diff --git a/.hgtags b/.hgtags index c5bec5f8e6bd9e79a659c1fb2c341504d0e22cc7..6e96d48619b2077260a9519a61edd70b001c905b 100644 --- a/.hgtags +++ b/.hgtags @@ -358,6 +358,7 @@ a21dd7999d1e4ba612c951c2c78504d23eb7243a jdk8u31-b11 ced84cf3eebc69f7e04b0098d85dcb3a6b872586 jdk8u31-b31 46338075c4262057099e57638e0758817052da0d jdk8u31-b32 a1c3099e1b90230435e890ca56adc8a5aa5149ff jdk8u31-b33 +35dfb86684554685d6efd2fc7fd5eb9b7d4545c5 jdk8u31-b34 e6ed015afbbf3459ba3297e270b4f3170e989c80 jdk8u40-b00 6e223d48080ef40f4ec11ecbcd19b4a20813b9eb jdk8u40-b01 4797cd0713b44b009525f1276d571ade7e24f3f5 jdk8u40-b02 @@ -429,6 +430,8 @@ b7403e15864dc0c1f9740d66af91bddb3e2215e8 jdk8u51-b14 192bda44c0c463104c96058bb815a546b282ca43 jdk8u51-b15 ee86422973691bb7efae58d201e5a382ea0bb150 jdk8u51-b16 f94ea276f608b22d78281d70361092ba4864038e jdk8u51-b31 +887dde3afb3bb233958775de22eafb3328af6437 jdk8u51-b32 +dc7b827522bc3a804f7e8951cc27414f19a7c427 jdk8u51-b33 5c31204d19e5976f025026db3d5c17331e8c44db jdk8u60-b00 c46daef6edb5385d11876ed40f292a4b62e96867 jdk8u60-b01 c10fd784956cc7099657181029ac3e790267b678 jdk8u60-b02 @@ -457,6 +460,8 @@ d433f5fd8910bee1f2c295b65cf03977034fe0ea jdk8u60-b24 c8cfbe57bcd5042d2fef42dcef14d73dd4bdc416 jdk8u60-b25 0d6a8a9b26a37678b420ff540b5a622c3f4fd44c jdk8u60-b26 afbc08ea922bf6e5e14d2eea24a2f94f37627ea7 jdk8u60-b27 +1450696a76c667e6f189d026408182a002b93fa7 jdk8u60-b31 +fe24fa1e6d995390df6491975352a15634981b35 jdk8u60-b32 286b9a885fcc6245fdf2b20697473ec3b35f2538 jdk8u65-b00 80a796d0db958f49a4b0713818227eda8e5efbb9 jdk8u65-b01 77d48e6d111faec236c8678997ae4311151cfee4 jdk8u65-b02 @@ -470,6 +475,8 @@ e9de15763a5a3cef64ef1d4bc40a018d4d572325 jdk8u65-b09 ed9e7ba6a419a80cbcdc60f4634388af054bdc76 jdk8u65-b10 22ae2d11ff54b758b648b5fcd6ea90e03a4c6781 jdk8u65-b11 7eb9c6cf007cc6176ccb700f995a3e9b81746bfd jdk8u65-b12 +64ac5b0b4b9e7a587fc0606fada354c6fa4a7a86 jdk8u65-b13 +d26fd80f684d44fd9b16e84e585dda3757d4a19c jdk8u65-b14 e9f82302d5fdef8a0976640e09363895e9dcde3c jdk8u66-b00 64d7bd4e98150447916f210e3bfd6875a4c2728a jdk8u66-b01 d8210091911b14930192abd3138ee37c281fb632 jdk8u66-b02 @@ -479,4 +486,6 @@ b3773a2b6bf64c1df4db2b94f822b5ffb17eacc9 jdk8u66-b07 fe6a3b134c1d4288a5bcb6152632edca1833ab58 jdk8u66-b10 e77c306d8ce409a65166813cc3b5e9403f96246b jdk8u66-b11 6f5b22ffd9626ea1bb2879cfe93f4baafce3d644 jdk8u66-b12 +e951c898bb6ca7be2ce49ac23f8442c0bccad4e9 jdk8u66-b13 +371fc17e38ccf9a729e34c518f6942162ba6c225 jdk8u66-b14 9a2747ef337bdee71bc8225dea77eb403cca1179 jdk8u71-b00 diff --git a/make/CompileJavaClasses.gmk b/make/CompileJavaClasses.gmk index a3fe9dde677b36cfa7cdc025a28620f1caea70e3..505b82180f741b312fe738d65b67de296b8806ba 100644 --- a/make/CompileJavaClasses.gmk +++ b/make/CompileJavaClasses.gmk @@ -393,7 +393,7 @@ $(JDK_OUTPUTDIR)/classes/META-INF/services/com.sun.tools.xjc.Plugin: JAVAC_FLAGS := -cp $(JDK_OUTPUTDIR)/classes, \ SRC := $(JDK_OUTPUTDIR)/gensrc_ab/legacy, \ BIN := $(JDK_OUTPUTDIR)/classes_ab/legacy, \ - HEADERS := $(JDK_OUTPUTDIR)/gensrc_headers_ab/legacy)) + HEADERS := $(JDK_OUTPUTDIR)/gensrc_headers_ab/LEGACY)) $(BUILD_ACCESSBRIDGE_LEGACY): $(BUILD_JDK) diff --git