changeset 13522:900e4921e59d

8129988: JSSE should create a single instance of the cacerts KeyStore Summary: Add a TrustStoreManager to manage trusted certs. Reviewed-by: mullan
author xuelei
date Wed, 24 Apr 2019 14:48:52 +0000
parents ece1d281763e
children f2be071af129
files src/share/classes/sun/security/ssl/SSLContextImpl.java src/share/classes/sun/security/ssl/TrustManagerFactoryImpl.java src/share/classes/sun/security/ssl/X509TrustManagerImpl.java src/share/classes/sun/security/validator/Validator.java test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/BadTSProvider.java test/sun/security/validator/EndEntityExtensionCheck.java
diffstat 6 files changed, 83 insertions(+), 166 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/security/ssl/SSLContextImpl.java	Tue Apr 16 17:37:16 2019 +0000
+++ b/src/share/classes/sun/security/ssl/SSLContextImpl.java	Wed Apr 24 14:48:52 2019 +0000
@@ -873,12 +873,20 @@
         }
 
         private static TrustManager[] getTrustManagers() throws Exception {
-            KeyStore ks =
-                TrustManagerFactoryImpl.getCacertsKeyStore("defaultctx");
+            TrustManagerFactory tmf = TrustManagerFactory.getInstance(
+                    TrustManagerFactory.getDefaultAlgorithm());
+            if ("SunJSSE".equals(tmf.getProvider().getName())) {
+                // The implementation will load the default KeyStore
+                // automatically.  Cached trust materials may be used
+                // for performance improvement.
+                tmf.init((KeyStore)null);
+            } else {
+                // Use the explicitly specified KeyStore for third party's
+                // TrustManagerFactory implementation.
+                KeyStore ks = TrustStoreManager.getTrustedKeyStore();
+                tmf.init(ks);
+            }
 
-            TrustManagerFactory tmf = TrustManagerFactory.getInstance(
-                TrustManagerFactory.getDefaultAlgorithm());
-            tmf.init(ks);
             return tmf.getTrustManagers();
         }
 
--- a/src/share/classes/sun/security/ssl/TrustManagerFactoryImpl.java	Tue Apr 16 17:37:16 2019 +0000
+++ b/src/share/classes/sun/security/ssl/TrustManagerFactoryImpl.java	Wed Apr 24 14:48:52 2019 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1999, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -32,6 +32,7 @@
 import javax.net.ssl.*;
 
 import sun.security.validator.Validator;
+import sun.security.validator.TrustStoreUtil;
 
 abstract class TrustManagerFactoryImpl extends TrustManagerFactorySpi {
 
@@ -47,7 +48,7 @@
     protected void engineInit(KeyStore ks) throws KeyStoreException {
         if (ks == null) {
             try {
-                ks = getCacertsKeyStore("trustmanager");
+                trustManager = getInstance(TrustStoreManager.getTrustedCerts());
             } catch (SecurityException se) {
                 // eat security exceptions but report other throwables
                 if (debug != null && Debug.isOn("trustmanager")) {
@@ -72,14 +73,17 @@
                         "SunX509: skip default keystore: " + e);
                 }
                 throw new KeyStoreException(
-                    "problem accessing trust store" + e);
+                    "problem accessing trust store", e);
             }
+        } else {
+            trustManager = getInstance(TrustStoreUtil.getTrustedCerts(ks));
         }
-        trustManager = getInstance(ks);
+
         isInitialized = true;
     }
 
-    abstract X509TrustManager getInstance(KeyStore ks) throws KeyStoreException;
+    abstract X509TrustManager getInstance(
+            Collection<X509Certificate> trustedCerts);
 
     abstract X509TrustManager getInstance(ManagerFactoryParameters spec)
             throws InvalidAlgorithmParameterException;
@@ -126,126 +130,14 @@
                 });
     }
 
