Date: Thu, 26 Mar 2009 17:39:42 -0700
Subject: [PATCH 08/14] 6822903: Reliability and documentation improvements for
ReentrantReadWriteLock
Make firstReader a Thread, not a long
Reviewed-by: martin
---
.../locks/ReentrantReadWriteLock.java | 86 +++++++++++--------
1 file changed, 49 insertions(+), 37 deletions(-)
diff --git a/jdk/src/share/classes/java/util/concurrent/locks/ReentrantReadWriteLock.java b/jdk/src/share/classes/java/util/concurrent/locks/ReentrantReadWriteLock.java
index 8888efb2477..e767dfa62b1 100644
--- a/jdk/src/share/classes/java/util/concurrent/locks/ReentrantReadWriteLock.java
+++ b/jdk/src/share/classes/java/util/concurrent/locks/ReentrantReadWriteLock.java
@@ -276,7 +276,7 @@ public class ReentrantReadWriteLock implements ReadWriteLock, java.io.Serializab
* Maintained as a ThreadLocal; cached in cachedHoldCounter
*/
static final class HoldCounter {
- int count;
+ int count = 0;
// Use id, not reference, to avoid garbage retention
final long tid = Thread.currentThread().getId();
}
@@ -293,8 +293,9 @@ public class ReentrantReadWriteLock implements ReadWriteLock, java.io.Serializab
}
/**
- * The number of read locks held by current thread.
+ * The number of reentrant read locks held by current thread.
* Initialized only in constructor and readObject.
+ * Removed whenever a thread's read hold count drops to 0.
*/
private transient ThreadLocalHoldCounter readHolds;
@@ -304,17 +305,35 @@ public class ReentrantReadWriteLock implements ReadWriteLock, java.io.Serializab
* where the next thread to release is the last one to
* acquire. This is non-volatile since it is just used
* as a heuristic, and would be great for threads to cache.
+ *
+ * Can outlive the Thread for which it is caching the read
+ * hold count, but avoids garbage retention by not retaining a
+ * reference to the Thread.
+ *
+ *
Accessed via a benign data race; relies on the memory
+ * model's final field and out-of-thin-air guarantees.
*/
private transient HoldCounter cachedHoldCounter;
/**
* firstReader is the first thread to have acquired the read lock.
* firstReaderHoldCount is firstReader's hold count.
- * This allows tracking of read holds for uncontended read
+ *
+ *
More precisely, firstReader is the unique thread that last
+ * changed the shared count from 0 to 1, and has not released the
+ * read lock since then; null if there is no such thread.
+ *
+ *
Cannot cause garbage retention unless the thread terminated
+ * without relinquishing its read locks, since tryReleaseShared
+ * sets it to null.
+ *
+ *
Accessed via a benign data race; relies on the memory
+ * model's out-of-thin-air guarantees for references.
+ *
+ *
This allows tracking of read holds for uncontended read
* locks to be very cheap.
*/
- private final static long INVALID_THREAD_ID = -1;
- private transient long firstReader = INVALID_THREAD_ID;
+ private transient Thread firstReader = null;
private transient int firstReaderHoldCount;
Sync() {
@@ -393,16 +412,16 @@ public class ReentrantReadWriteLock implements ReadWriteLock, java.io.Serializab
}
protected final boolean tryReleaseShared(int unused) {
- long tid = Thread.currentThread().getId();
- if (firstReader == tid) {
+ Thread current = Thread.currentThread();
+ if (firstReader == current) {
// assert firstReaderHoldCount > 0;
if (firstReaderHoldCount == 1)
- firstReader = INVALID_THREAD_ID;
+ firstReader = null;
else
firstReaderHoldCount--;
} else {
HoldCounter rh = cachedHoldCounter;
- if (rh == null || rh.tid != tid)
+ if (rh == null || rh.tid != current.getId())
rh = readHolds.get();
int count = rh.count;
if (count <= 1) {
@@ -416,6 +435,9 @@ public class ReentrantReadWriteLock implements ReadWriteLock, java.io.Serializab
int c = getState();
int nextc = c - SHARED_UNIT;
if (compareAndSetState(c, nextc))
+ // Releasing the read lock has no effect on readers,
+ // but it may allow waiting writers to proceed if
+ // both read and write locks are now free.
return nextc == 0;
}
}
@@ -450,15 +472,14 @@ public class ReentrantReadWriteLock implements ReadWriteLock, java.io.Serializab
if (!readerShouldBlock() &&
r < MAX_COUNT &&
compareAndSetState(c, c + SHARED_UNIT)) {
- long tid = current.getId();
if (r == 0) {
- firstReader = tid;
+ firstReader = current;
firstReaderHoldCount = 1;
- } else if (firstReader == tid) {
+ } else if (firstReader == current) {
firstReaderHoldCount++;
} else {
HoldCounter rh = cachedHoldCounter;
- if (rh == null || rh.tid != tid)
+ if (rh == null || rh.tid != current.getId())
cachedHoldCounter = rh = readHolds.get();
else if (rh.count == 0)
readHolds.set(rh);
@@ -485,19 +506,17 @@ public class ReentrantReadWriteLock implements ReadWriteLock, java.io.Serializab
int c = getState();
if (exclusiveCount(c) != 0) {
if (getExclusiveOwnerThread() != current)
- //if (removeNeeded) readHolds.remove();
return -1;
// else we hold the exclusive lock; blocking here
// would cause deadlock.
} else if (readerShouldBlock()) {
// Make sure we're not acquiring read lock reentrantly
- long tid = current.getId();
- if (firstReader == tid) {
+ if (firstReader == current) {
// assert firstReaderHoldCount > 0;
} else {
if (rh == null) {
rh = cachedHoldCounter;
- if (rh == null || rh.tid != tid) {
+ if (rh == null || rh.tid != current.getId()) {
rh = readHolds.get();
if (rh.count == 0)
readHolds.remove();
@@ -510,25 +529,20 @@ public class ReentrantReadWriteLock implements ReadWriteLock, java.io.Serializab
if (sharedCount(c) == MAX_COUNT)
throw new Error("Maximum lock count exceeded");
if (compareAndSetState(c, c + SHARED_UNIT)) {
- long tid = current.getId();
if (sharedCount(c) == 0) {
- firstReader = tid;
+ firstReader = current;
firstReaderHoldCount = 1;
- } else if (firstReader == tid) {
+ } else if (firstReader == current) {
firstReaderHoldCount++;
} else {
- if (rh == null) {
+ if (rh == null)
rh = cachedHoldCounter;
- if (rh != null && rh.tid == tid) {
- if (rh.count == 0)
- readHolds.set(rh);
- } else {
- rh = readHolds.get();
- }
- } else if (rh.count == 0)
+ if (rh == null || rh.tid != current.getId())
+ rh = readHolds.get();
+ else if (rh.count == 0)
readHolds.set(rh);
- cachedHoldCounter = rh; // cache for release
rh.count++;
+ cachedHoldCounter = rh; // cache for release
}
return 1;
}
@@ -572,15 +586,14 @@ public class ReentrantReadWriteLock implements ReadWriteLock, java.io.Serializab
if (r == MAX_COUNT)
throw new Error("Maximum lock count exceeded");
if (compareAndSetState(c, c + SHARED_UNIT)) {
- long tid = current.getId();
if (r == 0) {
- firstReader = tid;
+ firstReader = current;
firstReaderHoldCount = 1;
- } else if (firstReader == tid) {
+ } else if (firstReader == current) {
firstReaderHoldCount++;
} else {
HoldCounter rh = cachedHoldCounter;
- if (rh == null || rh.tid != tid)
+ if (rh == null || rh.tid != current.getId())
cachedHoldCounter = rh = readHolds.get();
else if (rh.count == 0)
readHolds.set(rh);
@@ -626,12 +639,12 @@ public class ReentrantReadWriteLock implements ReadWriteLock, java.io.Serializab
if (getReadLockCount() == 0)
return 0;
- long tid = Thread.currentThread().getId();
- if (firstReader == tid)
+ Thread current = Thread.currentThread();
+ if (firstReader == current)
return firstReaderHoldCount;
HoldCounter rh = cachedHoldCounter;
- if (rh != null && rh.tid == tid)
+ if (rh != null && rh.tid == current.getId())
return rh.count;
int count = readHolds.get().count;
@@ -647,7 +660,6 @@ public class ReentrantReadWriteLock implements ReadWriteLock, java.io.Serializab
throws java.io.IOException, ClassNotFoundException {
s.defaultReadObject();
readHolds = new ThreadLocalHoldCounter();
- firstReader = INVALID_THREAD_ID;
setState(0); // reset to unlocked state
}
From 739414c17703f8370e3b40ff2b9e53c85de5efca Mon Sep 17 00:00:00 2001
From: Weijun Wang
Date: Fri, 27 Mar 2009 11:05:45 +0800
Subject: [PATCH 09/14] 6802846: jarsigner needs enhanced cert
validation(options)
Reviewed-by: xuelei
---
.../classes/sun/security/tools/JarSigner.java | 706 ++++++++++++------
.../security/tools/JarSignerResources.java | 53 +-
.../classes/sun/security/tools/KeyTool.java | 2 +-
.../tools/jarsigner/concise_jarsigner.sh | 200 +++++
4 files changed, 706 insertions(+), 255 deletions(-)
create mode 100644 jdk/test/sun/security/tools/jarsigner/concise_jarsigner.sh
diff --git a/jdk/src/share/classes/sun/security/tools/JarSigner.java b/jdk/src/share/classes/sun/security/tools/JarSigner.java
index d8d1ee3d517..2de2e52b08a 100644
--- a/jdk/src/share/classes/sun/security/tools/JarSigner.java
+++ b/jdk/src/share/classes/sun/security/tools/JarSigner.java
@@ -1,5 +1,5 @@
/*
- * Copyright 1997-2007 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 1997-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -32,28 +32,44 @@ import java.util.jar.*;
import java.math.BigInteger;
import java.net.URI;
import java.net.URISyntaxException;
-import java.net.URL;
-import java.net.URLClassLoader;
-import java.net.SocketTimeoutException;
import java.text.Collator;
import java.text.MessageFormat;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.cert.CertificateException;
-import java.security.cert.CertificateExpiredException;
-import java.security.cert.CertificateNotYetValidException;
import java.security.*;
import java.lang.reflect.Constructor;
import com.sun.jarsigner.ContentSigner;
import com.sun.jarsigner.ContentSignerParameters;
+import java.net.SocketTimeoutException;
+import java.net.URL;
+import java.net.URLClassLoader;
+import java.security.cert.CertPath;
+import java.security.cert.CertPathValidator;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.PKIXParameters;
+import java.security.cert.TrustAnchor;
+import java.util.Map.Entry;
import sun.security.x509.*;
import sun.security.util.*;
import sun.misc.BASE64Encoder;
+
/**
* The jarsigner utility.
*
+ * The exit codes for the main method are:
+ *
+ * 0: success
+ * 1: any error that the jar cannot be signed or verified, including:
+ * keystore loading error
+ * TSP communciation error
+ * jarsigner command line error...
+ * otherwise: error codes from -strict
+ *
* @author Roland Schemers
* @author Jan Luehe
*/
@@ -84,8 +100,6 @@ public class JarSigner {
// Attention:
// This is the entry that get launched by the security tool jarsigner.
- // It's marked as exported private per AppServer Team's request.