a/make/lib/PlatformLibraries.gmk b/make/lib/PlatformLibraries.gmk index 6ee5501b7b4ae2e6b9f535d264ecfd0a94e9910b..49f584b4472744d3b1b0ac992a054e12174d2389 100644 --- a/make/lib/PlatformLibraries.gmk +++ b/make/lib/PlatformLibraries.gmk @@ -219,7 +219,7 @@ endif ifeq ($(OPENJDK_TARGET_CPU_BITS), 32) $(eval $(call SetupAccessBridge,-32,I386,32)) - $(eval $(call SetupAccessBridge,,I386,legacy)) + $(eval $(call SetupAccessBridge,,I386,LEGACY)) else $(eval $(call SetupAccessBridge,-64,X64,64)) endif diff --git a/make/mapfiles/libj2ucrypto/mapfile-vers b/make/mapfiles/libj2ucrypto/mapfile-vers index 2a5c2a5f83f88896ee78c791966e92418bef2ac8..833da53297eb604867603ef3b4095f8392d65a2d 100644 --- a/make/mapfiles/libj2ucrypto/mapfile-vers +++ b/make/mapfiles/libj2ucrypto/mapfile-vers @@ -1,5 +1,5 @@ # -# Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved. # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. # # This code is free software; you can redistribute it and/or modify it @@ -39,6 +39,7 @@ SUNWprivate_1.1 { Java_com_oracle_security_ucrypto_NativeCipher_nativeUpdate; Java_com_oracle_security_ucrypto_NativeCipher_nativeFinal; Java_com_oracle_security_ucrypto_NativeKey_nativeFree; + Java_com_oracle_security_ucrypto_NativeKey_00024RSAPrivate_nativeInit; Java_com_oracle_security_ucrypto_NativeKey_00024RSAPrivateCrt_nativeInit; Java_com_oracle_security_ucrypto_NativeKey_00024RSAPublic_nativeInit; Java_com_oracle_security_ucrypto_NativeRSASignature_nativeInit; @@ -56,6 +57,7 @@ SUNWprivate_1.1 { JavaCritical_com_oracle_security_ucrypto_NativeCipher_nativeUpdate; JavaCritical_com_oracle_security_ucrypto_NativeCipher_nativeFinal; JavaCritical_com_oracle_security_ucrypto_NativeKey_nativeFree; + JavaCritical_com_oracle_security_ucrypto_NativeKey_00024RSAPrivate_nativeInit; JavaCritical_com_oracle_security_ucrypto_NativeKey_00024RSAPrivateCrt_nativeInit; JavaCritical_com_oracle_security_ucrypto_NativeKey_00024RSAPublic_nativeInit; JavaCritical_com_oracle_security_ucrypto_NativeRSASignature_nativeInit; diff --git a/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java b/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java index 2a25cb64d5cbc279edfa038121a489086442ac38..66dd8620c438cf4c80bc5e7d536c965191363689 100644 --- a/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java +++ b/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java @@ -74,11 +74,14 @@ public final class TlsRsaPremasterSecretGenerator extends KeyGeneratorSpi { "TlsRsaPremasterSecretGenerator must be initialized"); } - if (random == null) { - random = new SecureRandom(); + byte[] b = spec.getEncodedSecret(); + if (b == null) { + if (random == null) { + random = new SecureRandom(); + } + b = new byte[48]; + random.nextBytes(b); } - byte[] b = new byte[48]; - random.nextBytes(b); b[0] = (byte)spec.getMajorVersion(); b[1] = (byte)spec.getMinorVersion(); diff --git a/src/share/classes/sun/security/internal/spec/TlsRsaPremasterSecretParameterSpec.java b/src/share/classes/sun/security/internal/spec/TlsRsaPremasterSecretParameterSpec.java index 0741499b9a78674e8c9a38e86fecceea3dbc2acc..9c020b3bbce0751404d66d52d370ec199fff92cd 