--- a/jdk/src/share/classes/java/util/TreeMap.java Fri Mar 27 16:04:05 2009 +0000
+++ b/jdk/src/share/classes/java/util/TreeMap.java Mon Mar 30 19:22:27 2009 +0100
@@ -1068,14 +1068,14 @@
}
public NavigableSet<E> subSet(E fromElement, boolean fromInclusive,
E toElement, boolean toInclusive) {
- return new TreeSet<E>(m.subMap(fromElement, fromInclusive,
- toElement, toInclusive));
+ return new KeySet<E>(m.subMap(fromElement, fromInclusive,
+ toElement, toInclusive));
}
public NavigableSet<E> headSet(E toElement, boolean inclusive) {
- return new TreeSet<E>(m.headMap(toElement, inclusive));
+ return new KeySet<E>(m.headMap(toElement, inclusive));
}
public NavigableSet<E> tailSet(E fromElement, boolean inclusive) {
- return new TreeSet<E>(m.tailMap(fromElement, inclusive));
+ return new KeySet<E>(m.tailMap(fromElement, inclusive));
}
public SortedSet<E> subSet(E fromElement, E toElement) {
return subSet(fromElement, true, toElement, false);
@@ -1087,7 +1087,7 @@
return tailSet(fromElement, true);
}
public NavigableSet<E> descendingSet() {
- return new TreeSet(m.descendingMap());
+ return new KeySet(m.descendingMap());
}
}
--- a/jdk/src/share/classes/java/util/concurrent/ConcurrentSkipListMap.java Fri Mar 27 16:04:05 2009 +0000
+++ b/jdk/src/share/classes/java/util/concurrent/ConcurrentSkipListMap.java Mon Mar 30 19:22:27 2009 +0100
@@ -2394,15 +2394,14 @@
boolean fromInclusive,
E toElement,
boolean toInclusive) {
- return new ConcurrentSkipListSet<E>
- (m.subMap(fromElement, fromInclusive,
- toElement, toInclusive));
+ return new KeySet<E>(m.subMap(fromElement, fromInclusive,
+ toElement, toInclusive));
}
public NavigableSet<E> headSet(E toElement, boolean inclusive) {
- return new ConcurrentSkipListSet<E>(m.headMap(toElement, inclusive));
+ return new KeySet<E>(m.headMap(toElement, inclusive));
}
public NavigableSet<E> tailSet(E fromElement, boolean inclusive) {
- return new ConcurrentSkipListSet<E>(m.tailMap(fromElement, inclusive));
+ return new KeySet<E>(m.tailMap(fromElement, inclusive));
}
public NavigableSet<E> subSet(E fromElement, E toElement) {
return subSet(fromElement, true, toElement, false);
@@ -2414,7 +2413,7 @@
return tailSet(fromElement, true);
}
public NavigableSet<E> descendingSet() {
- return new ConcurrentSkipListSet(m.descendingMap());
+ return new KeySet(m.descendingMap());
}
}
--- a/jdk/src/share/classes/java/util/concurrent/locks/AbstractQueuedLongSynchronizer.java Fri Mar 27 16:04:05 2009 +0000
+++ b/jdk/src/share/classes/java/util/concurrent/locks/AbstractQueuedLongSynchronizer.java Mon Mar 30 19:22:27 2009 +0100
@@ -166,6 +166,11 @@
static final int SIGNAL = -1;
/** waitStatus value to indicate thread is waiting on condition */
static final int CONDITION = -2;
+ /**
+ * waitStatus value to indicate the next acquireShared should
+ * unconditionally propagate
+ */
+ static final int PROPAGATE = -3;
/**
* Status field, taking on only the values:
@@ -180,10 +185,16 @@
* Nodes never leave this state. In particular,
* a thread with cancelled node never again blocks.
* CONDITION: This node is currently on a condition queue.
- * It will not be used as a sync queue node until
- * transferred. (Use of this value here
- * has nothing to do with the other uses
- * of the field, but simplifies mechanics.)
+ * It will not be used as a sync queue node
+ * until transferred, at which time the status
+ * will be set to 0. (Use of this value here has
+ * nothing to do with the other uses of the
+ * field, but simplifies mechanics.)
+ * PROPAGATE: A releaseShared should be propagated to other
+ * nodes. This is set (for head node only) in
+ * doReleaseShared to ensure propagation
+ * continues, even if other operations have
+ * since intervened.
* 0: None of the above
*
* The values are arranged numerically to simplify use.
@@ -403,10 +414,13 @@
*/
private void unparkSuccessor(Node node) {
/*
- * Try to clear status in anticipation of signalling. It is
- * OK if this fails or if status is changed by waiting thread.
+ * If status is negative (i.e., possibly needing signal) try
+ * to clear in anticipation of signalling. It is OK if this
+ * fails or if status is changed by waiting thread.
*/
- compareAndSetWaitStatus(node, Node.SIGNAL, 0);
+ int ws = node.waitStatus;
+ if (ws < 0)
+ compareAndSetWaitStatus(node, ws, 0);
/*
* Thread to unpark is held in successor, which is normally
@@ -426,23 +440,70 @@
}
/**
+ * Release action for shared mode -- signal successor and ensure
+ * propagation. (Note: For exclusive mode, release just amounts
+ * to calling unparkSuccessor of head if it needs signal.)
+ */
+ private void doReleaseShared() {
+ /*
+ * Ensure that a release propagates, even if there are other
+ * in-progress acquires/releases. This proceeds in the usual
+ * way of trying to unparkSuccessor of head if it needs
+ * signal. But if it does not, status is set to PROPAGATE to
+ * ensure that upon release, propagation continues.
+ * Additionally, we must loop in case a new node is added
+ * while we are doing this. Also, unlike other uses of
+ * unparkSuccessor, we need to know if CAS to reset status
+ * fails, if so rechecking.
+ */
+ for (;;) {
+ Node h = head;
+ if (h != null && h != tail) {
+ int ws = h.waitStatus;
+ if (ws == Node.SIGNAL) {
+ if (!compareAndSetWaitStatus(h, Node.SIGNAL, 0))
+ continue; // loop to recheck cases
+ unparkSuccessor(h);
+ }
+ else if (ws == 0 &&
+ !compareAndSetWaitStatus(h, 0, Node.PROPAGATE))
+ continue; // loop on failed CAS
+ }
+ if (h == head) // loop if head changed
+ break;
+ }
+ }
+
+ /**
* Sets head of queue, and checks if successor may be waiting
- * in shared mode, if so propagating if propagate > 0.
+ * in shared mode, if so propagating if either propagate > 0 or
+ * PROPAGATE status was set.
*
- * @param pred the node holding waitStatus for node
* @param node the node
* @param propagate the return value from a tryAcquireShared
*/
private void setHeadAndPropagate(Node node, long propagate) {
+ Node h = head; // Record old head for check below
setHead(node);
- if (propagate > 0 && node.waitStatus != 0) {
- /*
- * Don't bother fully figuring out successor. If it
- * looks null, call unparkSuccessor anyway to be safe.
- */
+ /*
+ * Try to signal next queued node if:
+ * Propagation was indicated by caller,
+ * or was recorded (as h.waitStatus) by a previous operation
+ * (note: this uses sign-check of waitStatus because
+ * PROPAGATE status may transition to SIGNAL.)
+ * and
+ * The next node is waiting in shared mode,
+ * or we don't know, because it appears null
+ *
+ * The conservatism in both of these checks may cause
+ * unnecessary wake-ups, but only when there are multiple
+ * racing acquires/releases, so most need signals now or soon
+ * anyway.
+ */
+ if (propagate > 0 || h == null || h.waitStatus < 0) {
Node s = node.next;
if (s == null || s.isShared())
- unparkSuccessor(node);
+ doReleaseShared();
}
}
@@ -465,23 +526,27 @@
while (pred.waitStatus > 0)
node.prev = pred = pred.prev;
- // Getting this before setting waitStatus ensures staleness
+ // predNext is the apparent node to unsplice. CASes below will
+ // fail if not, in which case, we lost race vs another cancel
+ // or signal, so no further action is necessary.
Node predNext = pred.next;
- // Can use unconditional write instead of CAS here
+ // Can use unconditional write instead of CAS here.
+ // After this atomic step, other Nodes can skip past us.
+ // Before, we are free of interference from other threads.
node.waitStatus = Node.CANCELLED;
- // If we are the tail, remove ourselves
+ // If we are the tail, remove ourselves.
if (node == tail && compareAndSetTail(node, pred)) {
compareAndSetNext(pred, predNext, null);
} else {
- // If "active" predecessor found...
- if (pred != head
- && (pred.waitStatus == Node.SIGNAL
- || compareAndSetWaitStatus(pred, 0, Node.SIGNAL))
- && pred.thread != null) {
-
- // If successor is active, set predecessor's next link
+ // If successor needs signal, try to set pred's next-link
+ // so it will get one. Otherwise wake it up to propagate.
+ int ws;
+ if (pred != head &&
+ ((ws = pred.waitStatus) == Node.SIGNAL ||
+ (ws <= 0 && compareAndSetWaitStatus(pred, ws, Node.SIGNAL))) &&
+ pred.thread != null) {
Node next = node.next;
if (next != null && next.waitStatus <= 0)
compareAndSetNext(pred, predNext, next);
@@ -503,14 +568,14 @@
* @return {@code true} if thread should block
*/
private static boolean shouldParkAfterFailedAcquire(Node pred, Node node) {
- int s = pred.waitStatus;
- if (s < 0)
+ int ws = pred.waitStatus;
+ if (ws == Node.SIGNAL)
/*
* This node has already set status asking a release
* to signal it, so it can safely park.
*/
return true;
- if (s > 0) {
+ if (ws > 0) {
/*
* Predecessor was cancelled. Skip over predecessors and
* indicate retry.
@@ -519,14 +584,14 @@
node.prev = pred = pred.prev;
} while (pred.waitStatus > 0);
pred.next = node;
- }
- else
+ } else {
/*
- * Indicate that we need a signal, but don't park yet. Caller
- * will need to retry to make sure it cannot acquire before
- * parking.
+ * waitStatus must be 0 or PROPAGATE. Indicate that we
+ * need a signal, but don't park yet. Caller will need to
+ * retry to make sure it cannot acquire before parking.
*/
- compareAndSetWaitStatus(pred, 0, Node.SIGNAL);
+ compareAndSetWaitStatus(pred, ws, Node.SIGNAL);
+ }
return false;
}
@@ -1046,9 +1111,7 @@
*/
public final boolean releaseShared(long arg) {
if (tryReleaseShared(arg)) {
- Node h = head;
- if (h != null && h.waitStatus != 0)
- unparkSuccessor(h);
+ doReleaseShared();
return true;
}
return false;
@@ -1390,8 +1453,8 @@
* case the waitStatus can be transiently and harmlessly wrong).
