8291509: Minor cleanup could be done in sun.security

Reviewed-by: weijun
Mark Powers 2022-09-15 19:59:53 +00:00 committed by Weijun Wang
parent 6beeb8471c
commit 4cec141a90
298 changed files with 2650 additions and 3262 deletions

@ -1,5 +1,5 @@
/*
* Copyright (c) 1998, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1998, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -50,7 +50,7 @@ import java.security.AccessController;
public class GetBooleanAction
implements java.security.PrivilegedAction<Boolean> {
private String theProp;
private final String theProp;
/**
* Constructor that takes the name of the system property whose boolean

@ -1,5 +1,5 @@
/*
* Copyright (c) 1998, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1998, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -67,9 +67,9 @@ import java.security.AccessController;
public class GetIntegerAction
implements java.security.PrivilegedAction<Integer> {
private String theProp;
private int defaultVal;
private boolean defaultSet;
private final String theProp;
private final int defaultVal;
private final boolean defaultSet;
/**
* Constructor that takes the name of the system property whose integer
@ -79,6 +79,8 @@ public class GetIntegerAction
*/
public GetIntegerAction(String theProp) {
this.theProp = theProp;
this.defaultVal = 0;
this.defaultSet = false;
}
/**

@ -1,5 +1,5 @@
/*
* Copyright (c) 1998, 2006, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1998, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -64,9 +64,9 @@ package sun.security.action;
*/
public class GetLongAction implements java.security.PrivilegedAction<Long> {
private String theProp;
private long defaultVal;
private boolean defaultSet = false;
private final String theProp;
private final long defaultVal;
private final boolean defaultSet;
/**
* Constructor that takes the name of the system property whose
@ -76,6 +76,8 @@ public class GetLongAction implements java.security.PrivilegedAction<Long> {
*/
public GetLongAction(String theProp) {
this.theProp = theProp;
this.defaultVal = 0;
this.defaultSet = false;
}
/**

@ -1,5 +1,5 @@
/*
* Copyright (c) 1998, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1998, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -51,8 +51,8 @@ import java.util.Properties;
*/
public class GetPropertyAction implements PrivilegedAction<String> {
private String theProp;
private String defaultVal;
private final String theProp;
private final String defaultVal;
/**
* Constructor that takes the name of the system property whose
@ -62,6 +62,7 @@ public class GetPropertyAction implements PrivilegedAction<String> {
*/
public GetPropertyAction(String theProp) {
this.theProp = theProp;
this.defaultVal = null;
}
/**

@ -1,5 +1,5 @@
/*
* Copyright (c) 2005, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2005, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -51,7 +51,7 @@ public interface TlsMasterSecret extends SecretKey {
@Deprecated
@SuppressWarnings("serial")
@java.io.Serial
public static final long serialVersionUID = -461748105810469773L;
long serialVersionUID = -461748105810469773L;
/**
* Returns the major version number encapsulated in the premaster secret
@ -62,7 +62,7 @@ public interface TlsMasterSecret extends SecretKey {
*
* @return the major version number, or -1 if it is not available
*/
public int getMajorVersion();
int getMajorVersion();
/**
* Returns the minor version number encapsulated in the premaster secret
@ -73,6 +73,6 @@ public interface TlsMasterSecret extends SecretKey {
*
* @return the major version number, or -1 if it is not available
*/
public int getMinorVersion();
int getMinorVersion();
}
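Review bot: The Javadoc on `getMinorVersion()` still ends with `@return the major version number, or -1 if it is not available`, a copy-paste from `getMajorVersion()` that this cleanup leaves in place. Since the hunk already rewrites the declaration directly below it, the tag should read `@return the minor version number, or -1 if it is not available`. The comment block starts above the hunk, so only the tag line is quoted here.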

@ -1,5 +1,5 @@
/*
* Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2005, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -94,7 +94,7 @@ public class TlsKeyMaterialParameterSpec implements AlgorithmParameterSpec {
byte[] serverRandom, String cipherAlgorithm, int cipherKeyLength,
int expandedCipherKeyLength, int ivLength, int macKeyLength,
String prfHashAlg, int prfHashLength, int prfBlockSize) {
if (masterSecret.getAlgorithm().equals("TlsMasterSecret") == false) {
if (!masterSecret.getAlgorithm().equals("TlsMasterSecret")) {
throw new IllegalArgumentException("Not a TLS master secret");
}
if (cipherAlgorithm == null) {
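Review bot: The rewritten guard `if (!masterSecret.getAlgorithm().equals("TlsMasterSecret"))` still dereferences `masterSecret` and the result of `getAlgorithm()` before anything visible checks them for null. A null key or a key without an algorithm name therefore surfaces as a NullPointerException rather than the IllegalArgumentException thrown on the next line. Putting the constant first, `if (!"TlsMasterSecret".equals(masterSecret.getAlgorithm()))`, covers the null algorithm name. A null `masterSecret` would additionally need `Objects.requireNonNull(masterSecret, "masterSecret")` unless callers already guarantee it. The constructor body continues past the end of the hunk.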

@ -1,5 +1,5 @@
/*
* Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2005, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -31,7 +31,7 @@ import javax.crypto.SecretKey;
/**
* Parameters for SSL/TLS master secret generation.
* This class encapsulates the information necessary to calculate a SSL/TLS
* This class encapsulates the information necessary to calculate an SSL/TLS
* master secret from the premaster secret and other parameters.
* It is used to initialize KeyGenerators of the type "TlsMasterSecret".
*

@ -1,5 +1,5 @@
/*
* Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2005, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -99,18 +99,18 @@ public class TlsPrfParameterSpec implements AlgorithmParameterSpec {
}
/**
* Returns the label to use in the PRF calcuation.
* Returns the label to use in the PRF calculation.
*
* @return the label to use in the PRF calcuation.
* @return the label to use in the PRF calculation.
*/
public String getLabel() {
return label;
}
/**
* Returns a copy of the seed to use in the PRF calcuation.
* Returns a copy of the seed to use in the PRF calculation.
*
* @return a copy of the seed to use in the PRF calcuation.
* @return a copy of the seed to use in the PRF calculation.
*/
public byte[] getSeed() {
return seed.clone();

@ -128,7 +128,7 @@ public class GetInstance {
/**
* Return a List of all the available Services that implement any of
* the specified algorithms. See getServices(String, String) for detals.
* the specified algorithms. See getServices(String, String) for details.
*/
public static List<Service> getServices(List<ServiceId> ids) {
ProviderList list = Providers.getProviderList();
@ -254,7 +254,7 @@ public class GetInstance {
if (superClass == null) {
return;
}
if (superClass.isAssignableFrom(subClass) == false) {
if (!superClass.isAssignableFrom(subClass)) {
throw new NoSuchAlgorithmException
("class configured for " + s.getType() + ": "
+ s.getClassName() + " not a " + s.getType());

@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,8 +25,7 @@
package sun.security.jca;
import java.lang.ref.*;
import java.security.*;
import java.security.SecureRandom;
/**
* Collection of static utility methods used by the security framework.

@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -136,10 +136,9 @@ final class ProviderConfig {
if (this == obj) {
return true;
}
if (obj instanceof ProviderConfig == false) {
if (!(obj instanceof ProviderConfig other)) {
return false;
}
ProviderConfig other = (ProviderConfig)obj;
return this.provName.equals(other.provName)
&& this.argument.equals(other.argument);
@ -173,7 +172,7 @@ final class ProviderConfig {
if (p != null) {
return p;
}
if (shouldLoad() == false) {
if (!shouldLoad()) {
return null;
}
@ -411,7 +410,7 @@ final class ProviderConfig {
} catch (Exception e) {
Throwable t;
if (e instanceof InvocationTargetException) {
t = ((InvocationTargetException)e).getCause();
t = e.getCause();
} else {
t = e;
}

@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -126,7 +126,7 @@ public final class ProviderList {
ProviderConfig[] configs = new ProviderConfig[providerList.size() - 1];
int j = 0;
for (ProviderConfig config : providerList.configs) {
if (config.getProvider().getName().equals(name) == false) {
if (!config.getProvider().getName().equals(name)) {
configs[j++] = config;
}
}
@ -150,10 +150,11 @@ public final class ProviderList {
private volatile boolean allLoaded;
// List returned by providers()
private final List<Provider> userList = new AbstractList<Provider>() {
private final List<Provider> userList = new AbstractList<>() {
public int size() {
return configs.length;
}
public Provider get(int index) {
return getProvider(index);
}
@ -195,7 +196,7 @@ public final class ProviderList {
}
// Get rid of duplicate providers.
if (configList.contains(config) == false) {
if (!configList.contains(config)) {
configList.add(config);
}
i++;
@ -364,7 +365,7 @@ public final class ProviderList {
* algorithm.
*/
public Service getService(String type, String name) {
ArrayList<PreferredEntry> pList = null;
ArrayList<PreferredEntry> pList;
int i;
// Preferred provider list
@ -469,7 +470,7 @@ public final class ProviderList {
firstService = s;
} else {
if (services == null) {
services = new ArrayList<Service>(4);
services = new ArrayList<>(4);
services.add(firstService);
}
services.add(s);
@ -562,7 +563,7 @@ public final class ProviderList {
}
public Iterator<Service> iterator() {
return new Iterator<Service>() {
return new Iterator<>() {
int index;
public boolean hasNext() {
@ -587,7 +588,7 @@ public final class ProviderList {
// Provider list defined by jdk.security.provider.preferred entry
static final class PreferredList {
ArrayList<PreferredEntry> list = new ArrayList<PreferredEntry>();
ArrayList<PreferredEntry> list = new ArrayList<>();
/*
* Return a list of all preferred entries that match the passed
@ -599,7 +600,7 @@ public final class ProviderList {
}
ArrayList<PreferredEntry> l = new ArrayList<PreferredEntry>();
ArrayList<PreferredEntry> l = new ArrayList<>();
for (ServiceId id : s.ids) {
implGetAll(l, id.type, id.algorithm);
}
@ -612,7 +613,7 @@ public final class ProviderList {
* type and algorithm.
*/
ArrayList<PreferredEntry> getAll(String type, String algorithm) {
ArrayList<PreferredEntry> l = new ArrayList<PreferredEntry>();
ArrayList<PreferredEntry> l = new ArrayList<>();
implGetAll(l, type, algorithm);
return l;
}
@ -655,27 +656,27 @@ public final class ProviderList {
}
/* Defined Groups for jdk.security.provider.preferred */
private static final String SHA2Group[] = { "SHA-224", "SHA-256",
private static final String[] SHA2_GROUP = { "SHA-224", "SHA-256",
"SHA-384", "SHA-512", "SHA-512/224", "SHA-512/256" };
private static final String HmacSHA2Group[] = { "HmacSHA224",
private static final String[] HMACSHA2_GROUP = { "HmacSHA224",
"HmacSHA256", "HmacSHA384", "HmacSHA512"};
private static final String SHA2RSAGroup[] = { "SHA224withRSA",
private static final String[] SHA2RSA_GROUP = { "SHA224withRSA",
"SHA256withRSA", "SHA384withRSA", "SHA512withRSA"};
private static final String SHA2DSAGroup[] = { "SHA224withDSA",
private static final String[] SHA2DSA_GROUP = { "SHA224withDSA",
"SHA256withDSA", "SHA384withDSA", "SHA512withDSA"};
private static final String SHA2ECDSAGroup[] = { "SHA224withECDSA",
private static final String[] SHA2ECDSA_GROUP = { "SHA224withECDSA",
"SHA256withECDSA", "SHA384withECDSA", "SHA512withECDSA"};
private static final String SHA3Group[] = { "SHA3-224", "SHA3-256",
private static final String[] SHA3_GROUP = { "SHA3-224", "SHA3-256",
"SHA3-384", "SHA3-512" };
private static final String HmacSHA3Group[] = { "HmacSHA3-224",
private static final String[] HMACSHA3_GROUP = { "HmacSHA3-224",
"HmacSHA3-256", "HmacSHA3-384", "HmacSHA3-512"};
// Individual preferred property entry from jdk.security.provider.preferred
private static class PreferredEntry {
private String type = null;
private String algorithm;
private String provider;
private String alternateNames[] = null;
private final String type;
private final String algorithm;
private final String provider;
private final String[] alternateNames;
private boolean group = false;
PreferredEntry(String t, String p) {
@ -684,6 +685,7 @@ public final class ProviderList {
type = t.substring(0, i);
algorithm = t.substring(i + 1);
} else {
type = null;
algorithm = t;
}
@ -692,19 +694,21 @@ public final class ProviderList {
if (type != null && type.compareToIgnoreCase("Group") == 0) {
// Currently intrinsic algorithm groups
if (algorithm.compareToIgnoreCase("SHA2") == 0) {
alternateNames = SHA2Group;
alternateNames = SHA2_GROUP;
} else if (algorithm.compareToIgnoreCase("HmacSHA2") == 0) {
alternateNames = HmacSHA2Group;
alternateNames = HMACSHA2_GROUP;
} else if (algorithm.compareToIgnoreCase("SHA2RSA") == 0) {
alternateNames = SHA2RSAGroup;
alternateNames = SHA2RSA_GROUP;
} else if (algorithm.compareToIgnoreCase("SHA2DSA") == 0) {
alternateNames = SHA2DSAGroup;
alternateNames = SHA2DSA_GROUP;
} else if (algorithm.compareToIgnoreCase("SHA2ECDSA") == 0) {
alternateNames = SHA2ECDSAGroup;
alternateNames = SHA2ECDSA_GROUP;
} else if (algorithm.compareToIgnoreCase("SHA3") == 0) {
alternateNames = SHA3Group;
alternateNames = SHA3_GROUP;
} else if (algorithm.compareToIgnoreCase("HmacSHA3") == 0) {
alternateNames = HmacSHA3Group;
alternateNames = HMACSHA3_GROUP;
} else {
alternateNames = null;
}
if (alternateNames != null) {
group = true;
@ -715,6 +719,8 @@ public final class ProviderList {
alternateNames = new String[] { "SHA-1" };
} else if (algorithm.compareToIgnoreCase("SHA-1") == 0) {
alternateNames = new String[] { "SHA1" };
} else {
alternateNames = null;
}
}
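Review bot: In `PreferredEntry`, `private boolean group = false;` is the one field shown that the hunk leaves mutable, and making the others final needed two added `else { alternateNames = null; }` branches whose only purpose is definite assignment. Computing the alternate names and the group flag into locals and assigning each field once at the end of the constructor would allow `private final boolean group;` and drop both extra branches. The constructor starts and ends outside the visible hunks, so this is based only on the assignments shown.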

@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -62,7 +62,7 @@ public class Providers {
// After the switch to modules, JDK providers are all in modules and JDK
// no longer needs to load signed jars during start up.
//
// However, for earlier releases, it need special handling to resolve
// However, for earlier releases, it needs special handling to resolve
// circularities when loading signed JAR files during startup. The code
// below is part of that.
//
@ -101,7 +101,7 @@ public class Providers {
/**
* Start JAR verification. This sets a special provider list for
* the current thread. You MUST save the return value from this
* method and you MUST call stopJarVerification() with that object
* method, and you MUST call stopJarVerification() with that object
* once you are done.
*/
public static Object startJarVerification() {
@ -131,7 +131,7 @@ public class Providers {
/**
* Return the current ProviderList. If the thread-local list is set,
* it is returned. Otherwise, the system wide list is returned.
* it is returned. Otherwise, the system-wide list is returned.
*/
public static ProviderList getProviderList() {
ProviderList list = getThreadProviderList();
@ -143,7 +143,7 @@ public class Providers {
/**
* Set the current ProviderList. Affects the thread-local list if set,
* otherwise the system wide list.
* otherwise the system-wide list.
*/
public static void setProviderList(ProviderList newList) {
if (getThreadProviderList() == null) {

@ -90,8 +90,7 @@ public class ContentInfo {
* Parses a PKCS#7 content info.
*/
public ContentInfo(DerInputStream derin)
throws IOException, ParsingException
{
throws IOException {
this(derin, false);
}
@ -102,12 +101,11 @@ public class ContentInfo {
* PKCS#7 blocks that were generated using JDK1.1.x.
*
* @param derin the ASN.1 encoding of the content info.
* @param oldStyle flag indicating whether or not the given content info
* @param oldStyle flag indicating whether the given content info
* is encoded according to JDK1.1.x.
*/
public ContentInfo(DerInputStream derin, boolean oldStyle)
throws IOException, ParsingException
{
throws IOException {
DerInputStream disType;
DerInputStream disTaggedContent;
DerValue type;
@ -177,7 +175,7 @@ public class ContentInfo {
// content is optional, it could be external
if (content != null) {
DerValue taggedContent = null;
DerValue taggedContent;
contentDerCode = new DerOutputStream();
content.encode(contentDerCode);

@ -1,5 +1,5 @@
/*
* Copyright (c) 1998, 1999, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1998, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -47,10 +47,10 @@ import sun.security.util.DerOutputStream;
public class EncryptedPrivateKeyInfo {
// the "encryptionAlgorithm" field
private AlgorithmId algid;
private final AlgorithmId algid;
// the "encryptedData" field
private byte[] encryptedData;
private final byte[] encryptedData;
// the ASN.1 encoded contents of this class
private byte[] encoded;

@ -90,7 +90,7 @@ public class PKCS7 {
* @exception ParsingException on parsing errors.
* @exception IOException on other errors.
*/
public PKCS7(InputStream in) throws ParsingException, IOException {
public PKCS7(InputStream in) throws IOException {
DataInputStream dis = new DataInputStream(in);
byte[] data = new byte[dis.available()];
dis.readFully(data);
@ -158,7 +158,7 @@ public class PKCS7 {
* Parses a PKCS#7 block.
*
* @param derin the ASN.1 encoding of the PKCS#7 block.
* @param oldStyle flag indicating whether or not the given PKCS#7 block
* @param oldStyle flag indicating whether the given PKCS#7 block
* is encoded according to JDK1.1.x.
*/
private void parse(DerInputStream derin, boolean oldStyle)
@ -212,8 +212,7 @@ public class PKCS7 {
this(digestAlgorithmIds, contentInfo, certificates, null, signerInfos);
}
private void parseNetscapeCertChain(DerValue val)
throws ParsingException, IOException {
private void parseNetscapeCertChain(DerValue val) throws IOException {
DerInputStream dis = new DerInputStream(val.toByteArray());
DerValue[] contents = dis.getSequence(2);
certificates = new X509Certificate[contents.length];
@ -259,9 +258,7 @@ public class PKCS7 {
// crls
// [1] IMPLICIT CertificateRevocationLists OPTIONAL,
// signerInfos SignerInfos }
private void parseSignedData(DerValue val)
throws ParsingException, IOException {
private void parseSignedData(DerValue val) throws IOException {
DerInputStream dis = val.toDerInputStream();
// Version
@ -385,9 +382,7 @@ public class PKCS7 {
* Parses an old-style SignedData encoding (for backwards
* compatibility with JDK1.1.x).
*/
private void parseOldSignedData(DerValue val)
throws ParsingException, IOException
{
private void parseOldSignedData(DerValue val) throws IOException {
DerInputStream dis = val.toDerInputStream();
// Version
@ -531,7 +526,7 @@ public class PKCS7 {
// Add the CRL set (tagged with [1] IMPLICIT)
// to the signed data
signedData.putOrderedSetOf((byte)0xA1,
implCRLs.toArray(new X509CRLImpl[implCRLs.size()]));
implCRLs.toArray(new X509CRLImpl[0]));
}
// signerInfos
@ -765,8 +760,8 @@ public class PKCS7 {
* @param privateKey signer's private ky
* @param signerChain signer's certificate chain
* @param content the content to sign
* @param internalsf whether the content should be include in output
* @param directsign if the content is signed directly or thru authattrs
* @param internalsf whether the content should be included in output
* @param directsign if the content is signed directly or through authattrs
* @param ts (optional) timestamper
* @return the pkcs7 output in an array
* @throws SignatureException if signing failed
@ -1012,8 +1007,8 @@ public class PKCS7 {
throws IOException, CertificateException
{
// Generate a timestamp
MessageDigest messageDigest = null;
TSRequest tsQuery = null;
MessageDigest messageDigest;
TSRequest tsQuery;
try {
messageDigest = MessageDigest.getInstance(tSADigestAlg);
tsQuery = new TSRequest(tSAPolicyID, toBeTimestamped, messageDigest);
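Review bot: In the `PKCS7(InputStream in)` hunk the buffer is still sized with `new byte[dis.available()]`, and `available()` only estimates the bytes readable without blocking, not the length of the stream. For a stream that is not fully buffered, the signed block handed to the parser can therefore be truncated or empty. As the signature line is being edited anyway, `byte[] data = in.readAllBytes();` would read the whole input and make the `DataInputStream` wrapper unnecessary. The constructor body continues outside the hunk, so how `data` is parsed afterwards is not visible here.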

@ -1,5 +1,5 @@
/*
* Copyright (c) 1996, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -78,14 +78,14 @@ public class PKCS8Key implements PrivateKey {
private static final int V2 = 1;
/**
* Default constructor. Constructors in sub-classes that create a new key
* Default constructor. Constructors in subclasses that create a new key
* from its components require this. These constructors must initialize
* {@link #algid} and {@link #key}.
*/
protected PKCS8Key() { }
/**
* Another constructor. Constructors in sub-classes that create a new key
* Another constructor. Constructors in subclasses that create a new key
* from an encoded byte array require this. We do not assign this
* encoding to {@link #encodedKey} directly.
*

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -29,6 +29,7 @@ import java.io.IOException;
import java.io.OutputStream;
import java.security.cert.CertificateException;
import java.util.Date;
import sun.security.x509.CertificateExtensions;
import sun.security.util.*;
@ -507,10 +508,7 @@ public class PKCS9Attribute implements DerEncoder {
break;
case 17: // SignatureTimestampToken attribute
value = elems[0].toByteArray();
break;
case 18: // CMSAlgorithmProtection
case 18: // CMSAlgorithmProtection
value = elems[0].toByteArray();
break;
@ -638,9 +636,6 @@ public class PKCS9Attribute implements DerEncoder {
// break unnecessary
case 17: // SignatureTimestampToken
temp.write(DerValue.tag_Set, (byte[])value);
break;
case 18: // CMSAlgorithmProtection
temp.write(DerValue.tag_Set, (byte[])value);
break;
@ -745,7 +740,6 @@ public class PKCS9Attribute implements DerEncoder {
sb.append(value.toString());
}
sb.append("]");
return sb.toString();
} else { // multi-valued
boolean first = true;
Object[] values = (Object[]) value;
@ -757,8 +751,8 @@ public class PKCS9Attribute implements DerEncoder {
sb.append(", ");
sb.append(curVal.toString());
}
return sb.toString();
}
return sb.toString();
}
/**

@ -28,6 +28,7 @@ package sun.security.pkcs;
import java.io.IOException;
import java.io.OutputStream;
import java.util.Hashtable;
import sun.security.util.DerEncoder;
import sun.security.util.DerValue;
import sun.security.util.DerInputStream;
@ -44,7 +45,7 @@ public class PKCS9Attributes {
* Attributes in this set indexed by OID.
*/
private final Hashtable<ObjectIdentifier, PKCS9Attribute> attributes =
new Hashtable<ObjectIdentifier, PKCS9Attribute>(3);
new Hashtable<>(3);
/**
* The keys of this hashtable are the OIDs of permitted attributes.
@ -123,7 +124,7 @@ public class PKCS9Attributes {
*
* @param in the contents of the DER encoding of the attribute set.
* @param ignoreUnsupportedAttributes If true then any attributes
* not supported by the PKCS9Attribute class are ignored. Otherwise
* not supported by the PKCS9Attribute class are ignored. Otherwise,
* unsupported attributes cause an exception to be thrown.
* @exception IOException
* on i/o error, encoding syntax error, or unsupported or
@ -296,8 +297,7 @@ public class PKCS9Attributes {
public Object getAttributeValue(ObjectIdentifier oid)
throws IOException {
try {
Object value = getAttribute(oid).getValue();
return value;
return getAttribute(oid).getValue();
} catch (NullPointerException ex) {
throw new IOException("No value found for attribute " + oid);
}
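Review bot: `getAttributeValue` still detects a missing attribute by catching `NullPointerException`, which also catches any NullPointerException raised inside `getValue()` and reports it as "No value found" with the cause dropped. An explicit check states the intent: `PKCS9Attribute attr = getAttribute(oid);` then `if (attr == null) throw new IOException("No value found for attribute " + oid);` and `return attr.getValue();`. If `getAttribute` itself throws for a null `oid` (not visible here), that case would need its own guard to keep the current IOException behaviour.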

@ -1,5 +1,5 @@
/*
* Copyright (c) 1996, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,30 +25,20 @@
package sun.security.pkcs;
import java.io.OutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.math.BigInteger;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.CertPath;
import java.security.cert.X509Certificate;
import java.security.*;
import java.security.cert.*;
import java.security.spec.PSSParameterSpec;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.*;
import sun.security.provider.SHAKE256;
import sun.security.timestamp.TimestampToken;
import sun.security.util.*;
import sun.security.x509.AlgorithmId;
import sun.security.x509.X500Name;
import sun.security.x509.KeyUsageExtension;
import sun.security.x509.X500Name;
/**
* A SignerInfo, as defined in PKCS#7's signedData type.
@ -81,7 +71,7 @@ public class SignerInfo implements DerEncoder {
* should also be checked (ex: if it is a signature algorithm).
*/
private record AlgorithmInfo(String field, boolean checkKey) {}
private Map<AlgorithmId, AlgorithmInfo> algorithms = new HashMap<>();
private final Map<AlgorithmId, AlgorithmInfo> algorithms = new HashMap<>();
public SignerInfo(X500Name issuerName,
BigInteger serial,
@ -112,9 +102,7 @@ public class SignerInfo implements DerEncoder {
/**
* Parses a PKCS#7 signer info.
*/
public SignerInfo(DerInputStream derin)
throws IOException, ParsingException
{
public SignerInfo(DerInputStream derin) throws IOException {
this(derin, false);
}
@ -125,12 +113,11 @@ public class SignerInfo implements DerEncoder {
* PKCS#7 blocks that were generated using JDK1.1.x.
*
* @param derin the ASN.1 encoding of the signer info.
* @param oldStyle flag indicating whether or not the given signer info
* @param oldStyle flag indicating whether the given signer info
* is encoded according to JDK1.1.x.
*/
public SignerInfo(DerInputStream derin, boolean oldStyle)
throws IOException, ParsingException
{
throws IOException {
// version
version = derin.getBigInteger();
@ -357,7 +344,7 @@ public class SignerInfo implements DerEncoder {
byte[] dataSigned;
// if there are authenticate attributes, get the message
// if there are authenticated attributes, get the message
// digest and compare it with the digest of data
if (authenticatedAttributes == null) {
dataSigned = data;
@ -454,7 +441,7 @@ public class SignerInfo implements DerEncoder {
if (keyUsageBits != null) {
KeyUsageExtension keyUsage;
try {
// We don't care whether or not this extension was marked
// We don't care whether this extension was marked
// critical in the certificate.
// We're interested only in its value (i.e., the bits set)
// and treat the extension as critical.
@ -737,7 +724,7 @@ public class SignerInfo implements DerEncoder {
}
/**
* Verify all of the algorithms in the array of SignerInfos against the
* Verify all the algorithms in the array of SignerInfos against the
* constraints in the jdk.jar.disabledAlgorithms security property.
*
* @param infos array of SignerInfos
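Review bot: The import block appears to collapse the single-type `java.security.cert.…` and `java.util.…` imports into `java.security.cert.*` and `java.util.*`, alongside `java.security.*`. Both `java.security` and `java.security.cert` declare a `Certificate` type, so an unqualified use of such a shared name later in this file becomes an ambiguity error. A reader also can no longer see which types the signature-verification code depends on. The PKCS10Attributes section of the same commit goes the other way and expands `sun.security.util.*` into single-type imports; keeping single-type imports here too would make the cleanup consistent.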

@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2004, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -26,11 +26,9 @@
package sun.security.pkcs;
import java.io.IOException;
import java.util.ArrayList;
import sun.security.util.HexDumpEncoder;
import sun.security.util.DerInputStream;
import sun.security.util.DerValue;
import sun.security.util.HexDumpEncoder;
import sun.security.x509.GeneralNames;
import sun.security.x509.SerialNumber;
@ -83,8 +81,6 @@ import sun.security.x509.SerialNumber;
*/
public class SigningCertificateInfo {
private byte[] ber = null;
private ESSCertId[] certId = null;
public SigningCertificateInfo(byte[] ber) throws IOException {
@ -132,9 +128,9 @@ class ESSCertId {
private static volatile HexDumpEncoder hexDumper;
private byte[] certHash;
private GeneralNames issuer;
private SerialNumber serialNumber;
private final byte[] certHash;
private final GeneralNames issuer;
private final SerialNumber serialNumber;
ESSCertId(DerValue certId) throws IOException {
// Parse certHash
@ -147,6 +143,9 @@ class ESSCertId {
issuer = new GeneralNames(issuerSerial.data.getDerValue());
// Parse serialNumber
serialNumber = new SerialNumber(issuerSerial.data.getDerValue());
} else {
issuer = null;
serialNumber = null;
}
}

@ -361,9 +361,9 @@ public class PKCS10 {
return(retval);
}
private X500Name subject;
private PublicKey subjectPublicKeyInfo;
private String sigAlg;
private PKCS10Attributes attributeSet;
private byte[] encoded; // signed
private X500Name subject;
private final PublicKey subjectPublicKeyInfo;
private String sigAlg;
private final PKCS10Attributes attributeSet;
private byte[] encoded; // signed
}

@ -56,8 +56,8 @@ import sun.security.util.*;
*/
public class PKCS10Attribute implements DerEncoder {
protected ObjectIdentifier attributeId = null;
protected Object attributeValue = null;
protected ObjectIdentifier attributeId;
protected Object attributeValue;
/**
* Constructs an attribute from a DER encoding.

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -27,13 +27,15 @@ package sun.security.pkcs10;
import java.io.IOException;
import java.io.OutputStream;
import java.security.cert.CertificateException;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.Hashtable;
import sun.security.util.*;
import sun.security.util.DerEncoder;
import sun.security.util.DerInputStream;
import sun.security.util.DerOutputStream;
import sun.security.util.DerValue;
/**
* This class defines the PKCS10 attributes for the request.
@ -49,8 +51,8 @@ import sun.security.util.*;
*/
public class PKCS10Attributes implements DerEncoder {
private Hashtable<String, PKCS10Attribute> map =
new Hashtable<String, PKCS10Attribute>(3);
private final Hashtable<String, PKCS10Attribute> map =
new Hashtable<>(3);
/**
* Default constructor for the PKCS10 attribute.
@ -174,18 +176,16 @@ public class PKCS10Attributes implements DerEncoder {
Collection<PKCS10Attribute> othersAttribs =
((PKCS10Attributes)other).getAttributes();
PKCS10Attribute[] attrs =
othersAttribs.toArray(new PKCS10Attribute[othersAttribs.size()]);
othersAttribs.toArray(new PKCS10Attribute[0]);
int len = attrs.length;
if (len != map.size())
return false;
PKCS10Attribute thisAttr, otherAttr;
String key = null;
String key;
for (int i=0; i < len; i++) {
otherAttr = attrs[i];
key = otherAttr.getAttributeId().toString();
if (key == null)
return false;
thisAttr = map.get(key);
if (thisAttr == null)
return false;
@ -213,7 +213,6 @@ public class PKCS10Attributes implements DerEncoder {
* @return a string representation of this PKCS10Attributes.
*/
public String toString() {
String s = map.size() + "\n" + map.toString();
return s;
return map.size() + "\n" + map;
}
}

@ -1,5 +1,5 @@
/*
* Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1999, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -43,11 +43,11 @@ import sun.security.pkcs.ParsingException;
class MacData {
private String digestAlgorithmName;
private final String digestAlgorithmName;
private AlgorithmParameters digestAlgorithmParams;
private byte[] digest;
private byte[] macSalt;
private int iterations;
private final byte[] digest;
private final byte[] macSalt;
private final int iterations;
// the ASN.1 encoded contents of this class
private byte[] encoded = null;
@ -55,9 +55,7 @@ class MacData {
/**
* Parses a PKCS#12 MAC data.
*/
MacData(DerInputStream derin)
throws IOException, ParsingException
{
MacData(DerInputStream derin) throws IOException {
DerValue[] macData = derin.getSequence(2);
if (macData.length < 2 || macData.length > 3) {
throw new ParsingException("Invalid length for MacData");
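Review bot: The constructor still throws `ParsingException` for a malformed sequence, but once the signature is narrowed to `throws IOException` nothing tells a caller so; the Javadoc is only `Parses a PKCS#12 MAC data.`. Add a `@param derin` line and `@throws IOException if the encoding cannot be read; a ParsingException is thrown when the MacData sequence does not have 2 or 3 elements`. The narrowed clause implies that `ParsingException` is an `IOException` subtype, so callers that caught it separately still compile. The constructor body continues outside the hunk.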

@ -212,12 +212,12 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
private static class PrivateKeyEntry extends KeyEntry {
byte[] protectedPrivKey;
Certificate[] chain;
};
}
// A secret key
private static class SecretKeyEntry extends KeyEntry {
byte[] protectedSecretKey;
};
}
// A certificate entry
private static class CertEntry extends Entry {
@ -272,12 +272,12 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
* Private keys and certificates are stored in a map.
* Map entries are keyed by alias names.
*/
private Map<String, Entry> entries =
Collections.synchronizedMap(new LinkedHashMap<String, Entry>());
private final Map<String, Entry> entries =
Collections.synchronizedMap(new LinkedHashMap<>());
private ArrayList<KeyEntry> keyList = new ArrayList<KeyEntry>();
private List<X509Certificate> allCerts = new ArrayList<>();
private ArrayList<CertEntry> certEntries = new ArrayList<CertEntry>();
private final ArrayList<KeyEntry> keyList = new ArrayList<>();
private final List<X509Certificate> allCerts = new ArrayList<>();
private final ArrayList<CertEntry> certEntries = new ArrayList<>();
/**
* Returns the key associated with the given alias, using the given
@ -298,14 +298,14 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
throws NoSuchAlgorithmException, UnrecoverableKeyException
{
Entry entry = entries.get(alias.toLowerCase(Locale.ENGLISH));
Key key = null;
Key key;
if (!(entry instanceof KeyEntry)) {
return null;
}
// get the encoded private key or secret key
byte[] encrBytes = null;
byte[] encrBytes;
if (entry instanceof PrivateKeyEntry) {
encrBytes = ((PrivateKeyEntry) entry).protectedPrivKey;
} else if (entry instanceof SecretKeyEntry) {
@ -866,7 +866,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
*/
private SecretKey getPBEKey(char[] password) throws IOException
{
SecretKey skey = null;
SecretKey skey;
PBEKeySpec keySpec = new PBEKeySpec(password);
try {
@ -900,9 +900,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
*/
private byte[] encryptPrivateKey(byte[] data,
KeyStore.PasswordProtection passwordProtection)
throws IOException, NoSuchAlgorithmException, UnrecoverableKeyException
throws UnrecoverableKeyException
{
byte[] key = null;
byte[] key;
try {
String algorithm;
@ -1043,8 +1043,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
}
Entry entry = entries.get(alias.toLowerCase(Locale.ENGLISH));
if (entry instanceof PrivateKeyEntry) {
PrivateKeyEntry keyEntry = (PrivateKeyEntry) entry;
if (entry instanceof PrivateKeyEntry keyEntry) {
if (keyEntry.chain != null) {
certificateCount -= keyEntry.chain.length;
}
@ -1107,12 +1106,8 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
*/
public boolean engineIsCertificateEntry(String alias) {
Entry entry = entries.get(alias.toLowerCase(Locale.ENGLISH));
if (entry instanceof CertEntry certEntry &&
certEntry.trustedKeyUsage != null) {
return true;
} else {
return false;
}
return entry instanceof CertEntry certEntry &&
certEntry.trustedKeyUsage != null;
}
/**
@ -1455,7 +1450,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
} else {
KeyStore.SecretKeyEntry ske = (KeyStore.SecretKeyEntry)entry;
setKeyEntry(alias, ske.getSecretKey(), pProtect,
(Certificate[])null, ske.getAttributes());
null, ske.getAttributes());
return;
}
@ -1514,7 +1509,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
private byte[] calculateMac(char[] passwd, byte[] data)
throws IOException
{
byte[] mData = null;
byte[] mData;
String algName = macAlgorithm.substring(7);
try {
@ -1598,7 +1593,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
* unique, and the corresponding private key should have the same
* localKeyID. For trusted CA certs in the cert-chain, localKeyID
* attribute is not required, hence most vendors don't include it.
* NSS/Netscape require it to be unique or null, where as IE/OpenSSL
* NSS/Netscape require it to be unique or null, whereas IE/OpenSSL
* ignore it.
*
* Here is a list of pkcs12 attribute values in CertBags.
@ -1632,8 +1627,8 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
byte[] friendlyName = null;
byte[] trustedKeyUsage = null;
// return null if all three attributes are null
if ((alias == null) && (keyId == null) && (trustedKeyUsage == null)) {
// return null if both attributes are null
if (alias == null && keyId == null) {
return null;
}
@ -1723,13 +1718,9 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
// certificate chain
Certificate[] certs;
if (entry instanceof PrivateKeyEntry) {
PrivateKeyEntry keyEntry = (PrivateKeyEntry) entry;
if (keyEntry.chain != null) {
certs = keyEntry.chain;
} else {
certs = new Certificate[0];
}
if (entry instanceof PrivateKeyEntry keyEntry) {
certs = (keyEntry.chain != null) ?
keyEntry.chain : new Certificate[0];
} else if (entry instanceof CertEntry) {
certs = new Certificate[]{((CertEntry) entry).cert};
} else {
@ -1767,11 +1758,10 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
// write SafeBag Attributes
// All Certs should have a unique friendlyName.
// This change is made to meet NSS requirements.
byte[] bagAttrs = null;
byte[] bagAttrs;
if (i == 0) {
// Only End-Entity Cert should have a localKeyId.
if (entry instanceof KeyEntry) {
KeyEntry keyEntry = (KeyEntry) entry;
if (entry instanceof KeyEntry keyEntry) {
bagAttrs =
getBagAttributes(keyEntry.alias, keyEntry.keyId,
keyEntry.attributes);
@ -1815,8 +1805,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
* Each PKCS8ShroudedKeyBag includes pkcs12 attributes
* (see comments in getBagAttributes)
*/
private byte[] createSafeContent()
throws CertificateException, IOException {
private byte[] createSafeContent() throws IOException {
DerOutputStream out = new DerOutputStream();
for (Enumeration<String> e = engineAliases(); e.hasMoreElements(); ) {
@ -1835,7 +1824,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
// get the encrypted private key
byte[] encrBytes = ((PrivateKeyEntry)keyEntry).protectedPrivKey;
EncryptedPrivateKeyInfo encrInfo = null;
EncryptedPrivateKeyInfo encrInfo;
try {
encrInfo = new EncryptedPrivateKeyInfo(encrBytes);
@ -1908,7 +1897,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
private byte[] encryptContent(byte[] data, char[] password)
throws IOException {
byte[] encryptedData = null;
byte[] encryptedData;
try {
@ -2215,12 +2204,11 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
* Match up private keys with certificate chains.
*/
PrivateKeyEntry[] list =
keyList.toArray(new PrivateKeyEntry[keyList.size()]);
keyList.toArray(new PrivateKeyEntry[0]);
for (int m = 0; m < list.length; m++) {
PrivateKeyEntry entry = list[m];
if (entry.keyId != null) {
ArrayList<X509Certificate> chain =
new ArrayList<X509Certificate>();
ArrayList<X509Certificate> chain = new ArrayList<>();
X509Certificate cert = findMatchedCertificate(entry);
mainloop:
@ -2248,7 +2236,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
}
/* Update existing KeyEntry in entries table */
if (chain.size() > 0) {
entry.chain = chain.toArray(new Certificate[chain.size()]);
entry.chain = chain.toArray(new Certificate[0]);
}
}
}
@ -2396,8 +2384,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
}
private void loadSafeContents(DerInputStream stream)
throws IOException, NoSuchAlgorithmException, CertificateException
{
throws IOException, CertificateException {
DerValue[] safeBags = stream.getSequence(2);
int count = safeBags.length;
@ -2517,14 +2504,13 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
/*
* As per PKCS12 v1.0 friendlyname (alias) and localKeyId (keyId)
* are optional PKCS12 bagAttributes. But entries in the keyStore
* are identified by their alias. Hence we need to have an
* are identified by their alias. Hence, we need to have an
* Unfriendlyname in the alias, if alias is null. The keyId
* attribute is required to match the private key with the
* certificate. If we get a bagItem of type KeyEntry with a
* null keyId, we should skip it entirely.
*/
if (bagItem instanceof KeyEntry) {
KeyEntry entry = (KeyEntry)bagItem;
if (bagItem instanceof KeyEntry entry) {
if (keyId == null) {
if (bagItem instanceof PrivateKeyEntry) {
@ -2551,7 +2537,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
date = new Date(
Long.parseLong(keyIdStr.substring(5)));
} catch (Exception e) {
date = null;
// date has been initialized to null
}
}
if (date == null) {
@ -2560,7 +2546,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
entry.date = date;
if (bagItem instanceof PrivateKeyEntry) {
keyList.add((PrivateKeyEntry) entry);
keyList.add(entry);
}
if (entry.attributes == null) {
entry.attributes = new HashSet<>();
@ -2572,8 +2558,7 @@ public final class PKCS12KeyStore extends KeyStoreSpi {
entry.alias = alias;
entries.put(alias.toLowerCase(Locale.ENGLISH), entry);
} else if (bagItem instanceof X509Certificate) {
X509Certificate cert = (X509Certificate)bagItem;
} else if (bagItem instanceof X509Certificate cert) {
// Insert a localKeyID for the corresponding cert
// Note: This is a workaround to allow null localKeyID
// attribute in pkcs12 with one private key entry and
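Review bot: The dropped term `trustedKeyUsage == null` in the early return tested a local that is assigned `null` two lines earlier, so `if (alias == null && keyId == null)` behaves the same. The old comment (`all three attributes`) suggests the third check was meant to look at a caller-supplied value, though. If this method receives trusted-usage data as an argument (its signature is outside the hunk), a bag with that data but no alias or keyId gets `null` attributes both before and after this change. I would either test the argument here or add a comment such as `// trusted usage alone does not produce bag attributes`, so the behaviour is recorded as intended rather than as a side effect of the cleanup.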

@ -57,7 +57,7 @@ import static java.security.DrbgParameters.Capability.*;
* <p>
* SecureRandom methods like reseed and nextBytes are not thread-safe.
* An implementation is required to protect shared access to instantiate states
* (instantiated, nonce) and DRBG states (v, c, key, reseedCounter, etc).
* (instantiated, nonce) and DRBG states (v, c, key, reseedCounter, etc.).
*/
public abstract class AbstractDrbg {
@ -78,7 +78,7 @@ public abstract class AbstractDrbg {
* after each random bits generation and reset it in reseed. A mechanism
* does <em>not</em> need to compare it to {@link #reseedInterval}.
*
* Volatile, will be used in a double checked locking.
* Volatile, will be used in double-checked locking.
*/
protected volatile int reseedCounter;
@ -343,12 +343,10 @@ public abstract class AbstractDrbg {
if (debug != null) {
debug.println(this, "nextBytes");
}
if (params instanceof DrbgParameters.NextBytes) {
if (params instanceof DrbgParameters.NextBytes dp) {
// 800-90Ar1 9.3: Generate Process.
DrbgParameters.NextBytes dp = (DrbgParameters.NextBytes) params;
// Step 2: max_number_of_bits_per_request
if (result.length > maxNumberOfBytesPerRequest) {
// generateAlgorithm should be called multiple times to fill
@ -378,7 +376,7 @@ public abstract class AbstractDrbg {
instantiateIfNecessary(null);
// Step 7: Auto reseed (reseedCounter might overflow)
// Double checked locking, safe because reseedCounter is volatile
// Double-checked locking, safe because reseedCounter is volatile
if (reseedCounter < 0 || reseedCounter > reseedInterval || pr) {
synchronized (this) {
if (reseedCounter < 0 || reseedCounter > reseedInterval
@ -410,8 +408,7 @@ public abstract class AbstractDrbg {
if (params == null) {
params = DrbgParameters.reseed(predictionResistanceFlag, null);
}
if (params instanceof DrbgParameters.Reseed) {
DrbgParameters.Reseed dp = (DrbgParameters.Reseed) params;
if (params instanceof DrbgParameters.Reseed dp) {
// 800-90Ar1 9.2: Reseed Process.
@ -542,7 +539,7 @@ public abstract class AbstractDrbg {
prseeder = defaultES;
// According to SP800-90C section 7, a DRBG without live
// entropy (drbg here, with pr being false) can instantiate
// another DRBG with weaker strength. So we choose highest
// another DRBG with weaker strength. So we choose the highest
// strength we support.
HashDrbg first = new HashDrbg(new MoreDrbgParameters(
prseeder, null, "SHA-256", null, false,
@ -572,10 +569,10 @@ public abstract class AbstractDrbg {
}
/**
* A mechanism shall override this constructor to setup {@link #mechName},
* A mechanism shall override this constructor to set up {@link #mechName},
* {@link #highestSupportedSecurityStrength},
* {@link #supportPredictionResistance}, {@link #supportReseeding}
* or other features like {@link #DEFAULT_STRENGTH}. Finally it shall
* or other features like {@link #DEFAULT_STRENGTH}. Finally, it shall
* call {@link #configure} on {@code params}.
*
* @param params the {@link SecureRandomParameters} object.
@ -619,8 +616,7 @@ public abstract class AbstractDrbg {
if (params == null) {
params = DrbgParameters.instantiation(-1, RESEED_ONLY, null);
}
if (params instanceof MoreDrbgParameters) {
MoreDrbgParameters m = (MoreDrbgParameters)params;
if (params instanceof MoreDrbgParameters m) {
this.requestedNonce = m.nonce;
this.es = m.es;
this.requestedAlgorithm = m.algorithm;
@ -628,44 +624,40 @@ public abstract class AbstractDrbg {
params = DrbgParameters.instantiation(m.strength,
m.capability, m.personalizationString);
}
if (params != null) {
if (params instanceof DrbgParameters.Instantiation) {
DrbgParameters.Instantiation inst =
(DrbgParameters.Instantiation) params;
if (params instanceof DrbgParameters.Instantiation inst) {
// 800-90Ar1 9.1: Instantiate Process. Steps 1-5.
// 800-90Ar1 9.1: Instantiate Process. Steps 1-5.
// Step 1: Check requested_instantiation_security_strength
if (inst.getStrength() > highestSupportedSecurityStrength) {
throw new IllegalArgumentException("strength too big: "
+ inst.getStrength());
}
// Step 2: Check prediction_resistance_flag
if (inst.getCapability().supportsPredictionResistance()
&& !supportPredictionResistance) {
throw new IllegalArgumentException("pr not supported");
}
// Step 3: Check personalization_string
byte[] ps = inst.getPersonalizationString();
if (ps != null && ps.length > maxPersonalizationStringLength) {
throw new IllegalArgumentException("ps too long: "
+ ps.length);
}
if (inst.getCapability().supportsReseeding()
&& !supportReseeding) {
throw new IllegalArgumentException("reseed not supported");
}
this.personalizationString = ps;
this.predictionResistanceFlag =
inst.getCapability().supportsPredictionResistance();
this.requestedInstantiationSecurityStrength = inst.getStrength();
} else {
throw new IllegalArgumentException("unknown params: "
+ params.getClass());
// Step 1: Check requested_instantiation_security_strength
if (inst.getStrength() > highestSupportedSecurityStrength) {
throw new IllegalArgumentException("strength too big: "
+ inst.getStrength());
}
// Step 2: Check prediction_resistance_flag
if (inst.getCapability().supportsPredictionResistance()
&& !supportPredictionResistance) {
throw new IllegalArgumentException("pr not supported");
}
// Step 3: Check personalization_string
byte[] ps = inst.getPersonalizationString();
if (ps != null && ps.length > maxPersonalizationStringLength) {
throw new IllegalArgumentException("ps too long: "
+ ps.length);
}
if (inst.getCapability().supportsReseeding()
&& !supportReseeding) {
throw new IllegalArgumentException("reseed not supported");
}
this.personalizationString = ps;
this.predictionResistanceFlag =
inst.getCapability().supportsPredictionResistance();
this.requestedInstantiationSecurityStrength = inst.getStrength();
} else {
throw new IllegalArgumentException("unknown params: "
+ params.getClass());
}
// Step 4: Set security_strength
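Review bot: With the `if (params != null)` wrapper gone, the final `else` in this hunk calls `params.getClass()` unguarded. Only the default assigned in `if (params == null)` at the top of the method keeps it from a NullPointerException. That invariant deserves a one-line comment above the `instanceof` test, for example `// params is non-null here: a default was assigned above`. Separately, the `supportsReseeding()` check sits under the `Step 3: Check personalization_string` comment with no label of its own. The method continues past the hunk at Step 4.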

@ -1,5 +1,5 @@
/*
* Copyright (c) 2016, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2016, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -66,8 +66,7 @@ public abstract class AbstractHashDrbg extends AbstractDrbg {
}
this.securityStrength = tryStrength;
} else {
this.securityStrength = DEFAULT_STRENGTH > supportedStrength ?
supportedStrength : DEFAULT_STRENGTH;
this.securityStrength = Math.min(DEFAULT_STRENGTH, supportedStrength);
}
} else {
int tryStrength = (requestedInstantiationSecurityStrength < 0) ?

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -123,8 +123,8 @@ public final class ConfigFile extends Configuration {
private StreamTokenizer st;
private int lookahead;
private static Debug debugConfig = Debug.getInstance("configfile");
private static Debug debugParser = Debug.getInstance("configparser");
private static final Debug debugConfig = Debug.getInstance("configfile");
private static final Debug debugParser = Debug.getInstance("configparser");
/**
* Creates a new {@code ConfigurationSpi} object.
@ -164,8 +164,8 @@ public final class ConfigFile extends Configuration {
// call in a doPrivileged
//
// we have already passed the Configuration.getInstance
// security check. also this class is not freely accessible
// We have already passed the Configuration.getInstance
// security check. Also, this class is not freely accessible
// (it is in the "sun" package).
try {
@ -207,7 +207,7 @@ public final class ConfigFile extends Configuration {
// For policy.expandProperties, check if either a security or system
// property is set to false (old code erroneously checked the system
// prop so we must check both to preserve compatibility).
// prop, so we must check both to preserve compatibility).
String expand = Security.getProperty("policy.expandProperties");
if (expand == null) {
expand = System.getProperty("policy.expandProperties");
@ -220,7 +220,7 @@ public final class ConfigFile extends Configuration {
Map<String, List<AppConfigurationEntry>> newConfig = new HashMap<>();
if (url != null) {
/**
/*
* If the caller specified a URI via Configuration.getInstance,
* we only read from that URI
*/
@ -232,7 +232,7 @@ public final class ConfigFile extends Configuration {
return;
}
/**
/*
* Caller did not specify URI via Configuration.getInstance.
* Read from URLs listed in the java.security properties file.
*/
@ -254,7 +254,7 @@ public final class ConfigFile extends Configuration {
extra_config);
}
URL configURL = null;
URL configURL;
try {
configURL = new URL(extra_config);
} catch (MalformedURLException mue) {
@ -302,7 +302,7 @@ public final class ConfigFile extends Configuration {
n++;
}
if (initialized == false && n == 1 && config_url == null) {
if (!initialized && n == 1) {
// get the config from the user's home directory
if (debugConfig != null) {
@ -353,7 +353,7 @@ public final class ConfigFile extends Configuration {
public AppConfigurationEntry[] engineGetAppConfigurationEntry
(String applicationName) {
List<AppConfigurationEntry> list = null;
List<AppConfigurationEntry> list;
synchronized (configuration) {
list = configuration.get(applicationName);
}
@ -375,7 +375,7 @@ public final class ConfigFile extends Configuration {
}
/**
* Refresh and reload the Configuration by re-reading all of the
* Refresh and reload the Configuration by re-reading all the
* login configurations.
*
* @throws SecurityException if the caller does not have permission
@ -448,7 +448,7 @@ public final class ConfigFile extends Configuration {
match("{");
// get the modules
while (peek("}") == false) {
while (!peek("}")) {
// get the module class name
String moduleClass = match("module class name");
@ -476,7 +476,7 @@ public final class ConfigFile extends Configuration {
// get the args
Map<String, String> options = new HashMap<>();
while (peek(";") == false) {
while (!peek(";")) {
String key = match("option key");
match("=");
try {
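Review bot: Dropping `config_url == null` from `if (!initialized && n == 1)` is the one edit in this section that changes a condition rather than spelling, and it guards the fallback that reads the login configuration from the user's home directory. The term is redundant only if the loop ending in `n++` can exit solely when `config_url` is null. That loop header is outside the hunk, so the redundancy is inferred rather than shown. I would add a comment above the test, e.g. `// config_url is always null once the loop above has exited`, so the precondition for the home-directory fallback stays explicit.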

@ -1,5 +1,5 @@
/*
* Copyright (c) 2016, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2016, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -93,8 +93,7 @@ public class CtrDrbg extends AbstractDrbg {
}
this.securityStrength = tryStrength;
} else {
this.securityStrength = (DEFAULT_STRENGTH > supportedStrength) ?
supportedStrength : DEFAULT_STRENGTH;
this.securityStrength = Math.min(DEFAULT_STRENGTH, supportedStrength);
}
} else {
int tryStrength = (requestedInstantiationSecurityStrength < 0) ?
@ -244,7 +243,7 @@ public class CtrDrbg extends AbstractDrbg {
more = nonce;
} else {
if (nonce.length + personalizationString.length < 0) {
// Length must be represented as a 32 bit integer in df()
// Length must be represented as a 32-bit integer in df()
throw new IllegalArgumentException(
"nonce plus personalization string is too long");
}
@ -328,7 +327,7 @@ public class CtrDrbg extends AbstractDrbg {
try {
cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(k, keyAlg));
int tailLen = temp.length - blockLen*i;
// 14. requested_bits = leftmost(temp, nuumber_of_bits_to_return)
// 14. requested_bits = leftmost(temp, number_of_bits_to_return)
if (tailLen > blockLen) {
tailLen = blockLen;
}
@ -395,7 +394,7 @@ public class CtrDrbg extends AbstractDrbg {
// Step 1: cat bytes
if (additionalInput != null) {
if (ei.length + additionalInput.length < 0) {
// Length must be represented as a 32 bit integer in df()
// Length must be represented as a 32-bit integer in df()
throw new IllegalArgumentException(
"entropy plus additional input is too long");
}

@ -1,5 +1,5 @@
/*
* Copyright (c) 2016, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2016, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -154,8 +154,7 @@ public final class DRBG extends SecureRandomSpi {
if (params != null) {
// MoreDrbgParameters is used for testing.
if (params instanceof MoreDrbgParameters) {
MoreDrbgParameters m = (MoreDrbgParameters) params;
if (params instanceof MoreDrbgParameters m) {
params = DrbgParameters.instantiation(m.strength,
m.capability, m.personalizationString);
@ -171,9 +170,7 @@ public final class DRBG extends SecureRandomSpi {
}
usedf = m.usedf;
}
if (params instanceof DrbgParameters.Instantiation) {
DrbgParameters.Instantiation dp =
(DrbgParameters.Instantiation) params;
if (params instanceof DrbgParameters.Instantiation dp) {
// ps is still null by now
ps = dp.getPersonalizationString();

@ -1,5 +1,5 @@
/*
* Copyright (c) 1996, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -43,7 +43,7 @@ import sun.security.jca.JCAUtil;
/**
* The Digital Signature Standard (using the Digital Signature
* Algorithm), as described in fips186-3 of the National Instute of
* Algorithm), as described in fips186-3 of the National Institute of
* Standards and Technology (NIST), using SHA digest algorithms
* from FIPS180-3.
*
@ -141,14 +141,11 @@ abstract class DSA extends SignatureSpi {
*/
protected void engineInitSign(PrivateKey privateKey)
throws InvalidKeyException {
if (!(privateKey instanceof java.security.interfaces.DSAPrivateKey)) {
if (!(privateKey instanceof java.security.interfaces.DSAPrivateKey priv)) {
throw new InvalidKeyException("not a DSA private key: " +
privateKey);
}
java.security.interfaces.DSAPrivateKey priv =
(java.security.interfaces.DSAPrivateKey)privateKey;
// check for algorithm specific constraints before doing initialization
DSAParams params = priv.getParams();
if (params == null) {
@ -179,12 +176,10 @@ abstract class DSA extends SignatureSpi {
*/
protected void engineInitVerify(PublicKey publicKey)
throws InvalidKeyException {
if (!(publicKey instanceof java.security.interfaces.DSAPublicKey)) {
if (!(publicKey instanceof java.security.interfaces.DSAPublicKey pub)) {
throw new InvalidKeyException("not a DSA public key: " +
publicKey);
}
java.security.interfaces.DSAPublicKey pub =
(java.security.interfaces.DSAPublicKey)publicKey;
// check for algorithm specific constraints before doing initialization
DSAParams params = pub.getParams();
@ -321,8 +316,8 @@ abstract class DSA extends SignatureSpi {
protected boolean engineVerify(byte[] signature, int offset, int length)
throws SignatureException {
BigInteger r = null;
BigInteger s = null;
BigInteger r;
BigInteger s;
if (p1363Format) {
if ((length & 1) == 1) {
@ -490,7 +485,7 @@ abstract class DSA extends SignatureSpi {
}
/**
* Return a human readable rendition of the engine.
* Return a human-readable rendition of the engine.
*/
public String toString() {
String printable = "DSA Signature";
@ -505,7 +500,7 @@ abstract class DSA extends SignatureSpi {
printable += "\n\ty: " + Debug.toHexString(presetY);
}
if (presetY == null && presetX == null) {
printable += "\n\tUNINIIALIZED";
printable += "\n\tUNINITIALIZED";
}
return printable;
}
@ -709,7 +704,7 @@ abstract class DSA extends SignatureSpi {
ofs += len;
}
}
protected final void engineUpdate(ByteBuffer input) {
protected void engineUpdate(ByteBuffer input) {
int inputLen = input.remaining();
if (inputLen > (digestBuffer.length - ofs)) {
ofs = Integer.MAX_VALUE;
@ -744,12 +739,12 @@ abstract class DSA extends SignatureSpi {
protected void engineReset() {
ofs = 0;
}
protected final int engineGetDigestLength() {
protected int engineGetDigestLength() {
return digestBuffer.length;
}
}
private Raw(boolean p1363Format) throws NoSuchAlgorithmException {
private Raw(boolean p1363Format) {
super(new NullDigest20(), p1363Format);
}
@ -759,7 +754,7 @@ abstract class DSA extends SignatureSpi {
* Standard Raw DSA implementation.
*/
public static final class RawDSA extends Raw {
public RawDSA() throws NoSuchAlgorithmException {
public RawDSA() {
super(false);
}
}
@ -768,7 +763,7 @@ abstract class DSA extends SignatureSpi {
* Raw DSA implementation that uses the IEEE P1363 format.
*/
public static final class RawDSAinP1363Format extends Raw {
public RawDSAinP1363Format() throws NoSuchAlgorithmException {
public RawDSAinP1363Format() {
super(true);
}
}
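Review bot: The message built in `engineInitSign` still concatenates the key object itself, `"not a DSA private key: " + privateKey`, so whatever that key class's `toString()` prints ends up in an exception message that callers commonly log. For a rejected private key that may include key material, depending on the implementation. Since the `instanceof` line directly above is already being edited, report only the type: `throw new InvalidKeyException("not a DSA private key: " + (privateKey == null ? "null" : privateKey.getClass().getName()));`. The matching message in `engineInitVerify` has the same shape but carries only a public key.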

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -63,8 +63,7 @@ public class DSAKeyFactory extends KeyFactorySpi {
protected PublicKey engineGeneratePublic(KeySpec keySpec)
throws InvalidKeySpecException {
try {
if (keySpec instanceof DSAPublicKeySpec) {
DSAPublicKeySpec dsaPubKeySpec = (DSAPublicKeySpec)keySpec;
if (keySpec instanceof DSAPublicKeySpec dsaPubKeySpec) {
return new DSAPublicKeyImpl(dsaPubKeySpec.getY(),
dsaPubKeySpec.getP(),
dsaPubKeySpec.getQ(),
@ -96,8 +95,7 @@ public class DSAKeyFactory extends KeyFactorySpi {
protected PrivateKey engineGeneratePrivate(KeySpec keySpec)
throws InvalidKeySpecException {
try {
if (keySpec instanceof DSAPrivateKeySpec) {
DSAPrivateKeySpec dsaPrivKeySpec = (DSAPrivateKeySpec)keySpec;
if (keySpec instanceof DSAPrivateKeySpec dsaPrivKeySpec) {
return new DSAPrivateKey(dsaPrivKeySpec.getX(),
dsaPrivKeySpec.getP(),
dsaPrivKeySpec.getQ(),

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -26,12 +26,10 @@
package sun.security.provider;
import java.math.BigInteger;
import java.security.*;
import java.security.SecureRandom;
import java.security.*;
import java.security.interfaces.DSAParams;
import java.security.spec.AlgorithmParameterSpec;
import java.security.spec.InvalidParameterSpecException;
import java.security.spec.DSAParameterSpec;
import sun.security.jca.JCAUtil;
@ -169,8 +167,7 @@ class DSAKeyPairGenerator extends KeyPairGenerator {
pub = new DSAPublicKeyImpl(y, p, q, g);
DSAPrivateKey priv = new DSAPrivateKey(x, p, q, g);
KeyPair pair = new KeyPair(pub, priv);
return pair;
return new KeyPair(pub, priv);
} catch (InvalidKeyException e) {
throw new ProviderException(e);
}
@ -183,7 +180,7 @@ class DSAKeyPairGenerator extends KeyPairGenerator {
* generateX method.
*/
private BigInteger generateX(SecureRandom random, BigInteger q) {
BigInteger x = null;
BigInteger x;
byte[] temp = new byte[qlen];
while (true) {
random.nextBytes(temp);
@ -202,8 +199,7 @@ class DSAKeyPairGenerator extends KeyPairGenerator {
* @param p the base parameter.
*/
BigInteger generateY(BigInteger x, BigInteger p, BigInteger g) {
BigInteger y = g.modPow(x, p);
return y;
return g.modPow(x, p);
}
public static final class Current extends DSAKeyPairGenerator {

@ -105,10 +105,9 @@ public class DSAParameterGenerator extends AlgorithmParameterGeneratorSpi {
@Override
protected void engineInit(AlgorithmParameterSpec genParamSpec,
SecureRandom random) throws InvalidAlgorithmParameterException {
if (!(genParamSpec instanceof DSAGenParameterSpec)) {
if (!(genParamSpec instanceof DSAGenParameterSpec dsaGenParams)) {
throw new InvalidAlgorithmParameterException("Invalid parameter");
}
DSAGenParameterSpec dsaGenParams = (DSAGenParameterSpec)genParamSpec;
// directly initialize using the already validated values
this.valueL = dsaGenParams.getPrimePLength();
@ -124,7 +123,7 @@ public class DSAParameterGenerator extends AlgorithmParameterGeneratorSpi {
*/
@Override
protected AlgorithmParameters engineGenerateParameters() {
AlgorithmParameters algParams = null;
AlgorithmParameters algParams;
try {
if (this.random == null) {
this.random = new SecureRandom();
@ -142,14 +141,13 @@ public class DSAParameterGenerator extends AlgorithmParameterGeneratorSpi {
new DSAParameterSpec(paramP, paramQ, paramG);
algParams = AlgorithmParameters.getInstance("DSA", "SUN");
algParams.init(dsaParamSpec);
} catch (InvalidParameterSpecException e) {
} catch (InvalidParameterSpecException | NoSuchAlgorithmException |
NoSuchProviderException e) {
// this should never happen
throw new RuntimeException(e.getMessage());
} catch (NoSuchAlgorithmException | NoSuchProviderException e) {
// this should never happen, because we provide it
throw new RuntimeException(e.getMessage());
}
return algParams;
}
@ -203,7 +201,7 @@ public class DSAParameterGenerator extends AlgorithmParameterGeneratorSpi {
if (primeCertainty < 0) {
throw new ProviderException("Invalid valueL: " + valueL);
}
BigInteger resultP, resultQ, seed = null;
BigInteger resultP, resultQ, seed;
int counter;
while (true) {
do {
@ -251,9 +249,8 @@ public class DSAParameterGenerator extends AlgorithmParameterGeneratorSpi {
if (resultP.compareTo(twoLm1) > -1
&& resultP.isProbablePrime(primeCertainty)) {
/* Step 11.8 */
BigInteger[] result = {resultP, resultQ, seed,
return new BigInteger[]{resultP, resultQ, seed,
BigInteger.valueOf(counter)};
return result;
}
/* Step 11.9 */
offset = offset.add(BigInteger.valueOf(n)).add(BigInteger.ONE);
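Review bot: The merged multi-catch in engineGenerateParameters still throws `new RuntimeException(e.getMessage())`, which discards the original exception and its stack trace. Now that the three handlers are one, this is a convenient place to keep the cause: `throw new RuntimeException(e.getMessage(), e);` leaves the exception type and message as they are. Without the cause, an unexpected NoSuchProviderException or InvalidParameterSpecException from this generator is hard to trace back to its origin.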

@ -1,5 +1,5 @@
/*
* Copyright (c) 1996, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -58,7 +58,7 @@ public final class DSAPrivateKey extends PKCS8Key
private static final long serialVersionUID = -3244453684193605938L;
/* the private key */
private BigInteger x;
private final BigInteger x;
/**
* Make a DSA private key out of a private key and three parameters.

@ -1,5 +1,5 @@
/*
* Copyright (c) 1996, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,23 +25,21 @@
package sun.security.provider;
import java.util.*;
import java.io.*;
import java.io.IOException;
import java.io.Serializable;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.ProviderException;
import java.security.AlgorithmParameters;
import java.security.InvalidKeyException;
import java.security.interfaces.DSAParams;
import java.security.spec.DSAParameterSpec;
import java.security.spec.InvalidParameterSpecException;
import java.security.interfaces.DSAParams;
import sun.security.x509.X509Key;
import sun.security.x509.AlgIdDSA;
import sun.security.util.BitArray;
import sun.security.util.Debug;
import sun.security.util.DerValue;
import sun.security.util.DerInputStream;
import sun.security.util.DerOutputStream;
import sun.security.util.DerValue;
import sun.security.x509.AlgIdDSA;
import sun.security.x509.X509Key;
/**
* An X.509 public key for the Digital Signature Algorithm.

@ -396,8 +396,7 @@ abstract class DomainKeyStore extends KeyStoreSpi {
final Iterator<Map.Entry<String, KeyStore>> iterator =
keystores.entrySet().iterator();
return new Enumeration<String>() {
private int index = 0;
return new Enumeration<>() {
private Map.Entry<String, KeyStore> keystoresEntry = null;
private String prefix = null;
private Enumeration<String> aliases = null;
@ -555,14 +554,13 @@ abstract class DomainKeyStore extends KeyStoreSpi {
KeyStore keystore = keystores.get(splits[0]);
if (keystore != null) {
return new AbstractMap.SimpleEntry<>(splits[1],
(Collection<KeyStore>) Collections.singleton(keystore));
Collections.singleton(keystore));
}
} else if (splits.length == 1) { // unprefixed alias
// Check all keystores for the first occurrence of the alias
return new AbstractMap.SimpleEntry<>(alias, keystores.values());
}
return new AbstractMap.SimpleEntry<>("",
(Collection<KeyStore>) Collections.<KeyStore>emptyList());
return new AbstractMap.SimpleEntry<>("", Collections.emptyList());
}
/*
@ -652,9 +650,7 @@ abstract class DomainKeyStore extends KeyStoreSpi {
public void engineStore(KeyStore.LoadStoreParameter param)
throws IOException, NoSuchAlgorithmException, CertificateException
{
if (param instanceof DomainLoadStoreParameter) {
DomainLoadStoreParameter domainParameter =
(DomainLoadStoreParameter) param;
if (param instanceof DomainLoadStoreParameter domainParameter) {
List<KeyStoreBuilderComponents> builders = getBuilders(
domainParameter.getConfiguration(),
domainParameter.getProtectionParams());
@ -714,7 +710,7 @@ abstract class DomainKeyStore extends KeyStoreSpi {
{
// Support loading from a stream only for a JKS or default type keystore
try {
KeyStore keystore = null;
KeyStore keystore;
try {
keystore = KeyStore.getInstance("JKS");
@ -743,9 +739,7 @@ abstract class DomainKeyStore extends KeyStoreSpi {
public void engineLoad(KeyStore.LoadStoreParameter param)
throws IOException, NoSuchAlgorithmException, CertificateException
{
if (param instanceof DomainLoadStoreParameter) {
DomainLoadStoreParameter domainParameter =
(DomainLoadStoreParameter) param;
if (param instanceof DomainLoadStoreParameter domainParameter) {
List<KeyStoreBuilderComponents> builders = getBuilders(
domainParameter.getConfiguration(),
domainParameter.getProtectionParams());
@ -786,7 +780,7 @@ abstract class DomainKeyStore extends KeyStoreSpi {
throws IOException {
PolicyParser parser = new PolicyParser(true); // expand properties
Collection<PolicyParser.DomainEntry> domains = null;
Collection<PolicyParser.DomainEntry> domains;
List<KeyStoreBuilderComponents> builders = new ArrayList<>();
String uriDomain = configuration.getFragment();
@ -812,7 +806,7 @@ abstract class DomainKeyStore extends KeyStoreSpi {
this.entryNameSeparator =
domainProperties.get(ENTRY_NAME_SEPARATOR);
// escape any regex meta characters
char ch = 0;
char ch;
StringBuilder s = new StringBuilder();
for (int i = 0; i < this.entryNameSeparator.length(); i++) {
ch = this.entryNameSeparator.charAt(i);
@ -867,7 +861,7 @@ abstract class DomainKeyStore extends KeyStoreSpi {
}
}
KeyStore.ProtectionParameter keystoreProtection = null;
KeyStore.ProtectionParameter keystoreProtection;
if (passwords.containsKey(keystoreName)) {
keystoreProtection = passwords.get(keystoreName);
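Review bot: In the separator-escaping hunk, `char ch;` is still declared outside the loop even though the visible code only assigns it inside. Declaring it at the point of use, `char ch = this.entryNameSeparator.charAt(i);`, would narrow its scope now that the dead initialiser is gone. The loop body continues outside the hunk, so this assumes `ch` is not read after the loop.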

@ -1,5 +1,5 @@
/*
* Copyright (c) 2016, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2016, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -138,10 +138,8 @@ public class HashDrbg extends AbstractHashDrbg {
// Step 1 of 10.1.1.3: Prepend 0x01 || V
inputs.add(0, ONE);
inputs.add(1, v);
seed = hashDf(seedLen, inputs);
} else {
seed = hashDf(seedLen, inputs);
}
seed = hashDf(seedLen, inputs);
// Step 3. V = seed.
v = seed;

@ -1,5 +1,5 @@
/*
* Copyright (c) 2016, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2016, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -177,7 +177,7 @@ public class HmacDrbg extends AbstractHashDrbg {
v = mac.doFinal(v);
// Step 4.2 temp = temp || V.
System.arraycopy(v, 0, result, pos,
len > outLen ? outLen : len);
Math.min(len, outLen));
len -= outLen;
if (len <= 0) {

@ -63,7 +63,7 @@ public abstract sealed class JavaKeyStore extends KeyStoreSpi {
}
}
// special JKS that uses case sensitive aliases
// special JKS that uses case-sensitive aliases
public static final class CaseExactJKS extends JavaKeyStore {
String convertAlias(String alias) {
return alias;
@ -103,13 +103,13 @@ public abstract sealed class JavaKeyStore extends KeyStoreSpi {
Date date; // the creation date of this entry
byte[] protectedPrivKey;
Certificate[] chain;
};
}
// Trusted certificates
private static class TrustedCertEntry {
Date date; // the creation date of this entry
Certificate cert;
};
}
/**
* Private keys and certificates are stored in a hashtable.
@ -118,7 +118,7 @@ public abstract sealed class JavaKeyStore extends KeyStoreSpi {
private final Hashtable<String, Object> entries;
JavaKeyStore() {
entries = new Hashtable<String, Object>();
entries = new Hashtable<>();
}
// convert an alias to internal form, overridden in subclasses:
@ -656,8 +656,8 @@ public abstract sealed class JavaKeyStore extends KeyStoreSpi {
MessageDigest md = null;
CertificateFactory cf = null;
Hashtable<String, CertificateFactory> cfs = null;
ByteArrayInputStream bais = null;
byte[] encoded = null;
ByteArrayInputStream bais;
byte[] encoded;
int trustedKeyCount = 0, privateKeyCount = 0;
if (stream == null)
@ -684,7 +684,7 @@ public abstract sealed class JavaKeyStore extends KeyStoreSpi {
cf = CertificateFactory.getInstance("X509");
} else {
// version 2
cfs = new Hashtable<String, CertificateFactory>(3);
cfs = new Hashtable<>(3);
}
entries.clear();
@ -714,7 +714,7 @@ public abstract sealed class JavaKeyStore extends KeyStoreSpi {
int numOfCerts = dis.readInt();
if (numOfCerts > 0) {
List<Certificate> certs = new ArrayList<>(
numOfCerts > 10 ? 10 : numOfCerts);
Math.min(numOfCerts, 10));
for (int j = 0; j < numOfCerts; j++) {
if (xVersion == 2) {
// read the certificate type, and instantiate a
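Review bot: The cap in `new ArrayList<>(Math.min(numOfCerts, 10))` has no comment explaining why 10 is used, and `numOfCerts` comes straight from `dis.readInt()`. I would add a comment above the allocation such as `// numOfCerts is read from the keystore stream; cap the initial capacity so a bogus count cannot force a large allocation`. That reading of the intent is inferred from the code, so confirm it before committing the wording. The loop over `numOfCerts` continues outside the hunk.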

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -26,20 +26,15 @@
package sun.security.provider;
import java.io.IOException;
import java.security.Key;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.util.*;
import java.security.*;
import java.util.Arrays;
import sun.security.pkcs.PKCS8Key;
import sun.security.pkcs.EncryptedPrivateKeyInfo;
import sun.security.x509.AlgorithmId;
import sun.security.util.ObjectIdentifier;
import sun.security.pkcs.PKCS8Key;
import sun.security.util.KnownOIDs;
import sun.security.util.DerValue;
import sun.security.util.ObjectIdentifier;
import sun.security.x509.AlgorithmId;
/**
* This is an implementation of a Sun proprietary, exportable algorithm
@ -110,7 +105,7 @@ final class KeyProtector {
// key protector. We store it as a byte array, so that we can digest it.
private byte[] passwdBytes;
private MessageDigest md;
private final MessageDigest md;
/**
@ -231,7 +226,7 @@ final class KeyProtector {
byte[] digest;
int numRounds;
int xorOffset; // offset in xorKey where next digest will be stored
int encrKeyLen; // the length of the encrpyted key
int encrKeyLen; // the length of the encrypted key
// do we support the algorithm?
AlgorithmId encrAlg = encrInfo.getAlgorithm();
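Review bot: The import hunk appears to replace six explicit `java.security` imports with `import java.security.*;` (the hunk header's 20-to-15 line count points that way), while other files in this commit expand wildcards into explicit imports. Wildcards in a security provider make it harder to see which JCA types a class depends on, and they can introduce ambiguous simple names later. I would keep the explicit list here and in the AlgorithmChecker import hunk, which seems to collapse to `java.security.*`, `java.security.cert.*` and `java.util.*` in the same way.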

@ -26,7 +26,6 @@
package sun.security.provider;
import java.security.*;
import java.util.Arrays;
import static sun.security.provider.ByteArrayAccess.*;
import static sun.security.util.SecurityConstants.PROVIDER_VER;
@ -34,7 +33,7 @@ import static sun.security.util.SecurityConstants.PROVIDER_VER;
/**
* The MD4 class is used to compute an MD4 message digest over a given
* buffer of bytes. It is an implementation of the RSA Data Security Inc
* MD4 algorithim as described in internet RFC 1320.
* MD4 algorithm as described in internet RFC 1320.
*
* <p>The MD4 algorithm is very weak and should not be used unless it is
* unavoidable. Therefore, it is not registered in our standard providers. To

@ -25,21 +25,17 @@
package sun.security.provider;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.VarHandle;
import java.nio.ByteOrder;
import java.util.Arrays;
import java.util.Objects;
import static sun.security.provider.ByteArrayAccess.*;
import jdk.internal.util.Preconditions;
import jdk.internal.vm.annotation.IntrinsicCandidate;
import static sun.security.provider.ByteArrayAccess.*;
/**
* The MD5 class is used to compute an MD5 message digest over a given
* buffer of bytes. It is an implementation of the RSA Data Security Inc
* MD5 algorithim as described in internet RFC 1321.
* MD5 algorithm as described in internet RFC 1321.
*
* @author Chuck McManis
* @author Benjamin Renaud

@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -138,7 +138,7 @@ public final class ParameterCache {
/**
* Return new DSA parameters for the given length combination of prime and
* sub prime. Do not lookup in cache and do not cache the newly generated
* sub-prime. Do not look up in cache and do not cache the newly generated
* parameters. This method really only exists for the legacy method
* DSAKeyPairGenerator.initialize(int, boolean, SecureRandom).
*/
@ -157,13 +157,12 @@ public final class ParameterCache {
gen.init(genParams, random);
}
AlgorithmParameters params = gen.generateParameters();
DSAParameterSpec spec = params.getParameterSpec(DSAParameterSpec.class);
return spec;
return params.getParameterSpec(DSAParameterSpec.class);
}
static {
dhCache = new ConcurrentHashMap<Integer,DHParameterSpec>();
dsaCache = new ConcurrentHashMap<Integer,DSAParameterSpec>();
dhCache = new ConcurrentHashMap<>();
dsaCache = new ConcurrentHashMap<>();
/*
* We support precomputed parameter for legacy 512, 768 bit moduli,
@ -173,7 +172,7 @@ public final class ParameterCache {
* for validation purposes. We also include the test vectors
* from the DSA specification, FIPS 186, and the FIPS 186
* Change No 1, which updates the test vector using SHA-1
* instead of SHA (for both the G function and the message
* instead of SHA for both the G function and the message
* hash.
*/

@ -67,7 +67,7 @@ import sun.security.util.LocalizedMessage;
* <p>The protection domain contains a CodeSource
* object, which encapsulates its codebase (URL) and public key attributes.
* It also contains the principals associated with the domain.
* The Policy object evaluates the global policy in light of who the
* The Policy object evaluates the global policy in light of whom the
* principal is and what the code source is and returns an appropriate
* Permissions object.
*
@ -79,7 +79,7 @@ import sun.security.util.LocalizedMessage;
public class PolicyParser {
private Vector<GrantEntry> grantEntries;
private final Vector<GrantEntry> grantEntries;
private Map<String, DomainEntry> domainEntries;
// Convenience variables for parsing
@ -114,7 +114,7 @@ public class PolicyParser {
*/
public PolicyParser() {
grantEntries = new Vector<GrantEntry>();
grantEntries = new Vector<>();
}
@ -143,7 +143,7 @@ public class PolicyParser {
policy = new BufferedReader(policy);
}
/**
/*
* Configure the stream tokenizer:
* Recognize strings between "..."
* Don't convert words to lowercase
@ -169,7 +169,7 @@ public class PolicyParser {
st.slashSlashComments(true);
st.slashStarComments(true);
/**
/*
* The main parsing loop. The loop is executed once
* for each entry in the config file. The entries
* are delimited by semicolons. Once we've read in
@ -200,16 +200,14 @@ public class PolicyParser {
domainEntries = new TreeMap<>();
}
DomainEntry de = parseDomainEntry();
if (de != null) {
String domainName = de.getName();
if (domainEntries.putIfAbsent(domainName, de) != null) {
LocalizedMessage localizedMsg = new LocalizedMessage(
"duplicate.keystore.domain.name");
Object[] source = {domainName};
String msg = "duplicate keystore domain name: " +
domainName;
throw new ParsingException(msg, localizedMsg, source);
}
String domainName = de.getName();
if (domainEntries.putIfAbsent(domainName, de) != null) {
LocalizedMessage localizedMsg = new LocalizedMessage(
"duplicate.keystore.domain.name");
Object[] source = {domainName};
String msg = "duplicate keystore domain name: " +
domainName;
throw new ParsingException(msg, localizedMsg, source);
}
} else {
// error?
@ -573,7 +571,7 @@ public class PolicyParser {
return null;
}
return (ignoreEntry == true) ? null : e;
return (ignoreEntry) ? null : e;
}
/**
@ -618,9 +616,8 @@ public class PolicyParser {
private DomainEntry parseDomainEntry()
throws ParsingException, IOException
{
boolean ignoreEntry = false;
DomainEntry domainEntry;
String name = null;
String name;
Map<String, String> properties = new HashMap<>();
match("domain");
@ -646,7 +643,7 @@ public class PolicyParser {
}
match("}");
return (ignoreEntry == true) ? null : domainEntry;
return domainEntry;
}
/*
@ -870,15 +867,15 @@ public class PolicyParser {
public Vector<PermissionEntry> permissionEntries;
public GrantEntry() {
principals = new LinkedList<PrincipalEntry>();
permissionEntries = new Vector<PermissionEntry>();
principals = new LinkedList<>();
permissionEntries = new Vector<>();
}
public GrantEntry(String signedBy, String codeBase) {
this.codeBase = codeBase;
this.signedBy = signedBy;
principals = new LinkedList<PrincipalEntry>();
permissionEntries = new Vector<PermissionEntry>();
principals = new LinkedList<>();
permissionEntries = new Vector<>();
}
public void add(PermissionEntry pe)
@ -954,9 +951,8 @@ public class PolicyParser {
GrantEntry ge = new GrantEntry();
ge.codeBase = this.codeBase;
ge.signedBy = this.signedBy;
ge.principals = new LinkedList<PrincipalEntry>(this.principals);
ge.permissionEntries =
new Vector<PermissionEntry>(this.permissionEntries);
ge.principals = new LinkedList<>(this.principals);
ge.permissionEntries = new Vector<>(this.permissionEntries);
return ge;
}
}
@ -1059,10 +1055,9 @@ public class PolicyParser {
if (this == obj)
return true;
if (!(obj instanceof PrincipalEntry))
if (!(obj instanceof PrincipalEntry that))
return false;
PrincipalEntry that = (PrincipalEntry)obj;
return (principalClass.equals(that.principalClass) &&
principalName.equals(that.principalName));
}
@ -1140,11 +1135,9 @@ public class PolicyParser {
if (obj == this)
return true;
if (! (obj instanceof PermissionEntry))
if (! (obj instanceof PermissionEntry that))
return false;
PermissionEntry that = (PermissionEntry) obj;
if (this.permission == null) {
if (that.permission != null) return false;
} else {
@ -1164,13 +1157,10 @@ public class PolicyParser {
}
if (this.signedBy == null) {
if (that.signedBy != null) return false;
return that.signedBy == null;
} else {
if (!this.signedBy.equals(that.signedBy)) return false;
return this.signedBy.equals(that.signedBy);
}
// everything matched -- the 2 objects are equal
return true;
}
public void write(PrintWriter out) {
@ -1185,7 +1175,7 @@ public class PolicyParser {
// $name =~ s/\"/\\\"/g;
// and then in a java string, it's escaped again
out.print(name.replaceAll("\\\\", "\\\\\\\\").replaceAll("\\\"", "\\\\\\\""));
out.print(name.replaceAll("\\\\", "\\\\\\\\").replaceAll("\"", "\\\\\\\""));
out.print('"');
}
if (action != null) {
@ -1256,10 +1246,8 @@ public class PolicyParser {
}
s.append(" {\n");
if (entries != null) {
for (KeyStoreEntry entry : entries.values()) {
s.append(entry).append("\n");
}
for (KeyStoreEntry entry : entries.values()) {
s.append(entry).append("\n");
}
s.append("}");
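Review bot: The quote-escaping line in the write hunk still uses `replaceAll`, so both arguments are regex and replacement syntax layered on top of Java string escaping. Both patterns are literals, so `String.replace` says the same thing without the extra layer: `out.print(name.replace("\\", "\\\\").replace("\"", "\\\""));`. The output is identical (backslash doubled, quote prefixed with a backslash) and the line is easier to audit, given that this text ends up in a policy file. The enclosing method starts and ends outside the hunk.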

@ -25,11 +25,13 @@
package sun.security.provider;
import java.security.ProviderException;
import java.util.Arrays;
import java.util.Objects;
import jdk.internal.vm.annotation.IntrinsicCandidate;
import static sun.security.provider.ByteArrayAccess.*;
import java.nio.*;
import java.util.*;
import java.security.*;
import static sun.security.provider.ByteArrayAccess.b2lLittle;
import static sun.security.provider.ByteArrayAccess.l2bLittle;
/**
* This class implements the Secure Hash Algorithm SHA-3 developed by
@ -194,7 +196,7 @@ abstract class SHA3 extends DigestBase {
a15 ^= d0; a16 ^= d1; a17 ^= d2; a18 ^= d3; a19 ^= d4;
a20 ^= d0; a21 ^= d1; a22 ^= d2; a23 ^= d3; a24 ^= d4;
/**
/*
* Merged Step mapping Rho (section 3.2.2) and Pi (section 3.2.3).
* for performance. Optimization is achieved by precalculating
* shift constants for the following loop

@ -239,7 +239,7 @@ abstract class SHA5 extends DigestBase {
// offset 'ofs') and not on array 'W', therefore 'buf' and 'ofs'
// must be passed as parameter to the method.
@IntrinsicCandidate
private final void implCompress0(byte[] buf, int ofs) {
private void implCompress0(byte[] buf, int ofs) {
if (W == null) {
W = new long[80];
}

@ -1,5 +1,5 @@
/*
* Copyright (c) 1998, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1998, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -30,9 +30,10 @@ import java.security.MessageDigest;
import java.security.SecureRandomSpi;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.util.Arrays;
/**
* <p>This class provides a crytpographically strong pseudo-random number
* <p>This class provides a cryptographically strong pseudo-random number
* generator based on the SHA-1 hash algorithm.
*
* <p>Note that if a seed is not provided, we attempt to provide sufficient
@ -157,9 +158,7 @@ implements java.io.Serializable {
public synchronized void engineSetSeed(byte[] seed) {
if (state != null) {
digest.update(state);
for (int i = 0; i < state.length; i++) {
state[i] = 0;
}
Arrays.fill(state, (byte) 0);
}
state = digest.digest(seed);
remCount = 0;
@ -233,8 +232,7 @@ implements java.io.Serializable {
int r = remCount;
if (r > 0) {
// How many bytes?
todo = (result.length - index) < (DIGEST_SIZE - r) ?
(result.length - index) : (DIGEST_SIZE - r);
todo = Math.min(result.length - index, DIGEST_SIZE - r);
// Copy the bytes, zero the buffer
for (int i = 0; i < todo; i++) {
result[i] = output[r];
@ -252,8 +250,7 @@ implements java.io.Serializable {
updateState(state, output);
// How many bytes?
todo = (result.length - index) > DIGEST_SIZE ?
DIGEST_SIZE : result.length - index;
todo = Math.min((result.length - index), DIGEST_SIZE);
// Copy the bytes, zero the buffer
for (int i = 0; i < todo; i++) {
result[index++] = output[i];
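Review bot: The two `Math.min` rewrites in the last two hunks are written differently. The first is `Math.min(result.length - index, DIGEST_SIZE - r)`, while the second keeps a leftover pair of parentheses, `Math.min((result.length - index), DIGEST_SIZE)`. Dropping them, `todo = Math.min(result.length - index, DIGEST_SIZE);`, makes the two sites read the same. The enclosing method extends beyond both hunks.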

@ -36,16 +36,16 @@ package sun.security.provider;
* number of times the VM manages to loop in a given period. This number
* roughly reflects the machine load at that point in time.
* The samples are translated using a permutation (s-box)
* and then XORed together. This process is non linear and
* and then XORed together. This process is non-linear and
* should prevent the samples from "averaging out". The s-box
* was designed to have even statistical distribution; it's specific
* was designed to have even statistical distribution; its specific
* values are not crucial for the security of the seed.
* We also create a number of sleeper threads which add entropy
* to the system by keeping the scheduler busy.
* Twenty such samples should give us roughly 160 bits of randomness.
* <p>
* These values are gathered in the background by a daemon thread
* thus allowing the system to continue performing it's different
* thus allowing the system to continue performing its different
* activities, which in turn add entropy to the random seed.
* <p>
* The class also gathers miscellaneous system information, some
@ -186,7 +186,7 @@ abstract class SeedGenerator {
DirectoryStream<Path> stream =
Files.newDirectoryStream(f.toPath())) {
// We use a Random object to choose what file names
// should be used. Otherwise on a machine with too
// should be used. Otherwise, on a machine with too
// many files, the same first 1024 files always get
// used. Any, We make sure the first 512 files are
// always used.
@ -269,7 +269,7 @@ abstract class SeedGenerator {
private static class ThreadedSeedGenerator extends SeedGenerator
implements Runnable {
// Queue is used to collect seed bytes
private byte[] pool;
private final byte[] pool;
private int start, end, count;
// Thread group for our threads
@ -359,7 +359,7 @@ abstract class SeedGenerator {
int latch = 0;
long startTime = System.nanoTime();
while (System.nanoTime() - startTime < 250000000) {
synchronized(this){};
synchronized(this){}
// Mask the sign bit and keep latch non-negative
latch = (latch + 1) & 0x1FFFFFFF;
}
@ -485,7 +485,7 @@ abstract class SeedGenerator {
static class URLSeedGenerator extends SeedGenerator {
private String deviceName;
private final String deviceName;
private InputStream seedStream;
/**
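Review bot: The empty `synchronized(this){}` inside the 250 ms timing loop has no comment, and the hunk only removes the stray semicolon after it. An empty lock block is commonly flagged as dead code, yet here it appears to be the work whose iteration count feeds `latch`, so removing it would change the sample. I would add `// deliberately empty: acquiring the monitor is the work being counted per iteration` on the line above. That wording is my reading of the loop, so confirm it. The loop's enclosing method lies outside the hunk.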

@ -49,13 +49,13 @@ class SubjectCodeSource extends CodeSource implements java.io.Serializable {
@java.io.Serial
private static final long serialVersionUID = 6039418085604715275L;
private Subject subject;
private LinkedList<PrincipalEntry> principals;
private final Subject subject;
private final LinkedList<PrincipalEntry> principals;
private static final Class<?>[] PARAMS = { String.class };
private static final sun.security.util.Debug debug =
sun.security.util.Debug.getInstance("auth", "\t[Auth Access]");
@SuppressWarnings("serial") // Not statically typed as Serializable
private ClassLoader sysClassLoader;
private final ClassLoader sysClassLoader;
/**
* Creates a new <code>SubjectCodeSource</code>
@ -231,7 +231,7 @@ class SubjectCodeSource extends CodeSource implements java.io.Serializable {
Iterator<Principal> i =
that.getSubject().getPrincipals().iterator();
subjectList = new LinkedList<PrincipalEntry>();
subjectList = new LinkedList<>();
while (i.hasNext()) {
Principal p = i.next();
PrincipalEntry spppe = new PrincipalEntry
@ -315,14 +315,12 @@ class SubjectCodeSource extends CodeSource implements java.io.Serializable {
if (obj == this)
return true;
if (super.equals(obj) == false)
if (!super.equals(obj))
return false;
if (!(obj instanceof SubjectCodeSource))
if (!(obj instanceof SubjectCodeSource that))
return false;
SubjectCodeSource that = (SubjectCodeSource)obj;
// the principal lists must match
try {
if (this.getSubject() != that.getSubject())
@ -335,11 +333,9 @@ class SubjectCodeSource extends CodeSource implements java.io.Serializable {
(this.principals != null && that.principals == null))
return false;
if (this.principals != null && that.principals != null) {
if (!this.principals.containsAll(that.principals) ||
!that.principals.containsAll(this.principals))
return false;
if (this.principals != null) {
return this.principals.containsAll(that.principals) &&
that.principals.containsAll(this.principals);
}
return true;
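Review bot: The simplified `if (this.principals != null)` in equals is only safe because the preceding null-mismatch check has already returned when exactly one list is null, and nothing in the new code says so. A short comment would protect it from a later reorder: `// that.principals is non-null here; a null mismatch returned above`. Only the tail of that earlier condition is inside the hunk, so verify the first half before relying on it.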

@ -25,14 +25,22 @@
package sun.security.provider;
import java.io.*;
import java.net.*;
import java.util.*;
import java.security.*;
import java.io.File;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.Provider;
import java.security.Security;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashSet;
import jdk.internal.util.StaticProperty;
import sun.security.action.GetBooleanAction;
import sun.security.util.SecurityProviderConstants;
import static sun.security.util.SecurityProviderConstants.getAliases;
/**
@ -312,7 +320,7 @@ public final class SunEntries {
getAliases(algo), attrs));
}
private LinkedHashSet<Provider.Service> services;
private final LinkedHashSet<Provider.Service> services;
// name of the *System* property, takes precedence over PROP_RNDSOURCE
private static final String PROP_EGD = "java.security.egd";
@ -358,7 +366,7 @@ public final class SunEntries {
/*
* Use a URI to access this File. Previous code used a URL
* which is less strict on syntax. If we encounter a
* URISyntaxException we make best efforts for backwards
* URISyntaxException we make a best effort for backwards
* compatibility. e.g. space character in deviceName string.
*
* Method called within PrivilegedExceptionAction block.
@ -381,7 +389,7 @@ public final class SunEntries {
}
} catch (URISyntaxException use) {
/*
* Make best effort to access this File.
* Make a best effort to access this File.
* We can try using the URL path.
*/
return new File(device.getPath());

@ -1,5 +1,5 @@
/*
* Copyright (c) 1998, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1998, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -27,21 +27,21 @@ package sun.security.provider;
import java.io.*;
import java.security.PublicKey;
import java.util.*;
import java.security.cert.*;
import java.util.*;
import jdk.internal.event.EventHelper;
import jdk.internal.event.X509CertificateEvent;
import sun.security.util.KeyUtil;
import sun.security.util.Pem;
import sun.security.x509.*;
import sun.security.pkcs.PKCS7;
import sun.security.pkcs.ParsingException;
import sun.security.provider.certpath.X509CertPath;
import sun.security.provider.certpath.X509CertificatePair;
import sun.security.util.DerValue;
import sun.security.util.Cache;
import java.util.Base64;
import sun.security.pkcs.ParsingException;
import sun.security.util.DerValue;
import sun.security.util.KeyUtil;
import sun.security.x509.X509CRLImpl;
import sun.security.x509.X509CertImpl;
/**
* This class defines a certificate factory for X.509 v3 certificates {@literal &}
@ -130,7 +130,7 @@ public class X509Factory extends CertificateFactorySpi {
int read = 0;
byte[] buffer = new byte[2048];
while (length > 0) {
int n = in.read(buffer, 0, length<2048?length:2048);
int n = in.read(buffer, 0, Math.min(length, 2048));
if (n <= 0) {
break;
}
@ -676,7 +676,7 @@ public class X509Factory extends CertificateFactorySpi {
/**
* Read one BER data block. This method is aware of indefinite-length BER
* encoding and will read all of the sub-sections in a recursive way
* encoding and will read all the subsections in a recursive way
*
* @param is Read from this InputStream
* @param bout Write into this OutputStream
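Review bot: In the read loop, `Math.min(length, 2048)` repeats the size of `buffer` as a literal, so the bound and the array can drift apart if the buffer size is ever changed. Tying the limit to the array, `int n = in.read(buffer, 0, Math.min(length, buffer.length));`, removes that coupling without changing behaviour. The loop and its method continue outside the hunk.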

@ -1,5 +1,5 @@
/*
* Copyright (c) 2011, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2011, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -196,11 +196,7 @@ class AdaptableX509CertSelector extends X509CertSelector {
}
if (!super.match(cert)) {
return false;
}
return true;
return super.match(cert);
}
/*

@ -85,10 +85,10 @@ import java.util.List;
public class AdjacencyList {
// the actual set of steps the AdjacencyList represents
private ArrayList<BuildStep> mStepList;
private final ArrayList<BuildStep> mStepList;
// the original list, just for the toString method
private List<List<Vertex>> mOrigList;
private final List<List<Vertex>> mOrigList;
/**
* Constructs a new <code>AdjacencyList</code> based on the specified
@ -98,7 +98,7 @@ public class AdjacencyList {
* <code>Vertex</code> objects
*/
public AdjacencyList(List<List<Vertex>> list) {
mStepList = new ArrayList<BuildStep>();
mStepList = new ArrayList<>();
mOrigList = list;
buildList(list, 0, null);
}
@ -151,7 +151,7 @@ public class AdjacencyList {
if (allNegOne) {
// There are two cases that we could be looking at here. We
// may need to back up, or the build may have succeeded at
// this point. This is based on whether or not any
// this point. This is based on whether any
// exceptions were found in the list.
if (allXcps) {
// we need to go back...see if this is the last one

@ -1,5 +1,5 @@
/*
* Copyright (c) 2009, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2009, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,32 +25,16 @@
package sun.security.provider.certpath;
import java.security.AlgorithmConstraints;
import java.security.CryptoPrimitive;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Set;
import java.util.EnumSet;
import java.math.BigInteger;
import java.security.PublicKey;
import java.security.KeyFactory;
import java.security.AlgorithmParameters;
import java.security.GeneralSecurityException;
import java.security.*;
import java.security.cert.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.cert.PKIXCertPathChecker;
import java.security.cert.TrustAnchor;
import java.security.cert.CRLException;
import java.security.cert.CertificateException;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertPathValidatorException.BasicReason;
import java.security.cert.PKIXReason;
import java.security.interfaces.DSAParams;
import java.security.interfaces.DSAPublicKey;
import java.security.spec.DSAPublicKeySpec;
import java.util.*;
import sun.security.util.ConstraintsParameters;
import sun.security.util.Debug;
import sun.security.util.DisabledAlgorithmConstraints;
import sun.security.validator.Validator;
@ -175,7 +159,7 @@ public final class AlgorithmChecker extends PKIXCertPathChecker {
@Override
public boolean isForwardCheckingSupported() {
// Note that as this class does not support forward mode, the method
// will always returns false.
// will always return false.
return false;
}
@ -215,9 +199,7 @@ public final class AlgorithmChecker extends PKIXCertPathChecker {
PublicKey currPubKey = cert.getPublicKey();
String currSigAlg = x509Cert.getSigAlgName();
if (constraints instanceof DisabledAlgorithmConstraints) {
DisabledAlgorithmConstraints dac =
(DisabledAlgorithmConstraints)constraints;
if (constraints instanceof DisabledAlgorithmConstraints dac) {
if (prevPubKey != null && prevPubKey == trustedPubKey) {
// check constraints of trusted public key (make sure
// algorithm and size is not restricted)
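Review bot: The import hunk (-25,32 +25,16) appears to replace the explicit imports with `import java.security.*;`, `import java.security.cert.*;` and `import java.util.*;`, which makes the set of security types this checker depends on harder to audit. Both `java.security` and `java.security.cert` declare a `Certificate` type, so the file only resolves that name unambiguously while the single-type `import java.security.cert.Certificate;` stays in place; keep the explicit list, or at least comment that dependency. The CollectionCertStore import hunk collapses to `java.security.cert.*` in the same way, while the DistributionPointFetcher hunk in this commit expands wildcards into named imports, so the commit is not consistent with itself. Which lines are old and which are new is inferred from the hunk counts, because the page has lost its +/- markers.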

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -38,10 +38,10 @@ import java.security.cert.X509Certificate;
*/
public class BuildStep {
private Vertex vertex;
private final Vertex vertex;
private X509Certificate cert;
private Throwable throwable;
private int result;
private final int result;
/**
* result code associated with a certificate that may continue a path from
@ -187,29 +187,15 @@ public class BuildStep {
* @return String string representing meaning of the result code
*/
public String resultToString(int res) {
String resultString = "";
switch (res) {
case POSSIBLE:
resultString = "Certificate to be tried.\n";
break;
case BACK:
resultString = "Certificate backed out since path does not "
return switch (res) {
case POSSIBLE -> "Certificate to be tried.\n";
case BACK -> "Certificate backed out since path does not "
+ "satisfy build requirements.\n";
break;
case FOLLOW:
resultString = "Certificate satisfies conditions.\n";
break;
case FAIL:
resultString = "Certificate backed out since path does not "
case FOLLOW, SUCCEED -> "Certificate satisfies conditions.\n";
case FAIL -> "Certificate backed out since path does not "
+ "satisfy conditions.\n";
break;
case SUCCEED:
resultString = "Certificate satisfies conditions.\n";
break;
default:
resultString = "Internal error: Invalid step result value.\n";
}
return resultString;
default -> "Internal error: Invalid step result value.\n";
};
}
/**
@ -220,7 +206,7 @@ public class BuildStep {
*/
@Override
public String toString() {
String out = "Internal Error\n";
String out;
switch (result) {
case BACK:
case FAIL:
@ -256,8 +242,6 @@ public class BuildStep {
case SUCCEED:
out = out + vertex.moreToString();
break;
case POSSIBLE:
break;
default:
break;
}
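Review bot: In the -256,8 hunk, once `case POSSIBLE: break;` is removed, the remaining `default: break;` silently covers both the valid POSSIBLE result and any invalid result value, and nothing says this is intended. A one-line comment such as `default: // POSSIBLE and unknown results add no detail` would keep the intent visible, or the empty default could be dropped as well. The method containing this switch begins outside the hunk.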

@ -157,7 +157,6 @@ abstract class Builder {
case GeneralNameInterface.NAME_MATCH:
return 0;
case GeneralNameInterface.NAME_WIDENS:
break;
case GeneralNameInterface.NAME_NARROWS:
break;
default: // should never occur
@ -203,7 +202,6 @@ abstract class Builder {
return 0;
case GeneralNameInterface.NAME_WIDENS:
/* base is ancestor of test */
return (test.subtreeDepth()-base.subtreeDepth());
case GeneralNameInterface.NAME_NARROWS:
/* base is descendant of test */
return (test.subtreeDepth()-base.subtreeDepth());
@ -329,7 +327,7 @@ abstract class Builder {
constraints.merge(ncExt);
} else {
// Make sure we do a clone here, because we're probably
// going to modify this object later and we don't want to
// going to modify this object later, and we don't want to
// be sharing it with a Certificate object!
constraints = (NameConstraintsExtension) ncExt.clone();
}
@ -403,7 +401,7 @@ abstract class Builder {
} else {
// we just return an empty set to make sure that there is
// at least a certificate policies extension in the cert
matchingPolicies = Collections.<String>emptySet();
matchingPolicies = Collections.emptySet();
}
}
return matchingPolicies;
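Review bot: Both switch hunks (-157,7 and -203,7) now rely on unmarked fall-through from `case GeneralNameInterface.NAME_WIDENS:` into `case GeneralNameInterface.NAME_NARROWS:`. In the second hunk the surviving comment `/* base is ancestor of test */` sits directly above the NARROWS label with no statement of its own, which reads like a lost line in what looks like name-distance code. Marking the intent, e.g. `case GeneralNameInterface.NAME_WIDENS: // ancestor of test: fall through`, would stop a later edit from inserting a statement between the two labels by accident. Both enclosing methods start outside the hunks.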

@ -80,7 +80,7 @@ public class CertId {
SerialNumber serialNumber) throws IOException {
// compute issuerNameHash
MessageDigest md = null;
MessageDigest md;
try {
md = MessageDigest.getInstance("SHA1");
} catch (NoSuchAlgorithmException nsae) {
@ -206,29 +206,23 @@ public class CertId {
return false;
}
if (hashAlgId.equals(that.getHashAlgorithm()) &&
Arrays.equals(issuerNameHash, that.getIssuerNameHash()) &&
Arrays.equals(issuerKeyHash, that.getIssuerKeyHash()) &&
certSerialNumber.getNumber().equals(that.getSerialNumber())) {
return true;
} else {
return false;
}
return hashAlgId.equals(that.getHashAlgorithm()) &&
Arrays.equals(issuerNameHash, that.getIssuerNameHash()) &&
Arrays.equals(issuerKeyHash, that.getIssuerKeyHash()) &&
certSerialNumber.getNumber().equals(that.getSerialNumber());
}
/**
* Create a string representation of the CertId.
*/
@Override public String toString() {
StringBuilder sb = new StringBuilder();
sb.append("CertId \n");
sb.append("Algorithm: " + hashAlgId.toString() +"\n");
sb.append("issuerNameHash \n");
HexDumpEncoder encoder = new HexDumpEncoder();
sb.append(encoder.encode(issuerNameHash));
sb.append("\nissuerKeyHash: \n");
sb.append(encoder.encode(issuerKeyHash));
sb.append("\n" + certSerialNumber.toString());
return sb.toString();
return "CertId \n" +
"Algorithm: " + hashAlgId.toString() + "\n" +
"issuerNameHash \n" +
encoder.encode(issuerNameHash) +
"\nissuerKeyHash: \n" +
encoder.encode(issuerKeyHash) +
"\n" + certSerialNumber.toString();
}
}

@ -1,5 +1,5 @@
/*
* Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -72,6 +72,6 @@ public abstract class CertPathHelper {
}
public static boolean isJdkCA(TrustAnchor anchor) {
return (anchor == null) ? false : instance.implIsJdkCA(anchor);
return anchor != null && instance.implIsJdkCA(anchor);
}
}

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -26,18 +26,10 @@
package sun.security.provider.certpath;
import java.security.InvalidAlgorithmParameterException;
import java.security.cert.Certificate;
import java.security.cert.CRL;
import java.security.cert.*;
import java.util.Collection;
import java.util.ConcurrentModificationException;
import java.util.HashSet;
import java.security.cert.CertSelector;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.CertStoreParameters;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.CRLSelector;
import java.security.cert.CertStoreSpi;
/**
* A <code>CertStore</code> that retrieves <code>Certificates</code> and
@ -78,7 +70,7 @@ import java.security.cert.CertStoreSpi;
*/
public class CollectionCertStore extends CertStoreSpi {
private Collection<?> coll;
private final Collection<?> coll;
/**
* Creates a <code>CertStore</code> with the specified parameters.

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -195,10 +195,10 @@ class ConstraintsChecker extends PKIXCertPathChecker {
debug.println("mergedNC = " + newConstraints);
}
if (newConstraints == null) {
return newConstraints;
return null;
} else {
// Make sure we do a clone here, because we're probably
// going to modify this object later and we don't want to
// going to modify this object later, and we don't want to
// be sharing it with a Certificate object!
return (NameConstraintsExtension)newConstraints.clone();
}

@ -1,5 +1,5 @@
/*
* Copyright (c) 2002, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,19 +25,22 @@
package sun.security.provider.certpath;
import java.io.*;
import java.io.IOException;
import java.net.URI;
import java.security.*;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.*;
import javax.security.auth.x500.X500Principal;
import java.util.*;
import javax.security.auth.x500.X500Principal;
import sun.security.util.Debug;
import sun.security.util.Event;
import sun.security.validator.Validator;
import static sun.security.x509.PKIXExtensions.*;
import sun.security.x509.*;
import static sun.security.x509.PKIXExtensions.IssuingDistributionPoint_Id;
/**
* Class to obtain CRLs via the CRLDistributionPoints extension.
* Note that the functionality of this class must be explicitly enabled
@ -219,7 +222,7 @@ public class DistributionPointFetcher {
}
Event.report(Event.ReporterCategory.CRLCHECK, "event.crl.check", uri.toString());
CertStore ucs = null;
CertStore ucs;
try {
ucs = URICertStore.getInstance(new URICertStoreParameters(uri));
} catch (InvalidAlgorithmParameterException |
@ -331,21 +334,20 @@ public class DistributionPointFetcher {
X500Name pointCrlIssuer = null;
if (pointCrlIssuers != null) {
if (idpExt == null ||
((Boolean) idpExt.get
(IssuingDistributionPointExtension.INDIRECT_CRL)).equals
(Boolean.FALSE)) {
idpExt.get(IssuingDistributionPointExtension.INDIRECT_CRL)
== Boolean.FALSE) {
return false;
}
boolean match = false;
for (Iterator<GeneralName> t = pointCrlIssuers.iterator();
!match && t.hasNext(); ) {
GeneralNameInterface name = t.next().getName();
if (crlIssuer.equals(name) == true) {
if (crlIssuer.equals(name)) {
pointCrlIssuer = (X500Name) name;
match = true;
}
}
if (match == false) {
if (!match) {
return false;
}
@ -357,7 +359,7 @@ public class DistributionPointFetcher {
} else {
indirectCRL = true;
}
} else if (crlIssuer.equals(certIssuer) == false) {
} else if (!crlIssuer.equals(certIssuer)) {
if (debug != null) {
debug.println("crl issuer does not equal cert issuer.\n" +
"crl issuer: " + crlIssuer + "\n" +
@ -477,10 +479,10 @@ public class DistributionPointFetcher {
// the names in the cRLIssuer of the cert's DP
boolean match = false;
for (Iterator<GeneralName> t = pointCrlIssuers.iterator();
!match && t.hasNext(); ) {
!match && t.hasNext(); ) {
GeneralNameInterface crlIssuerName = t.next().getName();
for (Iterator<GeneralName> i = idpNames.iterator();
!match && i.hasNext(); ) {
!match && i.hasNext(); ) {
GeneralNameInterface idpName = i.next().getName();
match = crlIssuerName.equals(idpName);
}
@ -550,7 +552,7 @@ public class DistributionPointFetcher {
// modify it)
interimReasonsMask = reasons.getFlags().clone();
}
} else if (idpExt == null || reasons == null) {
} else {
if (pointReasonFlags != null) {
// set interim reasons mask to the value of DP reasons
interimReasonsMask = pointReasonFlags.clone();
@ -563,11 +565,11 @@ public class DistributionPointFetcher {
// verify that interim reasons mask includes one or more reasons
// not included in the reasons mask
boolean oneOrMore = false;
for (int i = 0; i < interimReasonsMask.length && !oneOrMore; i++) {
for (int i = 0; i < interimReasonsMask.length; i++) {
if (interimReasonsMask[i] &&
!(i < reasonsMask.length && reasonsMask[i]))
{
!(i < reasonsMask.length && reasonsMask[i])) {
oneOrMore = true;
break;
}
}
if (!oneOrMore) {
@ -583,7 +585,7 @@ public class DistributionPointFetcher {
boolean[] crlSign = {false,false,false,false,false,false,true};
certSel.setKeyUsage(crlSign);
// Currently by default, forward builder does not enable
// Currently, by default, forward builder does not enable
// subject/authority key identifier identifying for target
// certificate, instead, it only compares the CRL issuer and
// the target certificate subject. If the certificate of the
@ -632,7 +634,7 @@ public class DistributionPointFetcher {
newTrustAnchors.add(temporary);
}
PKIXBuilderParameters params = null;
PKIXBuilderParameters params;
try {
params = new PKIXBuilderParameters(newTrustAnchors, certSel);
} catch (InvalidAlgorithmParameterException iape) {
@ -723,7 +725,7 @@ public class DistributionPointFetcher {
private static boolean issues(X509CertImpl cert, X509CRLImpl crl,
String provider) throws IOException
{
boolean matched = false;
boolean matched;
AdaptableX509CertSelector issuerSelector =
new AdaptableX509CertSelector();
@ -757,7 +759,6 @@ public class DistributionPointFetcher {
cert.getAuthorityKeyIdentifierExtension() == null)) {
try {
crl.verify(cert.getPublicKey(), provider);
matched = true;
} catch (GeneralSecurityException e) {
matched = false;
}
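Review bot: In the -331,21 hunk the indirect-CRL test changed from `.equals(Boolean.FALSE)` to a reference comparison, `idpExt.get(IssuingDistributionPointExtension.INDIRECT_CRL) == Boolean.FALSE`. That rejects the CRL only when `get` returns the canonical `Boolean.FALSE` instance. A distinct `Boolean` object holding false, or a null (which the old cast-and-equals would have turned into a NullPointerException), now passes this check as if the CRL were indirect. The implementation of `get` is not visible here, so this may be safe today, but a revocation decision should not depend on boxed-object identity. A fail-closed form is `!Boolean.TRUE.equals(idpExt.get(IssuingDistributionPointExtension.INDIRECT_CRL))`, which takes the `return false` branch for anything other than a definite true.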

@ -69,7 +69,7 @@ final class ForwardBuilder extends Builder {
private AdaptableX509CertSelector caSelector;
private X509CertSelector caTargetSelector;
TrustAnchor trustAnchor;
private boolean searchAllCertStores = true;
private final boolean searchAllCertStores;
/**
* Initialize the builder with the input parameters.
@ -98,7 +98,7 @@ final class ForwardBuilder extends Builder {
/**
* Retrieves all certs from the specified CertStores that satisfy the
* requirements specified in the parameters and the current
* PKIX state (name constraints, policy constraints, etc).
* PKIX state (name constraints, policy constraints, etc.).
*
* @param currentState the current state.
* Must be an instance of <code>ForwardState</code>
@ -107,7 +107,7 @@ final class ForwardBuilder extends Builder {
@Override
Collection<X509Certificate> getMatchingCerts(State currentState,
List<CertStore> certStores)
throws CertStoreException, CertificateException, IOException
throws IOException
{
if (debug != null) {
debug.println("ForwardBuilder.getMatchingCerts()...");
@ -197,7 +197,7 @@ final class ForwardBuilder extends Builder {
* Compose a CertSelector to filter out
* certs which do not satisfy requirements.
*/
X509CertSelector sel = null;
X509CertSelector sel;
if (currentState.isInitial()) {
if (targetCertConstraints.getBasicConstraints() == -2) {
@ -355,7 +355,7 @@ final class ForwardBuilder extends Builder {
private boolean getCerts(AuthorityInfoAccessExtension aiaExt,
Collection<X509Certificate> certs)
{
if (Builder.USE_AIA == false) {
if (!Builder.USE_AIA) {
return false;
}
List<AccessDescription> adList = aiaExt.getAccessDescriptions();
@ -539,16 +539,13 @@ final class ForwardBuilder extends Builder {
debug.println(METHOD_NME +" distanceTto2: " + distanceTto2);
}
if (distanceTto1 > 0 || distanceTto2 > 0) {
if (distanceTto1 == distanceTto2) {
// at least one is positive
if (distanceTto2 <= 0) { // only d1 is positive
return -1;
} else if (distanceTto1 > 0 && distanceTto2 <= 0) {
return -1;
} else if (distanceTto1 <= 0 && distanceTto2 > 0) {
return 1;
} else if (distanceTto1 < distanceTto2) {
return -1;
} else { // distanceTto1 > distanceTto2
} else if (distanceTto1 <= 0) { // only d2 is positive
return 1;
} else { // all positive
return distanceTto1 > distanceTto2 ? 1 : -1;
}
}
}
@ -571,16 +568,13 @@ final class ForwardBuilder extends Builder {
debug.println(METHOD_NME +" distanceTto2: " + distanceTto2);
}
if (distanceTto1 < 0 || distanceTto2 < 0) {
if (distanceTto1 == distanceTto2) {
// at least one is negative
if (distanceTto2 >= 0) { // only d1 is negative
return -1;
} else if (distanceTto1 < 0 && distanceTto2 >= 0) {
return -1;
} else if (distanceTto1 >= 0 && distanceTto2 < 0) {
return 1;
} else if (distanceTto1 > distanceTto2) {
return -1;
} else {
} else if (distanceTto1 >= 0) { // only d2 is negative
return 1;
} else { // all negative
return distanceTto1 < distanceTto2 ? 1 : -1;
}
}
}
@ -678,9 +672,9 @@ final class ForwardBuilder extends Builder {
* signature and revocation status of the previous cert.
*
* If the last certificate is being verified (the one whose subject
* matches the target subject, then steps in 6.1.4 of the PKIX
* matches the target subject) then steps in 6.1.4 of the PKIX
* Certification Path Validation algorithm are NOT executed,
* regardless of whether or not the last cert is an end-entity
* regardless of whether the last cert is an end-entity
* cert or not. This allows callers to certify CA certs as
* well as EE certs.
*
@ -703,7 +697,7 @@ final class ForwardBuilder extends Builder {
ForwardState currState = (ForwardState)currentState;
// Don't bother to verify untrusted certificate more.
currState.untrustedChecker.check(cert, Collections.<String>emptySet());
currState.untrustedChecker.check(cert, Collections.emptySet());
/*
* check for looping - abort a loop if we encounter the same
@ -732,7 +726,7 @@ final class ForwardBuilder extends Builder {
*/
Set<String> unresCritExts = cert.getCriticalExtensionOIDs();
if (unresCritExts == null) {
unresCritExts = Collections.<String>emptySet();
unresCritExts = Collections.emptySet();
}
for (PKIXCertPathChecker checker : currState.forwardCheckers) {
checker.check(cert, unresCritExts);
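Review bot: The rewritten distance blocks (-539,16 and -571,16) still answer a tie with -1: `return distanceTto1 > distanceTto2 ? 1 : -1;` yields -1 when both distances are equal, and the new `// all positive` / `// all negative` comments hide the fact that the old code had an explicit `distanceTto1 == distanceTto2` branch for this case. If the enclosing method, which starts outside the hunk, is a `Comparator.compare`, two different certificates at the same distance compare as -1 in both argument orders, which violates the comparator's sign-symmetry requirement. The behaviour is inherited rather than introduced, so at minimum document it next to the ternary, e.g. `// ties: the first argument is preferred`. Whether a tie should instead fall through to the later preference rules needs the rest of the method to decide.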

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -113,16 +113,14 @@ class ForwardState implements State {
*/
@Override
public String toString() {
StringBuilder sb = new StringBuilder();
sb.append("State [");
sb.append("\n issuerDN of last cert: ").append(issuerDN);
sb.append("\n traversedCACerts: ").append(traversedCACerts);
sb.append("\n init: ").append(init);
sb.append("\n keyParamsNeeded: ").append(keyParamsNeededFlag);
sb.append("\n subjectNamesTraversed: \n").append
(subjectNamesTraversed);
sb.append("]\n");
return sb.toString();
return "State [" +
"\n issuerDN of last cert: " + issuerDN +
"\n traversedCACerts: " + traversedCACerts +
"\n init: " + init +
"\n keyParamsNeeded: " + keyParamsNeededFlag +
"\n subjectNamesTraversed: \n" +
subjectNamesTraversed +
"]\n";
}
/**
@ -133,14 +131,14 @@ class ForwardState implements State {
public void initState(List<PKIXCertPathChecker> certPathCheckers)
throws CertPathValidatorException
{
subjectNamesTraversed = new HashSet<GeneralNameInterface>();
subjectNamesTraversed = new HashSet<>();
traversedCACerts = 0;
/*
* Populate forwardCheckers with every user-defined checker
* that supports forward checking and initialize the forwardCheckers
*/
forwardCheckers = new ArrayList<PKIXCertPathChecker>();
forwardCheckers = new ArrayList<>();
for (PKIXCertPathChecker checker : certPathCheckers) {
if (checker.isForwardCheckingSupported()) {
checker.init(true);
@ -238,7 +236,7 @@ class ForwardState implements State {
clonedState.forwardCheckers.listIterator();
while (li.hasNext()) {
PKIXCertPathChecker checker = li.next();
if (checker instanceof Cloneable) {
if (checker != null) {
li.set((PKIXCertPathChecker)checker.clone());
}
}
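Review bot: In the clone hunk (-238,7) `if (checker instanceof Cloneable)` became `if (checker != null)`, which is equivalent only because `PKIXCertPathChecker` itself implements `Cloneable`; the new condition no longer says why cloning is always possible. If the guard were ever false, the cloned state would keep the original list entry and share it with the source state. The initState hunk above already dereferences each checker via `checker.isForwardCheckingSupported()`, so a null entry looks unreachable. Either clone unconditionally or keep the guard with a comment such as `// every PKIXCertPathChecker is Cloneable; null entries are not expected`. The clone method starts outside the hunk.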

@ -1,5 +1,5 @@
/*
* Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -138,8 +138,8 @@ public class IndexedCollectionCertStore extends CertStoreSpi {
* and CRLs.
*/
private void buildIndex(Collection<?> coll) {
certSubjects = new HashMap<X500Principal, Object>();
crlIssuers = new HashMap<X500Principal, Object>();
certSubjects = new HashMap<>();
crlIssuers = new HashMap<>();
otherCertificates = null;
otherCRLs = null;
for (Object obj : coll) {
@ -149,12 +149,12 @@ public class IndexedCollectionCertStore extends CertStoreSpi {
indexCRL((X509CRL)obj);
} else if (obj instanceof Certificate) {
if (otherCertificates == null) {
otherCertificates = new HashSet<Certificate>();
otherCertificates = new HashSet<>();
}
otherCertificates.add((Certificate)obj);
} else if (obj instanceof CRL) {
if (otherCRLs == null) {
otherCRLs = new HashSet<CRL>();
otherCRLs = new HashSet<>();
}
otherCRLs.add((CRL)obj);
} else {
@ -162,10 +162,10 @@ public class IndexedCollectionCertStore extends CertStoreSpi {
}
}
if (otherCertificates == null) {
otherCertificates = Collections.<Certificate>emptySet();
otherCertificates = Collections.emptySet();
}
if (otherCRLs == null) {
otherCRLs = Collections.<CRL>emptySet();
otherCRLs = Collections.emptySet();
}
}
@ -187,7 +187,7 @@ public class IndexedCollectionCertStore extends CertStoreSpi {
} else {
@SuppressWarnings("unchecked") // See certSubjects javadoc.
List<X509Certificate> list = (List<X509Certificate>)oldEntry;
if (list.contains(cert) == false) {
if (!list.contains(cert)) {
list.add(cert);
}
certSubjects.put(subject, list);
@ -214,7 +214,7 @@ public class IndexedCollectionCertStore extends CertStoreSpi {
// See crlIssuers javadoc.
@SuppressWarnings("unchecked")
List<X509CRL> list = (List<X509CRL>)oldEntry;
if (list.contains(crl) == false) {
if (!list.contains(crl)) {
list.add(crl);
}
crlIssuers.put(issuer, list);
@ -246,7 +246,7 @@ public class IndexedCollectionCertStore extends CertStoreSpi {
return matches;
}
if (selector instanceof X509CertSelector == false) {
if (!(selector instanceof X509CertSelector x509Selector)) {
Set<Certificate> matches = new HashSet<>();
matchX509Certs(selector, matches);
for (Certificate cert : otherCertificates) {
@ -260,7 +260,6 @@ public class IndexedCollectionCertStore extends CertStoreSpi {
if (certSubjects.isEmpty()) {
return Collections.<X509Certificate>emptySet();
}
X509CertSelector x509Selector = (X509CertSelector)selector;
// see if the subject is specified
X500Principal subject;
X509Certificate matchCert = x509Selector.getCertificate();
@ -275,8 +274,7 @@ public class IndexedCollectionCertStore extends CertStoreSpi {
if (entry == null) {
return Collections.<X509Certificate>emptySet();
}
if (entry instanceof X509Certificate) {
X509Certificate x509Entry = (X509Certificate)entry;
if (entry instanceof X509Certificate x509Entry) {
if (x509Selector.match(x509Entry)) {
return Collections.singleton(x509Entry);
} else {
@ -309,8 +307,7 @@ public class IndexedCollectionCertStore extends CertStoreSpi {
Collection<Certificate> matches) {
for (Object obj : certSubjects.values()) {
if (obj instanceof X509Certificate) {
X509Certificate cert = (X509Certificate)obj;
if (obj instanceof X509Certificate cert) {
if (selector.match(cert)) {
matches.add(cert);
}
@ -350,7 +347,7 @@ public class IndexedCollectionCertStore extends CertStoreSpi {
return matches;
}
if (selector instanceof X509CRLSelector == false) {
if (!(selector instanceof X509CRLSelector x509Selector)) {
Set<CRL> matches = new HashSet<>();
matchX509CRLs(selector, matches);
for (CRL crl : otherCRLs) {
@ -362,9 +359,8 @@ public class IndexedCollectionCertStore extends CertStoreSpi {
}
if (crlIssuers.isEmpty()) {
return Collections.<CRL>emptySet();
return Collections.emptySet();
}
X509CRLSelector x509Selector = (X509CRLSelector)selector;
// see if the issuer is specified
Collection<X500Principal> issuers = x509Selector.getIssuers();
if (issuers != null) {
@ -373,8 +369,7 @@ public class IndexedCollectionCertStore extends CertStoreSpi {
Object entry = crlIssuers.get(issuer);
if (entry == null) {
// empty
} else if (entry instanceof X509CRL) {
X509CRL crl = (X509CRL)entry;
} else if (entry instanceof X509CRL crl) {
if (x509Selector.match(crl)) {
matches.add(crl);
}
@ -403,8 +398,7 @@ public class IndexedCollectionCertStore extends CertStoreSpi {
*/
private void matchX509CRLs(CRLSelector selector, Collection<CRL> matches) {
for (Object obj : crlIssuers.values()) {
if (obj instanceof X509CRL) {
X509CRL crl = (X509CRL)obj;
if (obj instanceof X509CRL crl) {
if (selector.match(crl)) {
matches.add(crl);
}
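Review bot: The type-witness cleanup is applied unevenly in this file: `Collections.<CRL>emptySet()` becomes `Collections.emptySet()` in the -362,9 hunk, but `return Collections.<X509Certificate>emptySet();` is left untouched in the -260,7 and -275,8 hunks. If the witness is still needed there for inference, a short comment should say so; otherwise those two returns should follow the rest of the commit. Separately, `x509Selector` is now bound by `if (!(selector instanceof X509CertSelector x509Selector))` and used after the block, which presumably works because that branch always returns (its end is outside the hunk). A comment like `// x509Selector is in scope below because the branch above returns` would help readers unfamiliar with flow scoping.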

@ -113,7 +113,7 @@ class KeyChecker extends PKIXCertPathChecker {
// if final certificate, check that target constraints are satisfied
if (remainingCerts == 0) {
if (targetConstraints != null &&
targetConstraints.match(currCert) == false) {
!targetConstraints.match(currCert)) {
throw new CertPathValidatorException("target certificate " +
"constraints check failed");
}

@ -1,5 +1,5 @@
/*
* Copyright (c) 2009, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2009, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -57,10 +57,10 @@ import static java.nio.charset.StandardCharsets.UTF_8;
/**
* This is a class that checks the revocation status of a certificate(s) using
* OCSP. It is not a PKIXCertPathChecker and therefore can be used outside of
* OCSP. It is not a PKIXCertPathChecker and therefore can be used outside
* the CertPathValidator framework. It is useful when you want to
* just check the revocation status of a certificate, and you don't want to
* incur the overhead of validating all of the certificates in the
* incur the overhead of validating all the certificates in the
* associated certificate chain.
*
* @author Sean Mullan
@ -128,7 +128,7 @@ public final class OCSP {
}
}
OCSPResponse ocspResponse = null;
OCSPResponse ocspResponse;
try {
byte[] response = getOCSPBytes(certIds, responderURI, extensions);
ocspResponse = new OCSPResponse(response);
@ -271,8 +271,8 @@ public final class OCSP {
/**
* The Revocation Status of a certificate.
*/
public static interface RevocationStatus {
public enum CertStatus { GOOD, REVOKED, UNKNOWN };
public interface RevocationStatus {
enum CertStatus { GOOD, REVOKED, UNKNOWN }
/**
* Returns the revocation status.

@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -48,7 +48,7 @@ public final class OCSPNonceExtension extends Extension {
* Attribute name.
*/
private static final String EXTENSION_NAME = "OCSPNonce";
private byte[] nonceData = null;
private final byte[] nonceData;
/**
* Create an {@code OCSPNonceExtension} by providing the nonce length.
@ -166,11 +166,9 @@ public final class OCSPNonceExtension extends Extension {
*/
@Override
public String toString() {
StringBuilder sb = new StringBuilder();
sb.append(super.toString()).append(EXTENSION_NAME).append(": ");
sb.append((nonceData == null) ? "" : Debug.toString(nonceData));
sb.append("\n");
return sb.toString();
return super.toString() + EXTENSION_NAME + ": " +
((nonceData == null) ? "" : Debug.toString(nonceData)) +
"\n";
}
/**

@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -95,7 +95,7 @@ class OCSPRequest {
OCSPRequest(List<CertId> certIds) {
this.certIds = certIds;
this.extensions = Collections.<Extension>emptyList();
this.extensions = Collections.emptyList();
}
OCSPRequest(List<CertId> certIds, List<Extension> extensions) {

@ -129,7 +129,8 @@ public final class OCSPResponse {
UNUSED, // is not used
SIG_REQUIRED, // Must sign the request
UNAUTHORIZED // Request unauthorized
};
}
private static final ResponseStatus[] rsvalues = ResponseStatus.values();
private static final Debug debug = Debug.getInstance("certpath");
@ -171,7 +172,7 @@ public final class OCSPResponse {
return tmp * 1000;
}
// an array of all of the CRLReasons (used in SingleResponse)
// an array of all the CRLReasons (used in SingleResponse)
private static final CRLReason[] values = CRLReason.values();
private final ResponseStatus responseStatus;
@ -180,7 +181,7 @@ public final class OCSPResponse {
private final byte[] signature;
private final byte[] tbsResponseData;
private final byte[] responseNonce;
private List<X509CertImpl> certs;
private final List<X509CertImpl> certs;
private X509CertImpl signerCert = null;
private final ResponderId respId;
private Date producedAtDate = null;
@ -218,7 +219,7 @@ public final class OCSPResponse {
if (responseStatus != ResponseStatus.SUCCESSFUL) {
// no need to continue, responseBytes are not set.
singleResponseMap = Collections.emptyMap();
certs = new ArrayList<X509CertImpl>();
certs = new ArrayList<>();
sigAlgId = null;
signature = null;
tbsResponseData = null;
@ -243,7 +244,7 @@ public final class OCSPResponse {
// responseType
derIn = tmp.data;
ObjectIdentifier responseType = derIn.getOID();
if (responseType.equals((Object)OCSP_BASIC_RESPONSE_OID)) {
if (responseType.equals(OCSP_BASIC_RESPONSE_OID)) {
if (debug != null) {
debug.println("OCSP response type: basic");
}
@ -351,7 +352,7 @@ public final class OCSPResponse {
"OCSP response: expected ASN.1 context specific tag 0.");
}
DerValue[] derCerts = seqCert.getData().getSequence(3);
certs = new ArrayList<X509CertImpl>(derCerts.length);
certs = new ArrayList<>(derCerts.length);
try {
for (int i = 0; i < derCerts.length; i++) {
X509CertImpl cert =
@ -367,7 +368,7 @@ public final class OCSPResponse {
throw new IOException("Bad encoding in X509 Certificate", ce);
}
} else {
certs = new ArrayList<X509CertImpl>();
certs = new ArrayList<>();
}
}
@ -390,7 +391,7 @@ public final class OCSPResponse {
responseStatus);
}
// Check that the response includes a response for all of the
// Check that the response includes a response for all the
// certs that were supplied in the request
for (CertId certId : certIds) {
SingleResponse sr = getSingleResponse(certId);
@ -439,7 +440,7 @@ public final class OCSPResponse {
// This will match if the SKID is encoded using the 160-bit
// SHA-1 hash method as defined in RFC 5280.
KeyIdentifier certKeyId = cert.getSubjectKeyId();
if (certKeyId != null && ridKeyId.equals(certKeyId)) {
if (ridKeyId.equals(certKeyId)) {
signerCert = cert;
break;
} else {
@ -511,7 +512,7 @@ public final class OCSPResponse {
new AlgorithmChecker(issuerInfo.getAnchor(), date,
variant);
algChecker.init(false);
algChecker.check(signerCert, Collections.<String>emptySet());
algChecker.check(signerCert, Collections.emptySet());
// check the validity
try {
@ -699,7 +700,7 @@ public final class OCSPResponse {
* Get the {@code ResponderId} from this {@code OCSPResponse}
*
* @return the {@code ResponderId} from this response or {@code null}
* if no responder ID is in the body of the response (e.g. a
* if no responder ID is in the body of the response, e.g. a
* response with a status other than SUCCESS.
*/
public ResponderId getResponderId() {
@ -1071,11 +1072,9 @@ public final class OCSPResponse {
*/
@Override
public String toString() {
StringBuilder sb = new StringBuilder();
sb.append("Issuer Info:\n");
sb.append("Name: ").append(name.toString()).append("\n");
sb.append("Public Key:\n").append(pubKey.toString()).append("\n");
return sb.toString();
return "Issuer Info:\n" +
"Name: " + name.toString() + "\n" +
"Public Key:\n" + pubKey.toString() + "\n";
}
}
}

@ -1,5 +1,5 @@
/*
* Copyright (c) 2012, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2012, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -85,7 +85,7 @@ class PKIX {
private Set<String> policies;
private boolean gotConstraints;
private CertSelector constraints;
private Set<TrustAnchor> anchors;
private final Set<TrustAnchor> anchors;
private List<X509Certificate> certs;
private Timestamp timestamp;
private Date timestampDate;

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -98,7 +98,7 @@ class PKIXMasterCertPathValidator {
Set<String> unresCritExts = currCert.getCriticalExtensionOIDs();
if (unresCritExts == null) {
unresCritExts = Collections.<String>emptySet();
unresCritExts = Collections.emptySet();
}
if (debug != null && !unresCritExts.isEmpty()) {

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -96,7 +96,7 @@ class PolicyChecker extends PKIXCertPathChecker {
this.initPolicies = HashSet.newHashSet(1);
this.initPolicies.add(ANY_POLICY);
} else {
this.initPolicies = new HashSet<String>(initialPolicies);
this.initPolicies = new HashSet<>(initialPolicies);
}
this.certPathLen = certPathLen;
this.expPolicyRequired = expPolicyRequired;
@ -213,7 +213,7 @@ class PolicyChecker extends PKIXCertPathChecker {
+ "policyTree = " + rootNode);
}
X509CertImpl currCertImpl = null;
X509CertImpl currCertImpl;
try {
currCertImpl = X509CertImpl.toImpl(currCert);
} catch (CertificateException ce) {
@ -228,7 +228,7 @@ class PolicyChecker extends PKIXCertPathChecker {
if (!finalCert) {
explicitPolicy = mergeExplicitPolicy(explicitPolicy, currCertImpl,
finalCert);
false);
policyMapping = mergePolicyMapping(policyMapping, currCertImpl);
inhibitAnyPolicy = mergeInhibitAnyPolicy(inhibitAnyPolicy,
currCertImpl);
@ -430,7 +430,7 @@ class PolicyChecker extends PKIXCertPathChecker {
{
boolean policiesCritical = false;
List<PolicyInformation> policyInfo;
PolicyNodeImpl rootNode = null;
PolicyNodeImpl rootNode;
Set<PolicyQualifierInfo> anyQuals = new HashSet<>();
if (origRootNode == null)
@ -545,8 +545,7 @@ class PolicyChecker extends PKIXCertPathChecker {
// removing those nodes which would later have
// been removed by PKIX: Section 6.1.5: Step (g)(iii)
if ((rootNode != null) && (!initPolicies.contains(ANY_POLICY))
&& (currCertPolicies != null)) {
if (rootNode != null && !initPolicies.contains(ANY_POLICY)) {
rootNode = removeInvalidNodes(rootNode, certIndex,
initPolicies, currCertPolicies);
@ -561,7 +560,7 @@ class PolicyChecker extends PKIXCertPathChecker {
if (finalCert) {
// PKIX: Section 6.1.5: Steps (a) and (b)
explicitPolicy = mergeExplicitPolicy(explicitPolicy, currCert,
finalCert);
true);
}
// PKIX: Section 6.1.3: Step (f)
@ -610,7 +609,7 @@ class PolicyChecker extends PKIXCertPathChecker {
// we deleted the anyPolicy node and have nothing to re-add,
// so we need to prune the tree
rootNode.prune(certIndex);
if (rootNode.getChildren().hasNext() == false) {
if (!rootNode.getChildren().hasNext()) {
rootNode = null;
}
} else {
@ -648,14 +647,12 @@ class PolicyChecker extends PKIXCertPathChecker {
* @param matchAny a boolean indicating whether a value of ANY_POLICY
* in the expected policy set will be considered a match
* @return a boolean indicating whether a match was found
* @exception CertPathValidatorException Exception thrown if error occurs.
*/
private static boolean processParents(int certIndex,
boolean policiesCritical, boolean rejectPolicyQualifiers,
PolicyNodeImpl rootNode, String curPolicy,
Set<PolicyQualifierInfo> pQuals,
boolean matchAny) throws CertPathValidatorException
{
boolean matchAny) {
boolean foundMatch = false;
if (debug != null)
@ -674,10 +671,9 @@ class PolicyChecker extends PKIXCertPathChecker {
+ "found parent:\n" + curParent.asString());
foundMatch = true;
String curParPolicy = curParent.getValidPolicy();
PolicyNodeImpl curNode = null;
Set<String> curExpPols = null;
Set<String> curExpPols;
if (curPolicy.equals(ANY_POLICY)) {
// do step 2
@ -707,7 +703,7 @@ class PolicyChecker extends PKIXCertPathChecker {
policiesCritical, expPols, false);
}
} else {
curExpPols = new HashSet<String>();
curExpPols = new HashSet<>();
curExpPols.add(curPolicy);
curNode = new PolicyNodeImpl
@ -750,7 +746,7 @@ class PolicyChecker extends PKIXCertPathChecker {
debug.println("PolicyChecker.processPolicyMappings() "
+ "inside policyMapping check");
List<CertificatePolicyMap> maps = null;
List<CertificatePolicyMap> maps;
try {
maps = polMappingsExt.get(PolicyMappingsExtension.MAP);
} catch (IOException e) {
@ -857,7 +853,7 @@ class PolicyChecker extends PKIXCertPathChecker {
CertificatePoliciesExtension currCertPolicies)
throws CertPathValidatorException
{
List<PolicyInformation> policyInfo = null;
List<PolicyInformation> policyInfo;
try {
policyInfo = currCertPolicies.get(CertificatePoliciesExtension.POLICIES);
} catch (IOException ioe) {
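Review bot: The hunk at -545,8 +545,7 drops the `currCertPolicies != null` test but still passes `currCertPolicies` to `removeInvalidNodes(...)`, so the call is now safe only if `rootNode` is always null when the certificate carries no policies extension. That invariant is established outside the visible hunks. The last hunk of this file shows a method that takes `currCertPolicies` and calls `currCertPolicies.get(...)` with no null check, presumably removeInvalidNodes itself. A NullPointerException there would escape policy processing instead of surfacing as a CertPathValidatorException. Once the invariant is confirmed against the code above the hunk, I would record it at the call site, e.g. `// currCertPolicies is non-null here: rootNode is null whenever the cert has no policies extension`.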

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,15 +25,11 @@
package sun.security.provider.certpath;
import sun.security.util.KnownOIDs;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.*;
import java.security.cert.*;
import sun.security.util.KnownOIDs;
/**
* Implements the <code>PolicyNode</code> interface.
* <p>
@ -56,18 +52,18 @@ final class PolicyNodeImpl implements PolicyNode {
= KnownOIDs.CE_CERT_POLICIES_ANY.value();
// every node has one parent, and zero or more children
private PolicyNodeImpl mParent;
private HashSet<PolicyNodeImpl> mChildren;
private final PolicyNodeImpl mParent;
private final HashSet<PolicyNodeImpl> mChildren;
// the 4 fields specified by RFC 5280
private String mValidPolicy;
private HashSet<PolicyQualifierInfo> mQualifierSet;
private boolean mCriticalityIndicator;
private HashSet<String> mExpectedPolicySet;
private final String mValidPolicy;
private final HashSet<PolicyQualifierInfo> mQualifierSet;
private final boolean mCriticalityIndicator;
private final HashSet<String> mExpectedPolicySet;
private boolean mOriginalExpectedPolicySet;
// the tree depth
private int mDepth;
private final int mDepth;
// immutability flag
private boolean isImmutable = false;
@ -83,7 +79,7 @@ final class PolicyNodeImpl implements PolicyNode {
* node is the tree's root node
* @param validPolicy a String representing this node's valid policy OID
* @param qualifierSet the Set of qualifiers for this policy
* @param criticalityIndicator a boolean representing whether or not the
* @param criticalityIndicator a boolean representing whether the
* extension is critical
* @param expectedPolicySet a Set of expected policies
* @param generatedByPolicyMapping a boolean indicating whether this
@ -94,24 +90,21 @@ final class PolicyNodeImpl implements PolicyNode {
boolean criticalityIndicator, Set<String> expectedPolicySet,
boolean generatedByPolicyMapping) {
mParent = parent;
mChildren = new HashSet<PolicyNodeImpl>();
mChildren = new HashSet<>();
if (validPolicy != null)
mValidPolicy = validPolicy;
else
mValidPolicy = "";
mValidPolicy = (validPolicy != null) ? validPolicy : "";
if (qualifierSet != null)
mQualifierSet = new HashSet<PolicyQualifierInfo>(qualifierSet);
mQualifierSet = new HashSet<>(qualifierSet);
else
mQualifierSet = new HashSet<PolicyQualifierInfo>();
mQualifierSet = new HashSet<>();
mCriticalityIndicator = criticalityIndicator;
if (expectedPolicySet != null)
mExpectedPolicySet = new HashSet<String>(expectedPolicySet);
mExpectedPolicySet = new HashSet<>(expectedPolicySet);
else
mExpectedPolicySet = new HashSet<String>();
mExpectedPolicySet = new HashSet<>();
mOriginalExpectedPolicySet = !generatedByPolicyMapping;
@ -313,7 +306,7 @@ final class PolicyNodeImpl implements PolicyNode {
* Internal recursion helper.
*/
private void getPolicyNodes(int depth, Set<PolicyNodeImpl> set) {
// if we've reached the desired depth, then return ourself
// if we've reached the desired depth, then return
if (mDepth == depth) {
set.add(this);
} else {
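Review bot: The reworded comment in getPolicyNodes, `// if we've reached the desired depth, then return`, no longer matches the branch below it. That branch does not return a value; it adds the current node to the caller's set with `set.add(this)`. I would write `// at the desired depth, add this node to the result set` instead. The method body continues past the end of the hunk, so the else branch is not visible here.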

@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -60,7 +60,7 @@ public final class ResponderId {
* @see ResponderId
* @since 9
*/
public static enum Type {
public enum Type {
/**
* A BY_NAME {@code ResponderId} will be built from a subject name,
* either as an {@code X500Principal} or a DER-encoded byte array.
@ -77,7 +77,7 @@ public final class ResponderId {
private final int tagNumber;
private final String ridTypeName;
private Type(int value, String name) {
Type(int value, String name) {
this.tagNumber = value;
this.ridTypeName = name;
}
@ -92,10 +92,10 @@ public final class ResponderId {
}
}
private Type type;
private final Type type;
private X500Principal responderName;
private KeyIdentifier responderKeyId;
private byte[] encodedRid;
private final byte[] encodedRid;
/**
* Constructs a {@code ResponderId} object using an {@code X500Principal}.
@ -172,7 +172,7 @@ public final class ResponderId {
}
/**
* Return the type of {@ResponderId}
* Return the type of {@code ResponderId}
*
* @return a number corresponding to the context-specific tag number
* used in the DER-encoding for a {@code ResponderId}
@ -234,9 +234,8 @@ public final class ResponderId {
return true;
}
if (obj instanceof ResponderId) {
ResponderId respObj = (ResponderId)obj;
return Arrays.equals(encodedRid, respObj.getEncoded());
if (obj instanceof ResponderId respObj) {
return Arrays.equals(encodedRid, respObj.getEncoded());
}
return false;
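Review bot: The header change at the top of this file replaces `Copyright (c) 2015,` with `Copyright (c) 2022,`, which drops the original year instead of appending the new one. The other headers visible in this commit keep the first year and only update the second. The line should read `* Copyright (c) 2015, 2022, Oracle and/or its affiliates. All rights reserved.`.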

@ -63,7 +63,7 @@ class RevocationChecker extends PKIXRevocationChecker {
private Map<X509Certificate, byte[]> ocspResponses;
private List<Extension> ocspExtensions;
private final boolean legacy;
private LinkedList<CertPathValidatorException> softFailExceptions =
private final LinkedList<CertPathValidatorException> softFailExceptions =
new LinkedList<>();
// state variables
@ -72,7 +72,8 @@ class RevocationChecker extends PKIXRevocationChecker {
private boolean crlSignFlag;
private int certIndex;
private enum Mode { PREFER_OCSP, PREFER_CRLS, ONLY_CRLS, ONLY_OCSP };
private enum Mode { PREFER_OCSP, PREFER_CRLS, ONLY_CRLS, ONLY_OCSP }
private Mode mode = Mode.PREFER_OCSP;
private static class RevocationProperties {
@ -293,7 +294,6 @@ class RevocationChecker extends PKIXRevocationChecker {
if (debug != null) {
debug.println("CertStore exception:" + e);
}
continue;
}
}
throw new CertPathValidatorException(
@ -388,7 +388,6 @@ class RevocationChecker extends PKIXRevocationChecker {
throw e;
}
}
CertPathValidatorException cause = e;
// Otherwise, failover
if (debug != null) {
debug.println("RevocationChecker.check() " + e.getMessage());
@ -413,12 +412,12 @@ class RevocationChecker extends PKIXRevocationChecker {
throw x;
}
if (!isSoftFailException(x)) {
cause.addSuppressed(x);
throw cause;
e.addSuppressed(x);
throw e;
} else {
// only pass if both exceptions were soft failures
if (!eSoftFail) {
throw cause;
throw e;
}
}
}
@ -488,8 +487,6 @@ class RevocationChecker extends PKIXRevocationChecker {
}
break;
case "SSLServer":
result = (t instanceof IOException);
break;
case "URI":
result = (t instanceof IOException);
break;
@ -590,8 +587,7 @@ class RevocationChecker extends PKIXRevocationChecker {
params.variant(), anchor));
}
} catch (CertStoreException e) {
if (e instanceof CertStoreTypeException) {
CertStoreTypeException cste = (CertStoreTypeException)e;
if (e instanceof CertStoreTypeException cste) {
if (isCausedByNetworkIssue(cste.getType(), e)) {
throw new CertPathValidatorException(
"Unable to determine revocation status due to " +
@ -610,7 +606,6 @@ class RevocationChecker extends PKIXRevocationChecker {
try {
verifyWithSeparateSigningKey(cert, prevKey, signFlag,
stackedCerts);
return;
} catch (CertPathValidatorException cpve) {
if (networkFailureException != null) {
// if a network issue previously prevented us from
@ -651,7 +646,7 @@ class RevocationChecker extends PKIXRevocationChecker {
}
CRLReason reasonCode = CRLReason.UNSPECIFIED;
X509CRLEntryImpl entry = null;
X509CRLEntryImpl entry;
for (X509CRL crl : approvedCRLs) {
X509CRLEntry e = crl.getRevokedCertificate(cert);
if (e != null) {
@ -702,7 +697,7 @@ class RevocationChecker extends PKIXRevocationChecker {
Collection<String> unresolvedCritExts)
throws CertPathValidatorException
{
X509CertImpl currCert = null;
X509CertImpl currCert;
try {
currCert = X509CertImpl.toImpl(cert);
} catch (CertificateException ce) {
@ -713,8 +708,8 @@ class RevocationChecker extends PKIXRevocationChecker {
// does not need to be checked in this code. The constraints will be
// checked when the responder's certificate is validated.
OCSPResponse response = null;
CertId certId = null;
OCSPResponse response;
CertId certId;
try {
certId = new CertId(issuerInfo.getName(), issuerInfo.getPublicKey(),
currCert.getSerialNumberObject());
@ -756,7 +751,7 @@ class RevocationChecker extends PKIXRevocationChecker {
Extension nonceExt = new OCSPNonceExtension(DEFAULT_NONCE_BYTES);
if (ocspExtensions.size() > 0) {
tmpExtensions = new ArrayList<Extension>(ocspExtensions);
tmpExtensions = new ArrayList<>(ocspExtensions);
tmpExtensions.add(nonceExt);
} else {
tmpExtensions = List.of(nonceExt);
@ -863,9 +858,7 @@ class RevocationChecker extends PKIXRevocationChecker {
PublicKey prevKey,
boolean signFlag,
boolean[] reasonsMask,
Set<TrustAnchor> anchors)
throws CertPathValidatorException
{
Set<TrustAnchor> anchors) {
try {
X509CertImpl certImpl = X509CertImpl.toImpl(cert);
if (debug != null) {
@ -875,7 +868,7 @@ class RevocationChecker extends PKIXRevocationChecker {
}
CRLDistributionPointsExtension ext =
certImpl.getCRLDistributionPointsExtension();
List<DistributionPoint> points = null;
List<DistributionPoint> points;
if (ext == null) {
// assume a DP with reasons and CRLIssuer fields omitted
// and a DP name of the cert issuer.
@ -1036,7 +1029,7 @@ class RevocationChecker extends PKIXRevocationChecker {
builderParams.setRevocationEnabled(false);
// check for AuthorityInformationAccess extension
if (Builder.USE_AIA == true) {
if (Builder.USE_AIA) {
X509CertImpl currCertImpl = null;
try {
currCertImpl = X509CertImpl.toImpl(currCert);
@ -1067,7 +1060,7 @@ class RevocationChecker extends PKIXRevocationChecker {
}
}
CertPathBuilder builder = null;
CertPathBuilder builder;
try {
builder = CertPathBuilder.getInstance("PKIX");
} catch (NoSuchAlgorithmException nsae) {
@ -1089,7 +1082,7 @@ class RevocationChecker extends PKIXRevocationChecker {
// Now check revocation of all certs in path, assuming that
// the stackedCerts are revoked.
if (stackedCerts == null) {
stackedCerts = new HashSet<X509Certificate>();
stackedCerts = new HashSet<>();
}
stackedCerts.add(currCert);
TrustAnchor ta = cpbr.getTrustAnchor();
@ -1207,12 +1200,10 @@ class RevocationChecker extends PKIXRevocationChecker {
*/
@Override
public String toString() {
StringBuilder sb = new StringBuilder();
sb.append("RejectKeySelector: [\n");
sb.append(super.toString());
sb.append(badKeySet);
sb.append("]");
return sb.toString();
return "RejectKeySelector: [\n" +
super.toString() +
badKeySet +
"]";
}
}
}
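Review bot: In the hunk at -610,7 +606,6 the `return;` after `verifyWithSeparateSigningKey(cert, prevKey, signFlag, stackedCerts)` is removed, so a successful call now leaves the method by falling out of the try block. That is equivalent only while no statement follows this try/catch on that path. The enclosing method starts and ends outside the hunk, so this cannot be confirmed from here. Since this is a success path in revocation checking, I would mark it with a comment such as `// success: no further checks on this path`, so that a statement added after the block later is not run by accident for a certificate that has already been checked.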

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2001, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -47,13 +47,13 @@ interface State extends Cloneable {
*
* @param cert the certificate which is used to update the state
*/
public void updateState(X509Certificate cert)
void updateState(X509Certificate cert)
throws CertificateException, IOException, CertPathValidatorException;
/**
* Creates and returns a copy of this object
*/
public Object clone();
Object clone();
/**
* Returns a boolean flag indicating if the state is initial
@ -61,7 +61,7 @@ interface State extends Cloneable {
*
* @return boolean flag indicating if the state is initial (just starting)
*/
public boolean isInitial();
boolean isInitial();
/**
* Returns a boolean flag indicating if a key lacking necessary key
@ -69,5 +69,5 @@ interface State extends Cloneable {
*
* @return boolean flag indicating if key lacking parameters encountered.
*/
public boolean keyParamsNeeded();
boolean keyParamsNeeded();
}

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -72,7 +72,7 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi {
* private objects shared by methods
*/
private BuilderParams buildParams;
private CertificateFactory cf;
private final CertificateFactory cf;
private boolean pathCompleted = false;
private PolicyNode policyTreeResult;
private TrustAnchor trustAnchor;
@ -218,7 +218,7 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi {
/* Initialize adjacency list */
adjacencyList.clear();
adjacencyList.add(new LinkedList<Vertex>());
adjacencyList.add(new LinkedList<>());
currentState.untrustedChecker = new UntrustedChecker();
@ -269,16 +269,16 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi {
/*
* For each cert in the collection, verify anything
* that hasn't been checked yet (signature, revocation, etc)
* that hasn't been checked yet (signature, revocation, etc.)
* and check for loops. Call depthFirstSearchForward()
* recursively for each good cert.
*/
vertices:
for (Vertex vertex : vertices) {
/**
/*
* Restore state to currentState each time through the loop.
* This is important because some of the user-defined
* This is important because some user-defined
* checkers modify the state, which MUST be restored if
* the cert eventually fails to lead to the target and
* the next matching cert is tried.
@ -405,7 +405,7 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi {
Set<String> unresCritExts =
currCert.getCriticalExtensionOIDs();
if (unresCritExts == null) {
unresCritExts = Collections.<String>emptySet();
unresCritExts = Collections.emptySet();
}
for (PKIXCertPathChecker currChecker : checkers) {
@ -521,7 +521,7 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi {
* Append an entry for cert in adjacency list and
* set index for current vertex.
*/
adjList.add(new LinkedList<Vertex>());
adjList.add(new LinkedList<>());
vertex.setIndex(adjList.size() - 1);
/* recursively search for matching certs at next dN */

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -25,7 +25,6 @@
package sun.security.provider.certpath;
import java.util.List;
import java.security.cert.CertPathBuilderException;
/**

@ -51,7 +51,7 @@ public final class SunCertPathBuilderResult extends PKIXCertPathBuilderResult {
private static final Debug debug = Debug.getInstance("certpath");
private AdjacencyList adjList;
private final AdjacencyList adjList;
/**
* Creates a SunCertPathBuilderResult instance.

@ -1,5 +1,5 @@
/*
* Copyright (c) 2006, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2006, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -113,7 +113,7 @@ class URICertStore extends CertStoreSpi {
private long lastModified;
// the URI of this CertStore
private URI uri;
private final URI uri;
// true if URI is ldap
private boolean ldap = false;
@ -284,9 +284,8 @@ class URICertStore extends CertStoreSpi {
debug.println("Not modified, using cached copy");
}
return getMatchingCerts(certs, selector);
} else if (connection instanceof HttpURLConnection) {
} else if (connection instanceof HttpURLConnection hconn) {
// some proxy servers omit last modified
HttpURLConnection hconn = (HttpURLConnection)connection;
if (hconn.getResponseCode()
== HttpURLConnection.HTTP_NOT_MODIFIED) {
if (debug != null) {
@ -390,9 +389,8 @@ class URICertStore extends CertStoreSpi {
debug.println("Not modified, using cached copy");
}
return getMatchingCRLs(crl, selector);
} else if (connection instanceof HttpURLConnection) {
} else if (connection instanceof HttpURLConnection hconn) {
// some proxy servers omit last modified
HttpURLConnection hconn = (HttpURLConnection)connection;
if (hconn.getResponseCode()
== HttpURLConnection.HTTP_NOT_MODIFIED) {
if (debug != null) {

@ -49,7 +49,7 @@ import sun.security.x509.X509CertImpl;
final class Vertex {
private static final Debug debug = Debug.getInstance("certpath");
private X509Certificate cert;
private final X509Certificate cert;
private int index;
private Throwable throwable;
@ -134,7 +134,7 @@ final class Vertex {
public String certToString() {
StringBuilder sb = new StringBuilder();
X509CertImpl x509Cert = null;
X509CertImpl x509Cert;
try {
x509Cert = X509CertImpl.toImpl(cert);
} catch (CertificateException ce) {
@ -214,13 +214,11 @@ final class Vertex {
* the way other Vertex.xToString() methods display
* information.
*
* @return String form of index as "Last cert? [Yes/No]
* @return String form of index as "Last cert? [Yes/No]"
*/
public String moreToString() {
StringBuilder sb = new StringBuilder("Last cert? ");
sb.append((index == -1) ? "Yes" : "No");
sb.append("\n");
return sb.toString();
return "Last cert? " + ((index == -1) ? "Yes" : "No") +
"\n";
}
/**

@ -69,7 +69,7 @@ public class X509CertPath extends CertPath {
* List of certificates in this chain
*/
@SuppressWarnings("serial") // Not statically typed as Serializable
private List<X509Certificate> certs;
private final List<X509Certificate> certs;
/**
* The names of our encodings. PkiPath is the default.
@ -113,7 +113,7 @@ public class X509CertPath extends CertPath {
// don't use
// for (Certificate obj : certs)
for (Object obj : certs) {
if (obj instanceof X509Certificate == false) {
if (!(obj instanceof X509Certificate)) {
throw new CertificateException
("List is not all X509Certificates: "
+ obj.getClass().getName());
@ -125,7 +125,7 @@ public class X509CertPath extends CertPath {
// and the methods in the Sun JDK 1.4 implementation of ArrayList that
// allow read-only access are thread-safe.
this.certs = Collections.unmodifiableList(
new ArrayList<X509Certificate>((List<X509Certificate>)certs));
new ArrayList<>((List<X509Certificate>) certs));
}
/**
@ -176,8 +176,8 @@ public class X509CertPath extends CertPath {
*/
private static List<X509Certificate> parsePKIPATH(InputStream is)
throws CertificateException {
List<X509Certificate> certList = null;
CertificateFactory certFac = null;
List<X509Certificate> certList;
CertificateFactory certFac;
if (is == null) {
throw new CertificateException("input stream is null");
@ -187,11 +187,11 @@ public class X509CertPath extends CertPath {
DerInputStream dis = new DerInputStream(is.readAllBytes());
DerValue[] seq = dis.getSequence(3);
if (seq.length == 0) {
return Collections.<X509Certificate>emptyList();
return Collections.emptyList();
}
certFac = CertificateFactory.getInstance("X.509");
certList = new ArrayList<X509Certificate>(seq.length);
certList = new ArrayList<>(seq.length);
// append certs in reverse order (target to trust anchor)
for (int i = seq.length-1; i >= 0; i--) {
@ -224,7 +224,7 @@ public class X509CertPath extends CertPath {
}
try {
if (is.markSupported() == false) {
if (!is.markSupported()) {
// Copy the entire input stream into an InputStream that does
// support mark
is = new ByteArrayInputStream(is.readAllBytes());
@ -237,7 +237,7 @@ public class X509CertPath extends CertPath {
certList = Arrays.asList(certArray);
} else {
// no certs provided
certList = new ArrayList<X509Certificate>(0);
certList = new ArrayList<>(0);
}
} catch (IOException ioe) {
throw new CertificateException("IOException parsing PKCS7 data: " +
@ -308,7 +308,7 @@ public class X509CertPath extends CertPath {
private byte[] encodePKCS7() throws CertificateEncodingException {
PKCS7 p7 = new PKCS7(new AlgorithmId[0],
new ContentInfo(ContentInfo.DATA_OID, null),
certs.toArray(new X509Certificate[certs.size()]),
certs.toArray(new X509Certificate[0]),
new SignerInfo[0]);
DerOutputStream derout = new DerOutputStream();
try {

@ -187,7 +187,7 @@ public class X509CertificatePair {
* Return the DER encoded form of the certificate pair.
*
* @return The encoded form of the certificate pair.
* @throws CerticateEncodingException If an encoding exception occurs.
* @throws CertificateEncodingException If an encoding exception occurs.
*/
public byte[] getEncoded() throws CertificateEncodingException {
try {

@ -1,5 +1,5 @@
/*
* Copyright (c) 2011, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2011, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -26,34 +26,15 @@
package sun.security.provider.certpath.ssl;
import java.io.IOException;
import java.net.Socket;
import java.net.URI;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.net.URLConnection;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.Provider;
import java.security.cert.CertificateException;
import java.security.cert.CertSelector;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.CertStoreParameters;
import java.security.cert.CertStoreSpi;
import java.security.cert.CRLSelector;
import java.security.cert.X509Certificate;
import java.security.cert.X509CRL;
import java.net.Socket;
import java.net.URLConnection;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedTrustManager;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;
/**
* A CertStore that retrieves an SSL server's certificate chain.
@ -67,11 +48,7 @@ public final class SSLServerCertStore extends CertStoreSpi {
static {
trustManager = new GetChainTrustManager();
hostnameVerifier = new HostnameVerifier() {
public boolean verify(String hostname, SSLSession session) {
return true;
}
};
hostnameVerifier = (hostname, session) -> true;
SSLSocketFactory tempFactory;
try {
@ -95,13 +72,12 @@ public final class SSLServerCertStore extends CertStoreSpi {
try {
URLConnection urlConn = uri.toURL().openConnection();
if (urlConn instanceof HttpsURLConnection) {
if (urlConn instanceof HttpsURLConnection https) {
if (socketFactory == null) {
throw new CertStoreException(
"No initialized SSLSocketFactory");
}
HttpsURLConnection https = (HttpsURLConnection)urlConn;
https.setSSLSocketFactory(socketFactory);
https.setHostnameVerifier(hostnameVerifier);
synchronized (trustManager) {
@ -128,7 +104,7 @@ public final class SSLServerCertStore extends CertStoreSpi {
throw new CertStoreException(ioe);
}
return Collections.<X509Certificate>emptySet();
return Collections.emptySet();
}
private static List<X509Certificate> getMatchingCerts
@ -167,7 +143,7 @@ public final class SSLServerCertStore extends CertStoreSpi {
extends X509ExtendedTrustManager {
private List<X509Certificate> serverChain =
Collections.<X509Certificate>emptyList();
Collections.emptyList();
private boolean exchangedServerCerts = false;
@Override
@ -202,8 +178,8 @@ public final class SSLServerCertStore extends CertStoreSpi {
exchangedServerCerts = true;
this.serverChain = (chain == null)
? Collections.<X509Certificate>emptyList()
: Arrays.<X509Certificate>asList(chain);
? Collections.emptyList()
: Arrays.asList(chain);
}
@ -223,7 +199,7 @@ public final class SSLServerCertStore extends CertStoreSpi {
void cleanup() {
exchangedServerCerts = false;
serverChain = Collections.<X509Certificate>emptyList();
serverChain = Collections.emptyList();
}
}
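Review bot: The static initializer now sets `hostnameVerifier = (hostname, session) -> true;`, an accept-all verifier with nothing at the assignment saying that this is deliberate. Going by the class comment ("A CertStore that retrieves an SSL server's certificate chain") and the GetChainTrustManager next to it, the connection appears to be used only to capture the presented chain, not to authenticate the peer. I would add a comment above the assignment, e.g. `// Accepts any hostname on purpose: this connection only collects the server's chain and must not be treated as authenticated.`, so the one-liner is not copied into code that relies on hostname verification. The static block continues outside the hunk.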

@ -59,11 +59,10 @@ public final class PSSParameters extends AlgorithmParametersSpi {
@Override
protected void engineInit(AlgorithmParameterSpec paramSpec)
throws InvalidParameterSpecException {
if (!(paramSpec instanceof PSSParameterSpec)) {
if (!(paramSpec instanceof PSSParameterSpec spec)) {
throw new InvalidParameterSpecException
("Inappropriate parameter specification");
}
PSSParameterSpec spec = (PSSParameterSpec) paramSpec;
String mgfName = spec.getMGFAlgorithm();
if (!spec.getMGFAlgorithm().equalsIgnoreCase("MGF1")) {
@ -223,12 +222,10 @@ public final class PSSParameters extends AlgorithmParametersSpi {
public static byte[] getEncoded(PSSParameterSpec spec) throws IOException {
AlgorithmParameterSpec mgfSpec = spec.getMGFParameters();
if (!(mgfSpec instanceof MGF1ParameterSpec)) {
if (!(mgfSpec instanceof MGF1ParameterSpec mgf1Spec)) {
throw new IOException("Cannot encode " + mgfSpec);
}
MGF1ParameterSpec mgf1Spec = (MGF1ParameterSpec)mgfSpec;
DerOutputStream tmp = new DerOutputStream();
DerOutputStream tmp2, tmp3;

@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -150,7 +150,7 @@ public final class RSACore {
throws BadPaddingException {
BigInteger c = parseMsg(msg, n);
BlindingRandomPair brp = null;
BlindingRandomPair brp;
BigInteger m;
if (ENABLE_BLINDING) {
brp = getBlindingRandomPair(null, exp, n);
@ -468,7 +468,7 @@ public final class RSACore {
}
}
// If this parameters are still usable, put them back into the queue.
// If parameters are still usable, put them back into the queue.
if (bps.isReusable()) {
queue.add(bps);
}

@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -135,8 +135,8 @@ public class RSAKeyFactory extends KeyFactorySpi {
}
/*
* Single test entry point for all of the mechanisms in the SunRsaSign
* provider (RSA*KeyImpls). All of the tests are the same.
* Single test entry point for all the mechanisms in the SunRsaSign
* provider (RSA*KeyImpls). All the tests are the same.
*
* For compatibility, we round up to the nearest byte here:
* some Key impls might pass in a value within a byte of the
@ -257,8 +257,7 @@ public class RSAKeyFactory extends KeyFactorySpi {
// internal implementation of translateKey() for public keys. See JCA doc
private PublicKey translatePublicKey(PublicKey key)
throws InvalidKeyException {
if (key instanceof RSAPublicKey) {
RSAPublicKey rsaKey = (RSAPublicKey)key;
if (key instanceof RSAPublicKey rsaKey) {
try {
return new RSAPublicKeyImpl(
type, rsaKey.getParams(),
@ -278,8 +277,7 @@ public class RSAKeyFactory extends KeyFactorySpi {
// internal implementation of translateKey() for private keys. See JCA doc
private PrivateKey translatePrivateKey(PrivateKey key)
throws InvalidKeyException {
if (key instanceof RSAPrivateCrtKey) {
RSAPrivateCrtKey rsaKey = (RSAPrivateCrtKey)key;
if (key instanceof RSAPrivateCrtKey rsaKey) {
try {
return new RSAPrivateCrtKeyImpl(
type, rsaKey.getParams(),
@ -296,8 +294,7 @@ public class RSAKeyFactory extends KeyFactorySpi {
// catch providers that incorrectly implement RSAPrivateCrtKey
throw new InvalidKeyException("Invalid key", e);
}
} else if (key instanceof RSAPrivateKey) {
RSAPrivateKey rsaKey = (RSAPrivateKey)key;
} else if (key instanceof RSAPrivateKey rsaKey) {
try {
return new RSAPrivateKeyImpl(
type, rsaKey.getParams(),
@ -326,8 +323,7 @@ public class RSAKeyFactory extends KeyFactorySpi {
if (keySpec instanceof X509EncodedKeySpec) {
return RSAPublicKeyImpl.newKey(type, "X.509",
((X509EncodedKeySpec)keySpec).getEncoded());
} else if (keySpec instanceof RSAPublicKeySpec) {
RSAPublicKeySpec rsaSpec = (RSAPublicKeySpec)keySpec;
} else if (keySpec instanceof RSAPublicKeySpec rsaSpec) {
try {
return new RSAPublicKeyImpl(
type, rsaSpec.getParams(),
@ -353,8 +349,7 @@ public class RSAKeyFactory extends KeyFactorySpi {
} finally {
Arrays.fill(encoded, (byte)0);
}
} else if (keySpec instanceof RSAPrivateCrtKeySpec) {
RSAPrivateCrtKeySpec rsaSpec = (RSAPrivateCrtKeySpec)keySpec;
} else if (keySpec instanceof RSAPrivateCrtKeySpec rsaSpec) {
try {
return new RSAPrivateCrtKeyImpl(
type, rsaSpec.getParams(),
@ -370,8 +365,7 @@ public class RSAKeyFactory extends KeyFactorySpi {
} catch (ProviderException e) {
throw new InvalidKeySpecException(e);
}
} else if (keySpec instanceof RSAPrivateKeySpec) {
RSAPrivateKeySpec rsaSpec = (RSAPrivateKeySpec)keySpec;
} else if (keySpec instanceof RSAPrivateKeySpec rsaSpec) {
try {
return new RSAPrivateKeyImpl(
type, rsaSpec.getParams(),
@ -398,8 +392,7 @@ public class RSAKeyFactory extends KeyFactorySpi {
} catch (InvalidKeyException e) {
throw new InvalidKeySpecException(e);
}
if (key instanceof RSAPublicKey) {
RSAPublicKey rsaKey = (RSAPublicKey)key;
if (key instanceof RSAPublicKey rsaKey) {
if (keySpec.isAssignableFrom(RSA_PUB_KEYSPEC_CLS)) {
return keySpec.cast(new RSAPublicKeySpec(
rsaKey.getModulus(),
@ -423,8 +416,7 @@ public class RSAKeyFactory extends KeyFactorySpi {
}
} else if (keySpec.isAssignableFrom(RSA_PRIVCRT_KEYSPEC_CLS)) {
// All supported keyspecs (other than PKCS8_KEYSPEC_CLS) descend from RSA_PRIVCRT_KEYSPEC_CLS
if (key instanceof RSAPrivateCrtKey) {
RSAPrivateCrtKey crtKey = (RSAPrivateCrtKey)key;
if (key instanceof RSAPrivateCrtKey crtKey) {
return keySpec.cast(new RSAPrivateCrtKeySpec(
crtKey.getModulus(),
crtKey.getPublicExponent(),
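Review bot: The `X509EncodedKeySpec` branch in the hunk at `-326,8 +323,7` still tests `keySpec instanceof X509EncodedKeySpec` and then casts with `((X509EncodedKeySpec)keySpec).getEncoded()`, while the sibling branches visible in this file now bind a pattern variable. For consistency it could read `if (keySpec instanceof X509EncodedKeySpec x509Spec) {` with `x509Spec.getEncoded()` in the call. The enclosing method starts and ends outside the hunk, so any other remaining casts there are not visible here.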

@ -94,12 +94,11 @@ abstract class RSAKeyPairGenerator extends KeyPairGeneratorSpi {
// second initialize method. See JCA doc.
public void initialize(AlgorithmParameterSpec params, SecureRandom random)
throws InvalidAlgorithmParameterException {
if (params instanceof RSAKeyGenParameterSpec == false) {
if (!(params instanceof RSAKeyGenParameterSpec rsaSpec)) {
throw new InvalidAlgorithmParameterException
("Params must be instance of RSAKeyGenParameterSpec");
}
RSAKeyGenParameterSpec rsaSpec = (RSAKeyGenParameterSpec)params;
int tmpKeySize = rsaSpec.getKeysize();
BigInteger tmpPubExp = rsaSpec.getPublicExponent();
AlgorithmParameterSpec tmpParams = rsaSpec.getKeyParams();
@ -119,15 +118,14 @@ abstract class RSAKeyPairGenerator extends KeyPairGeneratorSpi {
// vs FIPS 186-4 checks that F4 <= e < 2^256
// for backward compatibility, we keep the same checks
BigInteger minValue = RSAKeyGenParameterSpec.F0;
int maxBitLength = tmpKeySize;
if (tmpPubExp.compareTo(RSAKeyGenParameterSpec.F0) < 0) {
throw new InvalidAlgorithmParameterException
("Public exponent must be " + minValue + " or larger");
}
if (tmpPubExp.bitLength() > maxBitLength) {
if (tmpPubExp.bitLength() > tmpKeySize) {
throw new InvalidAlgorithmParameterException
("Public exponent must be no longer than " +
maxBitLength + " bits");
tmpKeySize + " bits");
}
useNew &= ((tmpPubExp.compareTo(RSAKeyGenParameterSpec.F4) >= 0) &&
(tmpPubExp.bitLength() < 256));
@ -160,7 +158,7 @@ abstract class RSAKeyPairGenerator extends KeyPairGeneratorSpi {
public KeyPair generateKeyPair() {
BigInteger e = publicExponent;
BigInteger minValue = (useNew? getSqrt(keySize) : ZERO);
int lp = (keySize + 1) >> 1;;
int lp = (keySize + 1) >> 1;
int lq = keySize - lp;
int pqDiffSize = lp - 100;
@ -212,7 +210,7 @@ abstract class RSAKeyPairGenerator extends KeyPairGeneratorSpi {
}
private static BigInteger getSqrt(int keySize) {
BigInteger sqrt = null;
BigInteger sqrt;
switch (keySize) {
case 2048:
sqrt = SQRT_2048;
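Review bot: In the public-exponent check, `minValue` survives as an alias that only the error message reads, while the comparison beside it names `RSAKeyGenParameterSpec.F0` directly; the sibling alias `maxBitLength` was removed in the same hunk. Either compare against the local, `if (tmpPubExp.compareTo(minValue) < 0) {`, or drop the local and use the constant in the message too, so the bound that is enforced and the bound that is reported cannot drift apart. `initialize` continues outside the hunk.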

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -82,7 +82,7 @@ public class RSAPSSSignature extends SignatureSpi {
private static final byte[] EIGHT_BYTES_OF_ZEROS = new byte[8];
private static final Hashtable<KnownOIDs, Integer> DIGEST_LENGTHS =
new Hashtable<KnownOIDs, Integer>();
new Hashtable<>();
static {
DIGEST_LENGTHS.put(KnownOIDs.SHA_1, 20);
DIGEST_LENGTHS.put(KnownOIDs.SHA_224, 28);
@ -113,7 +113,7 @@ public class RSAPSSSignature extends SignatureSpi {
private SecureRandom random;
/**
* Construct a new RSAPSSSignatur with arbitrary digest algorithm
* Construct a new RSAPSSSignature with arbitrary digest algorithm
*/
public RSAPSSSignature() {
this.md = null;
@ -169,14 +169,13 @@ public class RSAPSSSignature extends SignatureSpi {
// key with null PSS parameters means no restriction
return true;
}
if (!(keyParams instanceof PSSParameterSpec)) {
if (!(keyParams instanceof PSSParameterSpec pssKeyParams)) {
return false;
}
// nothing to compare yet, defer the check to when sigParams is set
if (sigParams == null) {
return true;
}
PSSParameterSpec pssKeyParams = (PSSParameterSpec) keyParams;
// first check the salt length requirement
if (pssKeyParams.getSaltLength() > sigParams.getSaltLength()) {
return false;
@ -291,12 +290,11 @@ public class RSAPSSSignature extends SignatureSpi {
throw new InvalidAlgorithmParameterException
("Parameters cannot be null");
}
if (!(p instanceof PSSParameterSpec)) {
if (!(p instanceof PSSParameterSpec params)) {
throw new InvalidAlgorithmParameterException
("parameters must be type PSSParameterSpec");
}
// no need to validate again if same as current signature parameters
PSSParameterSpec params = (PSSParameterSpec) p;
if (params == this.sigParams) return params;
RSAKey key = (this.privKey == null? this.pubKey : this.privKey);
@ -378,7 +376,7 @@ public class RSAPSSSignature extends SignatureSpi {
* Reset the message digest if it is not already reset.
*/
private void resetDigest() {
if (digestReset == false) {
if (!digestReset) {
this.md.reset();
digestReset = true;
}
@ -429,8 +427,7 @@ public class RSAPSSSignature extends SignatureSpi {
byte[] mHash = getDigestValue();
try {
byte[] encoded = encodeSignature(mHash);
byte[] encrypted = RSACore.rsa(encoded, privKey, true);
return encrypted;
return RSACore.rsa(encoded, privKey, true);
} catch (GeneralSecurityException e) {
throw new SignatureException("Could not sign data", e);
} catch (IOException e) {
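Review bot: `DIGEST_LENGTHS` keeps its `Hashtable` type even though the line was touched for the diamond operator. As a `private static final` table filled in the static initializer it reads as a constant lookup, and it would be clearer, and protected against accidental later writes, as an unmodifiable `Map<KnownOIDs, Integer>`. The static block runs past the end of the hunk, so this assumes nothing else writes to the map after class initialisation. A one-line comment such as `// digest output length in bytes, keyed by digest OID` would also document what the integers mean.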

@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -52,7 +52,7 @@ import sun.security.jca.JCAUtil;
* 0x00 | BT | PS...PS | 0x00 | data...data
*
* where BT is the blocktype (1 or 2). The length of the entire string
* must be the same as the size of the modulus (i.e. 128 byte for a 1024 bit
* must be the same as the size of the modulus (i.e. 128 byte for a 1024-bit
* key). Per spec, the padding string must be at least 8 bytes long. That
* leaves up to (length of key in bytes) - 11 bytes for the data.
*
@ -68,7 +68,7 @@ import sun.security.jca.JCAUtil;
* The algorithms (representations) are forwards-compatible: that is,
* the algorithm described in previous releases are in later releases.
* However, additional comments/checks/clarifications were added to the
* later versions based on real-world experience (e.g. stricter v1.5
* latter versions based on real-world experience (e.g. stricter v1.5
* format checking.)
*
* Note: RSA keys should be at least 512 bits long
@ -202,7 +202,7 @@ public final class RSAPadding {
// cache of hashes of zero length data
private static final Map<String,byte[]> emptyHashes =
Collections.synchronizedMap(new HashMap<String,byte[]>());
Collections.synchronizedMap(new HashMap<>());
/**
* Return the value of the digest using the specified message digest
@ -290,7 +290,7 @@ public final class RSAPadding {
/**
* PKCS#1 v1.5 padding (blocktype 1 and 2).
*/
private byte[] padV15(byte[] data, int ofs, int len) throws BadPaddingException {
private byte[] padV15(byte[] data, int ofs, int len) {
byte[] padded = new byte[paddedSize];
System.arraycopy(data, ofs, padded, paddedSize - len, len);
int psSize = paddedSize - 3 - len;
@ -379,7 +379,7 @@ public final class RSAPadding {
* PKCS#1 v2.0 OAEP padding (MGF1).
* Paragraph references refer to PKCS#1 v2.1 (June 14, 2002)
*/
private byte[] padOAEP(byte[] M, int ofs, int len) throws BadPaddingException {
private byte[] padOAEP(byte[] M, int ofs, int len) {
if (random == null) {
random = JCAUtil.getSecureRandom();
}
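Review bot: The class comment now says `latter versions`, which changes the meaning: the preceding sentence talks about `later releases`, and `latter` refers to the second of two named items, of which there are none here. The original wording should stay: `* later versions based on real-world experience (e.g. stricter v1.5`. The rest of the comment block lies outside the hunk.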

@ -67,12 +67,12 @@ public final class RSAPrivateCrtKeyImpl
private BigInteger qe; // prime exponent q
private BigInteger coeff; // CRT coefficient
private transient KeyType type;
private final transient KeyType type;
// Optional parameters associated with this RSA key
// specified in the encoding of its AlgorithmId.
// Must be null for "RSA" keys.
private transient AlgorithmParameterSpec keyParams;
private final transient AlgorithmParameterSpec keyParams;
/**
* Generate a new RSAPrivate(Crt)Key from the specified type,
@ -171,7 +171,7 @@ public final class RSAPrivateCrtKeyImpl
}
/**
* Construct a RSA key from its components. Used by the
* Construct an RSA key from its components. Used by the
* RSAKeyFactory and the RSAKeyPairGenerator.
*/
RSAPrivateCrtKeyImpl(KeyType type, AlgorithmParameterSpec keyParams,
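Review bot: `type` and `keyParams` are now `final transient`, a combination that deserves a comment. Default Java deserialization skips transient fields and a `readObject` method cannot assign a final field, so an instance restored that way would carry `null` in both, including the optional parameters associated with the key. If these key classes are only ever serialized through a replacement object (not visible in this hunk), say so next to the fields, for example `// never restored by default deserialization; set only in constructors`. The same applies to the identical change in the next file section, `RSAPublicKeyImpl`.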

@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -58,12 +58,12 @@ public final class RSAPublicKeyImpl extends X509Key implements RSAPublicKey {
private BigInteger n; // modulus
private BigInteger e; // public exponent
private transient KeyType type;
private final transient KeyType type;
// optional parameters associated with this RSA key
// specified in the encoding of its AlgorithmId
// must be null for "RSA" keys.
private transient AlgorithmParameterSpec keyParams;
private final transient AlgorithmParameterSpec keyParams;
/**
* Generate a new RSAPublicKey from the specified type, format, and
@ -104,7 +104,7 @@ public final class RSAPublicKeyImpl extends X509Key implements RSAPublicKey {
}
/**
* Construct a RSA key from the specified type and components. Used by
* Construct an RSA key from the specified type and components. Used by
* RSAKeyFactory and RSAKeyPairGenerator.
*/
RSAPublicKeyImpl(KeyType type, AlgorithmParameterSpec keyParams,

@ -144,7 +144,7 @@ abstract class RSASignature extends SignatureSpi {
* Reset the message digest if it is not already reset.
*/
private void resetDigest() {
if (digestReset == false) {
if (!digestReset) {
md.reset();
digestReset = true;
}
@ -190,8 +190,7 @@ abstract class RSASignature extends SignatureSpi {
try {
byte[] encoded = RSAUtil.encodeSignature(digestOID, digest);
byte[] padded = padding.pad(encoded);
byte[] encrypted = RSACore.rsa(padded, privateKey, true);
return encrypted;
return RSACore.rsa(padded, privateKey, true);
} catch (GeneralSecurityException e) {
throw new SignatureException("Could not sign data", e);
} catch (IOException e) {

@ -193,7 +193,7 @@ public class RSAUtil {
throw new IOException("SEQUENCE length error");
}
AlgorithmId algId = AlgorithmId.parse(values[0]);
if (algId.getOID().equals(oid) == false) {
if (!algId.getOID().equals(oid)) {
throw new IOException("ObjectIdentifier mismatch: "
+ algId.getOID());
}
@ -203,7 +203,6 @@ public class RSAUtil {
if (values[1].isConstructed()) {
throw new IOException("Unexpected constructed digest value");
}
byte[] digest = values[1].getOctetString();
return digest;
return values[1].getOctetString();
}
}

@ -1,5 +1,5 @@
/*
* Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -107,5 +107,5 @@ public final class SunRsaSignEntries {
return services.iterator();
}
private LinkedHashSet<Provider.Service> services;
private final LinkedHashSet<Provider.Service> services;
}

@ -87,7 +87,7 @@ enum Alert {
// Alert message consumer
static final SSLConsumer alertConsumer = new AlertConsumer();
private Alert(byte id, String description, boolean handshakeOnly) {
Alert(byte id, String description, boolean handshakeOnly) {
this.id = id;
this.description = description;
this.handshakeOnly = handshakeOnly;
@ -146,7 +146,7 @@ enum Alert {
// description of the Alert level
final String description;
private Level(byte level, String description) {
Level(byte level, String description) {
this.level = level;
this.description = description;
}
@ -197,10 +197,11 @@ enum Alert {
@Override
public String toString() {
MessageFormat messageFormat = new MessageFormat(
"\"Alert\": '{'\n" +
" \"level\" : \"{0}\",\n" +
" \"description\": \"{1}\"\n" +
"'}'",
"""
"Alert": '{'
"level" : "{0}",
"description": "{1}"
'}'""",
Locale.ENGLISH);
Object[] messageFields = {
@ -265,7 +266,7 @@ enum Alert {
throw tc.fatal(Alert.HANDSHAKE_FAILURE,
"received handshake warning: " + alert.description);
} else {
// Otherwise ignore the warning but remove the
// Otherwise, ignore the warning but remove the
// Certificate and CertificateVerify handshake
// consumer so the state machine doesn't expect it.
tc.handshakeContext.handshakeConsumers.remove(
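Review bot: The text block in `toString()` is the only change in this section that can alter runtime output, and nothing in the hunk pins the result. A text block strips incidental indentation relative to its least-indented line and the closing delimiter, so the leading spaces before `"level"` and `"description"` in the old literals survive only if the new lines are indented further than the `"Alert"` line; the page rendering has dropped indentation, so this cannot be checked here. A short comment above the block, e.g. `// inner lines keep their extra indent; MessageFormat still needs '{' quoted`, or an assertion on the formatted string in an existing test, would guard the log format. `toString()` continues outside the hunk.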

@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2021, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -31,10 +31,7 @@ import java.nio.charset.Charset;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import java.util.*;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLProtocolException;
import javax.net.ssl.SSLSocket;
@ -447,7 +444,7 @@ final class AlpnExtension {
// Clean or register the extension
//
// No further use of the request and respond extension any more.
// No further use of the request and respond extension.
shc.handshakeExtensions.remove(SSLExtension.CH_ALPN);
return extData;
@ -474,7 +471,6 @@ final class AlpnExtension {
AlpnSpec requestedAlps =
(AlpnSpec)chc.handshakeExtensions.get(SSLExtension.CH_ALPN);
if (requestedAlps == null ||
requestedAlps.applicationProtocols == null ||
requestedAlps.applicationProtocols.isEmpty()) {
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected " + SSLExtension.CH_ALPN.name + " extension");
@ -506,7 +502,7 @@ final class AlpnExtension {
// Clean or register the extension
//
// No further use of the request and respond extension any more.
// No further use of the request and respond extension.
chc.handshakeExtensions.remove(SSLExtension.CH_ALPN);
}
}
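Review bot: The `requestedAlps.applicationProtocols == null ||` guard is dropped, so if that field can ever be null, `requestedAlps.applicationProtocols.isEmpty()` now throws a `NullPointerException` instead of raising the `UNEXPECTED_MESSAGE` alert. Whether `AlpnSpec` guarantees a non-null list is not visible in this hunk; if it does, a comment such as `// applicationProtocols is never null (set in every AlpnSpec constructor)` records the invariant the handshake path now relies on, otherwise the check should stay. Separately, the import hunk replaces four explicit `java.util` imports with `import java.util.*;`, which hides what the file depends on; the explicit list is preferable. The enclosing method starts and ends outside the hunk.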

@ -1,5 +1,5 @@
/*
* Copyright (c) 2012, 2019, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2012, 2022, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -115,7 +115,7 @@ abstract class Authenticator {
*
* Sequence numbers are of type uint64 and may not exceed 2^64-1.
* Sequence numbers do not wrap. If a TLS
* implementation would need to wrap a sequence number, it must
* implementation needs to wrap a sequence number, it must
* renegotiate instead.
*
* @return true if the sequence number is huge enough to renew
