Skip to content

D
dragonwell8_jdk

openanolis / dragonwell8_jdk

通知 4
Star 2
Fork 0
D
dragonwell8_jdk
提交 8587eb8d 编写于 作者: A asaha
浏览文件
操作

Merge

上级 74ef472b 741c2a11
展开全部 显示空白变更内容
内联 并排
Showing with 5565 addition and 9909 deletion
.hgtags
浏览文件 @ 8587eb8d
......@@ -707,3 +707,6 @@ e95a13de2d36050302a1af422967f5260fc8eabd jdk8u141-b01
e5e3c33f57367b2b23d5e05a77b41948e9d4a1b9 jdk8u141-b04
b3e7354e6ae8567294ae664bf4a1a38a6c0bde9f jdk8u141-b05
c49f918efc4e6e2b8a1e771dba0c8de8d636660c jdk8u141-b06
9fd2a2019a5b7f35957c43c83eb00e1ae371a95e jdk8u141-b07
64261149b033dd6f625ccf7b4aaf7452baec82ef jdk8u141-b08
276269460238f84410a70ffe735db9cf78651b8f jdk8u141-b09
src/macosx/classes/sun/lwawt/macosx/CPlatformWindow.java
浏览文件 @ 8587eb8d
......@@ -252,13 +252,18 @@ public class CPlatformWindow extends CFRetainedResource implements PlatformWindo
}
AtomicLong ref = new AtomicLong();
contentView.execute(viewPtr -> {
boolean hasOwnerPtr = false;
if (owner != null) {
owner.execute(ownerPtr -> {
hasOwnerPtr = 0L != owner.executeGet(ownerPtr -> {
ref.set(nativeCreateNSWindow(viewPtr, ownerPtr, styleBits,
bounds.x, bounds.y,
bounds.width, bounds.height));
return 1;
});
} else {
}
if (!hasOwnerPtr) {
ref.set(nativeCreateNSWindow(viewPtr, 0,
styleBits, bounds.x, bounds.y,
bounds.width, bounds.height));
......
src/share/classes/java/lang/reflect/WeakCache.java
浏览文件 @ 8587eb8d
......@@ -239,11 +239,11 @@ final class WeakCache<K, P, V> {
// wrap value with CacheValue (WeakReference)
CacheValue<V> cacheValue = new CacheValue<>(value);
// try replacing us with CacheValue (this should always succeed)
if (valuesMap.replace(subKey, this, cacheValue)) {
// put also in reverseMap
// put into reverseMap
reverseMap.put(cacheValue, Boolean.TRUE);
} else {
// try replacing us with CacheValue (this should always succeed)
if (!valuesMap.replace(subKey, this, cacheValue)) {
throw new AssertionError("Should not reach here");
}
......
src/share/classes/java/nio/Bits.java
浏览文件 @ 8587eb8d
/*
* Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -614,7 +614,8 @@ class Bits { // package-private
String arch = AccessController.doPrivileged(
new sun.security.action.GetPropertyAction("os.arch"));
unaligned = arch.equals("i386") || arch.equals("x86")
|| arch.equals("amd64") || arch.equals("x86_64");
|| arch.equals("amd64") || arch.equals("x86_64")
|| arch.equals("ppc64") || arch.equals("ppc64le");
unalignedKnown = true;
return unaligned;
}
......
src/share/classes/sun/management/LazyCompositeData.java
浏览文件 @ 8587eb8d
......@@ -27,6 +27,7 @@ package sun.management;
import java.io.Serializable;
import java.util.*;
import javax.management.openmbean.ArrayType;
import javax.management.openmbean.CompositeData;
import javax.management.openmbean.CompositeType;
import javax.management.openmbean.OpenType;
......@@ -48,39 +49,48 @@ public abstract class LazyCompositeData
private CompositeData compositeData;
// Implementation of the CompositeData interface
@Override
public boolean containsKey(String key) {
return compositeData().containsKey(key);
}
@Override
public boolean containsValue(Object value) {
return compositeData().containsValue(value);
}
@Override
public boolean equals(Object obj) {
return compositeData().equals(obj);
}
@Override
public Object get(String key) {
return compositeData().get(key);
}
@Override
public Object[] getAll(String[] keys) {
return compositeData().getAll(keys);
}
@Override
public CompositeType getCompositeType() {
return compositeData().getCompositeType();
}
@Override
public int hashCode() {
return compositeData().hashCode();
}
@Override
public String toString() {
/** FIXME: What should this be?? */
return compositeData().toString();
}
@Override
public Collection<?> values() {
return compositeData().values();
}
......@@ -126,27 +136,31 @@ public abstract class LazyCompositeData
if (cd == null)
throw new IllegalArgumentException("Null CompositeData");
return ((Boolean) cd.get(itemName)).booleanValue();
return ((Boolean) cd.get(itemName));
}
static long getLong(CompositeData cd, String itemName) {
if (cd == null)
throw new IllegalArgumentException("Null CompositeData");
return ((Long) cd.get(itemName)).longValue();
return ((Long) cd.get(itemName));
}
static int getInt(CompositeData cd, String itemName) {
if (cd == null)
throw new IllegalArgumentException("Null CompositeData");
return ((Integer) cd.get(itemName)).intValue();
return ((Integer) cd.get(itemName));
}
/**
* Compares two CompositeTypes and returns true if
* all items in type1 exist in type2 and their item types
* are the same.
* @param type1 the base composite type
* @param type2 the checked composite type
* @return {@code true} if all items in type1 exist in type2 and their item
* types are the same.
*/
protected static boolean isTypeMatched(CompositeType type1, CompositeType type2) {
if (type1 == type2) return true;
......@@ -159,9 +173,38 @@ public abstract class LazyCompositeData
if (!type2.keySet().containsAll(allItems))
return false;
for (String item: allItems) {
OpenType<?> ot1 = type1.getType(item);
OpenType<?> ot2 = type2.getType(item);
return allItems.stream().allMatch(
item -> isTypeMatched(type1.getType(item), type2.getType(item))
);
}
protected static boolean isTypeMatched(TabularType type1, TabularType type2) {
if (type1 == type2) return true;
List<String> list1 = type1.getIndexNames();
List<String> list2 = type2.getIndexNames();
// check if the list of index names are the same
if (!list1.equals(list2))
return false;
return isTypeMatched(type1.getRowType(), type2.getRowType());
}
protected static boolean isTypeMatched(ArrayType<?> type1, ArrayType<?> type2) {
if (type1 == type2) return true;
int dim1 = type1.getDimension();
int dim2 = type2.getDimension();
// check if the array dimensions are the same
if (dim1 != dim2)
return false;
return isTypeMatched(type1.getElementOpenType(), type2.getElementOpenType());
}
private static boolean isTypeMatched(OpenType<?> ot1, OpenType<?> ot2) {
if (ot1 instanceof CompositeType) {
if (! (ot2 instanceof CompositeType))
return false;
......@@ -172,25 +215,17 @@ public abstract class LazyCompositeData
return false;
if (!isTypeMatched((TabularType) ot1, (TabularType) ot2))
return false;
} else if (!ot1.equals(ot2)) {
} else if (ot1 instanceof ArrayType) {
if (! (ot2 instanceof ArrayType))
return false;
if (!isTypeMatched((ArrayType<?>) ot1, (ArrayType<?>) ot2)) {
return false;
}
} else if (!ot1.equals(ot2)) {
return false;
}
return true;
}
protected static boolean isTypeMatched(TabularType type1, TabularType type2) {
if (type1 == type2) return true;
List<String> list1 = type1.getIndexNames();
List<String> list2 = type2.getIndexNames();
// check if the list of index names are the same
if (!list1.equals(list2))
return false;
return isTypeMatched(type1.getRowType(), type2.getRowType());
}
private static final long serialVersionUID = -2190411934472666714L;
}
src/share/classes/sun/security/pkcs/SignerInfo.java
浏览文件 @ 8587eb8d
/*
* Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -37,6 +37,7 @@ import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.Timestamp;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertPath;
......@@ -49,6 +50,7 @@ import java.util.Set;
import sun.misc.HexDumpEncoder;
import sun.security.timestamp.TimestampToken;
import sun.security.util.ConstraintsParameters;
import sun.security.util.Debug;
import sun.security.util.DerEncoder;
import sun.security.util.DerInputStream;
......@@ -209,7 +211,7 @@ public class SignerInfo implements DerEncoder {
/**
* DER encode this object onto an output stream.
* Implements the <code>DerEncoder</code> interface.
* Implements the {@code DerEncoder} interface.
*
* @param out
* the output stream on which to write the DER encoding.
......@@ -266,7 +268,7 @@ public class SignerInfo implements DerEncoder {
if (userCert == null)
return null;
ArrayList<X509Certificate> certList = new ArrayList<X509Certificate>();
ArrayList<X509Certificate> certList = new ArrayList<>();
certList.add(userCert);
X509Certificate[] pkcsCerts = block.getCertificates();
......@@ -321,6 +323,14 @@ public class SignerInfo implements DerEncoder {
data = content.getContentBytes();
}
Timestamp timestamp = null;
try {
timestamp = getTimestamp();
} catch (Exception ignore) {
}
ConstraintsParameters cparams =
new ConstraintsParameters(timestamp);
String digestAlgname = getDigestAlgorithmId().getName();
byte[] dataSigned;
......@@ -347,11 +357,11 @@ public class SignerInfo implements DerEncoder {
if (messageDigest == null) // fail if there is no message digest
return null;
// check that algorithm is not restricted
if (!JAR_DISABLED_CHECK.permits(DIGEST_PRIMITIVE_SET,
digestAlgname, null)) {
throw new SignatureException("Digest check failed. " +
"Disabled algorithm used: " + digestAlgname);
// check that digest algorithm is not restricted
try {
JAR_DISABLED_CHECK.permits(digestAlgname, cparams);
} catch (CertPathValidatorException e) {
throw new SignatureException(e.getMessage(), e);
}
MessageDigest md = MessageDigest.getInstance(digestAlgname);
......@@ -385,17 +395,18 @@ public class SignerInfo implements DerEncoder {
String algname = AlgorithmId.makeSigAlg(
digestAlgname, encryptionAlgname);
// check that algorithm is not restricted
if (!JAR_DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, algname, null)) {
throw new SignatureException("Signature check failed. " +
"Disabled algorithm used: " + algname);
// check that jar signature algorithm is not restricted
try {
JAR_DISABLED_CHECK.permits(algname, cparams);
} catch (CertPathValidatorException e) {
throw new SignatureException(e.getMessage(), e);
}
X509Certificate cert = getCertificate(block);
PublicKey key = cert.getPublicKey();
if (cert == null) {
return null;
}
PublicKey key = cert.getPublicKey();
// check if the public key is restricted
if (!JAR_DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
......@@ -519,7 +530,7 @@ public class SignerInfo implements DerEncoder {
* Extracts a timestamp from a PKCS7 SignerInfo.
*
* Examines the signer's unsigned attributes for a
* <tt>signatureTimestampToken</tt> attribute. If present,
* {@code signatureTimestampToken} attribute. If present,
* then it is parsed to extract the date and time at which the
* timestamp was generated.
*
......
src/share/classes/sun/security/provider/ByteArrayAccess.java
浏览文件 @ 8587eb8d
/*
* Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -94,7 +94,7 @@ final class ByteArrayAccess {
String arch = java.security.AccessController.doPrivileged
(new sun.security.action.GetPropertyAction("os.arch", ""));
return arch.equals("i386") || arch.equals("x86") || arch.equals("amd64")
|| arch.equals("x86_64");
|| arch.equals("x86_64") || arch.equals("ppc64") || arch.equals("ppc64le");
}
/**
......
src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java
浏览文件 @ 8587eb8d
/*
* Copyright (c) 2009, 2016, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -27,8 +27,11 @@ package sun.security.provider.certpath;
import java.security.AlgorithmConstraints;
import java.security.CryptoPrimitive;
import java.security.Timestamp;
import java.security.cert.CertPathValidator;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Set;
import java.util.EnumSet;
import java.math.BigInteger;
......@@ -51,15 +54,16 @@ import java.security.interfaces.DSAPublicKey;
import java.security.spec.DSAPublicKeySpec;
import sun.security.util.AnchorCertificates;
import sun.security.util.CertConstraintParameters;
import sun.security.util.ConstraintsParameters;
import sun.security.util.Debug;
import sun.security.util.DisabledAlgorithmConstraints;
import sun.security.validator.Validator;
import sun.security.x509.X509CertImpl;
import sun.security.x509.X509CRLImpl;
import sun.security.x509.AlgorithmId;
/**
* A <code>PKIXCertPathChecker</code> implementation to check whether a
* A {@code PKIXCertPathChecker} implementation to check whether a
* specified certificate contains the required algorithm constraints.
* <p>
* Certificate fields such as the subject public key, the signature
......@@ -69,24 +73,27 @@ import sun.security.x509.AlgorithmId;
* @see PKIXCertPathChecker
* @see PKIXParameters
*/
final public class AlgorithmChecker extends PKIXCertPathChecker {
public final class AlgorithmChecker extends PKIXCertPathChecker {
private static final Debug debug = Debug.getInstance("certpath");
private final AlgorithmConstraints constraints;
private final PublicKey trustedPubKey;
private final Date pkixdate;
private PublicKey prevPubKey;
private final Timestamp jarTimestamp;
private final String variant;
private final static Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET =
private static final Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET =
Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
private final static Set<CryptoPrimitive> KU_PRIMITIVE_SET =
private static final Set<CryptoPrimitive> KU_PRIMITIVE_SET =
Collections.unmodifiableSet(EnumSet.of(
CryptoPrimitive.SIGNATURE,
CryptoPrimitive.KEY_ENCAPSULATION,
CryptoPrimitive.PUBLIC_KEY_ENCRYPTION,
CryptoPrimitive.KEY_AGREEMENT));
private final static DisabledAlgorithmConstraints
private static final DisabledAlgorithmConstraints
certPathDefaultConstraints = new DisabledAlgorithmConstraints(
DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS);
......@@ -99,51 +106,58 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
private boolean trustedMatch = false;
/**
* Create a new <code>AlgorithmChecker</code> with the algorithm
* constraints specified in security property
* "jdk.certpath.disabledAlgorithms".
* Create a new {@code AlgorithmChecker} with the given algorithm
* given {@code TrustAnchor} and {@code String} variant.
*
* @param anchor the trust anchor selected to validate the target
* certificate
* @param variant is the Validator variants of the operation. A null value
* passed will set it to Validator.GENERIC.
*/
public AlgorithmChecker(TrustAnchor anchor) {
this(anchor, certPathDefaultConstraints);
public AlgorithmChecker(TrustAnchor anchor, String variant) {
this(anchor, certPathDefaultConstraints, null, null, variant);
}
/**
* Create a new <code>AlgorithmChecker</code> with the
* given {@code AlgorithmConstraints}.
* <p>
* Note that this constructor will be used to check a certification
* path where the trust anchor is unknown, or a certificate list which may
* contain the trust anchor. This constructor is used by SunJSSE.
* Create a new {@code AlgorithmChecker} with the given
* {@code AlgorithmConstraints}, {@code Timestamp}, and {@code String}
* variant.
*
* Note that this constructor can initialize a variation of situations where
* the AlgorithmConstraints, Timestamp, or Variant maybe known.
