8129988: JSSE should create a single instance of the cacerts KeyStore

Summary: Add a TrustStoreManager to manage trusted certs. Reviewed-by: mullan

8129988: JSSE should create a single instance of the cacerts KeyStore
Summary: Add a TrustStoreManager to manage trusted certs. Reviewed-by: mullan
a7c38674 · xuelei · cfcab60b · a7c38674 · a7c38674 · a7c38674
6 changed file
--- a/src/share/classes/sun/security/ssl/SSLContextImpl.java
+++ b/src/share/classes/sun/security/ssl/SSLContextImpl.java
@@ -873,12 +873,20 @@ public abstract class SSLContextImpl extends SSLContextSpi {
        }

        private static TrustManager[] getTrustManagers() throws Exception {
-            KeyStore ks =
-                TrustManagerFactoryImpl.getCacertsKeyStore("defaultctx");
-
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(
-                TrustManagerFactory.getDefaultAlgorithm());
-            tmf.init(ks);
+                    TrustManagerFactory.getDefaultAlgorithm());
+            if ("SunJSSE".equals(tmf.getProvider().getName())) {
+                // The implementation will load the default KeyStore
+                // automatically.  Cached trust materials may be used
+                // for performance improvement.
+                tmf.init((KeyStore)null);
+            } else {
+                // Use the explicitly specified KeyStore for third party's
+                // TrustManagerFactory implementation.
+                KeyStore ks = TrustStoreManager.getTrustedKeyStore();
+                tmf.init(ks);
+            }
+
            return tmf.getTrustManagers();
        }


--- a/src/share/classes/sun/security/ssl/TrustManagerFactoryImpl.java
+++ b/src/share/classes/sun/security/ssl/TrustManagerFactoryImpl.java
 /*
- * Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -32,6 +32,7 @@ import java.security.cert.*;
 import javax.net.ssl.*;

 import sun.security.validator.Validator;
+import sun.security.validator.TrustStoreUtil;

 abstract class TrustManagerFactoryImpl extends TrustManagerFactorySpi {

@@ -47,7 +48,7 @@ abstract class TrustManagerFactoryImpl extends TrustManagerFactorySpi {
    protected void engineInit(KeyStore ks) throws KeyStoreException {
        if (ks == null) {
            try {
-                ks = getCacertsKeyStore("trustmanager");
+                trustManager = getInstance(TrustStoreManager.getTrustedCerts());
            } catch (SecurityException se) {
                // eat security exceptions but report other throwables
                if (debug != null && Debug.isOn("trustmanager")) {
@@ -72,14 +73,17 @@ abstract class TrustManagerFactoryImpl extends TrustManagerFactorySpi {
                        "SunX509: skip default keystore: " + e);
                }
                throw new KeyStoreException(
-                    "problem accessing trust store" + e);
+                    "problem accessing trust store", e);
            }
+        } else {
+            trustManager = getInstance(TrustStoreUtil.getTrustedCerts(ks));
        }
-        trustManager = getInstance(ks);
+
        isInitialized = true;
    }

-    abstract X509TrustManager getInstance(KeyStore ks) throws KeyStoreException;
+    abstract X509TrustManager getInstance(
+            Collection<X509Certificate> trustedCerts);

    abstract X509TrustManager getInstance(ManagerFactoryParameters spec)
            throws InvalidAlgorithmParameterException;
@@ -126,126 +130,14 @@ abstract class TrustManagerFactoryImpl extends TrustManagerFactorySpi {
                });
    }