*/
Node p = enq(node);
- int c = p.waitStatus;
- if (c > 0 || !compareAndSetWaitStatus(p, c, Node.SIGNAL))
+ int ws = p.waitStatus;
+ if (ws > 0 || !compareAndSetWaitStatus(p, ws, Node.SIGNAL))
LockSupport.unpark(node.thread);
return true;
}
--- a/jdk/src/share/classes/java/util/concurrent/locks/AbstractQueuedSynchronizer.java Fri Mar 27 16:04:05 2009 +0000
+++ b/jdk/src/share/classes/java/util/concurrent/locks/AbstractQueuedSynchronizer.java Mon Mar 30 19:22:27 2009 +0100
@@ -389,6 +389,11 @@
static final int SIGNAL = -1;
/** waitStatus value to indicate thread is waiting on condition */
static final int CONDITION = -2;
+ /**
+ * waitStatus value to indicate the next acquireShared should
+ * unconditionally propagate
+ */
+ static final int PROPAGATE = -3;
/**
* Status field, taking on only the values:
@@ -403,10 +408,16 @@
* Nodes never leave this state. In particular,
* a thread with cancelled node never again blocks.
* CONDITION: This node is currently on a condition queue.
- * It will not be used as a sync queue node until
- * transferred. (Use of this value here
- * has nothing to do with the other uses
- * of the field, but simplifies mechanics.)
+ * It will not be used as a sync queue node
+ * until transferred, at which time the status
+ * will be set to 0. (Use of this value here has
+ * nothing to do with the other uses of the
+ * field, but simplifies mechanics.)
+ * PROPAGATE: A releaseShared should be propagated to other
+ * nodes. This is set (for head node only) in
+ * doReleaseShared to ensure propagation
+ * continues, even if other operations have
+ * since intervened.
* 0: None of the above
*
* The values are arranged numerically to simplify use.
@@ -626,10 +637,13 @@
*/
private void unparkSuccessor(Node node) {
/*
- * Try to clear status in anticipation of signalling. It is
- * OK if this fails or if status is changed by waiting thread.
+ * If status is negative (i.e., possibly needing signal) try
+ * to clear in anticipation of signalling. It is OK if this
+ * fails or if status is changed by waiting thread.
*/
- compareAndSetWaitStatus(node, Node.SIGNAL, 0);
+ int ws = node.waitStatus;
+ if (ws < 0)
+ compareAndSetWaitStatus(node, ws, 0);
/*
* Thread to unpark is held in successor, which is normally
@@ -649,23 +663,70 @@
}
/**
+ * Release action for shared mode -- signal successor and ensure
+ * propagation. (Note: For exclusive mode, release just amounts
+ * to calling unparkSuccessor of head if it needs signal.)
+ */
+ private void doReleaseShared() {
+ /*
+ * Ensure that a release propagates, even if there are other
+ * in-progress acquires/releases. This proceeds in the usual
+ * way of trying to unparkSuccessor of head if it needs
+ * signal. But if it does not, status is set to PROPAGATE to
+ * ensure that upon release, propagation continues.
+ * Additionally, we must loop in case a new node is added
+ * while we are doing this. Also, unlike other uses of
+ * unparkSuccessor, we need to know if CAS to reset status
+ * fails, if so rechecking.
+ */
+ for (;;) {
+ Node h = head;
+ if (h != null && h != tail) {
+ int ws = h.waitStatus;
+ if (ws == Node.SIGNAL) {
+ if (!compareAndSetWaitStatus(h, Node.SIGNAL, 0))
+ continue; // loop to recheck cases
+ unparkSuccessor(h);
+ }
+ else if (ws == 0 &&
+ !compareAndSetWaitStatus(h, 0, Node.PROPAGATE))
+ continue; // loop on failed CAS
+ }
+ if (h == head) // loop if head changed
+ break;
+ }
+ }
+
+ /**
* Sets head of queue, and checks if successor may be waiting
- * in shared mode, if so propagating if propagate > 0.
+ * in shared mode, if so propagating if either propagate > 0 or
+ * PROPAGATE status was set.
*
- * @param pred the node holding waitStatus for node
* @param node the node
* @param propagate the return value from a tryAcquireShared
*/
private void setHeadAndPropagate(Node node, int propagate) {
+ Node h = head; // Record old head for check below
setHead(node);
- if (propagate > 0 && node.waitStatus != 0) {
- /*
- * Don't bother fully figuring out successor. If it
- * looks null, call unparkSuccessor anyway to be safe.
- */
+ /*
+ * Try to signal next queued node if:
+ * Propagation was indicated by caller,
+ * or was recorded (as h.waitStatus) by a previous operation
+ * (note: this uses sign-check of waitStatus because
+ * PROPAGATE status may transition to SIGNAL.)
+ * and
+ * The next node is waiting in shared mode,
+ * or we don't know, because it appears null
+ *
+ * The conservatism in both of these checks may cause
+ * unnecessary wake-ups, but only when there are multiple
+ * racing acquires/releases, so most need signals now or soon
+ * anyway.
+ */
+ if (propagate > 0 || h == null || h.waitStatus < 0) {
Node s = node.next;
if (s == null || s.isShared())
- unparkSuccessor(node);
+ doReleaseShared();
}
}
@@ -688,23 +749,27 @@
while (pred.waitStatus > 0)
node.prev = pred = pred.prev;
- // Getting this before setting waitStatus ensures staleness
+ // predNext is the apparent node to unsplice. CASes below will
+ // fail if not, in which case, we lost race vs another cancel
+ // or signal, so no further action is necessary.
Node predNext = pred.next;
- // Can use unconditional write instead of CAS here
+ // Can use unconditional write instead of CAS here.
+ // After this atomic step, other Nodes can skip past us.
+ // Before, we are free of interference from other threads.
node.waitStatus = Node.CANCELLED;
- // If we are the tail, remove ourselves
+ // If we are the tail, remove ourselves.
if (node == tail && compareAndSetTail(node, pred)) {
compareAndSetNext(pred, predNext, null);
} else {
- // If "active" predecessor found...
- if (pred != head
- && (pred.waitStatus == Node.SIGNAL
- || compareAndSetWaitStatus(pred, 0, Node.SIGNAL))
- && pred.thread != null) {
-
- // If successor is active, set predecessor's next link
+ // If successor needs signal, try to set pred's next-link
+ // so it will get one. Otherwise wake it up to propagate.
+ int ws;
+ if (pred != head &&
+ ((ws = pred.waitStatus) == Node.SIGNAL ||
+ (ws <= 0 && compareAndSetWaitStatus(pred, ws, Node.SIGNAL))) &&
+ pred.thread != null) {
Node next = node.next;
if (next != null && next.waitStatus <= 0)
compareAndSetNext(pred, predNext, next);
@@ -726,14 +791,14 @@
* @return {@code true} if thread should block
*/
private static boolean shouldParkAfterFailedAcquire(Node pred, Node node) {
- int s = pred.waitStatus;
- if (s < 0)
+ int ws = pred.waitStatus;
+ if (ws == Node.SIGNAL)
/*
* This node has already set status asking a release
* to signal it, so it can safely park.
*/
return true;
- if (s > 0) {
+ if (ws > 0) {
/*
* Predecessor was cancelled. Skip over predecessors and
* indicate retry.
@@ -742,14 +807,14 @@
node.prev = pred = pred.prev;
} while (pred.waitStatus > 0);
pred.next = node;
- }
- else
+ } else {
/*
- * Indicate that we need a signal, but don't park yet. Caller
- * will need to retry to make sure it cannot acquire before
- * parking.
+ * waitStatus must be 0 or PROPAGATE. Indicate that we
+ * need a signal, but don't park yet. Caller will need to
+ * retry to make sure it cannot acquire before parking.
*/
- compareAndSetWaitStatus(pred, 0, Node.SIGNAL);
+ compareAndSetWaitStatus(pred, ws, Node.SIGNAL);
+ }
return false;
}
@@ -1269,9 +1334,7 @@
*/
public final boolean releaseShared(int arg) {
if (tryReleaseShared(arg)) {
- Node h = head;
- if (h != null && h.waitStatus != 0)
- unparkSuccessor(h);
+ doReleaseShared();
return true;
}
return false;
@@ -1613,8 +1676,8 @@
* case the waitStatus can be transiently and harmlessly wrong).
*/
Node p = enq(node);
- int c = p.waitStatus;
- if (c > 0 || !compareAndSetWaitStatus(p, c, Node.SIGNAL))
+ int ws = p.waitStatus;
+ if (ws > 0 || !compareAndSetWaitStatus(p, ws, Node.SIGNAL))
LockSupport.unpark(node.thread);
return true;
}
--- a/jdk/src/share/classes/java/util/concurrent/locks/ReentrantReadWriteLock.java Fri Mar 27 16:04:05 2009 +0000
+++ b/jdk/src/share/classes/java/util/concurrent/locks/ReentrantReadWriteLock.java Mon Mar 30 19:22:27 2009 +0100
@@ -276,7 +276,7 @@
* Maintained as a ThreadLocal; cached in cachedHoldCounter
*/
static final class HoldCounter {
- int count;
+ int count = 0;
// Use id, not reference, to avoid garbage retention
final long tid = Thread.currentThread().getId();
}
@@ -293,8 +293,9 @@
}
/**
- * The number of read locks held by current thread.
+ * The number of reentrant read locks held by current thread.
* Initialized only in constructor and readObject.
+ * Removed whenever a thread's read hold count drops to 0.
*/
private transient ThreadLocalHoldCounter readHolds;
@@ -304,17 +305,35 @@
* where the next thread to release is the last one to
* acquire. This is non-volatile since it is just used
* as a heuristic, and would be great for threads to cache.
+ *
+ * <p>Can outlive the Thread for which it is caching the read
+ * hold count, but avoids garbage retention by not retaining a
+ * reference to the Thread.
+ *
+ * <p>Accessed via a benign data race; relies on the memory
+ * model's final field and out-of-thin-air guarantees.
*/
private transient HoldCounter cachedHoldCounter;
/**
* firstReader is the first thread to have acquired the read lock.
* firstReaderHoldCount is firstReader's hold count.
- * This allows tracking of read holds for uncontended read
+ *
+ * <p>More precisely, firstReader is the unique thread that last
+ * changed the shared count from 0 to 1, and has not released the
+ * read lock since then; null if there is no such thread.
+ *
+ * <p>Cannot cause garbage retention unless the thread terminated
+ * without relinquishing its read locks, since tryReleaseShared
+ * sets it to null.
+ *
+ * <p>Accessed via a benign data race; relies on the memory
+ * model's out-of-thin-air guarantees for references.
+ *
+ * <p>This allows tracking of read holds for uncontended read
* locks to be very cheap.
