Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
openanolis
dragonwell8_jdk
提交
8f7d719c
D
dragonwell8_jdk
项目概览
openanolis
/
dragonwell8_jdk
通知
4
Star
2
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
D
dragonwell8_jdk
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
8f7d719c
编写于
7月 29, 2016
作者:
I
igerasim
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
8155973: Tighten jar checks
Reviewed-by: mullan, igerasim, ahgross
上级
a78caf7f
变更
15
隐藏空白更改
内联
并排
Showing
15 changed file
with
395 addition
and
29 deletion
+395
-29
src/share/classes/sun/security/pkcs/SignerInfo.java
src/share/classes/sun/security/pkcs/SignerInfo.java
+62
-10
src/share/classes/sun/security/util/AbstractAlgorithmConstraints.java
...asses/sun/security/util/AbstractAlgorithmConstraints.java
+6
-2
src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
...asses/sun/security/util/DisabledAlgorithmConstraints.java
+12
-0
src/share/classes/sun/security/util/SignatureFileVerifier.java
...hare/classes/sun/security/util/SignatureFileVerifier.java
+44
-14
src/share/lib/security/java.security-aix
src/share/lib/security/java.security-aix
+38
-0
src/share/lib/security/java.security-linux
src/share/lib/security/java.security-linux
+38
-0
src/share/lib/security/java.security-macosx
src/share/lib/security/java.security-macosx
+38
-0
src/share/lib/security/java.security-solaris
src/share/lib/security/java.security-solaris
+38
-0
src/share/lib/security/java.security-windows
src/share/lib/security/java.security-windows
+38
-0
test/javax/crypto/SecretKeyFactory/FailOverTest.sh
test/javax/crypto/SecretKeyFactory/FailOverTest.sh
+1
-0
test/javax/crypto/SecretKeyFactory/security.properties
test/javax/crypto/SecretKeyFactory/security.properties
+26
-0
test/sun/security/pkcs/pkcs7/PKCS7VerifyTest.java
test/sun/security/pkcs/pkcs7/PKCS7VerifyTest.java
+3
-2
test/sun/security/pkcs/pkcs7/reenable.jar.alg.props
test/sun/security/pkcs/pkcs7/reenable.jar.alg.props
+24
-0
test/sun/security/tools/jarsigner/JarSigningNonAscii.java
test/sun/security/tools/jarsigner/JarSigningNonAscii.java
+3
-1
test/sun/security/tools/jarsigner/reenable.jar.alg.props
test/sun/security/tools/jarsigner/reenable.jar.alg.props
+24
-0
未找到文件。
src/share/classes/sun/security/pkcs/SignerInfo.java
浏览文件 @
8f7d719c
/*
/*
* Copyright (c) 1996, 201
3
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 201
6
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
*
* This code is free software; you can redistribute it and/or modify it
* This code is free software; you can redistribute it and/or modify it
...
@@ -28,20 +28,37 @@ package sun.security.pkcs;
...
@@ -28,20 +28,37 @@ package sun.security.pkcs;
import
java.io.OutputStream
;
import
java.io.OutputStream
;
import
java.io.IOException
;
import
java.io.IOException
;
import
java.math.BigInteger
;
import
java.math.BigInteger
;
import
java.security.CryptoPrimitive
;
import
java.security.InvalidKeyException
;
import
java.security.MessageDigest
;
import
java.security.NoSuchAlgorithmException
;
import
java.security.Principal
;
import
java.security.PublicKey
;
import
java.security.Signature
;
import
java.security.SignatureException
;
import
java.security.Timestamp
;
import
java.security.cert.CertificateException
;
import
java.security.cert.CertificateException
;
import
java.security.cert.CertificateFactory
;
import
java.security.cert.CertificateFactory
;
import
java.security.cert.CertPath
;
import
java.security.cert.CertPath
;
import
java.security.cert.X509Certificate
;
import
java.security.cert.X509Certificate
;
import
java.security.*
;
import
java.util.ArrayList
;
import
java.util.ArrayList
;
import
java.util.Arrays
;
import
java.util.Arrays
;
import
java.util.Collections
;
import
java.util.EnumSet
;
import
java.util.Set
;
import
sun.misc.HexDumpEncoder
;
import
sun.security.timestamp.TimestampToken
;
import
sun.security.timestamp.TimestampToken
;
import
sun.security.util.*
;
import
sun.security.util.Debug
;
import
sun.security.util.DerEncoder
;
import
sun.security.util.DerInputStream
;
import
sun.security.util.DerOutputStream
;
import
sun.security.util.DerValue
;
import
sun.security.util.DisabledAlgorithmConstraints
;
import
sun.security.util.ObjectIdentifier
;
import
sun.security.x509.AlgorithmId
;
import
sun.security.x509.AlgorithmId
;
import
sun.security.x509.X500Name
;
import
sun.security.x509.X500Name
;
import
sun.security.x509.KeyUsageExtension
;
import
sun.security.x509.KeyUsageExtension
;
import
sun.misc.HexDumpEncoder
;
/**
/**
* A SignerInfo, as defined in PKCS#7's signedData type.
