Merge

src/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java

 /*
- * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2011, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,13 +26,16 @@
 package sun.security.provider.certpath;
 
 import java.io.IOException;
-import java.util.Date;
-
+import java.math.BigInteger;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 import java.security.cert.X509CertSelector;
 import java.security.cert.CertificateException;
+import java.util.Arrays;
+import java.util.Date;
 
+import sun.security.util.Debug;
+import sun.security.util.DerInputStream;
 import sun.security.util.DerOutputStream;
 import sun.security.x509.SerialNumber;
 import sun.security.x509.KeyIdentifier;
@@ -40,26 +43,27 @@ import sun.security.x509.AuthorityKeyIdentifierExtension;
 
 /**
  * An adaptable X509 certificate selector for forward certification path
- * building.
+ * building. This selector overrides the default X509CertSelector matching
+ * rules for the subjectKeyIdentifier and serialNumber criteria, and adds
+ * additional rules for certificate validity.
  *
  * @since 1.7
  */
 class AdaptableX509CertSelector extends X509CertSelector {
+
+    private static final Debug debug = Debug.getInstance("certpath");
+
     // The start date of a validity period.
     private Date startDate;
 
     // The end date of a validity period.
     private Date endDate;
 
-    // Is subject key identifier sensitive?
-    private boolean isSKIDSensitive = false;
-
-    // Is serial number sensitive?
-    private boolean isSNSensitive = false;
+    // The subject key identifier
+    private byte[] ski;
 
-    AdaptableX509CertSelector() {
-        super();
-    }
+    // The serial number
+    private BigInteger serial;
 
     /**
      * Sets the criterion of the X509Certificate validity period.
@@ -86,51 +90,70 @@ class AdaptableX509CertSelector extends X509CertSelector {
     }
 
     /**
-     * Parse the authority key identifier extension.
+     * This selector overrides the subjectKeyIdentifier matching rules of
+     * X509CertSelector, so it throws IllegalArgumentException if this method
+     * is ever called.
+     */
+    @Override
+    public void setSubjectKeyIdentifier(byte[] subjectKeyID) {
+        throw new IllegalArgumentException();
+    }
+
+    /**
+     * This selector overrides the serialNumber matching rules of
+     * X509CertSelector, so it throws IllegalArgumentException if this method
+     * is ever called.
+     */
+    @Override
+    public void setSerialNumber(BigInteger serial) {
+        throw new IllegalArgumentException();
+    }
+
+    /**
+     * Sets the subjectKeyIdentifier and serialNumber criteria from the
+     * authority key identifier extension.
      *
-     * If the keyIdentifier field of the extension is non-null, set the
-     * subjectKeyIdentifier criterion. If the authorityCertSerialNumber
-     * field is non-null, set the serialNumber criterion.
+     * The subjectKeyIdentifier criterion is set to the keyIdentifier field
+     * of the extension, or null if it is empty. The serialNumber criterion
+     * is set to the authorityCertSerialNumber field, or null if it is empty.
      *
-     * Note that we will not set the subject criterion according to the
+     * Note that we do not set the subject criterion to the
      * authorityCertIssuer field of the extension. The caller MUST set
-     * the subject criterion before call match().
+     * the subject criterion before calling match().
      *
-     * @param akidext the authorityKeyIdentifier extension
+     * @param ext the authorityKeyIdentifier extension
+     * @throws IOException if there is an error parsing the extension
      */
-    void parseAuthorityKeyIdentifierExtension(
-            AuthorityKeyIdentifierExtension akidext) throws IOException {
-        if (akidext != null) {
-            KeyIdentifier akid = (KeyIdentifier)akidext.get(
-                    AuthorityKeyIdentifierExtension.KEY_ID);
-            if (akid != null) {
-                // Do not override the previous setting for initial selection.
-                if (isSKIDSensitive || getSubjectKeyIdentifier() == null) {
-                    DerOutputStream derout = new DerOutputStream();
-                    derout.putOctetString(akid.getIdentifier());
-                    super.setSubjectKeyIdentifier(derout.toByteArray());
+    void setSkiAndSerialNumber(AuthorityKeyIdentifierExtension ext)
+        throws IOException {
 
-                    isSKIDSensitive = true;
-                }
-            }
+        ski = null;
+        serial = null;
 
