diff --git a/src/share/classes/java/util/TreeMap.java b/src/share/classes/java/util/TreeMap.java index 6a1c6b411f53e91a95887eaf25a201a461f3ccc0..cf97bccb7e7dc9101ae945a63b4cca64b299e108 100644 --- a/src/share/classes/java/util/TreeMap.java +++ b/src/share/classes/java/util/TreeMap.java @@ -1068,14 +1068,14 @@ public class TreeMap } public NavigableSet subSet(E fromElement, boolean fromInclusive, E toElement, boolean toInclusive) { - return new TreeSet(m.subMap(fromElement, fromInclusive, - toElement, toInclusive)); + return new KeySet(m.subMap(fromElement, fromInclusive, + toElement, toInclusive)); } public NavigableSet headSet(E toElement, boolean inclusive) { - return new TreeSet(m.headMap(toElement, inclusive)); + return new KeySet(m.headMap(toElement, inclusive)); } public NavigableSet tailSet(E fromElement, boolean inclusive) { - return new TreeSet(m.tailMap(fromElement, inclusive)); + return new KeySet(m.tailMap(fromElement, inclusive)); } public SortedSet subSet(E fromElement, E toElement) { return subSet(fromElement, true, toElement, false); @@ -1087,7 +1087,7 @@ public class TreeMap return tailSet(fromElement, true); } public NavigableSet descendingSet() { - return new TreeSet(m.descendingMap()); + return new KeySet(m.descendingMap()); } } diff --git a/src/share/classes/java/util/concurrent/ConcurrentSkipListMap.java b/src/share/classes/java/util/concurrent/ConcurrentSkipListMap.java index 143d06713b4b69626677628c6ae2ec928d4d7baf..323482acb4ea0ffbd18622d93c223bf396ad66bb 100644 --- a/src/share/classes/java/util/concurrent/ConcurrentSkipListMap.java +++ b/src/share/classes/java/util/concurrent/ConcurrentSkipListMap.java @@ -2394,15 +2394,14 @@ public class ConcurrentSkipListMap extends AbstractMap boolean fromInclusive, E toElement, boolean toInclusive) { - return new ConcurrentSkipListSet - (m.subMap(fromElement, fromInclusive, - toElement, toInclusive)); + return new KeySet(m.subMap(fromElement, fromInclusive, + toElement, toInclusive)); } public NavigableSet headSet(E toElement, boolean inclusive) { - return new ConcurrentSkipListSet(m.headMap(toElement, inclusive)); + return new KeySet(m.headMap(toElement, inclusive)); } public NavigableSet tailSet(E fromElement, boolean inclusive) { - return new ConcurrentSkipListSet(m.tailMap(fromElement, inclusive)); + return new KeySet(m.tailMap(fromElement, inclusive)); } public NavigableSet subSet(E fromElement, E toElement) { return subSet(fromElement, true, toElement, false); @@ -2414,7 +2413,7 @@ public class ConcurrentSkipListMap extends AbstractMap return tailSet(fromElement, true); } public NavigableSet descendingSet() { - return new ConcurrentSkipListSet(m.descendingMap()); + return new KeySet(m.descendingMap()); } } diff --git a/src/share/classes/java/util/concurrent/locks/AbstractQueuedLongSynchronizer.java b/src/share/classes/java/util/concurrent/locks/AbstractQueuedLongSynchronizer.java index a7f048e8bdb13e52a64e0d864246ad06f45b3b5e..68135015c291d684a522c62b3a955bc1f4243895 100644 --- a/src/share/classes/java/util/concurrent/locks/AbstractQueuedLongSynchronizer.java +++ b/src/share/classes/java/util/concurrent/locks/AbstractQueuedLongSynchronizer.java @@ -166,6 +166,11 @@ public abstract class AbstractQueuedLongSynchronizer static final int SIGNAL = -1; /** waitStatus value to indicate thread is waiting on condition */ static final int CONDITION = -2; + /** + * waitStatus value to indicate the next acquireShared should + * unconditionally propagate + */ + static final int PROPAGATE = -3; /** * Status field, taking on only the values: @@ -180,10 +185,16 @@ public abstract class AbstractQueuedLongSynchronizer * Nodes never leave this state. In particular, * a thread with cancelled node never again blocks. * CONDITION: This node is currently on a condition queue. - * It will not be used as a sync queue node until - * transferred. (Use of this value here - * has nothing to do with the other uses - * of the field, but simplifies mechanics.) + * It will not be used as a sync queue node + * until transferred, at which time the status + * will be set to 0. (Use of this value here has + * nothing to do with the other uses of the + * field, but simplifies mechanics.) + * PROPAGATE: A releaseShared should be propagated to other + * nodes. This is set (for head node only) in + * doReleaseShared to ensure propagation + * continues, even if other operations have + * since intervened. * 0: None of the above * * The values are arranged numerically to simplify use. @@ -403,10 +414,13 @@ public abstract class AbstractQueuedLongSynchronizer */ private void unparkSuccessor(Node node) { /* - * Try to clear status in anticipation of signalling. It is - * OK if this fails or if status is changed by waiting thread. + * If status is negative (i.e., possibly needing signal) try + * to clear in anticipation of signalling. It is OK if this + * fails or if status is changed by waiting thread. */ - compareAndSetWaitStatus(node, Node.SIGNAL, 0); + int ws = node.waitStatus; + if (ws < 0) + compareAndSetWaitStatus(node, ws, 0); /* * Thread to unpark is held in successor, which is normally @@ -425,24 +439,71 @@ public abstract class AbstractQueuedLongSynchronizer LockSupport.unpark(s.thread); } + /** + * Release action for shared mode -- signal successor and ensure + * propagation. (Note: For exclusive mode, release just amounts + * to calling unparkSuccessor of head if it needs signal.) + */ + private void doReleaseShared() { + /* + * Ensure that a release propagates, even if there are other + * in-progress acquires/releases. This proceeds in the usual + * way of trying to unparkSuccessor of head if it needs + * signal. But if it does not, status is set to PROPAGATE to + * ensure that upon release, propagation continues. + * Additionally, we must loop in case a new node is added + * while we are doing this. Also, unlike other uses of + * unparkSuccessor, we need to know if CAS to reset status + * fails, if so rechecking. + */ + for (;;) { + Node h = head; + if (h != null && h != tail) { + int ws = h.waitStatus; + if (ws == Node.SIGNAL) { + if (!compareAndSetWaitStatus(h, Node.SIGNAL, 0)) + continue; // loop to recheck cases + unparkSuccessor(h); + } + else if (ws == 0 && + !compareAndSetWaitStatus(h, 0, Node.PROPAGATE)) + continue; // loop on failed CAS + } + if (h == head) // loop if head changed + break; + } + } + /** * Sets head of queue, and checks if successor may be waiting - * in shared mode, if so propagating if propagate > 0. + * in shared mode, if so propagating if either propagate > 0 or + * PROPAGATE status was set. * - * @param pred the node holding waitStatus for node * @param node the node * @param propagate the return value from a tryAcquireShared */ private void setHeadAndPropagate(Node node, long propagate) { + Node h = head; // Record old head for check below setHead(node); - if (propagate > 0 && node.waitStatus != 0) { - /* - * Don't bother fully figuring out successor. If it - * looks null, call unparkSuccessor anyway to be safe. - */ + /* + * Try to signal next queued node if: + * Propagation was indicated by caller, + * or was recorded (as h.waitStatus) by a previous operation + * (note: this uses sign-check of waitStatus because + * PROPAGATE status may transition to SIGNAL.) + * and + * The next node is waiting in shared mode, + * or we don't know, because it appears null + * + * The conservatism in both of these checks may cause + * unnecessary wake-ups, but only when there are multiple + * racing acquires/releases, so most need signals now or soon + * anyway. + */ + if (propagate > 0 || h == null || h.waitStatus < 0) { Node s = node.next; if (s == null || s.isShared()) - unparkSuccessor(node); + doReleaseShared(); } } @@ -465,23 +526,27 @@ public abstract class AbstractQueuedLongSynchronizer while (pred.waitStatus > 0) node.prev = pred = pred.prev; - // Getting this before setting waitStatus ensures staleness + // predNext is the apparent node to unsplice. CASes below will + // fail if not, in which case, we lost race vs another cancel + // or signal, so no further action is necessary. Node predNext = pred.next; - // Can use unconditional write instead of CAS here + // Can use unconditional write instead of CAS here. + // After this atomic step, other Nodes can skip past us. + // Before, we are free of interference from other threads. node.waitStatus = Node.CANCELLED; - // If we are the tail, remove ourselves + // If we are the tail, remove ourselves. if (node == tail && compareAndSetTail(node, pred)) { compareAndSetNext(pred, predNext, null); } else { - // If "active" predecessor found... - if (pred != head - && (pred.waitStatus == Node.SIGNAL - || compareAndSetWaitStatus(pred, 0, Node.SIGNAL)) - && pred.thread != null) { - - // If successor is active, set predecessor's next link + // If successor needs signal, try to set pred's next-link + // so it will get one. Otherwise wake it up to propagate. + int ws; + if (pred != head && + ((ws = pred.waitStatus) == Node.SIGNAL || + (ws <= 0 && compareAndSetWaitStatus(pred, ws, Node.SIGNAL))) && + pred.thread != null) { Node next = node.next; if (next != null && next.waitStatus <= 0) compareAndSetNext(pred, predNext, next); @@ -503,14 +568,14 @@ public abstract class AbstractQueuedLongSynchronizer * @return {@code true} if thread should block */ private static boolean shouldParkAfterFailedAcquire(Node pred, Node node) { - int s = pred.waitStatus; - if (s < 0) + int ws = pred.waitStatus; + if (ws == Node.SIGNAL) /* * This node has already set status asking a release * to signal it, so it can safely park. */ return true; - if (s > 0) { + if (ws > 0) { /* * Predecessor was cancelled. Skip over predecessors and * indicate retry. @@ -519,14 +584,14 @@ public abstract class AbstractQueuedLongSynchronizer node.prev = pred = pred.prev; } while (pred.waitStatus > 0); pred.next = node; - } - else + } else { /* - * Indicate that we need a signal, but don't park yet. Caller - * will need to retry to make sure it cannot acquire before - * parking. + * waitStatus must be 0 or PROPAGATE. Indicate that we + * need a signal, but don't park yet. Caller will need to + * retry to make sure it cannot acquire before parking. */ - compareAndSetWaitStatus(pred, 