*
* @param constraints the algorithm constraints (or null)
* @param jarTimestamp Timestamp passed for JAR timestamp constraint
* checking. Set to null if not applicable.
* @param variant is the Validator variants of the operation. A null value
* passed will set it to Validator.GENERIC.
*/
public AlgorithmChecker(AlgorithmConstraints constraints) {
this.prevPubKey = null;
this.trustedPubKey = null;
this.constraints = constraints;
public AlgorithmChecker(AlgorithmConstraints constraints,
Timestamp jarTimestamp, String variant) {
this(null, constraints, null, jarTimestamp, variant);
}
/**
* Create a new <code>AlgorithmChecker</code> with the
* given <code>TrustAnchor</code> and <code>AlgorithmConstraints</code>.
* Create a new {@code AlgorithmChecker} with the
* given {@code TrustAnchor}, {@code AlgorithmConstraints},
* {@code Timestamp}, and {@code String} variant.
*
* @param anchor the trust anchor selected to validate the target
* certificate
* @param constraints the algorithm constraints (or null)
*
* @throws IllegalArgumentException if the <code>anchor</code> is null
* @param pkixdate The date specified by the PKIXParameters date. If the
* PKIXParameters is null, the current date is used. This
* should be null when jar files are being checked.
* @param jarTimestamp Timestamp passed for JAR timestamp constraint
* checking. Set to null if not applicable.
* @param variant is the Validator variants of the operation. A null value
* passed will set it to Validator.GENERIC.
*/
public AlgorithmChecker(TrustAnchor anchor,
AlgorithmConstraints constraints) {
if (anchor == null) {
throw new IllegalArgumentException(
"The trust anchor cannot be null");
}
AlgorithmConstraints constraints, Date pkixdate,
Timestamp jarTimestamp, String variant) {
if (anchor != null) {
if (anchor.getTrustedCert() != null) {
this.trustedPubKey = anchor.getTrustedCert().getPublicKey();
// Check for anchor certificate restrictions
......@@ -154,9 +168,37 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
} else {
this.trustedPubKey = anchor.getCAPublicKey();
}
} else {
this.trustedPubKey = null;
if (debug != null) {
debug.println("TrustAnchor is null, trustedMatch is false.");
}
}
this.prevPubKey = this.trustedPubKey;
this.constraints = (constraints == null ? certPathDefaultConstraints :
constraints);
// If we are checking jar files, set pkixdate the same as the timestamp
// for certificate checking
this.pkixdate = (jarTimestamp != null ? jarTimestamp.getTimestamp() :
pkixdate);
this.jarTimestamp = jarTimestamp;
this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
}
this.prevPubKey = trustedPubKey;
this.constraints = constraints;
/**
* Create a new {@code AlgorithmChecker} with the given {@code TrustAnchor},
* {@code PKIXParameter} date, and {@code varient}
*
* @param anchor the trust anchor selected to validate the target
* certificate
* @param pkixdate Date the constraints are checked against. The value is
* either the PKIXParameters date or null for the current date.
* @param variant is the Validator variants of the operation. A null value
* passed will set it to Validator.GENERIC.
*/
public AlgorithmChecker(TrustAnchor anchor, Date pkixdate, String variant) {
this(anchor, certPathDefaultConstraints, pkixdate, null, variant);
}
// Check this 'cert' for restrictions in the AnchorCertificates
......@@ -217,6 +259,28 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
null, null, -1, PKIXReason.INVALID_KEY_USAGE);
}
X509CertImpl x509Cert;
AlgorithmId algorithmId;
try {
x509Cert = X509CertImpl.toImpl((X509Certificate)cert);
algorithmId = (AlgorithmId)x509Cert.get(X509CertImpl.SIG_ALG);
} catch (CertificateException ce) {
throw new CertPathValidatorException(ce);
}
AlgorithmParameters currSigAlgParams = algorithmId.getParameters();
PublicKey currPubKey = cert.getPublicKey();
String currSigAlg = ((X509Certificate)cert).getSigAlgName();
// Check the signature algorithm and parameters against constraints.
if (!constraints.permits(SIGNATURE_PRIMITIVE_SET, currSigAlg,
currSigAlgParams)) {
throw new CertPathValidatorException(
"Algorithm constraints check failed on signature " +
"algorithm: " + currSigAlg, null, null, -1,
BasicReason.ALGORITHM_CONSTRAINED);
}
// Assume all key usage bits are set if key usage is not present
Set<CryptoPrimitive> primitives = KU_PRIMITIVE_SET;
......@@ -253,56 +317,37 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
}
}
PublicKey currPubKey = cert.getPublicKey();
ConstraintsParameters cp =
new ConstraintsParameters((X509Certificate)cert,
trustedMatch, pkixdate, jarTimestamp, variant);
// Check against local constraints if it is DisabledAlgorithmConstraints
if (constraints instanceof DisabledAlgorithmConstraints) {
// Check against DisabledAlgorithmConstraints certpath constraints.
// permits() will throw exception on failure.
((DisabledAlgorithmConstraints)constraints).permits(primitives,
new CertConstraintParameters((X509Certificate)cert,
trustedMatch));
// If there is no previous key, set one and exit
if (prevPubKey == null) {
prevPubKey = currPubKey;
return;
}
}
X509CertImpl x509Cert;
AlgorithmId algorithmId;
try {
x509Cert = X509CertImpl.toImpl((X509Certificate)cert);
algorithmId = (AlgorithmId)x509Cert.get(X509CertImpl.SIG_ALG);
} catch (CertificateException ce) {
throw new CertPathValidatorException(ce);
}
AlgorithmParameters currSigAlgParams = algorithmId.getParameters();
String currSigAlg = x509Cert.getSigAlgName();
// If 'constraints' is not of DisabledAlgorithmConstraints, check all
// everything individually
if (!(constraints instanceof DisabledAlgorithmConstraints)) {
// Check the current signature algorithm
if (!constraints.permits(
SIGNATURE_PRIMITIVE_SET,
currSigAlg, currSigAlgParams)) {
throw new CertPathValidatorException(
"Algorithm constraints check failed on signature " +
"algorithm: " + currSigAlg, null, null, -1,
BasicReason.ALGORITHM_CONSTRAINED);
}
((DisabledAlgorithmConstraints)constraints).permits(currSigAlg, cp);
// DisabledAlgorithmsConstraints does not check primitives, so key
// additional key check.
} else {
// Perform the default constraints checking anyway.
certPathDefaultConstraints.permits(currSigAlg, cp);
// Call locally set constraints to check key with primitives.
if (!constraints.permits(primitives, currPubKey)) {
throw new CertPathValidatorException(
"Algorithm constraints check failed on keysize: " +
sun.security.util.KeyUtil.getKeySize(currPubKey),
"Algorithm constraints check failed on key " +
currPubKey.getAlgorithm() + " with size of " +
sun.security.util.KeyUtil.getKeySize(currPubKey) +
"bits",
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
}
}
// If there is no previous key, set one and exit
if (prevPubKey == null) {
prevPubKey = currPubKey;
return;
}
// Check with previous cert for signature algorithm and public key
if (prevPubKey != null) {
if (!constraints.permits(
SIGNATURE_PRIMITIVE_SET,
currSigAlg, prevPubKey, currSigAlgParams)) {
......@@ -329,25 +374,17 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
try {
BigInteger y = ((DSAPublicKey)currPubKey).getY();
KeyFactory kf = KeyFactory.getInstance("DSA");
DSAPublicKeySpec ks = new DSAPublicKeySpec(y,
params.getP(),
params.getQ(),
params.getG());
DSAPublicKeySpec ks = new DSAPublicKeySpec(y, params.getP(),
params.getQ(), params.getG());
currPubKey = kf.generatePublic(ks);
} catch (GeneralSecurityException e) {
throw new CertPathValidatorException("Unable to generate " +
"key with inherited parameters: " + e.getMessage(), e);
}
}
}
// reset the previous public key
prevPubKey = currPubKey;
// check the extended key usage, ignore the check now
// List<String> extendedKeyUsages = x509Cert.getExtendedKeyUsage();
// DO NOT remove any unresolved critical extensions
}
/**
......@@ -387,8 +424,10 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
*
* @param key the public key to verify the CRL signature
* @param crl the target CRL
* @param variant is the Validator variants of the operation. A null value
* passed will set it to Validator.GENERIC.
*/
static void check(PublicKey key, X509CRL crl)
static void check(PublicKey key, X509CRL crl, String variant)
throws CertPathValidatorException {
X509CRLImpl x509CRLImpl = null;
......@@ -399,28 +438,24 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
}
AlgorithmId algorithmId = x509CRLImpl.getSigAlgId();
check(key, algorithmId);
check(key, algorithmId, variant);
}
/**
* Check the signature algorithm with the specified public key.
*
* @param key the public key to verify the CRL signature
* @param crl the target CRL
* @param algorithmId signature algorithm Algorithm ID
* @param variant is the Validator variants of the operation. A null value
* passed will set it to Validator.GENERIC.
*/
static void check(PublicKey key, AlgorithmId algorithmId)
static void check(PublicKey key, AlgorithmId algorithmId, String variant)
throws CertPathValidatorException {
String sigAlgName = algorithmId.getName();
AlgorithmParameters sigAlgParams = algorithmId.getParameters();
if (!certPathDefaultConstraints.permits(
SIGNATURE_PRIMITIVE_SET, sigAlgName, key, sigAlgParams)) {
throw new CertPathValidatorException(
"Algorithm constraints check failed on signature algorithm: " +
sigAlgName + " is disabled",
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
certPathDefaultConstraints.permits(new ConstraintsParameters(
sigAlgName, sigAlgParams, key, variant));
}
}
}
src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
浏览文件 @ 8587eb8d
/*
* Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -33,6 +33,7 @@ import javax.security.auth.x500.X500Principal;
import java.util.*;
import sun.security.util.Debug;
import sun.security.validator.Validator;
import static sun.security.x509.PKIXExtensions.*;
import sun.security.x509.*;
......@@ -65,6 +66,20 @@ public class DistributionPointFetcher {
* Return the X509CRLs matching this selector. The selector must be
* an X509CRLSelector with certificateChecking set.
*/
public static Collection<X509CRL> getCRLs(X509CRLSelector selector,
boolean signFlag, PublicKey prevKey, String provider,
List<CertStore> certStores, boolean[] reasonsMask,
Set<TrustAnchor> trustAnchors, Date validity, String variant)
throws CertStoreException
{
return getCRLs(selector, signFlag, prevKey, null, provider, certStores,
reasonsMask, trustAnchors, validity, variant);
}
/**
* Return the X509CRLs matching this selector. The selector must be
* an X509CRLSelector with certificateChecking set.
*/
// Called by com.sun.deploy.security.RevocationChecker
public static Collection<X509CRL> getCRLs(X509CRLSelector selector,
boolean signFlag,
PublicKey prevKey,
......@@ -76,7 +91,7 @@ public class DistributionPointFetcher {
throws CertStoreException
{
return getCRLs(selector, signFlag, prevKey, null, provider, certStores,
reasonsMask, trustAnchors, validity);
reasonsMask, trustAnchors, validity, Validator.VAR_GENERIC);
}
/**
......@@ -91,7 +106,8 @@ public class DistributionPointFetcher {
List<CertStore> certStores,
boolean[] reasonsMask,
Set<TrustAnchor> trustAnchors,
Date validity)
Date validity,
String variant)
throws CertStoreException
{
X509Certificate cert = selector.getCertificateChecking();
......@@ -120,7 +136,7 @@ public class DistributionPointFetcher {
DistributionPoint point = t.next();
Collection<X509CRL> crls = getCRLs(selector, certImpl,
point, reasonsMask, signFlag, prevKey, prevCert, provider,
certStores, trustAnchors, validity);
certStores, trustAnchors, validity, variant);
results.addAll(crls);
}
if (debug != null) {
......@@ -145,7 +161,7 @@ public class DistributionPointFetcher {
X509CertImpl certImpl, DistributionPoint point, boolean[] reasonsMask,
boolean signFlag, PublicKey prevKey, X509Certificate prevCert,
String provider, List<CertStore> certStores,
Set<TrustAnchor> trustAnchors, Date validity)
Set<TrustAnchor> trustAnchors, Date validity, String variant)
throws CertStoreException {
// check for full name
......@@ -208,7 +224,7 @@ public class DistributionPointFetcher {
selector.setIssuerNames(null);
if (selector.match(crl) && verifyCRL(certImpl, point, crl,
reasonsMask, signFlag, prevKey, prevCert, provider,
trustAnchors, certStores, validity)) {
trustAnchors, certStores, validity, variant)) {
crls.add(crl);
}
} catch (IOException | CRLException e) {
......@@ -317,7 +333,7 @@ public class DistributionPointFetcher {
X509CRL crl, boolean[] reasonsMask, boolean signFlag,
PublicKey prevKey, X509Certificate prevCert, String provider,
Set<TrustAnchor> trustAnchors, List<CertStore> certStores,
Date validity) throws CRLException, IOException {
Date validity, String variant) throws CRLException, IOException {
if (debug != null) {
debug.println("DistributionPointFetcher.verifyCRL: " +
......@@ -443,7 +459,7 @@ public class DistributionPointFetcher {
}
if (indirectCRL) {
if (pointCrlIssuers.size() != 1) {
// RFC 3280: there must be only 1 CRL issuer
// RFC 5280: there must be only 1 CRL issuer
// name when relativeName is present
if (debug != null) {
debug.println("must only be one CRL " +
......@@ -664,7 +680,7 @@ public class DistributionPointFetcher {
// check the crl signature algorithm
try {
AlgorithmChecker.check(prevKey, crl);
AlgorithmChecker.check(prevKey, crl, variant);
} catch (CertPathValidatorException cpve) {
if (debug != null) {
debug.println("CRL signature algorithm check failed: " + cpve);
......
src/share/classes/sun/security/provider/certpath/OCSP.java
浏览文件 @ 8587eb8d
/*
* Copyright (c) 2009, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -35,6 +35,7 @@ import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.CRLReason;
import java.security.cert.Extension;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
......@@ -42,14 +43,14 @@ import java.util.Date;
import java.util.List;
import java.util.Map;
import static sun.security.provider.certpath.OCSPResponse.*;
import sun.security.action.GetIntegerAction;
import sun.security.util.Debug;
import sun.security.util.ObjectIdentifier;
import sun.security.validator.Validator;
import sun.security.x509.AccessDescription;
import sun.security.x509.AuthorityInfoAccessExtension;
import sun.security.x509.GeneralName;
import sun.security.x509.GeneralNameInterface;
import sun.security.x509.PKIXExtensions;
import sun.security.x509.URIName;
import sun.security.x509.X509CertImpl;
......@@ -65,9 +66,6 @@ import sun.security.x509.X509CertImpl;
*/
public final class OCSP {
static final ObjectIdentifier NONCE_EXTENSION_OID =
ObjectIdentifier.newInternal(new int[]{ 1, 3, 6, 1, 5, 5, 7, 48, 1, 2});
private static final Debug debug = Debug.getInstance("certpath");
private static final int DEFAULT_CONNECT_TIMEOUT = 15000;
......@@ -97,42 +95,6 @@ public final class OCSP {
private OCSP() {}
/**
* Obtains the revocation status of a certificate using OCSP using the most
* common defaults. The OCSP responder URI is retrieved from the
* certificate's AIA extension. The OCSP responder certificate is assumed
* to be the issuer's certificate (or issued by the issuer CA).
