Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
openanolis
dragonwell8_jdk
提交
8587eb8d
D
dragonwell8_jdk
项目概览
openanolis
/
dragonwell8_jdk
通知
4
Star
2
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
D
dragonwell8_jdk
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
8587eb8d
编写于
5月 18, 2017
作者:
A
asaha
浏览文件
操作
浏览文件
下载
差异文件
Merge
上级
74ef472b
741c2a11
变更
65
展开全部
隐藏空白更改
内联
并排
Showing
65 changed file
with
5565 addition
and
9909 deletion
+5565
-9909
.hgtags
.hgtags
+3
-0
src/macosx/classes/sun/lwawt/macosx/CPlatformWindow.java
src/macosx/classes/sun/lwawt/macosx/CPlatformWindow.java
+9
-4
src/share/classes/java/lang/reflect/WeakCache.java
src/share/classes/java/lang/reflect/WeakCache.java
+4
-4
src/share/classes/java/nio/Bits.java
src/share/classes/java/nio/Bits.java
+3
-2
src/share/classes/sun/management/LazyCompositeData.java
src/share/classes/sun/management/LazyCompositeData.java
+56
-21
src/share/classes/sun/security/pkcs/SignerInfo.java
src/share/classes/sun/security/pkcs/SignerInfo.java
+25
-14
src/share/classes/sun/security/provider/ByteArrayAccess.java
src/share/classes/sun/security/provider/ByteArrayAccess.java
+2
-2
src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java
...sses/sun/security/provider/certpath/AlgorithmChecker.java
+161
-126
src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
.../security/provider/certpath/DistributionPointFetcher.java
+25
-9
src/share/classes/sun/security/provider/certpath/OCSP.java
src/share/classes/sun/security/provider/certpath/OCSP.java
+74
-79
src/share/classes/sun/security/provider/certpath/OCSPRequest.java
...e/classes/sun/security/provider/certpath/OCSPRequest.java
+5
-3
src/share/classes/sun/security/provider/certpath/OCSPResponse.java
.../classes/sun/security/provider/certpath/OCSPResponse.java
+359
-118
src/share/classes/sun/security/provider/certpath/PKIX.java
src/share/classes/sun/security/provider/certpath/PKIX.java
+17
-1
src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
...sun/security/provider/certpath/PKIXCertPathValidator.java
+8
-4
src/share/classes/sun/security/provider/certpath/PKIXExtendedParameters.java
...un/security/provider/certpath/PKIXExtendedParameters.java
+226
-0
src/share/classes/sun/security/provider/certpath/ResponderId.java
...e/classes/sun/security/provider/certpath/ResponderId.java
+315
-0
src/share/classes/sun/security/provider/certpath/RevocationChecker.java
...ses/sun/security/provider/certpath/RevocationChecker.java
+54
-34
src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java
...es/sun/security/provider/certpath/SunCertPathBuilder.java
+4
-3
src/share/classes/sun/security/ssl/SSLContextImpl.java
src/share/classes/sun/security/ssl/SSLContextImpl.java
+8
-5
src/share/classes/sun/security/ssl/SSLSocketImpl.java
src/share/classes/sun/security/ssl/SSLSocketImpl.java
+72
-23
src/share/classes/sun/security/ssl/X509KeyManagerImpl.java
src/share/classes/sun/security/ssl/X509KeyManagerImpl.java
+27
-5
src/share/classes/sun/security/util/AnchorCertificates.java
src/share/classes/sun/security/util/AnchorCertificates.java
+3
-1
src/share/classes/sun/security/util/ConstraintsParameters.java
...hare/classes/sun/security/util/ConstraintsParameters.java
+135
-0
src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
...asses/sun/security/util/DisabledAlgorithmConstraints.java
+386
-124
src/share/classes/sun/security/util/SignatureFileVerifier.java
...hare/classes/sun/security/util/SignatureFileVerifier.java
+208
-45
src/share/classes/sun/security/validator/PKIXValidator.java
src/share/classes/sun/security/validator/PKIXValidator.java
+18
-8
src/share/classes/sun/security/validator/SimpleValidator.java
...share/classes/sun/security/validator/SimpleValidator.java
+6
-3
src/share/classes/sun/security/x509/PKIXExtensions.java
src/share/classes/sun/security/x509/PKIXExtensions.java
+45
-31
src/share/lib/security/java.security-aix
src/share/lib/security/java.security-aix
+78
-38
src/share/lib/security/java.security-linux
src/share/lib/security/java.security-linux
+78
-38
src/share/lib/security/java.security-macosx
src/share/lib/security/java.security-macosx
+78
-38
src/share/lib/security/java.security-solaris
src/share/lib/security/java.security-solaris
+78
-38
src/share/lib/security/java.security-windows
src/share/lib/security/java.security-windows
+78
-38
src/share/native/sun/awt/libpng/CHANGES
src/share/native/sun/awt/libpng/CHANGES
+351
-28
src/share/native/sun/awt/libpng/LICENSE
src/share/native/sun/awt/libpng/LICENSE
+27
-8
src/share/native/sun/awt/libpng/README
src/share/native/sun/awt/libpng/README
+4
-1
src/share/native/sun/awt/libpng/png.c
src/share/native/sun/awt/libpng/png.c
+285
-249
src/share/native/sun/awt/libpng/png.h
src/share/native/sun/awt/libpng/png.h
+255
-125
src/share/native/sun/awt/libpng/pngconf.h
src/share/native/sun/awt/libpng/pngconf.h
+25
-25
src/share/native/sun/awt/libpng/pngdebug.h
src/share/native/sun/awt/libpng/pngdebug.h
+1
-1
src/share/native/sun/awt/libpng/pngerror.c
src/share/native/sun/awt/libpng/pngerror.c
+35
-35
src/share/native/sun/awt/libpng/pngget.c
src/share/native/sun/awt/libpng/pngget.c
+37
-37
src/share/native/sun/awt/libpng/pnginfo.h
src/share/native/sun/awt/libpng/pnginfo.h
+1
-1
src/share/native/sun/awt/libpng/pnglibconf.h
src/share/native/sun/awt/libpng/pnglibconf.h
+11
-11
src/share/native/sun/awt/libpng/pngmem.c
src/share/native/sun/awt/libpng/pngmem.c
+11
-11
src/share/native/sun/awt/libpng/pngpread.c
src/share/native/sun/awt/libpng/pngpread.c
+28
-18
src/share/native/sun/awt/libpng/pngpriv.h
src/share/native/sun/awt/libpng/pngpriv.h
+177
-98
src/share/native/sun/awt/libpng/pngread.c
src/share/native/sun/awt/libpng/pngread.c
+248
-187
src/share/native/sun/awt/libpng/pngrio.c
src/share/native/sun/awt/libpng/pngrio.c
+3
-3
src/share/native/sun/awt/libpng/pngrtran.c
src/share/native/sun/awt/libpng/pngrtran.c
+52
-44
src/share/native/sun/awt/libpng/pngrutil.c
src/share/native/sun/awt/libpng/pngrutil.c
+168
-159
src/share/native/sun/awt/libpng/pngset.c
src/share/native/sun/awt/libpng/pngset.c
+204
-100
src/share/native/sun/awt/libpng/pngstruct.h
src/share/native/sun/awt/libpng/pngstruct.h
+5
-5
src/share/native/sun/awt/libpng/pngtest.c
src/share/native/sun/awt/libpng/pngtest.c
+0
-2101
src/share/native/sun/awt/libpng/pngtrans.c
src/share/native/sun/awt/libpng/pngtrans.c
+8
-7
src/share/native/sun/awt/libpng/pngwio.c
src/share/native/sun/awt/libpng/pngwio.c
+0
-196
src/share/native/sun/awt/libpng/pngwrite.c
src/share/native/sun/awt/libpng/pngwrite.c
+0
-2258
src/share/native/sun/awt/libpng/pngwtran.c
src/share/native/sun/awt/libpng/pngwtran.c
+0
-604
src/share/native/sun/awt/libpng/pngwutil.c
src/share/native/sun/awt/libpng/pngwutil.c
+0
-2737
test/ProblemList.txt
test/ProblemList.txt
+3
-0
test/java/lang/reflect/Proxy/ProxyRace.java
test/java/lang/reflect/Proxy/ProxyRace.java
+88
-0
test/javax/net/ssl/ServerName/BestEffortOnLazyConnected.java
test/javax/net/ssl/ServerName/BestEffortOnLazyConnected.java
+335
-0
test/sun/management/LazyCompositeDataTest.java
test/sun/management/LazyCompositeDataTest.java
+163
-0
test/sun/net/www/protocol/https/HttpsURLConnection/ImpactOnSNI.java
...et/www/protocol/https/HttpsURLConnection/ImpactOnSNI.java
+391
-0
test/sun/security/tools/jarsigner/TimestampCheck.java
test/sun/security/tools/jarsigner/TimestampCheck.java
+1
-1
未找到文件。
.hgtags
浏览文件 @
8587eb8d
...
...
@@ -707,3 +707,6 @@ e95a13de2d36050302a1af422967f5260fc8eabd jdk8u141-b01
e5e3c33f57367b2b23d5e05a77b41948e9d4a1b9 jdk8u141-b04
b3e7354e6ae8567294ae664bf4a1a38a6c0bde9f jdk8u141-b05
c49f918efc4e6e2b8a1e771dba0c8de8d636660c jdk8u141-b06
9fd2a2019a5b7f35957c43c83eb00e1ae371a95e jdk8u141-b07
64261149b033dd6f625ccf7b4aaf7452baec82ef jdk8u141-b08
276269460238f84410a70ffe735db9cf78651b8f jdk8u141-b09
src/macosx/classes/sun/lwawt/macosx/CPlatformWindow.java
浏览文件 @
8587eb8d
...
...
@@ -252,13 +252,18 @@ public class CPlatformWindow extends CFRetainedResource implements PlatformWindo
}
AtomicLong
ref
=
new
AtomicLong
();
contentView
.
execute
(
viewPtr
->
{
boolean
hasOwnerPtr
=
false
;
if
(
owner
!=
null
)
{
owner
.
execute
(
ownerPtr
->
{
hasOwnerPtr
=
0L
!=
owner
.
executeGet
(
ownerPtr
->
{
ref
.
set
(
nativeCreateNSWindow
(
viewPtr
,
ownerPtr
,
styleBits
,
bounds
.
x
,
bounds
.
y
,
bounds
.
width
,
bounds
.
height
));
bounds
.
x
,
bounds
.
y
,
bounds
.
width
,
bounds
.
height
));
return
1
;
});
}
else
{
}
if
(!
hasOwnerPtr
)
{
ref
.
set
(
nativeCreateNSWindow
(
viewPtr
,
0
,
styleBits
,
bounds
.
x
,
bounds
.
y
,
bounds
.
width
,
bounds
.
height
));
...
...
src/share/classes/java/lang/reflect/WeakCache.java
浏览文件 @
8587eb8d
...
...
@@ -239,11 +239,11 @@ final class WeakCache<K, P, V> {
// wrap value with CacheValue (WeakReference)
CacheValue
<
V
>
cacheValue
=
new
CacheValue
<>(
value
);
// put into reverseMap
reverseMap
.
put
(
cacheValue
,
Boolean
.
TRUE
);
// try replacing us with CacheValue (this should always succeed)
if
(
valuesMap
.
replace
(
subKey
,
this
,
cacheValue
))
{
// put also in reverseMap
reverseMap
.
put
(
cacheValue
,
Boolean
.
TRUE
);
}
else
{
if
(!
valuesMap
.
replace
(
subKey
,
this
,
cacheValue
))
{
throw
new
AssertionError
(
"Should not reach here"
);
}
...
...
src/share/classes/java/nio/Bits.java
浏览文件 @
8587eb8d
/*
* Copyright (c) 2000, 201
2
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 201
6
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -614,7 +614,8 @@ class Bits { // package-private
String
arch
=
AccessController
.
doPrivileged
(
new
sun
.
security
.
action
.
GetPropertyAction
(
"os.arch"
));
unaligned
=
arch
.
equals
(
"i386"
)
||
arch
.
equals
(
"x86"
)
||
arch
.
equals
(
"amd64"
)
||
arch
.
equals
(
"x86_64"
);
||
arch
.
equals
(
"amd64"
)
||
arch
.
equals
(
"x86_64"
)
||
arch
.
equals
(
"ppc64"
)
||
arch
.
equals
(
"ppc64le"
);
unalignedKnown
=
true
;
return
unaligned
;
}
...
...
src/share/classes/sun/management/LazyCompositeData.java
浏览文件 @
8587eb8d
...
...
@@ -27,6 +27,7 @@ package sun.management;
import
java.io.Serializable
;
import
java.util.*
;
import
javax.management.openmbean.ArrayType
;
import
javax.management.openmbean.CompositeData
;
import
javax.management.openmbean.CompositeType
;
import
javax.management.openmbean.OpenType
;
...
...
@@ -48,39 +49,48 @@ public abstract class LazyCompositeData
private
CompositeData
compositeData
;
// Implementation of the CompositeData interface
@Override
public
boolean
containsKey
(
String
key
)
{
return
compositeData
().
containsKey
(
key
);
}
@Override
public
boolean
containsValue
(
Object
value
)
{
return
compositeData
().
containsValue
(
value
);
}
@Override
public
boolean
equals
(
Object
obj
)
{
return
compositeData
().
equals
(
obj
);
}
@Override
public
Object
get
(
String
key
)
{
return
compositeData
().
get
(
key
);
}
@Override
public
Object
[]
getAll
(
String
[]
keys
)
{
return
compositeData
().
getAll
(
keys
);
}
@Override
public
CompositeType
getCompositeType
()
{
return
compositeData
().
getCompositeType
();
}
@Override
public
int
hashCode
()
{
return
compositeData
().
hashCode
();
}
@Override
public
String
toString
()
{
/** FIXME: What should this be?? */
return
compositeData
().
toString
();
}
@Override
public
Collection
<?>
values
()
{
return
compositeData
().
values
();
}
...
...
@@ -126,27 +136,31 @@ public abstract class LazyCompositeData
if
(
cd
==
null
)
throw
new
IllegalArgumentException
(
"Null CompositeData"
);
return
((
Boolean
)
cd
.
get
(
itemName
))
.
booleanValue
()
;
return
((
Boolean
)
cd
.
get
(
itemName
));
}
static
long
getLong
(
CompositeData
cd
,
String
itemName
)
{
if
(
cd
==
null
)
throw
new
IllegalArgumentException
(
"Null CompositeData"
);
return
((
Long
)
cd
.
get
(
itemName
))
.
longValue
()
;
return
((
Long
)
cd
.
get
(
itemName
));
}
static
int
getInt
(
CompositeData
cd
,
String
itemName
)
{
if
(
cd
==
null
)
throw
new
IllegalArgumentException
(
"Null CompositeData"
);
return
((
Integer
)
cd
.
get
(
itemName
))
.
intValue
()
;
return
((
Integer
)
cd
.
get
(
itemName
));
}
/**
* Compares two CompositeTypes and returns true if
* all items in type1 exist in type2 and their item types
* are the same.
* @param type1 the base composite type
* @param type2 the checked composite type
* @return {@code true} if all items in type1 exist in type2 and their item
* types are the same.
*/
protected
static
boolean
isTypeMatched
(
CompositeType
type1
,
CompositeType
type2
)
{
if
(
type1
==
type2
)
return
true
;
...
...
@@ -159,24 +173,9 @@ public abstract class LazyCompositeData
if
(!
type2
.
keySet
().
containsAll
(
allItems
))
return
false
;
for
(
String
item:
allItems
)
{
OpenType
<?>
ot1
=
type1
.
getType
(
item
);
OpenType
<?>
ot2
=
type2
.
getType
(
item
);
if
(
ot1
instanceof
CompositeType
)
{
if
(!
(
ot2
instanceof
CompositeType
))
return
false
;
if
(!
isTypeMatched
((
CompositeType
)
ot1
,
(
CompositeType
)
ot2
))
return
false
;
}
else
if
(
ot1
instanceof
TabularType
)
{
if
(!
(
ot2
instanceof
TabularType
))
return
false
;
if
(!
isTypeMatched
((
TabularType
)
ot1
,
(
TabularType
)
ot2
))
return
false
;
}
else
if
(!
ot1
.
equals
(
ot2
))
{
return
false
;
}
}
return
true
;
return
allItems
.
stream
().
allMatch
(
item
->
isTypeMatched
(
type1
.
getType
(
item
),
type2
.
getType
(
item
))
);
}
protected
static
boolean
isTypeMatched
(
TabularType
type1
,
TabularType
type2
)
{
...
...
@@ -192,5 +191,41 @@ public abstract class LazyCompositeData
return
isTypeMatched
(
type1
.
getRowType
(),
type2
.
getRowType
());
}
protected
static
boolean
isTypeMatched
(
ArrayType
<?>
type1
,
ArrayType
<?>
type2
)
{
if
(
type1
==
type2
)
return
true
;
int
dim1
=
type1
.
getDimension
();
int
dim2
=
type2
.
getDimension
();
// check if the array dimensions are the same
if
(
dim1
!=
dim2
)
return
false
;
return
isTypeMatched
(
type1
.
getElementOpenType
(),
type2
.
getElementOpenType
());
}
private
static
boolean
isTypeMatched
(
OpenType
<?>
ot1
,
OpenType
<?>
ot2
)
{
if
(
ot1
instanceof
CompositeType
)
{
if
(!
(
ot2
instanceof
CompositeType
))
return
false
;
if
(!
isTypeMatched
((
CompositeType
)
ot1
,
(
CompositeType
)
ot2
))
return
false
;
}
else
if
(
ot1
instanceof
TabularType
)
{
if
(!
(
ot2
instanceof
TabularType
))
return
false
;
if
(!
isTypeMatched
((
TabularType
)
ot1
,
(
TabularType
)
ot2
))
return
false
;
}
else
if
(
ot1
instanceof
ArrayType
)
{
if
(!
(
ot2
instanceof
ArrayType
))
return
false
;
if
(!
isTypeMatched
((
ArrayType
<?>)
ot1
,
(
ArrayType
<?>)
ot2
))
{
return
false
;
}
}
else
if
(!
ot1
.
equals
(
ot2
))
{
return
false
;
}
return
true
;
}
private
static
final
long
serialVersionUID
=
-
2190411934472666714L
;
}
src/share/classes/sun/security/pkcs/SignerInfo.java
浏览文件 @
8587eb8d
/*
* Copyright (c) 1996, 201
6
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 201
7
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -37,6 +37,7 @@ import java.security.PublicKey;
import
java.security.Signature
;
import
java.security.SignatureException
;
import
java.security.Timestamp
;
import
java.security.cert.CertPathValidatorException
;
import
java.security.cert.CertificateException
;
import
java.security.cert.CertificateFactory
;
import
java.security.cert.CertPath
;
...
...
@@ -49,6 +50,7 @@ import java.util.Set;
import
sun.misc.HexDumpEncoder
;
import
sun.security.timestamp.TimestampToken
;
import
sun.security.util.ConstraintsParameters
;
import
sun.security.util.Debug
;
import
sun.security.util.DerEncoder
;
import
sun.security.util.DerInputStream
;
...
...
@@ -209,7 +211,7 @@ public class SignerInfo implements DerEncoder {
/**
* DER encode this object onto an output stream.
* Implements the
<code>DerEncoder</code>
interface.
* Implements the
{@code DerEncoder}
interface.
*
* @param out
* the output stream on which to write the DER encoding.
...
...