* A SignerInfo, as defined in PKCS#7's signedData type.
...
@@ -50,6 +67,17 @@ import sun.misc.HexDumpEncoder;
...
@@ -50,6 +67,17 @@ import sun.misc.HexDumpEncoder;
*/
*/
public
class
SignerInfo
implements
DerEncoder
{
public
class
SignerInfo
implements
DerEncoder
{
// Digest and Signature restrictions
private
static
final
Set
<
CryptoPrimitive
>
DIGEST_PRIMITIVE_SET
=
Collections
.
unmodifiableSet
(
EnumSet
.
of
(
CryptoPrimitive
.
MESSAGE_DIGEST
));
private
static
final
Set
<
CryptoPrimitive
>
SIG_PRIMITIVE_SET
=
Collections
.
unmodifiableSet
(
EnumSet
.
of
(
CryptoPrimitive
.
SIGNATURE
));
private
static
final
DisabledAlgorithmConstraints
JAR_DISABLED_CHECK
=
new
DisabledAlgorithmConstraints
(
DisabledAlgorithmConstraints
.
PROPERTY_JAR_DISABLED_ALGS
);
BigInteger
version
;
BigInteger
version
;
X500Name
issuerName
;
X500Name
issuerName
;
BigInteger
certificateSerialNumber
;
BigInteger
certificateSerialNumber
;
...
@@ -318,6 +346,13 @@ public class SignerInfo implements DerEncoder {
...
@@ -318,6 +346,13 @@ public class SignerInfo implements DerEncoder {
if
(
messageDigest
==
null
)
// fail if there is no message digest
if
(
messageDigest
==
null
)
// fail if there is no message digest
return
null
;
return
null
;
// check that algorithm is not restricted
if
(!
JAR_DISABLED_CHECK
.
permits
(
DIGEST_PRIMITIVE_SET
,
digestAlgname
,
null
))
{
throw
new
SignatureException
(
"Digest check failed. "
+
"Disabled algorithm used: "
+
digestAlgname
);
}
MessageDigest
md
=
MessageDigest
.
getInstance
(
digestAlgname
);
MessageDigest
md
=
MessageDigest
.
getInstance
(
digestAlgname
);
byte
[]
computedMessageDigest
=
md
.
digest
(
data
);
byte
[]
computedMessageDigest
=
md
.
digest
(
data
);
...
@@ -349,12 +384,24 @@ public class SignerInfo implements DerEncoder {
...
@@ -349,12 +384,24 @@ public class SignerInfo implements DerEncoder {
String
algname
=
AlgorithmId
.
makeSigAlg
(
String
algname
=
AlgorithmId
.
makeSigAlg
(
digestAlgname
,
encryptionAlgname
);
digestAlgname
,
encryptionAlgname
);
Signature
sig
=
Signature
.
getInstance
(
algname
);
// check that algorithm is not restricted
X509Certificate
cert
=
getCertificate
(
block
);
if
(!