-            SerialNumber asn = (SerialNumber)akidext.get(
-                    AuthorityKeyIdentifierExtension.SERIAL_NUMBER);
+        if (ext != null) {
+            KeyIdentifier akid = (KeyIdentifier)ext.get(
+                AuthorityKeyIdentifierExtension.KEY_ID);
+            if (akid != null) {
+                DerOutputStream derout = new DerOutputStream();
+                derout.putOctetString(akid.getIdentifier());
+                ski = derout.toByteArray();
+            }
+            SerialNumber asn = (SerialNumber)ext.get(
+                AuthorityKeyIdentifierExtension.SERIAL_NUMBER);
             if (asn != null) {
-                // Do not override the previous setting for initial selection.
-                if (isSNSensitive || getSerialNumber() == null) {
-                    super.setSerialNumber(asn.getNumber());
-                    isSNSensitive = true;
-                }
+                serial = asn.getNumber();
             }
-
-            // the subject criterion should be set by the caller.
+            // the subject criterion should be set by the caller
         }
     }
 
     /**
      * Decides whether a <code>Certificate</code> should be selected.
      *
+     * This method overrides the matching rules for the subjectKeyIdentifier
+     * and serialNumber criteria and adds additional rules for certificate
+     * validity.
+     *
      * For the purpose of compatibility, when a certificate is of
      * version 1 and version 2, or the certificate does not include
      * a subject key identifier extension, the selection criterion
@@ -138,12 +161,28 @@ class AdaptableX509CertSelector extends X509CertSelector {
      */
     @Override
     public boolean match(Certificate cert) {
-        if (!(cert instanceof X509Certificate)) {
+        X509Certificate xcert = (X509Certificate)cert;
+
+        // match subject key identifier
+        if (!matchSubjectKeyID(xcert)) {
             return false;
         }
 
-        X509Certificate xcert = (X509Certificate)cert;
+        // In practice, a CA may replace its root certificate and require that
+        // the existing certificate is still valid, even if the AKID extension
+        // does not match the replacement root certificate fields.
+        //
+        // Conservatively, we only support the replacement for version 1 and
+        // version 2 certificate. As for version 3, the certificate extension
+        // may contain sensitive information (for example, policies), the
+        // AKID need to be respected to seek the exact certificate in case
+        // of key or certificate abuse.
         int version = xcert.getVersion();
+        if (serial != null && version > 2) {
+            if (!serial.equals(xcert.getSerialNumber())) {
+                return false;
+            }
+        }
 
         // Check the validity period for version 1 and 2 certificate.
         if (version < 3) {
@@ -154,7 +193,6 @@ class AdaptableX509CertSelector extends X509CertSelector {
                     return false;
                 }
             }
-
             if (endDate != null) {
                 try {
                     xcert.checkValidity(endDate);
@@ -164,26 +202,50 @@ class AdaptableX509CertSelector extends X509CertSelector {
             }
         }
 
-        // If no SubjectKeyIdentifier extension, don't bother to check it.
-        if (isSKIDSensitive &&
-            (version < 3 || xcert.getExtensionValue("2.5.29.14") == null)) {
-            setSubjectKeyIdentifier(null);
-        }
 
-        // In practice, a CA may replace its root certificate and require that
-        // the existing certificate is still valid, even if the AKID extension
-        // does not match the replacement root certificate fields.
-        //
-        // Conservatively, we only support the replacement for version 1 and
-        // version 2 certificate. As for version 2, the certificate extension
-        // may contain sensitive information (for example, policies), the
-        // AKID need to be respected to seek the exact certificate in case
-        // of key or certificate abuse.
-        if (isSNSensitive && version < 3) {
-            setSerialNumber(null);
+        if (!super.match(cert)) {
+            return false;
         }
 
-        return super.match(cert);
+        return true;
+    }
+
+    /*
+     * Match on subject key identifier extension value. These matching rules
+     * are identical to X509CertSelector except that if the certificate does
+     * not have a subject key identifier extension, it returns true.
+     */
+    private boolean matchSubjectKeyID(X509Certificate xcert) {
+        if (ski == null) {
+            return true;
+        }
+        try {
+            byte[] extVal = xcert.getExtensionValue("2.5.29.14");
+            if (extVal == null) {
+                if (debug != null) {
+                    debug.println("AdaptableX509CertSelector.match: "
+                        + "no subject key ID extension");
+                }
+                return true;
+            }
+            DerInputStream in = new DerInputStream(extVal);
+            byte[] certSubjectKeyID = in.getOctetString();
+            if (certSubjectKeyID == null ||
+                    !Arrays.equals(ski, certSubjectKeyID)) {
+                if (debug != null) {
+                    debug.println("AdaptableX509CertSelector.match: "
+                        + "subject key IDs don't match");
+                }
+                return false;
+            }
+        } catch (IOException ex) {
+            if (debug != null) {
+                debug.println("AdaptableX509CertSelector.match: "
+                    + "exception in subject key ID check");
+            }
+            return false;
+        }
+        return true;
     }
 