@@ -266,7 +268,7 @@ public class SignerInfo implements DerEncoder {
if
(
userCert
==
null
)
return
null
;
ArrayList
<
X509Certificate
>
certList
=
new
ArrayList
<
X509Certificate
>();
ArrayList
<
X509Certificate
>
certList
=
new
ArrayList
<>();
certList
.
add
(
userCert
);
X509Certificate
[]
pkcsCerts
=
block
.
getCertificates
();
...
...
@@ -321,6 +323,14 @@ public class SignerInfo implements DerEncoder {
data
=
content
.
getContentBytes
();
}
Timestamp
timestamp
=
null
;
try
{
timestamp
=
getTimestamp
();
}
catch
(
Exception
ignore
)
{
}
ConstraintsParameters
cparams
=
new
ConstraintsParameters
(
timestamp
);
String
digestAlgname
=
getDigestAlgorithmId
().
getName
();
byte
[]
dataSigned
;
...
...
@@ -347,11 +357,11 @@ public class SignerInfo implements DerEncoder {
if
(
messageDigest
==
null
)
// fail if there is no message digest
return
null
;
// check that algorithm is not restricted
if
(!
JAR_DISABLED_CHECK
.
permits
(
DIGEST_PRIMITIVE_SET
,
digestAlgname
,
null
))
{
throw
new
SignatureException
(
"Digest check failed. "
+
"Disabled algorithm used: "
+
digestAlgnam
e
);
// check that
digest
algorithm is not restricted
try
{
JAR_DISABLED_CHECK
.
permits
(
digestAlgname
,
cparams
);
}
catch
(
CertPathValidatorException
e
)
{
throw
new
SignatureException
(
e
.
getMessage
(),
e
);
}
MessageDigest
md
=
MessageDigest
.
getInstance
(
digestAlgname
);
...
...
@@ -385,17 +395,18 @@ public class SignerInfo implements DerEncoder {
String
algname
=
AlgorithmId
.
makeSigAlg
(
digestAlgname
,
encryptionAlgname
);
// check that algorithm is not restricted
if
(!
JAR_DISABLED_CHECK
.
permits
(
SIG_PRIMITIVE_SET
,
algname
,
null
))
{
throw
new
SignatureException
(
"Signature check failed. "
+
"Disabled algorithm used: "
+
algname
);
// check that jar signature algorithm is not restricted
try
{
JAR_DISABLED_CHECK
.
permits
(
algname
,
cparams
);
}
catch
(
CertPathValidatorException
e
)
{
throw
new
SignatureException
(
e
.
getMessage
(),
e
);
}
X509Certificate
cert
=
getCertificate
(
block
);
PublicKey
key
=
cert
.
getPublicKey
();
if
(
cert
==
null
)
{
return
null
;
}
PublicKey
key
=
cert
.
getPublicKey
();
// check if the public key is restricted
if
(!
JAR_DISABLED_CHECK
.
permits
(
SIG_PRIMITIVE_SET
,
key
))
{
...
...
@@ -519,7 +530,7 @@ public class SignerInfo implements DerEncoder {
* Extracts a timestamp from a PKCS7 SignerInfo.
*
* Examines the signer's unsigned attributes for a
*
<tt>signatureTimestampToken</tt>
attribute. If present,
*
{@code signatureTimestampToken}
attribute. If present,
* then it is parsed to extract the date and time at which the
* timestamp was generated.
*
...
...
src/share/classes/sun/security/provider/ByteArrayAccess.java
浏览文件 @
8587eb8d
/*
* Copyright (c) 2006, 201
3
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2006, 201
6
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -94,7 +94,7 @@ final class ByteArrayAccess {
String
arch
=
java
.
security
.
AccessController
.
doPrivileged
(
new
sun
.
security
.
action
.
GetPropertyAction
(
"os.arch"
,
""
));
return
arch
.
equals
(
"i386"
)
||
arch
.
equals
(
"x86"
)
||
arch
.
equals
(
"amd64"
)
||
arch
.
equals
(
"x86_64"
);
||
arch
.
equals
(
"x86_64"
)
||
arch
.
equals
(
"ppc64"
)
||
arch
.
equals
(
"ppc64le"
)
;
}
/**
...
...
src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java
浏览文件 @
8587eb8d
/*
* Copyright (c) 2009, 201
6
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2009, 201
7
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -27,8 +27,11 @@ package sun.security.provider.certpath;
import
java.security.AlgorithmConstraints
;
import
java.security.CryptoPrimitive
;
import
java.security.Timestamp
;
import
java.security.cert.CertPathValidator
;
import
java.util.Collection
;
import
java.util.Collections
;
import
java.util.Date
;
import
java.util.Set
;
import
java.util.EnumSet
;
import
java.math.BigInteger
;
...
...
@@ -51,15 +54,16 @@ import java.security.interfaces.DSAPublicKey;
import
java.security.spec.DSAPublicKeySpec
;
import
sun.security.util.AnchorCertificates
;
import
sun.security.util.C
ertConstraint
Parameters
;
import
sun.security.util.C
onstraints
Parameters
;
import
sun.security.util.Debug
;
import
sun.security.util.DisabledAlgorithmConstraints
;
import
sun.security.validator.Validator
;
import
sun.security.x509.X509CertImpl
;
import
sun.security.x509.X509CRLImpl
;
import
sun.security.x509.AlgorithmId
;
/**
* A
<code>PKIXCertPathChecker</code>
implementation to check whether a
* A
{@code PKIXCertPathChecker}
implementation to check whether a
* specified certificate contains the required algorithm constraints.
* <p>
* Certificate fields such as the subject public key, the signature
...
...
@@ -69,24 +73,27 @@ import sun.security.x509.AlgorithmId;
* @see PKIXCertPathChecker
* @see PKIXParameters
*/
final
public
class
AlgorithmChecker
extends
PKIXCertPathChecker
{
public
final
class
AlgorithmChecker
extends
PKIXCertPathChecker
{
private
static
final
Debug
debug
=
Debug
.
getInstance
(
"certpath"
);
private
final
AlgorithmConstraints
constraints
;
private
final
PublicKey
trustedPubKey
;
private
final
Date
pkixdate
;
private
PublicKey
prevPubKey
;
private
final
Timestamp
jarTimestamp
;
private
final
String
variant
;
private
final
static
Set
<
CryptoPrimitive
>
SIGNATURE_PRIMITIVE_SET
=
private
static
final
Set
<
CryptoPrimitive
>
SIGNATURE_PRIMITIVE_SET
=
Collections
.
unmodifiableSet
(
EnumSet
.
of
(
CryptoPrimitive
.
SIGNATURE
));
private
final
static
Set
<
CryptoPrimitive
>
KU_PRIMITIVE_SET
=
private
static
final
Set
<
CryptoPrimitive
>
KU_PRIMITIVE_SET
=
Collections
.
unmodifiableSet
(
EnumSet
.
of
(
CryptoPrimitive
.
SIGNATURE
,
CryptoPrimitive
.
KEY_ENCAPSULATION
,
CryptoPrimitive
.
PUBLIC_KEY_ENCRYPTION
,
CryptoPrimitive
.
KEY_AGREEMENT
));
private
final
static
DisabledAlgorithmConstraints
private
static
final
DisabledAlgorithmConstraints
certPathDefaultConstraints
=
new
DisabledAlgorithmConstraints
(
DisabledAlgorithmConstraints
.
PROPERTY_CERTPATH_DISABLED_ALGS
);
...
...
@@ -99,64 +106,99 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
private
boolean
trustedMatch
=
false
;
/**
* Create a new <code>AlgorithmChecker</code> with the algorithm
* constraints specified in security property
* "jdk.certpath.disabledAlgorithms".
* Create a new {@code AlgorithmChecker} with the given algorithm
* given {@code TrustAnchor} and {@code String} variant.
*
* @param anchor the trust anchor selected to validate the target
* certificate
* @param variant is the Validator variants of the operation. A null value
* passed will set it to Validator.GENERIC.
*/
public
AlgorithmChecker
(
TrustAnchor
anchor
)
{
this
(
anchor
,
certPathDefaultConstraints
);
public
AlgorithmChecker
(
TrustAnchor
anchor
,
String
variant
)
{
this
(
anchor
,
certPathDefaultConstraints
,
null
,
null
,
variant
);
}
/**
* Create a new
<code>AlgorithmChecker</code> with the
*
given {@code AlgorithmConstraints}.
*
<p>
*
Note that this constructor will be used to check a certification
*
path where the trust anchor is unknown, or a certificate list which may
*
contain the trust anchor. This constructor is used by SunJSSE
.
* Create a new
{@code AlgorithmChecker} with the given
*
{@code AlgorithmConstraints}, {@code Timestamp}, and {@code String}
*
variant.
*
*
Note that this constructor can initialize a variation of situations where
*
the AlgorithmConstraints, Timestamp, or Variant maybe known
.
*
* @param constraints the algorithm constraints (or null)
* @param jarTimestamp Timestamp passed for JAR timestamp constraint
* checking. Set to null if not applicable.
* @param variant is the Validator variants of the operation. A null value
* passed will set it to Validator.GENERIC.
*/
public
AlgorithmChecker
(
AlgorithmConstraints
constraints
)
{
this
.
prevPubKey
=
null
;
this
.
trustedPubKey
=
null
;
this
.
constraints
=
constraints
;
public
AlgorithmChecker
(
AlgorithmConstraints
constraints
,
Timestamp
jarTimestamp
,
String
variant
)
{
this
(
null
,
constraints
,
null
,
jarTimestamp
,
variant
);
}
/**
* Create a new <code>AlgorithmChecker</code> with the
* given <code>TrustAnchor</code> and <code>AlgorithmConstraints</code>.
* Create a new {@code AlgorithmChecker} with the
* given {@code TrustAnchor}, {@code AlgorithmConstraints},
* {@code Timestamp}, and {@code String} variant.
*
* @param anchor the trust anchor selected to validate the target
* certificate
* @param constraints the algorithm constraints (or null)
*
* @throws IllegalArgumentException if the <code>anchor</code> is null
* @param pkixdate The date specified by the PKIXParameters date. If the
* PKIXParameters is null, the current date is used. This
* should be null when jar files are being checked.
* @param jarTimestamp Timestamp passed for JAR timestamp constraint
* checking. Set to null if not applicable.
* @param variant is the Validator variants of the operation. A null value
* passed will set it to Validator.GENERIC.
*/
public
AlgorithmChecker
(
TrustAnchor
anchor
,
AlgorithmConstraints
constraints
)
{
AlgorithmConstraints
constraints
,
Date
pkixdate
,
Timestamp
jarTimestamp
,
String
variant
)
{
if
(
anchor
==
null
)
{
throw
new
IllegalArgumentException
(
"The trust anchor cannot be null"
);
}
if
(
anchor
.
getTrustedCert
()
!=
null
)
{
this
.
trustedPubKey
=
anchor
.
getTrustedCert
().
getPublicKey
();
// Check for anchor certificate restrictions
trustedMatch
=
checkFingerprint
(
anchor
.
getTrustedCert
());
if
(
trustedMatch
&&
debug
!=
null
)
{
debug
.
println
(
"trustedMatch = true"
);
if
(
anchor
!=
null
)
{
if
(
anchor
.
getTrustedCert
()
!=
null
)
{
this
.
trustedPubKey
=
anchor
.
getTrustedCert
().
getPublicKey
();
// Check for anchor certificate restrictions
trustedMatch
=
checkFingerprint
(
anchor
.
getTrustedCert
());
if
(
trustedMatch
&&
debug
!=
null
)
{
debug
.
println
(
"trustedMatch = true"
);
}
}
else
{
this
.
trustedPubKey
=
anchor
.
getCAPublicKey
();
}
}
else
{
this
.
trustedPubKey
=
anchor
.
getCAPublicKey
();
this
.
trustedPubKey
=
null
;
if
(
debug
!=
null
)
{
debug
.
println
(
"TrustAnchor is null, trustedMatch is false."
);
}
}
this
.
prevPubKey
=
trustedPubKey
;
this
.
constraints
=
constraints
;
this
.
prevPubKey
=
this
.
trustedPubKey
;
this
.
constraints
=
(
constraints
==
null
?
certPathDefaultConstraints
:
constraints
);
// If we are checking jar files, set pkixdate the same as the timestamp
// for certificate checking
this
.
pkixdate
=
(
jarTimestamp
!=
null
?
jarTimestamp
.
getTimestamp
()
:
pkixdate
);
this
.
jarTimestamp
=
jarTimestamp
;
this
.
variant
=
(
variant
==
null
?
Validator
.
VAR_GENERIC
:
variant
);
}
/**
* Create a new {@code AlgorithmChecker} with the given {@code TrustAnchor},
* {@code PKIXParameter} date, and {@code varient}
*
* @param anchor the trust anchor selected to validate the target
* certificate
* @param pkixdate Date the constraints are checked against. The value is
* either the PKIXParameters date or null for the current date.
* @param variant is the Validator variants of the operation. A null value
* passed will set it to Validator.GENERIC.
*/
public
AlgorithmChecker
(
TrustAnchor
anchor
,
Date
pkixdate
,
String
variant
)
{
this
(
anchor
,
certPathDefaultConstraints
,
pkixdate
,
null
,
variant
);
}
// Check this 'cert' for restrictions in the AnchorCertificates
...
...
@@ -217,6 +259,28 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
null
,
null
,
-
1
,
PKIXReason
.
INVALID_KEY_USAGE
);
}
X509CertImpl
x509Cert
;
AlgorithmId
algorithmId
;
try
{
x509Cert
=
X509CertImpl
.
toImpl
((
X509Certificate
)
cert
);
algorithmId
=
(
AlgorithmId
)
x509Cert
.
get
(
X509CertImpl
.
SIG_ALG
);
}
catch
(
CertificateException
ce
)
{
throw
new
CertPathValidatorException
(
ce
);
}
AlgorithmParameters
currSigAlgParams
=
algorithmId
.
getParameters
();
PublicKey
currPubKey
=
cert
.
getPublicKey
();
String
currSigAlg
=
((
X509Certificate
)
cert
).
getSigAlgName
();
// Check the signature algorithm and parameters against constraints.
if
(!
constraints
.
permits
(
SIGNATURE_PRIMITIVE_SET
,
currSigAlg
,
currSigAlgParams
))
{
throw
new
CertPathValidatorException
(
"Algorithm constraints check failed on signature "
+
"algorithm: "
+
currSigAlg
,
null
,
null
,
-
1
,
BasicReason
.
ALGORITHM_CONSTRAINED
);
}
// Assume all key usage bits are set if key usage is not present
Set
<
CryptoPrimitive
>
primitives
=
KU_PRIMITIVE_SET
;
...
...
@@ -253,101 +317,74 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
}
}
PublicKey
currPubKey
=
cert
.
getPublicKey
();
ConstraintsParameters
cp
=
new
ConstraintsParameters
((
X509Certificate
)
cert
,
trustedMatch
,
pkixdate
,
jarTimestamp
,
variant
);
// Check against local constraints if it is DisabledAlgorithmConstraints
if
(
constraints
instanceof
DisabledAlgorithmConstraints
)
{
// Check against DisabledAlgorithmConstraints certpath constraints.
// permits() will throw exception on failure.
((
DisabledAlgorithmConstraints
)
constraints
).
permits
(
primitives
,
new
CertConstraintParameters
((
X509Certificate
)
cert
,
trustedMatch
));
// If there is no previous key, set one and exit
if
(
prevPubKey
==
null
)
{
prevPubKey
=
currPubKey
;
return
;
}
}
X509CertImpl
x509Cert
;
AlgorithmId
algorithmId
;
try
{
x509Cert
=
X509CertImpl
.
toImpl
((
X509Certificate
)
cert
);
algorithmId
=
(
AlgorithmId
)
x509Cert
.
get
(
X509CertImpl
.
SIG_ALG
);
}
catch
(
CertificateException
ce
)
{
throw
new
CertPathValidatorException
(
ce
);
}
((
DisabledAlgorithmConstraints
)
constraints
).
permits
(
currSigAlg
,
cp
);
// DisabledAlgorithmsConstraints does not check primitives, so key
// additional key check.
AlgorithmParameters
currSigAlgParams
=
algorithmId
.
getParameters
();
String
currSigAlg
=
x509Cert
.
getSigAlgName
();
// If 'constraints' is not of DisabledAlgorithmConstraints, check all
// everything individually
if
(!(
constraints
instanceof
DisabledAlgorithmConstraints
))
{
// Check the current signature algorithm
if
(!
constraints
.
permits
(
SIGNATURE_PRIMITIVE_SET
,
currSigAlg
,
currSigAlgParams
))
{
}
else
{
// Perform the default constraints checking anyway.
certPathDefaultConstraints
.
permits
(
currSigAlg
,
cp
);
// Call locally set constraints to check key with primitives.
if
(!
constraints
.
permits
(
primitives
,
currPubKey
))
{
throw
new
CertPathValidatorException
(
"Algorithm constraints check failed on signature "
+
"algorithm: "
+
currSigAlg
,
null
,
null
,
-
1
,
BasicReason
.
ALGORITHM_CONSTRAINED
);
"Algorithm constraints check failed on key "
+
currPubKey
.
getAlgorithm
()
+
" with size of "
+
sun
.
security
.
util
.
KeyUtil
.
getKeySize
(
currPubKey
)
+
"bits"
,
null
,
null
,
-
1
,
BasicReason
.
ALGORITHM_CONSTRAINED
);
}
if
(!
constraints
.
permits
(
primitives
,
currPubKey
))
{
throw
new
CertPathValidatorException
(
"Algorithm constraints check failed on keysize: "
+
sun
.
security
.
util
.
KeyUtil
.
getKeySize
(
currPubKey
),
null
,
null
,
-
1
,
BasicReason
.
ALGORITHM_CONSTRAINED
);
}
// If there is no previous key, set one and exit
if
(
prevPubKey
==
null
)
{
prevPubKey
=
currPubKey
;
return
;
}
// Check with previous cert for signature algorithm and public key
if
(
prevPubKey
!=
null
)
{
if
(!
constraints
.
permits
(
SIGNATURE_PRIMITIVE_SET
,
currSigAlg
,
prevPubKey
,
currSigAlgParams
))
{
throw
new
CertPathValidatorException
(
if
(!
constraints
.
permits
(
SIGNATURE_PRIMITIVE_SET
,
currSigAlg
,
prevPubKey
,
currSigAlgParams
))
{
throw
new
CertPathValidatorException
(
"Algorithm constraints check failed on "
+
"signature algorithm: "
+
currSigAlg
,
null
,
null
,
-
1
,
BasicReason
.
ALGORITHM_CONSTRAINED
);
}
null
,
null
,
-
1
,
BasicReason
.
ALGORITHM_CONSTRAINED
);
}
// Inherit key parameters from previous key
if
(
PKIX
.
isDSAPublicKeyWithoutParams
(
currPubKey
))
{
// Inherit DSA parameters from previous key
if
(!(
prevPubKey
instanceof
DSAPublicKey
))
{
throw
new
CertPathValidatorException
(
"Input key is not "
+
// Inherit key parameters from previous key
if
(
PKIX
.
isDSAPublicKeyWithoutParams
(
currPubKey
))
{
// Inherit DSA parameters from previous key
if
(!(
prevPubKey
instanceof
DSAPublicKey
))
{
throw
new
CertPathValidatorException
(
"Input key is not "
+
"of a appropriate type for inheriting parameters"
);
}
}
DSAParams
params
=
((
DSAPublicKey
)
prevPubKey
).
getParams
();
if
(
params
==
null
)
{
throw
new
CertPathValidatorException
(
DSAParams
params
=
((
DSAPublicKey
)
prevPubKey
).
getParams
();
if
(
params
==
null
)
{
throw
new
CertPathValidatorException
(
"Key parameters missing from public key."