JAR_DISABLED_CHECK
.
permits
(
SIG_PRIMITIVE_SET
,
algname
,
null
))
{
throw
new
SignatureException
(
"Signature check failed. "
+
"Disabled algorithm used: "
+
algname
);
}
X509Certificate
cert
=
getCertificate
(
block
);
PublicKey
key
=
cert
.
getPublicKey
();
if
(
cert
==
null
)
{
if
(
cert
==
null
)
{
return
null
;
return
null
;
}
}
// check if the public key is restricted
if
(!
JAR_DISABLED_CHECK
.
permits
(
SIG_PRIMITIVE_SET
,
key
))
{
throw
new
SignatureException
(
"Public key check failed. "
+
"Disabled algorithm used: "
+
key
.
getAlgorithm
());
}
if
(
cert
.
hasUnsupportedCriticalExtension
())
{
if
(
cert
.
hasUnsupportedCriticalExtension
())
{
throw
new
SignatureException
(
"Certificate has unsupported "
throw
new
SignatureException
(
"Certificate has unsupported "
+
"critical extension(s)"
);
+
"critical extension(s)"
);
...
@@ -391,11 +438,9 @@ public class SignerInfo implements DerEncoder {
...
@@ -391,11 +438,9 @@ public class SignerInfo implements DerEncoder {
}
}
}
}
PublicKey
key
=
cert
.
getPublicKey
(
);
Signature
sig
=
Signature
.
getInstance
(
algname
);
sig
.
initVerify
(
key
);
sig
.
initVerify
(
key
);
sig
.
update
(
dataSigned
);
sig
.
update
(
dataSigned
);
if
(
sig
.
verify
(
encryptedDigest
))
{
if
(
sig
.
verify
(
encryptedDigest
))
{
return
this
;
return
this
;
}
}
...
@@ -515,9 +560,16 @@ public class SignerInfo implements DerEncoder {
...
@@ -515,9 +560,16 @@ public class SignerInfo implements DerEncoder {
*/
*/
private
void
verifyTimestamp
(
TimestampToken
token
)
private
void
verifyTimestamp
(
TimestampToken
token
)
throws
NoSuchAlgorithmException
,
SignatureException
{
throws
NoSuchAlgorithmException
,
SignatureException
{
String
digestAlgname
=
token
.
getHashAlgorithm
().
getName
();
// check that algorithm is not restricted
if
(!
JAR_DISABLED_CHECK
.
permits
(
DIGEST_PRIMITIVE_SET
,
digestAlgname
,
null
))
{
throw
new
SignatureException
(
"Timestamp token digest check failed. "
+
"Disabled algorithm used: "
+
digestAlgname
);
}
MessageDigest
md
=
MessageDigest
md
=
MessageDigest
.
getInstance
(
token
.
getHashAlgorithm
().
getName
()
);
MessageDigest
.
getInstance
(
digestAlgname
);
if
(!
Arrays
.
equals
(
token
.
getHashedMessage
(),
if
(!
Arrays
.
equals
(
token
.
getHashedMessage
(),
md
.
digest
(
encryptedDigest
)))
{
md
.
digest
(
encryptedDigest
)))
{
...
...
src/share/classes/sun/security/util/AbstractAlgorithmConstraints.java
浏览文件 @
8f7d719c
...
@@ -48,8 +48,12 @@ public abstract class AbstractAlgorithmConstraints
...
@@ -48,8 +48,12 @@ public abstract class AbstractAlgorithmConstraints
private
static
void
loadAlgorithmsMap
(
Map
<
String
,
String
[]>
algorithmsMap
,
private
static
void
loadAlgorithmsMap
(
Map
<
String
,
String
[]>
algorithmsMap
,
String
propertyName
)
{
String
propertyName
)
{
String
property
=
AccessController
.
doPrivileged
(
String
property
=
AccessController
.
doPrivileged
(
(
PrivilegedAction
<
String
>)
()
->
Security
.
getProperty
(
new
PrivilegedAction
<
String
>()
{
propertyName
));
@Override
public
String
run
()
{
return
Security
.
getProperty
(
propertyName
);
}
});
String
[]
algorithmsInProperty
=
null
;
String
[]
algorithmsInProperty
=
null
;
if
(
property
!=
null
&&
!
property
.
isEmpty
())
{
if
(
property
!=
null
&&
!
property
.
isEmpty
())
{
...
