ECB, CFB, OFB,
+ * This class implements the DESede algorithm (DES-EDE, tripleDES) in
+ * its various modes (ECB, CFB, OFB,
* CBC, PCBC) and padding schemes
* (PKCS5Padding, NoPadding,
* ISO10126Padding).
diff --git a/src/share/classes/com/sun/crypto/provider/DHPrivateKey.java b/src/share/classes/com/sun/crypto/provider/DHPrivateKey.java
index f83ae597b52ea68c7839653d94eeac74fefa379a..4af003d68ae791e3c26298b7a556bb925c0cbb7f 100644
--- a/src/share/classes/com/sun/crypto/provider/DHPrivateKey.java
+++ b/src/share/classes/com/sun/crypto/provider/DHPrivateKey.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -190,7 +190,8 @@ javax.crypto.interfaces.DHPrivateKey, Serializable {
ike.initCause(e);
throw ike;
} catch (IOException e) {
- InvalidKeyException ike = new InvalidKeyException("Error parsing key encoding: " + e.getMessage());
+ InvalidKeyException ike = new InvalidKeyException(
+ "Error parsing key encoding: " + e.getMessage());
ike.initCause(e);
throw ike;
}
@@ -300,7 +301,8 @@ javax.crypto.interfaces.DHPrivateKey, Serializable {
DerInputStream in = new DerInputStream(this.key);
this.x = in.getBigInteger();
} catch (IOException e) {
- InvalidKeyException ike = new InvalidKeyException("Error parsing key encoding: " + e.getMessage());
+ InvalidKeyException ike = new InvalidKeyException(
+ "Error parsing key encoding: " + e.getMessage());
ike.initCause(e);
throw ike;
}
diff --git a/src/share/classes/com/sun/crypto/provider/DHPublicKey.java b/src/share/classes/com/sun/crypto/provider/DHPublicKey.java
index 9318fbd8caf59919ecc412d3a2f684b810c267d4..46bf6024dd446f3652ff700a81cfea236e72b790 100644
--- a/src/share/classes/com/sun/crypto/provider/DHPublicKey.java
+++ b/src/share/classes/com/sun/crypto/provider/DHPublicKey.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -180,7 +180,8 @@ javax.crypto.interfaces.DHPublicKey, Serializable {
throw new InvalidKeyException("Private-value length too big");
} catch (IOException e) {
- throw new InvalidKeyException("Error parsing key encoding: " + e.toString());
+ throw new InvalidKeyException(
+ "Error parsing key encoding: " + e.toString());
}
}
@@ -281,7 +282,8 @@ javax.crypto.interfaces.DHPublicKey, Serializable {
DerInputStream in = new DerInputStream(this.key);
this.y = in.getBigInteger();
} catch (IOException e) {
- throw new InvalidKeyException("Error parsing key encoding: " + e.toString());
+ throw new InvalidKeyException(
+ "Error parsing key encoding: " + e.toString());
}
}
diff --git a/src/share/classes/com/sun/crypto/provider/JceKeyStore.java b/src/share/classes/com/sun/crypto/provider/JceKeyStore.java
index 5d54688069914ee0cbca6bd7208f386c44cdc31a..1f37e18579661251f15454cb9036a4af64aff0f1 100644
--- a/src/share/classes/com/sun/crypto/provider/JceKeyStore.java
+++ b/src/share/classes/com/sun/crypto/provider/JceKeyStore.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1998, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -764,7 +764,8 @@ public final class JceKeyStore extends KeyStoreSpi {
cf = (CertificateFactory)cfs.get(certType);
} else {
// create new certificate factory
- cf = CertificateFactory.getInstance(certType);
+ cf = CertificateFactory.getInstance(
+ certType);
// store the certificate factory so we can
// reuse it later
cfs.put(certType, cf);
@@ -863,8 +864,9 @@ public final class JceKeyStore extends KeyStoreSpi {
dis.readFully(actual);
for (int i = 0; i < computed.length; i++) {
if (computed[i] != actual[i]) {
- throw new IOException("Keystore was tampered with, or "
- + "password was incorrect");
+ throw new IOException(
+ "Keystore was tampered with, or "
+ + "password was incorrect");
}
}
}
diff --git a/src/share/classes/com/sun/crypto/provider/OAEPParameters.java b/src/share/classes/com/sun/crypto/provider/OAEPParameters.java
index 65a85e753315ed68b10c598d457c11c2ecc865c8..07d613babe8b757f1759e5c23f3c092ef0238b58 100644
--- a/src/share/classes/com/sun/crypto/provider/OAEPParameters.java
+++ b/src/share/classes/com/sun/crypto/provider/OAEPParameters.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -139,7 +139,8 @@ public final class OAEPParameters extends AlgorithmParametersSpi {
if (!val.getOID().equals((Object) OID_MGF1)) {
throw new IOException("Only MGF1 mgf is supported");
}
- AlgorithmId params = AlgorithmId.parse(new DerValue(val.getEncodedParams()));
+ AlgorithmId params = AlgorithmId.parse(
+ new DerValue(val.getEncodedParams()));
String mgfDigestName = convertToStandardName(params.getName());
if (mgfDigestName.equals("SHA-1")) {
mgfSpec = MGF1ParameterSpec.SHA1;
@@ -150,7 +151,8 @@ public final class OAEPParameters extends AlgorithmParametersSpi {
} else if (mgfDigestName.equals("SHA-512")) {
mgfSpec = MGF1ParameterSpec.SHA512;
} else {
- throw new IOException("Unrecognized message digest algorithm");
+ throw new IOException(
+ "Unrecognized message digest algorithm");
}
} else if (data.isContextSpecific((byte) 0x02)) {
// pSource algid
diff --git a/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java b/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java
index c5c0d844912f832de73bb0483fecc4a45060a282..7f74609c002aeb0720e7d23a4ce6190a0ecfe536 100644
--- a/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java
+++ b/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -121,8 +121,8 @@ final class PBKDF2KeyImpl implements javax.crypto.interfaces.PBEKey {
this.key = deriveKey(prf, passwdBytes, salt, iterCount, keyLength);
}
- private static byte[] deriveKey(final Mac prf, final byte[] password, byte[] salt,
- int iterCount, int keyLengthInBit) {
+ private static byte[] deriveKey(final Mac prf, final byte[] password,
+ byte[] salt, int iterCount, int keyLengthInBit) {
int keyLength = keyLengthInBit/8;
byte[] key = new byte[keyLength];
try {
@@ -155,8 +155,9 @@ final class PBKDF2KeyImpl implements javax.crypto.interfaces.PBEKey {
if (this == obj) return true;
if (this.getClass() != obj.getClass()) return false;
SecretKey sk = (SecretKey)obj;
- return prf.getAlgorithm().equalsIgnoreCase(sk.getAlgorithm()) &&
- Arrays.equals(password, sk.getEncoded());
+ return prf.getAlgorithm().equalsIgnoreCase(
+ sk.getAlgorithm()) &&
+ Arrays.equals(password, sk.getEncoded());
}
};
prf.init(macKey);
diff --git a/src/share/classes/com/sun/crypto/provider/PKCS12PBECipherCore.java b/src/share/classes/com/sun/crypto/provider/PKCS12PBECipherCore.java
index fce352f1d3c651a58ca24762fca9c3d2585e88eb..e091e90e2c116835e891e9c3150ffe74172658ef 100644
--- a/src/share/classes/com/sun/crypto/provider/PKCS12PBECipherCore.java
+++ b/src/share/classes/com/sun/crypto/provider/PKCS12PBECipherCore.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -206,7 +206,8 @@ final class PKCS12PBECipherCore {
(algo.equalsIgnoreCase("RC2")?"RC2_40":algo), "SunJCE");
} catch (GeneralSecurityException gse) {
// should never happen
- throw new RuntimeException("SunJCE provider is not configured properly");
+ throw new RuntimeException(
+ "SunJCE provider is not configured properly");
}
try {
params.init(pbeSpec);
@@ -316,7 +317,8 @@ final class PKCS12PBECipherCore {
try {
paramSpec = params.getParameterSpec(PBEParameterSpec.class);
} catch (InvalidParameterSpecException ipse) {
- throw new InvalidAlgorithmParameterException("requires PBE parameters");
+ throw new InvalidAlgorithmParameterException(
+ "requires PBE parameters");
}
}
implInit(opmode, key, paramSpec, random);
diff --git a/src/share/classes/com/sun/crypto/provider/SunJCE.java b/src/share/classes/com/sun/crypto/provider/SunJCE.java
index df68b11aaebfbbb1e254e9d84c15c6c8a13918b9..4b53f84fedc0fc63cc1ee933503afb3b3e2551a5 100644
--- a/src/share/classes/com/sun/crypto/provider/SunJCE.java
+++ b/src/share/classes/com/sun/crypto/provider/SunJCE.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -423,15 +423,31 @@ public final class SunJCE extends Provider {
/*
* SSL/TLS mechanisms
+ *
+ * These are strictly internal implementations and may
+ * be changed at any time. These names were chosen
+ * because PKCS11/SunPKCS11 does not yet have TLS1.2
+ * mechanisms, and it will cause calls to come here.
*/
put("KeyGenerator.SunTlsPrf",
- "com.sun.crypto.provider.TlsPrfGenerator");
- put("KeyGenerator.SunTlsRsaPremasterSecret",
- "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator");
+ "com.sun.crypto.provider.TlsPrfGenerator$V10");
+ put("KeyGenerator.SunTls12Prf",
+ "com.sun.crypto.provider.TlsPrfGenerator$V12");
+
put("KeyGenerator.SunTlsMasterSecret",
- "com.sun.crypto.provider.TlsMasterSecretGenerator");
+ "com.sun.crypto.provider.TlsMasterSecretGenerator");
+ put("Alg.Alias.KeyGenerator.SunTls12MasterSecret",
+ "SunTlsMasterSecret");
+
put("KeyGenerator.SunTlsKeyMaterial",
- "com.sun.crypto.provider.TlsKeyMaterialGenerator");
+ "com.sun.crypto.provider.TlsKeyMaterialGenerator");
+ put("Alg.Alias.KeyGenerator.SunTls12KeyMaterial",
+ "SunTlsKeyMaterial");
+
+ put("KeyGenerator.SunTlsRsaPremasterSecret",
+ "com.sun.crypto.provider.TlsRsaPremasterSecretGenerator");
+ put("Alg.Alias.KeyGenerator.SunTls12RsaPremasterSecret",
+ "SunTlsRsaPremasterSecret");
return null;
}
diff --git a/src/share/classes/com/sun/crypto/provider/TlsKeyMaterialGenerator.java b/src/share/classes/com/sun/crypto/provider/TlsKeyMaterialGenerator.java
index 91a8d3b5a99230eb3e248c5a5236e92e67ed0202..8e4f6a15d8e5f7dfd1cc07bc8319c60128bf3834 100644
--- a/src/share/classes/com/sun/crypto/provider/TlsKeyMaterialGenerator.java
+++ b/src/share/classes/com/sun/crypto/provider/TlsKeyMaterialGenerator.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -65,12 +65,14 @@ public final class TlsKeyMaterialGenerator extends KeyGeneratorSpi {
}
this.spec = (TlsKeyMaterialParameterSpec)params;
if ("RAW".equals(spec.getMasterSecret().getFormat()) == false) {
- throw new InvalidAlgorithmParameterException("Key format must be RAW");
+ throw new InvalidAlgorithmParameterException(
+ "Key format must be RAW");
}
- protocolVersion = (spec.getMajorVersion() << 8) | spec.getMinorVersion();
- if ((protocolVersion < 0x0300) || (protocolVersion > 0x0302)) {
- throw new InvalidAlgorithmParameterException
- ("Only SSL 3.0, TLS 1.0, and TLS 1.1 supported");
+ protocolVersion = (spec.getMajorVersion() << 8)
+ | spec.getMinorVersion();
+ if ((protocolVersion < 0x0300) || (protocolVersion > 0x0303)) {
+ throw new InvalidAlgorithmParameterException(
+ "Only SSL 3.0, TLS 1.0/1.1/1.2 supported");
}
}
@@ -80,8 +82,8 @@ public final class TlsKeyMaterialGenerator extends KeyGeneratorSpi {
protected SecretKey engineGenerateKey() {
if (spec == null) {
- throw new IllegalStateException
- ("TlsKeyMaterialGenerator must be initialized");
+ throw new IllegalStateException(
+ "TlsKeyMaterialGenerator must be initialized");
}
try {
return engineGenerateKey0();
@@ -99,8 +101,8 @@ public final class TlsKeyMaterialGenerator extends KeyGeneratorSpi {
SecretKey clientMacKey = null;
SecretKey serverMacKey = null;
SecretKey clientCipherKey = null;
- IvParameterSpec clientIv = null;
SecretKey serverCipherKey = null;
+ IvParameterSpec clientIv = null;
IvParameterSpec serverIv = null;
int macLength = spec.getMacKeyLength();
@@ -109,21 +111,33 @@ public final class TlsKeyMaterialGenerator extends KeyGeneratorSpi {
int keyLength = spec.getCipherKeyLength();
int ivLength = spec.getIvLength();
- int keyBlockLen = macLength + keyLength + (isExportable ? 0 : ivLength);
+ int keyBlockLen = macLength + keyLength
+ + (isExportable ? 0 : ivLength);
keyBlockLen <<= 1;
byte[] keyBlock = new byte[keyBlockLen];
- MessageDigest md5 = MessageDigest.getInstance("MD5");
- MessageDigest sha = MessageDigest.getInstance("SHA1");
+ // These may be used again later for exportable suite calculations.
+ MessageDigest md5 = null;
+ MessageDigest sha = null;
// generate key block
- if (protocolVersion >= 0x0301) {
- // TLS
+ if (protocolVersion >= 0x0303) {
+ // TLS 1.2
+ byte[] seed = concat(serverRandom, clientRandom);
+ keyBlock = doTLS12PRF(masterSecret, LABEL_KEY_EXPANSION, seed,
+ keyBlockLen, spec.getPRFHashAlg(),
+ spec.getPRFHashLength(), spec.getPRFBlockSize());
+ } else if (protocolVersion >= 0x0301) {
+ // TLS 1.0/1.1
+ md5 = MessageDigest.getInstance("MD5");
+ sha = MessageDigest.getInstance("SHA1");
byte[] seed = concat(serverRandom, clientRandom);
- keyBlock = doPRF(masterSecret, LABEL_KEY_EXPANSION, seed,
+ keyBlock = doTLS10PRF(masterSecret, LABEL_KEY_EXPANSION, seed,
keyBlockLen, md5, sha);
} else {
// SSL
+ md5 = MessageDigest.getInstance("MD5");
+ sha = MessageDigest.getInstance("SHA1");
keyBlock = new byte[keyBlockLen];
byte[] tmp = new byte[20];
@@ -169,6 +183,7 @@ public final class TlsKeyMaterialGenerator extends KeyGeneratorSpi {
String alg = spec.getCipherAlgorithm();
+ // cipher keys
byte[] clientKeyBytes = new byte[keyLength];
System.arraycopy(keyBlock, ofs, clientKeyBytes, 0, keyLength);
ofs += keyLength;
@@ -182,6 +197,7 @@ public final class TlsKeyMaterialGenerator extends KeyGeneratorSpi {
clientCipherKey = new SecretKeySpec(clientKeyBytes, alg);
serverCipherKey = new SecretKeySpec(serverKeyBytes, alg);
+ // IV keys if needed.
if (ivLength != 0) {
tmp = new byte[ivLength];
@@ -194,21 +210,28 @@ public final class TlsKeyMaterialGenerator extends KeyGeneratorSpi {
serverIv = new IvParameterSpec(tmp);
}
} else {
+ // if exportable suites, calculate the alternate
// cipher key expansion and IV generation
- if (protocolVersion >= 0x0301) {
+ if (protocolVersion >= 0x0302) {
+ // TLS 1.1+
+ throw new RuntimeException(
+ "Internal Error: TLS 1.1+ should not be negotiating" +
+ "exportable ciphersuites");
+ } else if (protocolVersion == 0x0301) {
+ // TLS 1.0
byte[] seed = concat(clientRandom, serverRandom);
- tmp = doPRF(clientKeyBytes, LABEL_CLIENT_WRITE_KEY, seed,
+ tmp = doTLS10PRF(clientKeyBytes, LABEL_CLIENT_WRITE_KEY, seed,
expandedKeyLength, md5, sha);
clientCipherKey = new SecretKeySpec(tmp, alg);
- tmp = doPRF(serverKeyBytes, LABEL_SERVER_WRITE_KEY, seed,
+ tmp = doTLS10PRF(serverKeyBytes, LABEL_SERVER_WRITE_KEY, seed,
expandedKeyLength, md5, sha);
serverCipherKey = new SecretKeySpec(tmp, alg);
if (ivLength != 0) {
tmp = new byte[ivLength];
- byte[] block = doPRF(null, LABEL_IV_BLOCK, seed,
+ byte[] block = doTLS10PRF(null, LABEL_IV_BLOCK, seed,
ivLength << 1, md5, sha);
System.arraycopy(block, 0, tmp, 0, ivLength);
clientIv = new IvParameterSpec(tmp);
@@ -216,6 +239,7 @@ public final class TlsKeyMaterialGenerator extends KeyGeneratorSpi {
serverIv = new IvParameterSpec(tmp);
}
} else {
+ // SSLv3
tmp = new byte[expandedKeyLength];
md5.update(clientKeyBytes);
diff --git a/src/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java b/src/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java
index 9a6fb80180268d0f79b27195d4e423cfbffcd5c1..1d5e97aefbf26d1b5a730c8799bd7a5b68c927c4 100644
--- a/src/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java
+++ b/src/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -64,12 +64,14 @@ public final class TlsMasterSecretGenerator extends KeyGeneratorSpi {
}
this.spec = (TlsMasterSecretParameterSpec)params;
if ("RAW".equals(spec.getPremasterSecret().getFormat()) == false) {
- throw new InvalidAlgorithmParameterException("Key format must be RAW");
+ throw new InvalidAlgorithmParameterException(
+ "Key format must be RAW");
}
- protocolVersion = (spec.getMajorVersion() << 8) | spec.getMinorVersion();
- if ((protocolVersion < 0x0300) || (protocolVersion > 0x0302)) {
- throw new InvalidAlgorithmParameterException
- ("Only SSL 3.0, TLS 1.0, and TLS 1.1 supported");
+ protocolVersion = (spec.getMajorVersion() << 8)
+ | spec.getMinorVersion();
+ if ((protocolVersion < 0x0300) || (protocolVersion > 0x0303)) {
+ throw new InvalidAlgorithmParameterException(
+ "Only SSL 3.0, TLS 1.0/1.1/1.2 supported");
}
}
@@ -79,8 +81,8 @@ public final class TlsMasterSecretGenerator extends KeyGeneratorSpi {
protected SecretKey engineGenerateKey() {
if (spec == null) {
- throw new IllegalStateException
- ("TlsMasterSecretGenerator must be initialized");
+ throw new IllegalStateException(
+ "TlsMasterSecretGenerator must be initialized");
}
SecretKey premasterKey = spec.getPremasterSecret();
byte[] premaster = premasterKey.getEncoded();
@@ -103,7 +105,11 @@ public final class TlsMasterSecretGenerator extends KeyGeneratorSpi {
if (protocolVersion >= 0x0301) {
byte[] seed = concat(clientRandom, serverRandom);
- master = doPRF(premaster, LABEL_MASTER_SECRET, seed, 48);
+ master = ((protocolVersion >= 0x0303) ?
+ doTLS12PRF(premaster, LABEL_MASTER_SECRET, seed, 48,
+ spec.getPRFHashAlg(), spec.getPRFHashLength(),
+ spec.getPRFBlockSize()) :
+ doTLS10PRF(premaster, LABEL_MASTER_SECRET, seed, 48));
} else {
master = new byte[48];
MessageDigest md5 = MessageDigest.getInstance("MD5");
@@ -124,7 +130,8 @@ public final class TlsMasterSecretGenerator extends KeyGeneratorSpi {
}
- return new TlsMasterSecretKey(master, premasterMajor, premasterMinor);
+ return new TlsMasterSecretKey(master, premasterMajor,
+ premasterMinor);
} catch (NoSuchAlgorithmException e) {
throw new ProviderException(e);
} catch (DigestException e) {
diff --git a/src/share/classes/com/sun/crypto/provider/TlsPrfGenerator.java b/src/share/classes/com/sun/crypto/provider/TlsPrfGenerator.java
index f73045e6eb26a357f7df9a261a404422d350dae7..137ba255c339928bf0a15c34efb04ae2a92ce9f6 100644
--- a/src/share/classes/com/sun/crypto/provider/TlsPrfGenerator.java
+++ b/src/share/classes/com/sun/crypto/provider/TlsPrfGenerator.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -37,11 +37,15 @@ import sun.security.internal.spec.TlsPrfParameterSpec;
/**
* KeyGenerator implementation for the TLS PRF function.