0, Node.SIGNAL); + compareAndSetWaitStatus(pred, ws, Node.SIGNAL); + } return false; } @@ -1046,9 +1111,7 @@ public abstract class AbstractQueuedLongSynchronizer */ public final boolean releaseShared(long arg) { if (tryReleaseShared(arg)) { - Node h = head; - if (h != null && h.waitStatus != 0) - unparkSuccessor(h); + doReleaseShared(); return true; } return false; @@ -1390,8 +1453,8 @@ public abstract class AbstractQueuedLongSynchronizer * case the waitStatus can be transiently and harmlessly wrong). */ Node p = enq(node); - int c = p.waitStatus; - if (c > 0 || !compareAndSetWaitStatus(p, c, Node.SIGNAL)) + int ws = p.waitStatus; + if (ws > 0 || !compareAndSetWaitStatus(p, ws, Node.SIGNAL)) LockSupport.unpark(node.thread); return true; } diff --git a/src/share/classes/java/util/concurrent/locks/AbstractQueuedSynchronizer.java b/src/share/classes/java/util/concurrent/locks/AbstractQueuedSynchronizer.java index 39219bb5fd9111950c61c46f9eb02631f382190e..8de1cad1d503997b052c0ca2b875330d90d67d22 100644 --- a/src/share/classes/java/util/concurrent/locks/AbstractQueuedSynchronizer.java +++ b/src/share/classes/java/util/concurrent/locks/AbstractQueuedSynchronizer.java @@ -389,6 +389,11 @@ public abstract class AbstractQueuedSynchronizer static final int SIGNAL = -1; /** waitStatus value to indicate thread is waiting on condition */ static final int CONDITION = -2; + /** + * waitStatus value to indicate the next acquireShared should + * unconditionally propagate + */ + static final int PROPAGATE = -3; /** * Status field, taking on only the values: @@ -403,10 +408,16 @@ public abstract class AbstractQueuedSynchronizer * Nodes never leave this state. In particular, * a thread with cancelled node never again blocks. * CONDITION: This node is currently on a condition queue. - * It will not be used as a sync queue node until - * transferred. (Use of this value here - * has nothing to do with the other uses - * of the field, but simplifies mechanics.) + * It will not be used as a sync queue node + * until transferred, at which time the status + * will be set to 0. (Use of this value here has + * nothing to do with the other uses of the + * field, but simplifies mechanics.) + * PROPAGATE: A releaseShared should be propagated to other + * nodes. This is set (for head node only) in + * doReleaseShared to ensure propagation + * continues, even if other operations have + * since intervened. * 0: None of the above * * The values are arranged numerically to simplify use. @@ -626,10 +637,13 @@ public abstract class AbstractQueuedSynchronizer */ private void unparkSuccessor(Node node) { /* - * Try to clear status in anticipation of signalling. It is - * OK if this fails or if status is changed by waiting thread. + * If status is negative (i.e., possibly needing signal) try + * to clear in anticipation of signalling. It is OK if this + * fails or if status is changed by waiting thread. */ - compareAndSetWaitStatus(node, Node.SIGNAL, 0); + int ws = node.waitStatus; + if (ws < 0) + compareAndSetWaitStatus(node, ws, 0); /* * Thread to unpark is held in successor, which is normally @@ -648,24 +662,71 @@ public abstract class AbstractQueuedSynchronizer LockSupport.unpark(s.thread); } + /** + * Release action for shared mode -- signal successor and ensure + * propagation. (Note: For exclusive mode, release just amounts + * to calling unparkSuccessor of head if it needs signal.) + */ + private void doReleaseShared() { + /* + * Ensure that a release propagates, even if there are other + * in-progress acquires/releases. This proceeds in the usual + * way of trying to unparkSuccessor of head if it needs + * signal. But if it does not, status is set to PROPAGATE to + * ensure that upon release, propagation continues. + * Additionally, we must loop in case a new node is added + * while we are doing this. Also, unlike other uses of + * unparkSuccessor, we need to know if CAS to reset status + * fails, if so rechecking. + */ + for (;;) { + Node h = head; + if (h != null && h != tail) { + int ws = h.waitStatus; + if (ws == Node.SIGNAL) { + if (!compareAndSetWaitStatus(h, Node.SIGNAL, 0)) + continue; // loop to recheck cases + unparkSuccessor(h); + } + else if (ws == 0 && + !compareAndSetWaitStatus(h, 0, Node.PROPAGATE)) + continue; // loop on failed CAS + } + if (h == head) // loop if head changed + break; + } + } + /** * Sets head of queue, and checks if successor may be waiting - * in shared mode, if so propagating if propagate > 0. + * in shared mode, if so propagating if either propagate > 0 or + * PROPAGATE status was set. * - * @param pred the node holding waitStatus for node * @param node the node * @param propagate the return value from a tryAcquireShared */ private void setHeadAndPropagate(Node node, int propagate) { + Node h = head; // Record old head for check below setHead(node); - if (propagate > 0 && node.waitStatus != 0) { - /* - * Don't bother fully figuring out successor. If it - * looks null, call unparkSuccessor anyway to be safe. - */ + /* + * Try to signal next queued node if: + * Propagation was indicated by caller, + * or was recorded (as h.waitStatus) by a previous operation + * (note: this uses sign-check of waitStatus because + * PROPAGATE status may transition to SIGNAL.) + * and + * The next node is waiting in shared mode, + * or we don't know, because it appears null + * + * The conservatism in both of these checks may cause + * unnecessary wake-ups, but only when there are multiple + * racing acquires/releases, so most need signals now or soon + * anyway. + */ + if (propagate > 0 || h == null || h.waitStatus < 0) { Node s = node.next; if (s == null || s.isShared()) - unparkSuccessor(node); + doReleaseShared(); } } @@ -688,23 +749,27 @@ public abstract class AbstractQueuedSynchronizer while (pred.waitStatus > 0) node.prev = pred = pred.prev; - // Getting this before setting waitStatus ensures staleness + // predNext is the apparent node to unsplice. CASes below will + // fail if not, in which case, we lost race vs another cancel + // or signal, so no further action is necessary. Node predNext = pred.next; - // Can use unconditional write instead of CAS here + // Can use unconditional write instead of CAS here. + // After this atomic step, other Nodes can skip past us. + // Before, we are free of interference from other threads. node.waitStatus = Node.CANCELLED; - // If we are the tail, remove ourselves + // If we are the tail, remove ourselves. if (node == tail && compareAndSetTail(node, pred)) { compareAndSetNext(pred, predNext, null); } else { - // If "active" predecessor found... - if (pred != head - && (pred.waitStatus == Node.SIGNAL - || compareAndSetWaitStatus(pred, 0, Node.SIGNAL)) - && pred.thread != null) { - - // If successor is active, set predecessor's next link + // If successor needs signal, try to set pred's next-link + // so it will get one. Otherwise wake it up to propagate. + int ws; + if (pred != head && + ((ws = pred.waitStatus) == Node.SIGNAL || + (ws <= 0 && compareAndSetWaitStatus(pred, ws, Node.SIGNAL))) && + pred.thread != null) { Node next = node.next; if (next != null && next.waitStatus <= 0) compareAndSetNext(pred, predNext, next); @@ -726,14 +791,14 @@ public abstract class AbstractQueuedSynchronizer * @return {@code true} if thread should block */ private static boolean shouldParkAfterFailedAcquire(Node pred, Node node) { - int s = pred.waitStatus; - if (s < 0) + int ws = pred.waitStatus; + if (ws == Node.SIGNAL) /* * This node has already set status asking a release * to signal it, so it can safely park. */ return true; - if (s > 0) { + if (ws > 0) { /* * Predecessor was cancelled. Skip over predecessors and * indicate retry. @@ -742,14 +807,14 @@ public abstract class AbstractQueuedSynchronizer node.prev = pred = pred.prev; } while (pred.waitStatus > 0); pred.next = node; - } - else + } else { /* - * Indicate that we need a signal, but don't park yet. Caller - * will need to retry to make sure it cannot acquire before - * parking. + * waitStatus must be 0 or PROPAGATE. Indicate that we + * need a signal, but don't park yet. Caller will need to + * retry to make sure it cannot acquire before parking. */ - compareAndSetWaitStatus(pred, 0, Node.SIGNAL); + compareAndSetWaitStatus(pred, ws, Node.SIGNAL); + } return false; } @@ -1269,9 +1334,7 @@ public abstract class AbstractQueuedSynchronizer */ public final boolean releaseShared(int arg) { if (tryReleaseShared(arg)) { - Node h = head; - if (h != null && h.waitStatus != 0) - unparkSuccessor(h); + doReleaseShared(); return true; } return false; @@ -1613,8 +1676,8 @@ public abstract class AbstractQueuedSynchronizer * case the waitStatus can be transiently and harmlessly wrong). */ Node p = enq(node); - int c = p.waitStatus; - if (c > 0 || !compareAndSetWaitStatus(p, c, Node.SIGNAL)) + int ws = p.waitStatus; + if (ws > 0 || !compareAndSetWaitStatus(p, ws, Node.SIGNAL)) LockSupport.unpark(node.thread); return true; } diff --git a/src/share/classes/java/util/concurrent/locks/ReentrantReadWriteLock.java b/src/share/classes/java/util/concurrent/locks/ReentrantReadWriteLock.java index 8888efb2477a57994432cdb724ba0969333a567f..e767dfa62b1d2974bcc2d5aa23c4a848e740ba67 100644 --- a/src/share/classes/java/util/concurrent/locks/ReentrantReadWriteLock.java +++ b/src/share/classes/java/util/concurrent/locks/ReentrantReadWriteLock.java @@ -276,7 +276,7 @@ public class ReentrantReadWriteLock implements ReadWriteLock, java.io.Serializab * Maintained as a ThreadLocal; cached in cachedHoldCounter */ static final class HoldCounter { - int count; + int count = 0; // Use id, not reference, to avoid garbage retention final long tid = Thread.currentThread().getId(); } @@ -293,8 +293,9 @@ public class ReentrantReadWriteLock implements ReadWriteLock, java.io.Serializab } /** - * The number of read locks held by current thread. + * The number of reentrant read locks held by current thread. * Initialized only in constructor and readObject. + * Removed whenever a thread's read hold count drops to 0. */ private transient ThreadLocalHoldCounter readHolds; @@ -304,17 +305,35 @@ public class ReentrantReadWriteLock implements ReadWriteLock, java.io.Serializab * where the next thread to release is the last one to * acquire. This is non-volatile since it is just used * as a heuristic, and would be great for threads to cache. + * + *

