Merge

src/share/classes/sun/security/ssl/SSLAlgorithmDecomposer.java

 /*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -239,7 +239,8 @@ class SSLAlgorithmDecomposer extends AlgorithmDecomposer {
                 // ignore: unknown or unsupported ciphersuite
             }
 
-            if (cipherSuite != null) {
+            if (cipherSuite != null &&
+                cipherSuite != CipherSuite.C_SCSV /* TLS_EMPTY_RENEGOTIATION_INFO_SCSV */) {
                 return decompose(cipherSuite.keyExchange, cipherSuite.cipher,
                         cipherSuite.macAlg);
             }

src/share/classes/sun/security/x509/DNSName.java

 /*
- * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -34,16 +34,17 @@ import sun.security.util.*;
  * This class implements the DNSName as required by the GeneralNames
  * ASN.1 object.
  * <p>
- * [RFC2459] When the subjectAltName extension contains a domain name service
+ * [RFC5280] When the subjectAltName extension contains a domain name system
  * label, the domain name MUST be stored in the dNSName (an IA5String).
- * The name MUST be in the "preferred name syntax," as specified by RFC
- * 1034 [RFC 1034]. Note that while upper and lower case letters are
- * allowed in domain names, no signifigance is attached to the case.  In
+ * The name MUST be in the "preferred name syntax", as specified by
+ * Section 3.5 of [RFC1034] and as modified by Section 2.1 of
+ * [RFC1123].  Note that while uppercase and lowercase letters are
+ * allowed in domain names, no significance is attached to the case. In
  * addition, while the string " " is a legal domain name, subjectAltName
- * extensions with a dNSName " " are not permitted.  Finally, the use of
- * the DNS representation for Internet mail addresses (wpolk.nist.gov
- * instead of wpolk@nist.gov) is not permitted; such identities are to
- * be encoded as rfc822Name.
+ * extensions with a dNSName of " " MUST NOT be used.  Finally, the use
+ * of the DNS representation for Internet mail addresses
+ * (subscriber.example.com instead of subscriber@example.com) MUST NOT
+ * be used; such identities are to be encoded as rfc822Name.
  * <p>
  * @author Amit Kapoor
  * @author Hemma Prafullchandra
@@ -51,9 +52,8 @@ import sun.security.util.*;
 public class DNSName implements GeneralNameInterface {
     private String name;
 
-    private static final String alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
-    private static final String digitsAndHyphen = "0123456789-";
-    private static final String alphaDigitsAndHyphen = alpha + digitsAndHyphen;
+    private static final String alphaDigits =
+        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
 
     /**
      * Create the DNSName object from the passed encoded Der value.
@@ -73,35 +73,38 @@ public class DNSName implements GeneralNameInterface {
      */
     public DNSName(String name) throws IOException {
         if (name == null || name.length() == 0)
-            throw new IOException("DNS name must not be null");
-        if (name.indexOf(' ') != -1)
-            throw new IOException("DNS names or NameConstraints with blank components are not permitted");
-        if (name.charAt(0) == '.' || name.charAt(name.length() -1) == '.')
-            throw new IOException("DNS names or NameConstraints may not begin or end with a .");
-        //Name will consist of label components separated by "."
-        //startIndex is the index of the first character of a component
-        //endIndex is the index of the last character of a component plus 1
-        for (int endIndex,startIndex=0; startIndex < name.length(); startIndex = endIndex+1) {
+            throw new IOException("DNSName must not be null or empty");
+        if (name.contains(" "))
+            throw new IOException("DNSName with blank components is not permitted");
+        if (name.startsWith(".") || name.endsWith("."))
+            throw new IOException("DNSName may not begin or end with a .");
+        /*
+         * Name will consist of label components separated by "."
+         * startIndex is the index of the first character of a component
+         * endIndex is the index of the last character of a component plus 1
+        */
+        for (int endIndex,startIndex = 0; startIndex < name.length(); startIndex = endIndex+1) {
             endIndex = name.indexOf('.', startIndex);
             if (endIndex < 0) {
                 endIndex = name.length();
             }
-            if ((endIndex-startIndex) < 1)
-                throw new IOException("DNSName SubjectAltNames with empty components are not permitted");
+            if (endIndex - startIndex < 1)
+                throw new IOException("DNSName with empty components are not permitted");
 