+ * + * This class duplicates the HMAC functionality (RFC 2104) with + * performance optimizations (e.g. XOR'ing keys with padding doesn't + * need to be redone for each HMAC operation). * * @author Andreas Sterbenz * @since 1.6 */ -public final class TlsPrfGenerator extends KeyGeneratorSpi { +abstract class TlsPrfGenerator extends KeyGeneratorSpi { // magic constants and utility functions, also used by other files // in this package @@ -69,8 +73,10 @@ public final class TlsPrfGenerator extends KeyGeneratorSpi { * TLS HMAC "inner" and "outer" padding. This isn't a function * of the digest algorithm. */ - private static final byte[] HMAC_ipad = genPad((byte)0x36, 64); - private static final byte[] HMAC_opad = genPad((byte)0x5c, 64); + private static final byte[] HMAC_ipad64 = genPad((byte)0x36, 64); + private static final byte[] HMAC_ipad128 = genPad((byte)0x36, 128); + private static final byte[] HMAC_opad64 = genPad((byte)0x5c, 64); + private static final byte[] HMAC_opad128 = genPad((byte)0x5c, 128); // SSL3 magic mix constants ("A", "BB", "CCC", ...) final static byte[][] SSL3_CONST = genConst(); @@ -123,8 +129,8 @@ public final class TlsPrfGenerator extends KeyGeneratorSpi { this.spec = (TlsPrfParameterSpec)params; SecretKey key = spec.getSecret(); if ((key != null) && ("RAW".equals(key.getFormat()) == false)) { - throw new InvalidAlgorithmParameterException - ("Key encoding format must be RAW"); + throw new InvalidAlgorithmParameterException( + "Key encoding format must be RAW"); } } @@ -132,17 +138,21 @@ public final class TlsPrfGenerator extends KeyGeneratorSpi { throw new InvalidParameterException(MSG); } - protected SecretKey engineGenerateKey() { + SecretKey engineGenerateKey0(boolean tls12) { if (spec == null) { - throw new IllegalStateException - ("TlsPrfGenerator must be initialized"); + throw new IllegalStateException( + "TlsPrfGenerator must be initialized"); } SecretKey key = spec.getSecret(); byte[] secret = (key == null) ? null : key.getEncoded(); try { byte[] labelBytes = spec.getLabel().getBytes("UTF8"); int n = spec.getOutputLength(); - byte[] prfBytes = doPRF(secret, labelBytes, spec.getSeed(), n); + byte[] prfBytes = (tls12 ? + doTLS12PRF(secret, labelBytes, spec.getSeed(), n, + spec.getPRFHashAlg(), spec.getPRFHashLength(), + spec.getPRFBlockSize()) : + doTLS10PRF(secret, labelBytes, spec.getSeed(), n)); return new SecretKeySpec(prfBytes, "TlsPrf"); } catch (GeneralSecurityException e) { throw new ProviderException("Could not generate PRF", e); @@ -151,16 +161,67 @@ public final class TlsPrfGenerator extends KeyGeneratorSpi { } } - static final byte[] doPRF(byte[] secret, byte[] labelBytes, byte[] seed, - int outputLength) throws NoSuchAlgorithmException, DigestException { + static byte[] doTLS12PRF(byte[] secret, byte[] labelBytes, + byte[] seed, int outputLength, + String prfHash, int prfHashLength, int prfBlockSize) + throws NoSuchAlgorithmException, DigestException { + if (prfHash == null) { + throw new NoSuchAlgorithmException("Unspecified PRF algorithm"); + } + MessageDigest prfMD = MessageDigest.getInstance(prfHash); + return doTLS12PRF(secret, labelBytes, seed, outputLength, + prfMD, prfHashLength, prfBlockSize); + } + + static byte[] doTLS12PRF(byte[] secret, byte[] labelBytes, + byte[] seed, int outputLength, + MessageDigest mdPRF, int mdPRFLen, int mdPRFBlockSize) + throws DigestException { + + if (secret == null) { + secret = B0; + } + + // If we have a long secret, digest it first. + if (secret.length > mdPRFBlockSize) { + secret = mdPRF.digest(secret); + } + + byte[] output = new byte[outputLength]; + byte [] ipad; + byte [] opad; + + switch (mdPRFBlockSize) { + case 64: + ipad = HMAC_ipad64.clone(); + opad = HMAC_opad64.clone(); + break; + case 128: + ipad = HMAC_ipad128.clone(); + opad = HMAC_opad128.clone(); + break; + default: + throw new DigestException("Unexpected block size."); + } + + // P_HASH(Secret, label + seed) + expand(mdPRF, mdPRFLen, secret, 0, secret.length, labelBytes, + seed, output, ipad, opad); + + return output; + } + + static byte[] doTLS10PRF(byte[] secret, byte[] labelBytes, + byte[] seed, int outputLength) throws NoSuchAlgorithmException, + DigestException { MessageDigest md5 = MessageDigest.getInstance("MD5"); MessageDigest sha = MessageDigest.getInstance("SHA1"); - return doPRF(secret, labelBytes, seed, outputLength, md5, sha); + return doTLS10PRF(secret, labelBytes, seed, outputLength, md5, sha); } - static final byte[] doPRF(byte[] secret, byte[] labelBytes, byte[] seed, - int outputLength, MessageDigest md5, MessageDigest sha) - throws DigestException { + static byte[] doTLS10PRF(byte[] secret, byte[] labelBytes, + byte[] seed, int outputLength, MessageDigest md5, + MessageDigest sha) throws DigestException { /* * Split the secret into two halves S1 and S2 of same length. * S1 is taken from the first half of the secret, S2 from the @@ -183,10 +244,12 @@ public final class TlsPrfGenerator extends KeyGeneratorSpi { byte[] output = new byte[outputLength]; // P_MD5(S1, label + seed) - expand(md5, 16, secret, 0, seclen, labelBytes, seed, output); + expand(md5, 16, secret, 0, seclen, labelBytes, seed, output, + HMAC_ipad64.clone(), HMAC_opad64.clone()); // P_SHA-1(S2, label + seed) - expand(sha, 20, secret, off, seclen, labelBytes, seed, output); + expand(sha, 20, secret, off, seclen, labelBytes, seed, output, + HMAC_ipad64.clone(), HMAC_opad64.clone()); return output; } @@ -201,16 +264,13 @@ public final class TlsPrfGenerator extends KeyGeneratorSpi { * @param seed the seed * @param output the output array */ - private static final void expand(MessageDigest digest, int hmacSize, + private static void expand(MessageDigest digest, int hmacSize, byte[] secret, int secOff, int secLen, byte[] label, byte[] seed, - byte[] output) throws DigestException { + byte[] output, byte[] pad1, byte[] pad2) throws DigestException { /* * modify the padding used, by XORing the key into our copy of that * padding. That's to avoid doing that for each HMAC computation. */ - byte[] pad1 = HMAC_ipad.clone(); - byte[] pad2 = HMAC_opad.clone(); - for (int i = 0; i < secLen; i++) { pad1[i] ^= secret[i + secOff]; pad2[i] ^= secret[i + secOff]; @@ -275,7 +335,34 @@ public final class TlsPrfGenerator extends KeyGeneratorSpi { } remaining -= k; } + } + /** + * A KeyGenerator implementation that supports TLS 1.2. + *
+ * TLS 1.2 uses a different hash algorithm than 1.0/1.1 for the PRF
+ * calculations. As of 2010, there is no PKCS11-level support for TLS
+ * 1.2 PRF calculations, and no known OS's have an internal variant
+ * we could use. Therefore for TLS 1.2, we are updating JSSE to request
+ * a different provider algorithm: "SunTls12Prf". If we reused the
+ * name "SunTlsPrf", the PKCS11 provider would need be updated to
+ * fail correctly when presented with the wrong version number
+ * (via Provider.Service.supportsParameters()), and add the
+ * appropriate supportsParamters() checks into KeyGenerators (not
+ * currently there).
+ */
+ static public class V12 extends TlsPrfGenerator {
+ protected SecretKey engineGenerateKey() {
+ return engineGenerateKey0(true);
+ }
}
+ /**
+ * A KeyGenerator implementation that supports TLS 1.0/1.1.
+ */
+ static public class V10 extends TlsPrfGenerator {
+ protected SecretKey engineGenerateKey() {
+ return engineGenerateKey0(false);
+ }
+ }
}
diff --git a/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java b/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java
index 9402a1bb2930ddc249762a9a2495522586d5acad..1820ee8cbc384edb48929505bf5090452cae8837 100644
--- a/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java
+++ b/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -69,8 +69,8 @@ public final class TlsRsaPremasterSecretGenerator extends KeyGeneratorSpi {
protected SecretKey engineGenerateKey() {
if (spec == null) {
- throw new IllegalStateException
- ("TlsRsaPremasterSecretGenerator must be initialized");
+ throw new IllegalStateException(
+ "TlsRsaPremasterSecretGenerator must be initialized");
}
if (random == null) {
random = new SecureRandom();
diff --git a/src/share/classes/com/sun/jmx/defaults/ServiceName.java b/src/share/classes/com/sun/jmx/defaults/ServiceName.java
index aa0a46fe2acba9549242df54c2db22b11c5b86f4..8f742dff0f8601fbb1cd71ae792bece1371c9fae 100644
--- a/src/share/classes/com/sun/jmx/defaults/ServiceName.java
+++ b/src/share/classes/com/sun/jmx/defaults/ServiceName.java
@@ -76,9 +76,9 @@ public class ServiceName {
/**
* The vendor of the JMX specification implemented by this product.
*
- * The value is Sun Microsystems.
+ * The value is Oracle Corporation.
*/
- public static final String JMX_SPEC_VENDOR = "Sun Microsystems";
+ public static final String JMX_SPEC_VENDOR = "Oracle Corporation";
/**
* The name of this product implementing the JMX specification.
@@ -91,7 +91,7 @@ public class ServiceName {
* The name of the vendor of this product implementing the
* JMX specification.
*
- * The value is Sun Microsystems.
+ * The value is Oracle Corporation.
*/
- public static final String JMX_IMPL_VENDOR = "Sun Microsystems";
+ public static final String JMX_IMPL_VENDOR = "Oracle Corporation";
}
diff --git a/src/share/classes/com/sun/jmx/snmp/ServiceName.java b/src/share/classes/com/sun/jmx/snmp/ServiceName.java
index 0301389aa563e70f062a5f5d81e40f94f340f618..edf77073ee8d3db97568135bf5af604956bc4f56 100644
--- a/src/share/classes/com/sun/jmx/snmp/ServiceName.java
+++ b/src/share/classes/com/sun/jmx/snmp/ServiceName.java
@@ -27,7 +27,7 @@ package com.sun.jmx.snmp;
/**
* Used for storing default values used by SNMP Runtime services.
- *
This API is a Sun Microsystems internal API and is subject + *
This API is an Oracle Corporation internal API and is subject * to change without notice.
*/ public class ServiceName { @@ -144,16 +144,16 @@ public class ServiceName { /** * The vendor of the JMX specification implemented by this product. *Sun Microsystems.
+ * The value is Oracle Corporation.
*/
- public static final String JMX_SPEC_VENDOR = "Sun Microsystems";
+ public static final String JMX_SPEC_VENDOR = "Oracle Corporation";
/**
* The name of the vendor of this product implementing the JMX specification.
* Sun Microsystems.
+ * The value is Oracle Corporation.
*/
- public static final String JMX_IMPL_VENDOR = "Sun Microsystems";
+ public static final String JMX_IMPL_VENDOR = "Oracle Corporation";
/**
* The build number of the current product version, of the form rXX.
diff --git a/src/share/classes/com/sun/management/package.html b/src/share/classes/com/sun/management/package.html
index b4c66900c22ed3c94b52c32a0c4c7bf2993af4da..c26d4309da6bfb666866c37a44c059113fb09ad5 100644
--- a/src/share/classes/com/sun/management/package.html
+++ b/src/share/classes/com/sun/management/package.html
@@ -30,7 +30,7 @@ questions.
-This package contains Sun Microsystem's platform extension to
+This package contains Oracle Corporation's platform extension to
the implementation of the
java.lang.management API and also defines the management
diff --git a/src/share/classes/java/io/ObjectInputStream.java b/src/share/classes/java/io/ObjectInputStream.java
index 3a5c1dee08093c6922e01b9d9ae0ed53f22b07f4..2ed505f3b07c6cd940bb632037e8e854f9cf4cd9 100644
--- a/src/share/classes/java/io/ObjectInputStream.java
+++ b/src/share/classes/java/io/ObjectInputStream.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -265,7 +265,7 @@ public class ObjectInputStream
* object currently being deserialized and descriptor for current class.
* Null when not during readObject upcall.
*/
- private CallbackContext curContext;
+ private SerialCallbackContext curContext;
/**
* Creates an ObjectInputStream that reads from the specified InputStream.
@@ -1798,7 +1798,7 @@ public class ObjectInputStream
private void readExternalData(Externalizable obj, ObjectStreamClass desc)
throws IOException
{
- CallbackContext oldContext = curContext;
+ SerialCallbackContext oldContext = curContext;
curContext = null;
try {
boolean blocked = desc.hasBlockExternalData();
@@ -1857,10 +1857,10 @@ public class ObjectInputStream
slotDesc.hasReadObjectMethod() &&
handles.lookupException(passHandle) == null)
{
- CallbackContext oldContext = curContext;
+ SerialCallbackContext oldContext = curContext;
try {
- curContext = new CallbackContext(obj, slotDesc);
+ curContext = new SerialCallbackContext(obj, slotDesc);
bin.setBlockDataMode(true);
slotDesc.invokeReadObject(obj, this);
@@ -3505,42 +3505,4 @@ public class ObjectInputStream
}
}
- /**
- * Context that during upcalls to class-defined readObject methods; holds
- * object currently being deserialized and descriptor for current class.
- * This context keeps a boolean state to indicate that defaultReadObject
- * or readFields has already been invoked with this context or the class's
- * readObject method has returned; if true, the getObj method throws
- * NotActiveException.
- */
- private static class CallbackContext {
- private final Object obj;
- private final ObjectStreamClass desc;
- private final AtomicBoolean used = new AtomicBoolean();
-
- public CallbackContext(Object obj, ObjectStreamClass desc) {
- this.obj = obj;
- this.desc = desc;
- }
-
- public Object getObj() throws NotActiveException {
- checkAndSetUsed();
- return obj;
- }
-
- public ObjectStreamClass getDesc() {
- return desc;
- }
-
- private void checkAndSetUsed() throws NotActiveException {
- if (!used.compareAndSet(false, true)) {
- throw new NotActiveException(
- "not in readObject invocation or fields already read");
- }
- }
-
- public void setUsed() {
- used.set(true);
- }
- }
}
diff --git a/src/share/classes/java/io/ObjectOutputStream.java b/src/share/classes/java/io/ObjectOutputStream.java
index 3a722d43a9efdc0fe36fc9d7cb5196b7e83976d6..5b37e4dc6ca494b4bd549940d4fdafd6b6b27d08 100644
--- a/src/share/classes/java/io/ObjectOutputStream.java
+++ b/src/share/classes/java/io/ObjectOutputStream.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -35,6 +35,7 @@ import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import static java.io.ObjectStreamClass.processQueue;
+import java.io.SerialCallbackContext;
/**
* An ObjectOutputStream writes primitive data types and graphs of Java objects
@@ -191,10 +192,12 @@ public class ObjectOutputStream
private boolean enableReplace;
// values below valid only during upcalls to writeObject()/writeExternal()
- /** object currently being serialized */
- private Object curObj;
- /** descriptor for current class (null if in writeExternal()) */
- private ObjectStreamClass curDesc;
+ /**
+ * Context during upcalls to class-defined writeObject methods; holds
+ * object currently being serialized and descriptor for current class.
+ * Null when not during writeObject upcall.
+ */
+ private SerialCallbackContext curContext;
/** current PutField object */
private PutFieldImpl curPut;
@@ -426,9 +429,11 @@ public class ObjectOutputStream
* OutputStream
*/
public void defaultWriteObject() throws IOException {
- if (curObj == null || curDesc == null) {
+ if ( curContext == null ) {
throw new NotActiveException("not in call to writeObject");
}
+ Object curObj = curContext.getObj();
+ ObjectStreamClass curDesc = curContext.getDesc();
bout.setBlockDataMode(false);
defaultWriteFields(curObj, curDesc);
bout.setBlockDataMode(true);
@@ -446,9 +451,11 @@ public class ObjectOutputStream
*/
public ObjectOutputStream.PutField putFields() throws IOException {
if (curPut == null) {
- if (curObj == null || curDesc == null) {
+ if (curContext == null) {
throw new NotActiveException("not in call to writeObject");
}
+ Object curObj = curContext.getObj();
+ ObjectStreamClass curDesc = curContext.getDesc();
curPut = new PutFieldImpl(curDesc);
}
return curPut;
@@ -1420,17 +1427,15 @@ public class ObjectOutputStream
* writeExternal() method.