- // See http://ccc.sfbay/6428446
public static void main(String args[]) throws Exception {
JarSigner js = new JarSigner();
js.run(args);
@@ -93,31 +107,32 @@ public class JarSigner {
static final String VERSION = "1.0";
- static final int IN_KEYSTORE = 0x01;
+ static final int IN_KEYSTORE = 0x01; // signer is in keystore
static final int IN_SCOPE = 0x02;
+ static final int NOT_ALIAS = 0x04; // alias list is NOT empty and
+ // signer is not in alias list
+ static final int SIGNED_BY_ALIAS = 0x08; // signer is in alias list
- // signer's certificate chain (when composing)
- X509Certificate[] certChain;
-
- /*
- * private key
- */
- PrivateKey privateKey;
- KeyStore store;
+ X509Certificate[] certChain; // signer's cert chain (when composing)
+ PrivateKey privateKey; // private key
+ KeyStore store; // the keystore specified by -keystore
+ // or the default keystore, never null
IdentityScope scope;
String keystore; // key store file
boolean nullStream = false; // null keystore input stream (NONE)
boolean token = false; // token-based keystore
- String jarfile; // jar file to sign
+ String jarfile; // jar file to sign or verify
String alias; // alias to sign jar with
+ List ckaliases = new ArrayList(); // aliases in -verify
char[] storepass; // keystore password
boolean protectedPath; // protected authentication path
String storetype; // keystore type
String providerName; // provider name
Vector providers = null; // list of providers
- HashMap providerArgs = new HashMap(); // arguments for provider constructors
+ // arguments for provider constructors
+ HashMap providerArgs = new HashMap();
char[] keypass; // private key password
String sigfile; // name of .SF file
String sigalg; // name of signature algorithm
@@ -125,12 +140,14 @@ public class JarSigner {
String signedjar; // output filename
String tsaUrl; // location of the Timestamping Authority
String tsaAlias; // alias for the Timestamping Authority's certificate
+ String altCertChain; // file to read alternative cert chain from
boolean verify = false; // verify the jar
- boolean verbose = false; // verbose output when signing/verifying
+ String verbose = null; // verbose output when signing/verifying
boolean showcerts = false; // show certs when verifying
boolean debug = false; // debug
boolean signManifest = true; // "sign" the whole manifest
boolean externalSF = true; // leave the .SF out of the PKCS7 block
+ boolean strict = false; // treat warnings as error
// read zip entry raw bytes
private ByteArrayOutputStream baos = new ByteArrayOutputStream(2048);
@@ -139,14 +156,22 @@ public class JarSigner {
private String altSignerClass = null;
private String altSignerClasspath = null;
private ZipFile zipFile = null;
+
private boolean hasExpiredCert = false;
private boolean hasExpiringCert = false;
private boolean notYetValidCert = false;
-
+ private boolean chainNotValidated = false;
+ private boolean notSignedByAlias = false;
+ private boolean aliasNotInStore = false;
+ private boolean hasUnsignedEntry = false;
private boolean badKeyUsage = false;
private boolean badExtendedKeyUsage = false;
private boolean badNetscapeCertType = false;
+ CertificateFactory certificateFactory;
+ CertPathValidator validator;
+ PKIXParameters pkixParameters;
+
public void run(String args[]) {
try {
parseArgs(args);
@@ -184,14 +209,6 @@ public class JarSigner {
}
}
- hasExpiredCert = false;
- hasExpiringCert = false;
- notYetValidCert = false;
-
- badKeyUsage = false;
- badExtendedKeyUsage = false;
- badNetscapeCertType = false;
-
if (verify) {
try {
loadKeyStore(keystore, false);
@@ -238,6 +255,29 @@ public class JarSigner {
storepass = null;
}
}
+
+ if (strict) {
+ int exitCode = 0;
+ if (hasExpiringCert) {
+ exitCode |= 2;
+ }
+ if (chainNotValidated) {
+ // hasExpiredCert and notYetValidCert included in this case
+ exitCode |= 4;
+ }
+ if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType) {
+ exitCode |= 8;
+ }
+ if (hasUnsignedEntry) {
+ exitCode |= 16;
+ }
+ if (notSignedByAlias || aliasNotInStore) {
+ exitCode |= 32;
+ }
+ if (exitCode != 0) {
+ System.exit(exitCode);
+ }
+ }
}
/*
@@ -247,25 +287,26 @@ public class JarSigner {
/* parse flags */
int n = 0;
- for (n=0; (n < args.length) && args[n].startsWith("-"); n++) {
+ if (args.length == 0) fullusage();
+ for (n=0; n < args.length; n++) {
String flags = args[n];
if (collator.compare(flags, "-keystore") == 0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
keystore = args[n];
} else if (collator.compare(flags, "-storepass") ==0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
storepass = args[n].toCharArray();
} else if (collator.compare(flags, "-storetype") ==0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
storetype = args[n];
} else if (collator.compare(flags, "-providerName") ==0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
providerName = args[n];
} else if ((collator.compare(flags, "-provider") == 0) ||
(collator.compare(flags, "-providerClass") == 0)) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
if (providers == null) {
providers = new Vector(3);
}
@@ -274,35 +315,38 @@ public class JarSigner {
if (args.length > (n+1)) {
flags = args[n+1];
if (collator.compare(flags, "-providerArg") == 0) {
- if (args.length == (n+2)) usage();
+ if (args.length == (n+2)) usageNoArg();
providerArgs.put(args[n], args[n+2]);
n += 2;
}
}
} else if (collator.compare(flags, "-protected") ==0) {
protectedPath = true;
+ } else if (collator.compare(flags, "-certchain") ==0) {
+ if (++n == args.length) usageNoArg();
+ altCertChain = args[n];
} else if (collator.compare(flags, "-debug") ==0) {
debug = true;
} else if (collator.compare(flags, "-keypass") ==0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
keypass = args[n].toCharArray();
} else if (collator.compare(flags, "-sigfile") ==0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
sigfile = args[n];
} else if (collator.compare(flags, "-signedjar") ==0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
signedjar = args[n];
} else if (collator.compare(flags, "-tsa") ==0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
tsaUrl = args[n];
} else if (collator.compare(flags, "-tsacert") ==0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
tsaAlias = args[n];
} else if (collator.compare(flags, "-altsigner") ==0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
altSignerClass = args[n];
} else if (collator.compare(flags, "-altsignerpath") ==0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
altSignerClasspath = args[n];
} else if (collator.compare(flags, "-sectionsonly") ==0) {
signManifest = false;
@@ -311,30 +355,56 @@ public class JarSigner {
} else if (collator.compare(flags, "-verify") ==0) {
verify = true;
} else if (collator.compare(flags, "-verbose") ==0) {
- verbose = true;
+ verbose = "all";
+ } else if (collator.compare(flags, "-verbose:all") ==0) {
+ verbose = "all";
+ } else if (collator.compare(flags, "-verbose:summary") ==0) {
+ verbose = "summary";
+ } else if (collator.compare(flags, "-verbose:grouped") ==0) {
+ verbose = "grouped";
} else if (collator.compare(flags, "-sigalg") ==0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
sigalg = args[n];
} else if (collator.compare(flags, "-digestalg") ==0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
digestalg = args[n];
} else if (collator.compare(flags, "-certs") ==0) {
showcerts = true;
+ } else if (collator.compare(flags, "-strict") ==0) {
+ strict = true;
} else if (collator.compare(flags, "-h") == 0 ||
collator.compare(flags, "-help") == 0) {
- usage();
+ fullusage();
} else {
- System.err.println(rb.getString("Illegal option: ") + flags);
- usage();
+ if (!flags.startsWith("-")) {
+ if (jarfile == null) {
+ jarfile = flags;
+ } else {
+ alias = flags;
+ ckaliases.add(alias);
+ }
+ } else {
+ System.err.println(
+ rb.getString("Illegal option: ") + flags);
+ usage();
+ }
}
}
- if (n == args.length) usage();
- jarfile = args[n++];
+ // -certs must always be specified with -verbose
+ if (verbose == null) showcerts = false;
- if (!verify) {
- if (n == args.length) usage();
- alias = args[n++];
+ if (jarfile == null) {
+ System.err.println(rb.getString("Please specify jarfile name"));
+ usage();
+ }
+ if (!verify && alias == null) {
+ System.err.println(rb.getString("Please specify alias name"));
+ usage();
+ }
+ if (!verify && ckaliases.size() > 1) {
+ System.err.println(rb.getString("Only one alias can be specified"));
+ usage();
}
if (storetype == null) {
@@ -357,7 +427,6 @@ public class JarSigner {
if (token && !nullStream) {
System.err.println(MessageFormat.format(rb.getString
("-keystore must be NONE if -storetype is {0}"), storetype));
- System.err.println();
usage();
}
@@ -365,7 +434,6 @@ public class JarSigner {
System.err.println(MessageFormat.format(rb.getString
("-keypass can not be specified " +
"if -storetype is {0}"), storetype));
- System.err.println();
usage();
}
@@ -374,7 +442,6 @@ public class JarSigner {
System.err.println(rb.getString
("If -protected is specified, " +
"then -storepass and -keypass must not be specified"));
- System.err.println();
usage();
}
}
@@ -383,17 +450,27 @@ public class JarSigner {
System.err.println(rb.getString
("If keystore is not password protected, " +
"then -storepass and -keypass must not be specified"));
- System.err.println();
usage();
}
}
}
+ void usageNoArg() {
+ System.out.println(rb.getString("Option lacks argument"));
+ usage();
+ }
+
void usage() {
+ System.out.println();
+ System.out.println(rb.getString("Please type jarsigner -help for usage"));
+ System.exit(1);
+ }
+
+ void fullusage() {
System.out.println(rb.getString
("Usage: jarsigner [options] jar-file alias"));
System.out.println(rb.getString
- (" jarsigner -verify [options] jar-file"));
+ (" jarsigner -verify [options] jar-file [alias...]"));
System.out.println();
System.out.println(rb.getString
("[-keystore ] keystore location"));
@@ -407,6 +484,9 @@ public class JarSigner {
System.out.println(rb.getString
("[-keypass ] password for private key (if different)"));
System.out.println();
+ System.out.println(rb.getString
+ ("[-certchain ] name of alternative certchain file"));
+ System.out.println();
System.out.println(rb.getString
("[-sigfile ] name of .SF/.DSA file"));
System.out.println();
@@ -423,7 +503,9 @@ public class JarSigner {
("[-verify] verify a signed JAR file"));
System.out.println();
System.out.println(rb.getString
- ("[-verbose] verbose output when signing/verifying"));
+ ("[-verbose[:suboptions]] verbose output when signing/verifying."));
+ System.out.println(rb.getString
+ (" suboptions can be all, grouped or summary"));
System.out.println();
System.out.println(rb.getString
("[-certs] display certificates when verbose and verifying"));
@@ -457,15 +539,17 @@ public class JarSigner {
System.out.println(rb.getString
(" [-providerArg ]] ... master class file and constructor argument"));
System.out.println();
+ System.out.println(rb.getString
+ ("[-strict] treat warnings as errors"));
+ System.out.println();
- System.exit(1);
+ System.exit(0);
}
void verifyJar(String jarName)
throws Exception
{
- boolean anySigned = false;
- boolean hasUnsignedEntry = false;
+ boolean anySigned = false; // if there exists entry inside jar signed
JarFile jf = null;
try {
@@ -494,11 +578,18 @@ public class JarSigner {
Manifest man = jf.getManifest();
+ // The map to record display info, only used when -verbose provided
+ // key: signer info string
+ // value: the list of files with common key
+ Map> output =
+ new LinkedHashMap>();
+
if (man != null) {
- if (verbose) System.out.println();
+ if (verbose != null) System.out.println();
Enumeration e = entriesVec.elements();
long now = System.currentTimeMillis();
+ String tab = rb.getString(" ");
while (e.hasMoreElements()) {
JarEntry je = e.nextElement();
@@ -509,77 +600,118 @@ public class JarSigner {
hasUnsignedEntry |= !je.isDirectory() && !isSigned
&& !signatureRelated(name);
- if (verbose) {
- int inStoreOrScope = inKeyStore(signers);
- boolean inStore = (inStoreOrScope & IN_KEYSTORE) != 0;
- boolean inScope = (inStoreOrScope & IN_SCOPE) != 0;
+ int inStoreOrScope = inKeyStore(signers);
+
+ boolean inStore = (inStoreOrScope & IN_KEYSTORE) != 0;
+ boolean inScope = (inStoreOrScope & IN_SCOPE) != 0;
+
+ notSignedByAlias |= (inStoreOrScope & NOT_ALIAS) != 0;
+ aliasNotInStore |= isSigned && (!inStore && !inScope);
+
+ // Only used when -verbose provided
+ StringBuffer sb = null;
+ if (verbose != null) {
+ sb = new StringBuffer();
boolean inManifest =
((man.getAttributes(name) != null) ||
(man.getAttributes("./"+name) != null) ||
(man.getAttributes("/"+name) != null));
- System.out.print(
+ sb.append(
(isSigned ? rb.getString("s") : rb.getString(" ")) +
(inManifest ? rb.getString("m") : rb.getString(" ")) +
(inStore ? rb.getString("k") : rb.getString(" ")) +
(inScope ? rb.getString("i") : rb.getString(" ")) +
- rb.getString(" "));
- StringBuffer sb = new StringBuffer();
+ ((inStoreOrScope & NOT_ALIAS) != 0 ?"X":" ") +
+ rb.getString(" "));
+ sb.append("|");
+ }
+
+ // When -certs provided, display info has extra empty
+ // lines at the beginning and end.
+ if (isSigned) {
+ if (showcerts) sb.append('\n');
+ for (CodeSigner signer: signers) {
+ // signerInfo() must be called even if -verbose
+ // not provided. The method updates various
+ // warning flags.
+ String si = signerInfo(signer, tab, now);
+ if (showcerts) {
+ sb.append(si);
+ sb.append('\n');
+ }
+ }
+ } else if (showcerts && !verbose.equals("all")) {
+ // Print no info for unsigned entries when -verbose:all,
+ // to be consistent with old behavior.
+ if (signatureRelated(name)) {
+ sb.append("\n" + tab + rb.getString(
+ "(Signature related entries)") + "\n\n");
+ } else {
+ sb.append("\n" + tab + rb.getString(
+ "(Unsigned entries)") + "\n\n");
+ }
+ }
+
+ if (verbose != null) {
+ String label = sb.toString();
+ if (signatureRelated(name)) {
+ // Entries inside META-INF and other unsigned
+ // entries are grouped separately.
+ label = "-" + label.substring(1);
+ }
+
+ // The label finally contains 2 parts separated by '|':
+ // The legend displayed before the entry names, and
+ // the cert info (if -certs specfied).
+
+ if (!output.containsKey(label)) {
+ output.put(label, new ArrayList());
+ }
+
+ StringBuffer fb = new StringBuffer();
String s = Long.toString(je.getSize());
for (int i = 6 - s.length(); i > 0; --i) {
- sb.append(' ');
- }
- sb.append(s).append(' ').
- append(new Date(je.getTime()).toString());
- sb.append(' ').append(je.getName());
- System.out.println(sb.toString());
-
- if (signers != null && showcerts) {
- String tab = rb.getString(" ");
- for (int i = 0; i < signers.length; i++) {
- System.out.println();
- List extends Certificate> certs =
- signers[i].getSignerCertPath()
- .getCertificates();
- // display the signature timestamp, if present
- Timestamp timestamp = signers[i].getTimestamp();
- if (timestamp != null) {
- System.out.println(
- printTimestamp(tab, timestamp));
- }
- // display the certificate(s)
- for (Certificate c : certs) {
- System.out.println(
- printCert(tab, c, true, now));
- }
- }
- System.out.println();
+ fb.append(' ');
}
+ fb.append(s).append(' ').