     @Override
@@ -198,6 +260,9 @@ class AdaptableX509CertSelector extends X509CertSelector {
             copy.endDate = (Date)endDate.clone();
         }
 
+        if (ski != null) {
+            copy.ski = ski.clone();
+        }
         return copy;
     }
 }

src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java

 /*
- * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -751,9 +751,7 @@ public class DistributionPointFetcher {
          * issued. [section 5.2.1, RFC 2459]
          */
         AuthorityKeyIdentifierExtension crlAKID = crl.getAuthKeyIdExtension();
-        if (crlAKID != null) {
-            issuerSelector.parseAuthorityKeyIdentifierExtension(crlAKID);
-        }
+        issuerSelector.setSkiAndSerialNumber(crlAKID);
 
         matched = issuerSelector.match(cert);
 

src/share/classes/sun/security/provider/certpath/ForwardBuilder.java

 /*
- * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -269,7 +269,7 @@ class ForwardBuilder extends Builder {
              */
             AuthorityKeyIdentifierExtension akidext =
                     currentState.cert.getAuthorityKeyIdentifierExtension();
-            caSelector.parseAuthorityKeyIdentifierExtension(akidext);
+            caSelector.setSkiAndSerialNumber(akidext);
 
             /*
              * check the validity period

src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java

 /*
- * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -103,7 +103,7 @@ public final class PKIXCertPathValidator extends CertPathValidatorSpi {
              */
             try {
                 X509CertImpl firstCertImpl = X509CertImpl.toImpl(firstCert);
-                selector.parseAuthorityKeyIdentifierExtension(
+                selector.setSkiAndSerialNumber(
                             firstCertImpl.getAuthorityKeyIdentifierExtension());
             } catch (CertificateException | IOException e) {
                 // ignore

src/share/native/sun/awt/splashscreen/splashscreen_gfx_impl.h

@@ -189,7 +189,11 @@ putRGBADither(rgbquad_t value, void *ptr, ImageFormat * format,
             PUT(rgbquad_t, ptr, value);
             break;
         case 3:                /* not supported, LSB or MSB should always be specified */
-            *(int *) 0 = 0;    /* crash */
+            PUT(byte_t, ptr, 0xff); /* Put a stub value */
+            INCP(byte_t, ptr);
+            PUT(byte_t, ptr, 0xff);
+            INCP(byte_t, ptr);
+            PUT(byte_t, ptr, 0xff);
             break;
         case 2:
             PUT(word_t, ptr, value);
@@ -253,7 +257,7 @@ getRGBA(void *ptr, ImageFormat * format)
             value = GET(rgbquad_t, ptr);
             break;
         case 3:                /* not supported, LSB or MSB should always be specified */
-            *(int *) 0 = 0;
+            value = 0xFFFFFFFF; /*return a stub value */
             break;
         case 2:
             value = (rgbquad_t) GET(word_t, ptr);

test/com/sun/jdi/ExclusiveBind.java

 /*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,57 +25,28 @@
  * @bug 4531526
  * @summary Test that more than one debuggee cannot bind to same port
  *          at the same time.
+ * @library /lib/testlibrary
  *
+ * @build jdk.testlibrary.ProcessTools jdk.testlibrary.JDKToolLauncher jdk.testlibrary.Utils
  * @build VMConnection ExclusiveBind HelloWorld
  * @run main ExclusiveBind
  */
-import java.io.InputStream;
-import java.io.IOException;
-import java.io.File;
 import java.net.ServerSocket;
 import com.sun.jdi.Bootstrap;
 import com.sun.jdi.VirtualMachine;
 import com.sun.jdi.connect.Connector;
 import com.sun.jdi.connect.AttachingConnector;
+
+import java.util.ArrayList;
 import java.util.Map;
 import java.util.List;
 import java.util.Iterator;
+import java.util.concurrent.TimeUnit;
 
-public class ExclusiveBind {
-
-    /*
-     * Helper class to direct process output to the parent
-     * System.out
-     */
-    static class IOHandler implements Runnable {
-        InputStream in;
-
-        IOHandler(InputStream in) {
-            this.in = in;
-        }
-
-        static void handle(InputStream in) {
-            IOHandler handler = new IOHandler(in);
-            Thread thr = new Thread(handler);
-            thr.setDaemon(true);
-            thr.start();
-        }
-
-        public void run() {
-            try {
-                byte b[] = new byte[100];
-                for (;;) {
-                    int n = in.read(b);
-                    if (n < 0) return;
-                    for (int i=0; i<n; i++) {
-                        System.out.print((char)b[i]);
-                    }
-                }
-            } catch (IOException ioe) { }
-        }
-
-    }
+import jdk.testlibrary.ProcessTools;
+import jdk.testlibrary.Utils;
 
