Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
openanolis
dragonwell8_jdk
提交
7459aba3
D
dragonwell8_jdk
项目概览
openanolis
/
dragonwell8_jdk
通知
4
Star
2
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
D
dragonwell8_jdk
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
7459aba3
编写于
1月 12, 2020
作者:
A
alvdavi
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
8230318: Better trust store usage
Reviewed-by: andrew
上级
3c504251
变更
18
显示空白变更内容
内联
并排
Showing
18 changed file
with
85 addition
and
32 deletion
+85
-32
src/share/classes/sun/security/validator/PKIXValidator.java
src/share/classes/sun/security/validator/PKIXValidator.java
+55
-4
test/sun/security/tools/jarsigner/TsacertOptionTest.java
test/sun/security/tools/jarsigner/TsacertOptionTest.java
+1
-0
test/sun/security/tools/jarsigner/Warning.java
test/sun/security/tools/jarsigner/Warning.java
+1
-1
test/sun/security/tools/jarsigner/concise_jarsigner.sh
test/sun/security/tools/jarsigner/concise_jarsigner.sh
+2
-2
test/sun/security/tools/jarsigner/ec.sh
test/sun/security/tools/jarsigner/ec.sh
+1
-1
test/sun/security/tools/jarsigner/onlymanifest.sh
test/sun/security/tools/jarsigner/onlymanifest.sh
+1
-1
test/sun/security/tools/jarsigner/warnings/BadExtendedKeyUsageTest.java
...ity/tools/jarsigner/warnings/BadExtendedKeyUsageTest.java
+2
-2
test/sun/security/tools/jarsigner/warnings/BadKeyUsageTest.java
...un/security/tools/jarsigner/warnings/BadKeyUsageTest.java
+2
-2
test/sun/security/tools/jarsigner/warnings/BadNetscapeCertTypeTest.java
...ity/tools/jarsigner/warnings/BadNetscapeCertTypeTest.java
+2
-2
test/sun/security/tools/jarsigner/warnings/ChainNotValidatedTest.java
...urity/tools/jarsigner/warnings/ChainNotValidatedTest.java
+2
-2
test/sun/security/tools/jarsigner/warnings/HasExpiredCertTest.java
...security/tools/jarsigner/warnings/HasExpiredCertTest.java
+2
-2
test/sun/security/tools/jarsigner/warnings/HasExpiringCertTest.java
...ecurity/tools/jarsigner/warnings/HasExpiringCertTest.java
+2
-2
test/sun/security/tools/jarsigner/warnings/HasUnsignedEntryTest.java
...curity/tools/jarsigner/warnings/HasUnsignedEntryTest.java
+2
-2
test/sun/security/tools/jarsigner/warnings/MultipleWarningsTest.java
...curity/tools/jarsigner/warnings/MultipleWarningsTest.java
+2
-2
test/sun/security/tools/jarsigner/warnings/NoTimestampTest.java
...un/security/tools/jarsigner/warnings/NoTimestampTest.java
+2
-2
test/sun/security/tools/jarsigner/warnings/NotSignedByAliasTest.java
...curity/tools/jarsigner/warnings/NotSignedByAliasTest.java
+2
-2
test/sun/security/tools/jarsigner/warnings/NotYetValidCertTest.java
...ecurity/tools/jarsigner/warnings/NotYetValidCertTest.java
+2
-2
test/sun/security/validator/EndEntityExtensionCheck.java
test/sun/security/validator/EndEntityExtensionCheck.java
+2
-1
未找到文件。
src/share/classes/sun/security/validator/PKIXValidator.java
浏览文件 @
7459aba3
...
...
@@ -32,6 +32,7 @@ import java.security.cert.*;
import
javax.security.auth.x500.X500Principal
;
import
sun.security.action.GetBooleanAction
;
import
sun.security.action.GetPropertyAction
;
import
sun.security.provider.certpath.AlgorithmChecker
;
import
sun.security.provider.certpath.PKIXExtendedParameters
;
...
...
@@ -64,6 +65,18 @@ public final class PKIXValidator extends Validator {
// enable use of the validator if possible
private
final
static
boolean
TRY_VALIDATOR
=
true
;
/**
* System property that if set (or set to "true"), allows trust anchor
* certificates to be used if they do not have the proper CA extensions.
* Set to false if prop is not set, or set to any other value.
*/
private
static
final
boolean
ALLOW_NON_CA_ANCHOR
=
allowNonCaAnchor
();
private
static
boolean
allowNonCaAnchor
()
{
String
prop
=
GetPropertyAction
.
privilegedGetProperty
(
"jdk.security.allowNonCaAnchor"
);
return
prop
!=
null
&&
(
prop
.
isEmpty
()
||
prop
.
equalsIgnoreCase
(
"true"
));
}
private
final
Set
<
X509Certificate
>
trustedCerts
;
private
final
PKIXBuilderParameters
parameterTemplate
;
private
int
certPathLength
=
-
1
;
...
