Skip to content

D
dragonwell8_jdk

openanolis / dragonwell8_jdk

通知 4
Star 2
Fork 0
D
dragonwell8_jdk
提交 8587eb8d 编写于 作者: A asaha
浏览文件
操作

Merge

上级 74ef472b 741c2a11
展开全部 显示空白变更内容
内联 并排
Showing with 5565 addition and 9909 deletion
.hgtags
浏览文件 @ 8587eb8d
...@@ -707,3 +707,6 @@ e95a13de2d36050302a1af422967f5260fc8eabd jdk8u141-b01 ...@@ -707,3 +707,6 @@ e95a13de2d36050302a1af422967f5260fc8eabd jdk8u141-b01
e5e3c33f57367b2b23d5e05a77b41948e9d4a1b9 jdk8u141-b04 e5e3c33f57367b2b23d5e05a77b41948e9d4a1b9 jdk8u141-b04
b3e7354e6ae8567294ae664bf4a1a38a6c0bde9f jdk8u141-b05 b3e7354e6ae8567294ae664bf4a1a38a6c0bde9f jdk8u141-b05
c49f918efc4e6e2b8a1e771dba0c8de8d636660c jdk8u141-b06 c49f918efc4e6e2b8a1e771dba0c8de8d636660c jdk8u141-b06
9fd2a2019a5b7f35957c43c83eb00e1ae371a95e jdk8u141-b07
64261149b033dd6f625ccf7b4aaf7452baec82ef jdk8u141-b08
276269460238f84410a70ffe735db9cf78651b8f jdk8u141-b09
src/macosx/classes/sun/lwawt/macosx/CPlatformWindow.java
浏览文件 @ 8587eb8d
...@@ -252,13 +252,18 @@ public class CPlatformWindow extends CFRetainedResource implements PlatformWindo ...@@ -252,13 +252,18 @@ public class CPlatformWindow extends CFRetainedResource implements PlatformWindo
} }
AtomicLong ref = new AtomicLong(); AtomicLong ref = new AtomicLong();
contentView.execute(viewPtr -> { contentView.execute(viewPtr -> {
boolean hasOwnerPtr = false;
if (owner != null) { if (owner != null) {
owner.execute(ownerPtr -> { hasOwnerPtr = 0L != owner.executeGet(ownerPtr -> {
ref.set(nativeCreateNSWindow(viewPtr, ownerPtr, styleBits, ref.set(nativeCreateNSWindow(viewPtr, ownerPtr, styleBits,
bounds.x, bounds.y, bounds.x, bounds.y,
bounds.width, bounds.height)); bounds.width, bounds.height));
return 1;
}); });
} else { }
if (!hasOwnerPtr) {
ref.set(nativeCreateNSWindow(viewPtr, 0, ref.set(nativeCreateNSWindow(viewPtr, 0,
styleBits, bounds.x, bounds.y, styleBits, bounds.x, bounds.y,
bounds.width, bounds.height)); bounds.width, bounds.height));
......
src/share/classes/java/lang/reflect/WeakCache.java
浏览文件 @ 8587eb8d
...@@ -239,11 +239,11 @@ final class WeakCache<K, P, V> { ...@@ -239,11 +239,11 @@ final class WeakCache<K, P, V> {
// wrap value with CacheValue (WeakReference) // wrap value with CacheValue (WeakReference)
CacheValue<V> cacheValue = new CacheValue<>(value); CacheValue<V> cacheValue = new CacheValue<>(value);
// try replacing us with CacheValue (this should always succeed) // put into reverseMap
if (valuesMap.replace(subKey, this, cacheValue)) {
// put also in reverseMap
reverseMap.put(cacheValue, Boolean.TRUE); reverseMap.put(cacheValue, Boolean.TRUE);
} else {
// try replacing us with CacheValue (this should always succeed)
if (!valuesMap.replace(subKey, this, cacheValue)) {
throw new AssertionError("Should not reach here"); throw new AssertionError("Should not reach here");
} }
......
src/share/classes/java/nio/Bits.java
浏览文件 @ 8587eb8d
/* /*
* Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -614,7 +614,8 @@ class Bits { // package-private ...@@ -614,7 +614,8 @@ class Bits { // package-private
String arch = AccessController.doPrivileged( String arch = AccessController.doPrivileged(
new sun.security.action.GetPropertyAction("os.arch")); new sun.security.action.GetPropertyAction("os.arch"));
unaligned = arch.equals("i386") || arch.equals("x86") unaligned = arch.equals("i386") || arch.equals("x86")
|| arch.equals("amd64") || arch.equals("x86_64"); || arch.equals("amd64") || arch.equals("x86_64")
|| arch.equals("ppc64") || arch.equals("ppc64le");
unalignedKnown = true; unalignedKnown = true;
return unaligned; return unaligned;
} }
......
src/share/classes/sun/management/LazyCompositeData.java
浏览文件 @ 8587eb8d
...@@ -27,6 +27,7 @@ package sun.management; ...@@ -27,6 +27,7 @@ package sun.management;
import java.io.Serializable; import java.io.Serializable;
import java.util.*; import java.util.*;
import javax.management.openmbean.ArrayType;
import javax.management.openmbean.CompositeData; import javax.management.openmbean.CompositeData;
import javax.management.openmbean.CompositeType; import javax.management.openmbean.CompositeType;
import javax.management.openmbean.OpenType; import javax.management.openmbean.OpenType;
...@@ -48,39 +49,48 @@ public abstract class LazyCompositeData ...@@ -48,39 +49,48 @@ public abstract class LazyCompositeData
private CompositeData compositeData; private CompositeData compositeData;
// Implementation of the CompositeData interface // Implementation of the CompositeData interface
@Override
public boolean containsKey(String key) { public boolean containsKey(String key) {
return compositeData().containsKey(key); return compositeData().containsKey(key);
} }
@Override
public boolean containsValue(Object value) { public boolean containsValue(Object value) {
return compositeData().containsValue(value); return compositeData().containsValue(value);
} }
@Override
public boolean equals(Object obj) { public boolean equals(Object obj) {
return compositeData().equals(obj); return compositeData().equals(obj);
} }
@Override
public Object get(String key) { public Object get(String key) {
return compositeData().get(key); return compositeData().get(key);
} }
@Override
public Object[] getAll(String[] keys) { public Object[] getAll(String[] keys) {
return compositeData().getAll(keys); return compositeData().getAll(keys);
} }
@Override
public CompositeType getCompositeType() { public CompositeType getCompositeType() {
return compositeData().getCompositeType(); return compositeData().getCompositeType();
} }
@Override
public int hashCode() { public int hashCode() {
return compositeData().hashCode(); return compositeData().hashCode();
} }
@Override
public String toString() { public String toString() {
/** FIXME: What should this be?? */ /** FIXME: What should this be?? */
return compositeData().toString(); return compositeData().toString();
} }
@Override
public Collection<?> values() { public Collection<?> values() {
return compositeData().values(); return compositeData().values();
} }
...@@ -126,27 +136,31 @@ public abstract class LazyCompositeData ...@@ -126,27 +136,31 @@ public abstract class LazyCompositeData
if (cd == null) if (cd == null)
throw new IllegalArgumentException("Null CompositeData"); throw new IllegalArgumentException("Null CompositeData");
return ((Boolean) cd.get(itemName)).booleanValue(); return ((Boolean) cd.get(itemName));
} }
static long getLong(CompositeData cd, String itemName) { static long getLong(CompositeData cd, String itemName) {
if (cd == null) if (cd == null)
throw new IllegalArgumentException("Null CompositeData"); throw new IllegalArgumentException("Null CompositeData");
return ((Long) cd.get(itemName)).longValue(); return ((Long) cd.get(itemName));
} }
static int getInt(CompositeData cd, String itemName) { static int getInt(CompositeData cd, String itemName) {
if (cd == null) if (cd == null)
throw new IllegalArgumentException("Null CompositeData"); throw new IllegalArgumentException("Null CompositeData");
return ((Integer) cd.get(itemName)).intValue(); return ((Integer) cd.get(itemName));
} }
/** /**
* Compares two CompositeTypes and returns true if * Compares two CompositeTypes and returns true if
* all items in type1 exist in type2 and their item types * all items in type1 exist in type2 and their item types
* are the same. * are the same.
* @param type1 the base composite type
* @param type2 the checked composite type
* @return {@code true} if all items in type1 exist in type2 and their item
* types are the same.
*/ */
protected static boolean isTypeMatched(CompositeType type1, CompositeType type2) { protected static boolean isTypeMatched(CompositeType type1, CompositeType type2) {
if (type1 == type2) return true; if (type1 == type2) return true;
...@@ -159,9 +173,38 @@ public abstract class LazyCompositeData ...@@ -159,9 +173,38 @@ public abstract class LazyCompositeData
if (!type2.keySet().containsAll(allItems)) if (!type2.keySet().containsAll(allItems))
return false; return false;
for (String item: allItems) { return allItems.stream().allMatch(
OpenType<?> ot1 = type1.getType(item); item -> isTypeMatched(type1.getType(item), type2.getType(item))
OpenType<?> ot2 = type2.getType(item); );
}
protected static boolean isTypeMatched(TabularType type1, TabularType type2) {
if (type1 == type2) return true;
List<String> list1 = type1.getIndexNames();
List<String> list2 = type2.getIndexNames();
// check if the list of index names are the same
if (!list1.equals(list2))
return false;
return isTypeMatched(type1.getRowType(), type2.getRowType());
}
protected static boolean isTypeMatched(ArrayType<?> type1, ArrayType<?> type2) {
if (type1 == type2) return true;
int dim1 = type1.getDimension();
int dim2 = type2.getDimension();
// check if the array dimensions are the same
if (dim1 != dim2)
return false;
return isTypeMatched(type1.getElementOpenType(), type2.getElementOpenType());
}
private static boolean isTypeMatched(OpenType<?> ot1, OpenType<?> ot2) {
if (ot1 instanceof CompositeType) { if (ot1 instanceof CompositeType) {
if (! (ot2 instanceof CompositeType)) if (! (ot2 instanceof CompositeType))
return false; return false;
...@@ -172,25 +215,17 @@ public abstract class LazyCompositeData ...@@ -172,25 +215,17 @@ public abstract class LazyCompositeData
return false; return false;
if (!isTypeMatched((TabularType) ot1, (TabularType) ot2)) if (!isTypeMatched((TabularType) ot1, (TabularType) ot2))
return false; return false;
} else if (!ot1.equals(ot2)) { } else if (ot1 instanceof ArrayType) {
if (! (ot2 instanceof ArrayType))
return false;
if (!isTypeMatched((ArrayType<?>) ot1, (ArrayType<?>) ot2)) {
return false; return false;
} }
} else if (!ot1.equals(ot2)) {
return false;
} }
return true; return true;
} }
protected static boolean isTypeMatched(TabularType type1, TabularType type2) {
if (type1 == type2) return true;
List<String> list1 = type1.getIndexNames();
List<String> list2 = type2.getIndexNames();
// check if the list of index names are the same
if (!list1.equals(list2))
return false;
return isTypeMatched(type1.getRowType(), type2.getRowType());
}
private static final long serialVersionUID = -2190411934472666714L; private static final long serialVersionUID = -2190411934472666714L;
} }
src/share/classes/sun/security/pkcs/SignerInfo.java
浏览文件 @ 8587eb8d
/* /*
* Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -37,6 +37,7 @@ import java.security.PublicKey; ...@@ -37,6 +37,7 @@ import java.security.PublicKey;
import java.security.Signature; import java.security.Signature;
import java.security.SignatureException; import java.security.SignatureException;
import java.security.Timestamp; import java.security.Timestamp;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException; import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory; import java.security.cert.CertificateFactory;
import java.security.cert.CertPath; import java.security.cert.CertPath;
...@@ -49,6 +50,7 @@ import java.util.Set; ...@@ -49,6 +50,7 @@ import java.util.Set;
import sun.misc.HexDumpEncoder; import sun.misc.HexDumpEncoder;
import sun.security.timestamp.TimestampToken; import sun.security.timestamp.TimestampToken;
import sun.security.util.ConstraintsParameters;
import sun.security.util.Debug; import sun.security.util.Debug;
import sun.security.util.DerEncoder; import sun.security.util.DerEncoder;
import sun.security.util.DerInputStream; import sun.security.util.DerInputStream;
...@@ -209,7 +211,7 @@ public class SignerInfo implements DerEncoder { ...@@ -209,7 +211,7 @@ public class SignerInfo implements DerEncoder {
/** /**
* DER encode this object onto an output stream. * DER encode this object onto an output stream.
* Implements the <code>DerEncoder</code> interface. * Implements the {@code DerEncoder} interface.
* *
* @param out * @param out
* the output stream on which to write the DER encoding. * the output stream on which to write the DER encoding.
...@@ -266,7 +268,7 @@ public class SignerInfo implements DerEncoder { ...@@ -266,7 +268,7 @@ public class SignerInfo implements DerEncoder {
if (userCert == null) if (userCert == null)
return null; return null;
ArrayList<X509Certificate> certList = new ArrayList<X509Certificate>(); ArrayList<X509Certificate> certList = new ArrayList<>();
certList.add(userCert); certList.add(userCert);
X509Certificate[] pkcsCerts = block.getCertificates(); X509Certificate[] pkcsCerts = block.getCertificates();
...@@ -321,6 +323,14 @@ public class SignerInfo implements DerEncoder { ...@@ -321,6 +323,14 @@ public class SignerInfo implements DerEncoder {
data = content.getContentBytes(); data = content.getContentBytes();
} }
Timestamp timestamp = null;
try {
timestamp = getTimestamp();
} catch (Exception ignore) {
}
ConstraintsParameters cparams =
new ConstraintsParameters(timestamp);
String digestAlgname = getDigestAlgorithmId().getName(); String digestAlgname = getDigestAlgorithmId().getName();
byte[] dataSigned; byte[] dataSigned;
...@@ -347,11 +357,11 @@ public class SignerInfo implements DerEncoder { ...@@ -347,11 +357,11 @@ public class SignerInfo implements DerEncoder {
if (messageDigest == null) // fail if there is no message digest if (messageDigest == null) // fail if there is no message digest
return null; return null;
// check that algorithm is not restricted // check that digest algorithm is not restricted
if (!JAR_DISABLED_CHECK.permits(DIGEST_PRIMITIVE_SET, try {
digestAlgname, null)) { JAR_DISABLED_CHECK.permits(digestAlgname, cparams);
throw new SignatureException("Digest check failed. " + } catch (CertPathValidatorException e) {
"Disabled algorithm used: " + digestAlgname); throw new SignatureException(e.getMessage(), e);
} }
MessageDigest md = MessageDigest.getInstance(digestAlgname); MessageDigest md = MessageDigest.getInstance(digestAlgname);
...@@ -385,17 +395,18 @@ public class SignerInfo implements DerEncoder { ...@@ -385,17 +395,18 @@ public class SignerInfo implements DerEncoder {
String algname = AlgorithmId.makeSigAlg( String algname = AlgorithmId.makeSigAlg(
digestAlgname, encryptionAlgname); digestAlgname, encryptionAlgname);
// check that algorithm is not restricted // check that jar signature algorithm is not restricted
if (!JAR_DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, algname, null)) { try {
throw new SignatureException("Signature check failed. " + JAR_DISABLED_CHECK.permits(algname, cparams);
"Disabled algorithm used: " + algname); } catch (CertPathValidatorException e) {
throw new SignatureException(e.getMessage(), e);
} }
X509Certificate cert = getCertificate(block); X509Certificate cert = getCertificate(block);
PublicKey key = cert.getPublicKey();
if (cert == null) { if (cert == null) {
return null; return null;
} }
PublicKey key = cert.getPublicKey();
// check if the public key is restricted // check if the public key is restricted
if (!JAR_DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) { if (!JAR_DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
...@@ -519,7 +530,7 @@ public class SignerInfo implements DerEncoder { ...@@ -519,7 +530,7 @@ public class SignerInfo implements DerEncoder {
* Extracts a timestamp from a PKCS7 SignerInfo. * Extracts a timestamp from a PKCS7 SignerInfo.
* *
* Examines the signer's unsigned attributes for a * Examines the signer's unsigned attributes for a
* <tt>signatureTimestampToken</tt> attribute. If present, * {@code signatureTimestampToken} attribute. If present,
* then it is parsed to extract the date and time at which the * then it is parsed to extract the date and time at which the
* timestamp was generated. * timestamp was generated.
* *
......
src/share/classes/sun/security/provider/ByteArrayAccess.java
浏览文件 @ 8587eb8d
/* /*
* Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2006, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -94,7 +94,7 @@ final class ByteArrayAccess { ...@@ -94,7 +94,7 @@ final class ByteArrayAccess {
String arch = java.security.AccessController.doPrivileged String arch = java.security.AccessController.doPrivileged
(new sun.security.action.GetPropertyAction("os.arch", "")); (new sun.security.action.GetPropertyAction("os.arch", ""));
return arch.equals("i386") || arch.equals("x86") || arch.equals("amd64") return arch.equals("i386") || arch.equals("x86") || arch.equals("amd64")
|| arch.equals("x86_64"); || arch.equals("x86_64") || arch.equals("ppc64") || arch.equals("ppc64le");
} }
/** /**
......
src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java
浏览文件 @ 8587eb8d
/* /*
* Copyright (c) 2009, 2016, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -27,8 +27,11 @@ package sun.security.provider.certpath; ...@@ -27,8 +27,11 @@ package sun.security.provider.certpath;
import java.security.AlgorithmConstraints; import java.security.AlgorithmConstraints;
import java.security.CryptoPrimitive; import java.security.CryptoPrimitive;
import java.security.Timestamp;
import java.security.cert.CertPathValidator;
import java.util.Collection; import java.util.Collection;
import java.util.Collections; import java.util.Collections;
import java.util.Date;
import java.util.Set; import java.util.Set;
import java.util.EnumSet; import java.util.EnumSet;
import java.math.BigInteger; import java.math.BigInteger;
...@@ -51,15 +54,16 @@ import java.security.interfaces.DSAPublicKey; ...@@ -51,15 +54,16 @@ import java.security.interfaces.DSAPublicKey;
import java.security.spec.DSAPublicKeySpec; import java.security.spec.DSAPublicKeySpec;
import sun.security.util.AnchorCertificates; import sun.security.util.AnchorCertificates;
import sun.security.util.CertConstraintParameters; import sun.security.util.ConstraintsParameters;
import sun.security.util.Debug; import sun.security.util.Debug;
import sun.security.util.DisabledAlgorithmConstraints; import sun.security.util.DisabledAlgorithmConstraints;
import sun.security.validator.Validator;
import sun.security.x509.X509CertImpl; import sun.security.x509.X509CertImpl;
import sun.security.x509.X509CRLImpl; import sun.security.x509.X509CRLImpl;
import sun.security.x509.AlgorithmId; import sun.security.x509.AlgorithmId;
/** /**
* A <code>PKIXCertPathChecker</code> implementation to check whether a * A {@code PKIXCertPathChecker} implementation to check whether a
* specified certificate contains the required algorithm constraints. * specified certificate contains the required algorithm constraints.
* <p> * <p>
* Certificate fields such as the subject public key, the signature * Certificate fields such as the subject public key, the signature
...@@ -69,24 +73,27 @@ import sun.security.x509.AlgorithmId; ...@@ -69,24 +73,27 @@ import sun.security.x509.AlgorithmId;
* @see PKIXCertPathChecker * @see PKIXCertPathChecker
* @see PKIXParameters * @see PKIXParameters
*/ */
final public class AlgorithmChecker extends PKIXCertPathChecker { public final class AlgorithmChecker extends PKIXCertPathChecker {
private static final Debug debug = Debug.getInstance("certpath"); private static final Debug debug = Debug.getInstance("certpath");
private final AlgorithmConstraints constraints; private final AlgorithmConstraints constraints;
private final PublicKey trustedPubKey; private final PublicKey trustedPubKey;
private final Date pkixdate;
private PublicKey prevPubKey; private PublicKey prevPubKey;
private final Timestamp jarTimestamp;
private final String variant;
private final static Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET = private static final Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET =
Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE)); Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
private final static Set<CryptoPrimitive> KU_PRIMITIVE_SET = private static final Set<CryptoPrimitive> KU_PRIMITIVE_SET =
Collections.unmodifiableSet(EnumSet.of( Collections.unmodifiableSet(EnumSet.of(
CryptoPrimitive.SIGNATURE, CryptoPrimitive.SIGNATURE,
CryptoPrimitive.KEY_ENCAPSULATION, CryptoPrimitive.KEY_ENCAPSULATION,
CryptoPrimitive.PUBLIC_KEY_ENCRYPTION, CryptoPrimitive.PUBLIC_KEY_ENCRYPTION,
CryptoPrimitive.KEY_AGREEMENT)); CryptoPrimitive.KEY_AGREEMENT));
private final static DisabledAlgorithmConstraints private static final DisabledAlgorithmConstraints
certPathDefaultConstraints = new DisabledAlgorithmConstraints( certPathDefaultConstraints = new DisabledAlgorithmConstraints(
DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS); DisabledAlgorithmConstraints.PROPERTY_CERTPATH_DISABLED_ALGS);
...@@ -99,51 +106,58 @@ final public class AlgorithmChecker extends PKIXCertPathChecker { ...@@ -99,51 +106,58 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
private boolean trustedMatch = false; private boolean trustedMatch = false;
/** /**
* Create a new <code>AlgorithmChecker</code> with the algorithm * Create a new {@code AlgorithmChecker} with the given algorithm
* constraints specified in security property * given {@code TrustAnchor} and {@code String} variant.