Can outlive the Thread for which it is caching the read + * hold count, but avoids garbage retention by not retaining a + * reference to the Thread. + * + *

Accessed via a benign data race; relies on the memory + * model's final field and out-of-thin-air guarantees. */ private transient HoldCounter cachedHoldCounter; /** * firstReader is the first thread to have acquired the read lock. * firstReaderHoldCount is firstReader's hold count. - * This allows tracking of read holds for uncontended read + * + *

More precisely, firstReader is the unique thread that last + * changed the shared count from 0 to 1, and has not released the + * read lock since then; null if there is no such thread. + * + *

Cannot cause garbage retention unless the thread terminated + * without relinquishing its read locks, since tryReleaseShared + * sets it to null. + * + *

Accessed via a benign data race; relies on the memory + * model's out-of-thin-air guarantees for references. + * + *

This allows tracking of read holds for uncontended read * locks to be very cheap. */ - private final static long INVALID_THREAD_ID = -1; - private transient long firstReader = INVALID_THREAD_ID; + private transient Thread firstReader = null; private transient int firstReaderHoldCount; Sync() { @@ -393,16 +412,16 @@ public class ReentrantReadWriteLock implements ReadWriteLock, java.io.Serializab } protected final boolean tryReleaseShared(int unused) { - long tid = Thread.currentThread().getId(); - if (firstReader == tid) { + Thread current = Thread.currentThread(); + if (firstReader == current) { // assert firstReaderHoldCount > 0; if (firstReaderHoldCount == 1) - firstReader = INVALID_THREAD_ID; + firstReader = null; else firstReaderHoldCount--; } else { HoldCounter rh = cachedHoldCounter; - if (rh == null || rh.tid != tid) + if (rh == null || rh.tid != current.getId()) rh = readHolds.get(); int count = rh.count; if (count <= 1) { @@ -416,6 +435,9 @@ public class ReentrantReadWriteLock implements ReadWriteLock, java.io.Serializab int c = getState(); int nextc = c - SHARED_UNIT; if (compareAndSetState(c, nextc)) + // Releasing the read lock has no effect on readers, + // but it may allow waiting writers to proceed if + // both read and write locks are now free. return nextc == 0; } } @@ -450,15 +472,14 @@ public class ReentrantReadWriteLock implements ReadWriteLock, java.io.Serializab if (!readerShouldBlock() && r < MAX_COUNT && compareAndSetState(c, c + SHARED_UNIT)) { - long tid = current.getId(); if (r == 0) { - firstReader = tid; + firstReader = current; firstReaderHoldCount = 1; - } else if (firstReader == tid) { + } else if (firstReader == current) { firstReaderHoldCount++; } else { HoldCounter rh = cachedHoldCounter; - if (rh == null || rh.tid != tid) + if (rh == null || rh.tid != current.getId()) cachedHoldCounter = rh = readHolds.get(); else if (rh.count == 0) readHolds.set(rh); @@ -485,19 +506,17 @@ public class ReentrantReadWriteLock implements ReadWriteLock, java.io.Serializab int c = getState(); if (exclusiveCount(c) != 0) { if (getExclusiveOwnerThread() != current) - //if (removeNeeded) readHolds.remove(); return -1; // else we hold the exclusive lock; blocking here // would cause deadlock. } else if (readerShouldBlock()) { // Make sure we're not acquiring read lock reentrantly - long tid = current.getId(); - if (firstReader == tid) { + if (firstReader == current) { // assert firstReaderHoldCount > 0; } else { if (rh == null) { rh = cachedHoldCounter; - if (rh == null || rh.tid != tid) { + if (rh == null || rh.tid != current.getId()) { rh = readHolds.get(); if (rh.count == 0) readHolds.remove(); @@ -510,25 +529,20 @@ public class ReentrantReadWriteLock implements ReadWriteLock, java.io.Serializab if (sharedCount(c) == MAX_COUNT) throw new Error("Maximum lock count exceeded"); if (compareAndSetState(c, c + SHARED_UNIT)) { - long tid = current.getId(); if (sharedCount(c) == 0) { - firstReader = tid; + firstReader = current; firstReaderHoldCount = 1; - } else if (firstReader == tid) { + } else if (firstReader == current) { firstReaderHoldCount++; } else { - if (rh == null) { + if (rh == null) rh = cachedHoldCounter; - if (rh != null && rh.tid == tid) { - if (rh.count == 0) - readHolds.set(rh); - } else { - rh = readHolds.get(); - } - } else if (rh.count == 0) + if (rh == null || rh.tid != current.getId()) + rh = readHolds.get(); + else if (rh.count == 0) readHolds.set(rh); - cachedHoldCounter = rh; // cache for release rh.count++; + cachedHoldCounter = rh; // cache for release } return 1; } @@ -572,15 +586,14 @@ public class ReentrantReadWriteLock implements ReadWriteLock, java.io.Serializab if (r == MAX_COUNT) throw new Error("Maximum lock count exceeded"); if (compareAndSetState(c, c + SHARED_UNIT)) { - long tid = current.getId(); if (r == 0) { - firstReader = tid; + firstReader = current; firstReaderHoldCount = 1; - } else if (firstReader == tid) { + } else if (firstReader == current) { firstReaderHoldCount++; } else { HoldCounter rh = cachedHoldCounter; - if (rh == null || rh.tid != tid) + if (rh == null || rh.tid != current.getId()) cachedHoldCounter = rh = readHolds.get(); else if (rh.count == 0) readHolds.set(rh); @@ -626,12 +639,12 @@ public class ReentrantReadWriteLock implements ReadWriteLock, java.io.Serializab if (getReadLockCount() == 0) return 0; - long tid = Thread.currentThread().getId(); - if (firstReader == tid) + Thread current = Thread.currentThread(); + if (firstReader == current) return firstReaderHoldCount; HoldCounter rh = cachedHoldCounter; - if (rh != null && rh.tid == tid) + if (rh != null && rh.tid == current.getId()) return rh.count; int count = readHolds.get().count; @@ -647,7 +660,6 @@ public class ReentrantReadWriteLock implements ReadWriteLock, java.io.Serializab throws java.io.IOException, ClassNotFoundException { s.defaultReadObject(); readHolds = new ThreadLocalHoldCounter(); - firstReader = INVALID_THREAD_ID; setState(0); // reset to unlocked state } diff --git a/src/share/classes/sun/net/spi/DefaultProxySelector.java b/src/share/classes/sun/net/spi/DefaultProxySelector.java index a4fd7df23e15ede56b2a2795bb00681e4dc58566..714dc4ce5c3ba133a47825a1a13ab674ead65e63 100644 --- a/src/share/classes/sun/net/spi/DefaultProxySelector.java +++ b/src/share/classes/sun/net/spi/DefaultProxySelector.java @@ -78,7 +78,6 @@ public class DefaultProxySelector extends ProxySelector { }; private static boolean hasSystemProxies = false; - private static Properties defprops = new Properties(); static { final String key = "java.net.useSystemProxies"; @@ -107,6 +106,9 @@ public class DefaultProxySelector extends ProxySelector { RegexpPool hostsPool; String property; + static NonProxyInfo ftpNonProxyInfo = new NonProxyInfo("ftp.nonProxyHosts", null, null); + static NonProxyInfo httpNonProxyInfo = new NonProxyInfo("http.nonProxyHosts", null, null); + NonProxyInfo(String p, String s, RegexpPool pool) { property = p; hostsSource = s; @@ -114,8 +116,6 @@ public class DefaultProxySelector extends ProxySelector { } } - private static NonProxyInfo ftpNonProxyInfo = new NonProxyInfo("ftp.nonProxyHosts", null, null); - private static NonProxyInfo httpNonProxyInfo = new NonProxyInfo("http.nonProxyHosts", null, null); /** * select() method. Where all the hard work is done. @@ -175,13 +175,13 @@ public class DefaultProxySelector extends ProxySelector { NonProxyInfo pinfo = null; if ("http".equalsIgnoreCase(protocol)) { - pinfo = httpNonProxyInfo; + pinfo = NonProxyInfo.httpNonProxyInfo; } else if ("https".equalsIgnoreCase(protocol)) { // HTTPS uses the same property as HTTP, for backward // compatibility - pinfo = httpNonProxyInfo; + pinfo = NonProxyInfo.httpNonProxyInfo; } else if ("ftp".equalsIgnoreCase(protocol)) { - pinfo = ftpNonProxyInfo; + pinfo = NonProxyInfo.ftpNonProxyInfo; } /** @@ -334,7 +334,6 @@ public class DefaultProxySelector extends ProxySelector { } } - private static final Pattern p6 = Pattern.compile("::1|(0:){7}1|(0:){1,6}:1"); private boolean isLoopback(String host) { if (host == null || host.length() == 0) return false; @@ -364,6 +363,7 @@ public class DefaultProxySelector extends ProxySelector { } if (host.endsWith(":1")) { + final Pattern p6 = Pattern.compile("::1|(0:){7}1|(0:){1,6}:1"); return p6.matcher(host).matches(); } return false; diff --git a/src/share/classes/sun/security/tools/JarSigner.java b/src/share/classes/sun/security/tools/JarSigner.java index d8d1ee3d517ed82506a339145f1a61d4347ac3b4..2de2e52b08a64dd80e4ecbe58bd684fd87642664 100644 --- a/src/share/classes/sun/security/tools/JarSigner.java +++ b/src/share/classes/sun/security/tools/JarSigner.java @@ -1,5 +1,5 @@ /* - * Copyright 1997-2007 Sun Microsystems, Inc. All Rights Reserved. + * Copyright 1997-2009 Sun Microsystems, Inc. All Rights Reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -32,28 +32,44 @@ import java.util.jar.*; import java.math.BigInteger; import java.net.URI; import java.net.URISyntaxException; -import java.net.URL; -import java.net.URLClassLoader; -import java.net.SocketTimeoutException; import java.text.Collator; import java.text.MessageFormat; import java.security.cert.Certificate; import java.security.cert.X509Certificate; import java.security.cert.CertificateException; -import java.security.cert.CertificateExpiredException; -import java.security.cert.CertificateNotYetValidException; import java.security.*; import java.lang.reflect.Constructor; import com.sun.jarsigner.ContentSigner; import com.sun.jarsigner.ContentSignerParameters; +import java.net.SocketTimeoutException; +import java.net.URL; +import java.net.URLClassLoader; +import java.security.cert.CertPath; +import java.security.cert.CertPathValidator; +import java.security.cert.CertificateExpiredException; +import java.security.cert.CertificateFactory; +import java.security.cert.CertificateNotYetValidException; +import java.security.cert.PKIXParameters; +import java.security.cert.TrustAnchor; +import java.util.Map.Entry; import sun.security.x509.*; import sun.security.util.*; import sun.misc.BASE64Encoder; + /** *