...
src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
浏览文件 @
8f7d719c
...
@@ -58,6 +58,10 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
...
@@ -58,6 +58,10 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
private
final
static
Map
<
String
,
KeySizeConstraints
>
keySizeConstraintsMap
=
private
final
static
Map
<
String
,
KeySizeConstraints
>
keySizeConstraintsMap
=
new
HashMap
<>();
new
HashMap
<>();
// the known security property, jdk.jar.disabledAlgorithms
public
static
final
String
PROPERTY_JAR_DISABLED_ALGS
=
"jdk.jar.disabledAlgorithms"
;
private
final
String
[]
disabledAlgorithms
;
private
final
String
[]
disabledAlgorithms
;
private
final
KeySizeConstraints
keySizeConstraints
;
private
final
KeySizeConstraints
keySizeConstraints
;
...
@@ -71,6 +75,14 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
...
@@ -71,6 +75,14 @@ public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
this
(
propertyName
,
new
AlgorithmDecomposer
());
this
(
propertyName
,
new
AlgorithmDecomposer
());
}
}
/**
* Initialize algorithm constraints with the specified security property
* for a specific usage type.
*
* @param propertyName the security property name that define the disabled
* algorithm constraints
* @param decomposer an alternate AlgorithmDecomposer.
*/
public
DisabledAlgorithmConstraints
(
String
propertyName
,
public
DisabledAlgorithmConstraints
(
String
propertyName
,
AlgorithmDecomposer
decomposer
)
{
AlgorithmDecomposer
decomposer
)
{
super
(
decomposer
);
super
(
decomposer
);
...
...
src/share/classes/sun/security/util/SignatureFileVerifier.java
浏览文件 @
8f7d719c
/*
/*
* Copyright (c) 1997, 201
3
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 201
6
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
*
* This code is free software; you can redistribute it and/or modify it
* This code is free software; you can redistribute it and/or modify it
...
@@ -25,26 +25,49 @@
...
@@ -25,26 +25,49 @@
package
sun.security.util
;
package
sun.security.util
;
import
java.io.ByteArrayInputStream
;
import
java.io.IOException
;
import
java.security.CodeSigner
;
import
java.security.CryptoPrimitive
;
import
java.security.MessageDigest
;
import
java.security.NoSuchAlgorithmException
;
import
java.security.SignatureException
;
import
java.security.cert.CertPath
;
import
java.security.cert.CertPath
;
import
java.security.cert.X509Certificate
;
import
java.security.cert.X509Certificate
;
import
java.security.cert.CertificateException
;
import
java.security.cert.CertificateException
;
import
java.security.cert.CertificateFactory
;
import
java.security.cert.CertificateFactory
;
import
java.security.*
;
import
java.util.ArrayList
;
import
java.io.*
;
import
java.util.*
;
import
java.util.jar.*
;
import
sun.security.pkcs.*
;
import
java.util.Base64
;
import
java.util.Base64
;
import
java.util.Collections
;
import
java.util.EnumSet
;
import
java.util.HashMap
;
import
java.util.Hashtable
;
import
java.util.Iterator
;
import
java.util.List
;
import
java.util.Locale
;
import
java.util.Map
;
import
java.util.Set
;
import
java.util.jar.Attributes
;
import
java.util.jar.JarException
;
import
java.util.jar.JarFile
;
import
java.util.jar.Manifest
;
import
sun.security.jca.Providers
;
import
sun.security.jca.Providers
;
import
sun.security.pkcs.PKCS7
;
import
sun.security.pkcs.SignerInfo
;
public
class
SignatureFileVerifier
{
public
class
SignatureFileVerifier
{
/* Are we debugging ? */
/* Are we debugging ? */
private
static
final
Debug
debug
=
Debug
.
getInstance
(
"jar"
);
private
static
final
Debug
debug
=
Debug
.
getInstance
(
"jar"
);
/* cache of CodeSigner objects */
private
static
final
Set
<
CryptoPrimitive
>
DIGEST_PRIMITIVE_SET
=
Collections
.
unmodifiableSet
(
EnumSet
.
of
(
CryptoPrimitive
.