...
@@ -322,15 +335,18 @@ public final class PKIXValidator extends Validator {
private
static
X509Certificate
[]
toArray
(
CertPath
path
,
TrustAnchor
anchor
)
throws
CertificateException
{
List
<?
extends
java
.
security
.
cert
.
Certificate
>
list
=
path
.
getCertificates
();
X509Certificate
[]
chain
=
new
X509Certificate
[
list
.
size
()
+
1
];
list
.
toArray
(
chain
);
X509Certificate
trustedCert
=
anchor
.
getTrustedCert
();
if
(
trustedCert
==
null
)
{
throw
new
ValidatorException
(
"TrustAnchor must be specified as certificate"
);
}
verifyTrustAnchor
(
trustedCert
);
List
<?
extends
java
.
security
.
cert
.
Certificate
>
list
=
path
.
getCertificates
();
X509Certificate
[]
chain
=
new
X509Certificate
[
list
.
size
()
+
1
];
list
.
toArray
(
chain
);
chain
[
chain
.
length
-
1
]
=
trustedCert
;
return
chain
;
}
...
...
@@ -365,6 +381,41 @@ public final class PKIXValidator extends Validator {
}
}
/**
* Verify that a trust anchor certificate is a CA certificate.
*/
private
static
void
verifyTrustAnchor
(
X509Certificate
trustedCert
)
throws
ValidatorException
{
// skip check if jdk.security.allowNonCAAnchor system property is set
if
(
ALLOW_NON_CA_ANCHOR
)
{
return
;
}
// allow v1 trust anchor certificates
if
(
trustedCert
.
getVersion
()
<
3
)
{
return
;
}
// check that the BasicConstraints cA field is not set to false
if
(
trustedCert
.
getBasicConstraints
()
==
-
1
)
{
throw
new
ValidatorException
(
"TrustAnchor with subject \""
+
trustedCert
.
getSubjectX500Principal
()
+
"\" is not a CA certificate"
);
}
// check that the KeyUsage extension, if included, asserts the
// keyCertSign bit
boolean
[]
keyUsageBits
=
trustedCert
.
getKeyUsage
();
if
(
keyUsageBits
!=
null
&&
!
keyUsageBits
[
5
])
{
throw
new
ValidatorException
(
"TrustAnchor with subject \""
+
trustedCert
.
getSubjectX500Principal
()
+
"\" does not have keyCertSign bit set in KeyUsage extension"
);
}
}
private
X509Certificate
[]
doBuild
(
X509Certificate
[]
chain
,
Collection
<
X509Certificate
>
otherCerts
,
PKIXBuilderParameters
params
)
throws
CertificateException
{
...
...
test/sun/security/tools/jarsigner/TsacertOptionTest.java
浏览文件 @
7459aba3
...
...
@@ -87,6 +87,7 @@ public class TsacertOptionTest {
"-storepass"
,
PASSWORD
,
"-keypass"
,
PASSWORD
,
"-dname"
,
"CN=CA"
,
"-ext"
,
"bc:c"
,
"-validity"
,
Integer
.
toString
(
VALIDITY
)).
shouldHaveExitValue
(
0
);
ProcessTools
.
executeCommand
(
KEYTOOL
,
"-genkey"
,
...
...
test/sun/security/tools/jarsigner/Warning.java
浏览文件 @
7459aba3
...
...
@@ -42,7 +42,7 @@ public class Warning {
Files
.
deleteIfExists
(
Paths
.
get
(
"ks"
));
newCert
(
"ca"
,
"-validity 365000"
);
newCert
(
"ca"
,
"-validity 365000"
,
"-ext bc:c"
);
recreateJar
();
...
...
test/sun/security/tools/jarsigner/concise_jarsigner.sh
浏览文件 @
7459aba3
...
...
@@ -224,8 +224,8 @@ $JARSIGNER -verify a.jar
# ==========================================================
$KT
-genkeypair
-alias
ee
-dname
CN
=
ee
$KT
-genkeypair
-alias
caone
-dname
CN
=
caone
$KT
-genkeypair
-alias
catwo
-dname
CN
=
catwo
$KT
-genkeypair
-alias
caone
-dname
CN
=
caone
-ext
bc:c
$KT
-genkeypair
-alias
catwo
-dname
CN
=
catwo
-ext
bc:c
$KT
-certreq
-alias
ee |
$KT
-gencert
-alias
catwo
-rfc
>
ee.cert
$KT
-certreq
-alias
catwo |
$KT
-gencert
-alias
caone
-sigalg
MD5withRSA
-rfc
>
catwo.cert
...
