|
| 1 | +/* |
| 2 | + * Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved. |
| 3 | + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| 4 | + * |
| 5 | + * This code is free software; you can redistribute it and/or modify it |
| 6 | + * under the terms of the GNU General Public License version 2 only, as |
| 7 | + * published by the Free Software Foundation. Oracle designates this |
| 8 | + * particular file as subject to the "Classpath" exception as provided |
| 9 | + * by Oracle in the LICENSE file that accompanied this code. |
| 10 | + * |
| 11 | + * This code is distributed in the hope that it will be useful, but WITHOUT |
| 12 | + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| 13 | + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| 14 | + * version 2 for more details (a copy is included in the LICENSE file that |
| 15 | + * accompanied this code). |
| 16 | + * |
| 17 | + * You should have received a copy of the GNU General Public License version |
| 18 | + * 2 along with this work; if not, write to the Free Software Foundation, |
| 19 | + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| 20 | + * |
| 21 | + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
| 22 | + * or visit www.oracle.com if you need additional information or have any |
| 23 | + * questions. |
| 24 | + */ |
| 25 | +package sun.security.validator; |
| 26 | + |
| 27 | +import java.security.cert.X509Certificate; |
| 28 | +import java.time.LocalDate; |
| 29 | +import java.time.Month; |
| 30 | +import java.time.ZoneOffset; |
| 31 | +import java.util.Date; |
| 32 | +import java.util.Map; |
| 33 | +import java.util.Set; |
| 34 | + |
| 35 | +import sun.security.util.Debug; |
| 36 | +import sun.security.x509.X509CertImpl; |
| 37 | + |
| 38 | +/** |
| 39 | + * This class checks if Camerfirma issued TLS Server certificates should be |
| 40 | + * restricted. |
| 41 | + */ |
| 42 | +final class CamerfirmaTLSPolicy { |
| 43 | + |
| 44 | + private static final Debug debug = Debug.getInstance("certpath"); |
| 45 | + |
| 46 | + // SHA-256 certificate fingerprints of distrusted roots |
| 47 | + private static final Set<String> FINGERPRINTS = Set.of( |
| 48 | + // cacerts alias: camerfirmachamberscommerceca |
| 49 | + // DN: CN=Chambers of Commerce Root, |
| 50 | + // OU=http://www.chambersign.org, |
| 51 | + // O=AC Camerfirma SA CIF A82743287, C=EU |
| 52 | + "0C258A12A5674AEF25F28BA7DCFAECEEA348E541E6F5CC4EE63B71B361606AC3", |
| 53 | + // cacerts alias: camerfirmachambersca |
| 54 | + // DN: CN=Chambers of Commerce Root - 2008, |
| 55 | + // O=AC Camerfirma S.A., SERIALNUMBER=A82743287, |
| 56 | + // L=Madrid (see current address at www.camerfirma.com/address), |
| 57 | + // C=EU |
| 58 | + "063E4AFAC491DFD332F3089B8542E94617D893D7FE944E10A7937EE29D9693C0", |
| 59 | + // cacerts alias: camerfirmachambersignca |
| 60 | + // DN: CN=Global Chambersign Root - 2008, |
| 61 | + // O=AC Camerfirma S.A., SERIALNUMBER=A82743287, |
| 62 | + // L=Madrid (see current address at www.camerfirma.com/address), |
| 63 | + // C=EU |
| 64 | + "136335439334A7698016A0D324DE72284E079D7B5220BB8FBD747816EEBEBACA" |
| 65 | + ); |
| 66 | + |
| 67 | + // Any TLS Server certificate that is anchored by one of the Camerfirma |
| 68 | + // roots above and is issued after this date will be distrusted. |
| 69 | + private static final LocalDate APRIL_15_2025 = |
| 70 | + LocalDate.of(2025, Month.APRIL, 15); |
| 71 | + |
| 72 | + /** |
| 73 | + * This method assumes the eeCert is a TLS Server Cert and chains back to |
| 74 | + * the anchor. |
| 75 | + * |
| 76 | + * @param chain the end-entity's certificate chain. The end entity cert |
| 77 | + * is at index 0, the trust anchor at index n-1. |
| 78 | + * @throws ValidatorException if the certificate is distrusted |
| 79 | + */ |
| 80 | + static void checkDistrust(X509Certificate[] chain) |
| 81 | + throws ValidatorException { |
| 82 | + X509Certificate anchor = chain[chain.length-1]; |
| 83 | + String fp = fingerprint(anchor); |
| 84 | + if (fp == null) { |
| 85 | + throw new ValidatorException("Cannot generate fingerprint for " |
| 86 | + + "trust anchor of TLS server certificate"); |
| 87 | + } |
| 88 | + if (FINGERPRINTS.contains(fp)) { |
| 89 | + Date notBefore = chain[0].getNotBefore(); |
| 90 | + LocalDate ldNotBefore = LocalDate.ofInstant(notBefore.toInstant(), |
| 91 | + ZoneOffset.UTC); |
| 92 | + // reject if certificate is issued after April 15, 2025 |
| 93 | + checkNotBefore(ldNotBefore, APRIL_15_2025, anchor); |
| 94 | + } |
| 95 | + } |
| 96 | + |
| 97 | + private static String fingerprint(X509Certificate cert) { |
| 98 | + return X509CertImpl.getFingerprint("SHA-256", cert); |
| 99 | + } |
| 100 | + |
| 101 | + private static void checkNotBefore(LocalDate notBeforeDate, |
| 102 | + LocalDate distrustDate, X509Certificate anchor) |
| 103 | + throws ValidatorException { |
| 104 | + if (notBeforeDate.isAfter(distrustDate)) { |
| 105 | + throw new ValidatorException |
| 106 | + ("TLS Server certificate issued after " + distrustDate + |
| 107 | + " and anchored by a distrusted legacy Camerfirma root CA: " |
| 108 | + + anchor.getSubjectX500Principal(), |
| 109 | + ValidatorException.T_UNTRUSTED_CERT, anchor); |
| 110 | + } |
| 111 | + } |
| 112 | + |
| 113 | + private CamerfirmaTLSPolicy() {} |
| 114 | +} |
0 commit comments