stan/jdk-24
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

8067694: Improved certification checking

Browse Source 
Reviewed-by: mullan, jnimeh, coffeys, robm, asmotrak, ahgross
This commit is contained in:
Xue-Lei Andrew Fan 2015-02-04 11:13:14 +00:00
parent 8bc30fb3c8
commit 635f7a3e20
4 changed files with 78 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
jdk/src/java.base/share/classes/java/net/InetAddress.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 1995, 2014, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 1995, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -205,16 +205,33 @@ class InetAddress implements java.io.Serializable {
static transient boolean preferIPv6Address = false; static transient boolean preferIPv6Address = false;
static class InetAddressHolder { static class InetAddressHolder {
/**
* Reserve the original application specified hostname.
*
* The original hostname is useful for domain-based endpoint
* identification (see RFC 2818 and RFC 6125). If an address
* was created with a raw IP address, a reverse name lookup
* may introduce endpoint identification security issue via
* DNS forging.
*
* Oracle JSSE provider is using this original hostname, via
* sun.misc.JavaNetAccess, for SSL/TLS endpoint identification.
*
* Note: May define a new public method in the future if necessary.
*/
private String originalHostName;
InetAddressHolder() {} InetAddressHolder() {}
InetAddressHolder(String hostName, int address, int family) { InetAddressHolder(String hostName, int address, int family) {
this.originalHostName = hostName;
this.hostName = hostName; this.hostName = hostName;
this.address = address; this.address = address;
this.family = family; this.family = family;
} }
void init(String hostName, int family) { void init(String hostName, int family) {
this.originalHostName = hostName;
this.hostName = hostName; this.hostName = hostName;
if (family != -1) { if (family != -1) {
this.family = family; this.family = family;
@ -227,6 +244,10 @@ class InetAddress implements java.io.Serializable {
return hostName; return hostName;
} }
String getOriginalHostName() {
return originalHostName;
}
/** /**
* Holds a 32-bit IPv4 address. * Holds a 32-bit IPv4 address.
*/ */

6
jdk/src/java.base/share/classes/java/net/URLClassLoader.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -774,6 +774,10 @@ public class URLClassLoader extends SecureClassLoader implements Closeable {
public URLClassPath getURLClassPath (URLClassLoader u) { public URLClassPath getURLClassPath (URLClassLoader u) {
return u.ucp; return u.ucp;
} }
public String getOriginalHostName(InetAddress ia) {
return ia.holder.getOriginalHostName();
}
} }
); );
ClassLoader.registerAsParallelCapable(); ClassLoader.registerAsParallelCapable();

9
jdk/src/java.base/share/classes/sun/misc/JavaNetAccess.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2006, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 2006, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -26,10 +26,17 @@
package sun.misc; package sun.misc;
import java.net.URLClassLoader; import java.net.URLClassLoader;
import java.net.InetAddress;
public interface JavaNetAccess { public interface JavaNetAccess {
/** /**
* return the URLClassPath belonging to the given loader * return the URLClassPath belonging to the given loader
*/ */
URLClassPath getURLClassPath (URLClassLoader u); URLClassPath getURLClassPath (URLClassLoader u);
/**
* Return the original application specified hostname of
* the given InetAddress object.
*/
String getOriginalHostName(InetAddress ia);
} }

45
jdk/src/java.base/share/classes/sun/security/ssl/SSLSocketImpl.java
View File

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved. * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
* *
* This code is free software; you can redistribute it and/or modify it * This code is free software; you can redistribute it and/or modify it
@ -42,6 +42,9 @@ import javax.crypto.BadPaddingException;
import javax.net.ssl.*; import javax.net.ssl.*;
import sun.misc.ManagedLocalsThread; import sun.misc.ManagedLocalsThread;
import sun.misc.JavaNetAccess;
import sun.misc.SharedSecrets;
/** /**
* Implementation of an SSL socket. This is a normal connection type * Implementation of an SSL socket. This is a normal connection type
* socket, implementing SSL over some lower level socket, such as TCP. * socket, implementing SSL over some lower level socket, such as TCP.
@ -377,6 +380,15 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
*/ */
private int maximumPacketSize = 0; private int maximumPacketSize = 0;
/*
* Is the local name service trustworthy?
*
* If the local name service is not trustworthy, reverse host name
* resolution should not be performed for endpoint identification.
*/
static final boolean trustNameService =
Debug.getBooleanProperty("jdk.tls.trustNameService", false);
// //
// CONSTRUCTORS AND INITIALIZATION CODE // CONSTRUCTORS AND INITIALIZATION CODE
// //
@ -2063,11 +2075,40 @@ final public class SSLSocketImpl extends BaseSSLSocketImpl {
synchronized String getHost() { synchronized String getHost() {
// Note that the host may be null or empty for localhost. // Note that the host may be null or empty for localhost.
if (host == null || host.length() == 0) { if (host == null || host.length() == 0) {
host = getInetAddress().getHostName(); if (!trustNameService) {
// If the local name service is not trustworthy, reverse host
// name resolution should not be performed for endpoint
// identification. Use the application original specified
// hostname or IP address instead.
host = getOriginalHostname(getInetAddress());
} else {
host = getInetAddress().getHostName();
}
} }
return host; return host;
} }
/*
* Get the original application specified hostname.
*/
private static String getOriginalHostname(InetAddress inetAddress) {
/*
* Get the original hostname via sun.misc.SharedSecrets.
*/
JavaNetAccess jna = SharedSecrets.getJavaNetAccess();
String originalHostname = jna.getOriginalHostName(inetAddress);
/*
* If no application specified hostname, use the IP address.
*/
if (originalHostname == null || originalHostname.length() == 0) {
originalHostname = inetAddress.getHostAddress();
}
return originalHostname;
}
// ONLY used by HttpsClient to setup the URI specified hostname // ONLY used by HttpsClient to setup the URI specified hostname
// //
// Please NOTE that this method MUST be called before calling to // Please NOTE that this method MUST be called before calling to