Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
LinuxSuRen
Dragonwell11
提交
b3991477
D
Dragonwell11
项目概览
LinuxSuRen
/
Dragonwell11
通知
2
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
D
Dragonwell11
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
前往新版Gitcode,体验更适合开发者的 AI 搜索 >>
提交
b3991477
编写于
4月 22, 2020
作者:
X
xuelei
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
8242141: New System Properties to configure the TLS signature schemes
Reviewed-by: ascarpino, jnimeh, mullan
上级
b414dda5
变更
11
隐藏空白更改
内联
并排
Showing
11 changed file
with
232 addition
and
6 deletion
+232
-6
src/java.base/share/classes/sun/security/ssl/CertSignAlgsExtension.java
...share/classes/sun/security/ssl/CertSignAlgsExtension.java
+4
-0
src/java.base/share/classes/sun/security/ssl/CertificateRequest.java
...se/share/classes/sun/security/ssl/CertificateRequest.java
+1
-0
src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java
...share/classes/sun/security/ssl/PreSharedKeyExtension.java
+1
-0
src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java
...base/share/classes/sun/security/ssl/SSLConfiguration.java
+85
-0
src/java.base/share/classes/sun/security/ssl/SSLServerSocketImpl.java
...e/share/classes/sun/security/ssl/SSLServerSocketImpl.java
+1
-4
src/java.base/share/classes/sun/security/ssl/ServerHello.java
...java.base/share/classes/sun/security/ssl/ServerHello.java
+2
-0
src/java.base/share/classes/sun/security/ssl/SignatureAlgorithmsExtension.java
...lasses/sun/security/ssl/SignatureAlgorithmsExtension.java
+4
-0
src/java.base/share/classes/sun/security/ssl/SignatureScheme.java
....base/share/classes/sun/security/ssl/SignatureScheme.java
+23
-1
src/java.base/share/classes/sun/security/ssl/TransportContext.java
...base/share/classes/sun/security/ssl/TransportContext.java
+1
-1
test/jdk/sun/security/ssl/SignatureScheme/CustomizedClientSchemes.java
...security/ssl/SignatureScheme/CustomizedClientSchemes.java
+55
-0
test/jdk/sun/security/ssl/SignatureScheme/CustomizedServerSchemes.java
...security/ssl/SignatureScheme/CustomizedServerSchemes.java
+55
-0
未找到文件。
src/java.base/share/classes/sun/security/ssl/CertSignAlgsExtension.java
浏览文件 @
b3991477
...
...
@@ -99,6 +99,7 @@ final class CertSignAlgsExtension {
if
(
chc
.
localSupportedSignAlgs
==
null
)
{
chc
.
localSupportedSignAlgs
=
SignatureScheme
.
getSupportedAlgorithms
(
chc
.
sslConfig
,
chc
.
algorithmConstraints
,
chc
.
activeProtocols
);
}
...
...
@@ -192,6 +193,7 @@ final class CertSignAlgsExtension {
// update the context
List
<
SignatureScheme
>
schemes
=
SignatureScheme
.
getSupportedAlgorithms
(
shc
.
sslConfig
,
shc
.
algorithmConstraints
,
shc
.
negotiatedProtocol
,
spec
.
signatureSchemes
);
shc
.
peerRequestedCertSignSchemes
=
schemes
;
...
...
@@ -244,6 +246,7 @@ final class CertSignAlgsExtension {
// Produce the extension.
List
<
SignatureScheme
>
sigAlgs
=
SignatureScheme
.
getSupportedAlgorithms
(
shc
.
sslConfig
,
shc
.
algorithmConstraints
,
List
.
of
(
shc
.
negotiatedProtocol
));
...
...
@@ -335,6 +338,7 @@ final class CertSignAlgsExtension {
// update the context
List
<
SignatureScheme
>
schemes
=
SignatureScheme
.
getSupportedAlgorithms
(
chc
.
sslConfig
,
chc
.
algorithmConstraints
,
chc
.
negotiatedProtocol
,
spec
.
signatureSchemes
);
chc
.
peerRequestedCertSignSchemes
=
schemes
;
...