+ append(new Date(je.getTime()).toString());
+ fb.append(' ').append(name);
+ output.get(label).add(fb.toString());
}
- if (isSigned) {
- for (int i = 0; i < signers.length; i++) {
- Certificate cert =
- signers[i].getSignerCertPath()
- .getCertificates().get(0);
- if (cert instanceof X509Certificate) {
- checkCertUsage((X509Certificate)cert, null);
- if (!showcerts) {
- long notAfter = ((X509Certificate)cert)
- .getNotAfter().getTime();
-
- if (notAfter < now) {
- hasExpiredCert = true;
- } else if (notAfter < now + SIX_MONTHS) {
- hasExpiringCert = true;
- }
- }
- }
- }
- }
-
}
}
- if (verbose) {
+ if (verbose != null) {
+ for (Entry> s: output.entrySet()) {
+ List files = s.getValue();
+ String key = s.getKey();
+ if (key.charAt(0) == '-') { // the signature-related group
+ key = ' ' + key.substring(1);
+ }
+ int pipe = key.indexOf('|');
+ if (verbose.equals("all")) {
+ for (String f: files) {
+ System.out.println(key.substring(0, pipe) + f);
+ System.out.printf(key.substring(pipe+1));
+ }
+ } else {
+ if (verbose.equals("grouped")) {
+ for (String f: files) {
+ System.out.println(key.substring(0, pipe) + f);
+ }
+ } else if (verbose.equals("summary")) {
+ System.out.print(key.substring(0, pipe));
+ if (files.size() > 1) {
+ System.out.println(files.get(0) + " " +
+ String.format(rb.getString(
+ "(and %d more)"), files.size()-1));
+ } else {
+ System.out.println(files.get(0));
+ }
+ }
+ System.out.printf(key.substring(pipe+1));
+ }
+ }
System.out.println();
System.out.println(rb.getString(
" s = signature was verified "));
@@ -589,9 +721,12 @@ public class JarSigner {
" k = at least one certificate was found in keystore"));
System.out.println(rb.getString(
" i = at least one certificate was found in identity scope"));
+ if (ckaliases.size() > 0) {
+ System.out.println((
+ " X = not signed by specified alias(es)"));
+ }
System.out.println();
}
-
if (man == null)
System.out.println(rb.getString("no manifest."));
@@ -602,7 +737,8 @@ public class JarSigner {
System.out.println(rb.getString("jar verified."));
if (hasUnsignedEntry || hasExpiredCert || hasExpiringCert ||
badKeyUsage || badExtendedKeyUsage || badNetscapeCertType ||
- notYetValidCert) {
+ notYetValidCert || chainNotValidated ||
+ aliasNotInStore || notSignedByAlias) {
System.out.println();
System.out.println(rb.getString("Warning: "));
@@ -638,14 +774,27 @@ public class JarSigner {
"This jar contains entries whose signer certificate is not yet valid. "));
}
- if (! (verbose && showcerts)) {
+ if (chainNotValidated) {
+ System.out.println(
+ rb.getString("This jar contains entries whose certificate chain is not validated."));
+ }
+
+ if (notSignedByAlias) {
+ System.out.println(
+ rb.getString("This jar contains signed entries which is not signed by the specified alias(es)."));
+ }
+
+ if (aliasNotInStore) {
+ System.out.println(rb.getString("This jar contains signed entries that's not signed by alias in this keystore."));
+ }
+ if (! (verbose != null && showcerts)) {
System.out.println();
System.out.println(rb.getString(
"Re-run with the -verbose and -certs options for more details."));
}
}
}
- System.exit(0);
+ return;
} catch (Exception e) {
System.out.println(rb.getString("jarsigner: ") + e);
if (debug) {
@@ -660,15 +809,6 @@ public class JarSigner {
System.exit(1);
}
- /*
- * Display some details about a certificate:
- *
- * [", " ] [" (" ")"]
- */
- String printCert(Certificate c) {
- return printCert("", c, false, 0);
- }
-
private static MessageFormat validityTimeForm = null;
private static MessageFormat notYetTimeForm = null;
private static MessageFormat expiredTimeForm = null;
@@ -679,6 +819,8 @@ public class JarSigner {
*
* [] [", " ] [" (" ")"]
* [ | ]
+ *
+ * Note: no newline character at the end
*/
String printCert(String tab, Certificate c, boolean checkValidityPeriod,
long now) {
@@ -788,54 +930,75 @@ public class JarSigner {
.append(signTimeForm.format(source)).append("]").toString();
}
+ private Map cacheForInKS =
+ new IdentityHashMap();
+
+ private int inKeyStoreForOneSigner(CodeSigner signer) {
+ if (cacheForInKS.containsKey(signer)) {
+ return cacheForInKS.get(signer);
+ }
+
+ boolean found = false;
+ int result = 0;
+ List extends Certificate> certs = signer.getSignerCertPath().getCertificates();
+ for (Certificate c : certs) {
+ String alias = storeHash.get(c);
+ if (alias != null) {
+ if (alias.startsWith("(")) {
+ result |= IN_KEYSTORE;
+ } else if (alias.startsWith("[")) {
+ result |= IN_SCOPE;
+ }
+ if (ckaliases.contains(alias.substring(1, alias.length() - 1))) {
+ result |= SIGNED_BY_ALIAS;
+ }
+ } else {
+ if (store != null) {
+ try {
+ alias = store.getCertificateAlias(c);
+ } catch (KeyStoreException kse) {
+ // never happens, because keystore has been loaded
+ }
+ if (alias != null) {
+ storeHash.put(c, "(" + alias + ")");
+ found = true;
+ result |= IN_KEYSTORE;
+ }
+ }
+ if (!found && (scope != null)) {
+ Identity id = scope.getIdentity(c.getPublicKey());
+ if (id != null) {
+ result |= IN_SCOPE;
+ storeHash.put(c, "[" + id.getName() + "]");
+ }
+ }
+ if (ckaliases.contains(alias)) {
+ result |= SIGNED_BY_ALIAS;
+ }
+ }
+ }
+ cacheForInKS.put(signer, result);
+ return result;
+ }
+
Hashtable storeHash =
new Hashtable();
int inKeyStore(CodeSigner[] signers) {
- int result = 0;
if (signers == null)
return 0;
- boolean found = false;
+ int output = 0;
- for (int i = 0; i < signers.length; i++) {
- found = false;
- List extends Certificate> certs =
- signers[i].getSignerCertPath().getCertificates();
-
- for (Certificate c : certs) {
- String alias = storeHash.get(c);
-
- if (alias != null) {
- if (alias.startsWith("("))
- result |= IN_KEYSTORE;
- else if (alias.startsWith("["))
- result |= IN_SCOPE;
- } else {
- if (store != null) {
- try {
- alias = store.getCertificateAlias(c);
- } catch (KeyStoreException kse) {
- // never happens, because keystore has been loaded
- }
- if (alias != null) {
- storeHash.put(c, "("+alias+")");
- found = true;
- result |= IN_KEYSTORE;
- }
- }
- if (!found && (scope != null)) {
- Identity id = scope.getIdentity(c.getPublicKey());
- if (id != null) {
- result |= IN_SCOPE;
- storeHash.put(c, "["+id.getName()+"]");
- }
- }
- }
- }
+ for (CodeSigner signer: signers) {
+ int result = inKeyStoreForOneSigner(signer);
+ output |= result;
}
- return result;
+ if (ckaliases.size() > 0 && (output & SIGNED_BY_ALIAS) == 0) {
+ output |= NOT_ALIAS;
+ }
+ return output;
}
void signJar(String jarName, String alias, String[] args)
@@ -1025,7 +1188,7 @@ public class JarSigner {
// manifest file has new length
mfFile = new ZipEntry(JarFile.MANIFEST_NAME);
}
- if (verbose) {
+ if (verbose != null) {
if (mfCreated) {
System.out.println(rb.getString(" adding: ") +
mfFile.getName());
@@ -1076,7 +1239,7 @@ public class JarSigner {
// signature file
zos.putNextEntry(sfFile);
sf.write(zos);
- if (verbose) {
+ if (verbose != null) {
if (zipFile.getEntry(sfFilename) != null) {
System.out.println(rb.getString(" updating: ") +
sfFilename);
@@ -1086,7 +1249,7 @@ public class JarSigner {
}
}
- if (verbose) {
+ if (verbose != null) {
if (tsaUrl != null || tsaCert != null) {
System.out.println(
rb.getString("requesting a signature timestamp"));
@@ -1101,8 +1264,8 @@ public class JarSigner {
System.out.println(rb.getString("TSA location: ") +
certUrl);
}
- System.out.println(
- rb.getString("TSA certificate: ") + printCert(tsaCert));
+ System.out.println(rb.getString("TSA certificate: ") +
+ printCert("", tsaCert, false, 0));
}
if (signingMechanism != null) {
System.out.println(
@@ -1113,7 +1276,7 @@ public class JarSigner {
// signature block file
zos.putNextEntry(bkFile);
block.write(zos);
- if (verbose) {
+ if (verbose != null) {
if (zipFile.getEntry(bkFilename) != null) {
System.out.println(rb.getString(" updating: ") +
bkFilename);
@@ -1140,7 +1303,7 @@ public class JarSigner {
ZipEntry ze = enum_.nextElement();
if (!ze.getName().startsWith(META_INF)) {
- if (verbose) {
+ if (verbose != null) {
if (manifest.getAttributes(ze.getName()) != null)
System.out.println(rb.getString(" signing: ") +
ze.getName());
@@ -1194,7 +1357,8 @@ public class JarSigner {
}
if (hasExpiredCert || hasExpiringCert || notYetValidCert
- || badKeyUsage || badExtendedKeyUsage || badNetscapeCertType) {
+ || badKeyUsage || badExtendedKeyUsage
+ || badNetscapeCertType || chainNotValidated) {
System.out.println();
System.out.println(rb.getString("Warning: "));
@@ -1223,6 +1387,11 @@ public class JarSigner {
System.out.println(
rb.getString("The signer certificate is not yet valid."));
}
+
+ if (chainNotValidated) {
+ System.out.println(
+ rb.getString("The signer's certificate chain is not validated."));
+ }
}
// no IOException thrown in the above try clause, so disable
@@ -1274,6 +1443,40 @@ public class JarSigner {
return false;
}
+ Map cacheForSignerInfo = new IdentityHashMap();
+
+ /**
+ * Returns a string of singer info, with a newline at the end
+ */
+ private String signerInfo(CodeSigner signer, String tab, long now) {
+ if (cacheForSignerInfo.containsKey(signer)) {
+ return cacheForSignerInfo.get(signer);
+ }
+ StringBuffer s = new StringBuffer();
+ List extends Certificate> certs = signer.getSignerCertPath().getCertificates();
+ // display the signature timestamp, if present
+ Timestamp timestamp = signer.getTimestamp();
+ if (timestamp != null) {
+ s.append(printTimestamp(tab, timestamp));
+ }
+ // display the certificate(s)
+ for (Certificate c : certs) {
+ s.append(printCert(tab, c, true, now));
+ s.append('\n');
+ }
+ try {
+ CertPath cp = certificateFactory.generateCertPath(certs);
+ validator.validate(cp, pkixParameters);
+ } catch (Exception e) {
+ chainNotValidated = true;
+ s.append(tab + rb.getString("[CertPath not validated: ") +
+ e.getLocalizedMessage() + "]\n"); // TODO
+ }
+ String result = s.toString();
+ cacheForSignerInfo.put(signer, result);
+ return result;
+ }
+
private void writeEntry(ZipFile zf, ZipOutputStream os, ZipEntry ze)
throws IOException
{
@@ -1360,6 +1563,48 @@ public class JarSigner {
}
}
}
+ Set tas = new HashSet();
+ try {
+ KeyStore caks = KeyTool.getCacertsKeyStore();
+ if (caks != null) {
+ Enumeration aliases = caks.aliases();
+ while (aliases.hasMoreElements()) {
+ String a = aliases.nextElement();
+ try {
+ tas.add(new TrustAnchor((X509Certificate)caks.getCertificate(a), null));
+ } catch (Exception e2) {
+ // ignore, when a SecretkeyEntry does not include a cert
+ }
+ }
+ }
+ } catch (Exception e) {
+ // Ignore, if cacerts cannot be loaded
+ }
+ if (store != null) {
+ Enumeration aliases = store.aliases();
+ while (aliases.hasMoreElements()) {
+ String a = aliases.nextElement();
+ try {
+ X509Certificate c = (X509Certificate)store.getCertificate(a);
+ // Only add TrustedCertificateEntry and self-signed
+ // PrivateKeyEntry
+ if (store.isCertificateEntry(a) ||
+ c.getSubjectDN().equals(c.getIssuerDN())) {
+ tas.add(new TrustAnchor(c, null));
+ }
+ } catch (Exception e2) {
+ // ignore, when a SecretkeyEntry does not include a cert
+ }
+ }
+ }
+ certificateFactory = CertificateFactory.getInstance("X.509");
+ validator = CertPathValidator.getInstance("PKIX");
+ try {
+ pkixParameters = new PKIXParameters(tas);
+ pkixParameters.setRevocationEnabled(false);
+ } catch (InvalidAlgorithmParameterException ex) {
+ // Only if tas is empty
+ }
} catch (IOException ioe) {
throw new RuntimeException(rb.getString("keystore load: ") +
ioe.getMessage());
@@ -1408,7 +1653,8 @@ public class JarSigner {
void checkCertUsage(X509Certificate userCert, boolean[] bad) {
// Can act as a signer?
- // 1. if KeyUsage, then [0] should be true
+ // 1. if KeyUsage, then [0:digitalSignature] or
+ // [1:nonRepudiation] should be true
// 2. if ExtendedKeyUsage, then should contains ANY or CODE_SIGNING
// 3. if NetscapeCertType, then should contains OBJECT_SIGNING
// 1,2,3 must be true
@@ -1419,10 +1665,10 @@ public class JarSigner {
boolean[] keyUsage = userCert.getKeyUsage();
if (keyUsage != null) {
- if (keyUsage.length < 1 || !keyUsage[0]) {
+ keyUsage = Arrays.copyOf(keyUsage, 9);
+ if (!keyUsage[0] && !keyUsage[1]) {
if (bad != null) {
bad[0] = true;
- } else {
badKeyUsage = true;
}
}
@@ -1435,7 +1681,6 @@ public class JarSigner {
&& !xKeyUsage.contains("1.3.6.1.5.5.7.3.3")) { // codeSigning
if (bad != null) {
bad[1] = true;
- } else {
badExtendedKeyUsage = true;
}
}
@@ -1462,7 +1707,6 @@ public class JarSigner {
if (!val) {
if (bad != null) {
bad[2] = true;
- } else {
badNetscapeCertType = true;
}
}
@@ -1477,19 +1721,36 @@ public class JarSigner {
Key key = null;
try {
-
java.security.cert.Certificate[] cs = null;
-
- try {
- cs = store.getCertificateChain(alias);
- } catch (KeyStoreException kse) {
- // this never happens, because keystore has been loaded
+ if (altCertChain != null) {
+ try {
+ cs = CertificateFactory.getInstance("X.509").
+ generateCertificates(new FileInputStream(altCertChain)).
+ toArray(new Certificate[0]);
+ } catch (CertificateException ex) {
+ error(rb.getString("Cannot restore certchain from file specified"));
+ } catch (FileNotFoundException ex) {
+ error(rb.getString("File specified by -certchain does not exist"));
+ }
+ } else {
+ try {
+ cs = store.getCertificateChain(alias);
+ } catch (KeyStoreException kse) {
+ // this never happens, because keystore has been loaded
+ }
}
- if (cs == null) {
- MessageFormat form = new MessageFormat(rb.getString
- ("Certificate chain not found for: alias. alias must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain."));
- Object[] source = {alias, alias};
- error(form.format(source));
+ if (cs == null || cs.length == 0) {
+ if (altCertChain != null) {
+ error(rb.getString
+ ("Certificate chain not found in the file specified."));
+ } else {
+ MessageFormat form = new MessageFormat(rb.getString
+ ("Certificate chain not found for: alias. alias must" +
+ " reference a valid KeyStore key entry containing a" +
+ " private key and corresponding public key certificate chain."));
+ Object[] source = {alias, alias};
+ error(form.format(source));
+ }
}
certChain = new X509Certificate[cs.length];
@@ -1501,56 +1762,15 @@ public class JarSigner {
certChain[i] = (X509Certificate)cs[i];
}
- // order the cert chain if necessary (put user cert first,
- // root-cert last in the chain)
- X509Certificate userCert
- = (X509Certificate)store.getCertificate(alias);
+ // We don't meant to print anything, the next call
+ // checks validity and keyUsage etc
+ printCert("", certChain[0], true, 0);
- // check validity of signer certificate
try {
- userCert.checkValidity();
-
- if (userCert.getNotAfter().getTime() <
- System.currentTimeMillis() + SIX_MONTHS) {
-
- hasExpiringCert = true;
- }
- } catch (CertificateExpiredException cee) {
- hasExpiredCert = true;
-
- } catch (CertificateNotYetValidException cnyve) {
- notYetValidCert = true;
- }
-
- checkCertUsage(userCert, null);
-
- if (!userCert.equals(certChain[0])) {
- // need to order ...
