changeset 2061:ee6abb3199cc

Merge
author asaha
date Wed, 28 Oct 2009 15:47:55 -0700
parents 83817bb507c0 67e53f0f4a4d
children 10fb43d2c0ce
files
diffstat 9 files changed, 265 insertions(+), 8 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/security/krb5/EncryptionKey.java	Tue Oct 27 12:33:34 2009 -0700
+++ b/src/share/classes/sun/security/krb5/EncryptionKey.java	Wed Oct 28 15:47:55 2009 -0700
@@ -1,5 +1,5 @@
 /*
- * Portions Copyright 2000-2007 Sun Microsystems, Inc.  All Rights Reserved.
+ * Portions Copyright 2000-2009 Sun Microsystems, Inc.  All Rights Reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -503,7 +503,19 @@
                              + '\n'));
     }
 
+    /**
+     * Find a key with given etype
+     */
     public static EncryptionKey findKey(int etype, EncryptionKey[] keys)
+            throws KrbException {
+        return findKey(etype, null, keys);
+    }
+
+    /**
+     * Find a key with given etype and kvno
+     * @param kvno if null, return any (first?) key
+     */
+    public static EncryptionKey findKey(int etype, Integer kvno, EncryptionKey[] keys)
         throws KrbException {
 
         // check if encryption type is supported
@@ -516,7 +528,8 @@
         for (int i = 0; i < keys.length; i++) {
             ktype = keys[i].getEType();
             if (EType.isSupported(ktype)) {
-                if (etype == ktype) {
+                Integer kv = keys[i].getKeyVersionNumber();
+                if (etype == ktype && (kvno == null || kvno.equals(kv))) {
                     return keys[i];
                 }
             }
@@ -528,8 +541,11 @@
             for (int i = 0; i < keys.length; i++) {
                 ktype = keys[i].getEType();
                 if (ktype == EncryptedData.ETYPE_DES_CBC_CRC ||
-                    ktype == EncryptedData.ETYPE_DES_CBC_MD5) {
-                    return new EncryptionKey(etype, keys[i].getBytes());
+                        ktype == EncryptedData.ETYPE_DES_CBC_MD5) {
+                    Integer kv = keys[i].getKeyVersionNumber();
+                    if (kvno == null || kvno.equals(kv)) {
+                        return new EncryptionKey(etype, keys[i].getBytes());
+                    }
                 }
             }
         }
--- a/src/share/classes/sun/security/krb5/KrbApReq.java	Tue Oct 27 12:33:34 2009 -0700
+++ b/src/share/classes/sun/security/krb5/KrbApReq.java	Wed Oct 28 15:47:55 2009 -0700
@@ -268,7 +268,8 @@
     private void authenticate(EncryptionKey[] keys, InetAddress initiator)
         throws KrbException, IOException {
         int encPartKeyType = apReqMessg.ticket.encPart.getEType();
-        EncryptionKey dkey = EncryptionKey.findKey(encPartKeyType, keys);
+        Integer kvno = apReqMessg.ticket.encPart.getKeyVersionNumber();
+        EncryptionKey dkey = EncryptionKey.findKey(encPartKeyType, kvno, keys);
 
         if (dkey == null) {
             throw new KrbException(Krb5.API_INVALID_ARG,
--- a/src/share/classes/sun/security/krb5/internal/ktab/KeyTab.java	Tue Oct 27 12:33:34 2009 -0700
+++ b/src/share/classes/sun/security/krb5/internal/ktab/KeyTab.java	Wed Oct 28 15:47:55 2009 -0700
@@ -395,6 +395,28 @@
         }
     }
 
+    /**
+     * Only used by KDC test. This method can specify kvno and does not
+     * remove any old keys.
+     */
+    public void addEntry(PrincipalName service, char[] psswd, int kvno)
+         throws KrbException {
+
+        EncryptionKey[] encKeys = EncryptionKey.acquireSecretKeys(
+            psswd, service.getSalt());
+
+        for (int i = 0; encKeys != null && i < encKeys.length; i++) {
+            int keyType = encKeys[i].getEType();
+            byte[] keyValue = encKeys[i].getBytes();
+            KeyTabEntry newEntry = new KeyTabEntry(service,
+                            service.getRealm(),
+                            new KerberosTime(System.currentTimeMillis()),
+                                               kvno, keyType, keyValue);
+            if (entries == null)
+                entries = new Vector<KeyTabEntry> ();
+            entries.addElement(newEntry);
+        }
+    }
 