*
* @param cert the certificate to be checked
* @param issuerCert the issuer certificate
* @return the RevocationStatus
* @throws IOException if there is an exception connecting to or
* communicating with the OCSP responder
* @throws CertPathValidatorException if an exception occurs while
* encoding the OCSP Request or validating the OCSP Response
*/
public static RevocationStatus check(X509Certificate cert,
X509Certificate issuerCert)
throws IOException, CertPathValidatorException {
CertId certId = null;
URI responderURI = null;
try {
X509CertImpl certImpl = X509CertImpl.toImpl(cert);
responderURI = getResponderURI(certImpl);
if (responderURI == null) {
throw new CertPathValidatorException
("No OCSP Responder URI in certificate");
}
certId = new CertId(issuerCert, certImpl.getSerialNumberObject());
} catch (CertificateException | IOException e) {
throw new CertPathValidatorException
("Exception while encoding OCSPRequest", e);
}
OCSPResponse ocspResponse = check(Collections.singletonList(certId),
responderURI, issuerCert, null, null,
Collections.<Extension>emptyList());
return (RevocationStatus)ocspResponse.getSingleResponse(certId);
}
/**
* Obtains the revocation status of a certificate using OCSP.
......@@ -149,6 +111,8 @@ public final class OCSP {
* @throws CertPathValidatorException if an exception occurs while
* encoding the OCSP Request or validating the OCSP Response
*/
// Called by com.sun.deploy.security.TrustDecider
public static RevocationStatus check(X509Certificate cert,
X509Certificate issuerCert,
URI responderURI,
......@@ -157,18 +121,27 @@ public final class OCSP {
throws IOException, CertPathValidatorException
{
return check(cert, issuerCert, responderURI, responderCert, date,
Collections.<Extension>emptyList());
Collections.<Extension>emptyList(), Validator.VAR_GENERIC);
}
// Called by com.sun.deploy.security.TrustDecider
public static RevocationStatus check(X509Certificate cert,
X509Certificate issuerCert,
URI responderURI,
X509Certificate responderCert,
Date date, List<Extension> extensions)
X509Certificate issuerCert, URI responderURI,
X509Certificate responderCert, Date date, List<Extension> extensions,
String variant)
throws IOException, CertPathValidatorException
{
CertId certId = null;
return check(cert, responderURI, null, issuerCert, responderCert, date,
extensions, variant);
}
public static RevocationStatus check(X509Certificate cert,
URI responderURI, TrustAnchor anchor, X509Certificate issuerCert,
X509Certificate responderCert, Date date,
List<Extension> extensions, String variant)
throws IOException, CertPathValidatorException
{
CertId certId;
try {
X509CertImpl certImpl = X509CertImpl.toImpl(cert);
certId = new CertId(issuerCert, certImpl.getSerialNumberObject());
......@@ -177,19 +150,23 @@ public final class OCSP {
("Exception while encoding OCSPRequest", e);
}
OCSPResponse ocspResponse = check(Collections.singletonList(certId),
responderURI, issuerCert, responderCert, date, extensions);
responderURI, new OCSPResponse.IssuerInfo(anchor, issuerCert),
responderCert, date, extensions, variant);
return (RevocationStatus) ocspResponse.getSingleResponse(certId);
}
/**
* Checks the revocation status of a list of certificates using OCSP.
*
* @param certs the CertIds to be checked
* @param certIds the CertIds to be checked
* @param responderURI the URI of the OCSP responder
* @param issuerCert the issuer's certificate
* @param issuerInfo the issuer's certificate and/or subject and public key
* @param responderCert the OCSP responder's certificate
* @param date the time the validity of the OCSP responder's certificate
* should be checked against. If null, the current time is used.
* @param extensions zero or more OCSP extensions to be included in the
* request. If no extensions are requested, an empty {@code List} must
* be used. A {@code null} value is not allowed.
* @return the OCSPResponse
* @throws IOException if there is an exception connecting to or
* communicating with the OCSP responder
......@@ -197,24 +174,59 @@ public final class OCSP {
* encoding the OCSP Request or validating the OCSP Response
*/
static OCSPResponse check(List<CertId> certIds, URI responderURI,
X509Certificate issuerCert,
OCSPResponse.IssuerInfo issuerInfo,
X509Certificate responderCert, Date date,
List<Extension> extensions)
List<Extension> extensions, String variant)
throws IOException, CertPathValidatorException
{
byte[] bytes = null;
OCSPRequest request = null;
byte[] nonce = null;
for (Extension ext : extensions) {
if (ext.getId().equals(PKIXExtensions.OCSPNonce_Id.toString())) {
nonce = ext.getValue();
}
}
OCSPResponse ocspResponse = null;
try {
request = new OCSPRequest(certIds, extensions);
bytes = request.encodeBytes();
byte[] response = getOCSPBytes(certIds, responderURI, extensions);
ocspResponse = new OCSPResponse(response);
// verify the response
ocspResponse.verify(certIds, issuerInfo, responderCert, date,
nonce, variant);
} catch (IOException ioe) {
throw new CertPathValidatorException
("Exception while encoding OCSPRequest", ioe);
throw new CertPathValidatorException(
"Unable to determine revocation status due to network error",
ioe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
}
return ocspResponse;
}
/**
* Send an OCSP request, then read and return the OCSP response bytes.
*
* @param certIds the CertIds to be checked
* @param responderURI the URI of the OCSP responder
* @param extensions zero or more OCSP extensions to be included in the
* request. If no extensions are requested, an empty {@code List} must
* be used. A {@code null} value is not allowed.
*
* @return the OCSP response bytes
*
* @throws IOException if there is an exception connecting to or
* communicating with the OCSP responder
*/
public static byte[] getOCSPBytes(List<CertId> certIds, URI responderURI,
List<Extension> extensions) throws IOException {
OCSPRequest request = new OCSPRequest(certIds, extensions);
byte[] bytes = request.encodeBytes();
InputStream in = null;
OutputStream out = null;
byte[] response = null;
try {
URL url = responderURI.toURL();
if (debug != null) {
......@@ -257,10 +269,6 @@ public final class OCSP {
}
}
response = Arrays.copyOf(response, total);
} catch (IOException ioe) {
throw new CertPathValidatorException(
"Unable to determine revocation status due to network error",
ioe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
} finally {
if (in != null) {
try {
......@@ -277,20 +285,7 @@ public final class OCSP {
}
}
}
OCSPResponse ocspResponse = null;
try {
ocspResponse = new OCSPResponse(response);
} catch (IOException ioe) {
// response decoding exception
throw new CertPathValidatorException(ioe);
}
// verify the response
ocspResponse.verify(certIds, issuerCert, responderCert, date,
request.getNonce());
return ocspResponse;
return response;
}
/**
......@@ -322,7 +317,7 @@ public final class OCSP {
List<AccessDescription> descriptions = aia.getAccessDescriptions();
for (AccessDescription description : descriptions) {
if (description.getAccessMethod().equals((Object)
if (description.getAccessMethod().equals(
AccessDescription.Ad_OCSP_Id)) {
GeneralName generalName = description.getAccessLocation();
......
src/share/classes/sun/security/provider/certpath/OCSPRequest.java
浏览文件 @ 8587eb8d
/*
* Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -32,10 +32,11 @@ import java.util.List;
import sun.misc.HexDumpEncoder;
import sun.security.util.*;
import sun.security.x509.PKIXExtensions;
/**
* This class can be used to generate an OCSP request and send it over
* an outputstream. Currently we do not support signing requests
* an output stream. Currently we do not support signing requests.
* The OCSP Request is specified in RFC 2560 and
* the ASN.1 definition is as follows:
* <pre>
......@@ -118,7 +119,8 @@ class OCSPRequest {
DerOutputStream extOut = new DerOutputStream();
for (Extension ext : extensions) {
ext.encode(extOut);
if (ext.getId().equals(OCSP.NONCE_EXTENSION_OID.toString())) {
if (ext.getId().equals(
PKIXExtensions.OCSPNonce_Id.toString())) {
nonce = ext.getValue();
}
}
......
src/share/classes/sun/security/provider/certpath/PKIX.java
浏览文件 @ 8587eb8d
/*
* Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2012, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -26,6 +26,7 @@ package sun.security.provider.certpath;
import java.security.InvalidAlgorithmParameterException;
import java.security.PublicKey;
import java.security.Timestamp;
import java.security.cert.*;
import java.security.interfaces.DSAPublicKey;
import java.util.*;
......@@ -85,6 +86,8 @@ class PKIX {
private CertSelector constraints;
private Set<TrustAnchor> anchors;
private List<X509Certificate> certs;
private Timestamp timestamp;
private String variant;
ValidatorParams(CertPath cp, PKIXParameters params)
throws InvalidAlgorithmParameterException
......@@ -100,6 +103,11 @@ class PKIX {
ValidatorParams(PKIXParameters params)
throws InvalidAlgorithmParameterException
{
if (params instanceof PKIXExtendedParameters) {
timestamp = ((PKIXExtendedParameters) params).getTimestamp();
variant = ((PKIXExtendedParameters) params).getVariant();
}
this.anchors = params.getTrustAnchors();
// Make sure that none of the trust anchors include name constraints
// (not supported).
......@@ -189,6 +197,14 @@ class PKIX {
PKIXParameters getPKIXParameters() {
return params;
}
Timestamp timestamp() {
return timestamp;
}
String variant() {
return variant;
}
}
static class BuilderParams extends ValidatorParams {
......
src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
浏览文件 @ 8587eb8d
/*
* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -172,7 +172,8 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi {
List<PKIXCertPathChecker> certPathCheckers = new ArrayList<>();
// add standard checkers that we will be using
certPathCheckers.add(untrustedChecker);
certPathCheckers.add(new AlgorithmChecker(anchor));
certPathCheckers.add(new AlgorithmChecker(anchor, null, params.date(),
params.timestamp(), params.variant()));
certPathCheckers.add(new KeyChecker(certPathLen,
params.targetCertConstraints()));
certPathCheckers.add(new ConstraintsChecker(certPathLen));
......@@ -189,7 +190,10 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi {
rootNode);
certPathCheckers.add(pc);
// default value for date is current time
BasicChecker bc = new BasicChecker(anchor, params.date(),
BasicChecker bc;
bc = new BasicChecker(anchor,
(params.timestamp() == null ? params.date() :
params.timestamp().getTimestamp()),
params.sigProvider(), false);
certPathCheckers.add(bc);
......
src/share/classes/sun/security/provider/certpath/PKIXExtendedParameters.java 0 → 100644
浏览文件 @ 8587eb8d
/*
* Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.provider.certpath;
import java.security.InvalidAlgorithmParameterException;
import java.security.Timestamp;
import java.security.cert.CertSelector;
import java.security.cert.CertStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.TrustAnchor;
import java.util.Date;
import java.util.List;
import java.util.Set;
/**
* This class is a wrapper for PKIXBuilderParameters so that a Timestamp object
* and a string for the variant type, can be passed when doing certpath
* checking.
*/
public class PKIXExtendedParameters extends PKIXBuilderParameters {
private final PKIXBuilderParameters p;
private Timestamp jarTimestamp;
private final String variant;
public PKIXExtendedParameters(PKIXBuilderParameters params,
Timestamp timestamp, String variant)
throws InvalidAlgorithmParameterException {
super(params.getTrustAnchors(), null);
p = params;
jarTimestamp = timestamp;
this.variant = variant;
}
public Timestamp getTimestamp() {
return jarTimestamp;
}
public void setTimestamp(Timestamp t) {
jarTimestamp = t;
}
public String getVariant() {
return variant;
}
@Override
public void setDate(Date d) {
p.setDate(d);
}
@Override
public void addCertPathChecker(PKIXCertPathChecker c) {
p.addCertPathChecker(c);
}
@Override
public void setMaxPathLength(int maxPathLength) {
p.setMaxPathLength(maxPathLength);
}
@Override
public int getMaxPathLength() {
return p.getMaxPathLength();
}
@Override
public String toString() {
return p.toString();
}
@Override
public Set<TrustAnchor> getTrustAnchors() {
return p.getTrustAnchors();
}
@Override
public void setTrustAnchors(Set<TrustAnchor> trustAnchors)
throws InvalidAlgorithmParameterException {
// To avoid problems with PKIXBuilderParameter's constructors
if (p == null) {
return;
}
p.setTrustAnchors(trustAnchors);
}
@Override
public Set<String> getInitialPolicies() {
return p.getInitialPolicies();
}
@Override
public void setInitialPolicies(Set<String> initialPolicies) {
p.setInitialPolicies(initialPolicies);
}
@Override
public void setCertStores(List<CertStore> stores) {
p.setCertStores(stores);
}
@Override
public void addCertStore(CertStore store) {
p.addCertStore(store);
}
@Override
public List<CertStore> getCertStores() {
return p.getCertStores();
}
@Override
public void setRevocationEnabled(boolean val) {
p.setRevocationEnabled(val);
}
@Override
public boolean isRevocationEnabled() {
return p.isRevocationEnabled();
}
@Override
public void setExplicitPolicyRequired(boolean val) {
p.setExplicitPolicyRequired(val);
}
@Override
public boolean isExplicitPolicyRequired() {
return p.isExplicitPolicyRequired();
}
@Override
public void setPolicyMappingInhibited(boolean val) {
p.setPolicyMappingInhibited(val);
}
@Override
public boolean isPolicyMappingInhibited() {
return p.isPolicyMappingInhibited();
}
@Override
public void setAnyPolicyInhibited(boolean val) {
p.setAnyPolicyInhibited(val);
}
@Override
public boolean isAnyPolicyInhibited() {
return p.isAnyPolicyInhibited();
}
@Override
public void setPolicyQualifiersRejected(boolean qualifiersRejected) {
p.setPolicyQualifiersRejected(qualifiersRejected);
}
@Override
public boolean getPolicyQualifiersRejected() {
return p.getPolicyQualifiersRejected();
}
@Override
public Date getDate() {
return p.getDate();
}
@Override
public void setCertPathCheckers(List<PKIXCertPathChecker> checkers) {
p.setCertPathCheckers(checkers);
}
@Override
public List<PKIXCertPathChecker> getCertPathCheckers() {
return p.getCertPathCheckers();
}
@Override
public String getSigProvider() {
return p.getSigProvider();
}
@Override
public void setSigProvider(String sigProvider) {
p.setSigProvider(sigProvider);
}
@Override
public CertSelector getTargetCertConstraints() {
return p.getTargetCertConstraints();
}
@Override
public void setTargetCertConstraints(CertSelector selector) {
// To avoid problems with PKIXBuilderParameter's constructors
if (p == null) {
return;
}
p.setTargetCertConstraints(selector);
}
}
src/share/classes/sun/security/provider/certpath/ResponderId.java 0 → 100644
浏览文件 @ 8587eb8d
/*
* Copyright (c) 2015, 2017 Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.provider.certpath;
import java.util.Arrays;
import java.io.IOException;
import java.security.PublicKey;
import javax.security.auth.x500.X500Principal;
import sun.security.x509.KeyIdentifier;
import sun.security.util.DerValue;
/**
* Class for ResponderId entities as described in RFC6960. ResponderId objects
* are used to uniquely identify OCSP responders.