-            //DNSName components must begin with a letter A-Z or a-z
-            if (alpha.indexOf(name.charAt(startIndex)) < 0)
-                throw new IOException("DNSName components must begin with a letter");
+            // RFC 1123: DNSName components must begin with a letter or digit
+            if (alphaDigits.indexOf(name.charAt(startIndex)) < 0)
+                throw new IOException("DNSName components must begin with a letter or digit");
             //nonStartIndex: index for characters in the component beyond the first one
             for (int nonStartIndex=startIndex+1; nonStartIndex < endIndex; nonStartIndex++) {
                 char x = name.charAt(nonStartIndex);
-                if ((alphaDigitsAndHyphen).indexOf(x) < 0)
+                if ((alphaDigits).indexOf(x) < 0 && x != '-')
                     throw new IOException("DNSName components must consist of letters, digits, and hyphens");
             }
         }
         this.name = name;
     }
 
+
     /**
      * Return the type of the GeneralName.
      */
@@ -117,7 +120,7 @@ public class DNSName implements GeneralNameInterface {
     }
 
     /**
-     * Encode the DNS name into the DerOutputStream.
+     * Encode the DNSName into the DerOutputStream.
      *
      * @param out the DER stream to encode the DNSName to.
      * @exception IOException on encoding errors.
@@ -137,7 +140,7 @@ public class DNSName implements GeneralNameInterface {
      * Compares this name with another, for equality.
      *
      * @return true iff the names are equivalent
-     * according to RFC2459.
+     * according to RFC5280.
      */
     public boolean equals(Object obj) {
         if (this == obj)
@@ -148,7 +151,7 @@ public class DNSName implements GeneralNameInterface {
 
         DNSName other = (DNSName)obj;
 
-        // RFC2459 mandates that these names are
+        // RFC5280 mandates that these names are
         // not case-sensitive
         return name.equalsIgnoreCase(other.name);
     }
@@ -172,12 +175,14 @@ public class DNSName implements GeneralNameInterface {
      * </ul>.  These results are used in checking NameConstraints during
      * certification path verification.
      * <p>
-     * RFC2459: DNS name restrictions are expressed as foo.bar.com. Any subdomain
-     * satisfies the name constraint. For example, www.foo.bar.com would
-     * satisfy the constraint but bigfoo.bar.com would not.
+     * RFC5280: DNS name restrictions are expressed as host.example.com.
+     * Any DNS name that can be constructed by simply adding zero or more
+     * labels to the left-hand side of the name satisfies the name constraint.
+     * For example, www.host.example.com would satisfy the constraint but
+     * host1.example.com would not.
      * <p>
-     * draft-ietf-pkix-new-part1-00.txt:  DNS name restrictions are expressed as foo.bar.com.
-     * Any DNS name that
+     * draft-ietf-pkix-new-part1-00.txt:  DNSName restrictions are expressed as foo.bar.com.
+     * Any DNSName that
      * can be constructed by simply adding to the left hand side of the name
      * satisfies the name constraint. For example, www.foo.bar.com would
      * satisfy the constraint but foo1.bar.com would not.

src/share/classes/sun/security/x509/GeneralName.java

@@ -112,7 +112,7 @@ public class GeneralName {
                 encName.resetTag(DerValue.tag_IA5String);
                 name = new DNSName(encName);
             } else {
-                throw new IOException("Invalid encoding of DNS name");
+                throw new IOException("Invalid encoding of DNSName");
             }
             break;
 

src/share/classes/sun/security/x509/RFC822Name.java

@@ -246,7 +246,7 @@ public class RFC822Name implements GeneralNameInterface
             subtree=subtree.substring(atNdx+1);
         }
 