*/
private void writeExternalData(Externalizable obj) throws IOException {
- Object oldObj = curObj;
- ObjectStreamClass oldDesc = curDesc;
PutFieldImpl oldPut = curPut;
- curObj = obj;
- curDesc = null;
curPut = null;
if (extendedDebugInfo) {
debugInfoStack.push("writeExternal data");
}
+ SerialCallbackContext oldContext = curContext;
try {
+ curContext = null;
if (protocol == PROTOCOL_VERSION_1) {
obj.writeExternal(this);
} else {
@@ -1440,13 +1445,12 @@ public class ObjectOutputStream
bout.writeByte(TC_ENDBLOCKDATA);
}
} finally {
+ curContext = oldContext;
if (extendedDebugInfo) {
debugInfoStack.pop();
}
}
- curObj = oldObj;
- curDesc = oldDesc;
curPut = oldPut;
}
@@ -1461,12 +1465,9 @@ public class ObjectOutputStream
for (int i = 0; i < slots.length; i++) {
ObjectStreamClass slotDesc = slots[i].desc;
if (slotDesc.hasWriteObjectMethod()) {
- Object oldObj = curObj;
- ObjectStreamClass oldDesc = curDesc;
PutFieldImpl oldPut = curPut;
- curObj = obj;
- curDesc = slotDesc;
curPut = null;
+ SerialCallbackContext oldContext = curContext;
if (extendedDebugInfo) {
debugInfoStack.push(
@@ -1474,18 +1475,19 @@ public class ObjectOutputStream
slotDesc.getName() + "\")");
}
try {
+ curContext = new SerialCallbackContext(obj, slotDesc);
bout.setBlockDataMode(true);
slotDesc.invokeWriteObject(obj, this);
bout.setBlockDataMode(false);
bout.writeByte(TC_ENDBLOCKDATA);
} finally {
+ curContext.setUsed();
+ curContext = oldContext;
if (extendedDebugInfo) {
debugInfoStack.pop();
}
}
- curObj = oldObj;
- curDesc = oldDesc;
curPut = oldPut;
} else {
defaultWriteFields(obj, slotDesc);
diff --git a/src/share/classes/java/io/ObjectStreamClass.java b/src/share/classes/java/io/ObjectStreamClass.java
index 6b54f36f4b3754dcea51d288a781c873e5c868be..b3842f9128cf57e1f898d438bf6cf6a5111c2048 100644
--- a/src/share/classes/java/io/ObjectStreamClass.java
+++ b/src/share/classes/java/io/ObjectStreamClass.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -1830,8 +1830,10 @@ public class ObjectStreamClass implements Serializable {
private final ObjectStreamField[] fields;
/** number of primitive fields */
private final int numPrimFields;
- /** unsafe field keys */
- private final long[] keys;
+ /** unsafe field keys for reading fields - may contain dupes */
+ private final long[] readKeys;
+ /** unsafe fields keys for writing fields - no dupes */
+ private final long[] writeKeys;
/** field data offsets */
private final int[] offsets;
/** field type codes */
@@ -1849,16 +1851,22 @@ public class ObjectStreamClass implements Serializable {
FieldReflector(ObjectStreamField[] fields) {
this.fields = fields;
int nfields = fields.length;
- keys = new long[nfields];
+ readKeys = new long[nfields];
+ writeKeys = new long[nfields];
offsets = new int[nfields];
typeCodes = new char[nfields];
ArrayListAn asynchronous datagram channel is created by invoking one of the {@link - * #open open} methods defined by this class. It is not possible to create a channel - * for an arbitrary, pre-existing datagram socket. A newly-created asynchronous - * datagram channel is open but not connected. It need not be connected in order - * for the {@link #send send} and {@link #receive receive} methods to be used. - * A datagram channel may be connected, by invoking its {@link #connect connect} - * method, in order to avoid the overhead of the security checks that are otherwise - * performed as part of every send and receive operation when a security manager - * is set. The channel must be connected in order to use the {@link #read read} - * and {@link #write write} methods, since those methods do not accept or return - * socket addresses. Once connected, an asynchronous datagram channel remains - * connected until it is disconnected or closed. - * - *
Socket options are configured using the {@link #setOption(SocketOption,Object) - * setOption} method. An asynchronous datagram channel to an Internet Protocol - * (IP) socket supports the following options: - *
- *- * Additional (implementation specific) options may also be supported. - * - *- *
- *- * - *Option Name - *Description - *- * - *{@link java.net.StandardSocketOption#SO_SNDBUF SO_SNDBUF} - *The size of the socket send buffer - *- * - *{@link java.net.StandardSocketOption#SO_RCVBUF SO_RCVBUF} - *The size of the socket receive buffer - *- * - *{@link java.net.StandardSocketOption#SO_REUSEADDR SO_REUSEADDR} - *Re-use address - *- * - *{@link java.net.StandardSocketOption#SO_BROADCAST SO_BROADCAST} - *Allow transmission of broadcast datagrams - *- * - *{@link java.net.StandardSocketOption#IP_TOS IP_TOS} - *The Type of Service (ToS) octet in the Internet Protocol (IP) header - *- * - *{@link java.net.StandardSocketOption#IP_MULTICAST_IF IP_MULTICAST_IF} - *The network interface for Internet Protocol (IP) multicast datagrams - *- * - *{@link java.net.StandardSocketOption#IP_MULTICAST_TTL - * IP_MULTICAST_TTL} - *The time-to-live for Internet Protocol (IP) multicast - * datagrams - *- * - *{@link java.net.StandardSocketOption#IP_MULTICAST_LOOP - * IP_MULTICAST_LOOP} - *Loopback for Internet Protocol (IP) multicast datagrams - *
Asynchronous datagram channels allow more than one read/receive and - * write/send to be oustanding at any given time. - * - *
Usage Example: - *
- * final AsynchronousDatagramChannel dc = AsynchronousDatagramChannel.open()
- * .bind(new InetSocketAddress(4000));
- *
- * // print the source address of all packets that we receive
- * dc.receive(buffer, buffer, new CompletionHandler<SocketAddress,ByteBuffer>() {
- * public void completed(SocketAddress sa, ByteBuffer buffer) {
- * System.out.println(sa);
- * buffer.clear();
- * dc.receive(buffer, buffer, this);
- * }
- * public void failed(Throwable exc, ByteBuffer buffer) {
- * ...
- * }
- * });
- *
- *
- * @since 1.7
- */
-
-public abstract class AsynchronousDatagramChannel
- implements AsynchronousByteChannel, MulticastChannel
-{
- private final AsynchronousChannelProvider provider;
-
- /**
- * Initializes a new instance of this class.
- */
- protected AsynchronousDatagramChannel(AsynchronousChannelProvider provider) {
- this.provider = provider;
- }
-
- /**
- * Returns the provider that created this channel.
- */
- public final AsynchronousChannelProvider provider() {
- return provider;
- }
-
- /**
- * Opens an asynchronous datagram channel.
- *
- * The new channel is created by invoking the {@link - * java.nio.channels.spi.AsynchronousChannelProvider#openAsynchronousDatagramChannel - * openAsynchronousDatagramChannel} method on the {@link - * java.nio.channels.spi.AsynchronousChannelProvider} object that created - * the given group (or the default provider where {@code group} is {@code - * null}). - * - *
The {@code family} parameter is used to specify the {@link ProtocolFamily}. - * If the datagram channel is to be used for Internet Protocol {@link - * MulticastChannel multicasting} then this parameter should correspond to - * the address type of the multicast groups that this channel will join. - * - * @param family - * The protocol family, or {@code null} to use the default protocol - * family - * @param group - * The group to which the newly constructed channel should be bound, - * or {@code null} for the default group - * - * @return A new asynchronous datagram channel - * - * @throws UnsupportedOperationException - * If the specified protocol family is not supported. For example, - * suppose the parameter is specified as {@link - * java.net.StandardProtocolFamily#INET6 INET6} but IPv6 is not - * enabled on the platform. - * @throws ShutdownChannelGroupException - * The specified group is shutdown - * @throws IOException - * If an I/O error occurs - */ - public static AsynchronousDatagramChannel open(ProtocolFamily family, - AsynchronousChannelGroup group) - throws IOException - { - AsynchronousChannelProvider provider = (group == null) ? - AsynchronousChannelProvider.provider() : group.provider(); - return provider.openAsynchronousDatagramChannel(family, group); - } - - /** - * Opens an asynchronous datagram channel. - * - *
This method returns an asynchronous datagram channel that is - * bound to the default group. This method is equivalent to evaluating - * the expression: - *
- * - * @return A new asynchronous datagram channel - * - * @throws IOException - * If an I/O error occurs - */ - public static AsynchronousDatagramChannel open() - throws IOException - { - return open(null, null); - } - - // -- Socket-specific operations -- - - /** - * @throws AlreadyBoundException {@inheritDoc} - * @throws UnsupportedAddressTypeException {@inheritDoc} - * @throws ClosedChannelException {@inheritDoc} - * @throws IOException {@inheritDoc} - * @throws SecurityException - * If a security manager has been installed and its {@link - * SecurityManager#checkListen checkListen} method denies the - * operation - */ - @Override - public abstract AsynchronousDatagramChannel bind(SocketAddress local) - throws IOException; - - /** - * @throws IllegalArgumentException {@inheritDoc} - * @throws ClosedChannelException {@inheritDoc} - * @throws IOException {@inheritDoc} - */ - @Override - public abstract- * open((ProtocolFamily)null, (AsynchronousChannelGroup)null); - *
Where the channel is connected to an Internet Protocol socket address - * then the return value from this method is of type {@link - * java.net.InetSocketAddress}. - * - * @return The remote address; {@code null} if the channel's socket is not - * connected - * - * @throws ClosedChannelException - * If the channel is closed - * @throws IOException - * If an I/O error occurs - */ - public abstract SocketAddress getRemoteAddress() throws IOException; - - /** - * Connects this channel's socket. - * - *
The channel's socket is configured so that it only receives - * datagrams from, and sends datagrams to, the given remote peer - * address. Once connected, datagrams may not be received from or sent to - * any other address. A datagram socket remains connected until it is - * explicitly disconnected or until it is closed. - * - *
This method performs exactly the same security checks as the {@link - * java.net.DatagramSocket#connect connect} method of the {@link - * java.net.DatagramSocket} class. That is, if a security manager has been - * installed then this method verifies that its {@link - * java.lang.SecurityManager#checkAccept checkAccept} and {@link - * java.lang.SecurityManager#checkConnect checkConnect} methods permit - * datagrams to be received from and sent to, respectively, the given - * remote address. - * - *
This method may be invoked at any time. Whether it has any effect - * on outstanding read or write operations is implementation specific and - * therefore not specified. - * - * @param remote - * The remote address to which this channel is to be connected - * - * @return This datagram channel - * - * @throws ClosedChannelException - * If this channel is closed - * - * @throws SecurityException - * If a security manager has been installed - * and it does not permit access to the given remote address - * - * @throws IOException - * If some other I/O error occurs - */ - public abstract AsynchronousDatagramChannel connect(SocketAddress remote) - throws IOException; - - /** - * Disconnects this channel's socket. - * - *
The channel's socket is configured so that it can receive datagrams - * from, and sends datagrams to, any remote address so long as the security - * manager, if installed, permits it. - * - *
This method may be invoked at any time. Whether it has any effect - * on outstanding read or write operations is implementation specific and - * therefore not specified. - * - * @return This datagram channel - * - * @throws IOException - * If some other I/O error occurs - */ - public abstract AsynchronousDatagramChannel disconnect() throws IOException; - - /** - * Receives a datagram via this channel. - * - *
This method initiates the receiving of a datagram into the given - * buffer. The {@code handler} parameter is a completion handler that is - * invoked when the receive operation completes (or fails). The result - * passed to the completion handler is the datagram's source address. - * - *
The datagram is transferred into the given byte buffer starting at - * its current position, as if by a regular {@link AsynchronousByteChannel#read - * read} operation. If there are fewer bytes remaining in the buffer - * than are required to hold the datagram then the remainder of the datagram - * is silently discarded. - * - *
If a timeout is specified and the timeout elapses before the operation - * completes then the operation completes with the exception {@link - * InterruptedByTimeoutException}. When a timeout elapses then the state of - * the {@link ByteBuffer} is not defined. The buffers should be discarded or - * at least care must be taken to ensure that the buffer is not accessed - * while the channel remains open. - * - *
When a security manager has been installed and the channel is not
- * connected, then it verifies that the source's address and port number are
- * permitted by the security manager's {@link SecurityManager#checkAccept
- * checkAccept} method. The permission check is performed with privileges that
- * are restricted by the calling context of this method. If the permission
- * check fails then the operation completes with a {@link SecurityException}.
- * The overhead of this security check can be avoided by first connecting the
- * socket via the {@link #connect connect} method.
- *
- * @param dst
- * The buffer into which the datagram is to be transferred
- * @param timeout
- * The timeout, or {@code 0L} for no timeout
- * @param unit
- * The time unit of the {@code timeout} argument
- * @param attachment
- * The object to attach to the I/O operation; can be {@code null}
- * @param handler
- * The handler for consuming the result
- *
- * @throws IllegalArgumentException
- * If the timeout is negative or the buffer is read-only
- * @throws ShutdownChannelGroupException
- * If the channel group has terminated
- */
- public abstract void receive(ByteBuffer dst,
- long timeout,
- TimeUnit unit,
- A attachment,
- CompletionHandler This method initiates the receiving of a datagram into the given
- * buffer. The {@code handler} parameter is a completion handler that is
- * invoked when the receive operation completes (or fails). The result
- * passed to the completion handler is the datagram's source address.
- *
- * This method is equivalent to invoking {@link
- * #receive(ByteBuffer,long,TimeUnit,Object,CompletionHandler)} with a
- * timeout of {@code 0L}.
- *
- * @param dst
- * The buffer into which the datagram is to be transferred
- * @param attachment
- * The object to attach to the I/O operation; can be {@code null}
- * @param handler
- * The handler for consuming the result
- *
- * @throws IllegalArgumentException
- * If the buffer is read-only
- * @throws ShutdownChannelGroupException
- * If the channel group has terminated
- */
- public final void receive(ByteBuffer dst,
- A attachment,
- CompletionHandler This method initiates the receiving of a datagram into the given
- * buffer. The method behaves in exactly the same manner as the {@link
- * #receive(ByteBuffer,Object,CompletionHandler)
- * receive(ByteBuffer,Object,CompletionHandler)} method except that instead
- * of specifying a completion handler, this method returns a {@code Future}
- * representing the pending result. The {@code Future}'s {@link Future#get()
- * get} method returns the datagram's source address.
- *
- * @param dst
- * The buffer into which the datagram is to be transferred
- *
- * @return a {@code Future} object representing the pending result
- *
- * @throws IllegalArgumentException
- * If the buffer is read-only
- */
- public abstract Future This method initiates sending of a datagram from the given buffer to
- * the given address. The {@code handler} parameter is a completion handler
- * that is invoked when the send completes (or fails). The result passed to
- * the completion handler is the number of bytes sent.
- *
- * Otherwise this method works in the same manner as the {@link
- * AsynchronousByteChannel#write(ByteBuffer,Object,CompletionHandler)}
- * method.
- *
- * @param src
- * The buffer containing the datagram to be sent
- * @param target
- * The address to which the datagram is to be sent
- * @param attachment
- * The object to attach to the I/O operation; can be {@code null}
- * @param handler
- * The handler for consuming the result
- *
- * @throws UnresolvedAddressException
- * If the given remote address is not fully resolved
- * @throws UnsupportedAddressTypeException
- * If the type of the given remote address is not supported
- * @throws IllegalArgumentException
- * If the channel's socket is connected and is connected to an
- * address that is not equal to {@code target}
- * @throws SecurityException
- * If a security manager has been installed and it does not permit
- * datagrams to be sent to the given address
- * @throws ShutdownChannelGroupException
- * If the channel group has terminated
- */
- public abstract void send(ByteBuffer src,
- SocketAddress target,
- A attachment,
- CompletionHandler This method initiates sending of a datagram from the given buffer to
- * the given address. The method behaves in exactly the same manner as the
- * {@link #send(ByteBuffer,SocketAddress,Object,CompletionHandler)
- * send(ByteBuffer,SocketAddress,Object,CompletionHandler)} method except
- * that instead of specifying a completion handler, this method returns a
- * {@code Future} representing the pending result. The {@code Future}'s
- * {@link Future#get() get} method returns the number of bytes sent.
- *
- * @param src
- * The buffer containing the datagram to be sent
- * @param target
- * The address to which the datagram is to be sent
- *
- * @return a {@code Future} object representing the pending result
- *
- * @throws UnresolvedAddressException
- * If the given remote address is not fully resolved
- * @throws UnsupportedAddressTypeException
- * If the type of the given remote address is not supported
- * @throws IllegalArgumentException
- * If the channel's socket is connected and is connected to an
- * address that is not equal to {@code target}
- * @throws SecurityException
- * If a security manager has been installed and it does not permit
- * datagrams to be sent to the given address
- */
- public abstract Future This method initiates the receiving of a datagram into the given
- * buffer. The {@code handler} parameter is a completion handler that is
- * invoked when the receive operation completes (or fails). The result
- * passed to the completion handler is number of bytes read.
- *
- * This method may only be invoked if this channel is connected, and it
- * only accepts datagrams from the peer that the channel is connected too.
- * The datagram is transferred into the given byte buffer starting at
- * its current position and exactly as specified in the {@link
- * AsynchronousByteChannel} interface. If there are fewer bytes
- * remaining in the buffer than are required to hold the datagram then the
- * remainder of the datagram is silently discarded.
- *
- * If a timeout is specified and the timeout elapses before the operation
- * completes then the operation completes with the exception {@link
- * InterruptedByTimeoutException}. When a timeout elapses then the state of
- * the {@link ByteBuffer} is not defined. The buffers should be discarded or
- * at least care must be taken to ensure that the buffer is not accessed
- * while the channel remains open.
- *
- * @param dst
- * The buffer into which the datagram is to be transferred
- * @param timeout
- * The timeout, or {@code 0L} for no timeout
- * @param unit
- * The time unit of the {@code timeout} argument
- * @param attachment
- * The object to attach to the I/O operation; can be {@code null}
- * @param handler
- * The handler for consuming the result
- *
- * @throws IllegalArgumentException
- * If the timeout is negative or buffer is read-only
- * @throws NotYetConnectedException
- * If this channel is not connected
- * @throws ShutdownChannelGroupException
- * If the channel group has terminated
- */
- public abstract void read(ByteBuffer dst,
- long timeout,
- TimeUnit unit,
- A attachment,
- CompletionHandler
+ * {@code AlgorithmConstraints} objects are immutable. An implementation
+ * of this interface should not provide methods that can change the state
+ * of an instance once it has been created.
+ *
+ * Note that {@code AlgorithmConstraints} can be used to represent the
+ * restrictions described by the security properties
+ * {@code jdk.certpath.disabledAlgorithms} and
+ * {@code jdk.tls.disabledAlgorithms}, or could be used by a
+ * concrete {@code PKIXCertPathChecker} to check whether a specified
+ * certificate in the certification path contains the required algorithm
+ * constraints.
+ *
+ * @see javax.net.ssl.SSLParameters#getAlgorithmConstraints
+ * @see javax.net.ssl.SSLParameters#setAlgorithmConstraints(AlgorithmConstraints)
+ *
+ * @since 1.7
+ */
+
+public interface AlgorithmConstraints {
+
+ /**
+ * Determines whether an algorithm is granted permission for the
+ * specified cryptographic primitives.
+ *
+ * @param primitives a set of cryptographic primitives
+ * @param algorithm the algorithm name
+ * @param parameters the algorithm parameters, or null if no additional
+ * parameters
+ *
+ * @return true if the algorithm is permitted and can be used for all
+ * of the specified cryptographic primitives
+ *
+ * @throws IllegalArgumentException if primitives or algorithm is null
+ * or empty
+ */
+ public boolean permits(Set
+ * This method is usually used to check key size and key usage.
+ *
+ * @param primitives a set of cryptographic primitives
+ * @param key the key
+ *
+ * @return true if the key can be used for all of the specified
+ * cryptographic primitives
+ *
+ * @throws IllegalArgumentException if primitives is null or empty,
+ * or the key is null
+ */
+ public boolean permits(Set The serialVersionUID of this class is
+ * Note: this method is used to indicate to the peer which signature
+ * algorithms may be used for digital signatures in TLS 1.2. It is
+ * not meaningful for TLS versions prior to 1.2.
+ *
+ * The signature algorithm name must be a standard Java Security
+ * name (such as "SHA1withRSA", "SHA256withECDSA", and so on).
+ * See Appendix A in the
+ * Java Cryptography Architecture API Specification & Reference
+ * for information about standard algorithm names.
+ *
+ * Note: the local supported signature algorithms should conform to
+ * the algorithm constraints specified by
+ * {@link SSLParameters#getAlgorithmConstraints getAlgorithmConstraints()}
+ * method in
+ * Note: this method is used to indicate to the local side which signature
+ * algorithms may be used for digital signatures in TLS 1.2. It is
+ * not meaningful for TLS versions prior to 1.2.
+ *
+ * The signature algorithm name must be a standard Java Security
+ * name (such as "SHA1withRSA", "SHA256withECDSA", and so on).
+ * See Appendix A in the
+ * Java Cryptography Architecture API Specification & Reference
+ * for information about standard algorithm names.
+ *
+ * @return An array of supported signature algorithms, in descending
+ * order of preference. The return value is an empty array if
+ * the peer has not sent the supported signature algorithms.
+ *
+ * @see X509KeyManager
+ * @see X509ExtendedKeyManager
+ */
+ public abstract String[] getPeerSupportedSignatureAlgorithms();
+}
diff --git a/src/share/classes/javax/net/ssl/HttpsURLConnection.java b/src/share/classes/javax/net/ssl/HttpsURLConnection.java
index e9c478fece1549cb1deeed0a3ec631962ee98d77..6d799e3ff5fe8193a2a151eea111ba1c8cc007bf 100644
--- a/src/share/classes/javax/net/ssl/HttpsURLConnection.java
+++ b/src/share/classes/javax/net/ssl/HttpsURLConnection.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999, 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -188,19 +188,8 @@ class HttpsURLConnection extends HttpURLConnection
*
* The default implementation will deny such connections.
*/
- private static HostnameVerifier defaultHostnameVerifier;
-
- /**
- * Initialize the default
+ * TLS protocols may negotiate parameters that are needed when using
+ * an instance of this class, but before the {@code SSLSession} has
+ * been completely initialized and made available via {@code getSession}.
+ * For example, the list of valid signature algorithms may restrict
+ * the type of certificates that can used during TrustManager
+ * decisions, or the maximum TLS fragment packet sizes can be
+ * resized to better support the network environment.
+ *
+ * This method provides early access to the {@code SSLSession} being
+ * constructed. Depending on how far the handshake has progressed,
+ * some data may not yet be available for use. For example, if a
+ * remote server will be sending a Certificate chain, but that chain
+ * has yet not been processed, the {@code getPeerCertificates}
+ * method of {@code SSLSession} will throw a
+ * SSLPeerUnverifiedException. Once that chain has been processed,
+ * {@code getPeerCertificates} will return the proper value.