-    /**
-     * Returns the keystore with the configured CA certificates.
-     */
-    static KeyStore getCacertsKeyStore(String dbgname) throws Exception
-    {
-        String storeFileName = null;
-        File storeFile = null;
-        FileInputStream fis = null;
-        String defaultTrustStoreType;
-        String defaultTrustStoreProvider;
-        final HashMap<String,String> props = new HashMap<>();
-        final String sep = File.separator;
-        KeyStore ks = null;
-
-        AccessController.doPrivileged(new PrivilegedExceptionAction<Void>() {
-            @Override
-            public Void run() throws Exception {
-                props.put("trustStore", System.getProperty(
-                                "javax.net.ssl.trustStore"));
-                props.put("javaHome", System.getProperty(
-                                        "java.home"));
-                props.put("trustStoreType", System.getProperty(
-                                "javax.net.ssl.trustStoreType",
-                                KeyStore.getDefaultType()));
-                props.put("trustStoreProvider", System.getProperty(
-                                "javax.net.ssl.trustStoreProvider", ""));
-                props.put("trustStorePasswd", System.getProperty(
-                                "javax.net.ssl.trustStorePassword", ""));
-                return null;
-            }
-        });
-
-        /*
-         * Try:
-         *      javax.net.ssl.trustStore  (if this variable exists, stop)
-         *      jssecacerts
-         *      cacerts
-         *
-         * If none exists, we use an empty keystore.
-         */
-
-        try {
-            storeFileName = props.get("trustStore");
-            if (!"NONE".equals(storeFileName)) {
-                if (storeFileName != null) {
-                    storeFile = new File(storeFileName);
-                    fis = getFileInputStream(storeFile);
-                } else {
-                    String javaHome = props.get("javaHome");
-                    storeFile = new File(javaHome + sep + "lib" + sep
-                                                    + "security" + sep +
-                                                    "jssecacerts");
-                    if ((fis = getFileInputStream(storeFile)) == null) {
-                        storeFile = new File(javaHome + sep + "lib" + sep
-                                                    + "security" + sep +
-                                                    "cacerts");
-                        fis = getFileInputStream(storeFile);
-                    }
-                }
-
-                if (fis != null) {
-                    storeFileName = storeFile.getPath();
-                } else {
-                    storeFileName = "No File Available, using empty keystore.";
-                }
-            }
-
-            defaultTrustStoreType = props.get("trustStoreType");
-            defaultTrustStoreProvider = props.get("trustStoreProvider");
-            if (debug != null && Debug.isOn(dbgname)) {
-                System.out.println("trustStore is: " + storeFileName);
-                System.out.println("trustStore type is : " +
-                                    defaultTrustStoreType);
-                System.out.println("trustStore provider is : " +
-                                    defaultTrustStoreProvider);
-            }
-
-            /*
-             * Try to initialize trust store.
-             */
-            if (defaultTrustStoreType.length() != 0) {
-                if (debug != null && Debug.isOn(dbgname)) {
-                    System.out.println("init truststore");
-                }
-                if (defaultTrustStoreProvider.length() == 0) {
-                    ks = KeyStore.getInstance(defaultTrustStoreType);
-                } else {
-                    ks = KeyStore.getInstance(defaultTrustStoreType,
-                                            defaultTrustStoreProvider);
-                }
-                char[] passwd = null;
-                String defaultTrustStorePassword =
-                        props.get("trustStorePasswd");
-                if (defaultTrustStorePassword.length() != 0)
-                    passwd = defaultTrustStorePassword.toCharArray();
-
-                // if trustStore is NONE, fis will be null
-                ks.load(fis, passwd);
-
-                // Zero out the temporary password storage
-                if (passwd != null) {
-                    for (int i = 0; i < passwd.length; i++) {
-                        passwd[i] = (char)0;
-                    }
-                }
-            }
-        } finally {
-            if (fis != null) {
-                fis.close();
-            }
+    public static final class SimpleFactory extends TrustManagerFactoryImpl {
+        @Override
+        X509TrustManager getInstance(
+                Collection<X509Certificate> trustedCerts) {
+            return new X509TrustManagerImpl(
+                    Validator.TYPE_SIMPLE, trustedCerts);
         }
 
-        return ks;
-    }
-
-    public static final class SimpleFactory extends TrustManagerFactoryImpl {
-        @Override
-        X509TrustManager getInstance(KeyStore ks) throws KeyStoreException {
-            return new X509TrustManagerImpl(Validator.TYPE_SIMPLE, ks);
-        }
         @Override
         X509TrustManager getInstance(ManagerFactoryParameters spec)
                 throws InvalidAlgorithmParameterException {
@@ -253,13 +145,15 @@
                 ("SunX509 TrustManagerFactory does not use "
                 + "ManagerFactoryParameters");
         }
-   }
+    }
 
     public static final class PKIXFactory extends TrustManagerFactoryImpl {
         @Override
-        X509TrustManager getInstance(KeyStore ks) throws KeyStoreException {
-            return new X509TrustManagerImpl(Validator.TYPE_PKIX, ks);
+        X509TrustManager getInstance(
+                Collection<X509Certificate> trustedCerts) {
+            return new X509TrustManagerImpl(Validator.TYPE_PKIX, trustedCerts);
         }
+
         @Override
         X509TrustManager getInstance(ManagerFactoryParameters spec)
                 throws InvalidAlgorithmParameterException {
--- a/src/share/classes/sun/security/ssl/X509TrustManagerImpl.java	Tue Apr 16 17:37:16 2019 +0000
+++ b/src/share/classes/sun/security/ssl/X509TrustManagerImpl.java	Wed Apr 24 14:48:52 2019 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -68,16 +68,21 @@
 
     private static final Debug debug = Debug.getInstance("ssl");
 
-    X509TrustManagerImpl(String validatorType, KeyStore ks)
-            throws KeyStoreException {
+    X509TrustManagerImpl(String validatorType,
+            Collection<X509Certificate> trustedCerts) {
+
         this.validatorType = validatorType;
         this.pkixParams = null;
-        if (ks == null) {
+
+        if (trustedCerts == null) {
             trustedCerts = Collections.<X509Certificate>emptySet();
-        } else {
-            trustedCerts = KeyStores.getTrustedCerts(ks);
         }
-        showTrustedCerts();
+
+        this.trustedCerts = trustedCerts;
+
+        if (debug != null && Debug.isOn("trustmanager")) {
+            showTrustedCerts();
+        }
     }
 