-        /* count dots in dnsname, adding one if dnsname preceded by @ */
+        /* count dots in DNSName, adding one if DNSName preceded by @ */
         for (; subtree.lastIndexOf('.') >= 0; i++) {
             subtree=subtree.substring(0,subtree.lastIndexOf('.'));
         }

src/share/classes/sun/security/x509/URIName.java

@@ -131,13 +131,13 @@ public class URIName implements GeneralNameInterface {
                 try {
                     hostDNS = new DNSName(host);
                 } catch (IOException ioe) {
-                    // Not a valid DNS Name; see if it is a valid IPv4
+                    // Not a valid DNSName; see if it is a valid IPv4
                     // IPAddressName
                     try {
                         hostIP = new IPAddressName(host);
                     } catch (Exception ioe2) {
                         throw new IOException("invalid URI name (host " +
-                            "portion is not a valid DNS name, IPv4 address," +
+                            "portion is not a valid DNSName, IPv4 address," +
                             " or IPv6 address):" + name);
                     }
                 }
@@ -339,7 +339,7 @@ public class URIName implements GeneralNameInterface {
                     // If one (or both) is an IP address, only same type
                     constraintType = NAME_SAME_TYPE;
                 } else {
-                    // Both host portions are DNS names. Are they domains?
+                    // Both host portions are DNSNames. Are they domains?
                     boolean thisDomain = (host.charAt(0) == '.');
                     boolean otherDomain = (otherHost.charAt(0) == '.');
                     DNSName otherDNS = (DNSName) otherHostObject;

src/share/classes/sun/security/x509/X500Name.java

@@ -1219,7 +1219,7 @@ public class X500Name implements GeneralNameInterface, Principal {
      */
 
     /*
-     * OID for "DC=" domain component attributes, used with DNS names in DN
+     * OID for "DC=" domain component attributes, used with DNSNames in DN
      * format
      */
         DOMAIN_COMPONENT_OID =

test/sun/security/ssl/sanity/ciphersuites/CheckCipherSuites.java

 /*
- * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,221 +23,166 @@
 
 /*
  * @test
- * @bug 4750141 4895631
+ * @bug 4750141 4895631 8217579
  * @summary Check enabled and supported ciphersuites are correct
- * @ignore JSSE supported cipher suites are changed with CR 6916074,
- *     need to update this test case in JDK 7 soon
+ * @run main CheckCipherSuites default
+ * @run main/othervm CheckCipherSuites limited
  */
 
 import java.util.*;
-
+import java.security.Security;
 import javax.net.ssl.*;
 
-import javax.crypto.Cipher;
-import javax.crypto.spec.*;
-
 public class CheckCipherSuites {
 
+    // List of enabled cipher suites when the "crypto.policy" security
+    // property is set to "unlimited" (the default value).
     private final static String[] ENABLED_DEFAULT = {
-        "SSL_RSA_WITH_RC4_128_MD5",
-        "SSL_RSA_WITH_RC4_128_SHA",
+        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
+        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+        "TLS_RSA_WITH_AES_256_CBC_SHA256",
+        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
+        "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
+        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
+        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
+        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+        "TLS_RSA_WITH_AES_256_CBC_SHA",
+        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
+        "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
+        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
+        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
+        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+        "TLS_RSA_WITH_AES_128_CBC_SHA256",
+        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
+        "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
+        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
+        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
+        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
         "TLS_RSA_WITH_AES_128_CBC_SHA",
-        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
         "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
-        "TLS_ECDH_RSA_WITH_RC4_128_SHA",
         "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
-        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
-        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
-        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
-        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
         "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
         "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
-        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
-        "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
-        "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
-        "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
-        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
-        "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
-        "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
-        "SSL_RSA_WITH_DES_CBC_SHA",
-        "SSL_DHE_RSA_WITH_DES_CBC_SHA",
-        "SSL_DHE_DSS_WITH_DES_CBC_SHA",
-        "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
-        "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
-        "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
-        "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
-        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
-
+        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+        "TLS_RSA_WITH_AES_256_GCM_SHA384",
+        "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
+        "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
+        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+        "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
+        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+        "TLS_RSA_WITH_AES_128_GCM_SHA256",
+        "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
+        "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
+        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+        "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
+        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
     };
 