+ *
+ * @see SSLSocket
+ * @see SSLSession
+ * @see ExtendedSSLSession
+ * @see X509ExtendedKeyManager
+ * @see X509ExtendedTrustManager
+ *
+ * @return null if this instance is not currently handshaking, or
+ * if the current handshake has not progressed far enough to
+ * create a basic SSLSession. Otherwise, this method returns the
+ * {@code SSLSession} currently being negotiated.
+ * @throws UnsupportedOperationException if the underlying provider
+ * does not implement the operation.
+ *
+ * @since 1.7
+ */
+ public SSLSession getHandshakeSession() {
+ throw new UnsupportedOperationException();
+ }
+
+
/**
* Initiates handshaking (initial or renegotiation) on this SSLEngine.
*
diff --git a/src/share/classes/javax/net/ssl/SSLParameters.java b/src/share/classes/javax/net/ssl/SSLParameters.java
index ed8913230afbd8ee0fb6b0f4dd8c28d530abd3d0..4bb20a164eb50bc3a5657e5cbaa4395c52e529c2 100644
--- a/src/share/classes/javax/net/ssl/SSLParameters.java
+++ b/src/share/classes/javax/net/ssl/SSLParameters.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -25,24 +25,29 @@
package javax.net.ssl;
+import java.security.AlgorithmConstraints;
+
/**
* Encapsulates parameters for an SSL/TLS connection. The parameters
* are the list of ciphersuites to be accepted in an SSL/TLS handshake,
- * the list of protocols to be allowed, and whether SSL/TLS servers should
- * request or require client authentication.
- *
- * SSLParameters can be created via the constructors in this class.
+ * the list of protocols to be allowed, the endpoint identification
+ * algorithm during SSL/TLS handshaking, the algorithm constraints and
+ * whether SSL/TLS servers should request or require client authentication.
+ *
+ * SSLParameters can be created via the constructors in this class.
* Objects can also be obtained using the SSLParameters can be applied to a connection via the methods
+ *
+ * SSLParameters can be applied to a connection via the methods
* {@link SSLSocket#setSSLParameters SSLSocket.setSSLParameters()} and
- * {@link SSLEngine#setSSLParameters SSLEngine.getSSLParameters()}.
+ * {@link SSLServerSocket#setSSLParameters SSLServerSocket.setSSLParameters()}
+ * and {@link SSLEngine#setSSLParameters SSLEngine.getSSLParameters()}.
*
* @see SSLSocket
* @see SSLEngine
@@ -56,11 +61,13 @@ public class SSLParameters {
private String[] protocols;
private boolean wantClientAuth;
private boolean needClientAuth;
+ private String identificationAlgorithm;
+ private AlgorithmConstraints algorithmConstraints;
/**
* Constructs SSLParameters.
- *
- * The cipherSuites and protocols values are set to
+ * The cipherSuites and protocols values are set to
* Calling this constructor is equivalent to calling the no-args
* constructor followed by
*
* Calling this constructor is equivalent to calling the no-args
* constructor followed by
*
+ * If the
+ * If the
@@ -449,8 +449,79 @@ public abstract class SSLServerSocket extends ServerSocket
*
* @return true indicates that sessions may be created; this
* is the default. false indicates that an existing
- * session must be resumed.
+ * session must be resumed
* @see #setEnableSessionCreation(boolean)
*/
public abstract boolean getEnableSessionCreation();
+
+ /**
+ * Returns the SSLParameters in effect for newly accepted connections.
+ * The ciphersuites and protocols of the returned SSLParameters
+ * are always non-null.
+ *
+ * @return the SSLParameters in effect for newly accepted connections
+ *
+ * @see #setSSLParameters(SSLParameters)
+ *
+ * @since 1.7
+ */
+ public SSLParameters getSSLParameters() {
+ SSLParameters parameters = new SSLParameters();
+
+ parameters.setCipherSuites(getEnabledCipherSuites());
+ parameters.setProtocols(getEnabledProtocols());
+ if (getNeedClientAuth()) {
+ parameters.setNeedClientAuth(true);
+ } else if (getWantClientAuth()) {
+ parameters.setWantClientAuth(true);
+ }
+
+ return parameters;
+ }
+
+ /**
+ * Applies SSLParameters to newly accepted connections.
+ *
+ * This means:
+ *
+ * TLS protocols may negotiate parameters that are needed when using
+ * an instance of this class, but before the {@code SSLSession} has
+ * been completely initialized and made available via {@code getSession}.
+ * For example, the list of valid signature algorithms may restrict
+ * the type of certificates that can used during TrustManager
+ * decisions, or the maximum TLS fragment packet sizes can be
+ * resized to better support the network environment.
+ *
+ * This method provides early access to the {@code SSLSession} being
+ * constructed. Depending on how far the handshake has progressed,
+ * some data may not yet be available for use. For example, if a
+ * remote server will be sending a Certificate chain, but that chain
+ * has yet not been processed, the {@code getPeerCertificates}
+ * method of {@code SSLSession} will throw a
+ * SSLPeerUnverifiedException. Once that chain has been processed,
+ * {@code getPeerCertificates} will return the proper value.
+ *
+ * Unlike {@link #getSession()}, this method does not initiate the
+ * initial handshake and does not block until handshaking is
+ * complete.
+ *
+ * @see SSLEngine
+ * @see SSLSession
+ * @see ExtendedSSLSession
+ * @see X509ExtendedKeyManager
+ * @see X509ExtendedTrustManager
+ *
+ * @return null if this instance is not currently handshaking, or
+ * if the current handshake has not progressed far enough to
+ * create a basic SSLSession. Otherwise, this method returns the
+ * {@code SSLSession} currently being negotiated.
+ * @throws UnsupportedOperationException if the underlying provider
+ * does not implement the operation.
+ *
+ * @since 1.7
+ */
+ public SSLSession getHandshakeSession() {
+ throw new UnsupportedOperationException();
+ }
+
+
/**
* Registers an event listener to receive notifications that an
* SSL handshake has completed on this connection.
diff --git a/src/share/classes/javax/net/ssl/SSLSocketFactory.java b/src/share/classes/javax/net/ssl/SSLSocketFactory.java
index a7971b5504beb5cefa360f9255f7779488070aca..f7d5e5b0a2fc2ca1970cca081a4304c49c9717c0 100644
--- a/src/share/classes/javax/net/ssl/SSLSocketFactory.java
+++ b/src/share/classes/javax/net/ssl/SSLSocketFactory.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2007, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -30,6 +30,7 @@ import java.net.*;
import javax.net.SocketFactory;
import java.io.IOException;
import java.security.*;
+import java.util.Locale;
import sun.security.action.GetPropertyAction;
@@ -50,7 +51,8 @@ public abstract class SSLSocketFactory extends SocketFactory
static {
String s = java.security.AccessController.doPrivileged(
- new GetPropertyAction("javax.net.debug", "")).toLowerCase();
+ new GetPropertyAction("javax.net.debug", "")).toLowerCase(
+ Locale.ENGLISH);
DEBUG = s.contains("all") || s.contains("ssl");
}
diff --git a/src/share/classes/javax/net/ssl/X509ExtendedTrustManager.java b/src/share/classes/javax/net/ssl/X509ExtendedTrustManager.java
new file mode 100644
index 0000000000000000000000000000000000000000..e69a282c55f3149c9a0bcb759615911b11d336a3
--- /dev/null
+++ b/src/share/classes/javax/net/ssl/X509ExtendedTrustManager.java
@@ -0,0 +1,234 @@
+/*
+ * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package javax.net.ssl;
+
+import java.net.Socket;
+import javax.net.ssl.X509TrustManager;
+
+import java.security.cert.X509Certificate;
+import java.security.cert.CertificateException;
+
+/**
+ * Extensions to the
+ * To prevent man-in-the-middle attacks, hostname checks can be done
+ * to verify that the hostname in an end-entity certificate matches the
+ * targeted hostname. TLS does not require such checks, but some protocols
+ * over TLS (such as HTTPS) do. In earlier versions of the JDK, the
+ * certificate chain checks were done at the SSL/TLS layer, and the hostname
+ * verification checks were done at the layer over TLS. This class allows
+ * for the checking to be done during a single call to this class.
+ *
+ * RFC 2830 defines the server identification specification for the "LDAPS"
+ * algorithm. RFC 2818 defines both the server identification and the
+ * client identification specification for the "HTTPS" algorithm.
+ *
+ * @see X509TrustManager
+ * @see HostnameVerifier
+ *
+ * @since 1.7
+ */
+public abstract class X509ExtendedTrustManager implements X509TrustManager {
+ /**
+ * Given the partial or complete certificate chain provided by the
+ * peer, build and validate the certificate path based on the
+ * authentication type and ssl parameters.
+ *
+ * The authentication type is determined by the actual certificate
+ * used. For instance, if RSAPublicKey is used, the authType
+ * should be "RSA". Checking is case-sensitive.
+ *
+ * If the
+ * If the
+ * The authentication type is the key exchange algorithm portion
+ * of the cipher suites represented as a String, such as "RSA",
+ * "DHE_DSS". Note: for some exportable cipher suites, the key
+ * exchange algorithm is determined at run time during the
+ * handshake. For instance, for TLS_RSA_EXPORT_WITH_RC4_40_MD5,
+ * the authType should be RSA_EXPORT when an ephemeral RSA key is
+ * used for the key exchange, and RSA when the key from the server
+ * certificate is used. Checking is case-sensitive.
+ *
+ * If the
+ * If the
+ * The authentication type is determined by the actual certificate
+ * used. For instance, if RSAPublicKey is used, the authType
+ * should be "RSA". Checking is case-sensitive.
+ *
+ * If the
+ * If the
+ * The authentication type is the key exchange algorithm portion
+ * of the cipher suites represented as a String, such as "RSA",
+ * "DHE_DSS". Note: for some exportable cipher suites, the key
+ * exchange algorithm is determined at run time during the
+ * handshake. For instance, for TLS_RSA_EXPORT_WITH_RC4_40_MD5,
+ * the authType should be RSA_EXPORT when an ephemeral RSA key is
+ * used for the key exchange, and RSA when the key from the server
+ * certificate is used. Checking is case-sensitive.
+ *
+ * If the
+ * If the
+ * Certificate fields such as the subject public key, the signature
+ * algorithm, key usage, extended key usage, etc. need to conform to
+ * the specified algorithm constraints.
*
- * @author Xuelei Fan
+ * @see PKIXCertPathChecker
+ * @see PKIXParameters
*/
final public class AlgorithmChecker extends PKIXCertPathChecker {
- // the disabled algorithms
- private static final String[] disabledAlgorithms = new String[] {"md2"};
+ private final AlgorithmConstraints constraints;
+ private final PublicKey trustedPubKey;
+ private PublicKey prevPubKey;
+
+ private final static Set
+ * Note that this constructor will be used to check a certification
+ * path where the trust anchor is unknown, or a certificate list which may
+ * contain the trust anchor. This constructor is used by SunJSSE.
+ *
+ * @param constraints the algorithm constraints (or null)
*/
- static AlgorithmChecker getInstance() {
- return INSTANCE;
+ public AlgorithmChecker(AlgorithmConstraints constraints) {
+ this.prevPubKey = null;
+ this.trustedPubKey = null;
+ this.constraints = constraints;
}
/**
- * Initializes the internal state of the checker from parameters
- * specified in the constructor.
+ * Create a new
+ * If there is no trust anchor specified and the checker has not started,
+ * set the trust anchor.
+ *
+ * @param anchor the trust anchor selected to validate the target
+ * certificate
+ */
+ void trySetTrustAnchor(TrustAnchor anchor) {
+ // Don't bother if the check has started or trust anchor has already
+ // specified.
+ if (prevPubKey == null) {
+ if (anchor == null) {
+ throw new IllegalArgumentException(
+ "The trust anchor cannot be null");
+ }
+
+ // Don't bother to change the trustedPubKey.
+ if (anchor.getTrustedCert() != null) {
+ prevPubKey = anchor.getTrustedCert().getPublicKey();
+ } else {
+ prevPubKey = anchor.getCAPublicKey();
+ }
+ }
}
- private static void check(String algName)
- throws CertPathValidatorException {
+ /**
+ * Check the signature algorithm with the specified public key.
+ *
+ * @param key the public key to verify the CRL signature
+ * @param crl the target CRL
+ */
+ static void check(PublicKey key, X509CRL crl)
+ throws CertPathValidatorException {
- String lowerCaseAlgName = algName.toLowerCase(Locale.ENGLISH);
+ X509CRLImpl x509CRLImpl = null;
+ try {
+ x509CRLImpl = X509CRLImpl.toImpl(crl);
+ } catch (CRLException ce) {
+ throw new CertPathValidatorException(ce);
+ }
- for (String disabled : disabledAlgorithms) {
- // checking the signature algorithm name
- if (lowerCaseAlgName.indexOf(disabled) != -1) {
- throw new CertPathValidatorException(
- "algorithm check failed: " + algName + " is disabled");
- }
+ AlgorithmId algorithmId = x509CRLImpl.getSigAlgId();
+ check(key, algorithmId);
+ }
+
+ /**
+ * Check the signature algorithm with the specified public key.
+ *
+ * @param key the public key to verify the CRL signature
+ * @param crl the target CRL
+ */
+ static void check(PublicKey key, AlgorithmId algorithmId)
+ throws CertPathValidatorException {
+ String sigAlgName = algorithmId.getName();
+ AlgorithmParameters sigAlgParams = algorithmId.getParameters();
+
+ if (!certPathDefaultConstraints.permits(
+ SIGNATURE_PRIMITIVE_SET, sigAlgName, key, sigAlgParams)) {
+ throw new CertPathValidatorException(
+ "algorithm check failed: " + sigAlgName + " is disabled");
}
}
}
+
diff --git a/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java b/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
index 4dd29710ef1fbabdbf4e0928e8b8efe5e9d07682..a980e7d16573d083049a5ef52a41efb389f1a661 100644
--- a/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
+++ b/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2002, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -289,16 +289,6 @@ class DistributionPointFetcher {
X500Name certIssuer = (X500Name) certImpl.getIssuerDN();
X500Name crlIssuer = (X500Name) crlImpl.getIssuerDN();
- // check the crl signature algorithm
- try {
- AlgorithmChecker.check(crl);
- } catch (CertPathValidatorException cpve) {
- if (debug != null) {
- debug.println("CRL signature algorithm check failed: " + cpve);
- }
- return false;
- }
-
// if crlIssuer is set, verify that it matches the issuer of the
// CRL and the CRL contains an IDP extension with the indirectCRL
// boolean asserted. Otherwise, verify that the CRL issuer matches the
@@ -637,6 +627,16 @@ class DistributionPointFetcher {
}
}
+ // check the crl signature algorithm
+ try {
+ AlgorithmChecker.check(prevKey, crl);
+ } catch (CertPathValidatorException cpve) {
+ if (debug != null) {
+ debug.println("CRL signature algorithm check failed: " + cpve);
+ }
+ return false;
+ }
+
// validate the signature on the CRL
try {
crl.verify(prevKey, provider);
diff --git a/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java b/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
index ae7ccd3884684e68b89420bb64571606d448bca2..7e828884940bcacf8e3a75601ec449117c05b39e 100644
--- a/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
+++ b/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -718,11 +718,6 @@ class ForwardBuilder extends Builder {
/* we don't perform any validation of the trusted cert */
if (!isTrustedCert) {
- /*
- * check that the signature algorithm is not disabled.
- */
- AlgorithmChecker.check(cert);
-
/*
* Check CRITICAL private extensions for user checkers that
* support forward checking (forwardCheckers) and remove
diff --git a/src/share/classes/sun/security/provider/certpath/OCSPChecker.java b/src/share/classes/sun/security/provider/certpath/OCSPChecker.java
index b72cd79a31cf6dccfa7556460e215dc109df613f..d734ff90408f9eaeb6248c31d867860def3db481 100644
--- a/src/share/classes/sun/security/provider/certpath/OCSPChecker.java
+++ b/src/share/classes/sun/security/provider/certpath/OCSPChecker.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -327,6 +327,10 @@ class OCSPChecker extends PKIXCertPathChecker {
"(set using the OCSP security properties).");
}
+ // The algorithm constraints of the OCSP trusted responder certificate
+ // does not need to be checked in this code. The constraints will be
+ // checked when the responder's certificate is validated.
+
CertId certId = null;
OCSPResponse response = null;
try {
diff --git a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
index 0b64e412cf688a02cb9964a3cd1ecc89dd67aa3d..63566dd555879a8f378873a8daab0f7d241e6e06 100644
--- a/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
+++ b/src/share/classes/sun/security/provider/certpath/OCSPResponse.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -32,6 +32,7 @@ import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CRLReason;
+import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
@@ -371,6 +372,13 @@ public final class OCSPResponse {
"OCSP responses", cpe);
}
+ // Check algorithm constraints specified in security property
+ // "jdk.certpath.disabledAlgorithms".
+ AlgorithmChecker algChecker = new AlgorithmChecker(
+ new TrustAnchor(responderCert, null));
+ algChecker.init(false);
+ algChecker.check(cert, Collections.
- *
+ *
* This class supports both the Simple validation algorithm from previous
* JSSE versions and PKIX validation. Currently, it is not possible for the
* application to specify PKIX parameters other than trust anchors. This will
@@ -50,19 +51,10 @@ import sun.security.util.HostnameChecker;
* classes.
*
* @author Andreas Sterbenz
- * @author Xuelei Fan
*/
final class X509TrustManagerImpl extends X509ExtendedTrustManager
implements X509TrustManager {
- /**
- * Flag indicating whether to enable revocation check for the PKIX trust
- * manager. Typically, this will only work if the PKIX implementation
- * supports CRL distribution points as we do not manually setup CertStores.
- */
- private final static boolean checkRevocation =
- Debug.getBooleanProperty("com.sun.net.ssl.checkRevocation", false);
-
private final String validatorType;
/**
@@ -103,188 +95,259 @@ final class X509TrustManagerImpl extends X509ExtendedTrustManager
showTrustedCerts();
}
- private void showTrustedCerts() {
- if (debug != null && Debug.isOn("trustmanager")) {
- for (X509Certificate cert : trustedCerts) {
- System.out.println("adding as trusted cert:");
- System.out.println(" Subject: "
- + cert.getSubjectX500Principal());
- System.out.println(" Issuer: "
- + cert.getIssuerX500Principal());
- System.out.println(" Algorithm: "
- + cert.getPublicKey().getAlgorithm()
- + "; Serial number: 0x"
- + cert.getSerialNumber().toString(16));
- System.out.println(" Valid from "
- + cert.getNotBefore() + " until "
- + cert.getNotAfter());
- System.out.println();
- }
- }
+ @Override
+ public void checkClientTrusted(X509Certificate chain[], String authType)
+ throws CertificateException {
+ checkTrusted(chain, authType, (Socket)null, true);
}
- private Validator getValidator(String variant) {
- Validator v;
- if (pkixParams == null) {
- v = Validator.getInstance(validatorType, variant, trustedCerts);
- // if the PKIX validator is created from a KeyStore,
- // disable revocation checking
- if (v instanceof PKIXValidator) {
- PKIXValidator pkixValidator = (PKIXValidator)v;
- pkixValidator.getParameters().setRevocationEnabled
- (checkRevocation);
- }
- } else {
- v = Validator.getInstance(validatorType, variant, pkixParams);
- }
- return v;
+ @Override
+ public void checkServerTrusted(X509Certificate chain[], String authType)
+ throws CertificateException {
+ checkTrusted(chain, authType, (Socket)null, false);
}
- private static X509Certificate[] validate(Validator v,
- X509Certificate[] chain, String authType) throws CertificateException {
- Object o = JsseJce.beginFipsProvider();
- try {
- return v.validate(chain, null, authType);
- } finally {
- JsseJce.endFipsProvider(o);
- }
+ @Override
+ public X509Certificate[] getAcceptedIssuers() {
+ X509Certificate[] certsArray = new X509Certificate[trustedCerts.size()];
+ trustedCerts.toArray(certsArray);
+ return certsArray;
}
- /**
- * Returns true if the client certificate can be trusted.
- *
- * @param chain certificates which establish an identity for the client.
- * Chains of arbitrary length are supported, and certificates
- * marked internally as trusted will short-circuit signature checks.
- * @throws IllegalArgumentException if null or zero-length chain
- * is passed in for the chain parameter or if null or zero-length
- * string is passed in for the authType parameter.