* "jdk.certpath.disabledAlgorithms".
* *
* @param anchor the trust anchor selected to validate the target * @param anchor the trust anchor selected to validate the target
* certificate * certificate
* @param variant is the Validator variants of the operation. A null value
* passed will set it to Validator.GENERIC.
*/ */
public AlgorithmChecker(TrustAnchor anchor) { public AlgorithmChecker(TrustAnchor anchor, String variant) {
this(anchor, certPathDefaultConstraints); this(anchor, certPathDefaultConstraints, null, null, variant);
} }
/** /**
* Create a new <code>AlgorithmChecker</code> with the * Create a new {@code AlgorithmChecker} with the given
* given {@code AlgorithmConstraints}. * {@code AlgorithmConstraints}, {@code Timestamp}, and {@code String}
* <p> * variant.
* Note that this constructor will be used to check a certification *
* path where the trust anchor is unknown, or a certificate list which may * Note that this constructor can initialize a variation of situations where
* contain the trust anchor. This constructor is used by SunJSSE. * the AlgorithmConstraints, Timestamp, or Variant maybe known.
* *
* @param constraints the algorithm constraints (or null) * @param constraints the algorithm constraints (or null)
* @param jarTimestamp Timestamp passed for JAR timestamp constraint
* checking. Set to null if not applicable.
* @param variant is the Validator variants of the operation. A null value
* passed will set it to Validator.GENERIC.
*/ */
public AlgorithmChecker(AlgorithmConstraints constraints) { public AlgorithmChecker(AlgorithmConstraints constraints,
this.prevPubKey = null; Timestamp jarTimestamp, String variant) {
this.trustedPubKey = null; this(null, constraints, null, jarTimestamp, variant);
this.constraints = constraints;
} }
/** /**
* Create a new <code>AlgorithmChecker</code> with the * Create a new {@code AlgorithmChecker} with the
* given <code>TrustAnchor</code> and <code>AlgorithmConstraints</code>. * given {@code TrustAnchor}, {@code AlgorithmConstraints},
* {@code Timestamp}, and {@code String} variant.
* *
* @param anchor the trust anchor selected to validate the target * @param anchor the trust anchor selected to validate the target
* certificate * certificate
* @param constraints the algorithm constraints (or null) * @param constraints the algorithm constraints (or null)
* * @param pkixdate The date specified by the PKIXParameters date. If the
* @throws IllegalArgumentException if the <code>anchor</code> is null * PKIXParameters is null, the current date is used. This
* should be null when jar files are being checked.
* @param jarTimestamp Timestamp passed for JAR timestamp constraint
* checking. Set to null if not applicable.
* @param variant is the Validator variants of the operation. A null value
* passed will set it to Validator.GENERIC.
*/ */
public AlgorithmChecker(TrustAnchor anchor, public AlgorithmChecker(TrustAnchor anchor,
AlgorithmConstraints constraints) { AlgorithmConstraints constraints, Date pkixdate,
Timestamp jarTimestamp, String variant) {
if (anchor == null) {
throw new IllegalArgumentException(
"The trust anchor cannot be null");
}
if (anchor != null) {
if (anchor.getTrustedCert() != null) { if (anchor.getTrustedCert() != null) {
this.trustedPubKey = anchor.getTrustedCert().getPublicKey(); this.trustedPubKey = anchor.getTrustedCert().getPublicKey();
// Check for anchor certificate restrictions // Check for anchor certificate restrictions
...@@ -154,9 +168,37 @@ final public class AlgorithmChecker extends PKIXCertPathChecker { ...@@ -154,9 +168,37 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
} else { } else {
this.trustedPubKey = anchor.getCAPublicKey(); this.trustedPubKey = anchor.getCAPublicKey();
} }
} else {
this.trustedPubKey = null;
if (debug != null) {
debug.println("TrustAnchor is null, trustedMatch is false.");
}
}
this.prevPubKey = this.trustedPubKey;
this.constraints = (constraints == null ? certPathDefaultConstraints :
constraints);
// If we are checking jar files, set pkixdate the same as the timestamp
// for certificate checking
this.pkixdate = (jarTimestamp != null ? jarTimestamp.getTimestamp() :
pkixdate);
this.jarTimestamp = jarTimestamp;
this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
}
this.prevPubKey = trustedPubKey; /**
this.constraints = constraints; * Create a new {@code AlgorithmChecker} with the given {@code TrustAnchor},
* {@code PKIXParameter} date, and {@code varient}
*
* @param anchor the trust anchor selected to validate the target
* certificate
* @param pkixdate Date the constraints are checked against. The value is
* either the PKIXParameters date or null for the current date.
* @param variant is the Validator variants of the operation. A null value
* passed will set it to Validator.GENERIC.
*/
public AlgorithmChecker(TrustAnchor anchor, Date pkixdate, String variant) {
this(anchor, certPathDefaultConstraints, pkixdate, null, variant);
} }
// Check this 'cert' for restrictions in the AnchorCertificates // Check this 'cert' for restrictions in the AnchorCertificates
...@@ -217,6 +259,28 @@ final public class AlgorithmChecker extends PKIXCertPathChecker { ...@@ -217,6 +259,28 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
null, null, -1, PKIXReason.INVALID_KEY_USAGE); null, null, -1, PKIXReason.INVALID_KEY_USAGE);
} }
X509CertImpl x509Cert;
AlgorithmId algorithmId;
try {
x509Cert = X509CertImpl.toImpl((X509Certificate)cert);
algorithmId = (AlgorithmId)x509Cert.get(X509CertImpl.SIG_ALG);
} catch (CertificateException ce) {
throw new CertPathValidatorException(ce);
}
AlgorithmParameters currSigAlgParams = algorithmId.getParameters();
PublicKey currPubKey = cert.getPublicKey();
String currSigAlg = ((X509Certificate)cert).getSigAlgName();
// Check the signature algorithm and parameters against constraints.
if (!constraints.permits(SIGNATURE_PRIMITIVE_SET, currSigAlg,
currSigAlgParams)) {
throw new CertPathValidatorException(
"Algorithm constraints check failed on signature " +
"algorithm: " + currSigAlg, null, null, -1,
BasicReason.ALGORITHM_CONSTRAINED);
}
// Assume all key usage bits are set if key usage is not present // Assume all key usage bits are set if key usage is not present
Set<CryptoPrimitive> primitives = KU_PRIMITIVE_SET; Set<CryptoPrimitive> primitives = KU_PRIMITIVE_SET;
...@@ -253,56 +317,37 @@ final public class AlgorithmChecker extends PKIXCertPathChecker { ...@@ -253,56 +317,37 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
} }
} }
PublicKey currPubKey = cert.getPublicKey(); ConstraintsParameters cp =
new ConstraintsParameters((X509Certificate)cert,
trustedMatch, pkixdate, jarTimestamp, variant);
// Check against local constraints if it is DisabledAlgorithmConstraints
if (constraints instanceof DisabledAlgorithmConstraints) { if (constraints instanceof DisabledAlgorithmConstraints) {
// Check against DisabledAlgorithmConstraints certpath constraints. ((DisabledAlgorithmConstraints)constraints).permits(currSigAlg, cp);
// permits() will throw exception on failure. // DisabledAlgorithmsConstraints does not check primitives, so key
((DisabledAlgorithmConstraints)constraints).permits(primitives, // additional key check.
new CertConstraintParameters((X509Certificate)cert,
trustedMatch));
// If there is no previous key, set one and exit
if (prevPubKey == null) {
prevPubKey = currPubKey;
return;
}
}
X509CertImpl x509Cert;
AlgorithmId algorithmId;
try {
x509Cert = X509CertImpl.toImpl((X509Certificate)cert);
algorithmId = (AlgorithmId)x509Cert.get(X509CertImpl.SIG_ALG);
} catch (CertificateException ce) {
throw new CertPathValidatorException(ce);
}
AlgorithmParameters currSigAlgParams = algorithmId.getParameters();
String currSigAlg = x509Cert.getSigAlgName();
// If 'constraints' is not of DisabledAlgorithmConstraints, check all
// everything individually
if (!(constraints instanceof DisabledAlgorithmConstraints)) {
// Check the current signature algorithm
if (!constraints.permits(
SIGNATURE_PRIMITIVE_SET,
currSigAlg, currSigAlgParams)) {
throw new CertPathValidatorException(
"Algorithm constraints check failed on signature " +
"algorithm: " + currSigAlg, null, null, -1,
BasicReason.ALGORITHM_CONSTRAINED);
}
} else {
// Perform the default constraints checking anyway.
certPathDefaultConstraints.permits(currSigAlg, cp);
// Call locally set constraints to check key with primitives.
if (!constraints.permits(primitives, currPubKey)) { if (!constraints.permits(primitives, currPubKey)) {
throw new CertPathValidatorException( throw new CertPathValidatorException(
"Algorithm constraints check failed on keysize: " + "Algorithm constraints check failed on key " +
sun.security.util.KeyUtil.getKeySize(currPubKey), currPubKey.getAlgorithm() + " with size of " +
sun.security.util.KeyUtil.getKeySize(currPubKey) +
"bits",
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED); null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
} }
} }
// If there is no previous key, set one and exit
if (prevPubKey == null) {
prevPubKey = currPubKey;
return;
}
// Check with previous cert for signature algorithm and public key // Check with previous cert for signature algorithm and public key
if (prevPubKey != null) {
if (!constraints.permits( if (!constraints.permits(
SIGNATURE_PRIMITIVE_SET, SIGNATURE_PRIMITIVE_SET,
currSigAlg, prevPubKey, currSigAlgParams)) { currSigAlg, prevPubKey, currSigAlgParams)) {
...@@ -329,25 +374,17 @@ final public class AlgorithmChecker extends PKIXCertPathChecker { ...@@ -329,25 +374,17 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
try { try {
BigInteger y = ((DSAPublicKey)currPubKey).getY(); BigInteger y = ((DSAPublicKey)currPubKey).getY();
KeyFactory kf = KeyFactory.getInstance("DSA"); KeyFactory kf = KeyFactory.getInstance("DSA");
DSAPublicKeySpec ks = new DSAPublicKeySpec(y, DSAPublicKeySpec ks = new DSAPublicKeySpec(y, params.getP(),
params.getP(), params.getQ(), params.getG());
params.getQ(),
params.getG());
currPubKey = kf.generatePublic(ks); currPubKey = kf.generatePublic(ks);
} catch (GeneralSecurityException e) { } catch (GeneralSecurityException e) {
throw new CertPathValidatorException("Unable to generate " + throw new CertPathValidatorException("Unable to generate " +
"key with inherited parameters: " + e.getMessage(), e); "key with inherited parameters: " + e.getMessage(), e);
} }
} }
}
// reset the previous public key // reset the previous public key
prevPubKey = currPubKey; prevPubKey = currPubKey;
// check the extended key usage, ignore the check now
// List<String> extendedKeyUsages = x509Cert.getExtendedKeyUsage();
// DO NOT remove any unresolved critical extensions
} }
/** /**
...@@ -387,8 +424,10 @@ final public class AlgorithmChecker extends PKIXCertPathChecker { ...@@ -387,8 +424,10 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
* *
* @param key the public key to verify the CRL signature * @param key the public key to verify the CRL signature
* @param crl the target CRL * @param crl the target CRL
* @param variant is the Validator variants of the operation. A null value
* passed will set it to Validator.GENERIC.
*/ */
static void check(PublicKey key, X509CRL crl) static void check(PublicKey key, X509CRL crl, String variant)
throws CertPathValidatorException { throws CertPathValidatorException {
X509CRLImpl x509CRLImpl = null; X509CRLImpl x509CRLImpl = null;
...@@ -399,28 +438,24 @@ final public class AlgorithmChecker extends PKIXCertPathChecker { ...@@ -399,28 +438,24 @@ final public class AlgorithmChecker extends PKIXCertPathChecker {
} }
AlgorithmId algorithmId = x509CRLImpl.getSigAlgId(); AlgorithmId algorithmId = x509CRLImpl.getSigAlgId();
check(key, algorithmId); check(key, algorithmId, variant);
} }
/** /**
* Check the signature algorithm with the specified public key. * Check the signature algorithm with the specified public key.
* *
* @param key the public key to verify the CRL signature * @param key the public key to verify the CRL signature
* @param crl the target CRL * @param algorithmId signature algorithm Algorithm ID
* @param variant is the Validator variants of the operation. A null value
* passed will set it to Validator.GENERIC.
*/ */
static void check(PublicKey key, AlgorithmId algorithmId) static void check(PublicKey key, AlgorithmId algorithmId, String variant)
throws CertPathValidatorException { throws CertPathValidatorException {
String sigAlgName = algorithmId.getName(); String sigAlgName = algorithmId.getName();
AlgorithmParameters sigAlgParams = algorithmId.getParameters(); AlgorithmParameters sigAlgParams = algorithmId.getParameters();
if (!certPathDefaultConstraints.permits( certPathDefaultConstraints.permits(new ConstraintsParameters(
SIGNATURE_PRIMITIVE_SET, sigAlgName, key, sigAlgParams)) { sigAlgName, sigAlgParams, key, variant));
throw new CertPathValidatorException(
"Algorithm constraints check failed on signature algorithm: " +
sigAlgName + " is disabled",
null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
} }
}
} }
src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
浏览文件 @ 8587eb8d
/* /*
* Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -33,6 +33,7 @@ import javax.security.auth.x500.X500Principal; ...@@ -33,6 +33,7 @@ import javax.security.auth.x500.X500Principal;
import java.util.*; import java.util.*;
import sun.security.util.Debug; import sun.security.util.Debug;
import sun.security.validator.Validator;
import static sun.security.x509.PKIXExtensions.*; import static sun.security.x509.PKIXExtensions.*;
import sun.security.x509.*; import sun.security.x509.*;
...@@ -65,6 +66,20 @@ public class DistributionPointFetcher { ...@@ -65,6 +66,20 @@ public class DistributionPointFetcher {
* Return the X509CRLs matching this selector. The selector must be * Return the X509CRLs matching this selector. The selector must be
* an X509CRLSelector with certificateChecking set. * an X509CRLSelector with certificateChecking set.
*/ */
public static Collection<X509CRL> getCRLs(X509CRLSelector selector,
boolean signFlag, PublicKey prevKey, String provider,
List<CertStore> certStores, boolean[] reasonsMask,
Set<TrustAnchor> trustAnchors, Date validity, String variant)
throws CertStoreException
{
return getCRLs(selector, signFlag, prevKey, null, provider, certStores,
reasonsMask, trustAnchors, validity, variant);
}
/**
* Return the X509CRLs matching this selector. The selector must be
* an X509CRLSelector with certificateChecking set.
*/
// Called by com.sun.deploy.security.RevocationChecker
public static Collection<X509CRL> getCRLs(X509CRLSelector selector, public static Collection<X509CRL> getCRLs(X509CRLSelector selector,
boolean signFlag, boolean signFlag,
PublicKey prevKey, PublicKey prevKey,
...@@ -76,7 +91,7 @@ public class DistributionPointFetcher { ...@@ -76,7 +91,7 @@ public class DistributionPointFetcher {
throws CertStoreException throws CertStoreException
{ {
return getCRLs(selector, signFlag, prevKey, null, provider, certStores, return getCRLs(selector, signFlag, prevKey, null, provider, certStores,
reasonsMask, trustAnchors, validity); reasonsMask, trustAnchors, validity, Validator.VAR_GENERIC);
} }
/** /**
...@@ -91,7 +106,8 @@ public class DistributionPointFetcher { ...@@ -91,7 +106,8 @@ public class DistributionPointFetcher {
List<CertStore> certStores, List<CertStore> certStores,
boolean[] reasonsMask, boolean[] reasonsMask,
Set<TrustAnchor> trustAnchors, Set<TrustAnchor> trustAnchors,
Date validity) Date validity,
String variant)
throws CertStoreException throws CertStoreException
{ {
X509Certificate cert = selector.getCertificateChecking(); X509Certificate cert = selector.getCertificateChecking();
...@@ -120,7 +136,7 @@ public class DistributionPointFetcher { ...@@ -120,7 +136,7 @@ public class DistributionPointFetcher {
DistributionPoint point = t.next(); DistributionPoint point = t.next();
Collection<X509CRL> crls = getCRLs(selector, certImpl, Collection<X509CRL> crls = getCRLs(selector, certImpl,
point, reasonsMask, signFlag, prevKey, prevCert, provider, point, reasonsMask, signFlag, prevKey, prevCert, provider,
certStores, trustAnchors, validity); certStores, trustAnchors, validity, variant);
results.addAll(crls); results.addAll(crls);
} }
if (debug != null) { if (debug != null) {
...@@ -145,7 +161,7 @@ public class DistributionPointFetcher { ...@@ -145,7 +161,7 @@ public class DistributionPointFetcher {
X509CertImpl certImpl, DistributionPoint point, boolean[] reasonsMask, X509CertImpl certImpl, DistributionPoint point, boolean[] reasonsMask,
boolean signFlag, PublicKey prevKey, X509Certificate prevCert, boolean signFlag, PublicKey prevKey, X509Certificate prevCert,
String provider, List<CertStore> certStores, String provider, List<CertStore> certStores,
Set<TrustAnchor> trustAnchors, Date validity) Set<TrustAnchor> trustAnchors, Date validity, String variant)
throws CertStoreException { throws CertStoreException {
// check for full name // check for full name
...@@ -208,7 +224,7 @@ public class DistributionPointFetcher { ...@@ -208,7 +224,7 @@ public class DistributionPointFetcher {
selector.setIssuerNames(null); selector.setIssuerNames(null);
if (selector.match(crl) && verifyCRL(certImpl, point, crl, if (selector.match(crl) && verifyCRL(certImpl, point, crl,
reasonsMask, signFlag, prevKey, prevCert, provider, reasonsMask, signFlag, prevKey, prevCert, provider,
trustAnchors, certStores, validity)) { trustAnchors, certStores, validity, variant)) {
crls.add(crl); crls.add(crl);
} }
} catch (IOException | CRLException e) { } catch (IOException | CRLException e) {
...@@ -317,7 +333,7 @@ public class DistributionPointFetcher { ...@@ -317,7 +333,7 @@ public class DistributionPointFetcher {
X509CRL crl, boolean[] reasonsMask, boolean signFlag, X509CRL crl, boolean[] reasonsMask, boolean signFlag,
PublicKey prevKey, X509Certificate prevCert, String provider, PublicKey prevKey, X509Certificate prevCert, String provider,
Set<TrustAnchor> trustAnchors, List<CertStore> certStores, Set<TrustAnchor> trustAnchors, List<CertStore> certStores,
Date validity) throws CRLException, IOException { Date validity, String variant) throws CRLException, IOException {
if (debug != null) { if (debug != null) {
debug.println("DistributionPointFetcher.verifyCRL: " + debug.println("DistributionPointFetcher.verifyCRL: " +
...@@ -443,7 +459,7 @@ public class DistributionPointFetcher { ...@@ -443,7 +459,7 @@ public class DistributionPointFetcher {
} }
if (indirectCRL) { if (indirectCRL) {
if (pointCrlIssuers.size() != 1) { if (pointCrlIssuers.size() != 1) {
// RFC 3280: there must be only 1 CRL issuer // RFC 5280: there must be only 1 CRL issuer
// name when relativeName is present // name when relativeName is present
if (debug != null) { if (debug != null) {
debug.println("must only be one CRL " + debug.println("must only be one CRL " +
...@@ -664,7 +680,7 @@ public class DistributionPointFetcher { ...@@ -664,7 +680,7 @@ public class DistributionPointFetcher {
// check the crl signature algorithm // check the crl signature algorithm
try { try {
AlgorithmChecker.check(prevKey, crl); AlgorithmChecker.check(prevKey, crl, variant);
} catch (CertPathValidatorException cpve) { } catch (CertPathValidatorException cpve) {
if (debug != null) { if (debug != null) {
debug.println("CRL signature algorithm check failed: " + cpve); debug.println("CRL signature algorithm check failed: " + cpve);
......
src/share/classes/sun/security/provider/certpath/OCSP.java
浏览文件 @ 8587eb8d
/* /*
* Copyright (c) 2009, 2013, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -35,6 +35,7 @@ import java.security.cert.CertPathValidatorException; ...@@ -35,6 +35,7 @@ import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorException.BasicReason; import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.CRLReason; import java.security.cert.CRLReason;
import java.security.cert.Extension; import java.security.cert.Extension;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import java.util.Arrays; import java.util.Arrays;
import java.util.Collections; import java.util.Collections;
...@@ -42,14 +43,14 @@ import java.util.Date; ...@@ -42,14 +43,14 @@ import java.util.Date;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import static sun.security.provider.certpath.OCSPResponse.*;
import sun.security.action.GetIntegerAction; import sun.security.action.GetIntegerAction;
import sun.security.util.Debug; import sun.security.util.Debug;
import sun.security.util.ObjectIdentifier; import sun.security.validator.Validator;
import sun.security.x509.AccessDescription; import sun.security.x509.AccessDescription;
import sun.security.x509.AuthorityInfoAccessExtension; import sun.security.x509.AuthorityInfoAccessExtension;
import sun.security.x509.GeneralName; import sun.security.x509.GeneralName;
import sun.security.x509.GeneralNameInterface; import sun.security.x509.GeneralNameInterface;
import sun.security.x509.PKIXExtensions;
import sun.security.x509.URIName; import sun.security.x509.URIName;
import sun.security.x509.X509CertImpl; import sun.security.x509.X509CertImpl;
...@@ -65,9 +66,6 @@ import sun.security.x509.X509CertImpl; ...@@ -65,9 +66,6 @@ import sun.security.x509.X509CertImpl;
*/ */
public final class OCSP { public final class OCSP {
static final ObjectIdentifier NONCE_EXTENSION_OID =
ObjectIdentifier.newInternal(new int[]{ 1, 3, 6, 1, 5, 5, 7, 48, 1, 2});
private static final Debug debug = Debug.getInstance("certpath"); private static final Debug debug = Debug.getInstance("certpath");
private static final int DEFAULT_CONNECT_TIMEOUT = 15000; private static final int DEFAULT_CONNECT_TIMEOUT = 15000;
...@@ -97,42 +95,6 @@ public final class OCSP { ...@@ -97,42 +95,6 @@ public final class OCSP {
private OCSP() {} private OCSP() {}
/**
* Obtains the revocation status of a certificate using OCSP using the most
* common defaults. The OCSP responder URI is retrieved from the
* certificate's AIA extension. The OCSP responder certificate is assumed
* to be the issuer's certificate (or issued by the issuer CA).
