changeset 3932:3a22998bc3c7

Merge
author dholmes
date Wed, 16 Mar 2011 05:29:27 -0400
parents d7034302bc24 e3efbb250c0c
children 05911dc54a67
files
diffstat 6 files changed, 121 insertions(+), 36 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/java/lang/ClassLoader.java	Tue Mar 15 20:00:45 2011 -0400
+++ b/src/share/classes/java/lang/ClassLoader.java	Wed Mar 16 05:29:27 2011 -0400
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1994, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1994, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -1626,20 +1626,28 @@
      * @since  1.2
      */
     protected Package getPackage(String name) {
+        Package pkg;
         synchronized (packages) {
-            Package pkg = packages.get(name);
-            if (pkg == null) {
-                if (parent != null) {
-                    pkg = parent.getPackage(name);
-                } else {
-                    pkg = Package.getSystemPackage(name);
-                }
-                if (pkg != null) {
-                    packages.put(name, pkg);
+            pkg = packages.get(name);
+        }
+        if (pkg == null) {
+            if (parent != null) {
+                pkg = parent.getPackage(name);
+            } else {
+                pkg = Package.getSystemPackage(name);
+            }
+            if (pkg != null) {
+                synchronized (packages) {
+                    Package pkg2 = packages.get(name);
+                    if (pkg2 == null) {
+                        packages.put(name, pkg);
+                    } else {
+                        pkg = pkg2;
+                    }
                 }
             }
-            return pkg;
         }
+        return pkg;
     }
 
     /**
--- a/src/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java	Tue Mar 15 20:00:45 2011 -0400
+++ b/src/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java	Wed Mar 16 05:29:27 2011 -0400
@@ -46,10 +46,16 @@
  */
 class AdaptableX509CertSelector extends X509CertSelector {
     // The start date of a validity period.
-    private Date startDate = null;
+    private Date startDate;
 
     // The end date of a validity period.
-    private Date endDate = null;
+    private Date endDate;
+
+    // Is subject key identifier sensitive?
+    private boolean isSKIDSensitive = false;
+
+    // Is serial number sensitive?
+    private boolean isSNSensitive = false;
 
     AdaptableX509CertSelector() {
         super();
@@ -97,15 +103,24 @@
         if (akidext != null) {
             KeyIdentifier akid = (KeyIdentifier)akidext.get(akidext.KEY_ID);
             if (akid != null) {
-                DerOutputStream derout = new DerOutputStream();
-                derout.putOctetString(akid.getIdentifier());
-                super.setSubjectKeyIdentifier(derout.toByteArray());
+                // Do not override the previous setting
+                if (getSubjectKeyIdentifier() == null) {
+                    DerOutputStream derout = new DerOutputStream();
+                    derout.putOctetString(akid.getIdentifier());
+                    super.setSubjectKeyIdentifier(derout.toByteArray());
+
+                    isSKIDSensitive = true;
+                }
             }
 
             SerialNumber asn =
                 (SerialNumber)akidext.get(akidext.SERIAL_NUMBER);
             if (asn != null) {
-                super.setSerialNumber(asn.getNumber());
+                // Do not override the previous setting
+                if (getSerialNumber() == null) {
+                    super.setSerialNumber(asn.getNumber());
+                    isSNSensitive = true;
+                }
             }
 
             // the subject criterion should be set by the caller.
@@ -148,11 +163,25 @@
             }
         }
 
-        if (version < 3 || xcert.getExtensionValue("2.5.29.14") == null) {
-            // If no SubjectKeyIdentifier extension, don't bother to check it.
+        // If no SubjectKeyIdentifier extension, don't bother to check it.
+        if (isSKIDSensitive &&
+            (version < 3 || xcert.getExtensionValue("2.5.29.14") == null)) {
             setSubjectKeyIdentifier(null);
         }
 
+        // In practice, a CA may replace its root certificate and require that
+        // the existing certificate is still valid, even if the AKID extension
+        // does not match the replacement root certificate fields.
+        //
+        // Conservatively, we only support the replacement for version 1 and
+        // version 2 certificate. As for version 2, the certificate extension
+        // may contain sensitive information (for example, policies), the
+        // AKID need to be respected to seek the exact certificate in case
+        // of key or certificate abuse.
+        if (isSNSensitive && version < 3) {
+            setSerialNumber(null);
+        }
+
         return super.match(cert);
     }
 
--- a/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java	Tue Mar 15 20:00:45 2011 -0400
+++ b/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java	Wed Mar 16 05:29:27 2011 -0400
@@ -243,12 +243,6 @@
                     caTargetSelector.setPolicy(getMatchingPolicies());
             }
 
-            /*
-             * Require CA certs with a pathLenConstraint that allows
-             * at least as many CA certs that have already been traversed
-             */
-            caTargetSelector.setBasicConstraints(currentState.traversedCACerts);
-
             sel = caTargetSelector;
         } else {
 
@@ -283,12 +277,6 @@
                 (caSelector, currentState.subjectNamesTraversed);
 
             /*
-             * Require CA certs with a pathLenConstraint that allows
-             * at least as many CA certs that have already been traversed
-             */
-            caSelector.setBasicConstraints(currentState.traversedCACerts);
-
-            /*
              * Facilitate certification path construction with authority
              * key identifier and subject key identifier.
              */
@@ -305,6 +293,14 @@
             sel = caSelector;
         }
 