- * @throws CertificateException if the certificate chain is not trusted
- * by this TrustManager.
- */
- public void checkClientTrusted(X509Certificate chain[], String authType)
- throws CertificateException {
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String authType,
+ Socket socket) throws CertificateException {
+ checkTrusted(chain, authType, socket, true);
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain, String authType,
+ Socket socket) throws CertificateException {
+ checkTrusted(chain, authType, socket, false);
+ }
+
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String authType,
+ SSLEngine engine) throws CertificateException {
+ checkTrusted(chain, authType, engine, true);
+ }
+
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain, String authType,
+ SSLEngine engine) throws CertificateException {
+ checkTrusted(chain, authType, engine, false);
+ }
+
+ private Validator checkTrustedInit(X509Certificate[] chain,
+ String authType, boolean isClient) {
if (chain == null || chain.length == 0) {
throw new IllegalArgumentException(
"null or zero-length certificate chain");
}
+
if (authType == null || authType.length() == 0) {
throw new IllegalArgumentException(
"null or zero-length authentication type");
}
- // assume double checked locking with a volatile flag works
- // (guaranteed under the new Tiger memory model)
- Validator v = clientValidator;
- if (v == null) {
- synchronized (this) {
- v = clientValidator;
- if (v == null) {
- v = getValidator(Validator.VAR_TLS_CLIENT);
- clientValidator = v;
+ Validator v = null;
+ if (isClient) {
+ v = clientValidator;
+ if (v == null) {
+ synchronized (this) {
+ v = clientValidator;
+ if (v == null) {
+ v = getValidator(Validator.VAR_TLS_CLIENT);
+ clientValidator = v;
+ }
+ }
+ }
+ } else {
+ // assume double checked locking with a volatile flag works
+ // (guaranteed under the new Tiger memory model)
+ v = serverValidator;
+ if (v == null) {
+ synchronized (this) {
+ v = serverValidator;
+ if (v == null) {
+ v = getValidator(Validator.VAR_TLS_SERVER);
+ serverValidator = v;
+ }
+ }
+ }
+ }
+
+ return v;
+ }
+
+
+ private void checkTrusted(X509Certificate[] chain, String authType,
+ Socket socket, boolean isClient) throws CertificateException {
+ Validator v = checkTrustedInit(chain, authType, isClient);
+
+ AlgorithmConstraints constraints = null;
+ if ((socket != null) && socket.isConnected() &&
+ (socket instanceof SSLSocket)) {
+
+ SSLSocket sslSocket = (SSLSocket)socket;
+ SSLSession session = sslSocket.getHandshakeSession();
+ if (session == null) {
+ throw new CertificateException("No handshake session");
+ }
+
+ // check endpoint identity
+ String identityAlg = sslSocket.getSSLParameters().
+ getEndpointIdentificationAlgorithm();
+ if (identityAlg != null && identityAlg.length() != 0) {
+ String hostname = session.getPeerHost();
+ checkIdentity(hostname, chain[0], identityAlg);
+ }
+
+ // create the algorithm constraints
+ ProtocolVersion protocolVersion =
+ ProtocolVersion.valueOf(session.getProtocol());
+ if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
+ if (session instanceof ExtendedSSLSession) {
+ ExtendedSSLSession extSession =
+ (ExtendedSSLSession)session;
+ String[] localSupportedSignAlgs =
+ extSession.getLocalSupportedSignatureAlgorithms();
+
+ constraints = new SSLAlgorithmConstraints(
+ sslSocket, localSupportedSignAlgs, false);
+ } else {
+ constraints =
+ new SSLAlgorithmConstraints(sslSocket, false);
}
+ } else {
+ constraints = new SSLAlgorithmConstraints(sslSocket, false);
}
}
- X509Certificate[] trustedChain = validate(v, chain, null);
+
+ X509Certificate[] trustedChain = null;
+ if (isClient) {
+ trustedChain = validate(v, chain, constraints, null);
+ } else {
+ trustedChain = validate(v, chain, constraints, authType);
+ }
if (debug != null && Debug.isOn("trustmanager")) {
System.out.println("Found trusted certificate:");
System.out.println(trustedChain[trustedChain.length - 1]);
}
}
- /**
- * Returns true if the server certifcate can be trusted.
- *
- * @param chain certificates which establish an identity for the server.
- * Chains of arbitrary length are supported, and certificates
- * marked internally as trusted will short-circuit signature checks.
- * @throws IllegalArgumentException if null or zero-length chain
- * is passed in for the chain parameter or if null or zero-length
- * string is passed in for the authType parameter.
- * @throws CertificateException if the certificate chain is not trusted
- * by this TrustManager.
- */
- public void checkServerTrusted(X509Certificate chain[], String authType)
- throws CertificateException {
- if (chain == null || chain.length == 0) {
- throw new IllegalArgumentException(
- "null or zero-length certificate chain");
- }
- if (authType == null || authType.length() == 0) {
- throw new IllegalArgumentException(
- "null or zero-length authentication type");
- }
+ private void checkTrusted(X509Certificate[] chain, String authType,
+ SSLEngine engine, boolean isClient) throws CertificateException {
+ Validator v = checkTrustedInit(chain, authType, isClient);
+
+ AlgorithmConstraints constraints = null;
+ if (engine != null) {
+ SSLSession session = engine.getHandshakeSession();
+ if (session == null) {
+ throw new CertificateException("No handshake session");
+ }
+
+ // check endpoint identity
+ String identityAlg = engine.getSSLParameters().
+ getEndpointIdentificationAlgorithm();
+ if (identityAlg != null && identityAlg.length() != 0) {
+ String hostname = session.getPeerHost();
+ checkIdentity(hostname, chain[0], identityAlg);
+ }
+
+ // create the algorithm constraints
+ ProtocolVersion protocolVersion =
+ ProtocolVersion.valueOf(session.getProtocol());
+ if (protocolVersion.v >= ProtocolVersion.TLS12.v) {
+ if (session instanceof ExtendedSSLSession) {
+ ExtendedSSLSession extSession =
+ (ExtendedSSLSession)session;
+ String[] localSupportedSignAlgs =
+ extSession.getLocalSupportedSignatureAlgorithms();
- // assume double checked locking with a volatile flag works
- // (guaranteed under the new Tiger memory model)
- Validator v = serverValidator;
- if (v == null) {
- synchronized (this) {
- v = serverValidator;
- if (v == null) {
- v = getValidator(Validator.VAR_TLS_SERVER);
- serverValidator = v;
+ constraints = new SSLAlgorithmConstraints(
+ engine, localSupportedSignAlgs, false);
+ } else {
+ constraints =
+ new SSLAlgorithmConstraints(engine, false);
}
+ } else {
+ constraints = new SSLAlgorithmConstraints(engine, false);
}
}
- X509Certificate[] trustedChain = validate(v, chain, authType);
+
+ X509Certificate[] trustedChain = null;
+ if (isClient) {
+ trustedChain = validate(v, chain, constraints, null);
+ } else {
+ trustedChain = validate(v, chain, constraints, authType);
+ }
if (debug != null && Debug.isOn("trustmanager")) {
System.out.println("Found trusted certificate:");
System.out.println(trustedChain[trustedChain.length - 1]);
}
}
- /**
- * Returns a list of CAs accepted to authenticate entities for the
- * specified purpose.
- *
- * @param purpose activity for which CAs should be trusted
- * @return list of CAs accepted for authenticating such tasks
- */
- public X509Certificate[] getAcceptedIssuers() {
- X509Certificate[] certsArray = new X509Certificate[trustedCerts.size()];
- trustedCerts.toArray(certsArray);
- return certsArray;
+ private void showTrustedCerts() {
+ if (debug != null && Debug.isOn("trustmanager")) {
+ for (X509Certificate cert : trustedCerts) {
+ System.out.println("adding as trusted cert:");
+ System.out.println(" Subject: "
+ + cert.getSubjectX500Principal());
+ System.out.println(" Issuer: "
+ + cert.getIssuerX500Principal());
+ System.out.println(" Algorithm: "
+ + cert.getPublicKey().getAlgorithm()
+ + "; Serial number: 0x"
+ + cert.getSerialNumber().toString(16));
+ System.out.println(" Valid from "
+ + cert.getNotBefore() + " until "
+ + cert.getNotAfter());
+ System.out.println();
+ }
+ }
}
- /**
- * Given the partial or complete certificate chain provided by the
- * peer, check its identity and build a certificate path to a trusted
- * root, return if it can be validated and is trusted for client SSL
- * authentication based on the authentication type.
- */
- public void checkClientTrusted(X509Certificate[] chain, String authType,
- String hostname, String algorithm) throws CertificateException {
- checkClientTrusted(chain, authType);
- checkIdentity(hostname, chain[0], algorithm);
+ private Validator getValidator(String variant) {
+ Validator v;
+ if (pkixParams == null) {
+ v = Validator.getInstance(validatorType, variant, trustedCerts);
+ } else {
+ v = Validator.getInstance(validatorType, variant, pkixParams);
+ }
+ return v;
}
- /**
- * Given the partial or complete certificate chain provided by the
- * peer, check its identity and build a certificate path to a trusted
- * root, return if it can be validated and is trusted for server SSL
- * authentication based on the authentication type.
- */
- public void checkServerTrusted(X509Certificate[] chain, String authType,
- String hostname, String algorithm) throws CertificateException {
- checkServerTrusted(chain, authType);
- checkIdentity(hostname, chain[0], algorithm);
+ private static X509Certificate[] validate(Validator v,
+ X509Certificate[] chain, AlgorithmConstraints constraints,
+ String authType) throws CertificateException {
+ Object o = JsseJce.beginFipsProvider();
+ try {
+ return v.validate(chain, null, constraints, authType);
+ } finally {
+ JsseJce.endFipsProvider(o);
+ }
}
- // Identify the peer by its certificate and hostname.
- private void checkIdentity(String hostname, X509Certificate cert,
- String algorithm) throws CertificateException {
+ /*
+ * Identify the peer by its certificate and hostname.
+ *
+ * Lifted from sun.net.www.protocol.https.HttpsClient.
+ */
+ static void checkIdentity(String hostname, X509Certificate cert,
+ String algorithm) throws CertificateException {
if (algorithm != null && algorithm.length() != 0) {
// if IPv6 strip off the "[]"
- if (hostname != null && hostname.startsWith("[") &&
- hostname.endsWith("]")) {
- hostname = hostname.substring(1, hostname.length()-1);
+ if ((hostname != null) && hostname.startsWith("[") &&
+ hostname.endsWith("]")) {
+ hostname = hostname.substring(1, hostname.length() - 1);
}
if (algorithm.equalsIgnoreCase("HTTPS")) {
HostnameChecker.getInstance(HostnameChecker.TYPE_TLS).match(
hostname, cert);
- } else if (algorithm.equalsIgnoreCase("LDAP")) {
+ } else if (algorithm.equalsIgnoreCase("LDAP") ||
+ algorithm.equalsIgnoreCase("LDAPS")) {
HostnameChecker.getInstance(HostnameChecker.TYPE_LDAP).match(
hostname, cert);
} else {
diff --git a/src/share/classes/sun/security/ssl/krb5/KerberosClientKeyExchangeImpl.java b/src/share/classes/sun/security/ssl/krb5/KerberosClientKeyExchangeImpl.java
index 8cc2d0e497dc47f8c2351606726f399aedca53f8..7e220bc06ebce22f0bb0167b3c585a91caedd4fd 100644
--- a/src/share/classes/sun/security/ssl/krb5/KerberosClientKeyExchangeImpl.java
+++ b/src/share/classes/sun/security/ssl/krb5/KerberosClientKeyExchangeImpl.java
@@ -244,7 +244,7 @@ public final class KerberosClientKeyExchangeImpl
clientVersion, rand, input, sessionKey);
} else {
// Generate bogus premaster secret
- preMaster = new KerberosPreMasterSecret(protocolVersion, rand);
+ preMaster = new KerberosPreMasterSecret(clientVersion, rand);
}
}
diff --git a/src/share/classes/sun/security/ssl/krb5/KerberosPreMasterSecret.java b/src/share/classes/sun/security/ssl/krb5/KerberosPreMasterSecret.java
index 0d7571aab7525e6ad815e6890bca705af0a97f24..84c96a35b3fa2404960223bba7ef2cdb2fec9dbe 100644
--- a/src/share/classes/sun/security/ssl/krb5/KerberosPreMasterSecret.java
+++ b/src/share/classes/sun/security/ssl/krb5/KerberosPreMasterSecret.java
@@ -176,13 +176,21 @@ final class KerberosPreMasterSecret {
// check if the premaster secret version is ok
// the specification says that it must be the maximum version supported
// by the client from its ClientHello message. However, many
- // implementations send the negotiated version, so accept both
+ // old implementations send the negotiated version, so accept both
+ // for SSL v3.0 and TLS v1.0.
// NOTE that we may be comparing two unsupported version numbers in
// the second case, which is why we cannot use object references
// equality in this special case
- boolean versionMismatch = (protocolVersion != currentVersion) &&
- (protocolVersion.v != clientVersion.v);
+ boolean versionMismatch = (protocolVersion.v != clientVersion.v);
+ /*
+ * we never checked the client_version in server side
+ * for TLS v1.0 and SSL v3.0. For compatibility, we
+ * maintain this behavior.
+ */
+ if (versionMismatch && (clientVersion.v <= 0x0301)) {
+ versionMismatch = (protocolVersion.v != currentVersion.v);
+ }
/*
* Bogus decrypted ClientKeyExchange? If so, conjure a
@@ -203,8 +211,14 @@ final class KerberosPreMasterSecret {
Debug.println(System.out, "Invalid secret", preMaster);
}
}
- preMaster = generatePreMaster(generator, currentVersion);
- protocolVersion = currentVersion;
+
+ /*
+ * Randomize the preMaster secret with the
+ * ClientHello.client_version, as will produce invalid master
+ * secret to prevent the attacks.
+ */
+ preMaster = generatePreMaster(generator, clientVersion);
+ protocolVersion = clientVersion;
}
}
diff --git a/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java b/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
new file mode 100644
index 0000000000000000000000000000000000000000..a537c55485422f0d3b957fbe6144b1cd5929f34e
--- /dev/null
+++ b/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java
@@ -0,0 +1,486 @@
+/*
+ * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.util;
+
+import java.security.AlgorithmConstraints;
+import java.security.CryptoPrimitive;
+import java.security.AlgorithmParameters;
+
+import java.security.Key;
+import java.security.Security;
+import java.security.PrivilegedAction;
+import java.security.AccessController;
+import java.security.interfaces.ECKey;
+import java.security.interfaces.RSAKey;
+import java.security.interfaces.DSAKey;
+import javax.crypto.SecretKey;
+import javax.crypto.interfaces.DHKey;
+
+import java.util.Locale;
+import java.util.Set;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.HashMap;
+import java.util.regex.Pattern;
+import java.util.regex.Matcher;
+
+/**
+ * Algorithm constraints for disabled algorithms property
+ *
+ * See the "jdk.certpath.disabledAlgorithms" specification in java.security
+ * for the syntax of the disabled algorithm string.
+ */
+public class DisabledAlgorithmConstraints implements AlgorithmConstraints {
+
+ // the known security property, jdk.certpath.disabledAlgorithms
+ public final static String PROPERTY_CERTPATH_DISABLED_ALGS =
+ "jdk.certpath.disabledAlgorithms";
+
+ // the known security property, jdk.tls.disabledAlgorithms
+ public final static String PROPERTY_TLS_DISABLED_ALGS =
+ "jdk.tls.disabledAlgorithms";
+
+ private static Map
+ * For example, we need to decompose "SHA1WithRSA" into "SHA1" and "RSA"
+ * so that we can check the "SHA1" and "RSA" algorithm constraints
+ * separately.
+ *
+ * Please override the method if need to support more name pattern.
+ */
+ protected Set
- *
+ *
* Note that the validate() implementation tries to use a PKIX validator
* if that appears possible and a PKIX builder otherwise. This increases
* performance and currently also leads to better exception messages
* in case of failures.
+ *
+ * {@code PKIXValidator} objects are immutable once they have been created.
+ * Please DO NOT add methods that can change the state of an instance once
+ * it has been created.
*
* @author Andreas Sterbenz
*/
public final class PKIXValidator extends Validator {
+ /**
+ * Flag indicating whether to enable revocation check for the PKIX trust
+ * manager. Typically, this will only work if the PKIX implementation
+ * supports CRL distribution points as we do not manually setup CertStores.
+ */
+ private final static boolean checkTLSRevocation =
+ AccessController.doPrivileged
+ (new GetBooleanAction("com.sun.net.ssl.checkRevocation"));
+
// enable use of the validator if possible
private final static boolean TRY_VALIDATOR = true;
@@ -53,10 +68,10 @@ public final class PKIXValidator extends Validator {
private int certPathLength = -1;
// needed only for the validator
- private MapAn asynchronous channel to a stream-oriented connecting socket
* {@link java.nio.channels.AsynchronousServerSocketChannel}
* An asynchronous channel to a stream-oriented listening socket {@link java.nio.channels.AsynchronousDatagramChannel}
- * An asynchronous channel to a datagram-oriented socket {@link java.nio.channels.CompletionHandler}
* A handler for consuming the result of an asynchronous operation {@link java.nio.channels.AsynchronousChannelGroup}
diff --git a/src/share/classes/java/nio/channels/spi/AsynchronousChannelProvider.java b/src/share/classes/java/nio/channels/spi/AsynchronousChannelProvider.java
index 4ed5a707768fd818f6da8511eca79045e6c1cdef..9df31d4645e92306856be6c0c3a6a1d8459684b3 100644
--- a/src/share/classes/java/nio/channels/spi/AsynchronousChannelProvider.java
+++ b/src/share/classes/java/nio/channels/spi/AsynchronousChannelProvider.java
@@ -26,7 +26,6 @@
package java.nio.channels.spi;
import java.nio.channels.*;
-import java.net.ProtocolFamily;
import java.io.IOException;
import java.util.Iterator;
import java.util.ServiceLoader;
@@ -239,26 +238,4 @@ public abstract class AsynchronousChannelProvider {
*/
public abstract AsynchronousSocketChannel openAsynchronousSocketChannel
(AsynchronousChannelGroup group) throws IOException;
-
- /**
- * Opens an asynchronous datagram channel.
- *
- * @param family
- * The protocol family, or {@code null} for the default protocol
- * family
- * @param group
- * The group to which the channel is bound, or {@code null} to
- * bind to the default group
- *
- * @return The new channel
- *
- * @throws IllegalChannelGroupException
- * If the provider that created the group differs from this provider
- * @throws ShutdownChannelGroupException
- * The group is shutdown
- * @throws IOException
- * If an I/O error occurs
- */
- public abstract AsynchronousDatagramChannel openAsynchronousDatagramChannel
- (ProtocolFamily family, AsynchronousChannelGroup group) throws IOException;
}
diff --git a/src/share/classes/java/security/AlgorithmConstraints.java b/src/share/classes/java/security/AlgorithmConstraints.java
new file mode 100644
index 0000000000000000000000000000000000000000..7341603dc7cf65d3941cee8dce0e38194ed1a560
--- /dev/null
+++ b/src/share/classes/java/security/AlgorithmConstraints.java
@@ -0,0 +1,108 @@
+/*
+ * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package java.security;
+
+import java.util.Set;
+
+/**
+ * This interface specifies constraints for cryptographic algorithms,
+ * keys (key sizes), and other algorithm parameters.
+ * sun.com, would have
- * domains such as com.sun.MyDomain. This is essentially
+ * example.com would have
+ * domains such as com.example.MyDomain. This is essentially
* the same convention as for Java-language package names.1081892073854801359L.
diff --git a/src/share/classes/javax/management/build.xml b/src/share/classes/javax/management/build.xml
index 24357d694af18828523afdff2446903253aa7648..e1d263520f03c0d83bd5ea5eb419cc2981bb5ac6 100644
--- a/src/share/classes/javax/management/build.xml
+++ b/src/share/classes/javax/management/build.xml
@@ -35,18 +35,18 @@
. Please also read the important comment on basedir definition below.
-->
-SSLSession interface to support additional
+ * session attributes.
+ *
+ * @since 1.7
+ */
+public abstract class ExtendedSSLSession implements SSLSession {
+ /**
+ * Obtains an array of supported signature algorithms that the local side
+ * is willing to use.