*
* @param cert the certificate to be checked
* @param issuerCert the issuer certificate
* @return the RevocationStatus
* @throws IOException if there is an exception connecting to or
* communicating with the OCSP responder
* @throws CertPathValidatorException if an exception occurs while
* encoding the OCSP Request or validating the OCSP Response
*/
public static RevocationStatus check(X509Certificate cert,
X509Certificate issuerCert)
throws IOException, CertPathValidatorException {
CertId certId = null;
URI responderURI = null;
try {
X509CertImpl certImpl = X509CertImpl.toImpl(cert);
responderURI = getResponderURI(certImpl);
if (responderURI == null) {
throw new CertPathValidatorException
("No OCSP Responder URI in certificate");
}
certId = new CertId(issuerCert, certImpl.getSerialNumberObject());
} catch (CertificateException | IOException e) {
throw new CertPathValidatorException
("Exception while encoding OCSPRequest", e);
}
OCSPResponse ocspResponse = check(Collections.singletonList(certId),
responderURI, issuerCert, null, null,
Collections.<Extension>emptyList());
return (RevocationStatus)ocspResponse.getSingleResponse(certId);
}
/** /**
* Obtains the revocation status of a certificate using OCSP. * Obtains the revocation status of a certificate using OCSP.
...@@ -149,6 +111,8 @@ public final class OCSP { ...@@ -149,6 +111,8 @@ public final class OCSP {
* @throws CertPathValidatorException if an exception occurs while * @throws CertPathValidatorException if an exception occurs while
* encoding the OCSP Request or validating the OCSP Response * encoding the OCSP Request or validating the OCSP Response
*/ */
// Called by com.sun.deploy.security.TrustDecider
public static RevocationStatus check(X509Certificate cert, public static RevocationStatus check(X509Certificate cert,
X509Certificate issuerCert, X509Certificate issuerCert,
URI responderURI, URI responderURI,
...@@ -157,18 +121,27 @@ public final class OCSP { ...@@ -157,18 +121,27 @@ public final class OCSP {
throws IOException, CertPathValidatorException throws IOException, CertPathValidatorException
{ {
return check(cert, issuerCert, responderURI, responderCert, date, return check(cert, issuerCert, responderURI, responderCert, date,
Collections.<Extension>emptyList()); Collections.<Extension>emptyList(), Validator.VAR_GENERIC);
} }
// Called by com.sun.deploy.security.TrustDecider
public static RevocationStatus check(X509Certificate cert, public static RevocationStatus check(X509Certificate cert,
X509Certificate issuerCert, X509Certificate issuerCert, URI responderURI,
URI responderURI, X509Certificate responderCert, Date date, List<Extension> extensions,
X509Certificate responderCert, String variant)
Date date, List<Extension> extensions)
throws IOException, CertPathValidatorException throws IOException, CertPathValidatorException
{ {
CertId certId = null; return check(cert, responderURI, null, issuerCert, responderCert, date,
extensions, variant);
}
public static RevocationStatus check(X509Certificate cert,
URI responderURI, TrustAnchor anchor, X509Certificate issuerCert,
X509Certificate responderCert, Date date,
List<Extension> extensions, String variant)
throws IOException, CertPathValidatorException
{
CertId certId;
try { try {
X509CertImpl certImpl = X509CertImpl.toImpl(cert); X509CertImpl certImpl = X509CertImpl.toImpl(cert);
certId = new CertId(issuerCert, certImpl.getSerialNumberObject()); certId = new CertId(issuerCert, certImpl.getSerialNumberObject());
...@@ -177,19 +150,23 @@ public final class OCSP { ...@@ -177,19 +150,23 @@ public final class OCSP {
("Exception while encoding OCSPRequest", e); ("Exception while encoding OCSPRequest", e);
} }
OCSPResponse ocspResponse = check(Collections.singletonList(certId), OCSPResponse ocspResponse = check(Collections.singletonList(certId),
responderURI, issuerCert, responderCert, date, extensions); responderURI, new OCSPResponse.IssuerInfo(anchor, issuerCert),
responderCert, date, extensions, variant);
return (RevocationStatus) ocspResponse.getSingleResponse(certId); return (RevocationStatus) ocspResponse.getSingleResponse(certId);
} }
/** /**
* Checks the revocation status of a list of certificates using OCSP. * Checks the revocation status of a list of certificates using OCSP.
* *
* @param certs the CertIds to be checked * @param certIds the CertIds to be checked
* @param responderURI the URI of the OCSP responder * @param responderURI the URI of the OCSP responder
* @param issuerCert the issuer's certificate * @param issuerInfo the issuer's certificate and/or subject and public key
* @param responderCert the OCSP responder's certificate * @param responderCert the OCSP responder's certificate
* @param date the time the validity of the OCSP responder's certificate * @param date the time the validity of the OCSP responder's certificate
* should be checked against. If null, the current time is used. * should be checked against. If null, the current time is used.
* @param extensions zero or more OCSP extensions to be included in the
* request. If no extensions are requested, an empty {@code List} must
* be used. A {@code null} value is not allowed.
* @return the OCSPResponse * @return the OCSPResponse
* @throws IOException if there is an exception connecting to or * @throws IOException if there is an exception connecting to or
* communicating with the OCSP responder * communicating with the OCSP responder
...@@ -197,24 +174,59 @@ public final class OCSP { ...@@ -197,24 +174,59 @@ public final class OCSP {
* encoding the OCSP Request or validating the OCSP Response * encoding the OCSP Request or validating the OCSP Response
*/ */
static OCSPResponse check(List<CertId> certIds, URI responderURI, static OCSPResponse check(List<CertId> certIds, URI responderURI,
X509Certificate issuerCert, OCSPResponse.IssuerInfo issuerInfo,
X509Certificate responderCert, Date date, X509Certificate responderCert, Date date,
List<Extension> extensions) List<Extension> extensions, String variant)
throws IOException, CertPathValidatorException throws IOException, CertPathValidatorException
{ {
byte[] bytes = null; byte[] nonce = null;
OCSPRequest request = null; for (Extension ext : extensions) {
if (ext.getId().equals(PKIXExtensions.OCSPNonce_Id.toString())) {
nonce = ext.getValue();
}
}
OCSPResponse ocspResponse = null;
try { try {
request = new OCSPRequest(certIds, extensions); byte[] response = getOCSPBytes(certIds, responderURI, extensions);
bytes = request.encodeBytes(); ocspResponse = new OCSPResponse(response);
// verify the response
ocspResponse.verify(certIds, issuerInfo, responderCert, date,
nonce, variant);
} catch (IOException ioe) { } catch (IOException ioe) {
throw new CertPathValidatorException throw new CertPathValidatorException(
("Exception while encoding OCSPRequest", ioe); "Unable to determine revocation status due to network error",
ioe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
} }
return ocspResponse;
}
/**
* Send an OCSP request, then read and return the OCSP response bytes.
*
* @param certIds the CertIds to be checked
* @param responderURI the URI of the OCSP responder
* @param extensions zero or more OCSP extensions to be included in the
* request. If no extensions are requested, an empty {@code List} must
* be used. A {@code null} value is not allowed.
*
* @return the OCSP response bytes
*
* @throws IOException if there is an exception connecting to or
* communicating with the OCSP responder
*/
public static byte[] getOCSPBytes(List<CertId> certIds, URI responderURI,
List<Extension> extensions) throws IOException {
OCSPRequest request = new OCSPRequest(certIds, extensions);
byte[] bytes = request.encodeBytes();
InputStream in = null; InputStream in = null;
OutputStream out = null; OutputStream out = null;
byte[] response = null; byte[] response = null;
try { try {
URL url = responderURI.toURL(); URL url = responderURI.toURL();
if (debug != null) { if (debug != null) {
...@@ -257,10 +269,6 @@ public final class OCSP { ...@@ -257,10 +269,6 @@ public final class OCSP {
} }
} }
response = Arrays.copyOf(response, total); response = Arrays.copyOf(response, total);
} catch (IOException ioe) {
throw new CertPathValidatorException(
"Unable to determine revocation status due to network error",
ioe, null, -1, BasicReason.UNDETERMINED_REVOCATION_STATUS);
} finally { } finally {
if (in != null) { if (in != null) {
try { try {
...@@ -277,20 +285,7 @@ public final class OCSP { ...@@ -277,20 +285,7 @@ public final class OCSP {
} }
} }
} }
return response;
OCSPResponse ocspResponse = null;
try {
ocspResponse = new OCSPResponse(response);
} catch (IOException ioe) {
// response decoding exception
throw new CertPathValidatorException(ioe);
}
// verify the response
ocspResponse.verify(certIds, issuerCert, responderCert, date,
request.getNonce());
return ocspResponse;
} }
/** /**
...@@ -322,7 +317,7 @@ public final class OCSP { ...@@ -322,7 +317,7 @@ public final class OCSP {
List<AccessDescription> descriptions = aia.getAccessDescriptions(); List<AccessDescription> descriptions = aia.getAccessDescriptions();
for (AccessDescription description : descriptions) { for (AccessDescription description : descriptions) {
if (description.getAccessMethod().equals((Object) if (description.getAccessMethod().equals(
AccessDescription.Ad_OCSP_Id)) { AccessDescription.Ad_OCSP_Id)) {
GeneralName generalName = description.getAccessLocation(); GeneralName generalName = description.getAccessLocation();
......
src/share/classes/sun/security/provider/certpath/OCSPRequest.java
浏览文件 @ 8587eb8d
/* /*
* Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2003, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -32,10 +32,11 @@ import java.util.List; ...@@ -32,10 +32,11 @@ import java.util.List;
import sun.misc.HexDumpEncoder; import sun.misc.HexDumpEncoder;
import sun.security.util.*; import sun.security.util.*;
import sun.security.x509.PKIXExtensions;
/** /**
* This class can be used to generate an OCSP request and send it over * This class can be used to generate an OCSP request and send it over
* an outputstream. Currently we do not support signing requests * an output stream. Currently we do not support signing requests.
* The OCSP Request is specified in RFC 2560 and * The OCSP Request is specified in RFC 2560 and
* the ASN.1 definition is as follows: * the ASN.1 definition is as follows:
* <pre> * <pre>
...@@ -118,7 +119,8 @@ class OCSPRequest { ...@@ -118,7 +119,8 @@ class OCSPRequest {
DerOutputStream extOut = new DerOutputStream(); DerOutputStream extOut = new DerOutputStream();
for (Extension ext : extensions) { for (Extension ext : extensions) {
ext.encode(extOut); ext.encode(extOut);
if (ext.getId().equals(OCSP.NONCE_EXTENSION_OID.toString())) { if (ext.getId().equals(
PKIXExtensions.OCSPNonce_Id.toString())) {
nonce = ext.getValue(); nonce = ext.getValue();
} }
} }
......
src/share/classes/sun/security/provider/certpath/PKIX.java
浏览文件 @ 8587eb8d
/* /*
* Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2012, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -26,6 +26,7 @@ package sun.security.provider.certpath; ...@@ -26,6 +26,7 @@ package sun.security.provider.certpath;
import java.security.InvalidAlgorithmParameterException; import java.security.InvalidAlgorithmParameterException;
import java.security.PublicKey; import java.security.PublicKey;
import java.security.Timestamp;
import java.security.cert.*; import java.security.cert.*;
import java.security.interfaces.DSAPublicKey; import java.security.interfaces.DSAPublicKey;
import java.util.*; import java.util.*;
...@@ -85,6 +86,8 @@ class PKIX { ...@@ -85,6 +86,8 @@ class PKIX {
private CertSelector constraints; private CertSelector constraints;
private Set<TrustAnchor> anchors; private Set<TrustAnchor> anchors;
private List<X509Certificate> certs; private List<X509Certificate> certs;
private Timestamp timestamp;
private String variant;
ValidatorParams(CertPath cp, PKIXParameters params) ValidatorParams(CertPath cp, PKIXParameters params)
throws InvalidAlgorithmParameterException throws InvalidAlgorithmParameterException
...@@ -100,6 +103,11 @@ class PKIX { ...@@ -100,6 +103,11 @@ class PKIX {
ValidatorParams(PKIXParameters params) ValidatorParams(PKIXParameters params)
throws InvalidAlgorithmParameterException throws InvalidAlgorithmParameterException
{ {
if (params instanceof PKIXExtendedParameters) {
timestamp = ((PKIXExtendedParameters) params).getTimestamp();
variant = ((PKIXExtendedParameters) params).getVariant();
}
this.anchors = params.getTrustAnchors(); this.anchors = params.getTrustAnchors();
// Make sure that none of the trust anchors include name constraints // Make sure that none of the trust anchors include name constraints
// (not supported). // (not supported).
...@@ -189,6 +197,14 @@ class PKIX { ...@@ -189,6 +197,14 @@ class PKIX {
PKIXParameters getPKIXParameters() { PKIXParameters getPKIXParameters() {
return params; return params;
} }
Timestamp timestamp() {
return timestamp;
}
String variant() {
return variant;
}
} }
static class BuilderParams extends ValidatorParams { static class BuilderParams extends ValidatorParams {
......
src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
浏览文件 @ 8587eb8d
/* /*
* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -172,7 +172,8 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi { ...@@ -172,7 +172,8 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi {
List<PKIXCertPathChecker> certPathCheckers = new ArrayList<>(); List<PKIXCertPathChecker> certPathCheckers = new ArrayList<>();
// add standard checkers that we will be using // add standard checkers that we will be using
certPathCheckers.add(untrustedChecker); certPathCheckers.add(untrustedChecker);
certPathCheckers.add(new AlgorithmChecker(anchor)); certPathCheckers.add(new AlgorithmChecker(anchor, null, params.date(),
params.timestamp(), params.variant()));
certPathCheckers.add(new KeyChecker(certPathLen, certPathCheckers.add(new KeyChecker(certPathLen,
params.targetCertConstraints())); params.targetCertConstraints()));
certPathCheckers.add(new ConstraintsChecker(certPathLen)); certPathCheckers.add(new ConstraintsChecker(certPathLen));
...@@ -189,7 +190,10 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi { ...@@ -189,7 +190,10 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi {
rootNode); rootNode);
certPathCheckers.add(pc); certPathCheckers.add(pc);
// default value for date is current time // default value for date is current time
BasicChecker bc = new BasicChecker(anchor, params.date(), BasicChecker bc;
bc = new BasicChecker(anchor,
(params.timestamp() == null ? params.date() :
params.timestamp().getTimestamp()),
params.sigProvider(), false); params.sigProvider(), false);
certPathCheckers.add(bc); certPathCheckers.add(bc);
......
src/share/classes/sun/security/provider/certpath/PKIXExtendedParameters.java 0 → 100644
浏览文件 @ 8587eb8d
/*
* Copyright (c) 2016, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.provider.certpath;
import java.security.InvalidAlgorithmParameterException;
import java.security.Timestamp;
import java.security.cert.CertSelector;
import java.security.cert.CertStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.TrustAnchor;
import java.util.Date;
import java.util.List;
import java.util.Set;
/**
* This class is a wrapper for PKIXBuilderParameters so that a Timestamp object
* and a string for the variant type, can be passed when doing certpath
* checking.
*/
public class PKIXExtendedParameters extends PKIXBuilderParameters {
private final PKIXBuilderParameters p;
private Timestamp jarTimestamp;
private final String variant;
public PKIXExtendedParameters(PKIXBuilderParameters params,
Timestamp timestamp, String variant)
throws InvalidAlgorithmParameterException {
super(params.getTrustAnchors(), null);
p = params;
jarTimestamp = timestamp;
this.variant = variant;
}
public Timestamp getTimestamp() {
return jarTimestamp;
}
public void setTimestamp(Timestamp t) {
jarTimestamp = t;
}
public String getVariant() {
return variant;
}
@Override
public void setDate(Date d) {
p.setDate(d);
}
@Override
public void addCertPathChecker(PKIXCertPathChecker c) {
p.addCertPathChecker(c);
}
@Override
public void setMaxPathLength(int maxPathLength) {
p.setMaxPathLength(maxPathLength);
}
@Override
public int getMaxPathLength() {
return p.getMaxPathLength();
}
@Override
public String toString() {
return p.toString();
}
@Override
public Set<TrustAnchor> getTrustAnchors() {
return p.getTrustAnchors();
}
@Override
public void setTrustAnchors(Set<TrustAnchor> trustAnchors)
throws InvalidAlgorithmParameterException {
// To avoid problems with PKIXBuilderParameter's constructors
if (p == null) {
return;
}
p.setTrustAnchors(trustAnchors);
}
@Override
public Set<String> getInitialPolicies() {
return p.getInitialPolicies();
}
@Override
public void setInitialPolicies(Set<String> initialPolicies) {
p.setInitialPolicies(initialPolicies);
}
@Override
public void setCertStores(List<CertStore> stores) {
p.setCertStores(stores);
}
@Override
public void addCertStore(CertStore store) {
p.addCertStore(store);
}
@Override
public List<CertStore> getCertStores() {
return p.getCertStores();
}
@Override
public void setRevocationEnabled(boolean val) {
p.setRevocationEnabled(val);
}
@Override
public boolean isRevocationEnabled() {
return p.isRevocationEnabled();
}
@Override
public void setExplicitPolicyRequired(boolean val) {
p.setExplicitPolicyRequired(val);
}
@Override
public boolean isExplicitPolicyRequired() {
return p.isExplicitPolicyRequired();
}
@Override
public void setPolicyMappingInhibited(boolean val) {
p.setPolicyMappingInhibited(val);
}
@Override
public boolean isPolicyMappingInhibited() {
return p.isPolicyMappingInhibited();
}
@Override
public void setAnyPolicyInhibited(boolean val) {
p.setAnyPolicyInhibited(val);
}
@Override
public boolean isAnyPolicyInhibited() {
return p.isAnyPolicyInhibited();
}
@Override
public void setPolicyQualifiersRejected(boolean qualifiersRejected) {
p.setPolicyQualifiersRejected(qualifiersRejected);
}
@Override
public boolean getPolicyQualifiersRejected() {
return p.getPolicyQualifiersRejected();
}
@Override
public Date getDate() {
return p.getDate();
}
@Override
public void setCertPathCheckers(List<PKIXCertPathChecker> checkers) {
p.setCertPathCheckers(checkers);
}
@Override
public List<PKIXCertPathChecker> getCertPathCheckers() {
return p.getCertPathCheckers();
}
@Override
public String getSigProvider() {
return p.getSigProvider();
}
@Override
public void setSigProvider(String sigProvider) {
p.setSigProvider(sigProvider);
}
@Override
public CertSelector getTargetCertConstraints() {
return p.getTargetCertConstraints();
}
@Override
public void setTargetCertConstraints(CertSelector selector) {
// To avoid problems with PKIXBuilderParameter's constructors
if (p == null) {
return;
}
p.setTargetCertConstraints(selector);
}
}
src/share/classes/sun/security/provider/certpath/ResponderId.java 0 → 100644
浏览文件 @ 8587eb8d
/*
* Copyright (c) 2015, 2017 Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Oracle designates this
* particular file as subject to the "Classpath" exception as provided
* by Oracle in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
* Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
* or visit www.oracle.com if you need additional information or have any
* questions.
*/
package sun.security.provider.certpath;
import java.util.Arrays;
import java.io.IOException;
import java.security.PublicKey;
import javax.security.auth.x500.X500Principal;
import sun.security.x509.KeyIdentifier;
import sun.security.util.DerValue;
/**
* Class for ResponderId entities as described in RFC6960. ResponderId objects
* are used to uniquely identify OCSP responders.