-    private final static String[] ENABLED_UNLIMITED = {
-        "SSL_RSA_WITH_RC4_128_MD5",
-        "SSL_RSA_WITH_RC4_128_SHA",
+    // List of enabled cipher suites when the "crypto.policy" security
+    // property is set to "limited".
+    private final static String[] ENABLED_LIMITED = {
+        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+        "TLS_RSA_WITH_AES_128_CBC_SHA256",
+        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
+        "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
+        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
+        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
+        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
         "TLS_RSA_WITH_AES_128_CBC_SHA",
-        "TLS_RSA_WITH_AES_256_CBC_SHA",
-        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
         "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
-        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
-        "TLS_ECDH_RSA_WITH_RC4_128_SHA",
         "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
-        "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
-        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
-        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
-        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
-        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
-        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
-        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
         "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
-        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
         "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
-        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
-        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
-        "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
-        "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
-        "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
-        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
-        "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
-        "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
-        "SSL_RSA_WITH_DES_CBC_SHA",
-        "SSL_DHE_RSA_WITH_DES_CBC_SHA",
-        "SSL_DHE_DSS_WITH_DES_CBC_SHA",
-        "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
-        "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
-        "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
-        "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
-        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
-
+        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+        "TLS_RSA_WITH_AES_128_GCM_SHA256",
+        "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
+        "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
+        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+        "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
+        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
     };
 
-    // supported ciphersuites using default JCE policy jurisdiction files
-    // AES/256 unavailable
+    // List of supported cipher suites when the "crypto.policy" security
+    // property is set to "unlimited" (the default value).
     private final static String[] SUPPORTED_DEFAULT = {
-        "SSL_RSA_WITH_RC4_128_MD5",
-        "SSL_RSA_WITH_RC4_128_SHA",
+        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
+        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
+        "TLS_RSA_WITH_AES_256_CBC_SHA256",
+        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
+        "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
+        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
+        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
+        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
+        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
+        "TLS_RSA_WITH_AES_256_CBC_SHA",
+        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
+        "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
+        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
+        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
+        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+        "TLS_RSA_WITH_AES_128_CBC_SHA256",
+        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
+        "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
+        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
+        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
+        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
         "TLS_RSA_WITH_AES_128_CBC_SHA",
-        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
         "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
-        "TLS_ECDH_RSA_WITH_RC4_128_SHA",
         "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
-        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
-        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
-        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
-        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
         "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
         "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
-        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
-        "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
-        "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
-        "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
-        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
-        "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
-        "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
-        "SSL_RSA_WITH_DES_CBC_SHA",
-        "SSL_DHE_RSA_WITH_DES_CBC_SHA",
-        "SSL_DHE_DSS_WITH_DES_CBC_SHA",
-        "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
-        "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
-        "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
-        "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
-        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
-
-        "SSL_RSA_WITH_NULL_MD5",
-        "SSL_RSA_WITH_NULL_SHA",
-        "TLS_ECDH_ECDSA_WITH_NULL_SHA",
-        "TLS_ECDH_RSA_WITH_NULL_SHA",
-        "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
-        "TLS_ECDHE_RSA_WITH_NULL_SHA",
-        "SSL_DH_anon_WITH_RC4_128_MD5",
-        "TLS_DH_anon_WITH_AES_128_CBC_SHA",
-        "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
-        "SSL_DH_anon_WITH_DES_CBC_SHA",
-        "TLS_ECDH_anon_WITH_RC4_128_SHA",
-        "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
-        "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
-        "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
-        "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
-        "TLS_ECDH_anon_WITH_NULL_SHA",
-        "TLS_KRB5_WITH_RC4_128_SHA",
-        "TLS_KRB5_WITH_RC4_128_MD5",
-        "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
-        "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
-        "TLS_KRB5_WITH_DES_CBC_SHA",
-        "TLS_KRB5_WITH_DES_CBC_MD5",
-        "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
-        "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
-        "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
-        "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
-
+        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+        "TLS_RSA_WITH_AES_256_GCM_SHA384",
+        "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
+        "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
+        "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
+        "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
+        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+        "TLS_RSA_WITH_AES_128_GCM_SHA256",
+        "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
+        "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
+        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+        "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
+        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
     };
 
