From fd8c7f484cb1efa0fb2f9200014e43f0668a1eea Mon Sep 17 00:00:00 2001 From: Syed Yusuf Date: Fri, 16 Jul 2021 04:01:08 +0530 Subject: [PATCH 1/9] [DE485106] While writing the outstream, again boundary was getting assigned. Due to that duplicate boundary is getting added in the request while sending multipart data. --- .../src/main/java/com/ca/mas/foundation/MASRequestBody.java | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/mas-foundation/src/main/java/com/ca/mas/foundation/MASRequestBody.java b/mas-foundation/src/main/java/com/ca/mas/foundation/MASRequestBody.java index cce58fbe9..77bec7107 100755 --- a/mas-foundation/src/main/java/com/ca/mas/foundation/MASRequestBody.java +++ b/mas-foundation/src/main/java/com/ca/mas/foundation/MASRequestBody.java @@ -375,7 +375,7 @@ public ContentType getContentType() { @Override public long getContentLength() { - return content.length + multipart_separator.length(); + return content.length; } @Override @@ -397,8 +397,7 @@ public void write(OutputStream outputStream) throws IOException { progressListener.onProgress("" + (int) ((progress * 100) / content.length)); // sending progress percent to publishProgress } } - outputStream.write((multipart_separator).getBytes()); - outputStream.flush(); + if (progressListener != null) { progressListener.onComplete(); } From 50326cd0d851998800b9a7c615cf95849a948ef6 Mon Sep 17 00:00:00 2001 From: am654971 Date: Tue, 30 Mar 2021 11:51:45 +0530 Subject: [PATCH 2/9] Added the codes for the fix given by Oracle for Parsing the cipher issue in Turkish Language --- .../sun/security/pkcs/PKCS9Attribute.java | 346 +++++++-------- .../main/java/sun/security/util/Debug.java | 27 +- .../src/main/java/sun/security/x509/AVA.java | 191 ++++---- .../java/sun/security/x509/AlgorithmId.java | 420 ++++++++++-------- .../main/java/sun/security/x509/DNSName.java | 27 +- .../java/sun/security/x509/RFC822Name.java | 17 +- 6 files changed, 542 insertions(+), 486 deletions(-) 
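Review bot: Dropping `outputStream.flush()` together with the separator write leaves the bytes of the last loop iteration unflushed at the point `progressListener.onComplete()` is reported, so a listener can observe completion while the body is still sitting in a buffered stream; unless the caller is known to flush, keep `outputStream.flush();` ahead of the `if (progressListener != null)` block. The context line `progressListener.onProgress("" + (int) ((progress * 100) / content.length))` divides by `content.length`, so an empty body would throw ArithmeticException — if zero-length bodies can reach `write`, guard the progress report with `content.length > 0`. Both MASRequestBody.java hunks sit on this line; `write` begins before the second hunk, and `getContentLength` now agreeing with the bytes actually written is the fix itself, not something to redo.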
diff --git a/mas-foundation/src/main/java/sun/security/pkcs/PKCS9Attribute.java b/mas-foundation/src/main/java/sun/security/pkcs/PKCS9Attribute.java index cf914784d..4f8096217 100644 --- a/mas-foundation/src/main/java/sun/security/pkcs/PKCS9Attribute.java +++ b/mas-foundation/src/main/java/sun/security/pkcs/PKCS9Attribute.java @@ -1,12 +1,12 @@ /* - * Copyright 1997-2006 Sun Microsystems, Inc. All Rights Reserved. + * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Sun designates this + * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided - * by Sun in the LICENSE file that accompanied this code. + * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or @@ -18,9 +18,9 @@ * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * - * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, - * CA 95054 USA or visit www.sun.com if you need additional information or - * have any questions. + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. */ package sun.security.pkcs; 
@@ -28,17 +28,17 @@ import java.io.IOException; import java.io.OutputStream; import java.security.cert.CertificateException; +import java.util.Locale; import java.util.Date; import java.util.Hashtable; - -import sun.misc.HexDumpEncoder; +import sun.security.x509.CertificateExtensions; import sun.security.util.Debug; import sun.security.util.DerEncoder; +import sun.security.util.DerValue; import sun.security.util.DerInputStream; import sun.security.util.DerOutputStream; -import sun.security.util.DerValue; import sun.security.util.ObjectIdentifier; -import sun.security.x509.CertificateExtensions; +import sun.misc.HexDumpEncoder; /** * Class supporting any PKCS9 attributes. @@ -188,14 +188,14 @@ public class PKCS9Attribute implements DerEncoder { static { // static initializer for PKCS9_OIDS for (int i = 1; i < PKCS9_OIDS.length - 2; i++) { PKCS9_OIDS[i] = - ObjectIdentifier.newInternal(new int[]{1,2,840,113549,1,9,i}); + ObjectIdentifier.newInternal(new int[]{1,2,840,113549,1,9,i}); } // Initialize SigningCertificate and SignatureTimestampToken // separately (because their values are out of sequence) PKCS9_OIDS[PKCS9_OIDS.length - 2] = - ObjectIdentifier.newInternal(new int[]{1,2,840,113549,1,9,16,2,12}); + ObjectIdentifier.newInternal(new int[]{1,2,840,113549,1,9,16,2,12}); PKCS9_OIDS[PKCS9_OIDS.length - 1] = - ObjectIdentifier.newInternal(new int[]{1,2,840,113549,1,9,16,2,14}); + ObjectIdentifier.newInternal(new int[]{1,2,840,113549,1,9,16,2,14}); } // first element [0] not used 
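Review bot: The import block is re-sorted by hand in a way that leaves it unordered — `java.util.Locale` lands before `java.util.Date`, `sun.security.util.DerValue` before `DerInputStream`, and `sun.misc.HexDumpEncoder` moves from the head of the `sun.*` group to its tail — while the only functional addition is `import java.util.Locale;`. Keeping the original order and inserting `import java.util.Locale;` after `import java.util.Hashtable;` would confine the diff to the intended change. The same reshuffle appears in Debug.java's import hunk, where `java.util.regex.Matcher` now follows `Pattern`. The remaining hunks on this line only re-indent continuation lines.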
@@ -208,7 +208,7 @@ public class PKCS9Attribute implements DerEncoder { public static final ObjectIdentifier CHALLENGE_PASSWORD_OID = PKCS9_OIDS[7]; public static final ObjectIdentifier UNSTRUCTURED_ADDRESS_OID = PKCS9_OIDS[8]; public static final ObjectIdentifier EXTENDED_CERTIFICATE_ATTRIBUTES_OID - = PKCS9_OIDS[9]; + = PKCS9_OIDS[9]; public static final ObjectIdentifier ISSUER_SERIALNUMBER_OID = PKCS9_OIDS[10]; // [11], [12] are RSA DSI proprietary // [13] ==> signingDescription, S/MIME, not used anymore @@ -216,7 +216,7 @@ public class PKCS9Attribute implements DerEncoder { public static final ObjectIdentifier SMIME_CAPABILITY_OID = PKCS9_OIDS[15]; public static final ObjectIdentifier SIGNING_CERTIFICATE_OID = PKCS9_OIDS[16]; public static final ObjectIdentifier SIGNATURE_TIMESTAMP_TOKEN_OID = - PKCS9_OIDS[17]; + PKCS9_OIDS[17]; public static final String EMAIL_ADDRESS_STR = "EmailAddress"; public static final String UNSTRUCTURED_NAME_STR = "UnstructuredName"; public static final String CONTENT_TYPE_STR = "ContentType"; @@ -226,7 +226,7 @@ public class PKCS9Attribute implements DerEncoder { public static final String CHALLENGE_PASSWORD_STR = "ChallengePassword"; public static final String UNSTRUCTURED_ADDRESS_STR = "UnstructuredAddress"; public static final String EXTENDED_CERTIFICATE_ATTRIBUTES_STR = - "ExtendedCertificateAttributes"; + "ExtendedCertificateAttributes"; public static final String ISSUER_SERIALNUMBER_STR = "IssuerAndSerialNumber"; // [11], [12] are RSA DSI proprietary private static final String RSA_PROPRIETARY_STR = "RSAProprietary"; @@ -236,7 +236,7 @@ public class PKCS9Attribute implements DerEncoder { public static final String SMIME_CAPABILITY_STR = "SMIMECapability"; public static final String SIGNING_CERTIFICATE_STR = "SigningCertificate"; public static final String SIGNATURE_TIMESTAMP_TOKEN_STR = - "SignatureTimestampToken"; + "SignatureTimestampToken"; /** * Hashtable mapping names and variant names of supported 
@@ -244,7 +244,7 @@ public class PKCS9Attribute implements DerEncoder { * that occur in PKCS9, in lower case. */ private static final Hashtable NAME_OID_TABLE = - new Hashtable(18); + new Hashtable(18); static { // static initializer for PCKS9_NAMES NAME_OID_TABLE.put("emailaddress", PKCS9_OIDS[1]); @@ -271,7 +271,7 @@ public class PKCS9Attribute implements DerEncoder { * corresponding attribute value type. */ private static final Hashtable OID_NAME_TABLE = - new Hashtable(16); + new Hashtable(16); static { OID_NAME_TABLE.put(PKCS9_OIDS[1], EMAIL_ADDRESS_STR); OID_NAME_TABLE.put(PKCS9_OIDS[2], UNSTRUCTURED_NAME_STR); 
@@ -298,26 +298,26 @@ public class PKCS9Attribute implements DerEncoder { * Sets of acceptable tags are represented as arrays. */ private static final Byte[][] PKCS9_VALUE_TAGS = { - null, - {new Byte(DerValue.tag_IA5String)}, // EMailAddress - {new Byte(DerValue.tag_IA5String)}, // UnstructuredName - {new Byte(DerValue.tag_ObjectId)}, // ContentType - {new Byte(DerValue.tag_OctetString)}, // MessageDigest - {new Byte(DerValue.tag_UtcTime)}, // SigningTime - {new Byte(DerValue.tag_Sequence)}, // Countersignature - {new Byte(DerValue.tag_PrintableString), - new Byte(DerValue.tag_T61String)}, // ChallengePassword - {new Byte(DerValue.tag_PrintableString), - new Byte(DerValue.tag_T61String)}, // UnstructuredAddress - {new Byte(DerValue.tag_SetOf)}, // ExtendedCertificateAttributes - {new Byte(DerValue.tag_Sequence)}, // issuerAndSerialNumber - null, - null, - null, - {new Byte(DerValue.tag_Sequence)}, // extensionRequest - {new Byte(DerValue.tag_Sequence)}, // SMIMECapability - {new Byte(DerValue.tag_Sequence)}, // SigningCertificate - {new Byte(DerValue.tag_Sequence)} // SignatureTimestampToken + null, + {new Byte(DerValue.tag_IA5String)}, // EMailAddress + {new Byte(DerValue.tag_IA5String)}, // UnstructuredName + {new Byte(DerValue.tag_ObjectId)}, // ContentType + {new Byte(DerValue.tag_OctetString)}, // MessageDigest + {new Byte(DerValue.tag_UtcTime)}, // SigningTime + {new Byte(DerValue.tag_Sequence)}, // Countersignature + {new Byte(DerValue.tag_PrintableString), + new Byte(DerValue.tag_T61String)}, // ChallengePassword + {new Byte(DerValue.tag_PrintableString), + new Byte(DerValue.tag_T61String)}, // UnstructuredAddress + {new Byte(DerValue.tag_SetOf)}, // ExtendedCertificateAttributes + {new Byte(DerValue.tag_Sequence)}, // issuerAndSerialNumber + null, + null, + null, + {new Byte(DerValue.tag_Sequence)}, // extensionRequest + {new Byte(DerValue.tag_Sequence)}, // SMIMECapability + {new Byte(DerValue.tag_Sequence)}, // SigningCertificate + {new 
Byte(DerValue.tag_Sequence)} // SignatureTimestampToken }; private static final Class[] VALUE_CLASSES = new Class[18]; @@ -330,13 +330,13 @@ public class PKCS9Attribute implements DerEncoder { VALUE_CLASSES[1] = str; // EMailAddress VALUE_CLASSES[2] = str; // UnstructuredName VALUE_CLASSES[3] = // ContentType - Class.forName("sun.security.util.ObjectIdentifier"); + Class.forName("sun.security.util.ObjectIdentifier"); VALUE_CLASSES[4] = Class.forName("[B"); // MessageDigest (byte[]) VALUE_CLASSES[5] = Class.forName("java.util.Date"); // SigningTime VALUE_CLASSES[6] = // Countersignature - Class.forName("[Lsun.security.pkcs.SignerInfo;"); + Class.forName("[Lsun.security.pkcs.SignerInfo;"); VALUE_CLASSES[7] = // ChallengePassword - Class.forName("java.lang.String"); + Class.forName("java.lang.String"); VALUE_CLASSES[8] = str; // UnstructuredAddress VALUE_CLASSES[9] = null; // ExtendedCertificateAttributes VALUE_CLASSES[10] = null; // IssuerAndSerialNumber @@ -344,7 +344,7 @@ public class PKCS9Attribute implements DerEncoder { VALUE_CLASSES[12] = null; // not used VALUE_CLASSES[13] = null; // not used VALUE_CLASSES[14] = // ExtensionRequest - Class.forName("sun.security.x509.CertificateExtensions"); + Class.forName("sun.security.x509.CertificateExtensions"); VALUE_CLASSES[15] = null; // not supported yet VALUE_CLASSES[16] = null; // not supported yet VALUE_CLASSES[17] = Class.forName("[B"); // SignatureTimestampToken 
@@ -358,24 +358,24 @@ public class PKCS9Attribute implements DerEncoder { * by index in PKCS9_OIDS. */ private static final boolean[] SINGLE_VALUED = { - false, - false, // EMailAddress - false, // UnstructuredName - true, // ContentType - true, // MessageDigest - true, // SigningTime - false, // Countersignature - true, // ChallengePassword - false, // UnstructuredAddress - false, // ExtendedCertificateAttributes - true, // IssuerAndSerialNumber - not supported yet - false, // not used - false, // not used - false, // not used - true, // ExtensionRequest - true, // SMIMECapability - not supported yet - true, // SigningCertificate - true // SignatureTimestampToken + false, + false, // EMailAddress + false, // UnstructuredName + true, // ContentType + true, // MessageDigest + true, // SigningTime + false, // Countersignature + true, // ChallengePassword + false, // UnstructuredAddress + false, // ExtendedCertificateAttributes + true, // IssuerAndSerialNumber - not supported yet + false, // not used + false, // not used + false, // not used + true, // ExtensionRequest + true, // SMIMECapability - not supported yet + true, // SigningCertificate + true // SignatureTimestampToken }; /** @@ -402,7 +402,7 @@ public class PKCS9Attribute implements DerEncoder { * */ public PKCS9Attribute(ObjectIdentifier oid, Object value) - throws IllegalArgumentException { + throws IllegalArgumentException { init(oid, value); } 
@@ -423,34 +423,34 @@ public PKCS9Attribute(ObjectIdentifier oid, Object value) * value has the wrong type. */ public PKCS9Attribute(String name, Object value) - throws IllegalArgumentException { + throws IllegalArgumentException { ObjectIdentifier oid = getOID(name); if (oid == null) throw new IllegalArgumentException( - "Unrecognized attribute name " + name + - " constructing PKCS9Attribute."); + "Unrecognized attribute name " + name + + " constructing PKCS9Attribute."); init(oid, value); } private void init(ObjectIdentifier oid, Object value) - throws IllegalArgumentException { + throws IllegalArgumentException { index = indexOf(oid, PKCS9_OIDS, 1); if (index == -1) throw new IllegalArgumentException( - "Unsupported OID " + oid + - " constructing PKCS9Attribute."); + "Unsupported OID " + oid + + " constructing PKCS9Attribute."); if (!VALUE_CLASSES[index].isInstance(value)) - throw new IllegalArgumentException( - "Wrong value class " + - " for attribute " + oid + - " constructing PKCS9Attribute; was " + - value.getClass().toString() + ", should be " + - VALUE_CLASSES[index].toString()); + throw new IllegalArgumentException( + "Wrong value class " + + " for attribute " + oid + + " constructing PKCS9Attribute; was " + + value.getClass().toString() + ", should be " + + VALUE_CLASSES[index].toString()); this.value = value; } @@ -460,7 +460,7 @@ private void init(ObjectIdentifier oid, Object value) * Construct a PKCS9Attribute from its encoding on an input * stream. * - * @param derVal the DerValue representing the DER encoding of the attribute. + * @param val the DerValue representing the DER encoding of the attribute. * @exception IOException on parsing error. */ public PKCS9Attribute(DerValue derVal) throws IOException { 
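Review bot: The Javadoc of `PKCS9Attribute(DerValue derVal)` is changed to `@param val ...` while the parameter on the signature line directly below is still named `derVal`, so the tag no longer refers to an existing parameter and javadoc/doclint will report it. Either keep `* @param derVal the DerValue representing the DER encoding of the attribute.` or rename the parameter consistently in the constructor body, which continues beyond the hunk. The other hunks on this line are re-indentation only.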
@@ -499,9 +499,9 @@ public PKCS9Attribute(DerValue derVal) throws IOException { } switch (index) { - case 1: // email address - case 2: // unstructured name - case 8: // unstructured address + case 1: // email address + case 2: // unstructured name + case 8: // unstructured address { // open scope String[] values = new String[elems.length]; 
@@ -511,66 +511,66 @@ public PKCS9Attribute(DerValue derVal) throws IOException { } // close scope break; - case 3: // content type - value = elems[0].getOID(); - break; + case 3: // content type + value = elems[0].getOID(); + break; - case 4: // message digest - value = elems[0].getOctetString(); - break; + case 4: // message digest + value = elems[0].getOctetString(); + break; - case 5: // signing time - value = (new DerInputStream(elems[0].toByteArray())).getUTCTime(); - break; + case 5: // signing time + value = (new DerInputStream(elems[0].toByteArray())).getUTCTime(); + break; - case 6: // countersignature + case 6: // countersignature { // open scope SignerInfo[] values = new SignerInfo[elems.length]; for (int i=0; i < elems.length; i++) values[i] = - new SignerInfo(elems[i].toDerInputStream()); + new SignerInfo(elems[i].toDerInputStream()); value = values; } // close scope break; - case 7: // challenge password - value = elems[0].getAsString(); - break; - - case 9: // extended-certificate attribute -- not supported - throw new IOException("PKCS9 extended-certificate " + - "attribute not supported."); - // break unnecessary - case 10: // issuerAndserialNumber attribute -- not supported - throw new IOException("PKCS9 IssuerAndSerialNumber" + - "attribute not supported."); - // break unnecessary - case 11: // RSA DSI proprietary - case 12: // RSA DSI proprietary - throw new IOException("PKCS9 RSA DSI attributes" + - "11 and 12, not supported."); - // break unnecessary - case 13: // S/MIME unused attribute - throw new IOException("PKCS9 attribute #13 not supported."); - // break unnecessary - - case 14: // ExtensionRequest - value = new CertificateExtensions( - new DerInputStream(elems[0].toByteArray())); - break; - - case 15: // SMIME-capability attribute -- not supported - throw new IOException("PKCS9 SMIMECapability " + - "attribute not supported."); - // break unnecessary - case 16: // SigningCertificate attribute - value = new 
SigningCertificateInfo(elems[0].toByteArray()); - break; - - case 17: // SignatureTimestampToken attribute - value = elems[0].toByteArray(); - break; - default: // can't happen + case 7: // challenge password + value = elems[0].getAsString(); + break; + + case 9: // extended-certificate attribute -- not supported + throw new IOException("PKCS9 extended-certificate " + + "attribute not supported."); + // break unnecessary + case 10: // issuerAndserialNumber attribute -- not supported + throw new IOException("PKCS9 IssuerAndSerialNumber" + + "attribute not supported."); + // break unnecessary + case 11: // RSA DSI proprietary + case 12: // RSA DSI proprietary + throw new IOException("PKCS9 RSA DSI attributes" + + "11 and 12, not supported."); + // break unnecessary + case 13: // S/MIME unused attribute + throw new IOException("PKCS9 attribute #13 not supported."); + // break unnecessary + + case 14: // ExtensionRequest + value = new CertificateExtensions( + new DerInputStream(elems[0].toByteArray())); + break; + + case 15: // SMIME-capability attribute -- not supported + throw new IOException("PKCS9 SMIMECapability " + + "attribute not supported."); + // break unnecessary + case 16: // SigningCertificate attribute + value = new SigningCertificateInfo(elems[0].toByteArray()); + break; + + case 17: // SignatureTimestampToken attribute + value = elems[0].toByteArray(); + break; + default: // can't happen } } @@ -586,12 +586,12 @@ public void derEncode(OutputStream out) throws IOException { DerOutputStream temp = new DerOutputStream(); temp.putOID(getOID()); switch (index) { - case 1: // email address - case 2: // unstructured name + case 1: // email address + case 2: // unstructured name { // open scope String[] values = (String[]) value; DerOutputStream[] temps = new - DerOutputStream[values.length]; + DerOutputStream[values.length]; for (int i=0; i < values.length; i++) { temps[i] = new DerOutputStream(); 
@@ -601,7 +601,7 @@ public void derEncode(OutputStream out) throws IOException { } // close scope break; - case 3: // content type + case 3: // content type { DerOutputStream temp2 = new DerOutputStream(); temp2.putOID((ObjectIdentifier) value); @@ -609,7 +609,7 @@ public void derEncode(OutputStream out) throws IOException { } break; - case 4: // message digest + case 4: // message digest { DerOutputStream temp2 = new DerOutputStream(); temp2.putOctetString((byte[]) value); @@ -617,7 +617,7 @@ public void derEncode(OutputStream out) throws IOException { } break; - case 5: // signing time + case 5: // signing time { DerOutputStream temp2 = new DerOutputStream(); temp2.putUTCTime((Date) value); @@ -625,11 +625,11 @@ public void derEncode(OutputStream out) throws IOException { } break; - case 6: // countersignature - temp.putOrderedSetOf(DerValue.tag_Set, (DerEncoder[]) value); - break; + case 6: // countersignature + temp.putOrderedSetOf(DerValue.tag_Set, (DerEncoder[]) value); + break; - case 7: // challenge password + case 7: // challenge password { DerOutputStream temp2 = new DerOutputStream(); temp2.putPrintableString((String) value); @@ -637,11 +637,11 @@ public void derEncode(OutputStream out) throws IOException { } break; - case 8: // unstructured address + case 8: // unstructured address { // open scope String[] values = (String[]) value; DerOutputStream[] temps = new - DerOutputStream[values.length]; + DerOutputStream[values.length]; for (int i=0; i < values.length; i++) { temps[i] = new DerOutputStream(); 
@@ -651,24 +651,24 @@ public void derEncode(OutputStream out) throws IOException { } // close scope break; - case 9: // extended-certificate attribute -- not supported - throw new IOException("PKCS9 extended-certificate " + - "attribute not supported."); - // break unnecessary - case 10: // issuerAndserialNumber attribute -- not supported - throw new IOException("PKCS9 IssuerAndSerialNumber" + - "attribute not supported."); - // break unnecessary - case 11: // RSA DSI proprietary - case 12: // RSA DSI proprietary - throw new IOException("PKCS9 RSA DSI attributes" + - "11 and 12, not supported."); - // break unnecessary - case 13: // S/MIME unused attribute - throw new IOException("PKCS9 attribute #13 not supported."); - // break unnecessary - - case 14: // ExtensionRequest + case 9: // extended-certificate attribute -- not supported + throw new IOException("PKCS9 extended-certificate " + + "attribute not supported."); + // break unnecessary + case 10: // issuerAndserialNumber attribute -- not supported + throw new IOException("PKCS9 IssuerAndSerialNumber" + + "attribute not supported."); + // break unnecessary + case 11: // RSA DSI proprietary + case 12: // RSA DSI proprietary + throw new IOException("PKCS9 RSA DSI attributes" + + "11 and 12, not supported."); + // break unnecessary + case 13: // S/MIME unused attribute + throw new IOException("PKCS9 attribute #13 not supported."); + // break unnecessary + + case 14: // ExtensionRequest { DerOutputStream temp2 = new DerOutputStream(); CertificateExtensions exts = (CertificateExtensions)value; 
@@ -680,20 +680,20 @@ public void derEncode(OutputStream out) throws IOException { temp.write(DerValue.tag_Set, temp2.toByteArray()); } break; - case 15: // SMIMECapability - throw new IOException("PKCS9 attribute #15 not supported."); - // break unnecessary + case 15: // SMIMECapability + throw new IOException("PKCS9 attribute #15 not supported."); + // break unnecessary - case 16: // SigningCertificate - throw new IOException( - "PKCS9 SigningCertificate attribute not supported."); - // break unnecessary + case 16: // SigningCertificate + throw new IOException( + "PKCS9 SigningCertificate attribute not supported."); + // break unnecessary - case 17: // SignatureTimestampToken - temp.write(DerValue.tag_Set, (byte[])value); - break; + case 17: // SignatureTimestampToken + temp.write(DerValue.tag_Set, (byte[])value); + break; - default: // can't happen + default: // can't happen } DerOutputStream derOut = new DerOutputStream(); @@ -743,7 +743,7 @@ public String getName() { * the name. */ public static ObjectIdentifier getOID(String name) { - return NAME_OID_TABLE.get(name.toLowerCase()); + return NAME_OID_TABLE.get(name.toLowerCase(Locale.ENGLISH)); } /** @@ -809,8 +809,8 @@ static int indexOf(Object obj, Object[] a, int start) { */ private void throwSingleValuedException() throws IOException { throw new IOException("Single-value attribute " + - getOID() + " (" + getName() + ")" + - " has multiple values."); + getOID() + " (" + getName() + ")" + + " has multiple values."); } /** @@ -818,7 +818,7 @@ private void throwSingleValuedException() throws IOException { * wrong for the attribute whose value it is. */ private void throwTagException(Byte tag) - throws IOException { + throws IOException { Byte[] expectedTags = PKCS9_VALUE_TAGS[index]; StringBuffer msg = new StringBuffer(100); msg.append("Value of attribute "); @@ -838,4 +838,4 @@ private void throwTagException(Byte tag) msg.append("."); throw new IOException(msg.toString()); } -} +} \ No newline at end of file 
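Review bot: `name.toLowerCase(Locale.ENGLISH)` in `getOID` is the actual fix of this patch, yet nothing in the code says why the explicit locale matters, and a later cleanup could easily revert it to the locale-sensitive form. A short comment would pin it down: `// Locale-independent lower-casing: under the Turkish/Azeri default locale "I".toLowerCase() yields dotless ı, so a name such as "IssuerAndSerialNumber" would never match its lower-case NAME_OID_TABLE key.` The same applies to `source.toString().toLowerCase(Locale.ENGLISH)` in Debug.marshal on the following line; `Locale.ROOT` would express the intent equally well in both places. The class's closing brace is also rewritten as `}` with `\ No newline at end of file`, and likewise in Debug.java — restoring the trailing newline avoids a spurious diff on the next edit.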
diff --git a/mas-foundation/src/main/java/sun/security/util/Debug.java b/mas-foundation/src/main/java/sun/security/util/Debug.java index b6165b9b2..2f63ab6c9 100644 --- a/mas-foundation/src/main/java/sun/security/util/Debug.java +++ b/mas-foundation/src/main/java/sun/security/util/Debug.java @@ -1,12 +1,12 @@ /* - * Copyright 1998-2007 Sun Microsystems, Inc. All Rights Reserved. + * Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Sun designates this + * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided - * by Sun in the LICENSE file that accompanied this code. + * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or @@ -18,16 +18,17 @@ * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * - * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, - * CA 95054 USA or visit www.sun.com if you need additional information or - * have any questions. + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. */ package sun.security.util; import java.math.BigInteger; -import java.util.regex.Matcher; import java.util.regex.Pattern; +import java.util.regex.Matcher; +import java.util.Locale; /** * A utility class for debuging. 
@@ -43,17 +44,17 @@ public class Debug { static { args = java.security.AccessController.doPrivileged (new sun.security.action.GetPropertyAction - ("java.security.debug")); + ("java.security.debug")); String args2 = java.security.AccessController.doPrivileged (new sun.security.action.GetPropertyAction - ("java.security.auth.debug")); + ("java.security.auth.debug")); if (args == null) { args = args2; } else { if (args2 != null) - args = args + "," + args2; + args = args + "," + args2; } if (args != null) { @@ -222,7 +223,7 @@ private static String marshal(String args) { String keyReg = "[Pp][Ee][Rr][Mm][Ii][Ss][Ss][Ii][Oo][Nn]="; String keyStr = "permission="; String reg = keyReg + - "[a-zA-Z_$][a-zA-Z0-9_$]*([.][a-zA-Z_$][a-zA-Z0-9_$]*)*"; + "[a-zA-Z_$][a-zA-Z0-9_$]*([.][a-zA-Z_$][a-zA-Z0-9_$]*)*"; Pattern pattern = Pattern.compile(reg); Matcher matcher = pattern.matcher(source); StringBuffer left = new StringBuffer(); @@ -262,7 +263,7 @@ private static String marshal(String args) { source = left; // convert the rest to lower-case characters - target.append(source.toString().toLowerCase()); + target.append(source.toString().toLowerCase(Locale.ENGLISH)); return target.toString(); } @@ -288,4 +289,4 @@ public static String toString(byte[] b) { return sb.toString(); } -} +} \ No newline at end of file diff --git a/mas-foundation/src/main/java/sun/security/x509/AVA.java b/mas-foundation/src/main/java/sun/security/x509/AVA.java index a17ca4de8..26ed6f02a 100644 --- a/mas-foundation/src/main/java/sun/security/x509/AVA.java +++ b/mas-foundation/src/main/java/sun/security/x509/AVA.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2006, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
@@ -31,21 +31,11 @@ import java.io.Reader; import java.security.AccessController; import java.text.Normalizer; -import java.util.ArrayList; -import java.util.Collections; -import java.util.HashMap; -import java.util.List; -import java.util.Locale; -import java.util.Map; +import java.util.*; import sun.security.action.GetBooleanAction; +import sun.security.util.*; import sun.security.pkcs.PKCS9Attribute; -import sun.security.util.Debug; -import sun.security.util.DerEncoder; -import sun.security.util.DerInputStream; -import sun.security.util.DerOutputStream; -import sun.security.util.DerValue; -import sun.security.util.ObjectIdentifier; /** @@ -75,8 +65,8 @@ public class AVA implements DerEncoder { // PrintableString encoding for DomainComponent. It may need to be set to // avoid breaking preexisting certificates generated with sun.security APIs. private static final boolean PRESERVE_OLD_DC_ENCODING = - AccessController.doPrivileged(new GetBooleanAction - ("com.sun.security.preserveOldDCEncoding")); + AccessController.doPrivileged(new GetBooleanAction + ("com.sun.security.preserveOldDCEncoding")); /** * DEFAULT format allows both RFC1779 and RFC2253 syntax and @@ -181,7 +171,7 @@ public AVA(ObjectIdentifier type, DerValue val) { * standard or an OID String from the keywordMap is improperly formatted */ AVA(Reader in, int format, Map keywordMap) - throws IOException { + throws IOException { // assume format is one of DEFAULT, RFC1779, RFC2253 StringBuilder temp = new StringBuilder(); @@ -212,7 +202,7 @@ public AVA(ObjectIdentifier type, DerValue val) { c = in.read(); if (c == ' ') { throw new IOException("Incorrect AVA RFC2253 format - " + - "leading space must be escaped"); + "leading space must be escaped"); } } else { // read next character skipping whitespace 
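Review bot: The explicit `java.util` and `sun.security.util` imports of AVA.java are collapsed into `import java.util.*;` and `import sun.security.util.*;`, which goes the opposite way from the other files in this patch (PKCS9Attribute and Debug keep single-type imports) and hides which names the class actually depends on; on-demand imports also turn any name later added to either package into a potential ambiguity error. Restoring the explicit list that the removed lines show keeps the change minimal and the dependency on `java.util.Locale` visible. `AVA(Reader in, int format, Map keywordMap)` and the other hunks on this line only re-indent continuation lines.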
@@ -269,7 +259,7 @@ public String getValueString() { } private static DerValue parseHexString - (Reader in, int format) throws IOException { + (Reader in, int format) throws IOException { int c; ByteArrayOutputStream baos = new ByteArrayOutputStream(); @@ -286,7 +276,7 @@ public String getValueString() { if (cVal == -1) { throw new IOException("AVA parse, invalid hex " + - "digit: "+ (char)c); + "digit: "+ (char)c); } if ((cNdx % 2) == 1) { @@ -312,7 +302,7 @@ public String getValueString() { } private DerValue parseQuotedString - (Reader in, StringBuilder temp) throws IOException { + (Reader in, StringBuilder temp) throws IOException { // RFC1779 specifies that an entire RDN may be enclosed in double // quotes. In this case the syntax is any sequence of @@ -342,10 +332,10 @@ public String getValueString() { } if (c != '\\' && c != '"' && - specialChars.indexOf((char)c) < 0) { + specialChars.indexOf((char)c) < 0) { throw new IOException - ("Invalid escaped character in AVA: " + - (char)c); + ("Invalid escaped character in AVA: " + + (char)c); } } 
@@ -380,21 +370,21 @@ public String getValueString() { // encode as PrintableString unless value contains // non-PrintableString chars if (this.oid.equals(PKCS9Attribute.EMAIL_ADDRESS_OID) || - (this.oid.equals(X500Name.DOMAIN_COMPONENT_OID) && - PRESERVE_OLD_DC_ENCODING == false)) { + (this.oid.equals(X500Name.DOMAIN_COMPONENT_OID) && + PRESERVE_OLD_DC_ENCODING == false)) { // EmailAddress and DomainComponent must be IA5String return new DerValue(DerValue.tag_IA5String, - temp.toString().trim()); + temp.toString().trim()); } else if (isPrintableString) { return new DerValue(temp.toString().trim()); } else { return new DerValue(DerValue.tag_UTF8String, - temp.toString().trim()); + temp.toString().trim()); } } private DerValue parseString - (Reader in, int c, int format, StringBuilder temp) throws IOException { + (Reader in, int c, int format, StringBuilder temp) throws IOException { List embeddedHex = new ArrayList(); boolean isPrintableString = true; 
@@ -425,34 +415,34 @@ public String getValueString() { // check if character was improperly escaped if ((format == DEFAULT && specialCharsAll.indexOf((char)c) == -1) || - (format == RFC1779 && - specialChars.indexOf((char)c) == -1 && - c != '\\' && c != '\"')) { + (format == RFC1779 && + specialChars.indexOf((char)c) == -1 && + c != '\\' && c != '\"')) { throw new IOException - ("Invalid escaped character in AVA: '" + - (char)c + "'"); + ("Invalid escaped character in AVA: '" + + (char)c + "'"); } else if (format == RFC2253) { if (c == ' ') { // only leading/trailing space can be escaped if (!leadingChar && !trailingSpace(in)) { - throw new IOException - ("Invalid escaped space character " + - "in AVA. Only a leading or trailing " + - "space character can be escaped."); + throw new IOException + ("Invalid escaped space character " + + "in AVA. Only a leading or trailing " + + "space character can be escaped."); } } else if (c == '#') { // only leading '#' can be escaped if (!leadingChar) { throw new IOException - ("Invalid escaped '#' character in AVA. " + - "Only a leading '#' can be escaped."); + ("Invalid escaped '#' character in AVA. " + + "Only a leading '#' can be escaped."); } } else if (specialChars2253.indexOf((char)c) == -1) { throw new IOException ("Invalid escaped character in AVA: '" + - (char)c + "'"); + (char)c + "'"); } } @@ -463,7 +453,7 @@ public String getValueString() { if (specialChars2253.indexOf((char)c) != -1) { throw new IOException ("Character '" + (char)c + - "' in AVA appears without escape"); + "' in AVA appears without escape"); } } } @@ -501,7 +491,7 @@ public String getValueString() { if (format == RFC2253 && spaceCount > 0) { throw new IOException("Incorrect AVA RFC2253 format - " + - "trailing space must be escaped"); + "trailing space must be escaped"); } // add trailing embedded hex bytes 
@@ -514,8 +504,8 @@ public String getValueString() { // encode as PrintableString unless value contains // non-PrintableString chars if (this.oid.equals(PKCS9Attribute.EMAIL_ADDRESS_OID) || - (this.oid.equals(X500Name.DOMAIN_COMPONENT_OID) && - PRESERVE_OLD_DC_ENCODING == false)) { + (this.oid.equals(X500Name.DOMAIN_COMPONENT_OID) && + PRESERVE_OLD_DC_ENCODING == false)) { // EmailAddress and DomainComponent must be IA5String return new DerValue(DerValue.tag_IA5String, temp.toString()); } else if (isPrintableString) { @@ -526,11 +516,11 @@ public String getValueString() { } private static Byte getEmbeddedHexPair(int c1, Reader in) - throws IOException { + throws IOException { if (hexDigits.indexOf(Character.toUpperCase((char)c1)) >= 0) { int c2 = readChar(in, "unexpected EOF - " + - "escaped hex value must include two valid digits"); + "escaped hex value must include two valid digits"); if (hexDigits.indexOf(Character.toUpperCase((char)c2)) >= 0) { int hi = Character.digit((char)c1, 16); @@ -545,26 +535,26 @@ private static Byte getEmbeddedHexPair(int c1, Reader in) } private static String getEmbeddedHexString(List hexList) - throws IOException { + throws IOException { int n = hexList.size(); byte[] hexBytes = new byte[n]; for (int i = 0; i < n; i++) { - hexBytes[i] = hexList.get(i).byteValue(); + hexBytes[i] = hexList.get(i).byteValue(); } return new String(hexBytes, "UTF8"); } private static boolean isTerminator(int ch, int format) { switch (ch) { - case -1: - case '+': - case ',': - return true; - case ';': - case '>': - return format != RFC2253; - default: - return false; + case -1: + case '+': + case ',': + return true; + case ';': + case '>': + return format != RFC2253; + default: + return false; } } @@ -623,7 +613,7 @@ private static boolean trailingSpace(Reader in) throws IOException { if (derval.data.available() != 0) { throw new IOException("AVA, extra bytes = " - + derval.data.available()); + + derval.data.available()); } } 
@@ -640,7 +630,7 @@ public boolean equals(Object obj) { } AVA other = (AVA)obj; return this.toRFC2253CanonicalString().equals - (other.toRFC2253CanonicalString()); + (other.toRFC2253CanonicalString()); } /** @@ -688,7 +678,7 @@ private String toKeyword(int format, Map oidMap) { */ public String toString() { return toKeywordValueString - (toKeyword(DEFAULT, Collections.emptyMap())); + (toKeyword(DEFAULT, Collections.emptyMap())); } /** @@ -747,7 +737,7 @@ public String toRFC2253String(Map oidMap) { * the dotted-decimal form. */ if ((typeAndValue.charAt(0) >= '0' && typeAndValue.charAt(0) <= '9') || - !isDerString(value, false)) + !isDerString(value, false)) { byte[] data = null; try { @@ -790,7 +780,8 @@ public String toRFC2253String(Map oidMap) { * Implementations MAY escape other characters. * * NOTE: this implementation also recognizes "=" and "#" as - * characters which need escaping. + * characters which need escaping, and null which is escaped as + * '\00' (see RFC 4514). * * If a character to be escaped is one of the list shown above, then * it is prefixed by a backslash ('\' ASCII 92). @@ -805,7 +796,7 @@ public String toRFC2253String(Map oidMap) { for (int i = 0; i < valStr.length(); i++) { char c = valStr.charAt(i); if (DerValue.isPrintableStringChar(c) || - escapees.indexOf(c) >= 0) { + escapees.indexOf(c) >= 0) { // escape escapees if (escapees.indexOf(c) >= 0) { @@ -815,6 +806,10 @@ public String toRFC2253String(Map oidMap) { // append printable/escaped char sbuffer.append(c); + } else if (c == '\u0000') { + // escape null character + sbuffer.append("\\00"); + } else if (debug != null && Debug.isOn("ava")) { // embed non-printable/non-escaped char @@ -824,7 +819,7 @@ public String toRFC2253String(Map oidMap) { valueBytes = Character.toString(c).getBytes("UTF8"); } catch (IOException ie) { throw new IllegalArgumentException - ("DER Value conversion"); + ("DER Value conversion"); } for (int j = 0; j < valueBytes.length; j++) { sbuffer.append('\\'); 
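Review bot: The new `else if (c == '\u0000')` branch in hunk @@ -815 escapes NUL only in `toRFC2253String`; `equals` (hunk @@ -640 above) compares AVAs through `toRFC2253CanonicalString`, and that method's value loop at @@ -951 below shows only re-indentation, so whether the canonical form receives the same NUL handling is not visible in this diff. The three escaping loops in this file (@@ -815, @@ -951, @@ -1088) share the printable/escapee/debug structure, so the NUL branch should be applied to each or its omission documented, otherwise a name with an embedded NUL can render one way and canonicalize another. The inline comment could also carry the reason instead of restating the code, e.g. `// RFC 4514 2.4: U+0000 has no printable form and must be written as "\00"; falling through would copy it into the DN string raw`. toRFC2253String begins and ends outside this hunk.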
@@ -882,7 +877,7 @@ public String toRFC2253CanonicalString() { */ StringBuilder typeAndValue = new StringBuilder(40); typeAndValue.append - (toKeyword(RFC2253, Collections.emptyMap())); + (toKeyword(RFC2253, Collections.emptyMap())); typeAndValue.append('='); /* @@ -895,7 +890,7 @@ public String toRFC2253CanonicalString() { * the dotted-decimal form. */ if ((typeAndValue.charAt(0) >= '0' && typeAndValue.charAt(0) <= '9') || - !isDerString(value, true)) + !isDerString(value, true)) { byte[] data = null; try { @@ -951,8 +946,8 @@ public String toRFC2253CanonicalString() { char c = valStr.charAt(i); if (DerValue.isPrintableStringChar(c) || - escapees.indexOf(c) >= 0 || - (i == 0 && c == '#')) { + escapees.indexOf(c) >= 0 || + (i == 0 && c == '#')) { // escape leading '#' and escapees if ((i == 0 && c == '#') || escapees.indexOf(c) >= 0) { @@ -986,14 +981,14 @@ public String toRFC2253CanonicalString() { valueBytes = Character.toString(c).getBytes("UTF8"); } catch (IOException ie) { throw new IllegalArgumentException - ("DER Value conversion"); + ("DER Value conversion"); } for (int j = 0; j < valueBytes.length; j++) { sbuffer.append('\\'); sbuffer.append(Character.forDigit - (0xF & (valueBytes[j] >>> 4), 16)); + (0xF & (valueBytes[j] >>> 4), 16)); sbuffer.append(Character.forDigit - (0xF & (valueBytes[j]), 16)); + (0xF & (valueBytes[j]), 16)); } } else { @@ -1088,12 +1083,12 @@ private String toKeywordValueString(String keyword) { for (int i = 0; i < valStr.length(); i++) { char c = valStr.charAt(i); if (DerValue.isPrintableStringChar(c) || - escapees.indexOf(c) >= 0) { + escapees.indexOf(c) >= 0) { // quote if leading whitespace or special chars if (!quoteNeeded && - ((i == 0 && (c == ' ' || c == '\n')) || - escapees.indexOf(c) >= 0)) { + ((i == 0 && (c == ' ' || c == '\n')) || + escapees.indexOf(c) >= 0)) { quoteNeeded = true; } 
@@ -1126,10 +1121,10 @@ private String toKeywordValueString(String keyword) { for (int j = 0; j < valueBytes.length; j++) { sbuffer.append('\\'); char hexChar = Character.forDigit - (0xF & (valueBytes[j] >>> 4), 16); + (0xF & (valueBytes[j] >>> 4), 16); sbuffer.append(Character.toUpperCase(hexChar)); hexChar = Character.forDigit - (0xF & (valueBytes[j]), 16); + (0xF & (valueBytes[j]), 16); sbuffer.append(Character.toUpperCase(hexChar)); } } else { @@ -1180,7 +1175,7 @@ class AVAKeyword { private boolean rfc1779Compliant, rfc2253Compliant; private AVAKeyword(String keyword, ObjectIdentifier oid, - boolean rfc1779Compliant, boolean rfc2253Compliant) { + boolean rfc1779Compliant, boolean rfc2253Compliant) { this.keyword = keyword; this.oid = oid; this.rfc1779Compliant = rfc1779Compliant; @@ -1193,15 +1188,15 @@ private AVAKeyword(String keyword, ObjectIdentifier oid, private boolean isCompliant(int standard) { switch (standard) { - case AVA.RFC1779: - return rfc1779Compliant; - case AVA.RFC2253: - return rfc2253Compliant; - case AVA.DEFAULT: - return true; - default: - // should not occur, internal error - throw new IllegalArgumentException("Invalid standard " + standard); + case AVA.RFC1779: + return rfc1779Compliant; + case AVA.RFC2253: + return rfc2253Compliant; + case AVA.DEFAULT: + return true; + default: + // should not occur, internal error + throw new IllegalArgumentException("Invalid standard " + standard); } } @@ -1214,7 +1209,7 @@ private boolean isCompliant(int standard) { static ObjectIdentifier getOID(String keyword, int standard) throws IOException { return getOID - (keyword, standard, Collections.emptyMap()); + (keyword, standard, Collections.emptyMap()); } /** 
@@ -1229,10 +1224,10 @@ static ObjectIdentifier getOID(String keyword, int standard) * or the OID String to which a keyword maps to is improperly formatted. */ static ObjectIdentifier getOID - (String keyword, int standard, Map extraKeywordMap) + (String keyword, int standard, Map extraKeywordMap) throws IOException { - keyword = keyword.toUpperCase(); + keyword = keyword.toUpperCase(Locale.ENGLISH); if (standard == AVA.RFC2253) { if (keyword.startsWith(" ") || keyword.endsWith(" ")) { throw new IOException("Invalid leading or trailing space " + @@ -1287,7 +1282,7 @@ static ObjectIdentifier getOID(String keyword, int standard) */ static String getKeyword(ObjectIdentifier oid, int standard) { return getKeyword - (oid, standard, Collections.emptyMap()); + (oid, standard, Collections.emptyMap()); } /** @@ -1297,7 +1292,7 @@ static String getKeyword(ObjectIdentifier oid, int standard) { * is encoded as a String. */ static String getKeyword - (ObjectIdentifier oid, int standard, Map extraOidMap) { + (ObjectIdentifier oid, int standard, Map extraOidMap) { // check extraOidMap first, then fallback to built-in map String oidString = oid.toString(); @@ -1315,14 +1310,14 @@ static String getKeyword(ObjectIdentifier oid, int standard) { char c = keywordString.charAt(0); if (c < 65 || c > 122 || (c > 90 && c < 97)) { throw new IllegalArgumentException - ("keyword does not start with letter"); + ("keyword does not start with letter"); } for (int i=1; i 122 || (c > 90 && c < 97)) && - (c < 48 || c > 57) && c != '_') { + (c < 48 || c > 57) && c != '_') { throw new IllegalArgumentException - ("keyword character is not a letter, digit, or underscore"); + ("keyword character is not a letter, digit, or underscore"); } } return keywordString; 
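Review bot: `keyword.toUpperCase(Locale.ENGLISH)` removes the Turkish dotless-i failure, but `Locale.ROOT` is the conventional choice for locale-neutral case mapping of protocol keywords; `Locale.ENGLISH` produces the same mapping here yet reads as if English-specific rules were intended, so `keyword = keyword.toUpperCase(Locale.ROOT);` states the intent more plainly. The AlgorithmId.java hunks further down make the same `Locale.ENGLISH` choice, so whichever constant is settled on should be used consistently across the patched files. getOID's body continues outside the hunk, and the `import java.util.Locale` this line depends on is not in this chunk.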
@@ -1363,18 +1358,18 @@ static boolean hasKeyword(ObjectIdentifier oid, int standard) { new AVAKeyword("IP", X500Name.ipAddress_oid, false, false); new AVAKeyword("STREET", X500Name.streetAddress_oid,true, true); new AVAKeyword("DC", X500Name.DOMAIN_COMPONENT_OID, - false, true); + false, true); new AVAKeyword("DNQUALIFIER", X500Name.DNQUALIFIER_OID, false, false); new AVAKeyword("DNQ", X500Name.DNQUALIFIER_OID, false, false); new AVAKeyword("SURNAME", X500Name.SURNAME_OID, false, false); new AVAKeyword("GIVENNAME", X500Name.GIVENNAME_OID, false, false); new AVAKeyword("INITIALS", X500Name.INITIALS_OID, false, false); new AVAKeyword("GENERATION", X500Name.GENERATIONQUALIFIER_OID, - false, false); + false, false); new AVAKeyword("EMAIL", PKCS9Attribute.EMAIL_ADDRESS_OID, false, false); new AVAKeyword("EMAILADDRESS", PKCS9Attribute.EMAIL_ADDRESS_OID, - false, false); + false, false); new AVAKeyword("UID", X500Name.userid_oid, false, true); new AVAKeyword("SERIALNUMBER", X500Name.SERIALNUMBER_OID, false, false); } -} +} \ No newline at end of file diff --git a/mas-foundation/src/main/java/sun/security/x509/AlgorithmId.java b/mas-foundation/src/main/java/sun/security/x509/AlgorithmId.java index 8f74b8eac..40d812f22 100644 --- a/mas-foundation/src/main/java/sun/security/x509/AlgorithmId.java +++ b/mas-foundation/src/main/java/sun/security/x509/AlgorithmId.java 
@@ -1,12 +1,12 @@ /* - * Copyright 1996-2006 Sun Microsystems, Inc. All Rights Reserved. + * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Sun designates this + * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided - * by Sun in the LICENSE file that accompanied this code. + * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 
@@ -18,29 +18,18 @@ * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * - * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, - * CA 95054 USA or visit www.sun.com if you need additional information or - * have any questions. + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. */ package sun.security.x509; -import java.io.IOException; -import java.io.OutputStream; -import java.io.Serializable; -import java.security.AlgorithmParameters; -import java.security.NoSuchAlgorithmException; -import java.security.Provider; -import java.security.Security; -import java.util.Enumeration; -import java.util.HashMap; -import java.util.Map; +import java.io.*; +import java.util.*; +import java.security.*; -import sun.security.util.DerEncoder; -import sun.security.util.DerInputStream; -import sun.security.util.DerOutputStream; -import sun.security.util.DerValue; -import sun.security.util.ObjectIdentifier; +import sun.security.util.*; /** @@ -136,7 +125,7 @@ protected void decodeParams() throws IOException { // keys even if the provider is not registered. // This code can go away once we have EC in the SUN provider. algParams = AlgorithmParameters.getInstance(algidString, - sun.security.ec.ECKeyFactory.ecInternalProvider); + sun.security.ec.ECKeyFactory.ecInternalProvider); } catch (NoSuchAlgorithmException ee) { /* * This algorithm parameter type is not supported, so we cannot @@ -283,7 +272,7 @@ public byte[] getEncodedParams() throws IOException { */ public boolean equals(AlgorithmId other) { boolean paramsEqual = - (params == null ? other.params == null : params.equals(other.params)); + (params == null ? other.params == null : params.equals(other.params)); return (algid.equals(other.algid) && paramsEqual); } 
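Review bot: Ten explicit `java.io`/`java.security`/`java.util`/`sun.security.util` imports are replaced by four wildcard imports, although from the hunks below the only new name this file appears to need is `java.util.Locale`; adding `import java.util.Locale;` to the existing list would be the minimal change and keep the file's explicit-import style. Wildcards over `java.security.*` and `sun.security.util.*` also hide which classes this hand-maintained copy of a JDK-internal file actually depends on, which matters when it is next resynced with upstream. The rest of the hunk is license-header wording only.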
@@ -420,12 +409,12 @@ public static AlgorithmId get(String algname) oid = algOID(algname); } catch (IOException ioe) { throw new NoSuchAlgorithmException - ("Invalid ObjectIdentifier " + algname); + ("Invalid ObjectIdentifier " + algname); } if (oid == null) { throw new NoSuchAlgorithmException - ("unrecognized algorithm name: " + algname); + ("unrecognized algorithm name: " + algname); } return new AlgorithmId(oid); } @@ -445,11 +434,11 @@ public static AlgorithmId get(AlgorithmParameters algparams) oid = algOID(algname); } catch (IOException ioe) { throw new NoSuchAlgorithmException - ("Invalid ObjectIdentifier " + algname); + ("Invalid ObjectIdentifier " + algname); } if (oid == null) { throw new NoSuchAlgorithmException - ("unrecognized algorithm name: " + algname); + ("unrecognized algorithm name: " + algname); } return new AlgorithmId(oid, algparams); } @@ -484,19 +473,19 @@ private static ObjectIdentifier algOID(String name) throws IOException { return AlgorithmId.MD2_oid; } if (name.equalsIgnoreCase("SHA") || name.equalsIgnoreCase("SHA1") - || name.equalsIgnoreCase("SHA-1")) { + || name.equalsIgnoreCase("SHA-1")) { return AlgorithmId.SHA_oid; } if (name.equalsIgnoreCase("SHA-256") || - name.equalsIgnoreCase("SHA256")) { + name.equalsIgnoreCase("SHA256")) { return AlgorithmId.SHA256_oid; } if (name.equalsIgnoreCase("SHA-384") || - name.equalsIgnoreCase("SHA384")) { + name.equalsIgnoreCase("SHA384")) { return AlgorithmId.SHA384_oid; } if (name.equalsIgnoreCase("SHA-512") || - name.equalsIgnoreCase("SHA512")) { + name.equalsIgnoreCase("SHA512")) { return AlgorithmId.SHA512_oid; } @@ -506,7 +495,7 @@ private static ObjectIdentifier algOID(String name) throws IOException { return AlgorithmId.RSAEncryption_oid; } if (name.equalsIgnoreCase("Diffie-Hellman") - || name.equalsIgnoreCase("DH")) { + || name.equalsIgnoreCase("DH")) { return AlgorithmId.DH_oid; } if (name.equalsIgnoreCase("DSA")) { 
@@ -518,30 +507,42 @@ private static ObjectIdentifier algOID(String name) throws IOException {
 // Common signature types
 if (name.equalsIgnoreCase("MD5withRSA")
- || name.equalsIgnoreCase("MD5/RSA")) {
+ || name.equalsIgnoreCase("MD5/RSA")) {
 return AlgorithmId.md5WithRSAEncryption_oid;
 }
 if (name.equalsIgnoreCase("MD2withRSA")
- || name.equalsIgnoreCase("MD2/RSA")) {
+ || name.equalsIgnoreCase("MD2/RSA")) {
 return AlgorithmId.md2WithRSAEncryption_oid;
 }
 if (name.equalsIgnoreCase("SHAwithDSA")
- || name.equalsIgnoreCase("SHA1withDSA")
- || name.equalsIgnoreCase("SHA/DSA")
- || name.equalsIgnoreCase("SHA1/DSA")
- || name.equalsIgnoreCase("DSAWithSHA1")
- || name.equalsIgnoreCase("DSS")
- || name.equalsIgnoreCase("SHA-1/DSA")) {
+ || name.equalsIgnoreCase("SHA1withDSA")
+ || name.equalsIgnoreCase("SHA/DSA")
+ || name.equalsIgnoreCase("SHA1/DSA")
+ || name.equalsIgnoreCase("DSAWithSHA1")
+ || name.equalsIgnoreCase("DSS")
+ || name.equalsIgnoreCase("SHA-1/DSA")) {
 return AlgorithmId.sha1WithDSA_oid;
 }
 if (name.equalsIgnoreCase("SHA1WithRSA")
- || name.equalsIgnoreCase("SHA1/RSA")) {
+ || name.equalsIgnoreCase("SHA1/RSA")) {
 return AlgorithmId.sha1WithRSAEncryption_oid;
 }
 if (name.equalsIgnoreCase("SHA1withECDSA") || name.equalsIgnoreCase("ECDSA")) {
 return AlgorithmId.sha1WithECDSA_oid;
 }
+ if (name.equalsIgnoreCase("SHA224withECDSA")) {
+ return AlgorithmId.sha224WithECDSA_oid;
+ }
+ if (name.equalsIgnoreCase("SHA256withECDSA")) {
+ return AlgorithmId.sha256WithECDSA_oid;
+ }
+ if (name.equalsIgnoreCase("SHA384withECDSA")) {
+ return AlgorithmId.sha384WithECDSA_oid;
+ }
+ if (name.equalsIgnoreCase("SHA512withECDSA")) {
+ return AlgorithmId.sha512WithECDSA_oid;
+ }
 // See if any of the installed providers supply a mapping from
 // the given algorithm name to an OID string
@@ -552,9 +553,10 @@ private static ObjectIdentifier algOID(String name) throws IOException {
 for (Enumeration enum_ = provs[i].keys(); enum_.hasMoreElements(); ) {
 String alias = (String)enum_.nextElement();
+ String upperCaseAlias = alias.toUpperCase(Locale.ENGLISH);
 int index;
- if (alias.toUpperCase().startsWith("ALG.ALIAS") &&
- (index=alias.toUpperCase().indexOf("OID.", 0)) != -1) {
+ if (upperCaseAlias.startsWith("ALG.ALIAS") &&
+ (index=upperCaseAlias.indexOf("OID.", 0)) != -1) {
 index += "OID.".length();
 if (index == alias.length()) {
 // invalid alias entry
@@ -564,19 +566,26 @@ private static ObjectIdentifier algOID(String name) throws IOException {
 oidTable = new HashMap();
 }
 oidString = alias.substring(index);
- String stdAlgName
- = provs[i].getProperty(alias).toUpperCase();
- if (oidTable.get(stdAlgName) == null) {
+ String stdAlgName = provs[i].getProperty(alias);
+ if (stdAlgName != null) {
+ stdAlgName = stdAlgName.toUpperCase(Locale.ENGLISH);
+ }
+ if (stdAlgName != null &&
+ oidTable.get(stdAlgName) == null) {
 oidTable.put(stdAlgName,
- new ObjectIdentifier(oidString));
+ new ObjectIdentifier(oidString));
 }
 }
 }
+
+ if (oidTable == null) {
+ oidTable = new HashMap(1);
+ }
 initOidTable = true;
 }
- return oidTable.get(name.toUpperCase());
+ return oidTable.get(name.toUpperCase(Locale.ENGLISH));
 }
 private static ObjectIdentifier oid(int ... values) {
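Review bot: `index` is computed on `upperCaseAlias` but then checked against `alias.length()` and used in `alias.substring(index)` (the context line just above the second hunk's changes); `String.toUpperCase` can change the length of a string for some characters (e.g. `ß` becomes `SS`), so for a non-ASCII alias key the offset would land at the wrong position in `alias`. Since an OID string is only digits and dots, the lookup can stay on the one string that `index` was measured on: `if (index == upperCaseAlias.length()) {` and `oidString = upperCaseAlias.substring(index);`. Provider alias keys are ASCII in practice, so this is a robustness point rather than a live bug, and the same mismatch existed before this patch. The `if (!initOidTable)` block these hunks edit starts outside the hunk, so whether the first population of `oidTable` is guarded against concurrent callers cannot be judged from here.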
@@ -598,14 +607,14 @@ private static ObjectIdentifier oid(int ... values) { * OID = 1.2.840.113549.2.2 */ public static final ObjectIdentifier MD2_oid = - ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 2, 2}); + ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 2, 2}); /** * Algorithm ID for the MD5 Message Digest Algorthm, from RFC 1321. * OID = 1.2.840.113549.2.5 */ public static final ObjectIdentifier MD5_oid = - ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 2, 5}); + ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 2, 5}); /** * Algorithm ID for the SHA1 Message Digest Algorithm, from FIPS 180-1. @@ -614,16 +623,16 @@ private static ObjectIdentifier oid(int ... values) { * OID = 1.3.14.3.2.26. Old SHA-0 OID: 1.3.14.3.2.18. */ public static final ObjectIdentifier SHA_oid = - ObjectIdentifier.newInternal(new int[] {1, 3, 14, 3, 2, 26}); + ObjectIdentifier.newInternal(new int[] {1, 3, 14, 3, 2, 26}); public static final ObjectIdentifier SHA256_oid = - ObjectIdentifier.newInternal(new int[] {2, 16, 840, 1, 101, 3, 4, 2, 1}); + ObjectIdentifier.newInternal(new int[] {2, 16, 840, 1, 101, 3, 4, 2, 1}); public static final ObjectIdentifier SHA384_oid = - ObjectIdentifier.newInternal(new int[] {2, 16, 840, 1, 101, 3, 4, 2, 2}); + ObjectIdentifier.newInternal(new int[] {2, 16, 840, 1, 101, 3, 4, 2, 2}); public static final ObjectIdentifier SHA512_oid = - ObjectIdentifier.newInternal(new int[] {2, 16, 840, 1, 101, 3, 4, 2, 3}); + ObjectIdentifier.newInternal(new int[] {2, 16, 840, 1, 101, 3, 4, 2, 3}); /* * COMMON PUBLIC KEY TYPES 
@@ -632,9 +641,9 @@ private static ObjectIdentifier oid(int ... values) {
 private static final int DH_PKIX_data[] = { 1, 2, 840, 10046, 2, 1 };
 private static final int DSA_OIW_data[] = { 1, 3, 14, 3, 2, 12 };
 private static final int DSA_PKIX_data[] = { 1, 2, 840, 10040, 4, 1 };
- private static final int RSA_data[] = { 1, 2, 5, 8, 1, 1 };
+ private static final int RSA_data[] = { 2, 5, 8, 1, 1 };
 private static final int RSAEncryption_data[] =
- { 1, 2, 840, 113549, 1, 1, 1 };
+ { 1, 2, 840, 113549, 1, 1, 1 };
 public static final ObjectIdentifier DH_oid;
 public static final ObjectIdentifier DH_PKIX_oid;
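Review bot: `RSA_data` changes from `{ 1, 2, 5, 8, 1, 1 }` to `{ 2, 5, 8, 1, 1 }`, which alters the bytes `RSA_oid` encodes to, yet the commit message describes only the Turkish-locale case-mapping fix; the OID correction should be named in the message (or split into its own commit) so anyone diffing encoded output knows why `RSA_oid` moved. The new value agrees with the updated Javadoc `OID = 2.5.8.1.1` in the static initializer below, and the old `1.2.5.8.1.1` did not sit under the X.500 `2.5` arc, so the change itself looks right. Anything that persisted or matches on the old value will stop recognizing it, which deserves a line in the changelog.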
@@ -648,25 +657,25 @@ private static ObjectIdentifier oid(int ... values) { * COMMON SIGNATURE ALGORITHMS */ private static final int md2WithRSAEncryption_data[] = - { 1, 2, 840, 113549, 1, 1, 2 }; + { 1, 2, 840, 113549, 1, 1, 2 }; private static final int md5WithRSAEncryption_data[] = - { 1, 2, 840, 113549, 1, 1, 4 }; + { 1, 2, 840, 113549, 1, 1, 4 }; private static final int sha1WithRSAEncryption_data[] = - { 1, 2, 840, 113549, 1, 1, 5 }; + { 1, 2, 840, 113549, 1, 1, 5 }; private static final int sha1WithRSAEncryption_OIW_data[] = - { 1, 3, 14, 3, 2, 29 }; + { 1, 3, 14, 3, 2, 29 }; private static final int sha256WithRSAEncryption_data[] = - { 1, 2, 840, 113549, 1, 1, 11 }; + { 1, 2, 840, 113549, 1, 1, 11 }; private static final int sha384WithRSAEncryption_data[] = - { 1, 2, 840, 113549, 1, 1, 12 }; + { 1, 2, 840, 113549, 1, 1, 12 }; private static final int sha512WithRSAEncryption_data[] = - { 1, 2, 840, 113549, 1, 1, 13 }; + { 1, 2, 840, 113549, 1, 1, 13 }; private static final int shaWithDSA_OIW_data[] = - { 1, 3, 14, 3, 2, 13 }; + { 1, 3, 14, 3, 2, 13 }; private static final int sha1WithDSA_OIW_data[] = - { 1, 3, 14, 3, 2, 27 }; + { 1, 3, 14, 3, 2, 27 }; private static final int dsaWithSHA1_PKIX_data[] = - { 1, 2, 840, 10040, 4, 3 }; + { 1, 2, 840, 10040, 4, 3 }; public static final ObjectIdentifier md2WithRSAEncryption_oid; public static final ObjectIdentifier md5WithRSAEncryption_oid; 
@@ -680,170 +689,170 @@ private static ObjectIdentifier oid(int ... values) { public static final ObjectIdentifier sha1WithDSA_oid; public static final ObjectIdentifier sha1WithECDSA_oid = - oid(1, 2, 840, 10045, 4, 1); + oid(1, 2, 840, 10045, 4, 1); public static final ObjectIdentifier sha224WithECDSA_oid = - oid(1, 2, 840, 10045, 4, 3, 1); + oid(1, 2, 840, 10045, 4, 3, 1); public static final ObjectIdentifier sha256WithECDSA_oid = - oid(1, 2, 840, 10045, 4, 3, 2); + oid(1, 2, 840, 10045, 4, 3, 2); public static final ObjectIdentifier sha384WithECDSA_oid = - oid(1, 2, 840, 10045, 4, 3, 3); + oid(1, 2, 840, 10045, 4, 3, 3); public static final ObjectIdentifier sha512WithECDSA_oid = - oid(1, 2, 840, 10045, 4, 3, 4); + oid(1, 2, 840, 10045, 4, 3, 4); public static final ObjectIdentifier specifiedWithECDSA_oid = - oid(1, 2, 840, 10045, 4, 3); + oid(1, 2, 840, 10045, 4, 3); /** * Algorithm ID for the PBE encryption algorithms from PKCS#5 and * PKCS#12. */ public static final ObjectIdentifier pbeWithMD5AndDES_oid = - ObjectIdentifier.newInternal(new int[]{1, 2, 840, 113549, 1, 5, 3}); + ObjectIdentifier.newInternal(new int[]{1, 2, 840, 113549, 1, 5, 3}); public static final ObjectIdentifier pbeWithMD5AndRC2_oid = - ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 1, 5, 6}); + ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 1, 5, 6}); public static final ObjectIdentifier pbeWithSHA1AndDES_oid = - ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 1, 5, 10}); + ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 1, 5, 10}); public static final ObjectIdentifier pbeWithSHA1AndRC2_oid = - ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 1, 5, 11}); + ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 1, 5, 11}); public static ObjectIdentifier pbeWithSHA1AndDESede_oid = - ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 1, 12, 1, 3}); + ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 1, 12, 1, 3}); 
public static ObjectIdentifier pbeWithSHA1AndRC2_40_oid = - ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 1, 12, 1, 6}); + ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 1, 12, 1, 6}); static { - /* - * Note the preferred OIDs are named simply with no "OIW" or - * "PKIX" in them, even though they may point to data from these - * specs; e.g. SHA_oid, DH_oid, DSA_oid, SHA1WithDSA_oid... - */ - /** - * Algorithm ID for Diffie Hellman Key agreement, from PKCS #3. - * Parameters include public values P and G, and may optionally specify - * the length of the private key X. Alternatively, algorithm parameters - * may be derived from another source such as a Certificate Authority's - * certificate. - * OID = 1.2.840.113549.1.3.1 - */ + /* + * Note the preferred OIDs are named simply with no "OIW" or + * "PKIX" in them, even though they may point to data from these + * specs; e.g. SHA_oid, DH_oid, DSA_oid, SHA1WithDSA_oid... + */ + /** + * Algorithm ID for Diffie Hellman Key agreement, from PKCS #3. + * Parameters include public values P and G, and may optionally specify + * the length of the private key X. Alternatively, algorithm parameters + * may be derived from another source such as a Certificate Authority's + * certificate. + * OID = 1.2.840.113549.1.3.1 + */ DH_oid = ObjectIdentifier.newInternal(DH_data); - /** - * Algorithm ID for the Diffie Hellman Key Agreement (DH), from RFC 3279. - * Parameters may include public values P and G. - * OID = 1.2.840.10046.2.1 - */ + /** + * Algorithm ID for the Diffie Hellman Key Agreement (DH), from RFC 3279. + * Parameters may include public values P and G. + * OID = 1.2.840.10046.2.1 + */ DH_PKIX_oid = ObjectIdentifier.newInternal(DH_PKIX_data); - /** - * Algorithm ID for the Digital Signing Algorithm (DSA), from the - * NIST OIW Stable Agreements part 12. 
- * Parameters may include public values P, Q, and G; or these may be - * derived from - * another source such as a Certificate Authority's certificate. - * OID = 1.3.14.3.2.12 - */ + /** + * Algorithm ID for the Digital Signing Algorithm (DSA), from the + * NIST OIW Stable Agreements part 12. + * Parameters may include public values P, Q, and G; or these may be + * derived from + * another source such as a Certificate Authority's certificate. + * OID = 1.3.14.3.2.12 + */ DSA_OIW_oid = ObjectIdentifier.newInternal(DSA_OIW_data); - /** - * Algorithm ID for the Digital Signing Algorithm (DSA), from RFC 3279. - * Parameters may include public values P, Q, and G; or these may be - * derived from another source such as a Certificate Authority's - * certificate. - * OID = 1.2.840.10040.4.1 - */ + /** + * Algorithm ID for the Digital Signing Algorithm (DSA), from RFC 3279. + * Parameters may include public values P, Q, and G; or these may be + * derived from another source such as a Certificate Authority's + * certificate. + * OID = 1.2.840.10040.4.1 + */ DSA_oid = ObjectIdentifier.newInternal(DSA_PKIX_data); - /** - * Algorithm ID for RSA keys used for any purpose, as defined in X.509. - * The algorithm parameter is a single value, the number of bits in the - * public modulus. - * OID = 1.2.5.8.1.1 - */ + /** + * Algorithm ID for RSA keys used for any purpose, as defined in X.509. + * The algorithm parameter is a single value, the number of bits in the + * public modulus. + * OID = 2.5.8.1.1 + */ RSA_oid = ObjectIdentifier.newInternal(RSA_data); - /** - * Algorithm ID for RSA keys used with RSA encryption, as defined - * in PKCS #1. There are no parameters associated with this algorithm. - * OID = 1.2.840.113549.1.1.1 - */ + /** + * Algorithm ID for RSA keys used with RSA encryption, as defined + * in PKCS #1. There are no parameters associated with this algorithm. 
+ * OID = 1.2.840.113549.1.1.1 + */ RSAEncryption_oid = ObjectIdentifier.newInternal(RSAEncryption_data); - /** - * Identifies a signing algorithm where an MD2 digest is encrypted - * using an RSA private key; defined in PKCS #1. Use of this - * signing algorithm is discouraged due to MD2 vulnerabilities. - * OID = 1.2.840.113549.1.1.2 - */ + /** + * Identifies a signing algorithm where an MD2 digest is encrypted + * using an RSA private key; defined in PKCS #1. Use of this + * signing algorithm is discouraged due to MD2 vulnerabilities. + * OID = 1.2.840.113549.1.1.2 + */ md2WithRSAEncryption_oid = - ObjectIdentifier.newInternal(md2WithRSAEncryption_data); + ObjectIdentifier.newInternal(md2WithRSAEncryption_data); - /** - * Identifies a signing algorithm where an MD5 digest is - * encrypted using an RSA private key; defined in PKCS #1. - * OID = 1.2.840.113549.1.1.4 - */ + /** + * Identifies a signing algorithm where an MD5 digest is + * encrypted using an RSA private key; defined in PKCS #1. + * OID = 1.2.840.113549.1.1.4 + */ md5WithRSAEncryption_oid = - ObjectIdentifier.newInternal(md5WithRSAEncryption_data); + ObjectIdentifier.newInternal(md5WithRSAEncryption_data); - /** - * Identifies a signing algorithm where a SHA1 digest is - * encrypted using an RSA private key; defined by RSA DSI. - * OID = 1.2.840.113549.1.1.5 - */ + /** + * Identifies a signing algorithm where a SHA1 digest is + * encrypted using an RSA private key; defined by RSA DSI. + * OID = 1.2.840.113549.1.1.5 + */ sha1WithRSAEncryption_oid = - ObjectIdentifier.newInternal(sha1WithRSAEncryption_data); + ObjectIdentifier.newInternal(sha1WithRSAEncryption_data); - /** - * Identifies a signing algorithm where a SHA1 digest is - * encrypted using an RSA private key; defined in NIST OIW. - * OID = 1.3.14.3.2.29 - */ + /** + * Identifies a signing algorithm where a SHA1 digest is + * encrypted using an RSA private key; defined in NIST OIW. 
+ * OID = 1.3.14.3.2.29 + */ sha1WithRSAEncryption_OIW_oid = - ObjectIdentifier.newInternal(sha1WithRSAEncryption_OIW_data); + ObjectIdentifier.newInternal(sha1WithRSAEncryption_OIW_data); - /** - * Identifies a signing algorithm where a SHA256 digest is - * encrypted using an RSA private key; defined by PKCS #1. - * OID = 1.2.840.113549.1.1.11 - */ + /** + * Identifies a signing algorithm where a SHA256 digest is + * encrypted using an RSA private key; defined by PKCS #1. + * OID = 1.2.840.113549.1.1.11 + */ sha256WithRSAEncryption_oid = - ObjectIdentifier.newInternal(sha256WithRSAEncryption_data); + ObjectIdentifier.newInternal(sha256WithRSAEncryption_data); - /** - * Identifies a signing algorithm where a SHA384 digest is - * encrypted using an RSA private key; defined by PKCS #1. - * OID = 1.2.840.113549.1.1.12 - */ + /** + * Identifies a signing algorithm where a SHA384 digest is + * encrypted using an RSA private key; defined by PKCS #1. + * OID = 1.2.840.113549.1.1.12 + */ sha384WithRSAEncryption_oid = - ObjectIdentifier.newInternal(sha384WithRSAEncryption_data); + ObjectIdentifier.newInternal(sha384WithRSAEncryption_data); - /** - * Identifies a signing algorithm where a SHA512 digest is - * encrypted using an RSA private key; defined by PKCS #1. - * OID = 1.2.840.113549.1.1.13 - */ + /** + * Identifies a signing algorithm where a SHA512 digest is + * encrypted using an RSA private key; defined by PKCS #1. + * OID = 1.2.840.113549.1.1.13 + */ sha512WithRSAEncryption_oid = - ObjectIdentifier.newInternal(sha512WithRSAEncryption_data); + ObjectIdentifier.newInternal(sha512WithRSAEncryption_data); - /** - * Identifies the FIPS 186 "Digital Signature Standard" (DSS), where a - * SHA digest is signed using the Digital Signing Algorithm (DSA). - * This should not be used. - * OID = 1.3.14.3.2.13 - */ + /** + * Identifies the FIPS 186 "Digital Signature Standard" (DSS), where a + * SHA digest is signed using the Digital Signing Algorithm (DSA). 
+ * This should not be used. + * OID = 1.3.14.3.2.13 + */ shaWithDSA_OIW_oid = ObjectIdentifier.newInternal(shaWithDSA_OIW_data); - /** - * Identifies the FIPS 186 "Digital Signature Standard" (DSS), where a - * SHA1 digest is signed using the Digital Signing Algorithm (DSA). - * OID = 1.3.14.3.2.27 - */ + /** + * Identifies the FIPS 186 "Digital Signature Standard" (DSS), where a + * SHA1 digest is signed using the Digital Signing Algorithm (DSA). + * OID = 1.3.14.3.2.27 + */ sha1WithDSA_OIW_oid = ObjectIdentifier.newInternal(sha1WithDSA_OIW_data); - /** - * Identifies the FIPS 186 "Digital Signature Standard" (DSS), where a - * SHA1 digest is signed using the Digital Signing Algorithm (DSA). - * OID = 1.2.840.10040.4.3 - */ + /** + * Identifies the FIPS 186 "Digital Signature Standard" (DSS), where a + * SHA1 digest is signed using the Digital Signing Algorithm (DSA). + * OID = 1.2.840.10040.4.3 + */ sha1WithDSA_oid = ObjectIdentifier.newInternal(dsaWithSHA1_PKIX_data); nameTable = new HashMap(); 
@@ -882,4 +891,53 @@ private static ObjectIdentifier oid(int ... values) {
 nameTable.put(pbeWithSHA1AndDESede_oid, "PBEWithSHA1AndDESede");
 nameTable.put(pbeWithSHA1AndRC2_40_oid, "PBEWithSHA1AndRC2_40");
 }
+
+ /**
+ * Creates a signature algorithm name from a digest algorithm
+ * name and a encryption algorithm name.
+ */
+ public static String makeSigAlg(String digAlg, String encAlg) {
+ digAlg = digAlg.replace("-", "").toUpperCase(Locale.ENGLISH);
+ if (digAlg.equalsIgnoreCase("SHA")) digAlg = "SHA1";
+
+ encAlg = encAlg.toUpperCase(Locale.ENGLISH);
+ if (encAlg.equals("EC")) encAlg = "ECDSA";
+
+ return digAlg + "with" + encAlg;
+ }
+
+ /**
+ * Extracts the encryption algorithm name from a signature
+ * algorithm name.
+ */
+ public static String getEncAlgFromSigAlg(String signatureAlgorithm) {
+ signatureAlgorithm = signatureAlgorithm.toUpperCase(Locale.ENGLISH);
+ int with = signatureAlgorithm.indexOf("WITH");
+ String keyAlgorithm = null;
+ if (with > 0) {
+ int and = signatureAlgorithm.indexOf("AND", with + 4);
+ if (and > 0) {
+ keyAlgorithm = signatureAlgorithm.substring(with + 4, and);
+ } else {
+ keyAlgorithm = signatureAlgorithm.substring(with + 4);
+ }
+ if (keyAlgorithm.equalsIgnoreCase("ECDSA")) {
+ keyAlgorithm = "EC";
+ }
+ }
+ return keyAlgorithm;
+ }
+
+ /**
+ * Extracts the digest algorithm name from a signature
+ * algorithm name.
+ */
+ public static String getDigAlgFromSigAlg(String signatureAlgorithm) {
+ signatureAlgorithm = signatureAlgorithm.toUpperCase(Locale.ENGLISH);
+ int with = signatureAlgorithm.indexOf("WITH");
+ if (with > 0) {
+ return signatureAlgorithm.substring(0, with);
+ }
+ return null;
+ }
 }
diff --git a/mas-foundation/src/main/java/sun/security/x509/DNSName.java b/mas-foundation/src/main/java/sun/security/x509/DNSName.java
index 7dc6f41e0..cbbb40f15 100644
--- a/mas-foundation/src/main/java/sun/security/x509/DNSName.java
+++ b/mas-foundation/src/main/java/sun/security/x509/DNSName.java
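Review bot: The Javadoc on getEncAlgFromSigAlg and getDigAlgFromSigAlg does not say that both return null when the name has no "WITH" segment (or when it starts with one, since the test is `with > 0`), and none of the three helpers tolerates a null argument, so callers get a NullPointerException from the first toUpperCase call. Add to each of the two extractors `@return the algorithm name, or {@code null} if {@code signatureAlgorithm} contains no "with" segment` and `@throws NullPointerException if {@code signatureAlgorithm} is null`, and a matching `@throws` on makeSigAlg for its two parameters. Whether a leading "WITH" is meant to be rejected is not evident from the hunk and should be stated either way. As a point of style, `keyAlgorithm.equalsIgnoreCase("ECDSA")` runs on a string that was already upper-cased with Locale.ENGLISH two lines earlier, so `equals("ECDSA")` says the same thing and matches the `encAlg.equals("EC")` check in makeSigAlg.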
@@ -1,12 +1,12 @@ /* - * Copyright 1997-2000 Sun Microsystems, Inc. All Rights Reserved. + * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Sun designates this + * published by the Free Software Foundation. Oracle designates this * particular file as subject to the "Classpath" exception as provided - * by Sun in the LICENSE file that accompanied this code. + * by Oracle in the LICENSE file that accompanied this code. * * This code is distributed in the hope that it will be useful, but WITHOUT * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or @@ -18,17 +18,17 @@ * 2 along with this work; if not, write to the Free Software Foundation, * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. * - * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, - * CA 95054 USA or visit www.sun.com if you need additional information or - * have any questions. + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. */ package sun.security.x509; import java.io.IOException; +import java.util.Locale; -import sun.security.util.DerOutputStream; -import sun.security.util.DerValue; +import sun.security.util.*; /** * This class implements the DNSName as required by the GeneralNames @@ -188,7 +188,7 @@ public int hashCode() { * order zero bit. *
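Review bot: The import hunk replaces the two explicit imports with the wildcard `import sun.security.util.*;`, which hides which helpers this file actually depends on and invites silent name shadowing the next time that package grows. Only Locale is new here, so the explicit form `import java.util.Locale;` plus the original `import sun.security.util.DerOutputStream;` and `import sun.security.util.DerValue;` is the smaller and clearer change. The RFC822Name hunk `@@ -26,9 +26,9 @@` makes the same substitution and should get the same treatment.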

* @param inputName to be checked for being constrained - * @return constraint type above + * @returns constraint type above * @throws UnsupportedOperationException if name is not exact match, but narrowing and widening are * not supported for this name type. */ @@ -199,8 +199,9 @@ public int constrains(GeneralNameInterface inputName) throws UnsupportedOperatio else if (inputName.getType() != NAME_DNS) constraintType = NAME_DIFF_TYPE; else { - String inName = (((DNSName)inputName).getName()).toLowerCase(); - String thisName = name.toLowerCase(); + String inName = + (((DNSName)inputName).getName()).toLowerCase(Locale.ENGLISH); + String thisName = name.toLowerCase(Locale.ENGLISH); if (inName.equals(thisName)) constraintType = NAME_MATCH; else if (thisName.endsWith(inName)) { @@ -227,7 +228,7 @@ else if (thisName.endsWith(inName)) { * NameConstraints minimum and maximum bounds and for calculating * path lengths in name subtrees. * - * @return distance of name from root + * @returns distance of name from root * @throws UnsupportedOperationException if not supported for this name type */ public int subtreeDepth() throws UnsupportedOperationException { @@ -242,4 +243,4 @@ public int subtreeDepth() throws UnsupportedOperationException { return i; } -} +} \ No newline at end of file diff --git a/mas-foundation/src/main/java/sun/security/x509/RFC822Name.java b/mas-foundation/src/main/java/sun/security/x509/RFC822Name.java index 4a50ef680..91466a90e 100644 --- a/mas-foundation/src/main/java/sun/security/x509/RFC822Name.java +++ b/mas-foundation/src/main/java/sun/security/x509/RFC822Name.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2000, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
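Review bot: The new side rewrites the valid Javadoc tag `@return` as `@returns`, which javadoc does not recognise, so the return description drops out of the generated docs and doclint flags it. Keep ` * @return constraint type above` here; the same replacement is made in DNSName `@@ -227,7 +228,7 @@` (` * @return distance of name from root`) and in the RFC822Name hunks `@@ -176,7 +176,7 @@` and `@@ -231,7 +232,7 @@`.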
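Review bot: The closing-brace hunk exists only to drop the file's final newline ("\ No newline at end of file"), which is an editor artefact rather than part of the fix and will keep producing one-line diffs and diff-tool warnings on every later touch. Restore the trailing newline so the hunk disappears. The same artefact appears in RFC822Name `@@ -252,4 +253,4 @@` and, in PATCH 5, in the MobileSsoConfig, Config and ConfigurationManager closing-brace hunks.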
@@ -26,9 +26,9 @@ package sun.security.x509; import java.io.IOException; +import java.util.Locale; -import sun.security.util.DerOutputStream; -import sun.security.util.DerValue; +import sun.security.util.*; /** * This class implements the RFC822Name as required by the GeneralNames @@ -176,7 +176,7 @@ public int hashCode() { * RFC 822 addr-spec, no significance is attached to the case. *

* @param inputName to be checked for being constrained - * @return constraint type above + * @returns constraint type above * @throws UnsupportedOperationException if name is not exact match, but narrowing and widening are * not supported for this name type. */ @@ -188,8 +188,9 @@ else if (inputName.getType() != (GeneralNameInterface.NAME_RFC822)) { constraintType = NAME_DIFF_TYPE; } else { //RFC2459 specifies that case is not significant in RFC822Names - String inName = (((RFC822Name)inputName).getName()).toLowerCase(); - String thisName = name.toLowerCase(); + String inName = + (((RFC822Name)inputName).getName()).toLowerCase(Locale.ENGLISH); + String thisName = name.toLowerCase(Locale.ENGLISH); if (inName.equals(thisName)) { constraintType = NAME_MATCH; } else if (thisName.endsWith(inName)) { @@ -231,7 +232,7 @@ else if (inputName.getType() != (GeneralNameInterface.NAME_RFC822)) { * Return subtree depth of this name for purposes of determining * NameConstraints minimum and maximum bounds. * - * @return distance of name from root + * @returns distance of name from root * @throws UnsupportedOperationException if not supported for this name type */ public int subtreeDepth() throws UnsupportedOperationException { @@ -252,4 +253,4 @@ public int subtreeDepth() throws UnsupportedOperationException { return i; } -} +} \ No newline at end of file From 66eb4d2ed8dfb102d8608eb272f1bfd050e5e7b0 Mon Sep 17 00:00:00 2001 
From: am654971 Date: Mon, 7 Jun 2021 18:16:29 +0530 Subject: [PATCH 3/9] Code changes for SSL Pinning implementation. SSL Pinning will be disabled by default. It can be enabled using enableSSLPinning method or msso_config property --- .../java/com/ca/mas/core/MobileSsoConfig.java | 1 + .../java/com/ca/mas/core/conf/Config.java | 3 +- .../mas/core/conf/ConfigurationManager.java | 15 ++++++ ...dCertificateConfigurationTrustManager.java | 53 ++++++++++--------- .../main/java/com/ca/mas/foundation/MAS.java | 16 ++++++ .../ca/mas/foundation/MASConfiguration.java | 7 +++ .../foundation/MASSecurityConfiguration.java | 19 ++++++- 7 files changed, 88 insertions(+), 26 deletions(-) diff --git a/mas-foundation/src/main/java/com/ca/mas/core/MobileSsoConfig.java b/mas-foundation/src/main/java/com/ca/mas/core/MobileSsoConfig.java index 69b5dfa15..bc4607d3f 100755 --- a/mas-foundation/src/main/java/com/ca/mas/core/MobileSsoConfig.java +++ b/mas-foundation/src/main/java/com/ca/mas/core/MobileSsoConfig.java @@ -310,6 +310,7 @@ public interface MobileSsoConfig { String PROP_DEVICE_METADATA_PATH = "msso_device_metadata"; + String PROP_SSL_PINNING_ENABLED = "ssl_pinning_enabled"; // If you add any properties to this file, you must update MobileSsoFactory.createConfig() // or they will be ignored. diff --git a/mas-foundation/src/main/java/com/ca/mas/core/conf/Config.java b/mas-foundation/src/main/java/com/ca/mas/core/conf/Config.java index cb1bdae47..634b1a1ee 100755 --- a/mas-foundation/src/main/java/com/ca/mas/core/conf/Config.java +++ b/mas-foundation/src/main/java/com/ca/mas/core/conf/Config.java 
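Review bot: The comment two lines below the new constant states that any property added to this file must also be wired into MobileSsoFactory.createConfig() or it is ignored, and the diffstat of this patch does not touch MobileSsoFactory. Either add that wiring or, if Config.SSL_PINNING_ENABLED is meant to be the only consumer, say so next to the constant with `// read via Config.SSL_PINNING_ENABLED, not MobileSsoFactory.createConfig()`. The key `"ssl_pinning_enabled"` also lacks the prefix the neighbouring keys carry (`"msso_device_metadata"`, `"msso.msisdn.enabled"`); this may be deliberate but is worth confirming before it ships in customer msso_config files. PATCH 5 re-adds the identical line in its `@@ -310,7 +310,8 @@` hunk after the revert in PATCH 4, so the same applies there.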
@@ -56,6 +56,7 @@ public class Config { public static final Config TRUSTED_CERT_PINNED_PUBLIC_KEY_HASHES = new Config(false, MobileSsoConfig.PROP_TRUSTED_CERT_PINNED_PUBLIC_KEY_HASHES, "mag.mobile_sdk.trusted_cert_pinned_public_key_hashes", List.class); public static final Config CLIENT_CERT_RSA_KEYBITS = new Config(false, MobileSsoConfig.PROP_CLIENT_CERT_RSA_KEYBITS, "mag.mobile_sdk.client_cert_rsa_keybits", Integer.class); public static final Config CLIENT_STORAGE = new Config(false, MobileSsoConfig.PROP_STORAGE, "mag.mobile_sdk.storage", String.class); + public static final Config SSL_PINNING_ENABLED = new Config(true, MobileSsoConfig.PROP_SSL_PINNING_ENABLED, "mag.mobile_sdk.ssl_pinning_enabled", Boolean.class); //mag.ble public static final Config BLE_SERVICE_UUID = new Config(false, MobileSsoConfig.PROP_BLE_SERVICE_UUID, "mag.ble.msso_ble_service_uuid", String.class); @@ -66,7 +67,7 @@ public class Config { HOSTNAME, PORT, PREFIX, SERVER_CERTS, ORGANIZATION, CLIENT_KEY, CLIENT_SECRET, SCOPE, REDIRECT_URI, AUTHORIZE_PATH, REGISTER_TOKEN_PATH, REGISTER_TOKEN_PATH_SSO, LOGOUT_DEVICE_PATH, REVOKE_PATH, REMOVE_DEVICE_PATH, REGISTER_DEVICE_PATH, RENEW_DEVICE_PATH, REGISTER_DEVICE_PATH_CLIENT, CLIENT_CREDENTIAL_INIT_PATH, ENTERPRISE_APP_PATH, SSO_ENABLED, LOCATION_ENABLED, LOCATION_PROVIDER, MSISDN_ENABLED, TRUSTED_PUBLIC_PKI,DEVICE_METADATA_PATH, TRUSTED_CERT_PINNED_PUBLIC_KEY_HASHES, CLIENT_CERT_RSA_KEYBITS, CLIENT_STORAGE, BLE_SERVICE_UUID, BLE_USER_SESSION_CHARACTERISTIC_UUID, - BLE_RSSI, AUTHENTICATE_OTP_PATH + BLE_RSSI, AUTHENTICATE_OTP_PATH, SSL_PINNING_ENABLED }; public boolean mandatory; diff --git a/mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationManager.java b/mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationManager.java index 45c133f31..11d626779 100755 --- a/mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationManager.java +++ b/mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationManager.java 
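Review bot: The new Config entry is constructed with `mandatory = true` (the first argument), while the commit message says SSL pinning is disabled by default; every sibling pinning-related entry in the hunk (TRUSTED_CERT_PINNED_PUBLIC_KEY_HASHES, CLIENT_CERT_RSA_KEYBITS, CLIENT_STORAGE) passes false. If getValue enforces the mandatory flag the way its name suggests, an existing msso_config without this key would presumably stop loading, which is the opposite of an opt-in feature. Change the line to `public static final Config SSL_PINNING_ENABLED = new Config(false, MobileSsoConfig.PROP_SSL_PINNING_ENABLED, "mag.mobile_sdk.ssl_pinning_enabled", Boolean.class);` unless a missing key is meant to be a hard error. PATCH 5 re-adds the same line in its Config.java `@@ -56,6 +56,7 @@` hunk.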
@@ -46,6 +46,7 @@ public class ConfigurationManager { private List appConfigs; private String configurationFileName = null; private boolean enablePKCE = true; + private boolean enableSslPinning = false; private boolean idTokenValidation = true; private boolean enableJwksPreload = false; private JSONObject jsonConfiguration; @@ -78,6 +79,10 @@ public void enablePKCE(boolean enablePKCE) { this.enablePKCE = enablePKCE; } + public void enableSslPinningEnabled(boolean enableSslPinning) { + this.enableSslPinning = enableSslPinning; + } + public void enableIdTokenValidation(boolean enableValidation) { this.idTokenValidation = enableValidation; } @@ -90,6 +95,10 @@ public boolean isPKCEEnabled() { return enablePKCE; } + public boolean isSslPinningEnabled() { + return enableSslPinning; + } + public void reset() { connectedGatewayConfigurationProvider = null; } @@ -258,6 +267,12 @@ public ConfigurationProvider create(JSONObject jsonObject) throws JSONException conf.setAlsoTrustPublicPki((Boolean) getValue(Config.TRUSTED_PUBLIC_PKI, jsonObject, Boolean.FALSE)); continue; } + + if (attr == Config.SSL_PINNING_ENABLED) { + conf.setAlsoTrustPublicPki((Boolean) getValue(Config.TRUSTED_PUBLIC_PKI, jsonObject, Boolean.FALSE)); + continue; + } + Object value = getValue(attr, jsonObject); if (value != null) { conf.putProperty(attr.key, value); diff --git a/mas-foundation/src/main/java/com/ca/mas/core/io/http/TrustedCertificateConfigurationTrustManager.java b/mas-foundation/src/main/java/com/ca/mas/core/io/http/TrustedCertificateConfigurationTrustManager.java index 00bf9290f..3e11fb017 100755 --- a/mas-foundation/src/main/java/com/ca/mas/core/io/http/TrustedCertificateConfigurationTrustManager.java +++ b/mas-foundation/src/main/java/com/ca/mas/core/io/http/TrustedCertificateConfigurationTrustManager.java 
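Review bot: The new `if (attr == Config.SSL_PINNING_ENABLED)` branch in create() is a copy of the TRUSTED_PUBLIC_PKI branch just above it: it reads Config.TRUSTED_PUBLIC_PKI, calls setAlsoTrustPublicPki, and then `continue`s, so the ssl_pinning_enabled value from the JSON is never read, never stored with putProperty, and the branch merely repeats the previous assignment. Since MAS.isSslPinningEnabled() in this patch reads the manager's enableSslPinning field, the line that would make the msso_config property effective is `this.enableSslPinning = (Boolean) getValue(Config.SSL_PINNING_ENABLED, jsonObject, Boolean.FALSE);` in place of the setAlsoTrustPublicPki call, though whether the flag belongs on the manager or on conf is a design decision not visible in the hunk. As a point of style, the setter name `enableSslPinningEnabled(boolean)` reads oddly next to `enablePKCE(boolean)` and `enableIdTokenValidation(boolean)`; `enableSslPinning(boolean)` would match them. PATCH 5 reintroduces the identical branch in its ConfigurationManager `@@ -258,6 +267,12 @@` hunk.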
@@ -9,6 +9,7 @@ import com.ca.mas.core.cert.PublicKeyHash; import com.ca.mas.core.cert.TrustedCertificateConfiguration; +import com.ca.mas.foundation.MAS; import com.ca.mas.foundation.MASSecurityConfiguration; import java.io.IOException; 
@@ -117,39 +118,43 @@ public void checkServerTrusted(X509Certificate[] chain, String s) throws Certifi List certs = config.getCertificates(); List hashes = config.getPublicKeyHashes(); - //If we don't trust the public PKI, we fail the validation - if (config.trustPublicPki()) { - //All public PKI delegates must succeed - for (X509TrustManager delegate : publicPkiDelegates) { - delegate.checkServerTrusted(chain, s); + if(MAS.isSslPinningEnabled() && config.isSslPinningEnabled()) + { + //If we don't trust the public PKI, we fail the validation + if (config.trustPublicPki()) { + //All public PKI delegates must succeed + for (X509TrustManager delegate : publicPkiDelegates) { + delegate.checkServerTrusted(chain, s); + } } - } - //Check the private trust store for any thrown exceptions - if (certs != null && !certs.isEmpty()) { - checkPrivateTrustStoreDelegates(chain, s); - } + //Check the private trust store for any thrown exceptions + if (certs != null && !certs.isEmpty()) { + checkPrivateTrustStoreDelegates(chain, s); + } - //Check the public key hashes - boolean hashesValid = false; - if (hashes != null) { - if (!hashes.isEmpty()) { - for (X509Certificate xcert : chain) { - PublicKey key = xcert.getPublicKey(); - if (key != null) { - String hashString = PublicKeyHash.fromPublicKey(key).getHashString(); - if (hashes.contains(hashString)) { - hashesValid = true; - break; + //Check the public key hashes + boolean hashesValid = false; + if (hashes != null) { + if (!hashes.isEmpty()) { + for (X509Certificate xcert : chain) { + PublicKey key = xcert.getPublicKey(); + if (key != null) { + String hashString = PublicKeyHash.fromPublicKey(key).getHashString(); + if (hashes.contains(hashString)) { + hashesValid = true; + break; + } } } } - } - if (!hashesValid) { - throw new CertificateException("Server certificate chain did not contain any of the pinned public keys."); + if (!hashesValid) { + throw new CertificateException("Server certificate chain did not contain any of the 
pinned public keys."); + } } } + } @Override diff --git a/mas-foundation/src/main/java/com/ca/mas/foundation/MAS.java b/mas-foundation/src/main/java/com/ca/mas/foundation/MAS.java index 6d6a791d5..5aca968a9 100755 --- a/mas-foundation/src/main/java/com/ca/mas/foundation/MAS.java +++ b/mas-foundation/src/main/java/com/ca/mas/foundation/MAS.java @@ -21,6 +21,7 @@ import com.ca.mas.core.EventDispatcher; import com.ca.mas.core.MAGResultReceiver; +import com.ca.mas.core.MobileSsoConfig; import com.ca.mas.core.MobileSsoFactory; import com.ca.mas.core.client.ServerClient; import com.ca.mas.core.conf.ConfigurationManager; @@ -556,6 +557,12 @@ public static void enableIdTokenValidation(boolean enableValidation) { ConfigurationManager.getInstance().enableIdTokenValidation(enableValidation); } + /** + * Enables the SSL Pinning. + */ + public static void enableSslPinningEnabled(boolean enableSSLPinning) { + ConfigurationManager.getInstance().enableSslPinningEnabled(enableSSLPinning); + } /** * Value of the boolean indicator which indicate if the id_token validation is active or not. */ @@ -572,6 +579,15 @@ public static boolean isPKCEEnabled() { return ConfigurationManager.getInstance().isPKCEEnabled(); } + /** + * Determines whether PKCE extension is enabled. + * + * @return true if ssl pinning is enabled, false otherwise + */ + public static boolean isSslPinningEnabled() { + return ConfigurationManager.getInstance().isSslPinningEnabled(); + } + /** * Stops the lifecycle of all MAS processes. */ diff --git a/mas-foundation/src/main/java/com/ca/mas/foundation/MASConfiguration.java b/mas-foundation/src/main/java/com/ca/mas/foundation/MASConfiguration.java index bc974b9f7..6f03049df 100755 --- a/mas-foundation/src/main/java/com/ca/mas/foundation/MASConfiguration.java +++ b/mas-foundation/src/main/java/com/ca/mas/foundation/MASConfiguration.java 
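Review bot: With the new guard, checkServerTrusted does nothing at all when `MAS.isSslPinningEnabled() && config.isSslPinningEnabled()` is false: the public-PKI delegates, the private trust store and the public-key-hash check are all inside the new block, so the method returns normally for any chain, including one signed by an unknown or self-signed CA. Because both flags default to false in this patch, that is the shipped default, and it turns "pinning disabled" into "no server certificate validation". When pinning is off the chain should still be checked against the public-PKI delegates (presumably the platform trust managers; the field is initialised outside the hunk), and only the private-store and hash checks should be skipped, as sketched below. A second consequence of requiring both flags is that a MASSecurityConfiguration built with pins but without enableSSLPinning(true) silently loses all validation rather than failing loudly; consider making a single switch authoritative. The method's signature and the publicPkiDelegates/config fields are outside the hunk.

```java
List hashes = config.getPublicKeyHashes();
boolean pinningEnabled = MAS.isSslPinningEnabled() && config.isSslPinningEnabled();
if (!pinningEnabled) {
    // Pinning is off: the chain must still be authenticated by the public PKI delegates
    for (X509TrustManager delegate : publicPkiDelegates) {
        delegate.checkServerTrusted(chain, s);
    }
    return;
}
// … unchanged: trustPublicPki delegate loop, private trust store check, public key hash check …
```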
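Review bot: The Javadoc added for isSslPinningEnabled in `@@ -572,6 +579,15 @@` reads "Determines whether PKCE extension is enabled.", copied from the method above it; it should say `Determines whether SSL pinning is enabled.` so the summary matches its own `@return` line. The new enableSslPinningEnabled in `@@ -556,6 +557,12 @@` has no `@param enableSSLPinning true to enable SSL pinning, false to disable it` and no blank line before the following Javadoc block, unlike every neighbouring method. The `import com.ca.mas.core.MobileSsoConfig;` added in the first hunk is not referenced by any line visible in this patch's MAS.java hunks, so it is probably unused.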
@@ -247,6 +247,13 @@ public boolean isSsoEnabled() { return ConfigurationManager.getInstance().getConnectedGatewayConfigurationProvider().getProperty(MobileSsoConfig.PROP_SSO_ENABLED); } +// /** +// * Determines if the client's SSO is enabled or not. This value is read from JSON configuration, if there is no value defined in keychain. +// */ +// public boolean isSslPinningEnabled() { +// return ConfigurationManager.getInstance().getConnectedGatewayConfigurationProvider().getProperty(MobileSsoConfig.PROP_SSL_PINNING_ENABLED); +// } + /** * Retrieves an endpoint path fragment for a given endpoint key, the keys can be one of the following *

    diff --git a/mas-foundation/src/main/java/com/ca/mas/foundation/MASSecurityConfiguration.java b/mas-foundation/src/main/java/com/ca/mas/foundation/MASSecurityConfiguration.java index 1f6de9e09..3c3c388f9 100644 --- a/mas-foundation/src/main/java/com/ca/mas/foundation/MASSecurityConfiguration.java +++ b/mas-foundation/src/main/java/com/ca/mas/foundation/MASSecurityConfiguration.java @@ -23,12 +23,14 @@ public interface MASSecurityConfiguration { Uri getHost(); boolean isPublic(); boolean trustPublicPki(); + boolean isSslPinningEnabled(); List getCertificates(); List getPublicKeyHashes(); class Builder { private boolean isPublic; + private boolean isSSLPinningEnabled = false; private boolean trustPublicPKI; private List certificates; @@ -56,6 +58,16 @@ public Builder trustPublicPKI(boolean trust) { return this; } + /** + * Determines whether or not to enable ssl pinning to primary gateway. + * @param sslPinning to include or not + * @return the builder object + */ + public Builder enableSSLPinning(boolean sslPinning) { + this.isSSLPinningEnabled = sslPinning; + return this; + } + /** * The URI of the designated host. * @param host URI for the host @@ -104,7 +116,7 @@ public MASSecurityConfiguration build() { } // If trustPublicPKI is false and no pinning information is found, throw an exception. - if (!trustPublicPKI && publicKeyHashes == null && certificates == null) { + if (isSSLPinningEnabled && !trustPublicPKI && publicKeyHashes == null && certificates == null) { throw new IllegalArgumentException("Missing pinning type, cannot establish SSL."); } @@ -133,6 +145,11 @@ public List getPublicKeyHashes() { public boolean trustPublicPki() { return trustPublicPKI; } + + @Override + public boolean isSslPinningEnabled() { + return isSSLPinningEnabled; + } }; } } From d8a9df523282e26e0ce7ca85476dc65e90cacef1 Mon Sep 17 00:00:00 2001 
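Review bot: In build(), the precondition is now `if (isSSLPinningEnabled && !trustPublicPKI && publicKeyHashes == null && certificates == null)`, so with the new default of isSSLPinningEnabled = false a configuration that neither trusts the public PKI nor carries any pin is accepted, and the hunk does not say what server validation such a configuration is supposed to provide. Either keep the check unconditional, as it was, or make the builder reject `trustPublicPKI(false)` without pins regardless of the pinning flag, since the flag only makes sense when there is something to pin against. The `@param sslPinning to include or not` line on enableSSLPinning should also state the default, e.g. `@param sslPinning true to enforce the configured pins; defaults to false`.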
From: am654971 Date: Mon, 7 Jun 2021 19:05:05 +0530 Subject: [PATCH 4/9] Code changes for SSL Pinning implementation. SSL Pinning will be disabled by default. It can be enabled using enableSSLPinning method or msso_config property --- .../java/com/ca/mas/core/MobileSsoConfig.java | 1 - .../java/com/ca/mas/core/conf/Config.java | 3 +- .../mas/core/conf/ConfigurationManager.java | 15 ------ ...dCertificateConfigurationTrustManager.java | 53 +++++++++---------- .../main/java/com/ca/mas/foundation/MAS.java | 16 ------ .../ca/mas/foundation/MASConfiguration.java | 7 --- .../foundation/MASSecurityConfiguration.java | 19 +------ 7 files changed, 26 insertions(+), 88 deletions(-) diff --git a/mas-foundation/src/main/java/com/ca/mas/core/MobileSsoConfig.java b/mas-foundation/src/main/java/com/ca/mas/core/MobileSsoConfig.java index bc4607d3f..69b5dfa15 100755 --- a/mas-foundation/src/main/java/com/ca/mas/core/MobileSsoConfig.java +++ b/mas-foundation/src/main/java/com/ca/mas/core/MobileSsoConfig.java @@ -310,7 +310,6 @@ public interface MobileSsoConfig { String PROP_DEVICE_METADATA_PATH = "msso_device_metadata"; - String PROP_SSL_PINNING_ENABLED = "ssl_pinning_enabled"; // If you add any properties to this file, you must update MobileSsoFactory.createConfig() // or they will be ignored. diff --git a/mas-foundation/src/main/java/com/ca/mas/core/conf/Config.java b/mas-foundation/src/main/java/com/ca/mas/core/conf/Config.java index 634b1a1ee..cb1bdae47 100755 --- a/mas-foundation/src/main/java/com/ca/mas/core/conf/Config.java +++ b/mas-foundation/src/main/java/com/ca/mas/core/conf/Config.java 
@@ -56,7 +56,6 @@ public class Config { public static final Config TRUSTED_CERT_PINNED_PUBLIC_KEY_HASHES = new Config(false, MobileSsoConfig.PROP_TRUSTED_CERT_PINNED_PUBLIC_KEY_HASHES, "mag.mobile_sdk.trusted_cert_pinned_public_key_hashes", List.class); public static final Config CLIENT_CERT_RSA_KEYBITS = new Config(false, MobileSsoConfig.PROP_CLIENT_CERT_RSA_KEYBITS, "mag.mobile_sdk.client_cert_rsa_keybits", Integer.class); public static final Config CLIENT_STORAGE = new Config(false, MobileSsoConfig.PROP_STORAGE, "mag.mobile_sdk.storage", String.class); - public static final Config SSL_PINNING_ENABLED = new Config(true, MobileSsoConfig.PROP_SSL_PINNING_ENABLED, "mag.mobile_sdk.ssl_pinning_enabled", Boolean.class); //mag.ble public static final Config BLE_SERVICE_UUID = new Config(false, MobileSsoConfig.PROP_BLE_SERVICE_UUID, "mag.ble.msso_ble_service_uuid", String.class); @@ -67,7 +66,7 @@ public class Config { HOSTNAME, PORT, PREFIX, SERVER_CERTS, ORGANIZATION, CLIENT_KEY, CLIENT_SECRET, SCOPE, REDIRECT_URI, AUTHORIZE_PATH, REGISTER_TOKEN_PATH, REGISTER_TOKEN_PATH_SSO, LOGOUT_DEVICE_PATH, REVOKE_PATH, REMOVE_DEVICE_PATH, REGISTER_DEVICE_PATH, RENEW_DEVICE_PATH, REGISTER_DEVICE_PATH_CLIENT, CLIENT_CREDENTIAL_INIT_PATH, ENTERPRISE_APP_PATH, SSO_ENABLED, LOCATION_ENABLED, LOCATION_PROVIDER, MSISDN_ENABLED, TRUSTED_PUBLIC_PKI,DEVICE_METADATA_PATH, TRUSTED_CERT_PINNED_PUBLIC_KEY_HASHES, CLIENT_CERT_RSA_KEYBITS, CLIENT_STORAGE, BLE_SERVICE_UUID, BLE_USER_SESSION_CHARACTERISTIC_UUID, - BLE_RSSI, AUTHENTICATE_OTP_PATH, SSL_PINNING_ENABLED + BLE_RSSI, AUTHENTICATE_OTP_PATH }; public boolean mandatory; diff --git a/mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationManager.java b/mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationManager.java index 11d626779..45c133f31 100755 --- a/mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationManager.java +++ b/mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationManager.java 
@@ -46,7 +46,6 @@ public class ConfigurationManager { private List appConfigs; private String configurationFileName = null; private boolean enablePKCE = true; - private boolean enableSslPinning = false; private boolean idTokenValidation = true; private boolean enableJwksPreload = false; private JSONObject jsonConfiguration; @@ -79,10 +78,6 @@ public void enablePKCE(boolean enablePKCE) { this.enablePKCE = enablePKCE; } - public void enableSslPinningEnabled(boolean enableSslPinning) { - this.enableSslPinning = enableSslPinning; - } - public void enableIdTokenValidation(boolean enableValidation) { this.idTokenValidation = enableValidation; } @@ -95,10 +90,6 @@ public boolean isPKCEEnabled() { return enablePKCE; } - public boolean isSslPinningEnabled() { - return enableSslPinning; - } - public void reset() { connectedGatewayConfigurationProvider = null; } @@ -267,12 +258,6 @@ public ConfigurationProvider create(JSONObject jsonObject) throws JSONException conf.setAlsoTrustPublicPki((Boolean) getValue(Config.TRUSTED_PUBLIC_PKI, jsonObject, Boolean.FALSE)); continue; } - - if (attr == Config.SSL_PINNING_ENABLED) { - conf.setAlsoTrustPublicPki((Boolean) getValue(Config.TRUSTED_PUBLIC_PKI, jsonObject, Boolean.FALSE)); - continue; - } - Object value = getValue(attr, jsonObject); if (value != null) { conf.putProperty(attr.key, value); diff --git a/mas-foundation/src/main/java/com/ca/mas/core/io/http/TrustedCertificateConfigurationTrustManager.java b/mas-foundation/src/main/java/com/ca/mas/core/io/http/TrustedCertificateConfigurationTrustManager.java index 3e11fb017..00bf9290f 100755 --- a/mas-foundation/src/main/java/com/ca/mas/core/io/http/TrustedCertificateConfigurationTrustManager.java +++ b/mas-foundation/src/main/java/com/ca/mas/core/io/http/TrustedCertificateConfigurationTrustManager.java 
@@ -9,7 +9,6 @@ import com.ca.mas.core.cert.PublicKeyHash; import com.ca.mas.core.cert.TrustedCertificateConfiguration; -import com.ca.mas.foundation.MAS; import com.ca.mas.foundation.MASSecurityConfiguration; import java.io.IOException; 
@@ -118,43 +117,39 @@ public void checkServerTrusted(X509Certificate[] chain, String s) throws Certifi List certs = config.getCertificates(); List hashes = config.getPublicKeyHashes(); - if(MAS.isSslPinningEnabled() && config.isSslPinningEnabled()) - { - //If we don't trust the public PKI, we fail the validation - if (config.trustPublicPki()) { - //All public PKI delegates must succeed - for (X509TrustManager delegate : publicPkiDelegates) { - delegate.checkServerTrusted(chain, s); - } + //If we don't trust the public PKI, we fail the validation + if (config.trustPublicPki()) { + //All public PKI delegates must succeed + for (X509TrustManager delegate : publicPkiDelegates) { + delegate.checkServerTrusted(chain, s); } + } - //Check the private trust store for any thrown exceptions - if (certs != null && !certs.isEmpty()) { - checkPrivateTrustStoreDelegates(chain, s); - } + //Check the private trust store for any thrown exceptions + if (certs != null && !certs.isEmpty()) { + checkPrivateTrustStoreDelegates(chain, s); + } - //Check the public key hashes - boolean hashesValid = false; - if (hashes != null) { - if (!hashes.isEmpty()) { - for (X509Certificate xcert : chain) { - PublicKey key = xcert.getPublicKey(); - if (key != null) { - String hashString = PublicKeyHash.fromPublicKey(key).getHashString(); - if (hashes.contains(hashString)) { - hashesValid = true; - break; - } + //Check the public key hashes + boolean hashesValid = false; + if (hashes != null) { + if (!hashes.isEmpty()) { + for (X509Certificate xcert : chain) { + PublicKey key = xcert.getPublicKey(); + if (key != null) { + String hashString = PublicKeyHash.fromPublicKey(key).getHashString(); + if (hashes.contains(hashString)) { + hashesValid = true; + break; } } } + } - if (!hashesValid) { - throw new CertificateException("Server certificate chain did not contain any of the pinned public keys."); - } + if (!hashesValid) { + throw new CertificateException("Server certificate chain did not contain any of 
the pinned public keys."); } } - } @Override diff --git a/mas-foundation/src/main/java/com/ca/mas/foundation/MAS.java b/mas-foundation/src/main/java/com/ca/mas/foundation/MAS.java index 5aca968a9..6d6a791d5 100755 --- a/mas-foundation/src/main/java/com/ca/mas/foundation/MAS.java +++ b/mas-foundation/src/main/java/com/ca/mas/foundation/MAS.java @@ -21,7 +21,6 @@ import com.ca.mas.core.EventDispatcher; import com.ca.mas.core.MAGResultReceiver; -import com.ca.mas.core.MobileSsoConfig; import com.ca.mas.core.MobileSsoFactory; import com.ca.mas.core.client.ServerClient; import com.ca.mas.core.conf.ConfigurationManager; @@ -557,12 +556,6 @@ public static void enableIdTokenValidation(boolean enableValidation) { ConfigurationManager.getInstance().enableIdTokenValidation(enableValidation); } - /** - * Enables the SSL Pinning. - */ - public static void enableSslPinningEnabled(boolean enableSSLPinning) { - ConfigurationManager.getInstance().enableSslPinningEnabled(enableSSLPinning); - } /** * Value of the boolean indicator which indicate if the id_token validation is active or not. */ @@ -579,15 +572,6 @@ public static boolean isPKCEEnabled() { return ConfigurationManager.getInstance().isPKCEEnabled(); } - /** - * Determines whether PKCE extension is enabled. - * - * @return true if ssl pinning is enabled, false otherwise - */ - public static boolean isSslPinningEnabled() { - return ConfigurationManager.getInstance().isSslPinningEnabled(); - } - /** * Stops the lifecycle of all MAS processes. */ diff --git a/mas-foundation/src/main/java/com/ca/mas/foundation/MASConfiguration.java b/mas-foundation/src/main/java/com/ca/mas/foundation/MASConfiguration.java index 6f03049df..bc974b9f7 100755 --- a/mas-foundation/src/main/java/com/ca/mas/foundation/MASConfiguration.java +++ b/mas-foundation/src/main/java/com/ca/mas/foundation/MASConfiguration.java 
@@ -247,13 +247,6 @@ public boolean isSsoEnabled() { return ConfigurationManager.getInstance().getConnectedGatewayConfigurationProvider().getProperty(MobileSsoConfig.PROP_SSO_ENABLED); } -// /** -// * Determines if the client's SSO is enabled or not. This value is read from JSON configuration, if there is no value defined in keychain. -// */ -// public boolean isSslPinningEnabled() { -// return ConfigurationManager.getInstance().getConnectedGatewayConfigurationProvider().getProperty(MobileSsoConfig.PROP_SSL_PINNING_ENABLED); -// } - /** * Retrieves an endpoint path fragment for a given endpoint key, the keys can be one of the following *
      diff --git a/mas-foundation/src/main/java/com/ca/mas/foundation/MASSecurityConfiguration.java b/mas-foundation/src/main/java/com/ca/mas/foundation/MASSecurityConfiguration.java index 3c3c388f9..1f6de9e09 100644 --- a/mas-foundation/src/main/java/com/ca/mas/foundation/MASSecurityConfiguration.java +++ b/mas-foundation/src/main/java/com/ca/mas/foundation/MASSecurityConfiguration.java @@ -23,14 +23,12 @@ public interface MASSecurityConfiguration { Uri getHost(); boolean isPublic(); boolean trustPublicPki(); - boolean isSslPinningEnabled(); List getCertificates(); List getPublicKeyHashes(); class Builder { private boolean isPublic; - private boolean isSSLPinningEnabled = false; private boolean trustPublicPKI; private List certificates; @@ -58,16 +56,6 @@ public Builder trustPublicPKI(boolean trust) { return this; } - /** - * Determines whether or not to enable ssl pinning to primary gateway. - * @param sslPinning to include or not - * @return the builder object - */ - public Builder enableSSLPinning(boolean sslPinning) { - this.isSSLPinningEnabled = sslPinning; - return this; - } - /** * The URI of the designated host. * @param host URI for the host @@ -116,7 +104,7 @@ public MASSecurityConfiguration build() { } // If trustPublicPKI is false and no pinning information is found, throw an exception. - if (isSSLPinningEnabled && !trustPublicPKI && publicKeyHashes == null && certificates == null) { + if (!trustPublicPKI && publicKeyHashes == null && certificates == null) { throw new IllegalArgumentException("Missing pinning type, cannot establish SSL."); } @@ -145,11 +133,6 @@ public List getPublicKeyHashes() { public boolean trustPublicPki() { return trustPublicPKI; } - - @Override - public boolean isSslPinningEnabled() { - return isSSLPinningEnabled; - } }; } } From 59e829339e323a43f8d22c6c6de6ba41e7731710 Mon Sep 17 00:00:00 2001 
From: am654971 Date: Mon, 14 Jun 2021 20:05:55 +0530 Subject: [PATCH 5/9] SSL Pinning changes --- .../java/com/ca/mas/core/MobileSsoConfig.java | 5 +- .../java/com/ca/mas/core/conf/Config.java | 5 +- .../mas/core/conf/ConfigurationManager.java | 17 +++++- ...dCertificateConfigurationTrustManager.java | 55 ++++++++++--------- .../main/java/com/ca/mas/foundation/MAS.java | 16 ++++++ .../ca/mas/foundation/MASConfiguration.java | 7 +++ .../foundation/MASSecurityConfiguration.java | 21 ++++++- 7 files changed, 94 insertions(+), 32 deletions(-) diff --git a/mas-foundation/src/main/java/com/ca/mas/core/MobileSsoConfig.java b/mas-foundation/src/main/java/com/ca/mas/core/MobileSsoConfig.java index 69b5dfa15..b91f82151 100755 --- a/mas-foundation/src/main/java/com/ca/mas/core/MobileSsoConfig.java +++ b/mas-foundation/src/main/java/com/ca/mas/core/MobileSsoConfig.java @@ -255,7 +255,7 @@ public interface MobileSsoConfig { * * True if MSISDN information should be included. False if MSISDN information should not be included. */ - String PROP_MSISDN_ENABLED = "msso.msisdn.enabled"; + String PROP_MSISDN_ENABLED = "msso.msisdn.enabled"; /** * String. URL suffix for client credentials endpoint. @@ -310,7 +310,8 @@ public interface MobileSsoConfig { String PROP_DEVICE_METADATA_PATH = "msso_device_metadata"; + String PROP_SSL_PINNING_ENABLED = "ssl_pinning_enabled"; // If you add any properties to this file, you must update MobileSsoFactory.createConfig() // or they will be ignored. -} +} \ No newline at end of file diff --git a/mas-foundation/src/main/java/com/ca/mas/core/conf/Config.java b/mas-foundation/src/main/java/com/ca/mas/core/conf/Config.java index cb1bdae47..d51bae406 100755 --- a/mas-foundation/src/main/java/com/ca/mas/core/conf/Config.java +++ b/mas-foundation/src/main/java/com/ca/mas/core/conf/Config.java 
@@ -56,6 +56,7 @@ public class Config { public static final Config TRUSTED_CERT_PINNED_PUBLIC_KEY_HASHES = new Config(false, MobileSsoConfig.PROP_TRUSTED_CERT_PINNED_PUBLIC_KEY_HASHES, "mag.mobile_sdk.trusted_cert_pinned_public_key_hashes", List.class); public static final Config CLIENT_CERT_RSA_KEYBITS = new Config(false, MobileSsoConfig.PROP_CLIENT_CERT_RSA_KEYBITS, "mag.mobile_sdk.client_cert_rsa_keybits", Integer.class); public static final Config CLIENT_STORAGE = new Config(false, MobileSsoConfig.PROP_STORAGE, "mag.mobile_sdk.storage", String.class); + public static final Config SSL_PINNING_ENABLED = new Config(true, MobileSsoConfig.PROP_SSL_PINNING_ENABLED, "mag.mobile_sdk.ssl_pinning_enabled", Boolean.class); //mag.ble public static final Config BLE_SERVICE_UUID = new Config(false, MobileSsoConfig.PROP_BLE_SERVICE_UUID, "mag.ble.msso_ble_service_uuid", String.class); @@ -66,7 +67,7 @@ public class Config { HOSTNAME, PORT, PREFIX, SERVER_CERTS, ORGANIZATION, CLIENT_KEY, CLIENT_SECRET, SCOPE, REDIRECT_URI, AUTHORIZE_PATH, REGISTER_TOKEN_PATH, REGISTER_TOKEN_PATH_SSO, LOGOUT_DEVICE_PATH, REVOKE_PATH, REMOVE_DEVICE_PATH, REGISTER_DEVICE_PATH, RENEW_DEVICE_PATH, REGISTER_DEVICE_PATH_CLIENT, CLIENT_CREDENTIAL_INIT_PATH, ENTERPRISE_APP_PATH, SSO_ENABLED, LOCATION_ENABLED, LOCATION_PROVIDER, MSISDN_ENABLED, TRUSTED_PUBLIC_PKI,DEVICE_METADATA_PATH, TRUSTED_CERT_PINNED_PUBLIC_KEY_HASHES, CLIENT_CERT_RSA_KEYBITS, CLIENT_STORAGE, BLE_SERVICE_UUID, BLE_USER_SESSION_CHARACTERISTIC_UUID, - BLE_RSSI, AUTHENTICATE_OTP_PATH + BLE_RSSI, AUTHENTICATE_OTP_PATH, SSL_PINNING_ENABLED }; public boolean mandatory; @@ -89,4 +90,4 @@ public Config(boolean mandatory, String key, String path, Class type) { this.type = type; } -} +} \ No newline at end of file diff --git a/mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationManager.java b/mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationManager.java index 45c133f31..3c5f25f63 100755 
--- a/mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationManager.java +++ b/mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationManager.java @@ -46,6 +46,7 @@ public class ConfigurationManager { private List appConfigs; private String configurationFileName = null; private boolean enablePKCE = true; + private boolean enableSslPinning = false; private boolean idTokenValidation = true; private boolean enableJwksPreload = false; private JSONObject jsonConfiguration; @@ -78,6 +79,10 @@ public void enablePKCE(boolean enablePKCE) { this.enablePKCE = enablePKCE; } + public void enableSslPinningEnabled(boolean enableSslPinning) { + this.enableSslPinning = enableSslPinning; + } + public void enableIdTokenValidation(boolean enableValidation) { this.idTokenValidation = enableValidation; } @@ -90,6 +95,10 @@ public boolean isPKCEEnabled() { return enablePKCE; } + public boolean isSslPinningEnabled() { + return enableSslPinning; + } + public void reset() { connectedGatewayConfigurationProvider = null; } @@ -258,6 +267,12 @@ public ConfigurationProvider create(JSONObject jsonObject) throws JSONException conf.setAlsoTrustPublicPki((Boolean) getValue(Config.TRUSTED_PUBLIC_PKI, jsonObject, Boolean.FALSE)); continue; } + + if (attr == Config.SSL_PINNING_ENABLED) { + conf.setAlsoTrustPublicPki((Boolean) getValue(Config.TRUSTED_PUBLIC_PKI, jsonObject, Boolean.FALSE)); + continue; + } + Object value = getValue(attr, jsonObject); if (value != null) { conf.putProperty(attr.key, value); @@ -477,4 +492,4 @@ public void enableJwksPreload(boolean enableJwksPreload) { public void setJsonConfig(JSONObject jsonConfig) { this.jsonConfiguration = jsonConfig; } -} +} \ No newline at end of file diff --git a/mas-foundation/src/main/java/com/ca/mas/core/io/http/TrustedCertificateConfigurationTrustManager.java b/mas-foundation/src/main/java/com/ca/mas/core/io/http/TrustedCertificateConfigurationTrustManager.java index 00bf9290f..abc9cb911 100755 
--- a/mas-foundation/src/main/java/com/ca/mas/core/io/http/TrustedCertificateConfigurationTrustManager.java
+++ b/mas-foundation/src/main/java/com/ca/mas/core/io/http/TrustedCertificateConfigurationTrustManager.java
@@ -9,6 +9,7 @@ import com.ca.mas.core.cert.PublicKeyHash;
 import com.ca.mas.core.cert.TrustedCertificateConfiguration;
+import com.ca.mas.foundation.MAS;
 import com.ca.mas.foundation.MASSecurityConfiguration;
 import java.io.IOException;
@@ -117,43 +118,47 @@ public void checkServerTrusted(X509Certificate[] chain, String s) throws Certifi List certs = config.getCertificates(); List hashes = config.getPublicKeyHashes(); - //If we don't trust the public PKI, we fail the validation - if (config.trustPublicPki()) { - //All public PKI delegates must succeed - for (X509TrustManager delegate : publicPkiDelegates) { - delegate.checkServerTrusted(chain, s); + if(MAS.isSslPinningEnabled() && config.isSslPinningEnabled()) + { + //If we don't trust the public PKI, we fail the validation + if (config.trustPublicPki()) { + //All public PKI delegates must succeed + for (X509TrustManager delegate : publicPkiDelegates) { + delegate.checkServerTrusted(chain, s); + } } - } - //Check the private trust store for any thrown exceptions - if (certs != null && !certs.isEmpty()) { - checkPrivateTrustStoreDelegates(chain, s); - } + //Check the private trust store for any thrown exceptions + if (certs != null && !certs.isEmpty()) { + checkPrivateTrustStoreDelegates(chain, s); + } - //Check the public key hashes - boolean hashesValid = false; - if (hashes != null) { - if (!hashes.isEmpty()) { - for (X509Certificate xcert : chain) { - PublicKey key = xcert.getPublicKey(); - if (key != null) { - String hashString = PublicKeyHash.fromPublicKey(key).getHashString(); - if (hashes.contains(hashString)) { - hashesValid = true; - break; + //Check the public key hashes + boolean hashesValid = false; + if (hashes != null) { + if (!hashes.isEmpty()) { + for (X509Certificate xcert : chain) { + PublicKey key = xcert.getPublicKey(); + if (key != null) { + String hashString = PublicKeyHash.fromPublicKey(key).getHashString(); + if (hashes.contains(hashString)) { + hashesValid = true; + break; + } } } } - } - if (!hashesValid) { - throw new CertificateException("Server certificate chain did not contain any of the pinned public keys."); + if (!hashesValid) { + throw new CertificateException("Server certificate chain did not contain any of the 
pinned public keys."); + } } } + } @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; } -} +} \ No newline at end of file diff --git a/mas-foundation/src/main/java/com/ca/mas/foundation/MAS.java b/mas-foundation/src/main/java/com/ca/mas/foundation/MAS.java index 6d6a791d5..5aca968a9 100755 --- a/mas-foundation/src/main/java/com/ca/mas/foundation/MAS.java +++ b/mas-foundation/src/main/java/com/ca/mas/foundation/MAS.java @@ -21,6 +21,7 @@ import com.ca.mas.core.EventDispatcher; import com.ca.mas.core.MAGResultReceiver; +import com.ca.mas.core.MobileSsoConfig; import com.ca.mas.core.MobileSsoFactory; import com.ca.mas.core.client.ServerClient; import com.ca.mas.core.conf.ConfigurationManager; @@ -556,6 +557,12 @@ public static void enableIdTokenValidation(boolean enableValidation) { ConfigurationManager.getInstance().enableIdTokenValidation(enableValidation); } + /** + * Enables the SSL Pinning. + */ + public static void enableSslPinningEnabled(boolean enableSSLPinning) { + ConfigurationManager.getInstance().enableSslPinningEnabled(enableSSLPinning); + } /** * Value of the boolean indicator which indicate if the id_token validation is active or not. */ @@ -572,6 +579,15 @@ public static boolean isPKCEEnabled() { return ConfigurationManager.getInstance().isPKCEEnabled(); } + /** + * Determines whether PKCE extension is enabled. + * + * @return true if ssl pinning is enabled, false otherwise + */ + public static boolean isSslPinningEnabled() { + return ConfigurationManager.getInstance().isSslPinningEnabled(); + } + /** * Stops the lifecycle of all MAS processes. */ diff --git a/mas-foundation/src/main/java/com/ca/mas/foundation/MASConfiguration.java b/mas-foundation/src/main/java/com/ca/mas/foundation/MASConfiguration.java index bc974b9f7..6f03049df 100755 --- a/mas-foundation/src/main/java/com/ca/mas/foundation/MASConfiguration.java +++ b/mas-foundation/src/main/java/com/ca/mas/foundation/MASConfiguration.java 
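Review bot: Wrapping the whole body of checkServerTrusted in `if(MAS.isSslPinningEnabled() && config.isSslPinningEnabled())` skips the `publicPkiDelegates` loop as well as the pin checks, so when either flag is off the method returns without validating the chain at all; if this is the only X509TrustManager on the connection's SSLContext, any server certificate is then accepted, which is far broader than "pinning disabled". PATCH 6/9 rewrites the same block as an early `return` (with the flags renamed to `MAS.isSSLPinningEnabled()` / `config.allowSSLPinning()`) and keeps that behaviour, and its MASSecurityConfiguration.build() hunk (`@@ -116`) only rejects a configuration with neither trustPublicPKI nor pins while allowSSLPinning is true, so a configuration that validates nothing becomes constructible. The flags should gate only the private trust store and public-key-hash checks, with the public-PKI delegates still run whenever pinning is off, as sketched below for this hunk and the PATCH 6/9 one. The construction of `publicPkiDelegates` and `checkPrivateTrustStoreDelegates` are outside the hunk.
```java
boolean pinningActive = MAS.isSslPinningEnabled() && config.isSslPinningEnabled();

// Public PKI validation is never skipped: with pinning off it is the only check left,
// with pinning on it runs when the configuration also trusts the public PKI.
if (config.trustPublicPki() || !pinningActive) {
    // … unchanged: publicPkiDelegates loop …
}

// Only the pin checks are bypassed when pinning is disabled.
if (!pinningActive) {
    return;
}

// … unchanged: private trust store check and public key hash check …
```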
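Review bot: The Javadoc on the new isSslPinningEnabled() in MAS.java (`@@ -572`) reads `Determines whether PKCE extension is enabled.`, copied from isPKCEEnabled() directly above it; it should read `Determines whether SSL pinning is enabled.` The enableSslPinningEnabled(boolean) added in the preceding hunk (`@@ -556`) has a one-line summary and no `@param`; `@param enableSSLPinning true to enforce SSL pinning, false to bypass it` would match the surrounding Javadoc.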
@@ -247,6 +247,13 @@ public boolean isSsoEnabled() { return ConfigurationManager.getInstance().getConnectedGatewayConfigurationProvider().getProperty(MobileSsoConfig.PROP_SSO_ENABLED); } +// /** +// * Determines if the client's SSO is enabled or not. This value is read from JSON configuration, if there is no value defined in keychain. +// */ +// public boolean isSslPinningEnabled() { +// return ConfigurationManager.getInstance().getConnectedGatewayConfigurationProvider().getProperty(MobileSsoConfig.PROP_SSL_PINNING_ENABLED); +// } + /** * Retrieves an endpoint path fragment for a given endpoint key, the keys can be one of the following *
        diff --git a/mas-foundation/src/main/java/com/ca/mas/foundation/MASSecurityConfiguration.java b/mas-foundation/src/main/java/com/ca/mas/foundation/MASSecurityConfiguration.java index 1f6de9e09..8ce72f339 100644 --- a/mas-foundation/src/main/java/com/ca/mas/foundation/MASSecurityConfiguration.java +++ b/mas-foundation/src/main/java/com/ca/mas/foundation/MASSecurityConfiguration.java @@ -23,12 +23,14 @@ public interface MASSecurityConfiguration { Uri getHost(); boolean isPublic(); boolean trustPublicPki(); + boolean isSslPinningEnabled(); List getCertificates(); List getPublicKeyHashes(); class Builder { private boolean isPublic; + private boolean isSSLPinningEnabled = false; private boolean trustPublicPKI; private List certificates; @@ -56,6 +58,16 @@ public Builder trustPublicPKI(boolean trust) { return this; } + /** + * Determines whether or not to enable ssl pinning to primary gateway. + * @param sslPinning to include or not + * @return the builder object + */ + public Builder enableSSLPinning(boolean sslPinning) { + this.isSSLPinningEnabled = sslPinning; + return this; + } + /** * The URI of the designated host. * @param host URI for the host @@ -104,7 +116,7 @@ public MASSecurityConfiguration build() { } // If trustPublicPKI is false and no pinning information is found, throw an exception. - if (!trustPublicPKI && publicKeyHashes == null && certificates == null) { + if (isSSLPinningEnabled && !trustPublicPKI && publicKeyHashes == null && certificates == null) { throw new IllegalArgumentException("Missing pinning type, cannot establish SSL."); } @@ -133,7 +145,12 @@ public List getPublicKeyHashes() { public boolean trustPublicPki() { return trustPublicPKI; } + + @Override + public boolean isSslPinningEnabled() { + return isSSLPinningEnabled; + } }; } } -} +} \ No newline at end of file From c506942443a5f5bca8452a84998faea0f943054a Mon Sep 17 00:00:00 2001 
From: Syed Yusuf Date: Mon, 5 Jul 2021 20:52:22 +0530 Subject: [PATCH 6/9] [US749259] Renaming the flags to be in sync with iOS and added code to fetch ssl_pinning_enabled flag from msso_config and set it to the Primary Gateway and made it to be non-must --- .../java/com/ca/mas/core/conf/Config.java | 2 +- .../mas/core/conf/ConfigurationManager.java | 4 +- .../mas/core/conf/ConfigurationProvider.java | 7 +++ .../mas/core/conf/DefaultConfiguration.java | 8 +++ ...dCertificateConfigurationTrustManager.java | 57 ++++++++++--------- .../main/java/com/ca/mas/foundation/MAS.java | 4 +- .../ca/mas/foundation/MASConfiguration.java | 7 ++- .../foundation/MASSecurityConfiguration.java | 14 ++--- 8 files changed, 62 insertions(+), 41 deletions(-) diff --git a/mas-foundation/src/main/java/com/ca/mas/core/conf/Config.java b/mas-foundation/src/main/java/com/ca/mas/core/conf/Config.java index d51bae406..90de454b7 100755 --- a/mas-foundation/src/main/java/com/ca/mas/core/conf/Config.java +++ b/mas-foundation/src/main/java/com/ca/mas/core/conf/Config.java 
@@ -56,7 +56,7 @@ public class Config { public static final Config TRUSTED_CERT_PINNED_PUBLIC_KEY_HASHES = new Config(false, MobileSsoConfig.PROP_TRUSTED_CERT_PINNED_PUBLIC_KEY_HASHES, "mag.mobile_sdk.trusted_cert_pinned_public_key_hashes", List.class); public static final Config CLIENT_CERT_RSA_KEYBITS = new Config(false, MobileSsoConfig.PROP_CLIENT_CERT_RSA_KEYBITS, "mag.mobile_sdk.client_cert_rsa_keybits", Integer.class); public static final Config CLIENT_STORAGE = new Config(false, MobileSsoConfig.PROP_STORAGE, "mag.mobile_sdk.storage", String.class); - public static final Config SSL_PINNING_ENABLED = new Config(true, MobileSsoConfig.PROP_SSL_PINNING_ENABLED, "mag.mobile_sdk.ssl_pinning_enabled", Boolean.class); + public static final Config SSL_PINNING_ENABLED = new Config(false, MobileSsoConfig.PROP_SSL_PINNING_ENABLED, "mag.mobile_sdk.ssl_pinning_enabled", Boolean.class); //mag.ble public static final Config BLE_SERVICE_UUID = new Config(false, MobileSsoConfig.PROP_BLE_SERVICE_UUID, "mag.ble.msso_ble_service_uuid", String.class); diff --git a/mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationManager.java b/mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationManager.java index 3c5f25f63..c470c406e 100755 --- a/mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationManager.java +++ b/mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationManager.java @@ -46,7 +46,7 @@ public class ConfigurationManager { private List appConfigs; private String configurationFileName = null; private boolean enablePKCE = true; - private boolean enableSslPinning = false; + private boolean enableSslPinning = true; private boolean idTokenValidation = true; private boolean enableJwksPreload = false; private JSONObject jsonConfiguration; 
@@ -269,7 +269,7 @@ public ConfigurationProvider create(JSONObject jsonObject) throws JSONException } if (attr == Config.SSL_PINNING_ENABLED) { - conf.setAlsoTrustPublicPki((Boolean) getValue(Config.TRUSTED_PUBLIC_PKI, jsonObject, Boolean.FALSE)); + conf.setAllowSSLPinning((Boolean) getValue(Config.SSL_PINNING_ENABLED, jsonObject, Boolean.TRUE)); continue; } diff --git a/mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationProvider.java b/mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationProvider.java index cb2303f40..3a8187cff 100755 --- a/mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationProvider.java +++ b/mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationProvider.java @@ -90,6 +90,13 @@ public interface ConfigurationProvider extends TrustedCertificateConfiguration, */ String getPrefix(); + /** + * Based on the provided configuration the SDK, retrieve the ssl_pinning_enabled attribute. + * + * @return the ssl pinning enabled flag configured for the Gateway. + */ + boolean isSSLPinningAllowed(); + // Configuration properties that are not currently documented as part of the public API. /** diff --git a/mas-foundation/src/main/java/com/ca/mas/core/conf/DefaultConfiguration.java b/mas-foundation/src/main/java/com/ca/mas/core/conf/DefaultConfiguration.java index 1b236ee97..3e4a7d23e 100755 --- a/mas-foundation/src/main/java/com/ca/mas/core/conf/DefaultConfiguration.java +++ b/mas-foundation/src/main/java/com/ca/mas/core/conf/DefaultConfiguration.java @@ -64,6 +64,7 @@ public class DefaultConfiguration implements ConfigurationProvider { private List trustedCertificateAnchors = new ArrayList(); private boolean alsoTrustPublicPki = true; + private boolean allowSSLPinning = true; private Set trustedCertificatePinnedPublicKeyHashes = new HashSet(); /** 
@@ -121,6 +122,10 @@ public void setAlsoTrustPublicPki(boolean alsoTrustPublicPki) { this.alsoTrustPublicPki = alsoTrustPublicPki; } + public void setAllowSSLPinning(boolean allowSSLPinning) { + this.allowSSLPinning = allowSSLPinning; + } + /** * Add one or more trusted certificates to be returned by {@link #getTrustedCertificateAnchors()}. * @@ -272,6 +277,9 @@ public boolean isAlsoTrustPublicPki() { return alsoTrustPublicPki; } + @Override + public boolean isSSLPinningAllowed() { return allowSSLPinning; } + @Override public Collection getTrustedCertificatePinnedPublicKeyHashes() { return Collections.unmodifiableCollection(trustedCertificatePinnedPublicKeyHashes); diff --git a/mas-foundation/src/main/java/com/ca/mas/core/io/http/TrustedCertificateConfigurationTrustManager.java b/mas-foundation/src/main/java/com/ca/mas/core/io/http/TrustedCertificateConfigurationTrustManager.java index abc9cb911..077ec85ec 100755 --- a/mas-foundation/src/main/java/com/ca/mas/core/io/http/TrustedCertificateConfigurationTrustManager.java +++ b/mas-foundation/src/main/java/com/ca/mas/core/io/http/TrustedCertificateConfigurationTrustManager.java 
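Review bot: The new setAllowSSLPinning(boolean) at `@@ -121` carries no Javadoc, although the file documents its other mutators (the `Add one or more trusted certificates …` block right after it); `/** Sets whether SSL pinning is applied for this gateway; the default is true. */` would match. At `@@ -272` the body of isSSLPinningAllowed() is squeezed onto the signature line, unlike isAlsoTrustPublicPki() immediately above it, so `return allowSSLPinning;` should sit on its own line inside the braces.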
@@ -118,43 +118,44 @@ public void checkServerTrusted(X509Certificate[] chain, String s) throws Certifi List certs = config.getCertificates(); List hashes = config.getPublicKeyHashes(); - if(MAS.isSslPinningEnabled() && config.isSslPinningEnabled()) - { - //If we don't trust the public PKI, we fail the validation - if (config.trustPublicPki()) { - //All public PKI delegates must succeed - for (X509TrustManager delegate : publicPkiDelegates) { - delegate.checkServerTrusted(chain, s); - } - } + // Bypass the SSL Pinning if not enabled. + if (!MAS.isSSLPinningEnabled() || !config.allowSSLPinning()) { + return; + } - //Check the private trust store for any thrown exceptions - if (certs != null && !certs.isEmpty()) { - checkPrivateTrustStoreDelegates(chain, s); + //If we don't trust the public PKI, we fail the validation + if (config.trustPublicPki()) { + //All public PKI delegates must succeed + for (X509TrustManager delegate : publicPkiDelegates) { + delegate.checkServerTrusted(chain, s); } + } - //Check the public key hashes - boolean hashesValid = false; - if (hashes != null) { - if (!hashes.isEmpty()) { - for (X509Certificate xcert : chain) { - PublicKey key = xcert.getPublicKey(); - if (key != null) { - String hashString = PublicKeyHash.fromPublicKey(key).getHashString(); - if (hashes.contains(hashString)) { - hashesValid = true; - break; - } + //Check the private trust store for any thrown exceptions + if (certs != null && !certs.isEmpty()) { + checkPrivateTrustStoreDelegates(chain, s); + } + + //Check the public key hashes + boolean hashesValid = false; + if (hashes != null) { + if (!hashes.isEmpty()) { + for (X509Certificate xcert : chain) { + PublicKey key = xcert.getPublicKey(); + if (key != null) { + String hashString = PublicKeyHash.fromPublicKey(key).getHashString(); + if (hashes.contains(hashString)) { + hashesValid = true; + break; } } } + } - if (!hashesValid) { - throw new CertificateException("Server certificate chain did not contain any of the pinned 
public keys."); - } + if (!hashesValid) { + throw new CertificateException("Server certificate chain did not contain any of the pinned public keys."); } } - } @Override diff --git a/mas-foundation/src/main/java/com/ca/mas/foundation/MAS.java b/mas-foundation/src/main/java/com/ca/mas/foundation/MAS.java index 5aca968a9..c0bd1253c 100755 --- a/mas-foundation/src/main/java/com/ca/mas/foundation/MAS.java +++ b/mas-foundation/src/main/java/com/ca/mas/foundation/MAS.java @@ -560,7 +560,7 @@ public static void enableIdTokenValidation(boolean enableValidation) { /** * Enables the SSL Pinning. */ - public static void enableSslPinningEnabled(boolean enableSSLPinning) { + public static void enableSSLPinning(boolean enableSSLPinning) { ConfigurationManager.getInstance().enableSslPinningEnabled(enableSSLPinning); } /** @@ -584,7 +584,7 @@ public static boolean isPKCEEnabled() { * * @return true if ssl pinning is enabled, false otherwise */ - public static boolean isSslPinningEnabled() { + public static boolean isSSLPinningEnabled() { return ConfigurationManager.getInstance().isSslPinningEnabled(); } diff --git a/mas-foundation/src/main/java/com/ca/mas/foundation/MASConfiguration.java b/mas-foundation/src/main/java/com/ca/mas/foundation/MASConfiguration.java index 6f03049df..317bd9f41 100755 --- a/mas-foundation/src/main/java/com/ca/mas/foundation/MASConfiguration.java +++ b/mas-foundation/src/main/java/com/ca/mas/foundation/MASConfiguration.java 
@@ -84,9 +84,14 @@ public void update(Observable o, Object arg) { */ static MASSecurityConfiguration createPrimaryConfiguration(Uri uri) { ConfigurationProvider configurationProvider = ConfigurationManager.getInstance().getConnectedGatewayConfigurationProvider(); +// MASSecurityConfiguration.Builder configBuilder = new MASSecurityConfiguration.Builder() +// .host(uri) +// .trustPublicPKI(configurationProvider.isAlsoTrustPublicPki()); + MASSecurityConfiguration.Builder configBuilder = new MASSecurityConfiguration.Builder() .host(uri) - .trustPublicPKI(configurationProvider.isAlsoTrustPublicPki()); + .trustPublicPKI(configurationProvider.isAlsoTrustPublicPki()) + .allowSSLPinning(configurationProvider.isSSLPinningAllowed()); //Add certificates, if any exist Collection certificates = configurationProvider.getTrustedCertificateAnchors(); diff --git a/mas-foundation/src/main/java/com/ca/mas/foundation/MASSecurityConfiguration.java b/mas-foundation/src/main/java/com/ca/mas/foundation/MASSecurityConfiguration.java index 8ce72f339..403a4b08c 100644 --- a/mas-foundation/src/main/java/com/ca/mas/foundation/MASSecurityConfiguration.java +++ b/mas-foundation/src/main/java/com/ca/mas/foundation/MASSecurityConfiguration.java @@ -23,14 +23,14 @@ public interface MASSecurityConfiguration { Uri getHost(); boolean isPublic(); boolean trustPublicPki(); - boolean isSslPinningEnabled(); + boolean allowSSLPinning(); List getCertificates(); List getPublicKeyHashes(); class Builder { private boolean isPublic; - private boolean isSSLPinningEnabled = false; + private boolean allowSSLPinning = true; private boolean trustPublicPKI; private List certificates; @@ -63,8 +63,8 @@ public Builder trustPublicPKI(boolean trust) { * @param sslPinning to include or not * @return the builder object */ - public Builder enableSSLPinning(boolean sslPinning) { - this.isSSLPinningEnabled = sslPinning; + public Builder allowSSLPinning(boolean sslPinning) { + this.allowSSLPinning = sslPinning; return this; } 
@@ -116,7 +116,7 @@ public MASSecurityConfiguration build() { } // If trustPublicPKI is false and no pinning information is found, throw an exception. - if (isSSLPinningEnabled && !trustPublicPKI && publicKeyHashes == null && certificates == null) { + if (allowSSLPinning && !trustPublicPKI && publicKeyHashes == null && certificates == null) { throw new IllegalArgumentException("Missing pinning type, cannot establish SSL."); } @@ -147,8 +147,8 @@ public boolean trustPublicPki() { } @Override - public boolean isSslPinningEnabled() { - return isSSLPinningEnabled; + public boolean allowSSLPinning() { + return allowSSLPinning; } }; } From 2e6310fbdc3c7ca8a1bbd20de59394b22945eae7 Mon Sep 17 00:00:00 2001 From: Syed Yusuf Date: Tue, 13 Jul 2021 14:06:54 +0530 Subject: [PATCH 7/9] [US749259] Updated the naming convention in accordance with iOS and added unit tests to the androidTest of mas-foundation --- .../ca/mas/foundation/MASMultiServerTest.java | 46 ++++++++++++++++++- .../java/com/ca/mas/core/MobileSsoConfig.java | 2 +- .../java/com/ca/mas/core/conf/Config.java | 4 +- .../mas/core/conf/ConfigurationManager.java | 12 ++--- .../main/java/com/ca/mas/foundation/MAS.java | 4 +- 5 files changed, 56 insertions(+), 12 deletions(-) diff --git a/mas-foundation/src/androidTest/java/com/ca/mas/foundation/MASMultiServerTest.java b/mas-foundation/src/androidTest/java/com/ca/mas/foundation/MASMultiServerTest.java index 71a868928..580c7f116 100644 --- a/mas-foundation/src/androidTest/java/com/ca/mas/foundation/MASMultiServerTest.java +++ b/mas-foundation/src/androidTest/java/com/ca/mas/foundation/MASMultiServerTest.java @@ -145,7 +145,6 @@ public void testHttpOverrideContentType() throws InterruptedException { assertEquals(head, customCharset.toString()); } - @Test public void testMultiServerCertificatePinningWithCertChain() throws Exception { URL url = new URL("https://swapi.co:443"); 
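Review bot: Dropping the `@Test` annotation from testMultiServerCertificatePinningWithCertChain silently disables a certificate-chain pinning test, and the commit message gives no reason. If the test is broken or depends on an external host (it opens `https://swapi.co:443`), mark it `@Ignore("reason")` so the exclusion shows up in the test report, or fix it; an un-annotated test method is just dead code. The method body continues outside the hunk.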
@@ -593,6 +592,51 @@ public void testMultiServerGeneratedSecurityConfiguration() throws Exception { Assert.assertEquals(expectedResult, "CA Technologies"); } + @Test + public void testMultiServerEnableSSLPinning() throws Exception { + MAS.setSSLPinningEnabled(false); + MASSecurityConfiguration configuration = new MASSecurityConfiguration.Builder() + .host(new Uri.Builder().encodedAuthority(HOST).build()) + .add("ZHVtbXk=") //Dummy + .build(); + MASConfiguration.getCurrentConfiguration().addSecurityConfiguration(configuration); + + MASRequest request = new MASRequest.MASRequestBuilder( + new Uri.Builder().encodedAuthority(HOST) + .scheme("https") + .path("test") + .build()) + .build(); + MASCallbackFuture> callback = new MASCallbackFuture<>(); + MAS.invoke(request, callback); + + // Should pass as enableSSLPinning is false. + Assert.assertEquals(expectResponse.toString(), callback.get().getBody().getContent().toString()); + } + + @Test + public void testMultiServerAllowSSLPinning() throws Exception { + MAS.setSSLPinningEnabled(true); + MASSecurityConfiguration configuration = new MASSecurityConfiguration.Builder() + .host(new Uri.Builder().encodedAuthority(HOST).build()) + .add("ZHVtbXk=") //Dummy + .allowSSLPinning(false) + .build(); + MASConfiguration.getCurrentConfiguration().addSecurityConfiguration(configuration); + + MASRequest request = new MASRequest.MASRequestBuilder( + new Uri.Builder().encodedAuthority(HOST) + .scheme("https") + .path("test") + .build()) + .build(); + MASCallbackFuture> callback = new MASCallbackFuture<>(); + MAS.invoke(request, callback); + + // Should pass as allowSSLPinning is set to False + Assert.assertEquals(expectResponse.toString(), callback.get().getBody().getContent().toString()); + } + private Certificate[] getCert(URL url) throws Exception { //URL url = new URL("https://mobile-staging-androidautomation.l7tech.com:8443"); //URL url = new URL("https://swapi.co"); 
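Review bot: Both new tests flip the singleton-backed `MAS.setSSLPinningEnabled(...)` flag and never restore it, so whichever runs last leaves pinning on or off for every test that follows; reset it in an `@After` hook (or at the end of each test) to the value it had before. Both tests also only show that a request succeeds when pinning is bypassed — neither verifies that the dummy pin `ZHVtbXk=` is rejected when `MAS.setSSLPinningEnabled(true)` and `allowSSLPinning(true)` are both in effect, which is the case that proves pinning is still enforced; a third test expecting the request to fail would close that gap. The name testMultiServerEnableSSLPinning is also misleading for a test that disables pinning.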
diff --git a/mas-foundation/src/main/java/com/ca/mas/core/MobileSsoConfig.java b/mas-foundation/src/main/java/com/ca/mas/core/MobileSsoConfig.java index b91f82151..deaec70a0 100755 --- a/mas-foundation/src/main/java/com/ca/mas/core/MobileSsoConfig.java +++ b/mas-foundation/src/main/java/com/ca/mas/core/MobileSsoConfig.java @@ -310,7 +310,7 @@ public interface MobileSsoConfig { String PROP_DEVICE_METADATA_PATH = "msso_device_metadata"; - String PROP_SSL_PINNING_ENABLED = "ssl_pinning_enabled"; + String PROP_ALLOW_SSL_PINNING = "allow_ssl_pinning"; // If you add any properties to this file, you must update MobileSsoFactory.createConfig() // or they will be ignored. diff --git a/mas-foundation/src/main/java/com/ca/mas/core/conf/Config.java b/mas-foundation/src/main/java/com/ca/mas/core/conf/Config.java index 90de454b7..8f2423c36 100755 --- a/mas-foundation/src/main/java/com/ca/mas/core/conf/Config.java +++ b/mas-foundation/src/main/java/com/ca/mas/core/conf/Config.java 
@@ -56,7 +56,7 @@ public class Config { public static final Config TRUSTED_CERT_PINNED_PUBLIC_KEY_HASHES = new Config(false, MobileSsoConfig.PROP_TRUSTED_CERT_PINNED_PUBLIC_KEY_HASHES, "mag.mobile_sdk.trusted_cert_pinned_public_key_hashes", List.class); public static final Config CLIENT_CERT_RSA_KEYBITS = new Config(false, MobileSsoConfig.PROP_CLIENT_CERT_RSA_KEYBITS, "mag.mobile_sdk.client_cert_rsa_keybits", Integer.class); public static final Config CLIENT_STORAGE = new Config(false, MobileSsoConfig.PROP_STORAGE, "mag.mobile_sdk.storage", String.class); - public static final Config SSL_PINNING_ENABLED = new Config(false, MobileSsoConfig.PROP_SSL_PINNING_ENABLED, "mag.mobile_sdk.ssl_pinning_enabled", Boolean.class); + public static final Config ALLOW_SSL_PINNING = new Config(false, MobileSsoConfig.PROP_ALLOW_SSL_PINNING, "mag.mobile_sdk.allow_ssl_pinning", Boolean.class); //mag.ble public static final Config BLE_SERVICE_UUID = new Config(false, MobileSsoConfig.PROP_BLE_SERVICE_UUID, "mag.ble.msso_ble_service_uuid", String.class); @@ -67,7 +67,7 @@ public class Config { HOSTNAME, PORT, PREFIX, SERVER_CERTS, ORGANIZATION, CLIENT_KEY, CLIENT_SECRET, SCOPE, REDIRECT_URI, AUTHORIZE_PATH, REGISTER_TOKEN_PATH, REGISTER_TOKEN_PATH_SSO, LOGOUT_DEVICE_PATH, REVOKE_PATH, REMOVE_DEVICE_PATH, REGISTER_DEVICE_PATH, RENEW_DEVICE_PATH, REGISTER_DEVICE_PATH_CLIENT, CLIENT_CREDENTIAL_INIT_PATH, ENTERPRISE_APP_PATH, SSO_ENABLED, LOCATION_ENABLED, LOCATION_PROVIDER, MSISDN_ENABLED, TRUSTED_PUBLIC_PKI,DEVICE_METADATA_PATH, TRUSTED_CERT_PINNED_PUBLIC_KEY_HASHES, CLIENT_CERT_RSA_KEYBITS, CLIENT_STORAGE, BLE_SERVICE_UUID, BLE_USER_SESSION_CHARACTERISTIC_UUID, - BLE_RSSI, AUTHENTICATE_OTP_PATH, SSL_PINNING_ENABLED + BLE_RSSI, AUTHENTICATE_OTP_PATH, ALLOW_SSL_PINNING }; public boolean mandatory; 
diff --git a/mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationManager.java b/mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationManager.java index c470c406e..d83b7593e 100755 --- a/mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationManager.java +++ b/mas-foundation/src/main/java/com/ca/mas/core/conf/ConfigurationManager.java @@ -46,7 +46,7 @@ public class ConfigurationManager { private List appConfigs; private String configurationFileName = null; private boolean enablePKCE = true; - private boolean enableSslPinning = true; + private boolean sslPinningEnabled = true; private boolean idTokenValidation = true; private boolean enableJwksPreload = false; private JSONObject jsonConfiguration; @@ -79,8 +79,8 @@ public void enablePKCE(boolean enablePKCE) { this.enablePKCE = enablePKCE; } - public void enableSslPinningEnabled(boolean enableSslPinning) { - this.enableSslPinning = enableSslPinning; + public void setSSLPinningEnabled(boolean enable) { + this.sslPinningEnabled = enable; } public void enableIdTokenValidation(boolean enableValidation) { @@ -96,7 +96,7 @@ public boolean isPKCEEnabled() { } public boolean isSslPinningEnabled() { - return enableSslPinning; + return sslPinningEnabled; } public void reset() { @@ -268,8 +268,8 @@ public ConfigurationProvider create(JSONObject jsonObject) throws JSONException continue; } - if (attr == Config.SSL_PINNING_ENABLED) { - conf.setAllowSSLPinning((Boolean) getValue(Config.SSL_PINNING_ENABLED, jsonObject, Boolean.TRUE)); + if (attr == Config.ALLOW_SSL_PINNING) { + conf.setAllowSSLPinning((Boolean) getValue(Config.ALLOW_SSL_PINNING, jsonObject, Boolean.TRUE)); continue; } diff --git a/mas-foundation/src/main/java/com/ca/mas/foundation/MAS.java b/mas-foundation/src/main/java/com/ca/mas/foundation/MAS.java index c0bd1253c..701513530 100755 --- a/mas-foundation/src/main/java/com/ca/mas/foundation/MAS.java +++ b/mas-foundation/src/main/java/com/ca/mas/foundation/MAS.java 
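Review bot: The renamed setter `setSSLPinningEnabled(boolean enable)` at `@@ -79` and the unchanged getter `isSslPinningEnabled()` at `@@ -96` now spell the same acronym two ways in one class; renaming the getter to `isSSLPinningEnabled()` (its caller in this series is MAS.isSSLPinningEnabled()) would keep the pair consistent. The new field `sslPinningEnabled` also has no comment stating that it defaults to true, which is the security-relevant default here.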
@@ -560,8 +560,8 @@ public static void enableIdTokenValidation(boolean enableValidation) { /** * Enables the SSL Pinning. */ - public static void enableSSLPinning(boolean enableSSLPinning) { - ConfigurationManager.getInstance().enableSslPinningEnabled(enableSSLPinning); + public static void setSSLPinningEnabled(boolean enable) { + ConfigurationManager.getInstance().setSSLPinningEnabled(enable); } /** * Value of the boolean indicator which indicate if the id_token validation is active or not. From 0813cee578ac0ee2acfff4095fdc8a00961d08a8 Mon Sep 17 00:00:00 2001 From: Syed Yusuf Date: Tue, 13 Jul 2021 15:07:46 +0530 Subject: [PATCH 8/9] [US749259] Uncommented the code in MASConfiguration for isSslPinningEnabled --- .../java/com/ca/mas/foundation/MASConfiguration.java | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/mas-foundation/src/main/java/com/ca/mas/foundation/MASConfiguration.java b/mas-foundation/src/main/java/com/ca/mas/foundation/MASConfiguration.java index 317bd9f41..e394a1eb2 100755 --- a/mas-foundation/src/main/java/com/ca/mas/foundation/MASConfiguration.java +++ b/mas-foundation/src/main/java/com/ca/mas/foundation/MASConfiguration.java 
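Review bot: The Javadoc `Enables the SSL Pinning.` no longer describes setSSLPinningEnabled(boolean enable), which also disables pinning when passed false, and the parameter is undocumented; `Enables or disables SSL pinning for the SDK.` with `@param enable true to enforce pinning, false to bypass it` would be accurate. Since passing false weakens server certificate validation, the Javadoc should say so explicitly so callers do not treat it as a harmless switch.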
@@ -252,12 +252,12 @@ public boolean isSsoEnabled() { return ConfigurationManager.getInstance().getConnectedGatewayConfigurationProvider().getProperty(MobileSsoConfig.PROP_SSO_ENABLED); } -// /** -// * Determines if the client's SSO is enabled or not. This value is read from JSON configuration, if there is no value defined in keychain. -// */ -// public boolean isSslPinningEnabled() { -// return ConfigurationManager.getInstance().getConnectedGatewayConfigurationProvider().getProperty(MobileSsoConfig.PROP_SSL_PINNING_ENABLED); -// } + /** + * Determines if the SDK will perform SSL Pinning for an authentication challenge. This read only value is within the JSON configuration file.. + */ + public boolean isSslPinningEnabled() { + return ConfigurationManager.getInstance().getConnectedGatewayConfigurationProvider().getProperty(MobileSsoConfig.PROP_ALLOW_SSL_PINNING); + } /** * Retrieves an endpoint path fragment for a given endpoint key, the keys can be one of the following From a70c80397003a9d43d7057f9723bde37457b3a41 Mon Sep 17 00:00:00 2001 From: Syed Yusuf Date: Tue, 13 Jul 2021 16:03:05 +0530 Subject: [PATCH 9/9] [US749259] Uncommented the code in MASConfiguration --- .../src/main/java/com/ca/mas/foundation/MASConfiguration.java | 3 --- 1 file changed, 3 deletions(-) diff --git a/mas-foundation/src/main/java/com/ca/mas/foundation/MASConfiguration.java b/mas-foundation/src/main/java/com/ca/mas/foundation/MASConfiguration.java index e394a1eb2..cd9ac1a7e 100755 --- a/mas-foundation/src/main/java/com/ca/mas/foundation/MASConfiguration.java +++ b/mas-foundation/src/main/java/com/ca/mas/foundation/MASConfiguration.java 
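Review bot: isSslPinningEnabled() reads the flag with `getProperty(MobileSsoConfig.PROP_ALLOW_SSL_PINNING)`, but ConfigurationManager.create() (PATCH 7/9, `@@ -268`) handles `Config.ALLOW_SSL_PINNING` via `conf.setAllowSSLPinning(...)` and then `continue`s before the `conf.putProperty(attr.key, value)` call, so unless the property is stored elsewhere the lookup returns null and the unboxing to `boolean` would likely throw a NullPointerException. The provider already exposes the parsed value; `return ConfigurationManager.getInstance().getConnectedGatewayConfigurationProvider().isSSLPinningAllowed();` uses it, mirroring how TRUSTED_PUBLIC_PKI is routed through setAlsoTrustPublicPki()/isAlsoTrustPublicPki(). The Javadoc also ends with `file..` (double period) and should state that the value defaults to true when the key is absent from the JSON configuration, which is what `getValue(Config.ALLOW_SSL_PINNING, jsonObject, Boolean.TRUE)` implements.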
@@ -84,9 +84,6 @@ public void update(Observable o, Object arg) { */ static MASSecurityConfiguration createPrimaryConfiguration(Uri uri) { ConfigurationProvider configurationProvider = ConfigurationManager.getInstance().getConnectedGatewayConfigurationProvider(); -// MASSecurityConfiguration.Builder configBuilder = new MASSecurityConfiguration.Builder() -// .host(uri) -// .trustPublicPKI(configurationProvider.isAlsoTrustPublicPki()); MASSecurityConfiguration.Builder configBuilder = new MASSecurityConfiguration.Builder() .host(uri)