* <p>
* The RFC 6960 defines a ResponderID structure as:
* <pre>
* ResponderID ::= CHOICE {
* byName [1] Name,
* byKey [2] KeyHash }
*
* KeyHash ::= OCTET STRING -- SHA-1 hash of responder's public key
* (excluding the tag and length fields)
*
* Name is defined in RFC 5280.
* </pre>
*
* @see ResponderId.Type
* @since 9
*/
public final class ResponderId {
/**
* A {@code ResponderId} enumeration describing the accepted forms for a
* {@code ResponderId}.
*
* @see ResponderId
* @since 9
*/
public static enum Type {
/**
* A BY_NAME {@code ResponderId} will be built from a subject name,
* either as an {@code X500Principal} or a DER-encoded byte array.
*/
BY_NAME(1, "byName"),
/**
* A BY_KEY {@code ResponderId} will be built from a public key
* identifier, either derived from a {@code PublicKey} or directly
* from a DER-encoded byte array containing the key identifier.
*/
BY_KEY(2, "byKey");
private final int tagNumber;
private final String ridTypeName;
private Type(int value, String name) {
this.tagNumber = value;
this.ridTypeName = name;
}
public int value() {
return tagNumber;
}
@Override
public String toString() {
return ridTypeName;
}
}
private Type type;
private X500Principal responderName;
private KeyIdentifier responderKeyId;
private byte[] encodedRid;
/**
* Constructs a {@code ResponderId} object using an {@code X500Principal}.
* When encoded in DER this object will use the BY_NAME option.
*
* @param subjectName the subject name of the certificate used
* to sign OCSP responses.
*
* @throws IOException if the internal DER-encoding of the
* {@code X500Principal} fails.
*/
public ResponderId(X500Principal subjectName) throws IOException {
responderName = subjectName;
responderKeyId = null;
encodedRid = principalToBytes();
type = Type.BY_NAME;
}
/**
* Constructs a {@code ResponderId} object using a {@code PublicKey}.
* When encoded in DER this object will use the byKey option, a
* SHA-1 hash of the responder's public key.
*
* @param pubKey the the OCSP responder's public key
*
* @throws IOException if the internal DER-encoding of the
* {@code KeyIdentifier} fails.
*/
public ResponderId(PublicKey pubKey) throws IOException {
responderKeyId = new KeyIdentifier(pubKey);
responderName = null;
encodedRid = keyIdToBytes();
type = Type.BY_KEY;
}
/**
* Constructs a {@code ResponderId} object from its DER-encoding.
*
* @param encodedData the DER-encoded bytes
*
* @throws IOException if the encodedData is not properly DER encoded
*/
public ResponderId(byte[] encodedData) throws IOException {
DerValue outer = new DerValue(encodedData);
if (outer.isContextSpecific((byte)Type.BY_NAME.value())
&& outer.isConstructed()) {
// Use the X500Principal constructor as a way to sanity
// check the incoming data.
responderName = new X500Principal(outer.getDataBytes());
encodedRid = principalToBytes();
type = Type.BY_NAME;
} else if (outer.isContextSpecific((byte)Type.BY_KEY.value())
&& outer.isConstructed()) {
// Use the KeyIdentifier constructor as a way to sanity
// check the incoming data.
responderKeyId =
new KeyIdentifier(new DerValue(outer.getDataBytes()));
encodedRid = keyIdToBytes();
type = Type.BY_KEY;
} else {
throw new IOException("Invalid ResponderId content");
}
}
/**
* Encode a {@code ResponderId} in DER form
*
* @return a byte array containing the DER-encoded representation for this
* {@code ResponderId}
*/
public byte[] getEncoded() {
return encodedRid.clone();
}
/**
* Return the type of {@ResponderId}
*
* @return a number corresponding to the context-specific tag number
* used in the DER-encoding for a {@code ResponderId}
*/
public ResponderId.Type getType() {
return type;
}
/**
* Get the length of the encoded {@code ResponderId} (including the tag and
* length of the explicit tagging from the outer ASN.1 CHOICE).
*
* @return the length of the encoded {@code ResponderId}
*/
public int length() {
return encodedRid.length;
}
/**
* Obtain the underlying {@code X500Principal} from a {@code ResponderId}
*
* @return the {@code X500Principal} for this {@code ResponderId} if it
* is a BY_NAME variant. If the {@code ResponderId} is a BY_KEY
* variant, this routine will return {@code null}.
*/
public X500Principal getResponderName() {
return responderName;
}
/**
* Obtain the underlying key identifier from a {@code ResponderId}
*
* @return the {@code KeyIdentifier} for this {@code ResponderId} if it
* is a BY_KEY variant. If the {@code ResponderId} is a BY_NAME
* variant, this routine will return {@code null}.
*/
public KeyIdentifier getKeyIdentifier() {
return responderKeyId;
}
/**
* Compares the specified object with this {@code ResponderId} for equality.
* A ResponderId will only be considered equivalent if both the type and
* data value are equal. Two ResponderIds initialized by name and
* key ID, respectively, will not be equal even if the
* ResponderId objects are created from the same source certificate.
*
* @param obj the object to be compared against
*
* @return true if the specified object is equal to this {@code Responderid}
*/
@Override
public boolean equals(Object obj) {
if (obj == null) {
return false;
}
if (this == obj) {
return true;
}
if (obj instanceof ResponderId) {
ResponderId respObj = (ResponderId)obj;
return Arrays.equals(encodedRid, respObj.getEncoded());
}
return false;
}
/**
* Returns the hash code value for this {@code ResponderId}
*
* @return the hash code value for this {@code ResponderId}
*/
@Override
public int hashCode() {
return Arrays.hashCode(encodedRid);
}
/**
* Create a String representation of this {@code ResponderId}
*
* @return a String representation of this {@code ResponderId}
*/
@Override
public String toString() {
StringBuilder sb = new StringBuilder();
switch (type) {
case BY_NAME:
sb.append(type).append(": ").append(responderName);
break;
case BY_KEY:
sb.append(type).append(": ");
for (byte keyIdByte : responderKeyId.getIdentifier()) {
sb.append(String.format("%02X", keyIdByte));
}
break;
default:
sb.append("Unknown ResponderId Type: ").append(type);
}
return sb.toString();
}
/**
* Convert the responderName data member into its DER-encoded form
*
* @return the DER encoding for a responder ID byName option, including
* explicit context-specific tagging.
*
* @throws IOException if any encoding error occurs
*/
private byte[] principalToBytes() throws IOException {
DerValue dv = new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT,
true, (byte)Type.BY_NAME.value()),
responderName.getEncoded());
return dv.toByteArray();
}
/**
* Convert the responderKeyId data member into its DER-encoded form
*
* @return the DER encoding for a responder ID byKey option, including
* explicit context-specific tagging.
*
* @throws IOException if any encoding error occurs
*/
private byte[] keyIdToBytes() throws IOException {
// Place the KeyIdentifier bytes into an OCTET STRING
DerValue inner = new DerValue(DerValue.tag_OctetString,
responderKeyId.getIdentifier());
// Mark the OCTET STRING-wrapped KeyIdentifier bytes
// as EXPLICIT CONTEXT 2
DerValue outer = new DerValue(DerValue.createTag(DerValue.TAG_CONTEXT,
true, (byte)Type.BY_KEY.value()), inner.toByteArray());
return outer.toByteArray();
}
}
src/share/classes/sun/security/provider/certpath/RevocationChecker.java
浏览文件 @ 8587eb8d
/* /*
* Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2012, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -43,7 +43,6 @@ import javax.security.auth.x500.X500Principal; ...@@ -43,7 +43,6 @@ import javax.security.auth.x500.X500Principal;
import static sun.security.provider.certpath.OCSP.*; import static sun.security.provider.certpath.OCSP.*;
import static sun.security.provider.certpath.PKIX.*; import static sun.security.provider.certpath.PKIX.*;
import sun.security.action.GetPropertyAction;
import sun.security.x509.*; import sun.security.x509.*;
import static sun.security.x509.PKIXExtensions.*; import static sun.security.x509.PKIXExtensions.*;
import sun.security.util.Debug; import sun.security.util.Debug;
...@@ -62,12 +61,12 @@ class RevocationChecker extends PKIXRevocationChecker { ...@@ -62,12 +61,12 @@ class RevocationChecker extends PKIXRevocationChecker {
private List<CertStore> certStores; private List<CertStore> certStores;
private Map<X509Certificate, byte[]> ocspResponses; private Map<X509Certificate, byte[]> ocspResponses;
private List<Extension> ocspExtensions; private List<Extension> ocspExtensions;
private boolean legacy; private final boolean legacy;
private LinkedList<CertPathValidatorException> softFailExceptions = private LinkedList<CertPathValidatorException> softFailExceptions =
new LinkedList<>(); new LinkedList<>();
// state variables // state variables
private X509Certificate issuerCert; private OCSPResponse.IssuerInfo issuerInfo;
private PublicKey prevPubKey; private PublicKey prevPubKey;
private boolean crlSignFlag; private boolean crlSignFlag;
private int certIndex; private int certIndex;
...@@ -302,9 +301,9 @@ class RevocationChecker extends PKIXRevocationChecker { ...@@ -302,9 +301,9 @@ class RevocationChecker extends PKIXRevocationChecker {
CertPathValidatorException("forward checking not supported"); CertPathValidatorException("forward checking not supported");
} }
if (anchor != null) { if (anchor != null) {
issuerCert = anchor.getTrustedCert(); issuerInfo = new OCSPResponse.IssuerInfo(anchor);
prevPubKey = (issuerCert != null) ? issuerCert.getPublicKey() prevPubKey = issuerInfo.getPublicKey();
: anchor.getCAPublicKey();
} }
crlSignFlag = true; crlSignFlag = true;
if (params != null && params.certPath() != null) { if (params != null && params.certPath() != null) {
...@@ -438,7 +437,7 @@ class RevocationChecker extends PKIXRevocationChecker { ...@@ -438,7 +437,7 @@ class RevocationChecker extends PKIXRevocationChecker {
private void updateState(X509Certificate cert) private void updateState(X509Certificate cert)
throws CertPathValidatorException throws CertPathValidatorException
{ {
issuerCert = cert; issuerInfo = new OCSPResponse.IssuerInfo(anchor, cert);
// Make new public key if parameters are missing // Make new public key if parameters are missing
PublicKey pubKey = cert.getPublicKey(); PublicKey pubKey = cert.getPublicKey();
...@@ -466,6 +465,34 @@ class RevocationChecker extends PKIXRevocationChecker { ...@@ -466,6 +465,34 @@ class RevocationChecker extends PKIXRevocationChecker {
stackedCerts, params.trustAnchors()); stackedCerts, params.trustAnchors());
} }
static boolean isCausedByNetworkIssue(String type, CertStoreException cse) {
boolean result;
Throwable t = cse.getCause();
switch (type) {
case "LDAP":
if (t != null) {
// These two exception classes are inside java.naming module
String cn = t.getClass().getName();
result = (cn.equals("javax.naming.ServiceUnavailableException") ||
cn.equals("javax.naming.CommunicationException"));
} else {
result = false;
}
break;
case "SSLServer":
result = (t != null && t instanceof IOException);
break;
case "URI":
result = (t != null && t instanceof IOException);
break;
default:
// we don't know about any other remote CertStore types
return false;
}
return result;
}
private void checkCRLs(X509Certificate cert, PublicKey prevKey, private void checkCRLs(X509Certificate cert, PublicKey prevKey,
X509Certificate prevCert, boolean signFlag, X509Certificate prevCert, boolean signFlag,
boolean allowSeparateKey, boolean allowSeparateKey,
...@@ -478,9 +505,9 @@ class RevocationChecker extends PKIXRevocationChecker { ...@@ -478,9 +505,9 @@ class RevocationChecker extends PKIXRevocationChecker {
" ---checking revocation status ..."); " ---checking revocation status ...");
} }
// reject circular dependencies - RFC 3280 is not explicit on how // Reject circular dependencies - RFC 5280 is not explicit on how
// to handle this, so we feel it is safest to reject them until // to handle this, but does suggest that they can be a security
// the issue is resolved in the PKIX WG. // risk and can create unresolvable dependencies
if (stackedCerts != null && stackedCerts.contains(cert)) { if (stackedCerts != null && stackedCerts.contains(cert)) {
if (debug != null) { if (debug != null) {
debug.println("RevocationChecker.checkCRLs()" + debug.println("RevocationChecker.checkCRLs()" +
...@@ -510,7 +537,7 @@ class RevocationChecker extends PKIXRevocationChecker { ...@@ -510,7 +537,7 @@ class RevocationChecker extends PKIXRevocationChecker {
"CertStoreException: " + e.getMessage()); "CertStoreException: " + e.getMessage());
} }
if (networkFailureException == null && if (networkFailureException == null &&
CertStoreHelper.isCausedByNetworkIssue(store.getType(),e)) { isCausedByNetworkIssue(store.getType(),e)) {
// save this exception, we may need to throw it later // save this exception, we may need to throw it later
networkFailureException = new CertPathValidatorException( networkFailureException = new CertPathValidatorException(
"Unable to determine revocation status due to " + "Unable to determine revocation status due to " +
...@@ -551,14 +578,13 @@ class RevocationChecker extends PKIXRevocationChecker { ...@@ -551,14 +578,13 @@ class RevocationChecker extends PKIXRevocationChecker {
if (crlDP) { if (crlDP) {
approvedCRLs.addAll(DistributionPointFetcher.getCRLs( approvedCRLs.addAll(DistributionPointFetcher.getCRLs(
sel, signFlag, prevKey, prevCert, sel, signFlag, prevKey, prevCert,
params.sigProvider(), certStores, params.sigProvider(), certStores, reasonsMask,
reasonsMask, anchors, null)); anchors, null, params.variant()));
} }
} catch (CertStoreException e) { } catch (CertStoreException e) {
if (e instanceof CertStoreTypeException) { if (e instanceof CertStoreTypeException) {
CertStoreTypeException cste = (CertStoreTypeException)e; CertStoreTypeException cste = (CertStoreTypeException)e;
if (CertStoreHelper.isCausedByNetworkIssue(cste.getType(), if (isCausedByNetworkIssue(cste.getType(), e)) {
e)) {
throw new CertPathValidatorException( throw new CertPathValidatorException(
"Unable to determine revocation status due to " + "Unable to determine revocation status due to " +
"network error", e, null, -1, "network error", e, null, -1,
...@@ -634,7 +660,7 @@ class RevocationChecker extends PKIXRevocationChecker { ...@@ -634,7 +660,7 @@ class RevocationChecker extends PKIXRevocationChecker {
/* /*
* Abort CRL validation and throw exception if there are any * Abort CRL validation and throw exception if there are any
* unrecognized critical CRL entry extensions (see section * unrecognized critical CRL entry extensions (see section
* 5.3 of RFC 3280). * 5.3 of RFC 5280).
*/ */
Set<String> unresCritExts = entry.getCriticalExtensionOIDs(); Set<String> unresCritExts = entry.getCriticalExtensionOIDs();
if (unresCritExts != null && !unresCritExts.isEmpty()) { if (unresCritExts != null && !unresCritExts.isEmpty()) {
...@@ -682,14 +708,8 @@ class RevocationChecker extends PKIXRevocationChecker { ...@@ -682,14 +708,8 @@ class RevocationChecker extends PKIXRevocationChecker {
OCSPResponse response = null; OCSPResponse response = null;
CertId certId = null; CertId certId = null;
try { try {
if (issuerCert != null) { certId = new CertId(issuerInfo.getName(), issuerInfo.getPublicKey(),
certId = new CertId(issuerCert,
currCert.getSerialNumberObject()); currCert.getSerialNumberObject());
} else {
// must be an anchor name and key
certId = new CertId(anchor.getCA(), anchor.getCAPublicKey(),
currCert.getSerialNumberObject());
}
// check if there is a cached OCSP response available // check if there is a cached OCSP response available
byte[] responseBytes = ocspResponses.get(cert); byte[] responseBytes = ocspResponses.get(cert);
...@@ -706,8 +726,8 @@ class RevocationChecker extends PKIXRevocationChecker { ...@@ -706,8 +726,8 @@ class RevocationChecker extends PKIXRevocationChecker {
nonce = ext.getValue(); nonce = ext.getValue();
} }
} }
response.verify(Collections.singletonList(certId), issuerCert, response.verify(Collections.singletonList(certId), issuerInfo,
responderCert, params.date(), nonce); responderCert, params.date(), nonce, params.variant());
} else { } else {
URI responderURI = (this.responderURI != null) URI responderURI = (this.responderURI != null)
...@@ -720,8 +740,8 @@ class RevocationChecker extends PKIXRevocationChecker { ...@@ -720,8 +740,8 @@ class RevocationChecker extends PKIXRevocationChecker {
} }
response = OCSP.check(Collections.singletonList(certId), response = OCSP.check(Collections.singletonList(certId),
responderURI, issuerCert, responderCert, responderURI, issuerInfo, responderCert, null,
null, ocspExtensions); ocspExtensions, params.variant());
} }
} catch (IOException e) { } catch (IOException e) {
throw new CertPathValidatorException( throw new CertPathValidatorException(
...@@ -833,7 +853,7 @@ class RevocationChecker extends PKIXRevocationChecker { ...@@ -833,7 +853,7 @@ class RevocationChecker extends PKIXRevocationChecker {
if (DistributionPointFetcher.verifyCRL( if (DistributionPointFetcher.verifyCRL(
certImpl, point, crl, reasonsMask, signFlag, certImpl, point, crl, reasonsMask, signFlag,
prevKey, null, params.sigProvider(), anchors, prevKey, null, params.sigProvider(), anchors,
certStores, params.date())) certStores, params.date(), params.variant()))
{ {
results.add(crl); results.add(crl);
} }
...@@ -886,9 +906,9 @@ class RevocationChecker extends PKIXRevocationChecker { ...@@ -886,9 +906,9 @@ class RevocationChecker extends PKIXRevocationChecker {
" ---checking " + msg + "..."); " ---checking " + msg + "...");
} }
// reject circular dependencies - RFC 3280 is not explicit on how // Reject circular dependencies - RFC 5280 is not explicit on how
// to handle this, so we feel it is safest to reject them until // to handle this, but does suggest that they can be a security
// the issue is resolved in the PKIX WG. // risk and can create unresolvable dependencies
if ((stackedCerts != null) && stackedCerts.contains(cert)) { if ((stackedCerts != null) && stackedCerts.contains(cert)) {
if (debug != null) { if (debug != null) {
debug.println( debug.println(
......
src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java
浏览文件 @ 8587eb8d
/* /*
* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -50,7 +50,7 @@ import sun.security.util.Debug; ...@@ -50,7 +50,7 @@ import sun.security.util.Debug;
* <p> If successful, it returns a certification path which has successfully * <p> If successful, it returns a certification path which has successfully
* satisfied all the constraints and requirements specified in the * satisfied all the constraints and requirements specified in the
* PKIXBuilderParameters object and has been validated according to the PKIX * PKIXBuilderParameters object and has been validated according to the PKIX
* path validation algorithm defined in RFC 3280. * path validation algorithm defined in RFC 5280.
* *
* <p> This implementation uses a depth-first search approach to finding * <p> This implementation uses a depth-first search approach to finding
* certification paths. If it comes to a point in which it cannot find * certification paths. If it comes to a point in which it cannot find
...@@ -343,7 +343,8 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi { ...@@ -343,7 +343,8 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi {
checkers.add(policyChecker); checkers.add(policyChecker);
// add the algorithm checker // add the algorithm checker
checkers.add(new AlgorithmChecker(builder.trustAnchor)); checkers.add(new AlgorithmChecker(builder.trustAnchor,
buildParams.date(), buildParams.variant()));
BasicChecker basicChecker = null; BasicChecker basicChecker = null;
if (nextState.keyParamsNeeded()) { if (nextState.keyParamsNeeded()) {
......
src/share/classes/sun/security/ssl/SSLContextImpl.java
浏览文件 @ 8587eb8d
/* /*
* Copyright (c) 1999, 2015, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 1999, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -37,6 +37,7 @@ import javax.net.ssl.*; ...@@ -37,6 +37,7 @@ import javax.net.ssl.*;
import sun.security.provider.certpath.AlgorithmChecker; import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.action.GetPropertyAction; import sun.security.action.GetPropertyAction;
import sun.security.validator.Validator;
public abstract class SSLContextImpl extends SSLContextSpi { public abstract class SSLContextImpl extends SSLContextSpi {
...@@ -1040,7 +1041,7 @@ final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager ...@@ -1040,7 +1041,7 @@ final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager
constraints = new SSLAlgorithmConstraints(sslSocket, true); constraints = new SSLAlgorithmConstraints(sslSocket, true);
} }
checkAlgorithmConstraints(chain, constraints); checkAlgorithmConstraints(chain, constraints, isClient);
} }
} }
...@@ -1082,12 +1083,12 @@ final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager ...@@ -1082,12 +1083,12 @@ final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager
constraints = new SSLAlgorithmConstraints(engine, true); constraints = new SSLAlgorithmConstraints(engine, true);
} }
checkAlgorithmConstraints(chain, constraints); checkAlgorithmConstraints(chain, constraints, isClient);
} }
} }
private void checkAlgorithmConstraints(X509Certificate[] chain, private void checkAlgorithmConstraints(X509Certificate[] chain,
AlgorithmConstraints constraints) throws CertificateException { AlgorithmConstraints constraints, boolean isClient) throws CertificateException {
try { try {
// Does the certificate chain end with a trusted certificate? // Does the certificate chain end with a trusted certificate?
