betaversion for a workaround to solve problem with Java8 >= 141 and SHA1 certificates in certificate chain

1 files changed, 226 insertions, 0 deletions

diff --git a/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java
new file mode 100644
index 000000000..990b5d3b1
--- /dev/null
+++ b/id/server/moa-id-commons/src/main/java/at/gv/egovernment/moa/id/commons/validation/MOASSLAlgorithmChecker.java
@@ -0,0 +1,226 @@
+/*
+ * Copyright 2014 Federal Chancellery Austria
+ * MOA-ID has been developed in a cooperation between BRZ, the Federal
+ * Chancellery Austria - ICT staff unit, and Graz University of Technology.
+ *
+ * Licensed under the EUPL, Version 1.1 or - as soon they will be approved by
+ * the European Commission - subsequent versions of the EUPL (the "Licence");
+ * You may not use this work except in compliance with the Licence.
+ * You may obtain a copy of the Licence at:
+ * http://www.osor.eu/eupl/
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the Licence is distributed on an "AS IS" basis,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the Licence for the specific language governing permissions and
+ * limitations under the Licence.
+ *
+ * This product combines work with different licenses. See the "NOTICE" text
+ * file for details on the various modules and licenses.
+ * The "NOTICE" text file is part of the distribution. Any derivative works
+ * that you distribute must include a readable copy of the "NOTICE" text file.
+ */
+package at.gv.egovernment.moa.id.commons.validation;
+
+import java.math.BigInteger;
+import java.security.AlgorithmConstraints;
+import java.security.AlgorithmParameters;
+import java.security.CryptoPrimitive;
+import java.security.GeneralSecurityException;
+import java.security.KeyFactory;
+import java.security.PublicKey;
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateParsingException;
+import java.security.cert.PKIXCertPathChecker;
+import java.security.cert.PKIXReason;
+import java.security.cert.X509Certificate;
+import java.security.interfaces.DSAParams;
+import java.security.interfaces.DSAPublicKey;
+import java.security.spec.DSAPublicKeySpec;
+import java.util.Collection;
+import java.util.Collections;
+import java.util.EnumSet;
+import java.util.Set;
+
+import sun.security.util.DisabledAlgorithmConstraints;
+import sun.security.x509.X509CertImpl;
+
+/**
+ * @author tlenz
+ *
+ */
+public class MOASSLAlgorithmChecker extends PKIXCertPathChecker {
+
+	private final AlgorithmConstraints constraints;
+	private final PublicKey trustedPubKey;
+	private PublicKey prevPubKey;
+	private static final Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));	 
+	private static final Set<CryptoPrimitive> KU_PRIMITIVE_SET = Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE, CryptoPrimitive.KEY_ENCAPSULATION, CryptoPrimitive.PUBLIC_KEY_ENCRYPTION, CryptoPrimitive.KEY_AGREEMENT));
+	
+	private static final DisabledAlgorithmConstraints certPathDefaultConstraints = new DisabledAlgorithmConstraints("jdk.certpath.disabledAlgorithms");
+
+	/**
+	 * 
+	 */
+	public MOASSLAlgorithmChecker() {
+		this.prevPubKey = null;
+		this.trustedPubKey = null;
+		this.constraints = certPathDefaultConstraints;
+		
+	}
+	
+	public MOASSLAlgorithmChecker(AlgorithmConstraints paramAlgorithmConstraints) {
+		this.prevPubKey = null;
+		this.trustedPubKey = null;
+		this.constraints = paramAlgorithmConstraints;
+	}
+	
+	
+	/* (non-Javadoc)
+	 * @see java.security.cert.PKIXCertPathChecker#init(boolean)
+	 */
+	@Override
+	public void init(boolean forward) throws CertPathValidatorException {
+		if (!(forward)) {
+			if (this.trustedPubKey != null)
+				this.prevPubKey = this.trustedPubKey;
+			
+			else
+				this.prevPubKey = null;
+			
+		} else 
+			throw new CertPathValidatorException("forward checking not supported");
+
+	}
+
+	/* (non-Javadoc)
+	 * @see java.security.cert.PKIXCertPathChecker#isForwardCheckingSupported()
+	 */
+	@Override
+	public boolean isForwardCheckingSupported() {
+		return false;
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see java.security.cert.PKIXCertPathChecker#getSupportedExtensions()
+	 */
+	@Override
+	public Set<String> getSupportedExtensions() {
+		return null;
+		
+	}
+
+	/* (non-Javadoc)