-    /**
-     * Returns the keystore with the configured CA certificates.
-     */
-    static KeyStore getCacertsKeyStore(String dbgname) throws Exception
-    {
-        String storeFileName = null;
-        File storeFile = null;
-        FileInputStream fis = null;
-        String defaultTrustStoreType;
-        String defaultTrustStoreProvider;
-        final HashMap<String,String> props = new HashMap<>();
-        final String sep = File.separator;
-        KeyStore ks = null;
-
-        AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
-            @Override
-            public Void run() throws Exception {
-                props.put("trustStore", System.getProperty(
-                                "javax.net.ssl.trustStore"));
-                props.put("javaHome", System.getProperty(
-                                        "java.home"));
-                props.put("trustStoreType", System.getProperty(
-                                "javax.net.ssl.trustStoreType",
-                                KeyStore.getDefaultType()));
-                props.put("trustStoreProvider", System.getProperty(
-                                "javax.net.ssl.trustStoreProvider", ""));
-                props.put("trustStorePasswd", System.getProperty(
-                                "javax.net.ssl.trustStorePassword", ""));
-                return null;
-            }
-        });
-
-        /*
-         * Try:
-         *      javax.net.ssl.trustStore  (if this variable exists, stop)
-         *      jssecacerts
-         *      cacerts
-         *
-         * If none exists, we use an empty keystore.
-         */
-
-        try {
-            storeFileName = props.get("trustStore");
-            if (!"NONE".equals(storeFileName)) {
-                if (storeFileName != null) {
-                    storeFile = new File(storeFileName);
-                    fis = getFileInputStream(storeFile);
-                } else {
-                    String javaHome = props.get("javaHome");
-                    storeFile = new File(javaHome + sep + "lib" + sep
-                                                    + "security" + sep +
-                                                    "jssecacerts");
-                    if ((fis = getFileInputStream(storeFile)) == null) {
-                        storeFile = new File(javaHome + sep + "lib" + sep
-                                                    + "security" + sep +
-                                                    "cacerts");
-                        fis = getFileInputStream(storeFile);
-                    }
-                }
-
-                if (fis != null) {
-                    storeFileName = storeFile.getPath();
-                } else {
-                    storeFileName = "No File Available, using empty keystore.";
-                }
-            }
-
-            defaultTrustStoreType = props.get("trustStoreType");
-            defaultTrustStoreProvider = props.get("trustStoreProvider");
-            if (debug != null && Debug.isOn(dbgname)) {
-                System.out.println("trustStore is: " + storeFileName);
-                System.out.println("trustStore type is : " +
-                                    defaultTrustStoreType);
-                System.out.println("trustStore provider is : " +
-                                    defaultTrustStoreProvider);
-            }
-
-            /*
-             * Try to initialize trust store.
-             */
-            if (defaultTrustStoreType.length() != 0) {
-                if (debug != null && Debug.isOn(dbgname)) {
-                    System.out.println("init truststore");
-                }
-                if (defaultTrustStoreProvider.length() == 0) {
-                    ks = KeyStore.getInstance(defaultTrustStoreType);
-                } else {
-                    ks = KeyStore.getInstance(defaultTrustStoreType,
-                                            defaultTrustStoreProvider);
-                }
-                char[] passwd = null;
-                String defaultTrustStorePassword =
-                        props.get("trustStorePasswd");
-                if (defaultTrustStorePassword.length() != 0)
-                    passwd = defaultTrustStorePassword.toCharArray();
-
-                // if trustStore is NONE, fis will be null
-                ks.load(fis, passwd);
-
-                // Zero out the temporary password storage
-                if (passwd != null) {
-                    for (int i = 0; i < passwd.length; i++) {
-                        passwd[i] = (char)0;
-                    }
-                }
-            }
-        } finally {
-            if (fis != null) {
-                fis.close();
-            }
-        }
-
-        return ks;
-    }
-
    public static final class SimpleFactory extends TrustManagerFactoryImpl {
        @Override
-        X509TrustManager getInstance(KeyStore ks) throws KeyStoreException {
-            return new X509TrustManagerImpl(Validator.TYPE_SIMPLE, ks);
+        X509TrustManager getInstance(
+                Collection<X509Certificate> trustedCerts) {
+            return new X509TrustManagerImpl(
+                    Validator.TYPE_SIMPLE, trustedCerts);
        }
+
        @Override
        X509TrustManager getInstance(ManagerFactoryParameters spec)
                throws InvalidAlgorithmParameterException {
@@ -253,13 +145,15 @@ abstract class TrustManagerFactoryImpl extends TrustManagerFactorySpi {
                ("SunX509 TrustManagerFactory does not use "
                + "ManagerFactoryParameters");
        }
-   }
+    }

    public static final class PKIXFactory extends TrustManagerFactoryImpl {
        @Override
-        X509TrustManager getInstance(KeyStore ks) throws KeyStoreException {
-            return new X509TrustManagerImpl(Validator.TYPE_PKIX, ks);
+        X509TrustManager getInstance(
+                Collection<X509Certificate> trustedCerts) {
+            return new X509TrustManagerImpl(Validator.TYPE_PKIX, trustedCerts);
        }
+
        @Override
        X509TrustManager getInstance(ManagerFactoryParameters spec)
                throws InvalidAlgorithmParameterException {

--- a/src/share/classes/sun/security/ssl/X509TrustManagerImpl.java
+++ b/src/share/classes/sun/security/ssl/X509TrustManagerImpl.java
 /*
- * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -68,16 +68,21 @@ final class X509TrustManagerImpl extends X509ExtendedTrustManager

    private static final Debug debug = Debug.getInstance("ssl");

-    X509TrustManagerImpl(String validatorType, KeyStore ks)
-            throws KeyStoreException {
+    X509TrustManagerImpl(String validatorType,
+            Collection<X509Certificate> trustedCerts) {
+
        this.validatorType = validatorType;
        this.pkixParams = null;
-        if (ks == null) {
+
+        if (trustedCerts == null) {
            trustedCerts = Collections.<X509Certificate>emptySet();
-        } else {
-            trustedCerts = KeyStores.getTrustedCerts(ks);
        }
-        showTrustedCerts();
+
+        this.trustedCerts = trustedCerts;
+
+        if (debug != null && Debug.isOn("trustmanager")) {
+            showTrustedCerts();
+        }
    }