...
src/java.base/share/classes/sun/security/ssl/CertificateRequest.java
浏览文件 @
b3991477
...
...
@@ -601,6 +601,7 @@ final class CertificateRequest {
if
(
shc
.
localSupportedSignAlgs
==
null
)
{
shc
.
localSupportedSignAlgs
=
SignatureScheme
.
getSupportedAlgorithms
(
shc
.
sslConfig
,
shc
.
algorithmConstraints
,
shc
.
activeProtocols
);
}
...
...
src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java
浏览文件 @
b3991477
...
...
@@ -422,6 +422,7 @@ final class PreSharedKeyExtension {
if
(
shc
.
localSupportedSignAlgs
==
null
)
{
shc
.
localSupportedSignAlgs
=
SignatureScheme
.
getSupportedAlgorithms
(
shc
.
sslConfig
,
shc
.
algorithmConstraints
,
shc
.
activeProtocols
);
}
...
...
src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java
浏览文件 @
b3991477
...
...
@@ -42,6 +42,7 @@ import javax.net.ssl.SNIServerName;
import
javax.net.ssl.SSLEngine
;
import
javax.net.ssl.SSLParameters
;
import
javax.net.ssl.SSLSocket
;
import
sun.security.action.GetPropertyAction
;
import
sun.security.ssl.SSLExtension.ClientExtensions
;
import
sun.security.ssl.SSLExtension.ServerExtensions
;
...
...
@@ -62,6 +63,10 @@ final class SSLConfiguration implements Cloneable {
boolean
enableRetransmissions
;
int
maximumPacketSize
;
// The configured signature schemes for "signature_algorithms" and
// "signature_algorithms_cert" extensions
List
<
SignatureScheme
>
signatureSchemes
;
// the maximum protocol version of enabled protocols
ProtocolVersion
maximumProtocolVersion
;
...
...
@@ -132,6 +137,9 @@ final class SSLConfiguration implements Cloneable {
this
.
enableRetransmissions
=
sslContext
.
isDTLS
();
this
.
maximumPacketSize
=
0
;
// please reset it explicitly later
this
.
signatureSchemes
=
isClientMode
?
CustomizedClientSignatureSchemes
.
signatureSchemes
:
CustomizedServerSignatureSchemes
.
signatureSchemes
;
this
.
maximumProtocolVersion
=
ProtocolVersion
.
NONE
;
for
(
ProtocolVersion
pv
:
enabledProtocols
)
{
if
(
pv
.
compareTo
(
maximumProtocolVersion
)
>
0
)
{
...
...
@@ -382,6 +390,15 @@ final class SSLConfiguration implements Cloneable {
return
extensions
.
toArray
(
new
SSLExtension
[
0
]);
}
void
toggleClientMode
()
{
this
.
isClientMode
^=
true
;
// reset the signature schemes
this
.
signatureSchemes
=
isClientMode
?
CustomizedClientSignatureSchemes
.
signatureSchemes
:
CustomizedServerSignatureSchemes
.
signatureSchemes
;
}
@Override
@SuppressWarnings
({
"unchecked"
,
"CloneDeclaresCloneNotSupported"
})
public
Object
clone
()
{
...
...
@@ -401,4 +418,72 @@ final class SSLConfiguration implements Cloneable {
return
null
;
// unlikely
}
// lazy initialization holder class idiom for static default parameters
//
// See Effective Java Second Edition: Item 71.
private
static
final
class
CustomizedClientSignatureSchemes
{
private
static
List
<
SignatureScheme
>
signatureSchemes
=
getCustomizedSignatureScheme
(
"jdk.tls.client.SignatureSchemes"
);
}
// lazy initialization holder class idiom for static default parameters
//
// See Effective Java Second Edition: Item 71.
private
static
final
class
CustomizedServerSignatureSchemes
{
private
static
List
<
SignatureScheme
>
signatureSchemes
=
getCustomizedSignatureScheme
(
"jdk.tls.server.SignatureSchemes"
);
}
/*
* Get the customized signature schemes specified by the given
* system property.