MESSAGE_DIGEST
));
private
static
final
DisabledAlgorithmConstraints
JAR_DISABLED_CHECK
=
new
DisabledAlgorithmConstraints
(
DisabledAlgorithmConstraints
.
PROPERTY_JAR_DISABLED_ALGS
);
private
ArrayList
<
CodeSigner
[]>
signerCache
;
private
ArrayList
<
CodeSigner
[]>
signerCache
;
private
static
final
String
ATTR_DIGEST
=
private
static
final
String
ATTR_DIGEST
=
...
@@ -200,8 +223,15 @@ public class SignatureFileVerifier {
...
@@ -200,8 +223,15 @@ public class SignatureFileVerifier {
/** get digest from cache */
/** get digest from cache */
private
MessageDigest
getDigest
(
String
algorithm
)
private
MessageDigest
getDigest
(
String
algorithm
)
throws
SignatureException
{
{
// check that algorithm is not restricted
if
(!
JAR_DISABLED_CHECK
.
permits
(
DIGEST_PRIMITIVE_SET
,
algorithm
,
null
))
{
SignatureException
e
=
new
SignatureException
(
"SignatureFile check failed. "
+
"Disabled algorithm used: "
+
algorithm
);
throw
e
;
}
if
(
createdDigests
==
null
)
if
(
createdDigests
==
null
)
createdDigests
=
new
HashMap
<
String
,
MessageDigest
>();
createdDigests
=
new
HashMap
<
String
,
MessageDigest
>();
...
@@ -321,7 +351,7 @@ public class SignatureFileVerifier {
...
@@ -321,7 +351,7 @@ public class SignatureFileVerifier {
private
boolean
verifyManifestHash
(
Manifest
sf
,
private
boolean
verifyManifestHash
(
Manifest
sf
,
ManifestDigester
md
,
ManifestDigester
md
,
List
<
Object
>
manifestDigests
)
List
<
Object
>
manifestDigests
)
throws
IOException
throws
IOException
,
SignatureException
{
{
Attributes
mattr
=
sf
.
getMainAttributes
();
Attributes
mattr
=
sf
.
getMainAttributes
();
boolean
manifestSigned
=
false
;
boolean
manifestSigned
=
false
;
...
@@ -365,7 +395,7 @@ public class SignatureFileVerifier {
...
@@ -365,7 +395,7 @@ public class SignatureFileVerifier {
private
boolean
verifyManifestMainAttrs
(
Manifest
sf
,
private
boolean
verifyManifestMainAttrs
(
Manifest
sf
,
ManifestDigester
md
)
ManifestDigester
md
)
throws
IOException
throws
IOException
,
SignatureException
{
{
Attributes
mattr
=
sf
.
getMainAttributes
();
Attributes
mattr
=
sf
.
getMainAttributes
();
boolean
attrsVerified
=
true
;
boolean
attrsVerified
=
true
;
...
@@ -431,14 +461,14 @@ public class SignatureFileVerifier {
...
@@ -431,14 +461,14 @@ public class SignatureFileVerifier {
private
boolean
verifySection
(
Attributes
sfAttr
,
private
boolean
verifySection
(
Attributes
sfAttr
,
String
name
,
String
name
,
ManifestDigester
md
)
ManifestDigester
md
)
throws
IOException
throws
IOException
,
SignatureException
{
{
boolean
oneDigestVerified
=
false
;
boolean
oneDigestVerified
=
false
;
ManifestDigester
.
Entry
mde
=
md
.
get
(
name
,
block
.
isOldStyle
());
ManifestDigester
.
Entry
mde
=
md
.
get
(
name
,
block
.
isOldStyle
());
if
(
mde
==
null
)
{
if
(
mde
==
null
)
{
throw
new
SecurityException
(
throw
new
SecurityException
(
"no manif
i
est section for signature file entry "
+
name
);
"no manifest section for signature file entry "
+
name
);
}
}
if
(
sfAttr
!=
null
)
{
if
(
sfAttr
!=
null
)
{
...