);
}
}
try
{
BigInteger
y
=
((
DSAPublicKey
)
currPubKey
).
getY
();
KeyFactory
kf
=
KeyFactory
.
getInstance
(
"DSA"
);
DSAPublicKeySpec
ks
=
new
DSAPublicKeySpec
(
y
,
params
.
getP
(),
params
.
getQ
(),
params
.
getG
());
currPubKey
=
kf
.
generatePublic
(
ks
);
}
catch
(
GeneralSecurityException
e
)
{
throw
new
CertPathValidatorException
(
"Unable to generate "
+
try
{
BigInteger
y
=
((
DSAPublicKey
)
currPubKey
).
getY
();
KeyFactory
kf
=
KeyFactory
.
getInstance
(
"DSA"
);
DSAPublicKeySpec
ks
=
new
DSAPublicKeySpec
(
y
,
params
.
getP
(),
params
.
getQ
(),
params
.
getG
());
currPubKey
=
kf
.
generatePublic
(
ks
);
}
catch
(
GeneralSecurityException
e
)
{
throw
new
CertPathValidatorException
(
"Unable to generate "
+
"key with inherited parameters: "
+
e
.
getMessage
(),
e
);
}
}
}
// reset the previous public key
prevPubKey
=
currPubKey
;
// check the extended key usage, ignore the check now
// List<String> extendedKeyUsages = x509Cert.getExtendedKeyUsage();
// DO NOT remove any unresolved critical extensions
}
/**
...
...
@@ -387,8 +424,10 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
*
* @param key the public key to verify the CRL signature
* @param crl the target CRL
* @param variant is the Validator variants of the operation. A null value
* passed will set it to Validator.GENERIC.
*/
static
void
check
(
PublicKey
key
,
X509CRL
crl
)
static
void
check
(
PublicKey
key
,
X509CRL
crl
,
String
variant
)
throws
CertPathValidatorException
{
X509CRLImpl
x509CRLImpl
=
null
;
...
...
@@ -399,28 +438,24 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
}
AlgorithmId
algorithmId
=
x509CRLImpl
.
getSigAlgId
();
check
(
key
,
algorithmId
);
check
(
key
,
algorithmId
,
variant
);
}
/**
* Check the signature algorithm with the specified public key.
*
* @param key the public key to verify the CRL signature
* @param crl the target CRL
* @param algorithmId signature algorithm Algorithm ID
* @param variant is the Validator variants of the operation. A null value
* passed will set it to Validator.GENERIC.
*/
static
void
check
(
PublicKey
key
,
AlgorithmId
algorithmId
)
static
void
check
(
PublicKey
key
,
AlgorithmId
algorithmId
,
String
variant
)
throws
CertPathValidatorException
{
String
sigAlgName
=
algorithmId
.
getName
();
AlgorithmParameters
sigAlgParams
=
algorithmId
.
getParameters
();
if
(!
certPathDefaultConstraints
.
permits
(
SIGNATURE_PRIMITIVE_SET
,
sigAlgName
,
key
,
sigAlgParams
))
{
throw
new
CertPathValidatorException
(
"Algorithm constraints check failed on signature algorithm: "
+
sigAlgName
+
" is disabled"
,
null
,
null
,
-
1
,
BasicReason
.
ALGORITHM_CONSTRAINED
);
}
certPathDefaultConstraints
.
permits
(
new
ConstraintsParameters
(
sigAlgName
,
sigAlgParams
,
key
,
variant
));
}
}
src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
浏览文件 @
8587eb8d
/*
* Copyright (c) 2002, 201
5
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 201
7
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -33,6 +33,7 @@ import javax.security.auth.x500.X500Principal;
import
java.util.*
;
import
sun.security.util.Debug
;
import
sun.security.validator.Validator
;
import
static
sun
.
security
.
x509
.
PKIXExtensions
.*;
import
sun.security.x509.*
;
...
...
@@ -65,6 +66,20 @@ public class DistributionPointFetcher {
* Return the X509CRLs matching this selector. The selector must be
* an X509CRLSelector with certificateChecking set.
*/
public
static
Collection
<
X509CRL
>
getCRLs
(
X509CRLSelector
selector
,
boolean
signFlag
,
PublicKey
prevKey
,
String
provider
,
List
<
CertStore
>
certStores
,
boolean
[]
reasonsMask
,
Set
<
TrustAnchor
>
trustAnchors
,
Date
validity
,
String
variant
)
throws
CertStoreException
{
return
getCRLs
(
selector
,
signFlag
,
prevKey
,
null
,
provider
,
certStores
,
reasonsMask
,
trustAnchors
,
validity
,
variant
);
}
/**
* Return the X509CRLs matching this selector. The selector must be
* an X509CRLSelector with certificateChecking set.
*/
// Called by com.sun.deploy.security.RevocationChecker
public
static
Collection
<
X509CRL
>
getCRLs
(
X509CRLSelector
selector
,
boolean
signFlag
,
PublicKey
prevKey
,
...
...
@@ -76,7 +91,7 @@ public class DistributionPointFetcher {
throws
CertStoreException
{
return
getCRLs
(
selector
,
signFlag
,
prevKey
,
null
,
provider
,
certStores
,
reasonsMask
,
trustAnchors
,
validity
);
reasonsMask
,
trustAnchors
,
validity
,
Validator
.
VAR_GENERIC
);
}
/**
...
...
@@ -91,7 +106,8 @@ public class DistributionPointFetcher {
List
<
CertStore
>
certStores
,
boolean
[]
reasonsMask
,
Set
<
TrustAnchor
>
trustAnchors
,
Date
validity
)
Date
validity
,
String
variant
)
throws
CertStoreException
{
X509Certificate
cert
=
selector
.
getCertificateChecking
();
...
...
@@ -120,7 +136,7 @@ public class DistributionPointFetcher {
DistributionPoint
point
=
t
.
next
();
Collection
<
X509CRL
>
crls
=
getCRLs
(
selector
,
certImpl
,
point
,
reasonsMask
,
signFlag
,
prevKey
,
prevCert
,
provider
,
certStores
,
trustAnchors
,
validity
);
certStores
,
trustAnchors
,
validity
,
variant
);
results
.
addAll
(
crls
);
}
if
(
debug
!=
null
)
{
...
...
@@ -145,7 +161,7 @@ public class DistributionPointFetcher {
X509CertImpl
certImpl
,
DistributionPoint
point
,
boolean
[]
reasonsMask
,
boolean
signFlag
,
PublicKey
prevKey
,
X509Certificate
prevCert
,
String
provider
,
List
<
CertStore
>
certStores
,
Set
<
TrustAnchor
>
trustAnchors
,
Date
validity
)
Set
<
TrustAnchor
>
trustAnchors
,
Date
validity
,
String
variant
)
throws
CertStoreException
{
// check for full name
...
...
@@ -208,7 +224,7 @@ public class DistributionPointFetcher {
selector
.
setIssuerNames
(
null
);
if
(
selector
.
match
(
crl
)
&&
verifyCRL
(
certImpl
,
point
,
crl
,
reasonsMask
,
signFlag
,
prevKey
,
prevCert
,
provider
,
trustAnchors
,
certStores
,
validity
))
{
trustAnchors
,
certStores
,
validity
,
variant
))
{
crls
.
add
(
crl
);
}
}
catch
(
IOException
|
CRLException
e
)
{
...
...
@@ -317,7 +333,7 @@ public class DistributionPointFetcher {
X509CRL
crl
,
boolean
[]
reasonsMask
,
boolean
signFlag
,
PublicKey
prevKey
,
X509Certificate
prevCert
,
String
provider
,
Set
<
TrustAnchor
>
trustAnchors
,
List
<
CertStore
>
certStores
,
Date
validity
)
throws
CRLException
,
IOException
{
Date
validity
,
String
variant
)
throws
CRLException
,
IOException
{
if
(
debug
!=
null
)
{
debug
.
println
(
"DistributionPointFetcher.verifyCRL: "
+
...
...
@@ -443,7 +459,7 @@ public class DistributionPointFetcher {
}
if
(
indirectCRL
)
{
if
(
pointCrlIssuers
.
size
()
!=
1
)
{
// RFC
3
280: there must be only 1 CRL issuer
// RFC
5
280: there must be only 1 CRL issuer
// name when relativeName is present
if
(
debug
!=
null
)
{
debug
.
println
(
"must only be one CRL "
+
...
...
@@ -664,7 +680,7 @@ public class DistributionPointFetcher {
// check the crl signature algorithm
try
{
AlgorithmChecker
.
check
(
prevKey
,
crl
);
AlgorithmChecker
.
check
(
prevKey
,
crl
,
variant
);
}
catch
(
CertPathValidatorException
cpve
)
{
if
(
debug
!=
null
)
{
debug
.
println
(
"CRL signature algorithm check failed: "
+
cpve
);
...
...
src/share/classes/sun/security/provider/certpath/OCSP.java
浏览文件 @
8587eb8d
/*
* Copyright (c) 2009, 201
3
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2009, 201
7
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -35,6 +35,7 @@ import java.security.cert.CertPathValidatorException;
import
java.security.cert.CertPathValidatorException.BasicReason
;
import
java.security.cert.CRLReason
;
import
java.security.cert.Extension
;
import
java.security.cert.TrustAnchor
;
import
java.security.cert.X509Certificate
;
import
java.util.Arrays
;
import
java.util.Collections
;
...
...
@@ -42,14 +43,14 @@ import java.util.Date;
import
java.util.List
;
import
java.util.Map
;
import
static
sun
.
security
.
provider
.
certpath
.
OCSPResponse
.*;
import
sun.security.action.GetIntegerAction
;
import
sun.security.util.Debug
;
import
sun.security.
util.ObjectIdentifie
r
;
import
sun.security.
validator.Validato
r
;
import
sun.security.x509.AccessDescription
;
import
sun.security.x509.AuthorityInfoAccessExtension
;
import
sun.security.x509.GeneralName
;
import
sun.security.x509.GeneralNameInterface
;
import
sun.security.x509.PKIXExtensions
;
import
sun.security.x509.URIName
;
import
sun.security.x509.X509CertImpl
;
...
...
@@ -65,9 +66,6 @@ import sun.security.x509.X509CertImpl;
*/
public
final
class
OCSP
{
static
final
ObjectIdentifier
NONCE_EXTENSION_OID
=
ObjectIdentifier
.
newInternal
(
new
int
[]{
1
,
3
,
6
,
1
,
5
,
5
,
7
,
48
,
1
,
2
});
private
static
final
Debug
debug
=
Debug
.
getInstance
(
"certpath"
);
private
static
final
int
DEFAULT_CONNECT_TIMEOUT
=
15000
;
...
...
@@ -97,42 +95,6 @@ public final class OCSP {
private
OCSP
()
{}
/**
* Obtains the revocation status of a certificate using OCSP using the most
* common defaults. The OCSP responder URI is retrieved from the
* certificate's AIA extension. The OCSP responder certificate is assumed
* to be the issuer's certificate (or issued by the issuer CA).
*
* @param cert the certificate to be checked
* @param issuerCert the issuer certificate
* @return the RevocationStatus
* @throws IOException if there is an exception connecting to or
* communicating with the OCSP responder
* @throws CertPathValidatorException if an exception occurs while
* encoding the OCSP Request or validating the OCSP Response
*/
public
static
RevocationStatus
check
(
X509Certificate
cert
,
X509Certificate
issuerCert
)
throws
IOException
,
CertPathValidatorException
{
CertId
certId
=
null
;
URI
responderURI
=
null
;
try
{
X509CertImpl
certImpl
=
X509CertImpl
.
toImpl
(
cert
);
responderURI
=
getResponderURI
(
certImpl
);
if
(
responderURI
==
null
)
{
throw
new
CertPathValidatorException
(
"No OCSP Responder URI in certificate"
);
}
certId
=
new
CertId
(
issuerCert
,
certImpl
.
getSerialNumberObject
());
}
catch
(
CertificateException
|
IOException
e
)
{
throw
new
CertPathValidatorException
(
"Exception while encoding OCSPRequest"
,
e
);
}
OCSPResponse
ocspResponse
=
check
(
Collections
.
singletonList
(
certId
),
responderURI
,
issuerCert
,
null
,
null
,
Collections
.<
Extension
>
emptyList
());
return
(
RevocationStatus
)
ocspResponse
.
getSingleResponse
(
certId
);
}
/**
* Obtains the revocation status of a certificate using OCSP.
...
...
@@ -149,6 +111,8 @@ public final class OCSP {
* @throws CertPathValidatorException if an exception occurs while
* encoding the OCSP Request or validating the OCSP Response
*/
// Called by com.sun.deploy.security.TrustDecider
public
static
RevocationStatus
check
(
X509Certificate
cert
,
X509Certificate
issuerCert
,
URI
responderURI
,
...
...
@@ -157,18 +121,27 @@ public final class OCSP {
throws
IOException
,
CertPathValidatorException
{
return
check
(
cert
,
issuerCert
,
responderURI
,
responderCert
,
date
,
Collections
.<
Extension
>
emptyList
());
Collections
.<
Extension
>
emptyList
()
,
Validator
.
VAR_GENERIC
);
}
// Called by com.sun.deploy.security.TrustDecider
public
static
RevocationStatus
check
(
X509Certificate
cert
,
X509Certificate
issuerCert
,
URI
responderURI
,
X509Certificate
responderCert
,
Date
date
,
List
<
Extension
>
extensions
)
X509Certificate
issuerCert
,
URI
responderURI
,
X509Certificate
responderCert
,
Date
date
,
List
<
Extension
>
extensions
,
String
variant
)
throws
IOException
,
CertPathValidatorException
{
CertId
certId
=
null
;
return
check
(
cert
,
responderURI
,
null
,
issuerCert
,
responderCert
,
date
,
extensions
,
variant
);
}
public
static
RevocationStatus
check
(
X509Certificate
cert
,
URI
responderURI
,
TrustAnchor
anchor
,
X509Certificate
issuerCert
,
X509Certificate
responderCert
,
Date
date
,
List
<
Extension
>
extensions
,
String
variant
)
throws
IOException
,
CertPathValidatorException
{
CertId
certId
;
try
{
X509CertImpl
certImpl
=
X509CertImpl
.
toImpl
(
cert
);
certId
=
new
CertId
(
issuerCert
,
certImpl
.
getSerialNumberObject
());
...
...
@@ -177,19 +150,23 @@ public final class OCSP {
(
"Exception while encoding OCSPRequest"
,
e
);
}
OCSPResponse
ocspResponse
=
check
(
Collections
.
singletonList
(
certId
),
responderURI
,
issuerCert
,
responderCert
,
date
,
extensions
);
responderURI
,
new
OCSPResponse
.
IssuerInfo
(
anchor
,
issuerCert
),
responderCert
,
date
,
extensions
,
variant
);
return
(
RevocationStatus
)
ocspResponse
.
getSingleResponse
(
certId
);
}
/**
* Checks the revocation status of a list of certificates using OCSP.
*
* @param certs the CertIds to be checked
* @param cert
Id
s the CertIds to be checked
* @param responderURI the URI of the OCSP responder
* @param issuer
Cert the issuer's certificate
* @param issuer
Info the issuer's certificate and/or subject and public key
* @param responderCert the OCSP responder's certificate
* @param date the time the validity of the OCSP responder's certificate
* should be checked against. If null, the current time is used.
* @param extensions zero or more OCSP extensions to be included in the
* request. If no extensions are requested, an empty {@code List} must
* be used. A {@code null} value is not allowed.
* @return the OCSPResponse
* @throws IOException if there is an exception connecting to or
* communicating with the OCSP responder
...
...
@@ -197,24 +174,59 @@ public final class OCSP {
* encoding the OCSP Request or validating the OCSP Response
*/
static
OCSPResponse
check
(
List
<
CertId
>
certIds
,
URI
responderURI
,
X509Certificate
issuerCert
,
OCSPResponse
.
IssuerInfo
issuerInfo
,
X509Certificate
responderCert
,
Date
date
,
List
<
Extension
>
extensions
)
List
<
Extension
>
extensions
,
String
variant
)
throws
IOException
,
CertPathValidatorException
{
byte
[]
bytes
=
null
;
OCSPRequest
request
=
null
;
byte
[]
nonce
=
null
;
for
(
Extension
ext
:
extensions
)
{
if
(
ext
.
getId
().
equals
(
PKIXExtensions
.
OCSPNonce_Id
.
toString
()))
{
nonce
=
ext
.
getValue
();
}
}
OCSPResponse
ocspResponse
=
null
;
try
{
request
=
new
OCSPRequest
(
certIds
,
extensions
);
bytes
=
request
.
encodeBytes
();
byte
[]
response
=
getOCSPBytes
(
certIds
,
responderURI
,
extensions
);
ocspResponse
=
new
OCSPResponse
(
response
);
// verify the response
ocspResponse
.
verify
(
certIds
,
issuerInfo
,
responderCert
,
date
,
nonce
,
variant
);
}
catch
(
IOException
ioe
)
{
throw
new
CertPathValidatorException
(
"Exception while encoding OCSPRequest"
,
ioe
);
throw
new
CertPathValidatorException
(
"Unable to determine revocation status due to network error"
,
ioe
,
null
,
-
1
,
BasicReason
.
UNDETERMINED_REVOCATION_STATUS
);
}
return
ocspResponse
;
}
/**
* Send an OCSP request, then read and return the OCSP response bytes.
*
* @param certIds the CertIds to be checked
* @param responderURI the URI of the OCSP responder
* @param extensions zero or more OCSP extensions to be included in the
* request. If no extensions are requested, an empty {@code List} must
* be used. A {@code null} value is not allowed.
*
* @return the OCSP response bytes
*
* @throws IOException if there is an exception connecting to or
* communicating with the OCSP responder
*/
public
static
byte
[]
getOCSPBytes
(
List
<
CertId
>
certIds
,
URI
responderURI
,
List
<
Extension
>
extensions
)
throws
IOException
{
OCSPRequest
request
=
new
OCSPRequest
(
certIds
,
extensions
);
byte
[]
bytes
=
request
.
encodeBytes
();
InputStream
in
=
null
;
OutputStream
out
=
null
;
byte
[]
response
=
null
;
try
{
URL
url
=
responderURI
.
toURL
();
if
(
debug
!=
null
)
{
...
...
@@ -257,10 +269,6 @@ public final class OCSP {
}
}
response
=
Arrays
.
copyOf
(
response
,
total
);
}
catch
(
IOException
ioe
)
{
throw
new
CertPathValidatorException
(
"Unable to determine revocation status due to network error"
,
ioe
,
null
,
-
1
,
BasicReason
.
UNDETERMINED_REVOCATION_STATUS
);
}
finally
{
if
(
in
!=
null
)
{
try
{
...
...
@@ -277,20 +285,7 @@ public final class OCSP {
}
}
}
OCSPResponse
ocspResponse
=
null
;
try
{
ocspResponse
=
new
OCSPResponse
(
response
);
}
catch
(
IOException
ioe
)
{
// response decoding exception
throw
new
CertPathValidatorException
(
ioe
);
}
// verify the response
ocspResponse
.
verify
(
certIds
,
issuerCert
,
responderCert
,
date
,
request
.
getNonce
());
return
ocspResponse
;
return
response
;
}
/**
...
...
@@ -322,7 +317,7 @@ public final class OCSP {
List
<
AccessDescription
>
descriptions
=
aia
.
getAccessDescriptions
();
for
(
AccessDescription
description
:
descriptions
)
{
if
(
description
.
getAccessMethod
().
equals
(
(
Object
)
if
(
description
.
getAccessMethod
().
equals
(
AccessDescription
.
Ad_OCSP_Id
))
{
GeneralName
generalName
=
description
.
getAccessLocation
();
...