The jarsigner utility. * + * The exit codes for the main method are: + * + * 0: success + * 1: any error that the jar cannot be signed or verified, including: + * keystore loading error + * TSP communciation error + * jarsigner command line error... + * otherwise: error codes from -strict + * * @author Roland Schemers * @author Jan Luehe */ @@ -84,8 +100,6 @@ public class JarSigner { // Attention: // This is the entry that get launched by the security tool jarsigner. - // It's marked as exported private per AppServer Team's request. - // See http://ccc.sfbay/6428446 public static void main(String args[]) throws Exception { JarSigner js = new JarSigner(); js.run(args); @@ -93,31 +107,32 @@ public class JarSigner { static final String VERSION = "1.0"; - static final int IN_KEYSTORE = 0x01; + static final int IN_KEYSTORE = 0x01; // signer is in keystore static final int IN_SCOPE = 0x02; + static final int NOT_ALIAS = 0x04; // alias list is NOT empty and + // signer is not in alias list + static final int SIGNED_BY_ALIAS = 0x08; // signer is in alias list - // signer's certificate chain (when composing) - X509Certificate[] certChain; - - /* - * private key - */ - PrivateKey privateKey; - KeyStore store; + X509Certificate[] certChain; // signer's cert chain (when composing) + PrivateKey privateKey; // private key + KeyStore store; // the keystore specified by -keystore + // or the default keystore, never null IdentityScope scope; String keystore; // key store file boolean nullStream = false; // null keystore input stream (NONE) boolean token = false; // token-based keystore - String jarfile; // jar file to sign + String jarfile; // jar file to sign or verify String alias; // alias to sign jar with + List ckaliases = new ArrayList(); // aliases in -verify char[] storepass; // keystore password boolean protectedPath; // protected authentication path String storetype; // keystore type String providerName; // provider name Vector providers = null; // list of providers - HashMap providerArgs = new HashMap(); // arguments for provider constructors + // arguments for provider constructors + HashMap providerArgs = new HashMap(); char[] keypass; // private key password String sigfile; // name of .SF file String sigalg; // name of signature algorithm @@ -125,12 +140,14 @@ public class JarSigner { String signedjar; // output filename String tsaUrl; // location of the Timestamping Authority String tsaAlias; // alias for the Timestamping Authority's certificate + String altCertChain; // file to read alternative cert chain from boolean verify = false; // verify the jar - boolean verbose = false; // verbose output when signing/verifying + String verbose = null; // verbose output when signing/verifying boolean showcerts = false; // show certs when verifying boolean debug = false; // debug boolean signManifest = true; // "sign" the whole manifest boolean externalSF = true; // leave the .SF out of the PKCS7 block + boolean strict = false; // treat warnings as error // read zip entry raw bytes private ByteArrayOutputStream baos = new ByteArrayOutputStream(2048); @@ -139,14 +156,22 @@ public class JarSigner { private String altSignerClass = null; private String altSignerClasspath = null; private ZipFile zipFile = null; + private boolean hasExpiredCert = false; private boolean hasExpiringCert = false; private boolean notYetValidCert = false; - + private boolean chainNotValidated = false; + private boolean notSignedByAlias = false; + private boolean aliasNotInStore = false; + private boolean hasUnsignedEntry = false; private boolean badKeyUsage = false; private boolean badExtendedKeyUsage = false; private boolean badNetscapeCertType = false; + CertificateFactory certificateFactory; + CertPathValidator validator; + PKIXParameters pkixParameters; + public void run(String args[]) { try { parseArgs(args); @@ -184,14 +209,6 @@ public class JarSigner { } } - hasExpiredCert = false; - hasExpiringCert = false; - notYetValidCert = false; - - badKeyUsage = false; - badExtendedKeyUsage = false; - badNetscapeCertType = false; - if (verify) { try { loadKeyStore(keystore, false); @@ -238,6 +255,29 @@ public class JarSigner { storepass = null; } } + + if (strict) { + int exitCode = 0; + if (hasExpiringCert) { + exitCode |= 2; + } + if (chainNotValidated) { + // hasExpiredCert and notYetValidCert included in this case + exitCode |= 4; + } + if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType) { + exitCode |= 8; + } + if (hasUnsignedEntry) { + exitCode |= 16; + } + if (notSignedByAlias || aliasNotInStore) { + exitCode |= 32; + } + if (exitCode != 0) { + System.exit(exitCode); + } + } } /* @@ -247,25 +287,26 @@ public class JarSigner { /* parse flags */ int n = 0; - for (n=0; (n < args.length) && args[n].startsWith("-"); n++) { + if (args.length == 0) fullusage(); + for (n=0; n < args.length; n++) { String flags = args[n]; if (collator.compare(flags, "-keystore") == 0) { - if (++n == args.length) usage(); + if (++n == args.length) usageNoArg(); keystore = args[n]; } else if (collator.compare(flags, "-storepass") ==0) { - if (++n == args.length) usage(); + if (++n == args.length) usageNoArg(); storepass = args[n].toCharArray(); } else if (collator.compare(flags, "-storetype") ==0) { - if (++n == args.length) usage(); + if (++n == args.length) usageNoArg(); storetype = args[n]; } else if (collator.compare(flags, "-providerName") ==0) { - if (++n == args.length) usage(); + if (++n == args.length) usageNoArg(); providerName = args[n]; } else if ((collator.compare(flags, "-provider") == 0) || (collator.compare(flags, "-providerClass") == 0)) { - if (++n == args.length) usage(); + if (++n == args.length) usageNoArg(); if (providers == null) { providers = new Vector(3); } @@ -274,35 +315,38 @@ public class JarSigner { if (args.length > (n+1)) { flags = args[n+1]; if (collator.compare(flags, "-providerArg") == 0) { - if (args.length == (n+2)) usage(); + if (args.length == (n+2)) usageNoArg(); providerArgs.put(args[n], args[n+2]); n += 2; } } } else if (collator.compare(flags, "-protected") ==0) { protectedPath = true; + } else if (collator.compare(flags, "-certchain") ==0) { + if (++n == args.length) usageNoArg(); + altCertChain = args[n]; } else if (collator.compare(flags, "-debug") ==0) { debug = true; } else if (collator.compare(flags, "-keypass") ==0) { - if (++n == args.length) usage(); + if (++n == args.length) usageNoArg(); keypass = args[n].toCharArray(); } else if (collator.compare(flags, "-sigfile") ==0) { - if (++n == args.length) usage(); + if (++n == args.length) usageNoArg(); sigfile = args[n]; } else if (collator.compare(flags, "-signedjar") ==0) { - if (++n == args.length) usage(); + if (++n == args.length) usageNoArg(); signedjar = args[n]; } else if (collator.compare(flags, "-tsa") ==0) { - if (++n == args.length) usage(); + if (++n == args.length) usageNoArg(); tsaUrl = args[n]; } else if (collator.compare(flags, "-tsacert") ==0) { - if (++n == args.length) usage(); + if (++n == args.length) usageNoArg(); tsaAlias = args[n]; } else if (collator.compare(flags, "-altsigner") ==0) { - if (++n == args.length) usage(); + if (++n == args.length) usageNoArg(); altSignerClass = args[n]; } else if (collator.compare(flags, "-altsignerpath") ==0) { - if (++n == args.length) usage(); + if (++n == args.length) usageNoArg(); altSignerClasspath = args[n]; } else if (collator.compare(flags, "-sectionsonly") ==0) { signManifest = false; @@ -311,30 +355,56 @@ public class JarSigner { } else if (collator.compare(flags, "-verify") ==0) { verify = true; } else if (collator.compare(flags, "-verbose") ==0) { - verbose = true; + verbose = "all"; + } else if (collator.compare(flags, "-verbose:all") ==0) { + verbose = "all"; + } else if (collator.compare(flags, "-verbose:summary") ==0) { + verbose = "summary"; + } else if (collator.compare(flags, "-verbose:grouped") ==0) { + verbose = "grouped"; } else if (collator.compare(flags, "-sigalg") ==0) { - if (++n == args.length) usage(); + if (++n == args.length) usageNoArg(); sigalg = args[n]; } else if (collator.compare(flags, "-digestalg") ==0) { - if (++n == args.length) usage(); + if (++n == args.length) usageNoArg(); digestalg = args[n]; } else if (collator.compare(flags, "-certs") ==0) { showcerts = true; + } else if (collator.compare(flags, "-strict") ==0) { + strict = true; } else if (collator.compare(flags, "-h") == 0 || collator.compare(flags, "-help") == 0) { - usage(); + fullusage(); } else { - System.err.println(rb.getString("Illegal option: ") + flags); - usage(); + if (!flags.startsWith("-")) { + if (jarfile == null) { + jarfile = flags; + } else { + alias = flags; + ckaliases.add(alias); + } + } else { + System.err.println( + rb.getString("Illegal option: ") + flags); + usage(); + } } } - if (n == args.length) usage(); - jarfile = args[n++]; + // -certs must always be specified with -verbose + if (verbose == null) showcerts = false; - if (!verify) { - if (n == args.length) usage(); - alias = args[n++]; + if (jarfile == null) { + System.err.println(rb.getString("Please specify jarfile name")); + usage(); + } + if (!verify && alias == null) { + System.err.println(rb.getString("Please specify alias name")); + usage(); + } + if (!verify && ckaliases.size() > 1) { + System.err.println(rb.getString("Only one alias can be specified")); + usage(); } if (storetype == null) { @@ -357,7 +427,6 @@ public class JarSigner { if (token && !nullStream) { System.err.println(MessageFormat.format(rb.getString ("-keystore must be NONE if -storetype is {0}"), storetype)); - System.err.println(); usage(); } @@ -365,7 +434,6 @@ public class JarSigner { System.err.println(MessageFormat.format(rb.getString ("-keypass can not be specified " + "if -storetype is {0}"), storetype)); - System.err.println(); usage(); } @@ -374,7 +442,6 @@ public class JarSigner { System.err.println(rb.getString ("If -protected is specified, " + "then -storepass and -keypass must not be specified")); - System.err.println(); usage(); } } @@ -383,17 +450,27 @@ public class JarSigner { System.err.println(rb.getString ("If keystore is not password protected, " + "then -storepass and -keypass must not be specified")); - System.err.println(); usage(); } } } + void usageNoArg() { + System.out.println(rb.getString("Option lacks argument")); + usage(); + } + void usage() { + System.out.println(); + System.out.println(rb.getString("Please type jarsigner -help for