提交 6b1b12bc 编写于 作者: M mchung

Merge

......@@ -251,6 +251,7 @@ JAVA_JAVA_java = \
java/util/IdentityHashMap.java \
java/util/EnumMap.java \
java/util/Arrays.java \
java/util/DualPivotQuicksort.java \
java/util/TimSort.java \
java/util/ComparableTimSort.java \
java/util/ConcurrentModificationException.java \
......
此差异已折叠。
/*
* Portions Copyright 2000-2007 Sun Microsystems, Inc. All Rights Reserved.
* Portions Copyright 2000-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -503,7 +503,19 @@ public class EncryptionKey
+ '\n'));
}
/**
* Find a key with given etype
*/
public static EncryptionKey findKey(int etype, EncryptionKey[] keys)
throws KrbException {
return findKey(etype, null, keys);
}
/**
* Find a key with given etype and kvno
* @param kvno if null, return any (first?) key
*/
public static EncryptionKey findKey(int etype, Integer kvno, EncryptionKey[] keys)
throws KrbException {
// check if encryption type is supported
......@@ -516,7 +528,8 @@ public class EncryptionKey
for (int i = 0; i < keys.length; i++) {
ktype = keys[i].getEType();
if (EType.isSupported(ktype)) {
if (etype == ktype) {
Integer kv = keys[i].getKeyVersionNumber();
if (etype == ktype && (kvno == null || kvno.equals(kv))) {
return keys[i];
}
}
......@@ -528,8 +541,11 @@ public class EncryptionKey
for (int i = 0; i < keys.length; i++) {
ktype = keys[i].getEType();
if (ktype == EncryptedData.ETYPE_DES_CBC_CRC ||
ktype == EncryptedData.ETYPE_DES_CBC_MD5) {
return new EncryptionKey(etype, keys[i].getBytes());
ktype == EncryptedData.ETYPE_DES_CBC_MD5) {
Integer kv = keys[i].getKeyVersionNumber();
if (kvno == null || kvno.equals(kv)) {
return new EncryptionKey(etype, keys[i].getBytes());
}
}
}
}
......
......@@ -268,7 +268,8 @@ public class KrbApReq {
private void authenticate(EncryptionKey[] keys, InetAddress initiator)
throws KrbException, IOException {
int encPartKeyType = apReqMessg.ticket.encPart.getEType();
EncryptionKey dkey = EncryptionKey.findKey(encPartKeyType, keys);
Integer kvno = apReqMessg.ticket.encPart.getKeyVersionNumber();
EncryptionKey dkey = EncryptionKey.findKey(encPartKeyType, kvno, keys);
if (dkey == null) {
throw new KrbException(Krb5.API_INVALID_ARG,
......
......@@ -395,6 +395,28 @@ public class KeyTab implements KeyTabConstants {
}
}
/**
* Only used by KDC test. This method can specify kvno and does not
* remove any old keys.
*/
public void addEntry(PrincipalName service, char[] psswd, int kvno)
throws KrbException {
EncryptionKey[] encKeys = EncryptionKey.acquireSecretKeys(
psswd, service.getSalt());
for (int i = 0; encKeys != null && i < encKeys.length; i++) {
int keyType = encKeys[i].getEType();
byte[] keyValue = encKeys[i].getBytes();
KeyTabEntry newEntry = new KeyTabEntry(service,
service.getRealm(),
new KerberosTime(System.currentTimeMillis()),
kvno, keyType, keyValue);
if (entries == null)
entries = new Vector<KeyTabEntry> ();
entries.addElement(newEntry);
}
}
/**
* Retrieves the key table entry with the specified service name.
......
......@@ -1483,6 +1483,7 @@ public class JarSigner {
Timestamp timestamp = signer.getTimestamp();
if (timestamp != null) {
s.append(printTimestamp(tab, timestamp));
s.append('\n');
}
// display the certificate(s)
for (Certificate c : certs) {
......