+public class ExclusiveBind {
     /*
      * Find a connector by name
      */
@@ -95,25 +66,23 @@ public class ExclusiveBind {
      * Launch (in server mode) a debuggee with the given address and
      * suspend mode.
      */
-    private static Process launch(String address, boolean suspend, String class_name) throws IOException {
-        String exe = System.getProperty("java.home") + File.separator + "bin" +
-            File.separator + "java";
-        String cmd = exe + " " + VMConnection.getDebuggeeVMOptions() +
-            " -agentlib:jdwp=transport=dt_socket,server=y,suspend=";
+    private static ProcessBuilder prepareLauncher(String address, boolean suspend, String class_name) throws Exception {
+        List<String> args = new ArrayList<>();
+        for(String dbgOption : VMConnection.getDebuggeeVMOptions().split(" ")) {
+            args.add(dbgOption);
+        }
+        String lib = "-agentlib:jdwp=transport=dt_socket,server=y,suspend=";
         if (suspend) {
-            cmd += "y";
+            lib += "y";
         } else {
-            cmd += "n";
+            lib += "n";
         }
-        cmd += ",address=" + address + " " + class_name;
+        lib += ",address=" + address;
 
-        System.out.println("Starting: " + cmd);
+        args.add(lib);
+        args.add(class_name);
 
-        Process p = Runtime.getRuntime().exec(cmd);
-        IOHandler.handle(p.getInputStream());
-        IOHandler.handle(p.getErrorStream());
-
-        return p;
+        return ProcessTools.createJavaProcessBuilder(args.toArray(new String[args.size()]));
     }
 
     /*
@@ -132,16 +101,21 @@ public class ExclusiveBind {
         String address = String.valueOf(port);
 
         // launch the first debuggee
-        Process process1 = launch(address, true, "HelloWorld");
-
-        // give first debuggee time to suspend
-        Thread.currentThread().sleep(5000);
+        ProcessBuilder process1 = prepareLauncher(address, true, "HelloWorld");
+        // start the debuggee and wait for the "ready" message
+        Process p = ProcessTools.startProcess(
+                "process1",
+                process1,
+                line -> line.equals("Listening for transport dt_socket at address: " + address),
+                Math.round(5000 * Utils.TIMEOUT_FACTOR),
+                TimeUnit.MILLISECONDS
+        );
 
         // launch a second debuggee with the same address
-        Process process2 = launch(address, false, "HelloWorld");
+        ProcessBuilder process2 = prepareLauncher(address, false, "HelloWorld");
 
         // get exit status from second debuggee
-        int exitCode = process2.waitFor();
+        int exitCode = ProcessTools.startProcess("process2", process2).waitFor();
 
         // clean-up - attach to first debuggee and resume it
         AttachingConnector conn = (AttachingConnector)findConnector("com.sun.jdi.SocketAttach");

test/java/awt/DataFlavor/MissedHtmlAndRtfBug/InterprocessMessages.java

 /*
- * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -24,5 +24,6 @@
 interface InterprocessMessages {
     final static int EXECUTION_IS_SUCCESSFULL = 0;
     final static int DATA_IS_CORRUPTED = 212;
+    final static int NO_DROP_HAPPENED = 112;
 }
 

test/java/awt/DataFlavor/MissedHtmlAndRtfBug/MissedHtmlAndRtfBug.html

 <!--
- Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ Copyright (c) 2013, 2014, Oracle and/or its affiliates. All rights reserved.
  DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 
  This code is free software; you can redistribute it and/or modify it
@@ -24,7 +24,7 @@
 <html>
 <!--  
   @test
-  @bug 8005932
+  @bug 8005932 8017456
   @summary Java 7 on mac os x only provides text clipboard formats
   @author mikhail.cherkasov@oracle.com
   @library ../../regtesthelpers

test/java/awt/DataFlavor/MissedHtmlAndRtfBug/MissedHtmlAndRtfBug.java

 /*
- * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2014, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,17 +21,6 @@
  * questions.
  */
 