usage")); + System.exit(1); + } + + void fullusage() { System.out.println(rb.getString ("Usage: jarsigner [options] jar-file alias")); System.out.println(rb.getString - (" jarsigner -verify [options] jar-file")); + (" jarsigner -verify [options] jar-file [alias...]")); System.out.println(); System.out.println(rb.getString ("[-keystore ] keystore location")); @@ -407,6 +484,9 @@ public class JarSigner { System.out.println(rb.getString ("[-keypass ] password for private key (if different)")); System.out.println(); + System.out.println(rb.getString + ("[-certchain ] name of alternative certchain file")); + System.out.println(); System.out.println(rb.getString ("[-sigfile ] name of .SF/.DSA file")); System.out.println(); @@ -423,7 +503,9 @@ public class JarSigner { ("[-verify] verify a signed JAR file")); System.out.println(); System.out.println(rb.getString - ("[-verbose] verbose output when signing/verifying")); + ("[-verbose[:suboptions]] verbose output when signing/verifying.")); + System.out.println(rb.getString + (" suboptions can be all, grouped or summary")); System.out.println(); System.out.println(rb.getString ("[-certs] display certificates when verbose and verifying")); @@ -457,15 +539,17 @@ public class JarSigner { System.out.println(rb.getString (" [-providerArg ]] ... master class file and constructor argument")); System.out.println(); + System.out.println(rb.getString + ("[-strict] treat warnings as errors")); + System.out.println(); - System.exit(1); + System.exit(0); } void verifyJar(String jarName) throws Exception { - boolean anySigned = false; - boolean hasUnsignedEntry = false; + boolean anySigned = false; // if there exists entry inside jar signed JarFile jf = null; try { @@ -494,11 +578,18 @@ public class JarSigner { Manifest man = jf.getManifest(); + // The map to record display info, only used when -verbose provided + // key: signer info string + // value: the list of files with common key + Map> output = + new LinkedHashMap>(); + if (man != null) { - if (verbose) System.out.println(); + if (verbose != null) System.out.println(); Enumeration e = entriesVec.elements(); long now = System.currentTimeMillis(); + String tab = rb.getString(" "); while (e.hasMoreElements()) { JarEntry je = e.nextElement(); @@ -509,77 +600,118 @@ public class JarSigner { hasUnsignedEntry |= !je.isDirectory() && !isSigned && !signatureRelated(name); - if (verbose) { - int inStoreOrScope = inKeyStore(signers); - boolean inStore = (inStoreOrScope & IN_KEYSTORE) != 0; - boolean inScope = (inStoreOrScope & IN_SCOPE) != 0; + int inStoreOrScope = inKeyStore(signers); + + boolean inStore = (inStoreOrScope & IN_KEYSTORE) != 0; + boolean inScope = (inStoreOrScope & IN_SCOPE) != 0; + + notSignedByAlias |= (inStoreOrScope & NOT_ALIAS) != 0; + aliasNotInStore |= isSigned && (!inStore && !inScope); + + // Only used when -verbose provided + StringBuffer sb = null; + if (verbose != null) { + sb = new StringBuffer(); boolean inManifest = ((man.getAttributes(name) != null) || (man.getAttributes("./"+name) != null) || (man.getAttributes("/"+name) != null)); - System.out.print( + sb.append( (isSigned ? rb.getString("s") : rb.getString(" ")) + (inManifest ? rb.getString("m") : rb.getString(" ")) + (inStore ? rb.getString("k") : rb.getString(" ")) + (inScope ? rb.getString("i") : rb.getString(" ")) + - rb.getString(" ")); - StringBuffer sb = new StringBuffer(); + ((inStoreOrScope & NOT_ALIAS) != 0 ?"X":" ") + + rb.getString(" ")); + sb.append("|"); + } + + // When -certs provided, display info has extra empty + // lines at the beginning and end. + if (isSigned) { + if (showcerts) sb.append('\n'); + for (CodeSigner signer: signers) { + // signerInfo() must be called even if -verbose + // not provided. The method updates various + // warning flags. + String si = signerInfo(signer, tab, now); + if (showcerts) { + sb.append(si); + sb.append('\n'); + } + } + } else if (showcerts && !verbose.equals("all")) { + // Print no info for unsigned entries when -verbose:all, + // to be consistent with old behavior. + if (signatureRelated(name)) { + sb.append("\n" + tab + rb.getString( + "(Signature related entries)") + "\n\n"); + } else { + sb.append("\n" + tab + rb.getString( + "(Unsigned entries)") + "\n\n"); + } + } + + if (verbose != null) { + String label = sb.toString(); + if (signatureRelated(name)) { + // Entries inside META-INF and other unsigned + // entries are grouped separately. + label = "-" + label.substring(1); + } + + // The label finally contains 2 parts separated by '|': + // The legend displayed before the entry names, and + // the cert info (if -certs specfied). + + if (!output.containsKey(label)) { + output.put(label, new ArrayList()); + } + + StringBuffer fb = new StringBuffer(); String s = Long.toString(je.getSize()); for (int i = 6 - s.length(); i > 0; --i) { - sb.append(' '); - } - sb.append(s).append(' '). - append(new Date(je.getTime()).toString()); - sb.append(' ').append(je.getName()); - System.out.println(sb.toString()); - - if (signers != null && showcerts) { - String tab = rb.getString(" "); - for (int i = 0; i < signers.length; i++) { - System.out.println(); - List certs = - signers[i].getSignerCertPath() - .getCertificates(); - // display the signature timestamp, if present - Timestamp timestamp = signers[i].getTimestamp(); - if (timestamp != null) { - System.out.println( - printTimestamp(tab, timestamp)); - } - // display the certificate(s) - for (Certificate c : certs) { - System.out.println( - printCert(tab, c, true, now)); - } - } - System.out.println(); + fb.append(' '); } + fb.append(s).append(' '). + append(new Date(je.getTime()).toString()); + fb.append(' ').append(name); + output.get(label).add(fb.toString()); } - if (isSigned) { - for (int i = 0; i < signers.length; i++) { - Certificate cert = - signers[i].getSignerCertPath() - .getCertificates().get(0); - if (cert instanceof X509Certificate) { - checkCertUsage((X509Certificate)cert, null); - if (!showcerts) { - long notAfter = ((X509Certificate)cert) - .getNotAfter().getTime(); - - if (notAfter < now) { - hasExpiredCert = true; - } else if (notAfter < now + SIX_MONTHS) { - hasExpiringCert = true; - } - } + } + } + if (verbose != null) { + for (Entry> s: output.entrySet()) { + List files = s.getValue(); + String key = s.getKey(); + if (key.charAt(0) == '-') { // the signature-related group + key = ' ' + key.substring(1); + } + int pipe = key.indexOf('|'); + if (verbose.equals("all")) { + for (String f: files) { + System.out.println(key.substring(0, pipe) + f); + System.out.printf(key.substring(pipe+1)); + } + } else { + if (verbose.equals("grouped")) { + for (String f: files) { + System.out.println(key.substring(0, pipe) + f); + } + } else if (verbose.equals("summary")) { + System.out.print(key.substring(0, pipe)); + if (files.size() > 1) { + System.out.println(files.get(0) + " " + + String.format(rb.getString( + "(and %d more)"), files.size()-1)); + } else { + System.out.println(files.get(0)); } } + System.out.printf(key.substring(pipe+1)); } - } - } - if (verbose) { System.out.println(); System.out.println(rb.getString( " s = signature was verified ")); @@ -589,9 +721,12 @@ public class JarSigner { " k = at least one certificate was found in keystore")); System.out.println(rb.getString( " i = at least one certificate was found in identity scope")); + if (ckaliases.size() > 0) { + System.out.println(( + " X = not signed by specified alias(es)")); + } System.out.println(); } - if (man == null) System.out.println(rb.getString("no manifest.")); @@ -602,7 +737,8 @@ public class JarSigner { System.out.println(rb.getString("jar verified.")); if (hasUnsignedEntry || hasExpiredCert || hasExpiringCert || badKeyUsage || badExtendedKeyUsage || badNetscapeCertType || - notYetValidCert) { + notYetValidCert || chainNotValidated || + aliasNotInStore || notSignedByAlias) { System.out.println(); System.out.println(rb.getString("Warning: ")); @@ -638,14 +774,27 @@ public class JarSigner { "This jar contains entries whose signer certificate is not yet valid. ")); } - if (! (verbose && showcerts)) { + if (chainNotValidated) { + System.out.println( + rb.getString("This jar contains entries whose certificate chain is not validated.")); + } + + if (notSignedByAlias) { + System.out.println( + rb.getString("This jar contains signed entries which is not signed by the specified alias(es).")); + } + + if (aliasNotInStore) { + System.out.println(rb.getString("This jar contains signed entries that's not signed by alias in this keystore.")); + } + if (! (verbose != null && showcerts)) { System.out.println(); System.out.println(rb.getString( "Re-run with the -verbose and -certs options for more details.")); } } } - System.exit(0); + return; } catch (Exception e) { System.out.println(rb.getString("jarsigner: ") + e); if (debug) { @@ -660,15 +809,6 @@ public class JarSigner { System.exit(1); } - /* - * Display some details about a certificate: - * - * [", " ] [" (" ")"] - */ - String printCert(Certificate c) { - return printCert("", c, false, 0); - } - private static MessageFormat validityTimeForm = null; private static MessageFormat notYetTimeForm = null; private static MessageFormat expiredTimeForm = null; @@ -679,6 +819,8 @@ public class JarSigner { * * [] [", " ] [" (" ")"] * [ | ] + * + * Note: no newline character at the end */ String printCert(String tab, Certificate c, boolean checkValidityPeriod, long now) { @@ -788,54 +930,75 @@ public class JarSigner { .append(signTimeForm.format(source)).append("]").toString(); } + private Map cacheForInKS = + new IdentityHashMap(); + + private int inKeyStoreForOneSigner(CodeSigner signer) { + if (cacheForInKS.containsKey(signer)) { + return cacheForInKS.get(signer); + } + + boolean found = false; + int result = 0; + List certs = signer.getSignerCertPath().getCertificates(); + for (Certificate c : certs) { + String alias = storeHash.get(c); + if (alias != null) { + if (alias.startsWith("(")) { + result |= IN_KEYSTORE; + } else if (alias.startsWith("[")) { + result |= IN_SCOPE; + } + if (ckaliases.contains(alias.substring(1, alias.length() - 1))) { + result |= SIGNED_BY_ALIAS; + } + } else { + if (store != null) { + try { + alias = store.getCertificateAlias(c); + } catch (KeyStoreException kse) { + // never