6876158: Remove dependencies on Signer, Certificate, Identity, IdentityScope classes from java.security pkg
Reviewed-by: alanb, mullan
--- a/jdk/src/share/classes/com/sun/security/auth/PolicyFile.java Mon Dec 07 15:29:44 2009 +0800
+++ b/jdk/src/share/classes/com/sun/security/auth/PolicyFile.java Mon Dec 07 17:06:59 2009 +0000
@@ -34,8 +34,6 @@
import java.security.AccessController;
import java.security.CodeSource;
-import java.security.Identity;
-import java.security.IdentityScope;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Permission;
@@ -267,7 +265,7 @@
private boolean initialized = false;
private boolean expandProperties = true;
- private boolean ignoreIdentityScope = false;
+ private boolean ignoreIdentityScope = true;
// for use with the reflection API
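Review bot: Flipping `ignoreIdentityScope` to `true` here (and at the same field in sun/security/provider/PolicyFile.java, hunk @@ -295) leaves a knob whose only visible consumer, checkForTrustedIdentity, no longer reads it after this commit. If no remaining code in either class reads or assigns the field, it is dead state and should be removed together with whatever property parsing populates it; otherwise a comment such as `// identity-scope lookups were removed; retained only so existing property parsing still compiles` would tell the next reader why a flag with no effect is still declared. I cannot see the rest of com.sun.security.auth.PolicyFile in this diff, so the claim about consumers is inferred from the provider copy.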
@@ -459,9 +457,6 @@
}
}
- /** the scope to check */
- private static IdentityScope scope = null;
-
/**
* Checks public key. If it is marked as trusted in
* the identity database, add it to the policy
--- a/jdk/src/share/classes/sun/security/pkcs/PKCS10.java Mon Dec 07 15:29:44 2009 +0800
+++ b/jdk/src/share/classes/sun/security/pkcs/PKCS10.java Mon Dec 07 17:06:59 2009 +0000
@@ -44,7 +44,6 @@
import sun.security.x509.AlgorithmId;
import sun.security.x509.X509Key;
import sun.security.x509.X500Name;
-import sun.security.x509.X500Signer;
/**
* A PKCS #10 certificate request is created and sent to a Certificate
@@ -183,13 +182,13 @@
* Create the signed certificate request. This will later be
* retrieved in either string or binary format.
*
- * @param requester identifies the signer (by X.500 name)
- * and provides the private key used to sign.
+ * @param subject identifies the signer (by X.500 name).
+ * @param signature private key and signing algorithm to use.
* @exception IOException on errors.
* @exception CertificateException on certificate handling errors.
* @exception SignatureException on signature handling errors.
*/
- public void encodeAndSign(X500Signer requester)
+ public void encodeAndSign(X500Name subject, Signature signature)
throws CertificateException, IOException, SignatureException {
DerOutputStream out, scratch;
byte[] certificateRequestInfo;
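Review bot: The new `@param signature` line does not state the precondition the body relies on: the `Signature` must already be initialized for signing before it is passed in, since encodeAndSign only calls `update` and `sign` on it, and its algorithm name must resolve through `AlgorithmId.getAlgorithmId`, otherwise the method fails with SignatureException. Suggest `@param signature a Signature already initialized for signing with the requester's private key; its algorithm name is used to derive the signature AlgorithmId.` and dropping "private key" from the current wording, since no key object is passed. encodeAndSign continues past this hunk.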
@@ -198,7 +197,7 @@
if (encoded != null)
throw new SignatureException("request is already signed");
- subject = requester.getSigner();
+ this.subject = subject;
/*
* Encode cert request info, wrap in a sequence for signing
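Review bot: `this.subject = subject;` stores the caller-supplied name without a null check, so a null subject would presumably surface only later, as a NullPointerException from the request-info encoding, rather than as a clear argument error at the entry point; before this change the name came from the X500Signer rather than directly from the caller. A guard ahead of the assignment, `if (subject == null) throw new IllegalArgumentException("subject is null");`, keeps the failure at the boundary and avoids leaving the object half-updated. encodeAndSign starts and ends outside this hunk.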
@@ -217,14 +216,20 @@
/*
* Sign it ...
*/
- requester.update(certificateRequestInfo, 0,
+ signature.update(certificateRequestInfo, 0,
certificateRequestInfo.length);
- sig = requester.sign();
+ sig = signature.sign();
/*
* Build guts of SIGNED macro
*/
- requester.getAlgorithmId().encode(scratch); // sig algorithm
+ AlgorithmId algId = null;
+ try {
+ algId = AlgorithmId.getAlgorithmId(signature.getAlgorithm());
+ } catch (NoSuchAlgorithmException nsae) {
+ throw new SignatureException(nsae);
+ }
+ algId.encode(scratch); // sig algorithm
scratch.putBitString(sig); // sig
/*
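Review bot: The AlgorithmId lookup on the new lines runs after `signature.update` and `signature.sign()` have already produced a signature, so an unrecognized algorithm name is reported only after the signing work is done; moving the `AlgorithmId.getAlgorithmId(signature.getAlgorithm())` try/catch above the "Sign it" section fails fast and avoids computing `sig` for a request that cannot be encoded anyway. The `AlgorithmId algId = null;` initializer is also unnecessary: with `AlgorithmId algId;` definite assignment is satisfied because the catch clause always throws. Whether `AlgorithmId.getAlgorithmId` accepts every name `Signature.getAlgorithm()` can return (provider aliases, for instance) is not visible here and worth confirming. encodeAndSign continues past this hunk.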
--- a/jdk/src/share/classes/sun/security/provider/IdentityDatabase.java Mon Dec 07 15:29:44 2009 +0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,427 +0,0 @@
-/*
- * Copyright 1996-2006 Sun Microsystems, Inc. All Rights Reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation. Sun designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Sun in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
- * CA 95054 USA or visit www.sun.com if you need additional information or
- * have any questions.
- */
-
-package sun.security.provider;
-
-import java.io.*;
-import java.util.*;
-import java.security.*;
-
-/**
- * An implementation of IdentityScope as a persistent identity
- * database.
- *
- * @see Identity
- * @see Key
- *
- * @author Benjamin Renaud
- */
-public
-class IdentityDatabase extends IdentityScope implements Serializable {
-
- /** use serialVersionUID from JDK 1.1. for interoperability */
- private static final long serialVersionUID = 4923799573357658384L;
-
- /* Are we debugging? */
- private static final boolean debug = false;
-
- /* Are we printing out error messages? */
- private static final boolean error = true;
-
- /* The source file, if any, for this database.*/
- File sourceFile;
-
- /* The private representation of the database.*/
- Hashtable<String, Identity> identities;
-
- IdentityDatabase() throws InvalidParameterException {
- this("restoring...");
- }
-
- /**
- * Construct a new, empty database with a specified source file.
- *
- * @param file the source file.
- */
- public IdentityDatabase(File file) throws InvalidParameterException {
- this(file.getName());
- sourceFile = file;
- }
-
- /**
- * Construct a new, empty database.
- */
- public IdentityDatabase(String name) throws InvalidParameterException {
- super(name);
- identities = new Hashtable<String, Identity>();
- }
-
- /**
- * Initialize an identity database from a stream. The stream should
- * contain data to initialized a serialized IdentityDatabase
- * object.
- *
- * @param is the input stream from which to restore the database.
- *
- * @exception IOException if a stream IO exception occurs
- */
- public static IdentityDatabase fromStream(InputStream is)
- throws IOException {
- IdentityDatabase db = null;
- try {
- ObjectInputStream ois = new ObjectInputStream(is);
- db = (IdentityDatabase)ois.readObject();
- } catch (ClassNotFoundException e) {
- // this can't happen.
- debug("This should not be happening.", e);
- error(
- "The version of the database is obsolete. Cannot initialize.");
-
- } catch (InvalidClassException e) {
- // this may happen in developers workspaces happen.
- debug("This should not be happening.", e);
- error("Unable to initialize system identity scope: " +
- " InvalidClassException. \nThis is most likely due to " +
- "a serialization versioning problem: a class used in " +
- "key management was obsoleted");
-
- } catch (StreamCorruptedException e) {
- debug("The serialization stream is corrupted. Unable to load.", e);
- error("Unable to initialize system identity scope." +
- " StreamCorruptedException.");
- }
-
- if (db == null) {
- db = new IdentityDatabase("uninitialized");
- }
-
- return db;
- }
-
- /**
- * Initialize an IdentityDatabase from file.
- *
- * @param f the filename where the identity database is stored.
- *
- * @exception IOException a file-related exception occurs (e.g.
- * the directory of the file passed does not exists, etc.
- *
- * @IOException if a file IO exception occurs.
- */
- public static IdentityDatabase fromFile(File f) throws IOException {
- FileInputStream fis = new FileInputStream(f);
- IdentityDatabase edb = fromStream(fis);
- edb.sourceFile = f;
- return edb;
- }
-
-
-
- /**
- * @return the number of identities in the database.
- */
- public int size() {
- return identities.size();
- }
-
-
- /**
- * @param name the name of the identity to be retrieved.
- *
- * @return the identity named name, or null if there are
- * no identities named name in the database.
- */
- public Identity getIdentity(String name) {
- Identity id = identities.get(name);
- if (id instanceof Signer) {
- localCheck("get.signer");
- }
- return id;
- }
-
- /**
- * Get an identity by key.
- *
- * @param name the key of the identity to be retrieved.
- *
- * @return the identity with a given key, or null if there are no
- * identities with that key in the database.
- */
- public Identity getIdentity(PublicKey key) {
- if (key == null) {
- return null;
- }
- Enumeration<Identity> e = identities();
- while (e.hasMoreElements()) {
- Identity i = e.nextElement();
- PublicKey k = i.getPublicKey();
- if (k != null && keyEqual(k, key)) {
- if (i instanceof Signer) {
- localCheck("get.signer");
- }
- return i;
- }
- }
- return null;
- }
-
- private boolean keyEqual(Key key1, Key key2) {
- if (key1 == key2) {
- return true;
- } else {
- return MessageDigest.isEqual(key1.getEncoded(), key2.getEncoded());
- }
- }
-
- /**
- * Adds an identity to the database.
- *
- * @param identity the identity to be added.
- *
- * @exception KeyManagementException if a name or key clash
- * occurs, or if another exception occurs.
- */
- public void addIdentity(Identity identity)
- throws KeyManagementException {
- localCheck("add.identity");
- Identity byName = getIdentity(identity.getName());
- Identity byKey = getIdentity(identity.getPublicKey());
- String msg = null;
-
- if (byName != null) {
- msg = "name conflict";
- }
- if (byKey != null) {
- msg = "key conflict";
- }
- if (msg != null) {
- throw new KeyManagementException(msg);
- }
- identities.put(identity.getName(), identity);
- }
-
- /**
- * Removes an identity to the database.
- */
- public void removeIdentity(Identity identity)
- throws KeyManagementException {
- localCheck("remove.identity");
- String name = identity.getName();
- if (identities.get(name) == null) {
- throw new KeyManagementException("there is no identity named " +
- name + " in " + this);
- }
- identities.remove(name);
- }
-
- /**
- * @return an enumeration of all identities in the database.
- */
- public Enumeration<Identity> identities() {
- return identities.elements();
- }
-
- /**
- * Set the source file for this database.
- */
- void setSourceFile(File f) {
- sourceFile = f;
- }
-
- /**
- * @return the source file for this database.
- */
- File getSourceFile() {
- return sourceFile;
- }
-
- /**
- * Save the database in its current state to an output stream.
- *
- * @param os the output stream to which the database should be serialized.
- *
- * @exception IOException if an IO exception is raised by stream
- * operations.
- */
- public void save(OutputStream os) throws IOException {
- try {
- ObjectOutputStream oos = new ObjectOutputStream(os);
- oos.writeObject(this);
- oos.flush();
- } catch (InvalidClassException e) {
- debug("This should not be happening.", e);
- return;
- }
- }
-
- /**
- * Save the database to a file.
- *
- * @exception IOException if an IO exception is raised by stream
- * operations.
- */
- void save(File f) throws IOException {
- setSourceFile(f);
- FileOutputStream fos = new FileOutputStream(f);
- save(fos);
- }
-
- /**
- * Saves the database to the default source file.
- *
- * @exception KeyManagementException when there is no default source
- * file specified for this database.
- */
- public void save() throws IOException {
- if (sourceFile == null) {
- throw new IOException("this database has no source file");
- }
- save(sourceFile);
- }
-
- /**
- * This method returns the file from which to initialize the
- * system database.
- */
- private static File systemDatabaseFile() {
-
- // First figure out where the identity database is hiding, if anywhere.
- String dbPath = Security.getProperty("identity.database");
- // if nowhere, it's the canonical place.
- if (dbPath == null) {
- dbPath = System.getProperty("user.home") + File.separatorChar +
- "identitydb.obj";
- }
- return new File(dbPath);
- }
-
-
- /* This block initializes the system database, if there is one. */
- static {
- java.security.AccessController.doPrivileged(
- new java.security.PrivilegedAction<Void>() {
- public Void run() {
- initializeSystem();
- return null;
- }
- });
- }
-
- /**
- * This method initializes the system's identity database. The
- * canonical location is
- * <user.home>/identitydatabase.obj. This is settable through
- * the identity.database property. */
- private static void initializeSystem() {
-
- IdentityDatabase systemDatabase;
- File dbFile = systemDatabaseFile();
-
- // Second figure out if it's there, and if it isn't, create one.
- try {
- if (dbFile.exists()) {
- debug("loading system database from file: " + dbFile);
- systemDatabase = fromFile(dbFile);
- } else {
- systemDatabase = new IdentityDatabase(dbFile);
- }
- IdentityScope.setSystemScope(systemDatabase);
- debug("System database initialized: " + systemDatabase);
- } catch (IOException e) {
- debug("Error initializing identity database: " + dbFile, e);
- return;
- } catch (InvalidParameterException e) {
- debug("Error trying to instantiate a system identities db in " +
- dbFile, e);
- return;
- }
- }
-
- /*
- private static File securityPropFile(String filename) {
- // maybe check for a system property which will specify where to
- // look.
- String sep = File.separator;
- return new File(System.getProperty("java.home") +
- sep + "lib" + sep + "security" +
- sep + filename);
- }
- */
-
- public String toString() {
- return "sun.security.provider.IdentityDatabase, source file: " +
- sourceFile;
- }
-
-
- private static void debug(String s) {
- if (debug) {
- System.err.println(s);
- }
- }
-
- private static void debug(String s, Throwable t) {
- if (debug) {
- t.printStackTrace();
- System.err.println(s);
- }
- }
-
- private static void error(String s) {
- if (error) {
- System.err.println(s);
- }
- }
-
- void localCheck(String directive) {
- SecurityManager security = System.getSecurityManager();
- if (security != null) {
- directive = this.getClass().getName() + "." +
- directive + "." + localFullName();
- security.checkSecurityAccess(directive);
- }
- }
-
- /**
- * Returns a parsable name for identity: identityName.scopeName
- */
- String localFullName() {
- String parsable = getName();
- if (getScope() != null) {
- parsable += "." +getScope().getName();
- }
- return parsable;
- }
-
- /**
- * Serialization write.
- */
- private synchronized void writeObject (java.io.ObjectOutputStream stream)
- throws IOException {
- localCheck("serialize.identity.database");
- stream.writeObject(identities);
- stream.writeObject(sourceFile);
- }
-}
--- a/jdk/src/share/classes/sun/security/provider/PolicyFile.java Mon Dec 07 15:29:44 2009 +0800
+++ b/jdk/src/share/classes/sun/security/provider/PolicyFile.java Mon Dec 07 17:06:59 2009 +0000
@@ -295,16 +295,13 @@
private static final int DEFAULT_CACHE_SIZE = 1;
- /** the scope to check */
- private static IdentityScope scope = null;
-
// contains the policy grant entries, PD cache, and alias mapping
private AtomicReference<PolicyInfo> policyInfo =
new AtomicReference<PolicyInfo>();
private boolean constructed = false;
private boolean expandProperties = true;
- private boolean ignoreIdentityScope = false;
+ private boolean ignoreIdentityScope = true;
private boolean allowSystemProperties = true;
private boolean notUtf8 = false;
private URL url;
@@ -2024,85 +2021,9 @@
private boolean checkForTrustedIdentity(final Certificate cert,
PolicyInfo myInfo)
{
- if (cert == null)
- return false;
-
- // see if we are ignoring the identity scope or not
- if (ignoreIdentityScope)
- return false;
-
- // try to initialize scope
- synchronized(PolicyFile.class) {
- if (scope == null) {
- IdentityScope is = IdentityScope.getSystemScope();
-
- if (is instanceof sun.security.provider.IdentityDatabase) {
- scope = is;
- } else {
- // leave scope null
- }
- }
- }
-
- if (scope == null) {
- ignoreIdentityScope = true;
- return false;
- }
-
- // need privileged block for getIdentity in case we are trying
- // to get a signer
- final Identity id = AccessController.doPrivileged(
- new java.security.PrivilegedAction<Identity>() {
- public Identity run() {
- return scope.getIdentity(cert.getPublicKey());
- }
- });
-
- if (isTrusted(id)) {
- if (debug != null) {
- debug.println("Adding policy entry for trusted Identity: ");
- //needed for identity toString!
- AccessController.doPrivileged(
- new java.security.PrivilegedAction<Void>() {
- public Void run() {
- debug.println(" identity = " + id);
- return null;
- }
- });
- debug.println("");
- }
-
- // add it to the policy for future reference
- Certificate certs[] = new Certificate[] {cert};
- PolicyEntry pe = new PolicyEntry(new CodeSource(null, certs));
- pe.add(SecurityConstants.ALL_PERMISSION);
-
- myInfo.identityPolicyEntries.add(pe);
-
- // add it to the mapping as well so
- // we don't have to go through this again
- myInfo.aliasMapping.put(cert, id.getName());
-
- return true;
- }
return false;
}
- private static boolean isTrusted(Identity id) {
- if (id instanceof SystemIdentity) {
- SystemIdentity sysid = (SystemIdentity)id;
- if (sysid.isTrusted()) {
- return true;
- }
- } else if (id instanceof SystemSigner) {
- SystemSigner sysid = (SystemSigner)id;
- if (sysid.isTrusted()) {
- return true;
- }
- }
- return false;
- }
-
/**
* Each entry in the policy configuration file is represented by a
* PolicyEntry object. <p>
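Review bot: checkForTrustedIdentity is now a stub that ignores both parameters and always returns false, yet it keeps its signature, the `final` on `cert`, and the `ignoreIdentityScope` field whose only visible consumer it was. Either delete the method and fold `false` into its call sites, or document the intent with a Javadoc such as `Identity-scope lookups were removed (6876158); retained so callers need not change, always returns false.` The deleted body was the only visible user of `AccessController`, `CodeSource`, `SecurityConstants.ALL_PERMISSION` and `Identity` in this file, so some imports may now be unused; the import block is not in this diff, so I cannot confirm.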
--- a/jdk/src/share/classes/sun/security/provider/SystemIdentity.java Mon Dec 07 15:29:44 2009 +0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,107 +0,0 @@
-/*
- * Copyright 1996-2000 Sun Microsystems, Inc. All Rights Reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation. Sun designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Sun in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
- * CA 95054 USA or visit www.sun.com if you need additional information or
- * have any questions.
- */
-
-package sun.security.provider;
-
-import java.io.Serializable;
-import java.util.Enumeration;
-import java.security.*;
-
-/**
- * An identity with a very simple trust mechanism.
- *
- * @author Benjamin Renaud
- */
-
-public class SystemIdentity extends Identity implements Serializable {
-
- /** use serialVersionUID from JDK 1.1. for interoperability */
- private static final long serialVersionUID = 9060648952088498478L;
-
- /* This should be changed to ACL */
- boolean trusted = false;
-
- /* Free form additional information about this identity. */
- private String info;
-
- public SystemIdentity(String name, IdentityScope scope)
- throws InvalidParameterException, KeyManagementException {
- super(name, scope);
- }
-
- /**
- * Is this identity trusted by sun.* facilities?
- */
- public boolean isTrusted() {
- return trusted;
- }
-
- /**
- * Set the trust status of this identity.
- */
- protected void setTrusted(boolean trusted) {
- this.trusted = trusted;
- }
-
- void setIdentityInfo(String info) {
- super.setInfo(info);
- }
-
- String getIndentityInfo() {
- return super.getInfo();
- }
-
- /**
- * Call back method into a protected method for package friends.
- */
- void setIdentityPublicKey(PublicKey key) throws KeyManagementException {
- setPublicKey(key);
- }
-
- /**
- * Call back method into a protected method for package friends.
- */
- void addIdentityCertificate(Certificate cert)
- throws KeyManagementException {
- addCertificate(cert);
- }
-
- void clearCertificates() throws KeyManagementException {
- Certificate[] certs = certificates();
- for (int i = 0; i < certs.length; i++) {
- removeCertificate(certs[i]);
- }
- }
-
- public String toString() {
- String trustedString = "not trusted";
- if (trusted) {
- trustedString = "trusted";
- }
- return super.toString() + "[" + trustedString + "]";
- }
-
-
-}
--- a/jdk/src/share/classes/sun/security/provider/SystemSigner.java Mon Dec 07 15:29:44 2009 +0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,115 +0,0 @@
-/*
- * Copyright 1996-2000 Sun Microsystems, Inc. All Rights Reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation. Sun designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Sun in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
- * CA 95054 USA or visit www.sun.com if you need additional information or
- * have any questions.
- */
-
-package sun.security.provider;
-
-import java.util.*;
-import java.security.*;
-
-/**
- * SunSecurity signer. Like SystemIdentity, it has a trust bit, which
- * can be set by SunSecurity classes, and a set of accessors for other
- * classes in sun.security.*.
- *
- * @author Benjamin Renaud
- */
-
-public class SystemSigner extends Signer {
-
- /** use serialVersionUID from JDK 1.1. for interoperability */
- private static final long serialVersionUID = -2127743304301557711L;
-
- /* Is this signer trusted */
- private boolean trusted = false;
-
- /**
- * Construct a signer with a given name.
- */
- public SystemSigner(String name) {
- super(name);
- }
-
- /**
- * Construct a signer with a name and a scope.
- *
- * @param name the signer's name.
- *
- * @param scope the scope for this signer.
- */
- public SystemSigner(String name, IdentityScope scope)
- throws KeyManagementException {
-
- super(name, scope);
- }
-
- /* Set the trust status of this signer */
- void setTrusted(boolean trusted) {
- this.trusted = trusted;
- }
-
- /**
- * Returns true if this signer is trusted.
- */
- public boolean isTrusted() {
- return trusted;
- }
-
- /* friendly callback for set keys */
- void setSignerKeyPair(KeyPair pair)
- throws InvalidParameterException, KeyException {
- setKeyPair(pair);
- }
-
- /* friendly callback for getting private keys */
- PrivateKey getSignerPrivateKey() {
- return getPrivateKey();
- }
-
- void setSignerInfo(String s) {
- setInfo(s);
- }
-
- /**
- * Call back method into a protected method for package friends.
- */
- void addSignerCertificate(Certificate cert) throws KeyManagementException {
- addCertificate(cert);
- }
-
- void clearCertificates() throws KeyManagementException {
- Certificate[] certs = certificates();
- for (int i = 0; i < certs.length; i++) {
- removeCertificate(certs[i]);
- }
- }
-
- public String toString() {
- String trustedString = "not trusted";
- if (trusted) {
- trustedString = "trusted";
- }
- return super.toString() + "[" + trustedString + "]";
- }
-}
--- a/jdk/src/share/classes/sun/security/tools/JarSigner.java Mon Dec 07 15:29:44 2009 +0800
+++ b/jdk/src/share/classes/sun/security/tools/JarSigner.java Mon Dec 07 17:06:59 2009 +0000
@@ -118,8 +118,6 @@
KeyStore store; // the keystore specified by -keystore
// or the default keystore, never null
- IdentityScope scope;
-
String keystore; // key store file
boolean nullStream = false; // null keystore input stream (NONE)
boolean token = false; // token-based keystore
@@ -212,7 +210,6 @@
if (verify) {
try {
loadKeyStore(keystore, false);
- scope = IdentityScope.getSystemScope();
} catch (Exception e) {
if ((keystore != null) || (storepass != null)) {
System.out.println(rb.getString("jarsigner error: ") +
@@ -984,13 +981,6 @@
result |= IN_KEYSTORE;
}
}
- if (!found && (scope != null)) {
- Identity id = scope.getIdentity(c.getPublicKey());
- if (id != null) {
- result |= IN_SCOPE;
- storeHash.put(c, "[" + id.getName() + "]");
- }
- }
if (ckaliases.contains(alias)) {
result |= SIGNED_BY_ALIAS;
}
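Review bot: With the `result |= IN_SCOPE` branch gone, nothing in this hunk sets `IN_SCOPE` any more, so the constant and any code that tests it when rendering verification output (and the matching resource strings) are likely dead; if no other assignment exists in JarSigner, remove the flag and its rendering branch rather than leaving a bit that can never be set. The same applies to the `"[" + id.getName() + "]"` form that `storeHash` used to receive for scope identities. The enclosing method starts before this hunk, so I cannot see whether `found` still has a reader without the removed branch.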
--- a/jdk/src/share/classes/sun/security/tools/KeyTool.java Mon Dec 07 15:29:44 2009 +0800
+++ b/jdk/src/share/classes/sun/security/tools/KeyTool.java Mon Dec 07 17:06:59 2009 +0000
@@ -40,7 +40,6 @@
import java.security.UnrecoverableKeyException;
import java.security.Principal;
import java.security.Provider;
-import java.security.Identity;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
@@ -57,9 +56,6 @@
import sun.misc.BASE64Encoder;
import sun.security.util.ObjectIdentifier;
import sun.security.pkcs.PKCS10;
-import sun.security.provider.IdentityDatabase;
-import sun.security.provider.SystemSigner;
-import sun.security.provider.SystemIdentity;
import sun.security.provider.X509Factory;
import sun.security.util.DerOutputStream;
import sun.security.util.Password;
@@ -1163,18 +1159,16 @@
Signature signature = Signature.getInstance(sigAlgName);
signature.initSign(privateKey);
- X500Signer signer = new X500Signer(signature, issuer);
-
X509CertInfo info = new X509CertInfo();
info.set(X509CertInfo.VALIDITY, interval);
info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(
new java.util.Random().nextInt() & 0x7fffffff));
info.set(X509CertInfo.VERSION,
- new CertificateVersion(CertificateVersion.V3));
+ new CertificateVersion(CertificateVersion.V3));
info.set(X509CertInfo.ALGORITHM_ID,
- new CertificateAlgorithmId(signer.getAlgorithmId()));
- info.set(X509CertInfo.ISSUER,
- new CertificateIssuerName(signer.getSigner()));
+ new CertificateAlgorithmId(
+ AlgorithmId.getAlgorithmId(sigAlgName)));
+ info.set(X509CertInfo.ISSUER, new CertificateIssuerName(issuer));
BufferedReader reader = new BufferedReader(new InputStreamReader(in));
boolean canRead = false;
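Review bot: After removing the `X500Signer`, the `Signature signature = Signature.getInstance(sigAlgName); signature.initSign(privateKey);` pair at the top of this hunk has no visible consumer — the algorithm id is now taken from `sigAlgName` directly and the issuer from `issuer`. If the remainder of the method (outside this hunk) signs the certificate another way, these two lines create and key-initialize a Signature object that is never used and should be dropped; if it is used later, ignore this. Note also that the `CertificateVersion.V3` line changed only in whitespace, which adds noise to the diff.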
@@ -1249,7 +1243,7 @@
request.getAttributes().setAttribute(X509CertInfo.EXTENSIONS,
new PKCS10Attribute(PKCS9Attribute.EXTENSION_REQUEST_OID, ext));
- // Construct an X500Signer object, so that we can sign the request
+ // Construct a Signature object, so that we can sign the request
if (sigAlgName == null) {
sigAlgName = getCompatibleSigAlgName(privKey.getAlgorithm());
}
@@ -1259,10 +1253,9 @@
X500Name subject = dname == null?
new X500Name(((X509Certificate)cert).getSubjectDN().toString()):
new X500Name(dname);
- X500Signer signer = new X500Signer(signature, subject);
// Sign the request and base-64 encode it
- request.encodeAndSign(signer);
+ request.encodeAndSign(subject, signature);
request.print(out);
}
@@ -1564,75 +1557,8 @@
private void doImportIdentityDatabase(InputStream in)
throws Exception
{
- byte[] encoded;
- ByteArrayInputStream bais;
- java.security.cert.X509Certificate newCert;
- java.security.cert.Certificate[] chain = null;
- PrivateKey privKey;
- boolean modified = false;
-
- IdentityDatabase idb = IdentityDatabase.fromStream(in);
- for (Enumeration<Identity> enum_ = idb.identities();
- enum_.hasMoreElements();) {
- Identity id = enum_.nextElement();
- newCert = null;
- // only store trusted identities in keystore
- if ((id instanceof SystemSigner && ((SystemSigner)id).isTrusted())
- || (id instanceof SystemIdentity
- && ((SystemIdentity)id).isTrusted())) {
- // ignore if keystore entry with same alias name already exists
- if (keyStore.containsAlias(id.getName())) {
- MessageFormat form = new MessageFormat
- (rb.getString("Keystore entry for <id.getName()> already exists"));
- Object[] source = {id.getName()};
- System.err.println(form.format(source));
- continue;
- }
- java.security.Certificate[] certs = id.certificates();
- if (certs!=null && certs.length>0) {
- // we can only store one user cert per identity.
- // convert old-style to new-style cert via the encoding
- DerOutputStream dos = new DerOutputStream();
- certs[0].encode(dos);
- encoded = dos.toByteArray();
- bais = new ByteArrayInputStream(encoded);
- newCert = (X509Certificate)cf.generateCertificate(bais);
- bais.close();
-
- // if certificate is self-signed, make sure it verifies
- if (isSelfSigned(newCert)) {
- PublicKey pubKey = newCert.getPublicKey();
- try {
- newCert.verify(pubKey);
- } catch (Exception e) {
- // ignore this cert
- continue;
- }
- }
-
- if (id instanceof SystemSigner) {
- MessageFormat form = new MessageFormat(rb.getString
- ("Creating keystore entry for <id.getName()> ..."));
- Object[] source = {id.getName()};
- System.err.println(form.format(source));
- if (chain==null) {
- chain = new java.security.cert.Certificate[1];
- }
- chain[0] = newCert;
- privKey = ((SystemSigner)id).getPrivateKey();
- keyStore.setKeyEntry(id.getName(), privKey, storePass,
- chain);
- } else {
- keyStore.setCertificateEntry(id.getName(), newCert);
- }
- kssave = true;
- }
- }
- }
- if (!kssave) {
- System.err.println(rb.getString
- ("No entries from identity database added"));
- }
+ System.err.println(rb.getString
+ ("No entries from identity database added"));
}
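Review bot: doImportIdentityDatabase now unconditionally prints the "No entries from identity database added" message and never reads `in`, so a user who still supplies an identity database gets output implying the file was scanned and found empty, which is misleading. If the command-line option that routes here remains accepted, the method should say that identity databases are no longer supported (a new resource string, so a follow-up), and a Javadoc such as `Identity databases are no longer supported; retained for option compatibility and reports that nothing was imported.` would record the intent. The `throws Exception` clause and the `in` parameter are now unused as well.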
/**
--- a/jdk/src/share/classes/sun/security/x509/CertAndKeyGen.java Mon Dec 07 15:29:44 2009 +0800
+++ b/jdk/src/share/classes/sun/security/x509/CertAndKeyGen.java Mon Dec 07 17:06:59 2009 +0000
@@ -190,41 +190,6 @@
/**
- * Returns a self-signed X.509v1 certificate for the public key.
- * The certificate is immediately valid.
- *
- * <P>Such certificates normally are used to identify a "Certificate
- * Authority" (CA). Accordingly, they will not always be accepted by
- * other parties. However, such certificates are also useful when
- * you are bootstrapping your security infrastructure, or deploying
- * system prototypes.
- *
- * @deprecated Use the new <a href =
- * "#getSelfCertificate(sun.security.x509.X500Name, long)">
- *
- * @param myname X.500 name of the subject (who is also the issuer)
- * @param validity how long the certificate should be valid, in seconds
- */
- @Deprecated
- public X509Cert getSelfCert (X500Name myname, long validity)
- throws InvalidKeyException, SignatureException, NoSuchAlgorithmException
- {
- X509Certificate cert;
-
- try {
- cert = getSelfCertificate(myname, validity);
- return new X509Cert(cert.getEncoded());
- } catch (CertificateException e) {
- throw new SignatureException(e.getMessage());
- } catch (NoSuchProviderException e) {
- throw new NoSuchAlgorithmException(e.getMessage());
- } catch (IOException e) {
- throw new SignatureException(e.getMessage());
- }
- }
-
-
- /**
* Returns a self-signed X.509v3 certificate for the public key.
* The certificate is immediately valid. No extensions.
*
@@ -248,13 +213,10 @@
throws CertificateException, InvalidKeyException, SignatureException,
NoSuchAlgorithmException, NoSuchProviderException
{
- X500Signer issuer;
X509CertImpl cert;
Date lastDate;
try {
- issuer = getSigner (myname);
-
lastDate = new Date ();
lastDate.setTime (firstDate.getTime () + validity * 1000);
@@ -267,14 +229,13 @@
new CertificateVersion(CertificateVersion.V3));
info.set(X509CertInfo.SERIAL_NUMBER, new CertificateSerialNumber(
new java.util.Random().nextInt() & 0x7fffffff));
- AlgorithmId algID = issuer.getAlgorithmId();
+ AlgorithmId algID = AlgorithmId.getAlgorithmId(sigAlg);
info.set(X509CertInfo.ALGORITHM_ID,
new CertificateAlgorithmId(algID));
info.set(X509CertInfo.SUBJECT, new CertificateSubjectName(myname));
info.set(X509CertInfo.KEY, new CertificateX509Key(publicKey));
info.set(X509CertInfo.VALIDITY, interval);
- info.set(X509CertInfo.ISSUER,
- new CertificateIssuerName(issuer.getSigner()));
+ info.set(X509CertInfo.ISSUER, new CertificateIssuerName(myname));
cert = new X509CertImpl(info);
cert.sign(privateKey, this.sigAlg);
@@ -315,7 +276,9 @@
PKCS10 req = new PKCS10 (publicKey);
try {
- req.encodeAndSign (getSigner (myname));
+ Signature signature = Signature.getInstance(sigAlg);
+ signature.initSign (privateKey);
+ req.encodeAndSign(myname, signature);
} catch (CertificateException e) {
throw new SignatureException (sigAlg + " CertificateException");
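Review bot: The `XXX should have a way to pass prng to the signature algorithm ... appropriate for DSS/DSA, not RSA` note from the deleted `getSigner` is dropped, yet the inlined replacement still calls the single-argument `signature.initSign (privateKey)`, so the class's own `SecureRandom prng` field (declared a few lines below in this file) remains unused for DSA nonce generation. Either carry that comment over onto the new `initSign` line so the gap stays visible, or, if `prng` is guaranteed to be initialized before this request path runs, use `signature.initSign (privateKey, prng)`; I cannot see where `prng` is assigned, so the comment or a null guard is the safer change. The pre-existing `catch (CertificateException e)` below also discards the cause; `throw new SignatureException (sigAlg + " CertificateException", e);` would preserve it. The enclosing method's signature and remaining catch clauses lie outside this hunk.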
@@ -330,18 +293,6 @@
return req;
}
- private X500Signer getSigner (X500Name me)
- throws InvalidKeyException, NoSuchAlgorithmException
- {
- Signature signature = Signature.getInstance(sigAlg);
-
- // XXX should have a way to pass prng to the signature
- // algorithm ... appropriate for DSS/DSA, not RSA
-
- signature.initSign (privateKey);
- return new X500Signer (signature, me);
- }
-
private SecureRandom prng;
private String sigAlg;
private KeyPairGenerator keyGen;
--- a/jdk/src/share/classes/sun/security/x509/X500Signer.java Mon Dec 07 15:29:44 2009 +0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,115 +0,0 @@
-/*
- * Copyright 1996-2003 Sun Microsystems, Inc. All Rights Reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation. Sun designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Sun in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
- * CA 95054 USA or visit www.sun.com if you need additional information or
- * have any questions.
- */
-
-package sun.security.x509;
-
-import java.security.Signature;
-import java.security.SignatureException;
-import java.security.Signer;
-import java.security.NoSuchAlgorithmException;
-
-/**
- * This class provides a binding between a Signature object and an
- * authenticated X.500 name (from an X.509 certificate chain), which
- * is needed in many public key signing applications.
- *
- * <P>The name of the signer is important, both because knowing it is the
- * whole point of the signature, and because the associated X.509 certificate
- * is always used to verify the signature.
- *
- * <P><em>The X.509 certificate chain is temporarily not associated with
- * the signer, but this omission will be resolved.</em>
- *
- *
- * @author David Brownell
- * @author Amit Kapoor
- * @author Hemma Prafullchandra
- */
-public final class X500Signer extends Signer
-{
- private static final long serialVersionUID = -8609982645394364834L;
-
- /**
- * Called for each chunk of the data being signed. That
- * is, you can present the data in many chunks, so that
- * it doesn't need to be in a single sequential buffer.
- *
- * @param buf buffer holding the next chunk of the data to be signed
- * @param offset starting point of to-be-signed data
- * @param len how many bytes of data are to be signed
- * @exception SignatureException on errors.
- */
- public void update(byte buf[], int offset, int len)
- throws SignatureException {
- sig.update (buf, offset, len);
- }
-
- /**
- * Produces the signature for the data processed by update().
- *
- * @exception SignatureException on errors.
- */
- public byte[] sign() throws SignatureException {
- return sig.sign();
- }
-
- /**
- * Returns the algorithm used to sign.
- */
- public AlgorithmId getAlgorithmId() {
- return algid;
- }
-
- /**
- * Returns the name of the signing agent.
- */
- public X500Name getSigner() {
- return agent;
- }
-
- /*
- * Constructs a binding between a signature and an X500 name
- * from an X.509 certificate.
- */
- // package private ----hmmmmm ?????
- public X500Signer(Signature sig, X500Name agent) {
- if (sig == null || agent == null)
- throw new IllegalArgumentException ("null parameter");
-
- this.sig = sig;
- this.agent = agent;
-
- try {
- this.algid = AlgorithmId.getAlgorithmId(sig.getAlgorithm());
-
- } catch (NoSuchAlgorithmException e) {
- throw new RuntimeException("internal error! " + e.getMessage());
- }
- }
-
- private Signature sig;
- private X500Name agent; // XXX should be X509CertChain
- private AlgorithmId algid;
-}
--- a/jdk/src/share/classes/sun/security/x509/X509Cert.java Mon Dec 07 15:29:44 2009 +0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,892 +0,0 @@
-/*
- * Copyright 1997-2008 Sun Microsystems, Inc. All Rights Reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation. Sun designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Sun in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
- * CA 95054 USA or visit www.sun.com if you need additional information or
- * have any questions.
- */
-
-package sun.security.x509;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.io.ObjectInputStream;
-import java.io.ObjectOutputStream;
-import java.io.Serializable;
-import java.math.BigInteger;
-import java.security.*;
-import java.util.Date;
-import java.util.Enumeration;
-
-import sun.security.util.*; // DER
-
-/**
- * @author David Brownell
- *
- * @see CertAndKeyGen
- * @deprecated Use the new X509Certificate class.
- * This class is only restored for backwards compatibility.
- */
-@Deprecated
-public class X509Cert implements Certificate, Serializable {
-
- static final long serialVersionUID = -52595524744692374L;
-
- /*
- * NOTE: All fields are marked transient, because we do not want them to
- * be included in the class description when we serialize an object of
- * this class. We override "writeObject" and "readObject" to use the
- * ASN.1 encoding of a certificate as the serialized form, instead of
- * calling the default routines which would operate on the field values.
- *
- * MAKE SURE TO MARK ANY FIELDS THAT ARE ADDED IN THE FUTURE AS TRANSIENT.
- */
-
- /* The algorithm id */
- transient protected AlgorithmId algid;
-
- /*
- * Certificate data, and its envelope
- */
- transient private byte rawCert [];
- transient private byte signature [];
- transient private byte signedCert [];
-
- /*
- * X509.v1 data (parsed)
- */
- transient private X500Name subject; // from subject
- transient private PublicKey pubkey;
-
- transient private Date notafter; // from CA (constructor)
- transient private Date notbefore;
-
- transient private int version; // from CA (signAndEncode)
- transient private BigInteger serialnum;
- transient private X500Name issuer;
- transient private AlgorithmId issuerSigAlg;
-
- /*
- * flag to indicate whether or not this certificate has already been parsed
- * (through a call to one of the constructors or the "decode" or
- * "readObject" methods). This is to ensure that certificates are
- * immutable.
- */
- transient private boolean parsed=false;
-
- /*
- * X509.v2 extensions
- */
-
- /*
- * X509.v3 extensions
- */
-
- /*
- * Other extensions ... Netscape, Verisign, SET, etc
- */
-
-
- /**
- * Construct a uninitialized X509 Cert on which <a href="#decode">
- * decode</a> must later be called (or which may be deserialized).
- */
- // XXX deprecated, delete this
- public X509Cert() { }
-
-
- /**
- * Unmarshals a certificate from its encoded form, parsing the
- * encoded bytes. This form of constructor is used by agents which
- * need to examine and use certificate contents. That is, this is
- * one of the more commonly used constructors. Note that the buffer
- * must include only a certificate, and no "garbage" may be left at
- * the end. If you need to ignore data at the end of a certificate,
- * use another constructor.
- *
- * @param cert the encoded bytes, with no terminatu (CONSUMED)
- * @exception IOException when the certificate is improperly encoded.
- */
- public X509Cert(byte cert []) throws IOException
- {
- DerValue in = new DerValue (cert);
- parse (in);
- if (in.data.available () != 0)
- throw new CertParseError ("garbage at end");
- signedCert = cert;
- }
-
-
- /**
- * Unmarshals a certificate from its encoded form, parsing the
- * encoded bytes. This form of constructor is used by agents which
- * need to examine and use certificate contents. That is, this is
- * one of the most commonly used constructors.
- *
- * @param buf the buffer holding the encoded bytes
- * @param offset the offset in the buffer where the bytes begin
- * @param len how many bytes of certificate exist
- *
- * @exception IOException when the certificate is improperly encoded.
- */
- public X509Cert(byte buf [], int offset, int len) throws IOException
- {
- DerValue in = new DerValue (buf, offset, len);
-
- parse (in);
- if (in.data.available () != 0)
- throw new CertParseError ("garbage at end");
- signedCert = new byte [len];
- System.arraycopy (buf, offset, signedCert, 0, len);
- }
-
-
- /**
- * Unmarshal a certificate from its encoded form, parsing a DER value.
- * This form of constructor is used by agents which need to examine
- * and use certificate contents.
- *
- * @param derVal the der value containing the encoded cert.
- * @exception IOException when the certificate is improperly encoded.
- */
- public X509Cert(DerValue derVal) throws IOException
- {
- parse (derVal);
- if (derVal.data.available () != 0)
- throw new CertParseError ("garbage at end");
- signedCert = derVal.toByteArray ();
- }
-
-
- /**
- * Partially constructs a certificate from descriptive parameters.
- * This constructor may be used by Certificate Authority (CA) code,
- * which later <a href="#signAndEncode">signs and encodes</a> the
- * certificate. Also, self-signed certificates serve as CA certificates,
- * and are sometimes used as certificate requests.
- *
- * <P>Until the certificate has been signed and encoded, some of
- * the mandatory fields in the certificate will not be available
- * via accessor functions: the serial number, issuer name and signing
- * algorithm, and of course the signed certificate. The fields passed
- * to this constructor are available, and must be non-null.
- *
- * <P>Note that the public key being signed is generally independent of
- * the signature algorithm being used. So for example Diffie-Hellman
- * keys (which do not support signatures) can be placed in X.509
- * certificates when some other signature algorithm (e.g. DSS/DSA,
- * or one of the RSA based algorithms) is used.
- *
- * @see CertAndKeyGen
- *
- * @param subjectName the X.500 distinguished name being certified
- * @param subjectPublicKey the public key being certified. This
- * must be an "X509Key" implementing the "PublicKey" interface.
- * @param notBefore the first time the certificate is valid
- * @param notAfter the last time the certificate is valid
- *
- * @exception CertException if the public key is inappropriate
- */
- public X509Cert(X500Name subjectName, X509Key subjectPublicKey,
- Date notBefore, Date notAfter) throws CertException
- {
- subject = subjectName;
-
- if (!(subjectPublicKey instanceof PublicKey))
- throw new CertException (CertException.err_INVALID_PUBLIC_KEY,
- "Doesn't implement PublicKey interface");
-
- // The X509 cert API requires X509 keys, else things break.
- pubkey = subjectPublicKey;
- notbefore = notBefore;
- notafter = notAfter;
- version = 0;
- }
-
-
- /**
- * Decode an X.509 certificate from an input stream.
- *
- * @param in an input stream holding at least one certificate
- * @exception IOException when the certificate is improperly encoded, or
- * if it has already been parsed.
- */
- public void decode(InputStream in) throws IOException
- {
- DerValue val = new DerValue(in);
- parse(val);
- signedCert = val.toByteArray();
- }
-
-
- /**
- * Appends the certificate to an output stream.
- *
- * @param out an input stream to which the certificate is appended.
- * @exception IOException when appending fails.
- */
- public void encode (OutputStream out) throws IOException
- { out.write (getSignedCert ()); }
-
-
- /**
- * Compares two certificates. This is false if the
- * certificates are not both X.509 certs, otherwise it
- * compares them as binary data.
- *
- * @param other the object being compared with this one
- * @return true iff the certificates are equivalent
- */
- public boolean equals (Object other)
- {
- if (other instanceof X509Cert)
- return equals ((X509Cert) other);
- else
- return false;
- }
-
-
- /**
- * Compares two certificates, returning false if any data
- * differs between the two.
- *
- * @param other the object being compared with this one
- * @return true iff the certificates are equivalent
- */
- public boolean equals (X509Cert src)
- {
- if (this == src)
- return true;
- if (signedCert == null || src.signedCert == null)
- return false;
- if (signedCert.length != src.signedCert.length)
- return false;
- for (int i = 0; i < signedCert.length; i++)
- if (signedCert [i] != src.signedCert [i])
- return false;
- return true;
- }
-
-
- /** Returns the "X.509" format identifier. */
- public String getFormat () // for Certificate
- { return "X.509"; }
-
-
- /** Returns <a href="#getIssuerName">getIssuerName</a> */
- public Principal getGuarantor () // for Certificate
- { return getIssuerName (); }
-
-
- /** Returns <a href="#getSubjectName">getSubjectName</a> */
- public Principal getPrincipal ()
- { return getSubjectName (); }
-
-
- /**
- * Throws an exception if the certificate is invalid because it is
- * now outside of the certificate's validity period, or because it
- * was not signed using the verification key provided. Successfully
- * verifying a certificate does <em>not</em> indicate that one should
- * trust the entity which it represents.
- *
- * <P><em>Note that since this class represents only a single X.509
- * certificate, it cannot know anything about the certificate chain
- * which is used to provide the verification key and to establish trust.
- * Other code must manage and use those cert chains.
- *
- * <P>For now, you must walk the cert chain being used to verify any
- * given cert. Start at the root, which is a self-signed certificate;
- * verify it using the key inside the certificate. Then use that to
- * verify the next certificate in the chain, issued by that CA. In
- * this manner, verify each certificate until you reach the particular
- * certificate you wish to verify. You should not use a certificate
- * if any of the verification operations for its certificate chain
- * were unsuccessful.
- * </em>
- *
- * @param issuerPublicKey the public key of the issuing CA
- * @exception CertException when the certificate is not valid.
- */
- public void verify (PublicKey issuerPublicKey)
- throws CertException
- {
- Date now = new Date ();
-
- if (now.before (notbefore))
- throw new CertException (CertException.verf_INVALID_NOTBEFORE);
- if (now.after (notafter))
- throw new CertException (CertException.verf_INVALID_EXPIRED);
- if (signedCert == null)
- throw new CertException (CertException.verf_INVALID_SIG,
- "?? certificate is not signed yet ??");
-
- //
- // Verify the signature ...
- //
- String algName = null;
-
- try {
- Signature sigVerf = null;
-
- algName = issuerSigAlg.getName();
- sigVerf = Signature.getInstance(algName);
- sigVerf.initVerify (issuerPublicKey);
- sigVerf.update (rawCert, 0, rawCert.length);
-
- if (!sigVerf.verify (signature)) {
- throw new CertException (CertException.verf_INVALID_SIG,
- "Signature ... by <" + issuer + "> for <" + subject + ">");
- }
-
- // Gag -- too many catch clauses, let most through.
-
- } catch (NoSuchAlgorithmException e) {
- throw new CertException (CertException.verf_INVALID_SIG,
- "Unsupported signature algorithm (" + algName + ")");
-
- } catch (InvalidKeyException e) {
- // e.printStackTrace();
- throw new CertException (CertException.err_INVALID_PUBLIC_KEY,
- "Algorithm (" + algName + ") rejected public key");
-
- } catch (SignatureException e) {
- throw new CertException (CertException.verf_INVALID_SIG,
- "Signature by <" + issuer + "> for <" + subject + ">");
- }
- }
-
-
- /**
- * Creates an X.509 certificate, and signs it using the issuer
- * passed (associating a signature algorithm and an X.500 name).
- * This operation is used to implement the certificate generation
- * functionality of a certificate authority.
- *
- * @see #getSignedCert
- * @see #getSigner
- * @see CertAndKeyGen
- *
- * @param serial the serial number of the certificate (non-null)
- * @param issuer the certificate issuer (CA) (non-null)
- * @return the signed certificate, as returned by getSignedCert
- *
- * @exception IOException if any of the data could not be encoded,
- * or when any mandatory data was omitted
- * @exception SignatureException on signing failures
- */
- public byte []
- encodeAndSign (
- BigInteger serial,
- X500Signer issuer
- ) throws IOException, SignatureException
- {
- rawCert = null;
-
- /*
- * Get the remaining cert parameters, and make sure we have enough.
- *
- * We deduce version based on what attribute data are available
- * For now, we have no attributes, so we always deduce X.509v1 !
- */
- version = 0;
- serialnum = serial;
- this.issuer = issuer.getSigner ();
- issuerSigAlg = issuer.getAlgorithmId ();
-
- if (subject == null || pubkey == null
- || notbefore == null || notafter == null)
- throw new IOException ("not enough cert parameters");
-
- /*
- * Encode the raw cert, create its signature and put it
- * into the envelope.
- */
- rawCert = DERencode ();
- signedCert = sign (issuer, rawCert);
- return signedCert;
- }
-
-
- /**
- * Returns an X500Signer that may be used to create signatures. Those
- * signature may in turn be verified using this certificate (or a
- * copy of it).
- *
- * <P><em><b>NOTE:</b> If the private key is by itself capable of
- * creating signatures, this fact may not be recognized at this time.
- * Specifically, the case of DSS/DSA keys which get their algorithm
- * parameters from higher in the certificate chain is not supportable
- * without using an X509CertChain API, and there is no current support
- * for other sources of algorithm parameters.</em>
- *
- * @param algorithm the signature algorithm to be used. Note that a
- * given public/private key pair may support several such algorithms.
- * @param privateKey the private key used to create the signature,
- * which must correspond to the public key in this certificate
- * @return the Signer object
- *
- * @exception NoSuchAlgorithmException if the signature
- * algorithm is not supported
- * @exception InvalidKeyException if either the key in the certificate,
- * or the private key parameter, does not support the requested
- * signature algorithm
- */
- public X500Signer getSigner (AlgorithmId algorithmId,
- PrivateKey privateKey)
- throws NoSuchAlgorithmException, InvalidKeyException
- {
- String algorithm;
- Signature sig;
-
- if (privateKey instanceof Key) {
- Key key = (Key)privateKey;
- algorithm = key.getAlgorithm();
- } else {
- throw new InvalidKeyException("private key not a key!");
- }
-
- sig = Signature.getInstance(algorithmId.getName());
-
- if (!pubkey.getAlgorithm ().equals (algorithm)) {
-
- throw new InvalidKeyException( "Private key algorithm " +
- algorithm +
- " incompatible with certificate " +
- pubkey.getAlgorithm());
- }
- sig.initSign (privateKey);
- return new X500Signer (sig, subject);
- }
-
-
- /**
- * Returns a signature object that may be used to verify signatures
- * created using a specified signature algorithm and the public key
- * contained in this certificate.
- *
- * <P><em><b>NOTE:</b> If the public key in this certificate is not by
- * itself capable of verifying signatures, this may not be recognized
- * at this time. Specifically, the case of DSS/DSA keys which get
- * their algorithm parameters from higher in the certificate chain
- * is not supportable without using an X509CertChain API, and there
- * is no current support for other sources of algorithm parameters.</em>
- *
- * @param algorithm the algorithm of the signature to be verified
- * @return the Signature object
- * @exception NoSuchAlgorithmException if the signature
- * algorithm is not supported
- * @exception InvalidKeyException if the key in the certificate
- * does not support the requested signature algorithm
- */
- public Signature getVerifier(String algorithm)
- throws NoSuchAlgorithmException, InvalidKeyException
- {
- String algName;
- Signature sig;
-
- sig = Signature.getInstance(algorithm);
- sig.initVerify (pubkey);
- return sig;
- }
-
-
-
- /**
- * Return the signed X.509 certificate as a byte array.
- * The bytes are in standard DER marshaled form.
- * Null is returned in the case of a partially constructed cert.
- */
- public byte [] getSignedCert ()
- { return signedCert.clone(); }
-
-
- /**
- * Returns the certificate's serial number.
- * Null is returned in the case of a partially constructed cert.
- */
- public BigInteger getSerialNumber ()
- { return serialnum; }
-
-
- /**
- * Returns the subject's X.500 distinguished name.
- */
- public X500Name getSubjectName ()
- { return subject; }
-
-
- /**
- * Returns the certificate issuer's X.500 distinguished name.
- * Null is returned in the case of a partially constructed cert.
- */
- public X500Name getIssuerName ()
- { return issuer; }
-
-
- /**
- * Returns the algorithm used by the issuer to sign the certificate.
- * Null is returned in the case of a partially constructed cert.
- */
- public AlgorithmId getIssuerAlgorithmId ()
- { return issuerSigAlg; }
-
-
- /**
- * Returns the first time the certificate is valid.
- */
- public Date getNotBefore ()
- { return new Date(notbefore.getTime()); }
-
-
- /**
- * Returns the last time the certificate is valid.
- */
- public Date getNotAfter ()
- { return new Date(notafter.getTime()); }
-
-
- /**
- * Returns the subject's public key. Note that some public key
- * algorithms support an optional certificate generation policy
- * where the keys in the certificates are not in themselves sufficient
- * to perform a public key operation. Those keys need to be augmented
- * by algorithm parameters, which the certificate generation policy
- * chose not to place in the certificate.
- *
- * <P>Two such public key algorithms are: DSS/DSA, where algorithm
- * parameters could be acquired from a CA certificate in the chain
- * of issuers; and Diffie-Hellman, with a similar solution although
- * the CA then needs both a Diffie-Hellman certificate and a signature
- * capable certificate.
- */
- public PublicKey getPublicKey ()
- { return pubkey; }
-
-
- /**
- * Returns the X.509 version number of this certificate, zero based.
- * That is, "2" indicates an X.509 version 3 (1993) certificate,
- * and "0" indicates X.509v1 (1988).
- * Zero is returned in the case of a partially constructed cert.
- */
- public int getVersion ()
- { return version; }
-
-
- /**
- * Calculates a hash code value for the object. Objects
- * which are equal will also have the same hashcode.
- */
- public int hashCode ()
- {
- int retval = 0;
-
- for (int i = 0; i < signedCert.length; i++)
- retval += signedCert [i] * i;
- return retval;
- }
-
-
- /**
- * Returns a printable representation of the certificate. This does not
- * contain all the information available to distinguish this from any
- * other certificate. The certificate must be fully constructed
- * before this function may be called; in particular, if you are
- * creating certificates you must call encodeAndSign() before calling
- * this function.
- */
- public String toString ()
- {
- String s;
-
- if (subject == null || pubkey == null
- || notbefore == null || notafter == null
- || issuer == null || issuerSigAlg == null
- || serialnum == null)
- throw new NullPointerException ("X.509 cert is incomplete");
-
- s = " X.509v" + (version + 1) + " certificate,\n";
- s += " Subject is " + subject + "\n";
- s += " Key: " + pubkey;
- s += " Validity <" + notbefore + "> until <" + notafter + ">\n";
- s += " Issuer is " + issuer + "\n";
- s += " Issuer signature used " + issuerSigAlg.toString () + "\n";
- s += " Serial number = " + Debug.toHexString(serialnum) + "\n";
-
- // optional v2, v3 extras
-
- return "[\n" + s + "]";
- }
-
-
- /**
- * Returns a printable representation of the certificate.
- *
- * @param detailed true iff lots of detail is requested
- */
- public String toString (boolean detailed)
- { return toString (); }
-
-
- /************************************************************/
-
- /*
- * Cert is a SIGNED ASN.1 macro, a three elment sequence:
- *
- * - Data to be signed (ToBeSigned) -- the "raw" cert
- * - Signature algorithm (SigAlgId)
- * - The signature bits
- *
- * This routine unmarshals the certificate, saving the signature
- * parts away for later verification.
- */
- private void parse (DerValue val) throws IOException
- {
- if (parsed == true) {
- throw new IOException("Certificate already parsed");
- }
-
- DerValue seq [] = new DerValue [3];
-
- seq [0] = val.data.getDerValue ();
- seq [1] = val.data.getDerValue ();
- seq [2] = val.data.getDerValue ();
-
- if (val.data.available () != 0)
- throw new CertParseError ("signed overrun, bytes = "
- + val.data.available ());
- if (seq [0].tag != DerValue.tag_Sequence)
- throw new CertParseError ("signed fields invalid");
-
- rawCert = seq [0].toByteArray (); // XXX slow; fixme!
-
-
- issuerSigAlg = AlgorithmId.parse (seq [1]);
- signature = seq [2].getBitString ();
-
- if (seq [1].data.available () != 0) {
- // XXX why was this error check commented out?
- // It was originally part of the next check.
- throw new CertParseError ("algid field overrun");
- }
-
- if (seq [2].data.available () != 0)
- throw new CertParseError ("signed fields overrun");
-
- /*
- * Let's have fun parsing the cert itself.
- */
- DerInputStream in;
- DerValue tmp;
-
- in = seq [0].data;
-
- /*
- * Version -- this is optional (default zero). If it's there it's
- * the first field and is specially tagged.
- *
- * Both branches leave "tmp" holding a value for the serial
- * number that comes next.
- */
- version = 0;
- tmp = in.getDerValue ();
- if (tmp.isConstructed () && tmp.isContextSpecific ()) {
- version = tmp.data.getInteger();
- if (tmp.data.available () != 0)
- throw new IOException ("X.509 version, bad format");
- tmp = in.getDerValue ();
- }
-
- /*
- * serial number ... an integer
- */
- serialnum = tmp.getBigInteger ();
-
- /*
- * algorithm type for CA's signature ... needs to match the
- * one on the envelope, and that's about it! different IDs
- * may represent a signature attack. In general we want to
- * inherit parameters.
- */
- tmp = in.getDerValue ();
- {
- AlgorithmId algid;
-
-
- algid = AlgorithmId.parse(tmp);
-
- if (!algid.equals (issuerSigAlg))
- throw new CertParseError ("CA Algorithm mismatch!");
-
- this.algid = algid;
- }
-
- /*
- * issuer name
- */
- issuer = new X500Name (in);
-
- /*
- * validity: SEQUENCE { start date, end date }
- */
- tmp = in.getDerValue ();
- if (tmp.tag != DerValue.tag_Sequence)
- throw new CertParseError ("corrupt validity field");
-
- notbefore = tmp.data.getUTCTime ();
- notafter = tmp.data.getUTCTime ();
- if (tmp.data.available () != 0)
- throw new CertParseError ("excess validity data");
-
- /*
- * subject name and public key
- */
- subject = new X500Name (in);
-
- tmp = in.getDerValue ();
- pubkey = X509Key.parse (tmp);
-
- /*
- * XXX for v2 and later, a bunch of tagged options follow
- */
-
- if (in.available () != 0) {
- /*
- * Until we parse V2/V3 data ... ignore it.
- *
- // throw new CertParseError ("excess cert data");
- System.out.println (
- "@end'o'cert, optional V2/V3 data unparsed: "
- + in.available ()
- + " bytes"
- );
- */
- }
-
- parsed = true;
- }
-
-
- /*
- * Encode only the parts that will later be signed.
- */
- private byte [] DERencode () throws IOException
- {
- DerOutputStream raw = new DerOutputStream ();
-
- encode (raw);
- return raw.toByteArray ();
- }
-
-
- /*
- * Marshal the contents of a "raw" certificate into a DER sequence.
- */
- private void encode (DerOutputStream out) throws IOException
- {
- DerOutputStream tmp = new DerOutputStream ();
-
- /*
- * encode serial number, issuer signing algorithm,
- * and issuer name into the data we'll return
- */
- tmp.putInteger (serialnum);
- issuerSigAlg.encode (tmp);
- issuer.encode (tmp);
-
- /*
- * Validity is a two element sequence ... encode the
- * elements, then wrap them into the data we'll return
- */
- {
- DerOutputStream seq = new DerOutputStream ();
-
- seq.putUTCTime (notbefore);
- seq.putUTCTime (notafter);
- tmp.write (DerValue.tag_Sequence, seq);
- }
-
- /*
- * Encode subject (principal) and associated key
- */
- subject.encode (tmp);
- tmp.write(pubkey.getEncoded());
-
- /*
- * Wrap the data; encoding of the "raw" cert is now complete.
- */
- out.write (DerValue.tag_Sequence, tmp);
- }
-
-
- /*
- * Calculate the signature of the "raw" certificate,
- * and marshal the cert with the signature and a
- * description of the signing algorithm.
- */
- private byte [] sign (X500Signer issuer, byte data [])
- throws IOException, SignatureException
- {
- /*
- * Encode the to-be-signed data, then the algorithm used
- * to create the signature.
- */
- DerOutputStream out = new DerOutputStream ();
- DerOutputStream tmp = new DerOutputStream ();
-
- tmp.write (data);
- issuer.getAlgorithmId ().encode(tmp);
-
-
- /*
- * Create and encode the signature itself.
- */
- issuer.update (data, 0, data.length);
- signature = issuer.sign ();
- tmp.putBitString (signature);
-
- /*
- * Wrap the signed data in a SEQUENCE { data, algorithm, sig }
- */
- out.write (DerValue.tag_Sequence, tmp);
- return out.toByteArray ();
- }
-
-
- /**
- * Serialization write ... X.509 certificates serialize as
- * themselves, and they're parsed when they get read back.
- * (Actually they serialize as some type data from the
- * serialization subsystem, then the cert data.)
- */
- private void writeObject (java.io.ObjectOutputStream stream)
- throws IOException
- { encode(stream); }
-
- /**
- * Serialization read ... X.509 certificates serialize as
- * themselves, and they're parsed when they get read back.
- */
- private void readObject (ObjectInputStream stream)
- throws IOException
- { decode(stream); }
-}
--- a/jdk/src/share/classes/sun/tools/jar/JarVerifierStream.java Mon Dec 07 15:29:44 2009 +0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,295 +0,0 @@
-/*
- * Copyright 1996-2008 Sun Microsystems, Inc. All Rights Reserved.
- * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
- *
- * This code is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License version 2 only, as
- * published by the Free Software Foundation. Sun designates this
- * particular file as subject to the "Classpath" exception as provided
- * by Sun in the LICENSE file that accompanied this code.
- *
- * This code is distributed in the hope that it will be useful, but WITHOUT
- * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
- * version 2 for more details (a copy is included in the LICENSE file that
- * accompanied this code).
- *
- * You should have received a copy of the GNU General Public License version
- * 2 along with this work; if not, write to the Free Software Foundation,
- * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
- *
- * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
- * CA 95054 USA or visit www.sun.com if you need additional information or
- * have any questions.
- */
-
-package sun.tools.jar;
-
-import java.io.*;
-import java.util.*;
-import java.util.zip.*;
-import java.util.jar.*;
-import java.security.cert.Certificate;
-import java.security.AccessController;
-import java.security.cert.X509Certificate;
-import java.security.PublicKey;
-import java.security.Principal;
-import sun.security.provider.SystemIdentity;
-
-/**
- * This is OBSOLETE. DO NOT USE THIS. Use
- * java.util.jar.JarEntry.getCertificates instead. It has to stay here
- * because some apps (namely HJ and HJV) call directly into it.
- *
- * This class is stripped down greatly from JDK 1.1.x.
- *
- * @author Roland Schemers
- */
-public class JarVerifierStream extends ZipInputStream {
-
- private JarEntry current;
- private Hashtable<String, Vector<SystemIdentity>> verified
- = new Hashtable<String, Vector<SystemIdentity>>();
- private JarInputStream jis;
- private sun.tools.jar.Manifest man = null;
-
- /**
- * construct a JarVerfierStream from an input stream.
- */
- public JarVerifierStream(InputStream is)
- throws IOException
- {
- super(is);
- jis = new JarInputStream(is);
- }
-
- public void close()
- throws IOException
- {
- jis.close();
- }
-
- public void closeEntry() throws IOException {
- jis.closeEntry();
- }
-
- /**
- * This method scans to see which entry we're parsing and
- * keeps various state information depending on what type of
- * file is being parsed. Files it treats specially are: <ul>
- *
- * <li>Manifest files. At any point, this stream can be queried
- * for a manifest. If it is present, a Manifest object will be
- * returned.
- *
- * <li>Block Signature file. Like with the manifest, the stream
- * can be queried at any time for all blocks parsed thus far.
- *
- * </ul>
- */
- public synchronized ZipEntry getNextEntry() throws IOException {
- current = (JarEntry) jis.getNextEntry();
- return current;
- }
-
- /**
- * read a single byte.
- */
- public int read() throws IOException {
- int n = jis.read();
- if (n == -1) {
- addIds();
- }
- return n;
- }
-
- /**
- * read an array of bytes.
- */
- public int read(byte[] b, int off, int len) throws IOException {
- int n = jis.read(b, off, len);
- if (n == -1) {
- addIds();
- }
- return n;
- }
-
- private void addIds()
- {
-
- if (current != null) {
- Certificate[] certs = current.getCertificates();
- if (certs != null) {
- Vector<SystemIdentity> ids = getIds(certs);
- if (ids != null) {
- verified.put(current.getName(), ids);
- }
- }
- }
- }
-
- /**
- * Returns a Hashtable mapping filenames to vectors of identities.
- */
- public Hashtable getVerifiedSignatures() {
- /* we may want to return a copy of this at some point.
- For now we simply trust the caller */
- if (verified.isEmpty())
- return null;
- else
- return verified;
- }
-
- /**
- * Returns an enumeration of PKCS7 blocks. This looks bogus,
- * but Hotjava just checks to see if enumeration is not null
- * to see if anything was signed!
- */
- public Enumeration getBlocks() {
- if (verified.isEmpty()) {
- return null;
- } else {
- return new Enumeration() {
- public boolean hasMoreElements() { return false; }
- public Object nextElement() { return null; }
- };
- }
- }
-
- /**
- * This method used to be called by various versions of
- * AppletResourceLoader, even though they didn't do anything with
- * the result. We leave them and return null for backwards compatability.
- */
- public Hashtable getNameToHash() {
- return null;
- }
-
- /**
- * Convert java.util.jar.Manifest object to a sun.tools.jar.Manifest
- * object.
- */
-
- public sun.tools.jar.Manifest getManifest() {
- if (man == null) {
- try {
- java.util.jar.Manifest jman = jis.getManifest();
- if (jman == null)
- return null;
- ByteArrayOutputStream baos = new ByteArrayOutputStream();
- jman.write(baos);
- byte[] data = baos.toByteArray();
- man = new sun.tools.jar.Manifest(data);
- } catch (IOException ioe) {
- // return null
- }
- }
- return man;
- }
-
- static class CertCache {
- Certificate [] certs;
- Vector<SystemIdentity> ids;
-
- boolean equals(Certificate[] certs) {
- if (this.certs == null) {
- if (certs!= null)
- return false;
- else
- return true;
- }
-
- if (certs == null)
- return false;
-
- boolean match;
-
- for (int i = 0; i < certs.length; i++) {
- match = false;
- for (int j = 0; j < this.certs.length; j++) {
- if (certs[i].equals(this.certs[j])) {
- match = true;
- break;
- }
- }
- if (!match) return false;
- }
-
- for (int i = 0; i < this.certs.length; i++) {
- match = false;
- for (int j = 0; j < certs.length; j++) {
- if (this.certs[i].equals(certs[j])) {
- match = true;
- break;
- }
- }
- if (!match) return false;
- }
- return true;
- }
- }
-
- private ArrayList<CertCache> certCache = null;
-
-
- /**
- * Returns the Identity vector for the given array of Certificates
- */
- protected Vector<SystemIdentity> getIds(Certificate[] certs) {
- if (certs == null)
- return null;
-
- if (certCache == null)
- certCache = new ArrayList<CertCache>();
- CertCache cc;
- for (int i = 0; i < certCache.size(); i++) {
- cc = certCache.get(i);
- if (cc.equals(certs)) {
- return cc.ids;
- }
- }
- cc = new CertCache();
- cc.certs = certs;
-
- if (certs.length > 0) {
- for (int i=0; i<certs.length; i++) {
- try {
- X509Certificate cert = (X509Certificate) certs[i];
- Principal tmpName = cert.getSubjectDN();
- final SystemIdentity id = new SystemIdentity(
- tmpName.getName(),
- null);
-
- byte[] encoded = cert.getEncoded();
- final java.security.Certificate oldC =
- new sun.security.x509.X509Cert(encoded);
- try {
- AccessController.doPrivileged(
- new java.security.PrivilegedExceptionAction<Void>() {
- public Void run()
- throws java.security.KeyManagementException
- {
- id.addCertificate(oldC);
- return null;
- }
- });
- } catch (java.security.PrivilegedActionException pae) {
- throw (java.security.KeyManagementException)
- pae.getException();
- }
- if (cc.ids == null)
- cc.ids = new Vector<SystemIdentity>();
- cc.ids.addElement(id);
- } catch (java.security.KeyManagementException kme) {
- // ignore if we can't create Identity
- } catch (IOException ioe) {
- // ignore if we can't parse
- } catch (java.security.cert.CertificateEncodingException cee) {
- // ignore if we can't encode
- }
- }
- }
- certCache.add(cc);
- return cc.ids;
- }
-}