提交 13422679 编写于 作者: A asaha

Merge

......@@ -133,6 +133,9 @@ public final class DHParameterGenerator extends AlgorithmParameterGeneratorSpi {
@Override
protected AlgorithmParameters engineGenerateParameters() {
if (this.exponentSize == 0) {
this.exponentSize = this.primeSize - 1;
}
if (random == null) {
random = SunJCE.getRandom();
}
......
/*
* Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -35,6 +35,7 @@ import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import sun.net.www.protocol.http.HttpCallerInfo;
import sun.security.jgss.LoginConfigImpl;
/**
* @since 1.6
......@@ -61,18 +62,21 @@ public class NegotiateCallbackHandler implements CallbackHandler {
private void getAnswer() {
if (!answered) {
answered = true;
PasswordAuthentication passAuth =
Authenticator.requestPasswordAuthentication(
hci.host, hci.addr, hci.port, hci.protocol,
hci.prompt, hci.scheme, hci.url, hci.authType);
/**
* To be compatible with existing callback handler implementations,
* when the underlying Authenticator is canceled, username and
* password are assigned null. No exception is thrown.
*/
if (passAuth != null) {
username = passAuth.getUserName();
password = passAuth.getPassword();
if (LoginConfigImpl.HTTP_USE_GLOBAL_CREDS) {
PasswordAuthentication passAuth =
Authenticator.requestPasswordAuthentication(
hci.host, hci.addr, hci.port, hci.protocol,
hci.prompt, hci.scheme, hci.url, hci.authType);
/**
* To be compatible with existing callback handler implementations,
* when the underlying Authenticator is canceled, username and
* password are assigned null. No exception is thrown.
*/
if (passAuth != null) {
username = passAuth.getUserName();
password = passAuth.getPassword();
}
}
}
}
......
/*
* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -270,24 +270,17 @@ public class GSSUtil {
*/
public static boolean useSubjectCredsOnly(GSSCaller caller) {
// HTTP/SPNEGO doesn't use the standard JAAS framework. Instead, it
// uses the java.net.Authenticator style, therefore always return
// false here.
String propValue = GetPropertyAction.privilegedGetProperty(
"javax.security.auth.useSubjectCredsOnly");
// Invalid values should be ignored and the default assumed.
if (caller instanceof HttpCaller) {
return false;
// Default for HTTP/SPNEGO is false.
return "true".equalsIgnoreCase(propValue);
} else {
// Default for JGSS is true.
return !("false".equalsIgnoreCase(propValue));
}
/*
* Don't use GetBooleanAction because the default value in the JRE
* (when this is unset) has to treated as true.
*/
String propValue = AccessController.doPrivileged(
new GetPropertyAction("javax.security.auth.useSubjectCredsOnly",
"true"));
/*
* This property has to be explicitly set to "false". Invalid
* values should be ignored and the default "true" assumed.
*/
return (!propValue.equalsIgnoreCase("false"));
}
/**
......
/*
* Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -29,6 +29,7 @@ import java.util.HashMap;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import org.ietf.jgss.Oid;
import sun.security.action.GetPropertyAction;
/**
* A Configuration implementation especially designed for JGSS.
......@@ -44,6 +45,16 @@ public class LoginConfigImpl extends Configuration {
private static final sun.security.util.Debug debug =
sun.security.util.Debug.getInstance("gssloginconfig", "\t[GSS LoginConfigImpl]");
public static final boolean HTTP_USE_GLOBAL_CREDS;
static {
String prop = GetPropertyAction
.privilegedGetProperty("http.use.global.creds");
//HTTP_USE_GLOBAL_CREDS = "true".equalsIgnoreCase(prop); // default false
HTTP_USE_GLOBAL_CREDS = !"false".equalsIgnoreCase(prop); // default true
}
/**
* A new instance of LoginConfigImpl must be created for each login request
* since it's only used by a single (caller, mech) pair
......@@ -178,7 +189,11 @@ public class LoginConfigImpl extends Configuration {
options.put("principal", "*");
options.put("isInitiator", "false");
} else {
options.put("useTicketCache", "true");
if (caller instanceof HttpCaller && !HTTP_USE_GLOBAL_CREDS) {
options.put("useTicketCache", "false");
} else {
options.put("useTicketCache", "true");
}
options.put("doNotPrompt", "false");
}
return new AppConfigurationEntry[] {
......
......@@ -31,6 +31,8 @@ import java.math.BigInteger;
import java.net.URI;
import java.util.*;
import javax.naming.Context;
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.NameNotFoundException;
......@@ -43,8 +45,10 @@ import javax.naming.directory.InitialDirContext;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.*;
import javax.naming.ldap.LdapContext;
import javax.security.auth.x500.X500Principal;
import com.sun.jndi.ldap.LdapReferralException;
import sun.misc.HexDumpEncoder;
import sun.security.provider.certpath.X509CertificatePair;
import sun.security.util.Cache;
......@@ -271,7 +275,7 @@ public final class LDAPCertStore extends CertStoreSpi {
*/
Hashtable<?,?> currentEnv = ctx.getEnvironment();
if (currentEnv.get(Context.REFERRAL) == null) {
ctx.addToEnvironment(Context.REFERRAL, "follow-scheme");
ctx.addToEnvironment(Context.REFERRAL, "throw");
}
} catch (NamingException e) {
if (debug != null) {
......@@ -308,11 +312,25 @@ public final class LDAPCertStore extends CertStoreSpi {
private Map<String, byte[][]> valueMap;
private final List<String> requestedAttributes;
LDAPRequest(String name) {
this.name = name;
LDAPRequest(String name) throws CertStoreException {
this.name = checkName(name);
requestedAttributes = new ArrayList<>(5);
}
private String checkName(String name) throws CertStoreException {
if (name == null) {
throw new CertStoreException("Name absent");
}
try {
if (new CompositeName(name).size() > 1) {
throw new CertStoreException("Invalid name: " + name);
}
} catch (InvalidNameException ine) {
throw new CertStoreException("Invalid name: " + name, ine);
}
return name;
}
String getName() {
return name;
}
......@@ -327,7 +345,6 @@ public final class LDAPCertStore extends CertStoreSpi {
/**
* Gets one or more binary values from an attribute.