* <p>
* The RFC 6960 defines a ResponderID structure as:
* <pre>
* ResponderID ::= CHOICE {
* byName [1] Name,
* byKey [2] KeyHash }
*
* KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
* (excluding the tag and length fields)
*
* Name is defined in RFC 5280.
* </pre>
*
* @see ResponderId.Type
* @since 9
*/
public final class ResponderId {
/**
* A {@code ResponderId} enumeration describing the accepted forms for a
* {@code ResponderId}.
*
* @see ResponderId
* @since 9
*/
public static enum Type {
/**
* A BY_NAME {@code ResponderId} will be built from a subject name,
* either as an {@code X500Principal} or a DER-encoded byte array.
*/
BY_NAME(1, "byName"),
/**
* A BY_KEY {@code ResponderId} will be built from a public key
* identifier, either derived from a {@code PublicKey} or directly
* from a DER-encoded byte array containing the key identifier.
*/
BY_KEY(2, "byKey");
private final int tagNumber;
private final String ridTypeName;
private Type(int value, String name) {
this.tagNumber = value;
this.ridTypeName = name;
}
public int value() {
return tagNumber;
}
@Override
public String toString() {
return ridTypeName;
}
}
private Type type;
private X500Principal responderName;
private KeyIdentifier responderKeyId;
private byte[] encodedRid;
/**
* Constructs a {@code ResponderId} object using an {@code X500Principal}.
* When encoded in DER this object will use the BY_NAME option.
*
* @param subjectName the subject name of the certificate used
* to sign OCSP responses.
*
* @throws IOException if the internal DER-encoding of the
* {@code X500Principal} fails.
*/
public ResponderId(X500Principal subjectName) throws IOException {
responderName = subjectName;
responderKeyId = null;
encodedRid = principalToBytes();
type = Type.BY_NAME;
}
/**
* Constructs a {@code ResponderId} object using a {@code PublicKey}.
* When encoded in DER this object will use the byKey option, a
* SHA-1 hash of the responder's public key.
*
* @param pubKey the the OCSP responder's public key
*
* @throws IOException if the internal DER-encoding of the
* {@code KeyIdentifier} fails.
*/
public ResponderId(PublicKey pubKey) throws IOException {
responderKeyId = new KeyIdentifier(pubKey);
responderName = null;
encodedRid = keyIdToBytes();
type = Type.BY_KEY;
}
/**
* Constructs a {@code ResponderId} object from its DER-encoding.
*
* @param encodedData the DER-encoded bytes
*
* @throws IOException if the encodedData is not properly DER encoded
*/
public ResponderId(byte[] encodedData) throws IOException {
DerValue outer = new DerValue(encodedData);
if (outer.isContextSpecific((byte)Type.BY_NAME.value())
&& outer.isConstructed()) {
// Use the X500Principal constructor as a way to sanity
// check the incoming data.
responderName = new X500Principal(outer.getDataBytes());
encodedRid = principalToBytes();
type = Type.BY_NAME;
} else if (outer.isContextSpecific((byte)Type.BY_KEY.value())
&& outer.isConstructed()) {
// Use the KeyIdentifier constructor as a way to sanity
// check the incoming data.
responderKeyId =
new KeyIdentifier(new DerValue(outer.getDataBytes()));
encodedRid = keyIdToBytes();
type = Type.BY_KEY;
} else {
throw new IOException("Invalid ResponderId content");
}
}
/**
* Encode a {@code ResponderId} in DER form
*
* @return a byte array containing the DER-encoded representation for this
* {@code ResponderId}
*/
public byte[] getEncoded() {
return encodedRid.clone();
}
/**
* Return the type of {@ResponderId}
*
* @return a number corresponding to the context-specific tag number
* used in the DER-encoding for a {@code ResponderId}
*/
public ResponderId.Type getType() {
return type;
}
/**
* Get the length of the encoded {@code ResponderId} (including the tag and
* length of the explicit tagging from the outer ASN.1 CHOICE).
*
* @return the length of the encoded {@code ResponderId}
*/
public int length() {
return encodedRid.length;
}
/**
* Obtain the underlying {@code X500Principal} from a {@code ResponderId}
*
* @return the {@code X500Principal} for this {@code ResponderId} if it
* is a BY_NAME variant. If the {@code ResponderId} is a BY_KEY
* variant, this routine will return {@code null}.
*/
public X500Principal getResponderName() {
return responderName;
}
/**
* Obtain the underlying key identifier from a {@code ResponderId}
*
* @return the {@code KeyIdentifier} for this {@code ResponderId} if it
* is a BY_KEY variant. If the {@code ResponderId} is a BY_NAME
* variant, this routine will return {@code null}.
*/
public KeyIdentifier getKeyIdentifier() {
return responderKeyId;
}
/**
* Compares the specified object with this {@code ResponderId} for equality.
* A ResponderId will only be considered equivalent if both the type and
* data value are equal. Two ResponderIds initialized by name and
* key ID, respectively, will not be equal even if the
* ResponderId objects are created from the same source certificate.
*
* @param obj the object to be compared against
*
* @return true if the specified object is equal to this {@code Responderid}
*/
@Override
public boolean equals(Object obj) {
if (obj == null) {
return false;
}
if (this == obj) {
return true;
}
if (obj instanceof ResponderId) {
ResponderId respObj = (ResponderId)obj;
return Arrays.equals(encodedRid, respObj.getEncoded());
}
return false;
}
/**
* Returns the hash code value for this {@code ResponderId}
*
* @return the hash code value for this {@code ResponderId}
*/
@Override
public int hashCode() {
return Arrays.hashCode(encodedRid);
}
/**
* Create a String representation of this {@code ResponderId}
*
* @return a String representation of this {@code ResponderId}
*/
@Override
public String toString() {
StringBuilder sb = new StringBuilder();
switch (type) {
case BY_NAME:
sb.append(type).append(": ").append(responderName);
break;
case BY_KEY:
sb.append(type).append(": ");
for (byte keyIdByte : responderKeyId.getIdentifier()) {
sb.append(String.format("%02X", keyIdByte));
}
break;
default:
sb.append("Unknown ResponderId Type: ").append(type);
}
return sb.toString();
}
/**
* Convert the responderName data member into its DER-encoded form
*
* @return the DER encoding for a responder ID byName option, including
* explicit context-specific tagging.
*
* @throws IOException if any encoding error occurs
*/
private byte[] principalToBytes() throws IOException {
DerValue dv = new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT,
true, (byte)Type.BY_NAME.value()),
responderName.getEncoded());
return dv.toByteArray();
}
/**
* Convert the responderKeyId data member into its DER-encoded form
*
* @return the DER encoding for a responder ID byKey option, including
* explicit context-specific tagging.
*
* @throws IOException if any encoding error occurs
*/
private byte[] keyIdToBytes() throws IOException {
// Place the KeyIdentifier bytes into an OCTET STRING
DerValue inner = new DerValue(DerValue.tag_OctetString,
responderKeyId.getIdentifier());
// Mark the OCTET STRING-wrapped KeyIdentifier bytes
// as EXPLICIT CONTEXT 2
DerValue outer = new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT,
true, (byte)Type.BY_KEY.value()), inner.toByteArray());
return outer.toByteArray();
}
}
src/share/classes/sun/security/provider/certpath/RevocationChecker.java
浏览文件 @ 8587eb8d
/*
* Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2012, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -43,7 +43,6 @@ import javax.security.auth.x500.X500Principal;
import static sun.security.provider.certpath.OCSP.*;
import static sun.security.provider.certpath.PKIX.*;
import sun.security.action.GetPropertyAction;
import sun.security.x509.*;
import static sun.security.x509.PKIXExtensions.*;
import sun.security.util.Debug;
......@@ -62,12 +61,12 @@ class RevocationChecker extends PKIXRevocationChecker {
private List<CertStore> certStores;
private Map<X509Certificate, byte[]> ocspResponses;
private List<Extension> ocspExtensions;
private boolean legacy;
private final boolean legacy;
private LinkedList<CertPathValidatorException> softFailExceptions =
new LinkedList<>();
// state variables
private X509Certificate issuerCert;
private OCSPResponse.IssuerInfo issuerInfo;
private PublicKey prevPubKey;
private boolean crlSignFlag;
private int certIndex;
......@@ -302,9 +301,9 @@ class RevocationChecker extends PKIXRevocationChecker {
CertPathValidatorException("forward checking not supported");
}
if (anchor != null) {
issuerCert = anchor.getTrustedCert();
prevPubKey = (issuerCert != null) ? issuerCert.getPublicKey()
: anchor.getCAPublicKey();
issuerInfo = new OCSPResponse.IssuerInfo(anchor);
prevPubKey = issuerInfo.getPublicKey();
}
crlSignFlag = true;
if (params != null && params.certPath() != null) {
......@@ -438,7 +437,7 @@ class RevocationChecker extends PKIXRevocationChecker {
private void updateState(X509Certificate cert)
throws CertPathValidatorException
{
issuerCert = cert;
issuerInfo = new OCSPResponse.IssuerInfo(anchor, cert);
// Make new public key if parameters are missing
PublicKey pubKey = cert.getPublicKey();
......@@ -466,6 +465,34 @@ class RevocationChecker extends PKIXRevocationChecker {
stackedCerts, params.trustAnchors());
}
static boolean isCausedByNetworkIssue(String type, CertStoreException cse) {
boolean result;
Throwable t = cse.getCause();
switch (type) {
case "LDAP":
if (t != null) {
// These two exception classes are inside java.naming module
String cn = t.getClass().getName();
result = (cn.equals("javax.naming.ServiceUnavailableException") ||
cn.equals("javax.naming.CommunicationException"));
} else {
result = false;
}
break;
case "SSLServer":
result = (t != null && t instanceof IOException);
break;
case "URI":
result = (t != null && t instanceof IOException);
break;
default:
// we don't know about any other remote CertStore types
return false;
}
return result;
}
private void checkCRLs(X509Certificate cert, PublicKey prevKey,
X509Certificate prevCert, boolean signFlag,
boolean allowSeparateKey,
......@@ -478,9 +505,9 @@ class RevocationChecker extends PKIXRevocationChecker {
" ---checking revocation status ...");
}
// reject circular dependencies - RFC 3280 is not explicit on how
// to handle this, so we feel it is safest to reject them until
// the issue is resolved in the PKIX WG.
// Reject circular dependencies - RFC 5280 is not explicit on how
// to handle this, but does suggest that they can be a security
// risk and can create unresolvable dependencies
if (stackedCerts != null && stackedCerts.contains(cert)) {
if (debug != null) {
debug.println("RevocationChecker.checkCRLs()" +
......@@ -510,7 +537,7 @@ class RevocationChecker extends PKIXRevocationChecker {
"CertStoreException: " + e.getMessage());
}
if (networkFailureException == null &&
CertStoreHelper.isCausedByNetworkIssue(store.getType(),e)) {
isCausedByNetworkIssue(store.getType(),e)) {
// save this exception, we may need to throw it later
networkFailureException = new CertPathValidatorException(
"Unable to determine revocation status due to " +
......@@ -551,14 +578,13 @@ class RevocationChecker extends PKIXRevocationChecker {
if (crlDP) {
approvedCRLs.addAll(DistributionPointFetcher.getCRLs(
sel, signFlag, prevKey, prevCert,
params.sigProvider(), certStores,
reasonsMask, anchors, null));
params.sigProvider(), certStores, reasonsMask,
anchors, null, params.variant()));
}
} catch (CertStoreException e) {
if (e instanceof CertStoreTypeException) {
CertStoreTypeException cste = (CertStoreTypeException)e;
if (CertStoreHelper.isCausedByNetworkIssue(cste.getType(),
e)) {
if (isCausedByNetworkIssue(cste.getType(), e)) {
throw new CertPathValidatorException(
"Unable to determine revocation status due to " +
"network error", e, null, -1,
......@@ -634,7 +660,7 @@ class RevocationChecker extends PKIXRevocationChecker {
/*
* Abort CRL validation and throw exception if there are any
* unrecognized critical CRL entry extensions (see section
* 5.3 of RFC 3280).
* 5.3 of RFC 5280).
*/
Set<String> unresCritExts = entry.getCriticalExtensionOIDs();
if (unresCritExts != null && !unresCritExts.isEmpty()) {
......@@ -682,14 +708,8 @@ class RevocationChecker extends PKIXRevocationChecker {
OCSPResponse response = null;
CertId certId = null;
try {
if (issuerCert != null) {
certId = new CertId(issuerCert,
certId = new CertId(issuerInfo.getName(), issuerInfo.getPublicKey(),
currCert.getSerialNumberObject());
} else {
// must be an anchor name and key
certId = new CertId(anchor.getCA(), anchor.getCAPublicKey(),
currCert.getSerialNumberObject());
}
// check if there is a cached OCSP response available
byte[] responseBytes = ocspResponses.get(cert);
......@@ -706,8 +726,8 @@ class RevocationChecker extends PKIXRevocationChecker {
nonce = ext.getValue();
}
}
response.verify(Collections.singletonList(certId), issuerCert,
responderCert, params.date(), nonce);
response.verify(Collections.singletonList(certId), issuerInfo,
responderCert, params.date(), nonce, params.variant());
} else {
URI responderURI = (this.responderURI != null)
......@@ -720,8 +740,8 @@ class RevocationChecker extends PKIXRevocationChecker {
}
response = OCSP.check(Collections.singletonList(certId),
responderURI, issuerCert, responderCert,
null, ocspExtensions);
responderURI, issuerInfo, responderCert, null,
ocspExtensions, params.variant());
}
} catch (IOException e) {
throw new CertPathValidatorException(
......@@ -833,7 +853,7 @@ class RevocationChecker extends PKIXRevocationChecker {
if (DistributionPointFetcher.verifyCRL(
certImpl, point, crl, reasonsMask, signFlag,
prevKey, null, params.sigProvider(), anchors,
certStores, params.date()))
certStores, params.date(), params.variant()))
{
results.add(crl);
}
......@@ -886,9 +906,9 @@ class RevocationChecker extends PKIXRevocationChecker {
" ---checking " + msg + "...");
}
// reject circular dependencies - RFC 3280 is not explicit on how
// to handle this, so we feel it is safest to reject them until
// the issue is resolved in the PKIX WG.
// Reject circular dependencies - RFC 5280 is not explicit on how
// to handle this, but does suggest that they can be a security
// risk and can create unresolvable dependencies
if ((stackedCerts != null) && stackedCerts.contains(cert)) {
if (debug != null) {
debug.println(
......
src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java
浏览文件 @ 8587eb8d
/*
* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -50,7 +50,7 @@ import sun.security.util.Debug;
* <p> If successful, it returns a certification path which has successfully
* satisfied all the constraints and requirements specified in the
* PKIXBuilderParameters object and has been validated according to the PKIX
* path validation algorithm defined in RFC 3280.
* path validation algorithm defined in RFC 5280.