-/*
-  @bug 8005932
-  @summary Java 7 on mac os x only provides text clipboard formats
-  @author mikhail.cherkasov@oracle.com
-  @library ../../regtesthelpers
-  @library ../../regtesthelpers/process
-  @build Util
-  @build ProcessResults ProcessCommunicator
-  @run applet/othervm MissedHtmlAndRtfBug.html
-*/
-
 import java.awt.*;
 import java.awt.datatransfer.DataFlavor;
 import java.awt.event.*;
@@ -47,6 +36,7 @@ import sun.awt.OSInfo;
 import static java.lang.Thread.sleep;
 
 public class MissedHtmlAndRtfBug extends Applet {
+
     public void init() {
         setLayout(new BorderLayout());
     }//End  init()
@@ -82,9 +72,6 @@ public class MissedHtmlAndRtfBug extends Applet {
         args.add(concatStrings(DataFlavorSearcher.RICH_TEXT_NAMES));
 
         ProcessResults processResults =
-//                ProcessCommunicator.executeChildProcess(this.getClass(), "/Users/mcherkasov/ws/clipboard/DataFlover/out/production/DataFlover" +
-//                        " -Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=y,address=5005 ",
-//                        args.toArray(new String[0]));
                 ProcessCommunicator.executeChildProcess(this.getClass(),
                         "." + File.separator + System.getProperty("java.class.path"), args.toArray(new String[]{}));
 
@@ -117,6 +104,13 @@ public class MissedHtmlAndRtfBug extends Applet {
             throw new RuntimeException("TEST IS FAILED: Target has received" +
                     " corrupted data.");
         }
+        if (InterprocessMessages.NO_DROP_HAPPENED ==
+                processResults.getExitValue()) {
+            processResults.printProcessErrorOutput(System.err);
+            throw new RuntimeException("Error. Drop did not happen." +
+                " Target frame is possibly covered by a window of other application." +
+                " Please, rerun the test with all windows minimized.");
+        }
         processResults.verifyStdErr(System.err);
         processResults.verifyProcessExitValue(System.err);
         processResults.printProcessStandartOutput(System.out);
@@ -184,7 +178,7 @@ public class MissedHtmlAndRtfBug extends Applet {
         }
     }
 
-    public static void main(String[] args) {
+    public static void main(String[] args) throws InterruptedException {
         Point dragSourcePoint = new Point(InterprocessArguments.DRAG_SOURCE_POINT_X_ARGUMENT.extractInt(args),
                 InterprocessArguments.DRAG_SOURCE_POINT_Y_ARGUMENT.extractInt(args));
         Point targetFrameLocation = new Point(InterprocessArguments.TARGET_FRAME_X_POSITION_ARGUMENT.extractInt(args),
@@ -197,6 +191,8 @@ public class MissedHtmlAndRtfBug extends Applet {
         } catch (InterruptedException e) {
             e.printStackTrace();
         }
+        sleep(5000);
+        System.exit(InterprocessMessages.NO_DROP_HAPPENED);
     }
 
 