happens, because keystore has been loaded + } + if (alias != null) { + storeHash.put(c, "(" + alias + ")"); + found = true; + result |= IN_KEYSTORE; + } + } + if (!found && (scope != null)) { + Identity id = scope.getIdentity(c.getPublicKey()); + if (id != null) { + result |= IN_SCOPE; + storeHash.put(c, "[" + id.getName() + "]"); + } + } + if (ckaliases.contains(alias)) { + result |= SIGNED_BY_ALIAS; + } + } + } + cacheForInKS.put(signer, result); + return result; + } + Hashtable storeHash = new Hashtable(); int inKeyStore(CodeSigner[] signers) { - int result = 0; if (signers == null) return 0; - boolean found = false; - - for (int i = 0; i < signers.length; i++) { - found = false; - List certs = - signers[i].getSignerCertPath().getCertificates(); + int output = 0; - for (Certificate c : certs) { - String alias = storeHash.get(c); - - if (alias != null) { - if (alias.startsWith("(")) - result |= IN_KEYSTORE; - else if (alias.startsWith("[")) - result |= IN_SCOPE; - } else { - if (store != null) { - try { - alias = store.getCertificateAlias(c); - } catch (KeyStoreException kse) { - // never happens, because keystore has been loaded - } - if (alias != null) { - storeHash.put(c, "("+alias+")"); - found = true; - result |= IN_KEYSTORE; - } - } - if (!found && (scope != null)) { - Identity id = scope.getIdentity(c.getPublicKey()); - if (id != null) { - result |= IN_SCOPE; - storeHash.put(c, "["+id.getName()+"]"); - } - } - } - } + for (CodeSigner signer: signers) { + int result = inKeyStoreForOneSigner(signer); + output |= result; } - return result; + if (ckaliases.size() > 0 && (output & SIGNED_BY_ALIAS) == 0) { + output |= NOT_ALIAS; + } + return output; } void signJar(String jarName, String alias, String[] args) @@ -1025,7 +1188,7 @@ public class JarSigner { // manifest file has new length mfFile = new ZipEntry(JarFile.MANIFEST_NAME); } - if (verbose) { + if (verbose != null) { if (mfCreated) { System.out.println(rb.getString(" adding: ") + mfFile.getName()); @@ -1076,7 +1239,7 @@ public class JarSigner { // signature file zos.putNextEntry(sfFile); sf.write(zos); - if (verbose) { + if (verbose != null) { if (zipFile.getEntry(sfFilename) != null) { System.out.println(rb.getString(" updating: ") + sfFilename); @@ -1086,7 +1249,7 @@ public class JarSigner { } } - if (verbose) { + if (verbose != null) { if (tsaUrl != null || tsaCert != null) { System.out.println( rb.getString("requesting a signature timestamp")); @@ -1101,8 +1264,8 @@ public class JarSigner { System.out.println(rb.getString("TSA location: ") + certUrl); } - System.out.println( - rb.getString("TSA certificate: ") + printCert(tsaCert)); + System.out.println(rb.getString("TSA certificate: ") + + printCert("", tsaCert, false, 0)); } if (signingMechanism != null) { System.out.println( @@ -1113,7 +1276,7 @@ public class JarSigner { // signature block file zos.putNextEntry(bkFile); block.write(zos); - if (verbose) { + if (verbose != null) { if (zipFile.getEntry(bkFilename) != null) { System.out.println(rb.getString(" updating: ") + bkFilename); @@ -1140,7 +1303,7 @@ public class JarSigner { ZipEntry ze = enum_.nextElement(); if (!ze.getName().startsWith(META_INF)) { - if (verbose) { + if (verbose != null) { if (manifest.getAttributes(ze.getName()) != null) System.out.println(rb.getString(" signing: ") + ze.getName()); @@ -1194,7 +1357,8 @@ public class JarSigner { } if (hasExpiredCert || hasExpiringCert || notYetValidCert - || badKeyUsage || badExtendedKeyUsage || badNetscapeCertType) { + || badKeyUsage || badExtendedKeyUsage + || badNetscapeCertType || chainNotValidated) { System.out.println(); System.out.println(rb.getString("Warning: ")); @@ -1223,6 +1387,11 @@ public class JarSigner { System.out.println( rb.getString("The signer certificate is not yet valid.")); } + + if (chainNotValidated) { + System.out.println( + rb.getString("The signer's certificate chain is not validated.")); + } } // no IOException thrown in the above try clause, so disable @@ -1274,6 +1443,40 @@ public class JarSigner { return false; } + Map cacheForSignerInfo = new IdentityHashMap(); + + /** + * Returns a string of singer info, with a newline at the end + */ + private String signerInfo(CodeSigner signer, String tab, long now) { + if (cacheForSignerInfo.containsKey(signer)) { + return cacheForSignerInfo.get(signer); + } + StringBuffer s = new StringBuffer(); + List certs = signer.getSignerCertPath().getCertificates(); + // display the signature timestamp, if present + Timestamp timestamp = signer.getTimestamp(); + if (timestamp != null) { + s.append(printTimestamp(tab, timestamp)); + } + // display the certificate(s) + for (Certificate c : certs) { + s.append(printCert(tab, c, true, now)); + s.append('\n'); + } + try { + CertPath cp = certificateFactory.generateCertPath(certs); + validator.validate(cp, pkixParameters); + } catch (Exception e) { + chainNotValidated = true; + s.append(tab + rb.getString("[CertPath not validated: ") + + e.getLocalizedMessage() + "]\n"); // TODO + } + String result = s.toString(); + cacheForSignerInfo.put(signer, result); + return result; + } + private void writeEntry(ZipFile zf, ZipOutputStream os, ZipEntry ze) throws IOException { @@ -1360,6 +1563,48 @@ public class JarSigner { } } } + Set tas = new HashSet(); + try { + KeyStore caks = KeyTool.getCacertsKeyStore(); + if (caks != null) { + Enumeration aliases = caks.aliases(); + while (aliases.hasMoreElements()) { + String a = aliases.nextElement(); + try { + tas.add(new TrustAnchor((X509Certificate)caks.getCertificate(a), null)); + } catch (Exception e2) { + // ignore, when a SecretkeyEntry does not include a cert + } + } + } + } catch (Exception e) { + // Ignore, if cacerts cannot be loaded + } + if (store != null) { + Enumeration aliases = store.aliases(); + while (aliases.hasMoreElements()) { + String a = aliases.nextElement(); + try { + X509Certificate c = (X509Certificate)store.getCertificate(a); + // Only add TrustedCertificateEntry and self-signed + // PrivateKeyEntry + if (store.isCertificateEntry(a) || + c.getSubjectDN().equals(c.getIssuerDN())) { + tas.add(new TrustAnchor(c, null)); + } + } catch (Exception e2) { + // ignore, when a SecretkeyEntry does not include a cert + } + } + } + certificateFactory = CertificateFactory.getInstance("X.509"); + validator = CertPathValidator.getInstance("PKIX"); + try { + pkixParameters = new PKIXParameters(tas); + pkixParameters.setRevocationEnabled(false); + } catch (InvalidAlgorithmParameterException ex) { + // Only if tas is empty + } } catch (IOException ioe) { throw new RuntimeException(rb.getString("keystore load: ") + ioe.getMessage()); @@ -1408,7 +1653,8 @@ public class JarSigner { void checkCertUsage(X509Certificate userCert, boolean[] bad) { // Can act as a signer? - // 1. if KeyUsage, then [0] should be true + // 1. if KeyUsage, then [0:digitalSignature] or + // [1:nonRepudiation] should be true // 2. if ExtendedKeyUsage, then should contains ANY or CODE_SIGNING // 3. if NetscapeCertType, then should contains OBJECT_SIGNING // 1,2,3 must be true @@ -1419,10 +1665,10 @@ public class JarSigner { boolean[] keyUsage = userCert.getKeyUsage(); if (keyUsage != null) { - if (keyUsage.length < 1 || !keyUsage[0]) { + keyUsage = Arrays.copyOf(keyUsage, 9); + if (!keyUsage[0] && !keyUsage[1]) { if (bad != null) { bad[0] = true; - } else { badKeyUsage = true; } } @@ -1435,7 +1681,6 @@ public class JarSigner { && !xKeyUsage.contains("1.3.6.1.5.5.7.3.3")) { // codeSigning if (bad != null) { bad[1] = true; - } else { badExtendedKeyUsage = true; } } @@ -1462,7 +1707,6 @@ public class JarSigner { if (!val) { if (bad != null) { bad[2] = true; - } else { badNetscapeCertType = true; } } @@ -1477,19 +1721,36 @@ public class JarSigner { Key key = null; try { - java.security.cert.Certificate[] cs = null; - - try { - cs = store.getCertificateChain(alias); - } catch (KeyStoreException kse) { - // this never happens, because keystore has been loaded + if (altCertChain != null) { + try { + cs = CertificateFactory.getInstance("X.509"). + generateCertificates(new FileInputStream(altCertChain)). + toArray(new Certificate[0]); + } catch (CertificateException ex) { + error(rb.getString("Cannot restore certchain from file specified")); + } catch (FileNotFoundException ex) { + error(rb.getString("File specified by -certchain does not exist")); + } + } else { + try { + cs = store.getCertificateChain(alias); + } catch (KeyStoreException kse) { + // this never happens, because keystore has been loaded + } } - if (cs == null) { - MessageFormat form = new MessageFormat(rb.getString - ("Certificate chain not found for: alias. alias must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.")); - Object[] source = {alias, alias}; - error(form.format(source)); + if (cs == null || cs.length == 0) { + if (altCertChain != null) { + error(rb.getString + ("Certificate chain not found in the file specified.")); + } else { + MessageFormat form = new MessageFormat(rb.getString + ("Certificate chain not found for: alias. alias must" + + " reference a valid KeyStore key entry containing a" + + " private key and corresponding public key certificate chain.")); + Object[] source = {alias, alias}; + error(form.format(source)); + } } certChain = new X509Certificate[cs.length]; @@ -1501,56 +1762,15 @@ public class JarSigner { certChain[i] = (X509Certificate)cs[i]; } - // order the cert chain if necessary (put user cert first, - // root-cert last in the chain) - X509Certificate userCert - = (X509Certificate)store.getCertificate(alias); + // We don't meant to print anything, the next call + // checks validity and keyUsage etc + printCert("", certChain[0], true, 0); - // check validity of signer certificate try { - userCert.checkValidity(); - - if (userCert.getNotAfter().getTime() < - System.currentTimeMillis() + SIX_MONTHS) { - - hasExpiringCert = true; - } - } catch (CertificateExpiredException cee) { - hasExpiredCert = true; - - } catch (CertificateNotYetValidException cnyve) { - notYetValidCert = true; - } - - checkCertUsage(userCert, null); - - if (!userCert.equals(certChain[0])) { - // need to order ... - X509Certificate[] certChainTmp - = new X509Certificate[certChain.length]; - certChainTmp[0] = userCert; - Principal issuer = userCert.getIssuerDN(); - for (int i=1; i] keystore location", "[-keystore ] keystore location"}, {"[-storepass ] password for keystore integrity", @@ -64,6 +64,8 @@ public class JarSignerResources extends java.util.ListResourceBundle { "[-storetype ] keystore type"}, {"[-keypass ] password for private key (if different)", "[-keypass ] password for private key (if different)"}, + {"[-certchain ] name of alternative certchain file", + "[-certchain ] name of alternative certchain file"}, {"[-sigfile ] name of .SF/.DSA file", "[-sigfile ] name of .SF/.DSA file"}, {"[-signedjar ] name of signed JAR file", @@ -74,8 +76,10 @@ public class JarSignerResources extends java.util.ListResourceBundle { "[-sigalg ] name of signature algorithm"}, {"[-verify] verify a signed JAR file", "[-verify] verify a signed JAR file"}, - {"[-verbose] verbose output when signing/verifying", - "[-verbose] verbose output when signing/verifying"}, + {"[-verbose[:suboptions]] verbose output when signing/verifying.", + "[-verbose[:suboptions]] verbose output when signing/verifying."