-    // supported ciphersuites using unlimited JCE policy jurisdiction files
-    // AES/256 available
-    private final static String[] SUPPORTED_UNLIMITED = {
-        "SSL_RSA_WITH_RC4_128_MD5",
-        "SSL_RSA_WITH_RC4_128_SHA",
+    // List of supported cipher suites when the "crypto.policy" security
+    // property is set to "limited".
+    private final static String[] SUPPORTED_LIMITED = {
+        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
+        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
+        "TLS_RSA_WITH_AES_128_CBC_SHA256",
+        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
+        "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
+        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
+        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
+        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
+        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
         "TLS_RSA_WITH_AES_128_CBC_SHA",
-        "TLS_RSA_WITH_AES_256_CBC_SHA",
-        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA",
         "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
-        "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
-        "TLS_ECDH_RSA_WITH_RC4_128_SHA",
         "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
-        "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA",
-        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
-        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
-        "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
-        "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
-        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
-        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
         "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
-        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
         "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
-        "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
-        "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
-        "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA",
-        "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA",
-        "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
-        "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
-        "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
-        "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
-        "SSL_RSA_WITH_DES_CBC_SHA",
-        "SSL_DHE_RSA_WITH_DES_CBC_SHA",
-        "SSL_DHE_DSS_WITH_DES_CBC_SHA",
-        "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
-        "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
-        "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
-        "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
-        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
-
-        "SSL_RSA_WITH_NULL_MD5",
-        "SSL_RSA_WITH_NULL_SHA",
-        "TLS_ECDH_ECDSA_WITH_NULL_SHA",
-        "TLS_ECDH_RSA_WITH_NULL_SHA",
-        "TLS_ECDHE_ECDSA_WITH_NULL_SHA",
-        "TLS_ECDHE_RSA_WITH_NULL_SHA",
-        "SSL_DH_anon_WITH_RC4_128_MD5",
-        "TLS_DH_anon_WITH_AES_128_CBC_SHA",
-        "TLS_DH_anon_WITH_AES_256_CBC_SHA",
-        "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
-        "SSL_DH_anon_WITH_DES_CBC_SHA",
-        "TLS_ECDH_anon_WITH_RC4_128_SHA",
-        "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
-        "TLS_ECDH_anon_WITH_AES_256_CBC_SHA",
-        "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA",
-        "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
-        "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
-        "TLS_ECDH_anon_WITH_NULL_SHA",
-        "TLS_KRB5_WITH_RC4_128_SHA",
-        "TLS_KRB5_WITH_RC4_128_MD5",
-        "TLS_KRB5_WITH_3DES_EDE_CBC_SHA",
-        "TLS_KRB5_WITH_3DES_EDE_CBC_MD5",
-        "TLS_KRB5_WITH_DES_CBC_SHA",
-        "TLS_KRB5_WITH_DES_CBC_MD5",
-        "TLS_KRB5_EXPORT_WITH_RC4_40_SHA",
-        "TLS_KRB5_EXPORT_WITH_RC4_40_MD5",
-        "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA",
-        "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5",
-
+        "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+        "TLS_RSA_WITH_AES_128_GCM_SHA256",
+        "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
+        "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256",
+        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
+        "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
+        "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
     };
 
     private static void showSuites(String[] suites) {
@@ -252,19 +197,21 @@ public class CheckCipherSuites {
     public static void main(String[] args) throws Exception {
         long start = System.currentTimeMillis();
 