...
src/share/classes/sun/security/provider/certpath/OCSPRequest.java
浏览文件 @
8587eb8d
/*
* Copyright (c) 2003, 201
3
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 201
7
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -32,10 +32,11 @@ import java.util.List;
import
sun.misc.HexDumpEncoder
;
import
sun.security.util.*
;
import
sun.security.x509.PKIXExtensions
;
/**
* This class can be used to generate an OCSP request and send it over
* an output
stream. Currently we do not support signing requests
* an output
stream. Currently we do not support signing requests.
* The OCSP Request is specified in RFC 2560 and
* the ASN.1 definition is as follows:
* <pre>
...
...
@@ -118,7 +119,8 @@ class OCSPRequest {
DerOutputStream
extOut
=
new
DerOutputStream
();
for
(
Extension
ext
:
extensions
)
{
ext
.
encode
(
extOut
);
if
(
ext
.
getId
().
equals
(
OCSP
.
NONCE_EXTENSION_OID
.
toString
()))
{
if
(
ext
.
getId
().
equals
(
PKIXExtensions
.
OCSPNonce_Id
.
toString
()))
{
nonce
=
ext
.
getValue
();
}
}
...
...
src/share/classes/sun/security/provider/certpath/OCSPResponse.java
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
src/share/classes/sun/security/provider/certpath/PKIX.java
浏览文件 @
8587eb8d
/*
* Copyright (c) 2012, 201
5
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2012, 201
7
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -26,6 +26,7 @@ package sun.security.provider.certpath;
import
java.security.InvalidAlgorithmParameterException
;
import
java.security.PublicKey
;
import
java.security.Timestamp
;
import
java.security.cert.*
;
import
java.security.interfaces.DSAPublicKey
;
import
java.util.*
;
...
...
@@ -85,6 +86,8 @@ class PKIX {
private
CertSelector
constraints
;
private
Set
<
TrustAnchor
>
anchors
;
private
List
<
X509Certificate
>
certs
;
private
Timestamp
timestamp
;
private
String
variant
;
ValidatorParams
(
CertPath
cp
,
PKIXParameters
params
)
throws
InvalidAlgorithmParameterException
...
...
@@ -100,6 +103,11 @@ class PKIX {
ValidatorParams
(
PKIXParameters
params
)
throws
InvalidAlgorithmParameterException
{
if
(
params
instanceof
PKIXExtendedParameters
)
{
timestamp
=
((
PKIXExtendedParameters
)
params
).
getTimestamp
();
variant
=
((
PKIXExtendedParameters
)
params
).
getVariant
();
}
this
.
anchors
=
params
.
getTrustAnchors
();
// Make sure that none of the trust anchors include name constraints
// (not supported).
...
...
@@ -189,6 +197,14 @@ class PKIX {
PKIXParameters
getPKIXParameters
()
{
return
params
;
}
Timestamp
timestamp
()
{
return
timestamp
;
}
String
variant
()
{
return
variant
;
}
}
static
class
BuilderParams
extends
ValidatorParams
{
...
...
src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
浏览文件 @
8587eb8d
/*
* Copyright (c) 2000, 201
5
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 201
7
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -172,7 +172,8 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi {
List
<
PKIXCertPathChecker
>
certPathCheckers
=
new
ArrayList
<>();
// add standard checkers that we will be using
certPathCheckers
.
add
(
untrustedChecker
);
certPathCheckers
.
add
(
new
AlgorithmChecker
(
anchor
));
certPathCheckers
.
add
(
new
AlgorithmChecker
(
anchor
,
null
,
params
.
date
(),
params
.
timestamp
(),
params
.
variant
()));
certPathCheckers
.
add
(
new
KeyChecker
(
certPathLen
,
params
.
targetCertConstraints
()));
certPathCheckers
.
add
(
new
ConstraintsChecker
(
certPathLen
));
...
...
@@ -189,8 +190,11 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi {
rootNode
);
certPathCheckers
.
add
(
pc
);
// default value for date is current time
BasicChecker
bc
=
new
BasicChecker
(
anchor
,
params
.
date
(),
params
.
sigProvider
(),
false
);
BasicChecker
bc
;
bc
=
new
BasicChecker
(
anchor
,
(
params
.
timestamp
()
==
null
?
params
.
date
()
:
params
.
timestamp
().
getTimestamp
()),
params
.
sigProvider
(),
false
);
certPathCheckers
.
add
(
bc
);
boolean
revCheckerAdded
=
false
;
...
...
src/share/classes/sun/security/provider/certpath/PKIXExtendedParameters.java
0 → 100644
浏览文件 @
8587eb8d
/*
* Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package
sun.security.provider.certpath
;
import
java.security.InvalidAlgorithmParameterException
;
import
java.security.Timestamp
;
import
java.security.cert.CertSelector
;
import
java.security.cert.CertStore
;
import
java.security.cert.PKIXBuilderParameters
;
import
java.security.cert.PKIXCertPathChecker
;
import
java.security.cert.TrustAnchor
;
import
java.util.Date
;
import
java.util.List
;
import
java.util.Set
;
/**
* This class is a wrapper for PKIXBuilderParameters so that a Timestamp object
* and a string for the variant type, can be passed when doing certpath
* checking.
*/
public
class
PKIXExtendedParameters
extends
PKIXBuilderParameters
{
private
final
PKIXBuilderParameters
p
;
private
Timestamp
jarTimestamp
;
private
final
String
variant
;
public
PKIXExtendedParameters
(
PKIXBuilderParameters
params
,
Timestamp
timestamp
,
String
variant
)
throws
InvalidAlgorithmParameterException
{
super
(
params
.
getTrustAnchors
(),
null
);
p
=
params
;
jarTimestamp
=
timestamp
;
this
.
variant
=
variant
;
}
public
Timestamp
getTimestamp
()
{
return
jarTimestamp
;
}
public
void
setTimestamp
(
Timestamp
t
)
{
jarTimestamp
=
t
;
}
public
String
getVariant
()
{
return
variant
;
}
@Override
public
void
setDate
(
Date
d
)
{
p
.
setDate
(
d
);
}
@Override
public
void
addCertPathChecker
(
PKIXCertPathChecker
c
)
{
p
.
addCertPathChecker
(
c
);
}
@Override
public
void
setMaxPathLength
(
int
maxPathLength
)
{
p
.
setMaxPathLength
(
maxPathLength
);
}
@Override
public
int
getMaxPathLength
()
{
return
p
.
getMaxPathLength
();
}
@Override
public
String
toString
()
{
return
p
.
toString
();
}
@Override
public
Set
<
TrustAnchor
>
getTrustAnchors
()
{
return
p
.
getTrustAnchors
();
}
@Override
public
void
setTrustAnchors
(
Set
<
TrustAnchor
>
trustAnchors
)
throws
InvalidAlgorithmParameterException
{
// To avoid problems with PKIXBuilderParameter's constructors
if
(
p
==
null
)
{
return
;
}
p
.
setTrustAnchors
(
trustAnchors
);
}
@Override
public
Set
<
String
>
getInitialPolicies
()
{
return
p
.
getInitialPolicies
();
}
@Override
public
void
setInitialPolicies
(
Set
<
String
>
initialPolicies
)
{
p
.
setInitialPolicies
(
initialPolicies
);
}
@Override
public
void
setCertStores
(
List
<
CertStore
>
stores
)
{
p
.
setCertStores
(
stores
);
}
@Override
public
void
addCertStore
(
CertStore
store
)
{
p
.
addCertStore
(
store
);
}
@Override
public
List
<
CertStore
>
getCertStores
()
{
return
p
.
getCertStores
();
}
@Override
public
void
setRevocationEnabled
(
boolean
val
)
{
p
.
setRevocationEnabled
(
val
);
}
@Override
public
boolean
isRevocationEnabled
()
{
return
p
.
isRevocationEnabled
();
}
@Override
public
void
setExplicitPolicyRequired
(
boolean
val
)
{
p
.
setExplicitPolicyRequired
(
val
);
}
@Override
public
boolean
isExplicitPolicyRequired
()
{
return
p
.
isExplicitPolicyRequired
();
}
@Override
public
void
setPolicyMappingInhibited
(
boolean
val
)
{
p
.
setPolicyMappingInhibited
(
val
);
}
@Override
public
boolean
isPolicyMappingInhibited
()
{
return
p
.
isPolicyMappingInhibited
();
}
@Override
public
void
setAnyPolicyInhibited
(
boolean
val
)
{
p
.
setAnyPolicyInhibited
(
val
);
}
@Override
public
boolean
isAnyPolicyInhibited
()
{
return
p
.
isAnyPolicyInhibited
();
}
@Override
public
void
setPolicyQualifiersRejected
(
boolean
qualifiersRejected
)
{
p
.
setPolicyQualifiersRejected
(
qualifiersRejected
);
}
@Override
public
boolean
getPolicyQualifiersRejected
()
{
return
p
.
getPolicyQualifiersRejected
();
}
@Override
public
Date
getDate
()
{
return
p
.
getDate
();
}
@Override
public
void
setCertPathCheckers
(
List
<
PKIXCertPathChecker
>
checkers
)
{
p
.
setCertPathCheckers
(
checkers
);
}
@Override
public
List
<
PKIXCertPathChecker
>
getCertPathCheckers
()
{
return
p
.
getCertPathCheckers
();
}
@Override
public
String
getSigProvider
()
{
return
p
.
getSigProvider
();
}
@Override
public
void
setSigProvider
(
String
sigProvider
)
{
p
.
setSigProvider
(
sigProvider
);
}
@Override
public
CertSelector
getTargetCertConstraints
()
{
return
p
.
getTargetCertConstraints
();
}
@Override
public
void
setTargetCertConstraints
(
CertSelector
selector
)
{
// To avoid problems with PKIXBuilderParameter's constructors
if
(
p
==
null
)
{
return
;
}
p
.
setTargetCertConstraints
(
selector
);
}
}
src/share/classes/sun/security/provider/certpath/ResponderId.java
0 → 100644
浏览文件 @
8587eb8d
/*
* Copyright (c) 2015, 2017 Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package
sun.security.provider.certpath
;
import
java.util.Arrays
;
import
java.io.IOException
;
import
java.security.PublicKey
;
import
javax.security.auth.x500.X500Principal
;
import
sun.security.x509.KeyIdentifier
;
import
sun.security.util.DerValue
;
/**
* Class for ResponderId entities as described in RFC6960. ResponderId objects
* are used to uniquely identify OCSP responders.
* <p>
* The RFC 6960 defines a ResponderID structure as:
* <pre>
* ResponderID ::= CHOICE {
* byName [1] Name,
* byKey [2] KeyHash }
*
* KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
* (excluding the tag and length fields)
*
* Name is defined in RFC 5280.
* </pre>
*
* @see ResponderId.Type
* @since 9
*/
public
final
class
ResponderId
{
/**
* A {@code ResponderId} enumeration describing the accepted forms for a
* {@code ResponderId}.
*
* @see ResponderId
* @since 9
*/
public
static
enum
Type
{
/**
* A BY_NAME {@code ResponderId} will be built from a subject name,
* either as an {@code X500Principal} or a DER-encoded byte array.
*/
BY_NAME
(
1
,
"byName"
),
/**
* A BY_KEY {@code ResponderId} will be built from a public key
* identifier, either derived from a {@code PublicKey} or directly
* from a DER-encoded byte array containing the key identifier.
*/
BY_KEY
(
2
,
"byKey"
);
private
final
int
tagNumber
;
private
final
String
ridTypeName
;
private
Type
(
int
value
,
String
name
)
{
this
.
tagNumber
=
value
;
this
.
ridTypeName
=
name
;
}
public
int
value
()
{
return
tagNumber
;
}
@Override
public
String
toString
()
{
return
ridTypeName
;
}
}
private
Type
type
;
private
X500Principal
responderName
;
private
KeyIdentifier
responderKeyId
;
private
byte
[]
encodedRid
;
/**
* Constructs a {@code ResponderId} object using an {@code X500Principal}.
* When encoded in DER this object will use the BY_NAME option.
*
* @param subjectName the subject name of the certificate used
* to sign OCSP responses.
*
* @throws IOException if the internal DER-encoding of the
* {@code X500Principal} fails.
*/
public
ResponderId
(
X500Principal
subjectName
)
throws
IOException
{
responderName
=
subjectName
;
responderKeyId
=
null
;
encodedRid
=
principalToBytes
();
type
=
Type
.
BY_NAME
;
}
/**
* Constructs a {@code ResponderId} object using a {@code PublicKey}.
* When encoded in DER this object will use the byKey option, a
* SHA-1 hash of the responder's public key.
*
* @param pubKey the the OCSP responder's public key
*
* @throws IOException if the internal DER-encoding of the
* {@code KeyIdentifier} fails.
*/
public
ResponderId
(
PublicKey
pubKey
)
throws
IOException
{
responderKeyId
=
new
KeyIdentifier
(
pubKey
);
responderName
=
null
;
encodedRid
=
keyIdToBytes
();
type
=
Type
.
BY_KEY
;
}
/**
* Constructs a {@code ResponderId} object from its DER-encoding.
*
* @param encodedData the DER-encoded bytes
*
* @throws IOException if the encodedData is not properly DER encoded
*/
public
ResponderId
(
byte
[]
encodedData
)
throws
IOException
{
DerValue
outer
=
new
DerValue
(
encodedData
);
if
(
outer
.
isContextSpecific
((
byte
)
Type
.
BY_NAME
.
value
())
&&
outer
.
isConstructed
())
{
// Use the X500Principal constructor as a way to sanity
// check the incoming data.
responderName
=
new
X500Principal
(
outer
.
getDataBytes
());
encodedRid
=
principalToBytes
();
type
=
Type
.
BY_NAME
;
}
else
if
(
outer
.
isContextSpecific
((
byte
)
Type
.
BY_KEY
.
value
())
&&
outer
.
isConstructed
())
{
// Use the KeyIdentifier constructor as a way to sanity
// check the incoming data.
responderKeyId
=
new
KeyIdentifier
(
new
DerValue
(
outer
.
getDataBytes
()));
encodedRid
=
keyIdToBytes
();
type
=
Type
.
BY_KEY
;
}
else
{
throw
new
IOException
(
"Invalid ResponderId content"
);
}
}
/**
* Encode a {@code ResponderId} in DER form
*
* @return a byte array containing the DER-encoded representation for this
* {@code ResponderId}
*/
public
byte
[]
getEncoded
()
{
return
encodedRid
.
clone
();
}
/**
* Return the type of {@ResponderId}
*
* @return a number corresponding to the context-specific tag number
* used in the DER-encoding for a {@code ResponderId}
*/
public
ResponderId
.
Type
getType
()
{
return
type
;
}
/**
* Get the length of the encoded {@code ResponderId} (including the tag and
* length of the explicit tagging from the outer ASN.1 CHOICE).
*
* @return the length of the encoded {@code ResponderId}
*/
public
int
length
()
{
return
encodedRid
.
length
;
}
/**
* Obtain the underlying {@code X500Principal} from a {@code ResponderId}
*
* @return the {@code X500Principal} for this {@code ResponderId} if it
* is a BY_NAME variant. If the {@code ResponderId} is a BY_KEY
* variant, this routine will return {@code null}.
*/
public
X500Principal
getResponderName
()
{
return
responderName
;
}
/**
* Obtain the underlying key identifier from a {@code ResponderId}
*
* @return the {@code KeyIdentifier} for this {@code ResponderId} if it
* is a BY_KEY variant. If the {@code ResponderId} is a BY_NAME
* variant, this routine will return {@code null}.
*/
public
KeyIdentifier
getKeyIdentifier
()
{
return
responderKeyId
;
}
/**
* Compares the specified object with this {@code ResponderId} for equality.
* A ResponderId will only be considered equivalent if both the type and
* data value are equal. Two ResponderIds initialized by name and
* key ID, respectively, will not be equal even if the
* ResponderId objects are created from the same source certificate.
*
* @param obj the object to be compared against
*
* @return true if the specified object is equal to this {@code Responderid}
*/
@Override
public
boolean
equals
(
Object
obj
)
{
if
(
obj
==
null
)
{
return
false
;
}
if
(
this
==
obj
)
{
return
true
;
}
if
(
obj
instanceof
ResponderId
)
{
ResponderId
respObj
=
(
ResponderId
)
obj
;
return
Arrays
.
equals
(
encodedRid
,
respObj
.
getEncoded
());
}
return
false
;
}
/**
* Returns the hash code value for this {@code ResponderId}
*
* @return the hash code value for this {@code ResponderId}
*/
@Override
public
int
hashCode
()
{
return
Arrays
.
hashCode
(
encodedRid
);
}
/**
* Create a String representation of this {@code ResponderId}
*
* @return a String representation of this {@code ResponderId}
*/
@Override
public
String
toString
()
{
StringBuilder
sb
=
new
StringBuilder
();
switch
(
type
)
{
case
BY_NAME:
sb
.
append
(
type
).
append
(
": "
).
append
(
responderName
);
break
;
case
BY_KEY:
sb
.
append
(
type
).
append
(
": "
);
for
(
byte
keyIdByte
:
responderKeyId
.
getIdentifier
())
{
sb
.
append
(
String
.
format
(
"%02X"
,
keyIdByte
));
}
break
;
default
:
sb
.
append
(
"Unknown ResponderId Type: "
).
append
(
type
);
}
return
sb
.
toString
();
}
/**
* Convert the responderName data member into its DER-encoded form
*
* @return the DER encoding for a responder ID byName option, including
* explicit context-specific tagging.
*
* @throws IOException if any encoding error occurs
*/
private
byte
[]
principalToBytes
()
throws
IOException
{
DerValue
dv
=
new
DerValue
(
DerValue
.
createTag
(
DerValue
.
TAG_CONTEXT
,
true
,
(
byte
)
Type
.
BY_NAME
.
value
()),
responderName
.
getEncoded
());
return
dv
.
toByteArray
();
}
/**
* Convert the responderKeyId data member into its DER-encoded form
*
* @return the DER encoding for a responder ID byKey option, including
* explicit context-specific tagging.
*
* @throws IOException if any encoding error occurs
*/
private
byte
[]
keyIdToBytes
()
throws
IOException
{
// Place the KeyIdentifier bytes into an OCTET STRING
DerValue
inner
=
new
DerValue
(
DerValue
.
tag_OctetString
,
responderKeyId
.
getIdentifier
());
// Mark the OCTET STRING-wrapped KeyIdentifier bytes
// as EXPLICIT CONTEXT 2
DerValue
outer
=
new
DerValue
(
DerValue
.
createTag
(
DerValue
.
TAG_CONTEXT
,
true
,
(
byte
)
Type
.
BY_KEY
.
value
()),
inner
.
toByteArray
());
return
outer
.
toByteArray
();
}
}
src/share/classes/sun/security/provider/certpath/RevocationChecker.java
浏览文件 @
8587eb8d
/*
* Copyright (c) 2012, 201
5
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2012, 201
7
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -43,7 +43,6 @@ import javax.security.auth.x500.X500Principal;
import
static
sun
.
security
.
provider
.
certpath
.
OCSP
.*;
import
static
sun
.
security
.
provider
.
certpath
.
PKIX
.*;
import
sun.security.action.GetPropertyAction
;
import
sun.security.x509.*
;
import
static
sun
.
security
.
x509
.
PKIXExtensions
.*;
import
sun.security.util.Debug
;
...
...
@@ -62,12 +61,12 @@ class RevocationChecker extends PKIXRevocationChecker {
private
List
<
CertStore
>
certStores
;
private
Map
<
X509Certificate
,
byte
[]>
ocspResponses
;
private
List
<
Extension
>
ocspExtensions
;
private
boolean
legacy
;
private
final
boolean
legacy
;
private
LinkedList
<
CertPathValidatorException
>
softFailExceptions
=
new
LinkedList
<>();
// state variables
private
X509Certificate
issuerCert
;
private
OCSPResponse
.