*
* <p> This implementation uses a depth-first search approach to finding
* certification paths. If it comes to a point in which it cannot find
......@@ -343,7 +343,8 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi {
checkers.add(policyChecker);
// add the algorithm checker
checkers.add(new AlgorithmChecker(builder.trustAnchor));
checkers.add(new AlgorithmChecker(builder.trustAnchor,
buildParams.date(), buildParams.variant()));
BasicChecker basicChecker = null;
if (nextState.keyParamsNeeded()) {
......
src/share/classes/sun/security/ssl/SSLContextImpl.java
浏览文件 @ 8587eb8d
/*
* Copyright (c) 1999, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -37,6 +37,7 @@ import javax.net.ssl.*;
import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.action.GetPropertyAction;
import sun.security.validator.Validator;
public abstract class SSLContextImpl extends SSLContextSpi {
......@@ -1040,7 +1041,7 @@ final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager
constraints = new SSLAlgorithmConstraints(sslSocket, true);
}
checkAlgorithmConstraints(chain, constraints);
checkAlgorithmConstraints(chain, constraints, isClient);
}
}
......@@ -1082,12 +1083,12 @@ final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager
constraints = new SSLAlgorithmConstraints(engine, true);
}
checkAlgorithmConstraints(chain, constraints);
checkAlgorithmConstraints(chain, constraints, isClient);
}
}
private void checkAlgorithmConstraints(X509Certificate[] chain,
AlgorithmConstraints constraints) throws CertificateException {
AlgorithmConstraints constraints, boolean isClient) throws CertificateException {
try {
// Does the certificate chain end with a trusted certificate?
......@@ -1105,7 +1106,9 @@ final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager
// A forward checker, need to check from trust to target
if (checkedLength >= 0) {
AlgorithmChecker checker = new AlgorithmChecker(constraints);
AlgorithmChecker checker =
new AlgorithmChecker(constraints, null,
(isClient ? Validator.VAR_TLS_CLIENT : Validator.VAR_TLS_SERVER));
checker.init(false);
for (int i = checkedLength; i >= 0; i--) {
Certificate cert = chain[i];
......
src/share/classes/sun/security/ssl/SSLSocketImpl.java
浏览文件 @ 8587eb8d
/*
* Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -220,6 +220,11 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
Collections.<SNIServerName>emptyList();
Collection<SNIMatcher> sniMatchers =
Collections.<SNIMatcher>emptyList();
// Is the serverNames set to empty with SSLParameters.setServerNames()?
private boolean noSniExtension = false;
// Is the sniMatchers set to empty with SSLParameters.setSNIMatchers()?
private boolean noSniMatcher = false;
/*
* READ ME * READ ME * READ ME * READ ME * READ ME * READ ME *
......@@ -666,6 +671,11 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
}
super.connect(endpoint, timeout);
if (host == null || host.length() == 0) {
useImplicitHost(false);
}
doneConnect();
}
......@@ -2158,41 +2168,61 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
output.r.setVersion(protocolVersion);
}
//
// ONLY used by ClientHandshaker for the server hostname during handshaking
//
synchronized String getHost() {
// Note that the host may be null or empty for localhost.
if (host == null || host.length() == 0) {
if (!trustNameService) {
// If the local name service is not trustworthy, reverse host
// name resolution should not be performed for endpoint
// identification. Use the application original specified
// hostname or IP address instead.
host = getOriginalHostname(getInetAddress());
} else {
host = getInetAddress().getHostName();
}
useImplicitHost(true);
}
return host;
}
/*
* Get the original application specified hostname.
*/
private static String getOriginalHostname(InetAddress inetAddress) {
/*
* Get the original hostname via sun.misc.SharedSecrets.
* Try to set and use the implicit specified hostname
*/
private synchronized void useImplicitHost(boolean noSniUpdate) {
// Note: If the local name service is not trustworthy, reverse
// host name resolution should not be performed for endpoint
// identification. Use the application original specified
// hostname or IP address instead.
// Get the original hostname via jdk.internal.misc.SharedSecrets
InetAddress inetAddress = getInetAddress();
if (inetAddress == null) { // not connected
return;
}
JavaNetAccess jna = SharedSecrets.getJavaNetAccess();
String originalHostname = jna.getOriginalHostName(inetAddress);
if ((originalHostname != null) &&
(originalHostname.length() != 0)) {
/*
* If no application specified hostname, use the IP address.
*/
if (originalHostname == null || originalHostname.length() == 0) {
originalHostname = inetAddress.getHostAddress();
host = originalHostname;
if (!noSniUpdate && serverNames.isEmpty() && !noSniExtension) {
serverNames =
Utilities.addToSNIServerNameList(serverNames, host);
if (!roleIsServer &&
(handshaker != null) && !handshaker.started()) {
handshaker.setSNIServerNames(serverNames);
}
}
return originalHostname;
return;
}
// No explicitly specified hostname, no server name indication.
if (!trustNameService) {
// The local name service is not trustworthy, use IP address.
host = inetAddress.getHostAddress();
} else {
// Use the underlying reverse host name resolution service.
host = getInetAddress().getHostName();
}
}
......@@ -2205,6 +2235,10 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
this.host = host;
this.serverNames =
Utilities.addToSNIServerNameList(this.serverNames, this.host);
if (!roleIsServer && (handshaker != null) && !handshaker.started()) {
handshaker.setSNIServerNames(serverNames);
}
}
/**
......@@ -2571,8 +2605,21 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
// the super implementation does not handle the following parameters
params.setEndpointIdentificationAlgorithm(identificationProtocol);
params.setAlgorithmConstraints(algorithmConstraints);
if (sniMatchers.isEmpty() && !noSniMatcher) {
// 'null' indicates none has been set
params.setSNIMatchers(null);
} else {
params.setSNIMatchers(sniMatchers);
}
if (serverNames.isEmpty() && !noSniExtension) {
// 'null' indicates none has been set
params.setServerNames(null);
} else {
params.setServerNames(serverNames);
}
params.setUseCipherSuitesOrder(preferLocalCipherSuites);
return params;
......@@ -2592,11 +2639,13 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
List<SNIServerName> sniNames = params.getServerNames();
if (sniNames != null) {
noSniExtension = sniNames.isEmpty();
serverNames = sniNames;
}
Collection<SNIMatcher> matchers = params.getSNIMatchers();
if (matchers != null) {
noSniMatcher = matchers.isEmpty();
sniMatchers = matchers;
}
......
src/share/classes/sun/security/ssl/X509KeyManagerImpl.java
浏览文件 @ 8587eb8d
/*
* Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -39,6 +39,7 @@ import java.security.cert.Certificate;
import javax.net.ssl.*;
import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.validator.Validator;
/**
* The new X509 key manager implementation. The main differences to the
......@@ -62,7 +63,7 @@ final class X509KeyManagerImpl extends X509ExtendedKeyManager
private static final Debug debug = Debug.getInstance("ssl");
private final static boolean useDebug =
private static final boolean useDebug =
(debug != null) && Debug.isOn("keymanager");
// for unit testing only, set via privileged reflection
......@@ -661,6 +662,15 @@ final class X509KeyManagerImpl extends X509ExtendedKeyManager
return CheckResult.OK;
}
public String getValidator() {
if (this == CLIENT) {
return Validator.VAR_TLS_CLIENT;
} else if (this == SERVER) {
return Validator.VAR_TLS_SERVER;
}
return Validator.VAR_GENERIC;
}
}
// enum for the result of the extension check
......@@ -774,7 +784,8 @@ final class X509KeyManagerImpl extends X509ExtendedKeyManager
// check the algorithm constraints
if (constraints != null &&
!conformsToAlgorithmConstraints(constraints, chain)) {
!conformsToAlgorithmConstraints(constraints, chain,
checkType.getValidator())) {
if (useDebug) {
debug.println("Ignoring alias " + alias +
......@@ -811,13 +822,19 @@ final class X509KeyManagerImpl extends X509ExtendedKeyManager
}
private static boolean conformsToAlgorithmConstraints(
AlgorithmConstraints constraints, Certificate[] chain) {
AlgorithmConstraints constraints, Certificate[] chain,
String variant) {
AlgorithmChecker checker = new AlgorithmChecker(constraints);
AlgorithmChecker checker = new AlgorithmChecker(constraints, null, variant);
try {
checker.init(false);
} catch (CertPathValidatorException cpve) {
// unlikely to happen
if (useDebug) {
debug.println(
"Cannot initialize algorithm constraints checker: " + cpve);
}
return false;
}
......@@ -828,6 +845,11 @@ final class X509KeyManagerImpl extends X509ExtendedKeyManager
// We don't care about the unresolved critical extensions.
checker.check(cert, Collections.<String>emptySet());
} catch (CertPathValidatorException cpve) {
if (useDebug) {
debug.println("Certificate (" + cert +
") does not conform to algorithm constraints: " + cpve);
}
return false;
}
}
......
src/share/classes/sun/security/util/AnchorCertificates.java
浏览文件 @ 8587eb8d
......@@ -31,8 +31,10 @@ import java.security.AccessController;
import java.security.KeyStore;
import java.security.PrivilegedAction;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;
import sun.security.x509.X509CertImpl;
......@@ -44,7 +46,7 @@ public class AnchorCertificates {
private static final Debug debug = Debug.getInstance("certpath");
private static final String HASH = "SHA-256";
private static HashSet<String> certs;
private static Set<String> certs = Collections.emptySet();
static {
AccessController.doPrivileged(new PrivilegedAction<Void>() {
......
src/share/classes/sun/security/util/CertConstraintParameters.java src/share/classes/sun/security/util/ConstraintsParameters.java
浏览文件 @ 8587eb8d
/*
* Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2016, 2017 Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -25,29 +25,93 @@
package sun.security.util;
import sun.security.validator.Validator;
import java.security.AlgorithmParameters;
import java.security.Key;
import java.security.Timestamp;
import java.security.cert.X509Certificate;
import java.util.Date;
/**
* This class is a wrapper for keeping state and passing objects between PKIX,
* AlgorithmChecker, and DisabledAlgorithmConstraints.
* This class contains parameters for checking against constraints that extend
* past the publicly available parameters in java.security.AlgorithmConstraints.
* This is currently on passed between between PKIX, AlgorithmChecker,
* and DisabledAlgorithmConstraints.
*/
public class ConstraintsParameters {
/*
* The below 3 values are used the same as the permit() methods
* published in java.security.AlgorithmConstraints.
*/
// Algorithm string to be checked against constraints
private final String algorithm;
// AlgorithmParameters to the algorithm being checked
private final AlgorithmParameters algParams;
// Public Key being checked against constraints
private final Key publicKey;
/*
* New values that are checked against constraints that the current public
* API does not support.
*/
public class CertConstraintParameters {
// A certificate being passed to check against constraints.
private final X509Certificate cert;
// This is true if the trust anchor in the certificate chain matches a cert
// in AnchorCertificates
private final boolean trustedMatch;
// PKIXParameter date
private final Date pkixDate;
// Timestamp of the signed JAR file
private final Timestamp jarTimestamp;
private final String variant;
public CertConstraintParameters(X509Certificate c, boolean match) {
public ConstraintsParameters(X509Certificate c, boolean match,
Date pkixdate, Timestamp jarTime, String variant) {
cert = c;
trustedMatch = match;
pkixDate = pkixdate;
jarTimestamp = jarTime;
this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
algorithm = null;
algParams = null;
publicKey = null;
}
public ConstraintsParameters(String algorithm, AlgorithmParameters params,
Key key, String variant) {
this.algorithm = algorithm;
algParams = params;
this.publicKey = key;
cert = null;
trustedMatch = false;
pkixDate = null;
jarTimestamp = null;
this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
}
public ConstraintsParameters(X509Certificate c) {
this(c, false, null, null,
Validator.VAR_GENERIC);
}
public CertConstraintParameters(X509Certificate c) {
this(c, false);
public ConstraintsParameters(Timestamp jarTime) {
this(null, false, null, jarTime, Validator.VAR_GENERIC);
}
public String getAlgorithm() {
return algorithm;
}
public AlgorithmParameters getAlgParams() {
return algParams;
}
public Key getPublicKey() {
return publicKey;
}
// Returns if the trust anchor has a match if anchor checking is enabled.
public boolean isTrustedMatch() {
return trustedMatch;
......@@ -56,4 +120,16 @@ public class CertConstraintParameters {
public X509Certificate getCertificate() {
return cert;
}
public Date getPKIXParamDate() {
return pkixDate;
}
public Timestamp getJARTimestamp() {
return jarTimestamp;
}
public String getVariant() {
return variant;
}
}
src/share/classes/sun/security/util/SignatureFileVerifier.java
浏览文件 @ 8587eb8d
/*
* Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -28,25 +28,23 @@ package sun.security.util;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.CodeSigner;
import java.security.CryptoPrimitive;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SignatureException;
import java.security.Timestamp;
import java.security.cert.CertPath;
import java.security.cert.X509Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.jar.Attributes;
import java.util.jar.JarException;
import java.util.jar.JarFile;
......@@ -61,9 +59,6 @@ public class SignatureFileVerifier {
/* Are we debugging ? */
private static final Debug debug = Debug.getInstance("jar");
private static final Set<CryptoPrimitive> DIGEST_PRIMITIVE_SET =
Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.MESSAGE_DIGEST));
private static final DisabledAlgorithmConstraints JAR_DISABLED_CHECK =
new DisabledAlgorithmConstraints(
DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS);
......@@ -78,7 +73,7 @@ public class SignatureFileVerifier {
private PKCS7 block;
/** the raw bytes of the .SF file */
private byte sfBytes[];
private byte[] sfBytes;
/** the name of the signature block file, uppercased and without
* the extension (.DSA/.RSA/.EC)
......@@ -97,6 +92,14 @@ public class SignatureFileVerifier {
/* for generating certpath objects */
private CertificateFactory certificateFactory = null;
/** Algorithms that have been checked if they are weak. */
private Map<String, Boolean> permittedAlgs= new HashMap<>();
/** TSA timestamp of signed jar. The newest timestamp is used. If there
* was no TSA timestamp used when signed, current time is used ("null").
*/
private Timestamp timestamp = null;
/**
* Create the named SignatureFileVerifier.
*
......@@ -107,7 +110,7 @@ public class SignatureFileVerifier {
public SignatureFileVerifier(ArrayList<CodeSigner[]> signerCache,
ManifestDigester md,
String name,
byte rawBytes[])
byte[] rawBytes)
throws IOException, CertificateException
{
// new PKCS7() calls CertificateFactory.getInstance()
......@@ -121,7 +124,7 @@ public class SignatureFileVerifier {
} finally {
Providers.stopJarVerification(obj);
}
this.name = name.substring(0, name.lastIndexOf("."))
this.name = name.substring(0, name.lastIndexOf('.'))
.toUpperCase(Locale.ENGLISH);
this.md = md;
this.signerCache = signerCache;
......@@ -152,7 +155,7 @@ public class SignatureFileVerifier {
* used to set the raw bytes of the .SF file when it
* is external to the signature block file.
*/
public void setSignatureFile(byte sfBytes[])
public void setSignatureFile(byte[] sfBytes)
{
this.sfBytes = sfBytes;
}
......@@ -168,11 +171,10 @@ public class SignatureFileVerifier {
*/
public static boolean isBlockOrSF(String s) {
// we currently only support DSA and RSA PKCS7 blocks
if (s.endsWith(".SF") || s.endsWith(".DSA") ||
s.endsWith(".RSA") || s.endsWith(".EC")) {
return true;
}
return false;
return s.endsWith(".SF")
|| s.endsWith(".DSA")
|| s.endsWith(".RSA")
|| s.endsWith(".EC");
}
/**
......@@ -182,7 +184,7 @@ public class SignatureFileVerifier {
* unknown signature related files (those starting with SIG- with
* an optional [A-Z0-9]{1,3} extension right inside META-INF).