     /**
      * Retrieves the key table entry with the specified service name.
--- a/src/share/classes/sun/security/tools/JarSigner.java	Tue Oct 27 12:33:34 2009 -0700
+++ b/src/share/classes/sun/security/tools/JarSigner.java	Wed Oct 28 15:47:55 2009 -0700
@@ -1483,6 +1483,7 @@
         Timestamp timestamp = signer.getTimestamp();
         if (timestamp != null) {
             s.append(printTimestamp(tab, timestamp));
+            s.append('\n');
         }
         // display the certificate(s)
         for (Certificate c : certs) {
--- a/src/share/classes/sun/security/tools/KeyTool.java	Tue Oct 27 12:33:34 2009 -0700
+++ b/src/share/classes/sun/security/tools/KeyTool.java	Wed Oct 28 15:47:55 2009 -0700
@@ -26,6 +26,7 @@
 package sun.security.tools;
 
 import java.io.*;
+import java.security.CodeSigner;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.MessageDigest;
@@ -34,6 +35,7 @@
 import java.security.PrivateKey;
 import java.security.Security;
 import java.security.Signature;
+import java.security.Timestamp;
 import java.security.UnrecoverableEntryException;
 import java.security.UnrecoverableKeyException;
 import java.security.Principal;
@@ -46,6 +48,8 @@
 import java.text.Collator;
 import java.text.MessageFormat;
 import java.util.*;
+import java.util.jar.JarEntry;
+import java.util.jar.JarFile;
 import java.lang.reflect.Constructor;
 import java.net.URL;
 import java.net.URLClassLoader;
@@ -130,6 +134,7 @@
     private File ksfile = null;
     private InputStream ksStream = null; // keystore stream
     private String sslserver = null;
+    private String jarfile = null;
     private KeyStore keyStore = null;
     private boolean token = false;
     private boolean nullStream = false;
@@ -206,7 +211,7 @@
             "-providername", "-providerclass", "-providerarg",
             "-providerpath", "-v", "-protected"),
         PRINTCERT("Prints the content of a certificate",
-            "-rfc", "-file", "-sslserver", "-v"),
+            "-rfc", "-file", "-sslserver", "-jarfile", "-v"),
         PRINTCERTREQ("Prints the content of a certificate request",
             "-file", "-v"),
         SELFCERT("Generates a self-signed certificate",
@@ -266,6 +271,7 @@
         {"-srcstorepass", "<arg>", "source keystore password"},
         {"-srcstoretype", "<srcstoretype>", "source keystore type"},
         {"-sslserver", "<server[:port]>", "SSL server host and port"},
+        {"-jarfile", "<filename>", "signed jar file"},
         {"-startdate", "<startdate>", "certificate validity start date/time"},
         {"-storepass", "<arg>", "keystore password"},
         {"-storetype", "<storetype>", "keystore type"},
@@ -453,6 +459,8 @@
                 outfilename = args[++i];
             } else if (collator.compare(flags, "-sslserver") == 0) {
                 sslserver = args[++i];
+            } else if (collator.compare(flags, "-jarfile") == 0) {
+                jarfile = args[++i];
             } else if (collator.compare(flags, "-srckeystore") == 0) {
                 srcksfname = args[++i];
             } else if ((collator.compare(flags, "-provider") == 0) ||
@@ -2065,7 +2073,71 @@
     }
 