+        if (args.length != 1) {
+            throw new Exception("One arg required");
+        }
+
         String[] ENABLED;
         String[] SUPPORTED;
-        try {
-            Cipher c = Cipher.getInstance("AES/CBC/NoPadding");
-            SecretKeySpec key = new SecretKeySpec(new byte[32], "AES");
-            c.init(Cipher.ENCRYPT_MODE, key);
-            System.out.println("AES/256 is available");
-            ENABLED = ENABLED_UNLIMITED;
-            SUPPORTED = SUPPORTED_UNLIMITED;
-        } catch (Exception e) {
-            System.out.println("AES/256 is NOT available (" + e + ")");
+        if (args[0].equals("default")) {
             ENABLED = ENABLED_DEFAULT;
             SUPPORTED = SUPPORTED_DEFAULT;
+        } else if (args[0].equals("limited")) {
+            Security.setProperty("crypto.policy", "limited");
+            ENABLED = ENABLED_LIMITED;
+            SUPPORTED = SUPPORTED_LIMITED;
+        } else {
+            throw new Exception("Illegal argument");
         }
 
         SSLSocketFactory factory = (SSLSocketFactory)SSLSocketFactory.getDefault();

test/sun/security/tools/keytool/KeyToolTest.java

@@ -1028,6 +1028,7 @@ public class KeyToolTest {
         testOK("", pre+"san3 -ext san=dns:me.org");
         testOK("", pre+"san4 -ext san=ip:192.168.0.1");
         testOK("", pre+"san5 -ext san=oid:1.2.3.4");
+        testOK("", pre+"san6 -ext san=dns:1abc.com"); //begin with digit
         testOK("", pre+"san235 -ext san=uri:http://me.org,dns:me.org,oid:1.2.3.4");
 
         ks = loadStore("x.jks", "changeit", "JKS");

test/sun/security/x509/GeneralName/DNSNameTest.java

+/*
+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * @test
+ * @summary DNSName parsing tests
+ * @bug 8213952
+ * @modules java.base/sun.security.x509
+ * @run testng DNSNameTest
+ */
+
+import java.io.IOException;
+import sun.security.x509.DNSName;
+
+import org.testng.annotations.DataProvider;
+import org.testng.annotations.Test;
+
+import static org.testng.Assert.*;
+
+public class DNSNameTest {
+    @DataProvider(name = "goodNames")
+    public Object[][] goodNames() {
+        Object[][] data = {
+                {"abc.com"},
+                {"ABC.COM"},
+                {"a12.com"},
+                {"a1b2c3.com"},
+                {"1abc.com"},
+                {"123.com"},
+                {"abc.com-"}, // end with hyphen
+                {"a-b-c.com"}, // hyphens
+        };
+        return data;
+    }
+
+    @DataProvider(name = "badNames")
+    public Object[][] badNames() {
+        Object[][] data = {
+                {" 1abc.com"}, // begin with space
+                {"1abc.com "}, // end with space
+                {"1a bc.com "}, // no space allowed
+                {"-abc.com"}, // begin with hyphen
+                {"a..b"}, // ..
+                {".a"}, // begin with .
+                {"a."}, // end with .
+                {""}, // empty
+                {"  "},  // space only
+        };
+        return data;
+    }
+
+    @Test(dataProvider = "goodNames")
+    public void testGoodDNSName(String dnsNameString) {
+        try {
+            DNSName dn = new DNSName(dnsNameString);
+        } catch (IOException e) {
+            fail("Unexpected IOException");
+        }
+    }
+
+    @Test(dataProvider = "badNames")
+    public void testBadDNSName(String dnsNameString) {
+        try {
+            DNSName dn = new DNSName(dnsNameString);
+            fail("IOException expected");
+        } catch (IOException e) {
+            if (!e.getMessage().contains("DNSName"))
+                fail("Unexpeceted message: " + e);
+        }
+    }
+}