8207258: Distrust TLS server certificates anchored by Symantec Root CAs

Summary: Add class CADistrustPolicy and distrust Symantec.
Reviewed-by: weijun

4 files changed, 323 insertions, 12 deletions

diff --git a/src/share/classes/sun/security/validator/CADistrustPolicy.java b/src/share/classes/sun/security/validator/CADistrustPolicy.java
new file mode 100644
index 0000000000..b1b59b2015
--- /dev/null
+++ b/src/share/classes/sun/security/validator/CADistrustPolicy.java
@@ -0,0 +1,105 @@
+/*
+ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+package sun.security.validator;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+import java.security.Security;
+import java.security.cert.X509Certificate;
+import java.util.EnumSet;
+
+import sun.security.util.Debug;
+
+/**
+ * Policies for distrusting a certificate authority (CA). See the
+ * jdk.security.caDistrustPolicies security property for more information.
+ */
+enum CADistrustPolicy {
+    /**
+     * Distrust TLS Server certificates anchored by a Symantec root CA and
+     * issued after April 16, 2019 (with exceptions for a couple of subordinate
+     * CAs, see the jdk.security.caDistrustPolicies definition in the
+     * java.security file for more details). If enabled, this policy is
+     * currently enforced by the PKIX and SunX509 TrustManager implementations
+     * of the SunJSSE provider implementation.
+     */
+    SYMANTEC_TLS {
+        void checkDistrust(String variant, X509Certificate[] chain)
+                           throws ValidatorException {
+            if (!variant.equals(Validator.VAR_TLS_SERVER)) {
+                return;
+            }
+            SymantecTLSPolicy.checkDistrust(chain);
+        }
+    };
+
+    /**
+     * Checks if the end-entity certificate is distrusted.
+     *
+     * @param variant the type of certificate being checked
+     * @param chain the end-entity's certificate chain. The end entity cert
+     *              is at index 0, the trust anchor at index n-1.
+     * @throws ValidatorException if the end-entity certificate is distrusted
+     */
+    abstract void checkDistrust(String variant,
+                                X509Certificate[] chain)
+                                throws ValidatorException;
+
+    // The policies set in the jdk.security.caDistrustPolicies property.
+    static final EnumSet<CADistrustPolicy> POLICIES = parseProperty();
+    private static EnumSet<CADistrustPolicy> parseProperty() {
+        String property = AccessController.doPrivileged(
+            new PrivilegedAction<String>() {
+                @Override
+                public String run() {
+                    return Security.getProperty(
+                        "jdk.security.caDistrustPolicies");
+                }
+            });
+        EnumSet<CADistrustPolicy> set = EnumSet.noneOf(CADistrustPolicy.class);
+        // if property is null or empty, the restrictions are not enforced
+        if (property == null || property.isEmpty()) {
+            return set;
+        }
+        String[] policies = property.split(",");
+        for (String policy : policies) {
+            policy = policy.trim();
+            try {
+                CADistrustPolicy caPolicy =
+                    Enum.valueOf(CADistrustPolicy.class, policy);
+                set.add(caPolicy);
+            } catch (IllegalArgumentException iae) {
+                // ignore unknown values but log it
+                Debug debug = Debug.getInstance("certpath");
+                if (debug != null) {
+                    debug.println("Unknown value for the " +
+                                  "jdk.security.caDistrustPolicies property: "
+                                  + policy);
+                }
+            }
+        }
+        return set;
+    }
+}
diff --git a/src/share/classes/sun/security/validator/EndEntityChecker.java b/src/share/classes/sun/security/validator/EndEntityChecker.java
index 0ecdaa18b5..9e9d3e6293 100644
--- a/src/share/classes/sun/security/validator/EndEntityChecker.java
