8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR

Reviewed-by: mullan, xuelei, weijun

src/java.base/share/classes/sun/security/util/ConstraintsParameters.java

@@ -31,6 +31,9 @@ import java.security.AlgorithmParameters;
 import java.security.Key;
 import java.security.Timestamp;
 import java.security.cert.X509Certificate;
+import java.security.interfaces.ECKey;
+import java.security.interfaces.XECKey;
+import java.security.spec.NamedParameterSpec;
 import java.util.Date;
 
 /**
@@ -49,8 +52,8 @@ public class ConstraintsParameters {
     private final String algorithm;
     // AlgorithmParameters to the algorithm being checked
     private final AlgorithmParameters algParams;
-    // Public Key being checked against constraints
-    private final Key publicKey;
+    // Key being checked against constraints
+    private final Key key;
 
     /*
      * New values that are checked against constraints that the current public
@@ -66,6 +69,9 @@ public class ConstraintsParameters {
     // Timestamp of the signed JAR file
     private final Timestamp jarTimestamp;
     private final String variant;
+    // Named Curve
+    private final String[] curveStr;
+    private static final String[] EMPTYLIST = new String[0];
 
     public ConstraintsParameters(X509Certificate c, boolean match,
             Date pkixdate, Timestamp jarTime, String variant) {
@@ -76,14 +82,20 @@ public class ConstraintsParameters {
         this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
         algorithm = null;
         algParams = null;
-        publicKey = null;
+        key = null;
+        if (c != null) {
+            curveStr = getNamedCurveFromKey(c.getPublicKey());
+        } else {
+            curveStr = EMPTYLIST;
+        }
     }
 
     public ConstraintsParameters(String algorithm, AlgorithmParameters params,
             Key key, String variant) {
         this.algorithm = algorithm;
         algParams = params;
-        this.publicKey = key;
+        this.key = key;
+        curveStr = getNamedCurveFromKey(key);
         cert = null;
         trustedMatch = false;
         pkixDate = null;
@@ -109,9 +121,10 @@ public class ConstraintsParameters {
         return algParams;
     }
 
-    public Key getPublicKey() {
-        return publicKey;
+    public Key getKey() {
+        return key;
     }
+
     // Returns if the trust anchor has a match if anchor checking is enabled.
     public boolean isTrustedMatch() {
         return trustedMatch;
@@ -132,4 +145,47 @@ public class ConstraintsParameters {
     public String getVariant() {
         return variant;
     }
+
+    public String[] getNamedCurve() {
+        return curveStr;
+    }
+
+    public static String[] getNamedCurveFromKey(Key key) {
+        if (key instanceof ECKey) {
+            NamedCurve nc = CurveDB.lookup(((ECKey)key).getParams());
+            return (nc == null ? EMPTYLIST : CurveDB.getNamesByOID(nc.getObjectId()));
+        } else if (key instanceof XECKey) {
+            String[] s = {
+                    ((NamedParameterSpec)((XECKey)key).getParams()).getName()
+            };
+            return s;
+        } else {
+            return EMPTYLIST;
+        }
+    }
+
+    public String toString() {
+        StringBuilder s = new StringBuilder();
+        s.append("Cert:       ");
+        if (cert != null) {
+            s.append(cert.toString());
+            s.append("\nSigAlgo:    ");
+            s.append(cert.getSigAlgName());
+        } else {
+            s.append("None");
+        }
+        s.append("\nAlgParams:  ");
+        if (getAlgParams() != null) {
+            getAlgParams().toString();
+        } else {
+            s.append("None");
+        }
+        s.append("\nNamedCurves: ");
+        for (String c : getNamedCurve()) {
+            s.append(c + " ");
+        }
+        s.append("\nVariant:    " + getVariant());
+        return s.toString();
+    }
+
 }