- X509Certificate[] certChainTmp
- = new X509Certificate[certChain.length];
- certChainTmp[0] = userCert;
- Principal issuer = userCert.getIssuerDN();
- for (int i=1; i] keystore location",
"[-keystore ] keystore location"},
{"[-storepass ] password for keystore integrity",
@@ -64,6 +64,8 @@ public class JarSignerResources extends java.util.ListResourceBundle {
"[-storetype ] keystore type"},
{"[-keypass ] password for private key (if different)",
"[-keypass ] password for private key (if different)"},
+ {"[-certchain ] name of alternative certchain file",
+ "[-certchain ] name of alternative certchain file"},
{"[-sigfile ] name of .SF/.DSA file",
"[-sigfile ] name of .SF/.DSA file"},
{"[-signedjar ] name of signed JAR file",
@@ -74,8 +76,10 @@ public class JarSignerResources extends java.util.ListResourceBundle {
"[-sigalg ] name of signature algorithm"},
{"[-verify] verify a signed JAR file",
"[-verify] verify a signed JAR file"},
- {"[-verbose] verbose output when signing/verifying",
- "[-verbose] verbose output when signing/verifying"},
+ {"[-verbose[:suboptions]] verbose output when signing/verifying.",
+ "[-verbose[:suboptions]] verbose output when signing/verifying."},
+ {" suboptions can be all, grouped or summary",
+ " suboptions can be all, grouped or summary"},
{"[-certs] display certificates when verbose and verifying",
"[-certs] display certificates when verbose and verifying"},
{"[-tsa ] location of the Timestamping Authority",
@@ -98,10 +102,22 @@ public class JarSignerResources extends java.util.ListResourceBundle {
"[-providerClass name of cryptographic service provider's"},
{" [-providerArg ]] ... master class file and constructor argument",
" [-providerArg ]] ... master class file and constructor argument"},
+ {"[-strict] treat warnings as errors",
+ "[-strict] treat warnings as errors"},
+ {"Option lacks argument", "Option lacks argument"},
+ {"Please type jarsigner -help for usage", "Please type jarsigner -help for usage"},
+ {"Please specify jarfile name", "Please specify jarfile name"},
+ {"Please specify alias name", "Please specify alias name"},
+ {"Only one alias can be specified", "Only one alias can be specified"},
+ {"This jar contains signed entries which is not signed by the specified alias(es).",
+ "This jar contains signed entries which is not signed by the specified alias(es)."},
+ {"This jar contains signed entries that's not signed by alias in this keystore.",
+ "This jar contains signed entries that's not signed by alias in this keystore."},
{"s", "s"},
{"m", "m"},
{"k", "k"},
{"i", "i"},
+ {"(and %d more)", "(and %d more)"},
{" s = signature was verified ",
" s = signature was verified "},
{" m = entry is listed in manifest",
@@ -110,7 +126,11 @@ public class JarSignerResources extends java.util.ListResourceBundle {
" k = at least one certificate was found in keystore"},
{" i = at least one certificate was found in identity scope",
" i = at least one certificate was found in identity scope"},
+ {" X = not signed by specified alias(es)",
+ " X = not signed by specified alias(es)"},
{"no manifest.", "no manifest."},
+ {"(Signature related entries)","(Signature related entries)"},
+ {"(Unsigned entries)", "(Unsigned entries)"},
{"jar is unsigned. (signatures missing or not parsable)",
"jar is unsigned. (signatures missing or not parsable)"},
{"jar verified.", "jar verified."},
@@ -134,6 +154,12 @@ public class JarSignerResources extends java.util.ListResourceBundle {
"unable to instantiate keystore class: "},
{"Certificate chain not found for: alias. alias must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.",
"Certificate chain not found for: {0}. {1} must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain."},
+ {"File specified by -certchain does not exist",
+ "File specified by -certchain does not exist"},
+ {"Cannot restore certchain from file specified",
+ "Cannot restore certchain from file specified"},
+ {"Certificate chain not found in the file specified.",
+ "Certificate chain not found in the file specified."},
{"found non-X.509 certificate in signer's chain",
"found non-X.509 certificate in signer's chain"},
{"incomplete certificate chain", "incomplete certificate chain"},
@@ -149,6 +175,7 @@ public class JarSignerResources extends java.util.ListResourceBundle {
{"certificate is not valid until",
"certificate is not valid until {0}"},
{"certificate will expire on", "certificate will expire on {0}"},
+ {"[CertPath not validated: ", "[CertPath not validated: "},
{"requesting a signature timestamp",
"requesting a signature timestamp"},
{"TSA location: ", "TSA location: "},
@@ -189,14 +216,18 @@ public class JarSignerResources extends java.util.ListResourceBundle {
"The signer certificate's ExtendedKeyUsage extension doesn't allow code signing."},
{"The signer certificate's NetscapeCertType extension doesn't allow code signing.",
"The signer certificate's NetscapeCertType extension doesn't allow code signing."},
- {"This jar contains entries whose signer certificate's KeyUsage extension doesn't allow code signing.",
- "This jar contains entries whose signer certificate's KeyUsage extension doesn't allow code signing."},
- {"This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing.",
- "This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing."},
- {"This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing.",
- "This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing."},
+ {"This jar contains entries whose signer certificate's KeyUsage extension doesn't allow code signing.",
+ "This jar contains entries whose signer certificate's KeyUsage extension doesn't allow code signing."},
+ {"This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing.",
+ "This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing."},
+ {"This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing.",
+ "This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing."},
{"[{0} extension does not support code signing]",
"[{0} extension does not support code signing]"},
+ {"The signer's certificate chain is not validated.",
+ "The signer's certificate chain is not validated."},
+ {"This jar contains entries whose certificate chain is not validated.",
+ "This jar contains entries whose certificate chain is not validated."},
};
/**
diff --git a/jdk/src/share/classes/sun/security/tools/KeyTool.java b/jdk/src/share/classes/sun/security/tools/KeyTool.java
index 163e78fc5cf..1ce3ab21a02 100644
--- a/jdk/src/share/classes/sun/security/tools/KeyTool.java
+++ b/jdk/src/share/classes/sun/security/tools/KeyTool.java
@@ -3108,7 +3108,7 @@ public final class KeyTool {
/**
* Returns the keystore with the configured CA certificates.
*/
- private KeyStore getCacertsKeyStore()
+ public static KeyStore getCacertsKeyStore()
throws Exception
{
String sep = File.separator;
diff --git a/jdk/test/sun/security/tools/jarsigner/concise_jarsigner.sh b/jdk/test/sun/security/tools/jarsigner/concise_jarsigner.sh
new file mode 100644
index 00000000000..1c9eaabe396
--- /dev/null
+++ b/jdk/test/sun/security/tools/jarsigner/concise_jarsigner.sh
@@ -0,0 +1,200 @@
+#
+# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+# @test
+# @bug 6802846
+# @summary jarsigner needs enhanced cert validation(options)
+#
+# @run shell concise_jarsigner.sh
+#
+
+if [ "${TESTJAVA}" = "" ] ; then
+ JAVAC_CMD=`which javac`
+ TESTJAVA=`dirname $JAVAC_CMD`/..
+fi
+
+# set platform-dependent variables
+OS=`uname -s`
+case "$OS" in
+ Windows_* )
+ FS="\\"
+ ;;
+ * )
+ FS="/"
+ ;;
+esac
+
+KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit -keystore js.jks"
+JAR=$TESTJAVA${FS}bin${FS}jar
+JARSIGNER=$TESTJAVA${FS}bin${FS}jarsigner
+JAVAC=$TESTJAVA${FS}bin${FS}javac
+
+rm js.jks
+
+echo class A1 {} > A1.java
+echo class A2 {} > A2.java
+echo class A3 {} > A3.java
+echo class A4 {} > A4.java
+echo class A5 {} > A5.java
+echo class A6 {} > A6.java
+
+$JAVAC A1.java A2.java A3.java A4.java A5.java A6.java
+YEAR=`date +%Y`
+
+# ==========================================================
+# First part: output format
+# ==========================================================
+
+$KT -genkeypair -alias a1 -dname CN=a1 -validity 365
+$KT -genkeypair -alias a2 -dname CN=a2 -validity 365
+
+# a.jar includes 8 unsigned, 2 signed by a1 and a2, 2 signed by a3
+$JAR cvf a.jar A1.class A2.class
+$JARSIGNER -keystore js.jks -storepass changeit a.jar a1
+$JAR uvf a.jar A3.class A4.class
+$JARSIGNER -keystore js.jks -storepass changeit a.jar a2
+$JAR uvf a.jar A5.class A6.class
+
+# Verify OK
+$JARSIGNER -verify a.jar
+[ $? = 0 ] || exit $LINENO
+
+# 4(chainNotValidated)+16(hasUnsignedEntry)+32(aliasNotInStore)
+$JARSIGNER -verify a.jar -strict
+[ $? = 52 ] || exit $LINENO
+
+# 16(hasUnsignedEntry)
+$JARSIGNER -verify a.jar -strict -keystore js.jks
+[ $? = 16 ] || exit $LINENO
+
+# 16(hasUnsignedEntry)+32(notSignedByAlias)
+$JARSIGNER -verify a.jar a1 -strict -keystore js.jks
+[ $? = 48 ] || exit $LINENO
+
+# 16(hasUnsignedEntry)
+$JARSIGNER -verify a.jar a1 a2 -strict -keystore js.jks
+[ $? = 16 ] || exit $LINENO
+
+# 12 entries all together
+LINES=`$JARSIGNER -verify a.jar -verbose | grep $YEAR | wc -l`
+[ $LINES = 12 ] || exit $LINENO
+
+# 12 entries all listed
+LINES=`$JARSIGNER -verify a.jar -verbose:grouped | grep $YEAR | wc -l`
+[ $LINES = 12 ] || exit $LINENO
+
+# 3 groups: unrelated, signed, unsigned
+LINES=`$JARSIGNER -verify a.jar -verbose:summary | grep $YEAR | wc -l`
+[ $LINES = 3 ] || exit $LINENO
+
+# 4 groups: unrelated, signed by a1/a2, signed by a2, unsigned
+LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep $YEAR | wc -l`
+[ $LINES = 4 ] || exit $LINENO
+
+# 2*2 for A1/A2, 2 for A3/A4
+LINES=`$JARSIGNER -verify a.jar -verbose -certs | grep "\[certificate" | wc -l`
+[ $LINES = 6 ] || exit $LINENO
+
+# a1,a2 for A1/A2, a2 for A3/A4
+LINES=`$JARSIGNER -verify a.jar -verbose:grouped -certs | grep "\[certificate" | wc -l`
+[ $LINES = 3 ] || exit $LINENO
+
+# a1,a2 for A1/A2, a2 for A3/A4
+LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep "\[certificate" | wc -l`
+[ $LINES = 3 ] || exit $LINENO
+
+# 4 groups
+LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep "more)" | wc -l`
+[ $LINES = 4 ] || exit $LINENO
+
+# ==========================================================
+# Second part: exit code 2, 4, 8
+# 16 and 32 already covered in the first part
+# ==========================================================
+
+$KT -genkeypair -alias expiring -dname CN=expiring -startdate -1m
+$KT -genkeypair -alias expired -dname CN=expired -startdate -10m
+$KT -genkeypair -alias notyetvalid -dname CN=notyetvalid -startdate +1m
+$KT -genkeypair -alias badku -dname CN=badku -ext KU=cRLSign -validity 365
+$KT -genkeypair -alias badeku -dname CN=badeku -ext EKU=sa -validity 365
+$KT -genkeypair -alias goodku -dname CN=goodku -ext KU=dig -validity 365
+$KT -genkeypair -alias goodeku -dname CN=goodeku -ext EKU=codesign -validity 365
+
+# badchain signed by ca, but ca is removed later
+$KT -genkeypair -alias badchain -dname CN=badchain -validity 365
+$KT -genkeypair -alias ca -dname CN=ca -ext bc -validity 365
+$KT -certreq -alias badchain | $KT -gencert -alias ca -validity 365 | \
+ $KT -importcert -alias badchain
+$KT -delete -alias ca
+
+$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar expiring
+[ $? = 2 ] || exit $LINENO
+
+$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar expired
+[ $? = 4 ] || exit $LINENO
+
+$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar notyetvalid
+[ $? = 4 ] || exit $LINENO
+
+$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar badku
+[ $? = 8 ] || exit $LINENO
+
+$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar badeku
+[ $? = 8 ] || exit $LINENO
+
+$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar goodku
+[ $? = 0 ] || exit $LINENO
+
+$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar goodeku
+[ $? = 0 ] || exit $LINENO
+
+$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar badchain
+[ $? = 4 ] || exit $LINENO
+
+$JARSIGNER -verify a.jar
+[ $? = 0 ] || exit $LINENO
+
+# ==========================================================
+# Third part: -certchain test
+# ==========================================================
+
+# altchain signed by ca2, but ca2 is removed later
+$KT -genkeypair -alias altchain -dname CN=altchain -validity 365
+$KT -genkeypair -alias ca2 -dname CN=ca2 -ext bc -validity 365
+$KT -certreq -alias altchain | $KT -gencert -alias ca2 -validity 365 -rfc > certchain
+$KT -exportcert -alias ca2 -rfc >> certchain
+$KT -delete -alias ca2
+
+# Now altchain is still self-signed
+$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar altchain
+[ $? = 0 ] || exit $LINENO
+
+# If -certchain is used, then it's bad
+$JARSIGNER -strict -keystore js.jks -storepass changeit -certchain certchain a.jar altchain
+[ $? = 4 ] || exit $LINENO
+
+$JARSIGNER -verify a.jar
+[ $? = 0 ] || exit $LINENO
+
+echo OK
+exit 0
From f59df4d48967de362500257eec95251589832698 Mon Sep 17 00:00:00 2001
From: Alan Bateman
Date: Fri, 27 Mar 2009 15:24:37 +0000
Subject: [PATCH 10/14] 6693490: (se) select throws "File exists" IOException
under load (lnx)
Reviewed-by: sherman
---
.../share/classes/sun/nio/ch/SelChImpl.java | 3 +-
.../classes/sun/nio/ch/EPollArrayWrapper.java | 88 +++++++-----
.../classes/sun/nio/ch/EPollSelectorImpl.java | 15 +--
.../channels/Selector/RegAfterPreClose.java | 127 ++++++++++++++++++
4 files changed, 188 insertions(+), 45 deletions(-)
create mode 100644 jdk/test/java/nio/channels/Selector/RegAfterPreClose.java
diff --git a/jdk/src/share/classes/sun/nio/ch/SelChImpl.java b/jdk/src/share/classes/sun/nio/ch/SelChImpl.java
index 0ef4d357f8d..fb1571d84d2 100644
--- a/jdk/src/share/classes/sun/nio/ch/SelChImpl.java
+++ b/jdk/src/share/classes/sun/nio/ch/SelChImpl.java
@@ -25,6 +25,7 @@
package sun.nio.ch;
+import java.nio.channels.Channel;
import java.io.FileDescriptor;
import java.io.IOException;
@@ -35,7 +36,7 @@ import java.io.IOException;
* @since 1.4
*/
-interface SelChImpl {
+interface SelChImpl extends Channel {
FileDescriptor getFD();
diff --git a/jdk/src/solaris/classes/sun/nio/ch/EPollArrayWrapper.java b/jdk/src/solaris/classes/sun/nio/ch/EPollArrayWrapper.java
index 362bd97089c..622ff8d4764 100644
--- a/jdk/src/solaris/classes/sun/nio/ch/EPollArrayWrapper.java
+++ b/jdk/src/solaris/classes/sun/nio/ch/EPollArrayWrapper.java
@@ -78,8 +78,8 @@ class EPollArrayWrapper {
// Base address of the native pollArray
private final long pollArrayAddress;
- // Set of "idle" file descriptors
- private final HashSet idleSet;
+ // Set of "idle" channels
+ private final HashSet idleSet;
EPollArrayWrapper() {
// creates the epoll file descriptor
@@ -96,19 +96,22 @@ class EPollArrayWrapper {
}
// create idle set
- idleSet = new HashSet();
+ idleSet = new HashSet();
}
// Used to update file description registrations
private static class Updator {
+ SelChImpl channel;
int opcode;
- int fd;
int events;
- Updator(int opcode, int fd, int events) {
+ Updator(SelChImpl channel, int opcode, int events) {
+ this.channel = channel;
this.opcode = opcode;
- this.fd = fd;
this.events = events;
}
+ Updator(SelChImpl channel, int opcode) {
+ this(channel, opcode, 0);
+ }
}
private LinkedList updateList = new LinkedList();
@@ -163,60 +166,54 @@ class EPollArrayWrapper {
}
/**
- * Update the events for a given file descriptor.
