Merge

2d6c1a54 · dholmes · 3e4dfc95 · e9a7550a · 2d6c1a54 · 2d6c1a54
6 changed file
--- a/src/share/classes/java/lang/ClassLoader.java
+++ b/src/share/classes/java/lang/ClassLoader.java
 /*
- * Copyright (c) 1994, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1994, 2011, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -1626,20 +1626,28 @@ public abstract class ClassLoader {
     * @since  1.2
     */
    protected Package getPackage(String name) {
+        Package pkg;
        synchronized (packages) {
-            Package pkg = packages.get(name);
-            if (pkg == null) {
-                if (parent != null) {
-                    pkg = parent.getPackage(name);
-                } else {
-                    pkg = Package.getSystemPackage(name);
-                }
-                if (pkg != null) {
-                    packages.put(name, pkg);
+            pkg = packages.get(name);
+        }
+        if (pkg == null) {
+            if (parent != null) {
+                pkg = parent.getPackage(name);
+            } else {
+                pkg = Package.getSystemPackage(name);
+            }
+            if (pkg != null) {
+                synchronized (packages) {
+                    Package pkg2 = packages.get(name);
+                    if (pkg2 == null) {
+                        packages.put(name, pkg);
+                    } else {
+                        pkg = pkg2;
+                    }
                }
            }
-            return pkg;
        }
+        return pkg;
    }

    /**

--- a/src/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java
+++ b/src/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java
@@ -46,10 +46,16 @@ import sun.security.x509.AuthorityKeyIdentifierExtension;
 */
 class AdaptableX509CertSelector extends X509CertSelector {
    // The start date of a validity period.
-    private Date startDate = null;
+    private Date startDate;

    // The end date of a validity period.
-    private Date endDate = null;
+    private Date endDate;
+
+    // Is subject key identifier sensitive?
+    private boolean isSKIDSensitive = false;
+
+    // Is serial number sensitive?
+    private boolean isSNSensitive = false;

    AdaptableX509CertSelector() {
        super();
@@ -97,15 +103,24 @@ class AdaptableX509CertSelector extends X509CertSelector {
        if (akidext != null) {
            KeyIdentifier akid = (KeyIdentifier)akidext.get(akidext.KEY_ID);
            if (akid != null) {
-                DerOutputStream derout = new DerOutputStream();
-                derout.putOctetString(akid.getIdentifier());
-                super.setSubjectKeyIdentifier(derout.toByteArray());
+                // Do not override the previous setting
+                if (getSubjectKeyIdentifier() == null) {
+                    DerOutputStream derout = new DerOutputStream();
+                    derout.putOctetString(akid.getIdentifier());
+                    super.setSubjectKeyIdentifier(derout.toByteArray());
+
+                    isSKIDSensitive = true;
+                }
            }

            SerialNumber asn =
                (SerialNumber)akidext.get(akidext.SERIAL_NUMBER);
            if (asn != null) {
-                super.setSerialNumber(asn.getNumber());
+                // Do not override the previous setting
+                if (getSerialNumber() == null) {
+                    super.setSerialNumber(asn.getNumber());
+                    isSNSensitive = true;
+                }
            }

            // the subject criterion should be set by the caller.
@@ -148,11 +163,25 @@ class AdaptableX509CertSelector extends X509CertSelector {
            }
        }

-        if (version < 3 || xcert.getExtensionValue("2.5.29.14") == null) {
-            // If no SubjectKeyIdentifier extension, don't bother to check it.
+        // If no SubjectKeyIdentifier extension, don't bother to check it.
+        if (isSKIDSensitive &&
+            (version < 3 || xcert.getExtensionValue("2.5.29.14") == null)) {
            setSubjectKeyIdentifier(null);
        }

+        // In practice, a CA may replace its root certificate and require that
+        // the existing certificate is still valid, even if the AKID extension
+        // does not match the replacement root certificate fields.
+        //
+        // Conservatively, we only support the replacement for version 1 and
+        // version 2 certificate. As for version 2, the certificate extension
+        // may contain sensitive information (for example, policies), the
+        // AKID need to be respected to seek the exact certificate in case
+        // of key or certificate abuse.
+        if (isSNSensitive && version < 3) {
+            setSerialNumber(null);
+        }
+
        return super.match(cert);
    }


--- a/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
+++ b/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
@@ -243,12 +243,6 @@ class ForwardBuilder extends Builder {
                    caTargetSelector.setPolicy(getMatchingPolicies());
            }

-            /*
-             * Require CA certs with a pathLenConstraint that allows
-             * at least as many CA certs that have already been traversed
-             */
-            caTargetSelector.setBasicConstraints(currentState.traversedCACerts);
-
            sel = caTargetSelector;
        } else {

@@ -282,12 +276,6 @@ class ForwardBuilder extends Builder {
            CertPathHelper.setPathToNames
                (caSelector, currentState.subjectNamesTraversed);

-            /*
-             * Require CA certs with a pathLenConstraint that allows
-             * at least as many CA certs that have already been traversed
-             */
-            caSelector.setBasicConstraints(currentState.traversedCACerts);
-
            /*
             * Facilitate certification path construction with authority
             * key identifier and subject key identifier.
@@ -305,6 +293,14 @@ class ForwardBuilder extends Builder {
            sel = caSelector;
        }

