diff --git a/jdk/src/share/classes/sun/security/ssl/HandshakeContext.java b/jdk/src/share/classes/sun/security/ssl/HandshakeContext.java index 265525ac69c..9980f2bbcf7 100644 --- a/jdk/src/share/classes/sun/security/ssl/HandshakeContext.java +++ b/jdk/src/share/classes/sun/security/ssl/HandshakeContext.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2018, 2022, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -163,7 +163,7 @@ protected HandshakeContext(SSLContextImpl sslContext, this.conContext = conContext; this.sslConfig = (SSLConfiguration)conContext.sslConfig.clone(); - this.algorithmConstraints = new SSLAlgorithmConstraints( + this.algorithmConstraints = SSLAlgorithmConstraints.wrap( sslConfig.userSpecifiedAlgorithmConstraints); this.activeProtocols = getActiveProtocols(sslConfig.enabledProtocols, sslConfig.enabledCipherSuites, algorithmConstraints); diff --git a/jdk/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java b/jdk/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java index e827247b792..59662ab8fd2 100644 --- a/jdk/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java +++ b/jdk/src/share/classes/sun/security/ssl/SSLAlgorithmConstraints.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2010, 2022, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -57,46 +57,98 @@ final class SSLAlgorithmConstraints implements AlgorithmConstraints { // the default algorithm constraints static final AlgorithmConstraints DEFAULT = - new SSLAlgorithmConstraints(null); + new SSLAlgorithmConstraints(null, true); // the default SSL only algorithm constraints static final AlgorithmConstraints DEFAULT_SSL_ONLY = - new SSLAlgorithmConstraints((SSLSocket)null, false); + new SSLAlgorithmConstraints(null, false); - SSLAlgorithmConstraints(AlgorithmConstraints userSpecifiedConstraints) { - this.userSpecifiedConstraints = userSpecifiedConstraints; - this.peerSpecifiedConstraints = null; - this.enabledX509DisabledAlgConstraints = true; + private SSLAlgorithmConstraints(AlgorithmConstraints userSpecifiedConstraints, + boolean enabledX509DisabledAlgConstraints) { + this(userSpecifiedConstraints, null, enabledX509DisabledAlgConstraints); } - SSLAlgorithmConstraints(SSLSocket socket, + private SSLAlgorithmConstraints( + AlgorithmConstraints userSpecifiedConstraints, + SupportedSignatureAlgorithmConstraints peerSpecifiedConstraints, boolean withDefaultCertPathConstraints) { - this.userSpecifiedConstraints = getUserSpecifiedConstraints(socket); - this.peerSpecifiedConstraints = null; + this.userSpecifiedConstraints = userSpecifiedConstraints; + this.peerSpecifiedConstraints = peerSpecifiedConstraints; this.enabledX509DisabledAlgConstraints = withDefaultCertPathConstraints; } - SSLAlgorithmConstraints(SSLEngine engine, + /** + * Returns a SSLAlgorithmConstraints instance that checks the provided + * {@code userSpecifiedConstraints} in addition to standard checks. + * Returns a singleton instance if parameter is null or DEFAULT. + * @param userSpecifiedConstraints additional constraints to check + * @return a SSLAlgorithmConstraints instance + */ + static AlgorithmConstraints wrap(AlgorithmConstraints userSpecifiedConstraints) { + return wrap(userSpecifiedConstraints, true); + } + + private static AlgorithmConstraints wrap( + AlgorithmConstraints userSpecifiedConstraints, boolean withDefaultCertPathConstraints) { - this.userSpecifiedConstraints = getUserSpecifiedConstraints(engine); - this.peerSpecifiedConstraints = null; - this.enabledX509DisabledAlgConstraints = withDefaultCertPathConstraints; + if (nullIfDefault(userSpecifiedConstraints) == null) { + return