......@@ -26,6 +26,7 @@
package sun.security.tools;
import java.io.*;
import java.security.CodeSigner;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
......@@ -34,6 +35,7 @@ import java.security.PublicKey;
import java.security.PrivateKey;
import java.security.Security;
import java.security.Signature;
import java.security.Timestamp;
import java.security.UnrecoverableEntryException;
import java.security.UnrecoverableKeyException;
import java.security.Principal;
......@@ -46,6 +48,8 @@ import java.security.cert.CertificateException;
import java.text.Collator;
import java.text.MessageFormat;
import java.util.*;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
import java.lang.reflect.Constructor;
import java.net.URL;
import java.net.URLClassLoader;
......@@ -130,6 +134,7 @@ public final class KeyTool {
private File ksfile = null;
private InputStream ksStream = null; // keystore stream
private String sslserver = null;
private String jarfile = null;
private KeyStore keyStore = null;
private boolean token = false;
private boolean nullStream = false;
......@@ -206,7 +211,7 @@ public final class KeyTool {
"-providername", "-providerclass", "-providerarg",
"-providerpath", "-v", "-protected"),
PRINTCERT("Prints the content of a certificate",
"-rfc", "-file", "-sslserver", "-v"),
"-rfc", "-file", "-sslserver", "-jarfile", "-v"),
PRINTCERTREQ("Prints the content of a certificate request",
"-file", "-v"),
SELFCERT("Generates a self-signed certificate",
......@@ -266,6 +271,7 @@ public final class KeyTool {
{"-srcstorepass", "<arg>", "source keystore password"},
{"-srcstoretype", "<srcstoretype>", "source keystore type"},
{"-sslserver", "<server[:port]>", "SSL server host and port"},
{"-jarfile", "<filename>", "signed jar file"},
{"-startdate", "<startdate>", "certificate validity start date/time"},
{"-storepass", "<arg>", "keystore password"},
{"-storetype", "<storetype>", "keystore type"},
......@@ -453,6 +459,8 @@ public final class KeyTool {
outfilename = args[++i];
} else if (collator.compare(flags, "-sslserver") == 0) {
sslserver = args[++i];
} else if (collator.compare(flags, "-jarfile") == 0) {
jarfile = args[++i];
} else if (collator.compare(flags, "-srckeystore") == 0) {
srcksfname = args[++i];
} else if ((collator.compare(flags, "-provider") == 0) ||
......@@ -2065,7 +2073,71 @@ public final class KeyTool {
}
private void doPrintCert(final PrintStream out) throws Exception {
if (sslserver != null) {
if (jarfile != null) {
JarFile jf = new JarFile(jarfile, true);
Enumeration<JarEntry> entries = jf.entries();
Set<CodeSigner> ss = new HashSet<CodeSigner>();
byte[] buffer = new byte[8192];
int pos = 0;
while (entries.hasMoreElements()) {
JarEntry je = entries.nextElement();
InputStream is = null;
try {
is = jf.getInputStream(je);
while (is.read(buffer) != -1) {
// we just read. this will throw a SecurityException
// if a signature/digest check fails. This also
// populate the signers
}
} finally {
if (is != null) {
is.close();
}
}
CodeSigner[] signers = je.getCodeSigners();
if (signers != null) {
for (CodeSigner signer: signers) {
if (!ss.contains(signer)) {
ss.add(signer);
out.printf(rb.getString("Signer #%d:"), ++pos);
out.println();
out.println();
out.println(rb.getString("Signature:"));
out.println();
for (Certificate cert: signer.getSignerCertPath().getCertificates()) {
X509Certificate x = (X509Certificate)cert;
if (rfc) {
out.println(rb.getString("Certificate owner: ") + x.getSubjectDN() + "\n");
dumpCert(x, out);
} else {
printX509Cert(x, out);
}
out.println();
}
Timestamp ts = signer.getTimestamp();
if (ts != null) {
out.println(rb.getString("Timestamp:"));
out.println();
for (Certificate cert: ts.getSignerCertPath().getCertificates()) {
X509Certificate x = (X509Certificate)cert;
if (rfc) {
out.println(rb.getString("Certificate owner: ") + x.getSubjectDN() + "\n");
dumpCert(x, out);
} else {
printX509Cert(x, out);
}
out.println();
}
}
}
}
}
}
jf.close();
if (ss.size() == 0) {
out.println(rb.getString("Not a signed jar file"));
}
} else if (sslserver != null) {
SSLContext sc = SSLContext.getInstance("SSL");
final boolean[] certPrinted = new boolean[1];
sc.init(null, new TrustManager[] {
......