*
* @param name the location holding the attribute
* @param attrId the attribute identifier
* @return an array of binary values (byte arrays)
* @throws NamingException if a naming exception occurs
......@@ -379,6 +396,39 @@ public final class LDAPCertStore extends CertStoreSpi {
Attributes attrs;
try {
attrs = ctx.getAttributes(name, attrIds);
} catch (LdapReferralException lre) {
// LdapCtx has a hopCount field to avoid infinite loop
while (true) {
try {
String newName = (String) lre.getReferralInfo();
URI newUri = new URI(newName);
if (!newUri.getScheme().equalsIgnoreCase("ldap")) {
throw new IllegalArgumentException("Not LDAP");
}
String newDn = newUri.getPath();
if (newDn != null && newDn.charAt(0) == '/') {
newDn = newDn.substring(1);
}
checkName(newDn);
} catch (Exception e) {
throw new NamingException("Cannot follow referral to "
+ lre.getReferralInfo());
}
LdapContext refCtx =
(LdapContext)lre.getReferralContext();
// repeat the original operation at the new context
try {
attrs = refCtx.getAttributes(name, attrIds);
break;
} catch (LdapReferralException re) {
lre = re;
continue;
} finally {
// Make sure we close referral context
refCtx.close();
}
}
} catch (NameNotFoundException e) {
// name does not exist on this LDAP server
// treat same as not attributes found
......
......@@ -620,7 +620,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
EC keySize < 224
EC keySize < 224, DES40_CBC, RC4_40
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# processing in JSSE implementation.
......@@ -674,8 +674,6 @@ jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
#
jdk.tls.legacyAlgorithms= \
K_NULL, C_NULL, M_NULL, \
DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
DH_RSA_EXPORT, RSA_EXPORT, \
DH_anon, ECDH_anon, \
RC4_128, RC4_40, DES_CBC, DES40_CBC, \
3DES_EDE_CBC
......
......@@ -620,7 +620,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
EC keySize < 224
EC keySize < 224, DES40_CBC, RC4_40
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# processing in JSSE implementation.
......@@ -674,8 +674,6 @@ jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
#
jdk.tls.legacyAlgorithms= \
K_NULL, C_NULL, M_NULL, \
DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
DH_RSA_EXPORT, RSA_EXPORT, \
DH_anon, ECDH_anon, \
RC4_128, RC4_40, DES_CBC, DES40_CBC, \
3DES_EDE_CBC
......
......@@ -623,7 +623,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
EC keySize < 224
EC keySize < 224, DES40_CBC, RC4_40
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# processing in JSSE implementation.
......@@ -677,8 +677,6 @@ jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
#
jdk.tls.legacyAlgorithms= \
K_NULL, C_NULL, M_NULL, \
DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
DH_RSA_EXPORT, RSA_EXPORT, \
DH_anon, ECDH_anon, \
RC4_128, RC4_40, DES_CBC, DES40_CBC, \
3DES_EDE_CBC
......
......@@ -622,7 +622,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
EC keySize < 224
EC keySize < 224, DES40_CBC, RC4_40
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# processing in JSSE implementation.
......@@ -676,8 +676,6 @@ jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
#
jdk.tls.legacyAlgorithms= \
K_NULL, C_NULL, M_NULL, \
DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
DH_RSA_EXPORT, RSA_EXPORT, \
DH_anon, ECDH_anon, \
RC4_128, RC4_40, DES_CBC, DES40_CBC, \
3DES_EDE_CBC
......
......@@ -623,7 +623,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
# Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
EC keySize < 224
EC keySize < 224, DES40_CBC, RC4_40
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# processing in JSSE implementation.
......@@ -677,8 +677,6 @@ jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
#
jdk.tls.legacyAlgorithms= \
K_NULL, C_NULL, M_NULL, \
DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
DH_RSA_EXPORT, RSA_EXPORT, \
DH_anon, ECDH_anon, \
RC4_128, RC4_40, DES_CBC, DES40_CBC, \
3DES_EDE_CBC
......
......@@ -29,8 +29,8 @@
* @run main/timeout=300 SupportedDHParamGens 768
* @run main/timeout=300 SupportedDHParamGens 832
* @run main/timeout=300 SupportedDHParamGens 1024
* @run main/timeout=300 SupportedDHParamGens 2048
* @run main/timeout=450 SupportedDHParamGens 3072
* @run main/timeout=600 SupportedDHParamGens 2048
* @run main/timeout=700 SupportedDHParamGens 3072
*/
import java.math.BigInteger;
......
此差异已折叠。
......@@ -419,6 +419,7 @@ public class RSAExport {
// reset the security property to make sure that the algorithms
// and keys used in this test are not disabled.
Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");
Security.setProperty("jdk.tls.disabledAlgorithms", "MD2");
if (debug)
System.setProperty("javax.net.debug", "all");
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册