*/
private
static
List
<
SignatureScheme
>
getCustomizedSignatureScheme
(
String
propertyName
)
{
String
property
=
GetPropertyAction
.
privilegedGetProperty
(
propertyName
);
if
(
SSLLogger
.
isOn
&&
SSLLogger
.
isOn
(
"ssl,sslctx"
))
{
SSLLogger
.
fine
(
"System property "
+
propertyName
+
" is set to '"
+
property
+
"'"
);
}
if
(
property
!=
null
&&
!
property
.
isEmpty
())
{
// remove double quote marks from beginning/end of the property
if
(
property
.
length
()
>
1
&&
property
.
charAt
(
0
)
==
'"'
&&
property
.
charAt
(
property
.
length
()
-
1
)
==
'"'
)
{
property
=
property
.
substring
(
1
,
property
.
length
()
-
1
);
}
}
if
(
property
!=
null
&&
!
property
.
isEmpty
())
{
String
[]
signatureSchemeNames
=
property
.
split
(
","
);
List
<
SignatureScheme
>
signatureSchemes
=
new
ArrayList
<>(
signatureSchemeNames
.
length
);
for
(
int
i
=
0
;
i
<
signatureSchemeNames
.
length
;
i
++)
{
signatureSchemeNames
[
i
]
=
signatureSchemeNames
[
i
].
trim
();
if
(
signatureSchemeNames
[
i
].
isEmpty
())
{
continue
;
}
SignatureScheme
scheme
=
SignatureScheme
.
nameOf
(
signatureSchemeNames
[
i
]);
if
(
scheme
!=
null
&&
scheme
.
isAvailable
)
{
signatureSchemes
.
add
(
scheme
);
}
else
{
if
(
SSLLogger
.
isOn
&&
SSLLogger
.
isOn
(
"ssl,sslctx"
))
{
SSLLogger
.
fine
(
"The current installed providers do not "
+
"support signature scheme: "
+
signatureSchemeNames
[
i
]);
}
}
}
return
signatureSchemes
;
}
return
Collections
.
emptyList
();
}
}
src/java.base/share/classes/sun/security/ssl/SSLServerSocketImpl.java
浏览文件 @
b3991477
...
...
@@ -62,7 +62,6 @@ final class SSLServerSocketImpl extends SSLServerSocket {
super
();
this
.
sslContext
=
sslContext
;
this
.
sslConfig
=
new
SSLConfiguration
(
sslContext
,
false
);
this
.
sslConfig
.
isClientMode
=
false
;
}
SSLServerSocketImpl
(
SSLContextImpl
sslContext
,
...
...
@@ -71,7 +70,6 @@ final class SSLServerSocketImpl extends SSLServerSocket {
super
(
port
,
backlog
);
this
.
sslContext
=
sslContext
;
this
.
sslConfig
=
new
SSLConfiguration
(
sslContext
,
false
);
this
.
sslConfig
.
isClientMode
=
false
;
}
SSLServerSocketImpl
(
SSLContextImpl
sslContext
,
...
...
@@ -80,7 +78,6 @@ final class SSLServerSocketImpl extends SSLServerSocket {
super
(
port
,
backlog
,
address
);
this
.
sslContext
=
sslContext
;
this
.
sslConfig
=
new
SSLConfiguration
(
sslContext
,
false
);
this
.
sslConfig
.
isClientMode
=
false
;
}
@Override
...
...
@@ -166,7 +163,7 @@ final class SSLServerSocketImpl extends SSLServerSocket {
sslContext
.
getDefaultCipherSuites
(!
useClientMode
);
}
sslConfig
.
isClientMode
=
useClientMode
;
sslConfig
.
toggleClientMode
()
;
}
}
...