+++ b/src/share/classes/sun/security/validator/EndEntityChecker.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -132,25 +132,26 @@ class EndEntityChecker {
         return new EndEntityChecker(type, variant);
     }
 
-    void check(X509Certificate cert, Object parameter,
-            boolean checkUnresolvedCritExts) throws CertificateException {
+    void check(X509Certificate[] chain, Object parameter,
+            boolean checkUnresolvedCritExts)
+            throws CertificateException {
         if (variant.equals(Validator.VAR_GENERIC)) {
             return; // no checks
         }
 
-        Set<String> exts = getCriticalExtensions(cert);
+        Set<String> exts = getCriticalExtensions(chain[0]);
         if (variant.equals(Validator.VAR_TLS_SERVER)) {
-            checkTLSServer(cert, (String)parameter, exts);
+            checkTLSServer(chain[0], (String)parameter, exts);
         } else if (variant.equals(Validator.VAR_TLS_CLIENT)) {
-            checkTLSClient(cert, exts);
+            checkTLSClient(chain[0], exts);
         } else if (variant.equals(Validator.VAR_CODE_SIGNING)) {
-            checkCodeSigning(cert, exts);
+            checkCodeSigning(chain[0], exts);
         } else if (variant.equals(Validator.VAR_JCE_SIGNING)) {
-            checkCodeSigning(cert, exts);
+            checkCodeSigning(chain[0], exts);
         } else if (variant.equals(Validator.VAR_PLUGIN_CODE_SIGNING)) {
-            checkCodeSigning(cert, exts);
+            checkCodeSigning(chain[0], exts);
         } else if (variant.equals(Validator.VAR_TSA_SERVER)) {
-            checkTSAServer(cert, exts);
+            checkTSAServer(chain[0], exts);
         } else {
             throw new CertificateException("Unknown variant: " + variant);
         }
@@ -159,6 +160,12 @@ class EndEntityChecker {
         if (checkUnresolvedCritExts) {
             checkRemainingExtensions(exts);
         }
+
+        // check if certificate should be distrusted according to policies
+        // set in the jdk.security.caDistrustPolicies security property
+        for (CADistrustPolicy policy : CADistrustPolicy.POLICIES) {
+            policy.checkDistrust(variant, chain);
+        }
     }
 
     /**
diff --git a/src/share/classes/sun/security/validator/SymantecTLSPolicy.java b/src/share/classes/sun/security/validator/SymantecTLSPolicy.java
new file mode 100644
index 0000000000..14eee2bd99
--- /dev/null
+++ b/src/share/classes/sun/security/validator/SymantecTLSPolicy.java
@@ -0,0 +1,199 @@
+/*
+ * Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+package sun.security.validator;
+
+import java.security.cert.X509Certificate;
+import java.time.LocalDate;
+import java.time.Month;
+import java.time.ZoneOffset;
+import java.util.Arrays;
+import java.util.Date;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import sun.security.x509.X509CertImpl;
+
+/**
+ * This class checks if Symantec issued TLS Server certificates should be
+ * restricted.
+ */
+final class SymantecTLSPolicy {
+    private static final LocalDate DECEMBER_31_2019 =
+        LocalDate.of(2019, Month.DECEMBER, 31);
+    // SHA-256 certificate fingerprints of subCAs with later distrust dates
+    private static final Map<String, LocalDate> EXEMPT_SUBCAS = new HashMap();
+    static {
+        // Subject DN: C=US, O=Apple Inc., OU=Certification Authority,
+        //             CN=Apple IST CA 2 - G1
+        // Issuer DN: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
+        EXEMPT_SUBCAS.put("AC2B922ECFD5E01711772FEA8ED372DE9D1E2245FCE3F57A9CDBEC77296A424B",
+                          DECEMBER_31_2019);
+
+
+        // Subject DN: C=US, O=Apple Inc., OU=Certification Authority,
+        //             CN=Apple IST CA 8 - G1
+        // Issuer DN: CN=GeoTrust Primary Certification Authority - G2,
+        //            OU=(c) 2007 GeoTrust Inc. - For authorized use only,
+        //            O=GeoTrust Inc., C=US
+        EXEMPT_SUBCAS.put("A4FE7C7F15155F3F0AEF7AAA83CF6E06DEB97CA3F909DF920AC1490882D488ED",
+                          DECEMBER_31_2019);
