java.security.AlgorithmConstraints Java Examples

Example #1
Source File: EllipticCurvesExtension.java — from openjdk-jdk8u (GNU General Public License v2.0)
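/**
 * Builds the elliptic_curves extension listing every locally supported
 * curve that the given constraints permit for key agreement.
 *
 * @param constraints the algorithm constraints to filter the curves with;
 *     {@code permits} is invoked on it for each curve, so it must not be
 *     null
 * @return the extension holding the permitted curve ids in
 *     {@code supportedCurveIds} order, or null when no curve is permitted
 */
static EllipticCurvesExtension createExtension(
            AlgorithmConstraints constraints) {

    // The primitive set is the same for every curve, so build it once
    // instead of allocating a fresh EnumSet on every iteration.
    EnumSet<CryptoPrimitive> keyAgreement =
            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT);

    ArrayList<Integer> idList = new ArrayList<>(supportedCurveIds.length);
    for (int curveId : supportedCurveIds) {
        // A curve whose parameters the constraints reject is simply not
        // advertised to the peer.
        if (constraints.permits(keyAgreement, "EC",
                idToParams.get(curveId))) {
            idList.add(curveId);
        }
    }

    if (idList.isEmpty()) {
        // Nothing permitted: no extension is produced.
        return null;
    }

    int[] ids = new int[idList.size()];
    for (int i = 0; i < ids.length; i++) {
        ids[i] = idList.get(i);   // unboxes the Integer
    }

    return new EllipticCurvesExtension(ids);
}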
 
Example #2
Source File: SSLAlgorithmConstraints.java — from openjsse (GNU General Public License v2.0)
/**
 * Returns the algorithm constraints the application configured on the
 * given engine.
 *
 * For this provider's own {@code SSLEngineImpl} the value is read from the
 * active handshake context's configuration; for any other
 * {@code SSLEngine} implementation, or when no handshake context exists,
 * it is read from the engine's {@code SSLParameters}.
 *
 * @param engine the engine to query, may be null
 * @return the user-specified constraints, or null when {@code engine} is
 *     null (the SSLParameters path may itself yield null)
 */
private static AlgorithmConstraints getUserSpecifiedConstraints(
        SSLEngine engine) {
    if (engine == null) {
        return null;
    }

    // The KeyManager/TrustManager may belong to a different provider than
    // the SSLEngine, so never cast blindly: only this provider's engine
    // carries a handshake context we can read.
    if (engine instanceof SSLEngineImpl) {
        HandshakeContext hc =
                ((SSLEngineImpl) engine).conContext.handshakeContext;
        if (hc != null) {
            return hc.sslConfig.userSpecifiedAlgorithmConstraints;
        }
    }

    // Foreign engine, or no handshake in progress: use the public API view
    // of the constraints instead.
    return engine.getSSLParameters().getAlgorithmConstraints();
}
 
Example #3
Source File: SignatureAndHashAlgorithm.java — from jdk8u60 (GNU General Public License v2.0)
/**
 * Collects every entry of {@code priorityMap} whose priority does not
 * exceed {@code SUPPORTED_ALG_PRIORITY_MAX_NUM} and whose algorithm the
 * constraints permit for {@code SIGNATURE_PRIMITIVE_SET} (no parameters
 * are passed to the check).
 *
 * @param constraints the constraints to consult; {@code permits} is
 *     invoked on it, so it must not be null
 * @return a new, mutable collection in {@code priorityMap} iteration
 *     order; empty when nothing qualifies
 */
static Collection<SignatureAndHashAlgorithm>
        getSupportedAlgorithms(AlgorithmConstraints constraints) {

    Collection<SignatureAndHashAlgorithm> result = new ArrayList<>();
    // Hold priorityMap's monitor for the whole walk so a concurrent update
    // cannot invalidate the iterator part-way through.
    synchronized (priorityMap) {
        for (SignatureAndHashAlgorithm candidate : priorityMap.values()) {
            if (candidate.priority > SUPPORTED_ALG_PRIORITY_MAX_NUM) {
                continue;
            }
            boolean permitted = constraints.permits(
                    SIGNATURE_PRIMITIVE_SET, candidate.algorithm, null);
            if (permitted) {
                result.add(candidate);
            }
        }
    }

    return result;
}
 
Example #4
Source File: SupportedGroupsExtension.java — from openjsse (GNU General Public License v2.0)
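/**
 * Picks the first locally supported named group (in
 * {@code supportedNamedGroups} preference order) of the requested type
 * that is available for the negotiated protocol and that the constraints
 * permit for key agreement.
 *
 * @param negotiatedProtocol the protocol version the group must be
 *     available for
 * @param constraints the algorithm constraints to honour (must not be null)
 * @param type the group type the search is restricted to
 * @return the preferred permitted group, or null when none qualifies
 */
static NamedGroup getPreferredGroup(
        ProtocolVersion negotiatedProtocol,
        AlgorithmConstraints constraints, NamedGroupType type) {
    // Same primitive set for every candidate; build it once rather than
    // on every iteration.
    EnumSet<CryptoPrimitive> keyAgreement =
            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT);

    for (NamedGroup namedGroup : supportedNamedGroups) {
        // Cheap local checks first; the constraints lookup only runs for
        // groups of the right type that the protocol can use.
        if (namedGroup.type != type
                || !namedGroup.isAvailable(negotiatedProtocol)) {
            continue;
        }
        if (constraints.permits(keyAgreement, namedGroup.algorithm,
                namedGroupParams.get(namedGroup))) {
            return namedGroup;
        }
    }

    return null;
}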
 
Example #5
Source File: SupportedGroupsExtension.java — from openjsse (GNU General Public License v2.0)
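/**
 * Picks the first group from the peer's requested list that has the
 * requested type, is available for the negotiated protocol, is supported
 * locally and is permitted for key agreement by the constraints.
 *
 * Iteration follows {@code requestedNamedGroups}, i.e. the peer's
 * preference order; the constraints check is the last filter applied.
 *
 * @param negotiatedProtocol the protocol version the group must be
 *     available for
 * @param constraints the algorithm constraints to honour (must not be null)
 * @param type the group type the search is restricted to
 * @param requestedNamedGroups the candidate groups, in preference order
 *     (must not be null)
 * @return the first qualifying group, or null when none qualifies
 */
static NamedGroup getPreferredGroup(
        ProtocolVersion negotiatedProtocol,
        AlgorithmConstraints constraints, NamedGroupType type,
        List<NamedGroup> requestedNamedGroups) {
    // Same primitive set for every candidate; build it once rather than
    // on every iteration.
    EnumSet<CryptoPrimitive> keyAgreement =
            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT);

    for (NamedGroup namedGroup : requestedNamedGroups) {
        if (namedGroup.type != type
                || !namedGroup.isAvailable(negotiatedProtocol)
                || !isSupported(namedGroup)) {
            continue;
        }
        if (constraints.permits(keyAgreement, namedGroup.algorithm,
                namedGroupParams.get(namedGroup))) {
            return namedGroup;
        }
    }

    return null;
}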
 
Example #6
Source File: SupportedEllipticCurvesExtension.java — from jdk8u-jdk (GNU General Public License v2.0)
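/**
 * Builds the supported-curves extension listing every locally supported
 * curve that the given constraints permit for key agreement.
 *
 * @param constraints the algorithm constraints to filter the curves with;
 *     {@code permits} is invoked on it for each curve, so it must not be
 *     null
 * @return the extension holding the permitted curve ids in
 *     {@code supportedCurveIds} order, or null when no curve is permitted
 */
static SupportedEllipticCurvesExtension createExtension(
            AlgorithmConstraints constraints) {

    // The primitive set is the same for every curve, so build it once
    // instead of allocating a fresh EnumSet on every iteration.
    EnumSet<CryptoPrimitive> keyAgreement =
            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT);

    ArrayList<Integer> idList = new ArrayList<>(supportedCurveIds.length);
    for (int curveId : supportedCurveIds) {
        // A curve whose parameters the constraints reject is simply not
        // advertised to the peer.
        if (constraints.permits(keyAgreement, "EC",
                idToParams.get(curveId))) {
            idList.add(curveId);
        }
    }

    if (idList.isEmpty()) {
        // Nothing permitted: no extension is produced.
        return null;
    }

    int[] ids = new int[idList.size()];
    for (int i = 0; i < ids.length; i++) {
        ids[i] = idList.get(i);   // unboxes the Integer
    }

    return new SupportedEllipticCurvesExtension(ids);
}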
 
Example #7
Source File: SSLSocketImpl.java — from jdk8u60 (GNU General Public License v2.0)
/**
 * Creates a socket backed by the given context. {@code init} supplies the
 * context's defaults; the cipher suite and protocol lists passed here are
 * then applied on top of whatever {@code init} selected.
 *
 * @param context the context handed to {@code init}
 * @param serverMode whether the socket acts as the server side
 * @param suites the enabled cipher suites, replacing the defaults
 * @param clientAuth the client authentication mode to record
 * @param sessionCreation whether new sessions may be created
 * @param protocols the enabled protocols, replacing the defaults
 * @param identificationProtocol the endpoint identification algorithm
 * @param algorithmConstraints the algorithm constraints to record
 * @param sniMatchers the SNI matchers to record
 * @param preferLocalCipherSuites whether the local suite order wins
 * @throws IOException if construction fails
 */
SSLSocketImpl(SSLContextImpl context, boolean serverMode,
        CipherSuiteList suites, byte clientAuth,
        boolean sessionCreation, ProtocolList protocols,
        String identificationProtocol,
        AlgorithmConstraints algorithmConstraints,
        Collection<SNIMatcher> sniMatchers,
        boolean preferLocalCipherSuites) throws IOException {

    // Per-socket configuration is recorded before init() runs, keeping the
    // original ordering in case init() reads any of it.
    this.doClientAuth = clientAuth;
    this.enableSessionCreation = sessionCreation;
    this.identificationProtocol = identificationProtocol;
    this.algorithmConstraints = algorithmConstraints;
    this.sniMatchers = sniMatchers;
    this.preferLocalCipherSuites = preferLocalCipherSuites;

    init(context, serverMode);

    // Whatever init() picked out for us is overridden by the caller's
    // explicit suite and protocol lists.
    this.enabledCipherSuites = suites;
    this.enabledProtocols = protocols;
}
 
Example #8
Source File: AlgorithmChecker.java — from jdk8u-jdk (GNU General Public License v2.0)
/**
 * Create a new <code>AlgorithmChecker</code> with the
 * given <code>TrustAnchor</code> and <code>AlgorithmConstraints</code>.
 *
 * The anchor's public key is taken from its certificate when it has one
 * (in which case the anchor certificate is also matched against the
 * fingerprint restrictions), otherwise from the anchor's CA public key.
 * That key seeds <code>prevPubKey</code>, the key the first certificate
 * in the path is checked against.
 *
 * @param anchor the trust anchor selected to validate the target
 *     certificate
 * @param constraints the algorithm constraints (or null)
 *
 * @throws IllegalArgumentException if the <code>anchor</code> is null
 */
public AlgorithmChecker(TrustAnchor anchor,
        AlgorithmConstraints constraints) {

    if (anchor == null) {
        throw new IllegalArgumentException(
                    "The trust anchor cannot be null");
    }

    X509Certificate anchorCert = anchor.getTrustedCert();
    if (anchorCert == null) {
        this.trustedPubKey = anchor.getCAPublicKey();
    } else {
        this.trustedPubKey = anchorCert.getPublicKey();
        // Check for anchor certificate restrictions
        trustedMatch = checkFingerprint(anchorCert);
        if (trustedMatch && debug != null) {
            debug.println("trustedMatch = true");
        }
    }

    this.prevPubKey = trustedPubKey;
    this.constraints = constraints;
}
 
Example #9
Source File: AlgorithmChecker.java — from jdk8u60 (GNU General Public License v2.0)
/**
 * Create a new <code>AlgorithmChecker</code> with the
 * given <code>TrustAnchor</code> and <code>AlgorithmConstraints</code>.
 *
 * The anchor's public key is taken from its certificate when it has one,
 * otherwise from the anchor's CA public key. That key seeds
 * <code>prevPubKey</code>, the key the first certificate in the path is
 * checked against.
 *
 * @param anchor the trust anchor selected to validate the target
 *     certificate
 * @param constraints the algorithm constraints (or null)
 *
 * @throws IllegalArgumentException if the <code>anchor</code> is null
 */
public AlgorithmChecker(TrustAnchor anchor,
        AlgorithmConstraints constraints) {

    if (anchor == null) {
        throw new IllegalArgumentException(
                    "The trust anchor cannot be null");
    }

    X509Certificate anchorCert = anchor.getTrustedCert();
    this.trustedPubKey = (anchorCert == null)
            ? anchor.getCAPublicKey()
            : anchorCert.getPublicKey();

    this.prevPubKey = trustedPubKey;
    this.constraints = constraints;
}
 
Example #10
Source File: SSLAlgorithmConstraints.java — from openjsse (GNU General Public License v2.0)
/**
 * Returns the algorithm constraints the application configured on the
 * given socket.
 *
 * For this provider's own {@code SSLSocketImpl} the value is read from the
 * active handshake context's configuration; for any other
 * {@code SSLSocket} implementation, or when no handshake context exists,
 * it is read from the socket's {@code SSLParameters}.
 *
 * @param socket the socket to query, may be null
 * @return the user-specified constraints, or null when {@code socket} is
 *     null (the SSLParameters path may itself yield null)
 */
private static AlgorithmConstraints getUserSpecifiedConstraints(
        SSLSocket socket) {
    if (socket == null) {
        return null;
    }

    // The KeyManager/TrustManager may belong to a different provider than
    // the SSLSocket, so never cast blindly: only this provider's socket
    // carries a handshake context we can read.
    if (socket instanceof SSLSocketImpl) {
        HandshakeContext hc =
                ((SSLSocketImpl) socket).conContext.handshakeContext;
        if (hc != null) {
            return hc.sslConfig.userSpecifiedAlgorithmConstraints;
        }
    }

    // Foreign socket, or no handshake in progress: use the public API view
    // of the constraints instead.
    return socket.getSSLParameters().getAlgorithmConstraints();
}
 
Example #11
Source File: EllipticCurvesExtension.java — from openjdk-jdk9 (GNU General Public License v2.0)
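/**
 * Builds the elliptic_curves extension listing every locally supported
 * curve that the given constraints permit for key agreement.
 *
 * @param constraints the algorithm constraints to filter the curves with;
 *     {@code permits} is invoked on it for each curve, so it must not be
 *     null
 * @return the extension holding the permitted curve ids in
 *     {@code supportedCurveIds} order, or null when no curve is permitted
 */
static EllipticCurvesExtension createExtension(
            AlgorithmConstraints constraints) {

    // The primitive set is the same for every curve, so build it once
    // instead of allocating a fresh EnumSet on every iteration.
    EnumSet<CryptoPrimitive> keyAgreement =
            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT);

    ArrayList<Integer> idList = new ArrayList<>(supportedCurveIds.length);
    for (int curveId : supportedCurveIds) {
        // A curve whose parameters the constraints reject is simply not
        // advertised to the peer.
        if (constraints.permits(keyAgreement, "EC",
                idToParams.get(curveId))) {
            idList.add(curveId);
        }
    }

    if (idList.isEmpty()) {
        // Nothing permitted: no extension is produced.
        return null;
    }

    int[] ids = new int[idList.size()];
    for (int i = 0; i < ids.length; i++) {
        ids[i] = idList.get(i);   // unboxes the Integer
    }

    return new EllipticCurvesExtension(ids);
}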
 
Example #12
Source File: Validator.java — from TencentKona-8 (GNU General Public License v2.0)
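/**
 * Validate the given certificate chain.
 *
 * @param chain the target certificate chain
 * @param otherCerts a Collection of additional X509Certificates that
 *        could be helpful for path building (or null)
 * @param constraints algorithm constraints for certification path
 *        processing
 * @param parameter an additional parameter with variant specific meaning.
 *        Currently, it is only defined for TLS_SERVER variant validators,
 *        where it must be non null and the name of the TLS key exchange
 *        algorithm being used (see JSSE X509TrustManager specification).
 *        In the future, it could be used to pass in a PKCS#7 object for
 *        code signing to check time stamps.
 * @return a non-empty chain that was used to validate the path. The
 *        end entity cert is at index 0, the trust anchor at index n-1.
 * @throws CertificateException if path validation or the end-entity
 *        checks fail
 */
public final X509Certificate[] validate(X509Certificate[] chain,
            Collection<X509Certificate> otherCerts,
            AlgorithmConstraints constraints,
            Object parameter) throws CertificateException {
    // Work on the path engineValidate returns, not on the caller's array.
    chain = engineValidate(chain, otherCerts, constraints, parameter);

    // omit EE extension check if EE cert is also trust anchor
    if (chain.length > 1) {
        // EndEntityChecker does not need to check unresolved critical
        // extensions when validating with a TYPE_PKIX Validator.
        // A TYPE_PKIX Validator will already have run checks on all
        // certs' extensions, including checks by any PKIXCertPathCheckers
        // included in the PKIXParameters, so the extra checks would be
        // redundant.
        boolean checkUnresolvedCritExts = (type != TYPE_PKIX);
        endEntityChecker.check(chain, parameter,
                               checkUnresolvedCritExts);
    }

    return chain;
}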
 
Example #13
Source File: ECDHClientKeyExchange.java — from openjsse (GNU General Public License v2.0)
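/**
 * Decodes the peer's ECDH public point on the curve of the local key and
 * fails the handshake if the resulting key is not permitted for key
 * agreement by the constraints.
 *
 * @param constraints the algorithm constraints to enforce (must not be
 *     null)
 * @param publicKey the local EC key whose domain parameters the peer's
 *     point is interpreted on
 * @param encodedPoint the encoded point received from the peer
 * @throws SSLHandshakeException if the point cannot be decoded into a
 *     key, or if the resulting key does not comply with the constraints
 */
static void checkConstraints(AlgorithmConstraints constraints,
        ECPublicKey publicKey,
        byte[] encodedPoint) throws SSLHandshakeException {

    ECPublicKey peerPublicKey;
    try {
        ECParameterSpec params = publicKey.getParams();
        ECPoint point =
                JsseJce.decodePoint(encodedPoint, params.getCurve());
        ECPublicKeySpec spec = new ECPublicKeySpec(point, params);

        KeyFactory kf = JsseJce.getKeyFactory("EC");
        peerPublicKey = (ECPublicKey) kf.generatePublic(spec);
    } catch (GeneralSecurityException | java.io.IOException e) {
        // Older JDKs have no SSLHandshakeException(message, cause)
        // constructor, hence initCause().
        throw (SSLHandshakeException) new SSLHandshakeException(
                "Could not generate ECPublicKey").initCause(e);
    }

    // The constraints check deliberately sits outside the try block:
    // SSLHandshakeException is an IOException, so an exception thrown here
    // from inside the try would be caught by the catch above and re-thrown
    // under the misleading "Could not generate ECPublicKey" message. The
    // handshake fails either way; only the diagnostic is affected.
    if (!constraints.permits(
            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
            peerPublicKey)) {
        throw new SSLHandshakeException(
            "ECPublicKey does not comply to algorithm constraints");
    }
}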
 
Example #14
Source File: Validator.java — from dragonwell8_jdk (GNU General Public License v2.0)
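/**
 * Validate the given certificate chain.
 *
 * @param chain the target certificate chain
 * @param otherCerts a Collection of additional X509Certificates that
 *        could be helpful for path building (or null)
 * @param constraints algorithm constraints for certification path
 *        processing
 * @param parameter an additional parameter with variant specific meaning.
 *        Currently, it is only defined for TLS_SERVER variant validators,
 *        where it must be non null and the name of the TLS key exchange
 *        algorithm being used (see JSSE X509TrustManager specification).
 *        In the future, it could be used to pass in a PKCS#7 object for
 *        code signing to check time stamps.
 * @return a non-empty chain that was used to validate the path. The
 *        end entity cert is at index 0, the trust anchor at index n-1.
 * @throws CertificateException if path validation or the end-entity
 *        checks fail
 */
public final X509Certificate[] validate(X509Certificate[] chain,
            Collection<X509Certificate> otherCerts,
            AlgorithmConstraints constraints,
            Object parameter) throws CertificateException {
    // Work on the path engineValidate returns, not on the caller's array.
    chain = engineValidate(chain, otherCerts, constraints, parameter);

    // omit EE extension check if EE cert is also trust anchor
    if (chain.length > 1) {
        // EndEntityChecker does not need to check unresolved critical
        // extensions when validating with a TYPE_PKIX Validator.
        // A TYPE_PKIX Validator will already have run checks on all
        // certs' extensions, including checks by any PKIXCertPathCheckers
        // included in the PKIXParameters, so the extra checks would be
        // redundant.
        boolean checkUnresolvedCritExts = (type != TYPE_PKIX);
        endEntityChecker.check(chain, parameter,
                               checkUnresolvedCritExts);
    }

    return chain;
}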
 
Example #15
Source File: SSLAlgorithmConstraints.java — from Bytecoder (Apache License 2.0)
/**
 * Returns the algorithm constraints in effect for the given socket.
 *
 * NOTE(review): the two branches are not symmetric. A foreign
 * {@code SSLSocket} yields {@code socket.getSSLParameters()}'s
 * constraints, while this provider's {@code SSLSocketImpl} yields the
 * handshake context's constraints and returns null when that context is
 * absent, with no fallback to the SSLParameters view. Confirm that a
 * null handshake context cannot occur for the callers of this method, as
 * a null result here would leave those callers without the socket-level
 * constraints.
 *
 * @param socket the socket to query, may be null
 * @return the constraints, or null when {@code socket} is null or is an
 *     {@code SSLSocketImpl} without a handshake context
 */
private static AlgorithmConstraints getConstraints(SSLSocket socket) {
    if (socket == null) {
        return null;
    }

    // The KeyManager/TrustManager may belong to a different provider than
    // the SSLSocket, so check the instance before casting to SSLSocketImpl.
    if (!(socket instanceof SSLSocketImpl)) {
        return socket.getSSLParameters().getAlgorithmConstraints();
    }

    HandshakeContext hc =
            ((SSLSocketImpl) socket).conContext.handshakeContext;
    return (hc == null) ? null : hc.sslConfig.algorithmConstraints;
}
 
Example #16
Source File: SSLSocketImpl.java — from dragonwell8_jdk (GNU General Public License v2.0)
/**
 * Creates a socket backed by the given context. {@code init} supplies the
 * context's defaults; the cipher suite and protocol lists passed here are
 * then applied on top of whatever {@code init} selected.
 *
 * @param context the context handed to {@code init}
 * @param serverMode whether the socket acts as the server side
 * @param suites the enabled cipher suites, replacing the defaults
 * @param clientAuth the client authentication mode to record
 * @param sessionCreation whether new sessions may be created
 * @param protocols the enabled protocols, replacing the defaults
 * @param identificationProtocol the endpoint identification algorithm
 * @param algorithmConstraints the algorithm constraints to record
 * @param sniMatchers the SNI matchers to record
 * @param preferLocalCipherSuites whether the local suite order wins
 * @throws IOException if construction fails
 */
SSLSocketImpl(SSLContextImpl context, boolean serverMode,
        CipherSuiteList suites, byte clientAuth,
        boolean sessionCreation, ProtocolList protocols,
        String identificationProtocol,
        AlgorithmConstraints algorithmConstraints,
        Collection<SNIMatcher> sniMatchers,
        boolean preferLocalCipherSuites) throws IOException {

    // Per-socket configuration is recorded before init() runs, keeping the
    // original ordering in case init() reads any of it.
    this.doClientAuth = clientAuth;
    this.enableSessionCreation = sessionCreation;
    this.identificationProtocol = identificationProtocol;
    this.algorithmConstraints = algorithmConstraints;
    this.sniMatchers = sniMatchers;
    this.preferLocalCipherSuites = preferLocalCipherSuites;

    init(context, serverMode);

    // Whatever init() picked out for us is overridden by the caller's
    // explicit suite and protocol lists.
    this.enabledCipherSuites = suites;
    this.enabledProtocols = protocols;
}
 
Example #17
Source File: X509KeyManagerImpl.java — from Bytecoder (Apache License 2.0)
/**
 * Builds the {@code SSLAlgorithmConstraints} to use when selecting a key
 * for the given engine.
 *
 * When the engine has a handshake session whose protocol is TLS 1.2 or
 * later, the peer's supported signature algorithms (available only on an
 * {@code ExtendedSSLSession}) are folded into the constraints so the
 * chosen key is one the peer can actually verify. In every other case a
 * plain engine-scoped constraints object is returned. The trailing
 * {@code true} argument is passed unchanged on both paths; its meaning is
 * defined by the {@code SSLAlgorithmConstraints} constructors, not here.
 *
 * @param engine the engine being keyed, may be null
 * @return a new constraints object; never null
 */
private AlgorithmConstraints getAlgorithmConstraints(SSLEngine engine) {
    SSLSession session = (engine == null) ? null : engine.getHandshakeSession();

    if (session == null
            || !ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) {
        return new SSLAlgorithmConstraints(engine, true);
    }

    // Only an ExtendedSSLSession exposes what the peer can verify; a
    // plain session leaves the list null.
    String[] peerSupportedSignAlgs = null;
    if (session instanceof ExtendedSSLSession) {
        peerSupportedSignAlgs = ((ExtendedSSLSession) session)
                .getPeerSupportedSignatureAlgorithms();
    }

    return new SSLAlgorithmConstraints(engine, peerSupportedSignAlgs, true);
}
 
Example #18
Source File: Validator.java — from openjdk-jdk9 (GNU General Public License v2.0)
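/**
 * Validate the given certificate chain.
 *
 * @param chain the target certificate chain
 * @param otherCerts a Collection of additional X509Certificates that
 *        could be helpful for path building (or null)
 * @param responseList a List of zero or more byte arrays, each
 *        one being a DER-encoded OCSP response (per RFC 6960).  Entries
 *        in the List must match the order of the certificates in the
 *        chain parameter.  It is possible that fewer responses may be
 *        in the list than are elements in {@code chain} and a missing
 *        response for a matching element in {@code chain} can be
 *        represented with a zero-length byte array.
 * @param constraints algorithm constraints for certification path
 *        processing
 * @param parameter an additional parameter object to pass specific data.
 *        This parameter object maybe one of the two below:
 *        1) TLS_SERVER variant validators, where it must be non null and
 *        the name of the TLS key exchange algorithm being used
 *        (see JSSE X509TrustManager specification).
 *        2) {@code Timestamp} object from a signed JAR file.
 * @return a non-empty chain that was used to validate the path. The
 *        end entity cert is at index 0, the trust anchor at index n-1.
 * @throws CertificateException if path validation or the end-entity
 *        checks fail
 */
public final X509Certificate[] validate(X509Certificate[] chain,
            Collection<X509Certificate> otherCerts,
            List<byte[]> responseList,
            AlgorithmConstraints constraints,
            Object parameter) throws CertificateException {
    // Work on the path engineValidate returns, not on the caller's array.
    chain = engineValidate(chain, otherCerts, responseList, constraints,
            parameter);

    // omit EE extension check if EE cert is also trust anchor
    if (chain.length > 1) {
        // EndEntityChecker does not need to check unresolved critical
        // extensions when validating with a TYPE_PKIX Validator.
        // A TYPE_PKIX Validator will already have run checks on all
        // certs' extensions, including checks by any PKIXCertPathCheckers
        // included in the PKIXParameters, so the extra checks would be
        // redundant.
        boolean checkUnresolvedCritExts = (type != TYPE_PKIX);
        // Only the end-entity certificate (index 0) is handed to the
        // checker in this version.
        endEntityChecker.check(chain[0], parameter,
                               checkUnresolvedCritExts);
    }

    return chain;
}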
 
Example #19
Source File: EllipticCurvesExtension.java — from dragonwell8_jdk (GNU General Public License v2.0)
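/**
 * Builds the elliptic_curves extension listing every locally supported
 * curve that the given constraints permit for key agreement.
 *
 * @param constraints the algorithm constraints to filter the curves with;
 *     {@code permits} is invoked on it for each curve, so it must not be
 *     null
 * @return the extension holding the permitted curve ids in
 *     {@code supportedCurveIds} order, or null when no curve is permitted
 */
static EllipticCurvesExtension createExtension(
            AlgorithmConstraints constraints) {

    // The primitive set is the same for every curve, so build it once
    // instead of allocating a fresh EnumSet on every iteration.
    EnumSet<CryptoPrimitive> keyAgreement =
            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT);

    ArrayList<Integer> idList = new ArrayList<>(supportedCurveIds.length);
    for (int curveId : supportedCurveIds) {
        // A curve whose parameters the constraints reject is simply not
        // advertised to the peer.
        if (constraints.permits(keyAgreement, "EC",
                idToParams.get(curveId))) {
            idList.add(curveId);
        }
    }

    if (idList.isEmpty()) {
        // Nothing permitted: no extension is produced.
        return null;
    }

    int[] ids = new int[idList.size()];
    for (int i = 0; i < ids.length; i++) {
        ids[i] = idList.get(i);   // unboxes the Integer
    }

    return new EllipticCurvesExtension(ids);
}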
 
Example #20
Source File: SSLSocketImpl.java — from TencentKona-8 (GNU General Public License v2.0)
/**
 * Creates a socket backed by the given context. {@code init} supplies the
 * context's defaults; the cipher suite and protocol lists passed here are
 * then applied on top of whatever {@code init} selected.
 *
 * @param context the context handed to {@code init}
 * @param serverMode whether the socket acts as the server side
 * @param suites the enabled cipher suites, replacing the defaults
 * @param clientAuth the client authentication mode to record
 * @param sessionCreation whether new sessions may be created
 * @param protocols the enabled protocols, replacing the defaults
 * @param identificationProtocol the endpoint identification algorithm
 * @param algorithmConstraints the algorithm constraints to record
 * @param sniMatchers the SNI matchers to record
 * @param preferLocalCipherSuites whether the local suite order wins
 * @throws IOException if construction fails
 */
SSLSocketImpl(SSLContextImpl context, boolean serverMode,
        CipherSuiteList suites, byte clientAuth,
        boolean sessionCreation, ProtocolList protocols,
        String identificationProtocol,
        AlgorithmConstraints algorithmConstraints,
        Collection<SNIMatcher> sniMatchers,
        boolean preferLocalCipherSuites) throws IOException {

    // Per-socket configuration is recorded before init() runs, keeping the
    // original ordering in case init() reads any of it.
    this.doClientAuth = clientAuth;
    this.enableSessionCreation = sessionCreation;
    this.identificationProtocol = identificationProtocol;
    this.algorithmConstraints = algorithmConstraints;
    this.sniMatchers = sniMatchers;
    this.preferLocalCipherSuites = preferLocalCipherSuites;

    init(context, serverMode);

    // Whatever init() picked out for us is overridden by the caller's
    // explicit suite and protocol lists.
    this.enabledCipherSuites = suites;
    this.enabledProtocols = protocols;
}
 
Example #21
Source File: X509KeyManagerImpl.java — from openjsse (GNU General Public License v2.0)
/**
 * Builds the {@code SSLAlgorithmConstraints} to use when selecting a key
 * for the given engine.
 *
 * When the engine has a handshake session whose protocol is TLS 1.2 or
 * later, the peer's supported signature algorithms (available only on an
 * {@code ExtendedSSLSession}) are folded into the constraints so the
 * chosen key is one the peer can actually verify. In every other case a
 * plain engine-scoped constraints object is returned. The engine is cast
 * to this provider's own {@code SSLEngine} type on both paths, exactly as
 * before; the trailing {@code true} is passed through unchanged.
 *
 * @param engine the engine being keyed, may be null
 * @return a new constraints object; never null
 */
private AlgorithmConstraints getAlgorithmConstraints(javax.net.ssl.SSLEngine engine) {
    SSLSession session = (engine == null) ? null : engine.getHandshakeSession();

    if (session == null
            || !ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) {
        return new SSLAlgorithmConstraints((org.openjsse.javax.net.ssl.SSLEngine)engine, true);
    }

    // Only an ExtendedSSLSession exposes what the peer can verify; a
    // plain session leaves the list null.
    String[] peerSupportedSignAlgs = null;
    if (session instanceof ExtendedSSLSession) {
        peerSupportedSignAlgs = ((ExtendedSSLSession) session)
                .getPeerSupportedSignatureAlgorithms();
    }

    return new SSLAlgorithmConstraints(
        (org.openjsse.javax.net.ssl.SSLEngine)engine, peerSupportedSignAlgs, true);
}
 
Example #22
Source File: SupportedGroupsExtension.java — from Bytecoder (Apache License 2.0)
/**
 * Picks the first group from the peer's requested list whose spec is one
 * of {@code types}, that is available for the negotiated protocol, is
 * supported locally and is permitted by the constraints.
 *
 * Iteration follows {@code requestedNamedGroups}, i.e. the peer's
 * preference order; the constraints check is the last filter applied.
 *
 * @param negotiatedProtocol the protocol version the group must be
 *     available for
 * @param constraints the algorithm constraints handed to
 *     {@code NamedGroup.isPermitted}
 * @param types the group specs the search is restricted to
 * @param requestedNamedGroups the candidate groups, in preference order
 *     (must not be null)
 * @return the first qualifying group, or null when none qualifies
 */
static NamedGroup getPreferredGroup(
        ProtocolVersion negotiatedProtocol,
        AlgorithmConstraints constraints, NamedGroupSpec[] types,
        List<NamedGroup> requestedNamedGroups) {
    for (NamedGroup candidate : requestedNamedGroups) {
        if (!NamedGroupSpec.arrayContains(types, candidate.spec)) {
            continue;
        }
        if (!candidate.isAvailable(negotiatedProtocol)) {
            continue;
        }
        if (!isSupported(candidate)) {
            continue;
        }
        if (candidate.isPermitted(constraints)) {
            return candidate;
        }
    }

    return null;
}
 
Example #23
Source File: SupportedGroupsExtension.java — from Bytecoder (Apache License 2.0)
/**
 * Picks the first locally supported group (in {@code supportedNamedGroups}
 * preference order) whose spec is one of {@code types}, that is available
 * for the negotiated protocol and that the constraints permit.
 *
 * @param negotiatedProtocol the protocol version the group must be
 *     available for
 * @param constraints the algorithm constraints handed to
 *     {@code NamedGroup.isPermitted}
 * @param types the group specs the search is restricted to
 * @return the preferred permitted group, or null when none qualifies
 */
static NamedGroup getPreferredGroup(
        ProtocolVersion negotiatedProtocol,
        AlgorithmConstraints constraints, NamedGroupSpec[] types) {
    for (NamedGroup candidate : supportedNamedGroups) {
        if (!NamedGroupSpec.arrayContains(types, candidate.spec)) {
            continue;
        }
        if (!candidate.isAvailable(negotiatedProtocol)) {
            continue;
        }
        if (candidate.isPermitted(constraints)) {
            return candidate;
        }
    }

    return null;
}
 
Example #24
Source File: EllipticCurvesExtension.java — from TencentKona-8 (GNU General Public License v2.0)
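/**
 * Returns the first curve id in {@code curves} (typically the peer's
 * preference order) that is both supported locally and permitted for key
 * agreement by the constraints.
 *
 * @param curves the candidate curve ids, in preference order (must not be
 *     null)
 * @param constraints the algorithm constraints to honour (must not be null)
 * @return the first qualifying curve id, or -1 when none qualifies
 */
private static int getPreferredCurve(int[] curves,
            AlgorithmConstraints constraints) {
    // Same primitive set for every candidate; build it once rather than
    // on every iteration.
    EnumSet<CryptoPrimitive> keyAgreement =
            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT);

    for (int curveId : curves) {
        // Cheap local check first; the constraints lookup only runs for
        // curves we support at all.
        if (!isSupported(curveId)) {
            continue;
        }
        if (constraints.permits(keyAgreement, "EC",
                idToParams.get(curveId))) {
            return curveId;
        }
    }

    return -1;
}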
 
Example #25
Source File: AlgorithmChecker.java — from openjdk-jdk8u-backup (GNU General Public License v2.0)
/**
 * Create a new {@code AlgorithmChecker} with the
 * given {@code TrustAnchor}, {@code AlgorithmConstraints},
 * {@code Timestamp}, and {@code String} variant.
 *
 * A null anchor is tolerated: the trusted key is then null and no
 * fingerprint match is attempted. A null {@code constraints} falls back
 * to {@code certPathDefaultConstraints}, so algorithm checking is never
 * silently disabled by omitting the argument.
 *
 * @param anchor the trust anchor selected to validate the target
 *     certificate
 * @param constraints the algorithm constraints (or null)
 * @param pkixdate The date specified by the PKIXParameters date.  If the
 *                 PKIXParameters is null, the current date is used.  This
 *                 should be null when jar files are being checked.
 * @param jarTimestamp Timestamp passed for JAR timestamp constraint
 *                     checking. Set to null if not applicable.
 * @param variant is the Validator variants of the operation. A null value
 *                passed will set it to Validator.GENERIC.
 */
public AlgorithmChecker(TrustAnchor anchor,
        AlgorithmConstraints constraints, Date pkixdate,
        Timestamp jarTimestamp, String variant) {

    if (anchor == null) {
        this.trustedPubKey = null;
        if (debug != null) {
            debug.println("TrustAnchor is null, trustedMatch is false.");
        }
    } else {
        X509Certificate anchorCert = anchor.getTrustedCert();
        if (anchorCert == null) {
            this.trustedPubKey = anchor.getCAPublicKey();
        } else {
            this.trustedPubKey = anchorCert.getPublicKey();
            // Check for anchor certificate restrictions
            trustedMatch = checkFingerprint(anchorCert);
            if (trustedMatch && debug != null) {
                debug.println("trustedMatch = true");
            }
        }
    }

    this.prevPubKey = this.trustedPubKey;

    if (constraints == null) {
        this.constraints = certPathDefaultConstraints;
    } else {
        this.constraints = constraints;
    }

    // If we are checking jar files, set pkixdate the same as the timestamp
    // for certificate checking
    if (jarTimestamp == null) {
        this.pkixdate = pkixdate;
    } else {
        this.pkixdate = jarTimestamp.getTimestamp();
    }
    this.jarTimestamp = jarTimestamp;

    if (variant == null) {
        this.variant = Validator.VAR_GENERIC;
    } else {
        this.variant = variant;
    }
}
 
Example #26
Source File: Handshaker.java — from jdk8u60 (GNU General Public License v2.0)
/**
 * Set the algorithm constraints. Called from the constructor or
 * SSLSocketImpl/SSLEngineImpl.setAlgorithmConstraints() (if the
 * handshake is not yet in progress).
 *
 * The caller's constraints are wrapped in an
 * {@code SSLAlgorithmConstraints}; the cached active suites, active
 * protocols and local signature algorithms are dropped so that they are
 * recomputed under the new constraints.
 *
 * @param algorithmConstraints the constraints to wrap and apply
 */
void setAlgorithmConstraints(AlgorithmConstraints algorithmConstraints) {
    // Invalidate the derived state first; it was computed under the old
    // constraints and must not survive the change.
    this.activeCipherSuites = null;
    this.activeProtocols = null;

    this.algorithmConstraints =
        new SSLAlgorithmConstraints(algorithmConstraints);

    this.localSupportedSignAlgs = null;
}
 
Example #27
Source File: X509KeyManagerImpl.java — from Bytecoder (Apache License 2.0)
/**
 * Builds the {@code SSLAlgorithmConstraints} to use when selecting a key
 * for the given socket.
 *
 * Only a connected {@code SSLSocket} contributes session information:
 * when its handshake session uses TLS 1.2 or later, the peer's supported
 * signature algorithms (available only on an {@code ExtendedSSLSession})
 * are folded into the constraints so the chosen key is one the peer can
 * actually verify. Otherwise a socket-scoped constraints object is
 * returned, built with a null socket when there is no usable SSLSocket at
 * all. The trailing {@code true} argument is passed unchanged on every
 * path; its meaning is defined by the {@code SSLAlgorithmConstraints}
 * constructors, not here.
 *
 * @param socket the socket being keyed; may be null, unconnected, or not
 *     an SSLSocket
 * @return a new constraints object; never null
 */
private AlgorithmConstraints getAlgorithmConstraints(Socket socket) {
    boolean usableSslSocket = socket != null
            && socket.isConnected()
            && socket instanceof SSLSocket;
    if (!usableSslSocket) {
        return new SSLAlgorithmConstraints((SSLSocket)null, true);
    }

    SSLSocket sslSocket = (SSLSocket) socket;
    SSLSession session = sslSocket.getHandshakeSession();

    if (session == null
            || !ProtocolVersion.useTLS12PlusSpec(session.getProtocol())) {
        return new SSLAlgorithmConstraints(sslSocket, true);
    }

    // Only an ExtendedSSLSession exposes what the peer can verify; a
    // plain session leaves the list null.
    String[] peerSupportedSignAlgs = null;
    if (session instanceof ExtendedSSLSession) {
        peerSupportedSignAlgs = ((ExtendedSSLSession) session)
                .getPeerSupportedSignatureAlgorithms();
    }

    return new SSLAlgorithmConstraints(sslSocket, peerSupportedSignAlgs, true);
}
 
Example #28
Source File: SupportedEllipticCurvesExtension.java — from jdk8u-jdk (GNU General Public License v2.0)
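/**
 * Returns the first curve id in {@code curves} (typically the peer's
 * preference order) that is both supported locally and permitted for key
 * agreement by the constraints.
 *
 * @param curves the candidate curve ids, in preference order (must not be
 *     null)
 * @param constraints the algorithm constraints to honour (must not be null)
 * @return the first qualifying curve id, or -1 when none qualifies
 */
private static int getPreferredCurve(int[] curves,
            AlgorithmConstraints constraints) {
    // Same primitive set for every candidate; build it once rather than
    // on every iteration.
    EnumSet<CryptoPrimitive> keyAgreement =
            EnumSet.of(CryptoPrimitive.KEY_AGREEMENT);

    for (int curveId : curves) {
        // Cheap local check first; the constraints lookup only runs for
        // curves we support at all.
        if (!isSupported(curveId)) {
            continue;
        }
        if (constraints.permits(keyAgreement, "EC",
                idToParams.get(curveId))) {
            return curveId;
        }
    }

    return -1;
}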
 
Example #29
Source File: Handshaker.java — from openjdk-jdk9 (GNU General Public License v2.0)
/**
 * Set the algorithm constraints. Called from the constructor or
 * SSLSocketImpl/SSLEngineImpl.setAlgorithmConstraints() (if the
 * handshake is not yet in progress).
 *
 * The caller's constraints are wrapped in an
 * {@code SSLAlgorithmConstraints}; the cached active suites, active
 * protocols and local signature algorithms are dropped so that they are
 * recomputed under the new constraints.
 *
 * @param algorithmConstraints the constraints to wrap and apply
 */
void setAlgorithmConstraints(AlgorithmConstraints algorithmConstraints) {
    // Invalidate the derived state first; it was computed under the old
    // constraints and must not survive the change.
    this.activeCipherSuites = null;
    this.activeProtocols = null;

    this.algorithmConstraints =
        new SSLAlgorithmConstraints(algorithmConstraints);

    this.localSupportedSignAlgs = null;
}
 
Example #30
Source File: SignatureAndHashAlgorithm.java — from openjdk-jdk8u (GNU General Public License v2.0)
/**
 * Collects every entry of {@code priorityMap} whose priority does not
 * exceed {@code SUPPORTED_ALG_PRIORITY_MAX_NUM} and whose algorithm the
 * constraints permit for {@code SIGNATURE_PRIMITIVE_SET} (no parameters
 * are passed to the check).
 *
 * NOTE(review): {@code priorityMap} is iterated without synchronization
 * here; presumably it is fully populated before any caller reaches this
 * method and not modified afterwards — confirm against the map's
 * initialisation.
 *
 * @param constraints the constraints to consult; {@code permits} is
 *     invoked on it, so it must not be null
 * @return a new, mutable collection in {@code priorityMap} iteration
 *     order; empty when nothing qualifies
 */
static Collection<SignatureAndHashAlgorithm>
        getSupportedAlgorithms(AlgorithmConstraints constraints) {

    Collection<SignatureAndHashAlgorithm> result = new ArrayList<>();
    for (SignatureAndHashAlgorithm candidate : priorityMap.values()) {
        if (candidate.priority > SUPPORTED_ALG_PRIORITY_MAX_NUM) {
            continue;
        }
        boolean permitted = constraints.permits(
                SIGNATURE_PRIMITIVE_SET, candidate.algorithm, null);
        if (permitted) {
            result.add(candidate);
        }
    }

    return result;
}