*/
- private final static long INVALID_THREAD_ID = -1;
- private transient long firstReader = INVALID_THREAD_ID;
+ private transient Thread firstReader = null;
private transient int firstReaderHoldCount;
Sync() {
@@ -393,16 +412,16 @@
}
protected final boolean tryReleaseShared(int unused) {
- long tid = Thread.currentThread().getId();
- if (firstReader == tid) {
+ Thread current = Thread.currentThread();
+ if (firstReader == current) {
// assert firstReaderHoldCount > 0;
if (firstReaderHoldCount == 1)
- firstReader = INVALID_THREAD_ID;
+ firstReader = null;
else
firstReaderHoldCount--;
} else {
HoldCounter rh = cachedHoldCounter;
- if (rh == null || rh.tid != tid)
+ if (rh == null || rh.tid != current.getId())
rh = readHolds.get();
int count = rh.count;
if (count <= 1) {
@@ -416,6 +435,9 @@
int c = getState();
int nextc = c - SHARED_UNIT;
if (compareAndSetState(c, nextc))
+ // Releasing the read lock has no effect on readers,
+ // but it may allow waiting writers to proceed if
+ // both read and write locks are now free.
return nextc == 0;
}
}
@@ -450,15 +472,14 @@
if (!readerShouldBlock() &&
r < MAX_COUNT &&
compareAndSetState(c, c + SHARED_UNIT)) {
- long tid = current.getId();
if (r == 0) {
- firstReader = tid;
+ firstReader = current;
firstReaderHoldCount = 1;
- } else if (firstReader == tid) {
+ } else if (firstReader == current) {
firstReaderHoldCount++;
} else {
HoldCounter rh = cachedHoldCounter;
- if (rh == null || rh.tid != tid)
+ if (rh == null || rh.tid != current.getId())
cachedHoldCounter = rh = readHolds.get();
else if (rh.count == 0)
readHolds.set(rh);
@@ -485,19 +506,17 @@
int c = getState();
if (exclusiveCount(c) != 0) {
if (getExclusiveOwnerThread() != current)
- //if (removeNeeded) readHolds.remove();
return -1;
// else we hold the exclusive lock; blocking here
// would cause deadlock.
} else if (readerShouldBlock()) {
// Make sure we're not acquiring read lock reentrantly
- long tid = current.getId();
- if (firstReader == tid) {
+ if (firstReader == current) {
// assert firstReaderHoldCount > 0;
} else {
if (rh == null) {
rh = cachedHoldCounter;
- if (rh == null || rh.tid != tid) {
+ if (rh == null || rh.tid != current.getId()) {
rh = readHolds.get();
if (rh.count == 0)
readHolds.remove();
@@ -510,25 +529,20 @@
if (sharedCount(c) == MAX_COUNT)
throw new Error("Maximum lock count exceeded");
if (compareAndSetState(c, c + SHARED_UNIT)) {
- long tid = current.getId();
if (sharedCount(c) == 0) {
- firstReader = tid;
+ firstReader = current;
firstReaderHoldCount = 1;
- } else if (firstReader == tid) {
+ } else if (firstReader == current) {
firstReaderHoldCount++;
} else {
- if (rh == null) {
+ if (rh == null)
rh = cachedHoldCounter;
- if (rh != null && rh.tid == tid) {
- if (rh.count == 0)
- readHolds.set(rh);
- } else {
- rh = readHolds.get();
- }
- } else if (rh.count == 0)
+ if (rh == null || rh.tid != current.getId())
+ rh = readHolds.get();
+ else if (rh.count == 0)
readHolds.set(rh);
+ rh.count++;
cachedHoldCounter = rh; // cache for release
- rh.count++;
}
return 1;
}
@@ -572,15 +586,14 @@
if (r == MAX_COUNT)
throw new Error("Maximum lock count exceeded");
if (compareAndSetState(c, c + SHARED_UNIT)) {
- long tid = current.getId();
if (r == 0) {
- firstReader = tid;
+ firstReader = current;
firstReaderHoldCount = 1;
- } else if (firstReader == tid) {
+ } else if (firstReader == current) {
firstReaderHoldCount++;
} else {
HoldCounter rh = cachedHoldCounter;
- if (rh == null || rh.tid != tid)
+ if (rh == null || rh.tid != current.getId())
cachedHoldCounter = rh = readHolds.get();
else if (rh.count == 0)
readHolds.set(rh);
@@ -626,12 +639,12 @@
if (getReadLockCount() == 0)
return 0;
- long tid = Thread.currentThread().getId();
- if (firstReader == tid)
+ Thread current = Thread.currentThread();
+ if (firstReader == current)
return firstReaderHoldCount;
HoldCounter rh = cachedHoldCounter;
- if (rh != null && rh.tid == tid)
+ if (rh != null && rh.tid == current.getId())
return rh.count;
int count = readHolds.get().count;
@@ -647,7 +660,6 @@
throws java.io.IOException, ClassNotFoundException {
s.defaultReadObject();
readHolds = new ThreadLocalHoldCounter();
- firstReader = INVALID_THREAD_ID;
setState(0); // reset to unlocked state
}
--- a/jdk/src/share/classes/sun/net/spi/DefaultProxySelector.java Fri Mar 27 16:04:05 2009 +0000
+++ b/jdk/src/share/classes/sun/net/spi/DefaultProxySelector.java Mon Mar 30 19:22:27 2009 +0100
@@ -78,7 +78,6 @@
};
private static boolean hasSystemProxies = false;
- private static Properties defprops = new Properties();
static {
final String key = "java.net.useSystemProxies";
@@ -107,6 +106,9 @@
RegexpPool hostsPool;
String property;
+ static NonProxyInfo ftpNonProxyInfo = new NonProxyInfo("ftp.nonProxyHosts", null, null);
+ static NonProxyInfo httpNonProxyInfo = new NonProxyInfo("http.nonProxyHosts", null, null);
+
NonProxyInfo(String p, String s, RegexpPool pool) {
property = p;
hostsSource = s;
@@ -114,8 +116,6 @@
}
}
- private static NonProxyInfo ftpNonProxyInfo = new NonProxyInfo("ftp.nonProxyHosts", null, null);
- private static NonProxyInfo httpNonProxyInfo = new NonProxyInfo("http.nonProxyHosts", null, null);
/**
* select() method. Where all the hard work is done.
@@ -175,13 +175,13 @@
NonProxyInfo pinfo = null;
if ("http".equalsIgnoreCase(protocol)) {
- pinfo = httpNonProxyInfo;
+ pinfo = NonProxyInfo.httpNonProxyInfo;
} else if ("https".equalsIgnoreCase(protocol)) {
// HTTPS uses the same property as HTTP, for backward
// compatibility
- pinfo = httpNonProxyInfo;
+ pinfo = NonProxyInfo.httpNonProxyInfo;
} else if ("ftp".equalsIgnoreCase(protocol)) {
- pinfo = ftpNonProxyInfo;
+ pinfo = NonProxyInfo.ftpNonProxyInfo;
}
/**
@@ -334,7 +334,6 @@
}
}
- private static final Pattern p6 = Pattern.compile("::1|(0:){7}1|(0:){1,6}:1");
private boolean isLoopback(String host) {
if (host == null || host.length() == 0)
return false;
@@ -364,6 +363,7 @@
}
if (host.endsWith(":1")) {
+ final Pattern p6 = Pattern.compile("::1|(0:){7}1|(0:){1,6}:1");
return p6.matcher(host).matches();
}
return false;
--- a/jdk/src/share/classes/sun/security/tools/JarSigner.java Fri Mar 27 16:04:05 2009 +0000
+++ b/jdk/src/share/classes/sun/security/tools/JarSigner.java Mon Mar 30 19:22:27 2009 +0100
@@ -1,5 +1,5 @@
/*
- * Copyright 1997-2007 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 1997-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -32,28 +32,44 @@
import java.math.BigInteger;
import java.net.URI;
import java.net.URISyntaxException;
-import java.net.URL;
-import java.net.URLClassLoader;
-import java.net.SocketTimeoutException;
import java.text.Collator;
import java.text.MessageFormat;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.cert.CertificateException;
-import java.security.cert.CertificateExpiredException;
-import java.security.cert.CertificateNotYetValidException;
import java.security.*;
import java.lang.reflect.Constructor;
import com.sun.jarsigner.ContentSigner;
import com.sun.jarsigner.ContentSignerParameters;
+import java.net.SocketTimeoutException;
+import java.net.URL;
+import java.net.URLClassLoader;
+import java.security.cert.CertPath;
+import java.security.cert.CertPathValidator;
+import java.security.cert.CertificateExpiredException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CertificateNotYetValidException;
+import java.security.cert.PKIXParameters;
+import java.security.cert.TrustAnchor;
+import java.util.Map.Entry;
import sun.security.x509.*;
import sun.security.util.*;
import sun.misc.BASE64Encoder;
+
/**
* <p>The jarsigner utility.
*
+ * The exit codes for the main method are:
+ *
+ * 0: success
+ * 1: any error that the jar cannot be signed or verified, including:
+ * keystore loading error
+ * TSP communciation error
+ * jarsigner command line error...
+ * otherwise: error codes from -strict
+ *
* @author Roland Schemers
* @author Jan Luehe
*/
@@ -84,8 +100,6 @@
// Attention:
// This is the entry that get launched by the security tool jarsigner.
- // It's marked as exported private per AppServer Team's request.