+ * SSLParameters.
+ *
+ * @return An array of supported signature algorithms, in descending
+ * order of preference. The return value is an empty array if
+ * no signature algorithm is supported.
+ *
+ * @see SSLParameters#getAlgorithmConstraints
+ */
+ public abstract String[] getLocalSupportedSignatureAlgorithms();
+
+ /**
+ * Obtains an array of supported signature algorithms that the peer is
+ * able to use.
+ * HostnameVerifier.
- */
- static {
- try {
- defaultHostnameVerifier =
- new sun.net.www.protocol.https.DefaultHostnameVerifier();
- } catch (NoClassDefFoundError e) {
- defaultHostnameVerifier = new DefaultHostnameVerifier();
- }
- }
+ private static HostnameVerifier defaultHostnameVerifier =
+ new DefaultHostnameVerifier();
/*
* The initial default HostnameVerifier. Should be
diff --git a/src/share/classes/javax/net/ssl/SSLEngine.java b/src/share/classes/javax/net/ssl/SSLEngine.java
index df3830858a6d96654dfaab89b789ab5e799d49b5..2eea55121cb6ce401edaacb0fd79e6ab4d135627 100644
--- a/src/share/classes/javax/net/ssl/SSLEngine.java
+++ b/src/share/classes/javax/net/ssl/SSLEngine.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -967,6 +967,47 @@ public abstract class SSLEngine {
public abstract SSLSession getSession();
+ /**
+ * Returns the {@code SSLSession} being constructed during a SSL/TLS
+ * handshake.
+ * getSSLParameters()
* methods in
* {@link SSLSocket#getSSLParameters SSLSocket} and
+ * {@link SSLServerSocket#getSSLParameters SSLServerSocket} and
* {@link SSLEngine#getSSLParameters SSLEngine} or the
* {@link SSLContext#getDefaultSSLParameters getDefaultSSLParameters()} and
* {@link SSLContext#getSupportedSSLParameters getSupportedSSLParameters()}
* methods in SSLContext.
- *
- * null,
+ * null,
* wantClientAuth and needClientAuth are set to false.
*/
public SSLParameters() {
@@ -69,6 +76,7 @@ public class SSLParameters {
/**
* Constructs SSLParameters from the specified array of ciphersuites.
+ * setCipherSuites(cipherSuites);.
@@ -82,6 +90,7 @@ public class SSLParameters {
/**
* Constructs SSLParameters from the specified array of ciphersuites
* and protocols.
+ * setCipherSuites(cipherSuites); setProtocols(protocols);.
@@ -178,4 +187,71 @@ public class SSLParameters {
this.needClientAuth = needClientAuth;
}
+ /**
+ * Returns the cryptographic algorithm constraints.
+ *
+ * @return the cryptographic algorithm constraints, or null if the
+ * constraints have not been set
+ *
+ * @see #setAlgorithmConstraints(AlgorithmConstraints)
+ *
+ * @since 1.7
+ */
+ public AlgorithmConstraints getAlgorithmConstraints() {
+ return algorithmConstraints;
+ }
+
+ /**
+ * Sets the cryptographic algorithm constraints, which will be used
+ * in addition to any configured by the runtime environment.
+ * constraints parameter is non-null, every
+ * cryptographic algorithm, key and algorithm parameters used in the
+ * SSL/TLS handshake must be permitted by the constraints.
+ *
+ * @param constraints the algorithm constraints (or null)
+ *
+ * @since 1.7
+ */
+ public void setAlgorithmConstraints(AlgorithmConstraints constraints) {
+ // the constraints object is immutable
+ this.algorithmConstraints = constraints;
+ }
+
+ /**
+ * Gets the endpoint identification algorithm.
+ *
+ * @return the endpoint identification algorithm, or null if none
+ * has been set.
+ *
+ * @see X509ExtendedTrustManager
+ * @see #setEndpointIdentificationAlgorithm(String)
+ *
+ * @since 1.7
+ */
+ public String getEndpointIdentificationAlgorithm() {
+ return identificationAlgorithm;
+ }
+
+ /**
+ * Sets the endpoint identification algorithm.
+ * algorithm parameter is non-null or non-empty, the
+ * endpoint identification/verification procedures must be handled during
+ * SSL/TLS handshaking. This is to prevent man-in-the-middle attacks.
+ *
+ * @param algorithm The standard string name of the endpoint
+ * identification algorithm (or null). See Appendix A in the
+ * Java Cryptography Architecture API Specification & Reference
+ * for information about standard algorithm names.
+ *
+ * @see X509ExtendedTrustManager
+ *
+ * @since 1.7
+ */
+ public void setEndpointIdentificationAlgorithm(String algorithm) {
+ this.identificationAlgorithm = algorithm;
+ }
+
}
diff --git a/src/share/classes/javax/net/ssl/SSLServerSocket.java b/src/share/classes/javax/net/ssl/SSLServerSocket.java
index 6bcb8a678e8f14cb7acd0d41b6d16dca7fbbdf60..d5bbaaf5da5ab79d9dd0f6a60ecb87550b550570 100644
--- a/src/share/classes/javax/net/ssl/SSLServerSocket.java
+++ b/src/share/classes/javax/net/ssl/SSLServerSocket.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -56,8 +56,8 @@ import java.net.*;
* @since 1.4
* @author David Brownell
*/
-public abstract class SSLServerSocket extends ServerSocket
-{
+public abstract class SSLServerSocket extends ServerSocket {
+
/**
* Used only by subclasses.
*
+ *
+ *
+ * @param params the parameters
+ * @throws IllegalArgumentException if the setEnabledCipherSuites() or
+ * the setEnabledProtocols() call fails
+ *
+ * @see #getSSLParameters()
+ *
+ * @since 1.7
+ */
+ public void setSSLParameters(SSLParameters params) {
+ String[] s;
+ s = params.getCipherSuites();
+ if (s != null) {
+ setEnabledCipherSuites(s);
+ }
+
+ s = params.getProtocols();
+ if (s != null) {
+ setEnabledProtocols(s);
+ }
+
+ if (params.getNeedClientAuth()) {
+ setNeedClientAuth(true);
+ } else if (params.getWantClientAuth()) {
+ setWantClientAuth(true);
+ } else {
+ setWantClientAuth(false);
+ }
+ }
+
}
diff --git a/src/share/classes/javax/net/ssl/SSLSocket.java b/src/share/classes/javax/net/ssl/SSLSocket.java
index 29b69f1ccbf000821871fce2810de7da70725cf5..b61f94a5a75801dc67fb53bbb3dcec193f4a594e 100644
--- a/src/share/classes/javax/net/ssl/SSLSocket.java
+++ b/src/share/classes/javax/net/ssl/SSLSocket.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 2008, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -370,6 +370,51 @@ public abstract class SSLSocket extends Socket
public abstract SSLSession getSession();
+ /**
+ * Returns the {@code SSLSession} being constructed during a SSL/TLS
+ * handshake.
+ * params.getCipherSuites() is non-null,
+ * setEnabledCipherSuites() is called with that value
+ * params.getProtocols() is non-null,
+ * setEnabledProtocols() is called with that value
+ * params.getNeedClientAuth() or
+ * params.getWantClientAuth() return true,
+ * setNeedClientAuth(true) and
+ * setWantClientAuth(true) are called, respectively;
+ * otherwise setWantClientAuth(false) is called.
+ * X509TrustManager interface to support
+ * SSL/TLS connection sensitive trust management.
+ * socket parameter is an instance of
+ * {@link javax.net.SSLSocket}, and the endpoint identification
+ * algorithm of the SSLParameters is non-empty, to prevent
+ * man-in-the-middle attacks, the address that the socket
+ * connected to should be checked against the peer's identity presented
+ * in the end-entity X509 certificate, as specified in the endpoint
+ * identification algorithm.
+ * socket parameter is an instance of
+ * {@link javax.net.SSLSocket}, and the algorithm constraints of the
+ * SSLParameters is non-null, for every certificate in the
+ * certification path, fields such as subject public key, the signature
+ * algorithm, key usage, extended key usage, etc. need to conform to the
+ * algorithm constraints in place on this socket.
+ *
+ * @param chain the peer certificate chain
+ * @param authType the key exchange algorithm used
+ * @param socket the socket used for this connection. This parameter
+ * can be null, which indicates that implementations need not check
+ * the ssl parameters
+ * @throws IllegalArgumentException if null or zero-length array is passed
+ * in for the chain parameter or if null or zero-length
+ * string is passed in for the authType parameter
+ * @throws CertificateException if the certificate chain is not trusted
+ * by this TrustManager
+ *
+ * @see SSLParameters#getEndpointIdentificationProtocol
+ * @see SSLParameters#setEndpointIdentificationProtocol(String)
+ * @see SSLParameters#getAlgorithmConstraints
+ * @see SSLParameters#setAlgorithmConstraints(AlgorithmConstraints)
+ */
+ public abstract void checkClientTrusted(X509Certificate[] chain,
+ String authType, Socket socket) throws CertificateException;
+
+ /**
+ * Given the partial or complete certificate chain provided by the
+ * peer, build and validate the certificate path based on the
+ * authentication type and ssl parameters.
+ * socket parameter is an instance of
+ * {@link javax.net.SSLSocket}, and the endpoint identification
+ * algorithm of the SSLParameters is non-empty, to prevent
+ * man-in-the-middle attacks, the address that the socket
+ * connected to should be checked against the peer's identity presented
+ * in the end-entity X509 certificate, as specified in the endpoint
+ * identification algorithm.
+ * socket parameter is an instance of
+ * {@link javax.net.SSLSocket}, and the algorithm constraints of the
+ * SSLParameters is non-null, for every certificate in the
+ * certification path, fields such as subject public key, the signature
+ * algorithm, key usage, extended key usage, etc. need to conform to the
+ * algorithm constraints in place on this socket.
+ *
+ * @param chain the peer certificate chain
+ * @param authType the key exchange algorithm used
+ * @param socket the socket used for this connection. This parameter
+ * can be null, which indicates that implementations need not check
+ * the ssl parameters
+ * @throws IllegalArgumentException if null or zero-length array is passed
+ * in for the chain parameter or if null or zero-length
+ * string is passed in for the authType parameter
+ * @throws CertificateException if the certificate chain is not trusted
+ * by this TrustManager
+ *
+ * @see SSLParameters#getEndpointIdentificationProtocol
+ * @see SSLParameters#setEndpointIdentificationProtocol(String)
+ * @see SSLParameters#getAlgorithmConstraints
+ * @see SSLParameters#setAlgorithmConstraints(AlgorithmConstraints)
+ */
+ public abstract void checkServerTrusted(X509Certificate[] chain,
+ String authType, Socket socket) throws CertificateException;
+
+ /**
+ * Given the partial or complete certificate chain provided by the
+ * peer, build and validate the certificate path based on the
+ * authentication type and ssl parameters.
+ * engine parameter is available, and the endpoint
+ * identification algorithm of the SSLParameters is
+ * non-empty, to prevent man-in-the-middle attacks, the address that
+ * the engine connected to should be checked against
+ * the peer's identity presented in the end-entity X509 certificate,
+ * as specified in the endpoint identification algorithm.
+ * engine parameter is available, and the algorithm
+ * constraints of the SSLParameters is non-null, for every
+ * certificate in the certification path, fields such as subject public
+ * key, the signature algorithm, key usage, extended key usage, etc.
+ * need to conform to the algorithm constraints in place on this engine.
+ *
+ * @param chain the peer certificate chain
+ * @param authType the key exchange algorithm used
+ * @param engine the engine used for this connection. This parameter
+ * can be null, which indicates that implementations need not check
+ * the ssl parameters
+ * @throws IllegalArgumentException if null or zero-length array is passed
+ * in for the chain parameter or if null or zero-length
+ * string is passed in for the authType parameter
+ * @throws CertificateException if the certificate chain is not trusted
+ * by this TrustManager
+ *
+ * @see SSLParameters#getEndpointIdentificationProtocol
+ * @see SSLParameters#setEndpointIdentificationProtocol(String)
+ * @see SSLParameters#getAlgorithmConstraints
+ * @see SSLParameters#setAlgorithmConstraints(AlgorithmConstraints)
+ */
+ public abstract void checkClientTrusted(X509Certificate[] chain,
+ String authType, SSLEngine engine) throws CertificateException;
+
+ /**
+ * Given the partial or complete certificate chain provided by the
+ * peer, build and validate the certificate path based on the
+ * authentication type and ssl parameters.
+ * engine parameter is available, and the endpoint
+ * identification algorithm of the SSLParameters is
+ * non-empty, to prevent man-in-the-middle attacks, the address that
+ * the engine connected to should be checked against
+ * the peer's identity presented in the end-entity X509 certificate,
+ * as specified in the endpoint identification algorithm.
+ * engine parameter is available, and the algorithm
+ * constraints of the SSLParameters is non-null, for every
+ * certificate in the certification path, fields such as subject public
+ * key, the signature algorithm, key usage, extended key usage, etc.
+ * need to conform to the algorithm constraints in place on this engine.
+ *
+ * @param chain the peer certificate chain
+ * @param authType the key exchange algorithm used
+ * @param engine the engine used for this connection. This parameter
+ * can be null, which indicates that implementations need not check
+ * the ssl parameters
+ * @throws IllegalArgumentException if null or zero-length array is passed
+ * in for the chain parameter or if null or zero-length
+ * string is passed in for the authType parameter
+ * @throws CertificateException if the certificate chain is not trusted
+ * by this TrustManager
+ *
+ * @see SSLParameters#getEndpointIdentificationProtocol
+ * @see SSLParameters#setEndpointIdentificationProtocol(String)
+ * @see SSLParameters#getAlgorithmConstraints
+ * @see SSLParameters#setAlgorithmConstraints(AlgorithmConstraints)
+ */
+ public abstract void checkServerTrusted(X509Certificate[] chain,
+ String authType, SSLEngine engine) throws CertificateException;
+
+}
diff --git a/src/share/classes/sun/net/InetAddressCachePolicy.java b/src/share/classes/sun/net/InetAddressCachePolicy.java
index 7b48f5765ad785fb3535aef9a31f9e17c36e4752..a506a944e2812aab6f2e2a699558e2915d6408cd 100644
--- a/src/share/classes/sun/net/InetAddressCachePolicy.java
+++ b/src/share/classes/sun/net/InetAddressCachePolicy.java
@@ -25,7 +25,6 @@
package sun.net;
-import java.net.InetAddress;
import java.security.PrivilegedAction;
import java.security.Security;
@@ -57,7 +56,7 @@ public final class InetAddressCachePolicy {
* caching. For security reasons, this caching is made forever when
* a security manager is set.
*/
- private static int cachePolicy;
+ private static int cachePolicy = FOREVER;
/* The Java-level namelookup cache policy for negative lookups:
*
@@ -67,31 +66,24 @@ public final class InetAddressCachePolicy {
* default value is 0. It can be set to some other value for
* performance reasons.
*/
- private static int negativeCachePolicy;
+ private static int negativeCachePolicy = NEVER;
/*
* Whether or not the cache policy for successful lookups was set
* using a property (cmd line).
*/
- private static boolean set = false;
+ private static boolean propertySet;
/*
* Whether or not the cache policy for negative lookups was set
* using a property (cmd line).
*/
- private static boolean negativeSet = false;
+ private static boolean propertyNegativeSet;
/*
* Initialize
*/
static {
-
- set = false;
- negativeSet = false;
-
- cachePolicy = FOREVER;
- negativeCachePolicy = 0;
-
Integer tmp = null;
try {
@@ -110,7 +102,7 @@ public final class InetAddressCachePolicy {
if (cachePolicy < 0) {
cachePolicy = FOREVER;
}
- set = true;
+ propertySet = true;
} else {
tmp = java.security.AccessController.doPrivileged
(new sun.security.action.GetIntegerAction(cachePolicyPropFallback));
@@ -119,7 +111,14 @@ public final class InetAddressCachePolicy {
if (cachePolicy < 0) {
cachePolicy = FOREVER;
}
- set = true;
+ propertySet = true;
+ } else {
+ /* No properties defined for positive caching. If there is no
+ * security manager then use the default positive cache value.
+ */
+ if (System.getSecurityManager() == null) {
+ cachePolicy = DEFAULT_POSITIVE;
+ }
}
}
@@ -140,7 +139,7 @@ public final class InetAddressCachePolicy {
if (negativeCachePolicy < 0) {
negativeCachePolicy = FOREVER;
}
- negativeSet = true;
+ propertyNegativeSet = true;
} else {
tmp = java.security.AccessController.doPrivileged
(new sun.security.action.GetIntegerAction(negativeCachePolicyPropFallback));
@@ -149,17 +148,13 @@ public final class InetAddressCachePolicy {
if (negativeCachePolicy < 0) {
negativeCachePolicy = FOREVER;
}
- negativeSet = true;
+ propertyNegativeSet = true;
}
}
}
public static synchronized int get() {
- if (!set && System.getSecurityManager() == null) {
- return DEFAULT_POSITIVE;
- } else {
- return cachePolicy;
- }
+ return cachePolicy;
}
public static synchronized int getNegative() {
@@ -174,21 +169,17 @@ public final class InetAddressCachePolicy {
* should be cached
*/
public static synchronized void setIfNotSet(int newPolicy) {
-
/*
* When setting the new value we may want to signal that the
* cache should be flushed, though this doesn't seem strictly
* necessary.
*/
-
- if (!set) {
+ if (!propertySet) {
checkValue(newPolicy, cachePolicy);
cachePolicy = newPolicy;
}
-
}
-
/**
* Sets the cache policy for negative lookups if the user has not
* already specified a cache policy for it using a
@@ -197,14 +188,12 @@ public final class InetAddressCachePolicy {
* should be cached
*/
public static synchronized void setNegativeIfNotSet(int newPolicy) {
-
/*
* When setting the new value we may want to signal that the
* cache should be flushed, though this doesn't seem strictly
* necessary.
*/
-
- if (!negativeSet) {
+ if (!propertyNegativeSet) {
// Negative caching does not seem to have any security
// implications.
// checkValue(newPolicy, negativeCachePolicy);
@@ -213,13 +202,11 @@ public final class InetAddressCachePolicy {
}
private static void checkValue(int newPolicy, int oldPolicy) {
-
/*
* If malicious code gets a hold of this method, prevent
* setting the cache policy to something laxer or some
* invalid negative value.
*/
-
if (newPolicy == FOREVER)
return;
@@ -229,7 +216,6 @@ public final class InetAddressCachePolicy {
throw new
SecurityException("can't make InetAddress cache more lax");
-
}
}
}
diff --git a/src/share/classes/sun/net/NetworkClient.java b/src/share/classes/sun/net/NetworkClient.java
index 01322c91acc5ec57aee3ea8092d67fe0e5de462a..1e88dc884c42b586de7f99c5ffb1f9818f93b497 100644
--- a/src/share/classes/sun/net/NetworkClient.java
+++ b/src/share/classes/sun/net/NetworkClient.java
@@ -40,6 +40,12 @@ import java.security.PrivilegedAction;
* @author Jonathan Payne
*/
public class NetworkClient {
+ /* Default value of read timeout, if not specified (infinity) */
+ public static final int DEFAULT_READ_TIMEOUT = -1;
+
+ /* Default value of connect timeout, if not specified (infinity) */
+ public static final int DEFAULT_CONNECT_TIMEOUT = -1;
+
protected Proxy proxy = Proxy.NO_PROXY;
/** Socket for communicating with server. */
protected Socket serverSocket = null;
@@ -53,8 +59,8 @@ public class NetworkClient {
protected static int defaultSoTimeout;
protected static int defaultConnectTimeout;
- protected int readTimeout = -1;
- protected int connectTimeout = -1;
+ protected int readTimeout = DEFAULT_READ_TIMEOUT;
+ protected int connectTimeout = DEFAULT_CONNECT_TIMEOUT;
/* Name of encoding to use for output */
protected static String encoding;
@@ -71,16 +77,12 @@ public class NetworkClient {
return null;
}
});
- if (vals[0] == 0)
- defaultSoTimeout = -1;
- else
+ if (vals[0] != 0) {
defaultSoTimeout = vals[0];
-
- if (vals[1] == 0)
- defaultConnectTimeout = -1;
- else
+ }
+ if (vals[1] != 0) {
defaultConnectTimeout = vals[1];
-
+ }
encoding = encs[0];
try {
@@ -232,7 +234,23 @@ public class NetworkClient {
return connectTimeout;
}
+ /**
+ * Sets the read timeout.
