stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge

Browse Source
This commit is contained in:
David Holmes 2011-03-16 05:29:27 -04:00
commit 4293c9d423
6 changed files with 121 additions and 36 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
jdk/src/share/classes/java/lang/ClassLoader.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1994, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1994, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -1626,20 +1626,28 @@ public abstract class ClassLoader {
* @since 1.2
*/
protected Package getPackage(String name) {
Package pkg;
synchronized (packages) {
Package pkg = packages.get(name);
if (pkg == null) {
if (parent != null) {
pkg = parent.getPackage(name);
} else {
pkg = Package.getSystemPackage(name);
}
if (pkg != null) {
packages.put(name, pkg);
pkg = packages.get(name);
}
if (pkg == null) {
if (parent != null) {
pkg = parent.getPackage(name);
} else {
pkg = Package.getSystemPackage(name);
}
if (pkg != null) {
synchronized (packages) {
Package pkg2 = packages.get(name);
if (pkg2 == null) {
packages.put(name, pkg);
} else {
pkg = pkg2;
}
}
}
return pkg;
}
return pkg;
}
/**

45
jdk/src/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java
View File

@ -46,10 +46,16 @@ import sun.security.x509.AuthorityKeyIdentifierExtension;
*/
class AdaptableX509CertSelector extends X509CertSelector {
// The start date of a validity period.
private Date startDate = null;
private Date startDate;
// The end date of a validity period.
private Date endDate = null;
private Date endDate;
// Is subject key identifier sensitive?
private boolean isSKIDSensitive = false;
// Is serial number sensitive?
private boolean isSNSensitive = false;
AdaptableX509CertSelector() {
super();
@ -97,15 +103,24 @@ class AdaptableX509CertSelector extends X509CertSelector {
if (akidext != null) {
KeyIdentifier akid = (KeyIdentifier)akidext.get(akidext.KEY_ID);
if (akid != null) {
DerOutputStream derout = new DerOutputStream();
derout.putOctetString(akid.getIdentifier());
super.setSubjectKeyIdentifier(derout.toByteArray());
// Do not override the previous setting
if (getSubjectKeyIdentifier() == null) {
DerOutputStream derout = new DerOutputStream();
derout.putOctetString(akid.getIdentifier());
super.setSubjectKeyIdentifier(derout.toByteArray());
isSKIDSensitive = true;
}
}
SerialNumber asn =
(SerialNumber)akidext.get(akidext.SERIAL_NUMBER);
if (asn != null) {
super.setSerialNumber(asn.getNumber());
// Do not override the previous setting
if (getSerialNumber() == null) {
super.setSerialNumber(asn.getNumber());
isSNSensitive = true;
}
}
// the subject criterion should be set by the caller.
@ -148,11 +163,25 @@ class AdaptableX509CertSelector extends X509CertSelector {
}
}
if (version < 3 || xcert.getExtensionValue("2.5.29.14") == null) {
// If no SubjectKeyIdentifier extension, don't bother to check it.
// If no SubjectKeyIdentifier extension, don't bother to check it.
if (isSKIDSensitive &&
(version < 3 || xcert.getExtensionValue("2.5.29.14") == null)) {
setSubjectKeyIdentifier(null);
}
// In practice, a CA may replace its root certificate and require that
// the existing certificate is still valid, even if the AKID extension
// does not match the replacement root certificate fields.
//
// Conservatively, we only support the replacement for version 1 and
// version 2 certificate. As for version 2, the certificate extension
// may contain sensitive information (for example, policies), the
// AKID need to be respected to seek the exact certificate in case
// of key or certificate abuse.
if (isSNSensitive && version < 3) {
setSerialNumber(null);
}
return super.match(cert);
}

26
jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
View File

@ -243,12 +243,6 @@ class ForwardBuilder extends Builder {
caTargetSelector.setPolicy(getMatchingPolicies());
}
/*
* Require CA certs with a pathLenConstraint that allows
* at least as many CA certs that have already been traversed
*/
caTargetSelector.setBasicConstraints(currentState.traversedCACerts);
sel = caTargetSelector;
} else {
@ -282,12 +276,6 @@ class ForwardBuilder extends Builder {
CertPathHelper.setPathToNames
(caSelector, currentState.subjectNamesTraversed);
/*
* Require CA certs with a pathLenConstraint that allows
* at least as many CA certs that have already been traversed
*/
caSelector.setBasicConstraints(currentState.traversedCACerts);
/*
* Facilitate certification path construction with authority
* key identifier and subject key identifier.
@ -305,6 +293,14 @@ class ForwardBuilder extends Builder {
sel = caSelector;
}
/*
* For compatibility, conservatively, we don't check the path
* length constraint of trusted anchors. Please don't set the
* basic constraints criterion unless the trusted certificate
* matching is completed.
*/
sel.setBasicConstraints(-1);
for (X509Certificate trustedCert : trustedCerts) {
if (sel.match(trustedCert)) {
if (debug != null) {
@ -323,6 +319,12 @@ class ForwardBuilder extends Builder {
*/
sel.setCertificateValid(date);
/*
* Require CA certs with a pathLenConstraint that allows
* at least as many CA certs that have already been traversed
*/
sel.setBasicConstraints(currentState.traversedCACerts);
/*
* If we have already traversed as many CA certs as the maxPathLength
* will allow us to, then we don't bother looking through these