- // See http://ccc.sfbay/6428446
public static void main(String args[]) throws Exception {
JarSigner js = new JarSigner();
js.run(args);
@@ -93,31 +107,32 @@
static final String VERSION = "1.0";
- static final int IN_KEYSTORE = 0x01;
+ static final int IN_KEYSTORE = 0x01; // signer is in keystore
static final int IN_SCOPE = 0x02;
-
- // signer's certificate chain (when composing)
- X509Certificate[] certChain;
+ static final int NOT_ALIAS = 0x04; // alias list is NOT empty and
+ // signer is not in alias list
+ static final int SIGNED_BY_ALIAS = 0x08; // signer is in alias list
- /*
- * private key
- */
- PrivateKey privateKey;
- KeyStore store;
+ X509Certificate[] certChain; // signer's cert chain (when composing)
+ PrivateKey privateKey; // private key
+ KeyStore store; // the keystore specified by -keystore
+ // or the default keystore, never null
IdentityScope scope;
String keystore; // key store file
boolean nullStream = false; // null keystore input stream (NONE)
boolean token = false; // token-based keystore
- String jarfile; // jar file to sign
+ String jarfile; // jar file to sign or verify
String alias; // alias to sign jar with
+ List<String> ckaliases = new ArrayList<String>(); // aliases in -verify
char[] storepass; // keystore password
boolean protectedPath; // protected authentication path
String storetype; // keystore type
String providerName; // provider name
Vector<String> providers = null; // list of providers
- HashMap<String,String> providerArgs = new HashMap<String, String>(); // arguments for provider constructors
+ // arguments for provider constructors
+ HashMap<String,String> providerArgs = new HashMap<String, String>();
char[] keypass; // private key password
String sigfile; // name of .SF file
String sigalg; // name of signature algorithm
@@ -125,12 +140,14 @@
String signedjar; // output filename
String tsaUrl; // location of the Timestamping Authority
String tsaAlias; // alias for the Timestamping Authority's certificate
+ String altCertChain; // file to read alternative cert chain from
boolean verify = false; // verify the jar
- boolean verbose = false; // verbose output when signing/verifying
+ String verbose = null; // verbose output when signing/verifying
boolean showcerts = false; // show certs when verifying
boolean debug = false; // debug
boolean signManifest = true; // "sign" the whole manifest
boolean externalSF = true; // leave the .SF out of the PKCS7 block
+ boolean strict = false; // treat warnings as error
// read zip entry raw bytes
private ByteArrayOutputStream baos = new ByteArrayOutputStream(2048);
@@ -139,14 +156,22 @@
private String altSignerClass = null;
private String altSignerClasspath = null;
private ZipFile zipFile = null;
+
private boolean hasExpiredCert = false;
private boolean hasExpiringCert = false;
private boolean notYetValidCert = false;
-
+ private boolean chainNotValidated = false;
+ private boolean notSignedByAlias = false;
+ private boolean aliasNotInStore = false;
+ private boolean hasUnsignedEntry = false;
private boolean badKeyUsage = false;
private boolean badExtendedKeyUsage = false;
private boolean badNetscapeCertType = false;
+ CertificateFactory certificateFactory;
+ CertPathValidator validator;
+ PKIXParameters pkixParameters;
+
public void run(String args[]) {
try {
parseArgs(args);
@@ -184,14 +209,6 @@
}
}
- hasExpiredCert = false;
- hasExpiringCert = false;
- notYetValidCert = false;
-
- badKeyUsage = false;
- badExtendedKeyUsage = false;
- badNetscapeCertType = false;
-
if (verify) {
try {
loadKeyStore(keystore, false);
@@ -238,6 +255,29 @@
storepass = null;
}
}
+
+ if (strict) {
+ int exitCode = 0;
+ if (hasExpiringCert) {
+ exitCode |= 2;
+ }
+ if (chainNotValidated) {
+ // hasExpiredCert and notYetValidCert included in this case
+ exitCode |= 4;
+ }
+ if (badKeyUsage || badExtendedKeyUsage || badNetscapeCertType) {
+ exitCode |= 8;
+ }
+ if (hasUnsignedEntry) {
+ exitCode |= 16;
+ }
+ if (notSignedByAlias || aliasNotInStore) {
+ exitCode |= 32;
+ }
+ if (exitCode != 0) {
+ System.exit(exitCode);
+ }
+ }
}
/*
@@ -247,25 +287,26 @@
/* parse flags */
int n = 0;
- for (n=0; (n < args.length) && args[n].startsWith("-"); n++) {
+ if (args.length == 0) fullusage();
+ for (n=0; n < args.length; n++) {
String flags = args[n];
if (collator.compare(flags, "-keystore") == 0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
keystore = args[n];
} else if (collator.compare(flags, "-storepass") ==0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
storepass = args[n].toCharArray();
} else if (collator.compare(flags, "-storetype") ==0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
storetype = args[n];
} else if (collator.compare(flags, "-providerName") ==0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
providerName = args[n];
} else if ((collator.compare(flags, "-provider") == 0) ||
(collator.compare(flags, "-providerClass") == 0)) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
if (providers == null) {
providers = new Vector<String>(3);
}
@@ -274,35 +315,38 @@
if (args.length > (n+1)) {
flags = args[n+1];
if (collator.compare(flags, "-providerArg") == 0) {
- if (args.length == (n+2)) usage();
+ if (args.length == (n+2)) usageNoArg();
providerArgs.put(args[n], args[n+2]);
n += 2;
}
}
} else if (collator.compare(flags, "-protected") ==0) {
protectedPath = true;
+ } else if (collator.compare(flags, "-certchain") ==0) {
+ if (++n == args.length) usageNoArg();
+ altCertChain = args[n];
} else if (collator.compare(flags, "-debug") ==0) {
debug = true;
} else if (collator.compare(flags, "-keypass") ==0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
keypass = args[n].toCharArray();
} else if (collator.compare(flags, "-sigfile") ==0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
sigfile = args[n];
} else if (collator.compare(flags, "-signedjar") ==0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
signedjar = args[n];
} else if (collator.compare(flags, "-tsa") ==0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
tsaUrl = args[n];
} else if (collator.compare(flags, "-tsacert") ==0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
tsaAlias = args[n];
} else if (collator.compare(flags, "-altsigner") ==0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
altSignerClass = args[n];
} else if (collator.compare(flags, "-altsignerpath") ==0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
altSignerClasspath = args[n];
} else if (collator.compare(flags, "-sectionsonly") ==0) {
signManifest = false;
@@ -311,30 +355,56 @@
} else if (collator.compare(flags, "-verify") ==0) {
verify = true;
} else if (collator.compare(flags, "-verbose") ==0) {
- verbose = true;
+ verbose = "all";
+ } else if (collator.compare(flags, "-verbose:all") ==0) {
+ verbose = "all";
+ } else if (collator.compare(flags, "-verbose:summary") ==0) {
+ verbose = "summary";
+ } else if (collator.compare(flags, "-verbose:grouped") ==0) {
+ verbose = "grouped";
} else if (collator.compare(flags, "-sigalg") ==0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
sigalg = args[n];
} else if (collator.compare(flags, "-digestalg") ==0) {
- if (++n == args.length) usage();
+ if (++n == args.length) usageNoArg();
digestalg = args[n];
} else if (collator.compare(flags, "-certs") ==0) {
showcerts = true;
+ } else if (collator.compare(flags, "-strict") ==0) {
+ strict = true;
} else if (collator.compare(flags, "-h") == 0 ||
collator.compare(flags, "-help") == 0) {
- usage();
+ fullusage();
} else {
- System.err.println(rb.getString("Illegal option: ") + flags);
- usage();
+ if (!flags.startsWith("-")) {
+ if (jarfile == null) {
+ jarfile = flags;
+ } else {
+ alias = flags;
+ ckaliases.add(alias);
+ }
+ } else {
+ System.err.println(
+ rb.getString("Illegal option: ") + flags);
+ usage();
+ }
}
}
- if (n == args.length) usage();
- jarfile = args[n++];
+ // -certs must always be specified with -verbose
+ if (verbose == null) showcerts = false;
- if (!verify) {
- if (n == args.length) usage();
- alias = args[n++];
+ if (jarfile == null) {
+ System.err.println(rb.getString("Please specify jarfile name"));
+ usage();
+ }
+ if (!verify && alias == null) {
+ System.err.println(rb.getString("Please specify alias name"));
+ usage();
+ }
+ if (!verify && ckaliases.size() > 1) {
+ System.err.println(rb.getString("Only one alias can be specified"));
+ usage();
}
if (storetype == null) {
@@ -357,7 +427,6 @@
if (token && !nullStream) {
System.err.println(MessageFormat.format(rb.getString
("-keystore must be NONE if -storetype is {0}"), storetype));
- System.err.println();
usage();
}
@@ -365,7 +434,6 @@
System.err.println(MessageFormat.format(rb.getString
("-keypass can not be specified " +
"if -storetype is {0}"), storetype));
- System.err.println();
usage();
}
@@ -374,7 +442,6 @@
System.err.println(rb.getString
("If -protected is specified, " +
"then -storepass and -keypass must not be specified"));
- System.err.println();
usage();
}
}
@@ -383,17 +450,27 @@
System.err.println(rb.getString
("If keystore is not password protected, " +
"then -storepass and -keypass must not be specified"));
- System.err.println();
usage();
}
}
}
+ void usageNoArg() {
+ System.out.println(rb.getString("Option lacks argument"));
+ usage();
+ }
+
void usage() {
+ System.out.println();
+ System.out.println(rb.getString("Please type jarsigner -help for usage"));
+ System.exit(1);
+ }
+
+ void fullusage() {
System.out.println(rb.getString
("Usage: jarsigner [options] jar-file alias"));
System.out.println(rb.getString
- (" jarsigner -verify [options] jar-file"));
+ (" jarsigner -verify [options] jar-file [alias...]"));
System.out.println();
System.out.println(rb.getString
("[-keystore <url>] keystore location"));
@@ -408,6 +485,9 @@
("[-keypass <password>] password for private key (if different)"));
System.out.println();
System.out.println(rb.getString
+ ("[-certchain <file>] name of alternative certchain file"));
+ System.out.println();
+ System.out.println(rb.getString
("[-sigfile <file>] name of .SF/.DSA file"));
System.out.println();
System.out.println(rb.getString
@@ -423,7 +503,9 @@
("[-verify] verify a signed JAR file"));
System.out.println();
System.out.println(rb.getString
- ("[-verbose] verbose output when signing/verifying"));
+ ("[-verbose[:suboptions]] verbose output when signing/verifying."));
+ System.out.println(rb.getString
+ (" suboptions can be all, grouped or summary"));
System.out.println();
System.out.println(rb.getString
("[-certs] display certificates when verbose and verifying"));
@@ -457,15 +539,17 @@
System.out.println(rb.getString
(" [-providerArg <arg>]] ... master class file and constructor argument"));
System.out.println();
+ System.out.println(rb.getString
+ ("[-strict] treat warnings as errors"));
+ System.out.println();
- System.exit(1);
+ System.exit(0);
}
void verifyJar(String jarName)
throws Exception
{
- boolean anySigned = false;
- boolean hasUnsignedEntry = false;
+ boolean anySigned = false; // if there exists entry inside jar signed
JarFile jf = null;
try {
@@ -494,11 +578,18 @@
Manifest man = jf.getManifest();
+ // The map to record display info, only used when -verbose provided
+ // key: signer info string
+ // value: the list of files with common key
+ Map<String,List<String>> output =
+ new LinkedHashMap<String,List<String>>();
+
if (man != null) {
- if (verbose) System.out.println();
+ if (verbose != null) System.out.println();
Enumeration<JarEntry> e = entriesVec.elements();
long now = System.currentTimeMillis();
+ String tab = rb.getString(" ");
while (e.hasMoreElements()) {
JarEntry je = e.nextElement();
@@ -509,77 +600,118 @@
hasUnsignedEntry |= !je.isDirectory() && !isSigned
&& !signatureRelated(name);
- if (verbose) {
- int inStoreOrScope = inKeyStore(signers);
- boolean inStore = (inStoreOrScope & IN_KEYSTORE) != 0;
- boolean inScope = (inStoreOrScope & IN_SCOPE) != 0;
+ int inStoreOrScope = inKeyStore(signers);
+
+ boolean inStore = (inStoreOrScope & IN_KEYSTORE) != 0;
+ boolean inScope = (inStoreOrScope & IN_SCOPE) != 0;
+
+ notSignedByAlias |= (inStoreOrScope & NOT_ALIAS) != 0;
+ aliasNotInStore |= isSigned && (!inStore && !inScope);
+
+ // Only used when -verbose provided
+ StringBuffer sb = null;
+ if (verbose != null) {
+ sb = new StringBuffer();
boolean inManifest =
((man.getAttributes(name) != null) ||
(man.getAttributes("./"+name) != null) ||
(man.getAttributes("/"+name) != null));
- System.out.print(
+ sb.append(
(isSigned ? rb.getString("s") : rb.getString(" ")) +
(inManifest ? rb.getString("m") : rb.getString(" ")) +
(inStore ? rb.getString("k") : rb.getString(" ")) +
(inScope ? rb.getString("i") : rb.getString(" ")) +
- rb.getString(" "));
- StringBuffer sb = new StringBuffer();
- String s = Long.toString(je.getSize());
- for (int i = 6 - s.length(); i > 0; --i) {
- sb.append(' ');
- }
- sb.append(s).append(' ').