+ * Update the events for a given channel.
*/
- void setInterest(int fd, int mask) {
+ void setInterest(SelChImpl channel, int mask) {
synchronized (updateList) {
-
- // if the interest events are 0 then add to idle set, and delete
- // from epoll if registered (or pending)
- if (mask == 0) {
- if (idleSet.add(fd)) {
- updateList.add(new Updator(EPOLL_CTL_DEL, fd, 0));
- }
- return;
- }
-
- // if file descriptor is idle then add to epoll
- if (!idleSet.isEmpty() && idleSet.remove(fd)) {
- updateList.add(new Updator(EPOLL_CTL_ADD, fd, mask));
- return;
- }
-
// if the previous pending operation is to add this file descriptor
// to epoll then update its event set
if (updateList.size() > 0) {
Updator last = updateList.getLast();
- if (last.fd == fd && last.opcode == EPOLL_CTL_ADD) {
+ if (last.channel == channel && last.opcode == EPOLL_CTL_ADD) {
last.events = mask;
return;
}
}
// update existing registration
- updateList.add(new Updator(EPOLL_CTL_MOD, fd, mask));
+ updateList.add(new Updator(channel, EPOLL_CTL_MOD, mask));
}
}
/**
- * Add a new file descriptor to epoll
+ * Add a channel's file descriptor to epoll
*/
- void add(int fd) {
+ void add(SelChImpl channel) {
synchronized (updateList) {
- updateList.add(new Updator(EPOLL_CTL_ADD, fd, 0));
+ updateList.add(new Updator(channel, EPOLL_CTL_ADD));
}
}
/**
- * Remove a file descriptor from epoll
+ * Remove a channel's file descriptor from epoll
*/
- void release(int fd) {
+ void release(SelChImpl channel) {
synchronized (updateList) {
- // if file descriptor is idle then remove from idle set, otherwise
- // delete from epoll
- if (!idleSet.remove(fd)) {
- updateList.add(new Updator(EPOLL_CTL_DEL, fd, 0));
+ // flush any pending updates
+ int i = 0;
+ while (i < updateList.size()) {
+ if (updateList.get(i).channel == channel) {
+ updateList.remove(i);
+ } else {
+ i++;
+ }
}
+
+ // remove from the idle set (if present)
+ idleSet.remove(channel);
+
+ // remove from epoll (if registered)
+ epollCtl(epfd, EPOLL_CTL_DEL, channel.getFDVal(), 0);
}
}
@@ -248,7 +245,26 @@ class EPollArrayWrapper {
synchronized (updateList) {
Updator u = null;
while ((u = updateList.poll()) != null) {
- epollCtl(epfd, u.opcode, u.fd, u.events);
+ SelChImpl ch = u.channel;
+ if (!ch.isOpen())
+ continue;
+
+ // if the events are 0 then file descriptor is put into "idle
+ // set" to prevent it being polled
+ if (u.events == 0) {
+ boolean added = idleSet.add(u.channel);
+ // if added to idle set then remove from epoll if registered
+ if (added && (u.opcode == EPOLL_CTL_MOD))
+ epollCtl(epfd, EPOLL_CTL_DEL, ch.getFDVal(), 0);
+ } else {
+ // events are specified. If file descriptor was in idle set
+ // it must be re-registered (by converting opcode to ADD)
+ boolean idle = false;
+ if (!idleSet.isEmpty())
+ idle = idleSet.remove(u.channel);
+ int opcode = (idle) ? EPOLL_CTL_ADD : u.opcode;
+ epollCtl(epfd, opcode, ch.getFDVal(), u.events);
+ }
}
}
}
diff --git a/jdk/src/solaris/classes/sun/nio/ch/EPollSelectorImpl.java b/jdk/src/solaris/classes/sun/nio/ch/EPollSelectorImpl.java
index a9bf82353f6..505d8b7bb4e 100644
--- a/jdk/src/solaris/classes/sun/nio/ch/EPollSelectorImpl.java
+++ b/jdk/src/solaris/classes/sun/nio/ch/EPollSelectorImpl.java
@@ -139,7 +139,6 @@ class EPollSelectorImpl
FileDispatcherImpl.closeIntFD(fd0);
FileDispatcherImpl.closeIntFD(fd1);
- pollWrapper.release(fd0);
pollWrapper.closeEPollFD();
// it is possible
selectedKeys = null;
@@ -162,17 +161,18 @@ class EPollSelectorImpl
protected void implRegister(SelectionKeyImpl ski) {
if (closed)
throw new ClosedSelectorException();
- int fd = IOUtil.fdVal(ski.channel.getFD());
- fdToKey.put(Integer.valueOf(fd), ski);
- pollWrapper.add(fd);
+ SelChImpl ch = ski.channel;
+ fdToKey.put(Integer.valueOf(ch.getFDVal()), ski);
+ pollWrapper.add(ch);
keys.add(ski);
}
protected void implDereg(SelectionKeyImpl ski) throws IOException {
assert (ski.getIndex() >= 0);
- int fd = ski.channel.getFDVal();
+ SelChImpl ch = ski.channel;
+ int fd = ch.getFDVal();
fdToKey.remove(Integer.valueOf(fd));
- pollWrapper.release(fd);
+ pollWrapper.release(ch);
ski.setIndex(-1);
keys.remove(ski);
selectedKeys.remove(ski);
@@ -185,8 +185,7 @@ class EPollSelectorImpl
void putEventOps(SelectionKeyImpl sk, int ops) {
if (closed)
throw new ClosedSelectorException();
- int fd = IOUtil.fdVal(sk.channel.getFD());
- pollWrapper.setInterest(fd, ops);
+ pollWrapper.setInterest(sk.channel, ops);
}
public Selector wakeup() {
diff --git a/jdk/test/java/nio/channels/Selector/RegAfterPreClose.java b/jdk/test/java/nio/channels/Selector/RegAfterPreClose.java
new file mode 100644
index 00000000000..c5f6be1d60c
--- /dev/null
+++ b/jdk/test/java/nio/channels/Selector/RegAfterPreClose.java
@@ -0,0 +1,127 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/* @test
+ * @bug 6693490
+ * @summary Pre-close file descriptor may inadvertently get registered with
+ * epoll during close
+ */
+
+import java.net.*;
+import java.nio.channels.*;
+import java.util.concurrent.*;
+import java.util.*;
+import java.io.IOException;
+
+public class RegAfterPreClose {
+
+ static volatile boolean done;
+
+ /**
+ * A task that continuously connects to a given address and immediately
+ * closes the connection.
+ */
+ static class Connector implements Runnable {
+ private final SocketAddress sa;
+ Connector(int port) throws IOException {
+ InetAddress lh = InetAddress.getLocalHost();
+ this.sa = new InetSocketAddress(lh, port);
+ }
+ public void run() {
+ while (!done) {
+ try {
+ SocketChannel.open(sa).close();
+ } catch (IOException x) {
+ // back-off as probably resource related
+ try {
+ Thread.sleep(10);
+ } catch (InterruptedException ignore) { }
+ }
+ }
+ }
+ }
+
+ /**
+ * A task that closes a channel.
+ */
+ static class Closer implements Runnable {
+ private final Channel channel;
+ Closer(Channel sc) {
+ this.channel = sc;
+ }
+ public void run() {
+ try {
+ channel.close();
+ } catch (IOException ignore) { }
+ }
+ }
+
+ public static void main(String[] args) throws Exception {
+ // create listener
+ InetSocketAddress isa = new InetSocketAddress(0);
+ ServerSocketChannel ssc = ServerSocketChannel.open();
+ ssc.socket().bind(isa);
+
+ // register with Selector
+ final Selector sel = Selector.open();
+ ssc.configureBlocking(false);
+ SelectionKey key = ssc.register(sel, SelectionKey.OP_ACCEPT);
+
+ ThreadFactory factory = new ThreadFactory() {
+ @Override
+ public Thread newThread(Runnable r) {
+ Thread t = new Thread(r);
+ t.setDaemon(true);
+ return t;
+ }
+ };
+
+ // schedule test to run for 1 minute
+ Executors.newScheduledThreadPool(1, factory).schedule(new Runnable() {
+ public void run() {
+ done = true;
+ sel.wakeup();
+ }}, 1, TimeUnit.MINUTES);
+
+ // create Executor that handles tasks that closes channels
+ // "asynchronously" - this creates the conditions to provoke the bug.
+ Executor executor = Executors.newFixedThreadPool(2, factory);
+
+ // submit task that connects to listener
+ executor.execute(new Connector(ssc.socket().getLocalPort()));
+
+ // loop accepting connections until done (or an IOException is thrown)
+ while (!done) {
+ sel.select();
+ if (key.isAcceptable()) {
+ SocketChannel sc = ssc.accept();
+ if (sc != null) {
+ sc.configureBlocking(false);
+ sc.register(sel, SelectionKey.OP_READ);
+ executor.execute(new Closer(sc));
+ }
+ }
+ sel.selectedKeys().clear();
+ }
+ }
+}
From de8096cf4822983d870d6ee7c008d9cc282c45d7 Mon Sep 17 00:00:00 2001
From: Alan Bateman
Date: Fri, 27 Mar 2009 16:04:05 +0000
Subject: [PATCH 11/14] 6772303: (se) IOException: Invalid argument" thrown on
a call to Selector.select(value) with -d64
Reviewed-by: sherman
---
jdk/src/solaris/native/sun/nio/ch/DevPollArrayWrapper.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/jdk/src/solaris/native/sun/nio/ch/DevPollArrayWrapper.c b/jdk/src/solaris/native/sun/nio/ch/DevPollArrayWrapper.c
index 090c77e6774..fa36f612bff 100644
--- a/jdk/src/solaris/native/sun/nio/ch/DevPollArrayWrapper.c
+++ b/jdk/src/solaris/native/sun/nio/ch/DevPollArrayWrapper.c
@@ -28,6 +28,7 @@
#include "jvm.h"
#include "jlong.h"
#include "sun_nio_ch_DevPollArrayWrapper.h"
+#include "java_lang_Integer.h"
#include
#include
#include
@@ -192,7 +193,11 @@ Java_sun_nio_ch_DevPollArrayWrapper_fdLimit(JNIEnv *env, jclass this)
JNU_ThrowIOExceptionWithLastError(env,
"getrlimit failed");
}
- return (jint)rlp.rlim_max;
+ if (rlp.rlim_max < 0 || rlp.rlim_max > java_lang_Integer_MAX_VALUE) {
+ return java_lang_Integer_MAX_VALUE;
+ } else {
+ return (jint)rlp.rlim_max;
+ }
}
JNIEXPORT void JNICALL
From 1870624c08204c56a9f5c46935bbbd52012950e1 Mon Sep 17 00:00:00 2001
From: Mandy Chung
Date: Tue, 31 Mar 2009 23:52:04 -0700
Subject: [PATCH 12/14] 6819110: Lazily load Sun digest provider for jar
verification
Lazily call Providers.getSunProvider() instead of at static initializer
Reviewed-by: mullan
---
.../classes/sun/security/util/ManifestEntryVerifier.java | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/jdk/src/share/classes/sun/security/util/ManifestEntryVerifier.java b/jdk/src/share/classes/sun/security/util/ManifestEntryVerifier.java
index c528d95c8b1..b713f16e768 100644
--- a/jdk/src/share/classes/sun/security/util/ManifestEntryVerifier.java
+++ b/jdk/src/share/classes/sun/security/util/ManifestEntryVerifier.java
@@ -44,8 +44,6 @@ public class ManifestEntryVerifier {
private static final Debug debug = Debug.getInstance("jar");
- private static final Provider digestProvider = Providers.getSunProvider();
-
/** the created digest objects */
HashMap createdDigests;
@@ -127,7 +125,7 @@ public class ManifestEntryVerifier {
try {
digest = MessageDigest.getInstance
- (algorithm, digestProvider);
+ (algorithm, Providers.getSunProvider());
createdDigests.put(algorithm, digest);
} catch (NoSuchAlgorithmException nsae) {
// ignore
From 21aa30606a26191e0418ab9fdfd04d9ecfe155a0 Mon Sep 17 00:00:00 2001
From: Xueming Shen
Date: Thu, 2 Apr 2009 15:35:46 -0700
Subject: [PATCH 13/14] 4681995: Add support for large (> 4GB) zip/jar files
The ZIP64 format support is added for > 4GB jar/zip files
Reviewed-by: alanb, martin
---
.../classes/java/util/zip/ZipConstants64.java | 77 +++++++
.../share/classes/java/util/zip/ZipEntry.java | 8 +-
.../classes/java/util/zip/ZipInputStream.java | 76 +++++--
.../java/util/zip/ZipOutputStream.java | 174 +++++++++++++---
.../share/classes/java/util/zip/package.html | 8 +-
jdk/src/share/native/java/util/zip/zip_util.c | 104 +++++++++-
jdk/src/share/native/java/util/zip/zip_util.h | 38 +++-
.../native/java/util/zip/zlib-1.1.3/zlib.h | 4 +-
jdk/test/java/util/zip/LargeZip.java | 193 ++++++++++++++++++
.../java/util/zip/ZipFile/LargeZipFile.java | 1 -
10 files changed, 629 insertions(+), 54 deletions(-)
create mode 100644 jdk/src/share/classes/java/util/zip/ZipConstants64.java
create mode 100644 jdk/test/java/util/zip/LargeZip.java
diff --git a/jdk/src/share/classes/java/util/zip/ZipConstants64.java b/jdk/src/share/classes/java/util/zip/ZipConstants64.java
new file mode 100644
index 00000000000..1bf3b1841b4
--- /dev/null
+++ b/jdk/src/share/classes/java/util/zip/ZipConstants64.java
@@ -0,0 +1,77 @@
+/*
+ * Copyright 1995-1996 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Sun designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Sun in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+package java.util.zip;
+
+/*
+ * This class defines the constants that are used by the classes
+ * which manipulate Zip64 files.