...@@ -1105,7 +1106,9 @@ final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager ...@@ -1105,7 +1106,9 @@ final class AbstractTrustManagerWrapper extends X509ExtendedTrustManager
// A forward checker, need to check from trust to target // A forward checker, need to check from trust to target
if (checkedLength >= 0) { if (checkedLength >= 0) {
AlgorithmChecker checker = new AlgorithmChecker(constraints); AlgorithmChecker checker =
new AlgorithmChecker(constraints, null,
(isClient ? Validator.VAR_TLS_CLIENT : Validator.VAR_TLS_SERVER));
checker.init(false); checker.init(false);
for (int i = checkedLength; i >= 0; i--) { for (int i = checkedLength; i >= 0; i--) {
Certificate cert = chain[i]; Certificate cert = chain[i];
......
src/share/classes/sun/security/ssl/SSLSocketImpl.java
浏览文件 @ 8587eb8d
/* /*
* Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -220,6 +220,11 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl { ...@@ -220,6 +220,11 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
Collections.<SNIServerName>emptyList(); Collections.<SNIServerName>emptyList();
Collection<SNIMatcher> sniMatchers = Collection<SNIMatcher> sniMatchers =
Collections.<SNIMatcher>emptyList(); Collections.<SNIMatcher>emptyList();
// Is the serverNames set to empty with SSLParameters.setServerNames()?
private boolean noSniExtension = false;
// Is the sniMatchers set to empty with SSLParameters.setSNIMatchers()?
private boolean noSniMatcher = false;
/* /*
* READ ME * READ ME * READ ME * READ ME * READ ME * READ ME * * READ ME * READ ME * READ ME * READ ME * READ ME * READ ME *
...@@ -666,6 +671,11 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl { ...@@ -666,6 +671,11 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
} }
super.connect(endpoint, timeout); super.connect(endpoint, timeout);
if (host == null || host.length() == 0) {
useImplicitHost(false);
}
doneConnect(); doneConnect();
} }
...@@ -2158,41 +2168,61 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl { ...@@ -2158,41 +2168,61 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
output.r.setVersion(protocolVersion); output.r.setVersion(protocolVersion);
} }
//
// ONLY used by ClientHandshaker for the server hostname during handshaking
//
synchronized String getHost() { synchronized String getHost() {
// Note that the host may be null or empty for localhost. // Note that the host may be null or empty for localhost.
if (host == null || host.length() == 0) { if (host == null || host.length() == 0) {
if (!trustNameService) { useImplicitHost(true);
// If the local name service is not trustworthy, reverse host
// name resolution should not be performed for endpoint
// identification. Use the application original specified
// hostname or IP address instead.
host = getOriginalHostname(getInetAddress());
} else {
host = getInetAddress().getHostName();
}
} }
return host; return host;
} }
/* /*
* Get the original application specified hostname. * Try to set and use the implicit specified hostname
*/
private static String getOriginalHostname(InetAddress inetAddress) {
/*
* Get the original hostname via sun.misc.SharedSecrets.
*/ */
private synchronized void useImplicitHost(boolean noSniUpdate) {
// Note: If the local name service is not trustworthy, reverse
// host name resolution should not be performed for endpoint
// identification. Use the application original specified
// hostname or IP address instead.
// Get the original hostname via jdk.internal.misc.SharedSecrets
InetAddress inetAddress = getInetAddress();
if (inetAddress == null) { // not connected
return;
}
JavaNetAccess jna = SharedSecrets.getJavaNetAccess(); JavaNetAccess jna = SharedSecrets.getJavaNetAccess();
String originalHostname = jna.getOriginalHostName(inetAddress); String originalHostname = jna.getOriginalHostName(inetAddress);
if ((originalHostname != null) &&
(originalHostname.length() != 0)) {
/* host = originalHostname;
* If no application specified hostname, use the IP address. if (!noSniUpdate && serverNames.isEmpty() && !noSniExtension) {
*/ serverNames =
if (originalHostname == null || originalHostname.length() == 0) { Utilities.addToSNIServerNameList(serverNames, host);
originalHostname = inetAddress.getHostAddress();
if (!roleIsServer &&
(handshaker != null) && !handshaker.started()) {
handshaker.setSNIServerNames(serverNames);
}
} }
return originalHostname; return;
}
// No explicitly specified hostname, no server name indication.
if (!trustNameService) {
// The local name service is not trustworthy, use IP address.
host = inetAddress.getHostAddress();
} else {
// Use the underlying reverse host name resolution service.
host = getInetAddress().getHostName();
}
} }
...@@ -2205,6 +2235,10 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl { ...@@ -2205,6 +2235,10 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
this.host = host; this.host = host;
this.serverNames = this.serverNames =
Utilities.addToSNIServerNameList(this.serverNames, this.host); Utilities.addToSNIServerNameList(this.serverNames, this.host);
if (!roleIsServer && (handshaker != null) && !handshaker.started()) {
handshaker.setSNIServerNames(serverNames);
}
} }
/** /**
...@@ -2571,8 +2605,21 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl { ...@@ -2571,8 +2605,21 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
// the super implementation does not handle the following parameters // the super implementation does not handle the following parameters
params.setEndpointIdentificationAlgorithm(identificationProtocol); params.setEndpointIdentificationAlgorithm(identificationProtocol);
params.setAlgorithmConstraints(algorithmConstraints); params.setAlgorithmConstraints(algorithmConstraints);
if (sniMatchers.isEmpty() && !noSniMatcher) {
// 'null' indicates none has been set
params.setSNIMatchers(null);
} else {
params.setSNIMatchers(sniMatchers); params.setSNIMatchers(sniMatchers);
}
if (serverNames.isEmpty() && !noSniExtension) {
// 'null' indicates none has been set
params.setServerNames(null);
} else {
params.setServerNames(serverNames); params.setServerNames(serverNames);
}
params.setUseCipherSuitesOrder(preferLocalCipherSuites); params.setUseCipherSuitesOrder(preferLocalCipherSuites);
return params; return params;
...@@ -2592,11 +2639,13 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl { ...@@ -2592,11 +2639,13 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
List<SNIServerName> sniNames = params.getServerNames(); List<SNIServerName> sniNames = params.getServerNames();
if (sniNames != null) { if (sniNames != null) {
noSniExtension = sniNames.isEmpty();
serverNames = sniNames; serverNames = sniNames;
} }
Collection<SNIMatcher> matchers = params.getSNIMatchers(); Collection<SNIMatcher> matchers = params.getSNIMatchers();
if (matchers != null) { if (matchers != null) {
noSniMatcher = matchers.isEmpty();
sniMatchers = matchers; sniMatchers = matchers;
} }
......
src/share/classes/sun/security/ssl/X509KeyManagerImpl.java
浏览文件 @ 8587eb8d
/* /*
* Copyright (c) 2004, 2013, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2004, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -39,6 +39,7 @@ import java.security.cert.Certificate; ...@@ -39,6 +39,7 @@ import java.security.cert.Certificate;
import javax.net.ssl.*; import javax.net.ssl.*;
import sun.security.provider.certpath.AlgorithmChecker; import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.validator.Validator;
/** /**
* The new X509 key manager implementation. The main differences to the * The new X509 key manager implementation. The main differences to the
...@@ -62,7 +63,7 @@ final class X509KeyManagerImpl extends X509ExtendedKeyManager ...@@ -62,7 +63,7 @@ final class X509KeyManagerImpl extends X509ExtendedKeyManager
private static final Debug debug = Debug.getInstance("ssl"); private static final Debug debug = Debug.getInstance("ssl");
private final static boolean useDebug = private static final boolean useDebug =
(debug != null) && Debug.isOn("keymanager"); (debug != null) && Debug.isOn("keymanager");
// for unit testing only, set via privileged reflection // for unit testing only, set via privileged reflection
...@@ -661,6 +662,15 @@ final class X509KeyManagerImpl extends X509ExtendedKeyManager ...@@ -661,6 +662,15 @@ final class X509KeyManagerImpl extends X509ExtendedKeyManager
return CheckResult.OK; return CheckResult.OK;
} }
public String getValidator() {
if (this == CLIENT) {
return Validator.VAR_TLS_CLIENT;
} else if (this == SERVER) {
return Validator.VAR_TLS_SERVER;
}
return Validator.VAR_GENERIC;
}
} }
// enum for the result of the extension check // enum for the result of the extension check
...@@ -774,7 +784,8 @@ final class X509KeyManagerImpl extends X509ExtendedKeyManager ...@@ -774,7 +784,8 @@ final class X509KeyManagerImpl extends X509ExtendedKeyManager
// check the algorithm constraints // check the algorithm constraints
if (constraints != null && if (constraints != null &&
!conformsToAlgorithmConstraints(constraints, chain)) { !conformsToAlgorithmConstraints(constraints, chain,
checkType.getValidator())) {
if (useDebug) { if (useDebug) {
debug.println("Ignoring alias " + alias + debug.println("Ignoring alias " + alias +
...@@ -811,13 +822,19 @@ final class X509KeyManagerImpl extends X509ExtendedKeyManager ...@@ -811,13 +822,19 @@ final class X509KeyManagerImpl extends X509ExtendedKeyManager
} }
private static boolean conformsToAlgorithmConstraints( private static boolean conformsToAlgorithmConstraints(
AlgorithmConstraints constraints, Certificate[] chain) { AlgorithmConstraints constraints, Certificate[] chain,
String variant) {
AlgorithmChecker checker = new AlgorithmChecker(constraints); AlgorithmChecker checker = new AlgorithmChecker(constraints, null, variant);
try { try {
checker.init(false); checker.init(false);
} catch (CertPathValidatorException cpve) { } catch (CertPathValidatorException cpve) {
// unlikely to happen // unlikely to happen
if (useDebug) {
debug.println(
"Cannot initialize algorithm constraints checker: " + cpve);
}
return false; return false;
} }
...@@ -828,6 +845,11 @@ final class X509KeyManagerImpl extends X509ExtendedKeyManager ...@@ -828,6 +845,11 @@ final class X509KeyManagerImpl extends X509ExtendedKeyManager
// We don't care about the unresolved critical extensions. // We don't care about the unresolved critical extensions.
checker.check(cert, Collections.<String>emptySet()); checker.check(cert, Collections.<String>emptySet());
} catch (CertPathValidatorException cpve) { } catch (CertPathValidatorException cpve) {
if (useDebug) {
debug.println("Certificate (" + cert +
") does not conform to algorithm constraints: " + cpve);
}
return false; return false;
} }
} }
......
src/share/classes/sun/security/util/AnchorCertificates.java
浏览文件 @ 8587eb8d
...@@ -31,8 +31,10 @@ import java.security.AccessController; ...@@ -31,8 +31,10 @@ import java.security.AccessController;
import java.security.KeyStore; import java.security.KeyStore;
import java.security.PrivilegedAction; import java.security.PrivilegedAction;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration; import java.util.Enumeration;
import java.util.HashSet; import java.util.HashSet;
import java.util.Set;
import sun.security.x509.X509CertImpl; import sun.security.x509.X509CertImpl;
...@@ -44,7 +46,7 @@ public class AnchorCertificates { ...@@ -44,7 +46,7 @@ public class AnchorCertificates {
private static final Debug debug = Debug.getInstance("certpath"); private static final Debug debug = Debug.getInstance("certpath");
private static final String HASH = "SHA-256"; private static final String HASH = "SHA-256";
private static HashSet<String> certs; private static Set<String> certs = Collections.emptySet();
static { static {
AccessController.doPrivileged(new PrivilegedAction<Void>() { AccessController.doPrivileged(new PrivilegedAction<Void>() {
......
src/share/classes/sun/security/util/CertConstraintParameters.java src/share/classes/sun/security/util/ConstraintsParameters.java
浏览文件 @ 8587eb8d
/* /*
* Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2016, 2017 Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -25,29 +25,93 @@ ...@@ -25,29 +25,93 @@
package sun.security.util; package sun.security.util;
import sun.security.validator.Validator;
import java.security.AlgorithmParameters;
import java.security.Key;
import java.security.Timestamp;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import java.util.Date;
/** /**
* This class is a wrapper for keeping state and passing objects between PKIX, * This class contains parameters for checking against constraints that extend
* AlgorithmChecker, and DisabledAlgorithmConstraints. * past the publicly available parameters in java.security.AlgorithmConstraints.
* This is currently on passed between between PKIX, AlgorithmChecker,
* and DisabledAlgorithmConstraints.
*/
public class ConstraintsParameters {
/*
* The below 3 values are used the same as the permit() methods
* published in java.security.AlgorithmConstraints.
*/
// Algorithm string to be checked against constraints
private final String algorithm;
// AlgorithmParameters to the algorithm being checked
private final AlgorithmParameters algParams;
// Public Key being checked against constraints
private final Key publicKey;
/*
* New values that are checked against constraints that the current public
* API does not support.
*/ */
public class CertConstraintParameters {
// A certificate being passed to check against constraints. // A certificate being passed to check against constraints.
private final X509Certificate cert; private final X509Certificate cert;
// This is true if the trust anchor in the certificate chain matches a cert // This is true if the trust anchor in the certificate chain matches a cert
// in AnchorCertificates // in AnchorCertificates
private final boolean trustedMatch; private final boolean trustedMatch;
// PKIXParameter date
private final Date pkixDate;
// Timestamp of the signed JAR file
private final Timestamp jarTimestamp;
private final String variant;
public CertConstraintParameters(X509Certificate c, boolean match) { public ConstraintsParameters(X509Certificate c, boolean match,
Date pkixdate, Timestamp jarTime, String variant) {
cert = c; cert = c;
trustedMatch = match; trustedMatch = match;
pkixDate = pkixdate;
jarTimestamp = jarTime;
this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
algorithm = null;
algParams = null;
publicKey = null;
}
public ConstraintsParameters(String algorithm, AlgorithmParameters params,
Key key, String variant) {
this.algorithm = algorithm;
algParams = params;
this.publicKey = key;
cert = null;
trustedMatch = false;
pkixDate = null;
jarTimestamp = null;
this.variant = (variant == null ? Validator.VAR_GENERIC : variant);
}
public ConstraintsParameters(X509Certificate c) {
this(c, false, null, null,
Validator.VAR_GENERIC);
} }
public CertConstraintParameters(X509Certificate c) { public ConstraintsParameters(Timestamp jarTime) {
this(c, false); this(null, false, null, jarTime, Validator.VAR_GENERIC);
} }
public String getAlgorithm() {
return algorithm;
}
public AlgorithmParameters getAlgParams() {
return algParams;
}
public Key getPublicKey() {
return publicKey;
}
// Returns if the trust anchor has a match if anchor checking is enabled. // Returns if the trust anchor has a match if anchor checking is enabled.
public boolean isTrustedMatch() { public boolean isTrustedMatch() {
return trustedMatch; return trustedMatch;
...@@ -56,4 +120,16 @@ public class CertConstraintParameters { ...@@ -56,4 +120,16 @@ public class CertConstraintParameters {
public X509Certificate getCertificate() { public X509Certificate getCertificate() {
return cert; return cert;
} }
public Date getPKIXParamDate() {
return pkixDate;
}
public Timestamp getJARTimestamp() {
return jarTimestamp;
}
public String getVariant() {
return variant;
}
} }
src/share/classes/sun/security/util/SignatureFileVerifier.java
浏览文件 @ 8587eb8d
/* /*
* Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -28,25 +28,23 @@ package sun.security.util; ...@@ -28,25 +28,23 @@ package sun.security.util;
import java.io.ByteArrayInputStream; import java.io.ByteArrayInputStream;
import java.io.IOException; import java.io.IOException;
import java.security.CodeSigner; import java.security.CodeSigner;
import java.security.CryptoPrimitive; import java.security.GeneralSecurityException;
import java.security.MessageDigest; import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import java.security.SignatureException; import java.security.SignatureException;
import java.security.Timestamp;
import java.security.cert.CertPath; import java.security.cert.CertPath;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
import java.security.cert.CertificateException; import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory; import java.security.cert.CertificateFactory;
import java.util.ArrayList; import java.util.ArrayList;
import java.util.Base64; import java.util.Base64;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap; import java.util.HashMap;
import java.util.Hashtable; import java.util.Hashtable;
import java.util.Iterator; import java.util.Iterator;
import java.util.List; import java.util.List;
import java.util.Locale; import java.util.Locale;
import java.util.Map; import java.util.Map;
import java.util.Set;
import java.util.jar.Attributes; import java.util.jar.Attributes;
import java.util.jar.JarException; import java.util.jar.JarException;
import java.util.jar.JarFile; import java.util.jar.JarFile;
...@@ -61,9 +59,6 @@ public class SignatureFileVerifier { ...@@ -61,9 +59,6 @@ public class SignatureFileVerifier {
/* Are we debugging ? */ /* Are we debugging ? */
private static final Debug debug = Debug.getInstance("jar"); private static final Debug debug = Debug.getInstance("jar");
private static final Set<CryptoPrimitive> DIGEST_PRIMITIVE_SET =
Collections.unmodifiableSet(EnumSet.of(CryptoPrimitive.MESSAGE_DIGEST));
private static final DisabledAlgorithmConstraints JAR_DISABLED_CHECK = private static final DisabledAlgorithmConstraints JAR_DISABLED_CHECK =
new DisabledAlgorithmConstraints( new DisabledAlgorithmConstraints(
DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS); DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS);
...@@ -78,7 +73,7 @@ public class SignatureFileVerifier { ...@@ -78,7 +73,7 @@ public class SignatureFileVerifier {
private PKCS7 block; private PKCS7 block;
/** the raw bytes of the .SF file */ /** the raw bytes of the .SF file */
private byte sfBytes[]; private byte[] sfBytes;
/** the name of the signature block file, uppercased and without /** the name of the signature block file, uppercased and without
* the extension (.DSA/.RSA/.EC) * the extension (.DSA/.RSA/.EC)
...@@ -97,6 +92,14 @@ public class SignatureFileVerifier { ...@@ -97,6 +92,14 @@ public class SignatureFileVerifier {
/* for generating certpath objects */ /* for generating certpath objects */
private CertificateFactory certificateFactory = null; private CertificateFactory certificateFactory = null;
/** Algorithms that have been checked if they are weak. */
private Map<String, Boolean> permittedAlgs= new HashMap<>();
/** TSA timestamp of signed jar. The newest timestamp is used. If there
* was no TSA timestamp used when signed, current time is used ("null").
*/
private Timestamp timestamp = null;
/** /**
* Create the named SignatureFileVerifier. * Create the named SignatureFileVerifier.
* *
...@@ -107,7 +110,7 @@ public class SignatureFileVerifier { ...@@ -107,7 +110,7 @@ public class SignatureFileVerifier {
public SignatureFileVerifier(ArrayList<CodeSigner[]> signerCache, public SignatureFileVerifier(ArrayList<CodeSigner[]> signerCache,
ManifestDigester md, ManifestDigester md,
String name, String name,
byte rawBytes[]) byte[] rawBytes)
throws IOException, CertificateException throws IOException, CertificateException
{ {
// new PKCS7() calls CertificateFactory.getInstance() // new PKCS7() calls CertificateFactory.getInstance()
...@@ -121,7 +124,7 @@ public class SignatureFileVerifier { ...@@ -121,7 +124,7 @@ public class SignatureFileVerifier {
} finally { } finally {
Providers.stopJarVerification(obj); Providers.stopJarVerification(obj);
} }
this.name = name.substring(0, name.lastIndexOf(".")) this.name = name.substring(0, name.lastIndexOf('.'))
.toUpperCase(Locale.ENGLISH); .toUpperCase(Locale.ENGLISH);
this.md = md; this.md = md;
this.signerCache = signerCache; this.signerCache = signerCache;
...@@ -152,7 +155,7 @@ public class SignatureFileVerifier { ...@@ -152,7 +155,7 @@ public class SignatureFileVerifier {
* used to set the raw bytes of the .SF file when it * used to set the raw bytes of the .SF file when it
* is external to the signature block file. * is external to the signature block file.
*/ */
public void setSignatureFile(byte sfBytes[]) public void setSignatureFile(byte[] sfBytes)
{ {
this.sfBytes = sfBytes; this.sfBytes = sfBytes;
} }
...@@ -168,11 +171,10 @@ public class SignatureFileVerifier { ...@@ -168,11 +171,10 @@ public class SignatureFileVerifier {
*/ */
public static boolean isBlockOrSF(String s) { public static boolean isBlockOrSF(String s) {
// we currently only support DSA and RSA PKCS7 blocks // we currently only support DSA and RSA PKCS7 blocks
if (s.endsWith(".SF") || s.endsWith(".DSA") || return s.endsWith(".SF")
s.endsWith(".RSA") || s.endsWith(".EC")) { || s.endsWith(".DSA")
return true; || s.endsWith(".RSA")
} || s.endsWith(".EC");
return false;
} }
/** /**
...@@ -182,7 +184,7 @@ public class SignatureFileVerifier { ...@@ -182,7 +184,7 @@ public class SignatureFileVerifier {
* unknown signature related files (those starting with SIG- with * unknown signature related files (those starting with SIG- with
* an optional [A-Z0-9]{1,3} extension right inside META-INF). * an optional [A-Z0-9]{1,3} extension right inside META-INF).
