diff --git a/jdk/make/sun/security/other/Makefile b/jdk/make/sun/security/other/Makefile index 78893730edd..cc869aec2e3 100644 --- a/jdk/make/sun/security/other/Makefile +++ b/jdk/make/sun/security/other/Makefile @@ -38,6 +38,7 @@ AUTO_FILES_JAVA_DIRS = \ sun/security/acl \ sun/security/jca \ sun/security/pkcs \ + sun/security/pkcs10 \ sun/security/pkcs12 \ sun/security/provider \ sun/security/rsa \ diff --git a/jdk/src/share/classes/sun/security/pkcs/EncodingException.java b/jdk/src/share/classes/sun/security/pkcs/EncodingException.java deleted file mode 100644 index 81650cd89f5..00000000000 --- a/jdk/src/share/classes/sun/security/pkcs/EncodingException.java +++ /dev/null 
@@ -1,45 +0,0 @@ -/* - * Copyright (c) 1996, 2003, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -/** - * Generic PKCS Encoding exception. - * - * @author Benjamin Renaud - */ - -package sun.security.pkcs; - -public class EncodingException extends Exception { - - private static final long serialVersionUID = 4060198374240668325L; - - public EncodingException() { - super(); - } - - public EncodingException(String s) { - super(s); - } -} diff --git a/jdk/src/share/classes/sun/security/pkcs/PKCS10.java b/jdk/src/share/classes/sun/security/pkcs10/PKCS10.java similarity index 99% rename from jdk/src/share/classes/sun/security/pkcs/PKCS10.java rename to jdk/src/share/classes/sun/security/pkcs10/PKCS10.java index 6303c8b9adf..c5418c67d07 100644 --- a/jdk/src/share/classes/sun/security/pkcs/PKCS10.java 
+++ b/jdk/src/share/classes/sun/security/pkcs10/PKCS10.java @@ -24,7 +24,7 @@ */ -package sun.security.pkcs; +package sun.security.pkcs10; import java.io.PrintStream; import java.io.IOException; diff --git a/jdk/src/share/classes/sun/security/pkcs/PKCS10Attribute.java b/jdk/src/share/classes/sun/security/pkcs10/PKCS10Attribute.java similarity index 97% rename from jdk/src/share/classes/sun/security/pkcs/PKCS10Attribute.java rename to jdk/src/share/classes/sun/security/pkcs10/PKCS10Attribute.java index a83813157b0..c7cac3baa25 100644 --- a/jdk/src/share/classes/sun/security/pkcs/PKCS10Attribute.java +++ b/jdk/src/share/classes/sun/security/pkcs10/PKCS10Attribute.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 1998, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -23,11 +23,12 @@ * questions. */ -package sun.security.pkcs; +package sun.security.pkcs10; import java.io.OutputStream; import java.io.IOException; +import sun.security.pkcs.PKCS9Attribute; import sun.security.util.*; /** diff --git a/jdk/src/share/classes/sun/security/pkcs/PKCS10Attributes.java b/jdk/src/share/classes/sun/security/pkcs10/PKCS10Attributes.java similarity index 98% rename from jdk/src/share/classes/sun/security/pkcs/PKCS10Attributes.java rename to jdk/src/share/classes/sun/security/pkcs10/PKCS10Attributes.java index 8279ae237eb..d35f3a7fe29 100644 --- a/jdk/src/share/classes/sun/security/pkcs/PKCS10Attributes.java +++ b/jdk/src/share/classes/sun/security/pkcs10/PKCS10Attributes.java 
@@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2006, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -23,7 +23,7 @@ * questions. */ -package sun.security.pkcs; +package sun.security.pkcs10; import java.io.IOException; import java.io.OutputStream; diff --git a/jdk/src/share/classes/sun/security/provider/certpath/CertStoreHelper.java b/jdk/src/share/classes/sun/security/provider/certpath/CertStoreHelper.java index 891919a4bb1..e325239d114 100644 --- a/jdk/src/share/classes/sun/security/provider/certpath/CertStoreHelper.java +++ b/jdk/src/share/classes/sun/security/provider/certpath/CertStoreHelper.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
@@ -27,32 +27,86 @@ package sun.security.provider.certpath; import java.net.URI; import java.util.Collection; +import java.util.HashMap; +import java.util.Map; +import java.security.AccessController; import java.security.NoSuchAlgorithmException; import java.security.InvalidAlgorithmParameterException; +import java.security.PrivilegedActionException; +import java.security.PrivilegedExceptionAction; import java.security.cert.CertStore; import java.security.cert.X509CertSelector; import java.security.cert.X509CRLSelector; import javax.security.auth.x500.X500Principal; import java.io.IOException; +import sun.security.util.Cache; + /** - * Helper used by URICertStore when delegating to another CertStore to - * fetch certs and CRLs. + * Helper used by URICertStore and others when delegating to another CertStore + * to fetch certs and CRLs. */ -public interface CertStoreHelper { +public abstract class CertStoreHelper { + + private static final int NUM_TYPES = 2; + private final static Map classMap = new HashMap<>(NUM_TYPES); + static { + classMap.put( + "LDAP", + "sun.security.provider.certpath.ldap.LDAPCertStoreHelper"); + classMap.put( + "SSLServer", + "sun.security.provider.certpath.ssl.SSLServerCertStoreHelper"); + }; + private static Cache cache = Cache.newSoftMemoryCache(NUM_TYPES); + + public static CertStoreHelper getInstance(final String type) + throws NoSuchAlgorithmException + { + CertStoreHelper helper = (CertStoreHelper)cache.get(type); + if (helper != null) { + return helper; + } + final String cl = classMap.get(type); + if (cl == null) { + throw new NoSuchAlgorithmException(type + " not available"); + } + try { + helper = AccessController.doPrivileged( + new PrivilegedExceptionAction() { + public CertStoreHelper run() throws ClassNotFoundException { + try { + Class c = Class.forName(cl, true, null); + CertStoreHelper csh + = (CertStoreHelper)c.newInstance(); + cache.put(type, csh); + return csh; + } catch (InstantiationException e) { + throw new 
AssertionError(e); + } catch (IllegalAccessException e) { + throw new AssertionError(e); + } + } + }); + return helper; + } catch (PrivilegedActionException e) { + throw new NoSuchAlgorithmException(type + " not available", + e.getException()); + } + } /** * Returns a CertStore using the given URI as parameters. */ - CertStore getCertStore(URI uri) + public abstract CertStore getCertStore(URI uri) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException; /** * Wraps an existing X509CertSelector when needing to avoid DN matching * issues. */ - X509CertSelector wrap(X509CertSelector selector, + public abstract X509CertSelector wrap(X509CertSelector selector, X500Principal certSubject, String dn) throws IOException; @@ -61,7 +115,7 @@ public interface CertStoreHelper { * Wraps an existing X509CRLSelector when needing to avoid DN matching * issues. */ - X509CRLSelector wrap(X509CRLSelector selector, + public abstract X509CRLSelector wrap(X509CRLSelector selector, Collection certIssuers, String dn) throws IOException; diff --git a/jdk/src/share/classes/sun/security/provider/certpath/URICertStore.java b/jdk/src/share/classes/sun/security/provider/certpath/URICertStore.java index 321f9153ec3..da607724437 100644 --- a/jdk/src/share/classes/sun/security/provider/certpath/URICertStore.java +++ b/jdk/src/share/classes/sun/security/provider/certpath/URICertStore.java @@ -30,8 +30,6 @@ import java.io.IOException; import java.net.HttpURLConnection; import java.net.URI; import java.net.URLConnection; -import java.security.AccessController; -import java.security.PrivilegedAction; import java.security.InvalidAlgorithmParameterException; import java.security.NoSuchAlgorithmException; import java.security.Provider; 
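Review bot: `getInstance` has no Javadoc, and its `cache.get` / `cache.put` sequence is not atomic, so two threads racing on the first lookup of a type can each instantiate a helper — harmless only as long as helpers hold no state, which should be stated as a requirement. I would add above the method: `/** Returns the CertStoreHelper for {@code type} ("LDAP" or "SSLServer"), loading the implementation lazily through the bootstrap loader; throws NoSuchAlgorithmException if the type is unknown or its class is absent. Implementations must be stateless: a concurrent first lookup may construct more than one instance. */`. Keeping `Class.forName` restricted to the fixed `classMap` with a `null` (bootstrap) loader is the right call, since the reflective load can never reach a caller-supplied class name. A `null` type currently fails inside `cache.get` with a bare NPE; an `Objects.requireNonNull(type, "type")` at the top would give a clearer failure.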
@@ -120,35 +118,10 @@ class URICertStore extends CertStoreSpi { // true if URI is ldap private boolean ldap = false; + private CertStoreHelper ldapHelper; private CertStore ldapCertStore; private String ldapPath; - /** - * Holder class to lazily load LDAPCertStoreHelper if present. - */ - private static class LDAP { - private static final String CERT_STORE_HELPER = - "sun.security.provider.certpath.ldap.LDAPCertStoreHelper"; - private static final CertStoreHelper helper = - AccessController.doPrivileged( - new PrivilegedAction() { - public CertStoreHelper run() { - try { - Class c = Class.forName(CERT_STORE_HELPER, true, null); - return (CertStoreHelper)c.newInstance(); - } catch (ClassNotFoundException cnf) { - return null; - } catch (InstantiationException e) { - throw new AssertionError(e); - } catch (IllegalAccessException e) { - throw new AssertionError(e); - } - }}); - static CertStoreHelper helper() { - return helper; - } - } - /** * Creates a URICertStore. * @@ -164,10 +137,9 @@ class URICertStore extends CertStoreSpi { this.uri = ((URICertStoreParameters) params).uri; // if ldap URI, use an LDAPCertStore to fetch certs and CRLs if (uri.getScheme().toLowerCase(Locale.ENGLISH).equals("ldap")) { - if (LDAP.helper() == null) - throw new NoSuchAlgorithmException("LDAP not present"); ldap = true; - ldapCertStore = LDAP.helper().getCertStore(uri); + ldapHelper = CertStoreHelper.getInstance("LDAP"); + ldapCertStore = ldapHelper.getCertStore(uri); ldapPath = uri.getPath(); // strip off leading '/' if (ldapPath.charAt(0) == '/') { @@ -251,7 +223,7 @@ class URICertStore extends CertStoreSpi { if (ldap) { X509CertSelector xsel = (X509CertSelector) selector; try { - xsel = LDAP.helper().wrap(xsel, xsel.getSubject(), ldapPath); + xsel = ldapHelper.wrap(xsel, xsel.getSubject(), ldapPath); } catch (IOException ioe) { throw new CertStoreException(ioe); } 
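Review bot: The new `ldapCertStore = ldapHelper.getCertStore(uri);` line is immediately followed by the unchanged `ldapPath.charAt(0)`, which, as far as I can tell from `java.net.URI`, throws StringIndexOutOfBoundsException rather than the checked exceptions the constructor declares for an LDAP URI with an empty path such as `ldap://host:389` (pre-existing, but this constructor is being reworked here). I would guard it: `if (!ldapPath.isEmpty() && ldapPath.charAt(0) == '/')`. Moving from the static `LDAP` holder to a per-instance `ldapHelper` is fine since the field is only assigned in the constructor and read under the `synchronized` engine methods. The constructor's tail continues outside the hunk.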
@@ -273,57 +245,44 @@ class URICertStore extends CertStoreSpi { return getMatchingCerts(certs, selector); } lastChecked = time; - InputStream in = null; try { URLConnection connection = uri.toURL().openConnection(); if (lastModified != 0) { connection.setIfModifiedSince(lastModified); } - in = connection.getInputStream(); long oldLastModified = lastModified; - lastModified = connection.getLastModified(); - if (oldLastModified != 0) { - if (oldLastModified == lastModified) { - if (debug != null) { - debug.println("Not modified, using cached copy"); - } - return getMatchingCerts(certs, selector); - } else if (connection instanceof HttpURLConnection) { - // some proxy servers omit last modified - HttpURLConnection hconn = (HttpURLConnection) connection; - if (hconn.getResponseCode() - == HttpURLConnection.HTTP_NOT_MODIFIED) { + try (InputStream in = connection.getInputStream()) { + lastModified = connection.getLastModified(); + if (oldLastModified != 0) { + if (oldLastModified == lastModified) { if (debug != null) { debug.println("Not modified, using cached copy"); } return getMatchingCerts(certs, selector); + } else if (connection instanceof HttpURLConnection) { + // some proxy servers omit last modified + HttpURLConnection hconn = (HttpURLConnection)connection; + if (hconn.getResponseCode() + == HttpURLConnection.HTTP_NOT_MODIFIED) { + if (debug != null) { + debug.println("Not modified, using cached copy"); + } + return getMatchingCerts(certs, selector); + } } } - } - if (debug != null) { - debug.println("Downloading new certificates..."); - } - // Safe cast since factory is an X.509 certificate factory - certs = (Collection) - factory.generateCertificates(in); - return getMatchingCerts(certs, selector); - } catch (IOException e) { - if (debug != null) { - debug.println("Exception fetching certificates:"); - e.printStackTrace(); - } - } catch (CertificateException e) { - if (debug != null) { - debug.println("Exception fetching certificates:"); - e.printStackTrace(); 
- } - } finally { - if (in != null) { - try { - in.close(); - } catch (IOException e) { - // ignore + if (debug != null) { + debug.println("Downloading new certificates..."); } + // Safe cast since factory is an X.509 certificate factory + certs = (Collection) + factory.generateCertificates(in); + } + return getMatchingCerts(certs, selector); + } catch (IOException | CertificateException e) { + if (debug != null) { + debug.println("Exception fetching certificates:"); + e.printStackTrace(); } } // exception, forget previous values @@ -343,8 +302,7 @@ class URICertStore extends CertStoreSpi { if (selector == null) { return certs; } - List matchedCerts = - new ArrayList(certs.size()); + List matchedCerts = new ArrayList<>(certs.size()); for (X509Certificate cert : certs) { if (selector.match(cert)) { matchedCerts.add(cert); @@ -374,7 +332,7 @@ class URICertStore extends CertStoreSpi { if (ldap) { X509CRLSelector xsel = (X509CRLSelector) selector; try { - xsel = LDAP.helper().wrap(xsel, null, ldapPath); + xsel = ldapHelper.wrap(xsel, null, ldapPath); } catch (IOException ioe) { throw new CertStoreException(ioe); } 
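Review bot: The `URLConnection` opened at the top of the rewritten fetch still carries no connect or read timeout, so a slow or unresponsive certificate distribution point stalls whatever path validation is running through this CertStore for as long as the platform default allows; the try-with-resources rework is a good moment to add bounded `connection.setConnectTimeout(...)` and `connection.setReadTimeout(...)` calls right after `openConnection()` (pre-existing, but the surrounding lines are being rewritten). The rest of the logic reads as equivalent to the old version: `lastModified` is updated before the not-modified check, the cached `certs` are returned on 304, and the stream is now closed on every path. The method continues past the hunk with the "forget previous values" reset after the catch.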
@@ -395,55 +353,42 @@ class URICertStore extends CertStoreSpi { return getMatchingCRLs(crl, selector); } lastChecked = time; - InputStream in = null; try { URLConnection connection = uri.toURL().openConnection(); if (lastModified != 0) { connection.setIfModifiedSince(lastModified); } - in = connection.getInputStream(); long oldLastModified = lastModified; - lastModified = connection.getLastModified(); - if (oldLastModified != 0) { - if (oldLastModified == lastModified) { - if (debug != null) { - debug.println("Not modified, using cached copy"); - } - return getMatchingCRLs(crl, selector); - } else if (connection instanceof HttpURLConnection) { - // some proxy servers omit last modified - HttpURLConnection hconn = (HttpURLConnection) connection; - if (hconn.getResponseCode() - == HttpURLConnection.HTTP_NOT_MODIFIED) { + try (InputStream in = connection.getInputStream()) { + lastModified = connection.getLastModified(); + if (oldLastModified != 0) { + if (oldLastModified == lastModified) { if (debug != null) { debug.println("Not modified, using cached copy"); } return getMatchingCRLs(crl, selector); + } else if (connection instanceof HttpURLConnection) { + // some proxy servers omit last modified + HttpURLConnection hconn = (HttpURLConnection)connection; + if (hconn.getResponseCode() + == HttpURLConnection.HTTP_NOT_MODIFIED) { + if (debug != null) { + debug.println("Not modified, using cached copy"); + } + return getMatchingCRLs(crl, selector); + } } } - } - if (debug != null) { - debug.println("Downloading new CRL..."); - } - crl = (X509CRL) factory.generateCRL(in); - return getMatchingCRLs(crl, selector); - } catch (IOException e) { - if (debug != null) { - debug.println("Exception fetching CRL:"); - e.printStackTrace(); - } - } catch (CRLException e) { - if (debug != null) { - debug.println("Exception fetching CRL:"); - e.printStackTrace(); - } - } finally { - if (in != null) { - try { - in.close(); - } catch (IOException e) { - // ignore + if (debug != null) { + 
debug.println("Downloading new CRL..."); } + crl = (X509CRL) factory.generateCRL(in); + } + return getMatchingCRLs(crl, selector); + } catch (IOException | CRLException e) { + if (debug != null) { + debug.println("Exception fetching CRL:"); + e.printStackTrace(); } } // exception, forget previous values diff --git a/jdk/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java b/jdk/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java index d86404d0802..3eea0b25fff 100644 --- a/jdk/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java +++ b/jdk/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStore.java @@ -103,7 +103,7 @@ import sun.security.action.GetPropertyAction; * @author Steve Hanna * @author Andreas Sterbenz */ -public class LDAPCertStore extends CertStoreSpi { +public final class LDAPCertStore extends CertStoreSpi { private static final Debug debug = Debug.getInstance("certpath"); diff --git a/jdk/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStoreHelper.java b/jdk/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStoreHelper.java index 7eb65d5a7a8..5ec100c6a1d 100644 --- a/jdk/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStoreHelper.java +++ b/jdk/src/share/classes/sun/security/provider/certpath/ldap/LDAPCertStoreHelper.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it 
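Review bot: `factory.generateCRL(in)` reads the whole response into memory with no size bound and, like the certificate path above, `connection` has no read timeout, so a hostile or misconfigured CRL distribution point can tie up or exhaust the validating JVM; consider `connection.setReadTimeout(...)` after `openConnection()` and wrapping `in` in a bounded stream that fails past a maximum CRL size (pre-existing, but these lines are being rewritten). The restructuring itself preserves the old flow, including returning the cached `crl` on 304 and closing the stream on every path. The method's error-reset tail runs past the hunk.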
@@ -41,11 +41,9 @@ import sun.security.provider.certpath.CertStoreHelper; * LDAP implementation of CertStoreHelper. */ -public class LDAPCertStoreHelper - implements CertStoreHelper +public final class LDAPCertStoreHelper + extends CertStoreHelper { - public LDAPCertStoreHelper() { } - @Override public CertStore getCertStore(URI uri) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException diff --git a/jdk/src/share/classes/sun/security/provider/certpath/ssl/SSLServerCertStore.java b/jdk/src/share/classes/sun/security/provider/certpath/ssl/SSLServerCertStore.java new file mode 100644 index 00000000000..5109e132d22 --- /dev/null +++ b/jdk/src/share/classes/sun/security/provider/certpath/ssl/SSLServerCertStore.java 
@@ -0,0 +1,153 @@ +/* + * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. 
+ */ + +package sun.security.provider.certpath.ssl; + +import java.io.IOException; +import java.net.URI; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collection; +import java.util.Collections; +import java.util.List; +import java.security.GeneralSecurityException; +import java.security.InvalidAlgorithmParameterException; +import java.security.Provider; +import java.security.cert.CertificateException; +import java.security.cert.CertSelector; +import java.security.cert.CertStore; +import java.security.cert.CertStoreException; +import java.security.cert.CertStoreParameters; +import java.security.cert.CertStoreSpi; +import java.security.cert.CRLSelector; +import java.security.cert.X509Certificate; +import java.security.cert.X509CRL; +import javax.net.ssl.HostnameVerifier; +import javax.net.ssl.HttpsURLConnection; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSession; +import javax.net.ssl.TrustManager; +import javax.net.ssl.X509TrustManager; + +/** + * A CertStore that retrieves an SSL server's certificate chain. 
+ */ +public final class SSLServerCertStore extends CertStoreSpi { + + private final URI uri; + + SSLServerCertStore(URI uri) throws InvalidAlgorithmParameterException { + super(null); + this.uri = uri; + } + + public synchronized Collection engineGetCertificates + (CertSelector selector) throws CertStoreException + { + try { + SSLContext sc = SSLContext.getInstance("SSL"); + GetChainTrustManager xtm = new GetChainTrustManager(); + sc.init(null, new TrustManager[] { xtm }, null); + HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); + HttpsURLConnection.setDefaultHostnameVerifier( + new HostnameVerifier() { + public boolean verify(String hostname, SSLSession session) { + return true; + } + }); + uri.toURL().openConnection().connect(); + return getMatchingCerts(xtm.serverChain, selector); + } catch (GeneralSecurityException | IOException e) { + throw new CertStoreException(e); + } + } + + private static List getMatchingCerts + (List certs, CertSelector selector) + { + // if selector not specified, all certs match + if (selector == null) { + return certs; + } + List matchedCerts = new ArrayList<>(certs.size()); + for (X509Certificate cert : certs) { + if (selector.match(cert)) { + matchedCerts.add(cert); + } + } + return matchedCerts; + } + + public Collection engineGetCRLs(CRLSelector selector) + throws CertStoreException + { + throw new UnsupportedOperationException(); + } + + static synchronized CertStore getInstance(URI uri) + throws InvalidAlgorithmParameterException + { + return new CS(new SSLServerCertStore(uri), null, "SSLServer", null); + } + + /* + * An X509TrustManager that simply stores a reference to the server's + * certificate chain. 
+ */ + private static class GetChainTrustManager implements X509TrustManager { + private List serverChain; + + public X509Certificate[] getAcceptedIssuers() { + throw new UnsupportedOperationException(); + } + + public void checkClientTrusted(X509Certificate[] chain, + String authType) + throws CertificateException + { + throw new UnsupportedOperationException(); + } + + public void checkServerTrusted(X509Certificate[] chain, + String authType) + throws CertificateException + { + this.serverChain = (chain == null) + ? Collections.emptyList() + : Arrays.asList(chain); + } + } + + /** + * This class allows the SSLServerCertStore to be accessed as a CertStore. + */ + private static class CS extends CertStore { + protected CS(CertStoreSpi spi, Provider p, String type, + CertStoreParameters params) + { + super(spi, p, type, params); + } + } +} diff --git a/jdk/src/share/classes/sun/security/provider/certpath/ssl/SSLServerCertStoreHelper.java b/jdk/src/share/classes/sun/security/provider/certpath/ssl/SSLServerCertStoreHelper.java new file mode 100644 index 00000000000..fd36adfbad1 --- /dev/null +++ b/jdk/src/share/classes/sun/security/provider/certpath/ssl/SSLServerCertStoreHelper.java 
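Review bot: `engineGetCertificates` installs its trust-everything `SSLContext` and accept-all `HostnameVerifier` via `HttpsURLConnection.setDefaultSSLSocketFactory` and `setDefaultHostnameVerifier`, which are JVM-wide statics, so every HttpsURLConnection opened anywhere in the process afterwards silently skips server authentication — tolerable in the one-shot keytool code this was lifted from, not in a CertStore that now lives in the JDK provider package and is reachable by any caller through `CertStoreHelper.getInstance("SSLServer")`. Disabling verification is the intent here (the chain is captured, not trusted), but it must be confined to this one connection: open it, check it is an `HttpsURLConnection`, and set the factory and verifier on that instance, as below (needs a `java.net.URLConnection` import). Separately, `serverChain` stays `null` if no TLS handshake occurs, e.g. an `http:` URI whose `connect()` succeeds, and `getMatchingCerts(null, selector)` then returns null or throws NPE; initialising the field to `Collections.emptyList()` or rejecting non-https URIs would close that. The `synchronized` on the method only serialises calls on one instance, which is another reason not to touch global state.

```java
public synchronized Collection<X509Certificate> engineGetCertificates
    (CertSelector selector) throws CertStoreException
{
    try {
        SSLContext sc = SSLContext.getInstance("SSL");
        GetChainTrustManager xtm = new GetChainTrustManager();
        sc.init(null, new TrustManager[] { xtm }, null);
        URLConnection conn = uri.toURL().openConnection();
        if (!(conn instanceof HttpsURLConnection)) {
            throw new CertStoreException("not an https URI: " + uri);
        }
        HttpsURLConnection hconn = (HttpsURLConnection) conn;
        // Confine the chain-capturing trust manager and the no-op hostname
        // check to this connection; never install them as JVM-wide defaults.
        hconn.setSSLSocketFactory(sc.getSocketFactory());
        hconn.setHostnameVerifier(new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                return true;
            }
        });
        hconn.connect();
        return getMatchingCerts(xtm.serverChain, selector);
    } catch (GeneralSecurityException | IOException e) {
        throw new CertStoreException(e);
    }
}
// … unchanged: getMatchingCerts, engineGetCRLs, getInstance, GetChainTrustManager, CS …
```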
@@ -0,0 +1,69 @@ +/* + * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package sun.security.provider.certpath.ssl; + +import java.net.URI; +import java.util.Collection; +import java.security.NoSuchAlgorithmException; +import java.security.InvalidAlgorithmParameterException; +import java.security.cert.CertStore; +import java.security.cert.X509CertSelector; +import java.security.cert.X509CRLSelector; +import javax.security.auth.x500.X500Principal; +import java.io.IOException; + +import sun.security.provider.certpath.CertStoreHelper; + +/** + * SSL implementation of CertStoreHelper. 
+ */ +public final class SSLServerCertStoreHelper extends CertStoreHelper { + + @Override + public CertStore getCertStore(URI uri) + throws NoSuchAlgorithmException, InvalidAlgorithmParameterException + { + return SSLServerCertStore.getInstance(uri); + } + + @Override + public X509CertSelector wrap(X509CertSelector selector, + X500Principal certSubject, + String ldapDN) + throws IOException + { + throw new UnsupportedOperationException(); + } + + @Override + public X509CRLSelector wrap(X509CRLSelector selector, + Collection certIssuers, + String ldapDN) + throws IOException + { + throw new UnsupportedOperationException(); + } +} diff --git a/jdk/src/share/classes/sun/security/x509/CertAndKeyGen.java b/jdk/src/share/classes/sun/security/tools/CertAndKeyGen.java similarity index 95% rename from jdk/src/share/classes/sun/security/x509/CertAndKeyGen.java rename to jdk/src/share/classes/sun/security/tools/CertAndKeyGen.java index f1560c716ad..4c32a33b4f7 100644 --- a/jdk/src/share/classes/sun/security/x509/CertAndKeyGen.java +++ b/jdk/src/share/classes/sun/security/tools/CertAndKeyGen.java @@ -23,7 +23,7 @@ * questions. */ -package sun.security.x509; +package sun.security.tools; import java.io.IOException; import java.security.cert.X509Certificate; @@ -32,7 +32,19 @@ import java.security.cert.CertificateEncodingException; import java.security.*; import java.util.Date; -import sun.security.pkcs.PKCS10; +import sun.security.pkcs10.PKCS10; +import sun.security.x509.AlgorithmId; +import sun.security.x509.CertificateAlgorithmId; +import sun.security.x509.CertificateIssuerName; +import sun.security.x509.CertificateSerialNumber; +import sun.security.x509.CertificateSubjectName; +import sun.security.x509.CertificateValidity; +import sun.security.x509.CertificateVersion; +import sun.security.x509.CertificateX509Key; +import sun.security.x509.X500Name; +import sun.security.x509.X509CertImpl; +import sun.security.x509.X509CertInfo; +import sun.security.x509.X509Key; /** 
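Review bot: The two `wrap` overrides throw `UnsupportedOperationException` with no explanation, and `getCertStore` accepts any URI although the store it returns only makes sense for an `https:` one. I would document this on the class: `/** CertStoreHelper for the "SSLServer" type: getCertStore returns a store that captures the certificate chain presented by the TLS server at the given https URI; the wrap methods are unsupported because DN rewriting only applies to LDAP stores. */`. Whether the scheme check belongs here or in SSLServerCertStore I cannot tell from this hunk, but one of them should reject non-https URIs with InvalidAlgorithmParameterException rather than letting a plain connection succeed with no chain.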
diff --git a/jdk/src/share/classes/sun/security/tools/KeyTool.java b/jdk/src/share/classes/sun/security/tools/KeyTool.java index 2e67bcea23b..0d928209807 100644 --- a/jdk/src/share/classes/sun/security/tools/KeyTool.java +++ b/jdk/src/share/classes/sun/security/tools/KeyTool.java @@ -38,10 +38,12 @@ import java.security.Signature; import java.security.Timestamp; import java.security.UnrecoverableEntryException; import java.security.UnrecoverableKeyException; +import java.security.NoSuchAlgorithmException; import java.security.Principal; import java.security.Provider; import java.security.cert.Certificate; import java.security.cert.CertificateFactory; +import java.security.cert.CertStoreException; import java.security.cert.CRL; import java.security.cert.X509Certificate; import java.security.cert.CertificateException; @@ -63,23 +65,16 @@ import java.security.cert.X509CRLSelector; import javax.security.auth.x500.X500Principal; import sun.misc.BASE64Encoder; import sun.security.util.ObjectIdentifier; -import sun.security.pkcs.PKCS10; +import sun.security.pkcs10.PKCS10; +import sun.security.pkcs10.PKCS10Attribute; import sun.security.provider.X509Factory; +import sun.security.provider.certpath.CertStoreHelper; import sun.security.util.Password; -import sun.security.util.PathList; import javax.crypto.KeyGenerator; import javax.crypto.SecretKey; -import javax.net.ssl.HostnameVerifier; -import javax.net.ssl.HttpsURLConnection; -import javax.net.ssl.SSLContext; -import javax.net.ssl.SSLSession; -import javax.net.ssl.TrustManager; -import javax.net.ssl.X509TrustManager; import sun.misc.BASE64Decoder; -import sun.security.pkcs.PKCS10Attribute; import sun.security.pkcs.PKCS9Attribute; -import sun.security.provider.certpath.ldap.LDAPCertStoreHelper; import sun.security.util.DerValue; import sun.security.x509.*; 
@@ -917,18 +912,13 @@ public final class KeyTool { // Perform the specified command if (command == CERTREQ) { - PrintStream ps = null; if (filename != null) { - ps = new PrintStream(new FileOutputStream - (filename)); - out = ps; - } - try { - doCertReq(alias, sigAlgName, out); - } finally { - if (ps != null) { - ps.close(); + try (PrintStream ps = new PrintStream(new FileOutputStream + (filename))) { + doCertReq(alias, sigAlgName, ps); } + } else { + doCertReq(alias, sigAlgName, out); } if (verbose && filename != null) { MessageFormat form = new MessageFormat(rb.getString @@ -941,18 +931,13 @@ public final class KeyTool { doDeleteEntry(alias); kssave = true; } else if (command == EXPORTCERT) { - PrintStream ps = null; if (filename != null) { - ps = new PrintStream(new FileOutputStream - (filename)); - out = ps; - } - try { - doExportCert(alias, out); - } finally { - if (ps != null) { - ps.close(); + try (PrintStream ps = new PrintStream(new FileOutputStream + (filename))) { + doExportCert(alias, ps); } + } else { + doExportCert(alias, out); } if (filename != null) { MessageFormat form = new MessageFormat(rb.getString @@ -973,16 +958,12 @@ public final class KeyTool { doGenSecretKey(alias, keyAlgName, keysize); kssave = true; } else if (command == IDENTITYDB) { - InputStream inStream = System.in; if (filename != null) { - inStream = new FileInputStream(filename); - } - try { - doImportIdentityDatabase(inStream); - } finally { - if (inStream != System.in) { - inStream.close(); + try (InputStream inStream = new FileInputStream(filename)) { + doImportIdentityDatabase(inStream); } + } else { + doImportIdentityDatabase(System.in); } } else if (command == IMPORTCERT) { InputStream inStream = System.in; 
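Review bot: `PrintStream` never throws on write failure, so with the new `try (PrintStream ps = new PrintStream(new FileOutputStream(filename)))` a short or failed write of the certificate request or exported certificate is silently lost and keytool still reports success; check `ps.checkError()` after `doCertReq(alias, sigAlgName, ps)` and `doExportCert(alias, ps)` and fail, e.g. `if (ps.checkError()) throw new IOException("write failed: " + filename);` (assuming the enclosing method already declares a checked exception, which I cannot see here). This was equally true of the old manual close, so it is pre-existing, but the rework is the place to fix it. The command dispatch these hunks belong to starts before and continues after the hunk.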
@@ -1101,29 +1082,21 @@ public final class KeyTool { if (alias == null) { alias = keyAlias; } - PrintStream ps = null; if (filename != null) { - ps = new PrintStream(new FileOutputStream(filename)); - out = ps; - } - try { - doGenCRL(out); - } finally { - if (ps != null) { - ps.close(); + try (PrintStream ps = + new PrintStream(new FileOutputStream(filename))) { + doGenCRL(ps); } + } else { + doGenCRL(out); } } else if (command == PRINTCERTREQ) { - InputStream inStream = System.in; if (filename != null) { - inStream = new FileInputStream(filename); - } - try { - doPrintCertReq(inStream, out); - } finally { - if (inStream != System.in) { - inStream.close(); + try (InputStream inStream = new FileInputStream(filename)) { + doPrintCertReq(inStream, out); } + } else { + doPrintCertReq(System.in, out); } } else if (command == PRINTCRL) { doPrintCRL(filename, out); @@ -2070,12 +2043,13 @@ public final class KeyTool { } } } else { // must be LDAP, and uri is not null + // Lazily load LDAPCertStoreHelper if present + CertStoreHelper helper = CertStoreHelper.getInstance("LDAP"); String path = uri.getPath(); if (path.charAt(0) == '/') path = path.substring(1); - LDAPCertStoreHelper h = new LDAPCertStoreHelper(); - CertStore s = h.getCertStore(uri); + CertStore s = helper.getCertStore(uri); X509CRLSelector sel = - h.wrap(new X509CRLSelector(), null, path); + helper.wrap(new X509CRLSelector(), null, path); return s.getCRLs(sel); } } @@ -2259,18 +2233,12 @@ public final class KeyTool { int pos = 0; while (entries.hasMoreElements()) { JarEntry je = entries.nextElement(); - InputStream is = null; - try { - is = jf.getInputStream(je); + try (InputStream is = jf.getInputStream(je)) { while (is.read(buffer) != -1) { // we just read. this will throw a SecurityException // if a signature/digest check fails. This also // populate the signers } - } finally { - if (is != null) { - is.close(); - } } CodeSigner[] signers = je.getCodeSigners(); if (signers != null) { 
@@ -2316,85 +2284,52 @@ public final class KeyTool { out.println(rb.getString("Not.a.signed.jar.file")); } } else if (sslserver != null) { - SSLContext sc = SSLContext.getInstance("SSL"); - final boolean[] certPrinted = new boolean[1]; - sc.init(null, new TrustManager[] { - new X509TrustManager() { - - public java.security.cert.X509Certificate[] getAcceptedIssuers() { - return null; - } - - public void checkClientTrusted( - java.security.cert.X509Certificate[] certs, String authType) { - } - - public void checkServerTrusted( - java.security.cert.X509Certificate[] certs, String authType) { - for (int i=0; i 0) { - certPrinted[0] = true; - } - } - } - }, null); - HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); - HttpsURLConnection.setDefaultHostnameVerifier( - new HostnameVerifier() { - public boolean verify(String hostname, SSLSession session) { - return true; - } - }); - // HTTPS instead of raw SSL, so that -Dhttps.proxyHost and - // -Dhttps.proxyPort can be used. Since we only go through - // the handshake process, an HTTPS server is not needed. - // This program should be able to deal with any SSL-based - // network service. - Exception ex = null; + // Lazily load SSLCertStoreHelper if present + CertStoreHelper helper = CertStoreHelper.getInstance("SSLServer"); + CertStore cs = helper.getCertStore(new URI("https://" + sslserver)); + Collection chain; try { - new URL("https://" + sslserver).openConnection().connect(); - } catch (Exception e) { - ex = e; - } - // If the certs are not printed out, we consider it an error even - // if the URL connection is successful. - if (!certPrinted[0]) { - Exception e = new Exception( - rb.getString("No.certificate.from.the.SSL.server")); - if (ex != null) { - e.initCause(ex); + chain = cs.getCertificates(null); + if (chain.isEmpty()) { + // If the certs are not retrieved, we consider it an error + // even if the URL connection is successful. 
+ throw new Exception(rb.getString(
+ "No.certificate.from.the.SSL.server"));
+ }
+ } catch (CertStoreException cse) {
+ if (cse.getCause() instanceof IOException) {
+ throw new Exception(rb.getString(
+ "No.certificate.from.the.SSL.server"),
+ cse.getCause());
+ } else {
+ throw cse;
+ }
+ }
+
+ int i = 0;
+ for (Certificate cert : chain) {
+ try {
+ if (rfc) {
+ dumpCert(cert, out);
+ } else {
+ out.println("Certificate #" + i++);
+ out.println("====================================");
+ printX509Cert((X509Certificate)cert, out);
+ out.println();
+ }
+ } catch (Exception e) {
+ if (debug) {
+ e.printStackTrace();
+ }
 }
- throw e;
 }
 } else {
- InputStream inStream = System.in;
 if (filename != null) {
- inStream = new FileInputStream(filename);
- }
- try {
- printCertFromStream(inStream, out);
- } finally {
- if (inStream != System.in) {
- inStream.close();
+ try (FileInputStream inStream = new FileInputStream(filename)) {
+ printCertFromStream(inStream, out);
 }
+ } else {
+ printCertFromStream(System.in, out);
 }
 }
 }
@@ -2590,9 +2525,7 @@ public final class KeyTool {
 X509Certificate cert = null;
 try {
 cert = (X509Certificate)cf.generateCertificate(in);
- } catch (ClassCastException cce) {
- throw new Exception(rb.getString("Input.not.an.X.509.certificate"));
- } catch (CertificateException ce) {
+ } catch (ClassCastException | CertificateException ce) {
 throw new Exception(rb.getString("Input.not.an.X.509.certificate"));
 }
@@ -3441,16 +3374,10 @@ public final class KeyTool {
 if (!file.exists()) {
 return null;
 }
- FileInputStream fis = null;
 KeyStore caks = null;
- try {
- fis = new FileInputStream(file);
+ try (FileInputStream fis = new FileInputStream(file)) {
 caks = KeyStore.getInstance(JKS);
 caks.load(fis, null);
- } finally {
- if (fis != null) {
- fis.close();
- }
 }
 return caks;
 }
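Review bot: The per-certificate `catch (Exception e)` in the new print loop hides any certificate that fails to print (including a ClassCastException from the `(X509Certificate)cert` cast) unless -debug is given, so `-printcert -sslserver` can show a shortened chain with a success exit status; at minimum print a one-line warning to `out` for the skipped entry (through `rb` like the other messages) rather than staying silent. Separately, the removed code installed a trust-all TrustManager and an always-true HostnameVerifier as the process-wide HttpsURLConnection defaults; the replacement helper must still accept any server certificate to fetch the chain, so confirm the "SSLServer" helper scopes that trust to its own connection and leaves the JVM-wide defaults alone — that is the real security win of this hunk, and nothing visible here verifies it. The old comment explaining that HTTPS is used so that -Dhttps.proxyHost/-Dhttps.proxyPort apply was dropped; if the helper preserves that, restore it as `// chain is fetched over HTTPS so -Dhttps.proxyHost/-Dhttps.proxyPort still apply`, otherwise document the behaviour change. The enclosing method starts outside the hunk.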
diff --git a/jdk/src/share/classes/sun/security/util/PathList.java b/jdk/src/share/classes/sun/security/tools/PathList.java
similarity index 97%
rename from jdk/src/share/classes/sun/security/util/PathList.java
rename to jdk/src/share/classes/sun/security/tools/PathList.java
index 4d1fa71d704..f059a5ea1aa 100644
--- a/jdk/src/share/classes/sun/security/util/PathList.java
+++ b/jdk/src/share/classes/sun/security/tools/PathList.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2004, 2011, Oracle and/or its affiliates. All rights reserved.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
 * questions.
 */
 
-package sun.security.util;
+package sun.security.tools;
 
 import java.io.File;
 import java.io.IOException;
diff --git a/jdk/src/share/classes/sun/security/util/BigInt.java b/jdk/src/share/classes/sun/security/util/BigInt.java
deleted file mode 100644
index 4713cc4d9fb..00000000000
--- a/jdk/src/share/classes/sun/security/util/BigInt.java
+++ /dev/null
@@ -1,198 +0,0 @@ -/* - * Copyright (c) 1996, 2006, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.util; - -import java.math.BigInteger; - - -/** - * A low-overhead arbitrary-precision unsigned integer. - * This is intended for use with ASN.1 parsing, and printing of - * such parsed values. Convert to "BigInteger" if you need to do - * arbitrary precision arithmetic, rather than just represent - * the number as a wrapped array of bytes. - * - *

NOTE: This class may eventually disappear, to - * be supplanted by big-endian byte arrays which hold both signed - * and unsigned arbitrary-precision integers. - * - * @author David Brownell - */ -public final class BigInt { - - // Big endian -- MSB first. - private byte[] places; - - /** - * Constructs a "Big" integer from a set of (big-endian) bytes. - * Leading zeroes should be stripped off. - * - * @param data a sequence of bytes, most significant bytes/digits - * first. CONSUMED. - */ - public BigInt(byte[] data) { places = data.clone(); } - - /** - * Constructs a "Big" integer from a "BigInteger", which must be - * positive (or zero) in value. - */ - public BigInt(BigInteger i) { - byte[] temp = i.toByteArray(); - - if ((temp[0] & 0x80) != 0) - throw new IllegalArgumentException("negative BigInteger"); - - // XXX we assume exactly _one_ sign byte is used... - - if (temp[0] != 0) - places = temp; - else { - places = new byte[temp.length - 1]; - for (int j = 1; j < temp.length; j++) - places[j - 1] = temp[j]; - } - } - - /** - * Constructs a "Big" integer from a normal Java integer. - * - * @param i the java primitive integer - */ - public BigInt(int i) { - if (i < (1 << 8)) { - places = new byte[1]; - places[0] = (byte) i; - } else if (i < (1 << 16)) { - places = new byte[2]; - places[0] = (byte) (i >> 8); - places[1] = (byte) i; - } else if (i < (1 << 24)) { - places = new byte[3]; - places[0] = (byte) (i >> 16); - places[1] = (byte) (i >> 8); - places[2] = (byte) i; - } else { - places = new byte[4]; - places[0] = (byte) (i >> 24); - places[1] = (byte) (i >> 16); - places[2] = (byte) (i >> 8); - places[3] = (byte) i; - } - } - - /** - * Converts the "big" integer to a java primitive integer. - * - * @excpet NumberFormatException if 32 bits is insufficient. 
- */ - public int toInt() { - if (places.length > 4) - throw new NumberFormatException("BigInt.toLong, too big"); - int retval = 0, i = 0; - for (; i < places.length; i++) - retval = (retval << 8) + ((int)places[i] & 0xff); - return retval; - } - - /** - * Returns a hexadecimal printed representation. The value is - * formatted to fit on lines of at least 75 characters, with - * embedded newlines. Words are separated for readability, - * with eight words (32 bytes) per line. - */ - public String toString() { return hexify(); } - - /** - * Returns a BigInteger value which supports many arithmetic - * operations. Assumes negative values will never occur. - */ - public BigInteger toBigInteger() - { return new BigInteger(1, places); } - - /** - * Returns the data as a byte array. The most significant bit - * of the array is bit zero (as in java.math.BigInteger). - */ - public byte[] toByteArray() { return places.clone(); } - - private static final String digits = "0123456789abcdef"; - private String hexify() { - if (places.length == 0) - return " 0 "; - - StringBuffer buf = new StringBuffer(places.length * 2); - buf.append(" "); // four spaces - for (int i = 0; i < places.length; i++) { - buf.append(digits.charAt((places[i] >> 4) & 0x0f)); - buf.append(digits.charAt(places[i] & 0x0f)); - if (((i + 1) % 32) == 0) { - if ((i + 1) != places.length) - buf.append("\n "); // line after four words - } else if (((i + 1) % 4) == 0) - buf.append(' '); // space between words - } - return buf.toString(); - } - - /** - * Returns true iff the parameter is a numerically equivalent - * BigInt. - * - * @param other the object being compared with this one. - */ - public boolean equals(Object other) { - if (other instanceof BigInt) - return equals((BigInt) other); - return false; - } - - /** - * Returns true iff the parameter is numerically equivalent. - * - * @param other the BigInt being compared with this one. 
- */ - public boolean equals(BigInt other) { - if (this == other) - return true; - - byte[] otherPlaces = other.toByteArray(); - if (places.length != otherPlaces.length) - return false; - for (int i = 0; i < places.length; i++) - if (places[i] != otherPlaces[i]) - return false; - return true; - } - - /** - * Returns a hashcode for this BigInt. - * - * @return a hashcode for this BigInt. - */ - public int hashCode() { - return hexify().hashCode(); - } -} diff --git a/jdk/test/sun/security/util/BigInt/BigIntEqualsHashCode.java b/jdk/test/sun/security/util/BigInt/BigIntEqualsHashCode.java deleted file mode 100644 index 5da5752e1e6..00000000000 --- a/jdk/test/sun/security/util/BigInt/BigIntEqualsHashCode.java +++ /dev/null 
@@ -1,46 +0,0 @@
-/*
- * Copyright (c) 1999, Oracle and/or its affiliates. All rights reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
- * or visit www.oracle.com if you need additional information or have any
- * questions.
- */
-
-/*
- * @test
- * @author Gary Ellison
- * @bug 4170635
- * @summary Verify equals()/hashCode() contract honored
- */
-
-import java.io.*;
-import sun.security.util.*;
-
-
-public class BigIntEqualsHashCode {
- public static void main(String[] args) throws Exception {
- BigInt bi1 = new BigInt(12345678);
- BigInt bi2 = new BigInt(12345678);
-
- if ( (bi1.equals(bi2)) == (bi1.hashCode()==bi2.hashCode()) )
- System.out.println("PASSED");
- else
- throw new Exception ("FAILED equals()/hashCode() contract");
-
- }
-}