+ *
+ * Note: Public URLConnection (and protocol specific implementations)
+ * protect against negative timeout values being set. This implemenation,
+ * and protocol specific implementations, use -1 to represent the default
+ * read timeout.
+ *
+ * This method may be invoked with the default timeout value when the
+ * protocol handler is trying to reset the timeout after doing a
+ * potentially blocking internal operation, e.g. cleaning up unread
+ * response data, buffering error stream response data, etc
+ */
public void setReadTimeout(int timeout) {
+ if (timeout == DEFAULT_READ_TIMEOUT)
+ timeout = defaultSoTimeout;
+
if (serverSocket != null && timeout >= 0) {
try {
serverSocket.setSoTimeout(timeout);
diff --git a/src/share/classes/sun/net/www/protocol/ftp/FtpURLConnection.java b/src/share/classes/sun/net/www/protocol/ftp/FtpURLConnection.java
index 49af37825a273e828ad18dede51aa57ad4c32450..826f1afc5ee99c3e2b7a2e6233edea1c1e6179c3 100644
--- a/src/share/classes/sun/net/www/protocol/ftp/FtpURLConnection.java
+++ b/src/share/classes/sun/net/www/protocol/ftp/FtpURLConnection.java
@@ -46,6 +46,7 @@ import java.net.ProxySelector;
import java.util.StringTokenizer;
import java.util.Iterator;
import java.security.Permission;
+import sun.net.NetworkClient;
import sun.net.www.MessageHeader;
import sun.net.www.MeteredStream;
import sun.net.www.URLConnection;
@@ -102,11 +103,11 @@ public class FtpURLConnection extends URLConnection {
static final int BIN = 2;
static final int DIR = 3;
int type = NONE;
- /* Redefine timeouts from java.net.URLConnection as we nee -1 to mean
+ /* Redefine timeouts from java.net.URLConnection as we need -1 to mean
* not set. This is to ensure backward compatibility.
*/
- private int connectTimeout = -1;
- private int readTimeout = -1;
+ private int connectTimeout = NetworkClient.DEFAULT_CONNECT_TIMEOUT;;
+ private int readTimeout = NetworkClient.DEFAULT_READ_TIMEOUT;;
/**
* For FTP URLs we need to have a special InputStream because we
diff --git a/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java b/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
index 56ed6a40fa34fd03b04ac0fa938fd9537851dee8..69f12a5c601117c4931afd8a82da3bcabbc47aab 100644
--- a/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
+++ b/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
@@ -359,11 +359,11 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
private TunnelState tunnelState = TunnelState.NONE;
- /* Redefine timeouts from java.net.URLConnection as we nee -1 to mean
+ /* Redefine timeouts from java.net.URLConnection as we need -1 to mean
* not set. This is to ensure backward compatibility.
*/
- private int connectTimeout = -1;
- private int readTimeout = -1;
+ private int connectTimeout = NetworkClient.DEFAULT_CONNECT_TIMEOUT;
+ private int readTimeout = NetworkClient.DEFAULT_READ_TIMEOUT;
/* Logging support */
private static final PlatformLogger logger =
@@ -1041,9 +1041,9 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
throw new ProtocolException("Server rejected operation");
}
}
- if (oldTimeout > 0) {
- http.setReadTimeout(oldTimeout);
- }
+
+ http.setReadTimeout(oldTimeout);
+
responseCode = -1;
responses.reset();
// Proceed
diff --git a/src/share/classes/sun/net/www/protocol/https/HttpsClient.java b/src/share/classes/sun/net/www/protocol/https/HttpsClient.java
index 14b6c63b79dd70717436f0733c5d4f3de21cccfb..24618e89b619c9b0dbf7d15217e697bc54168120 100644
--- a/src/share/classes/sun/net/www/protocol/https/HttpsClient.java
+++ b/src/share/classes/sun/net/www/protocol/https/HttpsClient.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2001, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -109,6 +109,10 @@ final class HttpsClient extends HttpClient
// HTTPS uses a different default port number than HTTP.
private static final int httpsPortNumber = 443;
+ // default HostnameVerifier class canonical name
+ private static final String defaultHVCanonicalName =
+ "javax.net.ssl.HttpsURLConnection.DefaultHostnameVerifier";
+
/** Returns the default HTTPS port (443) */
@Override
protected int getDefaultPort() { return httpsPortNumber; }
@@ -427,13 +431,93 @@ final class HttpsClient extends HttpClient
}
s.addHandshakeCompletedListener(this);
- // if the HostnameVerifier is not set, try to enable endpoint
- // identification during handshaking
- boolean enabledIdentification = false;
- if (hv instanceof DefaultHostnameVerifier &&
- (s instanceof SSLSocketImpl) &&
- ((SSLSocketImpl)s).trySetHostnameVerification("HTTPS")) {
- enabledIdentification = true;
+ // We have two hostname verification approaches. One is in
+ // SSL/TLS socket layer, where the algorithm is configured with
+ // SSLParameters.setEndpointIdentificationAlgorithm(), and the
+ // hostname verification is done by X509ExtendedTrustManager when
+ // the algorithm is "HTTPS". The other one is in HTTPS layer,
+ // where the algorithm is customized by
+ // HttpsURLConnection.setHostnameVerifier(), and the hostname
+ // verification is done by HostnameVerifier when the default
+ // rules for hostname verification fail.
+ //
+ // The relationship between two hostname verification approaches
+ // likes the following:
+ //
+ // | EIA algorithm
+ // +----------------------------------------------
+ // | null | HTTPS | LDAP/other |
+ // -------------------------------------------------------------
+ // | |1 |2 |3 |
+ // HNV | default | Set HTTPS EIA | use EIA | HTTPS |
+ // |--------------------------------------------------------
+ // | non - |4 |5 |6 |
+ // | default | HTTPS/HNV | use EIA | HTTPS/HNV |
+ // -------------------------------------------------------------
+ //
+ // Abbreviation:
+ // EIA: the endpoint identification algorithm in SSL/TLS
+ // socket layer
+ // HNV: the hostname verification object in HTTPS layer
+ // Notes:
+ // case 1. default HNV and EIA is null
+ // Set EIA as HTTPS, hostname check done in SSL/TLS
+ // layer.
+ // case 2. default HNV and EIA is HTTPS
+ // Use existing EIA, hostname check done in SSL/TLS
+ // layer.
+ // case 3. default HNV and EIA is other than HTTPS
+ // Use existing EIA, EIA check done in SSL/TLS
+ // layer, then do HTTPS check in HTTPS layer.
+ // case 4. non-default HNV and EIA is null
+ // No EIA, no EIA check done in SSL/TLS layer, then do
+ // HTTPS check in HTTPS layer using HNV as override.
+ // case 5. non-default HNV and EIA is HTTPS
+ // Use existing EIA, hostname check done in SSL/TLS
+ // layer. No HNV override possible. We will review this
+ // decision and may update the architecture for JDK 7.
+ // case 6. non-default HNV and EIA is other than HTTPS
+ // Use existing EIA, EIA check done in SSL/TLS layer,
+ // then do HTTPS check in HTTPS layer as override.
+ boolean needToCheckSpoofing = true;
+ String identification =
+ s.getSSLParameters().getEndpointIdentificationAlgorithm();
+ if (identification != null && identification.length() != 0) {
+ if (identification.equalsIgnoreCase("HTTPS")) {
+ // Do not check server identity again out of SSLSocket,
+ // the endpoint will be identified during TLS handshaking
+ // in SSLSocket.
+ needToCheckSpoofing = false;
+ } // else, we don't understand the identification algorithm,
+ // need to check URL spoofing here.
+ } else {
+ boolean isDefaultHostnameVerifier = false;
+
+ // We prefer to let the SSLSocket do the spoof checks, but if
+ // the application has specified a HostnameVerifier (HNV),
+ // we will always use that.
+ if (hv != null) {
+ String canonicalName = hv.getClass().getCanonicalName();
+ if (canonicalName != null &&
+ canonicalName.equalsIgnoreCase(defaultHVCanonicalName)) {
+ isDefaultHostnameVerifier = true;
+ }
+ } else {
+ // Unlikely to happen! As the behavior is the same as the
+ // default hostname verifier, so we prefer to let the
+ // SSLSocket do the spoof checks.
+ isDefaultHostnameVerifier = true;
+ }
+
+ if (isDefaultHostnameVerifier) {
+ // If the HNV is the default from HttpsURLConnection, we
+ // will do the spoof checks in SSLSocket.
+ SSLParameters paramaters = s.getSSLParameters();
+ paramaters.setEndpointIdentificationAlgorithm("HTTPS");
+ s.setSSLParameters(paramaters);
+
+ needToCheckSpoofing = false;
+ }
}
s.startHandshake();
@@ -449,7 +533,7 @@ final class HttpsClient extends HttpClient
}
// check URL spoofing if it has not been checked under handshaking
- if (!enabledIdentification) {
+ if (needToCheckSpoofing) {
checkURLSpoofing(hv);
}
} else {
@@ -463,8 +547,7 @@ final class HttpsClient extends HttpClient
// Server identity checking is done according to RFC 2818: HTTP over TLS
// Section 3.1 Server Identity
private void checkURLSpoofing(HostnameVerifier hostnameVerifier)
- throws IOException
- {
+ throws IOException {
//
// Get authenticated server name, if any
//
diff --git a/src/share/classes/sun/nio/ch/DatagramChannelImpl.java b/src/share/classes/sun/nio/ch/DatagramChannelImpl.java
index 1d7d6758d8e7ef5120ed892f0388e1985365d68f..5a8f6933cc3799d4c1dfde71c71206793589a607 100644
--- a/src/share/classes/sun/nio/ch/DatagramChannelImpl.java
+++ b/src/share/classes/sun/nio/ch/DatagramChannelImpl.java
@@ -711,10 +711,8 @@ class DatagramChannelImpl
cachedSenderInetAddress = isa.getAddress();
cachedSenderPort = isa.getPort();
- // Socket was not bound before connecting,
- if (localAddress == null) {
- localAddress = Net.localAddress(fd);
- }
+ // set or refresh local address
+ localAddress = Net.localAddress(fd);
}
}
}
@@ -735,6 +733,9 @@ class DatagramChannelImpl
disconnect0(fd);
remoteAddress = null;
state = ST_UNCONNECTED;
+
+ // refresh local address
+ localAddress = Net.localAddress(fd);
}
}
}
diff --git a/src/share/classes/sun/nio/ch/FileChannelImpl.java b/src/share/classes/sun/nio/ch/FileChannelImpl.java
index 208c36789b19674fc485e67c638667d429deb8f3..6d1bed731ee3de01145b147a31254e82fcda5792 100644
--- a/src/share/classes/sun/nio/ch/FileChannelImpl.java
+++ b/src/share/classes/sun/nio/ch/FileChannelImpl.java
@@ -699,15 +699,19 @@ public class FileChannelImpl
static volatile long totalSize;
static volatile long totalCapacity;
- private long address;
- private long size;
- private int cap;
+ private volatile long address;
+ private final long size;
+ private final int cap;
+ private final FileDescriptor fd;
- private Unmapper(long address, long size, int cap) {
+ private Unmapper(long address, long size, int cap,
+ FileDescriptor fd)
+ {
assert (address != 0);
this.address = address;
this.size = size;
this.cap = cap;
+ this.fd = fd;
synchronized (Unmapper.class) {
count++;
@@ -722,6 +726,15 @@ public class FileChannelImpl
unmap0(address, size);
address = 0;
+ // if this mapping has a valid file descriptor then we close it
+ if (fd.valid()) {
+ try {
+ nd.close(fd);
+ } catch (IOException ignore) {
+ // nothing we can do
+ }
+ }
+
synchronized (Unmapper.class) {
count--;
totalSize -= size;
@@ -784,10 +797,12 @@ public class FileChannelImpl
}
if (size == 0) {
addr = 0;
+ // a valid file descriptor is not required
+ FileDescriptor dummy = new FileDescriptor();
if ((!writable) || (imode == MAP_RO))
- return Util.newMappedByteBufferR(0, 0, null);
+ return Util.newMappedByteBufferR(0, 0, dummy, null);
else
- return Util.newMappedByteBuffer(0, 0, null);
+ return Util.newMappedByteBuffer(0, 0, dummy, null);
}
int pagePosition = (int)(position % allocationGranularity);
@@ -813,14 +828,31 @@ public class FileChannelImpl
}
}
+ // On Windows, and potentially other platforms, we need an open
+ // file descriptor for some mapping operations.
+ FileDescriptor mfd;
+ try {
+ mfd = nd.duplicateForMapping(fd);
+ } catch (IOException ioe) {
+ unmap0(addr, mapSize);
+ throw ioe;
+ }
+
assert (IOStatus.checkAll(addr));
assert (addr % allocationGranularity == 0);
int isize = (int)size;
- Unmapper um = new Unmapper(addr, size + pagePosition, isize);
- if ((!writable) || (imode == MAP_RO))
- return Util.newMappedByteBufferR(isize, addr + pagePosition, um);
- else
- return Util.newMappedByteBuffer(isize, addr + pagePosition, um);
+ Unmapper um = new Unmapper(addr, mapSize, isize, mfd);
+ if ((!writable) || (imode == MAP_RO)) {
+ return Util.newMappedByteBufferR(isize,
+ addr + pagePosition,
+ mfd,
+ um);
+ } else {
+ return Util.newMappedByteBuffer(isize,
+ addr + pagePosition,
+ mfd,
+ um);
+ }
} finally {
threads.remove(ti);
end(IOStatus.checkAll(addr));
diff --git a/src/share/classes/sun/nio/ch/FileDispatcher.java b/src/share/classes/sun/nio/ch/FileDispatcher.java
index 4e90c9944f5420967d20fe31024d27400f12c00e..0e3635144144c3e8ac2bc36f3a39143798229fb4 100644
--- a/src/share/classes/sun/nio/ch/FileDispatcher.java
+++ b/src/share/classes/sun/nio/ch/FileDispatcher.java
@@ -45,4 +45,12 @@ abstract class FileDispatcher extends NativeDispatcher {
abstract void release(FileDescriptor fd, long pos, long size)
throws IOException;
+
+ /**
+ * Returns a dup of fd if a file descriptor is required for
+ * memory-mapping operations, otherwise returns an invalid
+ * FileDescriptor (meaning a newly allocated FileDescriptor)
+ */
+ abstract FileDescriptor duplicateForMapping(FileDescriptor fd)
+ throws IOException;
}
diff --git a/src/share/classes/sun/nio/ch/SimpleAsynchronousDatagramChannelImpl.java b/src/share/classes/sun/nio/ch/SimpleAsynchronousDatagramChannelImpl.java
deleted file mode 100644
index e1eccdecc9e3af0036eac3bfec612a5feb06b531..0000000000000000000000000000000000000000
--- a/src/share/classes/sun/nio/ch/SimpleAsynchronousDatagramChannelImpl.java
+++ /dev/null
@@ -1,667 +0,0 @@
-/*
- * Copyright (c) 2008, 2009, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation. Oracle designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Oracle in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-package sun.nio.ch;
-
-import java.nio.ByteBuffer;
-import java.nio.channels.*;
-import java.net.*;
-import java.io.IOException;
-import java.util.*;
-import java.util.concurrent.*;
-import java.security.AccessController;
-import java.security.AccessControlContext;
-import java.security.PrivilegedExceptionAction;
-import java.security.PrivilegedActionException;
-
-/**
- * A prototype implementation of AsynchronousDatagramChannel, used to aid
- * test and spec development.
- */
-
-class SimpleAsynchronousDatagramChannelImpl
- extends AsynchronousDatagramChannel implements Groupable, Cancellable
-{
- private final DatagramChannel dc;
- private final AsynchronousChannelGroupImpl group;
- private final Object attachKey;
- private boolean closed;
-
- // used to coordinate timed and blocking reads
- private final Object readLock = new Object();
-
- // channel blocking mode (requires readLock)
- private boolean isBlocking = true;
-
- // number of blocking readers (requires readLock)
- private int blockingReaderCount;
-
- // true if timed read attempted while blocking read in progress (requires readLock)
- private boolean transitionToNonBlocking;
-
- // true if a blocking read is cancelled (requires readLock)
- private boolean blockingReadKilledByCancel;
-
- // temporary Selectors used by timed reads (requires readLock)
- private Selector firstReader;
- private SetKeyTabEntry.
*/
public KeyTabEntry[] getEntries() {
- if (entries != null) {
- KeyTabEntry[] kentries = new KeyTabEntry[entries.size()];
- for (int i = 0; i < kentries.length; i++) {
- kentries[i] = entries.elementAt(i);
- }
- return kentries;
- } else {
- return null;
+ KeyTabEntry[] kentries = new KeyTabEntry[entries.size()];
+ for (int i = 0; i < kentries.length; i++) {
+ kentries[i] = entries.elementAt(i);
}
+ return kentries;
}
/**
@@ -464,29 +426,55 @@ public class KeyTab implements KeyTabConstants {
}
/**
- * Removes an entry from the key table.
+ * Removes entries from the key table.
* @param service the service PrincipalName.
- * @param etype the etype to match, first one if -1 provided
- * @return 1 if removed successfully, 0 otherwise
+ * @param etype the etype to match, remove all if -1
+ * @param kvno what kvno to remove, -1 for all, -2 for old
+ * @return the number of entries deleted
*/
- public int deleteEntry(PrincipalName service, int etype) {
- int result = retrieveEntry(service, etype);
- if (result != -1) {
- entries.removeElementAt(result);
- return 1;
+ public int deleteEntries(PrincipalName service, int etype, int kvno) {
+ int count = 0;
+
+ // Remember the highest KVNO for each etype. Used for kvno == -2
+ MapPrincipalName.
- * @return number of entries removed
- */
- public int deleteEntry(PrincipalName service) {
- int count = 0;
- while (deleteEntry(service, -1) > 0) {
- count++;
+ // Second round for kvno == -2, remove old entries
+ if (kvno == -2) {
+ for (int i = entries.size()-1; i >= 0; i--) {
+ KeyTabEntry e = entries.get(i);
+ if (service.match(e.getService())) {
+ if (etype == -1 || e.keyType == etype) {
+ int n = highest.get(e.keyType);
+ if (e.keyVersion != n) {
+ entries.removeElementAt(i);
+ count++;
+ }
+ }
+ }
+ }
}
return count;
}
diff --git a/src/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/share/classes/sun/security/pkcs11/SunPKCS11.java
index 95be485b58a0a2fcef677e09bb46eb1287822e57..33691f87ef725f7c5a20788af6fc8b82f0d2e135 100644
--- a/src/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ b/src/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -655,6 +655,25 @@ public final class SunPKCS11 extends AuthProvider {
d(SIG, "SHA512withRSA", P11Signature,
m(CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509));
+ /*
+ * TLS 1.2 uses a different hash algorithm than 1.0/1.1 for the
+ * PRF calculations. As of 2010, there is no PKCS11-level
+ * support for TLS 1.2 PRF calculations, and no known OS's have
+ * an internal variant we could use. Therefore for TLS 1.2, we
+ * are updating JSSE to request different provider algorithms
+ * (e.g. "SunTls12Prf"), and currently only SunJCE has these
+ * TLS 1.2 algorithms.
+ *
+ * If we reused the names such as "SunTlsPrf", the PKCS11
+ * providers would need be updated to fail correctly when
+ * presented with the wrong version number (via
+ * Provider.Service.supportsParameters()), and we would also
+ * need to add the appropriate supportsParamters() checks into
+ * KeyGenerators (not currently there).
+ *
+ * In the future, if PKCS11 support is added, we will restructure
+ * this.