+ */
+
+class ZipConstants64 {
+
+ /*
+ * ZIP64 constants
+ */
+ static final long ZIP64_ENDSIG = 0x06064b50L; // "PK\006\006"
+ static final long ZIP64_LOCSIG = 0x07064b50L; // "PK\006\007"
+ static final int ZIP64_ENDHDR = 56; // ZIP64 end header size
+ static final int ZIP64_LOCHDR = 20; // ZIP64 end loc header size
+ static final int ZIP64_EXTHDR = 24; // EXT header size
+ static final int ZIP64_EXTID = 0x0001; // Extra field Zip64 header ID
+
+ static final int ZIP64_MAGICCOUNT = 0xFFFF;
+ static final long ZIP64_MAGICVAL = 0xFFFFFFFFL;
+
+ /*
+ * Zip64 End of central directory (END) header field offsets
+ */
+ static final int ZIP64_ENDLEN = 4; // size of zip64 end of central dir
+ static final int ZIP64_ENDVEM = 12; // version made by
+ static final int ZIP64_ENDVER = 14; // version needed to extract
+ static final int ZIP64_ENDNMD = 16; // number of this disk
+ static final int ZIP64_ENDDSK = 20; // disk number of start
+ static final int ZIP64_ENDTOD = 24; // total number of entries on this disk
+ static final int ZIP64_ENDTOT = 32; // total number of entries
+ static final int ZIP64_ENDSIZ = 40; // central directory size in bytes
+ static final int ZIP64_ENDOFF = 48; // offset of first CEN header
+ static final int ZIP64_ENDEXT = 56; // zip64 extensible data sector
+
+ /*
+ * Zip64 End of central directory locator field offsets
+ */
+ static final int ZIP64_LOCDSK = 4; // disk number start
+ static final int ZIP64_LOCOFF = 8; // offset of zip64 end
+ static final int ZIP64_LOCTOT = 16; // total number of disks
+
+ /*
+ * Zip64 Extra local (EXT) header field offsets
+ */
+ static final int ZIP64_EXTCRC = 4; // uncompressed file crc-32 value
+ static final int ZIP64_EXTSIZ = 8; // compressed size, 8-byte
+ static final int ZIP64_EXTLEN = 16; // uncompressed size, 8-byte
+
+ private ZipConstants64() {}
+}
diff --git a/jdk/src/share/classes/java/util/zip/ZipEntry.java b/jdk/src/share/classes/java/util/zip/ZipEntry.java
index bcc27e63a0f..6c16a9adb15 100644
--- a/jdk/src/share/classes/java/util/zip/ZipEntry.java
+++ b/jdk/src/share/classes/java/util/zip/ZipEntry.java
@@ -1,5 +1,5 @@
/*
- * Copyright 1995-2005 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 1995-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -144,11 +144,13 @@ class ZipEntry implements ZipConstants, Cloneable {
* Sets the uncompressed size of the entry data.
* @param size the uncompressed size in bytes
* @exception IllegalArgumentException if the specified size is less
- * than 0 or greater than 0xFFFFFFFF bytes
+ * than 0, is greater than 0xFFFFFFFF when
+ * ZIP64 format is not supported,
+ * or is less than 0 when ZIP64 is supported
* @see #getSize()
*/
public void setSize(long size) {
- if (size < 0 || size > 0xFFFFFFFFL) {
+ if (size < 0) {
throw new IllegalArgumentException("invalid entry size");
}
this.size = size;
diff --git a/jdk/src/share/classes/java/util/zip/ZipInputStream.java b/jdk/src/share/classes/java/util/zip/ZipInputStream.java
index e8f0ebdc5d9..1b9b93415cb 100644
--- a/jdk/src/share/classes/java/util/zip/ZipInputStream.java
+++ b/jdk/src/share/classes/java/util/zip/ZipInputStream.java
@@ -1,5 +1,5 @@
/*
- * Copyright 1996-2006 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 1996-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -29,6 +29,7 @@ import java.io.InputStream;
import java.io.IOException;
import java.io.EOFException;
import java.io.PushbackInputStream;
+import static java.util.zip.ZipConstants64.*;
/**
* This class implements an input stream filter for reading files in the
@@ -285,6 +286,29 @@ class ZipInputStream extends InflaterInputStream implements ZipConstants {
byte[] bb = new byte[len];
readFully(bb, 0, len);
e.setExtra(bb);
+ // extra fields are in "HeaderID(2)DataSize(2)Data... format
+ if (e.csize == ZIP64_MAGICVAL || e.size == ZIP64_MAGICVAL) {
+ int off = 0;
+ while (off + 4 < len) {
+ int sz = get16(bb, off + 2);
+ if (get16(bb, off) == ZIP64_EXTID) {
+ off += 4;
+ // LOC extra zip64 entry MUST include BOTH original and
+ // compressed file size fields
+ if (sz < 16 || (off + sz) > len ) {
+ // Invalid zip64 extra fields, simply skip. Even it's
+ // rare, it's possible the entry size happens to be
+ // the magic value and it "accidnetly" has some bytes
+ // in extra match the id.
+ return e;
+ }
+ e.size = get64(bb, off);
+ e.csize = get64(bb, off + 8);
+ break;
+ }
+ off += (sz + 4);
+ }
+ }
}
return e;
}
@@ -375,18 +399,36 @@ class ZipInputStream extends InflaterInputStream implements ZipConstants {
}
if ((flag & 8) == 8) {
/* "Data Descriptor" present */
- readFully(tmpbuf, 0, EXTHDR);
- long sig = get32(tmpbuf, 0);
- if (sig != EXTSIG) { // no EXTSIG present
- e.crc = sig;
- e.csize = get32(tmpbuf, EXTSIZ - EXTCRC);
- e.size = get32(tmpbuf, EXTLEN - EXTCRC);
- ((PushbackInputStream)in).unread(
- tmpbuf, EXTHDR - EXTCRC - 1, EXTCRC);
+ if (inf.getBytesWritten() > ZIP64_MAGICVAL ||
+ inf.getBytesRead() > ZIP64_MAGICVAL) {
+ // ZIP64 format
+ readFully(tmpbuf, 0, ZIP64_EXTHDR);
+ long sig = get32(tmpbuf, 0);
+ if (sig != EXTSIG) { // no EXTSIG present
+ e.crc = sig;
+ e.csize = get64(tmpbuf, ZIP64_EXTSIZ - ZIP64_EXTCRC);
+ e.size = get64(tmpbuf, ZIP64_EXTLEN - ZIP64_EXTCRC);
+ ((PushbackInputStream)in).unread(
+ tmpbuf, ZIP64_EXTHDR - ZIP64_EXTCRC - 1, ZIP64_EXTCRC);
+ } else {
+ e.crc = get32(tmpbuf, ZIP64_EXTCRC);
+ e.csize = get64(tmpbuf, ZIP64_EXTSIZ);
+ e.size = get64(tmpbuf, ZIP64_EXTLEN);
+ }
} else {
- e.crc = get32(tmpbuf, EXTCRC);
- e.csize = get32(tmpbuf, EXTSIZ);
- e.size = get32(tmpbuf, EXTLEN);
+ readFully(tmpbuf, 0, EXTHDR);
+ long sig = get32(tmpbuf, 0);
+ if (sig != EXTSIG) { // no EXTSIG present
+ e.crc = sig;
+ e.csize = get32(tmpbuf, EXTSIZ - EXTCRC);
+ e.size = get32(tmpbuf, EXTLEN - EXTCRC);
+ ((PushbackInputStream)in).unread(
+ tmpbuf, EXTHDR - EXTCRC - 1, EXTCRC);
+ } else {
+ e.crc = get32(tmpbuf, EXTCRC);
+ e.csize = get32(tmpbuf, EXTSIZ);
+ e.size = get32(tmpbuf, EXTLEN);
+ }
}
}
if (e.size != inf.getBytesWritten()) {
@@ -433,6 +475,14 @@ class ZipInputStream extends InflaterInputStream implements ZipConstants {
* The bytes are assumed to be in Intel (little-endian) byte order.
*/
private static final long get32(byte b[], int off) {
- return get16(b, off) | ((long)get16(b, off+2) << 16);
+ return (get16(b, off) | ((long)get16(b, off+2) << 16)) & 0xffffffffL;
+ }
+
+ /*
+ * Fetches signed 64-bit value from byte array at specified offset.
+ * The bytes are assumed to be in Intel (little-endian) byte order.
+ */
+ private static final long get64(byte b[], int off) {
+ return get32(b, off) | (get32(b, off+4) << 32);
}
}
diff --git a/jdk/src/share/classes/java/util/zip/ZipOutputStream.java b/jdk/src/share/classes/java/util/zip/ZipOutputStream.java
index 797a37392fe..bd44d3213cf 100644
--- a/jdk/src/share/classes/java/util/zip/ZipOutputStream.java
+++ b/jdk/src/share/classes/java/util/zip/ZipOutputStream.java
@@ -1,5 +1,5 @@
/*
- * Copyright 1996-2008 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 1996-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -29,6 +29,7 @@ import java.io.OutputStream;
import java.io.IOException;
import java.util.Vector;
import java.util.HashSet;
+import static java.util.zip.ZipConstants64.*;
/**
* This class implements an output stream filter for writing files in the
@@ -343,26 +344,52 @@ class ZipOutputStream extends DeflaterOutputStream implements ZipConstants {
private void writeLOC(XEntry xentry) throws IOException {
ZipEntry e = xentry.entry;
int flag = xentry.flag;
+ int elen = (e.extra != null) ? e.extra.length : 0;
+ boolean hasZip64 = false;
+
writeInt(LOCSIG); // LOC header signature
- writeShort(version(e)); // version needed to extract
- writeShort(flag); // general purpose bit flag
- writeShort(e.method); // compression method
- writeInt(e.time); // last modification time
+
if ((flag & 8) == 8) {
+ writeShort(version(e)); // version needed to extract
+ writeShort(flag); // general purpose bit flag
+ writeShort(e.method); // compression method
+ writeInt(e.time); // last modification time
+
// store size, uncompressed size, and crc-32 in data descriptor
// immediately following compressed entry data
writeInt(0);
writeInt(0);
writeInt(0);
} else {
- writeInt(e.crc); // crc-32
- writeInt(e.csize); // compressed size
- writeInt(e.size); // uncompressed size
+ if (e.csize >= ZIP64_MAGICVAL || e.size >= ZIP64_MAGICVAL) {
+ hasZip64 = true;
+ writeShort(45); // ver 4.5 for zip64
+ } else {
+ writeShort(version(e)); // version needed to extract
+ }
+ writeShort(flag); // general purpose bit flag
+ writeShort(e.method); // compression method
+ writeInt(e.time); // last modification time
+ writeInt(e.crc); // crc-32
+ if (hasZip64) {
+ writeInt(ZIP64_MAGICVAL);
+ writeInt(ZIP64_MAGICVAL);
+ elen += 20; //headid(2) + size(2) + size(8) + csize(8)
+ } else {
+ writeInt(e.csize); // compressed size
+ writeInt(e.size); // uncompressed size
+ }
}
byte[] nameBytes = getUTF8Bytes(e.name);
writeShort(nameBytes.length);
- writeShort(e.extra != null ? e.extra.length : 0);
+ writeShort(elen);
writeBytes(nameBytes, 0, nameBytes.length);
+ if (hasZip64) {
+ writeShort(ZIP64_EXTID);
+ writeShort(16);
+ writeLong(e.size);
+ writeLong(e.csize);
+ }
if (e.extra != null) {
writeBytes(e.extra, 0, e.extra.length);
}
@@ -375,8 +402,13 @@ class ZipOutputStream extends DeflaterOutputStream implements ZipConstants {
private void writeEXT(ZipEntry e) throws IOException {
writeInt(EXTSIG); // EXT header signature
writeInt(e.crc); // crc-32
- writeInt(e.csize); // compressed size
- writeInt(e.size); // uncompressed size
+ if (e.csize >= ZIP64_MAGICVAL || e.size >= ZIP64_MAGICVAL) {
+ writeLong(e.csize);
+ writeLong(e.size);
+ } else {
+ writeInt(e.csize); // compressed size
+ writeInt(e.size); // uncompressed size
+ }
}
/*
@@ -387,18 +419,49 @@ class ZipOutputStream extends DeflaterOutputStream implements ZipConstants {
ZipEntry e = xentry.entry;
int flag = xentry.flag;
int version = version(e);
+
+ long csize = e.csize;
+ long size = e.size;
+ long offset = xentry.offset;
+ int e64len = 0;
+ boolean hasZip64 = false;
+ if (e.csize >= ZIP64_MAGICVAL) {
+ csize = ZIP64_MAGICVAL;
+ e64len += 8; // csize(8)
+ hasZip64 = true;
+ }
+ if (e.size >= ZIP64_MAGICVAL) {
+ size = ZIP64_MAGICVAL; // size(8)
+ e64len += 8;
+ hasZip64 = true;
+ }
+ if (xentry.offset >= ZIP64_MAGICVAL) {
+ offset = ZIP64_MAGICVAL;
+ e64len += 8; // offset(8)
+ hasZip64 = true;
+ }
writeInt(CENSIG); // CEN header signature
- writeShort(version); // version made by
- writeShort(version); // version needed to extract
+ if (hasZip64) {
+ writeShort(45); // ver 4.5 for zip64
+ writeShort(45);
+ } else {
+ writeShort(version); // version made by
+ writeShort(version); // version needed to extract
+ }
writeShort(flag); // general purpose bit flag
writeShort(e.method); // compression method
writeInt(e.time); // last modification time
writeInt(e.crc); // crc-32
- writeInt(e.csize); // compressed size
- writeInt(e.size); // uncompressed size
+ writeInt(csize); // compressed size
+ writeInt(size); // uncompressed size
byte[] nameBytes = getUTF8Bytes(e.name);
writeShort(nameBytes.length);
- writeShort(e.extra != null ? e.extra.length : 0);
+ if (hasZip64) {
+ // + headid(2) + datasize(2)
+ writeShort(e64len + 4 + (e.extra != null ? e.extra.length : 0));
+ } else {
+ writeShort(e.extra != null ? e.extra.length : 0);
+ }
byte[] commentBytes;
if (e.comment != null) {
commentBytes = getUTF8Bytes(e.comment);
@@ -410,8 +473,18 @@ class ZipOutputStream extends DeflaterOutputStream implements ZipConstants {
writeShort(0); // starting disk number
writeShort(0); // internal file attributes (unused)
writeInt(0); // external file attributes (unused)
- writeInt(xentry.offset); // relative offset of local header
+ writeInt(offset); // relative offset of local header
writeBytes(nameBytes, 0, nameBytes.length);
+ if (hasZip64) {
+ writeShort(ZIP64_EXTID);// Zip64 extra
+ writeShort(e64len);
+ if (size == ZIP64_MAGICVAL)
+ writeLong(e.size);
+ if (csize == ZIP64_MAGICVAL)
+ writeLong(e.csize);
+ if (offset == ZIP64_MAGICVAL)
+ writeLong(xentry.offset);
+ }
if (e.extra != null) {
writeBytes(e.extra, 0, e.extra.length);
}
@@ -424,15 +497,50 @@ class ZipOutputStream extends DeflaterOutputStream implements ZipConstants {
* Writes end of central directory (END) header.