- append(new Date(je.getTime()).toString());
- sb.append(' ').append(je.getName());
- System.out.println(sb.toString());
+ ((inStoreOrScope & NOT_ALIAS) != 0 ?"X":" ") +
+ rb.getString(" "));
+ sb.append("|");
+ }
- if (signers != null && showcerts) {
- String tab = rb.getString(" ");
- for (int i = 0; i < signers.length; i++) {
- System.out.println();
- List<? extends Certificate> certs =
- signers[i].getSignerCertPath()
- .getCertificates();
- // display the signature timestamp, if present
- Timestamp timestamp = signers[i].getTimestamp();
- if (timestamp != null) {
- System.out.println(
- printTimestamp(tab, timestamp));
- }
- // display the certificate(s)
- for (Certificate c : certs) {
- System.out.println(
- printCert(tab, c, true, now));
- }
+ // When -certs provided, display info has extra empty
+ // lines at the beginning and end.
+ if (isSigned) {
+ if (showcerts) sb.append('\n');
+ for (CodeSigner signer: signers) {
+ // signerInfo() must be called even if -verbose
+ // not provided. The method updates various
+ // warning flags.
+ String si = signerInfo(signer, tab, now);
+ if (showcerts) {
+ sb.append(si);
+ sb.append('\n');
}
- System.out.println();
}
-
- }
- if (isSigned) {
- for (int i = 0; i < signers.length; i++) {
- Certificate cert =
- signers[i].getSignerCertPath()
- .getCertificates().get(0);
- if (cert instanceof X509Certificate) {
- checkCertUsage((X509Certificate)cert, null);
- if (!showcerts) {
- long notAfter = ((X509Certificate)cert)
- .getNotAfter().getTime();
-
- if (notAfter < now) {
- hasExpiredCert = true;
- } else if (notAfter < now + SIX_MONTHS) {
- hasExpiringCert = true;
- }
- }
- }
+ } else if (showcerts && !verbose.equals("all")) {
+ // Print no info for unsigned entries when -verbose:all,
+ // to be consistent with old behavior.
+ if (signatureRelated(name)) {
+ sb.append("\n" + tab + rb.getString(
+ "(Signature related entries)") + "\n\n");
+ } else {
+ sb.append("\n" + tab + rb.getString(
+ "(Unsigned entries)") + "\n\n");
}
}
+ if (verbose != null) {
+ String label = sb.toString();
+ if (signatureRelated(name)) {
+ // Entries inside META-INF and other unsigned
+ // entries are grouped separately.
+ label = "-" + label.substring(1);
+ }
+
+ // The label finally contains 2 parts separated by '|':
+ // The legend displayed before the entry names, and
+ // the cert info (if -certs specfied).
+
+ if (!output.containsKey(label)) {
+ output.put(label, new ArrayList<String>());
+ }
+
+ StringBuffer fb = new StringBuffer();
+ String s = Long.toString(je.getSize());
+ for (int i = 6 - s.length(); i > 0; --i) {
+ fb.append(' ');
+ }
+ fb.append(s).append(' ').
+ append(new Date(je.getTime()).toString());
+ fb.append(' ').append(name);
+
+ output.get(label).add(fb.toString());
+ }
}
}
- if (verbose) {
+ if (verbose != null) {
+ for (Entry<String,List<String>> s: output.entrySet()) {
+ List<String> files = s.getValue();
+ String key = s.getKey();
+ if (key.charAt(0) == '-') { // the signature-related group
+ key = ' ' + key.substring(1);
+ }
+ int pipe = key.indexOf('|');
+ if (verbose.equals("all")) {
+ for (String f: files) {
+ System.out.println(key.substring(0, pipe) + f);
+ System.out.printf(key.substring(pipe+1));
+ }
+ } else {
+ if (verbose.equals("grouped")) {
+ for (String f: files) {
+ System.out.println(key.substring(0, pipe) + f);
+ }
+ } else if (verbose.equals("summary")) {
+ System.out.print(key.substring(0, pipe));
+ if (files.size() > 1) {
+ System.out.println(files.get(0) + " " +
+ String.format(rb.getString(
+ "(and %d more)"), files.size()-1));
+ } else {
+ System.out.println(files.get(0));
+ }
+ }
+ System.out.printf(key.substring(pipe+1));
+ }
+ }
System.out.println();
System.out.println(rb.getString(
" s = signature was verified "));
@@ -589,9 +721,12 @@
" k = at least one certificate was found in keystore"));
System.out.println(rb.getString(
" i = at least one certificate was found in identity scope"));
+ if (ckaliases.size() > 0) {
+ System.out.println((
+ " X = not signed by specified alias(es)"));
+ }
System.out.println();
}
-
if (man == null)
System.out.println(rb.getString("no manifest."));
@@ -602,7 +737,8 @@
System.out.println(rb.getString("jar verified."));
if (hasUnsignedEntry || hasExpiredCert || hasExpiringCert ||
badKeyUsage || badExtendedKeyUsage || badNetscapeCertType ||
- notYetValidCert) {
+ notYetValidCert || chainNotValidated ||
+ aliasNotInStore || notSignedByAlias) {
System.out.println();
System.out.println(rb.getString("Warning: "));
@@ -638,14 +774,27 @@
"This jar contains entries whose signer certificate is not yet valid. "));
}
- if (! (verbose && showcerts)) {
+ if (chainNotValidated) {
+ System.out.println(
+ rb.getString("This jar contains entries whose certificate chain is not validated."));
+ }
+
+ if (notSignedByAlias) {
+ System.out.println(
+ rb.getString("This jar contains signed entries which is not signed by the specified alias(es)."));
+ }
+
+ if (aliasNotInStore) {
+ System.out.println(rb.getString("This jar contains signed entries that's not signed by alias in this keystore."));
+ }
+ if (! (verbose != null && showcerts)) {
System.out.println();
System.out.println(rb.getString(
"Re-run with the -verbose and -certs options for more details."));
}
}
}
- System.exit(0);
+ return;
} catch (Exception e) {
System.out.println(rb.getString("jarsigner: ") + e);
if (debug) {
@@ -660,15 +809,6 @@
System.exit(1);
}
- /*
- * Display some details about a certificate:
- *
- * <cert-type> [", " <subject-DN>] [" (" <keystore-entry-alias> ")"]
- */
- String printCert(Certificate c) {
- return printCert("", c, false, 0);
- }
-
private static MessageFormat validityTimeForm = null;
private static MessageFormat notYetTimeForm = null;
private static MessageFormat expiredTimeForm = null;
@@ -679,6 +819,8 @@
*
* [<tab>] <cert-type> [", " <subject-DN>] [" (" <keystore-entry-alias> ")"]
* [<validity-period> | <expiry-warning>]
+ *
+ * Note: no newline character at the end
*/
String printCert(String tab, Certificate c, boolean checkValidityPeriod,
long now) {
@@ -788,54 +930,75 @@
.append(signTimeForm.format(source)).append("]").toString();
}
+ private Map<CodeSigner,Integer> cacheForInKS =
+ new IdentityHashMap<CodeSigner,Integer>();
+
+ private int inKeyStoreForOneSigner(CodeSigner signer) {
+ if (cacheForInKS.containsKey(signer)) {
+ return cacheForInKS.get(signer);
+ }
+
+ boolean found = false;
+ int result = 0;
+ List<? extends Certificate> certs = signer.getSignerCertPath().getCertificates();
+ for (Certificate c : certs) {
+ String alias = storeHash.get(c);
+ if (alias != null) {
+ if (alias.startsWith("(")) {
+ result |= IN_KEYSTORE;
+ } else if (alias.startsWith("[")) {
+ result |= IN_SCOPE;
+ }
+ if (ckaliases.contains(alias.substring(1, alias.length() - 1))) {
+ result |= SIGNED_BY_ALIAS;
+ }
+ } else {
+ if (store != null) {
+ try {
+ alias = store.getCertificateAlias(c);
+ } catch (KeyStoreException kse) {
+ // never happens, because keystore has been loaded
+ }
+ if (alias != null) {
+ storeHash.put(c, "(" + alias + ")");
+ found = true;
+ result |= IN_KEYSTORE;
+ }
+ }
+ if (!found && (scope != null)) {
+ Identity id = scope.getIdentity(c.getPublicKey());
+ if (id != null) {
+ result |= IN_SCOPE;
+ storeHash.put(c, "[" + id.getName() + "]");
+ }
+ }
+ if (ckaliases.contains(alias)) {
+ result |= SIGNED_BY_ALIAS;
+ }
+ }
+ }
+ cacheForInKS.put(signer, result);
+ return result;
+ }
+
Hashtable<Certificate, String> storeHash =
new Hashtable<Certificate, String>();
int inKeyStore(CodeSigner[] signers) {
- int result = 0;
if (signers == null)
return 0;
- boolean found = false;
-
- for (int i = 0; i < signers.length; i++) {
- found = false;
- List<? extends Certificate> certs =
- signers[i].getSignerCertPath().getCertificates();
-
- for (Certificate c : certs) {
- String alias = storeHash.get(c);
+ int output = 0;
- if (alias != null) {
- if (alias.startsWith("("))
- result |= IN_KEYSTORE;
- else if (alias.startsWith("["))
- result |= IN_SCOPE;
- } else {
- if (store != null) {
- try {
- alias = store.getCertificateAlias(c);
- } catch (KeyStoreException kse) {
- // never happens, because keystore has been loaded
- }
- if (alias != null) {
- storeHash.put(c, "("+alias+")");
- found = true;
- result |= IN_KEYSTORE;
- }
- }
- if (!found && (scope != null)) {
- Identity id = scope.getIdentity(c.getPublicKey());
- if (id != null) {
- result |= IN_SCOPE;
- storeHash.put(c, "["+id.getName()+"]");
- }
- }
- }
- }
+ for (CodeSigner signer: signers) {
+ int result = inKeyStoreForOneSigner(signer);
+ output |= result;
}
- return result;
+ if (ckaliases.size() > 0 && (output & SIGNED_BY_ALIAS) == 0) {
+ output |= NOT_ALIAS;
+ }
+ return output;
}
void signJar(String jarName, String alias, String[] args)
@@ -1025,7 +1188,7 @@
// manifest file has new length
mfFile = new ZipEntry(JarFile.MANIFEST_NAME);
}
- if (verbose) {
+ if (verbose != null) {
if (mfCreated) {
System.out.println(rb.getString(" adding: ") +
mfFile.getName());
@@ -1076,7 +1239,7 @@
// signature file