}, + {" suboptions can be all, grouped or summary", + " suboptions can be all, grouped or summary"}, {"[-certs] display certificates when verbose and verifying", "[-certs] display certificates when verbose and verifying"}, {"[-tsa ] location of the Timestamping Authority", @@ -98,10 +102,22 @@ public class JarSignerResources extends java.util.ListResourceBundle { "[-providerClass name of cryptographic service provider's"}, {" [-providerArg ]] ... master class file and constructor argument", " [-providerArg ]] ... master class file and constructor argument"}, + {"[-strict] treat warnings as errors", + "[-strict] treat warnings as errors"}, + {"Option lacks argument", "Option lacks argument"}, + {"Please type jarsigner -help for usage", "Please type jarsigner -help for usage"}, + {"Please specify jarfile name", "Please specify jarfile name"}, + {"Please specify alias name", "Please specify alias name"}, + {"Only one alias can be specified", "Only one alias can be specified"}, + {"This jar contains signed entries which is not signed by the specified alias(es).", + "This jar contains signed entries which is not signed by the specified alias(es)."}, + {"This jar contains signed entries that's not signed by alias in this keystore.", + "This jar contains signed entries that's not signed by alias in this keystore."}, {"s", "s"}, {"m", "m"}, {"k", "k"}, {"i", "i"}, + {"(and %d more)", "(and %d more)"}, {" s = signature was verified ", " s = signature was verified "}, {" m = entry is listed in manifest", @@ -110,7 +126,11 @@ public class JarSignerResources extends java.util.ListResourceBundle { " k = at least one certificate was found in keystore"}, {" i = at least one certificate was found in identity scope", " i = at least one certificate was found in identity scope"}, + {" X = not signed by specified alias(es)", + " X = not signed by specified alias(es)"}, {"no manifest.", "no manifest."}, + {"(Signature related entries)","(Signature related entries)"}, + {"(Unsigned entries)", "(Unsigned entries)"}, {"jar is unsigned. (signatures missing or not parsable)", "jar is unsigned. (signatures missing or not parsable)"}, {"jar verified.", "jar verified."}, @@ -134,6 +154,12 @@ public class JarSignerResources extends java.util.ListResourceBundle { "unable to instantiate keystore class: "}, {"Certificate chain not found for: alias. alias must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.", "Certificate chain not found for: {0}. {1} must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain."}, + {"File specified by -certchain does not exist", + "File specified by -certchain does not exist"}, + {"Cannot restore certchain from file specified", + "Cannot restore certchain from file specified"}, + {"Certificate chain not found in the file specified.", + "Certificate chain not found in the file specified."}, {"found non-X.509 certificate in signer's chain", "found non-X.509 certificate in signer's chain"}, {"incomplete certificate chain", "incomplete certificate chain"}, @@ -149,6 +175,7 @@ public class JarSignerResources extends java.util.ListResourceBundle { {"certificate is not valid until", "certificate is not valid until {0}"}, {"certificate will expire on", "certificate will expire on {0}"}, + {"[CertPath not validated: ", "[CertPath not validated: "}, {"requesting a signature timestamp", "requesting a signature timestamp"}, {"TSA location: ", "TSA location: "}, @@ -189,14 +216,18 @@ public class JarSignerResources extends java.util.ListResourceBundle { "The signer certificate's ExtendedKeyUsage extension doesn't allow code signing."}, {"The signer certificate's NetscapeCertType extension doesn't allow code signing.", "The signer certificate's NetscapeCertType extension doesn't allow code signing."}, - {"This jar contains entries whose signer certificate's KeyUsage extension doesn't allow code signing.", - "This jar contains entries whose signer certificate's KeyUsage extension doesn't allow code signing."}, - {"This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing.", - "This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing."}, - {"This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing.", - "This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing."}, + {"This jar contains entries whose signer certificate's KeyUsage extension doesn't allow code signing.", + "This jar contains entries whose signer certificate's KeyUsage extension doesn't allow code signing."}, + {"This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing.", + "This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing."}, + {"This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing.", + "This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing."}, {"[{0} extension does not support code signing]", "[{0} extension does not support code signing]"}, + {"The signer's certificate chain is not validated.", + "The signer's certificate chain is not validated."}, + {"This jar contains entries whose certificate chain is not validated.", + "This jar contains entries whose certificate chain is not validated."}, }; /** diff --git a/src/share/classes/sun/security/tools/KeyTool.java b/src/share/classes/sun/security/tools/KeyTool.java index 163e78fc5cfe58194b9b21c670043251594ef313..1ce3ab21a02cb5747fd38d93f32c42d91497951e 100644 --- a/src/share/classes/sun/security/tools/KeyTool.java +++ b/src/share/classes/sun/security/tools/KeyTool.java @@ -3108,7 +3108,7 @@ public final class KeyTool { /** * Returns the keystore with the configured CA certificates. */ - private KeyStore getCacertsKeyStore() + public static KeyStore getCacertsKeyStore() throws Exception { String sep = File.separator; diff --git a/test/java/util/Collection/MOAT.java b/test/java/util/Collection/MOAT.java index 0dd89f355005d6baeaab7b6dff87f366c5dcd09f..f9d30f56217d23ab6ba2597f41b073f88ef6b670 100644 --- a/test/java/util/Collection/MOAT.java +++ b/test/java/util/Collection/MOAT.java @@ -555,6 +555,7 @@ public class MOAT { NavigableMap nm = (NavigableMap) m; + testNavigableMapRemovers(nm); testNavigableMap(nm); testNavigableMap(nm.headMap(6, false)); testNavigableMap(nm.headMap(5, true)); @@ -742,6 +743,97 @@ public class MOAT { equal(it.next(), expected); } + static void equalMaps(Map m1, Map m2) { + equal(m1, m2); + equal(m2, m1); + equal(m1.size(), m2.size()); + equal(m1.isEmpty(), m2.isEmpty()); + equal(m1.toString(), m2.toString()); + check(Arrays.equals(m1.entrySet().toArray(), m2.entrySet().toArray())); + } + + @SuppressWarnings({"unchecked", "rawtypes"}) + static void testNavigableMapRemovers(NavigableMap m) + { + final Map emptyMap = new HashMap(); + + final Map singletonMap = new HashMap(); + singletonMap.put(1, 2); + + abstract class NavigableMapView { + abstract NavigableMap view(NavigableMap m); + } + + NavigableMapView[] views = { + new NavigableMapView() { NavigableMap view(NavigableMap m) { + return m; }}, + new NavigableMapView() { NavigableMap view(NavigableMap m) { + return m.headMap(99, true); }}, + new NavigableMapView() { NavigableMap view(NavigableMap m) { + return m.tailMap(-99, false); }}, + new NavigableMapView() { NavigableMap view(NavigableMap m) { + return m.subMap(-99, true, 99, false); }}, + }; + + abstract class Remover { + abstract void remove(NavigableMap m, Object k, Object v); + } + + Remover[] removers = { + new Remover() { void remove(NavigableMap m, Object k, Object v) { + equal(m.remove(k), v); }}, + + new Remover() { void remove(NavigableMap m, Object k, Object v) { + equal(m.descendingMap().remove(k), v); }}, + new Remover() { void remove(NavigableMap m, Object k, Object v) { + equal(m.descendingMap().headMap(-86, false).remove(k), v); }}, + new Remover() { void remove(NavigableMap m, Object k, Object v) { + equal(m.descendingMap().tailMap(86, true).remove(k), v); }}, + + new Remover() { void remove(NavigableMap m, Object k, Object v) { + equal(m.headMap(86, true).remove(k), v); }}, + new Remover() { void remove(NavigableMap m, Object k, Object v) { + equal(m.tailMap(-86, true).remove(k), v); }}, + new Remover() { void remove(NavigableMap m, Object k, Object v) { + equal(m.subMap(-86, false, 86, true).remove(k), v); }}, + + new Remover() { void remove(NavigableMap m, Object k, Object v) { + check(m.keySet().remove(k)); }}, + new Remover() { void remove(NavigableMap m, Object k, Object v) { + check(m.navigableKeySet().remove(k)); }}, + + new Remover() { void remove(NavigableMap m, Object k, Object v) { + check(m.navigableKeySet().headSet(86, true).remove(k)); }}, + new Remover() { void remove(NavigableMap m, Object k, Object v) { + check(m.navigableKeySet().tailSet(-86, false).remove(k)); }}, + new Remover() { void remove(NavigableMap m, Object k, Object v) { + check(m.navigableKeySet().subSet(-86, true, 86, false) + .remove(k)); }}, + + new Remover() { void remove(NavigableMap m, Object k, Object v) { + check(m.descendingKeySet().headSet(-86, false).remove(k)); }}, + new Remover() { void remove(NavigableMap m, Object k, Object v) { + check(m.descendingKeySet().tailSet(86, true).remove(k)); }}, + new Remover() { void remove(NavigableMap m, Object k, Object v) { + check(m.descendingKeySet().subSet(86, true, -86, false) + .remove(k)); }}, + }; + + for (NavigableMapView