     private void doPrintCert(final PrintStream out) throws Exception {
-        if (sslserver != null) {
+        if (jarfile != null) {
+            JarFile jf = new JarFile(jarfile, true);
+            Enumeration<JarEntry> entries = jf.entries();
+            Set<CodeSigner> ss = new HashSet<CodeSigner>();
+            byte[] buffer = new byte[8192];
+            int pos = 0;
+            while (entries.hasMoreElements()) {
+                JarEntry je = entries.nextElement();
+                InputStream is = null;
+                try {
+                    is = jf.getInputStream(je);
+                    while (is.read(buffer) != -1) {
+                        // we just read. this will throw a SecurityException
+                        // if a signature/digest check fails. This also
+                        // populate the signers
+                    }
+                } finally {
+                    if (is != null) {
+                        is.close();
+                    }
+                }
+                CodeSigner[] signers = je.getCodeSigners();
+                if (signers != null) {
+                    for (CodeSigner signer: signers) {
+                        if (!ss.contains(signer)) {
+                            ss.add(signer);
+                            out.printf(rb.getString("Signer #%d:"), ++pos);
+                            out.println();
+                            out.println();
+                            out.println(rb.getString("Signature:"));
+                            out.println();
+                            for (Certificate cert: signer.getSignerCertPath().getCertificates()) {
+                                X509Certificate x = (X509Certificate)cert;
+                                if (rfc) {
+                                    out.println(rb.getString("Certificate owner: ") + x.getSubjectDN() + "\n");
+                                    dumpCert(x, out);
+                                } else {
+                                    printX509Cert(x, out);
+                                }
+                                out.println();
+                            }
+                            Timestamp ts = signer.getTimestamp();
+                            if (ts != null) {
+                                out.println(rb.getString("Timestamp:"));
+                                out.println();
+                                for (Certificate cert: ts.getSignerCertPath().getCertificates()) {
+                                    X509Certificate x = (X509Certificate)cert;
+                                    if (rfc) {
+                                        out.println(rb.getString("Certificate owner: ") + x.getSubjectDN() + "\n");
+                                        dumpCert(x, out);
+                                    } else {
+                                        printX509Cert(x, out);
+                                    }
+                                    out.println();
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+            jf.close();
+            if (ss.size() == 0) {
+                out.println(rb.getString("Not a signed jar file"));
+            }
+        } else if (sslserver != null) {
             SSLContext sc = SSLContext.getInstance("SSL");
             final boolean[] certPrinted = new boolean[1];
             sc.init(null, new TrustManager[] {
--- a/src/share/classes/sun/security/util/Resources.java	Tue Oct 27 12:33:34 2009 -0700
+++ b/src/share/classes/sun/security/util/Resources.java	Wed Oct 28 15:47:55 2009 -0700
@@ -162,6 +162,8 @@
                 "source keystore type"}, //-srcstoretype
         {"SSL server host and port",
                 "SSL server host and port"}, //-sslserver
+        {"signed jar file",
+                "signed jar file"}, //=jarfile
         {"certificate validity start date/time",
                 "certificate validity start date/time"}, //-startdate
         {"keystore password",
@@ -370,6 +372,13 @@
 
         {"*****************  WARNING WARNING WARNING  *****************",
             "*****************  WARNING WARNING WARNING  *****************"},
+        {"Signer #%d:", "Signer #%d:"},
+        {"Timestamp:", "Timestamp:"},
+        {"Signature:", "Signature:"},
+        {"Certificate owner: ", "Certificate owner: "},
+        {"Not a signed jar file", "Not a signed jar file"},
+        {"No certificate from the SSL server",
+                "No certificate from the SSL server"},
 