zos.putNextEntry(sfFile);
sf.write(zos);
- if (verbose) {
+ if (verbose != null) {
if (zipFile.getEntry(sfFilename) != null) {
System.out.println(rb.getString(" updating: ") +
sfFilename);
@@ -1086,7 +1249,7 @@
}
}
- if (verbose) {
+ if (verbose != null) {
if (tsaUrl != null || tsaCert != null) {
System.out.println(
rb.getString("requesting a signature timestamp"));
@@ -1101,8 +1264,8 @@
System.out.println(rb.getString("TSA location: ") +
certUrl);
}
- System.out.println(
- rb.getString("TSA certificate: ") + printCert(tsaCert));
+ System.out.println(rb.getString("TSA certificate: ") +
+ printCert("", tsaCert, false, 0));
}
if (signingMechanism != null) {
System.out.println(
@@ -1113,7 +1276,7 @@
// signature block file
zos.putNextEntry(bkFile);
block.write(zos);
- if (verbose) {
+ if (verbose != null) {
if (zipFile.getEntry(bkFilename) != null) {
System.out.println(rb.getString(" updating: ") +
bkFilename);
@@ -1140,7 +1303,7 @@
ZipEntry ze = enum_.nextElement();
if (!ze.getName().startsWith(META_INF)) {
- if (verbose) {
+ if (verbose != null) {
if (manifest.getAttributes(ze.getName()) != null)
System.out.println(rb.getString(" signing: ") +
ze.getName());
@@ -1194,7 +1357,8 @@
}
if (hasExpiredCert || hasExpiringCert || notYetValidCert
- || badKeyUsage || badExtendedKeyUsage || badNetscapeCertType) {
+ || badKeyUsage || badExtendedKeyUsage
+ || badNetscapeCertType || chainNotValidated) {
System.out.println();
System.out.println(rb.getString("Warning: "));
@@ -1223,6 +1387,11 @@
System.out.println(
rb.getString("The signer certificate is not yet valid."));
}
+
+ if (chainNotValidated) {
+ System.out.println(
+ rb.getString("The signer's certificate chain is not validated."));
+ }
}
// no IOException thrown in the above try clause, so disable
@@ -1274,6 +1443,40 @@
return false;
}
+ Map<CodeSigner,String> cacheForSignerInfo = new IdentityHashMap<CodeSigner,String>();
+
+ /**
+ * Returns a string of singer info, with a newline at the end
+ */
+ private String signerInfo(CodeSigner signer, String tab, long now) {
+ if (cacheForSignerInfo.containsKey(signer)) {
+ return cacheForSignerInfo.get(signer);
+ }
+ StringBuffer s = new StringBuffer();
+ List<? extends Certificate> certs = signer.getSignerCertPath().getCertificates();
+ // display the signature timestamp, if present
+ Timestamp timestamp = signer.getTimestamp();
+ if (timestamp != null) {
+ s.append(printTimestamp(tab, timestamp));
+ }
+ // display the certificate(s)
+ for (Certificate c : certs) {
+ s.append(printCert(tab, c, true, now));
+ s.append('\n');
+ }
+ try {
+ CertPath cp = certificateFactory.generateCertPath(certs);
+ validator.validate(cp, pkixParameters);
+ } catch (Exception e) {
+ chainNotValidated = true;
+ s.append(tab + rb.getString("[CertPath not validated: ") +
+ e.getLocalizedMessage() + "]\n"); // TODO
+ }
+ String result = s.toString();
+ cacheForSignerInfo.put(signer, result);
+ return result;
+ }
+
private void writeEntry(ZipFile zf, ZipOutputStream os, ZipEntry ze)
throws IOException
{
@@ -1360,6 +1563,48 @@
}
}
}
+ Set<TrustAnchor> tas = new HashSet<TrustAnchor>();
+ try {
+ KeyStore caks = KeyTool.getCacertsKeyStore();
+ if (caks != null) {
+ Enumeration<String> aliases = caks.aliases();
+ while (aliases.hasMoreElements()) {
+ String a = aliases.nextElement();
+ try {
+ tas.add(new TrustAnchor((X509Certificate)caks.getCertificate(a), null));
+ } catch (Exception e2) {
+ // ignore, when a SecretkeyEntry does not include a cert
+ }
+ }
+ }
+ } catch (Exception e) {
+ // Ignore, if cacerts cannot be loaded
+ }
+ if (store != null) {
+ Enumeration<String> aliases = store.aliases();
+ while (aliases.hasMoreElements()) {
+ String a = aliases.nextElement();
+ try {
+ X509Certificate c = (X509Certificate)store.getCertificate(a);
+ // Only add TrustedCertificateEntry and self-signed
+ // PrivateKeyEntry
+ if (store.isCertificateEntry(a) ||
+ c.getSubjectDN().equals(c.getIssuerDN())) {
+ tas.add(new TrustAnchor(c, null));
+ }
+ } catch (Exception e2) {
+ // ignore, when a SecretkeyEntry does not include a cert
+ }
+ }
+ }
+ certificateFactory = CertificateFactory.getInstance("X.509");
+ validator = CertPathValidator.getInstance("PKIX");
+ try {
+ pkixParameters = new PKIXParameters(tas);
+ pkixParameters.setRevocationEnabled(false);
+ } catch (InvalidAlgorithmParameterException ex) {
+ // Only if tas is empty
+ }
} catch (IOException ioe) {
throw new RuntimeException(rb.getString("keystore load: ") +
ioe.getMessage());
@@ -1408,7 +1653,8 @@
void checkCertUsage(X509Certificate userCert, boolean[] bad) {
// Can act as a signer?
- // 1. if KeyUsage, then [0] should be true
+ // 1. if KeyUsage, then [0:digitalSignature] or
+ // [1:nonRepudiation] should be true
// 2. if ExtendedKeyUsage, then should contains ANY or CODE_SIGNING
// 3. if NetscapeCertType, then should contains OBJECT_SIGNING
// 1,2,3 must be true
@@ -1419,10 +1665,10 @@
boolean[] keyUsage = userCert.getKeyUsage();
if (keyUsage != null) {
- if (keyUsage.length < 1 || !keyUsage[0]) {
+ keyUsage = Arrays.copyOf(keyUsage, 9);
+ if (!keyUsage[0] && !keyUsage[1]) {
if (bad != null) {
bad[0] = true;
- } else {
badKeyUsage = true;
}
}
@@ -1435,7 +1681,6 @@
&& !xKeyUsage.contains("1.3.6.1.5.5.7.3.3")) { // codeSigning
if (bad != null) {
bad[1] = true;
- } else {
badExtendedKeyUsage = true;
}
}
@@ -1462,7 +1707,6 @@
if (!val) {
if (bad != null) {
bad[2] = true;
- } else {
badNetscapeCertType = true;
}
}
@@ -1477,19 +1721,36 @@
Key key = null;
try {
-
java.security.cert.Certificate[] cs = null;
-
- try {
- cs = store.getCertificateChain(alias);
- } catch (KeyStoreException kse) {
- // this never happens, because keystore has been loaded
+ if (altCertChain != null) {
+ try {
+ cs = CertificateFactory.getInstance("X.509").
+ generateCertificates(new FileInputStream(altCertChain)).
+ toArray(new Certificate[0]);
+ } catch (CertificateException ex) {
+ error(rb.getString("Cannot restore certchain from file specified"));
+ } catch (FileNotFoundException ex) {
+ error(rb.getString("File specified by -certchain does not exist"));
+ }
+ } else {
+ try {
+ cs = store.getCertificateChain(alias);
+ } catch (KeyStoreException kse) {
+ // this never happens, because keystore has been loaded
+ }
}
- if (cs == null) {
- MessageFormat form = new MessageFormat(rb.getString
- ("Certificate chain not found for: alias. alias must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain."));
- Object[] source = {alias, alias};
- error(form.format(source));
+ if (cs == null || cs.length == 0) {
+ if (altCertChain != null) {
+ error(rb.getString
+ ("Certificate chain not found in the file specified."));
+ } else {
+ MessageFormat form = new MessageFormat(rb.getString
+ ("Certificate chain not found for: alias. alias must" +
+ " reference a valid KeyStore key entry containing a" +
+ " private key and corresponding public key certificate chain."));
+ Object[] source = {alias, alias};
+ error(form.format(source));
+ }
}
certChain = new X509Certificate[cs.length];
@@ -1501,56 +1762,15 @@
certChain[i] = (X509Certificate)cs[i];
}
- // order the cert chain if necessary (put user cert first,
- // root-cert last in the chain)
- X509Certificate userCert
- = (X509Certificate)store.getCertificate(alias);
-
- // check validity of signer certificate
- try {
- userCert.checkValidity();
-
- if (userCert.getNotAfter().getTime() <
- System.currentTimeMillis() + SIX_MONTHS) {
-
- hasExpiringCert = true;
- }
- } catch (CertificateExpiredException cee) {
- hasExpiredCert = true;
-
- } catch (CertificateNotYetValidException cnyve) {
- notYetValidCert = true;
- }
-
- checkCertUsage(userCert, null);
+ // We don't meant to print anything, the next call
+ // checks validity and keyUsage etc
+ printCert("", certChain[0], true, 0);
- if (!userCert.equals(certChain[0])) {
- // need to order ...
- X509Certificate[] certChainTmp
- = new X509Certificate[certChain.length];
- certChainTmp[0] = userCert;
- Principal issuer = userCert.getIssuerDN();
- for (int i=1; i<certChain.length; i++) {
- int j;
- // look for the cert whose subject corresponds to the
- // given issuer
- for (j=0; j<certChainTmp.length; j++) {
- if (certChainTmp[j] == null)
- continue;
- Principal subject = certChainTmp[j].getSubjectDN();
- if (issuer.equals(subject)) {
- certChain[i] = certChainTmp[j];
- issuer = certChainTmp[j].getIssuerDN();
- certChainTmp[j] = null;
- break;
- }
- }
- if (j == certChainTmp.length) {
- error(rb.getString("incomplete certificate chain"));
- }
-
- }
- certChain = certChainTmp; // ordered
+ try {
+ CertPath cp = certificateFactory.generateCertPath(Arrays.asList(certChain));
+ validator.validate(cp, pkixParameters);
+ } catch (Exception e) {
+ chainNotValidated = true;
}
try {
--- a/jdk/src/share/classes/sun/security/tools/JarSignerResources.java Fri Mar 27 16:04:05 2009 +0000
+++ b/jdk/src/share/classes/sun/security/tools/JarSignerResources.java Mon Mar 30 19:22:27 2009 +0100
@@ -1,5 +1,5 @@
/*
- * Copyright 2000-2005 Sun Microsystems, Inc. All Rights Reserved.