withDefaultCertPathConstraints ? DEFAULT : DEFAULT_SSL_ONLY; + } + return new SSLAlgorithmConstraints(userSpecifiedConstraints, + withDefaultCertPathConstraints); + } + + /** + * Returns a SSLAlgorithmConstraints instance that checks the constraints + * configured for the given {@code socket} in addition to standard checks. + * Returns a singleton instance if the constraints are null or DEFAULT. + * @param socket socket with configured constraints + * @return a SSLAlgorithmConstraints instance + */ + static AlgorithmConstraints forSocket(SSLSocket socket, + boolean withDefaultCertPathConstraints) { + AlgorithmConstraints userSpecifiedConstraints = + getUserSpecifiedConstraints(socket); + return wrap(userSpecifiedConstraints, withDefaultCertPathConstraints); } - SSLAlgorithmConstraints(SSLSocket socket, String[] supportedAlgorithms, + static SSLAlgorithmConstraints forSocket( + SSLSocket socket, + String[] supportedAlgorithms, boolean withDefaultCertPathConstraints) { - this.userSpecifiedConstraints = getUserSpecifiedConstraints(socket); - this.peerSpecifiedConstraints = - new SupportedSignatureAlgorithmConstraints(supportedAlgorithms); - this.enabledX509DisabledAlgConstraints = withDefaultCertPathConstraints; + return new SSLAlgorithmConstraints( + nullIfDefault(getUserSpecifiedConstraints(socket)), + new SupportedSignatureAlgorithmConstraints(supportedAlgorithms), + withDefaultCertPathConstraints); + } + + /** + * Returns a SSLAlgorithmConstraints instance that checks the constraints + * configured for the given {@code engine} in addition to standard checks. + * Returns a singleton instance if the constraints are null or DEFAULT. + * @param engine engine with configured constraints + * @return a SSLAlgorithmConstraints instance + */ + static AlgorithmConstraints forEngine(SSLEngine engine, + boolean withDefaultCertPathConstraints) { + AlgorithmConstraints userSpecifiedConstraints = + getUserSpecifiedConstraints(engine); + return wrap(userSpecifiedConstraints, withDefaultCertPathConstraints); } - SSLAlgorithmConstraints(SSLEngine engine, String[] supportedAlgorithms, + static SSLAlgorithmConstraints forEngine( + SSLEngine engine, + String[] supportedAlgorithms, boolean withDefaultCertPathConstraints) { - this.userSpecifiedConstraints = getUserSpecifiedConstraints(engine); - this.peerSpecifiedConstraints = - new SupportedSignatureAlgorithmConstraints(supportedAlgorithms); - this.enabledX509DisabledAlgConstraints = withDefaultCertPathConstraints; + return new SSLAlgorithmConstraints( + nullIfDefault(getUserSpecifiedConstraints(engine)), + new SupportedSignatureAlgorithmConstraints(supportedAlgorithms), + withDefaultCertPathConstraints); + } + + private static AlgorithmConstraints nullIfDefault( + AlgorithmConstraints constraints) { + return constraints == DEFAULT ? null : constraints; } private static AlgorithmConstraints getUserSpecifiedConstraints( diff --git a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java index 820e10164fc..9c7daad461a 100644 --- a/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java +++ b/jdk/src/share/classes/sun/security/ssl/SSLContextImpl.java @@ -1302,14 +1302,14 @@ private void checkAdditionalTrust(X509Certificate[] chain, String[] peerSupportedSignAlgs = extSession.getLocalSupportedSignatureAlgorithms(); - constraints = new SSLAlgorithmConstraints( + constraints = SSLAlgorithmConstraints.forSocket( sslSocket, peerSupportedSignAlgs, true); } else { constraints = - new SSLAlgorithmConstraints(sslSocket, true); + SSLAlgorithmConstraints.forSocket(sslSocket, true); } } else { - constraints = new SSLAlgorithmConstraints(sslSocket, true); + constraints = SSLAlgorithmConstraints.forSocket(sslSocket, true); } checkAlgorithmConstraints(chain, constraints, checkClientTrusted); @@ -1342,14 +1342,14 @@ private void checkAdditionalTrust(X509Certificate[] chain, String[] peerSupportedSignAlgs = extSession.getLocalSupportedSignatureAlgorithms(); - constraints = new SSLAlgorithmConstraints( + constraints = SSLAlgorithmConstraints.forEngine( engine, peerSupportedSignAlgs, true); } else { constraints = - new SSLAlgorithmConstraints(engine, true); + SSLAlgorithmConstraints.forEngine(engine, true); } } else { - constraints = new SSLAlgorithmConstraints(engine, true); + constraints = SSLAlgorithmConstraints.forEngine(engine, true); } checkAlgorithmConstraints(chain, constraints, checkClientTrusted); diff --git a/jdk/src/share/classes/sun/security/ssl/X509KeyManagerImpl.java b/jdk/src/share/classes/sun/security/ssl/X509KeyManagerImpl.java index bac96e321e5..bf7ac162c1f 100644 --- a/jdk/src/share/classes/sun/security/ssl/X509KeyManagerImpl.java +++ b/jdk/src/share/classes/sun/security/ssl/X509KeyManagerImpl.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2004, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2004, 2022, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -197,15 +197,15 @@ private AlgorithmConstraints getAlgorithmConstraints(Socket socket) { extSession.getPeerSupportedSignatureAlgorithms(); } - return new SSLAlgorithmConstraints( + return SSLAlgorithmConstraints.forSocket( sslSocket, peerSupportedSignAlgs, true); } } - return new SSLAlgorithmConstraints(sslSocket, true); + return SSLAlgorithmConstraints.forSocket(sslSocket, true); } - return new SSLAlgorithmConstraints((SSLSocket)null, true); + return SSLAlgorithmConstraints.DEFAULT; } // Gets algorithm constraints of the engine. @@ -223,13 +223,13 @@ private AlgorithmConstraints getAlgorithmConstraints(SSLEngine engine) { extSession.getPeerSupportedSignatureAlgorithms(); } - return new SSLAlgorithmConstraints( + return SSLAlgorithmConstraints.forEngine( engine, peerSupportedSignAlgs, true); } } } - return new SSLAlgorithmConstraints(engine, true); + return SSLAlgorithmConstraints.forEngine(engine, true); } // we construct the alias we return to JSSE as seen in the code below diff --git a/jdk/src/share/classes/sun/security/ssl/X509TrustManagerImpl.java b/jdk/src/share/classes/sun/security/ssl/X509TrustManagerImpl.java index f52c3007981..c4e68158585 100644 --- a/jdk/src/share/classes/sun/security/ssl/X509TrustManagerImpl.java +++ b/jdk/src/share/classes/sun/security/ssl/X509TrustManagerImpl.java @@ -207,10 +207,10 @@ private void checkTrusted(X509Certificate[] chain, String[] localSupportedSignAlgs = extSession.getLocalSupportedSignatureAlgorithms(); - constraints = new SSLAlgorithmConstraints( + constraints = SSLAlgorithmConstraints.forSocket( sslSocket, localSupportedSignAlgs, false); } else { - constraints = new SSLAlgorithmConstraints(sslSocket, false); + constraints = SSLAlgorithmConstraints.forSocket(sslSocket, false); } // Grab any stapled OCSP responses for use in validation @@ -262,10 +262,10 @@ private void checkTrusted(X509Certificate[] chain, String[] localSupportedSignAlgs = extSession.getLocalSupportedSignatureAlgorithms(); - constraints = new SSLAlgorithmConstraints( + constraints = SSLAlgorithmConstraints.forEngine( engine, localSupportedSignAlgs, false); } else { - constraints = new SSLAlgorithmConstraints(engine, false); + constraints = SSLAlgorithmConstraints.forEngine(engine, false); } // Grab any stapled OCSP responses for use in validation