      1 /*
      2  * Copyright (C) 2012 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 
     17 package org.apache.harmony.xnet.provider.jsse;
     18 
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.List;
     23 
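/**
 * Rejects certificate chains that rely on cryptography too weak to trust:
 * an RSA public key whose modulus is shorter than {@link #MIN_MODULUS} bits,
 * or a signature whose algorithm OID is listed in {@link #OID_BLACKLIST}
 * (currently only MD5withRSA).
 *
 * <p>Every certificate in the chain is examined, whatever its position in the
 * chain. Only RSA keys are subject to the modulus-length check; a certificate
 * carrying any other key type passes that check unchanged.
 */
public final class ChainStrengthAnalyzer {

    /** Smallest RSA modulus, in bits, that a certificate in the chain may carry. */
    private static final int MIN_MODULUS = 1024;

    /** Signature algorithm OIDs that are rejected outright. */
    private static final String[] OID_BLACKLIST = {
        "1.2.840.113549.1.1.4", // MD5withRSA
    };

    /**
     * Checks every certificate in {@code chain}.
     *
     * @param chain the certificates to examine; an empty array has nothing to
     *     check and passes
     * @throws CertificateException if any certificate in the chain fails a check
     * @throws NullPointerException if {@code chain} or one of its elements is null
     */
    public static void check(X509Certificate[] chain) throws CertificateException {
        for (X509Certificate cert : chain) {
            checkCert(cert);
        }
    }

    /**
     * Runs every per-certificate check against {@code cert}.
     *
     * @throws CertificateException if the certificate fails any check
     */
    private static void checkCert(X509Certificate cert) throws CertificateException {
        checkModulusLength(cert);
        checkNotMD5(cert);
    }

    /**
     * Rejects an RSA public key whose modulus is shorter than
     * {@link #MIN_MODULUS} bits. Keys of any other type are not examined.
     *
     * @throws CertificateException if the certificate holds a too-short RSA key
     */
    private static void checkModulusLength(X509Certificate cert) throws CertificateException {
        PublicKey pubkey = cert.getPublicKey();
        if (!(pubkey instanceof RSAPublicKey)) {
            return; // only RSA key sizes are checked here
        }
        int modulusLength = ((RSAPublicKey) pubkey).getModulus().bitLength();
        if (modulusLength < MIN_MODULUS) {
            // The threshold comes from MIN_MODULUS so the message cannot drift from the check.
            throw new CertificateException("Modulus is " + modulusLength + " bits, below the "
                    + MIN_MODULUS + " bit minimum");
        }
    }

    /**
     * Rejects a certificate whose signature algorithm OID is blacklisted.
     *
     * @throws CertificateException if the signature algorithm is blacklisted, or
     *     if the certificate reports no signature algorithm OID at all
     */
    private static void checkNotMD5(X509Certificate cert) throws CertificateException {
        String oid = cert.getSigAlgOID();
        if (oid == null) {
            // Fail closed: a signature whose algorithm cannot be identified
            // cannot be shown to avoid a blacklisted one.
            throw new CertificateException("Certificate reports no signature algorithm OID");
        }
        for (String blacklisted : OID_BLACKLIST) {
            if (blacklisted.equals(oid)) {
                throw new CertificateException("Signature uses an insecure hash function");
            }
        }
    }
}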