8292033: Move jdk.X509Certificate event logic to JCA layer

Reviewed-by: mullan
Sean Coffey 2022-11-09 21:46:56 +00:00
parent 1b94ae13d3
commit 102b2b32fe
12 changed files with 186 additions and 88 deletions


@ -26,14 +26,14 @@
package java.security.cert;
import java.io.InputStream;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.security.Provider;
import java.security.Security;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import sun.security.jca.*;
import sun.security.jca.GetInstance.Instance;
@ -352,7 +352,9 @@ public class CertificateFactory {
public final Certificate generateCertificate(InputStream inStream)
throws CertificateException
{
return certFacSpi.engineGenerateCertificate(inStream);
Certificate c = certFacSpi.engineGenerateCertificate(inStream);
JCAUtil.tryCommitCertEvent(c);
return c;
}
/**
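Review bot: The event now fires on every generateCertificate() call rather than once per parsed certificate; the removed `commitEvent(cert)` in the X509Factory hunk sat after `addToCache(...)`, so a cache hit (presumably the early return just above that hunk, outside the visible lines) previously produced no event, while the new `JCAUtil.tryCommitCertEvent(c);` fires for cached instances too. If that is intended, a comment on this line would keep a later reader from "fixing" it, e.g. `// Record the certificate once per API call, even if the SPI returned a cached instance.`. If not, the commit should happen on the construction path only, as `X509CertImpl.newX509CertImpl` already does, and this call dropped. Either way JFR and security-log consumers will see higher event volume when the same certificate is parsed repeatedly; the enclosing class continues outside the hunk.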


@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -31,6 +31,15 @@ package jdk.internal.event;
*/
public final class X509CertificateEvent extends Event {
private static final X509CertificateEvent EVENT = new X509CertificateEvent();
/**
* Returns {@code true} if event is enabled, {@code false} otherwise.
*/
public static boolean isTurnedOn() {
return EVENT.isEnabled();
}
public String algorithm;
public String serialNumber;
public String subject;


@ -25,7 +25,14 @@
package sun.security.jca;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import jdk.internal.event.EventHelper;
import jdk.internal.event.X509CertificateEvent;
import sun.security.util.KeyUtil;
/**
* Collection of static utility methods used by the security framework.
@ -90,6 +97,45 @@ public final class JCAUtil {
}
}
return result;
}
public static void tryCommitCertEvent(Certificate cert) {
if ((X509CertificateEvent.isTurnedOn() || EventHelper.isLoggingSecurity()) &&
(cert instanceof X509Certificate x509)) {
PublicKey pKey = x509.getPublicKey();
String algId = x509.getSigAlgName();
String serNum = x509.getSerialNumber().toString(16);
String subject = x509.getSubjectX500Principal().toString();
String issuer = x509.getIssuerX500Principal().toString();
String keyType = pKey.getAlgorithm();
int length = KeyUtil.getKeySize(pKey);
int hashCode = x509.hashCode();
long beginDate = x509.getNotBefore().getTime();
long endDate = x509.getNotAfter().getTime();
if (X509CertificateEvent.isTurnedOn()) {
X509CertificateEvent xce = new X509CertificateEvent();
xce.algorithm = algId;
xce.serialNumber = serNum;
xce.subject = subject;
xce.issuer = issuer;
xce.keyType = keyType;
xce.keyLength = length;
xce.certificateId = hashCode;
xce.validFrom = beginDate;
xce.validUntil = endDate;
xce.commit();
}
if (EventHelper.isLoggingSecurity()) {
EventHelper.logX509CertificateEvent(algId,
serNum,
subject,
issuer,
keyType,
length,
hashCode,
beginDate,
endDate);
}
}
}
}
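Review bot: `tryCommitCertEvent` now runs against any `X509Certificate` implementation that a provider's SPI hands back through `CertificateFactory.generateCertificate`, yet it dereferences `pKey` at `String keyType = pKey.getAlgorithm();` without a null check and lets any RuntimeException from the provider's accessors escape; the removed X509Factory version only ever saw `X509CertImpl`. Since this is telemetry, a failure here should not turn a successfully parsed certificate into an exception from the public API, so at minimum guard the key, `String keyType = (pKey == null) ? "unknown" : pKey.getAlgorithm();` and `int length = (pKey == null) ? -1 : KeyUtil.getKeySize(pKey);`, and consider isolating the whole extraction so a misbehaving provider degrades to a missing event rather than a failed call. Separately, `x509.getSerialNumber().toString(16)` drops leading zeros and prefixes `-` for a negative serial, so the logged value will not byte-match the DER serial printed by other tooling; a comment such as `// serial is unpadded signed hex, not the raw DER bytes` would save consumers correlating events some confusion.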


@ -26,20 +26,16 @@
package sun.security.provider;
import java.io.*;
import java.security.PublicKey;
import java.security.cert.*;
import java.util.*;
import jdk.internal.event.EventHelper;
import jdk.internal.event.X509CertificateEvent;
import sun.security.pkcs.PKCS7;
import sun.security.pkcs.ParsingException;
import sun.security.provider.certpath.X509CertPath;
import sun.security.provider.certpath.X509CertificatePair;
import sun.security.util.Cache;
import sun.security.util.DerValue;
import sun.security.util.KeyUtil;
import sun.security.x509.X509CRLImpl;
import sun.security.x509.X509CertImpl;
@ -116,8 +112,6 @@ public class X509Factory extends CertificateFactorySpi {
}
cert = new X509CertImpl(encoding);
addToCache(certCache, cert.getEncodedInternal(), cert);
// record cert details if necessary
commitEvent(cert);
return cert;
}
@ -478,7 +472,7 @@ public class X509Factory extends CertificateFactorySpi {
}
} catch (ParsingException e) {
while (data != null) {
coll.add(new X509CertImpl(data));
coll.add(X509CertImpl.newX509CertImpl(data));
data = readOneBlock(pbis);
}
}
@ -772,43 +766,4 @@ public class X509Factory extends CertificateFactorySpi {
}
return tag;
}
private static void commitEvent(X509CertImpl info) {
X509CertificateEvent xce = new X509CertificateEvent();
if (xce.shouldCommit() || EventHelper.isLoggingSecurity()) {
PublicKey pKey = info.getPublicKey();
String algId = info.getSigAlgName();
String serNum = info.getSerialNumber().toString(16);
String subject = info.getSubjectDN().getName();
String issuer = info.getIssuerDN().getName();
String keyType = pKey.getAlgorithm();
int length = KeyUtil.getKeySize(pKey);
int hashCode = info.hashCode();
long beginDate = info.getNotBefore().getTime();
long endDate = info.getNotAfter().getTime();
if (xce.shouldCommit()) {
xce.algorithm = algId;
xce.serialNumber = serNum;
xce.subject = subject;
xce.issuer = issuer;
xce.keyType = keyType;
xce.keyLength = length;
xce.certificateId = hashCode;
xce.validFrom = beginDate;
xce.validUntil = endDate;
xce.commit();
}
if (EventHelper.isLoggingSecurity()) {
EventHelper.logX509CertificateEvent(algId,
serNum,
subject,
issuer,
keyType,
length,
hashCode,
beginDate,
endDate);
}
}
}
}


@ -356,7 +356,7 @@ public final class OCSPResponse {
try {
for (int i = 0; i < derCerts.length; i++) {
X509CertImpl cert =
new X509CertImpl(derCerts[i].toByteArray());
X509CertImpl.newX509CertImpl(derCerts[i].toByteArray());
certs.add(cert);
if (debug != null) {


@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -240,7 +240,7 @@ public class X509CertificatePair {
}
opt = opt.data.getDerValue();
forward = X509Factory.intern
(new X509CertImpl(opt.toByteArray()));
(X509CertImpl.newX509CertImpl(opt.toByteArray()));
}
break;
case TAG_REVERSE:
@ -251,7 +251,7 @@ public class X509CertificatePair {
}
opt = opt.data.getDerValue();
reverse = X509Factory.intern
(new X509CertImpl(opt.toByteArray()));
(X509CertImpl.newX509CertImpl(opt.toByteArray()));
}
break;
default:


@ -41,6 +41,7 @@ import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.x500.X500Principal;
import sun.security.jca.JCAUtil;
import sun.security.util.*;
import sun.security.provider.X509Factory;
@ -266,6 +267,13 @@ public class X509CertImpl extends X509Certificate implements DerEncoder {
}
}
// helper method to record certificate, if necessary, after construction
public static X509CertImpl newX509CertImpl(byte[] certData) throws CertificateException {
var cert = new X509CertImpl(certData);
JCAUtil.tryCommitCertEvent(cert);
return cert;
}
/**
* Appends the certificate to an output stream.
*
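Review bot: `newX509CertImpl` is a public static factory that internal callers (X509Factory, OCSPResponse, X509CertificatePair in this commit) are now expected to use instead of the constructor, but it carries only the line comment `// helper method to record certificate, if necessary, after construction`; a Javadoc stating the contract would make the intent enforceable, e.g. `/** Parses {@code certData} and records a jdk.X509Certificate event / security log entry for the result; prefer this over the constructor wherever the certificate comes from external input. @throws CertificateException if parsing fails */`. The added `import sun.security.provider.X509Factory;` is not referenced in the visible hunk; if no other hunk in this file uses it, it is an unused import and should be dropped. The enclosing class continues outside the hunk.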