--- a/jdk/src/share/classes/java/lang/ClassLoader.java Tue Mar 15 20:00:45 2011 -0400
+++ b/jdk/src/share/classes/java/lang/ClassLoader.java Wed Mar 16 05:29:27 2011 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1994, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1994, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -1626,20 +1626,28 @@
* @since 1.2
*/
protected Package getPackage(String name) {
+ Package pkg;
synchronized (packages) {
- Package pkg = packages.get(name);
- if (pkg == null) {
- if (parent != null) {
- pkg = parent.getPackage(name);
- } else {
- pkg = Package.getSystemPackage(name);
- }
- if (pkg != null) {
- packages.put(name, pkg);
+ pkg = packages.get(name);
+ }
+ if (pkg == null) {
+ if (parent != null) {
+ pkg = parent.getPackage(name);
+ } else {
+ pkg = Package.getSystemPackage(name);
+ }
+ if (pkg != null) {
+ synchronized (packages) {
+ Package pkg2 = packages.get(name);
+ if (pkg2 == null) {
+ packages.put(name, pkg);
+ } else {
+ pkg = pkg2;
+ }
}
}
- return pkg;
}
+ return pkg;
}
/**
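Review bot: The reason `parent.getPackage(name)` now runs outside `synchronized (packages)` is not recorded anywhere in the method, so a later maintainer could fold it back under the lock; the motivation looks like avoiding nested acquisition of two loaders' `packages` locks, but that is inferred rather than visible in this hunk. I would put above the unlocked `if (pkg == null)`: `// Ask the parent (or the system packages) without holding our lock: the parent locks its own packages map, and nesting the two across loaders could deadlock.` The second `synchronized` block's `pkg2` re-check is what keeps concurrent callers consistent, since two threads may both compute a Package for the same name and only the first `put` wins; a one-line `// another thread may have installed a Package for this name meanwhile; keep the first one` would make that intent explicit.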
--- a/jdk/src/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java Tue Mar 15 20:00:45 2011 -0400
+++ b/jdk/src/share/classes/sun/security/provider/certpath/AdaptableX509CertSelector.java Wed Mar 16 05:29:27 2011 -0400
@@ -46,10 +46,16 @@
*/
class AdaptableX509CertSelector extends X509CertSelector {
// The start date of a validity period.
- private Date startDate = null;
+ private Date startDate;
// The end date of a validity period.
- private Date endDate = null;
+ private Date endDate;
+
+ // Is subject key identifier sensitive?
+ private boolean isSKIDSensitive = false;
+
+ // Is serial number sensitive?
+ private boolean isSNSensitive = false;
AdaptableX509CertSelector() {
super();
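Review bot: The new field comments `// Is subject key identifier sensitive?` and `// Is serial number sensitive?` do not say what "sensitive" means or who sets the flags, which is exactly what a reader of `match()` needs; I would write `// true when the SKID criterion was derived from an issuer AKID rather than set by the caller; match() may then drop it for certificates that cannot carry a SKID extension` and the analogous text for the serial number. The `= false` initializers on the two new booleans are redundant in the same way the `= null` initializers removed two lines above were; dropping them keeps the field block consistent with the rest of this change.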
@@ -97,15 +103,24 @@
if (akidext != null) {
KeyIdentifier akid = (KeyIdentifier)akidext.get(akidext.KEY_ID);
if (akid != null) {
- DerOutputStream derout = new DerOutputStream();
- derout.putOctetString(akid.getIdentifier());
- super.setSubjectKeyIdentifier(derout.toByteArray());
+ // Do not override the previous setting
+ if (getSubjectKeyIdentifier() == null) {
+ DerOutputStream derout = new DerOutputStream();
+ derout.putOctetString(akid.getIdentifier());
+ super.setSubjectKeyIdentifier(derout.toByteArray());
+
+ isSKIDSensitive = true;
+ }
}
SerialNumber asn =
(SerialNumber)akidext.get(akidext.SERIAL_NUMBER);
if (asn != null) {
- super.setSerialNumber(asn.getNumber());
+ // Do not override the previous setting
+ if (getSerialNumber() == null) {
+ super.setSerialNumber(asn.getNumber());
+ isSNSensitive = true;
+ }
}
// the subject criterion should be set by the caller.
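Review bot: `isSKIDSensitive` and `isSNSensitive` are set here when the criterion was absent, but nothing in the hunk ever resets them, so if a caller sets the serial number or SKID explicitly after this method runs, `match()` (third hunk of this file) will still discard that explicit criterion for version 1 and 2 certificates. Whether the class overrides `setSerialNumber`/`setSubjectKeyIdentifier` to clear the flags is not visible, and the enclosing method starts before this hunk. If the intended contract is that explicit criteria are set before this method, that ordering requirement belongs in the class Javadoc; otherwise overriding the two setters to reset the corresponding flag would make each flag track its real meaning. The duplicated `// Do not override the previous setting` would also read better as `// Keep a criterion the caller already set; only fill in from the AKID when none was given`.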
@@ -148,11 +163,25 @@
}
}
- if (version < 3 || xcert.getExtensionValue("2.5.29.14") == null) {
- // If no SubjectKeyIdentifier extension, don't bother to check it.
+ // If no SubjectKeyIdentifier extension, don't bother to check it.
+ if (isSKIDSensitive &&
+ (version < 3 || xcert.getExtensionValue("2.5.29.14") == null)) {
setSubjectKeyIdentifier(null);
}
+ // In practice, a CA may replace its root certificate and require that
+ // the existing certificate is still valid, even if the AKID extension
+ // does not match the replacement root certificate fields.
+ //
+ // Conservatively, we only support the replacement for version 1 and
+ // version 2 certificate. As for version 2, the certificate extension
+ // may contain sensitive information (for example, policies), the
+ // AKID need to be respected to seek the exact certificate in case
+ // of key or certificate abuse.
+ if (isSNSensitive && version < 3) {
+ setSerialNumber(null);
+ }
+
return super.match(cert);
}
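Review bot: `setSerialNumber(null)` on the new line 114 (like the pre-existing `setSubjectKeyIdentifier(null)` on line 102) mutates the selector inside `match()`, so the relaxation is sticky: once one version 1 or 2 candidate has been tested, every later candidate, version 3 certificates included, is matched without the AKID-derived serial number, and the cleared value is never restored. If the selector is reused across a candidate set (ForwardBuilder in this same patch calls `sel.match(trustedCert)` in a loop; whether that `sel` is this class is not visible), the relaxation widens matching beyond the single certificate the comment describes. Saving the criterion before clearing it and restoring it in a `finally` around `super.match(cert)`, or matching on a copy of the selector, would keep the relaxation per-call. Separately, `// If no SubjectKeyIdentifier extension, don't bother to check it.` now describes only half of the condition below it; `// Relax an AKID-derived SKID criterion only when the candidate cannot carry a SKID extension` would match the code.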
--- a/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java Tue Mar 15 20:00:45 2011 -0400
+++ b/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java Wed Mar 16 05:29:27 2011 -0400
@@ -243,12 +243,6 @@
caTargetSelector.setPolicy(getMatchingPolicies());
}
- /*
- * Require CA certs with a pathLenConstraint that allows
- * at least as many CA certs that have already been traversed
- */
- caTargetSelector.setBasicConstraints(currentState.traversedCACerts);
-
sel = caTargetSelector;
} else {
@@ -283,12 +277,6 @@
(caSelector, currentState.subjectNamesTraversed);
/*
- * Require CA certs with a pathLenConstraint that allows
- * at least as many CA certs that have already been traversed
- */
- caSelector.setBasicConstraints(currentState.traversedCACerts);
-
- /*
* Facilitate certification path construction with authority
* key identifier and subject key identifier.
*/
@@ -305,6 +293,14 @@
sel = caSelector;
}
+ /*
+ * For compatibility, conservatively, we don't check the path
+ * length constraint of trusted anchors. Please don't set the
+ * basic constraints criterion unless the trusted certificate
+ * matching is completed.
+ */
+ sel.setBasicConstraints(-1);
+
for (X509Certificate trustedCert : trustedCerts) {
if (sel.match(trustedCert)) {
if (debug != null) {
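Review bot: The comment's `Please don't set the basic constraints criterion unless the trusted certificate matching is completed` reads as the opposite of its intent; `until` is the word wanted, e.g. `Do not set the basic constraints criterion until trusted-certificate matching is complete`. The invariant now lives in two places, `-1` here and `currentState.traversedCACerts` in the next hunk after `sel.setCertificateValid(date)`, with only this comment guarding the order, so I would also say here that the path-length criterion is re-enabled below for the non-trusted lookup. As I read RFC 5280 §6.1, a trust anchor's own certificate fields are inputs to validation rather than part of the validated path, so skipping its pathLenConstraint is consistent with the standard and not merely a compatibility concession; stating that would explain why `-1` is safe.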
@@ -324,6 +320,12 @@
sel.setCertificateValid(date);
/*
+ * Require CA certs with a pathLenConstraint that allows
+ * at least as many CA certs that have already been traversed
+ */
+ sel.setBasicConstraints(currentState.traversedCACerts);
+
+ /*
* If we have already traversed as many CA certs as the maxPathLength
* will allow us to, then we don't bother looking through these
* certificate pairs. If maxPathLength has a value of -1, this
--- a/jdk/src/share/classes/sun/security/ssl/ClientHandshaker.java Tue Mar 15 20:00:45 2011 -0400
+++ b/jdk/src/share/classes/sun/security/ssl/ClientHandshaker.java Wed Mar 16 05:29:27 2011 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -378,7 +378,8 @@
if (!isNegotiable(mesgVersion)) {
throw new SSLHandshakeException(
"Server chose " + mesgVersion +
- ", but client does not support or disables " + mesgVersion);
+ ", but that protocol version is not enabled or not supported " +
+ "by the client.");
}
handshakeHash.protocolDetermined(mesgVersion);
--- a/jdk/src/share/classes/sun/security/ssl/SunJSSE.java Tue Mar 15 20:00:45 2011 -0400
+++ b/jdk/src/share/classes/sun/security/ssl/SunJSSE.java Wed Mar 16 05:29:27 2011 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1999, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -195,6 +195,8 @@
"sun.security.ssl.KeyManagerFactoryImpl$SunX509");
put("KeyManagerFactory.NewSunX509",
"sun.security.ssl.KeyManagerFactoryImpl$X509");
+ put("Alg.Alias.KeyManagerFactory.PKIX", "NewSunX509");
+
put("TrustManagerFactory.SunX509",
"sun.security.ssl.TrustManagerFactoryImpl$SimpleFactory");
put("TrustManagerFactory.PKIX",
--- a/jdk/test/sun/security/ssl/javax/net/ssl/GetInstance.java Tue Mar 15 20:00:45 2011 -0400
+++ b/jdk/test/sun/security/ssl/javax/net/ssl/GetInstance.java Wed Mar 16 05:29:27 2011 -0400
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -23,8 +23,9 @@
/*
* @test
- * @bug 4898428
+ * @bug 4898428 7022855
* @summary verify getInstance() works using Provider.getService()
+ * Export "PKIX" as the standard algorithm name of KeyManagerFactory
* @author Andreas Sterbenz
*/
@@ -61,6 +62,20 @@
kmf = KeyManagerFactory.getInstance("SunX509", p);
same(p, kmf.getProvider());
+ kmf = KeyManagerFactory.getInstance("NewSunX509");
+ same(p, kmf.getProvider());
+ kmf = KeyManagerFactory.getInstance("NewSunX509", "SunJSSE");
+ same(p, kmf.getProvider());
+ kmf = KeyManagerFactory.getInstance("NewSunX509", p);
+ same(p, kmf.getProvider());
+
+ kmf = KeyManagerFactory.getInstance("PKIX");
+ same(p, kmf.getProvider());
+ kmf = KeyManagerFactory.getInstance("PKIX", "SunJSSE");
+ same(p, kmf.getProvider());
+ kmf = KeyManagerFactory.getInstance("PKIX", p);
+ same(p, kmf.getProvider());
+
TrustManagerFactory tmf;
tmf = TrustManagerFactory.getInstance("SunX509");
same(p, tmf.getProvider());
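Review bot: The new checks here and in the next hunk (`PKIX`, `SunPKIX`, `X509`, `X.509`) repeat the same three-call pattern per algorithm name, so each addition is a six-line copy-paste; a small helper per factory type would keep the test readable and make it obvious that every name is probed the same three ways. Each check asserts only the provider identity; asserting that `getAlgorithm()` returns the requested name as well would catch an alias that resolves but reports a different name. Assuming `same` is static and `java.security.Provider` is imported, the rewrite below replaces the two new blocks and adds the helpers next to `same`.
```java
// … unchanged: SunX509 KeyManagerFactory checks …
checkKmf(p, "NewSunX509");
checkKmf(p, "PKIX");
// … unchanged: SunX509 TrustManagerFactory checks …
for (String alg : new String[] {"PKIX", "SunPKIX", "X509", "X.509"}) {
    checkTmf(p, alg);
}
// … unchanged: rest of main …

// Obtains the factory by name, by provider name and by provider object; each must come from p.
private static void checkKmf(Provider p, String alg) throws Exception {
    same(p, KeyManagerFactory.getInstance(alg).getProvider());
    same(p, KeyManagerFactory.getInstance(alg, "SunJSSE").getProvider());
    same(p, KeyManagerFactory.getInstance(alg, p).getProvider());
}

private static void checkTmf(Provider p, String alg) throws Exception {
    same(p, TrustManagerFactory.getInstance(alg).getProvider());
    same(p, TrustManagerFactory.getInstance(alg, "SunJSSE").getProvider());
    same(p, TrustManagerFactory.getInstance(alg, p).getProvider());
}
```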
@@ -69,6 +84,34 @@
tmf = TrustManagerFactory.getInstance("SunX509", p);
same(p, tmf.getProvider());
+ tmf = TrustManagerFactory.getInstance("PKIX");
+ same(p, tmf.getProvider());
+ tmf = TrustManagerFactory.getInstance("PKIX", "SunJSSE");
+ same(p, tmf.getProvider());
+ tmf = TrustManagerFactory.getInstance("PKIX", p);
+ same(p, tmf.getProvider());
+
+ tmf = TrustManagerFactory.getInstance("SunPKIX");
+ same(p, tmf.getProvider());
+ tmf = TrustManagerFactory.getInstance("SunPKIX", "SunJSSE");
+ same(p, tmf.getProvider());
+ tmf = TrustManagerFactory.getInstance("SunPKIX", p);
+ same(p, tmf.getProvider());
+
+ tmf = TrustManagerFactory.getInstance("X509");
+ same(p, tmf.getProvider());
+ tmf = TrustManagerFactory.getInstance("X509", "SunJSSE");
+ same(p, tmf.getProvider());
+ tmf = TrustManagerFactory.getInstance("X509", p);
+ same(p, tmf.getProvider());
+
+ tmf = TrustManagerFactory.getInstance("X.509");
+ same(p, tmf.getProvider());
+ tmf = TrustManagerFactory.getInstance("X.509", "SunJSSE");
+ same(p, tmf.getProvider());
+ tmf = TrustManagerFactory.getInstance("X.509", p);
+ same(p, tmf.getProvider());
+
testComSun();
long stop = System.currentTimeMillis();