*/
private void writeEND(long off, long len) throws IOException {
+ boolean hasZip64 = false;
+ long xlen = len;
+ long xoff = off;
+ if (xlen >= ZIP64_MAGICVAL) {
+ xlen = ZIP64_MAGICVAL;
+ hasZip64 = true;
+ }
+ if (xoff >= ZIP64_MAGICVAL) {
+ xoff = ZIP64_MAGICVAL;
+ hasZip64 = true;
+ }
int count = xentries.size();
- writeInt(ENDSIG); // END record signature
- writeShort(0); // number of this disk
- writeShort(0); // central directory start disk
- writeShort(count); // number of directory entries on disk
- writeShort(count); // total number of directory entries
- writeInt(len); // length of central directory
- writeInt(off); // offset of central directory
- if (comment != null) { // zip file comment
+ if (count >= ZIP64_MAGICCOUNT) {
+ count = ZIP64_MAGICCOUNT;
+ hasZip64 = true;
+ }
+ if (hasZip64) {
+ long off64 = written;
+ //zip64 end of central directory record
+ writeInt(ZIP64_ENDSIG); // zip64 END record signature
+ writeLong(ZIP64_ENDHDR - 12); // size of zip64 end
+ writeShort(45); // version made by
+ writeShort(45); // version needed to extract
+ writeInt(0); // number of this disk
+ writeInt(0); // central directory start disk
+ writeLong(xentries.size()); // number of directory entires on disk
+ writeLong(xentries.size()); // number of directory entires
+ writeLong(len); // length of central directory
+ writeLong(off); // offset of central directory
+
+ //zip64 end of central directory locator
+ writeInt(ZIP64_LOCSIG); // zip64 END locator signature
+ writeInt(0); // zip64 END start disk
+ writeLong(off64); // offset of zip64 END
+ writeInt(1); // total number of disks (?)
+ }
+ writeInt(ENDSIG); // END record signature
+ writeShort(0); // number of this disk
+ writeShort(0); // central directory start disk
+ writeShort(count); // number of directory entries on disk
+ writeShort(count); // total number of directory entries
+ writeInt(xlen); // length of central directory
+ writeInt(xoff); // offset of central directory
+ if (comment != null) { // zip file comment
byte[] b = getUTF8Bytes(comment);
writeShort(b.length);
writeBytes(b, 0, b.length);
@@ -463,6 +571,22 @@ class ZipOutputStream extends DeflaterOutputStream implements ZipConstants {
written += 4;
}
+ /*
+ * Writes a 64-bit int to the output stream in little-endian byte order.
+ */
+ private void writeLong(long v) throws IOException {
+ OutputStream out = this.out;
+ out.write((int)((v >>> 0) & 0xff));
+ out.write((int)((v >>> 8) & 0xff));
+ out.write((int)((v >>> 16) & 0xff));
+ out.write((int)((v >>> 24) & 0xff));
+ out.write((int)((v >>> 32) & 0xff));
+ out.write((int)((v >>> 40) & 0xff));
+ out.write((int)((v >>> 48) & 0xff));
+ out.write((int)((v >>> 56) & 0xff));
+ written += 8;
+ }
+
/*
* Writes an array of bytes to the output stream.
*/
diff --git a/jdk/src/share/classes/java/util/zip/package.html b/jdk/src/share/classes/java/util/zip/package.html
index d32e0fa0f4a..d4b59263678 100644
--- a/jdk/src/share/classes/java/util/zip/package.html
+++ b/jdk/src/share/classes/java/util/zip/package.html
@@ -45,6 +45,13 @@ input streams.
Info-ZIP Application Note 970311
- a detailed description of the Info-ZIP format upon which
the java.util.zip
classes are based.
+
+
+ - An implementation may optionally support the ZIP64(tm) format extensions
+ defined by the
+
+ PKWARE ZIP File Format Specification. The ZIP64(tm) format extensions
+ are used to overcome the size limitations of the original ZIP format.
-
ZLIB Compressed Data Format Specification version 3.3
@@ -70,7 +77,6 @@ input streams.
- CRC-32 checksum is described in RFC 1952 (above)
- Adler-32 checksum is described in RFC 1950 (above)
-
diff --git a/jdk/src/share/native/java/util/zip/zip_util.c b/jdk/src/share/native/java/util/zip/zip_util.c
index f381629712c..89f52ae3bcc 100644
--- a/jdk/src/share/native/java/util/zip/zip_util.c
+++ b/jdk/src/share/native/java/util/zip/zip_util.c
@@ -312,6 +312,38 @@ findEND(jzfile *zip, void *endbuf)
return -1; /* END header not found */
}
+/*
+ * Searches for the ZIP64 end of central directory (END) header. The
+ * contents of the ZIP64 END header will be read and placed in end64buf.
+ * Returns the file position of the ZIP64 END header, otherwise returns
+ * -1 if the END header was not found or an error occurred.
+ *
+ * The ZIP format specifies the "position" of each related record as
+ * ...
+ * [central directory]
+ * [zip64 end of central directory record]
+ * [zip64 end of central directory locator]
+ * [end of central directory record]
+ *
+ * The offset of zip64 end locator can be calculated from endpos as
+ * "endpos - ZIP64_LOCHDR".
+ * The "offset" of zip64 end record is stored in zip64 end locator.
+ */
+static jlong
+findEND64(jzfile *zip, void *end64buf, jlong endpos)
+{
+ char loc64[ZIP64_LOCHDR];
+ jlong end64pos;
+ if (readFullyAt(zip->zfd, loc64, ZIP64_LOCHDR, endpos - ZIP64_LOCHDR) == -1) {
+ return -1; // end64 locator not found
+ }
+ end64pos = ZIP64_LOCOFF(loc64);
+ if (readFullyAt(zip->zfd, end64buf, ZIP64_ENDHDR, end64pos) == -1) {
+ return -1; // end64 record not found
+ }
+ return end64pos;
+}
+
/*
* Returns a hash code value for a C-style NUL-terminated string.
*/
@@ -463,7 +495,7 @@ static jlong
readCEN(jzfile *zip, jint knownTotal)
{
/* Following are unsigned 32-bit */
- jlong endpos, cenpos, cenlen;
+ jlong endpos, end64pos, cenpos, cenlen, cenoff;
/* Following are unsigned 16-bit */
jint total, tablelen, i, j;
unsigned char *cenbuf = NULL;
@@ -474,6 +506,7 @@ readCEN(jzfile *zip, jint knownTotal)
jlong offset;
#endif
unsigned char endbuf[ENDHDR];
+ jint endhdrlen = ENDHDR;
jzcell *entries;
jint *table;
@@ -490,13 +523,27 @@ readCEN(jzfile *zip, jint knownTotal)
/* Get position and length of central directory */
cenlen = ENDSIZ(endbuf);
+ cenoff = ENDOFF(endbuf);
+ total = ENDTOT(endbuf);
+ if (cenlen == ZIP64_MAGICVAL || cenoff == ZIP64_MAGICVAL ||
+ total == ZIP64_MAGICCOUNT) {
+ unsigned char end64buf[ZIP64_ENDHDR];
+ if ((end64pos = findEND64(zip, end64buf, endpos)) != -1) {
+ cenlen = ZIP64_ENDSIZ(end64buf);
+ cenoff = ZIP64_ENDOFF(end64buf);
+ total = (jint)ZIP64_ENDTOT(end64buf);
+ endpos = end64pos;
+ endhdrlen = ZIP64_ENDHDR;
+ }
+ }
+
if (cenlen > endpos)
ZIP_FORMAT_ERROR("invalid END header (bad central directory size)");
cenpos = endpos - cenlen;
/* Get position of first local file (LOC) header, taking into
* account that there may be a stub prefixed to the zip file. */
- zip->locpos = cenpos - ENDOFF(endbuf);
+ zip->locpos = cenpos - cenoff;
if (zip->locpos < 0)
ZIP_FORMAT_ERROR("invalid END header (bad central directory offset)");
@@ -527,7 +574,7 @@ readCEN(jzfile *zip, jint knownTotal)
out the page size in order to make offset to be multiples of
page size.
*/
- zip->mlen = cenpos - offset + cenlen + ENDHDR;
+ zip->mlen = cenpos - offset + cenlen + endhdrlen;
zip->offset = offset;
mappedAddr = mmap64(0, zip->mlen, PROT_READ, MAP_SHARED, zip->zfd, (off64_t) offset);
zip->maddr = (mappedAddr == (void*) MAP_FAILED) ? NULL :
@@ -551,8 +598,13 @@ readCEN(jzfile *zip, jint knownTotal)
* is a 2-byte field, but we (and other zip implementations)
* support approx. 2**31 entries, we do not trust ENDTOT, but
* treat it only as a strong hint. When we call ourselves
- * recursively, knownTotal will have the "true" value. */
- total = (knownTotal != -1) ? knownTotal : ENDTOT(endbuf);
+ * recursively, knownTotal will have the "true" value.
+ *
+ * Keep this path alive even with the Zip64 END support added, just
+ * for zip files that have more than 0xffff entries but don't have
+ * the Zip64 enabled.
+ */
+ total = (knownTotal != -1) ? knownTotal : total;
entries = zip->entries = calloc(total, sizeof(entries[0]));
tablelen = zip->tablelen = ((total/2) | 1); // Odd -> fewer collisions
table = zip->table = malloc(tablelen * sizeof(table[0]));
@@ -854,6 +906,7 @@ typedef enum { ACCESS_RANDOM, ACCESS_SEQUENTIAL } AccessHint;
static jzentry *
newEntry(jzfile *zip, jzcell *zc, AccessHint accessHint)
{
+ jlong locoff;
jint nlen, elen, clen;
jzentry *ze;
char *cen;
@@ -880,18 +933,55 @@ newEntry(jzfile *zip, jzcell *zc, AccessHint accessHint)
ze->size = CENLEN(cen);
ze->csize = (CENHOW(cen) == STORED) ? 0 : CENSIZ(cen);
ze->crc = CENCRC(cen);
- ze->pos = -(zip->locpos + CENOFF(cen));
+ locoff = CENOFF(cen);
+ ze->pos = -(zip->locpos + locoff);
if ((ze->name = malloc(nlen + 1)) == NULL) goto Catch;
memcpy(ze->name, cen + CENHDR, nlen);
ze->name[nlen] = '\0';
if (elen > 0) {
+ char *extra = cen + CENHDR + nlen;
+
/* This entry has "extra" data */
if ((ze->extra = malloc(elen + 2)) == NULL) goto Catch;
ze->extra[0] = (unsigned char) elen;
ze->extra[1] = (unsigned char) (elen >> 8);
- memcpy(ze->extra+2, cen + CENHDR + nlen, elen);
+ memcpy(ze->extra+2, extra, elen);
+ if (ze->csize == ZIP64_MAGICVAL || ze->size == ZIP64_MAGICVAL ||
+ locoff == ZIP64_MAGICVAL) {
+ jint off = 0;
+ while ((off + 4) < elen) { // spec: HeaderID+DataSize+Data
+ jint sz = SH(extra, off + 2);
+ if (SH(extra, off) == ZIP64_EXTID) {
+ off += 4;
+ if (ze->size == ZIP64_MAGICVAL) {
+ // if invalid zip64 extra fields, just skip
+ if (sz < 8 || (off + 8) > elen)
+ break;
+ ze->size = LL(extra, off);
+ sz -= 8;
+ off += 8;
+ }
+ if (ze->csize == ZIP64_MAGICVAL) {
+ if (sz < 8 || (off + 8) > elen)
+ break;
+ ze->csize = LL(extra, off);
+ sz -= 8;
+ off += 8;
+ }
+ if (locoff == ZIP64_MAGICVAL) {
+ if (sz < 8 || (off + 8) > elen)
+ break;
+ ze->pos = -(zip->locpos + LL(extra, off));
+ sz -= 8;
+ off += 8;
+ }
+ break;
+ }
+ off += (sz + 4);
+ }
+ }
}
if (clen > 0) {
diff --git a/jdk/src/share/native/java/util/zip/zip_util.h b/jdk/src/share/native/java/util/zip/zip_util.h
index 3814ad02d4f..7ad11715e5a 100644
--- a/jdk/src/share/native/java/util/zip/zip_util.h
+++ b/jdk/src/share/native/java/util/zip/zip_util.h
@@ -38,9 +38,13 @@
#define CENSIG 0x02014b50L /* "PK\001\002" */
#define ENDSIG 0x06054b50L /* "PK\005\006" */
+#define ZIP64_ENDSIG 0x06064b50L /* "PK\006\006" */
+#define ZIP64_LOCSIG 0x07064b50L /* "PK\006\007" */
+
/*
* Header sizes including signatures
*/
+
#ifdef USE_MMAP
#define SIGSIZ 4
#endif
@@ -49,12 +53,22 @@
#define CENHDR 46
#define ENDHDR 22
+#define ZIP64_ENDHDR 56 // ZIP64 end header size
+#define ZIP64_LOCHDR 20 // ZIP64 end loc header size
+#define ZIP64_EXTHDR 24 // EXT header size
+#define ZIP64_EXTID 1 // Extra field Zip64 header ID
+
+#define ZIP64_MAGICVAL 0xffffffffLL
+#define ZIP64_MAGICCOUNT 0xffff
+
+
/*
* Header field access macros
*/
#define CH(b, n) (((unsigned char *)(b))[n])
#define SH(b, n) (CH(b, n) | (CH(b, n+1) << 8))
-#define LG(b, n) (SH(b, n) | (SH(b, n+2) << 16))
+#define LG(b, n) ((SH(b, n) | (SH(b, n+2) << 16)) &0xffffffffUL)
+#define LL(b, n) (((jlong)LG(b, n)) | (((jlong)LG(b, n+4)) << 32))
#define GETSIG(b) LG(b, 0)
/*
@@ -105,6 +119,26 @@
#define ENDOFF(b) LG(b, 16) /* central directory offset */
#define ENDCOM(b) SH(b, 20) /* size of zip file comment */
+/*
+ * Macros for getting Zip64 end of central directory header fields
+ */
+#define ZIP64_ENDLEN(b) LL(b, 4) /* size of zip64 end of central dir */
+#define ZIP64_ENDVEM(b) SH(b, 12) /* version made by */
+#define ZIP64_ENDVER(b) SH(b, 14) /* version needed to extract */
+#define ZIP64_ENDNMD(b) LG(b, 16) /* number of this disk */
+#define ZIP64_ENDDSK(b) LG(b, 20) /* disk number of start */
+#define ZIP64_ENDTOD(b) LL(b, 24) /* total number of entries on this disk */
+#define ZIP64_ENDTOT(b) LL(b, 32) /* total number of entries */
+#define ZIP64_ENDSIZ(b) LL(b, 40) /* central directory size in bytes */
+#define ZIP64_ENDOFF(b) LL(b, 48) /* offset of first CEN header */
+
+/*
+ * Macros for getting Zip64 end of central directory locator fields
+ */
+#define ZIP64_LOCDSK(b) LG(b, 4) /* disk number start */
+#define ZIP64_LOCOFF(b) LL(b, 8) /* offset of zip64 end */
+#define ZIP64_LOCTOT(b) LG(b, 16) /* total number of disks */
+
/*
* Supported compression methods
*/
@@ -145,7 +179,7 @@ typedef struct jzentry { /* Zip file entry */
*/
typedef struct jzcell {
unsigned int hash; /* 32 bit hashcode on name */
- unsigned int cenpos; /* Offset of central directory file header */
+ jlong cenpos; /* Offset of central directory file header */
unsigned int next; /* hash chain: index into jzfile->entries */
} jzcell;
diff --git a/jdk/src/share/native/java/util/zip/zlib-1.1.3/zlib.h b/jdk/src/share/native/java/util/zip/zlib-1.1.3/zlib.h
index 9576715b2fa..00fdf06007d 100644
--- a/jdk/src/share/native/java/util/zip/zlib-1.1.3/zlib.h
+++ b/jdk/src/share/native/java/util/zip/zlib-1.1.3/zlib.h
@@ -106,11 +106,11 @@ struct internal_state;
typedef struct z_stream_s {
Bytef *next_in; /* next input byte */
uInt avail_in; /* number of bytes available at next_in */
- uLong total_in; /* total nb of input bytes read so far */
+ long long total_in; /* total nb of input bytes read so far */
Bytef *next_out; /* next output byte should be put there */
uInt avail_out; /* remaining free space at next_out */
- uLong total_out; /* total nb of bytes output so far */
+ long long total_out; /* total nb of bytes output so far */
char *msg; /* last error message, NULL if no error */
struct internal_state FAR *state; /* not visible by applications */
diff --git a/jdk/test/java/util/zip/LargeZip.java b/jdk/test/java/util/zip/LargeZip.java
new file mode 100644
index 00000000000..e49950261b6
--- /dev/null
+++ b/jdk/test/java/util/zip/LargeZip.java
@@ -0,0 +1,193 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Sun designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Sun in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+import java.io.*;
+import java.nio.*;
+import java.util.*;
+import java.util.zip.*;
+
+public class LargeZip {
+ // If true, don't delete large ZIP file created for test.