     X509TrustManagerImpl(String validatorType, PKIXBuilderParameters params) {
@@ -90,7 +95,10 @@
         Validator v = getValidator(Validator.VAR_TLS_SERVER);
         trustedCerts = v.getTrustedCertificates();
         serverValidator = v;
-        showTrustedCerts();
+
+        if (debug != null && Debug.isOn("trustmanager")) {
+            showTrustedCerts();
+        }
     }
 
     @Override
@@ -287,22 +295,20 @@
     }
 
     private void showTrustedCerts() {
-        if (debug != null && Debug.isOn("trustmanager")) {
-            for (X509Certificate cert : trustedCerts) {
-                System.out.println("adding as trusted cert:");
-                System.out.println("  Subject: "
-                                        + cert.getSubjectX500Principal());
-                System.out.println("  Issuer:  "
-                                        + cert.getIssuerX500Principal());
-                System.out.println("  Algorithm: "
-                                        + cert.getPublicKey().getAlgorithm()
-                                        + "; Serial number: 0x"
-                                        + cert.getSerialNumber().toString(16));
-                System.out.println("  Valid from "
-                                        + cert.getNotBefore() + " until "
-                                        + cert.getNotAfter());
-                System.out.println();
-            }
+        for (X509Certificate cert : trustedCerts) {
+            System.out.println("adding as trusted cert:");
+            System.out.println("  Subject: "
+                                    + cert.getSubjectX500Principal());
+            System.out.println("  Issuer:  "
+                                    + cert.getIssuerX500Principal());
+            System.out.println("  Algorithm: "
+                                    + cert.getPublicKey().getAlgorithm()
+                                    + "; Serial number: 0x"
+                                    + cert.getSerialNumber().toString(16));
+            System.out.println("  Valid from "
+                                    + cert.getNotBefore() + " until "
+                                    + cert.getNotAfter());
+            System.out.println();
         }
     }
 
--- a/src/share/classes/sun/security/validator/Validator.java	Tue Apr 16 17:37:16 2019 +0000
+++ b/src/share/classes/sun/security/validator/Validator.java	Wed Apr 24 14:48:52 2019 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -166,7 +166,7 @@
      */
     public static Validator getInstance(String type, String variant,
             KeyStore ks) {
-        return getInstance(type, variant, KeyStores.getTrustedCerts(ks));
+        return getInstance(type, variant, TrustStoreUtil.getTrustedCerts(ks));
     }
 
     /**
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/BadTSProvider.java	Tue Apr 16 17:37:16 2019 +0000
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/SSLContextImpl/BadTSProvider.java	Wed Apr 24 14:48:52 2019 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -21,18 +21,21 @@
  * questions.
  */
 
+//
+// SunJSSE does not support dynamic system properties, no way to re-use
+// system properties in samevm/agentvm mode.
+//
+
 /*
  * @test
  * @bug 4919147
  * @summary Support for token-based KeyStores
  * @run main/othervm BadTSProvider
- *
- *     SunJSSE does not support dynamic system properties, no way to re-use
- *     system properties in samevm/agentvm mode.
  */
 
 import java.io.*;
 import java.net.*;
+import java.security.*;
 import javax.net.ssl.*;
 
 public class BadTSProvider {
@@ -179,13 +182,19 @@
             // XXX this test must be updated if the exception message changes
 
             Throwable cause = se.getCause();
-            if (cause instanceof java.security.NoSuchAlgorithmException == false) {
+            if (!(cause instanceof NoSuchAlgorithmException)) {
                 se.printStackTrace();
                 throw new Exception("Unexpected exception" + se);
             }
 
             cause = cause.getCause();
-            if (cause instanceof java.security.NoSuchProviderException == false) {
+            if (!(cause instanceof KeyStoreException)) {
+                se.printStackTrace();
+                throw new Exception("Unexpected exception" + se);
+            }
+
+            cause = cause.getCause();
+            if (!(cause instanceof NoSuchProviderException)) {
                 se.printStackTrace();
                 throw new Exception("Unexpected exception" + se);
             }
--- a/test/sun/security/validator/EndEntityExtensionCheck.java	Tue Apr 16 17:37:16 2019 +0000
+++ b/test/sun/security/validator/EndEntityExtensionCheck.java	Wed Apr 24 14:48:52 2019 +0000
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -44,7 +44,7 @@
 import java.util.Date;
 import java.util.HashSet;
 import java.util.Set;
-import sun.security.validator.KeyStores;
+import sun.security.validator.TrustStoreUtil;
 import sun.security.validator.Validator;
 
 
@@ -112,7 +112,7 @@
 
         Validator v = Validator.getInstance(Validator.TYPE_SIMPLE,
                                             Validator.VAR_TLS_CLIENT,
-                                            KeyStores.getTrustedCerts(ks));
+                                            TrustStoreUtil.getTrustedCerts(ks));
         try {
             v.validate(chain);
             throw new Exception("Chain should not have validated " +