+    }
+
+    // SHA-256 certificate fingerprints of distrusted roots
+    private static final Set<String> FINGERPRINTS = new HashSet<>(Arrays.asList(
+        // cacerts alias: geotrustglobalca
+        // DN: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
+        "FF856A2D251DCD88D36656F450126798CFABAADE40799C722DE4D2B5DB36A73A",
+        // cacerts alias: geotrustprimaryca
+        // DN: CN=GeoTrust Primary Certification Authority,
+        //     O=GeoTrust Inc., C=US
+        "37D51006C512EAAB626421F1EC8C92013FC5F82AE98EE533EB4619B8DEB4D06C",
+        // cacerts alias: geotrustprimarycag2
+        // DN: CN=GeoTrust Primary Certification Authority - G2,
+        //     OU=(c) 2007 GeoTrust Inc. - For authorized use only,
+        //     O=GeoTrust Inc., C=US
+        "5EDB7AC43B82A06A8761E8D7BE4979EBF2611F7DD79BF91C1C6B566A219ED766",
+        // cacerts alias: geotrustprimarycag3
+        // DN: CN=GeoTrust Primary Certification Authority - G3,
+        //     OU=(c) 2008 GeoTrust Inc. - For authorized use only,
+        //     O=GeoTrust Inc., C=US
+        "B478B812250DF878635C2AA7EC7D155EAA625EE82916E2CD294361886CD1FBD4",
+        // cacerts alias: geotrustuniversalca
+        // DN: CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US
+        "A0459B9F63B22559F5FA5D4C6DB3F9F72FF19342033578F073BF1D1B46CBB912",
+        // cacerts alias: thawteprimaryrootca
+        // DN: CN=thawte Primary Root CA,
+        //     OU="(c) 2006 thawte, Inc. - For authorized use only",
+        //     OU=Certification Services Division, O="thawte, Inc.", C=US
+        "8D722F81A9C113C0791DF136A2966DB26C950A971DB46B4199F4EA54B78BFB9F",
+        // cacerts alias: thawteprimaryrootcag2
+        // DN: CN=thawte Primary Root CA - G2,
+        //     OU="(c) 2007 thawte, Inc. - For authorized use only",
+        //     O="thawte, Inc.", C=US
+        "A4310D50AF18A6447190372A86AFAF8B951FFB431D837F1E5688B45971ED1557",
+        // cacerts alias: thawteprimaryrootcag3
+        // DN: CN=thawte Primary Root CA - G3,
+        //     OU="(c) 2008 thawte, Inc. - For authorized use only",
+        //     OU=Certification Services Division, O="thawte, Inc.", C=US
+        "4B03F45807AD70F21BFC2CAE71C9FDE4604C064CF5FFB686BAE5DBAAD7FDD34C",
+        // cacerts alias: thawtepremiumserverca
+        // DN: EMAILADDRESS=premium-server@thawte.com,
+        //     CN=Thawte Premium Server CA, OU=Certification Services Division,
+        //     O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
+        "3F9F27D583204B9E09C8A3D2066C4B57D3A2479C3693650880505698105DBCE9",
+        // cacerts alias: verisignclass2g2ca
+        // DN: OU=VeriSign Trust Network,
+        //     OU="(c) 1998 VeriSign, Inc. - For authorized use only",
+        //     OU=Class 2 Public Primary Certification Authority - G2,
+        //     O="VeriSign, Inc.", C=US
+        "3A43E220FE7F3EA9653D1E21742EAC2B75C20FD8980305BC502CAF8C2D9B41A1",
+        // cacerts alias: verisignclass3ca
+        // DN: OU=Class 3 Public Primary Certification Authority,
+        //     O="VeriSign, Inc.", C=US
+        "A4B6B3996FC2F306B3FD8681BD63413D8C5009CC4FA329C2CCF0E2FA1B140305",
+        // cacerts alias: verisignclass3g2ca
+        // DN: OU=VeriSign Trust Network,
+        //     OU="(c) 1998 VeriSign, Inc. - For authorized use only",
+        //     OU=Class 3 Public Primary Certification Authority - G2,
+        //     O="VeriSign, Inc.", C=US
+        "83CE3C1229688A593D485F81973C0F9195431EDA37CC5E36430E79C7A888638B",
+        // cacerts alias: verisignclass3g3ca
+        // DN: CN=VeriSign Class 3 Public Primary Certification Authority - G3,
+        //     OU="(c) 1999 VeriSign, Inc. - For authorized use only",
+        //     OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
+        "EB04CF5EB1F39AFA762F2BB120F296CBA520C1B97DB1589565B81CB9A17B7244",
+        // cacerts alias: verisignclass3g4ca
+        // DN: CN=VeriSign Class 3 Public Primary Certification Authority - G4,
+        //     OU="(c) 2007 VeriSign, Inc. - For authorized use only",