+ static final boolean debug = System.getProperty("debug") != null;
+
+ //static final int DATA_LEN = 1024 * 1024;
+ static final int DATA_LEN = 80 * 1024;
+ static final int DATA_SIZE = 8;
+
+ static long fileSize = 6L * 1024L * 1024L * 1024L; // 6GB
+
+ static boolean userFile = false;
+
+ static byte[] data;
+ static File largeFile;
+ static String lastEntryName;
+
+ /* args can be empty, in which case check a 3 GB file which is created for
+ * this test (and then deleted). Or it can be a number, in which case
+ * that designates the size of the file that's created for this test (and
+ * then deleted). Or it can be the name of a file to use for the test, in
+ * which case it is *not* deleted. Note that in this last case, the data
+ * comparison might fail.
+ */
+ static void realMain (String[] args) throws Throwable {
+ if (args.length > 0) {
+ try {
+ fileSize = Long.parseLong(args[0]);
+ System.out.println("Testing with file of size " + fileSize);
+ } catch (NumberFormatException ex) {
+ largeFile = new File(args[0]);
+ if (!largeFile.exists()) {
+ throw new Exception("Specified file " + args[0] + " does not exist");
+ }
+ userFile = true;
+ System.out.println("Testing with user-provided file " + largeFile);
+ }
+ }
+ File testDir = null;
+ if (largeFile == null) {
+ testDir = new File(System.getProperty("test.scratch", "."),
+ "LargeZip");
+ if (testDir.exists()) {
+ if (!testDir.delete()) {
+ throw new Exception("Cannot delete already-existing test directory");
+ }
+ }
+ check(!testDir.exists() && testDir.mkdirs());
+ largeFile = new File(testDir, "largezip.zip");
+ createLargeZip();
+ }
+
+ readLargeZip1();
+ readLargeZip2();
+
+ if (!userFile && !debug) {
+ check(largeFile.delete());
+ check(testDir.delete());
+ }
+ }
+
+ static void createLargeZip() throws Throwable {
+ int iterations = DATA_LEN / DATA_SIZE;
+ ByteBuffer bb = ByteBuffer.allocate(DATA_SIZE);
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ for (int i = 0; i < iterations; i++) {
+ bb.putDouble(0, Math.random());
+ baos.write(bb.array(), 0, DATA_SIZE);
+ }
+ data = baos.toByteArray();
+
+ ZipOutputStream zos = new ZipOutputStream(
+ new BufferedOutputStream(new FileOutputStream(largeFile)));
+ long length = 0;
+ while (length < fileSize) {
+ ZipEntry ze = new ZipEntry("entry-" + length);
+ lastEntryName = ze.getName();
+ zos.putNextEntry(ze);
+ zos.write(data, 0, data.length);
+ zos.closeEntry();
+ length = largeFile.length();
+ }
+ System.out.println("Last entry written is " + lastEntryName);
+ zos.close();
+ }
+
+ static void readLargeZip1() throws Throwable {
+ ZipFile zipFile = new ZipFile(largeFile);
+ ZipEntry entry = null;
+ String entryName = null;
+ int count = 0;
+ Enumeration extends ZipEntry> entries = zipFile.entries();
+ while (entries.hasMoreElements()) {
+ entry = entries.nextElement();
+ entryName = entry.getName();
+ count++;
+ }
+ System.out.println("Number of entries read: " + count);
+ System.out.println("Last entry read is " + entryName);
+ check(!entry.isDirectory());
+ if (check(entryName.equals(lastEntryName))) {
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+ InputStream is = zipFile.getInputStream(entry);
+ byte buf[] = new byte[4096];
+ int len;
+ while ((len = is.read(buf)) >= 0) {
+ baos.write(buf, 0, len);
+ }
+ baos.close();
+ is.close();
+ check(Arrays.equals(data, baos.toByteArray()));
+ }
+ }
+
+
+ static void readLargeZip2() throws Throwable {
+ ZipInputStream zis = new ZipInputStream(
+ new BufferedInputStream(new FileInputStream(largeFile)));
+ ZipEntry entry = null;
+ String entryName = null;
+ int count = 0;
+ while ((entry = zis.getNextEntry()) != null) {
+ entryName = entry.getName();
+ if (entryName.equals(lastEntryName)) {
+ break;
+ }
+ count++;
+ }
+ System.out.println("Number of entries read: " + count);
+ System.out.println("Last entry read is " + entryName);
+ check(!entry.isDirectory());
+
+ ByteArrayOutputStream baos = new ByteArrayOutputStream();
+
+ byte buf[] = new byte[4096];
+ int len;
+ while ((len = zis.read(buf)) >= 0) {
+ baos.write(buf, 0, len);
+ }
+ baos.close();
+ check(Arrays.equals(data, baos.toByteArray()));
+ check(zis.getNextEntry() == null);
+ zis.close();
+ }
+
+
+ //--------------------- Infrastructure ---------------------------
+ static volatile int passed = 0, failed = 0;
+ static void pass() {passed++;}
+ static void pass(String msg) {System.out.println(msg); passed++;}
+ static void fail() {failed++; Thread.dumpStack();}
+ static void fail(String msg) {System.out.println(msg); fail();}
+ static void unexpected(Throwable t) {failed++; t.printStackTrace();}
+ static void unexpected(Throwable t, String msg) {
+ System.out.println(msg); failed++; t.printStackTrace();}
+ static boolean check(boolean cond) {if (cond) pass(); else fail(); return cond;}
+ static void equal(Object x, Object y) {
+ if (x == null ? y == null : x.equals(y)) pass();
+ else fail(x + " not equal to " + y);}
+ public static void main(String[] args) throws Throwable {
+ try {realMain(args);} catch (Throwable t) {unexpected(t);}
+ System.out.println("\nPassed = " + passed + " failed = " + failed);
+ if (failed > 0) throw new AssertionError("Some tests failed");}
+}
diff --git a/jdk/test/java/util/zip/ZipFile/LargeZipFile.java b/jdk/test/java/util/zip/ZipFile/LargeZipFile.java
index 479bac48bef..d228a5f93e3 100644
--- a/jdk/test/java/util/zip/ZipFile/LargeZipFile.java
+++ b/jdk/test/java/util/zip/ZipFile/LargeZipFile.java
@@ -158,4 +158,3 @@ public class LargeZipFile {
System.out.println("\nPassed = " + passed + " failed = " + failed);
if (failed > 0) throw new AssertionError("Some tests failed");}
}
-
From b01525e89b428c9ef8e6712bc0cf2637f3b31172 Mon Sep 17 00:00:00 2001
From: Weijun Wang
Date: Fri, 3 Apr 2009 11:36:19 +0800
Subject: [PATCH 14/14] 6825352: support self-issued certificate in keytool
Reviewed-by: xuelei
---
.../classes/sun/security/tools/KeyTool.java | 41 +++++------
.../sun/security/tools/keytool/selfissued.sh | 69 +++++++++++++++++++
2 files changed, 88 insertions(+), 22 deletions(-)
create mode 100644 jdk/test/sun/security/tools/keytool/selfissued.sh
diff --git a/jdk/src/share/classes/sun/security/tools/KeyTool.java b/jdk/src/share/classes/sun/security/tools/KeyTool.java
index 1ce3ab21a02..9b4b16fa11d 100644
--- a/jdk/src/share/classes/sun/security/tools/KeyTool.java
+++ b/jdk/src/share/classes/sun/security/tools/KeyTool.java
@@ -2545,7 +2545,19 @@ public final class KeyTool {
* Returns true if the certificate is self-signed, false otherwise.
*/
private boolean isSelfSigned(X509Certificate cert) {
- return cert.getSubjectDN().equals(cert.getIssuerDN());
+ return signedBy(cert, cert);
+ }
+
+ private boolean signedBy(X509Certificate end, X509Certificate ca) {
+ if (!ca.getSubjectDN().equals(end.getIssuerDN())) {
+ return false;
+ }
+ try {
+ end.verify(ca.getPublicKey());
+ return true;
+ } catch (Exception e) {
+ return false;
+ }
}
/**
@@ -2869,20 +2881,18 @@ public final class KeyTool {
Certificate tmpCert = replyCerts[0];
replyCerts[0] = replyCerts[i];
replyCerts[i] = tmpCert;
- Principal issuer = ((X509Certificate)replyCerts[0]).getIssuerDN();
+
+ X509Certificate thisCert = (X509Certificate)replyCerts[0];
for (i=1; i < replyCerts.length-1; i++) {
- // find a cert in the reply whose "subject" is the same as the
- // given "issuer"
+ // find a cert in the reply who signs thisCert
int j;
for (j=i; j chain,
Hashtable> certs) {
- Principal subject = certToVerify.getSubjectDN();
Principal issuer = certToVerify.getIssuerDN();
- if (subject.equals(issuer)) {
+ if (isSelfSigned(certToVerify)) {
// reached self-signed root cert;
// no verification needed because it's trusted.
chain.addElement(certToVerify);
diff --git a/jdk/test/sun/security/tools/keytool/selfissued.sh b/jdk/test/sun/security/tools/keytool/selfissued.sh
new file mode 100644
index 00000000000..e6e06c040b3
--- /dev/null
+++ b/jdk/test/sun/security/tools/keytool/selfissued.sh
@@ -0,0 +1,69 @@
+#
+# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+# @test
+# @bug 6825352
+# @summary support self-issued certificate in keytool
+#
+# @run shell selfissued.sh
+#
+
+if [ "${TESTJAVA}" = "" ] ; then
+ JAVAC_CMD=`which javac`
+ TESTJAVA=`dirname $JAVAC_CMD`/..
+fi
+
+# set platform-dependent variables
+OS=`uname -s`
+case "$OS" in
+ Windows_* )
+ FS="\\"
+ ;;
+ * )
+ FS="/"
+ ;;
+esac
+
+KS=selfsigned.jks
+KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit -keystore $KS"
+
+rm $KS
+
+$KT -alias ca -dname CN=CA -genkeypair
+$KT -alias me -dname CN=CA -genkeypair
+$KT -alias e1 -dname CN=E1 -genkeypair
+$KT -alias e2 -dname CN=E2 -genkeypair
+
+# me signed by ca, self-issued
+$KT -alias me -certreq | $KT -alias ca -gencert | $KT -alias me -importcert
+
+# Import e1 signed by me, should add me and ca
+$KT -alias e1 -certreq | $KT -alias me -gencert | $KT -alias e1 -importcert
+$KT -alias e1 -list -v | grep '\[3\]' || { echo Bad E1; exit 1; }
+
+# Import (e2 signed by me,ca,me), should reorder to (e2,me,ca)
+( $KT -alias e2 -certreq | $KT -alias me -gencert; $KT -exportcert -alias ca; $KT -exportcert -alias me ) | $KT -alias e2 -importcert
+$KT -alias e2 -list -v | grep '\[3\]' || { echo Bad E2; exit 1; }
+
+echo Good
+