IssuerInfo
issuerInfo
;
private
PublicKey
prevPubKey
;
private
boolean
crlSignFlag
;
private
int
certIndex
;
...
...
@@ -302,9 +301,9 @@ class RevocationChecker extends PKIXRevocationChecker {
CertPathValidatorException
(
"forward checking not supported"
);
}
if
(
anchor
!=
null
)
{
issuer
Cert
=
anchor
.
getTrustedCert
(
);
prevPubKey
=
(
issuerCert
!=
null
)
?
issuerCert
.
getPublicKey
()
:
anchor
.
getCAPublicKey
();
issuer
Info
=
new
OCSPResponse
.
IssuerInfo
(
anchor
);
prevPubKey
=
issuerInfo
.
getPublicKey
();
}
crlSignFlag
=
true
;
if
(
params
!=
null
&&
params
.
certPath
()
!=
null
)
{
...
...
@@ -438,7 +437,7 @@ class RevocationChecker extends PKIXRevocationChecker {
private
void
updateState
(
X509Certificate
cert
)
throws
CertPathValidatorException
{
issuer
Cert
=
cert
;
issuer
Info
=
new
OCSPResponse
.
IssuerInfo
(
anchor
,
cert
)
;
// Make new public key if parameters are missing
PublicKey
pubKey
=
cert
.
getPublicKey
();
...
...
@@ -466,6 +465,34 @@ class RevocationChecker extends PKIXRevocationChecker {
stackedCerts
,
params
.
trustAnchors
());
}
static
boolean
isCausedByNetworkIssue
(
String
type
,
CertStoreException
cse
)
{
boolean
result
;
Throwable
t
=
cse
.
getCause
();
switch
(
type
)
{
case
"LDAP"
:
if
(
t
!=
null
)
{
// These two exception classes are inside java.naming module
String
cn
=
t
.
getClass
().
getName
();
result
=
(
cn
.
equals
(
"javax.naming.ServiceUnavailableException"
)
||
cn
.
equals
(
"javax.naming.CommunicationException"
));
}
else
{
result
=
false
;
}
break
;
case
"SSLServer"
:
result
=
(
t
!=
null
&&
t
instanceof
IOException
);
break
;
case
"URI"
:
result
=
(
t
!=
null
&&
t
instanceof
IOException
);
break
;
default
:
// we don't know about any other remote CertStore types
return
false
;
}
return
result
;
}
private
void
checkCRLs
(
X509Certificate
cert
,
PublicKey
prevKey
,
X509Certificate
prevCert
,
boolean
signFlag
,
boolean
allowSeparateKey
,
...
...
@@ -478,9 +505,9 @@ class RevocationChecker extends PKIXRevocationChecker {
" ---checking revocation status ..."
);
}
//
reject circular dependencies - RFC 3
280 is not explicit on how
// to handle this,
so we feel it is safest to reject them until
//
the issue is resolved in the PKIX WG.
//
Reject circular dependencies - RFC 5
280 is not explicit on how
// to handle this,
but does suggest that they can be a security
//
risk and can create unresolvable dependencies
if
(
stackedCerts
!=
null
&&
stackedCerts
.
contains
(
cert
))
{
if
(
debug
!=
null
)
{
debug
.
println
(
"RevocationChecker.checkCRLs()"
+
...
...
@@ -510,7 +537,7 @@ class RevocationChecker extends PKIXRevocationChecker {
"CertStoreException: "
+
e
.
getMessage
());
}
if
(
networkFailureException
==
null
&&
CertStoreHelper
.
isCausedByNetworkIssue
(
store
.
getType
(),
e
))
{
isCausedByNetworkIssue
(
store
.
getType
(),
e
))
{
// save this exception, we may need to throw it later
networkFailureException
=
new
CertPathValidatorException
(
"Unable to determine revocation status due to "
+
...
...
@@ -550,15 +577,14 @@ class RevocationChecker extends PKIXRevocationChecker {
try
{
if
(
crlDP
)
{
approvedCRLs
.
addAll
(
DistributionPointFetcher
.
getCRLs
(
sel
,
signFlag
,
prevKey
,
prevCert
,
params
.
sigProvider
(),
certStores
,
reasonsMask
,
anchors
,
null
));
sel
,
signFlag
,
prevKey
,
prevCert
,
params
.
sigProvider
(),
certStores
,
reasonsMask
,
anchors
,
null
,
params
.
variant
()
));
}
}
catch
(
CertStoreException
e
)
{
if
(
e
instanceof
CertStoreTypeException
)
{
CertStoreTypeException
cste
=
(
CertStoreTypeException
)
e
;
if
(
CertStoreHelper
.
isCausedByNetworkIssue
(
cste
.
getType
(),
e
))
{
if
(
isCausedByNetworkIssue
(
cste
.
getType
(),
e
))
{
throw
new
CertPathValidatorException
(
"Unable to determine revocation status due to "
+
"network error"
,
e
,
null
,
-
1
,
...
...
@@ -634,7 +660,7 @@ class RevocationChecker extends PKIXRevocationChecker {
/*
* Abort CRL validation and throw exception if there are any
* unrecognized critical CRL entry extensions (see section
* 5.3 of RFC
3
280).
* 5.3 of RFC
5
280).
*/
Set
<
String
>
unresCritExts
=
entry
.
getCriticalExtensionOIDs
();
if
(
unresCritExts
!=
null
&&
!
unresCritExts
.
isEmpty
())
{
...
...
@@ -682,14 +708,8 @@ class RevocationChecker extends PKIXRevocationChecker {
OCSPResponse
response
=
null
;
CertId
certId
=
null
;
try
{
if
(
issuerCert
!=
null
)
{
certId
=
new
CertId
(
issuerCert
,
currCert
.
getSerialNumberObject
());
}
else
{
// must be an anchor name and key
certId
=
new
CertId
(
anchor
.
getCA
(),
anchor
.
getCAPublicKey
(),
currCert
.
getSerialNumberObject
());
}
certId
=
new
CertId
(
issuerInfo
.
getName
(),
issuerInfo
.
getPublicKey
(),
currCert
.
getSerialNumberObject
());
// check if there is a cached OCSP response available
byte
[]
responseBytes
=
ocspResponses
.
get
(
cert
);
...
...
@@ -706,8 +726,8 @@ class RevocationChecker extends PKIXRevocationChecker {
nonce
=
ext
.
getValue
();
}
}
response
.
verify
(
Collections
.
singletonList
(
certId
),
issuer
Cert
,
responderCert
,
params
.
date
(),
nonce
);
response
.
verify
(
Collections
.
singletonList
(
certId
),
issuer
Info
,
responderCert
,
params
.
date
(),
nonce
,
params
.
variant
()
);
}
else
{
URI
responderURI
=
(
this
.
responderURI
!=
null
)
...
...
@@ -720,8 +740,8 @@ class RevocationChecker extends PKIXRevocationChecker {
}
response
=
OCSP
.
check
(
Collections
.
singletonList
(
certId
),
responderURI
,
issuerCert
,
responderCert
,
null
,
ocspExtensions
);
responderURI
,
issuerInfo
,
responderCert
,
null
,
ocspExtensions
,
params
.
variant
()
);
}
}
catch
(
IOException
e
)
{
throw
new
CertPathValidatorException
(
...
...
@@ -833,7 +853,7 @@ class RevocationChecker extends PKIXRevocationChecker {
if
(
DistributionPointFetcher
.
verifyCRL
(
certImpl
,
point
,
crl
,
reasonsMask
,
signFlag
,
prevKey
,
null
,
params
.
sigProvider
(),
anchors
,
certStores
,
params
.
date
()))
certStores
,
params
.
date
()
,
params
.
variant
()
))
{
results
.
add
(
crl
);
}
...
...
@@ -886,9 +906,9 @@ class RevocationChecker extends PKIXRevocationChecker {
" ---checking "
+
msg
+
"..."
);
}
//
reject circular dependencies - RFC 3
280 is not explicit on how
// to handle this,
so we feel it is safest to reject them until
//
the issue is resolved in the PKIX WG.
//
Reject circular dependencies - RFC 5
280 is not explicit on how
// to handle this,
but does suggest that they can be a security
//
risk and can create unresolvable dependencies
if
((
stackedCerts
!=
null
)
&&
stackedCerts
.
contains
(
cert
))
{
if
(
debug
!=
null
)
{
debug
.
println
(
...
...
src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java
浏览文件 @
8587eb8d
/*
* Copyright (c) 2000, 201
5
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 201
7
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -50,7 +50,7 @@ import sun.security.util.Debug;
* <p> If successful, it returns a certification path which has successfully
* satisfied all the constraints and requirements specified in the
* PKIXBuilderParameters object and has been validated according to the PKIX
* path validation algorithm defined in RFC
3
280.
* path validation algorithm defined in RFC
5
280.
*
* <p> This implementation uses a depth-first search approach to finding
* certification paths. If it comes to a point in which it cannot find
...
...
@@ -343,7 +343,8 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi {
checkers
.
add
(
policyChecker
);
// add the algorithm checker
checkers
.
add
(
new
AlgorithmChecker
(
builder
.
trustAnchor
));
checkers
.
add
(
new
AlgorithmChecker
(
builder
.
trustAnchor
,
buildParams
.
date
(),
buildParams
.
variant
()));
BasicChecker
basicChecker
=
null
;
if
(
nextState
.
keyParamsNeeded
())
{
...
...
src/share/classes/sun/security/ssl/SSLContextImpl.java
浏览文件 @
8587eb8d
/*
* Copyright (c) 1999, 201
5
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 201
7
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -37,6 +37,7 @@ import javax.net.ssl.*;
import
sun.security.provider.certpath.AlgorithmChecker
;
import
sun.security.action.GetPropertyAction
;
import
sun.security.validator.Validator
;
public
abstract
class
SSLContextImpl
extends
SSLContextSpi
{
...
...
@@ -1040,7 +1041,7 @@ final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager
constraints
=
new
SSLAlgorithmConstraints
(
sslSocket
,
true
);
}
checkAlgorithmConstraints
(
chain
,
constraints
);
checkAlgorithmConstraints
(
chain
,
constraints
,
isClient
);
}
}
...
...
@@ -1082,12 +1083,12 @@ final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager
constraints
=
new
SSLAlgorithmConstraints
(
engine
,
true
);
}
checkAlgorithmConstraints
(
chain
,
constraints
);
checkAlgorithmConstraints
(
chain
,
constraints
,
isClient
);
}
}
private
void
checkAlgorithmConstraints
(
X509Certificate
[]
chain
,
AlgorithmConstraints
constraints
)
throws
CertificateException
{
AlgorithmConstraints
constraints
,
boolean
isClient
)
throws
CertificateException
{
try
{
// Does the certificate chain end with a trusted certificate?
...
...
@@ -1105,7 +1106,9 @@ final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager
// A forward checker, need to check from trust to target
if
(
checkedLength
>=
0
)
{
AlgorithmChecker
checker
=
new
AlgorithmChecker
(
constraints
);
AlgorithmChecker
checker
=
new
AlgorithmChecker
(
constraints
,
null
,
(
isClient
?
Validator
.
VAR_TLS_CLIENT
:
Validator
.
VAR_TLS_SERVER
));
checker
.
init
(
false
);
for
(
int
i
=
checkedLength
;
i
>=
0
;
i
--)
{
Certificate
cert
=
chain
[
i
];
...
...
src/share/classes/sun/security/ssl/SSLSocketImpl.java
浏览文件 @
8587eb8d
/*
* Copyright (c) 1996, 201
5
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 201
6
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -220,6 +220,11 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
Collections
.<
SNIServerName
>
emptyList
();
Collection
<
SNIMatcher
>
sniMatchers
=
Collections
.<
SNIMatcher
>
emptyList
();
// Is the serverNames set to empty with SSLParameters.setServerNames()?
private
boolean
noSniExtension
=
false
;
// Is the sniMatchers set to empty with SSLParameters.setSNIMatchers()?
private
boolean
noSniMatcher
=
false
;
/*
* READ ME * READ ME * READ ME * READ ME * READ ME * READ ME *
...
...
@@ -666,6 +671,11 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
}
super
.
connect
(
endpoint
,
timeout
);
if
(
host
==
null
||
host
.
length
()
==
0
)
{
useImplicitHost
(
false
);
}
doneConnect
();
}
...
...
@@ -2158,41 +2168,61 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
output
.
r
.
setVersion
(
protocolVersion
);
}
//
// ONLY used by ClientHandshaker for the server hostname during handshaking
//
synchronized
String
getHost
()
{
// Note that the host may be null or empty for localhost.
if
(
host
==
null
||
host
.
length
()
==
0
)
{
if
(!
trustNameService
)
{
// If the local name service is not trustworthy, reverse host
// name resolution should not be performed for endpoint
// identification. Use the application original specified
// hostname or IP address instead.
host
=
getOriginalHostname
(
getInetAddress
());
}
else
{
host
=
getInetAddress
().
getHostName
();
}
useImplicitHost
(
true
);
}
return
host
;
}
/*
*
Get the original application specified hostname.
*
Try to set and use the implicit specified hostname
*/
private
static
String
getOriginalHostname
(
InetAddress
inetAddress
)
{
/*
* Get the original hostname via sun.misc.SharedSecrets.
*/
private
synchronized
void
useImplicitHost
(
boolean
noSniUpdate
)
{
// Note: If the local name service is not trustworthy, reverse
// host name resolution should not be performed for endpoint
// identification. Use the application original specified
// hostname or IP address instead.
// Get the original hostname via jdk.internal.misc.SharedSecrets
InetAddress
inetAddress
=
getInetAddress
();
if
(
inetAddress
==
null
)
{
// not connected
return
;
}
JavaNetAccess
jna
=
SharedSecrets
.
getJavaNetAccess
();
String
originalHostname
=
jna
.
getOriginalHostName
(
inetAddress
);
if
((
originalHostname
!=
null
)
&&
(
originalHostname
.
length
()
!=
0
))
{
/*
* If no application specified hostname, use the IP address.
*/
if
(
originalHostname
==
null
||
originalHostname
.
length
()
==
0
)
{
originalHostname
=
inetAddress
.
getHostAddress
();
host
=
originalHostname
;
if
(!
noSniUpdate
&&
serverNames
.
isEmpty
()
&&
!
noSniExtension
)
{
serverNames
=
Utilities
.
addToSNIServerNameList
(
serverNames
,
host
);
if
(!
roleIsServer
&&
(
handshaker
!=
null
)
&&
!
handshaker
.
started
())
{
handshaker
.
setSNIServerNames
(
serverNames
);
}
}
return
;
}
return
originalHostname
;
// No explicitly specified hostname, no server name indication.
if
(!
trustNameService
)
{
// The local name service is not trustworthy, use IP address.
host
=
inetAddress
.
getHostAddress
();
}
else
{
// Use the underlying reverse host name resolution service.
host
=
getInetAddress
().
getHostName
();
}
}
...
...
@@ -2205,6 +2235,10 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
this
.
host
=
host
;
this
.
serverNames
=
Utilities
.
addToSNIServerNameList
(
this
.
serverNames
,
this
.
host
);
if
(!
roleIsServer
&&
(
handshaker
!=
null
)
&&
!
handshaker
.
started
())
{
handshaker
.
setSNIServerNames
(
serverNames
);
}
}
/**
...
...
@@ -2571,8 +2605,21 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
// the super implementation does not handle the following parameters
params
.
setEndpointIdentificationAlgorithm
(
identificationProtocol
);
params
.
setAlgorithmConstraints
(
algorithmConstraints
);
params
.
setSNIMatchers
(
sniMatchers
);
params
.
setServerNames
(
serverNames
);
if
(
sniMatchers
.
isEmpty
()
&&
!
noSniMatcher
)
{
// 'null' indicates none has been set
params
.
setSNIMatchers
(
null
);
}
else
{
params
.
setSNIMatchers
(
sniMatchers
);
}
if
(
serverNames
.
isEmpty
()
&&
!
noSniExtension
)
{
// 'null' indicates none has been set
params
.
setServerNames
(
null
);
}
else
{
params
.
setServerNames
(
serverNames
);
}
params
.
setUseCipherSuitesOrder
(
preferLocalCipherSuites
);
return
params
;
...
...
@@ -2592,11 +2639,13 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
List
<
SNIServerName
>
sniNames
=
params
.
getServerNames
();
if
(
sniNames
!=
null
)
{
noSniExtension
=
sniNames
.
isEmpty
();
serverNames
=
sniNames
;
}
Collection
<
SNIMatcher
>
matchers
=
params
.
getSNIMatchers
();
if
(
matchers
!=
null
)
{
noSniMatcher
=
matchers
.
isEmpty
();
sniMatchers
=
matchers
;
}
...
...
src/share/classes/sun/security/ssl/X509KeyManagerImpl.java
浏览文件 @
8587eb8d
/*
* Copyright (c) 2004, 201
3
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2004, 201
7
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -39,6 +39,7 @@ import java.security.cert.Certificate;
import
javax.net.ssl.*
;
import
sun.security.provider.certpath.AlgorithmChecker
;
import
sun.security.validator.Validator
;
/**
* The new X509 key manager implementation. The main differences to the
...
...
@@ -62,7 +63,7 @@ final class X509KeyManagerImpl extends X509ExtendedKeyManager
private
static
final
Debug
debug
=
Debug
.
getInstance
(
"ssl"
);
private
final
static
boolean
useDebug
=
private
static
final
boolean
useDebug
=
(
debug
!=
null
)
&&
Debug
.
isOn
(
"keymanager"
);
// for unit testing only, set via privileged reflection
...
...
@@ -661,6 +662,15 @@ final class X509KeyManagerImpl extends X509ExtendedKeyManager
return
CheckResult
.
OK
;
}
public
String
getValidator
()
{
if
(
this
==
CLIENT
)
{
return
Validator
.
VAR_TLS_CLIENT
;
}
else
if
(
this
==
SERVER
)
{
return
Validator
.
VAR_TLS_SERVER
;
}
return
Validator
.
VAR_GENERIC
;
}
}
// enum for the result of the extension check
...
...
@@ -774,7 +784,8 @@ final class X509KeyManagerImpl extends X509ExtendedKeyManager
// check the algorithm constraints
if
(
constraints
!=
null
&&
!
conformsToAlgorithmConstraints
(
constraints
,
chain
))
{
!
conformsToAlgorithmConstraints
(
constraints
,
chain
,
checkType
.
getValidator
()))
{
if
(
useDebug
)
{
debug
.
println
(
"Ignoring alias "
+
alias
+
...
...
@@ -811,13 +822,19 @@ final class X509KeyManagerImpl extends X509ExtendedKeyManager
}
private
static
boolean
conformsToAlgorithmConstraints
(
AlgorithmConstraints
constraints
,
Certificate
[]
chain
)
{
AlgorithmConstraints
constraints
,
Certificate
[]
chain
,
String
variant
)
{
AlgorithmChecker
checker
=
new
AlgorithmChecker
(
constraints
);
AlgorithmChecker
checker
=
new
AlgorithmChecker
(
constraints
,
null
,
variant
);
try
{
checker
.
init
(
false
);
}
catch
(
CertPathValidatorException
cpve
)
{
// unlikely to happen
if
(
useDebug
)
{
debug
.
println
(
"Cannot initialize algorithm constraints checker: "
+
cpve
);
}
return
false
;
}
...
...