+ * Copyright 2000-2009 Sun Microsystems, Inc. All Rights Reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -54,8 +54,8 @@
"If keystore is not password protected, then -storepass and -keypass must not be specified"},
{"Usage: jarsigner [options] jar-file alias",
"Usage: jarsigner [options] jar-file alias"},
- {" jarsigner -verify [options] jar-file",
- " jarsigner -verify [options] jar-file"},
+ {" jarsigner -verify [options] jar-file [alias...]",
+ " jarsigner -verify [options] jar-file [alias...]"},
{"[-keystore <url>] keystore location",
"[-keystore <url>] keystore location"},
{"[-storepass <password>] password for keystore integrity",
@@ -64,6 +64,8 @@
"[-storetype <type>] keystore type"},
{"[-keypass <password>] password for private key (if different)",
"[-keypass <password>] password for private key (if different)"},
+ {"[-certchain <file>] name of alternative certchain file",
+ "[-certchain <file>] name of alternative certchain file"},
{"[-sigfile <file>] name of .SF/.DSA file",
"[-sigfile <file>] name of .SF/.DSA file"},
{"[-signedjar <file>] name of signed JAR file",
@@ -74,8 +76,10 @@
"[-sigalg <algorithm>] name of signature algorithm"},
{"[-verify] verify a signed JAR file",
"[-verify] verify a signed JAR file"},
- {"[-verbose] verbose output when signing/verifying",
- "[-verbose] verbose output when signing/verifying"},
+ {"[-verbose[:suboptions]] verbose output when signing/verifying.",
+ "[-verbose[:suboptions]] verbose output when signing/verifying."},
+ {" suboptions can be all, grouped or summary",
+ " suboptions can be all, grouped or summary"},
{"[-certs] display certificates when verbose and verifying",
"[-certs] display certificates when verbose and verifying"},
{"[-tsa <url>] location of the Timestamping Authority",
@@ -98,10 +102,22 @@
"[-providerClass <class> name of cryptographic service provider's"},
{" [-providerArg <arg>]] ... master class file and constructor argument",
" [-providerArg <arg>]] ... master class file and constructor argument"},
+ {"[-strict] treat warnings as errors",
+ "[-strict] treat warnings as errors"},
+ {"Option lacks argument", "Option lacks argument"},
+ {"Please type jarsigner -help for usage", "Please type jarsigner -help for usage"},
+ {"Please specify jarfile name", "Please specify jarfile name"},
+ {"Please specify alias name", "Please specify alias name"},
+ {"Only one alias can be specified", "Only one alias can be specified"},
+ {"This jar contains signed entries which is not signed by the specified alias(es).",
+ "This jar contains signed entries which is not signed by the specified alias(es)."},
+ {"This jar contains signed entries that's not signed by alias in this keystore.",
+ "This jar contains signed entries that's not signed by alias in this keystore."},
{"s", "s"},
{"m", "m"},
{"k", "k"},
{"i", "i"},
+ {"(and %d more)", "(and %d more)"},
{" s = signature was verified ",
" s = signature was verified "},
{" m = entry is listed in manifest",
@@ -110,7 +126,11 @@
" k = at least one certificate was found in keystore"},
{" i = at least one certificate was found in identity scope",
" i = at least one certificate was found in identity scope"},
+ {" X = not signed by specified alias(es)",
+ " X = not signed by specified alias(es)"},
{"no manifest.", "no manifest."},
+ {"(Signature related entries)","(Signature related entries)"},
+ {"(Unsigned entries)", "(Unsigned entries)"},
{"jar is unsigned. (signatures missing or not parsable)",
"jar is unsigned. (signatures missing or not parsable)"},
{"jar verified.", "jar verified."},
@@ -134,6 +154,12 @@
"unable to instantiate keystore class: "},
{"Certificate chain not found for: alias. alias must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.",
"Certificate chain not found for: {0}. {1} must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain."},
+ {"File specified by -certchain does not exist",
+ "File specified by -certchain does not exist"},
+ {"Cannot restore certchain from file specified",
+ "Cannot restore certchain from file specified"},
+ {"Certificate chain not found in the file specified.",
+ "Certificate chain not found in the file specified."},
{"found non-X.509 certificate in signer's chain",
"found non-X.509 certificate in signer's chain"},
{"incomplete certificate chain", "incomplete certificate chain"},
@@ -149,6 +175,7 @@
{"certificate is not valid until",
"certificate is not valid until {0}"},
{"certificate will expire on", "certificate will expire on {0}"},
+ {"[CertPath not validated: ", "[CertPath not validated: "},
{"requesting a signature timestamp",
"requesting a signature timestamp"},
{"TSA location: ", "TSA location: "},
@@ -189,14 +216,18 @@
"The signer certificate's ExtendedKeyUsage extension doesn't allow code signing."},
{"The signer certificate's NetscapeCertType extension doesn't allow code signing.",
"The signer certificate's NetscapeCertType extension doesn't allow code signing."},
- {"This jar contains entries whose signer certificate's KeyUsage extension doesn't allow code signing.",
- "This jar contains entries whose signer certificate's KeyUsage extension doesn't allow code signing."},
- {"This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing.",
- "This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing."},
- {"This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing.",
- "This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing."},
+ {"This jar contains entries whose signer certificate's KeyUsage extension doesn't allow code signing.",
+ "This jar contains entries whose signer certificate's KeyUsage extension doesn't allow code signing."},
+ {"This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing.",
+ "This jar contains entries whose signer certificate's ExtendedKeyUsage extension doesn't allow code signing."},
+ {"This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing.",
+ "This jar contains entries whose signer certificate's NetscapeCertType extension doesn't allow code signing."},
{"[{0} extension does not support code signing]",
"[{0} extension does not support code signing]"},
+ {"The signer's certificate chain is not validated.",
+ "The signer's certificate chain is not validated."},
+ {"This jar contains entries whose certificate chain is not validated.",
+ "This jar contains entries whose certificate chain is not validated."},
};
/**
--- a/jdk/src/share/classes/sun/security/tools/KeyTool.java Fri Mar 27 16:04:05 2009 +0000
+++ b/jdk/src/share/classes/sun/security/tools/KeyTool.java Mon Mar 30 19:22:27 2009 +0100
@@ -3108,7 +3108,7 @@
/**
* Returns the keystore with the configured CA certificates.
*/
- private KeyStore getCacertsKeyStore()
+ public static KeyStore getCacertsKeyStore()
throws Exception
{
String sep = File.separator;
--- a/jdk/test/java/util/Collection/MOAT.java Fri Mar 27 16:04:05 2009 +0000
+++ b/jdk/test/java/util/Collection/MOAT.java Mon Mar 30 19:22:27 2009 +0100
@@ -555,6 +555,7 @@
NavigableMap<Integer,Integer> nm =
(NavigableMap<Integer,Integer>) m;
+ testNavigableMapRemovers(nm);
testNavigableMap(nm);
testNavigableMap(nm.headMap(6, false));
testNavigableMap(nm.headMap(5, true));
@@ -742,6 +743,97 @@
equal(it.next(), expected);
}
+ static void equalMaps(Map m1, Map m2) {
+ equal(m1, m2);
+ equal(m2, m1);
+ equal(m1.size(), m2.size());
+ equal(m1.isEmpty(), m2.isEmpty());
+ equal(m1.toString(), m2.toString());
+ check(Arrays.equals(m1.entrySet().toArray(), m2.entrySet().toArray()));
+ }
+
+ @SuppressWarnings({"unchecked", "rawtypes"})
+ static void testNavigableMapRemovers(NavigableMap m)
+ {
+ final Map emptyMap = new HashMap();
+
+ final Map singletonMap = new HashMap();
+ singletonMap.put(1, 2);
+
+ abstract class NavigableMapView {
+ abstract NavigableMap view(NavigableMap m);
+ }
+
+ NavigableMapView[] views = {
+ new NavigableMapView() { NavigableMap view(NavigableMap m) {
+ return m; }},
+ new NavigableMapView() { NavigableMap view(NavigableMap m) {
+ return m.headMap(99, true); }},
+ new NavigableMapView() { NavigableMap view(NavigableMap m) {
+ return m.tailMap(-99, false); }},
+ new NavigableMapView() { NavigableMap view(NavigableMap m) {
+ return m.subMap(-99, true, 99, false); }},
+ };
+
+ abstract class Remover {
+ abstract void remove(NavigableMap m, Object k, Object v);
+ }
+
+ Remover[] removers = {
+ new Remover() { void remove(NavigableMap m, Object k, Object v) {
+ equal(m.remove(k), v); }},
+
+ new Remover() { void remove(NavigableMap m, Object k, Object v) {
+ equal(m.descendingMap().remove(k), v); }},
+ new Remover() { void remove(NavigableMap m, Object k, Object v) {
+ equal(m.descendingMap().headMap(-86, false).remove(k), v); }},
+ new Remover() { void remove(NavigableMap m, Object k, Object v) {
+ equal(m.descendingMap().tailMap(86, true).remove(k), v); }},
+
+ new Remover() { void remove(NavigableMap m, Object k, Object v) {
+ equal(m.headMap(86, true).remove(k), v); }},
+ new Remover() { void remove(NavigableMap m, Object k, Object v) {
+ equal(m.tailMap(-86, true).remove(k), v); }},
+ new Remover() { void remove(NavigableMap m, Object k, Object v) {
+ equal(m.subMap(-86, false, 86, true).remove(k), v); }},
+
+ new Remover() { void remove(NavigableMap m, Object k, Object v) {
+ check(m.keySet().remove(k)); }},
+ new Remover() { void remove(NavigableMap m, Object k, Object v) {
+ check(m.navigableKeySet().remove(k)); }},
+
+ new Remover() { void remove(NavigableMap m, Object k, Object v) {
+ check(m.navigableKeySet().headSet(86, true).remove(k)); }},
+ new Remover() { void remove(NavigableMap m, Object k, Object v) {
+ check(m.navigableKeySet().tailSet(-86, false).remove(k)); }},
+ new Remover() { void remove(NavigableMap m, Object k, Object v) {
+ check(m.navigableKeySet().subSet(-86, true, 86, false)
+ .remove(k)); }},
+
+ new Remover() { void remove(NavigableMap m, Object k, Object v) {
+ check(m.descendingKeySet().headSet(-86, false).remove(k)); }},
+ new Remover() { void remove(NavigableMap m, Object k, Object v) {
+ check(m.descendingKeySet().tailSet(86, true).remove(k)); }},
+ new Remover() { void remove(NavigableMap m, Object k, Object v) {
+ check(m.descendingKeySet().subSet(86, true, -86, false)
+ .remove(k)); }},
+ };
+
+ for (NavigableMapView view : views) {
+ for (Remover remover : removers) {
+ try {
+ m.clear();
+ equalMaps(m, emptyMap);
+ equal(m.put(1, 2), null);
+ equalMaps(m, singletonMap);
+ NavigableMap v = view.view(m);
+ remover.remove(v, 1, 2);
+ equalMaps(m, emptyMap);
+ } catch (Throwable t) { unexpected(t); }
+ }
+ }
+ }
+
private static void testNavigableMap(NavigableMap<Integer,Integer> m)
{
clear(m);
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/java/util/concurrent/Semaphore/RacingReleases.java Mon Mar 30 19:22:27 2009 +0100
@@ -0,0 +1,116 @@
+/*
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+ * CA 95054 USA or visit www.sun.com if you need additional information or
+ * have any questions.