5
jdk/src/share/classes/sun/security/ssl/ClientHandshaker.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -378,7 +378,8 @@ final class ClientHandshaker extends Handshaker {
if (!isNegotiable(mesgVersion)) {
throw new SSLHandshakeException(
"Server chose " + mesgVersion +
", but client does not support or disables " + mesgVersion);
", but that protocol version is not enabled or not supported " +
"by the client.");
}
handshakeHash.protocolDetermined(mesgVersion);

4
jdk/src/share/classes/sun/security/ssl/SunJSSE.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -195,6 +195,8 @@ public abstract class SunJSSE extends java.security.Provider {
"sun.security.ssl.KeyManagerFactoryImpl$SunX509");
put("KeyManagerFactory.NewSunX509",
"sun.security.ssl.KeyManagerFactoryImpl$X509");
put("Alg.Alias.KeyManagerFactory.PKIX", "NewSunX509");
put("TrustManagerFactory.SunX509",
"sun.security.ssl.TrustManagerFactoryImpl$SimpleFactory");
put("TrustManagerFactory.PKIX",

47
jdk/test/sun/security/ssl/javax/net/ssl/GetInstance.java
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -23,8 +23,9 @@
/*
* @test
* @bug 4898428
* @bug 4898428 7022855
* @summary verify getInstance() works using Provider.getService()
* Export "PKIX" as the standard algorithm name of KeyManagerFactory
* @author Andreas Sterbenz
*/
@ -61,6 +62,20 @@ public class GetInstance {
kmf = KeyManagerFactory.getInstance("SunX509", p);
same(p, kmf.getProvider());
kmf = KeyManagerFactory.getInstance("NewSunX509");
same(p, kmf.getProvider());
kmf = KeyManagerFactory.getInstance("NewSunX509", "SunJSSE");
same(p, kmf.getProvider());
kmf = KeyManagerFactory.getInstance("NewSunX509", p);
same(p, kmf.getProvider());
kmf = KeyManagerFactory.getInstance("PKIX");
same(p, kmf.getProvider());
kmf = KeyManagerFactory.getInstance("PKIX", "SunJSSE");
same(p, kmf.getProvider());
kmf = KeyManagerFactory.getInstance("PKIX", p);
same(p, kmf.getProvider());
TrustManagerFactory tmf;
tmf = TrustManagerFactory.getInstance("SunX509");
same(p, tmf.getProvider());
@ -69,6 +84,34 @@ public class GetInstance {
tmf = TrustManagerFactory.getInstance("SunX509", p);
same(p, tmf.getProvider());
tmf = TrustManagerFactory.getInstance("PKIX");
same(p, tmf.getProvider());
tmf = TrustManagerFactory.getInstance("PKIX", "SunJSSE");
same(p, tmf.getProvider());
tmf = TrustManagerFactory.getInstance("PKIX", p);
same(p, tmf.getProvider());
tmf = TrustManagerFactory.getInstance("SunPKIX");
same(p, tmf.getProvider());
tmf = TrustManagerFactory.getInstance("SunPKIX", "SunJSSE");
same(p, tmf.getProvider());
tmf = TrustManagerFactory.getInstance("SunPKIX", p);
same(p, tmf.getProvider());
tmf = TrustManagerFactory.getInstance("X509");
same(p, tmf.getProvider());
tmf = TrustManagerFactory.getInstance("X509", "SunJSSE");
same(p, tmf.getProvider());
tmf = TrustManagerFactory.getInstance("X509", p);
same(p, tmf.getProvider());
tmf = TrustManagerFactory.getInstance("X.509");
same(p, tmf.getProvider());
tmf = TrustManagerFactory.getInstance("X.509", "SunJSSE");
same(p, tmf.getProvider());
tmf = TrustManagerFactory.getInstance("X.509", p);
same(p, tmf.getProvider());
testComSun();
long stop = System.currentTimeMillis();