@@ -828,6 +845,11 @@ final class X509KeyManagerImpl extends X509ExtendedKeyManager
// We don't care about the unresolved critical extensions.
checker
.
check
(
cert
,
Collections
.<
String
>
emptySet
());
}
catch
(
CertPathValidatorException
cpve
)
{
if
(
useDebug
)
{
debug
.
println
(
"Certificate ("
+
cert
+
") does not conform to algorithm constraints: "
+
cpve
);
}
return
false
;
}
}
...
...
src/share/classes/sun/security/util/AnchorCertificates.java
浏览文件 @
8587eb8d
...
...
@@ -31,8 +31,10 @@ import java.security.AccessController;
import
java.security.KeyStore
;
import
java.security.PrivilegedAction
;
import
java.security.cert.X509Certificate
;
import
java.util.Collections
;
import
java.util.Enumeration
;
import
java.util.HashSet
;
import
java.util.Set
;
import
sun.security.x509.X509CertImpl
;
...
...
@@ -44,7 +46,7 @@ public class AnchorCertificates {
private
static
final
Debug
debug
=
Debug
.
getInstance
(
"certpath"
);
private
static
final
String
HASH
=
"SHA-256"
;
private
static
HashSet
<
String
>
certs
;
private
static
Set
<
String
>
certs
=
Collections
.
emptySet
()
;
static
{
AccessController
.
doPrivileged
(
new
PrivilegedAction
<
Void
>()
{
...
...
src/share/classes/sun/security/util/C
ertConstraint
Parameters.java
→
src/share/classes/sun/security/util/C
onstraints
Parameters.java
浏览文件 @
8587eb8d
/*
* Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2016,
2017
Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -25,29 +25,93 @@
package
sun.security.util
;
import
sun.security.validator.Validator
;
import
java.security.AlgorithmParameters
;
import
java.security.Key
;
import
java.security.Timestamp
;
import
java.security.cert.X509Certificate
;
import
java.util.Date
;
/**
* This class is a wrapper for keeping state and passing objects between PKIX,
* AlgorithmChecker, and DisabledAlgorithmConstraints.
* This class contains parameters for checking against constraints that extend
* past the publicly available parameters in java.security.AlgorithmConstraints.
* This is currently on passed between between PKIX, AlgorithmChecker,
* and DisabledAlgorithmConstraints.
*/
public
class
CertConstraintParameters
{
public
class
ConstraintsParameters
{
/*
* The below 3 values are used the same as the permit() methods
* published in java.security.AlgorithmConstraints.
*/
// Algorithm string to be checked against constraints
private
final
String
algorithm
;
// AlgorithmParameters to the algorithm being checked
private
final
AlgorithmParameters
algParams
;
// Public Key being checked against constraints
private
final
Key
publicKey
;
/*
* New values that are checked against constraints that the current public
* API does not support.
*/
// A certificate being passed to check against constraints.
private
final
X509Certificate
cert
;
// This is true if the trust anchor in the certificate chain matches a cert
// in AnchorCertificates
private
final
boolean
trustedMatch
;
// PKIXParameter date
private
final
Date
pkixDate
;
// Timestamp of the signed JAR file
private
final
Timestamp
jarTimestamp
;
private
final
String
variant
;
public
CertConstraintParameters
(
X509Certificate
c
,
boolean
match
)
{
public
ConstraintsParameters
(
X509Certificate
c
,
boolean
match
,
Date
pkixdate
,
Timestamp
jarTime
,
String
variant
)
{
cert
=
c
;
trustedMatch
=
match
;
pkixDate
=
pkixdate
;
jarTimestamp
=
jarTime
;
this
.
variant
=
(
variant
==
null
?
Validator
.
VAR_GENERIC
:
variant
);
algorithm
=
null
;
algParams
=
null
;
publicKey
=
null
;
}
public
ConstraintsParameters
(
String
algorithm
,
AlgorithmParameters
params
,
Key
key
,
String
variant
)
{
this
.
algorithm
=
algorithm
;
algParams
=
params
;
this
.
publicKey
=
key
;
cert
=
null
;
trustedMatch
=
false
;
pkixDate
=
null
;
jarTimestamp
=
null
;
this
.
variant
=
(
variant
==
null
?
Validator
.
VAR_GENERIC
:
variant
);
}
public
ConstraintsParameters
(
X509Certificate
c
)
{
this
(
c
,
false
,
null
,
null
,
Validator
.
VAR_GENERIC
);
}
public
ConstraintsParameters
(
Timestamp
jarTime
)
{
this
(
null
,
false
,
null
,
jarTime
,
Validator
.
VAR_GENERIC
);
}
public
String
getAlgorithm
()
{
return
algorithm
;
}
public
CertConstraintParameters
(
X509Certificate
c
)
{
this
(
c
,
false
)
;
public
AlgorithmParameters
getAlgParams
(
)
{
return
algParams
;
}
public
Key
getPublicKey
()
{
return
publicKey
;
}
// Returns if the trust anchor has a match if anchor checking is enabled.
public
boolean
isTrustedMatch
()
{
return
trustedMatch
;
...
...
@@ -56,4 +120,16 @@ public class CertConstraintParameters {
public
X509Certificate
getCertificate
()
{
return
cert
;
}
public
Date
getPKIXParamDate
()
{
return
pkixDate
;
}
public
Timestamp
getJARTimestamp
()
{
return
jarTimestamp
;
}
public
String
getVariant
()
{
return
variant
;
}
}
src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
src/share/classes/sun/security/util/SignatureFileVerifier.java
浏览文件 @
8587eb8d
/*
* Copyright (c) 1997, 201
6
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 201
7
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -28,25 +28,23 @@ package sun.security.util;
import
java.io.ByteArrayInputStream
;
import
java.io.IOException
;
import
java.security.CodeSigner
;
import
java.security.
CryptoPrimitive
;
import
java.security.
GeneralSecurityException
;
import
java.security.MessageDigest
;
import
java.security.NoSuchAlgorithmException
;
import
java.security.SignatureException
;
import
java.security.Timestamp
;
import
java.security.cert.CertPath
;
import
java.security.cert.X509Certificate
;
import
java.security.cert.CertificateException
;
import
java.security.cert.CertificateFactory
;
import
java.util.ArrayList
;
import
java.util.Base64
;
import
java.util.Collections
;
import
java.util.EnumSet
;
import
java.util.HashMap
;
import
java.util.Hashtable
;
import
java.util.Iterator
;
import
java.util.List
;
import
java.util.Locale
;
import
java.util.Map
;
import
java.util.Set
;
import
java.util.jar.Attributes
;
import
java.util.jar.JarException
;
import
java.util.jar.JarFile
;
...
...
@@ -61,9 +59,6 @@ public class SignatureFileVerifier {
/* Are we debugging ? */
private
static
final
Debug
debug
=
Debug
.
getInstance
(
"jar"
);
private
static
final
Set
<
CryptoPrimitive
>
DIGEST_PRIMITIVE_SET
=
Collections
.
unmodifiableSet
(
EnumSet
.
of
(
CryptoPrimitive
.
MESSAGE_DIGEST
));
private
static
final
DisabledAlgorithmConstraints
JAR_DISABLED_CHECK
=
new
DisabledAlgorithmConstraints
(
DisabledAlgorithmConstraints
.
PROPERTY_JAR_DISABLED_ALGS
);
...
...
@@ -78,7 +73,7 @@ public class SignatureFileVerifier {
private
PKCS7
block
;
/** the raw bytes of the .SF file */
private
byte
sfBytes
[]
;
private
byte
[]
sfBytes
;
/** the name of the signature block file, uppercased and without
* the extension (.DSA/.RSA/.EC)
...
...
@@ -97,6 +92,14 @@ public class SignatureFileVerifier {
/* for generating certpath objects */
private
CertificateFactory
certificateFactory
=
null
;
/** Algorithms that have been checked if they are weak. */
private
Map
<
String
,
Boolean
>
permittedAlgs
=
new
HashMap
<>();
/** TSA timestamp of signed jar. The newest timestamp is used. If there
* was no TSA timestamp used when signed, current time is used ("null").
*/
private
Timestamp
timestamp
=
null
;
/**
* Create the named SignatureFileVerifier.
*
...
...
@@ -107,7 +110,7 @@ public class SignatureFileVerifier {
public
SignatureFileVerifier
(
ArrayList
<
CodeSigner
[]>
signerCache
,
ManifestDigester
md
,
String
name
,
byte
rawBytes
[]
)
byte
[]
rawBytes
)
throws
IOException
,
CertificateException
{
// new PKCS7() calls CertificateFactory.getInstance()
...
...
@@ -121,7 +124,7 @@ public class SignatureFileVerifier {
}
finally
{
Providers
.
stopJarVerification
(
obj
);
}
this
.
name
=
name
.
substring
(
0
,
name
.
lastIndexOf
(
"."
))
this
.
name
=
name
.
substring
(
0
,
name
.
lastIndexOf
(
'.'
))
.
toUpperCase
(
Locale
.
ENGLISH
);
this
.
md
=
md
;
this
.
signerCache
=
signerCache
;
...
...
@@ -152,7 +155,7 @@ public class SignatureFileVerifier {
* used to set the raw bytes of the .SF file when it
* is external to the signature block file.
*/
public
void
setSignatureFile
(
byte
sfBytes
[]
)
public
void
setSignatureFile
(
byte
[]
sfBytes
)
{
this
.
sfBytes
=
sfBytes
;
}
...
...
@@ -168,11 +171,10 @@ public class SignatureFileVerifier {
*/
public
static
boolean
isBlockOrSF
(
String
s
)
{
// we currently only support DSA and RSA PKCS7 blocks
if
(
s
.
endsWith
(
".SF"
)
||
s
.
endsWith
(
".DSA"
)
||
s
.
endsWith
(
".RSA"
)
||
s
.
endsWith
(
".EC"
))
{
return
true
;
}
return
false
;
return
s
.
endsWith
(
".SF"
)
||
s
.
endsWith
(
".DSA"
)
||
s
.
endsWith
(
".RSA"
)
||
s
.
endsWith
(
".EC"
);
}
/**
...
...
@@ -182,7 +184,7 @@ public class SignatureFileVerifier {
* unknown signature related files (those starting with SIG- with
* an optional [A-Z0-9]{1,3} extension right inside META-INF).
*
* @param
s
file name
* @param
name
file name
* @return true if the input file name is signature related
*/
public
static
boolean
isSigningRelated
(
String
name
)
{
...
...
@@ -198,7 +200,7 @@ public class SignatureFileVerifier {
return
true
;
}
else
if
(
name
.
startsWith
(
"SIG-"
))
{
// check filename extension
// see http
s
://docs.oracle.com/javase/7/docs/technotes/guides/jar/jar.html#Digital_Signatures
// see http://docs.oracle.com/javase/7/docs/technotes/guides/jar/jar.html#Digital_Signatures
// for what filename extensions are legal
int
extIndex
=
name
.
lastIndexOf
(
'.'
);
if
(
extIndex
!=
-
1
)
{
...
...
@@ -223,17 +225,10 @@ public class SignatureFileVerifier {
/** get digest from cache */
private
MessageDigest
getDigest
(
String
algorithm
)
throws
SignatureException
{
// check that algorithm is not restricted
if
(!
JAR_DISABLED_CHECK
.
permits
(
DIGEST_PRIMITIVE_SET
,
algorithm
,
null
))
{
SignatureException
e
=
new
SignatureException
(
"SignatureFile check failed. "
+
"Disabled algorithm used: "
+
algorithm
);
throw
e
;
}
private
MessageDigest
getDigest
(
String
algorithm
)
throws
SignatureException
{
if
(
createdDigests
==
null
)
createdDigests
=
new
HashMap
<
String
,
MessageDigest
>();
createdDigests
=
new
HashMap
<>();
MessageDigest
digest
=
createdDigests
.
get
(
algorithm
);
...
...
@@ -303,6 +298,27 @@ public class SignatureFileVerifier {
if
(
newSigners
==
null
)
return
;
/*
* Look for the latest timestamp in the signature block. If an entry
* has no timestamp, use current time (aka null).
*/
for
(
CodeSigner
s:
newSigners
)
{
if
(
debug
!=
null
)
{
debug
.
println
(
"Gathering timestamp for: "
+
s
.
toString
());
}
if
(
s
.
getTimestamp
()
==
null
)
{
timestamp
=
null
;
break
;
}
else
if
(
timestamp
==
null
)
{
timestamp
=
s
.
getTimestamp
();
}
else
{
if
(
timestamp
.
getTimestamp
().
before
(
s
.
getTimestamp
().
getTimestamp
()))
{
timestamp
=
s
.
getTimestamp
();
}
}
}
Iterator
<
Map
.
Entry
<
String
,
Attributes
>>
entries
=
sf
.
getEntries
().
entrySet
().
iterator
();
...
...
@@ -345,6 +361,68 @@ public class SignatureFileVerifier {
updateSigners
(
newSigners
,
signers
,
JarFile
.
MANIFEST_NAME
);
}
/**
* Check if algorithm is permitted using the permittedAlgs Map.
* If the algorithm is not in the map, check against disabled algorithms and
* store the result. If the algorithm is in the map use that result.
* False is returned for weak algorithm, true for good algorithms.
*/
boolean
permittedCheck
(
String
key
,
String
algorithm
)
{
Boolean
permitted
=
permittedAlgs
.
get
(
algorithm
);
if
(
permitted
==
null
)
{
try
{
JAR_DISABLED_CHECK
.
permits
(
algorithm
,
new
ConstraintsParameters
(
timestamp
));
}
catch
(
GeneralSecurityException
e
)
{
permittedAlgs
.
put
(
algorithm
,
Boolean
.
FALSE
);
permittedAlgs
.
put
(
key
.
toUpperCase
(),
Boolean
.
FALSE
);
if
(
debug
!=
null
)
{
if
(
e
.
getMessage
()
!=
null
)
{
debug
.
println
(
key
+
": "
+
e
.
getMessage
());
}
else
{
debug
.
println
(
key
+
": "
+
algorithm
+
" was disabled, no exception msg given."
);
e
.
printStackTrace
();
}
}
return
false
;
}
permittedAlgs
.
put
(
algorithm
,
Boolean
.
TRUE
);
return
true
;
}
// Algorithm has already been checked, return the value from map.
return
permitted
.
booleanValue
();
}
/**
* With a given header (*-DIGEST*), return a string that lists all the
* algorithms associated with the header.
* If there are none, return "Unknown Algorithm".
*/
String
getWeakAlgorithms
(
String
header
)
{
String
w
=
""
;
try
{
for
(
String
key
:
permittedAlgs
.
keySet
())
{
if
(
key
.
endsWith
(
header
))
{
w
+=
key
.
substring
(
0
,
key
.
length
()
-
header
.
length
())
+
" "
;
}
}
}
catch
(
RuntimeException
e
)
{
w
=
"Unknown Algorithm(s). Error processing "
+
header
+
". "
+
e
.
getMessage
();
}
// This means we have an error in finding weak algorithms, run in
// debug mode to see permittedAlgs map's values.
if
(
w
.
length
()
==
0
)
{
return
"Unknown Algorithm(s)"
;
}
return
w
;
}
/**
* See if the whole manifest was signed.
*/
...
...
@@ -355,6 +433,10 @@ public class SignatureFileVerifier {
{
Attributes
mattr
=
sf
.
getMainAttributes
();
boolean
manifestSigned
=
false
;
// If only weak algorithms are used.
boolean
weakAlgs
=
true
;
// If a "*-DIGEST-MANIFEST" entry is found.
boolean
validEntry
=
false
;
// go through all the attributes and process *-Digest-Manifest entries
for
(
Map
.
Entry
<
Object
,
Object
>
se
:
mattr
.
entrySet
())
{
...
...
@@ -364,6 +446,16 @@ public class SignatureFileVerifier {
if
(
key
.
toUpperCase
(
Locale
.
ENGLISH
).
endsWith
(
"-DIGEST-MANIFEST"
))
{
// 16 is length of "-Digest-Manifest"
String
algorithm
=
key
.
substring
(
0
,
key
.
length
()-
16
);
validEntry
=
true
;
// Check if this algorithm is permitted, skip if false.
if
(!
permittedCheck
(
key
,
algorithm
))
{
continue
;
}
// A non-weak algorithm was used, any weak algorithms found do
// not need to be reported.
weakAlgs
=
false
;
manifestDigests
.
add
(
key
);
manifestDigests
.
add
(
se
.
getValue
());
...
...
@@ -374,15 +466,14 @@ public class SignatureFileVerifier {
Base64
.
getMimeDecoder
().
decode
((
String
)
se
.
getValue
());
if
(
debug
!=
null
)
{
debug
.
println
(
"Signature File: Manifest digest "
+
digest
.
getAlgorithm
()
);
debug
.
println
(
" sigfile "
+
toHex
(
expectedHash
));
debug
.
println
(
" computed "
+
toHex
(
computedHash
));
debug
.
println
();
debug
.
println
(
"Signature File: Manifest digest "
+
algorithm
);
debug
.
println
(
" sigfile "
+
toHex
(
expectedHash
));
debug
.
println
(
" computed "
+
toHex
(
computedHash
));
debug
.
println
();
}
if
(
MessageDigest
.
isEqual
(
computedHash
,
expectedHash
))
{
if
(
MessageDigest
.
isEqual
(
computedHash
,
expectedHash
))
{
manifestSigned
=
true
;
}
else
{
//XXX: we will continue and verify each section
...
...
@@ -390,15 +481,33 @@ public class SignatureFileVerifier {
}
}
}
if
(
debug
!=
null
)
{
debug
.
println
(
"PermittedAlgs mapping: "
);
for
(
String
key
:
permittedAlgs
.
keySet
())
{
debug
.
println
(
key
+
" : "
+
permittedAlgs
.
get
(
key
).
toString
());
}
}
// If there were only weak algorithms entries used, throw an exception.
if
(
validEntry
&&
weakAlgs
)
{
throw
new
SignatureException
(
"Manifest hash check failed "
+
"(DIGEST-MANIFEST). Disabled algorithm(s) used: "
+
getWeakAlgorithms
(
"-DIGEST-MANIFEST"
));
}
return
manifestSigned
;
}
private
boolean
verifyManifestMainAttrs
(
Manifest
sf
,
ManifestDigester
md
)
private
boolean
verifyManifestMainAttrs
(
Manifest
sf
,
ManifestDigester
md
)
throws
IOException
,
SignatureException
{
Attributes
mattr
=
sf
.
getMainAttributes
();
boolean
attrsVerified
=
true
;
// If only weak algorithms are used.
boolean
weakAlgs
=
true
;
// If a ATTR_DIGEST entry is found.
boolean
validEntry
=
false
;
// go through all the attributes and process
// digest entries for the manifest main attributes
...
...
@@ -408,6 +517,16 @@ public class SignatureFileVerifier {
if
(
key
.
toUpperCase
(
Locale
.
ENGLISH
).
endsWith
(
ATTR_DIGEST
))
{
String
algorithm
=
key
.
substring
(
0
,
key
.
length
()
-
ATTR_DIGEST
.
length
());
validEntry
=
true
;
// Check if this algorithm is permitted, skip if false.
if
(!
permittedCheck
(
key
,
algorithm
))
{
continue
;
}
// A non-weak algorithm was used, any weak algorithms found do
// not need to be reported.
weakAlgs
=
false
;
MessageDigest
digest
=
getDigest
(
algorithm
);
if
(
digest
!=
null
)
{
...
...
@@ -426,8 +545,7 @@ public class SignatureFileVerifier {
debug
.
println
();
}
if
(
MessageDigest
.
isEqual
(
computedHash
,
expectedHash
))
{
if
(
MessageDigest
.
isEqual
(
computedHash
,
expectedHash
))
{
// good
}
else
{
// we will *not* continue and verify each section
...
...