* *
* @param s file name * @param name file name
* @return true if the input file name is signature related * @return true if the input file name is signature related
*/ */
public static boolean isSigningRelated(String name) { public static boolean isSigningRelated(String name) {
...@@ -198,7 +200,7 @@ public class SignatureFileVerifier { ...@@ -198,7 +200,7 @@ public class SignatureFileVerifier {
return true; return true;
} else if (name.startsWith("SIG-")) { } else if (name.startsWith("SIG-")) {
// check filename extension // check filename extension
// see https://docs.oracle.com/javase/7/docs/technotes/guides/jar/jar.html#Digital_Signatures // see http://docs.oracle.com/javase/7/docs/technotes/guides/jar/jar.html#Digital_Signatures
// for what filename extensions are legal // for what filename extensions are legal
int extIndex = name.lastIndexOf('.'); int extIndex = name.lastIndexOf('.');
if (extIndex != -1) { if (extIndex != -1) {
...@@ -223,17 +225,10 @@ public class SignatureFileVerifier { ...@@ -223,17 +225,10 @@ public class SignatureFileVerifier {
/** get digest from cache */ /** get digest from cache */
private MessageDigest getDigest(String algorithm) throws SignatureException { private MessageDigest getDigest(String algorithm)
// check that algorithm is not restricted throws SignatureException {
if (!JAR_DISABLED_CHECK.permits(DIGEST_PRIMITIVE_SET, algorithm, null)) {
SignatureException e =
new SignatureException("SignatureFile check failed. " +
"Disabled algorithm used: " + algorithm);
throw e;
}
if (createdDigests == null) if (createdDigests == null)
createdDigests = new HashMap<String, MessageDigest>(); createdDigests = new HashMap<>();
MessageDigest digest = createdDigests.get(algorithm); MessageDigest digest = createdDigests.get(algorithm);
...@@ -303,6 +298,27 @@ public class SignatureFileVerifier { ...@@ -303,6 +298,27 @@ public class SignatureFileVerifier {
if (newSigners == null) if (newSigners == null)
return; return;
/*
* Look for the latest timestamp in the signature block. If an entry
* has no timestamp, use current time (aka null).
*/
for (CodeSigner s: newSigners) {
if (debug != null) {
debug.println("Gathering timestamp for: " + s.toString());
}
if (s.getTimestamp() == null) {
timestamp = null;
break;
} else if (timestamp == null) {
timestamp = s.getTimestamp();
} else {
if (timestamp.getTimestamp().before(
s.getTimestamp().getTimestamp())) {
timestamp = s.getTimestamp();
}
}
}
Iterator<Map.Entry<String,Attributes>> entries = Iterator<Map.Entry<String,Attributes>> entries =
sf.getEntries().entrySet().iterator(); sf.getEntries().entrySet().iterator();
...@@ -345,6 +361,68 @@ public class SignatureFileVerifier { ...@@ -345,6 +361,68 @@ public class SignatureFileVerifier {
updateSigners(newSigners, signers, JarFile.MANIFEST_NAME); updateSigners(newSigners, signers, JarFile.MANIFEST_NAME);
} }
/**
* Check if algorithm is permitted using the permittedAlgs Map.
* If the algorithm is not in the map, check against disabled algorithms and
* store the result. If the algorithm is in the map use that result.
* False is returned for weak algorithm, true for good algorithms.
*/
boolean permittedCheck(String key, String algorithm) {
Boolean permitted = permittedAlgs.get(algorithm);
if (permitted == null) {
try {
JAR_DISABLED_CHECK.permits(algorithm,
new ConstraintsParameters(timestamp));
} catch(GeneralSecurityException e) {
permittedAlgs.put(algorithm, Boolean.FALSE);
permittedAlgs.put(key.toUpperCase(), Boolean.FALSE);
if (debug != null) {
if (e.getMessage() != null) {
debug.println(key + ": " + e.getMessage());
} else {
debug.println(key + ": " + algorithm +
" was disabled, no exception msg given.");
e.printStackTrace();
}
}
return false;
}
permittedAlgs.put(algorithm, Boolean.TRUE);
return true;
}
// Algorithm has already been checked, return the value from map.
return permitted.booleanValue();
}
/**
* With a given header (*-DIGEST*), return a string that lists all the
* algorithms associated with the header.
* If there are none, return "Unknown Algorithm".
*/
String getWeakAlgorithms(String header) {
String w = "";
try {
for (String key : permittedAlgs.keySet()) {
if (key.endsWith(header)) {
w += key.substring(0, key.length() - header.length()) + " ";
}
}
} catch (RuntimeException e) {
w = "Unknown Algorithm(s). Error processing " + header + ". " +
e.getMessage();
}
// This means we have an error in finding weak algorithms, run in
// debug mode to see permittedAlgs map's values.
if (w.length() == 0) {
return "Unknown Algorithm(s)";
}
return w;
}
/** /**
* See if the whole manifest was signed. * See if the whole manifest was signed.
*/ */
...@@ -355,6 +433,10 @@ public class SignatureFileVerifier { ...@@ -355,6 +433,10 @@ public class SignatureFileVerifier {
{ {
Attributes mattr = sf.getMainAttributes(); Attributes mattr = sf.getMainAttributes();
boolean manifestSigned = false; boolean manifestSigned = false;
// If only weak algorithms are used.
boolean weakAlgs = true;
// If a "*-DIGEST-MANIFEST" entry is found.
boolean validEntry = false;
// go through all the attributes and process *-Digest-Manifest entries // go through all the attributes and process *-Digest-Manifest entries
for (Map.Entry<Object,Object> se : mattr.entrySet()) { for (Map.Entry<Object,Object> se : mattr.entrySet()) {
...@@ -364,6 +446,16 @@ public class SignatureFileVerifier { ...@@ -364,6 +446,16 @@ public class SignatureFileVerifier {
if (key.toUpperCase(Locale.ENGLISH).endsWith("-DIGEST-MANIFEST")) { if (key.toUpperCase(Locale.ENGLISH).endsWith("-DIGEST-MANIFEST")) {
// 16 is length of "-Digest-Manifest" // 16 is length of "-Digest-Manifest"
String algorithm = key.substring(0, key.length()-16); String algorithm = key.substring(0, key.length()-16);
validEntry = true;
// Check if this algorithm is permitted, skip if false.
if (!permittedCheck(key, algorithm)) {
continue;
}
// A non-weak algorithm was used, any weak algorithms found do
// not need to be reported.
weakAlgs = false;
manifestDigests.add(key); manifestDigests.add(key);
manifestDigests.add(se.getValue()); manifestDigests.add(se.getValue());
...@@ -375,14 +467,13 @@ public class SignatureFileVerifier { ...@@ -375,14 +467,13 @@ public class SignatureFileVerifier {
if (debug != null) { if (debug != null) {
debug.println("Signature File: Manifest digest " + debug.println("Signature File: Manifest digest " +
digest.getAlgorithm()); algorithm);
debug.println( " sigfile " + toHex(expectedHash)); debug.println( " sigfile " + toHex(expectedHash));
debug.println( " computed " + toHex(computedHash)); debug.println( " computed " + toHex(computedHash));
debug.println(); debug.println();
} }
if (MessageDigest.isEqual(computedHash, if (MessageDigest.isEqual(computedHash, expectedHash)) {
expectedHash)) {
manifestSigned = true; manifestSigned = true;
} else { } else {
//XXX: we will continue and verify each section //XXX: we will continue and verify each section
...@@ -390,15 +481,33 @@ public class SignatureFileVerifier { ...@@ -390,15 +481,33 @@ public class SignatureFileVerifier {
} }
} }
} }
if (debug != null) {
debug.println("PermittedAlgs mapping: ");
for (String key : permittedAlgs.keySet()) {
debug.println(key + " : " +
permittedAlgs.get(key).toString());
}
}
// If there were only weak algorithms entries used, throw an exception.
if (validEntry && weakAlgs) {
throw new SignatureException("Manifest hash check failed " +
"(DIGEST-MANIFEST). Disabled algorithm(s) used: " +
getWeakAlgorithms("-DIGEST-MANIFEST"));
}
return manifestSigned; return manifestSigned;
} }
private boolean verifyManifestMainAttrs(Manifest sf, private boolean verifyManifestMainAttrs(Manifest sf, ManifestDigester md)
ManifestDigester md)
throws IOException, SignatureException throws IOException, SignatureException
{ {
Attributes mattr = sf.getMainAttributes(); Attributes mattr = sf.getMainAttributes();
boolean attrsVerified = true; boolean attrsVerified = true;
// If only weak algorithms are used.
boolean weakAlgs = true;
// If a ATTR_DIGEST entry is found.
boolean validEntry = false;
// go through all the attributes and process // go through all the attributes and process
// digest entries for the manifest main attributes // digest entries for the manifest main attributes
...@@ -408,6 +517,16 @@ public class SignatureFileVerifier { ...@@ -408,6 +517,16 @@ public class SignatureFileVerifier {
if (key.toUpperCase(Locale.ENGLISH).endsWith(ATTR_DIGEST)) { if (key.toUpperCase(Locale.ENGLISH).endsWith(ATTR_DIGEST)) {
String algorithm = String algorithm =
key.substring(0, key.length() - ATTR_DIGEST.length()); key.substring(0, key.length() - ATTR_DIGEST.length());
validEntry = true;
// Check if this algorithm is permitted, skip if false.
if (!permittedCheck(key, algorithm)) {
continue;
}
// A non-weak algorithm was used, any weak algorithms found do
// not need to be reported.
weakAlgs = false;
MessageDigest digest = getDigest(algorithm); MessageDigest digest = getDigest(algorithm);
if (digest != null) { if (digest != null) {
...@@ -426,8 +545,7 @@ public class SignatureFileVerifier { ...@@ -426,8 +545,7 @@ public class SignatureFileVerifier {
debug.println(); debug.println();
} }
if (MessageDigest.isEqual(computedHash, if (MessageDigest.isEqual(computedHash, expectedHash)) {
expectedHash)) {
// good // good
} else { } else {
// we will *not* continue and verify each section // we will *not* continue and verify each section
...@@ -443,6 +561,22 @@ public class SignatureFileVerifier { ...@@ -443,6 +561,22 @@ public class SignatureFileVerifier {
} }
} }
if (debug != null) {
debug.println("PermittedAlgs mapping: ");
for (String key : permittedAlgs.keySet()) {
debug.println(key + " : " +
permittedAlgs.get(key).toString());
}
}
// If there were only weak algorithms entries used, throw an exception.
if (validEntry && weakAlgs) {
throw new SignatureException("Manifest Main Attribute check " +
"failed (" + ATTR_DIGEST + "). " +
"Disabled algorithm(s) used: " +
getWeakAlgorithms(ATTR_DIGEST));
}
// this method returns 'true' if either: // this method returns 'true' if either:
// . manifest main attributes were not signed, or // . manifest main attributes were not signed, or
// . manifest main attributes were signed and verified // . manifest main attributes were signed and verified
...@@ -465,6 +599,10 @@ public class SignatureFileVerifier { ...@@ -465,6 +599,10 @@ public class SignatureFileVerifier {
{ {
boolean oneDigestVerified = false; boolean oneDigestVerified = false;
ManifestDigester.Entry mde = md.get(name,block.isOldStyle()); ManifestDigester.Entry mde = md.get(name,block.isOldStyle());
// If only weak algorithms are used.
boolean weakAlgs = true;
// If a "*-DIGEST" entry is found.
boolean validEntry = false;
if (mde == null) { if (mde == null) {
throw new SecurityException( throw new SecurityException(
...@@ -472,8 +610,7 @@ public class SignatureFileVerifier { ...@@ -472,8 +610,7 @@ public class SignatureFileVerifier {
} }
if (sfAttr != null) { if (sfAttr != null) {
//sun.security.util.HexDumpEncoder hex = new sun.security.util.HexDumpEncoder();
//sun.misc.HexDumpEncoder hex = new sun.misc.HexDumpEncoder();
//hex.encodeBuffer(data, System.out); //hex.encodeBuffer(data, System.out);
// go through all the attributes and process *-Digest entries // go through all the attributes and process *-Digest entries
...@@ -483,6 +620,16 @@ public class SignatureFileVerifier { ...@@ -483,6 +620,16 @@ public class SignatureFileVerifier {
if (key.toUpperCase(Locale.ENGLISH).endsWith("-DIGEST")) { if (key.toUpperCase(Locale.ENGLISH).endsWith("-DIGEST")) {
// 7 is length of "-Digest" // 7 is length of "-Digest"
String algorithm = key.substring(0, key.length()-7); String algorithm = key.substring(0, key.length()-7);
validEntry = true;
// Check if this algorithm is permitted, skip if false.
if (!permittedCheck(key, algorithm)) {
continue;
}
// A non-weak algorithm was used, any weak algorithms found do
// not need to be reported.
weakAlgs = false;
MessageDigest digest = getDigest(algorithm); MessageDigest digest = getDigest(algorithm);
...@@ -533,6 +680,22 @@ public class SignatureFileVerifier { ...@@ -533,6 +680,22 @@ public class SignatureFileVerifier {
} }
} }
} }
if (debug != null) {
debug.println("PermittedAlgs mapping: ");
for (String key : permittedAlgs.keySet()) {
debug.println(key + " : " +
permittedAlgs.get(key).toString());
}
}
// If there were only weak algorithms entries used, throw an exception.
if (validEntry && weakAlgs) {
throw new SignatureException("Manifest Main Attribute check " +
"failed (DIGEST). Disabled algorithm(s) used: " +
getWeakAlgorithms("DIGEST"));
}
return oneDigestVerified; return oneDigestVerified;
} }
...@@ -541,7 +704,7 @@ public class SignatureFileVerifier { ...@@ -541,7 +704,7 @@ public class SignatureFileVerifier {
* CodeSigner objects. We do this only *once* for a given * CodeSigner objects. We do this only *once* for a given
* signature block file. * signature block file.
*/ */
private CodeSigner[] getSigners(SignerInfo infos[], PKCS7 block) private CodeSigner[] getSigners(SignerInfo[] infos, PKCS7 block)
throws IOException, NoSuchAlgorithmException, SignatureException, throws IOException, NoSuchAlgorithmException, SignatureException,
CertificateException { CertificateException {
...@@ -553,7 +716,7 @@ public class SignatureFileVerifier { ...@@ -553,7 +716,7 @@ public class SignatureFileVerifier {
ArrayList<X509Certificate> chain = info.getCertificateChain(block); ArrayList<X509Certificate> chain = info.getCertificateChain(block);
CertPath certChain = certificateFactory.generateCertPath(chain); CertPath certChain = certificateFactory.generateCertPath(chain);
if (signers == null) { if (signers == null) {
signers = new ArrayList<CodeSigner>(); signers = new ArrayList<>();
} }
// Append the new code signer // Append the new code signer
signers.add(new CodeSigner(certChain, info.getTimestamp())); signers.add(new CodeSigner(certChain, info.getTimestamp()));
...@@ -582,7 +745,7 @@ public class SignatureFileVerifier { ...@@ -582,7 +745,7 @@ public class SignatureFileVerifier {
static String toHex(byte[] data) { static String toHex(byte[] data) {
StringBuffer sb = new StringBuffer(data.length*2); StringBuilder sb = new StringBuilder(data.length*2);
for (int i=0; i<data.length; i++) { for (int i=0; i<data.length; i++) {
sb.append(hexc[(data[i] >>4) & 0x0f]); sb.append(hexc[(data[i] >>4) & 0x0f]);
......
src/share/classes/sun/security/validator/PKIXValidator.java
浏览文件 @ 8587eb8d
/* /*
* Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -33,10 +33,11 @@ import java.security.cert.*; ...@@ -33,10 +33,11 @@ import java.security.cert.*;
import javax.security.auth.x500.X500Principal; import javax.security.auth.x500.X500Principal;
import sun.security.action.GetBooleanAction; import sun.security.action.GetBooleanAction;
import sun.security.provider.certpath.AlgorithmChecker; import sun.security.provider.certpath.AlgorithmChecker;
import sun.security.provider.certpath.PKIXExtendedParameters;
/** /**
* Validator implementation built on the PKIX CertPath API. This * Validator implementation built on the PKIX CertPath API. This
* implementation will be emphasized going forward.<p> * implementation will be emphasized going forward.
* <p> * <p>
* Note that the validate() implementation tries to use a PKIX validator * Note that the validate() implementation tries to use a PKIX validator
* if that appears possible and a PKIX builder otherwise. This increases * if that appears possible and a PKIX builder otherwise. This increases
...@@ -208,13 +209,22 @@ public final class PKIXValidator extends Validator { ...@@ -208,13 +209,22 @@ public final class PKIXValidator extends Validator {
("null or zero-length certificate chain"); ("null or zero-length certificate chain");
} }
// add new algorithm constraints checker // Use PKIXExtendedParameters for timestamp and variant additions
PKIXBuilderParameters pkixParameters = PKIXBuilderParameters pkixParameters = null;
(PKIXBuilderParameters) parameterTemplate.clone(); try {
AlgorithmChecker algorithmChecker = null; pkixParameters = new PKIXExtendedParameters(
(PKIXBuilderParameters) parameterTemplate.clone(),
(parameter instanceof Timestamp) ?
(Timestamp) parameter : null,
variant);
} catch (InvalidAlgorithmParameterException e) {
// ignore exception
}
// add a new algorithm constraints checker
if (constraints != null) { if (constraints != null) {
algorithmChecker = new AlgorithmChecker(constraints); pkixParameters.addCertPathChecker(
pkixParameters.addCertPathChecker(algorithmChecker); new AlgorithmChecker(constraints, null, variant));
} }
if (TRY_VALIDATOR) { if (TRY_VALIDATOR) {
......
src/share/classes/sun/security/validator/SimpleValidator.java
浏览文件 @ 8587eb8d
/* /*
* Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -34,6 +34,7 @@ import java.security.cert.*; ...@@ -34,6 +34,7 @@ import java.security.cert.*;
import javax.security.auth.x500.X500Principal; import javax.security.auth.x500.X500Principal;
import sun.security.x509.X509CertImpl; import sun.security.x509.X509CertImpl;
import sun.security.x509.KeyIdentifier;
import sun.security.x509.NetscapeCertTypeExtension; import sun.security.x509.NetscapeCertTypeExtension;
import sun.security.util.DerValue; import sun.security.util.DerValue;
import sun.security.util.DerInputStream; import sun.security.util.DerInputStream;
...@@ -153,12 +154,14 @@ public final class SimpleValidator extends Validator { ...@@ -153,12 +154,14 @@ public final class SimpleValidator extends Validator {
// create default algorithm constraints checker // create default algorithm constraints checker
TrustAnchor anchor = new TrustAnchor(anchorCert, null); TrustAnchor anchor = new TrustAnchor(anchorCert, null);
AlgorithmChecker defaultAlgChecker = new AlgorithmChecker(anchor); AlgorithmChecker defaultAlgChecker =
new AlgorithmChecker(anchor, variant);
// create application level algorithm constraints checker // create application level algorithm constraints checker
AlgorithmChecker appAlgChecker = null; AlgorithmChecker appAlgChecker = null;
if (constraints != null) { if (constraints != null) {
appAlgChecker = new AlgorithmChecker(anchor, constraints); appAlgChecker = new AlgorithmChecker(anchor, constraints, null,
null, variant);
} }
// verify top down, starting at the certificate issued by // verify top down, starting at the certificate issued by
......