...
test/sun/security/tools/jarsigner/ec.sh
浏览文件 @
7459aba3
...
...
@@ -53,7 +53,7 @@ rm $KS $JFILE
echo
A
>
A
$JAR
cvf
$JFILE
A
$KT
-alias
ca
-dname
CN
=
ca
-keyalg
ec
-genkey
-validity
300
||
exit
11
$KT
-alias
ca
-dname
CN
=
ca
-keyalg
ec
-genkey
-validity
300
-ext
bc:c
||
exit
11
$KT
-alias
a
-dname
CN
=
a
-keyalg
ec
-genkey
||
exit
11
$KT
-alias
a
-certreq
|
$KT
-gencert
-alias
ca
-validity
300 |
$KT
-import
-alias
a
||
exit
111
...
...
test/sun/security/tools/jarsigner/onlymanifest.sh
浏览文件 @
7459aba3
...
...
@@ -57,7 +57,7 @@ rm $KS $JFILE 2> /dev/null
echo
"Key: Value"
>
manifest
$JAR
cvfm
$JFILE
manifest
$KT
-alias
ca
-dname
CN
=
ca
-genkey
-validity
300
||
exit
1
$KT
-alias
ca
-dname
CN
=
ca
-genkey
-validity
300
-ext
bc:c
||
exit
1
$KT
-alias
a
-dname
CN
=
a
-genkey
-validity
300
||
exit
2
$KT
-alias
a
-certreq
|
$KT
-gencert
-alias
ca
-validity
300 |
$KT
-import
-alias
a
||
exit
3
$JARSIGNER
-keystore
$KS
-storepass
changeit
$JFILE
a
-debug
-strict
||
exit
4
...
...
test/sun/security/tools/jarsigner/warnings/BadExtendedKeyUsageTest.java
浏览文件 @
7459aba3
/*
* Copyright (c) 2013, 201
8
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2013, 201
9
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -53,7 +53,7 @@ public class BadExtendedKeyUsageTest extends Test {
// create a certificate whose signer certificate's
// ExtendedKeyUsage extension doesn't allow code signing
// create key pair for jar signing
createAlias
(
CA_KEY_ALIAS
);
createAlias
(
CA_KEY_ALIAS
,
"-ext"
,
"bc:c"
);
createAlias
(
KEY_ALIAS
);
issueCert
(
...
...
test/sun/security/tools/jarsigner/warnings/BadKeyUsageTest.java
浏览文件 @
7459aba3
/*
* Copyright (c) 2013, 201
8
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2013, 201
9
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -53,7 +53,7 @@ public class BadKeyUsageTest extends Test {
// create a certificate whose signer certificate's KeyUsage extension
// doesn't allow code signing
createAlias
(
CA_KEY_ALIAS
);
createAlias
(
CA_KEY_ALIAS
,
"-ext"
,
"bc:c"
);
createAlias
(
KEY_ALIAS
);
issueCert
(
...
...
test/sun/security/tools/jarsigner/warnings/BadNetscapeCertTypeTest.java
浏览文件 @
7459aba3
/*
* Copyright (c) 2013, 201
8
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2013, 201
9
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -54,7 +54,7 @@ public class BadNetscapeCertTypeTest extends Test {
// create a certificate whose signer certificate's
// NetscapeCertType extension doesn't allow code signing
// create key pair for jar signing
createAlias
(
CA_KEY_ALIAS
);
createAlias
(
CA_KEY_ALIAS
,
"-ext"
,
"bc:c"
);
createAlias
(
KEY_ALIAS
);
issueCert
(
...
...
test/sun/security/tools/jarsigner/warnings/ChainNotValidatedTest.java
浏览文件 @
7459aba3
/*
* Copyright (c) 2013, 201
8
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2013, 201
9
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -54,7 +54,7 @@ public class ChainNotValidatedTest extends Test {
// Root CA is not checked at all. If the intermediate CA has
// BasicConstraints extension set to true, it will be valid.
// Otherwise, chain validation will fail.
createAlias
(
CA_KEY_ALIAS
);
createAlias
(
CA_KEY_ALIAS
,
"-ext"
,
"bc:c"
);
createAlias
(
CA2_KEY_ALIAS
);
issueCert
(
CA2_KEY_ALIAS
,
"-ext"
,
...
...
test/sun/security/tools/jarsigner/warnings/HasExpiredCertTest.java
浏览文件 @
7459aba3
/*
* Copyright (c) 2013, 201
8
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2013, 201
9
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -52,7 +52,7 @@ public class HasExpiredCertTest extends Test {
JarUtils
.
createJar
(
UNSIGNED_JARFILE
,
FIRST_FILE
);
// create key pair for jar signing
createAlias
(
CA_KEY_ALIAS
);
createAlias
(
CA_KEY_ALIAS
,
"-ext"
,
"bc:c"
);
createAlias
(
KEY_ALIAS
);
issueCert
(
...