test/java/security/cert/CertPathBuilder/akiExt/AKISerialNumber.java

+/*
+ * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+/**
+ * @test
+ * @bug 8025708
+ * @summary make sure a PKIX CertPathBuilder can build a path when an
+ *     intermediate CA certificate contains an AKI extension with a key
+ *     identifier and no serial number and the end-entity certificate contains
+ *     an AKI extension with both a key identifier and a serial number.
+ */
+
+import java.io.ByteArrayInputStream;
+import java.security.cert.*;
+import java.util.ArrayList;
+import java.util.Base64;
+import java.util.Collections;
+
+public class AKISerialNumber {
+
+    private static final String ROOT_CERT =
+        "MIICfTCCAeagAwIBAgIBATANBgkqhkiG9w0BAQUFADB3MQ0wCwYDVQQDEwRSb290\n" +
+        "MRYwFAYDVQQLEw1UZXN0IE9yZyBVbml0MREwDwYDVQQKEwhUZXN0IE9yZzEWMBQG\n" +
+        "A1UEBxMNVGVzdCBMb2NhbGl0eTEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czELMAkG\n" +
+        "A1UEBhMCVVMwHhcNMTQwMjAxMDUwMDAwWhcNMjQwMjAxMDUwMDAwWjB3MQ0wCwYD\n" +
+        "VQQDEwRSb290MRYwFAYDVQQLEw1UZXN0IE9yZyBVbml0MREwDwYDVQQKEwhUZXN0\n" +
+        "IE9yZzEWMBQGA1UEBxMNVGVzdCBMb2NhbGl0eTEWMBQGA1UECBMNTWFzc2FjaHVz\n" +
+        "ZXR0czELMAkGA1UEBhMCVVMwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAJvL\n" +
+        "cZu6Rzf9IrduEDjJxEFv5uBvUNMlIAph7NhfmFH9puPW3Ksci4a5yTCzxI9VeVf3\n" +
+        "oYZ/UrZdF+mNZmS23RUh71X5tjMO+xew196M1xNpCRLbjcZ6i4tNdZYkdRIe8ejN\n" +
+        "sbBoD7OAvPbQqTygeG4jYjK6ODofSrba3BndNoFxAgMBAAGjGTAXMBUGA1UdEwEB\n" +
+        "/wQLMAkBAf8CBH////8wDQYJKoZIhvcNAQEFBQADgYEATvCqn69pNHv0zLiZAXk7\n" +
+        "3AKwAoza0wa+1S2rVuZGfBWbV7CxmBHbgcDDbU7/I8pQVkCwOHNkVFnBgNpMuAvU\n" +
+        "aDyrHSNS/av5d1yk5WAuGX2B9mSwZdhnAvtz2fsV1q9NptdF54EkIiKtQQmTGnr9\n" +
+        "TID8CFEk/qje+AB272B1UJw=\n";
+
+    /**
+     * This certificate contains an AuthorityKeyIdentifier with only the
+     * keyIdentifier field filled in.
+     */
+    private static final String INT_CERT_WITH_KEYID_AKI =
+        "MIICqTCCAhKgAwIBAgIBAjANBgkqhkiG9w0BAQUFADB3MQ0wCwYDVQQDEwRSb290\n" +
+        "MRYwFAYDVQQLEw1UZXN0IE9yZyBVbml0MREwDwYDVQQKEwhUZXN0IE9yZzEWMBQG\n" +
+        "A1UEBxMNVGVzdCBMb2NhbGl0eTEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czELMAkG\n" +
+        "A1UEBhMCVVMwHhcNMTQwMjAxMDUwMDAwWhcNMjQwMjAxMDUwMDAwWjCBhDEaMBgG\n" +
+        "A1UEAxMRSW50ZXJtZWRpYXRlIENBIDIxFjAUBgNVBAsTDVRlc3QgT3JnIFVuaXQx\n" +
+        "ETAPBgNVBAoTCFRlc3QgT3JnMRYwFAYDVQQHEw1UZXN0IExvY2FsaXR5MRYwFAYD\n" +
+        "VQQIEw1NYXNzYWNodXNldHRzMQswCQYDVQQGEwJVUzCBnzANBgkqhkiG9w0BAQEF\n" +
+        "AAOBjQAwgYkCgYEAwKTZekCqb9F9T54s2IXjkQbmLIjQamMpkUlZNrpjjNq9CpTT\n" +
+        "POkfxv2UPwzTz3Ij4XFL/kJFBLm8NUOsS5xPJ62pGoZBPw9R0iMTsTce+Fpukqnr\n" +
+        "I+8jTRaAvr0tR3pqrE6uHKg7dWYN2SsWesDia/LHhwEN38yyWtSuTTLo4hcCAwEA\n" +
+        "AaM3MDUwHwYDVR0jBBgwFoAU6gZP1pO8v7+i8gsFf1gWTf/j3PkwEgYDVR0TAQH/\n" +
+        "BAgwBgEB/wIBADANBgkqhkiG9w0BAQUFAAOBgQAQxeQruav4AqQM4gmEfrHr5hOq\n" +
+        "mB2CNJ1ZqVfpDZ8GHijncKTpjNoXzzQtV23Ge+39JHOVBNWtk+aghB3iu6xGq7Qn\n" +
+        "HlBhg9meqHFqd3igDDD/jhABL2/bEo/M9rv6saYWDFZ8nCIEE6iTLTpRRko4W2Xb\n" +
+        "DyzMzMsO1kPNrJaxRg==\n";
+
+    /**
