1 /* 2 * Copyright (C) 2012 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package org.apache.harmony.xnet.provider.jsse; 18 19 import java.security.cert.CertificateException; 20 import java.security.cert.X509Certificate; 21 import java.security.interfaces.RSAPublicKey; 22 import java.util.List; 23 24 public final class ChainStrengthAnalyzer { 25 26 private static final int MIN_MODULUS = 1024; 27 private static final String[] OID_BLACKLIST = {"1.2.840.113549.1.1.4"}; // MD5withRSA 28 29 public static final void check(X509Certificate[] chain) throws CertificateException { 30 for (X509Certificate cert : chain) { 31 checkCert(cert); 32 } 33 } 34 35 private static final void checkCert(X509Certificate cert) throws CertificateException { 36 checkModulusLength(cert); 37 checkNotMD5(cert); 38 } 39 40 private static final void checkModulusLength(X509Certificate cert) throws CertificateException { 41 Object pubkey = cert.getPublicKey(); 42 if (pubkey instanceof RSAPublicKey) { 43 int modulusLength = ((RSAPublicKey) pubkey).getModulus().bitLength(); 44 if(!(modulusLength >= MIN_MODULUS)) { 45 throw new CertificateException("Modulus is < 1024 bits"); 46 } 47 } 48 } 49 50 private static final void checkNotMD5(X509Certificate cert) throws CertificateException { 51 String oid = cert.getSigAlgOID(); 52 for (String blacklisted : OID_BLACKLIST) { 53 if (oid.equals(blacklisted)) { 54 throw new CertificateException("Signature uses an insecure hash function"); 55 } 56 } 57 } 58 } 59 60