...
src/java.base/share/classes/sun/security/ssl/ServerHello.java
浏览文件 @
b3991477
...
...
@@ -275,6 +275,7 @@ final class ServerHello {
if
(
shc
.
localSupportedSignAlgs
==
null
)
{
shc
.
localSupportedSignAlgs
=
SignatureScheme
.
getSupportedAlgorithms
(
shc
.
sslConfig
,
shc
.
algorithmConstraints
,
shc
.
activeProtocols
);
}
...
...
@@ -503,6 +504,7 @@ final class ServerHello {
if
(
shc
.
localSupportedSignAlgs
==
null
)
{
shc
.
localSupportedSignAlgs
=
SignatureScheme
.
getSupportedAlgorithms
(
shc
.
sslConfig
,
shc
.
algorithmConstraints
,
shc
.
activeProtocols
);
}
...
...
src/java.base/share/classes/sun/security/ssl/SignatureAlgorithmsExtension.java
浏览文件 @
b3991477
...
...
@@ -185,6 +185,7 @@ final class SignatureAlgorithmsExtension {
if
(
chc
.
localSupportedSignAlgs
==
null
)
{
chc
.
localSupportedSignAlgs
=
SignatureScheme
.
getSupportedAlgorithms
(
chc
.
sslConfig
,
chc
.
algorithmConstraints
,
chc
.
activeProtocols
);
}
...
...
@@ -277,6 +278,7 @@ final class SignatureAlgorithmsExtension {
// update the context
List
<
SignatureScheme
>
sss
=
SignatureScheme
.
getSupportedAlgorithms
(
shc
.
sslConfig
,
shc
.
algorithmConstraints
,
shc
.
negotiatedProtocol
,
spec
.
signatureSchemes
);
shc
.
peerRequestedSignatureSchemes
=
sss
;
...
...
@@ -410,6 +412,7 @@ final class SignatureAlgorithmsExtension {
// Produce the extension.
List
<
SignatureScheme
>
sigAlgs
=
SignatureScheme
.
getSupportedAlgorithms
(
shc
.
sslConfig
,
shc
.
algorithmConstraints
,
List
.
of
(
shc
.
negotiatedProtocol
));
...
...
@@ -510,6 +513,7 @@ final class SignatureAlgorithmsExtension {
// update the context
List
<
SignatureScheme
>
sss
=
SignatureScheme
.
getSupportedAlgorithms
(
chc
.
sslConfig
,
chc
.
algorithmConstraints
,
chc
.
negotiatedProtocol
,
spec
.
signatureSchemes
);
chc
.
peerRequestedSignatureSchemes
=
sss
;
...
...
src/java.base/share/classes/sun/security/ssl/SignatureScheme.java
浏览文件 @
b3991477
...
...
@@ -339,6 +339,17 @@ enum SignatureScheme {
return
signName
+
"_"
+
hashName
;
}
// Note: the signatureSchemeName is not case-sensitive.
static
SignatureScheme
nameOf
(
String
signatureSchemeName
)
{
for
(
SignatureScheme
ss:
SignatureScheme
.
values
())
{
if
(
ss
.
name
.
equalsIgnoreCase
(
signatureSchemeName
))
{
return
ss
;
}
}
return
null
;
}
// Return the size of a SignatureScheme structure in TLS record
static
int
sizeInRecord
()
{
return
2
;
...
...
@@ -347,11 +358,19 @@ enum SignatureScheme {
// Get local supported algorithm collection complying to algorithm
// constraints.
static
List
<
SignatureScheme
>
getSupportedAlgorithms
(
SSLConfiguration
config
,
AlgorithmConstraints
constraints
,
List
<
ProtocolVersion
>
activeProtocols
)
{
List
<
SignatureScheme
>
supported
=
new
LinkedList
<>();
for
(
SignatureScheme
ss:
SignatureScheme
.
values
())
{
if
(!
ss
.
isAvailable
)
{
if
(!
ss
.
isAvailable
||
(!
config
.
signatureSchemes
.
isEmpty
()
&&
!
config
.
signatureSchemes
.
contains
(
ss
)))
{
if
(
SSLLogger
.
isOn
&&
SSLLogger
.
isOn
(
"ssl,handshake,verbose"
))
{
SSLLogger
.
finest
(
"Ignore unsupported signature scheme: "
+
ss
.
name
);
}
continue
;
}
...