view : views) { + for (Remover remover : removers) { + try { + m.clear(); + equalMaps(m, emptyMap); + equal(m.put(1, 2), null); + equalMaps(m, singletonMap); + NavigableMap v = view.view(m); + remover.remove(v, 1, 2); + equalMaps(m, emptyMap); + } catch (Throwable t) { unexpected(t); } + } + } + } + private static void testNavigableMap(NavigableMap m) { clear(m); diff --git a/test/java/util/concurrent/Semaphore/RacingReleases.java b/test/java/util/concurrent/Semaphore/RacingReleases.java new file mode 100644 index 0000000000000000000000000000000000000000..c1c573f443fb00eab3b7f70d9bfd81c721c24354 --- /dev/null +++ b/test/java/util/concurrent/Semaphore/RacingReleases.java @@ -0,0 +1,116 @@ +/* + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, + * CA 95054 USA or visit www.sun.com if you need additional information or + * have any questions. + */ + +/* + * This file is available under and governed by the GNU General Public + * License version 2 only, as published by the Free Software Foundation. + * However, the following notice accompanied the original version of this + * file: + * + * Written by Doug Lea with assistance from members of JCP JSR-166 + * Expert Group and released to the public domain, as explained at + * http://creativecommons.org/licenses/publicdomain + */ + +/* + * @test + * @bug 6801020 6803402 + * @summary Try to tickle race conditions in + * AbstractQueuedSynchronizer "shared" code + */ + +import java.util.concurrent.Semaphore; + +public class RacingReleases { + + /** Increase this for better chance of tickling races */ + static final int iterations = 1000; + + public static void test(final boolean fair, + final boolean interruptibly) + throws Throwable { + for (int i = 0; i < iterations; i++) { + final Semaphore sem = new Semaphore(0, fair); + final Throwable[] badness = new Throwable[1]; + Runnable blocker = interruptibly ? + new Runnable() { + public void run() { + try { + sem.acquire(); + } catch (Throwable t) { + badness[0] = t; + throw new Error(t); + }}} + : + new Runnable() { + public void run() { + try { + sem.acquireUninterruptibly(); + } catch (Throwable t) { + badness[0] = t; + throw new Error(t); + }}}; + + Thread b1 = new Thread(blocker); + Thread b2 = new Thread(blocker); + Runnable signaller = new Runnable() { + public void run() { + try { + sem.release(); + } catch (Throwable t) { + badness[0] = t; + throw new Error(t); + }}}; + Thread s1 = new Thread(signaller); + Thread s2 = new Thread(signaller); + Thread[] threads = { b1, b2, s1, s2 }; + java.util.Collections.shuffle(java.util.Arrays.asList(threads)); + for (Thread thread : threads) + thread.start(); + for (Thread thread : threads) { + thread.join(60 * 1000); + if (thread.isAlive()) + throw new Error + (String.format + ("Semaphore stuck: permits %d, thread waiting %s%n", + sem.availablePermits(), + sem.hasQueuedThreads() ? "true" : "false")); + } + if (badness[0] != null) + throw new Error(badness[0]); + if (sem.availablePermits() != 0) + throw new Error(String.valueOf(sem.availablePermits())); + if (sem.hasQueuedThreads()) + throw new Error(String.valueOf(sem.hasQueuedThreads())); + if (sem.getQueueLength() != 0) + throw new Error(String.valueOf(sem.getQueueLength())); + if (sem.isFair() != fair) + throw new Error(String.valueOf(sem.isFair())); + } + } + + public static void main(String[] args) throws Throwable { + for (boolean fair : new boolean[] { true, false }) + for (boolean interruptibly : new boolean[] { true, false }) + test(fair, interruptibly); + } +} diff --git a/test/sun/security/tools/jarsigner/concise_jarsigner.sh b/test/sun/security/tools/jarsigner/concise_jarsigner.sh new file mode 100644 index 0000000000000000000000000000000000000000..1c9eaabe3967eb7d42d7ce6691694f4aa8c19c45 --- /dev/null +++ b/test/sun/security/tools/jarsigner/concise_jarsigner.sh @@ -0,0 +1,200 @@ +# +# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +# +# This code is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 2 only, as +# published by the Free Software Foundation. +# +# This code is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# version 2 for more details (a copy is included in the LICENSE file that +# accompanied this code). +# +# You should have received a copy of the GNU General Public License version +# 2 along with this work; if not, write to the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, +# CA 95054 USA or visit www.sun.com if you need additional information or +# have any questions. +# + +# @test +# @bug 6802846 +# @summary jarsigner needs enhanced cert validation(options) +# +# @run shell concise_jarsigner.sh +# + +if [ "${TESTJAVA}" = "" ] ; then + JAVAC_CMD=`which javac` + TESTJAVA=`dirname $JAVAC_CMD`/.. +fi + +# set platform-dependent variables +OS=`uname -s` +case "$OS" in + Windows_* ) + FS="\\" + ;; + * ) + FS="/" + ;; +esac + +KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit -keystore js.jks" +JAR=$TESTJAVA${FS}bin${FS}jar +JARSIGNER=$TESTJAVA${FS}bin${FS}jarsigner +JAVAC=$TESTJAVA${FS}bin${FS}javac + +rm js.jks + +echo class A1 {} > A1.java +echo class A2 {} > A2.java +echo class A3 {} > A3.java +echo class A4 {} > A4.java +echo class A5 {} > A5.java +echo class A6 {} > A6.java + +$JAVAC A1.java A2.java A3.java A4.java A5.java A6.java +YEAR=`date +%Y` + +# ========================================================== +# First part: output format +# ========================================================== + +$KT -genkeypair -alias a1 -dname CN=a1 -validity 365 +$KT -genkeypair -alias a2 -dname CN=a2 -validity 365 + +# a.jar includes 8 unsigned, 2 signed by a1 and a2, 2 signed by a3 +$JAR cvf a.jar A1.class A2.class +$JARSIGNER -keystore js.jks -storepass changeit a.jar a1 +$JAR uvf a.jar A3.class A4.class +$JARSIGNER -keystore js.jks -storepass changeit a.jar a2 +$JAR uvf a.jar A5.class A6.class + +# Verify OK +$JARSIGNER -verify a.jar +[ $? = 0 ] || exit $LINENO + +# 4(chainNotValidated)+16(hasUnsignedEntry)+32(aliasNotInStore) +$JARSIGNER -verify a.jar -strict +[ $? = 52 ] || exit $LINENO + +# 16(hasUnsignedEntry) +$JARSIGNER -verify a.jar -strict -keystore js.jks +[ $? = 16 ] || exit $LINENO + +# 16(hasUnsignedEntry)+32(notSignedByAlias) +$JARSIGNER -verify a.jar a1 -strict -keystore js.jks +[ $? = 48 ] || exit $LINENO + +# 16(hasUnsignedEntry) +$JARSIGNER -verify a.jar a1 a2 -strict -keystore js.jks +[ $? = 16 ] || exit $LINENO + +# 12 entries all together +LINES=`$JARSIGNER -verify a.jar -verbose | grep $YEAR | wc -l` +[ $LINES = 12 ] || exit $LINENO + +# 12 entries all listed +LINES=`$JARSIGNER -verify a.jar -verbose:grouped | grep $YEAR | wc -l` +[ $LINES = 12 ] || exit $LINENO + +# 3 groups: unrelated, signed, unsigned +LINES=`$JARSIGNER -verify a.jar -verbose:summary | grep $YEAR | wc -l` +[ $LINES = 3 ] || exit $LINENO + +# 4 groups: unrelated, signed by a1/a2, signed by a2, unsigned +LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep $YEAR | wc -l` +[ $LINES = 4 ] || exit $LINENO + +# 2*2 for A1/A2, 2 for A3/A4 +LINES=`$JARSIGNER -verify a.jar -verbose -certs | grep "\[certificate" | wc -l` +[ $LINES = 6 ] || exit $LINENO + +# a1,a2 for A1/A2, a2 for A3/A4 +LINES=`$JARSIGNER -verify a.jar -verbose:grouped -certs | grep "\[certificate" | wc -l` +[ $LINES = 3 ] || exit $LINENO + +# a1,a2 for A1/A2, a2 for A3/A4 +LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep "\[certificate" | wc -l` +[ $LINES = 3 ] || exit $LINENO + +# 4 groups +LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep "more)" | wc -l` +[ $LINES = 4 ] || exit $LINENO + +# ========================================================== +# Second part: exit code 2, 4, 8 +# 16 and 32 already covered in the first part +# ========================================================== + +$KT -genkeypair -alias expiring -dname CN=expiring -startdate -1m +$KT -genkeypair -alias expired -dname CN=expired -startdate -10m +$KT -genkeypair -alias notyetvalid -dname CN=notyetvalid -startdate +1m +$KT -genkeypair -alias badku -dname CN=badku -ext KU=cRLSign -validity 365 +$KT -genkeypair -alias badeku -dname CN=badeku -ext EKU=sa -validity 365 +$KT -genkeypair -alias goodku -dname CN=goodku -ext KU=dig -validity 365 +$KT -genkeypair -alias goodeku -dname CN=goodeku -ext EKU=codesign -validity 365 + +# badchain signed by ca, but ca is removed later +$KT -genkeypair -alias badchain -dname CN=badchain -validity 365 +$KT -genkeypair -alias ca -dname CN=ca -ext bc -validity 365 +$KT -certreq -alias badchain | $KT -gencert -alias ca -validity 365 | \ + $KT -importcert -alias badchain +$KT -delete -alias ca + +$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar expiring +[ $? = 2 ] || exit $LINENO + +$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar expired +[ $? = 4 ] || exit $LINENO + +$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar notyetvalid +[ $? = 4 ] || exit $LINENO + +$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar badku +[ $? = 8 ] || exit $LINENO + +$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar badeku +[ $? = 8 ] || exit $LINENO + +$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar goodku +[ $? = 0 ] || exit $LINENO + +$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar goodeku +[ $? = 0 ] || exit $LINENO + +$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar badchain +[ $? = 4 ] || exit $LINENO + +$JARSIGNER -verify a.jar +[ $? = 0 ] || exit $LINENO + +# ========================================================== +# Third part: -certchain test +# ========================================================== + +# altchain signed by ca2, but ca2 is removed later +$KT -genkeypair -alias altchain -dname CN=altchain -validity 365 +$KT -genkeypair -alias ca2 -dname CN=ca2 -ext bc -validity 365 +$KT -certreq -alias altchain | $KT -gencert -alias ca2 -validity 365 -rfc > certchain +$KT -exportcert -alias ca2 -rfc >> certchain +$KT -delete -alias ca2 + +# Now altchain is still self-signed +$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar altchain +[ $? = 0 ] || exit $LINENO + +# If -certchain is used, then it's bad +$JARSIGNER -strict -keystore js.jks -storepass changeit -certchain certchain a.jar altchain +[ $? = 4 ] || exit $LINENO + +$JARSIGNER -verify a.jar +[ $? = 0 ] || exit $LINENO + +echo OK +exit 0