+ */
+
+/*
+ * This file is available under and governed by the GNU General Public
+ * License version 2 only, as published by the Free Software Foundation.
+ * However, the following notice accompanied the original version of this
+ * file:
+ *
+ * Written by Doug Lea with assistance from members of JCP JSR-166
+ * Expert Group and released to the public domain, as explained at
+ * http://creativecommons.org/licenses/publicdomain
+ */
+
+/*
+ * @test
+ * @bug 6801020 6803402
+ * @summary Try to tickle race conditions in
+ * AbstractQueuedSynchronizer "shared" code
+ */
+
+import java.util.concurrent.Semaphore;
+
+public class RacingReleases {
+
+ /** Increase this for better chance of tickling races */
+ static final int iterations = 1000;
+
+ public static void test(final boolean fair,
+ final boolean interruptibly)
+ throws Throwable {
+ for (int i = 0; i < iterations; i++) {
+ final Semaphore sem = new Semaphore(0, fair);
+ final Throwable[] badness = new Throwable[1];
+ Runnable blocker = interruptibly ?
+ new Runnable() {
+ public void run() {
+ try {
+ sem.acquire();
+ } catch (Throwable t) {
+ badness[0] = t;
+ throw new Error(t);
+ }}}
+ :
+ new Runnable() {
+ public void run() {
+ try {
+ sem.acquireUninterruptibly();
+ } catch (Throwable t) {
+ badness[0] = t;
+ throw new Error(t);
+ }}};
+
+ Thread b1 = new Thread(blocker);
+ Thread b2 = new Thread(blocker);
+ Runnable signaller = new Runnable() {
+ public void run() {
+ try {
+ sem.release();
+ } catch (Throwable t) {
+ badness[0] = t;
+ throw new Error(t);
+ }}};
+ Thread s1 = new Thread(signaller);
+ Thread s2 = new Thread(signaller);
+ Thread[] threads = { b1, b2, s1, s2 };
+ java.util.Collections.shuffle(java.util.Arrays.asList(threads));
+ for (Thread thread : threads)
+ thread.start();
+ for (Thread thread : threads) {
+ thread.join(60 * 1000);
+ if (thread.isAlive())
+ throw new Error
+ (String.format
+ ("Semaphore stuck: permits %d, thread waiting %s%n",
+ sem.availablePermits(),
+ sem.hasQueuedThreads() ? "true" : "false"));
+ }
+ if (badness[0] != null)
+ throw new Error(badness[0]);
+ if (sem.availablePermits() != 0)
+ throw new Error(String.valueOf(sem.availablePermits()));
+ if (sem.hasQueuedThreads())
+ throw new Error(String.valueOf(sem.hasQueuedThreads()));
+ if (sem.getQueueLength() != 0)
+ throw new Error(String.valueOf(sem.getQueueLength()));
+ if (sem.isFair() != fair)
+ throw new Error(String.valueOf(sem.isFair()));
+ }
+ }
+
+ public static void main(String[] args) throws Throwable {
+ for (boolean fair : new boolean[] { true, false })
+ for (boolean interruptibly : new boolean[] { true, false })
+ test(fair, interruptibly);
+ }
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/jdk/test/sun/security/tools/jarsigner/concise_jarsigner.sh Mon Mar 30 19:22:27 2009 +0100
@@ -0,0 +1,200 @@
+#
+# Copyright 2009 Sun Microsystems, Inc. All Rights Reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
+# CA 95054 USA or visit www.sun.com if you need additional information or
+# have any questions.
+#
+
+# @test
+# @bug 6802846
+# @summary jarsigner needs enhanced cert validation(options)
+#
+# @run shell concise_jarsigner.sh
+#
+
+if [ "${TESTJAVA}" = "" ] ; then
+ JAVAC_CMD=`which javac`
+ TESTJAVA=`dirname $JAVAC_CMD`/..
+fi
+
+# set platform-dependent variables
+OS=`uname -s`
+case "$OS" in
+ Windows_* )
+ FS="\\"
+ ;;
+ * )
+ FS="/"
+ ;;
+esac
+
+KT="$TESTJAVA${FS}bin${FS}keytool -storepass changeit -keypass changeit -keystore js.jks"
+JAR=$TESTJAVA${FS}bin${FS}jar
+JARSIGNER=$TESTJAVA${FS}bin${FS}jarsigner
+JAVAC=$TESTJAVA${FS}bin${FS}javac
+
+rm js.jks
+
+echo class A1 {} > A1.java
+echo class A2 {} > A2.java
+echo class A3 {} > A3.java
+echo class A4 {} > A4.java
+echo class A5 {} > A5.java
+echo class A6 {} > A6.java
+
+$JAVAC A1.java A2.java A3.java A4.java A5.java A6.java
+YEAR=`date +%Y`
+
+# ==========================================================
+# First part: output format
+# ==========================================================
+
+$KT -genkeypair -alias a1 -dname CN=a1 -validity 365
+$KT -genkeypair -alias a2 -dname CN=a2 -validity 365
+
+# a.jar includes 8 unsigned, 2 signed by a1 and a2, 2 signed by a3
+$JAR cvf a.jar A1.class A2.class
+$JARSIGNER -keystore js.jks -storepass changeit a.jar a1
+$JAR uvf a.jar A3.class A4.class
+$JARSIGNER -keystore js.jks -storepass changeit a.jar a2
+$JAR uvf a.jar A5.class A6.class
+
+# Verify OK
+$JARSIGNER -verify a.jar
+[ $? = 0 ] || exit $LINENO
+
+# 4(chainNotValidated)+16(hasUnsignedEntry)+32(aliasNotInStore)
+$JARSIGNER -verify a.jar -strict
+[ $? = 52 ] || exit $LINENO
+
+# 16(hasUnsignedEntry)
+$JARSIGNER -verify a.jar -strict -keystore js.jks
+[ $? = 16 ] || exit $LINENO
+
+# 16(hasUnsignedEntry)+32(notSignedByAlias)
+$JARSIGNER -verify a.jar a1 -strict -keystore js.jks
+[ $? = 48 ] || exit $LINENO
+
+# 16(hasUnsignedEntry)
+$JARSIGNER -verify a.jar a1 a2 -strict -keystore js.jks
+[ $? = 16 ] || exit $LINENO
+
+# 12 entries all together
+LINES=`$JARSIGNER -verify a.jar -verbose | grep $YEAR | wc -l`
+[ $LINES = 12 ] || exit $LINENO
+
+# 12 entries all listed
+LINES=`$JARSIGNER -verify a.jar -verbose:grouped | grep $YEAR | wc -l`
+[ $LINES = 12 ] || exit $LINENO
+
+# 3 groups: unrelated, signed, unsigned
+LINES=`$JARSIGNER -verify a.jar -verbose:summary | grep $YEAR | wc -l`
+[ $LINES = 3 ] || exit $LINENO
+
+# 4 groups: unrelated, signed by a1/a2, signed by a2, unsigned
+LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep $YEAR | wc -l`
+[ $LINES = 4 ] || exit $LINENO
+
+# 2*2 for A1/A2, 2 for A3/A4
+LINES=`$JARSIGNER -verify a.jar -verbose -certs | grep "\[certificate" | wc -l`
+[ $LINES = 6 ] || exit $LINENO
+
+# a1,a2 for A1/A2, a2 for A3/A4
+LINES=`$JARSIGNER -verify a.jar -verbose:grouped -certs | grep "\[certificate" | wc -l`
+[ $LINES = 3 ] || exit $LINENO
+
+# a1,a2 for A1/A2, a2 for A3/A4
+LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep "\[certificate" | wc -l`
+[ $LINES = 3 ] || exit $LINENO
+
+# 4 groups
+LINES=`$JARSIGNER -verify a.jar -verbose:summary -certs | grep "more)" | wc -l`
+[ $LINES = 4 ] || exit $LINENO
+
+# ==========================================================
+# Second part: exit code 2, 4, 8
+# 16 and 32 already covered in the first part
+# ==========================================================
+
+$KT -genkeypair -alias expiring -dname CN=expiring -startdate -1m
+$KT -genkeypair -alias expired -dname CN=expired -startdate -10m
+$KT -genkeypair -alias notyetvalid -dname CN=notyetvalid -startdate +1m
+$KT -genkeypair -alias badku -dname CN=badku -ext KU=cRLSign -validity 365
+$KT -genkeypair -alias badeku -dname CN=badeku -ext EKU=sa -validity 365
+$KT -genkeypair -alias goodku -dname CN=goodku -ext KU=dig -validity 365
+$KT -genkeypair -alias goodeku -dname CN=goodeku -ext EKU=codesign -validity 365
+
+# badchain signed by ca, but ca is removed later
+$KT -genkeypair -alias badchain -dname CN=badchain -validity 365
+$KT -genkeypair -alias ca -dname CN=ca -ext bc -validity 365
+$KT -certreq -alias badchain | $KT -gencert -alias ca -validity 365 | \
+ $KT -importcert -alias badchain
+$KT -delete -alias ca
+
+$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar expiring
+[ $? = 2 ] || exit $LINENO
+
+$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar expired
+[ $? = 4 ] || exit $LINENO
+
+$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar notyetvalid
+[ $? = 4 ] || exit $LINENO
+
+$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar badku
+[ $? = 8 ] || exit $LINENO
+
+$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar badeku
+[ $? = 8 ] || exit $LINENO
+
+$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar goodku
+[ $? = 0 ] || exit $LINENO
+
+$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar goodeku
+[ $? = 0 ] || exit $LINENO
+
+$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar badchain
+[ $? = 4 ] || exit $LINENO
+
+$JARSIGNER -verify a.jar
+[ $? = 0 ] || exit $LINENO
+
+# ==========================================================
+# Third part: -certchain test
+# ==========================================================
+
+# altchain signed by ca2, but ca2 is removed later
+$KT -genkeypair -alias altchain -dname CN=altchain -validity 365
+$KT -genkeypair -alias ca2 -dname CN=ca2 -ext bc -validity 365
+$KT -certreq -alias altchain | $KT -gencert -alias ca2 -validity 365 -rfc > certchain
+$KT -exportcert -alias ca2 -rfc >> certchain
+$KT -delete -alias ca2
+
+# Now altchain is still self-signed
+$JARSIGNER -strict -keystore js.jks -storepass changeit a.jar altchain
+[ $? = 0 ] || exit $LINENO
+
+# If -certchain is used, then it's bad
+$JARSIGNER -strict -keystore js.jks -storepass changeit -certchain certchain a.jar altchain
+[ $? = 4 ] || exit $LINENO
+
+$JARSIGNER -verify a.jar
+[ $? = 0 ] || exit $LINENO
+
+echo OK
+exit 0