+ */
d(KG, "SunTlsRsaPremasterSecret",
"sun.security.pkcs11.P11TlsRsaPremasterSecretGenerator",
m(CKM_SSL3_PRE_MASTER_KEY_GEN, CKM_TLS_PRE_MASTER_KEY_GEN));
@@ -887,7 +906,8 @@ public final class SunPKCS11 extends AuthProvider {
return (aliases == null) ? null : Arrays.asList(aliases);
}
- public Object newInstance(Object param) throws NoSuchAlgorithmException {
+ public Object newInstance(Object param)
+ throws NoSuchAlgorithmException {
if (token.isValid() == false) {
throw new NoSuchAlgorithmException("Token has been removed");
}
diff --git a/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java b/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java
index eb18820b2b8c9c0745ae0dbf781196ee7efd6a23..69e560ed4bf8489ea420808c9d73cf24af07893a 100644
--- a/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java
+++ b/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -25,95 +25,336 @@
package sun.security.provider.certpath;
-import java.util.Set;
+import java.security.AlgorithmConstraints;
+import java.security.CryptoPrimitive;
import java.util.Collection;
-import java.util.Locale;
+import java.util.Collections;
+import java.util.Set;
+import java.util.EnumSet;
+import java.util.HashSet;
+import java.math.BigInteger;
+import java.security.PublicKey;
+import java.security.KeyFactory;
+import java.security.AlgorithmParameters;
+import java.security.NoSuchAlgorithmException;
+import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
-import java.security.cert.X509Certificate;
import java.security.cert.X509CRL;
-import java.security.cert.CertPathValidatorException;
+import java.security.cert.X509Certificate;
import java.security.cert.PKIXCertPathChecker;
+import java.security.cert.TrustAnchor;
+import java.security.cert.CRLException;
+import java.security.cert.CertificateException;
+import java.security.cert.CertPathValidatorException;
+import java.io.IOException;
+import java.security.interfaces.*;
+import java.security.spec.*;
+import sun.security.util.DisabledAlgorithmConstraints;
+import sun.security.x509.X509CertImpl;
+import sun.security.x509.X509CRLImpl;
import sun.security.x509.AlgorithmId;
/**
- * AlgorithmChecker is a PKIXCertPathChecker that checks that
- * the signature algorithm of the specified certificate is not disabled.
+ * A PKIXCertPathChecker implementation to check whether a
+ * specified certificate contains the required algorithm constraints.
+ * AlgorithmChecker with the algorithm
+ * constraints specified in security property
+ * "jdk.certpath.disabledAlgorithms".
+ *
+ * @param anchor the trust anchor selected to validate the target
+ * certificate
*/
- private AlgorithmChecker() {
- // do nothing
+ public AlgorithmChecker(TrustAnchor anchor) {
+ this(anchor, certPathDefaultConstraints);
}
/**
- * Return a AlgorithmChecker instance.
+ * Create a new AlgorithmChecker with the
+ * given {@code AlgorithmConstraints}.
+ * AlgorithmChecker with the
+ * given TrustAnchor and AlgorithmConstraints.
+ *
+ * @param anchor the trust anchor selected to validate the target
+ * certificate
+ * @param constraints the algorithm constraints (or null)
+ *
+ * @throws IllegalArgumentException if the anchor is null
*/
+ public AlgorithmChecker(TrustAnchor anchor,
+ AlgorithmConstraints constraints) {
+
+ if (anchor == null) {
+ throw new IllegalArgumentException(
+ "The trust anchor cannot be null");
+ }
+
+ if (anchor.getTrustedCert() != null) {
+ this.trustedPubKey = anchor.getTrustedCert().getPublicKey();
+ } else {
+ this.trustedPubKey = anchor.getCAPublicKey();
+ }
+
+ this.prevPubKey = trustedPubKey;
+ this.constraints = constraints;
+ }
+
+ @Override
public void init(boolean forward) throws CertPathValidatorException {
- // do nothing
+ // Note that this class does not support forward mode.
+ if (!forward) {
+ if (trustedPubKey != null) {
+ prevPubKey = trustedPubKey;
+ } else {
+ prevPubKey = null;
+ }
+ } else {
+ throw new
+ CertPathValidatorException("forward checking not supported");
+ }
}
+ @Override
public boolean isForwardCheckingSupported() {
+ // Note that as this class does not support forward mode, the method
+ // will always returns false.
return false;
}
+ @Override
public Set
+ * HandshakeHash hh = new HandshakeHash(...)
+ * hh.update(clientHelloBytes);
+ * hh.setFinishedAlg("SHA-256");
+ * hh.update(serverHelloBytes);
+ * ...
+ * hh.setCertificateVerifyAlg("SHA-384");
+ * hh.update(CertificateVerifyBytes);
+ * byte[] cvDigest = hh.getCertificateVerifyHash();
+ * ...
+ * hh.update(finished1);
+ * byte[] finDigest1 = hh.getFinishedHash();
+ * hh.update(finished2);
+ * byte[] finDigest2 = hh.getFinishedHash();
+ *
+ * If no CertificateVerify message is to be used, call
+ *
+ * hh.setCertificateVerifyAlg(null);
+ *
+ * This call can be made once you are certain that this message
+ * will never be used.
*/
final class HandshakeHash {
- private final MessageDigest md5, sha;
+ // Common
+
+ // -1: unknown
+ // 1: <=TLS 1.1
+ // 2: TLS 1.2
+ private int version = -1;
+ private ByteArrayOutputStream data = new ByteArrayOutputStream();
+ private final boolean isServer;
+
+ // For TLS 1.1
+ private MessageDigest md5, sha;
+ private final int clonesNeeded; // needs to be saved for later use
+
+ // For TLS 1.2
+ // cvAlgDetermined == true means setCertificateVerifyAlg() is called
+ private boolean cvAlgDetermined = false;
+ private String cvAlg;
+ private MessageDigest finMD;
/**
* Create a new HandshakeHash. needCertificateVerify indicates whether
- * a hash for the certificate verify message is required.
+ * a hash for the certificate verify message is required. The argument
+ * algs is a set of all possible hash algorithms that might be used in
+ * TLS 1.2. If the caller is sure that TLS 1.2 won't be used or no
+ * CertificateVerify message will be used, leave it null or empty.
*/
- HandshakeHash(boolean needCertificateVerify) {
- int n = needCertificateVerify ? 3 : 2;
- try {
- md5 = CloneableDigest.getDigest("MD5", n);
- sha = CloneableDigest.getDigest("SHA", n);
- } catch (NoSuchAlgorithmException e) {
- throw new RuntimeException
- ("Algorithm MD5 or SHA not available", e);
-
- }
- }
-
- void update(byte b) {
- md5.update(b);
- sha.update(b);
+ HandshakeHash(boolean isServer, boolean needCertificateVerify,
+ SetprotocolVersion and the highest version of this
+ * protocol list, or null if no protocol version is available.
+ *
+ * The method is used by TLS server to negotiated the protocol
+ * version between client suggested protocol version in the
+ * client hello and protocol versions supported by the server.
+ */
+ ProtocolVersion selectProtocolVersion(ProtocolVersion protocolVersion) {
+ ProtocolVersion selectedVersion = null;
+ for (ProtocolVersion pv : protocols) {
+ if (pv.v > protocolVersion.v) {
+ break; // Safe to break here as this.protocols is sorted
+ }
+ selectedVersion = pv;
+ }
+
+ return selectedVersion;
+ }
+
/**
* Return an array with the names of the ProtocolVersions in this list.
*/
@@ -106,11 +156,18 @@ final class ProtocolList {
}
/**
- * Return the list of default enabled protocols. Currently, this
- * is identical to the supported protocols.
+ * Return the list of default enabled protocols.
*/
- static ProtocolList getDefault() {
- return SUPPORTED;
+ static ProtocolList getDefault(boolean isServer) {
+ return isServer ? SERVER_DEFAULT : CLIENT_DEFAULT;
+ }
+
+ /**
+ * Return whether a protocol list is the original default enabled
+ * protocols. See: SSLSocket/SSLEngine.setEnabledProtocols()
+ */
+ static boolean isDefaultProtocolList(ProtocolList protocols) {
+ return protocols == CLIENT_DEFAULT || protocols == SERVER_DEFAULT;
}
/**
@@ -123,6 +180,13 @@ final class ProtocolList {
static {
if (SunJSSE.isFIPS()) {
SUPPORTED = new ProtocolList(new String[] {
+ ProtocolVersion.TLS10.name,
+ ProtocolVersion.TLS11.name,
+ ProtocolVersion.TLS12.name
+ });
+
+ SERVER_DEFAULT = SUPPORTED;
+ CLIENT_DEFAULT = new ProtocolList(new String[] {
ProtocolVersion.TLS10.name
});
} else {
@@ -130,6 +194,24 @@ final class ProtocolList {
ProtocolVersion.SSL20Hello.name,
ProtocolVersion.SSL30.name,
ProtocolVersion.TLS10.name,
+ ProtocolVersion.TLS11.name,
+ ProtocolVersion.TLS12.name
+ });
+
+ SERVER_DEFAULT = SUPPORTED;
+
+ /*
+ * RFC 5246 says that sending SSLv2 backward-compatible
+ * hello SHOULD NOT be done any longer.
+ *
+ * We are not enabling TLS 1.1/1.2 by default yet on clients
+ * out of concern for interop with existing
+ * SSLv3/TLS1.0-only servers. When these versions of TLS
+ * gain more traction, we'll enable them.
+ */
+ CLIENT_DEFAULT = new ProtocolList(new String[] {
+ ProtocolVersion.SSL30.name,
+ ProtocolVersion.TLS10.name
});
}
}
diff --git a/src/share/classes/sun/security/ssl/ProtocolVersion.java b/src/share/classes/sun/security/ssl/ProtocolVersion.java
index 8cda729a97a9f00ff5e0346eb9287adfc40351fc..77c102a62901b166161e0420751ed026658d4871 100644
--- a/src/share/classes/sun/security/ssl/ProtocolVersion.java
+++ b/src/share/classes/sun/security/ssl/ProtocolVersion.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2002, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -45,9 +45,15 @@ package sun.security.ssl;
* @author Andreas Sterbenz
* @since 1.4.1
*/
-public final class ProtocolVersion {
+public final class ProtocolVersion implements ComparableSSLEngine.
@@ -1394,6 +1534,15 @@ final public class SSLEngineImpl extends SSLEngine {
return sess;
}
+ @Override
+ synchronized public SSLSession getHandshakeSession() {
+ return handshakeSession;
+ }
+
+ synchronized void setHandshakeSession(SSLSessionImpl session) {
+ handshakeSession = session;
+ }
+
/**
* Returns a delegated Runnable task for
* this SSLEngine.
@@ -1495,6 +1644,9 @@ final public class SSLEngineImpl extends SSLEngine {
inboundDone = true;
sess.invalidate();
+ if (handshakeSession != null) {
+ handshakeSession.invalidate();
+ }
/*
* If we haven't even started handshaking yet, no need
@@ -1594,10 +1746,18 @@ final public class SSLEngineImpl extends SSLEngine {
* Emit alerts. Caller must have synchronized with "this".
*/
private void sendAlert(byte level, byte description) {
+ // the connectionState cannot be cs_START
if (connectionState >= cs_CLOSED) {
return;
}
+ // For initial handshaking, don't send alert message to peer if
+ // handshaker has not started.
+ if (connectionState == cs_HANDSHAKE &&
+ (handshaker == null || !handshaker.started())) {
+ return;
+ }
+
EngineOutputRecord r = new EngineOutputRecord(Record.ct_alert, this);
r.setVersion(protocolVersion);
@@ -1647,7 +1807,7 @@ final public class SSLEngineImpl extends SSLEngine {
synchronized public void setEnableSessionCreation(boolean flag) {
enableSessionCreation = flag;
- if ((handshaker != null) && !handshaker.started()) {
+ if ((handshaker != null) && !handshaker.activated()) {
handshaker.setEnableSessionCreation(enableSessionCreation);
}
}
@@ -1675,7 +1835,7 @@ final public class SSLEngineImpl extends SSLEngine {
if ((handshaker != null) &&
(handshaker instanceof ServerHandshaker) &&
- !handshaker.started()) {
+ !handshaker.activated()) {
((ServerHandshaker) handshaker).setClientAuth(doClientAuth);
}
}
@@ -1698,7 +1858,7 @@ final public class SSLEngineImpl extends SSLEngine {
if ((handshaker != null) &&
(handshaker instanceof ServerHandshaker) &&
- !handshaker.started()) {
+ !handshaker.activated()) {
((ServerHandshaker) handshaker).setClientAuth(doClientAuth);
}
}
@@ -1717,6 +1877,16 @@ final public class SSLEngineImpl extends SSLEngine {
switch (connectionState) {
case cs_START:
+ /*
+ * If we need to change the engine mode and the enabled
+ * protocols haven't specifically been set by the user,
+ * change them to the corresponding default ones.
+ */
+ if (roleIsServer != (!flag) &&
+ ProtocolList.isDefaultProtocolList(enabledProtocols)) {
+ enabledProtocols = ProtocolList.getDefault(!flag);
+ }
+
roleIsServer = !flag;
serverModeSet = true;
break;
@@ -1730,7 +1900,17 @@ final public class SSLEngineImpl extends SSLEngine {
* have the streams.
*/
assert(handshaker != null);
- if (!handshaker.started()) {
+ if (!handshaker.activated()) {
+ /*
+ * If we need to change the engine mode and the enabled
+ * protocols haven't specifically been set by the user,
+ * change them to the corresponding default ones.
+ */
+ if (roleIsServer != (!flag) &&
+ ProtocolList.isDefaultProtocolList(enabledProtocols)) {
+ enabledProtocols = ProtocolList.getDefault(!flag);
+ }
+
roleIsServer = !flag;
connectionState = cs_START;
initHandshaker();
@@ -1786,8 +1966,8 @@ final public class SSLEngineImpl extends SSLEngine {
*/
synchronized public void setEnabledCipherSuites(String[] suites) {
enabledCipherSuites = new CipherSuiteList(suites);
- if ((handshaker != null) && !handshaker.started()) {
- handshaker.enabledCipherSuites = enabledCipherSuites;
+ if ((handshaker != null) && !handshaker.activated()) {
+ handshaker.setEnabledCipherSuites(enabledCipherSuites);
}
}
@@ -1809,7 +1989,7 @@ final public class SSLEngineImpl extends SSLEngine {
/**
* Returns the protocols that are supported by this implementation.
* A subset of the supported protocols may be enabled for this connection
- * @ returns an array of protocol names.
+ * @return an array of protocol names.
*/
public String[] getSupportedProtocols() {
return ProtocolList.getSupported().toStringArray();
@@ -1826,7 +2006,7 @@ final public class SSLEngineImpl extends SSLEngine {
*/
synchronized public void setEnabledProtocols(String[] protocols) {
enabledProtocols = new ProtocolList(protocols);
- if ((handshaker != null) && !handshaker.started()) {
+ if ((handshaker != null) && !handshaker.activated()) {
handshaker.setEnabledProtocols(enabledProtocols);
}
}
@@ -1836,28 +2016,31 @@ final public class SSLEngineImpl extends SSLEngine {
}
/**
- * Try to configure the endpoint identification algorithm of the engine.
- *
- * @param identificationAlgorithm the algorithm used to check the
- * endpoint identity.
- * @return true if the identification algorithm configuration success.
+ * Returns the SSLParameters in effect for this SSLEngine.
*/
- synchronized public boolean trySetHostnameVerification(
- String identificationAlgorithm) {
- if (sslContext.getX509TrustManager() instanceof
- X509ExtendedTrustManager) {
- this.identificationAlg = identificationAlgorithm;
- return true;
- } else {
- return false;
- }
+ synchronized public SSLParameters getSSLParameters() {
+ SSLParameters params = super.getSSLParameters();
+
+ // the super implementation does not handle the following parameters
+ params.setEndpointIdentificationAlgorithm(identificationProtocol);
+ params.setAlgorithmConstraints(algorithmConstraints);
+
+ return params;
}
/**
- * Returns the endpoint identification algorithm of the engine.
+ * Applies SSLParameters to this engine.
*/
- synchronized public String getHostnameVerification() {
- return identificationAlg;
+ synchronized public void setSSLParameters(SSLParameters params) {
+ super.setSSLParameters(params);
+
+ // the super implementation does not handle the following parameters
+ identificationProtocol = params.getEndpointIdentificationAlgorithm();
+ algorithmConstraints = params.getAlgorithmConstraints();
+ if ((handshaker != null) && !handshaker.started()) {
+ handshaker.setIdentificationProtocol(identificationProtocol);
+ handshaker.setAlgorithmConstraints(algorithmConstraints);
+ }
}
/**
diff --git a/src/share/classes/sun/security/ssl/SSLServerSocketImpl.java b/src/share/classes/sun/security/ssl/SSLServerSocketImpl.java
index 914406b2e4281d1672c8ca8a663801b8e74b4297..0ea3cfa9fbad805ca31047132bbc12405ddc32bb 100644
--- a/src/share/classes/sun/security/ssl/SSLServerSocketImpl.java
+++ b/src/share/classes/sun/security/ssl/SSLServerSocketImpl.java
@@ -31,11 +31,14 @@ import java.net.InetAddress;
import java.net.Socket;
import java.net.ServerSocket;
+import java.security.AlgorithmConstraints;
+
import java.util.*;
import javax.net.ServerSocketFactory;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLParameters;
/**
@@ -83,6 +86,12 @@ class SSLServerSocketImpl extends SSLServerSocket
/* could enabledCipherSuites ever complete handshaking? */
private boolean checkedEnabled = false;
+ // the endpoint identification protocol to use by default
+ private String identificationProtocol = null;
+
+ // The cryptographic algorithm constraints
+ private AlgorithmConstraints algorithmConstraints = null;
+
/**
* Create an SSL server socket on a port, using a non-default
* authentication context and a specified connection backlog.
@@ -145,7 +154,7 @@ class SSLServerSocketImpl extends SSLServerSocket
}
sslContext = context;
enabledCipherSuites = CipherSuiteList.getDefault();
- enabledProtocols = ProtocolList.getDefault();
+ enabledProtocols = ProtocolList.getDefault(true);
}
/**
@@ -238,6 +247,16 @@ class SSLServerSocketImpl extends SSLServerSocket
* rejoining the already-negotiated SSL connection.
*/
public void setUseClientMode(boolean flag) {
+ /*
+ * If we need to change the socket mode and the enabled
+ * protocols haven't specifically been set by the user,
+ * change them to the corresponding default ones.
+ */
+ if (useServerMode != (!flag) &&
+ ProtocolList.isDefaultProtocolList(enabledProtocols)) {
+ enabledProtocols = ProtocolList.getDefault(!flag);
+ }
+
useServerMode = !flag;
}
@@ -262,6 +281,29 @@ class SSLServerSocketImpl extends SSLServerSocket
return enableSessionCreation;
}
+ /**
+ * Returns the SSLParameters in effect for newly accepted connections.
+ */
+ synchronized public SSLParameters getSSLParameters() {
+ SSLParameters params = super.getSSLParameters();
+
+ // the super implementation does not handle the following parameters
+ params.setEndpointIdentificationAlgorithm(identificationProtocol);
+ params.setAlgorithmConstraints(algorithmConstraints);
+
+ return params;
+ }
+
+ /**
+ * Applies SSLParameters to newly accepted connections.
+ */
+ synchronized public void setSSLParameters(SSLParameters params) {
+ super.setSSLParameters(params);
+
+ // the super implementation does not handle the following parameters
+ identificationProtocol = params.getEndpointIdentificationAlgorithm();
+ algorithmConstraints = params.getAlgorithmConstraints();
+ }
/**
* Accept a new SSL connection. This server identifies itself with
@@ -269,67 +311,15 @@ class SSLServerSocketImpl extends SSLServerSocket
* presented during construction.
*/
public Socket accept() throws IOException {
- checkEnabledSuites();
-
SSLSocketImpl s = new SSLSocketImpl(sslContext, useServerMode,
enabledCipherSuites, doClientAuth, enableSessionCreation,
- enabledProtocols);
+ enabledProtocols, identificationProtocol, algorithmConstraints);
implAccept(s);
s.doneConnect();
return s;
}
-
- /*
- * This is a sometimes helpful diagnostic check that is performed
- * once for each ServerSocket to verify that the initial set of
- * enabled suites are capable of supporting a successful handshake.
- */
- private void checkEnabledSuites() throws IOException {
- //
- // We want to report an error if no cipher suites were actually
- // enabled, since this is an error users are known to make. Then
- // they get vastly confused by having clients report an error!
- //
- synchronized (this) {
- if (checkedEnabled) {
- return;
- }
- if (useServerMode == false) {
- return;
- }
-
- SSLSocketImpl tmp = new SSLSocketImpl(sslContext, useServerMode,
- enabledCipherSuites, doClientAuth,
- enableSessionCreation, enabledProtocols);
-
- try {
- ServerHandshaker handshaker = tmp.getServerHandshaker();
-
- for (Iterator