...
@@ -383,6 +402,7 @@ enum SignatureScheme {
}
static
List
<
SignatureScheme
>
getSupportedAlgorithms
(
SSLConfiguration
config
,
AlgorithmConstraints
constraints
,
ProtocolVersion
protocolVersion
,
int
[]
algorithmIds
)
{
List
<
SignatureScheme
>
supported
=
new
LinkedList
<>();
...
...
@@ -396,6 +416,8 @@ enum SignatureScheme {
}
}
else
if
(
ss
.
isAvailable
&&
ss
.
supportedProtocols
.
contains
(
protocolVersion
)
&&
(
config
.
signatureSchemes
.
isEmpty
()
||
config
.
signatureSchemes
.
contains
(
ss
))
&&
constraints
.
permits
(
SIGNATURE_PRIMITIVE_SET
,
ss
.
algorithm
,
null
))
{
supported
.
add
(
ss
);
...
...
src/java.base/share/classes/sun/security/ssl/TransportContext.java
浏览文件 @
b3991477
...
...
@@ -428,7 +428,7 @@ class TransportContext implements ConnectionContext {
sslContext
.
getDefaultCipherSuites
(!
useClientMode
);
}
sslConfig
.
isClientMode
=
useClientMode
;
sslConfig
.
toggleClientMode
()
;
}
isUnsureMode
=
false
;
...
...
test/jdk/sun/security/ssl/SignatureScheme/CustomizedClientSchemes.java
0 → 100644
浏览文件 @
b3991477
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
//
// SunJSSE does not support dynamic system properties, no way to re-use
// system properties in samevm/agentvm mode.
//
/*
* @test
* @bug 8242141
* @summary New System Properties to configure the default signature schemes
* @library /javax/net/ssl/templates
* @run main/othervm CustomizedClientSchemes
*/
import
javax.net.ssl.SSLException
;
public
class
CustomizedClientSchemes
extends
SSLSocketTemplate
{
public
static
void
main
(
String
[]
args
)
throws
Exception
{
System
.
setProperty
(
"jdk.tls.client.SignatureSchemes"
,
"rsa_pkcs1_sha1"
);
try
{
new
CustomizedClientSchemes
().
run
();
throw
new
Exception
(
"The jdk.tls.client.SignatureSchemes System Property "
+
"does not work"
);
}
catch
(
SSLException
e
)
{
// Got the expected exception.
}
}
}
test/jdk/sun/security/ssl/SignatureScheme/CustomizedServerSchemes.java
0 → 100644
浏览文件 @
b3991477
/*
* Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
//
// SunJSSE does not support dynamic system properties, no way to re-use
// system properties in samevm/agentvm mode.
//
/*
* @test
* @bug 8242141
* @summary New System Properties to configure the default signature schemes
* @library /javax/net/ssl/templates
* @run main/othervm CustomizedServerSchemes
*/
import
javax.net.ssl.SSLException
;
public
class
CustomizedServerSchemes
extends
SSLSocketTemplate
{
public
static
void
main
(
String
[]
args
)
throws
Exception
{
System
.
setProperty
(
"jdk.tls.server.SignatureSchemes"
,
"rsa_pkcs1_sha1"
);
try
{
new
CustomizedServerSchemes
().
run
();
throw
new
Exception
(
"The jdk.tls.server.SignatureSchemes System Property "
+
"does not work"
);
}
catch
(
SSLException
e
)
{
// Got the expected exception.
}
}
}
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录