*
* @param s file name
* @param name file name
* @return true if the input file name is signature related
*/
public static boolean isSigningRelated(String name) {
......@@ -198,7 +200,7 @@ public class SignatureFileVerifier {
return true;
} else if (name.startsWith("SIG-")) {
// check filename extension
// see https://docs.oracle.com/javase/7/docs/technotes/guides/jar/jar.html#Digital_Signatures
// see http://docs.oracle.com/javase/7/docs/technotes/guides/jar/jar.html#Digital_Signatures
// for what filename extensions are legal
int extIndex = name.lastIndexOf('.');
if (extIndex != -1) {
......@@ -223,17 +225,10 @@ public class SignatureFileVerifier {
/** get digest from cache */
private MessageDigest getDigest(String algorithm) throws SignatureException {
// check that algorithm is not restricted
if (!JAR_DISABLED_CHECK.permits(DIGEST_PRIMITIVE_SET, algorithm, null)) {
SignatureException e =
new SignatureException("SignatureFile check failed. " +
"Disabled algorithm used: " + algorithm);
throw e;
}
private MessageDigest getDigest(String algorithm)
throws SignatureException {
if (createdDigests == null)
createdDigests = new HashMap<String, MessageDigest>();
createdDigests = new HashMap<>();
MessageDigest digest = createdDigests.get(algorithm);
......@@ -303,6 +298,27 @@ public class SignatureFileVerifier {
if (newSigners == null)
return;
/*
* Look for the latest timestamp in the signature block. If an entry
* has no timestamp, use current time (aka null).
*/
for (CodeSigner s: newSigners) {
if (debug != null) {
debug.println("Gathering timestamp for: " + s.toString());
}
if (s.getTimestamp() == null) {
timestamp = null;
break;
} else if (timestamp == null) {
timestamp = s.getTimestamp();
} else {
if (timestamp.getTimestamp().before(
s.getTimestamp().getTimestamp())) {
timestamp = s.getTimestamp();
}
}
}
Iterator<Map.Entry<String,Attributes>> entries =
sf.getEntries().entrySet().iterator();
......@@ -345,6 +361,68 @@ public class SignatureFileVerifier {
updateSigners(newSigners, signers, JarFile.MANIFEST_NAME);
}
/**
* Check if algorithm is permitted using the permittedAlgs Map.
* If the algorithm is not in the map, check against disabled algorithms and
* store the result. If the algorithm is in the map use that result.
* False is returned for weak algorithm, true for good algorithms.
*/
boolean permittedCheck(String key, String algorithm) {
Boolean permitted = permittedAlgs.get(algorithm);
if (permitted == null) {
try {
JAR_DISABLED_CHECK.permits(algorithm,
new ConstraintsParameters(timestamp));
} catch(GeneralSecurityException e) {
permittedAlgs.put(algorithm, Boolean.FALSE);
permittedAlgs.put(key.toUpperCase(), Boolean.FALSE);
if (debug != null) {
if (e.getMessage() != null) {
debug.println(key + ": " + e.getMessage());
} else {
debug.println(key + ": " + algorithm +
" was disabled, no exception msg given.");
e.printStackTrace();
}
}
return false;
}
permittedAlgs.put(algorithm, Boolean.TRUE);
return true;
}
// Algorithm has already been checked, return the value from map.
return permitted.booleanValue();
}
/**
* With a given header (*-DIGEST*), return a string that lists all the
* algorithms associated with the header.
* If there are none, return "Unknown Algorithm".
*/
String getWeakAlgorithms(String header) {
String w = "";
try {
for (String key : permittedAlgs.keySet()) {
if (key.endsWith(header)) {
w += key.substring(0, key.length() - header.length()) + " ";
}
}
} catch (RuntimeException e) {
w = "Unknown Algorithm(s). Error processing " + header + ". " +
e.getMessage();
}
// This means we have an error in finding weak algorithms, run in
// debug mode to see permittedAlgs map's values.
if (w.length() == 0) {
return "Unknown Algorithm(s)";
}
return w;
}
/**
* See if the whole manifest was signed.
*/
......@@ -355,6 +433,10 @@ public class SignatureFileVerifier {
{
Attributes mattr = sf.getMainAttributes();
boolean manifestSigned = false;
// If only weak algorithms are used.
boolean weakAlgs = true;
// If a "*-DIGEST-MANIFEST" entry is found.
boolean validEntry = false;
// go through all the attributes and process *-Digest-Manifest entries
for (Map.Entry<Object,Object> se : mattr.entrySet()) {
......@@ -364,6 +446,16 @@ public class SignatureFileVerifier {
if (key.toUpperCase(Locale.ENGLISH).endsWith("-DIGEST-MANIFEST")) {
// 16 is length of "-Digest-Manifest"
String algorithm = key.substring(0, key.length()-16);
validEntry = true;
// Check if this algorithm is permitted, skip if false.
if (!permittedCheck(key, algorithm)) {
continue;
}
// A non-weak algorithm was used, any weak algorithms found do
// not need to be reported.
weakAlgs = false;
manifestDigests.add(key);
manifestDigests.add(se.getValue());
......@@ -375,14 +467,13 @@ public class SignatureFileVerifier {
if (debug != null) {
debug.println("Signature File: Manifest digest " +
digest.getAlgorithm());
algorithm);
debug.println( " sigfile " + toHex(expectedHash));
debug.println( " computed " + toHex(computedHash));
debug.println();
}
if (MessageDigest.isEqual(computedHash,
expectedHash)) {
if (MessageDigest.isEqual(computedHash, expectedHash)) {
manifestSigned = true;
} else {
//XXX: we will continue and verify each section
......@@ -390,15 +481,33 @@ public class SignatureFileVerifier {
}
}
}
if (debug != null) {
debug.println("PermittedAlgs mapping: ");
for (String key : permittedAlgs.keySet()) {
debug.println(key + " : " +
permittedAlgs.get(key).toString());
}
}
// If there were only weak algorithms entries used, throw an exception.
if (validEntry && weakAlgs) {
throw new SignatureException("Manifest hash check failed " +
"(DIGEST-MANIFEST). Disabled algorithm(s) used: " +
getWeakAlgorithms("-DIGEST-MANIFEST"));
}
return manifestSigned;
}
private boolean verifyManifestMainAttrs(Manifest sf,
ManifestDigester md)
private boolean verifyManifestMainAttrs(Manifest sf, ManifestDigester md)
throws IOException, SignatureException
{
Attributes mattr = sf.getMainAttributes();
boolean attrsVerified = true;
// If only weak algorithms are used.
boolean weakAlgs = true;
// If a ATTR_DIGEST entry is found.
boolean validEntry = false;
// go through all the attributes and process
// digest entries for the manifest main attributes
......@@ -408,6 +517,16 @@ public class SignatureFileVerifier {
if (key.toUpperCase(Locale.ENGLISH).endsWith(ATTR_DIGEST)) {
String algorithm =
key.substring(0, key.length() - ATTR_DIGEST.length());
validEntry = true;
// Check if this algorithm is permitted, skip if false.
if (!permittedCheck(key, algorithm)) {
continue;
}
// A non-weak algorithm was used, any weak algorithms found do
// not need to be reported.
weakAlgs = false;
MessageDigest digest = getDigest(algorithm);
if (digest != null) {
......@@ -426,8 +545,7 @@ public class SignatureFileVerifier {
debug.println();
}
if (MessageDigest.isEqual(computedHash,
expectedHash)) {
if (MessageDigest.isEqual(computedHash, expectedHash)) {
// good
} else {
// we will *not* continue and verify each section
......@@ -443,6 +561,22 @@ public class SignatureFileVerifier {
}
}
if (debug != null) {
debug.println("PermittedAlgs mapping: ");
for (String key : permittedAlgs.keySet()) {
debug.println(key + " : " +
permittedAlgs.get(key).toString());
}
}
// If there were only weak algorithms entries used, throw an exception.
if (validEntry && weakAlgs) {
throw new SignatureException("Manifest Main Attribute check " +
"failed (" + ATTR_DIGEST + "). " +
"Disabled algorithm(s) used: " +
getWeakAlgorithms(ATTR_DIGEST));
}
// this method returns 'true' if either:
// . manifest main attributes were not signed, or
// . manifest main attributes were signed and verified
......@@ -465,6 +599,10 @@ public class SignatureFileVerifier {
{
boolean oneDigestVerified = false;
ManifestDigester.Entry mde = md.get(name,block.isOldStyle());
// If only weak algorithms are used.
boolean weakAlgs = true;
// If a "*-DIGEST" entry is found.
boolean validEntry = false;
if (mde == null) {
throw new SecurityException(
......@@ -472,8 +610,7 @@ public class SignatureFileVerifier {
}
if (sfAttr != null) {
//sun.misc.HexDumpEncoder hex = new sun.misc.HexDumpEncoder();
//sun.security.util.HexDumpEncoder hex = new sun.security.util.HexDumpEncoder();
//hex.encodeBuffer(data, System.out);
// go through all the attributes and process *-Digest entries
......@@ -483,6 +620,16 @@ public class SignatureFileVerifier {
if (key.toUpperCase(Locale.ENGLISH).endsWith("-DIGEST")) {
// 7 is length of "-Digest"
String algorithm = key.substring(0, key.length()-7);
validEntry = true;
// Check if this algorithm is permitted, skip if false.
if (!permittedCheck(key, algorithm)) {
continue;
}
// A non-weak algorithm was used, any weak algorithms found do
// not need to be reported.
weakAlgs = false;
MessageDigest digest = getDigest(algorithm);
......@@ -533,6 +680,22 @@ public class SignatureFileVerifier {
}
}
}
if (debug != null) {
debug.println("PermittedAlgs mapping: ");
for (String key : permittedAlgs.keySet()) {
debug.println(key + " : " +
permittedAlgs.get(key).toString());
}
}
// If there were only weak algorithms entries used, throw an exception.
if (validEntry && weakAlgs) {
throw new SignatureException("Manifest Main Attribute check " +
"failed (DIGEST). Disabled algorithm(s) used: " +
getWeakAlgorithms("DIGEST"));
}
return oneDigestVerified;
}
......@@ -541,7 +704,7 @@ public class SignatureFileVerifier {
* CodeSigner objects. We do this only *once* for a given
* signature block file.
*/
private CodeSigner[] getSigners(SignerInfo infos[], PKCS7 block)
private CodeSigner[] getSigners(SignerInfo[] infos, PKCS7 block)
throws IOException, NoSuchAlgorithmException, SignatureException,
CertificateException {
......@@ -553,7 +716,7 @@ public class SignatureFileVerifier {
ArrayList<X509Certificate> chain = info.getCertificateChain(block);
CertPath certChain = certificateFactory.generateCertPath(chain);
if (signers == null) {
signers = new ArrayList<CodeSigner>();
signers = new ArrayList<>();
}
// Append the new code signer
signers.add(new CodeSigner(certChain, info.getTimestamp()));
......@@ -582,7 +745,7 @@ public class SignatureFileVerifier {
static String toHex(byte[] data) {
StringBuffer sb = new StringBuffer(data.length*2);
StringBuilder sb = new StringBuilder(data.length*2);
for (int i=0; i<data.length; i++) {
sb.append(hexc[(data[i] >>4) & 0x0f]);
......
src/share/classes/sun/security/validator/PKIXValidator.java
浏览文件 @ 8587eb8d
/*
* Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -33,10 +33,11 @@ import java.security.cert.*;
import javax.security.auth.x500.X500Principal;
import sun.security.action.GetBooleanAction;
import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.provider.certpath.PKIXExtendedParameters;
/**
* Validator implementation built on the PKIX CertPath API. This
* implementation will be emphasized going forward.<p>
* implementation will be emphasized going forward.
* <p>
* Note that the validate() implementation tries to use a PKIX validator
* if that appears possible and a PKIX builder otherwise. This increases
......@@ -208,13 +209,22 @@ public final class PKIXValidator extends Validator {
("null or zero-length certificate chain");
}
// add new algorithm constraints checker
PKIXBuilderParameters pkixParameters =
(PKIXBuilderParameters) parameterTemplate.clone();
AlgorithmChecker algorithmChecker = null;
// Use PKIXExtendedParameters for timestamp and variant additions
PKIXBuilderParameters pkixParameters = null;
try {
pkixParameters = new PKIXExtendedParameters(
(PKIXBuilderParameters) parameterTemplate.clone(),
(parameter instanceof Timestamp) ?
(Timestamp) parameter : null,
variant);
} catch (InvalidAlgorithmParameterException e) {
// ignore exception
}
// add a new algorithm constraints checker
if (constraints != null) {
algorithmChecker = new AlgorithmChecker(constraints);
pkixParameters.addCertPathChecker(algorithmChecker);
pkixParameters.addCertPathChecker(
new AlgorithmChecker(constraints, null, variant));
}
if (TRY_VALIDATOR) {
......
src/share/classes/sun/security/validator/SimpleValidator.java
浏览文件 @ 8587eb8d
/*
* Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -34,6 +34,7 @@ import java.security.cert.*;
import javax.security.auth.x500.X500Principal;
import sun.security.x509.X509CertImpl;
import sun.security.x509.KeyIdentifier;
import sun.security.x509.NetscapeCertTypeExtension;
import sun.security.util.DerValue;
import sun.security.util.DerInputStream;
......@@ -153,12 +154,14 @@ public final class SimpleValidator extends Validator {
// create default algorithm constraints checker
TrustAnchor anchor = new TrustAnchor(anchorCert, null);
AlgorithmChecker defaultAlgChecker = new AlgorithmChecker(anchor);
AlgorithmChecker defaultAlgChecker =
new AlgorithmChecker(anchor, variant);
// create application level algorithm constraints checker
AlgorithmChecker appAlgChecker = null;
if (constraints != null) {
appAlgChecker = new AlgorithmChecker(anchor, constraints);
appAlgChecker = new AlgorithmChecker(anchor, constraints, null,
null, variant);
}
// verify top down, starting at the certificate issued by
......