100644 --- a/src/share/classes/sun/security/internal/spec/TlsRsaPremasterSecretParameterSpec.java +++ b/src/share/classes/sun/security/internal/spec/TlsRsaPremasterSecretParameterSpec.java @@ -43,6 +43,8 @@ import java.security.PrivilegedAction; public class TlsRsaPremasterSecretParameterSpec implements AlgorithmParameterSpec { + private final byte[] encodedSecret; + /* * The TLS spec says that the version in the RSA premaster secret must * be the maximum version supported by the client (i.e. the version it @@ -89,6 +91,33 @@ public class TlsRsaPremasterSecretParameterSpec this.clientVersion = checkVersion(clientVersion); this.serverVersion = checkVersion(serverVersion); + this.encodedSecret = null; + } + + /** + * Constructs a new TlsRsaPremasterSecretParameterSpec. + * + * @param clientVersion the version of the TLS protocol by which the + * client wishes to communicate during this session + * @param serverVersion the negotiated version of the TLS protocol which + * contains the lower of that suggested by the client in the client + * hello and the highest supported by the server. + * @param encodedSecret the encoded secret key + * + * @throws IllegalArgumentException if clientVersion or serverVersion are + * negative or larger than (2^16 - 1) or if encodedSecret is not + * exactly 48 bytes + */ + public TlsRsaPremasterSecretParameterSpec( + int clientVersion, int serverVersion, byte[] encodedSecret) { + + this.clientVersion = checkVersion(clientVersion); + this.serverVersion = checkVersion(serverVersion); + if (encodedSecret == null || encodedSecret.length != 48) { + throw new IllegalArgumentException( + "Encoded secret is not exactly 48 bytes"); + } + this.encodedSecret = encodedSecret.clone(); } /** @@ -147,4 +176,13 @@ public class TlsRsaPremasterSecretParameterSpec } return version; } + + /** + * Returns the encoded secret. + * + * @return the encoded secret, may be null if no encoded secret. + */ + public byte[] getEncodedSecret() { + return encodedSecret == null ? null : encodedSecret.clone(); + } } diff --git a/src/share/classes/sun/security/ssl/RSAClientKeyExchange.java b/src/share/classes/sun/security/ssl/RSAClientKeyExchange.java index 870d3ea3d5545655cc07373d8c8a299d8f8835eb..aa7df0c9f15037383a51c9224374febe5a8828c1 100644 --- a/src/share/classes/sun/security/ssl/RSAClientKeyExchange.java +++ b/src/share/classes/sun/security/ssl/RSAClientKeyExchange.java @@ -111,14 +111,41 @@ final class RSAClientKeyExchange extends HandshakeMessage { } } + boolean needFailover = false; + byte[] encoded = null; try { Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1); - cipher.init(Cipher.UNWRAP_MODE, privateKey, - new TlsRsaPremasterSecretParameterSpec( - maxVersion.v, currentVersion.v), - generator); - preMaster = (SecretKey)cipher.unwrap(encrypted, - "TlsRsaPremasterSecret", Cipher.SECRET_KEY); + needFailover = !KeyUtil.isOracleJCEProvider( + cipher.getProvider().getName()); + if (needFailover) { + cipher.init(Cipher.DECRYPT_MODE, privateKey); + encoded = cipher.doFinal(encrypted); + encoded = KeyUtil.checkTlsPreMasterSecretKey( + maxVersion.v, currentVersion.v, + generator, encoded, false); + preMaster = generatePreMasterSecret( + maxVersion.v, currentVersion.v, + encoded, generator); + } else { + cipher.init(Cipher.UNWRAP_MODE, privateKey, + new TlsRsaPremasterSecretParameterSpec( + maxVersion.v, currentVersion.v), + generator); + preMaster = (SecretKey)cipher.unwrap(encrypted, + "TlsRsaPremasterSecret", Cipher.SECRET_KEY); + } + } catch (BadPaddingException bpe) { + if (needFailover) { + encoded = KeyUtil.checkTlsPreMasterSecretKey( + maxVersion.v, currentVersion.v, + generator, null, false); + preMaster = generatePreMasterSecret( + maxVersion.v, currentVersion.v, + encoded, generator); + } else { + // Otherwise, unlikely to happen + throw new RuntimeException("Unexpected exception", bpe); + } } catch (InvalidKeyException ibk) { // the message is too big to process with RSA throw new SSLProtocolException( @@ -133,6 +160,35 @@ final class RSAClientKeyExchange extends HandshakeMessage { } } + // generate a premaster secret with the specified version number + @SuppressWarnings("deprecation") + private static SecretKey generatePreMasterSecret( + int clientVersion, int serverVersion, + byte[] encodedSecret, SecureRandom generator) { + + if (debug != null && Debug.isOn("handshake")) { + System.out.println("Generating a premaster secret"); + } + + try { + String s = ((clientVersion >= ProtocolVersion.TLS12.v) ? + "SunTls12RsaPremasterSecret" : "SunTlsRsaPremasterSecret"); + KeyGenerator kg = JsseJce.getKeyGenerator(s); + kg.init(new TlsRsaPremasterSecretParameterSpec( + clientVersion, serverVersion, encodedSecret), + generator); + return kg.generateKey(); + } catch (InvalidAlgorithmParameterException | + NoSuchAlgorithmException iae) { + // unlikely to happen, otherwise, must be a provider exception + if (debug != null && Debug.isOn("handshake")) { + System.out.println("RSA premaster secret generation error:"); + iae.printStackTrace(System.out); + } + throw new RuntimeException("Could not generate premaster secret", iae); + } + } + @Override int messageType() { return ht_client_key_exchange; diff --git a/src/share/classes/sun/security/util/KeyUtil.java b/src/share/classes/sun/security/util/KeyUtil.java index 661e3b973b937675636592be2596e49a5b2f3987..0fb2ed7c85d6f8e66d866151813a6d1ede106875 100644 --- a/src/share/classes/sun/security/util/KeyUtil.java +++ b/src/share/classes/sun/security/util/KeyUtil.java @@ -144,8 +144,6 @@ public final class KeyUtil { /** * Returns whether the specified provider is Oracle provider or not. - *

- * Note that this method is only apply to SunJCE and SunPKCS11 at present. * * @param providerName * the provider name @@ -153,8 +151,11 @@ public final class KeyUtil { * {@code providerName} is Oracle provider */ public static final boolean isOracleJCEProvider(String providerName) { - return providerName != null && (providerName.equals("SunJCE") || - providerName.startsWith("SunPKCS11")); + return providerName != null && + (providerName.equals("SunJCE") || + providerName.equals("SunMSCAPI") || + providerName.equals("OracleUcrypto") || + providerName.startsWith("SunPKCS11")); } /**