src/share/classes/sun/security/x509/PKIXExtensions.java
浏览文件 @ 8587eb8d
/* /*
* Copyright (c) 1997, 2009, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
...@@ -49,34 +49,39 @@ import sun.security.util.*; ...@@ -49,34 +49,39 @@ import sun.security.util.*;
*/ */
public class PKIXExtensions { public class PKIXExtensions {
// The object identifiers // The object identifiers
private static final int AuthorityKey_data [] = { 2, 5, 29, 35 }; private static final int[] AuthorityKey_data = { 2, 5, 29, 35 };
private static final int SubjectKey_data [] = { 2, 5, 29, 14 }; private static final int[] SubjectKey_data = { 2, 5, 29, 14 };
private static final int KeyUsage_data [] = { 2, 5, 29, 15 }; private static final int[] KeyUsage_data = { 2, 5, 29, 15 };
private static final int PrivateKeyUsage_data [] = { 2, 5, 29, 16 }; private static final int[] PrivateKeyUsage_data = { 2, 5, 29, 16 };
private static final int CertificatePolicies_data [] = { 2, 5, 29, 32 }; private static final int[] CertificatePolicies_data = { 2, 5, 29, 32 };
private static final int PolicyMappings_data [] = { 2, 5, 29, 33 }; private static final int[] PolicyMappings_data = { 2, 5, 29, 33 };
private static final int SubjectAlternativeName_data [] = { 2, 5, 29, 17 }; private static final int[] SubjectAlternativeName_data = { 2, 5, 29, 17 };
private static final int IssuerAlternativeName_data [] = { 2, 5, 29, 18 }; private static final int[] IssuerAlternativeName_data = { 2, 5, 29, 18 };
private static final int SubjectDirectoryAttributes_data [] = { 2, 5, 29, 9 }; private static final int[] SubjectDirectoryAttributes_data = { 2, 5, 29, 9 };
private static final int BasicConstraints_data [] = { 2, 5, 29, 19 }; private static final int[] BasicConstraints_data = { 2, 5, 29, 19 };
private static final int NameConstraints_data [] = { 2, 5, 29, 30 }; private static final int[] NameConstraints_data = { 2, 5, 29, 30 };
private static final int PolicyConstraints_data [] = { 2, 5, 29, 36 }; private static final int[] PolicyConstraints_data = { 2, 5, 29, 36 };
private static final int CRLDistributionPoints_data [] = { 2, 5, 29, 31 }; private static final int[] CRLDistributionPoints_data = { 2, 5, 29, 31 };
private static final int CRLNumber_data [] = { 2, 5, 29, 20 }; private static final int[] CRLNumber_data = { 2, 5, 29, 20 };
private static final int IssuingDistributionPoint_data [] = { 2, 5, 29, 28 }; private static final int[] IssuingDistributionPoint_data = { 2, 5, 29, 28 };
private static final int DeltaCRLIndicator_data [] = { 2, 5, 29, 27 }; private static final int[] DeltaCRLIndicator_data = { 2, 5, 29, 27 };
private static final int ReasonCode_data [] = { 2, 5, 29, 21 }; private static final int[] ReasonCode_data = { 2, 5, 29, 21 };
private static final int HoldInstructionCode_data [] = { 2, 5, 29, 23 }; private static final int[] HoldInstructionCode_data = { 2, 5, 29, 23 };
private static final int InvalidityDate_data [] = { 2, 5, 29, 24 }; private static final int[] InvalidityDate_data = { 2, 5, 29, 24 };
private static final int ExtendedKeyUsage_data [] = { 2, 5, 29, 37 }; private static final int[] ExtendedKeyUsage_data = { 2, 5, 29, 37 };
private static final int InhibitAnyPolicy_data [] = { 2, 5, 29, 54 }; private static final int[] InhibitAnyPolicy_data = { 2, 5, 29, 54 };
private static final int CertificateIssuer_data [] = { 2, 5, 29, 29 }; private static final int[] CertificateIssuer_data = { 2, 5, 29, 29 };
private static final int AuthInfoAccess_data [] = { 1, 3, 6, 1, 5, 5, 7, 1, 1}; private static final int[] AuthInfoAccess_data = { 1, 3, 6, 1, 5, 5, 7, 1, 1};
private static final int SubjectInfoAccess_data [] = { 1, 3, 6, 1, 5, 5, 7, 1, 11}; private static final int[] SubjectInfoAccess_data = { 1, 3, 6, 1, 5, 5, 7, 1, 11};
private static final int FreshestCRL_data [] = { 2, 5, 29, 46 }; private static final int[] FreshestCRL_data = { 2, 5, 29, 46 };
private static final int OCSPNoCheck_data [] = { 1, 3, 6, 1, 5, 5, 7, private static final int[] OCSPNoCheck_data = { 1, 3, 6, 1, 5, 5, 7,
48, 1, 5}; 48, 1, 5};
// Additional extensions under the PKIX arc that are not necessarily
// used in X.509 Certificates or CRLs.
private static final int[] OCSPNonce_data = { 1, 3, 6, 1, 5, 5, 7,
48, 1, 2};
/** /**
* Identifies the particular public key used to sign the certificate. * Identifies the particular public key used to sign the certificate.
*/ */
...@@ -104,18 +109,20 @@ public class PKIXExtensions { ...@@ -104,18 +109,20 @@ public class PKIXExtensions {
public static final ObjectIdentifier CertificatePolicies_Id; public static final ObjectIdentifier CertificatePolicies_Id;
/** /**
* Lists pairs of objectidentifiers of policies considered equivalent by the * Lists pairs of object identifiers of policies considered equivalent by
* issuing CA to the subject CA. * the issuing CA to the subject CA.
*/ */
public static final ObjectIdentifier PolicyMappings_Id; public static final ObjectIdentifier PolicyMappings_Id;
/** /**
* Allows additional identities to be bound to the subject of the certificate. * Allows additional identities to be bound to the subject of the
* certificate.
*/ */
public static final ObjectIdentifier SubjectAlternativeName_Id; public static final ObjectIdentifier SubjectAlternativeName_Id;
/** /**
* Allows additional identities to be associated with the certificate issuer. * Allows additional identities to be associated with the certificate
* issuer.
*/ */
public static final ObjectIdentifier IssuerAlternativeName_Id; public static final ObjectIdentifier IssuerAlternativeName_Id;
...@@ -224,6 +231,12 @@ public class PKIXExtensions { ...@@ -224,6 +231,12 @@ public class PKIXExtensions {
*/ */
public static final ObjectIdentifier OCSPNoCheck_Id; public static final ObjectIdentifier OCSPNoCheck_Id;
/**
* This extension is used to provide nonce data for OCSP requests
* or responses.
*/
public static final ObjectIdentifier OCSPNonce_Id;
static { static {
AuthorityKey_Id = ObjectIdentifier.newInternal(AuthorityKey_data); AuthorityKey_Id = ObjectIdentifier.newInternal(AuthorityKey_data);
SubjectKey_Id = ObjectIdentifier.newInternal(SubjectKey_data); SubjectKey_Id = ObjectIdentifier.newInternal(SubjectKey_data);
...@@ -266,5 +279,6 @@ public class PKIXExtensions { ...@@ -266,5 +279,6 @@ public class PKIXExtensions {
ObjectIdentifier.newInternal(SubjectInfoAccess_data); ObjectIdentifier.newInternal(SubjectInfoAccess_data);
FreshestCRL_Id = ObjectIdentifier.newInternal(FreshestCRL_data); FreshestCRL_Id = ObjectIdentifier.newInternal(FreshestCRL_data);
OCSPNoCheck_Id = ObjectIdentifier.newInternal(OCSPNoCheck_data); OCSPNoCheck_Id = ObjectIdentifier.newInternal(OCSPNoCheck_data);
OCSPNonce_Id = ObjectIdentifier.newInternal(OCSPNonce_data);
} }
} }
src/share/lib/security/java.security-aix
浏览文件 @ 8587eb8d
...@@ -426,9 +426,7 @@ krb5.kdc.bad.policy = tryLast ...@@ -426,9 +426,7 @@ krb5.kdc.bad.policy = tryLast
# describes the mechanism for disabling algorithms based on algorithm name # describes the mechanism for disabling algorithms based on algorithm name
# and/or key length. This includes algorithms used in certificates, as well # and/or key length. This includes algorithms used in certificates, as well
# as revocation information such as CRLs and signed OCSP Responses. # as revocation information such as CRLs and signed OCSP Responses.
# # The syntax of the disabled algorithm string is described as follows:
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
# DisabledAlgorithms: # DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } " # " DisabledAlgorithm { , DisabledAlgorithm } "
# #
...@@ -439,25 +437,26 @@ krb5.kdc.bad.policy = tryLast ...@@ -439,25 +437,26 @@ krb5.kdc.bad.policy = tryLast
# (see below) # (see below)
# #
# Constraint: # Constraint:
# KeySizeConstraint, CertConstraint # KeySizeConstraint | CAConstraint | DenyAfterConstraint |
# UsageConstraint
# #
# KeySizeConstraint: # KeySizeConstraint:
# keySize Operator DecimalInteger # keySize Operator KeyLength
# #
# Operator: # Operator:
# <= | < | == | != | >= | > # <= | < | == | != | >= | >
# #
# DecimalInteger: # KeyLength:
# DecimalDigits # Integer value of the algorithm's key length in bits
# #
# DecimalDigits: # CAConstraint:
# DecimalDigit {DecimalDigit} # jdkCA
# #
# DecimalDigit: one of # DenyAfterConstraint:
# 1 2 3 4 5 6 7 8 9 0 # denyAfter YYYY-MM-DD
# #
# CertConstraint # UsageConstraint:
# jdkCA # usage [TLSServer] [TLSClient] [SignedJAR]
# #
# The "AlgorithmName" is the standard algorithm name of the disabled # The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name # algorithm. See "Java Cryptography Architecture Standard Algorithm Name
...@@ -471,27 +470,55 @@ krb5.kdc.bad.policy = tryLast ...@@ -471,27 +470,55 @@ krb5.kdc.bad.policy = tryLast
# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion # that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
# will not disable algorithms related to "ECDSA". # will not disable algorithms related to "ECDSA".
# #
# A "Constraint" provides further guidance for the algorithm being specified. # A "Constraint" defines restrictions on the keys and/or certificates for
# The "KeySizeConstraint" requires a key of a valid size range if the # a specified AlgorithmName:
# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the #
# key size specified in number of bits. For example, "RSA keySize <= 1024" # KeySizeConstraint:
# indicates that any RSA key with key size less than or equal to 1024 bits # keySize Operator KeyLength
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates # The constraint requires a key of a valid size range if the
# that any RSA key with key size less than 1024 or greater than 2048 should # "AlgorithmName" is of a key algorithm. The "KeyLength" indicates
# be disabled. Note that the "KeySizeConstraint" only makes sense to key # the key size specified in number of bits. For example,
# algorithms. # "RSA keySize <= 1024" indicates that any RSA key with key size less
# # than or equal to 1024 bits should be disabled, and
# "CertConstraint" specifies additional constraints for # "RSA keySize < 1024, RSA keySize > 2048" indicates that any RSA key
# certificates that contain algorithms that are restricted: # with key size less than 1024 or greater than 2048 should be disabled.
# # This constraint is only used on algorithms that have a key size.
# "jdkCA" prohibits the specified algorithm only if the algorithm is used #
# in a certificate chain that terminates at a marked trust anchor in the # CAConstraint:
# lib/security/cacerts keystore. All other chains are not affected. # jdkCA
# If the jdkCA constraint is not set, then all chains using the # This constraint prohibits the specified algorithm only if the
# specified algorithm are restricted. jdkCA may only be used once in # algorithm is used in a certificate chain that terminates at a marked
# a DisabledAlgorithm expression. # trust anchor in the lib/security/cacerts keystore. If the jdkCA
# constraint is not set, then all chains using the specified algorithm
# are restricted. jdkCA may only be used once in a DisabledAlgorithm
# expression.
# Example: To apply this constraint to SHA-1 certificates, include # Example: To apply this constraint to SHA-1 certificates, include
# the following "SHA1 jdkCA" # the following: "SHA1 jdkCA"
#
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
# This constraint prohibits a certificate with the specified algorithm
# from being used after the date regardless of the certificate's
# validity. JAR files that are signed and timestamped before the
# constraint date with certificates containing the disabled algorithm
# will not be restricted. The date is processed in the UTC timezone.
# This constraint can only be used once in a DisabledAlgorithm
# expression.
# Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
# use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
#
# UsageConstraint:
# usage [TLSServer] [TLSClient] [SignedJAR]
# This constraint prohibits the specified algorithm for
# a specified usage. This should be used when disabling an algorithm
# for all usages is not practical. 'TLSServer' restricts the algorithm
# in TLS server certificate chains when server authentication is
# performed. 'TLSClient' restricts the algorithm in TLS client
# certificate chains when client authentication is performed.
# 'SignedJAR' constrains use of certificates in signed jar files.
# The usage type follows the keyword and more than one usage type can
# be specified with a whitespace delimiter.
# Example: "SHA1 usage TLSServer TLSClient"
# #
# When an algorithm must satisfy more than one constraint, it must be # When an algorithm must satisfy more than one constraint, it must be
# delimited by an ampersand '&'. For example, to restrict certificates in a # delimited by an ampersand '&'. For example, to restrict certificates in a
...@@ -504,6 +531,9 @@ krb5.kdc.bad.policy = tryLast ...@@ -504,6 +531,9 @@ krb5.kdc.bad.policy = tryLast
# before larger keysize constraints of the same algorithm. For example: # before larger keysize constraints of the same algorithm. For example:
# "RSA keySize < 1024 & jdkCA, RSA keySize < 2048". # "RSA keySize < 1024 & jdkCA, RSA keySize < 2048".
# #
# Note: The algorithm restrictions do not apply to trust anchors or
# self-signed certificates.
#
# Note: This property is currently used by Oracle's PKIX implementation. It # Note: This property is currently used by Oracle's PKIX implementation. It
# is not guaranteed to be examined and used by other implementations. # is not guaranteed to be examined and used by other implementations.
# #
...@@ -511,9 +541,10 @@ krb5.kdc.bad.policy = tryLast ...@@ -511,9 +541,10 @@ krb5.kdc.bad.policy = tryLast
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048 # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
# #
# #
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
DSA keySize < 1024, EC keySize < 224 RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
#
# Algorithm restrictions for signed JAR files # Algorithm restrictions for signed JAR files
# #
# In some environments, certain algorithms or key lengths may be undesirable # In some environments, certain algorithms or key lengths may be undesirable
...@@ -528,17 +559,20 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ ...@@ -528,17 +559,20 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# " DisabledAlgorithm { , DisabledAlgorithm } " # " DisabledAlgorithm { , DisabledAlgorithm } "
# #
# DisabledAlgorithm: # DisabledAlgorithm:
# AlgorithmName [Constraint] # AlgorithmName [Constraint] { '&' Constraint }
# #
# AlgorithmName: # AlgorithmName:
# (see below) # (see below)
# #
# Constraint: # Constraint:
# KeySizeConstraint # KeySizeConstraint | DenyAfterConstraint
# #
# KeySizeConstraint: # KeySizeConstraint:
# keySize Operator KeyLength # keySize Operator KeyLength
# #
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
#
# Operator: # Operator:
# <= | < | == | != | >= | > # <= | < | == | != | >= | >
# #
...@@ -549,8 +583,11 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ ...@@ -549,8 +583,11 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# implementation. It is not guaranteed to be examined and used by other # implementation. It is not guaranteed to be examined and used by other
# implementations. # implementations.
# #
# See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
#
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024 jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
#
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing # (SSL/TLS) processing
# #
...@@ -572,6 +609,9 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024 ...@@ -572,6 +609,9 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
# See the specification of "jdk.certpath.disabledAlgorithms" for the # See the specification of "jdk.certpath.disabledAlgorithms" for the
# syntax of the disabled algorithm string. # syntax of the disabled algorithm string.
# #
# Note: The algorithm restrictions do not apply to trust anchors or
# self-signed certificates.
#
# Note: This property is currently used by the JDK Reference implementation. # Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations. # It is not guaranteed to be examined and used by other implementations.
# #
......
src/share/lib/security/java.security-linux
浏览文件 @ 8587eb8d
...@@ -426,9 +426,7 @@ krb5.kdc.bad.policy = tryLast ...@@ -426,9 +426,7 @@ krb5.kdc.bad.policy = tryLast
# describes the mechanism for disabling algorithms based on algorithm name # describes the mechanism for disabling algorithms based on algorithm name
# and/or key length. This includes algorithms used in certificates, as well # and/or key length. This includes algorithms used in certificates, as well
# as revocation information such as CRLs and signed OCSP Responses. # as revocation information such as CRLs and signed OCSP Responses.
# # The syntax of the disabled algorithm string is described as follows:
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
# DisabledAlgorithms: # DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } " # " DisabledAlgorithm { , DisabledAlgorithm } "
# #
...@@ -439,25 +437,26 @@ krb5.kdc.bad.policy = tryLast ...@@ -439,25 +437,26 @@ krb5.kdc.bad.policy = tryLast
# (see below) # (see below)
# #
# Constraint: # Constraint:
# KeySizeConstraint, CertConstraint # KeySizeConstraint | CAConstraint | DenyAfterConstraint |
# UsageConstraint
# #
# KeySizeConstraint: # KeySizeConstraint:
# keySize Operator DecimalInteger # keySize Operator KeyLength
# #
# Operator: # Operator:
# <= | < | == | != | >= | > # <= | < | == | != | >= | >
# #
# DecimalInteger: # KeyLength:
# DecimalDigits # Integer value of the algorithm's key length in bits
# #
# DecimalDigits: # CAConstraint:
# DecimalDigit {DecimalDigit} # jdkCA
# #
# DecimalDigit: one of # DenyAfterConstraint:
# 1 2 3 4 5 6 7 8 9 0 # denyAfter YYYY-MM-DD
# #
# CertConstraint # UsageConstraint:
# jdkCA # usage [TLSServer] [TLSClient] [SignedJAR]
# #
# The "AlgorithmName" is the standard algorithm name of the disabled # The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name # algorithm. See "Java Cryptography Architecture Standard Algorithm Name
...@@ -471,28 +470,56 @@ krb5.kdc.bad.policy = tryLast ...@@ -471,28 +470,56 @@ krb5.kdc.bad.policy = tryLast
# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion # that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
# will not disable algorithms related to "ECDSA". # will not disable algorithms related to "ECDSA".
# #
# A "Constraint" provides further guidance for the algorithm being specified. # A "Constraint" defines restrictions on the keys and/or certificates for
# The "KeySizeConstraint" requires a key of a valid size range if the # a specified AlgorithmName:
# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the #
# key size specified in number of bits. For example, "RSA keySize <= 1024" # KeySizeConstraint:
# indicates that any RSA key with key size less than or equal to 1024 bits # keySize Operator KeyLength
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates # The constraint requires a key of a valid size range if the
# that any RSA key with key size less than 1024 or greater than 2048 should # "AlgorithmName" is of a key algorithm. The "KeyLength" indicates
# be disabled. Note that the "KeySizeConstraint" only makes sense to key # the key size specified in number of bits. For example,
# algorithms. # "RSA keySize <= 1024" indicates that any RSA key with key size less
# # than or equal to 1024 bits should be disabled, and
# "CertConstraint" specifies additional constraints for # "RSA keySize < 1024, RSA keySize > 2048" indicates that any RSA key
# certificates that contain algorithms that are restricted: # with key size less than 1024 or greater than 2048 should be disabled.
# # This constraint is only used on algorithms that have a key size.
# "jdkCA" prohibits the specified algorithm only if the algorithm is used #
# in a certificate chain that terminates at a marked trust anchor in the # CAConstraint:
# lib/security/cacerts keystore. All other chains are not affected. # jdkCA
# If the jdkCA constraint is not set, then all chains using the # This constraint prohibits the specified algorithm only if the
# specified algorithm are restricted. jdkCA may only be used once in # algorithm is used in a certificate chain that terminates at a marked
# a DisabledAlgorithm expression. # trust anchor in the lib/security/cacerts keystore. If the jdkCA
# constraint is not set, then all chains using the specified algorithm
# are restricted. jdkCA may only be used once in a DisabledAlgorithm
# expression.
# Example: To apply this constraint to SHA-1 certificates, include # Example: To apply this constraint to SHA-1 certificates, include
# the following: "SHA1 jdkCA" # the following: "SHA1 jdkCA"
# #
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
# This constraint prohibits a certificate with the specified algorithm
# from being used after the date regardless of the certificate's
# validity. JAR files that are signed and timestamped before the
# constraint date with certificates containing the disabled algorithm
# will not be restricted. The date is processed in the UTC timezone.
# This constraint can only be used once in a DisabledAlgorithm
# expression.
# Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
# use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
#
# UsageConstraint:
# usage [TLSServer] [TLSClient] [SignedJAR]
# This constraint prohibits the specified algorithm for
# a specified usage. This should be used when disabling an algorithm
# for all usages is not practical. 'TLSServer' restricts the algorithm
# in TLS server certificate chains when server authentication is
# performed. 'TLSClient' restricts the algorithm in TLS client
# certificate chains when client authentication is performed.
# 'SignedJAR' constrains use of certificates in signed jar files.
# The usage type follows the keyword and more than one usage type can
# be specified with a whitespace delimiter.
# Example: "SHA1 usage TLSServer TLSClient"
#
# When an algorithm must satisfy more than one constraint, it must be # When an algorithm must satisfy more than one constraint, it must be
# delimited by an ampersand '&'. For example, to restrict certificates in a # delimited by an ampersand '&'. For example, to restrict certificates in a
# chain that terminate at a distribution provided trust anchor and contain # chain that terminate at a distribution provided trust anchor and contain
...@@ -504,6 +531,9 @@ krb5.kdc.bad.policy = tryLast ...@@ -504,6 +531,9 @@ krb5.kdc.bad.policy = tryLast
# before larger keysize constraints of the same algorithm. For example: # before larger keysize constraints of the same algorithm. For example:
# "RSA keySize < 1024 & jdkCA, RSA keySize < 2048". # "RSA keySize < 1024 & jdkCA, RSA keySize < 2048".
# #
# Note: The algorithm restrictions do not apply to trust anchors or
# self-signed certificates.
#
# Note: This property is currently used by Oracle's PKIX implementation. It # Note: This property is currently used by Oracle's PKIX implementation. It
# is not guaranteed to be examined and used by other implementations. # is not guaranteed to be examined and used by other implementations.