......@@ -162,6 +162,8 @@ public class Resources extends java.util.ListResourceBundle {
"source keystore type"}, //-srcstoretype
{"SSL server host and port",
"SSL server host and port"}, //-sslserver
{"signed jar file",
"signed jar file"}, //=jarfile
{"certificate validity start date/time",
"certificate validity start date/time"}, //-startdate
{"keystore password",
......@@ -370,6 +372,13 @@ public class Resources extends java.util.ListResourceBundle {
{"***************** WARNING WARNING WARNING *****************",
"***************** WARNING WARNING WARNING *****************"},
{"Signer #%d:", "Signer #%d:"},
{"Timestamp:", "Timestamp:"},
{"Signature:", "Signature:"},
{"Certificate owner: ", "Certificate owner: "},
{"Not a signed jar file", "Not a signed jar file"},
{"No certificate from the SSL server",
"No certificate from the SSL server"},
// Translators of the following 5 pairs, ATTENTION:
// the next 5 string pairs are meant to be combined into 2 paragraphs,
......
......@@ -466,7 +466,17 @@ public class KDC {
// the krb5.conf config file would be loaded.
Method stringToKey = EncryptionKey.class.getDeclaredMethod("stringToKey", char[].class, String.class, byte[].class, Integer.TYPE);
stringToKey.setAccessible(true);
return new EncryptionKey((byte[]) stringToKey.invoke(null, getPassword(p), getSalt(p), null, etype), etype, null);
Integer kvno = null;
// For service whose password ending with a number, use it as kvno
if (p.toString().indexOf('/') >= 0) {
char[] pass = getPassword(p);
if (Character.isDigit(pass[pass.length-1])) {
kvno = pass[pass.length-1] - '0';
}
}
return new EncryptionKey((byte[]) stringToKey.invoke(
null, getPassword(p), getSalt(p), null, etype),
etype, kvno);
} catch (InvocationTargetException ex) {
KrbException ke = (KrbException)ex.getCause();
throw ke;
......
/*
* Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
* CA 95054 USA or visit www.sun.com if you need additional information or
* have any questions.
*/
/*
* @test
* @bug 6893158
* @summary AP_REQ check should use key version number
*/
import sun.security.jgss.GSSUtil;
import sun.security.krb5.PrincipalName;
import sun.security.krb5.internal.ktab.KeyTab;
public class MoreKvno {
public static void main(String[] args)
throws Exception {
OneKDC kdc = new OneKDC(null);
kdc.writeJAASConf();
// Rewrite keytab, 3 set of keys with different kvno
KeyTab ktab = KeyTab.create(OneKDC.KTAB);
PrincipalName p = new PrincipalName(OneKDC.SERVER+"@"+OneKDC.REALM, PrincipalName.KRB_NT_SRV_HST);
ktab.addEntry(p, "pass0".toCharArray(), 0);
ktab.addEntry(p, "pass2".toCharArray(), 2);
ktab.addEntry(p, "pass1".toCharArray(), 1);
ktab.save();
kdc.addPrincipal(OneKDC.SERVER, "pass1".toCharArray());
go(OneKDC.SERVER, "com.sun.security.jgss.krb5.accept");
kdc.addPrincipal(OneKDC.SERVER, "pass2".toCharArray());
// "server" initiate also, check pass2 is used at authentication
go(OneKDC.SERVER, "server");
}
static void go(String server, String entry) throws Exception {
Context c, s;
c = Context.fromUserPass("dummy", "bogus".toCharArray(), false);
s = Context.fromJAAS(entry);
c.startAsClient(server, GSSUtil.GSS_KRB5_MECH_OID);
s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
Context.handshake(c, s);
s.dispose();
c.dispose();
}
}
#
# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
# CA 95054 USA or visit www.sun.com if you need additional information or
# have any questions.
#
# @test
# @bug 6890872
# @summary keytool -printcert to recognize signed jar files
#
if [ "${TESTJAVA}" = "" ] ; then
JAVAC_CMD=`which javac`
TESTJAVA=`dirname $JAVAC_CMD`/..
fi
# set platform-dependent variables
OS=`uname -s`
case "$OS" in
Windows_* )
FS="\\"
;;
* )
FS="/"
;;
esac
KS=readjar.jks
rm $KS
$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit -keystore $KS \
-alias x -dname CN=X -genkeypair
$TESTJAVA${FS}bin${FS}jar cvf readjar.jar $KS
$TESTJAVA${FS}bin${FS}jarsigner -storepass changeit -keystore $KS readjar.jar x
$TESTJAVA${FS}bin${FS}keytool -printcert -jarfile readjar.jar || exit 1
$TESTJAVA${FS}bin${FS}keytool -printcert -jarfile readjar.jar -rfc || exit 1
exit 0
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册