certification path * processing * @param parameter an additional parameter with variant specific meaning. * Currently, it is only defined for TLS_SERVER variant validators, * where it must be non null and the name of the TLS key exchange * algorithm being used (see JSSE X509TrustManager specification). * In the future, it could be used to pass in a PKCS#7 object for * code signing to check time stamps. * @return a non-empty chain that was used to validate the path. The * end entity cert is at index 0, the trust anchor at index n-1. */ public final X509Certificate[] validate(X509Certificate[] chain, Collection<X509Certificate> otherCerts, List<byte[]> responseList, AlgorithmConstraints constraints, Object parameter) throws CertificateException { chain = engineValidate(chain, otherCerts, responseList, constraints, parameter); // omit EE extension check if EE cert is also trust anchor if (chain.length > 1) { // EndEntityChecker does not need to check unresolved critical // extensions when validating with a TYPE_PKIX Validator. // A TYPE_PKIX Validator will already have run checks on all // certs' extensions, including checks by any PKIXCertPathCheckers // included in the PKIXParameters, so the extra checks would be // redundant. boolean checkUnresolvedCritExts = (type == TYPE_PKIX) ? false : true; endEntityChecker.check(chain[0], parameter, checkUnresolvedCritExts); } return chain; }
SSLSocketImpl(SSLContextImpl context, boolean serverMode, CipherSuiteList suites, ClientAuthType clientAuth, boolean sessionCreation, ProtocolList protocols, String identificationProtocol, AlgorithmConstraints algorithmConstraints, Collection<SNIMatcher> sniMatchers, boolean preferLocalCipherSuites) throws IOException { super(); doClientAuth = clientAuth; enableSessionCreation = sessionCreation; this.identificationProtocol = identificationProtocol; this.algorithmConstraints = algorithmConstraints; this.sniMatchers = sniMatchers; this.preferLocalCipherSuites = preferLocalCipherSuites; init(context, serverMode); /* * Override what was picked out for us. */ enabledCipherSuites = suites; enabledProtocols = protocols; }
/** * Create a new {@code AlgorithmChecker} with the * given {@code TrustAnchor} and {@code AlgorithmConstraints}. * * @param anchor the trust anchor selected to validate the target * certificate * @param constraints the algorithm constraints (or null) * @param pkixdate Date the constraints are checked against. The value is * either the PKIXParameter date or null for the current date. * * @throws IllegalArgumentException if the {@code anchor} is null */ public AlgorithmChecker(TrustAnchor anchor, AlgorithmConstraints constraints, Date pkixdate) { if (anchor == null) { throw new IllegalArgumentException( "The trust anchor cannot be null"); } if (anchor.getTrustedCert() != null) { this.trustedPubKey = anchor.getTrustedCert().getPublicKey(); // Check for anchor certificate restrictions trustedMatch = checkFingerprint(anchor.getTrustedCert()); if (trustedMatch && debug != null) { debug.println("trustedMatch = true"); } } else { this.trustedPubKey = anchor.getCAPublicKey(); } this.prevPubKey = trustedPubKey; this.constraints = constraints; this.pkixdate = pkixdate; }
SSLSocketImpl(SSLContextImpl context, boolean serverMode, CipherSuiteList suites, byte clientAuth, boolean sessionCreation, ProtocolList protocols, String identificationProtocol, AlgorithmConstraints algorithmConstraints) throws IOException { super(); doClientAuth = clientAuth; enableSessionCreation = sessionCreation; this.identificationProtocol = identificationProtocol; this.algorithmConstraints = algorithmConstraints; init(context, serverMode); /* * Override what was picked out for us. */ enabledCipherSuites = suites; enabledProtocols = protocols; }
/** * Set the algorithm constraints. Called from the constructor or * SSLSocketImpl/SSLEngineImpl.setAlgorithmConstraints() (if the * handshake is not yet in progress). */ void setAlgorithmConstraints(AlgorithmConstraints algorithmConstraints) { activeCipherSuites = null; activeProtocols = null; this.algorithmConstraints = new SSLAlgorithmConstraints(algorithmConstraints); this.localSupportedSignAlgs = null; }
private static int getPreferredCurve(int[] curves, AlgorithmConstraints constraints) { for (int curveId : curves) { if (isSupported(curveId) && constraints.permits( EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), "EC", idToParams.get(curveId))) { return curveId; } } return -1; }
static Collection<SignatureAndHashAlgorithm> getSupportedAlgorithms(AlgorithmConstraints constraints) { Collection<SignatureAndHashAlgorithm> supported = new ArrayList<>(); for (SignatureAndHashAlgorithm sigAlg : priorityMap.values()) { if (sigAlg.priority <= SUPPORTED_ALG_PRIORITY_MAX_NUM && constraints.permits(SIGNATURE_PRIMITIVE_SET, sigAlg.algorithm, null)) { supported.add(sigAlg); } } return supported; }