...
src/share/lib/security/java.security-aix
浏览文件 @
8f7d719c
...
@@ -624,3 +624,41 @@ jdk.tls.legacyAlgorithms= \
...
@@ -624,3 +624,41 @@ jdk.tls.legacyAlgorithms= \
# E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
# E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
# EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
# EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
# FFFFFFFF FFFFFFFF, 2}
# FFFFFFFF FFFFFFFF, 2}
# Algorithm restrictions for signed JAR files
#
# In some environments, certain algorithms or key lengths may be undesirable
# for signed JAR validation. For example, "MD2" is generally no longer
# considered to be a secure hash algorithm. This section describes the
# mechanism for disabling algorithms based on algorithm name and/or key length.
# JARs signed with any of the disabled algorithms or key sizes will be treated
# as unsigned.
#
# The syntax of the disabled algorithm string is described as follows:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
# DisabledAlgorithm:
# AlgorithmName [Constraint]
#
# AlgorithmName:
# (see below)
#
# Constraint:
# KeySizeConstraint
#
# KeySizeConstraint:
# keySize Operator KeyLength
#
# Operator:
# <= | < | == | != | >= | >
#
# KeyLength:
# Integer value of the algorithm's key length in bits
#
# Note: This property is currently used by the JDK Reference
# implementation. It is not guaranteed to be examined and used by other
# implementations.
#
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
DSA keySize < 1024
src/share/lib/security/java.security-linux
浏览文件 @
8f7d719c
...
@@ -624,3 +624,41 @@ jdk.tls.legacyAlgorithms= \
...
@@ -624,3 +624,41 @@ jdk.tls.legacyAlgorithms= \
# E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
# E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
# EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
# EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
# FFFFFFFF FFFFFFFF, 2}
# FFFFFFFF FFFFFFFF, 2}
# Algorithm restrictions for signed JAR files
#
# In some environments, certain algorithms or key lengths may be undesirable
# for signed JAR validation. For example, "MD2" is generally no longer
# considered to be a secure hash algorithm. This section describes the
# mechanism for disabling algorithms based on algorithm name and/or key length.
# JARs signed with any of the disabled algorithms or key sizes will be treated
# as unsigned.
#
# The syntax of the disabled algorithm string is described as follows:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
# DisabledAlgorithm:
# AlgorithmName [Constraint]
#
# AlgorithmName:
# (see below)
#
# Constraint:
# KeySizeConstraint
#
# KeySizeConstraint:
# keySize Operator KeyLength
#
# Operator:
# <= | < | == | != | >= | >
#
# KeyLength:
# Integer value of the algorithm's key length in bits
#
# Note: This property is currently used by the JDK Reference
# implementation. It is not guaranteed to be examined and used by other
# implementations.
#
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
DSA keySize < 1024
src/share/lib/security/java.security-macosx
浏览文件 @
8f7d719c
...
@@ -627,3 +627,41 @@ jdk.tls.legacyAlgorithms= \
...
@@ -627,3 +627,41 @@ jdk.tls.legacyAlgorithms= \
# E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
# E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
# EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
# EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
# FFFFFFFF FFFFFFFF, 2}
# FFFFFFFF FFFFFFFF, 2}
# Algorithm restrictions for signed JAR files
#
# In some environments, certain algorithms or key lengths may be undesirable
# for signed JAR validation. For example, "MD2" is generally no longer
# considered to be a secure hash algorithm. This section describes the
# mechanism for disabling algorithms based on algorithm name and/or key length.
# JARs signed with any of the disabled algorithms or key sizes will be treated
# as unsigned.
#
# The syntax of the disabled algorithm string is described as follows:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
# DisabledAlgorithm:
# AlgorithmName [Constraint]
#
# AlgorithmName:
# (see below)
#
# Constraint:
# KeySizeConstraint
#
# KeySizeConstraint:
# keySize Operator KeyLength
#
# Operator:
# <= | < | == | != | >= | >
#
# KeyLength:
# Integer value of the algorithm's key length in bits
#
# Note: This property is currently used by the JDK Reference
# implementation. It is not guaranteed to be examined and used by other
# implementations.
#
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
DSA keySize < 1024
src/share/lib/security/java.security-solaris
浏览文件 @
8f7d719c
...
