diff --git a/jdk/src/share/classes/com/sun/net/ssl/internal/www/protocol/https/DelegateHttpsURLConnection.java b/jdk/src/share/classes/com/sun/net/ssl/internal/www/protocol/https/DelegateHttpsURLConnection.java index 7192405745f..e0512a33b87 100644 --- a/jdk/src/share/classes/com/sun/net/ssl/internal/www/protocol/https/DelegateHttpsURLConnection.java +++ b/jdk/src/share/classes/com/sun/net/ssl/internal/www/protocol/https/DelegateHttpsURLConnection.java @@ -1,5 +1,5 @@ /* - * Copyright 2001-2005 Sun Microsystems, Inc. All Rights Reserved. + * Copyright 2001-2009 Sun Microsystems, Inc. All Rights Reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -116,7 +116,10 @@ class VerifierWrapper implements javax.net.ssl.HostnameVerifier { try { String serverName; Principal principal = getPeerPrincipal(session); - if (principal instanceof KerberosPrincipal) { + // X.500 principal or Kerberos principal. + // (Use ciphersuite check to determine whether Kerberos is present.) + if (session.getCipherSuite().startsWith("TLS_KRB5") && + principal instanceof KerberosPrincipal) { serverName = HostnameChecker.getServerName((KerberosPrincipal)principal); } else { diff --git a/jdk/src/share/classes/sun/net/www/protocol/https/HttpsClient.java b/jdk/src/share/classes/sun/net/www/protocol/https/HttpsClient.java index d21425680c8..8bbcb4de312 100644 --- a/jdk/src/share/classes/sun/net/www/protocol/https/HttpsClient.java +++ b/jdk/src/share/classes/sun/net/www/protocol/https/HttpsClient.java @@ -1,5 +1,5 @@ /* - * Copyright 2001-2008 Sun Microsystems, Inc. All Rights Reserved. + * Copyright 2001-2009 Sun Microsystems, Inc. All Rights Reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -461,12 +461,16 @@ final class HttpsClient extends HttpClient } Certificate[] peerCerts = null; + String cipher = session.getCipherSuite(); try { HostnameChecker checker = HostnameChecker.getInstance( HostnameChecker.TYPE_TLS); Principal principal = getPeerPrincipal(); - if (principal instanceof KerberosPrincipal) { + // X.500 principal or Kerberos principal. + // (Use ciphersuite check to determine whether Kerberos is present.) + if (cipher.startsWith("TLS_KRB5") && + principal instanceof KerberosPrincipal) { if (!checker.match(host, (KerberosPrincipal)principal)) { throw new SSLPeerUnverifiedException("Hostname checker" + " failed for Kerberos"); @@ -499,7 +503,6 @@ final class HttpsClient extends HttpClient // ignore } - String cipher = session.getCipherSuite(); if ((cipher != null) && (cipher.indexOf("_anon_") != -1)) { return; } else if ((hostnameVerifier != null) && diff --git a/jdk/src/share/classes/sun/security/ssl/CipherSuite.java b/jdk/src/share/classes/sun/security/ssl/CipherSuite.java index bb1ffa0909d..6ca15478f8e 100644 --- a/jdk/src/share/classes/sun/security/ssl/CipherSuite.java +++ b/jdk/src/share/classes/sun/security/ssl/CipherSuite.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2008 Sun Microsystems, Inc. All Rights Reserved. + * Copyright 2002-2009 Sun Microsystems, Inc. All Rights Reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -74,7 +74,7 @@ final class CipherSuite implements Comparable { // Flag indicating if CipherSuite availability can change dynamically. // This is the case when we rely on a JCE cipher implementation that // may not be available in the installed JCE providers. - // It is true because we do not have a Java ECC implementation. + // It is true because we might not have an ECC or Kerberos implementation. final static boolean DYNAMIC_AVAILABILITY = true; private final static boolean ALLOW_ECC = Debug.getBooleanProperty @@ -278,14 +278,22 @@ final class CipherSuite implements Comparable { KeyExchange(String name, boolean allowed) { this.name = name; this.allowed = allowed; - this.alwaysAvailable = allowed && (name.startsWith("EC") == false); + this.alwaysAvailable = allowed && + (!name.startsWith("EC")) && (!name.startsWith("KRB")); } boolean isAvailable() { if (alwaysAvailable) { return true; } - return allowed && JsseJce.isEcAvailable(); + + if (name.startsWith("EC")) { + return (allowed && JsseJce.isEcAvailable()); + } else if (name.startsWith("KRB")) { + return (allowed && JsseJce.isKerberosAvailable()); + } else { + return allowed; + } } public String toString() { diff --git a/jdk/src/share/classes/sun/security/ssl/JsseJce.java b/jdk/src/share/classes/sun/security/ssl/JsseJce.java index 017efd03ac2..779214308d3 100644 --- a/jdk/src/share/classes/sun/security/ssl/JsseJce.java +++ b/jdk/src/share/classes/sun/security/ssl/JsseJce.java @@ -1,5 +1,5 @@ /* - * Copyright 2001-2008 Sun Microsystems, Inc. All Rights Reserved. + * Copyright 2001-2009 Sun Microsystems, Inc. All Rights Reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -64,6 +64,29 @@ final class JsseJce { // If yes, then all the EC based crypto we need is available. private static volatile Boolean ecAvailable; + // Flag indicating whether Kerberos crypto is available. + // If true, then all the Kerberos-based crypto we need is available. + private final static boolean kerberosAvailable; + static { + boolean temp; + try { + AccessController.doPrivileged( + new PrivilegedExceptionAction() { + public Void run() throws Exception { + // Test for Kerberos using the bootstrap class loader + Class.forName("sun.security.krb5.PrincipalName", true, + null); + return null; + } + }); + temp = true; + + } catch (Exception e) { + temp = false; + } + kerberosAvailable = temp; + } + static { // force FIPS flag initialization // Because isFIPS() is synchronized and cryptoProvider is not modified @@ -187,6 +210,10 @@ final class JsseJce { ecAvailable = null; } + static boolean isKerberosAvailable() { + return kerberosAvailable; + } + /** * Return an JCE cipher implementation for the specified algorithm. */