src/share/classes/sun/security/x509/PKIXExtensions.java
浏览文件 @ 8587eb8d
/*
* Copyright (c) 1997, 2009, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
......@@ -49,34 +49,39 @@ import sun.security.util.*;
*/
public class PKIXExtensions {
// The object identifiers
private static final int AuthorityKey_data [] = { 2, 5, 29, 35 };
private static final int SubjectKey_data [] = { 2, 5, 29, 14 };
private static final int KeyUsage_data [] = { 2, 5, 29, 15 };
private static final int PrivateKeyUsage_data [] = { 2, 5, 29, 16 };
private static final int CertificatePolicies_data [] = { 2, 5, 29, 32 };
private static final int PolicyMappings_data [] = { 2, 5, 29, 33 };
private static final int SubjectAlternativeName_data [] = { 2, 5, 29, 17 };
private static final int IssuerAlternativeName_data [] = { 2, 5, 29, 18 };
private static final int SubjectDirectoryAttributes_data [] = { 2, 5, 29, 9 };
private static final int BasicConstraints_data [] = { 2, 5, 29, 19 };
private static final int NameConstraints_data [] = { 2, 5, 29, 30 };
private static final int PolicyConstraints_data [] = { 2, 5, 29, 36 };
private static final int CRLDistributionPoints_data [] = { 2, 5, 29, 31 };
private static final int CRLNumber_data [] = { 2, 5, 29, 20 };
private static final int IssuingDistributionPoint_data [] = { 2, 5, 29, 28 };
private static final int DeltaCRLIndicator_data [] = { 2, 5, 29, 27 };
private static final int ReasonCode_data [] = { 2, 5, 29, 21 };
private static final int HoldInstructionCode_data [] = { 2, 5, 29, 23 };
private static final int InvalidityDate_data [] = { 2, 5, 29, 24 };
private static final int ExtendedKeyUsage_data [] = { 2, 5, 29, 37 };
private static final int InhibitAnyPolicy_data [] = { 2, 5, 29, 54 };
private static final int CertificateIssuer_data [] = { 2, 5, 29, 29 };
private static final int AuthInfoAccess_data [] = { 1, 3, 6, 1, 5, 5, 7, 1, 1};
private static final int SubjectInfoAccess_data [] = { 1, 3, 6, 1, 5, 5, 7, 1, 11};
private static final int FreshestCRL_data [] = { 2, 5, 29, 46 };
private static final int OCSPNoCheck_data [] = { 1, 3, 6, 1, 5, 5, 7,
private static final int[] AuthorityKey_data = { 2, 5, 29, 35 };
private static final int[] SubjectKey_data = { 2, 5, 29, 14 };
private static final int[] KeyUsage_data = { 2, 5, 29, 15 };
private static final int[] PrivateKeyUsage_data = { 2, 5, 29, 16 };
private static final int[] CertificatePolicies_data = { 2, 5, 29, 32 };
private static final int[] PolicyMappings_data = { 2, 5, 29, 33 };
private static final int[] SubjectAlternativeName_data = { 2, 5, 29, 17 };
private static final int[] IssuerAlternativeName_data = { 2, 5, 29, 18 };
private static final int[] SubjectDirectoryAttributes_data = { 2, 5, 29, 9 };
private static final int[] BasicConstraints_data = { 2, 5, 29, 19 };
private static final int[] NameConstraints_data = { 2, 5, 29, 30 };
private static final int[] PolicyConstraints_data = { 2, 5, 29, 36 };
private static final int[] CRLDistributionPoints_data = { 2, 5, 29, 31 };
private static final int[] CRLNumber_data = { 2, 5, 29, 20 };
private static final int[] IssuingDistributionPoint_data = { 2, 5, 29, 28 };
private static final int[] DeltaCRLIndicator_data = { 2, 5, 29, 27 };
private static final int[] ReasonCode_data = { 2, 5, 29, 21 };
private static final int[] HoldInstructionCode_data = { 2, 5, 29, 23 };
private static final int[] InvalidityDate_data = { 2, 5, 29, 24 };
private static final int[] ExtendedKeyUsage_data = { 2, 5, 29, 37 };
private static final int[] InhibitAnyPolicy_data = { 2, 5, 29, 54 };
private static final int[] CertificateIssuer_data = { 2, 5, 29, 29 };
private static final int[] AuthInfoAccess_data = { 1, 3, 6, 1, 5, 5, 7, 1, 1};
private static final int[] SubjectInfoAccess_data = { 1, 3, 6, 1, 5, 5, 7, 1, 11};
private static final int[] FreshestCRL_data = { 2, 5, 29, 46 };
private static final int[] OCSPNoCheck_data = { 1, 3, 6, 1, 5, 5, 7,
48, 1, 5};
// Additional extensions under the PKIX arc that are not necessarily
// used in X.509 Certificates or CRLs.
private static final int[] OCSPNonce_data = { 1, 3, 6, 1, 5, 5, 7,
48, 1, 2};
/**
* Identifies the particular public key used to sign the certificate.
*/
......@@ -104,18 +109,20 @@ public class PKIXExtensions {
public static final ObjectIdentifier CertificatePolicies_Id;
/**
* Lists pairs of objectidentifiers of policies considered equivalent by the
* issuing CA to the subject CA.
* Lists pairs of object identifiers of policies considered equivalent by
* the issuing CA to the subject CA.
*/
public static final ObjectIdentifier PolicyMappings_Id;
/**
* Allows additional identities to be bound to the subject of the certificate.
* Allows additional identities to be bound to the subject of the
* certificate.
*/
public static final ObjectIdentifier SubjectAlternativeName_Id;
/**
* Allows additional identities to be associated with the certificate issuer.
* Allows additional identities to be associated with the certificate
* issuer.
*/
public static final ObjectIdentifier IssuerAlternativeName_Id;
......@@ -224,6 +231,12 @@ public class PKIXExtensions {
*/
public static final ObjectIdentifier OCSPNoCheck_Id;
/**
* This extension is used to provide nonce data for OCSP requests
* or responses.
*/
public static final ObjectIdentifier OCSPNonce_Id;
static {
AuthorityKey_Id = ObjectIdentifier.newInternal(AuthorityKey_data);
SubjectKey_Id = ObjectIdentifier.newInternal(SubjectKey_data);
......@@ -266,5 +279,6 @@ public class PKIXExtensions {
ObjectIdentifier.newInternal(SubjectInfoAccess_data);
FreshestCRL_Id = ObjectIdentifier.newInternal(FreshestCRL_data);
OCSPNoCheck_Id = ObjectIdentifier.newInternal(OCSPNoCheck_data);
OCSPNonce_Id = ObjectIdentifier.newInternal(OCSPNonce_data);
}
}
src/share/lib/security/java.security-aix
浏览文件 @ 8587eb8d
......@@ -426,9 +426,7 @@ krb5.kdc.bad.policy = tryLast
# describes the mechanism for disabling algorithms based on algorithm name
# and/or key length. This includes algorithms used in certificates, as well
# as revocation information such as CRLs and signed OCSP Responses.
#
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
# The syntax of the disabled algorithm string is described as follows:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
......@@ -439,25 +437,26 @@ krb5.kdc.bad.policy = tryLast
# (see below)
#
# Constraint:
# KeySizeConstraint, CertConstraint
# KeySizeConstraint | CAConstraint | DenyAfterConstraint |
# UsageConstraint
#
# KeySizeConstraint:
# keySize Operator DecimalInteger
# keySize Operator KeyLength
#
# Operator:
# <= | < | == | != | >= | >
#
# DecimalInteger:
# DecimalDigits
# KeyLength:
# Integer value of the algorithm's key length in bits
#
# DecimalDigits:
# DecimalDigit {DecimalDigit}
# CAConstraint:
# jdkCA
#
# DecimalDigit: one of
# 1 2 3 4 5 6 7 8 9 0
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
#
# CertConstraint
# jdkCA
# UsageConstraint:
# usage [TLSServer] [TLSClient] [SignedJAR]
#
# The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
......@@ -471,27 +470,55 @@ krb5.kdc.bad.policy = tryLast
# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
# will not disable algorithms related to "ECDSA".
#
# A "Constraint" provides further guidance for the algorithm being specified.
# The "KeySizeConstraint" requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
# key size specified in number of bits. For example, "RSA keySize <= 1024"
# indicates that any RSA key with key size less than or equal to 1024 bits
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
# that any RSA key with key size less than 1024 or greater than 2048 should
# be disabled. Note that the "KeySizeConstraint" only makes sense to key
# algorithms.
#
# "CertConstraint" specifies additional constraints for
# certificates that contain algorithms that are restricted:
#
# "jdkCA" prohibits the specified algorithm only if the algorithm is used
# in a certificate chain that terminates at a marked trust anchor in the
# lib/security/cacerts keystore. All other chains are not affected.
# If the jdkCA constraint is not set, then all chains using the
# specified algorithm are restricted. jdkCA may only be used once in
# a DisabledAlgorithm expression.
# A "Constraint" defines restrictions on the keys and/or certificates for
# a specified AlgorithmName:
#
# KeySizeConstraint:
# keySize Operator KeyLength
# The constraint requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "KeyLength" indicates
# the key size specified in number of bits. For example,
# "RSA keySize <= 1024" indicates that any RSA key with key size less
# than or equal to 1024 bits should be disabled, and
# "RSA keySize < 1024, RSA keySize > 2048" indicates that any RSA key
# with key size less than 1024 or greater than 2048 should be disabled.
# This constraint is only used on algorithms that have a key size.
#
# CAConstraint:
# jdkCA
# This constraint prohibits the specified algorithm only if the
# algorithm is used in a certificate chain that terminates at a marked
# trust anchor in the lib/security/cacerts keystore. If the jdkCA
# constraint is not set, then all chains using the specified algorithm
# are restricted. jdkCA may only be used once in a DisabledAlgorithm
# expression.
# Example: To apply this constraint to SHA-1 certificates, include
# the following "SHA1 jdkCA"
# the following: "SHA1 jdkCA"
#
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
# This constraint prohibits a certificate with the specified algorithm
# from being used after the date regardless of the certificate's
# validity. JAR files that are signed and timestamped before the
# constraint date with certificates containing the disabled algorithm
# will not be restricted. The date is processed in the UTC timezone.
# This constraint can only be used once in a DisabledAlgorithm
# expression.
# Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
# use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
#
# UsageConstraint:
# usage [TLSServer] [TLSClient] [SignedJAR]
# This constraint prohibits the specified algorithm for
# a specified usage. This should be used when disabling an algorithm
# for all usages is not practical. 'TLSServer' restricts the algorithm
# in TLS server certificate chains when server authentication is
# performed. 'TLSClient' restricts the algorithm in TLS client
# certificate chains when client authentication is performed.
# 'SignedJAR' constrains use of certificates in signed jar files.
# The usage type follows the keyword and more than one usage type can
# be specified with a whitespace delimiter.
# Example: "SHA1 usage TLSServer TLSClient"
#
# When an algorithm must satisfy more than one constraint, it must be
# delimited by an ampersand '&'. For example, to restrict certificates in a
......@@ -504,6 +531,9 @@ krb5.kdc.bad.policy = tryLast
# before larger keysize constraints of the same algorithm. For example:
# "RSA keySize < 1024 & jdkCA, RSA keySize < 2048".
#
# Note: The algorithm restrictions do not apply to trust anchors or
# self-signed certificates.
#
# Note: This property is currently used by Oracle's PKIX implementation. It
# is not guaranteed to be examined and used by other implementations.
#
......@@ -511,9 +541,10 @@ krb5.kdc.bad.policy = tryLast
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
DSA keySize < 1024, EC keySize < 224
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
#
# Algorithm restrictions for signed JAR files
#
# In some environments, certain algorithms or key lengths may be undesirable
......@@ -528,17 +559,20 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
# DisabledAlgorithm:
# AlgorithmName [Constraint]
# AlgorithmName [Constraint] { '&' Constraint }
#
# AlgorithmName:
# (see below)
#
# Constraint:
# KeySizeConstraint
# KeySizeConstraint | DenyAfterConstraint
#
# KeySizeConstraint:
# keySize Operator KeyLength
#
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
#
# Operator:
# <= | < | == | != | >= | >
#
......@@ -549,8 +583,11 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# implementation. It is not guaranteed to be examined and used by other
# implementations.
#
# See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
#
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
#
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
#
......@@ -572,6 +609,9 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
# See the specification of "jdk.certpath.disabledAlgorithms" for the
# syntax of the disabled algorithm string.
#
# Note: The algorithm restrictions do not apply to trust anchors or
# self-signed certificates.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
......
src/share/lib/security/java.security-linux
浏览文件 @ 8587eb8d
......@@ -426,9 +426,7 @@ krb5.kdc.bad.policy = tryLast
# describes the mechanism for disabling algorithms based on algorithm name
# and/or key length. This includes algorithms used in certificates, as well
# as revocation information such as CRLs and signed OCSP Responses.
#
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
# The syntax of the disabled algorithm string is described as follows:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