@@ -626,3 +626,41 @@ jdk.tls.legacyAlgorithms= \
...
@@ -626,3 +626,41 @@ jdk.tls.legacyAlgorithms= \
# E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
# E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
# EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
# EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
# FFFFFFFF FFFFFFFF, 2}
# FFFFFFFF FFFFFFFF, 2}
# Algorithm restrictions for signed JAR files
#
# In some environments, certain algorithms or key lengths may be undesirable
# for signed JAR validation. For example, "MD2" is generally no longer
# considered to be a secure hash algorithm. This section describes the
# mechanism for disabling algorithms based on algorithm name and/or key length.
# JARs signed with any of the disabled algorithms or key sizes will be treated
# as unsigned.
#
# The syntax of the disabled algorithm string is described as follows:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
# DisabledAlgorithm:
# AlgorithmName [Constraint]
#
# AlgorithmName:
# (see below)
#
# Constraint:
# KeySizeConstraint
#
# KeySizeConstraint:
# keySize Operator KeyLength
#
# Operator:
# <= | < | == | != | >= | >
#
# KeyLength:
# Integer value of the algorithm's key length in bits
#
# Note: This property is currently used by the JDK Reference
# implementation. It is not guaranteed to be examined and used by other
# implementations.
#
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
DSA keySize < 1024
src/share/lib/security/java.security-windows
浏览文件 @
8f7d719c
...
@@ -627,3 +627,41 @@ jdk.tls.legacyAlgorithms= \
...
@@ -627,3 +627,41 @@ jdk.tls.legacyAlgorithms= \
# E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
# E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED \
# EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
# EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 \
# FFFFFFFF FFFFFFFF, 2}
# FFFFFFFF FFFFFFFF, 2}
# Algorithm restrictions for signed JAR files
#
# In some environments, certain algorithms or key lengths may be undesirable
# for signed JAR validation. For example, "MD2" is generally no longer
# considered to be a secure hash algorithm. This section describes the
# mechanism for disabling algorithms based on algorithm name and/or key length.
# JARs signed with any of the disabled algorithms or key sizes will be treated
# as unsigned.
#
# The syntax of the disabled algorithm string is described as follows:
# DisabledAlgorithms:
# " DisabledAlgorithm { , DisabledAlgorithm } "
#
# DisabledAlgorithm:
# AlgorithmName [Constraint]
#
# AlgorithmName:
# (see below)
#
# Constraint:
# KeySizeConstraint
#
# KeySizeConstraint:
# keySize Operator KeyLength
#
# Operator:
# <= | < | == | != | >= | >
#
# KeyLength:
# Integer value of the algorithm's key length in bits
#
# Note: This property is currently used by the JDK Reference
# implementation. It is not guaranteed to be examined and used by other
# implementations.
#
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
DSA keySize < 1024
test/javax/crypto/SecretKeyFactory/FailOverTest.sh
浏览文件 @
8f7d719c
...
@@ -88,6 +88,7 @@ fi
...
@@ -88,6 +88,7 @@ fi
${
TESTJAVA
}${
FS
}
bin
${
FS
}
java
\
${
TESTJAVA
}${
FS
}
bin
${
FS
}
java
\
${
TESTVMOPTS
}
\
${
TESTVMOPTS
}
\
-Djava
.security.properties
=
${
TESTSRC
}${
FS
}
security.properties
\
-classpath
"
${
TESTSRC
}${
FS
}
P1.jar
${
PS
}${
TESTSRC
}${
FS
}
P2.jar
${
PS
}
."
\
-classpath
"
${
TESTSRC
}${
FS
}
P1.jar
${
PS
}${
TESTSRC
}${
FS
}
P2.jar
${
PS
}
."
\
FailOverTest
FailOverTest
result
=
$?
result
=
$?