+        /*
+         * For compatibility, conservatively, we don't check the path
+         * length constraint of trusted anchors.  Please don't set the
+         * basic constraints criterion unless the trusted certificate
+         * matching is completed.
+         */
+        sel.setBasicConstraints(-1);
+
         for (X509Certificate trustedCert : trustedCerts) {
             if (sel.match(trustedCert)) {
                 if (debug != null) {
@@ -324,6 +320,12 @@
         sel.setCertificateValid(date);
 
         /*
+         * Require CA certs with a pathLenConstraint that allows
+         * at least as many CA certs that have already been traversed
+         */
+        sel.setBasicConstraints(currentState.traversedCACerts);
+
+        /*
          * If we have already traversed as many CA certs as the maxPathLength
          * will allow us to, then we don't bother looking through these
          * certificate pairs. If maxPathLength has a value of -1, this
--- a/src/share/classes/sun/security/ssl/ClientHandshaker.java	Tue Mar 15 20:00:45 2011 -0400
+++ b/src/share/classes/sun/security/ssl/ClientHandshaker.java	Wed Mar 16 05:29:27 2011 -0400
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -378,7 +378,8 @@
         if (!isNegotiable(mesgVersion)) {
             throw new SSLHandshakeException(
                 "Server chose " + mesgVersion +
-                ", but client does not support or disables " + mesgVersion);
+                ", but that protocol version is not enabled or not supported " +
+                "by the client.");
         }
 
         handshakeHash.protocolDetermined(mesgVersion);
--- a/src/share/classes/sun/security/ssl/SunJSSE.java	Tue Mar 15 20:00:45 2011 -0400
+++ b/src/share/classes/sun/security/ssl/SunJSSE.java	Wed Mar 16 05:29:27 2011 -0400
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -195,6 +195,8 @@
             "sun.security.ssl.KeyManagerFactoryImpl$SunX509");
         put("KeyManagerFactory.NewSunX509",
             "sun.security.ssl.KeyManagerFactoryImpl$X509");
+        put("Alg.Alias.KeyManagerFactory.PKIX", "NewSunX509");
+
         put("TrustManagerFactory.SunX509",
             "sun.security.ssl.TrustManagerFactoryImpl$SimpleFactory");
         put("TrustManagerFactory.PKIX",
--- a/test/sun/security/ssl/javax/net/ssl/GetInstance.java	Tue Mar 15 20:00:45 2011 -0400
+++ b/test/sun/security/ssl/javax/net/ssl/GetInstance.java	Wed Mar 16 05:29:27 2011 -0400
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,8 +23,9 @@
 
 /*
  * @test
- * @bug 4898428
+ * @bug 4898428 7022855
  * @summary verify getInstance() works using Provider.getService()
+ *          Export "PKIX" as the standard algorithm name of KeyManagerFactory
  * @author Andreas Sterbenz
  */
 
@@ -61,6 +62,20 @@
         kmf = KeyManagerFactory.getInstance("SunX509", p);
         same(p, kmf.getProvider());
 
+        kmf = KeyManagerFactory.getInstance("NewSunX509");
+        same(p, kmf.getProvider());
+        kmf = KeyManagerFactory.getInstance("NewSunX509", "SunJSSE");
+        same(p, kmf.getProvider());
+        kmf = KeyManagerFactory.getInstance("NewSunX509", p);
+        same(p, kmf.getProvider());
+
+        kmf = KeyManagerFactory.getInstance("PKIX");
+        same(p, kmf.getProvider());
+        kmf = KeyManagerFactory.getInstance("PKIX", "SunJSSE");
+        same(p, kmf.getProvider());
+        kmf = KeyManagerFactory.getInstance("PKIX", p);
+        same(p, kmf.getProvider());
+
         TrustManagerFactory tmf;
         tmf = TrustManagerFactory.getInstance("SunX509");
         same(p, tmf.getProvider());
@@ -69,6 +84,34 @@
         tmf = TrustManagerFactory.getInstance("SunX509", p);
         same(p, tmf.getProvider());
 
+        tmf = TrustManagerFactory.getInstance("PKIX");
+        same(p, tmf.getProvider());
+        tmf = TrustManagerFactory.getInstance("PKIX", "SunJSSE");
+        same(p, tmf.getProvider());
+        tmf = TrustManagerFactory.getInstance("PKIX", p);
+        same(p, tmf.getProvider());
+
+        tmf = TrustManagerFactory.getInstance("SunPKIX");
+        same(p, tmf.getProvider());
+        tmf = TrustManagerFactory.getInstance("SunPKIX", "SunJSSE");
+        same(p, tmf.getProvider());
+        tmf = TrustManagerFactory.getInstance("SunPKIX", p);
+        same(p, tmf.getProvider());
+
+        tmf = TrustManagerFactory.getInstance("X509");
+        same(p, tmf.getProvider());
+        tmf = TrustManagerFactory.getInstance("X509", "SunJSSE");
+        same(p, tmf.getProvider());
+        tmf = TrustManagerFactory.getInstance("X509", p);
+        same(p, tmf.getProvider());
+
+        tmf = TrustManagerFactory.getInstance("X.509");
+        same(p, tmf.getProvider());
+        tmf = TrustManagerFactory.getInstance("X.509", "SunJSSE");
+        same(p, tmf.getProvider());
+        tmf = TrustManagerFactory.getInstance("X.509", p);
+        same(p, tmf.getProvider());
+
         testComSun();
 
         long stop = System.currentTimeMillis();