From c9f0c7a252271af75df9b75d1d8623678f649a2f Mon Sep 17 00:00:00 2001
From: Valerie Peng
Date: Tue, 15 Mar 2011 18:42:35 -0700
Subject: [PATCH 1/3] 7001933: Deadlock in java.lang.classloader.getPackage()
Modified to not holding the "packages" lock when calling parent CL.
Reviewed-by: dholmes, alanb
---
 .../share/classes/java/lang/ClassLoader.java | 30 ++++++++++++-------
 1 file changed, 19 insertions(+), 11 deletions(-)
diff --git a/jdk/src/share/classes/java/lang/ClassLoader.java b/jdk/src/share/classes/java/lang/ClassLoader.java
index 37d7a30b583..2c0c7908566 100644
--- a/jdk/src/share/classes/java/lang/ClassLoader.java
+++ b/jdk/src/share/classes/java/lang/ClassLoader.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1994, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1994, 2011, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -1626,20 +1626,28 @@ public abstract class ClassLoader {
 * @since 1.2
 */
 protected Package getPackage(String name) {
+ Package pkg;
 synchronized (packages) {
- Package pkg = packages.get(name);
- if (pkg == null) {
- if (parent != null) {
- pkg = parent.getPackage(name);
- } else {
- pkg = Package.getSystemPackage(name);
- }
- if (pkg != null) {
- packages.put(name, pkg);
+ pkg = packages.get(name);
+ }
+ if (pkg == null) {
+ if (parent != null) {
+ pkg = parent.getPackage(name);
+ } else {
+ pkg = Package.getSystemPackage(name);
+ }
+ if (pkg != null) {
+ synchronized (packages) {
+ Package pkg2 = packages.get(name);
+ if (pkg2 == null) {
+ packages.put(name, pkg);
+ } else {
+ pkg = pkg2;
+ }
 }
 }
- return pkg;
 }
+ return pkg;
 }
 /**
From 85935bc056a894a1d81e28e6fcad8d474e16e498 Mon Sep 17 00:00:00 2001
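Review bot: The two-phase locking in getPackage — read under `packages`, delegate to the parent with the lock released, then re-check and insert under the lock again — carries no comment, so the next reader has nothing telling them the split is deliberate and may fold it back into one critical section, reintroducing the deadlock this patch fixes (the deadlock itself is known only from the commit message, not from these lines). Suggest above `if (pkg == null) {`: `// Consult the parent (or the system packages) without holding this loader's lock; holding it across parent.getPackage() is what deadlocked (7001933).`, and above `Package pkg2 = packages.get(name);`: `// Re-check under the lock: another thread may have cached the package while the lock was released; the entry already in the map wins so every caller sees one instance.` That last claim is what the `pkg = pkg2` branch implements.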
From: Xue-Lei Andrew Fan
Date: Tue, 15 Mar 2011 23:08:40 -0700
Subject: [PATCH 2/3] 7025073: Stricter check on trust anchor makes VerifyCACerts.java test fail
Loosen the check for version 1 and 2 X.509 certificate
Reviewed-by: mullan, weijun
---
 .../certpath/AdaptableX509CertSelector.java | 45 +++++++++++++++----
 .../provider/certpath/ForwardBuilder.java | 26 ++++++-----
 2 files changed, 51 insertions(+), 20 deletions(-)
diff --git a/jdk/src/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java b/jdk/src/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java
index 1b14bf8fa66..1acb029a18d 100644
--- a/jdk/src/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java
+++ b/jdk/src/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java
@@ -46,10 +46,16 @@ import sun.security.x509.AuthorityKeyIdentifierExtension;
 */
 class AdaptableX509CertSelector extends X509CertSelector {
 // The start date of a validity period.
- private Date startDate = null;
+ private Date startDate;
 // The end date of a validity period.
- private Date endDate = null;
+ private Date endDate;
+
+ // Is subject key identifier sensitive?
+ private boolean isSKIDSensitive = false;
+
+ // Is serial number sensitive?
+ private boolean isSNSensitive = false;
 AdaptableX509CertSelector() {
 super();
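Review bot: The new boolean fields are declared with an explicit `= false` while the same hunk removes the redundant `= null` initializers from `startDate` and `endDate`; the two halves of the hunk pull in opposite directions, so drop the initializers for consistency: `private boolean isSKIDSensitive;` and `private boolean isSNSensitive;`. The comments "Is subject key identifier sensitive?" also do not say what sensitive means; judging from the next hunk, which sets the flag only when the criterion was derived from the next certificate's AKID extension and later clears that criterion in match() for version 1/2 certificates, a comment such as `// true when the SKID criterion was derived from an AKID extension rather than set by the caller; only a derived criterion may be relaxed in match()` (and the analogous one for the serial number) would tell the reader why the flags exist.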
@@ -97,15 +103,24 @@ class AdaptableX509CertSelector extends X509CertSelector {
 if (akidext != null) {
 KeyIdentifier akid = (KeyIdentifier)akidext.get(akidext.KEY_ID);
 if (akid != null) {
- DerOutputStream derout = new DerOutputStream();
- derout.putOctetString(akid.getIdentifier());
- super.setSubjectKeyIdentifier(derout.toByteArray());
+ // Do not override the previous setting
+ if (getSubjectKeyIdentifier() == null) {
+ DerOutputStream derout = new DerOutputStream();
+ derout.putOctetString(akid.getIdentifier());
+ super.setSubjectKeyIdentifier(derout.toByteArray());
+
+ isSKIDSensitive = true;
+ }
 }
 SerialNumber asn = (SerialNumber)akidext.get(akidext.SERIAL_NUMBER);
 if (asn != null) {
- super.setSerialNumber(asn.getNumber());
+ // Do not override the previous setting
+ if (getSerialNumber() == null) {
+ super.setSerialNumber(asn.getNumber());
+ isSNSensitive = true;
+ }
 }
 // the subject criterion should be set by the caller.
@@ -148,11 +163,25 @@ class AdaptableX509CertSelector extends X509CertSelector {
 }
 }
- if (version < 3 || xcert.getExtensionValue("2.5.29.14") == null) {
- // If no SubjectKeyIdentifier extension, don't bother to check it.
+ // If no SubjectKeyIdentifier extension, don't bother to check it.
+ if (isSKIDSensitive &&
+ (version < 3 || xcert.getExtensionValue("2.5.29.14") == null)) {
 setSubjectKeyIdentifier(null);
 }
+ // In practice, a CA may replace its root certificate and require that
+ // the existing certificate is still valid, even if the AKID extension
+ // does not match the replacement root certificate fields.
+ //
+ // Conservatively, we only support the replacement for version 1 and
+ // version 2 certificate. As for version 2, the certificate extension
+ // may contain sensitive information (for example, policies), the
+ // AKID need to be respected to seek the exact certificate in case
+ // of key or certificate abuse.
+ if (isSNSensitive && version < 3) {
+ setSerialNumber(null);
+ }
+
 return super.match(cert);
 }
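Review bot: `setSerialNumber(null)` in the second hunk's match() permanently clears the serial-number criterion on this selector, so once one version 1/2 certificate has been tested every later match() call — including for version 3 certificates — runs without the serial-number check even though `isSNSensitive` is still true; the pre-existing `setSubjectKeyIdentifier(null)` is sticky in the same way. ForwardBuilder in this same series loops `sel.match(trustedCert)` over all trust anchors with one selector (presumably this class, given that hunk's AKID/SKID comment), so the relaxation granted to the first v1/v2 anchor leaks to the remaining ones. Save both criteria before relaxing them and restore them in a finally block around `super.match(cert)`, or compare against local copies instead of mutating the selector; this assumes the setters used here are X509CertSelector's own and that `java.math.BigInteger` is importable in this file. The enclosing match() starts outside the hunk.
```java
        // … unchanged: version and validity-period checks …
        byte[] savedSkid = getSubjectKeyIdentifier();
        BigInteger savedSerial = getSerialNumber();
        try {
            // If no SubjectKeyIdentifier extension, don't bother to check it.
            if (isSKIDSensitive &&
                (version < 3 || xcert.getExtensionValue("2.5.29.14") == null)) {
                setSubjectKeyIdentifier(null);
            }
            // … unchanged: root-replacement rationale comment …
            if (isSNSensitive && version < 3) {
                setSerialNumber(null);
            }
            return super.match(cert);
        } finally {
            // Put the caller's criteria back so the relaxation applied for
            // this certificate does not leak into later match() calls.
            setSubjectKeyIdentifier(savedSkid);
            setSerialNumber(savedSerial);
        }
```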
diff --git a/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java b/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
index e9c0ca77879..e2666a6771b 100644
--- a/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
+++ b/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
@@ -243,12 +243,6 @@ class ForwardBuilder extends Builder {
 caTargetSelector.setPolicy(getMatchingPolicies());
 }
- /*
- * Require CA certs with a pathLenConstraint that allows
- * at least as many CA certs that have already been traversed
- */
- caTargetSelector.setBasicConstraints(currentState.traversedCACerts);
-
 sel = caTargetSelector;
 } else {
@@ -282,12 +276,6 @@ class ForwardBuilder extends Builder {
 CertPathHelper.setPathToNames (caSelector, currentState.subjectNamesTraversed);
- /*
- * Require CA certs with a pathLenConstraint that allows
- * at least as many CA certs that have already been traversed
- */
- caSelector.setBasicConstraints(currentState.traversedCACerts);
-
 /*
 * Facilitate certification path construction with authority
 * key identifier and subject key identifier.
@@ -305,6 +293,14 @@ class ForwardBuilder extends Builder {
 sel = caSelector;
 }
+ /*
+ * For compatibility, conservatively, we don't check the path
+ * length constraint of trusted anchors. Please don't set the
+ * basic constraints criterion unless the trusted certificate
+ * matching is completed.
+ */
+ sel.setBasicConstraints(-1);
+
 for (X509Certificate trustedCert : trustedCerts) {
 if (sel.match(trustedCert)) {
 if (debug != null) {
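Review bot: `sel.setBasicConstraints(-1)` in the third hunk relies on a magic value that the new comment does not explain — X509CertSelector documents -1 as "no basicConstraints check" and -2 as "end-entity certificates only" — and the comment's second sentence ("Please don't set the basic constraints criterion unless ...") reads as an instruction to a future editor rather than a description of the code. Suggest replacing the block comment with: `/* Trust anchors are matched without a pathLenConstraint check: -1 disables the basicConstraints criterion (see X509CertSelector.setBasicConstraints). The criterion is re-enabled with traversedCACerts after this loop, before the non-trusted certificates are searched. */`. The re-enabling is the hunk at line 323 (`sel.setBasicConstraints(currentState.traversedCACerts)`), and the code between the two hunks is outside this diff, so please confirm no path between them returns or reuses `sel` with the criterion still disabled. The comment removed in the first two hunks reappears in that later hunk, so this note covers it as well.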
@@ -323,6 +319,12 @@ class ForwardBuilder extends Builder {
 */
 sel.setCertificateValid(date);
+ /*
+ * Require CA certs with a pathLenConstraint that allows
+ * at least as many CA certs that have already been traversed
+ */
+ sel.setBasicConstraints(currentState.traversedCACerts);
+
 /*
 * If we have already traversed as many CA certs as the maxPathLength
 * will allow us to, then we don't bother looking through these
From 7705e63e3099d97c457401e7728fbbabfd06b43d Mon Sep 17 00:00:00 2001
From: Xue-Lei Andrew Fan
Date: Tue, 15 Mar 2011 23:13:35 -0700
Subject: [PATCH 3/3] 7022855: Export "PKIX" as the standard algorithm name of KeyManagerFactory
Export the existing "NewSunX509" algorithm implementation using the standard name "PKIX"
Reviewed-by: weijun, wetmore
---
 .../sun/security/ssl/ClientHandshaker.java | 5 +-
 .../classes/sun/security/ssl/SunJSSE.java | 4 +-
 .../ssl/javax/net/ssl/GetInstance.java | 47 ++++++++++++++++++-
 3 files changed, 51 insertions(+), 5 deletions(-)
diff --git a/jdk/src/share/classes/sun/security/ssl/ClientHandshaker.java b/jdk/src/share/classes/sun/security/ssl/ClientHandshaker.java
index 5fa8e0279d9..fbf23196aba 100644
--- a/jdk/src/share/classes/sun/security/ssl/ClientHandshaker.java
+++ b/jdk/src/share/classes/sun/security/ssl/ClientHandshaker.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -378,7 +378,8 @@ final class ClientHandshaker extends Handshaker {
 if (!isNegotiable(mesgVersion)) {
 throw new SSLHandshakeException( "Server chose " + mesgVersion +
- ", but client does not support or disables " + mesgVersion);
+ ", but that protocol version is not enabled or not supported " +
+ "by the client.");
 }
 handshakeHash.protocolDetermined(mesgVersion);
diff --git a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
index 1668e6ff79d..bba258670d8 100644
--- a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
+++ b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -195,6 +195,8 @@ public abstract class SunJSSE extends java.security.Provider {
 "sun.security.ssl.KeyManagerFactoryImpl$SunX509");
 put("KeyManagerFactory.NewSunX509",
 "sun.security.ssl.KeyManagerFactoryImpl$X509");
+ put("Alg.Alias.KeyManagerFactory.PKIX", "NewSunX509");
+
 put("TrustManagerFactory.SunX509",
 "sun.security.ssl.TrustManagerFactoryImpl$SimpleFactory");
 put("TrustManagerFactory.PKIX",
diff --git a/jdk/test/sun/security/ssl/javax/net/ssl/GetInstance.java b/jdk/test/sun/security/ssl/javax/net/ssl/GetInstance.java
index dcfb98b48c4..2ffdad9ac02 100644
--- a/jdk/test/sun/security/ssl/javax/net/ssl/GetInstance.java
+++ b/jdk/test/sun/security/ssl/javax/net/ssl/GetInstance.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -23,8 +23,9 @@
 /*
 * @test
- * @bug 4898428
+ * @bug 4898428 7022855
 * @summary verify getInstance() works using Provider.getService()
+ * Export "PKIX" as the standard algorithm name of KeyManagerFactory
 * @author Andreas Sterbenz
 */
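Review bot: The new `Alg.Alias.KeyManagerFactory.PKIX` entry in the SunJSSE hunk is the only alias among the concrete registrations around it and says nothing about why it targets NewSunX509 rather than the SunX509 entry registered two lines above; that reasoning lives only in the commit message. Suggest a comment directly above the line: `// "PKIX" is the standard KeyManagerFactory algorithm name; it is served by the NewSunX509 (KeyManagerFactoryImpl$X509) implementation, not by the legacy SunX509 one.` The surrounding put() block starts and ends outside the hunk.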
@@ -61,6 +62,20 @@ public class GetInstance {
 kmf = KeyManagerFactory.getInstance("SunX509", p);
 same(p, kmf.getProvider());
+ kmf = KeyManagerFactory.getInstance("NewSunX509");
+ same(p, kmf.getProvider());
+ kmf = KeyManagerFactory.getInstance("NewSunX509", "SunJSSE");
+ same(p, kmf.getProvider());
+ kmf = KeyManagerFactory.getInstance("NewSunX509", p);
+ same(p, kmf.getProvider());
+
+ kmf = KeyManagerFactory.getInstance("PKIX");
+ same(p, kmf.getProvider());
+ kmf = KeyManagerFactory.getInstance("PKIX", "SunJSSE");
+ same(p, kmf.getProvider());
+ kmf = KeyManagerFactory.getInstance("PKIX", p);
+ same(p, kmf.getProvider());
+
 TrustManagerFactory tmf;
 tmf = TrustManagerFactory.getInstance("SunX509");
 same(p, tmf.getProvider());
@@ -69,6 +84,34 @@ public class GetInstance {
 tmf = TrustManagerFactory.getInstance("SunX509", p);
 same(p, tmf.getProvider());
+ tmf = TrustManagerFactory.getInstance("PKIX");
+ same(p, tmf.getProvider());
+ tmf = TrustManagerFactory.getInstance("PKIX", "SunJSSE");
+ same(p, tmf.getProvider());
+ tmf = TrustManagerFactory.getInstance("PKIX", p);
+ same(p, tmf.getProvider());
+
+ tmf = TrustManagerFactory.getInstance("SunPKIX");
+ same(p, tmf.getProvider());
+ tmf = TrustManagerFactory.getInstance("SunPKIX", "SunJSSE");
+ same(p, tmf.getProvider());
+ tmf = TrustManagerFactory.getInstance("SunPKIX", p);
+ same(p, tmf.getProvider());
+
+ tmf = TrustManagerFactory.getInstance("X509");
+ same(p, tmf.getProvider());
+ tmf = TrustManagerFactory.getInstance("X509", "SunJSSE");
+ same(p, tmf.getProvider());
+ tmf = TrustManagerFactory.getInstance("X509", p);
+ same(p, tmf.getProvider());
+
+ tmf = TrustManagerFactory.getInstance("X.509");
+ same(p, tmf.getProvider());
+ tmf = TrustManagerFactory.getInstance("X.509", "SunJSSE");
+ same(p, tmf.getProvider());
+ tmf = TrustManagerFactory.getInstance("X.509", p);
+ same(p, tmf.getProvider());
+
 testComSun();
 long stop = System.currentTimeMillis();
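Review bot: The second hunk adds twelve near-identical getInstance/same pairs (four algorithm names times three getInstance overloads) and the first hunk six more for KeyManagerFactory; a small helper per factory type would list each alias once and make the next alias a one-line addition instead of six copied lines. Whether `p` is a `java.security.Provider` and what `same` declares is not visible here, so adjust the signature to match. The enclosing test method starts and ends outside the hunks.
```java
// constructed helper; replace each TrustManagerFactory triplet with one call,
// e.g. checkTmf(p, "PKIX"); checkTmf(p, "SunPKIX"); checkTmf(p, "X509"); checkTmf(p, "X.509");
private static void checkTmf(Provider p, String alg) throws Exception {
    same(p, TrustManagerFactory.getInstance(alg).getProvider());
    same(p, TrustManagerFactory.getInstance(alg, "SunJSSE").getProvider());
    same(p, TrustManagerFactory.getInstance(alg, p).getProvider());
}
```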