...
...
test/javax/crypto/SecretKeyFactory/security.properties
0 → 100644
浏览文件 @
8f7d719c
#
# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
# or visit www.oracle.com if you need additional information or have any
# questions.
#
jdk.security.provider.preferred
=
jdk.jar.disabledAlgorithms
=
test/sun/security/pkcs/pkcs7/PKCS7VerifyTest.java
浏览文件 @
8f7d719c
...
@@ -26,8 +26,8 @@
...
@@ -26,8 +26,8 @@
* @bug 8048357
* @bug 8048357
* @summary Read signed data in one or more PKCS7 objects from individual files,
* @summary Read signed data in one or more PKCS7 objects from individual files,
* verify SignerInfos and certificate chain.
* verify SignerInfos and certificate chain.
* @run main PKCS7VerifyTest PKCS7TEST.DSA.base64
* @run main
/othervm -Djava.security.properties=${test.src}/reenable.jar.alg.props
PKCS7VerifyTest PKCS7TEST.DSA.base64
* @run main PKCS7VerifyTest PKCS7TEST.DSA.base64 PKCS7TEST.SF
* @run main
/othervm -Djava.security.properties=${test.src}/reenable.jar.alg.props
PKCS7VerifyTest PKCS7TEST.DSA.base64 PKCS7TEST.SF
*/
*/
import
java.io.ByteArrayInputStream
;
import
java.io.ByteArrayInputStream
;
import
java.io.File
;
import
java.io.File
;
...
@@ -35,6 +35,7 @@ import java.io.FileInputStream;
...
@@ -35,6 +35,7 @@ import java.io.FileInputStream;
import
java.nio.file.Files
;
import
java.nio.file.Files
;
import
java.nio.file.Path
;
import
java.nio.file.Path
;
import
java.nio.file.Paths
;
import
java.nio.file.Paths
;
import
java.security.Security
;
import
java.security.cert.X509Certificate
;
import
java.security.cert.X509Certificate
;
import
java.util.Base64
;
import
java.util.Base64
;
import
java.util.HashMap
;
import
java.util.HashMap
;
...
...
test/sun/security/pkcs/pkcs7/reenable.jar.alg.props
0 → 100644
浏览文件 @
8f7d719c
#
# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
# or visit www.oracle.com if you need additional information or have any
# questions.
#
jdk.jar.disabledAlgorithms=
test/sun/security/tools/jarsigner/JarSigningNonAscii.java
浏览文件 @
8f7d719c
/*
/*
* Copyright (c) 2003, 201
2
, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 201
6
, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
*
* This code is free software; you can redistribute it and/or modify it
* This code is free software; you can redistribute it and/or modify it
...
@@ -25,10 +25,12 @@
...
@@ -25,10 +25,12 @@
* @test
* @test
* @bug 4924188
* @bug 4924188
* @summary sign a JAR file that has entry names with non-ASCII characters.
* @summary sign a JAR file that has entry names with non-ASCII characters.
* @run main/othervm -Djava.security.properties=${test.src}/reenable.jar.alg.props JarSigningNonAscii
*/
*/
import
sun.security.tools.*
;
import
sun.security.tools.*
;
import
java.io.*
;
import
java.io.*
;
import
java.security.Security
;
import
java.util.*
;
import
java.util.*
;
import
java.util.jar.*
;
import
java.util.jar.*
;
import
java.security.cert.Certificate
;
import
java.security.cert.Certificate
;
...
...
test/sun/security/tools/jarsigner/reenable.jar.alg.props
0 → 100644
浏览文件 @
8f7d719c
#
# Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
#
# This code is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License version 2 only, as
# published by the Free Software Foundation.
#
# This code is distributed in the hope that it will be useful, but WITHOUT
# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
# version 2 for more details (a copy is included in the LICENSE file that
# accompanied this code).
#
# You should have received a copy of the GNU General Public License version
# 2 along with this work; if not, write to the Free Software Foundation,
# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
# or visit www.oracle.com if you need additional information or have any
# questions.
#
jdk.jar.disabledAlgorithms=
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录