         // Translators of the following 5 pairs, ATTENTION:
         // the next 5 string pairs are meant to be combined into 2 paragraphs,
--- a/test/sun/security/krb5/auto/KDC.java	Tue Oct 27 12:33:34 2009 -0700
+++ b/test/sun/security/krb5/auto/KDC.java	Wed Oct 28 15:47:55 2009 -0700
@@ -466,7 +466,17 @@
             // the krb5.conf config file would be loaded.
             Method stringToKey = EncryptionKey.class.getDeclaredMethod("stringToKey", char[].class, String.class, byte[].class, Integer.TYPE);
             stringToKey.setAccessible(true);
-            return new EncryptionKey((byte[]) stringToKey.invoke(null, getPassword(p), getSalt(p), null, etype), etype, null);
+            Integer kvno = null;
+            // For service whose password ending with a number, use it as kvno
+            if (p.toString().indexOf('/') >= 0) {
+                char[] pass = getPassword(p);
+                if (Character.isDigit(pass[pass.length-1])) {
+                    kvno = pass[pass.length-1] - '0';
+                }
+            }
+            return new EncryptionKey((byte[]) stringToKey.invoke(
+                    null, getPassword(p), getSalt(p), null, etype),
+                    etype, kvno);
         } catch (InvocationTargetException ex) {
             KrbException ke = (KrbException)ex.getCause();
             throw ke;
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/krb5/auto/MoreKvno.java	Wed Oct 28 15:47:55 2009 -0700
@@ -0,0 +1,70 @@
+/*
+ * Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/*
+ * @test
+ * @bug 6893158
+ * @summary AP_REQ check should use key version number
+ */
+
+import sun.security.jgss.GSSUtil;
+import sun.security.krb5.PrincipalName;
+import sun.security.krb5.internal.ktab.KeyTab;
+
+public class MoreKvno {
+
+    public static void main(String[] args)
+            throws Exception {
+
+        OneKDC kdc = new OneKDC(null);
+        kdc.writeJAASConf();
+
+        // Rewrite keytab, 3 set of keys with different kvno
+        KeyTab ktab = KeyTab.create(OneKDC.KTAB);
+        PrincipalName p = new PrincipalName(OneKDC.SERVER+"@"+OneKDC.REALM, PrincipalName.KRB_NT_SRV_HST);
+        ktab.addEntry(p, "pass0".toCharArray(), 0);
+        ktab.addEntry(p, "pass2".toCharArray(), 2);
+        ktab.addEntry(p, "pass1".toCharArray(), 1);
+        ktab.save();
+
+        kdc.addPrincipal(OneKDC.SERVER, "pass1".toCharArray());
+        go(OneKDC.SERVER, "com.sun.security.jgss.krb5.accept");
+        kdc.addPrincipal(OneKDC.SERVER, "pass2".toCharArray());
+        // "server" initiate also, check pass2 is used at authentication
+        go(OneKDC.SERVER, "server");
+    }
+
+    static void go(String server, String entry) throws Exception {
+        Context c, s;
+        c = Context.fromUserPass("dummy", "bogus".toCharArray(), false);
+        s = Context.fromJAAS(entry);
+
+        c.startAsClient(server, GSSUtil.GSS_KRB5_MECH_OID);
+        s.startAsServer(GSSUtil.GSS_KRB5_MECH_OID);
+
+        Context.handshake(c, s);
+
+        s.dispose();
+        c.dispose();
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/security/tools/keytool/readjar.sh	Wed Oct 28 15:47:55 2009 -0700
@@ -0,0 +1,56 @@
+#
+# Copyright 2009 Sun Microsystems, Inc.  All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+# @test
+# @bug 6890872
+# @summary keytool -printcert to recognize signed jar files
+#
+
+if [ "${TESTJAVA}" = "" ] ; then
+  JAVAC_CMD=`which javac`
+  TESTJAVA=`dirname $JAVAC_CMD`/..
+fi
+
+# set platform-dependent variables
+OS=`uname -s`
+case "$OS" in
+  Windows_* )
+    FS="\\"
+    ;;
+  * )
+    FS="/"
+    ;;
+esac
+
+KS=readjar.jks
+rm $KS
+$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit -keystore $KS \
+        -alias x -dname CN=X -genkeypair
+$TESTJAVA${FS}bin${FS}jar cvf readjar.jar $KS
+$TESTJAVA${FS}bin${FS}jarsigner -storepass changeit -keystore $KS readjar.jar x
+
+$TESTJAVA${FS}bin${FS}keytool -printcert -jarfile readjar.jar || exit 1
+$TESTJAVA${FS}bin${FS}keytool -printcert -jarfile readjar.jar -rfc || exit 1
+
+exit 0
+