+        /*
+         * For compatibility, conservatively, we don't check the path
+         * length constraint of trusted anchors.  Please don't set the
+         * basic constraints criterion unless the trusted certificate
+         * matching is completed.
+         */
+        sel.setBasicConstraints(-1);
+
        for (X509Certificate trustedCert : trustedCerts) {
            if (sel.match(trustedCert)) {
                if (debug != null) {
@@ -323,6 +319,12 @@ class ForwardBuilder extends Builder {
         */
        sel.setCertificateValid(date);

+        /*
+         * Require CA certs with a pathLenConstraint that allows
+         * at least as many CA certs that have already been traversed
+         */
+        sel.setBasicConstraints(currentState.traversedCACerts);
+
        /*
         * If we have already traversed as many CA certs as the maxPathLength
         * will allow us to, then we don't bother looking through these

--- a/src/share/classes/sun/security/ssl/ClientHandshaker.java
+++ b/src/share/classes/sun/security/ssl/ClientHandshaker.java
 /*
- * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -378,7 +378,8 @@ final class ClientHandshaker extends Handshaker {
        if (!isNegotiable(mesgVersion)) {
            throw new SSLHandshakeException(
                "Server chose " + mesgVersion +
-                ", but client does not support or disables " + mesgVersion);
+                ", but that protocol version is not enabled or not supported " +
+                "by the client.");
        }

        handshakeHash.protocolDetermined(mesgVersion);

--- a/src/share/classes/sun/security/ssl/SunJSSE.java
+++ b/src/share/classes/sun/security/ssl/SunJSSE.java
 /*
- * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -195,6 +195,8 @@ public abstract class SunJSSE extends java.security.Provider {
            "sun.security.ssl.KeyManagerFactoryImpl$SunX509");
        put("KeyManagerFactory.NewSunX509",
            "sun.security.ssl.KeyManagerFactoryImpl$X509");
+        put("Alg.Alias.KeyManagerFactory.PKIX", "NewSunX509");
+
        put("TrustManagerFactory.SunX509",
            "sun.security.ssl.TrustManagerFactoryImpl$SimpleFactory");
        put("TrustManagerFactory.PKIX",

--- a/test/sun/security/ssl/javax/net/ssl/GetInstance.java
+++ b/test/sun/security/ssl/javax/net/ssl/GetInstance.java
 /*
- * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -23,8 +23,9 @@

 /*
 * @test
- * @bug 4898428
+ * @bug 4898428 7022855
 * @summary verify getInstance() works using Provider.getService()
+ *          Export "PKIX" as the standard algorithm name of KeyManagerFactory
 * @author Andreas Sterbenz
 */

@@ -61,6 +62,20 @@ public class GetInstance {
        kmf = KeyManagerFactory.getInstance("SunX509", p);
        same(p, kmf.getProvider());

+        kmf = KeyManagerFactory.getInstance("NewSunX509");
+        same(p, kmf.getProvider());
+        kmf = KeyManagerFactory.getInstance("NewSunX509", "SunJSSE");
+        same(p, kmf.getProvider());
+        kmf = KeyManagerFactory.getInstance("NewSunX509", p);
+        same(p, kmf.getProvider());
+
+        kmf = KeyManagerFactory.getInstance("PKIX");
+        same(p, kmf.getProvider());
+        kmf = KeyManagerFactory.getInstance("PKIX", "SunJSSE");
+        same(p, kmf.getProvider());
+        kmf = KeyManagerFactory.getInstance("PKIX", p);
+        same(p, kmf.getProvider());
+
        TrustManagerFactory tmf;
        tmf = TrustManagerFactory.getInstance("SunX509");
        same(p, tmf.getProvider());
@@ -69,6 +84,34 @@ public class GetInstance {
        tmf = TrustManagerFactory.getInstance("SunX509", p);
        same(p, tmf.getProvider());

+        tmf = TrustManagerFactory.getInstance("PKIX");
+        same(p, tmf.getProvider());
+        tmf = TrustManagerFactory.getInstance("PKIX", "SunJSSE");
+        same(p, tmf.getProvider());
+        tmf = TrustManagerFactory.getInstance("PKIX", p);
+        same(p, tmf.getProvider());
+
+        tmf = TrustManagerFactory.getInstance("SunPKIX");
+        same(p, tmf.getProvider());
+        tmf = TrustManagerFactory.getInstance("SunPKIX", "SunJSSE");
+        same(p, tmf.getProvider());
+        tmf = TrustManagerFactory.getInstance("SunPKIX", p);
+        same(p, tmf.getProvider());
+
+        tmf = TrustManagerFactory.getInstance("X509");
+        same(p, tmf.getProvider());
+        tmf = TrustManagerFactory.getInstance("X509", "SunJSSE");
+        same(p, tmf.getProvider());
+        tmf = TrustManagerFactory.getInstance("X509", p);
+        same(p, tmf.getProvider());
+
+        tmf = TrustManagerFactory.getInstance("X.509");
+        same(p, tmf.getProvider());
+        tmf = TrustManagerFactory.getInstance("X.509", "SunJSSE");
+        same(p, tmf.getProvider());
+        tmf = TrustManagerFactory.getInstance("X.509", p);
+        same(p, tmf.getProvider());
+
        testComSun();

        long stop = System.currentTimeMillis();