@@ -443,6 +561,22 @@ public class SignatureFileVerifier {
}
}
if
(
debug
!=
null
)
{
debug
.
println
(
"PermittedAlgs mapping: "
);
for
(
String
key
:
permittedAlgs
.
keySet
())
{
debug
.
println
(
key
+
" : "
+
permittedAlgs
.
get
(
key
).
toString
());
}
}
// If there were only weak algorithms entries used, throw an exception.
if
(
validEntry
&&
weakAlgs
)
{
throw
new
SignatureException
(
"Manifest Main Attribute check "
+
"failed ("
+
ATTR_DIGEST
+
"). "
+
"Disabled algorithm(s) used: "
+
getWeakAlgorithms
(
ATTR_DIGEST
));
}
// this method returns 'true' if either:
// . manifest main attributes were not signed, or
// . manifest main attributes were signed and verified
...
...
@@ -465,6 +599,10 @@ public class SignatureFileVerifier {
{
boolean
oneDigestVerified
=
false
;
ManifestDigester
.
Entry
mde
=
md
.
get
(
name
,
block
.
isOldStyle
());
// If only weak algorithms are used.
boolean
weakAlgs
=
true
;
// If a "*-DIGEST" entry is found.
boolean
validEntry
=
false
;
if
(
mde
==
null
)
{
throw
new
SecurityException
(
...
...
@@ -472,8 +610,7 @@ public class SignatureFileVerifier {
}
if
(
sfAttr
!=
null
)
{
//sun.misc.HexDumpEncoder hex = new sun.misc.HexDumpEncoder();
//sun.security.util.HexDumpEncoder hex = new sun.security.util.HexDumpEncoder();
//hex.encodeBuffer(data, System.out);
// go through all the attributes and process *-Digest entries
...
...
@@ -483,6 +620,16 @@ public class SignatureFileVerifier {
if
(
key
.
toUpperCase
(
Locale
.
ENGLISH
).
endsWith
(
"-DIGEST"
))
{
// 7 is length of "-Digest"
String
algorithm
=
key
.
substring
(
0
,
key
.
length
()-
7
);
validEntry
=
true
;
// Check if this algorithm is permitted, skip if false.
if
(!
permittedCheck
(
key
,
algorithm
))
{
continue
;
}
// A non-weak algorithm was used, any weak algorithms found do
// not need to be reported.
weakAlgs
=
false
;
MessageDigest
digest
=
getDigest
(
algorithm
);
...
...
@@ -533,6 +680,22 @@ public class SignatureFileVerifier {
}
}
}
if
(
debug
!=
null
)
{
debug
.
println
(
"PermittedAlgs mapping: "
);
for
(
String
key
:
permittedAlgs
.
keySet
())
{
debug
.
println
(
key
+
" : "
+
permittedAlgs
.
get
(
key
).
toString
());
}
}
// If there were only weak algorithms entries used, throw an exception.
if
(
validEntry
&&
weakAlgs
)
{
throw
new
SignatureException
(
"Manifest Main Attribute check "
+
"failed (DIGEST). Disabled algorithm(s) used: "
+
getWeakAlgorithms
(
"DIGEST"
));
}
return
oneDigestVerified
;
}
...
...
@@ -541,7 +704,7 @@ public class SignatureFileVerifier {
* CodeSigner objects. We do this only *once* for a given
* signature block file.
*/
private
CodeSigner
[]
getSigners
(
SignerInfo
infos
[]
,
PKCS7
block
)
private
CodeSigner
[]
getSigners
(
SignerInfo
[]
infos
,
PKCS7
block
)
throws
IOException
,
NoSuchAlgorithmException
,
SignatureException
,
CertificateException
{
...
...
@@ -553,7 +716,7 @@ public class SignatureFileVerifier {
ArrayList
<
X509Certificate
>
chain
=
info
.
getCertificateChain
(
block
);
CertPath
certChain
=
certificateFactory
.
generateCertPath
(
chain
);
if
(
signers
==
null
)
{
signers
=
new
ArrayList
<
CodeSigner
>();
signers
=
new
ArrayList
<>();
}
// Append the new code signer
signers
.
add
(
new
CodeSigner
(
certChain
,
info
.
getTimestamp
()));
...
...
@@ -582,7 +745,7 @@ public class SignatureFileVerifier {
static
String
toHex
(
byte
[]
data
)
{
StringBu
ffer
sb
=
new
StringBuff
er
(
data
.
length
*
2
);
StringBu
ilder
sb
=
new
StringBuild
er
(
data
.
length
*
2
);
for
(
int
i
=
0
;
i
<
data
.
length
;
i
++)
{
sb
.
append
(
hexc
[(
data
[
i
]
>>
4
)
&
0x0f
]);
...
...
src/share/classes/sun/security/validator/PKIXValidator.java
浏览文件 @
8587eb8d
/*
* Copyright (c) 2002, 201
1
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 201
7
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -33,10 +33,11 @@ import java.security.cert.*;
import
javax.security.auth.x500.X500Principal
;
import
sun.security.action.GetBooleanAction
;
import
sun.security.provider.certpath.AlgorithmChecker
;
import
sun.security.provider.certpath.PKIXExtendedParameters
;
/**
* Validator implementation built on the PKIX CertPath API. This
* implementation will be emphasized going forward.
<p>
* implementation will be emphasized going forward.
* <p>
* Note that the validate() implementation tries to use a PKIX validator
* if that appears possible and a PKIX builder otherwise. This increases
...
...
@@ -208,13 +209,22 @@ public final class PKIXValidator extends Validator {
(
"null or zero-length certificate chain"
);
}
// add new algorithm constraints checker
PKIXBuilderParameters
pkixParameters
=
(
PKIXBuilderParameters
)
parameterTemplate
.
clone
();
AlgorithmChecker
algorithmChecker
=
null
;
// Use PKIXExtendedParameters for timestamp and variant additions
PKIXBuilderParameters
pkixParameters
=
null
;
try
{
pkixParameters
=
new
PKIXExtendedParameters
(
(
PKIXBuilderParameters
)
parameterTemplate
.
clone
(),
(
parameter
instanceof
Timestamp
)
?
(
Timestamp
)
parameter
:
null
,
variant
);
}
catch
(
InvalidAlgorithmParameterException
e
)
{
// ignore exception
}
// add a new algorithm constraints checker
if
(
constraints
!=
null
)
{
algorithmChecker
=
new
AlgorithmChecker
(
constraints
);
pkixParameters
.
addCertPathChecker
(
algorithmChecker
);
pkixParameters
.
addCertPathChecker
(
new
AlgorithmChecker
(
constraints
,
null
,
variant
)
);
}
if
(
TRY_VALIDATOR
)
{
...
...
src/share/classes/sun/security/validator/SimpleValidator.java
浏览文件 @
8587eb8d
/*
* Copyright (c) 2002, 201
5
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 201
7
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -34,6 +34,7 @@ import java.security.cert.*;
import
javax.security.auth.x500.X500Principal
;
import
sun.security.x509.X509CertImpl
;
import
sun.security.x509.KeyIdentifier
;
import
sun.security.x509.NetscapeCertTypeExtension
;
import
sun.security.util.DerValue
;
import
sun.security.util.DerInputStream
;
...
...
@@ -153,12 +154,14 @@ public final class SimpleValidator extends Validator {
// create default algorithm constraints checker
TrustAnchor
anchor
=
new
TrustAnchor
(
anchorCert
,
null
);
AlgorithmChecker
defaultAlgChecker
=
new
AlgorithmChecker
(
anchor
);
AlgorithmChecker
defaultAlgChecker
=
new
AlgorithmChecker
(
anchor
,
variant
);
// create application level algorithm constraints checker
AlgorithmChecker
appAlgChecker
=
null
;
if
(
constraints
!=
null
)
{
appAlgChecker
=
new
AlgorithmChecker
(
anchor
,
constraints
);
appAlgChecker
=
new
AlgorithmChecker
(
anchor
,
constraints
,
null
,
null
,
variant
);
}
// verify top down, starting at the certificate issued by
...
...
src/share/classes/sun/security/x509/PKIXExtensions.java
浏览文件 @
8587eb8d
/*
* Copyright (c) 1997, 20
09
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 20
17
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
...
...
@@ -49,34 +49,39 @@ import sun.security.util.*;
*/
public
class
PKIXExtensions
{
// The object identifiers
private
static
final
int
AuthorityKey_data
[]
=
{
2
,
5
,
29
,
35
};
private
static
final
int
SubjectKey_data
[]
=
{
2
,
5
,
29
,
14
};
private
static
final
int
KeyUsage_data
[]
=
{
2
,
5
,
29
,
15
};
private
static
final
int
PrivateKeyUsage_data
[]
=
{
2
,
5
,
29
,
16
};
private
static
final
int
CertificatePolicies_data
[]
=
{
2
,
5
,
29
,
32
};
private
static
final
int
PolicyMappings_data
[]
=
{
2
,
5
,
29
,
33
};
private
static
final
int
SubjectAlternativeName_data
[]
=
{
2
,
5
,
29
,
17
};
private
static
final
int
IssuerAlternativeName_data
[]
=
{
2
,
5
,
29
,
18
};
private
static
final
int
SubjectDirectoryAttributes_data
[]
=
{
2
,
5
,
29
,
9
};
private
static
final
int
BasicConstraints_data
[]
=
{
2
,
5
,
29
,
19
};
private
static
final
int
NameConstraints_data
[]
=
{
2
,
5
,
29
,
30
};
private
static
final
int
PolicyConstraints_data
[]
=
{
2
,
5
,
29
,
36
};
private
static
final
int
CRLDistributionPoints_data
[]
=
{
2
,
5
,
29
,
31
};
private
static
final
int
CRLNumber_data
[]
=
{
2
,
5
,
29
,
20
};
private
static
final
int
IssuingDistributionPoint_data
[]
=
{
2
,
5
,
29
,
28
};
private
static
final
int
DeltaCRLIndicator_data
[]
=
{
2
,
5
,
29
,
27
};
private
static
final
int
ReasonCode_data
[]
=
{
2
,
5
,
29
,
21
};
private
static
final
int
HoldInstructionCode_data
[]
=
{
2
,
5
,
29
,
23
};
private
static
final
int
InvalidityDate_data
[]
=
{
2
,
5
,
29
,
24
};
private
static
final
int
ExtendedKeyUsage_data
[]
=
{
2
,
5
,
29
,
37
};
private
static
final
int
InhibitAnyPolicy_data
[]
=
{
2
,
5
,
29
,
54
};
private
static
final
int
CertificateIssuer_data
[]
=
{
2
,
5
,
29
,
29
};
private
static
final
int
AuthInfoAccess_data
[]
=
{
1
,
3
,
6
,
1
,
5
,
5
,
7
,
1
,
1
};
private
static
final
int
SubjectInfoAccess_data
[]
=
{
1
,
3
,
6
,
1
,
5
,
5
,
7
,
1
,
11
};
private
static
final
int
FreshestCRL_data
[]
=
{
2
,
5
,
29
,
46
};
private
static
final
int
OCSPNoCheck_data
[]
=
{
1
,
3
,
6
,
1
,
5
,
5
,
7
,
private
static
final
int
[]
AuthorityKey_data
=
{
2
,
5
,
29
,
35
};
private
static
final
int
[]
SubjectKey_data
=
{
2
,
5
,
29
,
14
};
private
static
final
int
[]
KeyUsage_data
=
{
2
,
5
,
29
,
15
};
private
static
final
int
[]
PrivateKeyUsage_data
=
{
2
,
5
,
29
,
16
};
private
static
final
int
[]
CertificatePolicies_data
=
{
2
,
5
,
29
,
32
};
private
static
final
int
[]
PolicyMappings_data
=
{
2
,
5
,
29
,
33
};
private
static
final
int
[]
SubjectAlternativeName_data
=
{
2
,
5
,
29
,
17
};
private
static
final
int
[]
IssuerAlternativeName_data
=
{
2
,
5
,
29
,
18
};
private
static
final
int
[]
SubjectDirectoryAttributes_data
=
{
2
,
5
,
29
,
9
};
private
static
final
int
[]
BasicConstraints_data
=
{
2
,
5
,
29
,
19
};
private
static
final
int
[]
NameConstraints_data
=
{
2
,
5
,
29
,
30
};
private
static
final
int
[]
PolicyConstraints_data
=
{
2
,
5
,
29
,
36
};
private
static
final
int
[]
CRLDistributionPoints_data
=
{
2
,
5
,
29
,
31
};
private
static
final
int
[]
CRLNumber_data
=
{
2
,
5
,
29
,
20
};
private
static
final
int
[]
IssuingDistributionPoint_data
=
{
2
,
5
,
29
,
28
};
private
static
final
int
[]
DeltaCRLIndicator_data
=
{
2
,
5
,
29
,
27
};
private
static
final
int
[]
ReasonCode_data
=
{
2
,
5
,
29
,
21
};
private
static
final
int
[]
HoldInstructionCode_data
=
{
2
,
5
,
29
,
23
};
private
static
final
int
[]
InvalidityDate_data
=
{
2
,
5
,
29
,
24
};
private
static
final
int
[]
ExtendedKeyUsage_data
=
{
2
,
5
,
29
,
37
};
private
static
final
int
[]
InhibitAnyPolicy_data
=
{
2
,
5
,
29
,
54
};
private
static
final
int
[]
CertificateIssuer_data
=
{
2
,
5
,
29
,
29
};
private
static
final
int
[]
AuthInfoAccess_data
=
{
1
,
3
,
6
,
1
,
5
,
5
,
7
,
1
,
1
};
private
static
final
int
[]
SubjectInfoAccess_data
=
{
1
,
3
,
6
,
1
,
5
,
5
,
7
,
1
,
11
};
private
static
final
int
[]
FreshestCRL_data
=
{
2
,
5
,
29
,
46
};
private
static
final
int
[]
OCSPNoCheck_data
=
{
1
,
3
,
6
,
1
,
5
,
5
,
7
,
48
,
1
,
5
};
// Additional extensions under the PKIX arc that are not necessarily
// used in X.509 Certificates or CRLs.
private
static
final
int
[]
OCSPNonce_data
=
{
1
,
3
,
6
,
1
,
5
,
5
,
7
,
48
,
1
,
2
};
/**
* Identifies the particular public key used to sign the certificate.
*/
...
...
@@ -104,18 +109,20 @@ public class PKIXExtensions {
public
static
final
ObjectIdentifier
CertificatePolicies_Id
;
/**
* Lists pairs of object
identifiers of policies considered equivalent by the
* issuing CA to the subject CA.
* Lists pairs of object
identifiers of policies considered equivalent by
*
the
issuing CA to the subject CA.
*/
public
static
final
ObjectIdentifier
PolicyMappings_Id
;
/**
* Allows additional identities to be bound to the subject of the certificate.
* Allows additional identities to be bound to the subject of the
* certificate.
*/
public
static
final
ObjectIdentifier
SubjectAlternativeName_Id
;
/**
* Allows additional identities to be associated with the certificate issuer.
* Allows additional identities to be associated with the certificate
* issuer.
*/
public
static
final
ObjectIdentifier
IssuerAlternativeName_Id
;
...
...
@@ -224,6 +231,12 @@ public class PKIXExtensions {
*/
public
static
final
ObjectIdentifier
OCSPNoCheck_Id
;
/**
* This extension is used to provide nonce data for OCSP requests
* or responses.
*/
public
static
final
ObjectIdentifier
OCSPNonce_Id
;
static
{
AuthorityKey_Id
=
ObjectIdentifier
.
newInternal
(
AuthorityKey_data
);
SubjectKey_Id
=
ObjectIdentifier
.
newInternal
(
SubjectKey_data
);
...
...
@@ -266,5 +279,6 @@ public class PKIXExtensions {
ObjectIdentifier
.
newInternal
(
SubjectInfoAccess_data
);
FreshestCRL_Id
=
ObjectIdentifier
.
newInternal
(
FreshestCRL_data
);
OCSPNoCheck_Id
=
ObjectIdentifier
.
newInternal
(
OCSPNoCheck_data
);
OCSPNonce_Id
=
ObjectIdentifier
.
newInternal
(
OCSPNonce_data
);
}
}
src/share/lib/security/java.security-aix
浏览文件 @
8587eb8d
...
...
@@ -426,9 +426,7 @@ krb5.kdc.bad.policy = tryLast
# describes the mechanism for disabling algorithms based on algorithm name
# and/or key length. This includes algorithms used in certificates, as well
# as revocation information such as CRLs and signed OCSP Responses.
#
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
# The syntax of the disabled algorithm string is described as follows:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
...
...
@@ -439,25 +437,26 @@ krb5.kdc.bad.policy = tryLast
# (see below)
#
# Constraint:
# KeySizeConstraint, CertConstraint
# KeySizeConstraint | CAConstraint | DenyAfterConstraint |
# UsageConstraint
#
# KeySizeConstraint:
# keySize Operator
DecimalInteger
# keySize Operator
KeyLength
#
# Operator:
# <= | < | == | != | >= | >
#
#
DecimalInteger
:
#
DecimalDig
its
#
KeyLength
:
#
Integer value of the algorithm's key length in b
its
#
#
DecimalDigits
:
#
DecimalDigit {DecimalDigit}
#
CAConstraint
:
#
jdkCA
#
# De
cimalDigit: one of
#
1 2 3 4 5 6 7 8 9 0
# De
nyAfterConstraint:
#
denyAfter YYYY-MM-DD
#
#
CertConstraint
#
jdkCA
#
UsageConstraint:
#
usage [TLSServer] [TLSClient] [SignedJAR]
#
# The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
...
...
@@ -471,27 +470,55 @@ krb5.kdc.bad.policy = tryLast
# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
# will not disable algorithms related to "ECDSA".
#
# A "Constraint" provides further guidance for the algorithm being specified.
# The "KeySizeConstraint" requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
# key size specified in number of bits. For example, "RSA keySize <= 1024"
# indicates that any RSA key with key size less than or equal to 1024 bits
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
# that any RSA key with key size less than 1024 or greater than 2048 should
# be disabled. Note that the "KeySizeConstraint" only makes sense to key
# algorithms.
#
# "CertConstraint" specifies additional constraints for
# certificates that contain algorithms that are restricted:
#
# "jdkCA" prohibits the specified algorithm only if the algorithm is used
# in a certificate chain that terminates at a marked trust anchor in the
# lib/security/cacerts keystore. All other chains are not affected.
# If the jdkCA constraint is not set, then all chains using the
# specified algorithm are restricted. jdkCA may only be used once in
# a DisabledAlgorithm expression.
# Example: To apply this constraint to SHA-1 certificates, include
# the following "SHA1 jdkCA"
# A "Constraint" defines restrictions on the keys and/or certificates for
# a specified AlgorithmName:
#
# KeySizeConstraint:
# keySize Operator KeyLength
# The constraint requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "KeyLength" indicates
# the key size specified in number of bits. For example,
# "RSA keySize <= 1024" indicates that any RSA key with key size less
# than or equal to 1024 bits should be disabled, and
# "RSA keySize < 1024, RSA keySize > 2048" indicates that any RSA key
# with key size less than 1024 or greater than 2048 should be disabled.
# This constraint is only used on algorithms that have a key size.
#
# CAConstraint:
# jdkCA
# This constraint prohibits the specified algorithm only if the
# algorithm is used in a certificate chain that terminates at a marked
# trust anchor in the lib/security/cacerts keystore. If the jdkCA
# constraint is not set, then all chains using the specified algorithm
# are restricted. jdkCA may only be used once in a DisabledAlgorithm
# expression.
# Example: To apply this constraint to SHA-1 certificates, include
# the following: "SHA1 jdkCA"
#
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
# This constraint prohibits a certificate with the specified algorithm
# from being used after the date regardless of the certificate's
# validity. JAR files that are signed and timestamped before the
# constraint date with certificates containing the disabled algorithm
# will not be restricted. The date is processed in the UTC timezone.
# This constraint can only be used once in a DisabledAlgorithm
# expression.
# Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
# use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
#
# UsageConstraint:
# usage [TLSServer] [TLSClient] [SignedJAR]
# This constraint prohibits the specified algorithm for
# a specified usage. This should be used when disabling an algorithm
# for all usages is not practical. 'TLSServer' restricts the algorithm
# in TLS server certificate chains when server authentication is
# performed. 'TLSClient' restricts the algorithm in TLS client
# certificate chains when client authentication is performed.
# 'SignedJAR' constrains use of certificates in signed jar files.
# The usage type follows the keyword and more than one usage type can
# be specified with a whitespace delimiter.
# Example: "SHA1 usage TLSServer TLSClient"
#
# When an algorithm must satisfy more than one constraint, it must be
# delimited by an ampersand '&'. For example, to restrict certificates in a
...