+     * This certificate contains an AuthorityKeyIdentifier with all 3 fields
+     * (keyIdentifier, authorityCertIssuer, and authorityCertSerialNumber)
+     * filled in.
+     */
+    private static final String EE_CERT_WITH_FULL_AKI =
+        "MIIDLjCCApegAwIBAgIBAzANBgkqhkiG9w0BAQUFADCBhDEaMBgGA1UEAxMRSW50\n" +
+        "ZXJtZWRpYXRlIENBIDIxFjAUBgNVBAsTDVRlc3QgT3JnIFVuaXQxETAPBgNVBAoT\n" +
+        "CFRlc3QgT3JnMRYwFAYDVQQHEw1UZXN0IExvY2FsaXR5MRYwFAYDVQQIEw1NYXNz\n" +
+        "YWNodXNldHRzMQswCQYDVQQGEwJVUzAeFw0xNDAyMDEwNTAwMDBaFw0yNDAyMDEw\n" +
+        "NTAwMDBaMH0xEzARBgNVBAMTCkVuZCBFbnRpdHkxFjAUBgNVBAsTDVRlc3QgT3Jn\n" +
+        "IFVuaXQxETAPBgNVBAoTCFRlc3QgT3JnMRYwFAYDVQQHEw1UZXN0IExvY2FsaXR5\n" +
+        "MRYwFAYDVQQIEw1NYXNzYWNodXNldHRzMQswCQYDVQQGEwJVUzCBnzANBgkqhkiG\n" +
+        "9w0BAQEFAAOBjQAwgYkCgYEAqady46PdwlKHVP1iaP11CxVyL6cDlPjpwhHCcIUv\n" +
+        "nKHbzdamqmHebDcWVBNN/I0TLNCl3ga7n8KyygSN379fG7haU8SNjpy4IDAXM0/x\n" +
+        "mwTWNTbKfJEkSoiqx1WUy2JTzRUMhgYPguQNECPxBXAdQrthZ7wQosv6Ro2ySP9O\n" +
+        "YqsCAwEAAaOBtTCBsjCBoQYDVR0jBIGZMIGWgBQdeoKxTvlTgW2KgprD69vgHV4X\n" +
+        "kKF7pHkwdzENMAsGA1UEAxMEUm9vdDEWMBQGA1UECxMNVGVzdCBPcmcgVW5pdDER\n" +
+        "MA8GA1UEChMIVGVzdCBPcmcxFjAUBgNVBAcTDVRlc3QgTG9jYWxpdHkxFjAUBgNV\n" +
+        "BAgTDU1hc3NhY2h1c2V0dHMxCzAJBgNVBAYTAlVTggECMAwGA1UdEwEB/wQCMAAw\n" +
+        "DQYJKoZIhvcNAQEFBQADgYEAuG4mM1nLF7STQWwmceELZEl49ntapH/RVoekknmd\n" +
+        "aNzcL4XQf6BTl8KFUXuThHaukQnGIzFbSZV0hrpSQ5fTN2cSZgD4Fji+HuNURmmd\n" +
+        "+Kayl0piHyO1FSbrty0TFhlVNvzKXjmMp6Jdn42KyGOSCoROQcvUWN6xkV3Hvrei\n" +
+        "0ZE=\n";
+
+    private static Base64.Decoder b64Decoder = Base64.getMimeDecoder();
+    private static CertificateFactory cf;
+
+    public static void main(String[] args) throws Exception {
+
+        cf = CertificateFactory.getInstance("X.509");
+
+        X509Certificate rootCert = getCertFromMimeEncoding(ROOT_CERT);
+        TrustAnchor anchor = new TrustAnchor(rootCert, null);
+
+        X509Certificate eeCert = getCertFromMimeEncoding(EE_CERT_WITH_FULL_AKI);
+        X509Certificate intCert = getCertFromMimeEncoding(INT_CERT_WITH_KEYID_AKI);
+
+        X509CertSelector sel = new X509CertSelector();
+        sel.setCertificate(eeCert);
+        PKIXBuilderParameters params = new PKIXBuilderParameters
+            (Collections.singleton(anchor), sel);
+        params.setRevocationEnabled(false);
+
+        ArrayList<X509Certificate> certs = new ArrayList<>();
+        certs.add(intCert);
+        certs.add(eeCert);
+        CollectionCertStoreParameters ccsp =
+            new CollectionCertStoreParameters(certs);
+        CertStore cs = CertStore.getInstance("Collection", ccsp);
+        params.addCertStore(cs);
+
+        CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
+        CertPathBuilderResult res = cpb.build(params);
+    }
+
+    private static X509Certificate getCertFromMimeEncoding(String encoded)
+        throws CertificateException
+    {
+        byte[] bytes = b64Decoder.decode(encoded);
+        ByteArrayInputStream stream = new ByteArrayInputStream(bytes);
+        return (X509Certificate)cf.generateCertificate(stream);
+    }
+}