+	 * @see java.security.cert.PKIXCertPathChecker#check(java.security.cert.Certificate, java.util.Collection)
+	 */
+	@Override
+	public void check(Certificate cert, Collection<String> unresolvedCritExts) throws CertPathValidatorException {
+		if ((!(cert instanceof X509Certificate)) || (this.constraints == null)) {
+			return;	
+		
+		}
+ 
+		X509CertImpl localX509CertImpl = null;
+		try {
+			localX509CertImpl = sun.security.x509.X509CertImpl.toImpl((X509Certificate)cert);
+			
+		} catch (CertificateException localCertificateException1) {
+			throw new CertPathValidatorException(localCertificateException1);
+		
+		}
+		
+		PublicKey localPublicKey = localX509CertImpl.getPublicKey();
+		String str = localX509CertImpl.getSigAlgName();
+		 
+
+		//check algorithms
+		AlgorithmParameters localAlgorithmParameters = null;
+		try {
+			sun.security.x509.AlgorithmId localAlgorithmId = null;
+			localAlgorithmId = (sun.security.x509.AlgorithmId)localX509CertImpl.get("x509.algorithm");
+			localAlgorithmParameters = localAlgorithmId.getParameters();
+				
+			if (!(this.constraints.permits(SIGNATURE_PRIMITIVE_SET, str, localAlgorithmParameters))) {
+				throw new CertPathValidatorException("Algorithm constraints check failed: " + str, null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED);
+			
+			}
+			
+		} catch (CertificateParsingException localCertificateException2) {
+			throw new CertPathValidatorException(localCertificateException2);
+			
+		}
+ 
+
+		//check key usage
+		boolean[] arrayOfBoolean = localX509CertImpl.getKeyUsage();
+		if ((arrayOfBoolean != null) && (arrayOfBoolean.length < 9))
+			throw new CertPathValidatorException("incorrect KeyUsage extension", null, null, -1, PKIXReason.INVALID_KEY_USAGE);
+		
+		if (arrayOfBoolean != null) {
+			Set<CryptoPrimitive> cryptoPrimitives = EnumSet.noneOf(CryptoPrimitive.class);
+			if ((arrayOfBoolean[0] == true) || (arrayOfBoolean[1] == true) || (arrayOfBoolean[5] == true) || (arrayOfBoolean[6] == true)) {
+				cryptoPrimitives.add(CryptoPrimitive.SIGNATURE);
+			
+			}
+ 						
+			if (arrayOfBoolean[2] == true) {
+				cryptoPrimitives.add(CryptoPrimitive.KEY_ENCAPSULATION);
+				
+			}
+ 
+			if (arrayOfBoolean[3] == true) {
+				cryptoPrimitives.add(CryptoPrimitive.PUBLIC_KEY_ENCRYPTION);
+			
+			}
+			
+			if (arrayOfBoolean[4] == true) {
+				cryptoPrimitives.add(CryptoPrimitive.KEY_AGREEMENT);	
+			
+			}
+			
+			if ((!(cryptoPrimitives.isEmpty())) &&  (!(this.constraints.permits(cryptoPrimitives, localPublicKey)))) {	
+				throw new CertPathValidatorException("algorithm constraints check failed", null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED);
+				
+			}
+		}
+ 
+		//check pubKeys
+		if (this.prevPubKey != null) {
+			if ((str != null) && (!(this.constraints.permits(SIGNATURE_PRIMITIVE_SET, str, this.prevPubKey, localAlgorithmParameters)))) {
+				throw new CertPathValidatorException("Algorithm constraints check failed: " + str, null, null, -1, CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED);
+				
+			}
+			
+			if ((localPublicKey instanceof DSAPublicKey) && (((DSAPublicKey)localPublicKey).getParams() == null)) {
+				if (!(this.prevPubKey instanceof DSAPublicKey)) {
+					throw new CertPathValidatorException("Input key is not of a appropriate type for inheriting parameters");
+					
+				}
+ 
+				DSAParams localObject = ((DSAPublicKey)this.prevPubKey).getParams();
+				if (localObject == null) {
+					throw new CertPathValidatorException("Key parameters missing");	
+					
+				}
+
+				try {
+					BigInteger localBigInteger = ((DSAPublicKey)localPublicKey).getY();
+					KeyFactory localKeyFactory = KeyFactory.getInstance("DSA");
+					DSAPublicKeySpec localDSAPublicKeySpec = new DSAPublicKeySpec(localBigInteger, ((DSAParams)localObject).getP(), ((DSAParams)localObject).getQ(), ((DSAParams)localObject).getG());
+					localPublicKey = localKeyFactory.generatePublic(localDSAPublicKeySpec);
+					
+				} catch (GeneralSecurityException localGeneralSecurityException) {	
+					throw new CertPathValidatorException("Unable to generate key with inherited parameters: " + localGeneralSecurityException.getMessage(), localGeneralSecurityException);
+
+				}
+			}
+		}
+		
+		this.prevPubKey = localPublicKey;
+	}
+
+
+}