提交 83f4f6a9 编写于 作者: A asaha

Merge

......@@ -663,11 +663,21 @@ c86d82567b1200bdb2d2a757f676179a637c4244 jdk8u112-b10
d2d8b67021a0f41e0eabd711bfd87a943dc0a8d5 jdk8u112-b14
60767ec3909b3d0cb26dd7b3f952c62053719dda jdk8u112-b15
5dd7e4bae5c2f1ee4f80c5570e7e3e2f715f7a32 jdk8u112-b16
41fac11792c1ee6945f56721ee558a7424395a81 jdk8u112-b31
ab5ff8f1e52c5e3ca02e988f4d978af63ceca5b8 jdk8u121-b00
5f0839ac7e0d25dd1ae705df496b12ca76c26d59 jdk8u121-b01
f91e3aa155b3c6774afb456db15fb358313d5771 jdk8u121-b02
ecdb635eaf4886829089b987c339e35dfb5ea0e8 jdk8u121-b03
d54219144844fb358f87f4a37255242aae9782fa jdk8u121-b04
fb4e3a7375c91e02bd1c0a764dfb53fba3839c18 jdk8u121-b05
3bc671481026decc460e636e8b2f19a36bfe89af jdk8u121-b06
a2c2fbc61674869e85d5345804cff4834cc010d1 jdk8u121-b07
392209fbe127896df2749344ea127f2c0a62da55 jdk8u121-b08
494d27357b8cfc6b6c4346a814c8717a8502d769 jdk8u121-b09
d66de7e2f672a1ff6947846818412fa899456972 jdk8u121-b10
ec72a941be0a50ab77f5375cf710bc06e4f118d3 jdk8u121-b11
9561afc12df843ef21ecd9d7b3633371e7a2bfc4 jdk8u121-b12
2974746e56192cdd14fc2dd43179bcf28e4faf4a jdk8u121-b13
032874d46bf95478cb86690b3c91d335c0764b0b jdk8u131-b00
a160009bbe1417d85f1c0eec890fdb17391b3637 jdk8u141-b00
072e084bceeedeb75467e40ca77786ac9ef5227a jdk8u151-b00
......@@ -21,4 +21,4 @@
# or visit www.oracle.com if you need additional information or have any
# questions.
#
tzdata2016f
tzdata2016i
......@@ -487,7 +487,7 @@ Zone Africa/Monrovia -0:43:08 - LMT 1882
# http://www.libyaherald.com/2013/10/24/correction-no-time-change-tomorrow/
#
# From Paul Eggert (2013-10-25):
# For now, assume they're reverting to the pre-2012 rules of permanent UTC+2.
# For now, assume they're reverting to the pre-2012 rules of permanent UT +02.
# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
Rule Libya 1951 only - Oct 14 2:00 1:00 S
......
......@@ -33,9 +33,7 @@
# http://www.spri.cam.ac.uk/bob/periant.htm
# for information.
# Unless otherwise specified, we have no time zone information.
#
# Except for the French entries,
# I made up all time zone abbreviations mentioned here; corrections welcome!
# FORMAT is '-00' and GMTOFF is 0 for locations while uninhabited.
# Argentina - year-round bases
......@@ -52,7 +50,7 @@
# previously sealers and scientific personnel wintered
# Margaret Turner reports
# http://web.archive.org/web/20021204222245/http://www.dstc.qut.edu.au/DST/marg/daylight.html
# (1999-09-30) that they're UTC+5, with no DST;
# (1999-09-30) that they're UT +05, with no DST;
# presumably this is when they have visitors.
#
# year-round bases
......@@ -89,25 +87,29 @@
# Background:
# http://www.timeanddate.com/news/time/antartica-time-changes-2010.html
# From Steffen Thorsen (2016-10-28):
# Australian Antarctica Division informed us that Casey changed time
# zone to UTC+11 in "the morning of 22nd October 2016".
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
Zone Antarctica/Casey 0 - -00 1969
8:00 - AWST 2009 Oct 18 2:00
# Australian Western Std Time
11:00 - CAST 2010 Mar 5 2:00 # Casey Time
8:00 - AWST 2011 Oct 28 2:00
11:00 - CAST 2012 Feb 21 17:00u
8:00 - AWST
8:00 - +08 2009 Oct 18 2:00
11:00 - +11 2010 Mar 5 2:00
8:00 - +08 2011 Oct 28 2:00
11:00 - +11 2012 Feb 21 17:00u
8:00 - +08 2016 Oct 22
11:00 - +11
Zone Antarctica/Davis 0 - -00 1957 Jan 13
7:00 - DAVT 1964 Nov # Davis Time
7:00 - +07 1964 Nov
0 - -00 1969 Feb
7:00 - DAVT 2009 Oct 18 2:00
5:00 - DAVT 2010 Mar 10 20:00u
7:00 - DAVT 2011 Oct 28 2:00
5:00 - DAVT 2012 Feb 21 20:00u
7:00 - DAVT
7:00 - +07 2009 Oct 18 2:00
5:00 - +05 2010 Mar 10 20:00u
7:00 - +07 2011 Oct 28 2:00
5:00 - +05 2012 Feb 21 20:00u
7:00 - +07
Zone Antarctica/Mawson 0 - -00 1954 Feb 13
6:00 - MAWT 2009 Oct 18 2:00 # Mawson Time
5:00 - MAWT
6:00 - +06 2009 Oct 18 2:00
5:00 - +05
# References:
# Casey Weather (1998-02-26)
# http://www.antdiv.gov.au/aad/exop/sfo/casey/casey_aws.html
......@@ -161,7 +163,7 @@ Zone Antarctica/Mawson 0 - -00 1954 Feb 13
#
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
Zone Indian/Kerguelen 0 - -00 1950 # Port-aux-Français
5:00 - TFT # ISO code TF Time
5:00 - +05
#
# year-round base in the main continent
# Dumont d'Urville, Île des Pétrels, -6640+14001, since 1956-11
......@@ -172,9 +174,9 @@ Zone Indian/Kerguelen 0 - -00 1950 # Port-aux-Français
#
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
Zone Antarctica/DumontDUrville 0 - -00 1947
10:00 - PMT 1952 Jan 14 # Port-Martin Time
10:00 - +10 1952 Jan 14
0 - -00 1956 Nov
10:00 - DDUT # Dumont-d'Urville Time
10:00 - +10
# France & Italy - year-round base
# Concordia, -750600+1232000, since 2005
......@@ -200,7 +202,7 @@ Zone Antarctica/DumontDUrville 0 - -00 1947
# station of Japan, it's appropriate for the principal location.
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
Zone Antarctica/Syowa 0 - -00 1957 Jan 29
3:00 - SYOT # Syowa Time
3:00 - +03
# See:
# NIPR Antarctic Research Activities (1999-08-17)
# http://www.nipr.ac.jp/english/ara01.html
......@@ -237,17 +239,17 @@ Zone Antarctica/Syowa 0 - -00 1957 Jan 29
# correct, but they should be quite close to the actual dates.
#
# From Paul Eggert (2014-03-21):
# The CET-switching Troll rules require zic from tzcode 2014b or later, so as
# The CET-switching Troll rules require zic from tz 2014b or later, so as
# suggested by Bengt-Inge Larsson comment them out for now, and approximate
# with only UTC and CEST. Uncomment them when 2014b is more prevalent.
#
# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
#Rule Troll 2005 max - Mar 1 1:00u 1:00 CET
Rule Troll 2005 max - Mar lastSun 1:00u 2:00 CEST
#Rule Troll 2005 max - Oct lastSun 1:00u 1:00 CET
#Rule Troll 2004 max - Nov 7 1:00u 0:00 UTC
#Rule Troll 2005 max - Mar 1 1:00u 1:00 +01
Rule Troll 2005 max - Mar lastSun 1:00u 2:00 +02
#Rule Troll 2005 max - Oct lastSun 1:00u 1:00 +01
#Rule Troll 2004 max - Nov 7 1:00u 0:00 +00
# Remove the following line when uncommenting the above '#Rule' lines.
Rule Troll 2004 max - Oct lastSun 1:00u 0:00 UTC
Rule Troll 2004 max - Oct lastSun 1:00u 0:00 +00
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
Zone Antarctica/Troll 0 - -00 2005 Feb 12
0:00 Troll %s
......@@ -288,10 +290,10 @@ Zone Antarctica/Troll 0 - -00 2005 Feb 12
# changes during the year and does not necessarily correspond to mean
# solar noon. So the Vostok time might have been whatever the clocks
# happened to be during their visit. So we still don't really know what time
# it is at Vostok. But we'll guess UTC+6.
# it is at Vostok. But we'll guess +06.
#
Zone Antarctica/Vostok 0 - -00 1957 Dec 16
6:00 - VOST # Vostok time
6:00 - +06
# S Africa - year-round bases
# Marion Island, -4653+03752
......@@ -324,7 +326,7 @@ Zone Antarctica/Vostok 0 - -00 1957 Dec 16
#
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
Zone Antarctica/Rothera 0 - -00 1976 Dec 1
-3:00 - ROTT # Rothera time
-3:00 - -03
# Uruguay - year round base
# Artigas, King George Island, -621104-0585107
......
......@@ -373,7 +373,13 @@ Zone Indian/Cocos 6:27:40 - LMT 1900
# commencing at 2.00 am on Sunday 1st November, 2015 and ending at
# 3.00 am on Sunday 17th January, 2016.
# From Paul Eggert (2015-09-01):
# From Raymond Kumar (2016-10-04):
# http://www.fiji.gov.fj/Media-Center/Press-Releases/DAYLIGHT-SAVING-STARTS-ON-6th-NOVEMBER,-2016.aspx
# "Fiji's daylight savings will begin on Sunday, 6 November 2016, when
# clocks go forward an hour at 2am to 3am.... Daylight Saving will
# end at 3.00am on Sunday 15th January 2017."
# From Paul Eggert (2016-10-03):
# For now, guess DST from 02:00 the first Sunday in November to
# 03:00 the third Sunday in January. Although ad hoc, it matches
# transitions since late 2014 and seems more likely to match future
......@@ -568,7 +574,7 @@ Zone Pacific/Port_Moresby 9:48:40 - LMT 1880
# Base the Bougainville entry on the Arawa-Kieta region, which appears to have
# the most people even though it was devastated in the Bougainville Civil War.
#
# Although Shanks gives 1942-03-15 / 1943-11-01 for JST, these dates
# Although Shanks gives 1942-03-15 / 1943-11-01 for UT +09, these dates
# are apparently rough guesswork from the starts of military campaigns.
# The World War II entries below are instead based on Arawa-Kieta.
# The Japanese occupied Kieta in July 1942,
......@@ -576,8 +582,8 @@ Zone Pacific/Port_Moresby 9:48:40 - LMT 1880
# http://pwencycl.kgbudge.com/B/o/Bougainville.htm
# and seem to have controlled it until their 1945-08-21 surrender.
#
# The Autonomous Region of Bougainville plans to switch from UTC+10 to UTC+11
# on 2014-12-28 at 02:00. They call UTC+11 "Bougainville Standard Time";
# The Autonomous Region of Bougainville switched from UT +10 to +11
# on 2014-12-28 at 02:00. They call +11 "Bougainville Standard Time";
# abbreviate this as BST. See:
# http://www.bougainville24.com/bougainville-issues/bougainville-gets-own-timezone/
#
......@@ -643,7 +649,7 @@ Link Pacific/Pago_Pago Pacific/Midway # in US minor outlying islands
# From Paul Eggert (2014-06-27):
# The International Date Line Act 2011
# http://www.parliament.gov.ws/images/ACTS/International_Date_Line_Act__2011_-_Eng.pdf
# changed Samoa from UTC-11 to UTC+13, effective "12 o'clock midnight, on
# changed Samoa from UT -11 to +13, effective "12 o'clock midnight, on
# Thursday 29th December 2011". The International Date Line was adjusted
# accordingly.
......@@ -719,11 +725,13 @@ Rule Tonga 1999 only - Oct 7 2:00s 1:00 S
Rule Tonga 2000 only - Mar 19 2:00s 0 -
Rule Tonga 2000 2001 - Nov Sun>=1 2:00 1:00 S
Rule Tonga 2001 2002 - Jan lastSun 2:00 0 -
Rule Tonga 2016 max - Nov Sun>=1 2:00 1:00 S
Rule Tonga 2017 max - Jan Sun>=15 3:00 0 -
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
Zone Pacific/Tongatapu 12:19:20 - LMT 1901
12:20 - TOT 1941 # Tonga Time
13:00 - TOT 1999
13:00 Tonga TO%sT
12:20 - +1220 1941
13:00 - +13 1999
13:00 Tonga +13/+14
# Tuvalu
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
......@@ -738,7 +746,7 @@ Zone Pacific/Funafuti 11:56:52 - LMT 1901
# 1886-1891; Baker was similar but exact dates are not known.
# Inhabited by civilians 1935-1942; U.S. military bases 1943-1944;
# uninhabited thereafter.
# Howland observed Hawaii Standard Time (UT-10:30) in 1937;
# Howland observed Hawaii Standard Time (UT -10:30) in 1937;
# see page 206 of Elgen M. Long and Marie K. Long,
# Amelia Earhart: the Mystery Solved, Simon & Schuster (2000).
# So most likely Howland and Baker observed Hawaii Time from 1935
......@@ -1496,7 +1504,7 @@ Zone Pacific/Wallis 12:15:20 - LMT 1901
# Zealand time. I understand that is the time they keep locally, anyhow."
# For now, assume this practice goes back to the introduction of standard time
# in New Zealand, as this would make Chatham Islands time almost exactly match
# LMT back when New Zealand was at UTC+11:30; also, assume Chatham Islands did
# LMT back when New Zealand was at UT +11:30; also, assume Chatham Islands did
# not observe New Zealand's prewar DST.
###############################################################################
......@@ -1552,7 +1560,7 @@ Zone Pacific/Wallis 12:15:20 - LMT 1901
# For now, we assume the Ladrones switched at the same time as the Philippines;
# see Asia/Manila.
# US Public Law 106-564 (2000-12-23) made UTC+10 the official standard time,
# US Public Law 106-564 (2000-12-23) made UT +10 the official standard time,
# under the name "Chamorro Standard Time". There is no official abbreviation,
# but Congressman Robert A. Underwood, author of the bill that became law,
# wrote in a press release (2000-12-27) that he will seek the use of "ChST".
......@@ -1564,15 +1572,15 @@ Zone Pacific/Wallis 12:15:20 - LMT 1901
# "I am certain, having lived there for the past decade, that 'Truk'
# (now properly known as Chuuk) ... is in the time zone GMT+10."
#
# Shanks & Pottenger write that Truk switched from UTC+10 to UTC+11
# Shanks & Pottenger write that Truk switched from UT +10 to +11
# on 1978-10-01; ignore this for now.
# From Paul Eggert (1999-10-29):
# The Federated States of Micronesia Visitors Board writes in
# The Federated States of Micronesia - Visitor Information (1999-01-26)
# http://www.fsmgov.org/info/clocks.html
# that Truk and Yap are UTC+10, and Ponape and Kosrae are UTC+11.
# We don't know when Kosrae switched from UTC+12; assume January 1 for now.
# that Truk and Yap are UT +10, and Ponape and Kosrae are +11.
# We don't know when Kosrae switched from +12; assume January 1 for now.
# Midway
......@@ -1638,11 +1646,11 @@ Zone Pacific/Wallis 12:15:20 - LMT 1901
# ordaining - by a masterpiece of diplomatic flattery - that
# the Fourth of July should be celebrated twice in that year."
# Although Shanks & Pottenger says they both switched to UTC-11:30
# in 1911, and to UTC-11 in 1950. many earlier sources give UTC-11
# Although Shanks & Pottenger says they both switched to UT -11:30
# in 1911, and to -11 in 1950. many earlier sources give -11
# for American Samoa, e.g., the US National Bureau of Standards
# circular "Standard Time Throughout the World", 1932.
# Assume American Samoa switched to UTC-11 in 1911, not 1950,
# Assume American Samoa switched to -11 in 1911, not 1950,
# and that after 1950 they agreed until (western) Samoa skipped a
# day in 2011. Assume also that the Samoas follow the US and New
# Zealand's "ST"/"DT" style of daylight-saving abbreviations.
......@@ -1729,9 +1737,17 @@ Zone Pacific/Wallis 12:15:20 - LMT 1901
# of January the standard time in the Kingdom shall be moved backward by one
# hour to 1:00am.
# From Pulu 'Anau (2002-11-05):
# From Pulu ʻAnau (2002-11-05):
# The law was for 3 years, supposedly to get renewed. It wasn't.
# From Pulu ʻAnau (2016-10-27):
# http://mic.gov.to/news-today/press-releases/6375-daylight-saving-set-to-run-from-6-november-2016-to-15-january-2017
# Cannot find anyone who knows the rules, has seen the duration or has seen
# the cabinet decision, but it appears we are following Fiji's rule set.
#
# From Tim Parenti (2016-10-26):
# Assume Tonga will observe DST from the first Sunday in November at 02:00
# through the third Sunday in January at 03:00, like Fiji, for now.
# Wake
......
......@@ -59,6 +59,7 @@ Link Asia/Shanghai Asia/Harbin
Link Asia/Urumqi Asia/Kashgar
Link Asia/Kathmandu Asia/Katmandu
Link Asia/Macau Asia/Macao
Link Asia/Yangon Asia/Rangoon
Link Asia/Ho_Chi_Minh Asia/Saigon
Link Asia/Jerusalem Asia/Tel_Aviv
Link Asia/Thimphu Asia/Thimbu
......
......@@ -31,6 +31,13 @@
# need now for the entries that are not on UTC are for ships at sea
# that cannot use POSIX TZ settings.
# Starting with POSIX 1003.1-2001, the entries below are all
# unnecessary as settings for the TZ environment variable. E.g.,
# instead of TZ='Etc/GMT+4' one can use the POSIX setting TZ='<-04>+4'.
#
# Do not use a POSIX TZ setting like TZ='GMT+4', which is four hours
# behind GMT but uses the completely misleading abbreviation "GMT".
Zone Etc/GMT 0 - GMT
Zone Etc/UTC 0 - UTC
Zone Etc/UCT 0 - UCT
......@@ -49,23 +56,13 @@ Link Etc/GMT Etc/GMT-0
Link Etc/GMT Etc/GMT+0
Link Etc/GMT Etc/GMT0
# We use POSIX-style signs in the Zone names and the output abbreviations,
# Be consistent with POSIX TZ settings in the Zone names,
# even though this is the opposite of what many people expect.
# POSIX has positive signs west of Greenwich, but many people expect
# positive signs east of Greenwich. For example, TZ='Etc/GMT+4' uses
# the abbreviation "GMT+4" and corresponds to 4 hours behind UT
# the abbreviation "-04" and corresponds to 4 hours behind UT
# (i.e. west of Greenwich) even though many people would expect it to
# mean 4 hours ahead of UT (i.e. east of Greenwich).
#
# In the draft 5 of POSIX 1003.1-200x, the angle bracket notation allows for
# TZ='<GMT-4>+4'; if you want time zone abbreviations conforming to
# ISO 8601 you can use TZ='<-0400>+4'. Thus the commonly-expected
# offset is kept within the angle bracket (and is used for display)
# while the POSIX sign is kept outside the angle bracket (and is used
# for calculation).
#
# Do not use a TZ setting like TZ='GMT+4', which is four hours behind
# GMT but uses the completely misleading abbreviation "GMT".
# Earlier incarnations of this package were not POSIX-compliant,
# and had lines such as
......@@ -74,30 +71,31 @@ Link Etc/GMT Etc/GMT0
# way does a
# zic -l GMT-12
# so we moved the names into the Etc subdirectory.
# Also, the time zone abbreviations are now compatible with %z.
Zone Etc/GMT-14 14 - GMT-14 # 14 hours ahead of GMT
Zone Etc/GMT-13 13 - GMT-13
Zone Etc/GMT-12 12 - GMT-12
Zone Etc/GMT-11 11 - GMT-11
Zone Etc/GMT-10 10 - GMT-10
Zone Etc/GMT-9 9 - GMT-9
Zone Etc/GMT-8 8 - GMT-8
Zone Etc/GMT-7 7 - GMT-7
Zone Etc/GMT-6 6 - GMT-6
Zone Etc/GMT-5 5 - GMT-5
Zone Etc/GMT-4 4 - GMT-4
Zone Etc/GMT-3 3 - GMT-3
Zone Etc/GMT-2 2 - GMT-2
Zone Etc/GMT-1 1 - GMT-1
Zone Etc/GMT+1 -1 - GMT+1
Zone Etc/GMT+2 -2 - GMT+2
Zone Etc/GMT+3 -3 - GMT+3
Zone Etc/GMT+4 -4 - GMT+4
Zone Etc/GMT+5 -5 - GMT+5
Zone Etc/GMT+6 -6 - GMT+6
Zone Etc/GMT+7 -7 - GMT+7
Zone Etc/GMT+8 -8 - GMT+8
Zone Etc/GMT+9 -9 - GMT+9
Zone Etc/GMT+10 -10 - GMT+10
Zone Etc/GMT+11 -11 - GMT+11
Zone Etc/GMT+12 -12 - GMT+12
Zone Etc/GMT-14 14 - +14
Zone Etc/GMT-13 13 - +13
Zone Etc/GMT-12 12 - +12
Zone Etc/GMT-11 11 - +11
Zone Etc/GMT-10 10 - +10
Zone Etc/GMT-9 9 - +09
Zone Etc/GMT-8 8 - +08
Zone Etc/GMT-7 7 - +07
Zone Etc/GMT-6 6 - +06
Zone Etc/GMT-5 5 - +05
Zone Etc/GMT-4 4 - +04
Zone Etc/GMT-3 3 - +03
Zone Etc/GMT-2 2 - +02
Zone Etc/GMT-1 1 - +01
Zone Etc/GMT+1 -1 - -01
Zone Etc/GMT+2 -2 - -02
Zone Etc/GMT+3 -3 - -03
Zone Etc/GMT+4 -4 - -04
Zone Etc/GMT+5 -5 - -05
Zone Etc/GMT+6 -6 - -06
Zone Etc/GMT+7 -7 - -07
Zone Etc/GMT+8 -8 - -08
Zone Etc/GMT+9 -9 - -09
Zone Etc/GMT+10 -10 - -10
Zone Etc/GMT+11 -11 - -11
Zone Etc/GMT+12 -12 - -12
......@@ -24,9 +24,10 @@
# This file is in the public domain, so clarified as of
# 2009-05-17 by Arthur David Olson.
# For companies who don't want to put time zone specification in
# their installation procedures. When users run date, they'll get the message.
# Also useful for the "comp.sources" version.
# For distributors who don't want to put time zone specification in
# their installation procedures. Users that run 'date' will get the
# time zone abbreviation "-00", indicating that the actual time zone
# is unknown.
# Zone NAME GMTOFF RULES FORMAT
Zone Factory 0 - "Local time zone must be set--see zic manual page"
Zone Factory 0 - -00
......@@ -79,6 +79,7 @@ Leap 2005 Dec 31 23:59:60 + S
Leap 2008 Dec 31 23:59:60 + S
Leap 2012 Jun 30 23:59:60 + S
Leap 2015 Jun 30 23:59:60 + S
Leap 2016 Dec 31 23:59:60 + S
# Updated through IERS Bulletin C51
# File expires on: 28 December 2016
# Updated through IERS Bulletin C52
# File expires on: 28 June 2017
......@@ -47,8 +47,32 @@
# was the result of his proposals at the Convention of Railroad Trunk Lines
# in New York City (1869-10). His 1870 proposal was based on Washington, DC,
# but in 1872-05 he moved the proposed origin to Greenwich.
# His proposal was adopted by the railroads on 1883-11-18 at 12:00,
# and the most of the country soon followed suit.
# From Paul Eggert (2016-09-21):
# Dowd's proposal left many details unresolved, such as where to draw
# lines between time zones. The key individual who made time zones
# work in the US was William Frederick Allen - railway engineer,
# managing editor of the Travelers' Guide, and secretary of the
# General Time Convention, a railway standardization group. Allen
# spent months in dialogs with scientific and railway leaders,
# developed a workable plan to institute time zones, and presented it
# to the General Time Convention on 1883-04-11, saying that his plan
# meant "local time would be practically abolished" - a plus for
# railway scheduling. By the next convention on 1883-10-11 nearly all
# railroads had agreed and it took effect on 1883-11-18 at 12:00.
# That Sunday was called the "day of two noons", as the eastern parts
# of the new zones observed noon twice. Allen witnessed the
# transition in New York City, writing:
#
# I heard the bells of St. Paul's strike on the old time. Four
# minutes later, obedient to the electrical signal from the Naval
# Observatory ... the time-ball made its rapid descent, the chimes
# of old Trinity rang twelve measured strokes, and local time was
# abandoned, probably forever.
#
# Most of the US soon followed suit. See:
# Bartky IR. The adoption of standard time. Technol Cult 1989 Jan;30(1):25-56.
# http://dx.doi.org/10.2307/3105430
# From Paul Eggert (2005-04-16):
# That 1883 transition occurred at 12:00 new time, not at 12:00 old time.
......@@ -436,11 +460,42 @@ Zone America/Denver -6:59:56 - LMT 1883 Nov 18 12:00:04
# north of the Salmon River, and the towns of Burgdorf and Warren),
# Nevada (except West Wendover), Oregon (except the northern 3/4 of
# Malheur county), and Washington
# From Paul Eggert (2016-08-20):
# In early February 1948, in response to California's electricity shortage,
# PG&E changed power frequency from 60 to 59.5 Hz during daylight hours,
# causing electric clocks to lose six minutes per day. (This did not change
# legal time, and is not part of the data here.) See:
# Ross SA. An energy crisis from the past: Northern California in 1948.
# Working Paper No. 8, Institute of Governmental Studies, UC Berkeley,
# 1973-11. http://escholarship.org/uc/item/8x22k30c
#
# In another measure to save electricity, DST was instituted from 1948-03-14
# at 02:01 to 1949-01-16 at 02:00, with the governor having the option to move
# the fallback transition earlier. See pages 3-4 of:
# http://clerk.assembly.ca.gov/sites/clerk.assembly.ca.gov/files/archive/Statutes/1948/48Vol1_Chapters.pdf
#
# In response:
#
# Governor Warren received a torrent of objecting mail, and it is not too much
# to speculate that the objections to Daylight Saving Time were one important
# factor in the defeat of the Dewey-Warren Presidential ticket in California.
# -- Ross, p 25
#
# On December 8 the governor exercised the option, setting the date to January 1
# (LA Times 1948-12-09). The transition time was 02:00 (LA Times 1949-01-01).
#
# Despite the controversy, in 1949 California voters approved Proposition 12,
# which established DST from April's last Sunday at 01:00 until September's
# last Sunday at 02:00. This was amended by 1962's Proposition 6, which changed
# the fall-back date to October's last Sunday. See:
# http://repository.uchastings.edu/cgi/viewcontent.cgi?article=1501&context=ca_ballot_props
# http://repository.uchastings.edu/cgi/viewcontent.cgi?article=1636&context=ca_ballot_props
#
# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER
Rule CA 1948 only - Mar 14 2:00 1:00 D
Rule CA 1948 only - Mar 14 2:01 1:00 D
Rule CA 1949 only - Jan 1 2:00 0 S
Rule CA 1950 1966 - Apr lastSun 2:00 1:00 D
Rule CA 1950 1966 - Apr lastSun 1:00 1:00 D
Rule CA 1950 1961 - Sep lastSun 2:00 0 S
Rule CA 1962 1966 - Oct lastSun 2:00 0 S
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
......@@ -3304,7 +3359,7 @@ Zone America/Miquelon -3:44:40 - LMT 1911 May 15 # St Pierre
# indicating that the normal ET rules are followed.
#
# From Paul Eggert (2014-08-19):
# The 2014-08-13 Cabinet meeting decided to stay on UTC-4 year-round. See:
# The 2014-08-13 Cabinet meeting decided to stay on UT -04 year-round. See:
# http://tcweeklynews.com/daylight-savings-time-to-be-maintained-p5353-127.htm
# Model this as a switch from EST/EDT to AST ...
# From Chris Walton (2014-11-04):
......
......@@ -433,9 +433,9 @@ Rule Arg 2008 only - Oct Sun>=15 0:00 1:00 S
# stuck on Summer daylight savings time even though the summer is over.
# From Paul Eggert (2013-09-05):
# Perhaps San Luis operates on the legal fiction that it is at UTC-4
# Perhaps San Luis operates on the legal fiction that it is at -04
# with perpetual summer time, but ordinary usage typically seems to
# just say it's at UTC-3; see, for example,
# just say it's at -03; see, for example,
# http://es.wikipedia.org/wiki/Hora_oficial_argentina
# We've documented similar situations as being plain changes to
# standard time, so let's do that here too. This does not change UTC
......
......@@ -175,7 +175,8 @@ CU +2308-08222 America/Havana
CV +1455-02331 Atlantic/Cape_Verde
CW +1211-06900 America/Curacao
CX -1025+10543 Indian/Christmas
CY +3510+03322 Asia/Nicosia
CY +3510+03322 Asia/Nicosia Cyprus (most areas)
CY +3507+03357 Asia/Famagusta Northern Cyprus
CZ +5005+01426 Europe/Prague
DE +5230+01322 Europe/Berlin Germany (most areas)
DE +4742+00841 Europe/Busingen Busingen
......@@ -284,7 +285,7 @@ MH +0709+17112 Pacific/Majuro Marshall Islands (most areas)
MH +0905+16720 Pacific/Kwajalein Kwajalein
MK +4159+02126 Europe/Skopje
ML +1239-00800 Africa/Bamako
MM +1647+09610 Asia/Rangoon
MM +1647+09610 Asia/Yangon
MN +4755+10653 Asia/Ulaanbaatar Mongolia (most areas)
MN +4801+09139 Asia/Hovd Bayan-Olgiy, Govi-Altai, Hovd, Uvs, Zavkhan
MN +4804+11430 Asia/Choibalsan Dornod, Sukhbaatar
......
......@@ -41,45 +41,11 @@
return self;
}
-(void) cleanup {
// Used by subclasses
}
-(void) disposer {
-(void) dealloc {
JNIEnv *env = [ThreadUtilities getJNIEnvUncached];
JNFDeleteGlobalRef(env, fPeer);
fPeer = NULL;
[self cleanup];
[self release];
}
// The method is used by all subclasses, since the process of the creation
// is the same. The only exception is the CMenuItem class.
- (void) _create_OnAppKitThread: (NSMutableArray *)argValue {
jobject cPeerObjGlobal = (jobject)[[argValue objectAtIndex: 0] pointerValue];
CMenuItem *aCMenuItem = [self initWithPeer:cPeerObjGlobal];
[argValue removeAllObjects];
[argValue addObject: aCMenuItem];
[super dealloc];
}
@end
/*
* Class: sun_lwawt_macosx_CMenuComponent
* Method: nativeDispose
* Signature: (J)V
*/
JNIEXPORT void JNICALL
Java_sun_lwawt_macosx_CMenuComponent_nativeDispose
(JNIEnv *env, jobject peer, jlong menuItemObj)
{
JNF_COCOA_ENTER(env);
[ThreadUtilities performOnMainThread:@selector(disposer)
on:((id)jlong_to_ptr(menuItemObj))
withObject:nil
waitUntilDone:NO];
JNF_COCOA_EXIT(env);
}
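Review bot: The new `dealloc` calls `JNFDeleteGlobalRef` on whichever thread drops the last reference, whereas the removed `nativeDispose` path marshalled the same cleanup through `performOnMainThread`. Nothing in this section says which threads may release a CMenuComponent, so a one-line comment above `dealloc` stating the expectation would help, e.g. `// May run off the AppKit thread; keep this to thread-safe JNI cleanup only.` The result of `getJNIEnvUncached` is used without a NULL check; that matches the removed `disposer`, but it is worth confirming it still holds now that the call site is `dealloc`.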
......@@ -729,7 +729,11 @@ public class PNGImageReader extends ImageReader {
parse_iCCP_chunk(chunkLength);
break;
case iTXt_TYPE:
parse_iTXt_chunk(chunkLength);
if (ignoreMetadata) {
stream.skipBytes(chunkLength);
} else {
parse_iTXt_chunk(chunkLength);
}
break;
case pHYs_TYPE:
parse_pHYs_chunk();
......@@ -753,7 +757,11 @@ public class PNGImageReader extends ImageReader {
parse_tRNS_chunk(chunkLength);
break;
case zTXt_TYPE:
parse_zTXt_chunk(chunkLength);
if (ignoreMetadata) {
stream.skipBytes(chunkLength);
} else {
parse_zTXt_chunk(chunkLength);
}
break;
default:
// Read an unknown chunk
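Review bot: The `ignoreMetadata` guard added to the `iTXt_TYPE` and `zTXt_TYPE` cases only protects callers that opt in. With metadata enabled, the file-supplied `chunkLength` still goes straight to `parse_iTXt_chunk` / `parse_zTXt_chunk`, whose bodies are outside these hunks, so any bound on the decompressed text size has to be confirmed there. In the new branch the return value of `stream.skipBytes(chunkLength)` is dropped, although (assuming `stream` is an `ImageInputStream`) it may skip fewer bytes than requested on a truncated file. A comment such as `// a short skip on truncated input surfaces at the next read` (if that holds) or an explicit check of the returned count would make the intent clear. The enclosing switch starts and ends outside both hunks.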
......
......@@ -33,6 +33,8 @@ import java.util.Hashtable;
import org.omg.CosNaming.*;
import com.sun.jndi.toolkit.corba.CorbaUtils;
/**
* Implements the JNDI NamingEnumeration interface for COS
* Naming. Gets hold of a list of bindings from the COS Naming Server
......@@ -212,7 +214,10 @@ final class CNBindingEnumeration
Name cname = CNNameParser.cosNameToName(bndg.binding_name);
try {
// Check whether object factory codebase is trusted
if (CorbaUtils.isObjectFactoryTrusted(obj)) {
obj = NamingManager.getObjectInstance(obj, cname, _ctx, _env);
}
} catch (NamingException e) {
throw e;
} catch (Exception e) {
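Review bot: The `if (CorbaUtils.isObjectFactoryTrusted(obj))` wrapper has no else branch, so failing closed depends entirely on the helper throwing. As added in this commit the helper either throws `ConfigurationException` or returns true, but if it ever returned false the unresolved `obj` would be handed back without passing through `NamingManager.getObjectInstance`. The same pattern appears in the `CNCtx` lookup hunk and in `ExceptionMapper`, where `resolvedObj2` would stay `null`. A comment at each site such as `// isObjectFactoryTrusted throws when untrusted; it never returns false` would pin that contract. The enclosing try/catch continues past the end of the hunk.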
......
......@@ -36,6 +36,8 @@ import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.BufferedReader;
import java.io.IOException;
import java.security.AccessController;
import java.security.PrivilegedAction;
import org.omg.CosNaming.*;
import org.omg.CosNaming.NamingContextPackage.*;
......@@ -82,6 +84,19 @@ public class CNCtx implements javax.naming.Context {
private static final String FED_PROP = "com.sun.jndi.cosnaming.federation";
boolean federation = false;
/**
* Determines whether classes may be loaded from an arbitrary URL code base.
*/
public static final boolean trustURLCodebase;
static {
// System property to control whether classes may be loaded from an
// arbitrary URL code base
PrivilegedAction<String> act = () -> System.getProperty(
"com.sun.jndi.cosnaming.object.trustURLCodebase", "false");
String trust = AccessController.doPrivileged(act);
trustURLCodebase = "true".equalsIgnoreCase(trust);
}
// Reference counter for tracking _orb references
OrbReuseTracker orbTracker = null;
int enumCount;
......@@ -534,12 +549,16 @@ public class CNCtx implements javax.naming.Context {
if (name.size() == 0 )
return this; // %%% should clone() so that env can be changed
NameComponent[] path = CNNameParser.nameToCosName(name);
java.lang.Object answer = null;
try {
java.lang.Object answer = callResolve(path);
answer = callResolve(path);
try {
return NamingManager.getObjectInstance(answer, name, this, _env);
// Check whether object factory codebase is trusted
if (CorbaUtils.isObjectFactoryTrusted(answer)) {
answer = NamingManager.getObjectInstance(
answer, name, this, _env);
}
} catch (NamingException e) {
throw e;
} catch (Exception e) {
......@@ -552,6 +571,7 @@ public class CNCtx implements javax.naming.Context {
javax.naming.Context cctx = getContinuationContext(cpe);
return cctx.lookup(cpe.getRemainingName());
}
return answer;
}
/**
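Review bot: The Javadoc on `trustURLCodebase` does not say that the value is read once in the static initializer, so changing the system property after `CNCtx` has been loaded has no effect. It also omits the property name and the default, which an operator needs when deciding whether to opt in. A sentence like `Read once at class initialization from com.sun.jndi.cosnaming.object.trustURLCodebase; defaults to false.` would cover both. The matching field added to `RegistryContext` has the same gap for `com.sun.jndi.rmi.object.trustURLCodebase`.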
......
......@@ -33,6 +33,8 @@ import org.omg.CosNaming.*;
import org.omg.CosNaming.NamingContextPackage.*;
import org.omg.CORBA.*;
import com.sun.jndi.toolkit.corba.CorbaUtils;
/**
* A convenience class to map the COS Naming exceptions to the JNDI exceptions.
* @author Raj Krishnamurthy
......@@ -202,10 +204,13 @@ public final class ExceptionMapper {
// Not a context, use object factory to transform object.
Name cname = CNNameParser.cosNameToName(resolvedName);
java.lang.Object resolvedObj2;
java.lang.Object resolvedObj2 = null;
try {
// Check whether object factory codebase is trusted
if (CorbaUtils.isObjectFactoryTrusted(resolvedObj)) {
resolvedObj2 = NamingManager.getObjectInstance(resolvedObj,
cname, ctx, ctx._env);
}
} catch (NamingException ge) {
throw ge;
} catch (Exception ge) {
......
......@@ -32,6 +32,8 @@ import java.rmi.*;
import java.rmi.server.*;
import java.rmi.registry.Registry;
import java.rmi.registry.LocateRegistry;
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.naming.*;
import javax.naming.spi.NamingManager;
......@@ -52,6 +54,18 @@ public class RegistryContext implements Context, Referenceable {
private int port;
private static final NameParser nameParser = new AtomicNameParser();
private static final String SOCKET_FACTORY = "com.sun.jndi.rmi.factory.socket";
/**
* Determines whether classes may be loaded from an arbitrary URL code base.
*/
static final boolean trustURLCodebase;
static {
// System property to control whether classes may be loaded from an
// arbitrary URL codebase
PrivilegedAction<String> act = () -> System.getProperty(
"com.sun.jndi.rmi.object.trustURLCodebase", "false");
String trust = AccessController.doPrivileged(act);
trustURLCodebase = "true".equalsIgnoreCase(trust);
}
Reference reference = null; // ref used to create this context, if any
......@@ -461,6 +475,27 @@ public class RegistryContext implements Context, Referenceable {
Object obj = (r instanceof RemoteReference)
? ((RemoteReference)r).getReference()
: (Object)r;
/*
* Classes may only be loaded from an arbitrary URL codebase when
* the system property com.sun.jndi.rmi.object.trustURLCodebase
* has been set to "true".
*/
// Use reference if possible
Reference ref = null;
if (obj instanceof Reference) {
ref = (Reference) obj;
} else if (obj instanceof Referenceable) {
ref = ((Referenceable)(obj)).getReference();
}
if (ref != null && ref.getFactoryClassLocation() != null &&
!trustURLCodebase) {
throw new ConfigurationException(
"The object factory is untrusted. Set the system property" +
" 'com.sun.jndi.rmi.object.trustURLCodebase' to 'true'.");
}
return NamingManager.getObjectInstance(obj, name, this,
environment);
} catch (NamingException e) {
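Review bot: The check added in the third hunk rejects only references whose `getFactoryClassLocation()` is non-null; a `Reference` without a codebase still reaches `NamingManager.getObjectInstance`, which resolves the named factory class locally. That is probably intended, but the block comment above the check reads as if the property governs all factory loading, so it should state the scope, e.g. `// Only remote codebases are gated here; factories on the local class path are still used.` The extraction of `ref` also duplicates the logic added to `CorbaUtils.isObjectFactoryTrusted`, so the two copies can drift apart. The enclosing method starts and ends outside the hunk.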
......
......@@ -36,8 +36,9 @@ import java.util.Enumeration;
import org.omg.CORBA.ORB;
import javax.naming.Context;
import javax.naming.ConfigurationException;
import javax.naming.*;
import com.sun.jndi.cosnaming.CNCtx;
/**
* Contains utilities for performing CORBA-related tasks:
......@@ -203,6 +204,32 @@ public class CorbaUtils {
return ORB.init(new String[0], orbProp);
}
/**
* Check whether object factory code base is trusted.
* Classes may only be loaded from an arbitrary URL code base when
* the system property com.sun.jndi.rmi.object.trustURLCodebase
* has been set to "true".
*/
public static boolean isObjectFactoryTrusted(Object obj)
throws NamingException {
// Extract Reference, if possible
Reference ref = null;
if (obj instanceof Reference) {
ref = (Reference) obj;
} else if (obj instanceof Referenceable) {
ref = ((Referenceable)(obj)).getReference();
}
if (ref != null && ref.getFactoryClassLocation() != null &&
!CNCtx.trustURLCodebase) {
throw new ConfigurationException(
"The object factory is untrusted. Set the system property" +
" 'com.sun.jndi.cosnaming.object.trustURLCodebase' to 'true'.");
}
return true;
}
/**
* This method returns a new ORB instance for the given applet
* without creating a static dependency on java.applet.
......
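Review bot: The Javadoc on `isObjectFactoryTrusted` names the property `com.sun.jndi.rmi.object.trustURLCodebase`, but the method tests `CNCtx.trustURLCodebase` and its exception message tells the user to set `com.sun.jndi.cosnaming.object.trustURLCodebase`. The comment looks copied from the RMI registry context and should read `the system property com.sun.jndi.cosnaming.object.trustURLCodebase has been set to "true"`, assuming the message names the property that `CNCtx` actually reads. The method is declared `boolean` but can only return `true` or throw, so the comment should also carry `@return true if the factory is trusted` and `@throws ConfigurationException if the reference names a factory class location and the code base is not trusted`.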
......@@ -680,7 +680,9 @@ public class MethodHandles {
// disallow lookup more restricted packages
if (allowedModes == ALL_MODES && lookupClass.getClassLoader() == null) {
if (name.startsWith("java.") ||
(name.startsWith("sun.") && !name.startsWith("sun.invoke."))) {
(name.startsWith("sun.")
&& !name.startsWith("sun.invoke.")
&& !name.equals("sun.reflect.ReflectionFactory"))) {
throw newIllegalArgumentException("illegal lookupClass: " + lookupClass);
}
}
......
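Review bot: The new clause `!name.equals("sun.reflect.ReflectionFactory")` exempts a single class from a check whose own comment says it disallows lookups on restricted packages, and nothing in the hunk records why. Judging from the `MethodHandles.lookup().unreflect(...)` calls added to ReflectionFactory in this same commit, the exemption presumably exists for its serialization support. A comment on the clause would stop a later reader from widening or removing it by accident, for example `// sun.reflect.ReflectionFactory is exempted: its serialization support creates method handles`. The enclosing method starts and ends outside this hunk.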
......@@ -161,9 +161,9 @@ public abstract class URLStreamHandler {
(spec.charAt(start + 1) == '/')) {
start += 2;
i = spec.indexOf('/', start);
if (i < 0) {
if (i < 0 || i > limit) {
i = spec.indexOf('?', start);
if (i < 0)
if (i < 0 || i > limit)
i = limit;
}
......@@ -171,8 +171,14 @@ public abstract class URLStreamHandler {
int ind = authority.indexOf('@');
if (ind != -1) {
userInfo = authority.substring(0, ind);
host = authority.substring(ind+1);
if (ind != authority.lastIndexOf('@')) {
// more than one '@' in authority. This is not server based
userInfo = null;
host = null;
} else {
userInfo = authority.substring(0, ind);
host = authority.substring(ind+1);
}
} else {
userInfo = null;
}
......
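Review bot: In the branch taken when the authority holds more than one '@', `host` is set to `null` with only the comment "This is not server based", and whether the code after this hunk tolerates a null `host` is not visible here and should be confirmed. The comment would be more useful if it stated the reason for rejecting the input, for example `// more than one '@': the userinfo/host split is ambiguous, so leave host and userInfo unset rather than guess`. The method body continues outside the hunk on both sides.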
/*
* Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -25,11 +25,8 @@
package java.time.format;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Map.Entry;
import java.util.Set;
/**
* A helper class to map a zone name to metazone and back to the
......@@ -335,6 +332,7 @@ class ZoneName {
"America/Eirunepe", "Amazon", "America/Manaus",
"Africa/Nairobi", "Africa_Eastern", "Africa/Nairobi",
"Asia/Yakutsk", "Yakutsk", "Asia/Yakutsk",
"Asia/Yangon", "Myanmar", "Asia/Rangoon",
"America/Goose_Bay", "Atlantic", "America/Halifax",
"Africa/Maseru", "Africa_Southern", "Africa/Johannesburg",
"America/Swift_Current", "America_Central", "America/Chicago",
......@@ -770,6 +768,7 @@ class ZoneName {
"America/Indianapolis", "America/Indiana/Indianapolis",
"Europe/Belfast", "Europe/London",
"America/Kralendijk", "America/Curacao",
"Asia/Rangoon", "Asia/Yangon",
};
private static final Map<String, String> zidToMzone = new HashMap<>();
......
......@@ -40,6 +40,7 @@ import java.lang.reflect.Modifier;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Objects;
import java.util.function.IntBinaryOperator;
import java.util.function.IntUnaryOperator;
import sun.reflect.CallerSensitive;
......@@ -410,7 +411,17 @@ public abstract class AtomicIntegerFieldUpdater<T> {
if (!Modifier.isVolatile(modifiers))
throw new IllegalArgumentException("Must be volatile type");
this.cclass = (Modifier.isProtected(modifiers)) ? caller : tclass;
// Access to protected field members is restricted to receivers only
// of the accessing class, or one of its subclasses, and the
// accessing class must in turn be a subclass (or package sibling)
// of the protected member's defining class.
// If the updater refers to a protected field of a declaring class
// outside the current package, the receiver argument will be
// narrowed to the type of the accessing class.
this.cclass = (Modifier.isProtected(modifiers) &&
tclass.isAssignableFrom(caller) &&
!isSamePackage(tclass, caller))
? caller : tclass;
this.tclass = tclass;
this.offset = U.objectFieldOffset(field);
}
......@@ -431,6 +442,21 @@ public abstract class AtomicIntegerFieldUpdater<T> {
return false;
}
/**
* Returns true if the two classes have the same class loader and
* package qualifier
*/
private static boolean isSamePackage(Class<?> class1, Class<?> class2) {
return class1.getClassLoader() == class2.getClassLoader()
&& Objects.equals(getPackageName(class1), getPackageName(class2));
}
private static String getPackageName(Class<?> cls) {
String cn = cls.getName();
int dot = cn.lastIndexOf('.');
return (dot != -1) ? cn.substring(0, dot) : "";
}
/**
* Checks that target argument is instance of cclass. On
* failure, throws cause.
......
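Review bot: `isSamePackage` and `getPackageName` are added here and again, line for line, in AtomicLongFieldUpdater and AtomicReferenceFieldUpdater, while ReflectionFactory in the same commit adds a `packageEquals` that compares `getPackage()` objects instead of names. That makes four copies of an access-control predicate in two variants, which are easy to let drift apart. One package-private helper shared by the three updaters would keep them identical. `getPackageName` has no comment at all; `// Returns the package part of the class name, or "" when the name has no dot` would do.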
......@@ -40,6 +40,7 @@ import java.lang.reflect.Modifier;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Objects;
import java.util.function.LongBinaryOperator;
import java.util.function.LongUnaryOperator;
import sun.reflect.CallerSensitive;
......@@ -408,7 +409,17 @@ public abstract class AtomicLongFieldUpdater<T> {
if (!Modifier.isVolatile(modifiers))
throw new IllegalArgumentException("Must be volatile type");
this.cclass = (Modifier.isProtected(modifiers)) ? caller : tclass;
// Access to protected field members is restricted to receivers only
// of the accessing class, or one of its subclasses, and the
// accessing class must in turn be a subclass (or package sibling)
// of the protected member's defining class.
// If the updater refers to a protected field of a declaring class
// outside the current package, the receiver argument will be
// narrowed to the type of the accessing class.
this.cclass = (Modifier.isProtected(modifiers) &&
tclass.isAssignableFrom(caller) &&
!isSamePackage(tclass, caller))
? caller : tclass;
this.tclass = tclass;
this.offset = U.objectFieldOffset(field);
}
......@@ -539,7 +550,17 @@ public abstract class AtomicLongFieldUpdater<T> {
if (!Modifier.isVolatile(modifiers))
throw new IllegalArgumentException("Must be volatile type");
this.cclass = (Modifier.isProtected(modifiers)) ? caller : tclass;
// Access to protected field members is restricted to receivers only
// of the accessing class, or one of its subclasses, and the
// accessing class must in turn be a subclass (or package sibling)
// of the protected member's defining class.
// If the updater refers to a protected field of a declaring class
// outside the current package, the receiver argument will be
// narrowed to the type of the accessing class.
this.cclass = (Modifier.isProtected(modifiers) &&
tclass.isAssignableFrom(caller) &&
!isSamePackage(tclass, caller))
? caller : tclass;
this.tclass = tclass;
this.offset = U.objectFieldOffset(field);
}
......@@ -620,4 +641,19 @@ public abstract class AtomicLongFieldUpdater<T> {
} while (acl != null);
return false;
}
/**
* Returns true if the two classes have the same class loader and
* package qualifier
*/
private static boolean isSamePackage(Class<?> class1, Class<?> class2) {
return class1.getClassLoader() == class2.getClassLoader()
&& Objects.equals(getPackageName(class1), getPackageName(class2));
}
private static String getPackageName(Class<?> cls) {
String cn = cls.getName();
int dot = cn.lastIndexOf('.');
return (dot != -1) ? cn.substring(0, dot) : "";
}
}
......@@ -40,6 +40,7 @@ import java.lang.reflect.Modifier;
import java.security.AccessController;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Objects;
import java.util.function.BinaryOperator;
import java.util.function.UnaryOperator;
import sun.reflect.CallerSensitive;
......@@ -346,7 +347,17 @@ public abstract class AtomicReferenceFieldUpdater<T,V> {
if (!Modifier.isVolatile(modifiers))
throw new IllegalArgumentException("Must be volatile type");
this.cclass = (Modifier.isProtected(modifiers)) ? caller : tclass;
// Access to protected field members is restricted to receivers only
// of the accessing class, or one of its subclasses, and the
// accessing class must in turn be a subclass (or package sibling)
// of the protected member's defining class.
// If the updater refers to a protected field of a declaring class
// outside the current package, the receiver argument will be
// narrowed to the type of the accessing class.
this.cclass = (Modifier.isProtected(modifiers) &&
tclass.isAssignableFrom(caller) &&
!isSamePackage(tclass, caller))
? caller : tclass;
this.tclass = tclass;
this.vclass = vclass;
this.offset = U.objectFieldOffset(field);
......@@ -368,6 +379,21 @@ public abstract class AtomicReferenceFieldUpdater<T,V> {
return false;
}
/**
* Returns true if the two classes have the same class loader and
* package qualifier
*/
private static boolean isSamePackage(Class<?> class1, Class<?> class2) {
return class1.getClassLoader() == class2.getClassLoader()
&& Objects.equals(getPackageName(class1), getPackageName(class2));
}
private static String getPackageName(Class<?> cls) {
String cn = cls.getName();
int dot = cn.lastIndexOf('.');
return (dot != -1) ? cn.substring(0, dot) : "";
}
/**
* Checks that target argument is instance of cclass. On
* failure, throws cause.
......
/*
* Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -992,7 +992,7 @@ public class RMIConnectionImpl implements RMIConnection, Unreferenced {
filterValues[i] =
unwrap(filters[i], targetCl, defaultClassLoader,
NotificationFilter.class, delegationSubjects[i]);
NotificationFilter.class, sbjs[i]);
if (debug) logger.debug("addNotificationListener"+
"(ObjectName,NotificationFilter)",
......
......@@ -21,7 +21,7 @@
* under the License.
*/
/*
* Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
*/
/*
* $Id: DOMSignatureMethod.java 1333415 2012-05-03 12:03:51Z coheigea $
......@@ -41,6 +41,7 @@ import org.w3c.dom.Element;
import com.sun.org.apache.xml.internal.security.algorithms.implementations.SignatureECDSA;
import com.sun.org.apache.xml.internal.security.utils.JavaUtils;
import org.jcp.xml.dsig.internal.SignerOutputStream;
import sun.security.util.KeyUtil;
/**
* DOM-based abstract implementation of SignatureMethod.
......@@ -162,6 +163,7 @@ public abstract class DOMSignatureMethod extends AbstractDOMSignatureMethod {
if (!(key instanceof PublicKey)) {
throw new InvalidKeyException("key must be PublicKey");
}
checkKeySize(context, key);
if (signature == null) {
try {
Provider p = (Provider)context.getProperty
......@@ -197,6 +199,37 @@ public abstract class DOMSignatureMethod extends AbstractDOMSignatureMethod {
}
}
/**
* If secure validation mode is enabled, checks that the key size is
* restricted.
*
* @param context the context
* @param key the key to check
* @throws XMLSignatureException if the key size is restricted
*/
private static void checkKeySize(XMLCryptoContext context, Key key)
throws XMLSignatureException {
if (Utils.secureValidation(context)) {
int size = KeyUtil.getKeySize(key);
if (size == -1) {
// key size cannot be determined, so we cannot check against
// restrictions. Note that a DSA key w/o params will be
// rejected later if the certificate chain is validated.
if (log.isLoggable(java.util.logging.Level.FINE)) {
log.log(java.util.logging.Level.FINE, "Size for " +
key.getAlgorithm() + " key cannot be determined");
}
return;
}
if (Policy.restrictKey(key.getAlgorithm(), size)) {
throw new XMLSignatureException(key.getAlgorithm() +
" keys less than " +
Policy.minKeySize(key.getAlgorithm()) + " bits are" +
" forbidden when secure validation is enabled");
}
}
}
byte[] sign(Key key, SignedInfo si, XMLSignContext context)
throws InvalidKeyException, XMLSignatureException
{
......@@ -207,6 +240,7 @@ public abstract class DOMSignatureMethod extends AbstractDOMSignatureMethod {
if (!(key instanceof PrivateKey)) {
throw new InvalidKeyException("key must be PrivateKey");
}
checkKeySize(context, key);
if (signature == null) {
try {
Provider p = (Provider)context.getProperty
......
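Review bot: `checkKeySize` returns normally when `KeyUtil.getKeySize(key)` is -1, so under secure validation a key whose size cannot be determined passes the minimum-size policy, and the only trace is a FINE-level log record. The inline comment relies on a later certificate-chain validation to reject such keys, which holds only when the caller actually performs one. The Javadoc should state this behaviour, for example `Keys whose size cannot be determined are not restricted by this check.`, and the log level is worth raising so the skipped check shows up in ordinary logs. Both `verify` and `sign` call it, and their bodies continue outside the hunks shown.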
......@@ -31,8 +31,10 @@ import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.Security;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
/**
......@@ -46,6 +48,7 @@ public final class Policy {
private static int maxTrans = Integer.MAX_VALUE;
private static int maxRefs = Integer.MAX_VALUE;
private static Set<String> disallowedRefUriSchemes = new HashSet<>();
private static Map<String, Integer> minKeyMap = new HashMap<>();
private static boolean noDuplicateIds = false;
private static boolean noRMLoops = false;
......@@ -101,6 +104,13 @@ public final class Policy {
scheme.toLowerCase(Locale.ROOT));
}
break;
case "minKeySize":
if (tokens.length != 3) {
error(entry);
}
minKeyMap.put(tokens[1],
Integer.parseUnsignedInt(tokens[2]));
break;
case "noDuplicateIds":
if (tokens.length != 1) {
error(entry);
......@@ -147,6 +157,10 @@ public final class Policy {
return false;
}
public static boolean restrictKey(String type, int size) {
return (size < minKeyMap.getOrDefault(type, 0));
}
public static boolean restrictDuplicateIds() {
return noDuplicateIds;
}
......@@ -171,6 +185,10 @@ public final class Policy {
return Collections.<String>unmodifiableSet(disallowedRefUriSchemes);
}
public static int minKeySize(String type) {
return minKeyMap.getOrDefault(type, 0);
}
private static void error(String entry) {
throw new IllegalArgumentException(
"Invalid jdk.xml.dsig.secureValidationPolicy entry: " + entry);
......
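Review bot: `Integer.parseUnsignedInt(tokens[2])` in the `minKeySize` case accepts values above `Integer.MAX_VALUE` and returns them as a negative `int`; `restrictKey` then evaluates `size < negative`, which is never true, so an oversized entry silently turns the restriction off for that algorithm. Parsing as a signed value and rejecting negatives through the existing error path avoids that: `int min = Integer.parseInt(tokens[2]); if (min < 0) error(entry);`. The map is keyed on `tokens[1]` verbatim while lookups use `key.getAlgorithm()`, so whether a case mismatch in the property can defeat the lookup should be confirmed. `restrictKey` and `minKeySize` have no Javadoc; each needs a line saying that an algorithm without an entry has a minimum of 0.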
......@@ -25,16 +25,28 @@
package sun.reflect;
import java.io.Externalizable;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.OptionalDataException;
import java.io.Serializable;
import java.lang.invoke.MethodHandle;
import java.lang.invoke.MethodHandles;
import java.lang.reflect.Field;
import java.lang.reflect.Executable;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Constructor;
import java.lang.reflect.Modifier;
import java.security.AccessController;
import java.security.Permission;
import java.security.PrivilegedAction;
import java.util.Objects;
import sun.reflect.misc.ReflectUtil;
/** <P> The master factory for all reflective objects, both those in
java.lang.reflect (Fields, Methods, Constructors) as well as their
delegates (FieldAccessors, MethodAccessors, ConstructorAccessors).
......@@ -56,6 +68,9 @@ public class ReflectionFactory {
// Provides access to package-private mechanisms in java.lang.reflect
private static volatile LangReflectAccess langReflectAccess;
/* Method for static class initializer <clinit>, or null */
private static volatile Method hasStaticInitializerMethod;
//
// "Inflation" mechanism. Loading bytecodes to implement
// Method.invoke() and Constructor.newInstance() currently costs
......@@ -73,8 +88,7 @@ public class ReflectionFactory {
private static boolean noInflation = false;
private static int inflationThreshold = 15;
private ReflectionFactory() {
}
private ReflectionFactory() {}
/**
* A convenience class for acquiring the capability to instantiate
......@@ -328,6 +342,14 @@ public class ReflectionFactory {
//
//
/**
* Returns an accessible constructor capable of creating instances
* of the given class, initialized by the given constructor.
*
* @param classToInstantiate the class to instantiate
* @param constructorToCall the constructor to call
* @return an accessible constructor
*/
public Constructor<?> newConstructorForSerialization
(Class<?> classToInstantiate, Constructor<?> constructorToCall)
{
......@@ -335,6 +357,42 @@ public class ReflectionFactory {
if (constructorToCall.getDeclaringClass() == classToInstantiate) {
return constructorToCall;
}
return generateConstructor(classToInstantiate, constructorToCall);
}
/**
* Returns an accessible no-arg constructor for a class.
* The no-arg constructor is found searching the class and its supertypes.
*
* @param cl the class to instantiate
* @return a no-arg constructor for the class or {@code null} if
* the class or supertypes do not have a suitable no-arg constructor
*/
public final Constructor<?> newConstructorForSerialization(Class<?> cl) {
Class<?> initCl = cl;
while (Serializable.class.isAssignableFrom(initCl)) {
if ((initCl = initCl.getSuperclass()) == null) {
return null;
}
}
Constructor<?> constructorToCall;
try {
constructorToCall = initCl.getDeclaredConstructor();
int mods = constructorToCall.getModifiers();
if ((mods & Modifier.PRIVATE) != 0 ||
((mods & (Modifier.PUBLIC | Modifier.PROTECTED)) == 0 &&
!packageEquals(cl, initCl))) {
return null;
}
} catch (NoSuchMethodException ex) {
return null;
}
return generateConstructor(cl, constructorToCall);
}
private final Constructor<?> generateConstructor(Class<?> classToInstantiate,
Constructor<?> constructorToCall) {
ConstructorAccessor acc = new MethodAccessorGenerator().
generateSerializationConstructor(classToInstantiate,
......@@ -355,9 +413,222 @@ public class ReflectionFactory {
langReflectAccess().
getConstructorParameterAnnotations(constructorToCall));
setConstructorAccessor(c, acc);
c.setAccessible(true);
return c;
}
/**
* Returns an accessible no-arg constructor for an externalizable class to be
* initialized using a public no-argument constructor.
*
* @param cl the class to instantiate
* @return A no-arg constructor for the class; returns {@code null} if
* the class does not implement {@link java.io.Externalizable}
*/
public final Constructor<?> newConstructorForExternalization(Class<?> cl) {
if (!Externalizable.class.isAssignableFrom(cl)) {
return null;
}
try {
Constructor<?> cons = cl.getConstructor();
cons.setAccessible(true);
return cons;
} catch (NoSuchMethodException ex) {
return null;
}
}
/**
* Returns a direct MethodHandle for the {@code readObject} method on
* a Serializable class.
* The first argument of {@link MethodHandle#invoke} is the serializable
* object and the second argument is the {@code ObjectInputStream} passed to
* {@code readObject}.
*
* @param cl a Serializable class
* @return a direct MethodHandle for the {@code readObject} method of the class or
* {@code null} if the class does not have a {@code readObject} method
*/
public final MethodHandle readObjectForSerialization(Class<?> cl) {
return findReadWriteObjectForSerialization(cl, "readObject", ObjectInputStream.class);
}
/**
* Returns a direct MethodHandle for the {@code readObjectNoData} method on
* a Serializable class.
* The first argument of {@link MethodHandle#invoke} is the serializable
* object and the second argument is the {@code ObjectInputStream} passed to
* {@code readObjectNoData}.
*
* @param cl a Serializable class
* @return a direct MethodHandle for the {@code readObjectNoData} method
* of the class or {@code null} if the class does not have a
* {@code readObjectNoData} method
*/
public final MethodHandle readObjectNoDataForSerialization(Class<?> cl) {
return findReadWriteObjectForSerialization(cl, "readObjectNoData", ObjectInputStream.class);
}
/**
* Returns a direct MethodHandle for the {@code writeObject} method on
* a Serializable class.
* The first argument of {@link MethodHandle#invoke} is the serializable
* object and the second argument is the {@code ObjectOutputStream} passed to
* {@code writeObject}.
*
* @param cl a Serializable class
* @return a direct MethodHandle for the {@code writeObject} method of the class or
* {@code null} if the class does not have a {@code writeObject} method
*/
public final MethodHandle writeObjectForSerialization(Class<?> cl) {
return findReadWriteObjectForSerialization(cl, "writeObject", ObjectOutputStream.class);
}
private final MethodHandle findReadWriteObjectForSerialization(Class<?> cl,
String methodName,
Class<?> streamClass) {
if (!Serializable.class.isAssignableFrom(cl)) {
return null;
}
try {
Method meth = cl.getDeclaredMethod(methodName, streamClass);
int mods = meth.getModifiers();
if (meth.getReturnType() != Void.TYPE ||
Modifier.isStatic(mods) ||
!Modifier.isPrivate(mods)) {
return null;
}
meth.setAccessible(true);
return MethodHandles.lookup().unreflect(meth);
} catch (NoSuchMethodException ex) {
return null;
} catch (IllegalAccessException ex1) {
throw new InternalError("Error", ex1);
}
}
/**
* Returns a direct MethodHandle for the {@code readResolve} method on
* a serializable class.
* The single argument of {@link MethodHandle#invoke} is the serializable
* object.
*
* @param cl the Serializable class
* @return a direct MethodHandle for the {@code readResolve} method of the class or
* {@code null} if the class does not have a {@code readResolve} method
*/
public final MethodHandle readResolveForSerialization(Class<?> cl) {
return getReplaceResolveForSerialization(cl, "readResolve");
}
/**
* Returns a direct MethodHandle for the {@code writeReplace} method on
* a serializable class.
* The single argument of {@link MethodHandle#invoke} is the serializable
* object.
*
* @param cl the Serializable class
* @return a direct MethodHandle for the {@code writeReplace} method of the class or
* {@code null} if the class does not have a {@code writeReplace} method
*/
public final MethodHandle writeReplaceForSerialization(Class<?> cl) {
return getReplaceResolveForSerialization(cl, "writeReplace");
}
/**
* Returns a direct MethodHandle for the {@code writeReplace} method on
* a serializable class.
* The single argument of {@link MethodHandle#invoke} is the serializable
* object.
*
* @param cl the Serializable class
* @return a direct MethodHandle for the {@code writeReplace} method of the class or
* {@code null} if the class does not have a {@code writeReplace} method
*/
private MethodHandle getReplaceResolveForSerialization(Class<?> cl,
String methodName) {
if (!Serializable.class.isAssignableFrom(cl)) {
return null;
}
Class<?> defCl = cl;
while (defCl != null) {
try {
Method m = defCl.getDeclaredMethod(methodName);
if (m.getReturnType() != Object.class) {
return null;
}
int mods = m.getModifiers();
if (Modifier.isStatic(mods) | Modifier.isAbstract(mods)) {
return null;
} else if (Modifier.isPublic(mods) | Modifier.isProtected(mods)) {
// fall through
} else if (Modifier.isPrivate(mods) && (cl != defCl)) {
return null;
} else if (!packageEquals(cl, defCl)) {
return null;
}
try {
// Normal return
m.setAccessible(true);
return MethodHandles.lookup().unreflect(m);
} catch (IllegalAccessException ex0) {
// setAccessible should prevent IAE
throw new InternalError("Error", ex0);
}
} catch (NoSuchMethodException ex) {
defCl = defCl.getSuperclass();
}
}
return null;
}
/**
* Returns true if the class has a static initializer.
* The presence of a static initializer is used to compute the serialVersionUID.
* @param cl a serializable classLook
* @return {@code true} if the class has a static initializer,
* otherwise {@code false}
*/
public final boolean hasStaticInitializerForSerialization(Class<?> cl) {
Method m = hasStaticInitializerMethod;
if (m == null) {
try {
m = ObjectStreamClass.class.getDeclaredMethod("hasStaticInitializer",
new Class<?>[]{Class.class});
m.setAccessible(true);
hasStaticInitializerMethod = m;
} catch (NoSuchMethodException ex) {
throw new InternalError("No such method hasStaticInitializer on "
+ ObjectStreamClass.class, ex);
}
}
try {
return (Boolean) m.invoke(null, cl);
} catch (InvocationTargetException | IllegalAccessException ex) {
throw new InternalError("Exception invoking hasStaticInitializer", ex);
}
}
/**
* Returns a new OptionalDataException with {@code eof} set to {@code true}
* or {@code false}.
* @param bool the value of {@code eof} in the created OptionalDataException
* @return a new OptionalDataException
*/
public final OptionalDataException newOptionalDataExceptionForSerialization(boolean bool) {
try {
Constructor<OptionalDataException> boolCtor =
OptionalDataException.class.getDeclaredConstructor(Boolean.TYPE);
boolCtor.setAccessible(true);
return boolCtor.newInstance(bool);
} catch (NoSuchMethodException | InstantiationException|
IllegalAccessException|InvocationTargetException ex) {
throw new InternalError("unable to create OptionalDataException", ex);
}
}
//--------------------------------------------------------------------------
//
// Internals only below this point
......@@ -421,4 +692,17 @@ public class ReflectionFactory {
}
return langReflectAccess;
}
/**
* Returns true if classes are defined in the classloader and same package, false
* otherwise.
* @param cl1 a class
* @param cl2 another class
* @returns true if the two classes are in the same classloader and package
*/
private static boolean packageEquals(Class<?> cl1, Class<?> cl2) {
return cl1.getClassLoader() == cl2.getClassLoader() &&
Objects.equals(cl1.getPackage(), cl2.getPackage());
}
}
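Review bot: `packageEquals` compares `cl1.getPackage()` with `cl2.getPackage()` through `Objects.equals`, and `Class.getPackage()` can return null when the class loader created no Package object, so two classes from one loader but different packages could compare equal as null against null. The result gates the accessibility decisions in `newConstructorForSerialization(Class)` and `getReplaceResolveForSerialization`. Comparing package names taken from `getName()`, as the `getPackageName` helper added to the atomic field updaters in this commit does, would be the safer form. Its Javadoc also uses `@returns` where the tag is `@return`, and the comment above `getReplaceResolveForSerialization` is a copy of the `writeReplace` one although the method serves `readResolve` as well.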
/*
* Copyright (c) 2009, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2009, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -25,6 +25,7 @@
package sun.security.ec;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.math.BigInteger;
......@@ -363,13 +364,22 @@ abstract class ECDSASignature extends SignatureSpi {
}
// Convert the DER encoding of R and S into a concatenation of R and S
private byte[] decodeSignature(byte[] signature) throws SignatureException {
private byte[] decodeSignature(byte[] sig) throws SignatureException {
try {
DerInputStream in = new DerInputStream(signature);
// Enforce strict DER checking for signatures
DerInputStream in = new DerInputStream(sig, 0, sig.length, false);
DerValue[] values = in.getSequence(2);
// check number of components in the read sequence
// and trailing data
if ((values.length != 2) || (in.available() != 0)) {
throw new IOException("Invalid encoding for signature");
}
BigInteger r = values[0].getPositiveBigInteger();
BigInteger s = values[1].getPositiveBigInteger();
// trim leading zeroes
byte[] rBytes = trimZeroes(r.toByteArray());
byte[] sBytes = trimZeroes(s.toByteArray());
......@@ -383,7 +393,7 @@ abstract class ECDSASignature extends SignatureSpi {
return result;
} catch (Exception e) {
throw new SignatureException("Could not decode signature", e);
throw new SignatureException("Invalid encoding for signature", e);
}
}
......
......@@ -498,6 +498,23 @@ public class SignerInfo implements DerEncoder {
return unauthenticatedAttributes;
}
/**
* Returns the timestamp PKCS7 data unverified.
* @return a PKCS7 object
*/
public PKCS7 getTsToken() throws IOException {
if (unauthenticatedAttributes == null) {
return null;
}
PKCS9Attribute tsTokenAttr =
unauthenticatedAttributes.getAttribute(
PKCS9Attribute.SIGNATURE_TIMESTAMP_TOKEN_OID);
if (tsTokenAttr == null) {
return null;
}
return new PKCS7((byte[])tsTokenAttr.getValue());
}
/*
* Extracts a timestamp from a PKCS7 SignerInfo.
*
......@@ -525,19 +542,12 @@ public class SignerInfo implements DerEncoder {
if (timestamp != null || !hasTimestamp)
return timestamp;
if (unauthenticatedAttributes == null) {
hasTimestamp = false;
return null;
}
PKCS9Attribute tsTokenAttr =
unauthenticatedAttributes.getAttribute(
PKCS9Attribute.SIGNATURE_TIMESTAMP_TOKEN_OID);
if (tsTokenAttr == null) {
PKCS7 tsToken = getTsToken();
if (tsToken == null) {
hasTimestamp = false;
return null;
}
PKCS7 tsToken = new PKCS7((byte[])tsTokenAttr.getValue());
// Extract the content (an encoded timestamp token info)
byte[] encTsTokenInfo = tsToken.getContentInfo().getData();
// Extract the signer (the Timestamping Authority)
......
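Review bot: The Javadoc for the new public `getTsToken()` says only that the data is "unverified" and leaves out that the method returns null when there are no unauthenticated attributes or no timestamp-token attribute. The token is read from unauthenticated attributes, so the comment should tell callers that nothing in it has been checked. Proposed tags are `@return the timestamp token as a PKCS7 object, not verified in any way, or null if no timestamp token attribute is present` and `@throws IOException if the attribute value cannot be parsed` (the exception presumably comes from the `PKCS7` constructor). The timestamp-extraction method that now calls it continues outside the hunk.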
/*
* Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -705,12 +705,21 @@ final class P11Signature extends SignatureSpi {
}
}
private static byte[] asn1ToDSA(byte[] signature) throws SignatureException {
private static byte[] asn1ToDSA(byte[] sig) throws SignatureException {
try {
DerInputStream in = new DerInputStream(signature);
// Enforce strict DER checking for signatures
DerInputStream in = new DerInputStream(sig, 0, sig.length, false);
DerValue[] values = in.getSequence(2);
// check number of components in the read sequence
// and trailing data
if ((values.length != 2) || (in.available() != 0)) {
throw new IOException("Invalid encoding for signature");
}
BigInteger r = values[0].getPositiveBigInteger();
BigInteger s = values[1].getPositiveBigInteger();
byte[] br = toByteArray(r, 20);
byte[] bs = toByteArray(s, 20);
if ((br == null) || (bs == null)) {
......@@ -720,16 +729,25 @@ final class P11Signature extends SignatureSpi {
} catch (SignatureException e) {
throw e;
} catch (Exception e) {
throw new SignatureException("invalid encoding for signature", e);
throw new SignatureException("Invalid encoding for signature", e);
}
}
private byte[] asn1ToECDSA(byte[] signature) throws SignatureException {
private byte[] asn1ToECDSA(byte[] sig) throws SignatureException {
try {
DerInputStream in = new DerInputStream(signature);
// Enforce strict DER checking for signatures
DerInputStream in = new DerInputStream(sig, 0, sig.length, false);
DerValue[] values = in.getSequence(2);
// check number of components in the read sequence
// and trailing data
if ((values.length != 2) || (in.available() != 0)) {
throw new IOException("Invalid encoding for signature");
}
BigInteger r = values[0].getPositiveBigInteger();
BigInteger s = values[1].getPositiveBigInteger();
// trim leading zeroes
byte[] br = KeyUtil.trimZeroes(r.toByteArray());
byte[] bs = KeyUtil.trimZeroes(s.toByteArray());
......@@ -740,7 +758,7 @@ final class P11Signature extends SignatureSpi {
System.arraycopy(bs, 0, res, res.length - bs.length, bs.length);
return res;
} catch (Exception e) {
throw new SignatureException("invalid encoding for signature", e);
throw new SignatureException("Invalid encoding for signature", e);
}
}
......
/*
* Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -267,14 +267,20 @@ abstract class DSA extends SignatureSpi {
BigInteger s = null;
// first decode the signature.
try {
DerInputStream in = new DerInputStream(signature, offset, length);
// Enforce strict DER checking for signatures
DerInputStream in =
new DerInputStream(signature, offset, length, false);
DerValue[] values = in.getSequence(2);
// check number of components in the read sequence
// and trailing data
if ((values.length != 2) || (in.available() != 0)) {
throw new IOException("Invalid encoding for signature");
}
r = values[0].getBigInteger();
s = values[1].getBigInteger();
} catch (IOException e) {
throw new SignatureException("invalid encoding for signature");
throw new SignatureException("Invalid encoding for signature", e);
}
// some implementations do not correctly encode values in the ASN.1
......@@ -366,13 +372,49 @@ abstract class DSA extends SignatureSpi {
return t5.mod(q);
}
// NOTE: This following impl is defined in FIPS 186-4 AppendixB.2.1.
protected BigInteger generateK(BigInteger q) {
// Implementation defined in FIPS 186-4 AppendixB.2.1.
SecureRandom random = getSigningRandom();
byte[] kValue = new byte[(q.bitLength() + 7)/8 + 8];
random.nextBytes(kValue);
return new BigInteger(1, kValue).mod(q.subtract(BigInteger.ONE)).add(BigInteger.ONE);
BigInteger k = new BigInteger(1, kValue).mod(
q.subtract(BigInteger.ONE)).add(BigInteger.ONE);
// Using an equivalent exponent of fixed length (same as q or 1 bit
// less than q) to keep the kG timing relatively constant.
//
// Note that this is an extra step on top of the approach defined in
// FIPS 186-4 AppendixB.2.1 so as to make a fixed length K.
k = k.add(q).divide(BigInteger.valueOf(2));
// An alternative implementation based on FIPS 186-4 AppendixB2.2
// with fixed-length K.
//
// Please keep it here as we may need to switch to it in the future.
//
// SecureRandom random = getSigningRandom();
// byte[] kValue = new byte[(q.bitLength() + 7)/8];
// BigInteger d = q.subtract(BigInteger.TWO);
// BigInteger k;
// do {
// random.nextBytes(kValue);
// BigInteger c = new BigInteger(1, kValue);
// if (c.compareTo(d) <= 0) {
// k = c.add(BigInteger.ONE);
// // Using an equivalent exponent of fixed length to keep
// // the g^k timing relatively constant.
// //
// // Note that this is an extra step on top of the approach
// // defined in FIPS 186-4 AppendixB.2.2 so as to make a
// // fixed length K.
// if (k.bitLength() >= q.bitLength()) {
// break;
// }
// }
// } while (true);
return k;
}
// Use the application-specified SecureRandom Object if provided.
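Review bot: The comment above `k = k.add(q).divide(BigInteger.valueOf(2));` in generateK calls the result an "equivalent exponent", but halving k + q gives a different value, not one congruent to the original k modulo q: for k in [1, q-1] it lands in about [(q+1)/2, q-1]. That does fix the bit length as intended, but it also draws the per-signature secret from roughly half of the range that the FIPS 186-4 B.2.1 step produced, and the comment should say so to let a later reader judge the trade-off. I would reword it along the lines of `// Remap k into the upper half of [1, q-1] so its bit length is q.bitLength() or one less; this narrows the range of k by about one bit.` The commented-out B.2.2 alternative also uses `BigInteger.TWO`, which to my knowledge is not a public constant in Java 8 and should be checked before anyone re-enables that block.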
......
......@@ -29,7 +29,6 @@ import java.security.AlgorithmConstraints;
import java.security.CryptoPrimitive;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Set;
import java.util.EnumSet;
import java.math.BigInteger;
......@@ -60,7 +59,7 @@ import sun.security.x509.X509CRLImpl;
import sun.security.x509.AlgorithmId;
/**
* A {@code PKIXCertPathChecker} implementation to check whether a
* A <code>PKIXCertPathChecker</code> implementation to check whether a
* specified certificate contains the required algorithm constraints.
* <p>
* Certificate fields such as the subject public key, the signature
......@@ -75,7 +74,6 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
private final AlgorithmConstraints constraints;
private final PublicKey trustedPubKey;
private final Date pkixdate;
private PublicKey prevPubKey;
private final static Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET =
......@@ -101,7 +99,7 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
private boolean trustedMatch = false;
/**
* Create a new {@code AlgorithmChecker} with the algorithm
* Create a new <code>AlgorithmChecker</code> with the algorithm
* constraints specified in security property
* "jdk.certpath.disabledAlgorithms".
*
......@@ -109,26 +107,11 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
* certificate
*/
public AlgorithmChecker(TrustAnchor anchor) {
this(anchor, certPathDefaultConstraints, null);
this(anchor, certPathDefaultConstraints);
}
/**
* Create a new {@code AlgorithmChecker} with the
* given {@code TrustAnchor} and {@code AlgorithmConstraints}.
*
* @param anchor the trust anchor selected to validate the target
* certificate
* @param constraints the algorithm constraints (or null)
*
* @throws IllegalArgumentException if the {@code anchor} is null
*/
public AlgorithmChecker(TrustAnchor anchor,
AlgorithmConstraints constraints) {
this(anchor, constraints, null);
}
/**
* Create a new {@code AlgorithmChecker} with the
* Create a new <code>AlgorithmChecker</code> with the
* given {@code AlgorithmConstraints}.
* <p>
* Note that this constructor will be used to check a certification
......@@ -141,24 +124,20 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
this.prevPubKey = null;
this.trustedPubKey = null;
this.constraints = constraints;
this.pkixdate = null;
}
/**
* Create a new {@code AlgorithmChecker} with the
* given {@code TrustAnchor} and {@code AlgorithmConstraints}.
* Create a new <code>AlgorithmChecker</code> with the
* given <code>TrustAnchor</code> and <code>AlgorithmConstraints</code>.
*
* @param anchor the trust anchor selected to validate the target
* certificate
* @param constraints the algorithm constraints (or null)
* @param pkixdate Date the constraints are checked against. The value is
* either the PKIXParameter date or null for the current date.
*
* @throws IllegalArgumentException if the {@code anchor} is null
* @throws IllegalArgumentException if the <code>anchor</code> is null
*/
public AlgorithmChecker(TrustAnchor anchor,
AlgorithmConstraints constraints,
Date pkixdate) {
AlgorithmConstraints constraints) {
if (anchor == null) {
throw new IllegalArgumentException(
......@@ -178,22 +157,6 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
this.prevPubKey = trustedPubKey;
this.constraints = constraints;
this.pkixdate = pkixdate;
}
/**
* Create a new {@code AlgorithmChecker} with the
* given {@code TrustAnchor} and {@code PKIXParameter} date.
*
* @param anchor the trust anchor selected to validate the target
* certificate
* @param pkixdate Date the constraints are checked against. The value is
* either the PKIXParameter date or null for the current date.
*
* @throws IllegalArgumentException if the {@code anchor} is null
*/
public AlgorithmChecker(TrustAnchor anchor, Date pkixdate) {
this(anchor, certPathDefaultConstraints, pkixdate);
}
// Check this 'cert' for restrictions in the AnchorCertificates
......@@ -292,16 +255,17 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
PublicKey currPubKey = cert.getPublicKey();
// Check against DisabledAlgorithmConstraints certpath constraints.
// permits() will throw exception on failure.
certPathDefaultConstraints.permits(primitives,
if (constraints instanceof DisabledAlgorithmConstraints) {
// Check against DisabledAlgorithmConstraints certpath constraints.
// permits() will throw exception on failure.
((DisabledAlgorithmConstraints)constraints).permits(primitives,
new CertConstraintParameters((X509Certificate)cert,
trustedMatch, pkixdate));
// new CertConstraintParameters(x509Cert, trustedMatch));
// If there is no previous key, set one and exit
if (prevPubKey == null) {
prevPubKey = currPubKey;
return;
trustedMatch));
// If there is no previous key, set one and exit
if (prevPubKey == null) {
prevPubKey = currPubKey;
return;
}
}
X509CertImpl x509Cert;
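Review bot: The early return for `prevPubKey == null` now sits inside the `constraints instanceof DisabledAlgorithmConstraints` branch, so for any other AlgorithmConstraints (the constructor documents "the algorithm constraints (or null)") the first certificate is neither checked by permits() here nor short-circuited, and falls through to the code after the hunk. Whether that later code copes with a null prevPubKey and applies `constraints` itself cannot be seen here, because check() continues outside the hunk. The call also no longer goes through `certPathDefaultConstraints`, so the jdk.certpath.disabledAlgorithms check at this point runs only when the caller's constraints object is of that class. I would add a comment after the block such as `// Other AlgorithmConstraints implementations are evaluated below; prevPubKey may still be null at this point.`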
......
......@@ -172,7 +172,7 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi {
List<PKIXCertPathChecker> certPathCheckers = new ArrayList<>();
// add standard checkers that we will be using
certPathCheckers.add(untrustedChecker);
certPathCheckers.add(new AlgorithmChecker(anchor, params.date()));
certPathCheckers.add(new AlgorithmChecker(anchor));
certPathCheckers.add(new KeyChecker(certPathLen,
params.targetCertConstraints()));
certPathCheckers.add(new ConstraintsChecker(certPathLen));
......
......@@ -343,8 +343,7 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi {
checkers.add(policyChecker);
// add the algorithm checker
checkers.add(new AlgorithmChecker(builder.trustAnchor,
buildParams.date()));
checkers.add(new AlgorithmChecker(builder.trustAnchor));
BasicChecker basicChecker = null;
if (nextState.keyParamsNeeded()) {
......
......@@ -223,9 +223,10 @@ public abstract class RSASignature extends SignatureSpi {
* Decode the signature data. Verify that the object identifier matches
* and return the message digest.
*/
public static byte[] decodeSignature(ObjectIdentifier oid, byte[] signature)
public static byte[] decodeSignature(ObjectIdentifier oid, byte[] sig)
throws IOException {
DerInputStream in = new DerInputStream(signature);
// Enforce strict DER checking for signatures
DerInputStream in = new DerInputStream(sig, 0, sig.length, false);
DerValue[] values = in.getSequence(2);
if ((values.length != 2) || (in.available() != 0)) {
throw new IOException("SEQUENCE length error");
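Review bot: The Javadoc of decodeSignature still says only that it decodes the data and checks the object identifier, while the new `new DerInputStream(sig, 0, sig.length, false)` makes it reject indefinite-length encodings with an IOException. Callers of this public static method cannot learn that from the documentation. I would add a line to the comment, for example `* Indefinite-length (BER) encodings are rejected with an IOException.` The method body continues past the end of the hunk.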
......
......@@ -1026,11 +1026,18 @@ final class ServerHandshaker extends Handshaker {
if (trySetCipherSuite(suite) == false) {
continue;
}
if (debug != null && Debug.isOn("handshake")) {
System.out.println("Standard ciphersuite chosen: " + suite);
}
return;
}
for (CipherSuite suite : legacySuites) {
if (trySetCipherSuite(suite)) {
if (debug != null && Debug.isOn("handshake")) {
System.out.println("Legacy ciphersuite chosen: " + suite);
}
return;
}
}
......
......@@ -280,7 +280,7 @@ final class SupportedEllipticCurvesExtension extends HelloExtension {
private static int getPreferredCurve(int[] curves,
AlgorithmConstraints constraints) {
for (int curveId : curves) {
if (constraints.permits(
if (isSupported(curveId) && constraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
"EC", idToParams.get(curveId))) {
return curveId;
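Review bot: The added `isSupported(curveId)` guard has no comment saying what it protects. `idToParams.get(curveId)` is passed straight into `constraints.permits(...)`, so presumably the guard keeps a curve id with no entry in idToParams from reaching permits() with null parameters. If that is the intent, state it next to the condition, e.g. `// skip ids we have no parameters for before consulting the constraints`. getPreferredCurve continues outside the hunk.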
......
......@@ -53,6 +53,9 @@ import java.security.cert.CertificateNotYetValidException;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.util.Map.Entry;
import sun.security.pkcs.PKCS7;
import sun.security.pkcs.SignerInfo;
import sun.security.timestamp.TimestampToken;
import sun.security.tools.KeyStoreUtil;
import sun.security.tools.PathList;
import sun.security.x509.*;
......@@ -97,6 +100,15 @@ public class Main {
private static final long SIX_MONTHS = 180*24*60*60*1000L; //milliseconds
private static final DisabledAlgorithmConstraints DISABLED_CHECK =
new DisabledAlgorithmConstraints(
DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS);
private static final Set<CryptoPrimitive> DIGEST_PRIMITIVE_SET = Collections
.unmodifiableSet(EnumSet.of(CryptoPrimitive.MESSAGE_DIGEST));
private static final Set<CryptoPrimitive> SIG_PRIMITIVE_SET = Collections
.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
// Attention:
// This is the entry that get launched by the security tool jarsigner.
public static void main(String args[]) throws Exception {
......@@ -172,6 +184,8 @@ public class Main {
private boolean badExtendedKeyUsage = false;
private boolean badNetscapeCertType = false;
private boolean seeWeak = false;
CertificateFactory certificateFactory;
CertPathValidator validator;
PKIXParameters pkixParameters;
......@@ -577,6 +591,10 @@ public class Main {
{
boolean anySigned = false; // if there exists entry inside jar signed
JarFile jf = null;
Map<String,String> digestMap = new HashMap<>();
Map<String,PKCS7> sigMap = new HashMap<>();
Map<String,String> sigNameMap = new HashMap<>();
Map<String,String> unparsableSignatures = new HashMap<>();
try {
jf = new JarFile(jarName, true);
......@@ -587,17 +605,44 @@ public class Main {
while (entries.hasMoreElements()) {
JarEntry je = entries.nextElement();
entriesVec.addElement(je);
InputStream is = null;
try (InputStream is = jf.getInputStream(je)) {
String name = je.getName();
if (signatureRelated(name)
&& SignatureFileVerifier.isBlockOrSF(name)) {
String alias = name.substring(name.lastIndexOf('/') + 1,
name.lastIndexOf('.'));
try {
is = jf.getInputStream(je);
int n;
while ((n = is.read(buffer, 0, buffer.length)) != -1) {
if (name.endsWith(".SF")) {
Manifest sf = new Manifest(is);
boolean found = false;
for (Object obj : sf.getMainAttributes().keySet()) {
String key = obj.toString();
if (key.endsWith("-Digest-Manifest")) {
digestMap.put(alias,
key.substring(0, key.length() - 16));
found = true;
break;
}
}
if (!found) {
unparsableSignatures.putIfAbsent(alias,
String.format(
rb.getString("history.unparsable"),
name));
}
} else {
sigNameMap.put(alias, name);
sigMap.put(alias, new PKCS7(is));
}
} catch (IOException ioe) {
unparsableSignatures.putIfAbsent(alias, String.format(
rb.getString("history.unparsable"), name));
}
} else {
while (is.read(buffer, 0, buffer.length) != -1) {
// we just read. this will throw a SecurityException
// if a signature/digest check fails.
}
} finally {
if (is != null) {
is.close();
}
}
}
......@@ -756,13 +801,106 @@ public class Main {
System.out.println(rb.getString(
".X.not.signed.by.specified.alias.es."));
}
System.out.println();
}
if (man == null)
if (man == null) {
System.out.println();
System.out.println(rb.getString("no.manifest."));
}
// Even if the verbose option is not specified, all out strings
// must be generated so seeWeak can be updated.
if (!digestMap.isEmpty()
|| !sigMap.isEmpty()
|| !unparsableSignatures.isEmpty()) {
if (verbose != null) {
System.out.println();
}
for (String s : sigMap.keySet()) {
if (!digestMap.containsKey(s)) {
unparsableSignatures.putIfAbsent(s, String.format(
rb.getString("history.nosf"), s));
}
}
for (String s : digestMap.keySet()) {
PKCS7 p7 = sigMap.get(s);
if (p7 != null) {
String history;
try {
SignerInfo si = p7.getSignerInfos()[0];
X509Certificate signer = si.getCertificate(p7);
String digestAlg = digestMap.get(s);
String sigAlg = AlgorithmId.makeSigAlg(
si.getDigestAlgorithmId().getName(),
si.getDigestEncryptionAlgorithmId().getName());
PublicKey key = signer.getPublicKey();
PKCS7 tsToken = si.getTsToken();
if (tsToken != null) {
SignerInfo tsSi = tsToken.getSignerInfos()[0];
X509Certificate tsSigner = tsSi.getCertificate(tsToken);
byte[] encTsTokenInfo = tsToken.getContentInfo().getData();
TimestampToken tsTokenInfo = new TimestampToken(encTsTokenInfo);
PublicKey tsKey = tsSigner.getPublicKey();
String tsDigestAlg = tsTokenInfo.getHashAlgorithm().getName();
String tsSigAlg = AlgorithmId.makeSigAlg(
tsSi.getDigestAlgorithmId().getName(),
tsSi.getDigestEncryptionAlgorithmId().getName());
Calendar c = Calendar.getInstance(
TimeZone.getTimeZone("UTC"),
Locale.getDefault(Locale.Category.FORMAT));
c.setTime(tsTokenInfo.getDate());
history = String.format(
rb.getString("history.with.ts"),
signer.getSubjectX500Principal(),
withWeak(digestAlg, DIGEST_PRIMITIVE_SET),
withWeak(sigAlg, SIG_PRIMITIVE_SET),
withWeak(key),
c,
tsSigner.getSubjectX500Principal(),
withWeak(tsDigestAlg, DIGEST_PRIMITIVE_SET),
withWeak(tsSigAlg, SIG_PRIMITIVE_SET),
withWeak(tsKey));
} else {
history = String.format(
rb.getString("history.without.ts"),
signer.getSubjectX500Principal(),
withWeak(digestAlg, DIGEST_PRIMITIVE_SET),
withWeak(sigAlg, SIG_PRIMITIVE_SET),
withWeak(key));
}
} catch (Exception e) {
// The only usage of sigNameMap, remember the name
// of the block file if it's invalid.
history = String.format(
rb.getString("history.unparsable"),
sigNameMap.get(s));
}
if (verbose != null) {
System.out.println(history);
}
} else {
unparsableSignatures.putIfAbsent(s, String.format(
rb.getString("history.nobk"), s));
}
}
if (verbose != null) {
for (String s : unparsableSignatures.keySet()) {
System.out.println(unparsableSignatures.get(s));
}
}
}
System.out.println();
if (!anySigned) {
if (hasSignature) {
if (seeWeak) {
if (verbose != null) {
System.out.println(rb.getString("jar.treated.unsigned.see.weak.verbose"));
System.out.println("\n " +
DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS +
"=" + Security.getProperty(DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS));
} else {
System.out.println(rb.getString("jar.treated.unsigned.see.weak"));
}
} else if (hasSignature) {
System.out.println(rb.getString("jar.treated.unsigned"));
} else {
System.out.println(rb.getString("jar.is.unsigned"));
......@@ -869,6 +1007,26 @@ public class Main {
System.exit(1);
}
private String withWeak(String alg, Set<CryptoPrimitive> primitiveSet) {
if (DISABLED_CHECK.permits(primitiveSet, alg, null)) {
return alg;
} else {
seeWeak = true;
return String.format(rb.getString("with.weak"), alg);
}
}
private String withWeak(PublicKey key) {
if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
return String.format(
rb.getString("key.bit"), KeyUtil.getKeySize(key));
} else {
seeWeak = true;
return String.format(
rb.getString("key.bit.weak"), KeyUtil.getKeySize(key));
}
}
private static MessageFormat validityTimeForm = null;
private static MessageFormat notYetTimeForm = null;
private static MessageFormat expiredTimeForm = null;
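Review bot: The history loop inspects only the first SignerInfo of each block (`p7.getSignerInfos()[0]`, and `tsToken.getSignerInfos()[0]` for the timestamp), so algorithms used by any further SignerInfo never pass through withWeak() and cannot set seeWeak. An empty or null array lands in the broad `catch (Exception e)` and is printed as "unparsable" with the cause dropped, which makes it hard to tell a malformed block from an unexpected one when diagnosing a jar. If reporting the first signer only is intended, a comment such as `// Only the first SignerInfo is reported; additional signers in the block are not checked for weak algorithms` would make the limit explicit. The enclosing method starts and ends outside these hunks.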
......
......@@ -138,11 +138,26 @@ public class Resources extends java.util.ListResourceBundle {
{"jar.is.unsigned",
"jar is unsigned."},
{"jar.treated.unsigned",
"Signature not parsable or verifiable. The jar will be treated as unsigned. The jar may have been signed with a weak algorithm that is now disabled. For more information, rerun jarsigner with debug enabled (-J-Djava.security.debug=jar)."},
"WARNING: Signature is either not parsable or not verifiable, and the jar will be treated as unsigned. For more information, re-run jarsigner with debug enabled (-J-Djava.security.debug=jar)."},
{"jar.treated.unsigned.see.weak",
"The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled.\n\nRe-run jarsigner with the -verbose option for more details."},
{"jar.treated.unsigned.see.weak.verbose",
"WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:"},
{"jar.signed.", "jar signed."},
{"jar.signed.with.signer.errors.", "jar signed, with signer errors."},
{"jar.verified.", "jar verified."},
{"jar.verified.with.signer.errors.", "jar verified, with signer errors."},
{"history.with.ts", "- Signed by \"%1$s\"\n Digest algorithm: %2$s\n Signature algorithm: %3$s, %4$s\n Timestamped by \"%6$s\" on %5$tc\n Timestamp digest algorithm: %7$s\n Timestamp signature algorithm: %8$s, %9$s"},
{"history.without.ts", "- Signed by \"%1$s\"\n Digest algorithm: %2$s\n Signature algorithm: %3$s, %4$s"},
{"history.unparsable", "- Unparsable signature-related file %s"},
{"history.nosf", "- Missing signature-related file META-INF/%s.SF"},
{"history.nobk", "- Missing block file for signature-related file META-INF/%s.SF"},
{"with.weak", "%s (weak)"},
{"key.bit", "%d-bit key"},
{"key.bit.weak", "%d-bit key (weak)"},
{"jarsigner.", "jarsigner: "},
{"signature.filename.must.consist.of.the.following.characters.A.Z.0.9.or.",
"signature filename must consist of the following characters: A-Z, 0-9, _ or -"},
......
......@@ -135,12 +135,29 @@ public class Resources_ja extends java.util.ListResourceBundle {
{"no.manifest.", "\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u306F\u5B58\u5728\u3057\u307E\u305B\u3093\u3002"},
{".Signature.related.entries.","(\u30B7\u30B0\u30CD\u30C1\u30E3\u95A2\u9023\u30A8\u30F3\u30C8\u30EA)"},
{".Unsigned.entries.", "(\u672A\u7F72\u540D\u306E\u30A8\u30F3\u30C8\u30EA)"},
{"jar.is.unsigned.signatures.missing.or.not.parsable.",
"jar\u306F\u7F72\u540D\u3055\u308C\u3066\u3044\u307E\u305B\u3093\u3002(\u30B7\u30B0\u30CD\u30C1\u30E3\u304C\u898B\u3064\u304B\u3089\u306A\u3044\u304B\u3001\u69CB\u6587\u89E3\u6790\u3067\u304D\u307E\u305B\u3093)"},
{"jar.is.unsigned",
"jar\u306F\u7F72\u540D\u3055\u308C\u3066\u3044\u307E\u305B\u3093\u3002"},
{"jar.treated.unsigned",
"\u8B66\u544A: \u7F72\u540D\u304C\u69CB\u6587\u89E3\u6790\u3067\u304D\u306A\u3044\u304B\u691C\u8A3C\u3067\u304D\u306A\u3044\u305F\u3081\u3001\u3053\u306Ejar\u306F\u672A\u7F72\u540D\u3068\u3057\u3066\u6271\u308F\u308C\u307E\u3059\u3002\u8A73\u7D30\u306F\u3001\u30C7\u30D0\u30C3\u30B0\u3092\u6709\u52B9\u306B\u3057\u3066(-J-Djava.security.debug=jar) jarsigner\u3092\u518D\u5B9F\u884C\u3057\u3066\u304F\u3060\u3055\u3044\u3002"},
{"jar.treated.unsigned.see.weak",
"\u3053\u306Ejar\u306F\u3001\u73FE\u5728\u7121\u52B9\u306B\u306A\u3063\u3066\u3044\u308B\u5F31\u3044\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0\u3067\u7F72\u540D\u3055\u308C\u3066\u3044\u308B\u305F\u3081\u3001\u672A\u7F72\u540D\u3068\u3057\u3066\u6271\u308F\u308C\u307E\u3059\u3002\n\n\u8A73\u7D30\u306F\u3001-verbose\u30AA\u30D7\u30B7\u30E7\u30F3\u3092\u4F7F\u7528\u3057\u3066jarsigner\u3092\u518D\u5B9F\u884C\u3057\u3066\u304F\u3060\u3055\u3044\u3002"},
{"jar.treated.unsigned.see.weak.verbose",
"\u8B66\u544A: \u3053\u306Ejar\u306F\u3001\u30BB\u30AD\u30E5\u30EA\u30C6\u30A3\u30FB\u30D7\u30ED\u30D1\u30C6\u30A3\u306B\u3088\u3063\u3066\u73FE\u5728\u7121\u52B9\u306B\u306A\u3063\u3066\u3044\u308B\u5F31\u3044\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0\u3067\u7F72\u540D\u3055\u308C\u3066\u3044\u308B\u305F\u3081\u3001\u672A\u7F72\u540D\u3068\u3057\u3066\u6271\u308F\u308C\u307E\u3059:"},
{"jar.signed.", "jar\u306F\u7F72\u540D\u3055\u308C\u307E\u3057\u305F\u3002"},
{"jar.signed.with.signer.errors.", "jar\u306F\u7F72\u540D\u3055\u308C\u307E\u3057\u305F - \u7F72\u540D\u8005\u30A8\u30E9\u30FC\u304C\u3042\u308A\u307E\u3059\u3002"},
{"jar.verified.", "jar\u304C\u691C\u8A3C\u3055\u308C\u307E\u3057\u305F\u3002"},
{"jar.verified.with.signer.errors.", "jar\u306F\u691C\u8A3C\u3055\u308C\u307E\u3057\u305F - \u7F72\u540D\u8005\u30A8\u30E9\u30FC\u304C\u3042\u308A\u307E\u3059\u3002"},
{"history.with.ts", "- \u7F72\u540D\u8005: \"%1$s\"\n \u30C0\u30A4\u30B8\u30A7\u30B9\u30C8\u30FB\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0: %2$s\n \u7F72\u540D\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0: %3$s\u3001%4$s\n \u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u4ED8\u52A0\u8005: \"%6$s\" \u65E5\u6642: %5$tc\n \u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u306E\u30C0\u30A4\u30B8\u30A7\u30B9\u30C8\u30FB\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0: %7$s\n \u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u306E\u7F72\u540D\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0: %8$s\u3001%9$s"},
{"history.without.ts", "- \u7F72\u540D\u8005: \"%1$s\"\n \u30C0\u30A4\u30B8\u30A7\u30B9\u30C8\u30FB\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0: %2$s\n \u7F72\u540D\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0: %3$s\u3001%4$s"},
{"history.unparsable", "- \u7F72\u540D\u95A2\u9023\u30D5\u30A1\u30A4\u30EB%s\u3092\u89E3\u6790\u3067\u304D\u307E\u305B\u3093"},
{"history.nosf", "- \u7F72\u540D\u95A2\u9023\u30D5\u30A1\u30A4\u30EBMETA-INF/%s.SF\u304C\u3042\u308A\u307E\u305B\u3093"},
{"history.nobk", "- \u7F72\u540D\u95A2\u9023\u30D5\u30A1\u30A4\u30EBMETA-INF/%s.SF\u306E\u30D6\u30ED\u30C3\u30AF\u30FB\u30D5\u30A1\u30A4\u30EB\u304C\u3042\u308A\u307E\u305B\u3093"},
{"with.weak", "%s (\u5F31)"},
{"key.bit", "%d\u30D3\u30C3\u30C8\u9375"},
{"key.bit.weak", "%d\u30D3\u30C3\u30C8\u9375(\u5F31)"},
{"jarsigner.", "jarsigner: "},
{"signature.filename.must.consist.of.the.following.characters.A.Z.0.9.or.",
"\u30B7\u30B0\u30CD\u30C1\u30E3\u306E\u30D5\u30A1\u30A4\u30EB\u540D\u306B\u4F7F\u7528\u3067\u304D\u308B\u6587\u5B57\u306F\u3001A-Z\u30010-9\u3001_\u3001- \u306E\u307F\u3067\u3059\u3002"},
......
......@@ -135,12 +135,29 @@ public class Resources_zh_CN extends java.util.ListResourceBundle {
{"no.manifest.", "\u6CA1\u6709\u6E05\u5355\u3002"},
{".Signature.related.entries.","(\u4E0E\u7B7E\u540D\u76F8\u5173\u7684\u6761\u76EE)"},
{".Unsigned.entries.", "(\u672A\u7B7E\u540D\u6761\u76EE)"},
{"jar.is.unsigned.signatures.missing.or.not.parsable.",
"jar \u672A\u7B7E\u540D\u3002(\u7F3A\u5C11\u7B7E\u540D\u6216\u65E0\u6CD5\u89E3\u6790\u7B7E\u540D)"},
{"jar.is.unsigned",
"jar \u672A\u7B7E\u540D\u3002"},
{"jar.treated.unsigned",
"\u8B66\u544A: \u7B7E\u540D\u65E0\u6CD5\u89E3\u6790\u6216\u9A8C\u8BC1, \u8BE5 jar \u5C06\u88AB\u89C6\u4E3A\u672A\u7B7E\u540D\u3002\u6709\u5173\u8BE6\u7EC6\u4FE1\u606F, \u8BF7\u5728\u542F\u7528\u8C03\u8BD5\u7684\u60C5\u51B5\u4E0B\u91CD\u65B0\u8FD0\u884C jarsigner (-J-Djava.security.debug=jar)\u3002"},
{"jar.treated.unsigned.see.weak",
"\u7531\u4E8E\u8BE5 jar \u662F\u4F7F\u7528\u76EE\u524D\u5DF2\u7981\u7528\u7684\u5F31\u7B97\u6CD5\u7B7E\u540D\u7684, \u56E0\u6B64\u8BE5 jar \u5C06\u88AB\u89C6\u4E3A\u672A\u7B7E\u540D\u3002\n\n\u6709\u5173\u8BE6\u7EC6\u4FE1\u606F, \u8BF7\u4F7F\u7528 -verbose \u9009\u9879\u91CD\u65B0\u8FD0\u884C jarsigner\u3002"},
{"jar.treated.unsigned.see.weak.verbose",
"\u8B66\u544A: \u7531\u4E8E\u8BE5 jar \u662F\u4F7F\u7528\u76EE\u524D\u5DF2\u7531\u5B89\u5168\u5C5E\u6027\u7981\u7528\u7684\u5F31\u7B97\u6CD5\u7B7E\u540D\u7684, \u56E0\u6B64\u8BE5 jar \u5C06\u88AB\u89C6\u4E3A\u672A\u7B7E\u540D:"},
{"jar.signed.", "jar \u5DF2\u7B7E\u540D\u3002"},
{"jar.signed.with.signer.errors.", "jar \u5DF2\u7B7E\u540D, \u4F46\u51FA\u73B0\u7B7E\u540D\u8005\u9519\u8BEF\u3002"},
{"jar.verified.", "jar \u5DF2\u9A8C\u8BC1\u3002"},
{"jar.verified.with.signer.errors.", "jar \u5DF2\u9A8C\u8BC1, \u4F46\u51FA\u73B0\u7B7E\u540D\u8005\u9519\u8BEF\u3002"},
{"history.with.ts", "- \u7531 \"%1$s\" \u7B7E\u540D\n \u6458\u8981\u7B97\u6CD5: %2$s\n \u7B7E\u540D\u7B97\u6CD5: %3$s, %4$s\n \u7531 \"%6$s\" \u4E8E %5$tc \u52A0\u65F6\u95F4\u6233\n \u65F6\u95F4\u6233\u6458\u8981\u7B97\u6CD5: %7$s\n \u65F6\u95F4\u6233\u7B7E\u540D\u7B97\u6CD5: %8$s, %9$s"},
{"history.without.ts", "- \u7531 \"%1$s\" \u7B7E\u540D\n \u6458\u8981\u7B97\u6CD5: %2$s\n \u7B7E\u540D\u7B97\u6CD5: %3$s, %4$s"},
{"history.unparsable", "- \u65E0\u6CD5\u89E3\u6790\u7684\u4E0E\u7B7E\u540D\u76F8\u5173\u7684\u6587\u4EF6 %s"},
{"history.nosf", "- \u7F3A\u5C11\u4E0E\u7B7E\u540D\u76F8\u5173\u7684\u6587\u4EF6 META-INF/%s.SF"},
{"history.nobk", "- \u4E0E\u7B7E\u540D\u76F8\u5173\u7684\u6587\u4EF6 META-INF/%s.SF \u7F3A\u5C11\u5757\u6587\u4EF6"},
{"with.weak", "%s (\u5F31)"},
{"key.bit", "%d \u4F4D\u5BC6\u94A5"},
{"key.bit.weak", "%d \u4F4D\u5BC6\u94A5 (\u5F31)"},
{"jarsigner.", "jarsigner: "},
{"signature.filename.must.consist.of.the.following.characters.A.Z.0.9.or.",
"\u7B7E\u540D\u6587\u4EF6\u540D\u5FC5\u987B\u5305\u542B\u4EE5\u4E0B\u5B57\u7B26: A-Z, 0-9, _ \u6216 -"},
......
/*
* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -43,7 +43,7 @@ public class Resources_sv extends java.util.ListResourceBundle {
{"Illegal.option.option", "Otill\u00E5tet alternativ: {0}"},
{"Usage.policytool.options.", "Syntax: policytool [alternativ]"},
{".file.file.policy.file.location",
" [-file <fil>] policyfilens plats"},
" [-file <fil>] policyfiladress"},
{"New", "&Nytt"},
{"Open", "&\u00D6ppna..."},
{"Save", "S&para"},
......
......@@ -56,7 +56,7 @@ public class AnchorCertificates {
try {
cacerts = KeyStore.getInstance("JKS");
try (FileInputStream fis = new FileInputStream(f)) {
cacerts.load(fis, "changeit".toCharArray());
cacerts.load(fis, null);
certs = new HashSet<>();
Enumeration<String> list = cacerts.aliases();
String alias;
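Review bot: Passing `null` as the password in `cacerts.load(fis, null)` means KeyStore.load performs no integrity check on the file, so the anchor set built here relies entirely on file-system protection of the keystore. The previous hard-coded "changeit" gave little real protection, so this may well be acceptable, but the choice should be documented where it is made, e.g. `// null password: no keystore integrity check; the cacerts file is trusted as installed`. The surrounding block continues outside the hunk.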
......
......@@ -26,7 +26,6 @@
package sun.security.util;
import java.security.cert.X509Certificate;
import java.util.Date;
/**
* This class is a wrapper for keeping state and passing objects between PKIX,
......@@ -35,21 +34,18 @@ import java.util.Date;
public class CertConstraintParameters {
// A certificate being passed to check against constraints.
private final X509Certificate cert;
// This is true if the trust anchor in the certificate chain matches a cert
// in AnchorCertificates
private final boolean trustedMatch;
// PKIXParameter date
private final Date pkixDate;
public CertConstraintParameters(X509Certificate c, boolean match,
Date pkixdate) {
public CertConstraintParameters(X509Certificate c, boolean match) {
cert = c;
trustedMatch = match;
pkixDate = pkixdate;
}
public CertConstraintParameters(X509Certificate c) {
this(c, false, null);
this(c, false);
}
// Returns if the trust anchor has a match if anchor checking is enabled.
......@@ -60,9 +56,4 @@ public class CertConstraintParameters {
public X509Certificate getCertificate() {
return cert;
}
public Date getPKIXParamDate() {
return pkixDate;
}
}
/*
* Copyright (c) 1996, 2006, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -147,6 +147,11 @@ class DerInputBuffer extends ByteArrayInputStream implements Cloneable {
System.arraycopy(buf, pos, bytes, 0, len);
skip(len);
// check to make sure no extra leading 0s for DER
if (len >= 2 && (bytes[0] == 0) && (bytes[1] >= 0)) {
throw new IOException("Invalid encoding: redundant leading 0s");
}
if (makePositive) {
return new BigInteger(1, bytes);
} else {
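Review bot: The new minimal-encoding check rejects only redundant leading 0x00 octets. The matching DER rule for negative integers (a leading 0xFF followed by an octet with the high bit set) is not checked, so such an encoding is still accepted when `makePositive` is false. Because the `makePositive` path reinterprets the bytes as an unsigned magnitude, the extra test belongs in the else branch only: `if (len >= 2 && bytes[0] == -1 && bytes[1] < 0) throw new IOException("Invalid encoding: redundant leading 1s");`. The method starts and ends outside the hunk, so whether a zero-length INTEGER is rejected earlier cannot be seen here.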
......
/*
* Copyright (c) 1996, 2006, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -77,7 +77,7 @@ public class DerInputStream {
* @param data the buffer from which to create the string (CONSUMED)
*/
public DerInputStream(byte[] data) throws IOException {
init(data, 0, data.length);
init(data, 0, data.length, true);
}
/**
......@@ -92,23 +92,48 @@ public class DerInputStream {
* starting at "offset"
*/
public DerInputStream(byte[] data, int offset, int len) throws IOException {
init(data, offset, len);
init(data, offset, len, true);
}
/**
* Create a DER input stream from part of a data buffer with
* additional arg to indicate whether to allow constructed
* indefinite-length encoding.
* The buffer is not copied, it is shared. Accordingly, the
* buffer should be treated as read-only.
*
* @param data the buffer from which to create the string (CONSUMED)
* @param offset the first index of <em>data</em> which will
* be read as DER input in the new stream
* @param len how long a chunk of the buffer to use,
* starting at "offset"
* @param allowIndefiniteLength whether to allow constructed
* indefinite-length encoding
*/
public DerInputStream(byte[] data, int offset, int len,
boolean allowIndefiniteLength) throws IOException {
init(data, offset, len, allowIndefiniteLength);
}
/*
* private helper routine
*/
private void init(byte[] data, int offset, int len) throws IOException {
private void init(byte[] data, int offset, int len,
boolean allowIndefiniteLength) throws IOException {
if ((offset+2 > data.length) || (offset+len > data.length)) {
throw new IOException("Encoding bytes too short");
}
// check for indefinite length encoding
if (DerIndefLenConverter.isIndefinite(data[offset+1])) {
byte[] inData = new byte[len];
System.arraycopy(data, offset, inData, 0, len);
DerIndefLenConverter derIn = new DerIndefLenConverter();
buffer = new DerInputBuffer(derIn.convert(inData));
if (!allowIndefiniteLength) {
throw new IOException("Indefinite length BER encoding found");
} else {
byte[] inData = new byte[len];
System.arraycopy(data, offset, inData, 0, len);
DerIndefLenConverter derIn = new DerIndefLenConverter();
buffer = new DerInputBuffer(derIn.convert(inData));
}
} else
buffer = new DerInputBuffer(data, offset, len);
buffer.mark(Integer.MAX_VALUE);
......@@ -233,12 +258,21 @@ public class DerInputStream {
* First byte = number of excess bits in the last octet of the
* representation.
*/
int validBits = length*8 - buffer.read();
int excessBits = buffer.read();
if (excessBits < 0) {
throw new IOException("Unused bits of bit string invalid");
}
int validBits = length*8 - excessBits;
if (validBits < 0) {
throw new IOException("Valid bits of bit string invalid");
}
byte[] repn = new byte[length];
if ((length != 0) && (buffer.read(repn) != length))
throw new IOException("short read of DER bit string");
if ((length != 0) && (buffer.read(repn) != length)) {
throw new IOException("Short read of DER bit string");
}
return new BitArray(validBits, repn);
}
......@@ -252,7 +286,7 @@ public class DerInputStream {
int length = getLength(buffer);
byte[] retval = new byte[length];
if ((length != 0) && (buffer.read(retval) != length))
throw new IOException("short read of DER octet string");
throw new IOException("Short read of DER octet string");
return retval;
}
......@@ -262,7 +296,7 @@ public class DerInputStream {
*/
public void getBytes(byte[] val) throws IOException {
if ((val.length != 0) && (buffer.read(val) != val.length)) {
throw new IOException("short read of DER octet string");
throw new IOException("Short read of DER octet string");
}
}
......@@ -346,7 +380,7 @@ public class DerInputStream {
DerInputStream newstr;
byte lenByte = (byte)buffer.read();
int len = getLength((lenByte & 0xff), buffer);
int len = getLength(lenByte, buffer);
if (len == -1) {
// indefinite length encoding found
......@@ -392,7 +426,7 @@ public class DerInputStream {
} while (newstr.available() > 0);
if (newstr.available() != 0)
throw new IOException("extra data at end of vector");
throw new IOException("Extra data at end of vector");
/*
* Now stick them into the array we're returning.
......@@ -483,7 +517,7 @@ public class DerInputStream {
int length = getLength(buffer);
byte[] retval = new byte[length];
if ((length != 0) && (buffer.read(retval) != length))
throw new IOException("short read of DER " +
throw new IOException("Short read of DER " +
stringName + " string");
return new String(retval, enc);
......@@ -544,7 +578,11 @@ public class DerInputStream {
*/
static int getLength(int lenByte, InputStream in) throws IOException {
int value, tmp;
if (lenByte == -1) {
throw new IOException("Short read of DER length");
}
String mdName = "DerInputStream.getLength(): ";
tmp = lenByte;
if ((tmp & 0x080) == 0x00) { // short form, 1 byte datum
value = tmp;
......@@ -558,17 +596,23 @@ public class DerInputStream {
if (tmp == 0)
return -1;
if (tmp < 0 || tmp > 4)
throw new IOException("DerInputStream.getLength(): lengthTag="
+ tmp + ", "
throw new IOException(mdName + "lengthTag=" + tmp + ", "
+ ((tmp < 0) ? "incorrect DER encoding." : "too big."));
for (value = 0; tmp > 0; tmp --) {
value = 0x0ff & in.read();
tmp--;
if (value == 0) {
// DER requires length value be encoded in minimum number of bytes
throw new IOException(mdName + "Redundant length bytes found");
}
while (tmp-- > 0) {
value <<= 8;
value += 0x0ff & in.read();
}
if (value < 0) {
throw new IOException("DerInputStream.getLength(): "
+ "Invalid length bytes");
throw new IOException(mdName + "Invalid length bytes");
} else if (value <= 127) {
throw new IOException(mdName + "Should use short form for length");
}
}
return value;
......
/*
* Copyright (c) 1996, 2009, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -249,7 +249,7 @@ public class DerValue {
tag = (byte)in.read();
byte lenByte = (byte)in.read();
length = DerInputStream.getLength((lenByte & 0xff), in);
length = DerInputStream.getLength(lenByte, in);
if (length == -1) { // indefinite length encoding found
DerInputBuffer inbuf = in.dup();
int readLen = inbuf.available();
......@@ -362,7 +362,7 @@ public class DerValue {
tag = (byte)in.read();
byte lenByte = (byte)in.read();
length = DerInputStream.getLength((lenByte & 0xff), in);
length = DerInputStream.getLength(lenByte, in);
if (length == -1) { // indefinite length encoding found
int readLen = in.available();
int offset = 2; // for tag and length bytes
......
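Review bot: In both constructor hunks `lenByte` is narrowed with `(byte)in.read()` before it is passed to `DerInputStream.getLength`, so a length octet of 0xFF and an end-of-stream return from `read()` both arrive as -1 now that the `& 0xff` mask is gone. The `lenByte == -1` guard this commit adds to `getLength` then reports both as "Short read of DER length", which is misleading for a malformed 0xFF octet. The `tag = (byte)in.read()` line above has no end-of-stream check at all. I would keep the `int` result, test it first and narrow afterwards, for example `int lenByte = in.read();` followed by `length = DerInputStream.getLength(lenByte, in);`, and add a comment that -1 means end of input here. Both constructors start and end outside the visible hunks, so any later use of `lenByte` as a byte needs checking.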
......@@ -31,15 +31,11 @@ import java.security.Key;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.X509Certificate;
import java.text.SimpleDateFormat;
import java.util.Calendar;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.TimeZone;
import java.util.regex.Pattern;
import java.util.regex.Matcher;
......@@ -242,8 +238,6 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
private Map<String, Set<Constraint>> constraintsMap = new HashMap<>();
private static final Pattern keySizePattern = Pattern.compile(
"keySize\\s*(<=|<|==|!=|>|>=)\\s*(\\d+)");
private static final Pattern denyAfterPattern = Pattern.compile(
"denyAfter\\s+(\\d{4})-(\\d{2})-(\\d{2})");
public Constraints(String[] constraintArray) {
for (String constraintEntry : constraintArray) {
......@@ -274,11 +268,10 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
}
// Convert constraint conditions into Constraint classes
Constraint c, lastConstraint = null;
Constraint c = null;
Constraint lastConstraint = null;
// Allow only one jdkCA entry per constraint entry
boolean jdkCALimit = false;
// Allow only one denyAfter entry per constraint entry
boolean denyAfterLimit = false;
for (String entry : policy.split("&")) {
entry = entry.trim();
......@@ -304,25 +297,6 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
}
c = new jdkCAConstraint(algorithm);
jdkCALimit = true;
} else if(matcher.usePattern(denyAfterPattern).matches()) {
if (debug != null) {
debug.println("Constraints set to denyAfter");
}
if (denyAfterLimit) {
throw new IllegalArgumentException("Only one " +
"denyAfter entry allowed in property. " +
"Constraint: " + constraintEntry);
}
int year = Integer.parseInt(matcher.group(1));
int month = Integer.parseInt(matcher.group(2));
int day = Integer.parseInt(matcher.group(3));
c = new DenyAfterConstraint(algorithm, year, month,
day);
denyAfterLimit = true;
} else {
throw new IllegalArgumentException("Error in security" +
" property. Constraint unknown: " + entry);
}
// Link multiple conditions for a single constraint
......@@ -332,7 +306,9 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
constraintsMap.putIfAbsent(algorithm,
new HashSet<>());
}
constraintsMap.get(algorithm).add(c);
if (c != null) {
constraintsMap.get(algorithm).add(c);
}
} else {
lastConstraint.nextConstraint = c;
}
......@@ -396,15 +372,7 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
}
}
/**
* This abstract Constraint class for algorithm-based checking
* may contain one or more constraints. If the '&' on the {@Security}
* property is used, multiple constraints have been grouped together
* requiring all the constraints to fail for the check to be disallowed.
*
* If the class contains multiple constraints, the next constraint
* is stored in {@code nextConstraint} in linked-list fashion.
*/
// Abstract class for algorithm constraint checking
private abstract static class Constraint {
String algorithm;
Constraint nextConstraint = null;
......@@ -440,79 +408,22 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
}
/**
* Check if an algorithm constraint is permitted with a given key.
*
* If the check inside of {@code permit()} fails, it must call
* {@code next()} with the same {@code Key} parameter passed if
* multiple constraints need to be checked.
*
* Check if an algorithm constraint permit this key to be used.
* @param key Public key
* @return 'true' if constraint is allowed, 'false' if disallowed.
* @return true if constraints do not match
*/
public boolean permits(Key key) {
return true;
}
/**
* Check if an algorithm constraint is permitted with a given
* CertConstraintParameters.
*
* If the check inside of {@code permits()} fails, it must call
* {@code next()} with the same {@code CertConstraintParameters}
* parameter passed if multiple constraints need to be checked.
*
* @param cp CertConstraintParameter containing certificate info
* @throws CertPathValidatorException if constraint disallows.
*
* Check if an algorithm constraint is permit this certificate to
* be used.
* @param cp CertificateParameter containing certificate and state info
* @return true if constraints do not match
*/
public abstract void permits(CertConstraintParameters cp)
throws CertPathValidatorException;
/**
* Recursively check if the constraints are allowed.
*
* If {@code nextConstraint} is non-null, this method will
* call {@code nextConstraint}'s {@code permits()} to check if the
* constraint is allowed or denied. If the constraint's
* {@code permits()} is allowed, this method will exit this and any
* recursive next() calls, returning 'true'. If the constraints called
* were disallowed, the last constraint will throw
* {@code CertPathValidatorException}.
*
* @param cp CertConstraintParameters
* @return 'true' if constraint allows the operation, 'false' if
* we are at the end of the constraint list or,
* {@code nextConstraint} is null.
*/
boolean next(CertConstraintParameters cp)
throws CertPathValidatorException {
if (nextConstraint != null) {
nextConstraint.permits(cp);
return true;
}
return false;
}
/**
* Recursively check if this constraint is allowed,
*
* If {@code nextConstraint} is non-null, this method will
* call {@code nextConstraint}'s {@code permit()} to check if the
* constraint is allowed or denied. If the constraint's
* {@code permit()} is allowed, this method will exit this and any
* recursive next() calls, returning 'true'. If the constraints
* called were disallowed the check will exit with 'false'.
*
* @param key Public key
* @return 'true' if constraint allows the operation, 'false' if
* the constraint denies the operation.
*/
boolean next(Key key) {
if (nextConstraint != null && nextConstraint.permits(key)) {
return true;
}
return false;
}
}
/*
......@@ -525,9 +436,9 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
}
/*
* Check if CertConstraintParameters has a trusted match, if it does
* call next() for any following constraints. If it does not, exit
* as this constraint(s) does not restrict the operation.
* Check if each constraint fails and check if there is a linked
* constraint Any permitted constraint will exit the linked list
* to allow the operation.
*/
public void permits(CertConstraintParameters cp)
throws CertPathValidatorException {
......@@ -535,9 +446,10 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
debug.println("jdkCAConstraints.permits(): " + algorithm);
}
// Check chain has a trust anchor in cacerts
// Return false if the chain has a trust anchor in cacerts
if (cp.isTrustedMatch()) {
if (next(cp)) {
if (nextConstraint != null) {
nextConstraint.permits(cp);
return;
}
throw new CertPathValidatorException(
......@@ -548,99 +460,6 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
}
}
/*
* This class handles the denyAfter constraint. The date is in the UTC/GMT
* timezone.
*/
private static class DenyAfterConstraint extends Constraint {
private Date denyAfterDate;
private static final SimpleDateFormat dateFormat =
new SimpleDateFormat("EEE, MMM d HH:mm:ss z YYYY");
DenyAfterConstraint(String algo, int year, int month, int day) {
Calendar c;
algorithm = algo;
if (debug != null) {
debug.println("DenyAfterConstraint read in as: year " +
year + ", month = " + month + ", day = " + day);
}
c = new Calendar.Builder().setTimeZone(TimeZone.getTimeZone("GMT"))
.setDate(year, month - 1, day).build();
if (year > c.getActualMaximum(Calendar.YEAR) ||
year < c.getActualMinimum(Calendar.YEAR)) {
throw new IllegalArgumentException(
"Invalid year given in constraint: " + year);
}
if ((month - 1) > c.getActualMaximum(Calendar.MONTH) ||
(month - 1) < c.getActualMinimum(Calendar.MONTH)) {
throw new IllegalArgumentException(
"Invalid month given in constraint: " + month);
}
if (day > c.getActualMaximum(Calendar.DAY_OF_MONTH) ||
day < c.getActualMinimum(Calendar.DAY_OF_MONTH)) {
throw new IllegalArgumentException(
"Invalid Day of Month given in constraint: " + day);
}
denyAfterDate = c.getTime();
if (debug != null) {
debug.println("DenyAfterConstraint date set to: " +
dateFormat.format(denyAfterDate));
}
}
/*
* Checking that the provided date is not beyond the constraint date.
* The provided date can be the PKIXParameter date if given,
* otherwise it is the current date.
*
* If the constraint disallows, call next() for any following
* constraints. Throw an exception if this is the last constraint.
*/
@Override
public void permits(CertConstraintParameters cp)
throws CertPathValidatorException {
Date currentDate;
if (cp.getPKIXParamDate() != null) {
currentDate = cp.getPKIXParamDate();
} else {
currentDate = new Date();
}
if (!denyAfterDate.after(currentDate)) {
if (next(cp)) {
return;
}
throw new CertPathValidatorException(
"denyAfter constraint check failed. " +
"Constraint date: " +
dateFormat.format(denyAfterDate) +
"; Cert date: " +
dateFormat.format(currentDate),
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
}
/*
* Return result if the constraint's date is beyond the current date
* in UTC timezone.
*/
public boolean permits(Key key) {
if (next(key)) {
return true;
}
if (debug != null) {
debug.println("DenyAfterConstraints.permits(): " + algorithm);
}
return denyAfterDate.after(new Date());
}
}
/*
* This class contains constraints dealing with the key size
......
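Review bot: An unrecognised constraint entry is no longer rejected in the `Constraints` constructor: the hunk at `@@ -304,25 +297,6 @@` drops the final `else` that threw `IllegalArgumentException` ("Constraint unknown") together with the denyAfter branch, as the 25-to-6 line count in the header leaves room for nothing else. Because `Constraint c = null;` is declared before the `for` over `policy.split("&")`, such an entry either leaves `c` null, which the new `if (c != null)` guard skips, or, when an earlier entry in the same expression matched, appears to leave `c` pointing at that earlier constraint when `lastConstraint.nextConstraint = c` runs. For a property whose purpose is to disable weak algorithms, a typo or an unsupported keyword (including `denyAfter` after this change) should fail loudly rather than be ignored. I would keep the trailing `else { throw new IllegalArgumentException("Error in security property. Constraint unknown: " + entry); }` and declare `c` inside the loop body. The constructor starts and ends outside the visible hunks, so the linking behaviour should be confirmed against the full file.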
......@@ -255,7 +255,13 @@ class ObjectIdentifier implements Serializable
+ " (tag = " + type_id + ")"
);
encoding = new byte[in.getLength()];
int len = in.getLength();
if (len > in.available()) {
throw new IOException("ObjectIdentifier() -- length exceeds" +
"data available. Length: " + len + ", Available: " +
in.available());
}
encoding = new byte[len];
in.getBytes(encoding);
check(encoding);
}
......
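Review bot: The new bounds check compares `len` only with `in.available()`, so a negative `len` still reaches `encoding = new byte[len]`. The static `DerInputStream.getLength` shown in this commit returns -1 for an indefinite-length marker; if `in.getLength()` can surface that value here, the constructor would fail with `NegativeArraySizeException` instead of the `IOException` callers expect from malformed input. I would write the guard as `if (len < 0 || len > in.available()) {`. The message also concatenates `"length exceeds" + "data available"` without a space, so it reads "exceedsdata"; `"ObjectIdentifier() -- length exceeds " +` fixes that. The constructor begins outside the hunk.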
......@@ -188,6 +188,9 @@ public final class TimeZoneNames extends TimeZoneNamesBundle {
String MHT[] = new String[] {"Marshall Islands Time", "MHT",
"Marshall Islands Summer Time", "MHST",
"Marshall Islands Time", "MHT"};
String MMT[] = new String[] {"Myanmar Time", "MMT",
"Myanmar Summer Time", "MMST",
"Myanmar Time", "MMT"};
String MSK[] = new String[] {"Moscow Standard Time", "MSK",
"Moscow Daylight Time", "MSD",
"Moscow Time", "MT"};
......@@ -683,9 +686,7 @@ public final class TimeZoneNames extends TimeZoneNamesBundle {
{"Asia/Qyzylorda", new String[] {"Qyzylorda Time", "QYZT",
"Qyzylorda Summer Time", "QYZST",
"Qyzylorda Time", "QYZT"}},
{"Asia/Rangoon", new String[] {"Myanmar Time", "MMT",
"Myanmar Summer Time", "MMST",
"Myanmar Time", "MMT"}},
{"Asia/Rangoon", MMT},
{"Asia/Riyadh", ARAST},
{"Asia/Saigon", ICT},
{"Asia/Sakhalin", new String[] {"Sakhalin Time", "SAKT",
......@@ -718,6 +719,7 @@ public final class TimeZoneNames extends TimeZoneNamesBundle {
"Vladivostok Summer Time", "VLAST",
"Vladivostok Time", "VLAT"}},
{"Asia/Yakutsk", YAKT},
{"Asia/Yangon", MMT},
{"Asia/Yekaterinburg", new String[] {"Yekaterinburg Time", "YEKT",
"Yekaterinburg Summer Time", "YEKST",
"Yekaterinburg Time", "YEKT"}},
......
......@@ -189,6 +189,9 @@ public final class TimeZoneNames_de extends TimeZoneNamesBundle {
String MHT[] = new String[] {"Marshallinseln Zeit", "MHT",
"Marshallinseln Sommerzeit", "MHST",
"Marshallinseln Zeit", "MHT"};
String MMT[] = new String[] {"Myanmar Zeit", "MMT",
"Myanmar Sommerzeit", "MMST",
"Myanmar Zeit", "MMT"};
String MSK[] = new String[] {"Moskauer Normalzeit", "MSK",
"Moskauer Sommerzeit", "MSD",
"Zeitzone f\u00FCr Moskau", "MT"};
......@@ -684,9 +687,7 @@ public final class TimeZoneNames_de extends TimeZoneNamesBundle {
{"Asia/Qyzylorda", new String[] {"Qyzylorda Zeit", "QYZT",
"Qyzylorda Sommerzeit", "QYZST",
"Qyzylorda Zeit", "QYZT"}},
{"Asia/Rangoon", new String[] {"Myanmar Zeit", "MMT",
"Myanmar Sommerzeit", "MMST",
"Myanmar Zeit", "MMT"}},
{"Asia/Rangoon", MMT},
{"Asia/Riyadh", ARAST},
{"Asia/Saigon", ICT},
{"Asia/Sakhalin", new String[] {"Sakhalin Zeit", "SAKT",
......@@ -719,6 +720,7 @@ public final class TimeZoneNames_de extends TimeZoneNamesBundle {
"Wladiwostok Sommerzeit", "VLAST",
"Wladiwostok Zeit", "VLAT"}},
{"Asia/Yakutsk", YAKT},
{"Asia/Yangon", MMT},
{"Asia/Yekaterinburg", new String[] {"Jekaterinburger Zeit", "YEKT",
"Jekaterinburger Sommerzeit", "YEKST",
"Jekaterinburger Zeit", "YEKT"}},
......
......@@ -189,6 +189,9 @@ public final class TimeZoneNames_es extends TimeZoneNamesBundle {
String MHT[] = new String[] {"Hora de las Islas Marshall", "MHT",
"Hora de verano de las Islas Marshall", "MHST",
"Hora de Islas Marshall", "MHT"};
String MMT[] = new String[] {"Hora de Myanmar", "MMT",
"Hora de verano de Myanmar", "MMST",
"Hora de Myanmar", "MMT"};
String MSK[] = new String[] {"Hora est\u00e1ndar de Mosc\u00fa", "MSK",
"Hora de verano de Mosc\u00fa", "MSD",
"Hora de Mosc\u00FA", "MT"};
......@@ -684,9 +687,7 @@ public final class TimeZoneNames_es extends TimeZoneNamesBundle {
{"Asia/Qyzylorda", new String[] {"Hora de Qyzylorda", "QYZT",
"Hora de verano de Qyzylorda", "QYZST",
"Hora de Qyzylorda", "QYZT"}},
{"Asia/Rangoon", new String[] {"Hora de Myanmar", "MMT",
"Hora de verano de Myanmar", "MMST",
"Hora de Myanmar", "MMT"}},
{"Asia/Rangoon", MMT},
{"Asia/Riyadh", ARAST},
{"Asia/Saigon", ICT},
{"Asia/Sakhalin", new String[] {"Hora de Sajalin", "SAKT",
......@@ -719,6 +720,7 @@ public final class TimeZoneNames_es extends TimeZoneNamesBundle {
"Hora de verano de Vladivostok", "VLAST",
"Hora de Vladivostok", "VLAT"}},
{"Asia/Yakutsk", YAKT},
{"Asia/Yangon", MMT},
{"Asia/Yekaterinburg", new String[] {"Hora de Ekaterinburgo", "YEKT",
"Hora de verano de Ekaterinburgo", "YEKST",
"Hora de Ekaterinburgo", "YEKT"}},
......
......@@ -189,6 +189,9 @@ public final class TimeZoneNames_fr extends TimeZoneNamesBundle {
String MHT[] = new String[] {"Heure des Iles Marshall", "MHT",
"Heure d'\u00e9t\u00e9 des Iles Marshall", "MHST",
"Heure des Iles Marshall", "MHT"};
String MMT[] = new String[] {"Heure de Myanmar", "MMT",
"Heure d'\u00e9t\u00e9 de Myanmar", "MMST",
"Heure de Myanmar", "MMT"};
String MSK[] = new String[] {"Heure standard de Moscou", "MSK",
"Heure avanc\u00e9e de Moscou", "MSD",
"Moscou", "MT"};
......@@ -684,9 +687,7 @@ public final class TimeZoneNames_fr extends TimeZoneNamesBundle {
{"Asia/Qyzylorda", new String[] {"Heure de Kyzylorda", "QYZT",
"Heure d'\u00e9t\u00e9 de Kyzylorda", "QYZST",
"Heure de Kyzylorda", "QYZT"}},
{"Asia/Rangoon", new String[] {"Heure de Myanmar", "MMT",
"Heure d'\u00e9t\u00e9 de Myanmar", "MMST",
"Heure de Myanmar", "MMT"}},
{"Asia/Rangoon", MMT},
{"Asia/Riyadh", ARAST},
{"Asia/Saigon", ICT},
{"Asia/Sakhalin", new String[] {"Heure de Sakhalin", "SAKT",
......@@ -719,6 +720,7 @@ public final class TimeZoneNames_fr extends TimeZoneNamesBundle {
"Heure d'\u00e9t\u00e9 de Vladivostok", "VLAST",
"Heure de Vladivostok", "VLAT"}},
{"Asia/Yakutsk", YAKT},
{"Asia/Yangon", MMT},
{"Asia/Yekaterinburg", new String[] {"Heure de Yekaterinburg", "YEKT",
"Heure d'\u00e9t\u00e9 de Yekaterinburg", "YEKST",
"Heure de Yekaterinburg", "YEKT"}},
......
......@@ -189,6 +189,9 @@ public final class TimeZoneNames_it extends TimeZoneNamesBundle {
String MHT[] = new String[] {"Ora delle Isole Marshall", "MHT",
"Ora estiva delle Isole Marshall", "MHST",
"Ora delle Isole Marshall", "MHT"};
String MMT[] = new String[] {"Ora della Birmania/Myanmar", "MMT",
"Ora estiva della Birmania/Myanmar", "MMST",
"Ora della Birmania/Myanmar", "MMT"};
String MSK[] = new String[] {"Ora standard di Mosca", "MSK",
"Ora legale di Mosca", "MSD",
"Ora Mosca", "MT"};
......@@ -684,9 +687,7 @@ public final class TimeZoneNames_it extends TimeZoneNamesBundle {
{"Asia/Qyzylorda", new String[] {"Ora di Qyzylorda", "QYZT",
"Ora estiva di Qyzylorda", "QYZST",
"Ora di Qyzylorda", "QYZT"}},
{"Asia/Rangoon", new String[] {"Ora della Birmania/Myanmar", "MMT",
"Ora estiva della Birmania/Myanmar", "MMST",
"Ora della Birmania/Myanmar", "MMT"}},
{"Asia/Rangoon", MMT},
{"Asia/Riyadh", ARAST},
{"Asia/Saigon", ICT},
{"Asia/Sakhalin", new String[] {"Ora di Sakhalin", "SAKT",
......@@ -719,6 +720,7 @@ public final class TimeZoneNames_it extends TimeZoneNamesBundle {
"Ora estiva di Vladivostok", "VLAST",
"Ora di Vladivostok", "VLAT"}},
{"Asia/Yakutsk", YAKT},
{"Asia/Yangon", MMT},
{"Asia/Yekaterinburg", new String[] {"Ora di Ekaterinburg", "YEKT",
"Ora estiva di Ekaterinburg", "YEKST",
"Ora di Ekaterinburg", "YEKT"}},
......
......@@ -189,6 +189,9 @@ public final class TimeZoneNames_ja extends TimeZoneNamesBundle {
String MHT[] = new String[] {"\u30de\u30fc\u30b7\u30e3\u30eb\u5cf6\u6642\u9593", "MHT",
"\u30de\u30fc\u30b7\u30e3\u30eb\u5cf6\u590f\u6642\u9593", "MHST",
"\u30DE\u30FC\u30B7\u30E3\u30EB\u8AF8\u5CF6\u6642\u9593", "MHT"};
String MMT[] = new String[] {"\u30df\u30e3\u30f3\u30de\u30fc\u6642\u9593", "MMT",
"\u30df\u30e3\u30f3\u30de\u30fc\u590f\u6642\u9593", "MMST",
"\u30DF\u30E3\u30F3\u30DE\u30FC\u6642\u9593", "MMT"};
String MSK[] = new String[] {"\u30e2\u30b9\u30af\u30ef\u6a19\u6e96\u6642", "MSK",
"\u30e2\u30b9\u30af\u30ef\u590f\u6642\u9593", "MSD",
"\u30E2\u30B9\u30AF\u30EF\u6642\u9593", "MT"};
......@@ -684,9 +687,7 @@ public final class TimeZoneNames_ja extends TimeZoneNamesBundle {
{"Asia/Qyzylorda", new String[] {"\u30ad\u30b8\u30eb\u30aa\u30eb\u30c0\u6642\u9593", "QYZT",
"\u30ad\u30b8\u30eb\u30aa\u30eb\u30c0\u590f\u6642\u9593", "QYZST",
"\u30AF\u30BA\u30ED\u30EB\u30C0\u6642\u9593", "QYZT"}},
{"Asia/Rangoon", new String[] {"\u30df\u30e3\u30f3\u30de\u30fc\u6642\u9593", "MMT",
"\u30df\u30e3\u30f3\u30de\u30fc\u590f\u6642\u9593", "MMST",
"\u30DF\u30E3\u30F3\u30DE\u30FC\u6642\u9593", "MMT"}},
{"Asia/Rangoon", MMT},
{"Asia/Riyadh", ARAST},
{"Asia/Saigon", ICT},
{"Asia/Sakhalin", new String[] {"\u6a3a\u592a\u6642\u9593", "SAKT",
......@@ -719,6 +720,7 @@ public final class TimeZoneNames_ja extends TimeZoneNamesBundle {
"\u30a6\u30e9\u30b8\u30aa\u30b9\u30c8\u30af\u590f\u6642\u9593", "VLAST",
"\u30A6\u30E9\u30B8\u30AA\u30B9\u30C8\u30AF\u6642\u9593", "VLAT"}},
{"Asia/Yakutsk", YAKT},
{"Asia/Yangon", MMT},
{"Asia/Yekaterinburg", new String[] {"\u30a8\u30ab\u30c6\u30ea\u30f3\u30d6\u30eb\u30b0\u6642\u9593", "YEKT",
"\u30a8\u30ab\u30c6\u30ea\u30f3\u30d6\u30eb\u30b0\u590f\u6642\u9593", "YEKST",
"\u30A8\u30AB\u30C6\u30EA\u30F3\u30D6\u30EB\u30AF\u6642\u9593", "YEKT"}},
......
......@@ -189,6 +189,9 @@ public final class TimeZoneNames_ko extends TimeZoneNamesBundle {
String MHT[] = new String[] {"\ub9c8\uc15c\uc81c\ub3c4 \uc2dc\uac04", "MHT",
"\ub9c8\uc15c\uc81c\ub3c4 \uc77c\uad11\uc808\uc57d\uc2dc\uac04", "MHST",
"\uB9C8\uC15C \uC81C\uB3C4 \uD45C\uC900\uC2DC", "MHT"};
String MMT[] = new String[] {"\ubbf8\uc580\ub9c8 \uc2dc\uac04", "MMT",
"\ubbf8\uc580\ub9c8 \uc77c\uad11\uc808\uc57d\uc2dc\uac04", "MMST",
"\uBBF8\uC580\uB9C8 \uD45C\uC900\uC2DC", "MMT"};
String MSK[] = new String[] {"\ubaa8\uc2a4\ud06c\ubc14 \ud45c\uc900\uc2dc", "MSK",
"\ubaa8\uc2a4\ud06c\ubc14 \uc77c\uad11\uc808\uc57d\uc2dc\uac04", "MSD",
"\uBAA8\uC2A4\uD06C\uBC14 \uD45C\uC900\uC2DC", "MT"};
......@@ -684,9 +687,7 @@ public final class TimeZoneNames_ko extends TimeZoneNamesBundle {
{"Asia/Qyzylorda", new String[] {"Qyzylorda \ud45c\uc900\uc2dc", "QYZT",
"Qyzylorda \uc77c\uad11\uc808\uc57d\uc2dc\uac04", "QYZST",
"\uD0A4\uC9C8\uB85C\uB974\uB2E4 \uD45C\uC900\uC2DC", "QYZT"}},
{"Asia/Rangoon", new String[] {"\ubbf8\uc580\ub9c8 \uc2dc\uac04", "MMT",
"\ubbf8\uc580\ub9c8 \uc77c\uad11\uc808\uc57d\uc2dc\uac04", "MMST",
"\uBBF8\uC580\uB9C8 \uD45C\uC900\uC2DC", "MMT"}},
{"Asia/Rangoon", MMT},
{"Asia/Riyadh", ARAST},
{"Asia/Saigon", ICT},
{"Asia/Sakhalin", new String[] {"\uc0ac\ud560\ub9b0 \uc2dc\uac04", "SAKT",
......@@ -719,6 +720,7 @@ public final class TimeZoneNames_ko extends TimeZoneNamesBundle {
"\ube14\ub77c\ub514\ubcf4\uc2a4\ud1a1 \uc77c\uad11\uc808\uc57d\uc2dc\uac04", "VLAST",
"\uBE14\uB77C\uB514\uBCF4\uC2A4\uD1A1 \uD45C\uC900\uC2DC", "VLAT"}},
{"Asia/Yakutsk", YAKT},
{"Asia/Yangon", MMT},
{"Asia/Yekaterinburg", new String[] {"\uc608\uce74\ud14c\ub9b0\ubc84\uadf8 \uc2dc\uac04", "YEKT",
"\uc608\uce74\ud14c\ub9b0\ubc84\uadf8 \uc77c\uad11\uc808\uc57d\uc2dc\uac04", "YEKST",
"\uC608\uCE74\uD14C\uB9B0\uBD80\uB974\uD06C \uD45C\uC900\uC2DC", "YEKT"}},
......
......@@ -189,6 +189,9 @@ public final class TimeZoneNames_pt_BR extends TimeZoneNamesBundle {
String MSK[] = new String[] {"Fuso hor\u00e1rio padr\u00e3o de Moscou", "MSK",
"Hor\u00e1rio de luz natural de Moscou", "MSD",
"Hor\u00E1rio de Moscou", "MT"};
String MMT[] = new String[] {"Fuso hor\u00e1rio de Mianmar", "MMT",
"Fuso hor\u00e1rio de ver\u00e3o de Mianmar", "MMST",
"Hor\u00E1rio de Mianmar", "MMT"};
String MST[] = new String[] {"Fuso hor\u00e1rio padr\u00e3o das montanhas", "MST",
"Hor\u00e1rio de luz natural das montanhas", "MDT",
"Hor\u00E1rio das Montanhas Rochosas", "MT"};
......@@ -684,9 +687,7 @@ public final class TimeZoneNames_pt_BR extends TimeZoneNamesBundle {
{"Asia/Qyzylorda", new String[] {"Fuso hor\u00e1rio de Kizil-Orda", "QYZT",
"Fuso hor\u00e1rio de ver\u00e3o de Kizil-Orda", "QYZST",
"Hor\u00E1rio de Qyzylorda", "QYZT"}},
{"Asia/Rangoon", new String[] {"Fuso hor\u00e1rio de Mianmar", "MMT",
"Fuso hor\u00e1rio de ver\u00e3o de Mianmar", "MMST",
"Hor\u00E1rio de Mianmar", "MMT"}},
{"Asia/Rangoon", MMT},
{"Asia/Riyadh", ARAST},
{"Asia/Saigon", ICT},
{"Asia/Sakhalin", new String[] {"Fuso hor\u00e1rio de Sakhalina", "SAKT",
......@@ -719,6 +720,7 @@ public final class TimeZoneNames_pt_BR extends TimeZoneNamesBundle {
"Fuso hor\u00e1rio de ver\u00e3o de Vladivostok", "VLAST",
"Hor\u00E1rio de Vladivostok", "VLAT"}},
{"Asia/Yakutsk", YAKT},
{"Asia/Yangon", MMT},
{"Asia/Yekaterinburg", new String[] {"Fuso hor\u00e1rio de Yekaterinburgo", "YEKT",
"Fuso hor\u00e1rio de ver\u00e3o de Yekaterinburgo", "YEKST",
"Hor\u00E1rio de Yekaterinburg", "YEKT"}},
......
......@@ -189,6 +189,9 @@ public final class TimeZoneNames_sv extends TimeZoneNamesBundle {
String MHT[] = new String[] {"Marshall\u00f6arna, normaltid", "MHT",
"Marshall\u00f6arna, sommartid", "MHST",
"Marshall\u00F6arna-tid", "MHT"};
String MMT[] = new String[] {"Myanmar, normaltid", "MMT",
"Myanmar, sommartid", "MMST",
"Myanmar-tid", "MMT"};
String MSK[] = new String[] {"Moskva, normaltid", "MSK",
"Moskva, sommartid", "MSD",
"Moskvas tid", "MT"};
......@@ -684,9 +687,7 @@ public final class TimeZoneNames_sv extends TimeZoneNamesBundle {
{"Asia/Qyzylorda", new String[] {"Qyzylorda, normaltid", "QYZT",
"Qyzylorda, sommartid", "QYZST",
"Qyzylorda-tid", "QYZT"}},
{"Asia/Rangoon", new String[] {"Myanmar, normaltid", "MMT",
"Myanmar, sommartid", "MMST",
"Myanmar-tid", "MMT"}},
{"Asia/Rangoon", MMT},
{"Asia/Riyadh", ARAST},
{"Asia/Saigon", ICT},
{"Asia/Sakhalin", new String[] {"Sakhalin, normaltid", "SAKT",
......@@ -719,6 +720,7 @@ public final class TimeZoneNames_sv extends TimeZoneNamesBundle {
"Vladivostok, sommartid", "VLAST",
"Vladivostok-tid", "VLAT"}},
{"Asia/Yakutsk", YAKT},
{"Asia/Yangon", MMT},
{"Asia/Yekaterinburg", new String[] {"Jekaterinburg, normaltid", "YEKT",
"Jekaterinburg, sommartid", "YEKST",
"Jekaterinburg-tid", "YEKT"}},
......
......@@ -189,6 +189,9 @@ public final class TimeZoneNames_zh_CN extends TimeZoneNamesBundle {
String MHT[] = new String[] {"\u9a6c\u7ecd\u5c14\u7fa4\u5c9b\u65f6\u95f4", "MHT",
"\u9a6c\u7ecd\u5c14\u7fa4\u5c9b\u590f\u4ee4\u65f6", "MHST",
"\u9A6C\u7ECD\u5C14\u7FA4\u5C9B\u65F6\u95F4", "MHT"};
String MMT[] = new String[] {"\u7f05\u7538\u65f6\u95f4", "MMT",
"\u7f05\u7538\u590f\u4ee4\u65f6", "MMST",
"\u7F05\u7538\u65F6\u95F4", "MMT"};
String MSK[] = new String[] {"\u83ab\u65af\u79d1\u6807\u51c6\u65f6\u95f4", "MSK",
"\u83ab\u65af\u79d1\u590f\u4ee4\u65f6", "MSD",
"\u83AB\u65AF\u79D1\u65F6\u95F4", "MT"};
......@@ -684,9 +687,7 @@ public final class TimeZoneNames_zh_CN extends TimeZoneNamesBundle {
{"Asia/Qyzylorda", new String[] {"Qyzylorda \u65f6\u95f4", "QYZT",
"Qyzylorda \u590f\u4ee4\u65f6", "QYZST",
"Qyzylorda \u65F6\u95F4", "QYZT"}},
{"Asia/Rangoon", new String[] {"\u7f05\u7538\u65f6\u95f4", "MMT",
"\u7f05\u7538\u590f\u4ee4\u65f6", "MMST",
"\u7F05\u7538\u65F6\u95F4", "MMT"}},
{"Asia/Rangoon", MMT},
{"Asia/Riyadh", ARAST},
{"Asia/Saigon", ICT},
{"Asia/Sakhalin", new String[] {"\u5e93\u9875\u5c9b\u65f6\u95f4", "SAKT",
......@@ -719,6 +720,7 @@ public final class TimeZoneNames_zh_CN extends TimeZoneNamesBundle {
"\u6d77\u53c2\u5d34\u590f\u4ee4\u65f6", "VLAST",
"\u6D77\u53C2\u5D34\u65F6\u95F4", "VLAT"}},
{"Asia/Yakutsk", YAKT},
{"Asia/Yangon", MMT},
{"Asia/Yekaterinburg", new String[] {"Yekaterinburg \u65f6\u95f4", "YEKT",
"Yekaterinburg \u590f\u4ee4\u65f6", "YEKST",
"Yekaterinburg \u65F6\u95F4", "YEKT"}},
......
......@@ -189,6 +189,9 @@ public final class TimeZoneNames_zh_TW extends TimeZoneNamesBundle {
String MHT[] = new String[] {"\u99ac\u7d39\u723e\u7fa4\u5cf6\u6642\u9593", "MHT",
"\u99ac\u7d39\u723e\u7fa4\u5cf6\u590f\u4ee4\u6642\u9593", "MHST",
"\u99AC\u7D39\u723E\u7FA4\u5CF6\u6642\u9593", "MHT"};
String MMT[] = new String[] {"\u7dec\u7538\u6642\u9593", "MMT",
"\u7dec\u7538\u590f\u4ee4\u6642\u9593", "MMST",
"\u7DEC\u7538\u6642\u9593", "MMT"};
String MSK[] = new String[] {"\u83ab\u65af\u79d1\u6a19\u6e96\u6642\u9593", "MSK",
"\u83ab\u65af\u79d1\u65e5\u5149\u7bc0\u7d04\u6642\u9593", "MSD",
"\u83AB\u65AF\u79D1\u6642\u9593", "MT"};
......@@ -684,9 +687,7 @@ public final class TimeZoneNames_zh_TW extends TimeZoneNamesBundle {
{"Asia/Qyzylorda", new String[] {"Qyzylorda \u6642\u9593", "QYZT",
"Qyzylorda \u590f\u4ee4\u6642\u9593", "QYZST",
"\u514B\u5B5C\u6D1B\u723E\u9054\u6642\u9593", "QYZT"}},
{"Asia/Rangoon", new String[] {"\u7dec\u7538\u6642\u9593", "MMT",
"\u7dec\u7538\u590f\u4ee4\u6642\u9593", "MMST",
"\u7DEC\u7538\u6642\u9593", "MMT"}},
{"Asia/Rangoon", MMT},
{"Asia/Riyadh", ARAST},
{"Asia/Saigon", ICT},
{"Asia/Sakhalin", new String[] {"\u5eab\u9801\u5cf6\u6642\u9593", "SAKT",
......@@ -721,6 +722,7 @@ public final class TimeZoneNames_zh_TW extends TimeZoneNamesBundle {
"\u6d77\u53c3\u5d34\u590f\u4ee4\u6642\u9593", "VLAST",
"\u6D77\u53C3\u5D34\u6642\u9593", "VLAT"}},
{"Asia/Yakutsk", YAKT},
{"Asia/Yangon", MMT},
{"Asia/Yekaterinburg", new String[] {"Yekaterinburg \u6642\u9593", "YEKT",
"Yekaterinburg \u590f\u4ee4\u6642\u9593", "YEKST",
"\u8449\u5361\u6377\u7433\u5821\u6642\u9593", "YEKT"}},
......
......@@ -422,7 +422,9 @@ krb5.kdc.bad.policy = tryLast
# describes the mechanism for disabling algorithms based on algorithm name
# and/or key length. This includes algorithms used in certificates, as well
# as revocation information such as CRLs and signed OCSP Responses.
# The syntax of the disabled algorithm string is described as follows:
#
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
......@@ -433,22 +435,25 @@ krb5.kdc.bad.policy = tryLast
# (see below)
#
# Constraint:
# KeySizeConstraint | CAConstraint | DenyAfterConstraint
# KeySizeConstraint, CertConstraint
#
# KeySizeConstraint:
# keySize Operator KeyLength
# keySize Operator DecimalInteger
#
# Operator:
# <= | < | == | != | >= | >
#
# KeyLength:
# Integer value of the algorithm's key length in bits
# DecimalInteger:
# DecimalDigits
#
# CAConstraint:
# jdkCA
# DecimalDigits:
# DecimalDigit {DecimalDigit}
#
# DecimalDigit: one of
# 1 2 3 4 5 6 7 8 9 0
#
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
# CertConstraint
# jdkCA
#
# The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
......@@ -462,42 +467,27 @@ krb5.kdc.bad.policy = tryLast
# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
# will not disable algorithms related to "ECDSA".
#
# A "Constraint" defines restrictions on the keys and/or certificates for
# a specified AlgorithmName:
#
# KeySizeConstraint:
# keySize Operator KeyLength
# The constraint requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "KeyLength" indicates
# the key size specified in number of bits. For example,
# "RSA keySize <= 1024" indicates that any RSA key with key size less
# than or equal to 1024 bits should be disabled, and
# "RSA keySize < 1024, RSA keySize > 2048" indicates that any RSA key
# with key size less than 1024 or greater than 2048 should be disabled.
# This constraint is only used on algorithms that have a key size.
#
# CAConstraint:
# jdkCA
# This constraint prohibits the specified algorithm only if the
# algorithm is used in a certificate chain that terminates at a marked
# trust anchor in the lib/security/cacerts keystore. If the jdkCA
# constraint is not set, then all chains using the specified algorithm
# are restricted. jdkCA may only be used once in a DisabledAlgorithm
# expression.
# Example:  To apply this constraint to SHA-1 certificates, include
# the following:  "SHA1 jdkCA"
#
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
# This constraint prohibits a certificate with the specified algorithm
# from being used after the date regardless of the certificate's
# validity.  JAR files that are signed and timestamped before the
# constraint date with certificates containing the disabled algorithm
# will not be restricted.  The date is processed in the UTC timezone.
# This constraint can only be used once in a DisabledAlgorithm
# expression.
# Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
# use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
# A "Constraint" provides further guidance for the algorithm being specified.
# The "KeySizeConstraint" requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
# key size specified in number of bits. For example, "RSA keySize <= 1024"
# indicates that any RSA key with key size less than or equal to 1024 bits
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
# that any RSA key with key size less than 1024 or greater than 2048 should
# be disabled. Note that the "KeySizeConstraint" only makes sense to key
# algorithms.
#
# "CertConstraint" specifies additional constraints for
# certificates that contain algorithms that are restricted:
#
# "jdkCA" prohibits the specified algorithm only if the algorithm is used
# in a certificate chain that terminates at a marked trust anchor in the
# lib/security/cacerts keystore. All other chains are not affected.
# If the jdkCA constraint is not set, then all chains using the
# specified algorithm are restricted. jdkCA may only be used once in
# a DisabledAlgorithm expression.
# Example: To apply this constraint to SHA-1 certificates, include
# the following "SHA1 jdkCA"
#
# When an algorithm must satisfy more than one constraint, it must be
# delimited by an ampersand '&'. For example, to restrict certificates in a
......@@ -520,6 +510,43 @@ krb5.kdc.bad.policy = tryLast
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
DSA keySize < 1024, EC keySize < 224
# Algorithm restrictions for signed JAR files
#
# In some environments, certain algorithms or key lengths may be undesirable
# for signed JAR validation. For example, "MD2" is generally no longer
# considered to be a secure hash algorithm. This section describes the
# mechanism for disabling algorithms based on algorithm name and/or key length.
# JARs signed with any of the disabled algorithms or key sizes will be treated
# as unsigned.
#
# The syntax of the disabled algorithm string is described as follows:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
# DisabledAlgorithm:
# AlgorithmName [Constraint]
#
# AlgorithmName:
# (see below)
#
# Constraint:
# KeySizeConstraint
#
# KeySizeConstraint:
# keySize Operator KeyLength
#
# Operator:
# <= | < | == | != | >= | >
#
# KeyLength:
# Integer value of the algorithm's key length in bits
#
# Note: This property is currently used by the JDK Reference
# implementation. It is not guaranteed to be examined and used by other
# implementations.
#
jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
#
......@@ -674,7 +701,7 @@ jdk.tls.legacyAlgorithms= \
# Constraint {"," Constraint }
# Constraint:
# AlgConstraint | MaxTransformsConstraint | MaxReferencesConstraint |
# ReferenceUriSchemeConstraint | OtherConstraint
# ReferenceUriSchemeConstraint | KeySizeConstraint | OtherConstraint
# AlgConstraint
# "disallowAlg" Uri
# MaxTransformsConstraint:
......@@ -683,12 +710,16 @@ jdk.tls.legacyAlgorithms= \
# "maxReferences" Integer
# ReferenceUriSchemeConstraint:
# "disallowReferenceUriSchemes" String { String }
# KeySizeConstraint:
# "minKeySize" KeyAlg Integer
# OtherConstraint:
# "noDuplicateIds" | "noRetrievalMethodLoops"
#
# For AlgConstraint, Uri is the algorithm URI String that is not allowed.
# See the XML Signature Recommendation for more information on algorithm
# URI Identifiers. If the MaxTransformsConstraint or MaxReferencesConstraint is
# URI Identifiers. For KeySizeConstraint, KeyAlg is the standard algorithm
# name of the key type (ex: "RSA"). If the MaxTransformsConstraint,
# MaxReferencesConstraint or KeySizeConstraint (for the same key type) is
# specified more than once, only the last entry is enforced.
#
# Note: This property is currently used by the JDK Reference implementation. It
......@@ -702,46 +733,11 @@ jdk.xml.dsig.secureValidationPolicy=\
maxTransforms 5,\
maxReferences 30,\
disallowReferenceUriSchemes file http https,\
minKeySize RSA 1024,\
minKeySize DSA 1024,\
noDuplicateIds,\
noRetrievalMethodLoops
# Algorithm restrictions for signed JAR files
#
# In some environments, certain algorithms or key lengths may be undesirable
# for signed JAR validation. For example, "MD2" is generally no longer
# considered to be a secure hash algorithm. This section describes the
# mechanism for disabling algorithms based on algorithm name and/or key length.
# JARs signed with any of the disabled algorithms or key sizes will be treated
# as unsigned.
#
# The syntax of the disabled algorithm string is described as follows:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
# DisabledAlgorithm:
# AlgorithmName [Constraint]
#
# AlgorithmName:
# (see below)
#
# Constraint:
# KeySizeConstraint
#
# KeySizeConstraint:
# keySize Operator KeyLength
#
# Operator:
# <= | < | == | != | >= | >
#
# KeyLength:
# Integer value of the algorithm's key length in bits
#
# Note: This property is currently used by the JDK Reference
# implementation. It is not guaranteed to be examined and used by other
# implementations.
#
jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
#
# Serialization process-wide filter
#
......
......@@ -422,7 +422,9 @@ krb5.kdc.bad.policy = tryLast
# describes the mechanism for disabling algorithms based on algorithm name
# and/or key length. This includes algorithms used in certificates, as well
# as revocation information such as CRLs and signed OCSP Responses.
# The syntax of the disabled algorithm string is described as follows:
#
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
......@@ -433,22 +435,25 @@ krb5.kdc.bad.policy = tryLast
# (see below)
#
# Constraint:
# KeySizeConstraint | CAConstraint | DenyAfterConstraint
# KeySizeConstraint, CertConstraint
#
# KeySizeConstraint:
# keySize Operator KeyLength
# keySize Operator DecimalInteger
#
# Operator:
# <= | < | == | != | >= | >
#
# KeyLength:
# Integer value of the algorithm's key length in bits
# DecimalInteger:
# DecimalDigits
#
# CAConstraint:
# jdkCA
# DecimalDigits:
# DecimalDigit {DecimalDigit}
#
# DecimalDigit: one of
# 1 2 3 4 5 6 7 8 9 0
#
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
# CertConstraint
# jdkCA
#
# The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
......@@ -462,42 +467,27 @@ krb5.kdc.bad.policy = tryLast
# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
# will not disable algorithms related to "ECDSA".
#
# A "Constraint" defines restrictions on the keys and/or certificates for
# a specified AlgorithmName:
#
# KeySizeConstraint:
# keySize Operator KeyLength
# The constraint requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "KeyLength" indicates
# the key size specified in number of bits. For example,
# "RSA keySize <= 1024" indicates that any RSA key with key size less
# than or equal to 1024 bits should be disabled, and
# "RSA keySize < 1024, RSA keySize > 2048" indicates that any RSA key
# with key size less than 1024 or greater than 2048 should be disabled.
# This constraint is only used on algorithms that have a key size.
#
# CAConstraint:
# jdkCA
# This constraint prohibits the specified algorithm only if the
# algorithm is used in a certificate chain that terminates at a marked
# trust anchor in the lib/security/cacerts keystore. If the jdkCA
# constraint is not set, then all chains using the specified algorithm
# are restricted. jdkCA may only be used once in a DisabledAlgorithm
# expression.
# Example:  To apply this constraint to SHA-1 certificates, include
# the following:  "SHA1 jdkCA"
#
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
# This constraint prohibits a certificate with the specified algorithm
# from being used after the date regardless of the certificate's
# validity.  JAR files that are signed and timestamped before the
# constraint date with certificates containing the disabled algorithm
# will not be restricted.  The date is processed in the UTC timezone.
# This constraint can only be used once in a DisabledAlgorithm
# expression.
# Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
# use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
# A "Constraint" provides further guidance for the algorithm being specified.
# The "KeySizeConstraint" requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
# key size specified in number of bits. For example, "RSA keySize <= 1024"
# indicates that any RSA key with key size less than or equal to 1024 bits
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
# that any RSA key with key size less than 1024 or greater than 2048 should
# be disabled. Note that the "KeySizeConstraint" only makes sense to key
# algorithms.
#
# "CertConstraint" specifies additional constraints for
# certificates that contain algorithms that are restricted:
#
# "jdkCA" prohibits the specified algorithm only if the algorithm is used
# in a certificate chain that terminates at a marked trust anchor in the
# lib/security/cacerts keystore. All other chains are not affected.
# If the jdkCA constraint is not set, then all chains using the
# specified algorithm are restricted. jdkCA may only be used once in
# a DisabledAlgorithm expression.
# Example: To apply this constraint to SHA-1 certificates, include
# the following: "SHA1 jdkCA"
#
# When an algorithm must satisfy more than one constraint, it must be
# delimited by an ampersand '&'. For example, to restrict certificates in a
......@@ -520,6 +510,43 @@ krb5.kdc.bad.policy = tryLast
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
DSA keySize < 1024, EC keySize < 224
# Algorithm restrictions for signed JAR files
#
# In some environments, certain algorithms or key lengths may be undesirable
# for signed JAR validation. For example, "MD2" is generally no longer
# considered to be a secure hash algorithm. This section describes the
# mechanism for disabling algorithms based on algorithm name and/or key length.
# JARs signed with any of the disabled algorithms or key sizes will be treated
# as unsigned.
#
# The syntax of the disabled algorithm string is described as follows:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
# DisabledAlgorithm:
# AlgorithmName [Constraint]
#
# AlgorithmName:
# (see below)
#
# Constraint:
# KeySizeConstraint
#
# KeySizeConstraint:
# keySize Operator KeyLength
#
# Operator:
# <= | < | == | != | >= | >
#
# KeyLength:
# Integer value of the algorithm's key length in bits
#
# Note: This property is currently used by the JDK Reference
# implementation. It is not guaranteed to be examined and used by other
# implementations.
#
jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
#
......@@ -674,7 +701,7 @@ jdk.tls.legacyAlgorithms= \
# Constraint {"," Constraint }
# Constraint:
# AlgConstraint | MaxTransformsConstraint | MaxReferencesConstraint |
# ReferenceUriSchemeConstraint | OtherConstraint
# ReferenceUriSchemeConstraint | KeySizeConstraint | OtherConstraint
# AlgConstraint
# "disallowAlg" Uri
# MaxTransformsConstraint:
......@@ -683,12 +710,16 @@ jdk.tls.legacyAlgorithms= \
# "maxReferences" Integer
# ReferenceUriSchemeConstraint:
# "disallowReferenceUriSchemes" String { String }
# KeySizeConstraint:
# "minKeySize" KeyAlg Integer
# OtherConstraint:
# "noDuplicateIds" | "noRetrievalMethodLoops"
#
# For AlgConstraint, Uri is the algorithm URI String that is not allowed.
# See the XML Signature Recommendation for more information on algorithm
# URI Identifiers. If the MaxTransformsConstraint or MaxReferencesConstraint is
# URI Identifiers. For KeySizeConstraint, KeyAlg is the standard algorithm
# name of the key type (ex: "RSA"). If the MaxTransformsConstraint,
# MaxReferencesConstraint or KeySizeConstraint (for the same key type) is
# specified more than once, only the last entry is enforced.
#
# Note: This property is currently used by the JDK Reference implementation. It
......@@ -702,46 +733,11 @@ jdk.xml.dsig.secureValidationPolicy=\
maxTransforms 5,\
maxReferences 30,\
disallowReferenceUriSchemes file http https,\
minKeySize RSA 1024,\
minKeySize DSA 1024,\
noDuplicateIds,\
noRetrievalMethodLoops
# Algorithm restrictions for signed JAR files
#
# In some environments, certain algorithms or key lengths may be undesirable
# for signed JAR validation. For example, "MD2" is generally no longer
# considered to be a secure hash algorithm. This section describes the
# mechanism for disabling algorithms based on algorithm name and/or key length.
# JARs signed with any of the disabled algorithms or key sizes will be treated
# as unsigned.
#
# The syntax of the disabled algorithm string is described as follows:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
# DisabledAlgorithm:
# AlgorithmName [Constraint]
#
# AlgorithmName:
# (see below)
#
# Constraint:
# KeySizeConstraint
#
# KeySizeConstraint:
# keySize Operator KeyLength
#
# Operator:
# <= | < | == | != | >= | >
#
# KeyLength:
# Integer value of the algorithm's key length in bits
#
# Note: This property is currently used by the JDK Reference
# implementation. It is not guaranteed to be examined and used by other
# implementations.
#
jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
#
# Serialization process-wide filter
#
......
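Review bot: As rendered here, `jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024` is narrower than the `jdk.certpath.disabledAlgorithms` value just above it, which also lists MD5, `DSA keySize < 1024` and `EC keySize < 224`. Going by the section's own description, a JAR signed with an MD5 digest or a short DSA key is therefore still treated as signed. If the gap is not deliberate, the line could read `jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, DSA keySize < 1024`; if it is deliberate, a comment above the property should say why the two lists differ. The other security-properties sections on this page carry the same text and the same question.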
......@@ -425,7 +425,9 @@ krb5.kdc.bad.policy = tryLast
# describes the mechanism for disabling algorithms based on algorithm name
# and/or key length. This includes algorithms used in certificates, as well
# as revocation information such as CRLs and signed OCSP Responses.
# The syntax of the disabled algorithm string is described as follows:
#
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
......@@ -436,22 +438,25 @@ krb5.kdc.bad.policy = tryLast
# (see below)
#
# Constraint:
# KeySizeConstraint | CAConstraint | DenyAfterConstraint
# KeySizeConstraint, CertConstraint
#
# KeySizeConstraint:
# keySize Operator KeyLength
# keySize Operator DecimalInteger
#
# Operator:
# <= | < | == | != | >= | >
#
# KeyLength:
# Integer value of the algorithm's key length in bits
# DecimalInteger:
# DecimalDigits
#
# CAConstraint:
# jdkCA
# DecimalDigits:
# DecimalDigit {DecimalDigit}
#
# DecimalDigit: one of
# 1 2 3 4 5 6 7 8 9 0
#
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
# CertConstraint
# jdkCA
#
# The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
......@@ -465,42 +470,27 @@ krb5.kdc.bad.policy = tryLast
# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
# will not disable algorithms related to "ECDSA".
#
# A "Constraint" defines restrictions on the keys and/or certificates for
# a specified AlgorithmName:
#
# KeySizeConstraint:
# keySize Operator KeyLength
# The constraint requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "KeyLength" indicates
# the key size specified in number of bits. For example,
# "RSA keySize <= 1024" indicates that any RSA key with key size less
# than or equal to 1024 bits should be disabled, and
# "RSA keySize < 1024, RSA keySize > 2048" indicates that any RSA key
# with key size less than 1024 or greater than 2048 should be disabled.
# This constraint is only used on algorithms that have a key size.
#
# CAConstraint:
# jdkCA
# This constraint prohibits the specified algorithm only if the
# algorithm is used in a certificate chain that terminates at a marked
# trust anchor in the lib/security/cacerts keystore. If the jdkCA
# constraint is not set, then all chains using the specified algorithm
# are restricted. jdkCA may only be used once in a DisabledAlgorithm
# expression.
# Example:  To apply this constraint to SHA-1 certificates, include
# the following:  "SHA1 jdkCA"
#
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
# This constraint prohibits a certificate with the specified algorithm
# from being used after the date regardless of the certificate's
# validity.  JAR files that are signed and timestamped before the
# constraint date with certificates containing the disabled algorithm
# will not be restricted.  The date is processed in the UTC timezone.
# This constraint can only be used once in a DisabledAlgorithm
# expression.
# Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
# use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
# A "Constraint" provides further guidance for the algorithm being specified.
# The "KeySizeConstraint" requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
# key size specified in number of bits. For example, "RSA keySize <= 1024"
# indicates that any RSA key with key size less than or equal to 1024 bits
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
# that any RSA key with key size less than 1024 or greater than 2048 should
# be disabled. Note that the "KeySizeConstraint" only makes sense to key
# algorithms.
#
# "CertConstraint" specifies additional constraints for
# certificates that contain algorithms that are restricted:
#
# "jdkCA" prohibits the specified algorithm only if the algorithm is used
# in a certificate chain that terminates at a marked trust anchor in the
# lib/security/cacerts keystore. All other chains are not affected.
# If the jdkCA constraint is not set, then all chains using the
# specified algorithm are restricted. jdkCA may only be used once in
# a DisabledAlgorithm expression.
# Example: To apply this constraint to SHA-1 certificates, include
# the following: "SHA1 jdkCA"
#
# When an algorithm must satisfy more than one constraint, it must be
# delimited by an ampersand '&'. For example, to restrict certificates in a
......@@ -523,6 +513,43 @@ krb5.kdc.bad.policy = tryLast
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
DSA keySize < 1024, EC keySize < 224
# Algorithm restrictions for signed JAR files
#
# In some environments, certain algorithms or key lengths may be undesirable
# for signed JAR validation. For example, "MD2" is generally no longer
# considered to be a secure hash algorithm. This section describes the
# mechanism for disabling algorithms based on algorithm name and/or key length.
# JARs signed with any of the disabled algorithms or key sizes will be treated
# as unsigned.
#
# The syntax of the disabled algorithm string is described as follows:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
# DisabledAlgorithm:
# AlgorithmName [Constraint]
#
# AlgorithmName:
# (see below)
#
# Constraint:
# KeySizeConstraint
#
# KeySizeConstraint:
# keySize Operator KeyLength
#
# Operator:
# <= | < | == | != | >= | >
#
# KeyLength:
# Integer value of the algorithm's key length in bits
#
# Note: This property is currently used by the JDK Reference
# implementation. It is not guaranteed to be examined and used by other
# implementations.
#
jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
#
......@@ -677,7 +704,7 @@ jdk.tls.legacyAlgorithms= \
# Constraint {"," Constraint }
# Constraint:
# AlgConstraint | MaxTransformsConstraint | MaxReferencesConstraint |
# ReferenceUriSchemeConstraint | OtherConstraint
# ReferenceUriSchemeConstraint | KeySizeConstraint | OtherConstraint
# AlgConstraint
# "disallowAlg" Uri
# MaxTransformsConstraint:
......@@ -686,12 +713,16 @@ jdk.tls.legacyAlgorithms= \
# "maxReferences" Integer
# ReferenceUriSchemeConstraint:
# "disallowReferenceUriSchemes" String { String }
# KeySizeConstraint:
# "minKeySize" KeyAlg Integer
# OtherConstraint:
# "noDuplicateIds" | "noRetrievalMethodLoops"
#
# For AlgConstraint, Uri is the algorithm URI String that is not allowed.
# See the XML Signature Recommendation for more information on algorithm
# URI Identifiers. If the MaxTransformsConstraint or MaxReferencesConstraint is
# URI Identifiers. For KeySizeConstraint, KeyAlg is the standard algorithm
# name of the key type (ex: "RSA"). If the MaxTransformsConstraint,
# MaxReferencesConstraint or KeySizeConstraint (for the same key type) is
# specified more than once, only the last entry is enforced.
#
# Note: This property is currently used by the JDK Reference implementation. It
......@@ -705,46 +736,11 @@ jdk.xml.dsig.secureValidationPolicy=\
maxTransforms 5,\
maxReferences 30,\
disallowReferenceUriSchemes file http https,\
minKeySize RSA 1024,\
minKeySize DSA 1024,\
noDuplicateIds,\
noRetrievalMethodLoops
# Algorithm restrictions for signed JAR files
#
# In some environments, certain algorithms or key lengths may be undesirable
# for signed JAR validation. For example, "MD2" is generally no longer
# considered to be a secure hash algorithm. This section describes the
# mechanism for disabling algorithms based on algorithm name and/or key length.
# JARs signed with any of the disabled algorithms or key sizes will be treated
# as unsigned.
#
# The syntax of the disabled algorithm string is described as follows:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
# DisabledAlgorithm:
# AlgorithmName [Constraint]
#
# AlgorithmName:
# (see below)
#
# Constraint:
# KeySizeConstraint
#
# KeySizeConstraint:
# keySize Operator KeyLength
#
# Operator:
# <= | < | == | != | >= | >
#
# KeyLength:
# Integer value of the algorithm's key length in bits
#
# Note: This property is currently used by the JDK Reference
# implementation. It is not guaranteed to be examined and used by other
# implementations.
#
jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
#
# Serialization process-wide filter
#
......
/*
* Copyright (c) 2007, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2007, 2016, Oracle and/or its affiliates. All rights reserved.
* Use is subject to license terms.
*
* This library is free software; you can redistribute it and/or
......@@ -34,7 +34,7 @@
* Dr Vipul Gupta <vipul.gupta@sun.com> and
* Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
*
* Last Modified Date from the Original Code: April 2015
* Last Modified Date from the Original Code: November 2016
*********************************************************************** */
#include "mplogic.h"
......@@ -713,6 +713,16 @@ ECDSA_SignDigestWithSeed(ECPrivateKey *key, SECItem *signature,
goto cleanup;
}
/*
* Using an equivalent exponent of fixed length (same as n or 1 bit less
* than n) to keep the kG timing relatively constant.
*
* Note that this is an extra step on top of the approach defined in
* ANSI X9.62 so as to make a fixed length K.
*/
CHECK_MPI_OK( mp_add(&k, &n, &k) );
CHECK_MPI_OK( mp_div_2(&k, &k) );
/*
** ANSI X9.62, Section 5.3.2, Step 2
**
......
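Review bot: The added comment calls the result an "equivalent exponent", but `mp_add(&k, &n, &k)` followed by `mp_div_2(&k, &k)` replaces k with (k + n) / 2, which is a different scalar and not congruent to the original k modulo n. The signature stays consistent only if every later use of k (the kG multiplication and the computation of s) reads this replaced value; those steps, like the rest of ECDSA_SignDigestWithSeed, are outside the hunk. If that holds, I would reword the comment to `/* Replace k with (k + n) / 2: a different nonce whose bit length is that of n or one bit less; r and s below both use it. */`. It is also worth stating that a caller passing a fixed seed will presumably no longer reproduce known-answer vectors computed with the unmodified k.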
......@@ -49,7 +49,7 @@ import org.testng.annotations.Test;
/*
* @test
* @bug 8081022 8151876
* @bug 8081022 8151876 8166875
* @key randomness
*/
......
/*
* Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -378,6 +378,7 @@ class ZoneName {
"Europe/Helsinki", "Europe_Eastern", "Europe/Bucharest",
"America/Nome", "Alaska", "America/Juneau",
"Asia/Yakutsk", "Yakutsk", "Asia/Yakutsk",
"Asia/Yangon", "Myanmar", "Asia/Rangoon",
"Africa/Conakry", "GMT", "Atlantic/Reykjavik",
"Asia/Seoul", "Korea", "Asia/Seoul",
"America/Antigua", "Atlantic", "America/Halifax",
......@@ -747,6 +748,7 @@ class ZoneName {
"NZ", "Pacific/Auckland",
"Asia/Tel_Aviv", "Asia/Jerusalem",
"Hongkong", "Asia/Hong_Kong",
"Asia/Rangoon", "Asia/Yangon",
};
private static final Map<String, String> zidToMzone = new HashMap<>();
......
// Individual Permissions for ReflectionFactoryTest
grant {
// Permissions needed to run the test
permission java.util.PropertyPermission "*", "read";
permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete,execute";
permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
permission java.lang.RuntimePermission "reflectionFactoryAccess";
};
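Review bot: The `grant` block has no `codeBase`, so its permissions apply to all code running under this policy. `java.io.FilePermission "<<ALL FILES>>", "read,write,delete,execute"` and `PropertyPermission "*", "read"` are much wider than the header comment "Individual Permissions" suggests. With file access unrestricted, a run under the security manager says little about which permissions the reflection code really needs. If the test only has to read its own classes, `permission java.io.FilePermission "${test.classes}${/}-", "read";` may be enough, assuming the harness defines test.classes. If the breadth is required by the test framework, a comment on that line such as `// <test step> needs write,delete,execute` would make it reviewable.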