test/sun/management/jmxremote/startstop/JMXStartStopTest.java

@@ -25,6 +25,7 @@ import java.io.File;
 import java.io.IOException;
 import java.lang.reflect.Method;
 import java.net.ConnectException;
+import java.net.ServerSocket;
 import java.rmi.NoSuchObjectException;
 import java.rmi.registry.LocateRegistry;
 import java.rmi.registry.Registry;
@@ -255,26 +256,23 @@ public class JMXStartStopTest {
     private static List<Failure> failures = new ArrayList<>();
 
     public static void main(String args[]) throws Exception {
-        for (int i=0;i<3;i++) {
-            System.out.println("=== PASS " + i + " ===");
-            for (Method m : JMXStartStopTest.class.getDeclaredMethods()) {
-                if (m.getName().startsWith("test_")) {
-                    try {
-                        m.invoke(null);
-                        System.out.println("=== PASSED\n");
-                    } catch (Throwable e) {
-                        failures.add(new Failure(e, m.getName() + " failed"));
-                    }
+        for (Method m : JMXStartStopTest.class.getDeclaredMethods()) {
+            if (m.getName().startsWith("test_")) {
+                try {
+                    m.invoke(null);
+                    System.out.println("=== PASSED\n");
+                } catch (Throwable e) {
+                    failures.add(new Failure(e, m.getName() + " failed"));
                 }
             }
+        }
 
-            if (!failures.isEmpty()) {
-                for(Failure f : failures) {
-                    System.err.println(f.getMsg());
-                    f.getCause().printStackTrace(System.err);
-                }
-                throw new Error();
+        if (!failures.isEmpty()) {
+            for(Failure f : failures) {
+                System.err.println(f.getMsg());
+                f.getCause().printStackTrace(System.err);
             }
+            throw new Error();
         }
     }
 
@@ -371,6 +369,7 @@ public class JMXStartStopTest {
         ));
         pbArgs.addAll(Arrays.asList(args));
         pbArgs.add("JMXStartStopDoSomething");
+
         ProcessBuilder pb = ProcessTools.createJavaProcessBuilder(
             pbArgs.toArray(new String[pbArgs.size()])
         );
@@ -596,14 +595,16 @@ public class JMXStartStopTest {
             jcmd(CMD_STOP);
             jcmd(CMD_STOP);
 
+            ServerSocket ss = new ServerSocket(0);
+
             jcmd(
                 line -> {
-                    if (line.contains("Port already in use: 22")) {
+                    if (line.contains("Port already in use: " + ss.getLocalPort())) {
                         checks[2] = true;
                     }
                 },
                 CMD_START,
-                "jmxremote.port=22",
+                "jmxremote.port=" + ss.getLocalPort(),
                 "jmxremote.rmi.port=" + port2,
                 "jmxremote.authenticate=false",
                 "jmxremote.ssl=false");
@@ -616,7 +617,7 @@ public class JMXStartStopTest {
                                     "report an invalid agent state");
             }
             if (!checks[2]) {
-                throw new Exception("Starting agent on port 22 should " +
+                throw new Exception("Starting agent on port " + ss.getLocalPort() + " should " +
                                     "report port in use");
             }
         } finally {
@@ -627,7 +628,7 @@ public class JMXStartStopTest {
     private static void test_07() throws Exception {
         // Run an app without JMX enabled, but with some properties set
         // in command line.
-        // make sure these properties overriden corectly
+        // make sure these properties overridden corectly
 
         System.out.println("**** Test seven ****");
 
@@ -654,7 +655,7 @@ public class JMXStartStopTest {
         // Run an app with JMX enabled and with some properties set
         // in command line.
         // stop JMX agent and then start it again with different property values
-        // make sure these properties overriden corectly
+        // make sure these properties overridden corectly
 
         System.out.println("**** Test eight ****");
 
@@ -690,7 +691,7 @@ public class JMXStartStopTest {
         // stop JMX agent and then start it again with different property values
         // specifing some property in management config file and some of them
         // in command line
-        // make sure these properties overriden corectly
+        // make sure these properties overridden corectly
 
         System.out.println("**** Test nine ****");
 
@@ -725,7 +726,7 @@ public class JMXStartStopTest {
         // in command line.
         // stop JMX agent and then start it again with different property values
         // stop JMX agent again and then start it without property value
-        // make sure these properties overriden corectly
+        // make sure these properties overridden corectly
 
         System.out.println("**** Test ten ****");
 
@@ -800,7 +801,7 @@ public class JMXStartStopTest {
         // Run an app with -javaagent make sure it works as expected -
         // system properties are ignored
 
-        System.out.println("**** Test fourteen ****");
+        System.out.println("**** Test thirteen ****");
 
         String agent = TEST_JDK + "/jre/lib/management-agent.jar";
         if (!new File(agent).exists()) {