...
test/sun/security/tools/jarsigner/warnings/HasExpiringCertTest.java
浏览文件 @
7459aba3
/*
* Copyright (c) 2013, 201
8
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2013, 201
9
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -52,7 +52,7 @@ public class HasExpiringCertTest extends Test {
JarUtils
.
createJar
(
UNSIGNED_JARFILE
,
FIRST_FILE
);
// create key pair for jar signing
createAlias
(
CA_KEY_ALIAS
);
createAlias
(
CA_KEY_ALIAS
,
"-ext"
,
"bc:c"
);
createAlias
(
KEY_ALIAS
);
issueCert
(
...
...
test/sun/security/tools/jarsigner/warnings/HasUnsignedEntryTest.java
浏览文件 @
7459aba3
/*
* Copyright (c) 2013, 201
8
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2013, 201
9
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -51,7 +51,7 @@ public class HasUnsignedEntryTest extends Test {
JarUtils
.
createJar
(
UNSIGNED_JARFILE
,
FIRST_FILE
);
// create key pair for signing
createAlias
(
CA_KEY_ALIAS
);
createAlias
(
CA_KEY_ALIAS
,
"-ext"
,
"bc:c"
);
createAlias
(
KEY_ALIAS
);
issueCert
(
KEY_ALIAS
,
...
...
test/sun/security/tools/jarsigner/warnings/MultipleWarningsTest.java
浏览文件 @
7459aba3
/*
* Copyright (c) 2013, 201
8
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2013, 201
9
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -54,7 +54,7 @@ public class MultipleWarningsTest extends Test {
// create a jar file that contains one class file
JarUtils
.
createJar
(
UNSIGNED_JARFILE
,
FIRST_FILE
);
createAlias
(
CA_KEY_ALIAS
);
createAlias
(
CA_KEY_ALIAS
,
"-ext"
,
"bc:c"
);
// create first expired certificate
// whose ExtendedKeyUsage extension does not allow code signing
...
...
test/sun/security/tools/jarsigner/warnings/NoTimestampTest.java
浏览文件 @
7459aba3
/*
* Copyright (c) 2013, 201
8
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2013, 201
9
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -57,7 +57,7 @@ public class NoTimestampTest extends Test {
*
24
*
60
*
60
*
1000L
);
// create key pair
createAlias
(
CA_KEY_ALIAS
);
createAlias
(
CA_KEY_ALIAS
,
"-ext"
,
"bc:c"
);
createAlias
(
KEY_ALIAS
);
issueCert
(
KEY_ALIAS
,
"-validity"
,
Integer
.
toString
(
VALIDITY
));
...
...
test/sun/security/tools/jarsigner/warnings/NotSignedByAliasTest.java
浏览文件 @
7459aba3
/*
* Copyright (c) 2013, 201
8
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2013, 201
9
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -49,7 +49,7 @@ public class NotSignedByAliasTest extends Test {
Utils
.
createFiles
(
FIRST_FILE
);
JarUtils
.
createJar
(
UNSIGNED_JARFILE
,
FIRST_FILE
);
createAlias
(
CA_KEY_ALIAS
);
createAlias
(
CA_KEY_ALIAS
,
"-ext"
,
"bc:c"
);
// create first key pair for signing
createAlias
(
FIRST_KEY_ALIAS
);
...
...
test/sun/security/tools/jarsigner/warnings/NotYetValidCertTest.java
浏览文件 @
7459aba3
/*
* Copyright (c) 2013, 201
8
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2013, 201
9
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -50,7 +50,7 @@ public class NotYetValidCertTest extends Test {
JarUtils
.
createJar
(
UNSIGNED_JARFILE
,
FIRST_FILE
);
// create certificate that will be valid only tomorrow
createAlias
(
CA_KEY_ALIAS
);
createAlias
(
CA_KEY_ALIAS
,
"-ext"
,
"bc:c"
);
createAlias
(
KEY_ALIAS
);
issueCert
(
...
...
test/sun/security/validator/EndEntityExtensionCheck.java
浏览文件 @
7459aba3
/*
* Copyright (c) 2015, 201
6
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 201
9
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -26,6 +26,7 @@
* @bug 8076117
* @summary EndEntityChecker should not process custom extensions
* after PKIX validation
* @run main/othervm -Djdk.security.allowNonCaAnchor EndEntityExtensionCheck
*/
import
java.io.ByteArrayInputStream
;
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录