# #
...@@ -511,9 +541,10 @@ krb5.kdc.bad.policy = tryLast ...@@ -511,9 +541,10 @@ krb5.kdc.bad.policy = tryLast
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048 # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
# #
# #
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
DSA keySize < 1024, EC keySize < 224 RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
#
# Algorithm restrictions for signed JAR files # Algorithm restrictions for signed JAR files
# #
# In some environments, certain algorithms or key lengths may be undesirable # In some environments, certain algorithms or key lengths may be undesirable
...@@ -528,17 +559,20 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ ...@@ -528,17 +559,20 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# " DisabledAlgorithm { , DisabledAlgorithm } " # " DisabledAlgorithm { , DisabledAlgorithm } "
# #
# DisabledAlgorithm: # DisabledAlgorithm:
# AlgorithmName [Constraint] # AlgorithmName [Constraint] { '&' Constraint }
# #
# AlgorithmName: # AlgorithmName:
# (see below) # (see below)
# #
# Constraint: # Constraint:
# KeySizeConstraint # KeySizeConstraint | DenyAfterConstraint
# #
# KeySizeConstraint: # KeySizeConstraint:
# keySize Operator KeyLength # keySize Operator KeyLength
# #
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
#
# Operator: # Operator:
# <= | < | == | != | >= | > # <= | < | == | != | >= | >
# #
...@@ -549,8 +583,11 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ ...@@ -549,8 +583,11 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# implementation. It is not guaranteed to be examined and used by other # implementation. It is not guaranteed to be examined and used by other
# implementations. # implementations.
# #
# See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
#
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024 jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
#
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing # (SSL/TLS) processing
# #
...@@ -572,6 +609,9 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024 ...@@ -572,6 +609,9 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
# See the specification of "jdk.certpath.disabledAlgorithms" for the # See the specification of "jdk.certpath.disabledAlgorithms" for the
# syntax of the disabled algorithm string. # syntax of the disabled algorithm string.
# #
# Note: The algorithm restrictions do not apply to trust anchors or
# self-signed certificates.
#
# Note: This property is currently used by the JDK Reference implementation. # Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations. # It is not guaranteed to be examined and used by other implementations.
# #
......
src/share/lib/security/java.security-macosx
浏览文件 @ 8587eb8d
...@@ -429,9 +429,7 @@ krb5.kdc.bad.policy = tryLast ...@@ -429,9 +429,7 @@ krb5.kdc.bad.policy = tryLast
# describes the mechanism for disabling algorithms based on algorithm name # describes the mechanism for disabling algorithms based on algorithm name
# and/or key length. This includes algorithms used in certificates, as well # and/or key length. This includes algorithms used in certificates, as well
# as revocation information such as CRLs and signed OCSP Responses. # as revocation information such as CRLs and signed OCSP Responses.
# # The syntax of the disabled algorithm string is described as follows:
# The syntax of the disabled algorithm string is described as this Java
# BNF-style:
# DisabledAlgorithms: # DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } " # " DisabledAlgorithm { , DisabledAlgorithm } "
# #
...@@ -442,25 +440,26 @@ krb5.kdc.bad.policy = tryLast ...@@ -442,25 +440,26 @@ krb5.kdc.bad.policy = tryLast
# (see below) # (see below)
# #
# Constraint: # Constraint:
# KeySizeConstraint, CertConstraint # KeySizeConstraint | CAConstraint | DenyAfterConstraint |
# UsageConstraint
# #
# KeySizeConstraint: # KeySizeConstraint:
# keySize Operator DecimalInteger # keySize Operator KeyLength
# #
# Operator: # Operator:
# <= | < | == | != | >= | > # <= | < | == | != | >= | >
# #
# DecimalInteger: # KeyLength:
# DecimalDigits # Integer value of the algorithm's key length in bits
# #
# DecimalDigits: # CAConstraint:
# DecimalDigit {DecimalDigit} # jdkCA
# #
# DecimalDigit: one of # DenyAfterConstraint:
# 1 2 3 4 5 6 7 8 9 0 # denyAfter YYYY-MM-DD
# #
# CertConstraint # UsageConstraint:
# jdkCA # usage [TLSServer] [TLSClient] [SignedJAR]
# #
# The "AlgorithmName" is the standard algorithm name of the disabled # The "AlgorithmName" is the standard algorithm name of the disabled
# algorithm. See "Java Cryptography Architecture Standard Algorithm Name # algorithm. See "Java Cryptography Architecture Standard Algorithm Name
...@@ -474,28 +473,56 @@ krb5.kdc.bad.policy = tryLast ...@@ -474,28 +473,56 @@ krb5.kdc.bad.policy = tryLast
# that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion # that rely on DSA, such as NONEwithDSA, SHA1withDSA. However, the assertion
# will not disable algorithms related to "ECDSA". # will not disable algorithms related to "ECDSA".
# #
# A "Constraint" provides further guidance for the algorithm being specified. # A "Constraint" defines restrictions on the keys and/or certificates for
# The "KeySizeConstraint" requires a key of a valid size range if the # a specified AlgorithmName:
# "AlgorithmName" is of a key algorithm. The "DecimalInteger" indicates the #
# key size specified in number of bits. For example, "RSA keySize <= 1024" # KeySizeConstraint:
# indicates that any RSA key with key size less than or equal to 1024 bits # keySize Operator KeyLength
# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates # The constraint requires a key of a valid size range if the
# that any RSA key with key size less than 1024 or greater than 2048 should # "AlgorithmName" is of a key algorithm. The "KeyLength" indicates
# be disabled. Note that the "KeySizeConstraint" only makes sense to key # the key size specified in number of bits. For example,
# algorithms. # "RSA keySize <= 1024" indicates that any RSA key with key size less
# # than or equal to 1024 bits should be disabled, and
# "CertConstraint" specifies additional constraints for # "RSA keySize < 1024, RSA keySize > 2048" indicates that any RSA key
# certificates that contain algorithms that are restricted: # with key size less than 1024 or greater than 2048 should be disabled.
# # This constraint is only used on algorithms that have a key size.
# "jdkCA" prohibits the specified algorithm only if the algorithm is used #
# in a certificate chain that terminates at a marked trust anchor in the # CAConstraint:
# lib/security/cacerts keystore. All other chains are not affected. # jdkCA
# If the jdkCA constraint is not set, then all chains using the # This constraint prohibits the specified algorithm only if the
# specified algorithm are restricted. jdkCA may only be used once in # algorithm is used in a certificate chain that terminates at a marked
# a DisabledAlgorithm expression. # trust anchor in the lib/security/cacerts keystore. If the jdkCA
# constraint is not set, then all chains using the specified algorithm
# are restricted. jdkCA may only be used once in a DisabledAlgorithm
# expression.
# Example: To apply this constraint to SHA-1 certificates, include # Example: To apply this constraint to SHA-1 certificates, include
# the following: "SHA1 jdkCA" # the following: "SHA1 jdkCA"
# #
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
# This constraint prohibits a certificate with the specified algorithm
# from being used after the date regardless of the certificate's
# validity. JAR files that are signed and timestamped before the
# constraint date with certificates containing the disabled algorithm
# will not be restricted. The date is processed in the UTC timezone.
# This constraint can only be used once in a DisabledAlgorithm
# expression.
# Example: To deny usage of RSA 2048 bit certificates after Feb 3 2020,
# use the following: "RSA keySize == 2048 & denyAfter 2020-02-03"
#
# UsageConstraint:
# usage [TLSServer] [TLSClient] [SignedJAR]
# This constraint prohibits the specified algorithm for
# a specified usage. This should be used when disabling an algorithm
# for all usages is not practical. 'TLSServer' restricts the algorithm
# in TLS server certificate chains when server authentication is
# performed. 'TLSClient' restricts the algorithm in TLS client
# certificate chains when client authentication is performed.
# 'SignedJAR' constrains use of certificates in signed jar files.
# The usage type follows the keyword and more than one usage type can
# be specified with a whitespace delimiter.
# Example: "SHA1 usage TLSServer TLSClient"
#
# When an algorithm must satisfy more than one constraint, it must be # When an algorithm must satisfy more than one constraint, it must be
# delimited by an ampersand '&'. For example, to restrict certificates in a # delimited by an ampersand '&'. For example, to restrict certificates in a
# chain that terminate at a distribution provided trust anchor and contain # chain that terminate at a distribution provided trust anchor and contain
...@@ -507,6 +534,9 @@ krb5.kdc.bad.policy = tryLast ...@@ -507,6 +534,9 @@ krb5.kdc.bad.policy = tryLast
# before larger keysize constraints of the same algorithm. For example: # before larger keysize constraints of the same algorithm. For example:
# "RSA keySize < 1024 & jdkCA, RSA keySize < 2048". # "RSA keySize < 1024 & jdkCA, RSA keySize < 2048".
# #
# Note: The algorithm restrictions do not apply to trust anchors or
# self-signed certificates.
#
# Note: This property is currently used by Oracle's PKIX implementation. It # Note: This property is currently used by Oracle's PKIX implementation. It
# is not guaranteed to be examined and used by other implementations. # is not guaranteed to be examined and used by other implementations.
# #
...@@ -514,9 +544,10 @@ krb5.kdc.bad.policy = tryLast ...@@ -514,9 +544,10 @@ krb5.kdc.bad.policy = tryLast
# jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048 # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048
# #
# #
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \
DSA keySize < 1024, EC keySize < 224 RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
#
# Algorithm restrictions for signed JAR files # Algorithm restrictions for signed JAR files
# #
# In some environments, certain algorithms or key lengths may be undesirable # In some environments, certain algorithms or key lengths may be undesirable
...@@ -531,17 +562,20 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ ...@@ -531,17 +562,20 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# " DisabledAlgorithm { , DisabledAlgorithm } " # " DisabledAlgorithm { , DisabledAlgorithm } "
# #
# DisabledAlgorithm: # DisabledAlgorithm:
# AlgorithmName [Constraint] # AlgorithmName [Constraint] { '&' Constraint }
# #
# AlgorithmName: # AlgorithmName:
# (see below) # (see below)
# #
# Constraint: # Constraint:
# KeySizeConstraint # KeySizeConstraint | DenyAfterConstraint
# #
# KeySizeConstraint: # KeySizeConstraint:
# keySize Operator KeyLength # keySize Operator KeyLength
# #
# DenyAfterConstraint:
# denyAfter YYYY-MM-DD
#
# Operator: # Operator:
# <= | < | == | != | >= | > # <= | < | == | != | >= | >
# #
...@@ -552,8 +586,11 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \ ...@@ -552,8 +586,11 @@ jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
# implementation. It is not guaranteed to be examined and used by other # implementation. It is not guaranteed to be examined and used by other
# implementations. # implementations.
# #
# See "jdk.certpath.disabledAlgorithms" for syntax descriptions.
#
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024 jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
#
# Algorithm restrictions for Secure Socket Layer/Transport Layer Security # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
# (SSL/TLS) processing # (SSL/TLS) processing
# #
...@@ -575,6 +612,9 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024 ...@@ -575,6 +612,9 @@ jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
# See the specification of "jdk.certpath.disabledAlgorithms" for the # See the specification of "jdk.certpath.disabledAlgorithms" for the
# syntax of the disabled algorithm string. # syntax of the disabled algorithm string.
# #
# Note: The algorithm restrictions do not apply to trust anchors or
# self-signed certificates.
#
# Note: This property is currently used by the JDK Reference implementation. # Note: This property is currently used by the JDK Reference implementation.
# It is not guaranteed to be examined and used by other implementations. # It is not guaranteed to be examined and used by other implementations.
# #
......
src/share/native/sun/awt/libpng/LICENSE
浏览文件 @ 8587eb8d
...@@ -10,8 +10,8 @@ this sentence. ...@@ -10,8 +10,8 @@ this sentence.
This code is released under the libpng license. This code is released under the libpng license.
libpng versions 1.0.7, July 1, 2000, through 1.6.20, December 3, 2015, are libpng versions 1.0.7, July 1, 2000 through 1.6.28, January 5, 2017 are
Copyright (c) 2000-2002, 2004, 2006-2015 Glenn Randers-Pehrson, are Copyright (c) 2000-2002, 2004, 2006-2017 Glenn Randers-Pehrson, are
derived from libpng-1.0.6, and are distributed according to the same derived from libpng-1.0.6, and are distributed according to the same
disclaimer and license as libpng-1.0.6 with the following individuals disclaimer and license as libpng-1.0.6 with the following individuals
added to the list of Contributing Authors: added to the list of Contributing Authors:
...@@ -22,6 +22,7 @@ added to the list of Contributing Authors: ...@@ -22,6 +22,7 @@ added to the list of Contributing Authors:
Cosmin Truta Cosmin Truta
Gilles Vollant Gilles Vollant
James Yu James Yu
Mandar Sahastrabuddhe
and with the following additions to the disclaimer: and with the following additions to the disclaimer:
...@@ -32,6 +33,10 @@ and with the following additions to the disclaimer: ...@@ -32,6 +33,10 @@ and with the following additions to the disclaimer:
risk of satisfactory quality, performance, accuracy, and effort is with risk of satisfactory quality, performance, accuracy, and effort is with
the user. the user.
Some files in the "contrib" directory and some configure-generated
files that are distributed with libpng have other copyright owners and
are released under other open source licenses.
libpng versions 0.97, January 1998, through 1.0.6, March 20, 2000, are libpng versions 0.97, January 1998, through 1.0.6, March 20, 2000, are
Copyright (c) 1998-2000 Glenn Randers-Pehrson, are derived from Copyright (c) 1998-2000 Glenn Randers-Pehrson, are derived from
libpng-0.96, and are distributed according to the same disclaimer and libpng-0.96, and are distributed according to the same disclaimer and
...@@ -55,6 +60,9 @@ Contributing Authors: ...@@ -55,6 +60,9 @@ Contributing Authors:
Greg Roelofs Greg Roelofs
Tom Tanner Tom Tanner
Some files in the "scripts" directory have other copyright owners
but are released under this license.
libpng versions 0.5, May 1995, through 0.88, January 1996, are libpng versions 0.5, May 1995, through 0.88, January 1996, are
Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc.
...@@ -95,18 +103,29 @@ appreciated. ...@@ -95,18 +103,29 @@ appreciated.
END OF COPYRIGHT NOTICE, DISCLAIMER, and LICENSE. END OF COPYRIGHT NOTICE, DISCLAIMER, and LICENSE.
A "png_get_copyright" function is available, for convenient use in "about" TRADEMARK:
boxes and the like:
printf("%s", png_get_copyright(NULL)); The name "libpng" has not been registered by the Copyright owner
as a trademark in any jurisdiction. However, because libpng has
been distributed and maintained world-wide, continually since 1995,
the Copyright owner claims "common-law trademark protection" in any
jurisdiction where common-law trademark is recognized.
Also, the PNG logo (in PNG format, of course) is supplied in the OSI CERTIFICATION:
files "pngbar.png" and "pngbar.jpg (88x31) and "pngnow.png" (98x31).
Libpng is OSI Certified Open Source Software. OSI Certified Open Source is Libpng is OSI Certified Open Source Software. OSI Certified Open Source is
a certification mark of the Open Source Initiative. OSI has not addressed a certification mark of the Open Source Initiative. OSI has not addressed
the additional disclaimers inserted at version 1.0.7. the additional disclaimers inserted at version 1.0.7.
EXPORT CONTROL:
The Copyright owner believes that the Export Control Classification
Number (ECCN) for libpng is EAR99, which means not subject to export
controls or International Traffic in Arms Regulations (ITAR) because
it is open source, publicly available software, that does not contain
any encryption software. See the EAR, paragraphs 734.3(b)(3) and
734.7(b).
Glenn Randers-Pehrson Glenn Randers-Pehrson
glennrp at users.sourceforge.net glennrp at users.sourceforge.net
December 3, 2015 January 5, 2017
src/share/native/sun/awt/libpng/README
浏览文件 @ 8587eb8d
README for libpng version 1.6.20 - December 3, 2015 (shared library 16.0) README for libpng version 1.6.28 - January 5, 2017 (shared library 16.0)
See the note about version numbers near the top of png.h See the note about version numbers near the top of png.h
See INSTALL for instructions on how to install libpng. See INSTALL for instructions on how to install libpng.
...@@ -180,15 +180,18 @@ Files in this distribution: ...@@ -180,15 +180,18 @@ Files in this distribution:
pngwutil.c => Write utility functions pngwutil.c => Write utility functions
arm => Contains optimized code for the ARM platform arm => Contains optimized code for the ARM platform
contrib => Contributions contrib => Contributions
arm-neon => Optimized code for ARM-NEON platform
examples => Example programs examples => Example programs
gregbook => source code for PNG reading and writing, from gregbook => source code for PNG reading and writing, from
Greg Roelofs' "PNG: The Definitive Guide", Greg Roelofs' "PNG: The Definitive Guide",
O'Reilly, 1999 O'Reilly, 1999
intel => Optimized code for INTEL-SSE2 platform
libtests => Test programs libtests => Test programs
pngminim => Minimal decoder, encoder, and progressive decoder pngminim => Minimal decoder, encoder, and progressive decoder
programs demonstrating use of pngusr.dfa programs demonstrating use of pngusr.dfa
pngminus => Simple pnm2png and png2pnm programs pngminus => Simple pnm2png and png2pnm programs
pngsuite => Test images pngsuite => Test images
testpngs
tools => Various tools tools => Various tools
visupng => Contains a MSVC workspace for VisualPng visupng => Contains a MSVC workspace for VisualPng
projects => Contains project files and workspaces for projects => Contains project files and workspaces for
......
src/share/native/sun/awt/libpng/pngconf.h
浏览文件 @ 8587eb8d
...@@ -29,9 +29,9 @@ ...@@ -29,9 +29,9 @@
* However, the following notice accompanied the original version of this * However, the following notice accompanied the original version of this
* file and, per its terms, should not be removed: * file and, per its terms, should not be removed:
* *
* libpng version 1.6.20, December 3, 2015 * libpng version 1.6.28, January 5, 2017
* *
* Copyright (c) 1998-2015 Glenn Randers-Pehrson * Copyright (c) 1998-2002,2004,2006-2016 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
* *
...@@ -535,9 +535,9 @@ ...@@ -535,9 +535,9 @@
# error "libpng requires a signed 32-bit (or more) type" # error "libpng requires a signed 32-bit (or more) type"
#endif #endif
#if UINT_MAX > 4294967294 #if UINT_MAX > 4294967294U
typedef unsigned int png_uint_32; typedef unsigned int png_uint_32;
#elif ULONG_MAX > 4294967294 #elif ULONG_MAX > 4294967294U
typedef unsigned long int png_uint_32; typedef unsigned long int png_uint_32;
#else #else
# error "libpng requires an unsigned 32-bit (or more) type" # error "libpng requires an unsigned 32-bit (or more) type"
......
src/share/native/sun/awt/libpng/pngdebug.h
浏览文件 @ 8587eb8d
...@@ -30,7 +30,7 @@ ...@@ -30,7 +30,7 @@
* file and, per its terms, should not be removed: * file and, per its terms, should not be removed:
* *
* Last changed in libpng 1.6.8 [December 19, 2013] * Last changed in libpng 1.6.8 [December 19, 2013]
* Copyright (c) 1998-2013 Glenn Randers-Pehrson * Copyright (c) 1998-2002,2004,2006-2013 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
* *
......
src/share/native/sun/awt/libpng/pnginfo.h
浏览文件 @ 8587eb8d
...@@ -30,7 +30,7 @@ ...@@ -30,7 +30,7 @@
* file and, per its terms, should not be removed: * file and, per its terms, should not be removed:
* *
* Last changed in libpng 1.6.1 [March 28, 2013] * Last changed in libpng 1.6.1 [March 28, 2013]
* Copyright (c) 1998-2013 Glenn Randers-Pehrson * Copyright (c) 1998-2002,2004,2006-2013 Glenn Randers-Pehrson
* (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger)
* (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.)
* *
......
src/share/native/sun/awt/libpng/pngtest.c 已删除 100644 → 0
浏览文件 @ 74ef472b
此差异已折叠。
src/share/native/sun/awt/libpng/pngwio.c 已删除 100644 → 0
浏览文件 @ 74ef472b
此差异已折叠。
src/share/native/sun/awt/libpng/pngwrite.c 已删除 100644 → 0
浏览文件 @ 74ef472b
此差异已折叠。
src/share/native/sun/awt/libpng/pngwtran.c 已删除 100644 → 0
浏览文件 @ 74ef472b
此差异已折叠。
src/share/native/sun/awt/libpng/pngwutil.c 已删除 100644 → 0
浏览文件 @ 74ef472b
此差异已折叠。
test/ProblemList.txt
浏览文件 @ 8587eb8d
此差异已折叠。
test/java/lang/reflect/Proxy/ProxyRace.java 0 → 100644
浏览文件 @ 8587eb8d
此差异已折叠。
test/sun/management/LazyCompositeDataTest.java 0 → 100644
浏览文件 @ 8587eb8d
此差异已折叠。
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册