提交 13422679 编写于 作者: A asaha

Merge

...@@ -133,6 +133,9 @@ public final class DHParameterGenerator extends AlgorithmParameterGeneratorSpi { ...@@ -133,6 +133,9 @@ public final class DHParameterGenerator extends AlgorithmParameterGeneratorSpi {
@Override @Override
protected AlgorithmParameters engineGenerateParameters() { protected AlgorithmParameters engineGenerateParameters() {
if (this.exponentSize == 0) {
this.exponentSize = this.primeSize - 1;
}
if (random == null) { if (random == null) {
random = SunJCE.getRandom(); random = SunJCE.getRandom();
} }
......
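Review bot: The new default at the top of engineGenerateParameters is written back into the this.exponentSize field instead of a local, so once a generation has run with exponentSize == 0 the computed value survives into later calls; if engineInit (outside the hunk) does not reset exponentSize, a later init with a different primeSize would keep a stale exponent. Consider `int expSize = (this.exponentSize == 0) ? this.primeSize - 1 : this.exponentSize;` and using that local for the generation, or confirm that engineInit resets the field. Either way the default deserves a one-line comment, e.g. `// No explicit exponent size requested: default to a full-size private exponent (primeSize - 1).` The method body continues past the hunk.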
/* /*
* Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -35,6 +35,7 @@ import javax.security.auth.callback.NameCallback; ...@@ -35,6 +35,7 @@ import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback; import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException; import javax.security.auth.callback.UnsupportedCallbackException;
import sun.net.www.protocol.http.HttpCallerInfo; import sun.net.www.protocol.http.HttpCallerInfo;
import sun.security.jgss.LoginConfigImpl;
/** /**
* @since 1.6 * @since 1.6
...@@ -61,18 +62,21 @@ public class NegotiateCallbackHandler implements CallbackHandler { ...@@ -61,18 +62,21 @@ public class NegotiateCallbackHandler implements CallbackHandler {
private void getAnswer() { private void getAnswer() {
if (!answered) { if (!answered) {
answered = true; answered = true;
PasswordAuthentication passAuth =
Authenticator.requestPasswordAuthentication( if (LoginConfigImpl.HTTP_USE_GLOBAL_CREDS) {
hci.host, hci.addr, hci.port, hci.protocol, PasswordAuthentication passAuth =
hci.prompt, hci.scheme, hci.url, hci.authType); Authenticator.requestPasswordAuthentication(
/** hci.host, hci.addr, hci.port, hci.protocol,
* To be compatible with existing callback handler implementations, hci.prompt, hci.scheme, hci.url, hci.authType);
* when the underlying Authenticator is canceled, username and /**
* password are assigned null. No exception is thrown. * To be compatible with existing callback handler implementations,
*/ * when the underlying Authenticator is canceled, username and
if (passAuth != null) { * password are assigned null. No exception is thrown.
username = passAuth.getUserName(); */
password = passAuth.getPassword(); if (passAuth != null) {
username = passAuth.getUserName();
password = passAuth.getPassword();
}
} }
} }
} }
......
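Review bot: When LoginConfigImpl.HTTP_USE_GLOBAL_CREDS is false the new guard in getAnswer() skips the Authenticator entirely, and the existing comment only describes the cancelled-Authenticator case, so a reader cannot tell from this method what username and password hold afterwards (presumably their field defaults, which are declared outside the hunk). Add a comment on the guard, e.g. `// http.use.global.creds=false: do not consult the process-wide Authenticator; username and password stay unset, so the callbacks receive no credentials.` Note that answered is still set to true before the guard, so the lookup is not retried later either; that is reasonable but worth stating in the same comment.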
/* /*
* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -270,24 +270,17 @@ public class GSSUtil { ...@@ -270,24 +270,17 @@ public class GSSUtil {
*/ */
public static boolean useSubjectCredsOnly(GSSCaller caller) { public static boolean useSubjectCredsOnly(GSSCaller caller) {
// HTTP/SPNEGO doesn't use the standard JAAS framework. Instead, it String propValue = GetPropertyAction.privilegedGetProperty(
// uses the java.net.Authenticator style, therefore always return "javax.security.auth.useSubjectCredsOnly");
// false here.
// Invalid values should be ignored and the default assumed.
if (caller instanceof HttpCaller) { if (caller instanceof HttpCaller) {
return false; // Default for HTTP/SPNEGO is false.
return "true".equalsIgnoreCase(propValue);
} else {
// Default for JGSS is true.
return !("false".equalsIgnoreCase(propValue));
} }
/*
* Don't use GetBooleanAction because the default value in the JRE
* (when this is unset) has to treated as true.
*/
String propValue = AccessController.doPrivileged(
new GetPropertyAction("javax.security.auth.useSubjectCredsOnly",
"true"));
/*
* This property has to be explicitly set to "false". Invalid
* values should be ignored and the default "true" assumed.
*/
return (!propValue.equalsIgnoreCase("false"));
} }
/** /**
......
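Review bot: The method's Javadoc, which ends at the `*/` on the first line of the hunk and starts outside it, presumably still describes the previous contract (HTTP/SPNEGO callers always get false); the new code makes the HTTP result depend on javax.security.auth.useSubjectCredsOnly with a different default from the JGSS case, so the Javadoc and the two inline comments should state both defaults together, e.g. `// Unset or unrecognised values fall back to the per-caller default: false for HttpCaller, true for everything else.` The old implementation's AccessController usage is gone, so that import may now be unused; the import block is outside the hunk.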
/* /*
* Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -29,6 +29,7 @@ import java.util.HashMap; ...@@ -29,6 +29,7 @@ import java.util.HashMap;
import javax.security.auth.login.AppConfigurationEntry; import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration; import javax.security.auth.login.Configuration;
import org.ietf.jgss.Oid; import org.ietf.jgss.Oid;
import sun.security.action.GetPropertyAction;
/** /**
* A Configuration implementation especially designed for JGSS. * A Configuration implementation especially designed for JGSS.
...@@ -44,6 +45,16 @@ public class LoginConfigImpl extends Configuration { ...@@ -44,6 +45,16 @@ public class LoginConfigImpl extends Configuration {
private static final sun.security.util.Debug debug = private static final sun.security.util.Debug debug =
sun.security.util.Debug.getInstance("gssloginconfig", "\t[GSS LoginConfigImpl]"); sun.security.util.Debug.getInstance("gssloginconfig", "\t[GSS LoginConfigImpl]");
public static final boolean HTTP_USE_GLOBAL_CREDS;
static {
String prop = GetPropertyAction
.privilegedGetProperty("http.use.global.creds");
//HTTP_USE_GLOBAL_CREDS = "true".equalsIgnoreCase(prop); // default false
HTTP_USE_GLOBAL_CREDS = !"false".equalsIgnoreCase(prop); // default true
}
/** /**
* A new instance of LoginConfigImpl must be created for each login request * A new instance of LoginConfigImpl must be created for each login request
* since it's only used by a single (caller, mech) pair * since it's only used by a single (caller, mech) pair
...@@ -178,7 +189,11 @@ public class LoginConfigImpl extends Configuration { ...@@ -178,7 +189,11 @@ public class LoginConfigImpl extends Configuration {
options.put("principal", "*"); options.put("principal", "*");
options.put("isInitiator", "false"); options.put("isInitiator", "false");
} else { } else {
options.put("useTicketCache", "true"); if (caller instanceof HttpCaller && !HTTP_USE_GLOBAL_CREDS) {
options.put("useTicketCache", "false");
} else {
options.put("useTicketCache", "true");
}
options.put("doNotPrompt", "false"); options.put("doNotPrompt", "false");
} }
return new AppConfigurationEntry[] { return new AppConfigurationEntry[] {
......
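Review bot: The commented-out alternative `//HTTP_USE_GLOBAL_CREDS = "true".equalsIgnoreCase(prop); // default false` in the static initializer is dead code and should be deleted rather than kept as a record of the decision. The public constant has no Javadoc; because it is read from the system property exactly once at class initialization, later changes to http.use.global.creds are not observed, which consumers such as NegotiateCallbackHandler need to know. Suggested Javadoc: `/** Whether HTTP/SPNEGO may use the process-wide credentials (ticket cache and Authenticator). Read once, at class initialization, from the http.use.global.creds system property; any value other than "false" (case-insensitive), including unset, means true. */`. The second hunk in this section only consumes the same constant and needs no separate change.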
...@@ -31,6 +31,8 @@ import java.math.BigInteger; ...@@ -31,6 +31,8 @@ import java.math.BigInteger;
import java.net.URI; import java.net.URI;
import java.util.*; import java.util.*;
import javax.naming.Context; import javax.naming.Context;
import javax.naming.CompositeName;
import javax.naming.InvalidNameException;
import javax.naming.NamingEnumeration; import javax.naming.NamingEnumeration;
import javax.naming.NamingException; import javax.naming.NamingException;
import javax.naming.NameNotFoundException; import javax.naming.NameNotFoundException;
...@@ -43,8 +45,10 @@ import javax.naming.directory.InitialDirContext; ...@@ -43,8 +45,10 @@ import javax.naming.directory.InitialDirContext;
import java.security.*; import java.security.*;
import java.security.cert.Certificate; import java.security.cert.Certificate;
import java.security.cert.*; import java.security.cert.*;
import javax.naming.ldap.LdapContext;
import javax.security.auth.x500.X500Principal; import javax.security.auth.x500.X500Principal;
import com.sun.jndi.ldap.LdapReferralException;
import sun.misc.HexDumpEncoder; import sun.misc.HexDumpEncoder;
import sun.security.provider.certpath.X509CertificatePair; import sun.security.provider.certpath.X509CertificatePair;
import sun.security.util.Cache; import sun.security.util.Cache;
...@@ -271,7 +275,7 @@ public final class LDAPCertStore extends CertStoreSpi { ...@@ -271,7 +275,7 @@ public final class LDAPCertStore extends CertStoreSpi {
*/ */
Hashtable<?,?> currentEnv = ctx.getEnvironment(); Hashtable<?,?> currentEnv = ctx.getEnvironment();
if (currentEnv.get(Context.REFERRAL) == null) { if (currentEnv.get(Context.REFERRAL) == null) {
ctx.addToEnvironment(Context.REFERRAL, "follow-scheme"); ctx.addToEnvironment(Context.REFERRAL, "throw");
} }
} catch (NamingException e) { } catch (NamingException e) {
if (debug != null) { if (debug != null) {
...@@ -308,11 +312,25 @@ public final class LDAPCertStore extends CertStoreSpi { ...@@ -308,11 +312,25 @@ public final class LDAPCertStore extends CertStoreSpi {
private Map<String, byte[][]> valueMap; private Map<String, byte[][]> valueMap;
private final List<String> requestedAttributes; private final List<String> requestedAttributes;
LDAPRequest(String name) { LDAPRequest(String name) throws CertStoreException {
this.name = name; this.name = checkName(name);
requestedAttributes = new ArrayList<>(5); requestedAttributes = new ArrayList<>(5);
} }
private String checkName(String name) throws CertStoreException {
if (name == null) {
throw new CertStoreException("Name absent");
}
try {
if (new CompositeName(name).size() > 1) {
throw new CertStoreException("Invalid name: " + name);
}
} catch (InvalidNameException ine) {
throw new CertStoreException("Invalid name: " + name, ine);
}
return name;
}
String getName() { String getName() {
return name; return name;
} }
...@@ -327,7 +345,6 @@ public final class LDAPCertStore extends CertStoreSpi { ...@@ -327,7 +345,6 @@ public final class LDAPCertStore extends CertStoreSpi {
/** /**
* Gets one or more binary values from an attribute. * Gets one or more binary values from an attribute.
* *
* @param name the location holding the attribute
* @param attrId the attribute identifier * @param attrId the attribute identifier
* @return an array of binary values (byte arrays) * @return an array of binary values (byte arrays)
* @throws NamingException if a naming exception occurs * @throws NamingException if a naming exception occurs
...@@ -379,6 +396,39 @@ public final class LDAPCertStore extends CertStoreSpi { ...@@ -379,6 +396,39 @@ public final class LDAPCertStore extends CertStoreSpi {
Attributes attrs; Attributes attrs;
try { try {
attrs = ctx.getAttributes(name, attrIds); attrs = ctx.getAttributes(name, attrIds);
} catch (LdapReferralException lre) {
// LdapCtx has a hopCount field to avoid infinite loop
while (true) {
try {
String newName = (String) lre.getReferralInfo();
URI newUri = new URI(newName);
if (!newUri.getScheme().equalsIgnoreCase("ldap")) {
throw new IllegalArgumentException("Not LDAP");
}
String newDn = newUri.getPath();
if (newDn != null && newDn.charAt(0) == '/') {
newDn = newDn.substring(1);
}
checkName(newDn);
} catch (Exception e) {
throw new NamingException("Cannot follow referral to "
+ lre.getReferralInfo());
}
LdapContext refCtx =
(LdapContext)lre.getReferralContext();
// repeat the original operation at the new context
try {
attrs = refCtx.getAttributes(name, attrIds);
break;
} catch (LdapReferralException re) {
lre = re;
continue;
} finally {
// Make sure we close referral context
refCtx.close();
}
}
} catch (NameNotFoundException e) { } catch (NameNotFoundException e) {
// name does not exist on this LDAP server // name does not exist on this LDAP server
// treat same as not attributes found // treat same as not attributes found
......
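Review bot: In the referral-following loop added to getAttributes, the catch (Exception e) that rejects a bad referral builds a fresh NamingException from lre.getReferralInfo() and drops e, so the actual reason (non-LDAP scheme, malformed URI, multi-component DN rejected by checkName) is lost to the caller; attach it with `NamingException ne = new NamingException("Cannot follow referral to " + lre.getReferralInfo()); ne.setRootCause(e); throw ne;`. The same block also relies on incidental exceptions for two inputs: a referral URL without a scheme makes newUri.getScheme() null and NPEs, and an empty path makes newDn.charAt(0) throw StringIndexOutOfBoundsException, both swallowed into the generic message, so an explicit `if (newDn == null || newDn.isEmpty())` guard before the charAt would make the rejection deliberate and readable. newDn is only validated and the retry on refCtx appears to reuse the original name on purpose; a short comment saying so would stop the next reader from filing it as a bug. The enclosing method starts outside the hunk.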
...@@ -620,7 +620,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024 ...@@ -620,7 +620,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
# Example: # Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \ jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
EC keySize < 224 EC keySize < 224, DES40_CBC, RC4_40
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# processing in JSSE implementation. # processing in JSSE implementation.
...@@ -674,8 +674,6 @@ jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \ ...@@ -674,8 +674,6 @@ jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
# #
jdk.tls.legacyAlgorithms= \ jdk.tls.legacyAlgorithms= \
K_NULL, C_NULL, M_NULL, \ K_NULL, C_NULL, M_NULL, \
DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
DH_RSA_EXPORT, RSA_EXPORT, \
DH_anon, ECDH_anon, \ DH_anon, ECDH_anon, \
RC4_128, RC4_40, DES_CBC, DES40_CBC, \ RC4_128, RC4_40, DES_CBC, DES40_CBC, \
3DES_EDE_CBC 3DES_EDE_CBC
......
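Review bot: After this change RC4_40 and DES40_CBC appear in both jdk.tls.disabledAlgorithms and jdk.tls.legacyAlgorithms (the latter still lists them on the `RC4_128, RC4_40, DES_CBC, DES40_CBC` line); presumably the disabled list takes precedence, in which case the two legacy entries are now dead, and the hunk already removes the EXPORT suites from the legacy list for what looks like the same reason. Either drop them from legacyAlgorithms as well or add a comment explaining why they stay. The same applies to the identical sections ending at L253, L270, L287 and L304.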
...@@ -620,7 +620,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024 ...@@ -620,7 +620,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
# Example: # Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \ jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
EC keySize < 224 EC keySize < 224, DES40_CBC, RC4_40
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# processing in JSSE implementation. # processing in JSSE implementation.
...@@ -674,8 +674,6 @@ jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \ ...@@ -674,8 +674,6 @@ jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
# #
jdk.tls.legacyAlgorithms= \ jdk.tls.legacyAlgorithms= \
K_NULL, C_NULL, M_NULL, \ K_NULL, C_NULL, M_NULL, \
DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
DH_RSA_EXPORT, RSA_EXPORT, \
DH_anon, ECDH_anon, \ DH_anon, ECDH_anon, \
RC4_128, RC4_40, DES_CBC, DES40_CBC, \ RC4_128, RC4_40, DES_CBC, DES40_CBC, \
3DES_EDE_CBC 3DES_EDE_CBC
......
...@@ -623,7 +623,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024 ...@@ -623,7 +623,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
# Example: # Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \ jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
EC keySize < 224 EC keySize < 224, DES40_CBC, RC4_40
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# processing in JSSE implementation. # processing in JSSE implementation.
...@@ -677,8 +677,6 @@ jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \ ...@@ -677,8 +677,6 @@ jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
# #
jdk.tls.legacyAlgorithms= \ jdk.tls.legacyAlgorithms= \
K_NULL, C_NULL, M_NULL, \ K_NULL, C_NULL, M_NULL, \
DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
DH_RSA_EXPORT, RSA_EXPORT, \
DH_anon, ECDH_anon, \ DH_anon, ECDH_anon, \
RC4_128, RC4_40, DES_CBC, DES40_CBC, \ RC4_128, RC4_40, DES_CBC, DES40_CBC, \
3DES_EDE_CBC 3DES_EDE_CBC
......
...@@ -622,7 +622,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024 ...@@ -622,7 +622,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
# Example: # Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \ jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
EC keySize < 224 EC keySize < 224, DES40_CBC, RC4_40
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# processing in JSSE implementation. # processing in JSSE implementation.
...@@ -676,8 +676,6 @@ jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \ ...@@ -676,8 +676,6 @@ jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
# #
jdk.tls.legacyAlgorithms= \ jdk.tls.legacyAlgorithms= \
K_NULL, C_NULL, M_NULL, \ K_NULL, C_NULL, M_NULL, \
DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
DH_RSA_EXPORT, RSA_EXPORT, \
DH_anon, ECDH_anon, \ DH_anon, ECDH_anon, \
RC4_128, RC4_40, DES_CBC, DES40_CBC, \ RC4_128, RC4_40, DES_CBC, DES40_CBC, \
3DES_EDE_CBC 3DES_EDE_CBC
......
...@@ -623,7 +623,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024 ...@@ -623,7 +623,7 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024
# Example: # Example:
# jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048 # jdk.tls.disabledAlgorithms=MD5, SSLv3, DSA, RSA keySize < 2048
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \ jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
EC keySize < 224 EC keySize < 224, DES40_CBC, RC4_40
# Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS) # Legacy algorithms for Secure Socket Layer/Transport Layer Security (SSL/TLS)
# processing in JSSE implementation. # processing in JSSE implementation.
...@@ -677,8 +677,6 @@ jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \ ...@@ -677,8 +677,6 @@ jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, \
# #
jdk.tls.legacyAlgorithms= \ jdk.tls.legacyAlgorithms= \
K_NULL, C_NULL, M_NULL, \ K_NULL, C_NULL, M_NULL, \
DHE_DSS_EXPORT, DHE_RSA_EXPORT, DH_anon_EXPORT, DH_DSS_EXPORT, \
DH_RSA_EXPORT, RSA_EXPORT, \
DH_anon, ECDH_anon, \ DH_anon, ECDH_anon, \
RC4_128, RC4_40, DES_CBC, DES40_CBC, \ RC4_128, RC4_40, DES_CBC, DES40_CBC, \
3DES_EDE_CBC 3DES_EDE_CBC
......
...@@ -29,8 +29,8 @@ ...@@ -29,8 +29,8 @@
* @run main/timeout=300 SupportedDHParamGens 768 * @run main/timeout=300 SupportedDHParamGens 768
* @run main/timeout=300 SupportedDHParamGens 832 * @run main/timeout=300 SupportedDHParamGens 832
* @run main/timeout=300 SupportedDHParamGens 1024 * @run main/timeout=300 SupportedDHParamGens 1024
* @run main/timeout=300 SupportedDHParamGens 2048 * @run main/timeout=600 SupportedDHParamGens 2048
* @run main/timeout=450 SupportedDHParamGens 3072 * @run main/timeout=700 SupportedDHParamGens 3072
*/ */
import java.math.BigInteger; import java.math.BigInteger;
......
...@@ -419,6 +419,7 @@ public class RSAExport { ...@@ -419,6 +419,7 @@ public class RSAExport {
// reset the security property to make sure that the algorithms // reset the security property to make sure that the algorithms
// and keys used in this test are not disabled. // and keys used in this test are not disabled.
Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2"); Security.setProperty("jdk.certpath.disabledAlgorithms", "MD2");
Security.setProperty("jdk.tls.disabledAlgorithms", "MD2");
if (debug) if (debug)
System.setProperty("javax.net.debug", "all"); System.setProperty("javax.net.debug", "all");
......
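Review bot: The comment above the two Security.setProperty calls still says "the security property" in the singular and only explains the certpath reset; with jdk.tls.disabledAlgorithms now reset too, reword it to e.g. `// reset the security properties so that the weak algorithms and keys used in this test are disabled neither for certpath nor for TLS.`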