...
@@ -504,6 +531,9 @@ krb5.kdc.bad.policy = tryLast
# before larger keysize constraints of the same algorithm. For example:
# "RSA keySize < 1024 & jdkCA, RSA keySize < 2048".
#
# Note: The algorithm restrictions do not apply to trust anchors or
# self-signed certificates.
#
# Note: This property is currently used by Oracle's PKIX implementation. It
# is not guaranteed to be examined and used by other implementations.
#
...
...
@@ -511,9 +541,10 @@ krb5.kdc.bad.policy = tryLast
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5,
RSA keySize < 1024
, \
DSA keySize < 1024, EC keySize < 224
jdk.certpath.disabledAlgorithms=MD2, MD5,
SHA1 jdkCA & usage TLSServer
, \
RSA keySize < 1024,
DSA keySize < 1024, EC keySize < 224
#
# Algorithm restrictions for signed JAR files
#
# In some environments, certain algorithms or key lengths may be undesirable
...
...
@@ -528,17 +559,20 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
# DisabledAlgorithm:
# AlgorithmName [Constraint]
# AlgorithmName [Constraint]
{ '&' Constraint }
#
# AlgorithmName:
# (see below)
#
# Constraint:
# KeySizeConstraint
# KeySizeConstraint
| DenyAfterConstraint
#
# KeySizeConstraint:
# keySize Operator KeyLength
#
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
#
# Operator:
# <= | < | == | != | >= | >
#
...
...
@@ -549,8 +583,11 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# implementation. It is not guaranteed to be examined and used by other
# implementations.
#
# See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
#
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
#
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
#
...
...
@@ -572,6 +609,9 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
# See the specification of "jdk.certpath.disabledAlgorithms" for the
# syntax of the disabled algorithm string.
#
# Note: The algorithm restrictions do not apply to trust anchors or
# self-signed certificates.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
...
...
src/share/lib/security/java.security-linux
浏览文件 @
8587eb8d
...
...
@@ -426,9 +426,7 @@ krb5.kdc.bad.policy = tryLast
# describes the mechanism for disabling algorithms based on algorithm name
# and/or key length. This includes algorithms used in certificates, as well
# as revocation information such as CRLs and signed OCSP Responses.
#
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
# The syntax of the disabled algorithm string is described as follows:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
...
...
@@ -439,25 +437,26 @@ krb5.kdc.bad.policy = tryLast
# (see below)
#
# Constraint:
# KeySizeConstraint, CertConstraint
# KeySizeConstraint | CAConstraint | DenyAfterConstraint |
# UsageConstraint
#
# KeySizeConstraint:
# keySize Operator
DecimalInteger
# keySize Operator
KeyLength
#
# Operator:
# <= | < | == | != | >= | >
#
#
DecimalInteger
:
#
DecimalDig
its
#
KeyLength
:
#
Integer value of the algorithm's key length in b
its
#
#
DecimalDigits
:
#
DecimalDigit {DecimalDigit}
#
CAConstraint
:
#
jdkCA
#
# De
cimalDigit: one of
#
1 2 3 4 5 6 7 8 9 0
# De
nyAfterConstraint:
#
denyAfter YYYY-MM-DD
#
#
CertConstraint
#
jdkCA
#
UsageConstraint:
#
usage [TLSServer] [TLSClient] [SignedJAR]
#
# The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
...
...
@@ -471,27 +470,55 @@ krb5.kdc.bad.policy = tryLast
# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
# will not disable algorithms related to "ECDSA".
#
# A "Constraint" provides further guidance for the algorithm being specified.
# The "KeySizeConstraint" requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
# key size specified in number of bits. For example, "RSA keySize <= 1024"
# indicates that any RSA key with key size less than or equal to 1024 bits
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
# that any RSA key with key size less than 1024 or greater than 2048 should
# be disabled. Note that the "KeySizeConstraint" only makes sense to key
# algorithms.
#
# "CertConstraint" specifies additional constraints for
# certificates that contain algorithms that are restricted:
#
# "jdkCA" prohibits the specified algorithm only if the algorithm is used
# in a certificate chain that terminates at a marked trust anchor in the
# lib/security/cacerts keystore. All other chains are not affected.
# If the jdkCA constraint is not set, then all chains using the
# specified algorithm are restricted. jdkCA may only be used once in
# a DisabledAlgorithm expression.
# Example: To apply this constraint to SHA-1 certificates, include
# the following: "SHA1 jdkCA"
# A "Constraint" defines restrictions on the keys and/or certificates for
# a specified AlgorithmName:
#
# KeySizeConstraint:
# keySize Operator KeyLength
# The constraint requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "KeyLength" indicates
# the key size specified in number of bits. For example,
# "RSA keySize <= 1024" indicates that any RSA key with key size less
# than or equal to 1024 bits should be disabled, and
# "RSA keySize < 1024, RSA keySize > 2048" indicates that any RSA key
# with key size less than 1024 or greater than 2048 should be disabled.
# This constraint is only used on algorithms that have a key size.
#
# CAConstraint:
# jdkCA
# This constraint prohibits the specified algorithm only if the
# algorithm is used in a certificate chain that terminates at a marked
# trust anchor in the lib/security/cacerts keystore. If the jdkCA
# constraint is not set, then all chains using the specified algorithm
# are restricted. jdkCA may only be used once in a DisabledAlgorithm
# expression.
# Example: To apply this constraint to SHA-1 certificates, include
# the following: "SHA1 jdkCA"
#
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
# This constraint prohibits a certificate with the specified algorithm
# from being used after the date regardless of the certificate's
# validity. JAR files that are signed and timestamped before the
# constraint date with certificates containing the disabled algorithm
# will not be restricted. The date is processed in the UTC timezone.
# This constraint can only be used once in a DisabledAlgorithm
# expression.
# Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
# use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
#
# UsageConstraint:
# usage [TLSServer] [TLSClient] [SignedJAR]
# This constraint prohibits the specified algorithm for
# a specified usage. This should be used when disabling an algorithm
# for all usages is not practical. 'TLSServer' restricts the algorithm
# in TLS server certificate chains when server authentication is
# performed. 'TLSClient' restricts the algorithm in TLS client
# certificate chains when client authentication is performed.
# 'SignedJAR' constrains use of certificates in signed jar files.
# The usage type follows the keyword and more than one usage type can
# be specified with a whitespace delimiter.
# Example: "SHA1 usage TLSServer TLSClient"
#
# When an algorithm must satisfy more than one constraint, it must be
# delimited by an ampersand '&'. For example, to restrict certificates in a
...
...
@@ -504,6 +531,9 @@ krb5.kdc.bad.policy = tryLast
# before larger keysize constraints of the same algorithm. For example:
# "RSA keySize < 1024 & jdkCA, RSA keySize < 2048".
#
# Note: The algorithm restrictions do not apply to trust anchors or
# self-signed certificates.
#
# Note: This property is currently used by Oracle's PKIX implementation. It
# is not guaranteed to be examined and used by other implementations.
#
...
...
@@ -511,9 +541,10 @@ krb5.kdc.bad.policy = tryLast
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5,
RSA keySize < 1024
, \
DSA keySize < 1024, EC keySize < 224
jdk.certpath.disabledAlgorithms=MD2, MD5,
SHA1 jdkCA & usage TLSServer
, \
RSA keySize < 1024,
DSA keySize < 1024, EC keySize < 224
#
# Algorithm restrictions for signed JAR files
#
# In some environments, certain algorithms or key lengths may be undesirable
...
...
@@ -528,17 +559,20 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
# DisabledAlgorithm:
# AlgorithmName [Constraint]
# AlgorithmName [Constraint]
{ '&' Constraint }
#
# AlgorithmName:
# (see below)
#
# Constraint:
# KeySizeConstraint
# KeySizeConstraint
| DenyAfterConstraint
#
# KeySizeConstraint:
# keySize Operator KeyLength
#
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
#
# Operator:
# <= | < | == | != | >= | >
#
...
...
@@ -549,8 +583,11 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# implementation. It is not guaranteed to be examined and used by other
# implementations.
#
# See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
#
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
#
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
#
...
...
@@ -572,6 +609,9 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
# See the specification of "jdk.certpath.disabledAlgorithms" for the
# syntax of the disabled algorithm string.
#
# Note: The algorithm restrictions do not apply to trust anchors or
# self-signed certificates.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
...
...
src/share/lib/security/java.security-macosx
浏览文件 @
8587eb8d
...
...
@@ -429,9 +429,7 @@ krb5.kdc.bad.policy = tryLast
# describes the mechanism for disabling algorithms based on algorithm name
# and/or key length. This includes algorithms used in certificates, as well
# as revocation information such as CRLs and signed OCSP Responses.
#
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
# The syntax of the disabled algorithm string is described as follows:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
...
...
@@ -442,25 +440,26 @@ krb5.kdc.bad.policy = tryLast
# (see below)
#
# Constraint:
# KeySizeConstraint, CertConstraint
# KeySizeConstraint | CAConstraint | DenyAfterConstraint |
# UsageConstraint
#
# KeySizeConstraint:
# keySize Operator
DecimalInteger
# keySize Operator
KeyLength
#
# Operator:
# <= | < | == | != | >= | >
#
#
DecimalInteger
:
#
DecimalDig
its
#
KeyLength
:
#
Integer value of the algorithm's key length in b
its
#
#
DecimalDigits
:
#
DecimalDigit {DecimalDigit}
#
CAConstraint
:
#
jdkCA
#
# De
cimalDigit: one of
#
1 2 3 4 5 6 7 8 9 0
# De
nyAfterConstraint:
#
denyAfter YYYY-MM-DD
#
#
CertConstraint
#
jdkCA
#
UsageConstraint:
#
usage [TLSServer] [TLSClient] [SignedJAR]
#
# The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
...
...
@@ -474,27 +473,55 @@ krb5.kdc.bad.policy = tryLast
# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
# will not disable algorithms related to "ECDSA".
#
# A "Constraint" provides further guidance for the algorithm being specified.
# The "KeySizeConstraint" requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
# key size specified in number of bits. For example, "RSA keySize <= 1024"
# indicates that any RSA key with key size less than or equal to 1024 bits
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
# that any RSA key with key size less than 1024 or greater than 2048 should
# be disabled. Note that the "KeySizeConstraint" only makes sense to key
# algorithms.
#
# "CertConstraint" specifies additional constraints for
# certificates that contain algorithms that are restricted:
#
# "jdkCA" prohibits the specified algorithm only if the algorithm is used
# in a certificate chain that terminates at a marked trust anchor in the
# lib/security/cacerts keystore. All other chains are not affected.
# If the jdkCA constraint is not set, then all chains using the
# specified algorithm are restricted. jdkCA may only be used once in
# a DisabledAlgorithm expression.
# Example: To apply this constraint to SHA-1 certificates, include
# the following: "SHA1 jdkCA"
# A "Constraint" defines restrictions on the keys and/or certificates for
# a specified AlgorithmName:
#
# KeySizeConstraint:
# keySize Operator KeyLength
# The constraint requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "KeyLength" indicates
# the key size specified in number of bits. For example,
# "RSA keySize <= 1024" indicates that any RSA key with key size less
# than or equal to 1024 bits should be disabled, and
# "RSA keySize < 1024, RSA keySize > 2048" indicates that any RSA key
# with key size less than 1024 or greater than 2048 should be disabled.
# This constraint is only used on algorithms that have a key size.
#
# CAConstraint:
# jdkCA
# This constraint prohibits the specified algorithm only if the
# algorithm is used in a certificate chain that terminates at a marked
# trust anchor in the lib/security/cacerts keystore. If the jdkCA
# constraint is not set, then all chains using the specified algorithm
# are restricted. jdkCA may only be used once in a DisabledAlgorithm
# expression.
# Example: To apply this constraint to SHA-1 certificates, include
# the following: "SHA1 jdkCA"
#
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
# This constraint prohibits a certificate with the specified algorithm
# from being used after the date regardless of the certificate's
# validity. JAR files that are signed and timestamped before the
# constraint date with certificates containing the disabled algorithm
# will not be restricted. The date is processed in the UTC timezone.
# This constraint can only be used once in a DisabledAlgorithm
# expression.
# Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
# use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
#
# UsageConstraint:
# usage [TLSServer] [TLSClient] [SignedJAR]
# This constraint prohibits the specified algorithm for
# a specified usage. This should be used when disabling an algorithm
# for all usages is not practical. 'TLSServer' restricts the algorithm
# in TLS server certificate chains when server authentication is
# performed. 'TLSClient' restricts the algorithm in TLS client
# certificate chains when client authentication is performed.
# 'SignedJAR' constrains use of certificates in signed jar files.
# The usage type follows the keyword and more than one usage type can
# be specified with a whitespace delimiter.
# Example: "SHA1 usage TLSServer TLSClient"
#
# When an algorithm must satisfy more than one constraint, it must be
# delimited by an ampersand '&'. For example, to restrict certificates in a
...
...
@@ -507,6 +534,9 @@ krb5.kdc.bad.policy = tryLast
# before larger keysize constraints of the same algorithm. For example:
# "RSA keySize < 1024 & jdkCA, RSA keySize < 2048".
#
# Note: The algorithm restrictions do not apply to trust anchors or
# self-signed certificates.
#
# Note: This property is currently used by Oracle's PKIX implementation. It
# is not guaranteed to be examined and used by other implementations.
#
...
...
@@ -514,9 +544,10 @@ krb5.kdc.bad.policy = tryLast
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5,
RSA keySize < 1024
, \
DSA keySize < 1024, EC keySize < 224
jdk.certpath.disabledAlgorithms=MD2, MD5,
SHA1 jdkCA & usage TLSServer
, \
RSA keySize < 1024,
DSA keySize < 1024, EC keySize < 224
#
# Algorithm restrictions for signed JAR files
#
# In some environments, certain algorithms or key lengths may be undesirable
...
...
@@ -531,17 +562,20 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
# DisabledAlgorithm:
# AlgorithmName [Constraint]
# AlgorithmName [Constraint]
{ '&' Constraint }
#
# AlgorithmName:
# (see below)
#
# Constraint:
# KeySizeConstraint
# KeySizeConstraint
| DenyAfterConstraint
#
# KeySizeConstraint:
# keySize Operator KeyLength
#
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
#
# Operator:
# <= | < | == | != | >= | >
#
...
...
@@ -552,8 +586,11 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# implementation. It is not guaranteed to be examined and used by other
# implementations.
#
# See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
#
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
#
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
#
...
...
@@ -575,6 +612,9 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
# See the specification of "jdk.certpath.disabledAlgorithms" for the
# syntax of the disabled algorithm string.
#
# Note: The algorithm restrictions do not apply to trust anchors or
# self-signed certificates.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
...
...
src/share/lib/security/java.security-solaris
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
src/share/lib/security/java.security-windows
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
src/share/native/sun/awt/libpng/CHANGES
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
src/share/native/sun/awt/libpng/LICENSE
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
src/share/native/sun/awt/libpng/README
浏览文件 @
8587eb8d
README for libpng version 1.6.2
0 - December 3, 2015
(shared library 16.0)
README for libpng version 1.6.2
8 - January 5, 2017
(shared library 16.0)
See the note about version numbers near the top of png.h
See INSTALL for instructions on how to install libpng.
...
...
@@ -180,15 +180,18 @@ Files in this distribution:
pngwutil.c => Write utility functions
arm => Contains optimized code for the ARM platform
contrib => Contributions
arm-neon => Optimized code for ARM-NEON platform
examples => Example programs
gregbook => source code for PNG reading and writing, from
Greg Roelofs' "PNG: The Definitive Guide",
O'Reilly, 1999
intel => Optimized code for INTEL-SSE2 platform
libtests => Test programs
pngminim => Minimal decoder, encoder, and progressive decoder
programs demonstrating use of pngusr.dfa
pngminus => Simple pnm2png and png2pnm programs
pngsuite => Test images
testpngs
tools => Various tools
visupng => Contains a MSVC workspace for VisualPng
projects => Contains project files and workspaces for
...
...
src/share/native/sun/awt/libpng/png.c
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
src/share/native/sun/awt/libpng/png.h
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
src/share/native/sun/awt/libpng/pngconf.h
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
src/share/native/sun/awt/libpng/pngdebug.h
浏览文件 @
8587eb8d
...
...
@@ -30,7 +30,7 @@
* file and, per its terms, should not be removed:
*
* Last changed in libpng 1.6.8 [December 19, 2013]
* Copyright (c) 1998-2013 Glenn Randers-Pehrson
* Copyright (c) 1998-20
02,2004,2006-20
13 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
*
...
...
src/share/native/sun/awt/libpng/pngerror.c
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
src/share/native/sun/awt/libpng/pngget.c
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
src/share/native/sun/awt/libpng/pnginfo.h
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
src/share/native/sun/awt/libpng/pnglibconf.h
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
src/share/native/sun/awt/libpng/pngmem.c
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
src/share/native/sun/awt/libpng/pngpread.c
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
src/share/native/sun/awt/libpng/pngpriv.h
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
src/share/native/sun/awt/libpng/pngread.c
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
src/share/native/sun/awt/libpng/pngrio.c
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
src/share/native/sun/awt/libpng/pngrtran.c
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
src/share/native/sun/awt/libpng/pngrutil.c
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
src/share/native/sun/awt/libpng/pngset.c
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
src/share/native/sun/awt/libpng/pngstruct.h
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
src/share/native/sun/awt/libpng/pngtest.c
已删除
100644 → 0
浏览文件 @
74ef472b
此差异已折叠。
点击以展开。
src/share/native/sun/awt/libpng/pngtrans.c
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
src/share/native/sun/awt/libpng/pngwio.c
已删除
100644 → 0
浏览文件 @
74ef472b
此差异已折叠。
点击以展开。
src/share/native/sun/awt/libpng/pngwrite.c
已删除
100644 → 0
浏览文件 @
74ef472b
此差异已折叠。
点击以展开。
src/share/native/sun/awt/libpng/pngwtran.c
已删除
100644 → 0
浏览文件 @
74ef472b
此差异已折叠。
点击以展开。
src/share/native/sun/awt/libpng/pngwutil.c
已删除
100644 → 0
浏览文件 @
74ef472b
此差异已折叠。
点击以展开。
test/ProblemList.txt
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
test/java/lang/reflect/Proxy/ProxyRace.java
0 → 100644
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
test/javax/net/ssl/ServerName/BestEffortOnLazyConnected.java
0 → 100644
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
test/sun/management/LazyCompositeDataTest.java
0 → 100644
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
test/sun/net/www/protocol/https/HttpsURLConnection/ImpactOnSNI.java
0 → 100644
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
test/sun/security/tools/jarsigner/TimestampCheck.java
浏览文件 @
8587eb8d
此差异已折叠。
点击以展开。
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录