archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-08-26 06:14:49 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

8346587: Distrust TLS server certificates anchored by Camerfirma Root CAs

Browse source 
Reviewed-by: mullan
This commit is contained in:
Mark Powers 2025-01-24 23:05:34 +00:00
parent dec93675ab
commit 907350e9e8
8 changed files with 392 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

18
src/java.base/share/classes/sun/security/validator/CADistrustPolicy.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, 2024, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2025, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -67,6 +67,22 @@ enum CADistrustPolicy {
}
EntrustTLSPolicy.checkDistrust(chain);
}
},
/**
* Distrust TLS Server certificates anchored by a CAMERFIRMA root CA and
* issued after April 15, 2025. If enabled, this policy is currently
* enforced by the PKIX and SunX509 TrustManager implementations
* of the SunJSSE provider implementation.
*/
CAMERFIRMA_TLS {
void checkDistrust(String variant, X509Certificate[] chain)
throws ValidatorException {
if (!variant.equals(Validator.VAR_TLS_SERVER)) {
return;
}
CamerfirmaTLSPolicy.checkDistrust(chain);
}
};
/**

114
src/java.base/share/classes/sun/security/validator/CamerfirmaTLSPolicy.java Normal file
View file

@ -0,0 +1,114 @@
/*
* Copyright (c) 2025, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.validator;
import java.security.cert.X509Certificate;
import java.time.LocalDate;
import java.time.Month;
import java.time.ZoneOffset;
import java.util.Date;
import java.util.Map;
import java.util.Set;
import sun.security.util.Debug;
import sun.security.x509.X509CertImpl;
/**
* This class checks if Camerfirma issued TLS Server certificates should be
* restricted.
*/
final class CamerfirmaTLSPolicy {
private static final Debug debug = Debug.getInstance("certpath");
// SHA-256 certificate fingerprints of distrusted roots
private static final Set<String> FINGERPRINTS = Set.of(
// cacerts alias: camerfirmachamberscommerceca
// DN: CN=Chambers of Commerce Root,
// OU=http://www.chambersign.org,
// O=AC Camerfirma SA CIF A82743287, C=EU
"0C258A12A5674AEF25F28BA7DCFAECEEA348E541E6F5CC4EE63B71B361606AC3",
// cacerts alias: camerfirmachambersca
// DN: CN=Chambers of Commerce Root - 2008,
// O=AC Camerfirma S.A., SERIALNUMBER=A82743287,
// L=Madrid (see current address at www.camerfirma.com/address),
// C=EU
"063E4AFAC491DFD332F3089B8542E94617D893D7FE944E10A7937EE29D9693C0",
// cacerts alias: camerfirmachambersignca
// DN: CN=Global Chambersign Root - 2008,
// O=AC Camerfirma S.A., SERIALNUMBER=A82743287,
// L=Madrid (see current address at www.camerfirma.com/address),
// C=EU
"136335439334A7698016A0D324DE72284E079D7B5220BB8FBD747816EEBEBACA"
);
// Any TLS Server certificate that is anchored by one of the Camerfirma
// roots above and is issued after this date will be distrusted.
private static final LocalDate APRIL_15_2025 =
LocalDate.of(2025, Month.APRIL, 15);
/**
* This method assumes the eeCert is a TLS Server Cert and chains back to
* the anchor.
*
* @param chain the end-entity's certificate chain. The end entity cert
* is at index 0, the trust anchor at index n-1.
* @throws ValidatorException if the certificate is distrusted
*/
static void checkDistrust(X509Certificate[] chain)
throws ValidatorException {
X509Certificate anchor = chain[chain.length-1];
String fp = fingerprint(anchor);
if (fp == null) {
throw new ValidatorException("Cannot generate fingerprint for "
+ "trust anchor of TLS server certificate");
}
if (FINGERPRINTS.contains(fp)) {
Date notBefore = chain[0].getNotBefore();
LocalDate ldNotBefore = LocalDate.ofInstant(notBefore.toInstant(),
ZoneOffset.UTC);
// reject if certificate is issued after April 15, 2025
checkNotBefore(ldNotBefore, APRIL_15_2025, anchor);
}
}
private static String fingerprint(X509Certificate cert) {
return X509CertImpl.getFingerprint("SHA-256", cert, debug);
}
private static void checkNotBefore(LocalDate notBeforeDate,
LocalDate distrustDate, X509Certificate anchor)
throws ValidatorException {
if (notBeforeDate.isAfter(distrustDate)) {
throw new ValidatorException
("TLS Server certificate issued after " + distrustDate +
" and anchored by a distrusted legacy Camerfirma root CA: "
+ anchor.getSubjectX500Principal(),
ValidatorException.T_UNTRUSTED_CERT, anchor);
}
}
private CamerfirmaTLSPolicy() {}
}