+        //     OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
+        "69DDD7EA90BB57C93E135DC85EA6FCD5480B603239BDC454FC758B2A26CF7F79",
+        // cacerts alias: verisignclass3g5ca
+        // DN: CN=VeriSign Class 3 Public Primary Certification Authority - G5,
+        //     OU="(c) 2006 VeriSign, Inc. - For authorized use only",
+        //     OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
+        "9ACFAB7E43C8D880D06B262A94DEEEE4B4659989C3D0CAF19BAF6405E41AB7DF",
+        // cacerts alias: verisignuniversalrootca
+        // DN: CN=VeriSign Universal Root Certification Authority,
+        //     OU="(c) 2008 VeriSign, Inc. - For authorized use only",
+        //     OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
+        "2399561127A57125DE8CEFEA610DDF2FA078B5C8067F4E828290BFB860E84B3C"
+    ));
+
+    // Any TLS Server certificate that is anchored by one of the Symantec
+    // roots above and is issued after this date will be distrusted.
+    private static final LocalDate APRIL_16_2019 =
+        LocalDate.of(2019, Month.APRIL, 16);
+
+    /**
+     * This method assumes the eeCert is a TLS Server Cert and chains back to
+     * the anchor.
+     *
+     * @param chain the end-entity's certificate chain. The end entity cert
+     *              is at index 0, the trust anchor at index n-1.
+     * @throws ValidatorException if the certificate is distrusted
+     */
+    static void checkDistrust(X509Certificate[] chain)
+                              throws ValidatorException {
+        X509Certificate anchor = chain[chain.length-1];
+        if (FINGERPRINTS.contains(fingerprint(anchor))) {
+            Date notBefore = chain[0].getNotBefore();
+            LocalDate ldNotBefore = notBefore.toInstant().atZone(ZoneOffset.UTC).toLocalDate();
+
+            // check if chain goes through one of the subCAs
+            if (chain.length > 2) {
+                X509Certificate subCA = chain[chain.length - 2];
+                LocalDate distrustDate = EXEMPT_SUBCAS.get(fingerprint(subCA));
+                if (distrustDate != null) {
+                    // reject if certificate is issued after specified date
+                    checkNotBefore(ldNotBefore, distrustDate, anchor);
+                    return; // success
+                }
+            }
+            // reject if certificate is issued after April 16, 2019
+            checkNotBefore(ldNotBefore, APRIL_16_2019, anchor);
+        }
+    }
+
+    private static String fingerprint(X509Certificate cert) {
+        return (cert instanceof X509CertImpl)
+               ? ((X509CertImpl)cert).getFingerprint("SHA-256")
+               : X509CertImpl.getFingerprint("SHA-256", cert);
+    }
+
+    private static void checkNotBefore(LocalDate notBeforeDate,
+            LocalDate distrustDate, X509Certificate anchor)
+            throws ValidatorException {
+        if (notBeforeDate.isAfter(distrustDate)) {
+            throw new ValidatorException
+                    ("TLS Server certificate issued after " + distrustDate +
+                     " and anchored by a distrusted legacy Symantec root CA: "
+                     + anchor.getSubjectX500Principal(),
+                     ValidatorException.T_UNTRUSTED_CERT, anchor);
+        }
+    }
+    private SymantecTLSPolicy() {}
+}
diff --git a/src/share/classes/sun/security/validator/Validator.java b/src/share/classes/sun/security/validator/Validator.java
index dd880a7b2d..c96454d1ab 100644
--- a/src/share/classes/sun/security/validator/Validator.java
+++ b/src/share/classes/sun/security/validator/Validator.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -271,7 +271,7 @@ public abstract class Validator {
             // redundant.
             boolean checkUnresolvedCritExts =
                     (type == TYPE_PKIX) ? false : true;
-            endEntityChecker.check(chain[0], parameter,
+            endEntityChecker.check(chain, parameter,
                                    checkUnresolvedCritExts);
         }