|
| 1 | +/* |
| 2 | + * Copyright (c) 2026, Oracle and/or its affiliates. All rights reserved. |
| 3 | + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. |
| 4 | + * |
| 5 | + * This code is free software; you can redistribute it and/or modify it |
| 6 | + * under the terms of the GNU General Public License version 2 only, as |
| 7 | + * published by the Free Software Foundation. Oracle designates this |
| 8 | + * particular file as subject to the "Classpath" exception as provided |
| 9 | + * by Oracle in the LICENSE file that accompanied this code. |
| 10 | + * |
| 11 | + * This code is distributed in the hope that it will be useful, but WITHOUT |
| 12 | + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or |
| 13 | + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License |
| 14 | + * version 2 for more details (a copy is included in the LICENSE file that |
| 15 | + * accompanied this code). |
| 16 | + * |
| 17 | + * You should have received a copy of the GNU General Public License version |
| 18 | + * 2 along with this work; if not, write to the Free Software Foundation, |
| 19 | + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. |
| 20 | + * |
| 21 | + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA |
| 22 | + * or visit www.oracle.com if you need additional information or have any |
| 23 | + * questions. |
| 24 | + */ |
| 25 | +package sun.security.validator; |
| 26 | + |
| 27 | +import java.security.cert.X509Certificate; |
| 28 | +import java.time.LocalDate; |
| 29 | +import java.time.Month; |
| 30 | +import java.time.ZoneOffset; |
| 31 | +import java.util.Date; |
| 32 | +import java.util.Map; |
| 33 | +import java.util.Set; |
| 34 | + |
| 35 | +import sun.security.util.Debug; |
| 36 | +import sun.security.x509.X509CertImpl; |
| 37 | + |
| 38 | +/** |
| 39 | + * This class checks if Chunghwa issued TLS Server certificates should be |
| 40 | + * restricted. |
| 41 | + */ |
| 42 | +final class ChunghwaTLSPolicy { |
| 43 | + |
| 44 | + private static final Debug debug = Debug.getInstance("certpath"); |
| 45 | + |
| 46 | + // SHA-256 certificate fingerprint of distrusted root for TLS |
| 47 | + // cacerts alias: chunghwaepkirootca |
| 48 | + // DN: OU=ePKI Root Certification Authority, |
| 49 | + // O="Chunghwa Telecom Co., Ltd.", C=TW |
| 50 | + private static final String FINGERPRINT = |
| 51 | + "C0A6F4DC63A24BFDCF54EF2A6A082A0A72DE35803E2FF5FF527AE5D87206DFD5"; |
| 52 | + |
| 53 | + // Any TLS Server certificate that is anchored by the Chunghwa |
| 54 | + // root above and is issued after this date will be distrusted. |
| 55 | + private static final LocalDate MARCH_17_2026 = |
| 56 | + LocalDate.of(2026, Month.MARCH, 17); |
| 57 | + |
| 58 | + /** |
| 59 | + * This method assumes the eeCert is a TLS Server Cert and chains back to |
| 60 | + * the anchor. |
| 61 | + * |
| 62 | + * @param chain the end-entity's certificate chain. The end entity cert |
| 63 | + * is at index 0, the trust anchor at index n-1. |
| 64 | + * @throws ValidatorException if the certificate is distrusted |
| 65 | + */ |
| 66 | + static void checkDistrust(X509Certificate[] chain) |
| 67 | + throws ValidatorException { |
| 68 | + X509Certificate anchor = chain[chain.length-1]; |
| 69 | + String fp = fingerprint(anchor); |
| 70 | + if (fp == null) { |
| 71 | + throw new ValidatorException("Cannot generate fingerprint for " |
| 72 | + + "trust anchor of TLS server certificate"); |
| 73 | + } |
| 74 | + if (FINGERPRINT.equalsIgnoreCase(fp)) { |
| 75 | + Date notBefore = chain[0].getNotBefore(); |
| 76 | + LocalDate ldNotBefore = LocalDate.ofInstant(notBefore.toInstant(), |
| 77 | + ZoneOffset.UTC); |
| 78 | + // reject if certificate is issued after March 17, 2026 |
| 79 | + checkNotBefore(ldNotBefore, MARCH_17_2026, anchor); |
| 80 | + } |
| 81 | + } |
| 82 | + |
| 83 | + private static String fingerprint(X509Certificate cert) { |
| 84 | + return X509CertImpl.getFingerprint("SHA-256", cert, debug); |
| 85 | + } |
| 86 | + |
| 87 | + // Check whether the certificate's notBeforeDate is after the |
| 88 | + // distrust date for the anchor (root CA). Throw ValidatorException |
| 89 | + // if it is after the distrust date. |
| 90 | + private static void checkNotBefore(LocalDate notBeforeDate, |
| 91 | + LocalDate distrustDate, X509Certificate anchor) |
| 92 | + throws ValidatorException { |
| 93 | + if (notBeforeDate.isAfter(distrustDate)) { |
| 94 | + throw new ValidatorException |
| 95 | + ("TLS Server certificate issued after " + distrustDate + |
| 96 | + " and anchored by a distrusted legacy Chunghwa root CA: " |
| 97 | + + anchor.getSubjectX500Principal(), |
| 98 | + ValidatorException.T_UNTRUSTED_CERT, anchor); |
| 99 | + } |
| 100 | + } |
| 101 | + |
| 102 | + private ChunghwaTLSPolicy() {} |
| 103 | +} |
0 commit comments