......@@ -439,25 +437,26 @@ krb5.kdc.bad.policy = tryLast
# (see below)
#
# Constraint:
# KeySizeConstraint, CertConstraint
# KeySizeConstraint | CAConstraint | DenyAfterConstraint |
# UsageConstraint
#
# KeySizeConstraint:
# keySize Operator DecimalInteger
# keySize Operator KeyLength
#
# Operator:
# <= | < | == | != | >= | >
#
# DecimalInteger:
# DecimalDigits
# KeyLength:
# Integer value of the algorithm's key length in bits
#
# DecimalDigits:
# DecimalDigit {DecimalDigit}
# CAConstraint:
# jdkCA
#
# DecimalDigit: one of
# 1 2 3 4 5 6 7 8 9 0
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
#
# CertConstraint
# jdkCA
# UsageConstraint:
# usage [TLSServer] [TLSClient] [SignedJAR]
#
# The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
......@@ -471,28 +470,56 @@ krb5.kdc.bad.policy = tryLast
# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
# will not disable algorithms related to "ECDSA".
#
# A "Constraint" provides further guidance for the algorithm being specified.
# The "KeySizeConstraint" requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
# key size specified in number of bits. For example, "RSA keySize <= 1024"
# indicates that any RSA key with key size less than or equal to 1024 bits
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
# that any RSA key with key size less than 1024 or greater than 2048 should
# be disabled. Note that the "KeySizeConstraint" only makes sense to key
# algorithms.
#
# "CertConstraint" specifies additional constraints for
# certificates that contain algorithms that are restricted:
#
# "jdkCA" prohibits the specified algorithm only if the algorithm is used
# in a certificate chain that terminates at a marked trust anchor in the
# lib/security/cacerts keystore. All other chains are not affected.
# If the jdkCA constraint is not set, then all chains using the
# specified algorithm are restricted. jdkCA may only be used once in
# a DisabledAlgorithm expression.
# A "Constraint" defines restrictions on the keys and/or certificates for
# a specified AlgorithmName:
#
# KeySizeConstraint:
# keySize Operator KeyLength
# The constraint requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "KeyLength" indicates
# the key size specified in number of bits. For example,
# "RSA keySize <= 1024" indicates that any RSA key with key size less
# than or equal to 1024 bits should be disabled, and
# "RSA keySize < 1024, RSA keySize > 2048" indicates that any RSA key
# with key size less than 1024 or greater than 2048 should be disabled.
# This constraint is only used on algorithms that have a key size.
#
# CAConstraint:
# jdkCA
# This constraint prohibits the specified algorithm only if the
# algorithm is used in a certificate chain that terminates at a marked
# trust anchor in the lib/security/cacerts keystore. If the jdkCA
# constraint is not set, then all chains using the specified algorithm
# are restricted. jdkCA may only be used once in a DisabledAlgorithm
# expression.
# Example: To apply this constraint to SHA-1 certificates, include
# the following: "SHA1 jdkCA"
#
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
# This constraint prohibits a certificate with the specified algorithm
# from being used after the date regardless of the certificate's
# validity. JAR files that are signed and timestamped before the
# constraint date with certificates containing the disabled algorithm
# will not be restricted. The date is processed in the UTC timezone.
# This constraint can only be used once in a DisabledAlgorithm
# expression.
# Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
# use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
#
# UsageConstraint:
# usage [TLSServer] [TLSClient] [SignedJAR]
# This constraint prohibits the specified algorithm for
# a specified usage. This should be used when disabling an algorithm
# for all usages is not practical. 'TLSServer' restricts the algorithm
# in TLS server certificate chains when server authentication is
# performed. 'TLSClient' restricts the algorithm in TLS client
# certificate chains when client authentication is performed.
# 'SignedJAR' constrains use of certificates in signed jar files.
# The usage type follows the keyword and more than one usage type can
# be specified with a whitespace delimiter.
# Example: "SHA1 usage TLSServer TLSClient"
#
# When an algorithm must satisfy more than one constraint, it must be
# delimited by an ampersand '&'. For example, to restrict certificates in a
# chain that terminate at a distribution provided trust anchor and contain
......@@ -504,6 +531,9 @@ krb5.kdc.bad.policy = tryLast
# before larger keysize constraints of the same algorithm. For example:
# "RSA keySize < 1024 & jdkCA, RSA keySize < 2048".
#
# Note: The algorithm restrictions do not apply to trust anchors or
# self-signed certificates.
#
# Note: This property is currently used by Oracle's PKIX implementation. It
# is not guaranteed to be examined and used by other implementations.
#
......@@ -511,9 +541,10 @@ krb5.kdc.bad.policy = tryLast
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
DSA keySize < 1024, EC keySize < 224
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
#
# Algorithm restrictions for signed JAR files
#
# In some environments, certain algorithms or key lengths may be undesirable
......@@ -528,17 +559,20 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
# DisabledAlgorithm:
# AlgorithmName [Constraint]
# AlgorithmName [Constraint] { '&' Constraint }
#
# AlgorithmName:
# (see below)
#
# Constraint:
# KeySizeConstraint
# KeySizeConstraint | DenyAfterConstraint
#
# KeySizeConstraint:
# keySize Operator KeyLength
#
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
#
# Operator:
# <= | < | == | != | >= | >
#
......@@ -549,8 +583,11 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# implementation. It is not guaranteed to be examined and used by other
# implementations.
#
# See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
#
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
#
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
#
......@@ -572,6 +609,9 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
# See the specification of "jdk.certpath.disabledAlgorithms" for the
# syntax of the disabled algorithm string.
#
# Note: The algorithm restrictions do not apply to trust anchors or
# self-signed certificates.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
......
src/share/lib/security/java.security-macosx
浏览文件 @ 8587eb8d
......@@ -429,9 +429,7 @@ krb5.kdc.bad.policy = tryLast
# describes the mechanism for disabling algorithms based on algorithm name
# and/or key length. This includes algorithms used in certificates, as well
# as revocation information such as CRLs and signed OCSP Responses.
#
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
# The syntax of the disabled algorithm string is described as follows:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
......@@ -442,25 +440,26 @@ krb5.kdc.bad.policy = tryLast
# (see below)
#
# Constraint:
# KeySizeConstraint, CertConstraint
# KeySizeConstraint | CAConstraint | DenyAfterConstraint |
# UsageConstraint
#
# KeySizeConstraint:
# keySize Operator DecimalInteger
# keySize Operator KeyLength
#
# Operator:
# <= | < | == | != | >= | >
#
# DecimalInteger:
# DecimalDigits
# KeyLength:
# Integer value of the algorithm's key length in bits
#
# DecimalDigits:
# DecimalDigit {DecimalDigit}
# CAConstraint:
# jdkCA
#
# DecimalDigit: one of
# 1 2 3 4 5 6 7 8 9 0
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
#
# CertConstraint
# jdkCA
# UsageConstraint:
# usage [TLSServer] [TLSClient] [SignedJAR]
#
# The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name
......@@ -474,28 +473,56 @@ krb5.kdc.bad.policy = tryLast
# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
# will not disable algorithms related to "ECDSA".
#
# A "Constraint" provides further guidance for the algorithm being specified.
# The "KeySizeConstraint" requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the
# key size specified in number of bits. For example, "RSA keySize <= 1024"
# indicates that any RSA key with key size less than or equal to 1024 bits
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
# that any RSA key with key size less than 1024 or greater than 2048 should
# be disabled. Note that the "KeySizeConstraint" only makes sense to key
# algorithms.
#
# "CertConstraint" specifies additional constraints for
# certificates that contain algorithms that are restricted:
#
# "jdkCA" prohibits the specified algorithm only if the algorithm is used
# in a certificate chain that terminates at a marked trust anchor in the
# lib/security/cacerts keystore. All other chains are not affected.
# If the jdkCA constraint is not set, then all chains using the
# specified algorithm are restricted. jdkCA may only be used once in
# a DisabledAlgorithm expression.
# A "Constraint" defines restrictions on the keys and/or certificates for
# a specified AlgorithmName:
#
# KeySizeConstraint:
# keySize Operator KeyLength
# The constraint requires a key of a valid size range if the
# "AlgorithmName" is of a key algorithm. The "KeyLength" indicates
# the key size specified in number of bits. For example,
# "RSA keySize <= 1024" indicates that any RSA key with key size less
# than or equal to 1024 bits should be disabled, and
# "RSA keySize < 1024, RSA keySize > 2048" indicates that any RSA key
# with key size less than 1024 or greater than 2048 should be disabled.
# This constraint is only used on algorithms that have a key size.
#
# CAConstraint:
# jdkCA
# This constraint prohibits the specified algorithm only if the
# algorithm is used in a certificate chain that terminates at a marked
# trust anchor in the lib/security/cacerts keystore. If the jdkCA
# constraint is not set, then all chains using the specified algorithm
# are restricted. jdkCA may only be used once in a DisabledAlgorithm
# expression.
# Example: To apply this constraint to SHA-1 certificates, include
# the following: "SHA1 jdkCA"
#
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
# This constraint prohibits a certificate with the specified algorithm
# from being used after the date regardless of the certificate's
# validity. JAR files that are signed and timestamped before the
# constraint date with certificates containing the disabled algorithm
# will not be restricted. The date is processed in the UTC timezone.
# This constraint can only be used once in a DisabledAlgorithm
# expression.
# Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
# use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
#
# UsageConstraint:
# usage [TLSServer] [TLSClient] [SignedJAR]
# This constraint prohibits the specified algorithm for
# a specified usage. This should be used when disabling an algorithm
# for all usages is not practical. 'TLSServer' restricts the algorithm
# in TLS server certificate chains when server authentication is
# performed. 'TLSClient' restricts the algorithm in TLS client
# certificate chains when client authentication is performed.
# 'SignedJAR' constrains use of certificates in signed jar files.
# The usage type follows the keyword and more than one usage type can
# be specified with a whitespace delimiter.
# Example: "SHA1 usage TLSServer TLSClient"
#
# When an algorithm must satisfy more than one constraint, it must be
# delimited by an ampersand '&'. For example, to restrict certificates in a
# chain that terminate at a distribution provided trust anchor and contain
......@@ -507,6 +534,9 @@ krb5.kdc.bad.policy = tryLast
# before larger keysize constraints of the same algorithm. For example:
# "RSA keySize < 1024 & jdkCA, RSA keySize < 2048".
#
# Note: The algorithm restrictions do not apply to trust anchors or
# self-signed certificates.
#
# Note: This property is currently used by Oracle's PKIX implementation. It
# is not guaranteed to be examined and used by other implementations.
#
......@@ -514,9 +544,10 @@ krb5.kdc.bad.policy = tryLast
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
#
#
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
DSA keySize < 1024, EC keySize < 224
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
#
# Algorithm restrictions for signed JAR files
#
# In some environments, certain algorithms or key lengths may be undesirable
......@@ -531,17 +562,20 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
# DisabledAlgorithm:
# AlgorithmName [Constraint]
# AlgorithmName [Constraint] { '&' Constraint }
#
# AlgorithmName:
# (see below)
#
# Constraint:
# KeySizeConstraint
# KeySizeConstraint | DenyAfterConstraint
#
# KeySizeConstraint:
# keySize Operator KeyLength
#
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
#
# Operator:
# <= | < | == | != | >= | >
#
......@@ -552,8 +586,11 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# implementation. It is not guaranteed to be examined and used by other
# implementations.
#
# See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
#
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
#
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing
#
......@@ -575,6 +612,9 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
# See the specification of "jdk.certpath.disabledAlgorithms" for the
# syntax of the disabled algorithm string.
#
# Note: The algorithm restrictions do not apply to trust anchors or
# self-signed certificates.
#
# Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations.
#
......
src/share/native/sun/awt/libpng/LICENSE
浏览文件 @ 8587eb8d
......@@ -10,8 +10,8 @@ this sentence.
This code is released under the libpng license.
libpng versions 1.0.7, July 1, 2000, through 1.6.20, December 3, 2015, are
Copyright (c) 2000-2002, 2004, 2006-2015 Glenn Randers-Pehrson, are
libpng versions 1.0.7, July 1, 2000 through 1.6.28, January 5, 2017 are
Copyright (c) 2000-2002, 2004, 2006-2017 Glenn Randers-Pehrson, are
derived from libpng-1.0.6, and are distributed according to the same
disclaimer and license as libpng-1.0.6 with the following individuals
added to the list of Contributing Authors:
......@@ -22,6 +22,7 @@ added to the list of Contributing Authors:
Cosmin Truta
Gilles Vollant
James Yu
Mandar Sahastrabuddhe
and with the following additions to the disclaimer:
......@@ -32,6 +33,10 @@ and with the following additions to the disclaimer:
risk of satisfactory quality, performance, accuracy, and effort is with
the user.
Some files in the "contrib" directory and some configure-generated
files that are distributed with libpng have other copyright owners and
are released under other open source licenses.
libpng versions 0.97, January 1998, through 1.0.6, March 20, 2000, are
Copyright (c) 1998-2000 Glenn Randers-Pehrson, are derived from
libpng-0.96, and are distributed according to the same disclaimer and
......@@ -55,6 +60,9 @@ Contributing Authors:
Greg Roelofs
Tom Tanner
Some files in the "scripts" directory have other copyright owners
but are released under this license.
libpng versions 0.5, May 1995, through 0.88, January 1996, are
Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
......@@ -95,18 +103,29 @@ appreciated.
END OF COPYRIGHT NOTICE, DISCLAIMER, and LICENSE.
A "png_get_copyright" function is available, for convenient use in "about"
boxes and the like:
TRADEMARK:
printf("%s", png_get_copyright(NULL));
The name "libpng" has not been registered by the Copyright owner
as a trademark in any jurisdiction. However, because libpng has
been distributed and maintained world-wide, continually since 1995,
the Copyright owner claims "common-law trademark protection" in any
jurisdiction where common-law trademark is recognized.
Also, the PNG logo (in PNG format, of course) is supplied in the
files "pngbar.png" and "pngbar.jpg (88x31) and "pngnow.png" (98x31).
OSI CERTIFICATION:
Libpng is OSI Certified Open Source Software. OSI Certified Open Source is
a certification mark of the Open Source Initiative. OSI has not addressed
the additional disclaimers inserted at version 1.0.7.
EXPORT CONTROL:
The Copyright owner believes that the Export Control Classification
Number (ECCN) for libpng is EAR99, which means not subject to export
controls or International Traffic in Arms Regulations (ITAR) because
it is open source, publicly available software, that does not contain
any encryption software. See the EAR, paragraphs 734.3(b)(3) and
734.7(b).
Glenn Randers-Pehrson
glennrp at users.sourceforge.net
December 3, 2015
January 5, 2017
src/share/native/sun/awt/libpng/README
浏览文件 @ 8587eb8d
README for libpng version 1.6.20 - December 3, 2015 (shared library 16.0)
README for libpng version 1.6.28 - January 5, 2017 (shared library 16.0)
See the note about version numbers near the top of png.h
See INSTALL for instructions on how to install libpng.
......@@ -180,15 +180,18 @@ Files in this distribution:
pngwutil.c => Write utility functions
arm => Contains optimized code for the ARM platform
contrib => Contributions
arm-neon => Optimized code for ARM-NEON platform
examples => Example programs
gregbook => source code for PNG reading and writing, from
Greg Roelofs' "PNG: The Definitive Guide",
O'Reilly, 1999
intel => Optimized code for INTEL-SSE2 platform
libtests => Test programs
pngminim => Minimal decoder, encoder, and progressive decoder
programs demonstrating use of pngusr.dfa
pngminus => Simple pnm2png and png2pnm programs
pngsuite => Test images
testpngs
tools => Various tools
visupng => Contains a MSVC workspace for VisualPng
projects => Contains project files and workspaces for
......
src/share/native/sun/awt/libpng/pngconf.h
浏览文件 @ 8587eb8d
......@@ -29,9 +29,9 @@
* However, the following notice accompanied the original version of this
* file and, per its terms, should not be removed:
*
* libpng version 1.6.20, December 3, 2015
* libpng version 1.6.28, January 5, 2017
*
* Copyright (c) 1998-2015 Glenn Randers-Pehrson
* Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
*
......@@ -535,9 +535,9 @@
# error "libpng requires a signed 32-bit (or more) type"
#endif
#if UINT_MAX > 4294967294
#if UINT_MAX > 4294967294U
typedef unsigned int png_uint_32;
#elif ULONG_MAX > 4294967294
#elif ULONG_MAX > 4294967294U
typedef unsigned long int png_uint_32;
#else
# error "libpng requires an unsigned 32-bit (or more) type"
......
src/share/native/sun/awt/libpng/pngdebug.h
浏览文件 @ 8587eb8d
......@@ -30,7 +30,7 @@
* file and, per its terms, should not be removed:
*
* Last changed in libpng 1.6.8 [December 19, 2013]
* Copyright (c) 1998-2013 Glenn Randers-Pehrson
* Copyright (c) 1998-2002,2004,2006-2013 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
*
......
src/share/native/sun/awt/libpng/pnginfo.h
浏览文件 @ 8587eb8d
......@@ -30,7 +30,7 @@
* file and, per its terms, should not be removed:
*
* Last changed in libpng 1.6.1 [March 28, 2013]
* Copyright (c) 1998-2013 Glenn Randers-Pehrson
* Copyright (c) 1998-2002,2004,2006-2013 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
*
......
src/share/native/sun/awt/libpng/pngtest.c 已删除 100644 → 0
浏览文件 @ 74ef472b
此差异已折叠。
src/share/native/sun/awt/libpng/pngwio.c 已删除 100644 → 0
浏览文件 @ 74ef472b
此差异已折叠。
src/share/native/sun/awt/libpng/pngwrite.c 已删除 100644 → 0
浏览文件 @ 74ef472b
此差异已折叠。
src/share/native/sun/awt/libpng/pngwtran.c 已删除 100644 → 0
浏览文件 @ 74ef472b
此差异已折叠。
src/share/native/sun/awt/libpng/pngwutil.c 已删除 100644 → 0
浏览文件 @ 74ef472b
此差异已折叠。
test/ProblemList.txt
浏览文件 @ 8587eb8d
此差异已折叠。
test/java/lang/reflect/Proxy/ProxyRace.java 0 → 100644
浏览文件 @ 8587eb8d
此差异已折叠。
test/sun/management/LazyCompositeDataTest.java 0 → 100644
浏览文件 @ 8587eb8d
此差异已折叠。
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册