    X509TrustManagerImpl(String validatorType, PKIXBuilderParameters params) {
@@ -90,7 +95,10 @@ final class X509TrustManagerImpl extends X509ExtendedTrustManager
        Validator v = getValidator(Validator.VAR_TLS_SERVER);
        trustedCerts = v.getTrustedCertificates();
        serverValidator = v;
-        showTrustedCerts();
+
+        if (debug != null && Debug.isOn("trustmanager")) {
+            showTrustedCerts();
+        }
    }

    @Override
@@ -287,22 +295,20 @@ final class X509TrustManagerImpl extends X509ExtendedTrustManager
    }

    private void showTrustedCerts() {
-        if (debug != null && Debug.isOn("trustmanager")) {
-            for (X509Certificate cert : trustedCerts) {
-                System.out.println("adding as trusted cert:");
-                System.out.println("  Subject: "
-                                        + cert.getSubjectX500Principal());
-                System.out.println("  Issuer:  "
-                                        + cert.getIssuerX500Principal());
-                System.out.println("  Algorithm: "
-                                        + cert.getPublicKey().getAlgorithm()
-                                        + "; Serial number: 0x"
-                                        + cert.getSerialNumber().toString(16));
-                System.out.println("  Valid from "
-                                        + cert.getNotBefore() + " until "
-                                        + cert.getNotAfter());
-                System.out.println();
-            }
+        for (X509Certificate cert : trustedCerts) {
+            System.out.println("adding as trusted cert:");
+            System.out.println("  Subject: "
+                                    + cert.getSubjectX500Principal());
+            System.out.println("  Issuer:  "
+                                    + cert.getIssuerX500Principal());
+            System.out.println("  Algorithm: "
+                                    + cert.getPublicKey().getAlgorithm()
+                                    + "; Serial number: 0x"
+                                    + cert.getSerialNumber().toString(16));
+            System.out.println("  Valid from "
+                                    + cert.getNotBefore() + " until "
+                                    + cert.getNotAfter());
+            System.out.println();
        }
    }


--- a/src/share/classes/sun/security/validator/Validator.java
+++ b/src/share/classes/sun/security/validator/Validator.java
 /*
- * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -166,7 +166,7 @@ public abstract class Validator {
     */
    public static Validator getInstance(String type, String variant,
            KeyStore ks) {
-        return getInstance(type, variant, KeyStores.getTrustedCerts(ks));
+        return getInstance(type, variant, TrustStoreUtil.getTrustedCerts(ks));
    }

    /**

--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/BadTSProvider.java
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/BadTSProvider.java
 /*
- * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -21,18 +21,21 @@
 * questions.
 */

+//
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+//
+
 /*
 * @test
 * @bug 4919147
 * @summary Support for token-based KeyStores
 * @run main/othervm BadTSProvider
- *
- *     SunJSSE does not support dynamic system properties, no way to re-use
- *     system properties in samevm/agentvm mode.
 */

 import java.io.*;
 import java.net.*;
+import java.security.*;
 import javax.net.ssl.*;

 public class BadTSProvider {
@@ -179,13 +182,19 @@ public class BadTSProvider {
            // XXX this test must be updated if the exception message changes

            Throwable cause = se.getCause();
-            if (cause instanceof java.security.NoSuchAlgorithmException == false) {
+            if (!(cause instanceof NoSuchAlgorithmException)) {
+                se.printStackTrace();
+                throw new Exception("Unexpected exception" + se);
+            }
+
+            cause = cause.getCause();
+            if (!(cause instanceof KeyStoreException)) {
                se.printStackTrace();
                throw new Exception("Unexpected exception" + se);
            }

            cause = cause.getCause();
-            if (cause instanceof java.security.NoSuchProviderException == false) {
+            if (!(cause instanceof NoSuchProviderException)) {
                se.printStackTrace();
                throw new Exception("Unexpected exception" + se);
            }

--- a/test/sun/security/validator/EndEntityExtensionCheck.java
+++ b/test/sun/security/validator/EndEntityExtensionCheck.java
 /*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -44,7 +44,7 @@ import java.util.Collection;
 import java.util.Date;
 import java.util.HashSet;
 import java.util.Set;
-import sun.security.validator.KeyStores;
+import sun.security.validator.TrustStoreUtil;
 import sun.security.validator.Validator;


@@ -112,7 +112,7 @@ public class EndEntityExtensionCheck {

        Validator v = Validator.getInstance(Validator.TYPE_SIMPLE,
                                            Validator.VAR_TLS_CLIENT,
-                                            KeyStores.getTrustedCerts(ks));
+                                            TrustStoreUtil.getTrustedCerts(ks));
        try {
            v.validate(chain);
            throw new Exception("Chain should not have validated " +