author | weijun |
Thu, 07 Jun 2018 23:19:25 +0800 | |
branch | JDK-8145252-TLS13-branch |
changeset 56692 | 7b0bde908f58 |
parent 56686 | 07dc566630ee |
child 56693 | 64aa781522be |
--- a/src/java.base/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java Wed Jun 06 23:53:47 2018 -0700 +++ b/src/java.base/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java Thu Jun 07 23:19:25 2018 +0800 @@ -95,7 +95,7 @@ premasterMajor = premaster[0] & 0xff; premasterMinor = premaster[1] & 0xff; } else { - // DH, KRB5, others + // DH, others premasterMajor = -1; premasterMinor = -1; }
--- a/src/java.base/share/classes/com/sun/net/ssl/internal/www/protocol/https/DelegateHttpsURLConnection.java Wed Jun 06 23:53:47 2018 -0700 +++ b/src/java.base/share/classes/com/sun/net/ssl/internal/www/protocol/https/DelegateHttpsURLConnection.java Thu Jun 07 23:19:25 2018 +0800 @@ -113,27 +113,19 @@ * In com.sun.net.ssl.HostnameVerifier the method is defined * as verify(String urlHostname, String certHostname). * This means we need to extract the hostname from the X.509 certificate - * or from the Kerberos principal name, in this wrapper. + * in this wrapper. */ public boolean verify(String hostname, javax.net.ssl.SSLSession session) { try { - String serverName; - // Use ciphersuite to determine whether Kerberos is active. - if (session.getCipherSuite().startsWith("TLS_KRB5")) { - serverName = - HostnameChecker.getServerName(getPeerPrincipal(session)); - - } else { // X.509 - Certificate[] serverChain = session.getPeerCertificates(); - if ((serverChain == null) || (serverChain.length == 0)) { - return false; - } - if (serverChain[0] instanceof X509Certificate == false) { - return false; - } - X509Certificate serverCert = (X509Certificate)serverChain[0]; - serverName = getServername(serverCert); + Certificate[] serverChain = session.getPeerCertificates(); + if ((serverChain == null) || (serverChain.length == 0)) { + return false; } + if (serverChain[0] instanceof X509Certificate == false) { + return false; + } + X509Certificate serverCert = (X509Certificate)serverChain[0]; + String serverName = getServername(serverCert); if (serverName == null) { return false; } @@ -144,23 +136,6 @@ } /* - * Get the peer principal from the session - */ - private Principal getPeerPrincipal(javax.net.ssl.SSLSession session) - throws javax.net.ssl.SSLPeerUnverifiedException - { - Principal principal; - try { - principal = session.getPeerPrincipal(); - } catch (AbstractMethodError e) { - // if the provider does not support it, return null, since - // we need it only for Kerberos. - principal = null; - } - return principal; - } - - /* * Extract the name of the SSL server from the certificate. * * Note this code is essentially a subset of the hostname extraction
--- a/src/java.base/share/classes/sun/net/www/protocol/https/HttpsClient.java Wed Jun 06 23:53:47 2018 -0700 +++ b/src/java.base/share/classes/sun/net/www/protocol/https/HttpsClient.java Thu Jun 07 23:19:25 2018 +0800 @@ -608,26 +608,17 @@ HostnameChecker checker = HostnameChecker.getInstance( HostnameChecker.TYPE_TLS); - // Use ciphersuite to determine whether Kerberos is present. - if (cipher.startsWith("TLS_KRB5")) { - if (!HostnameChecker.match(host, getPeerPrincipal())) { - throw new SSLPeerUnverifiedException("Hostname checker" + - " failed for Kerberos"); - } - } else { // X.509 + // get the subject's certificate + peerCerts = session.getPeerCertificates(); - // get the subject's certificate - peerCerts = session.getPeerCertificates(); - - X509Certificate peerCert; - if (peerCerts[0] instanceof - java.security.cert.X509Certificate) { - peerCert = (java.security.cert.X509Certificate)peerCerts[0]; - } else { - throw new SSLPeerUnverifiedException(""); - } - checker.match(host, peerCert); + X509Certificate peerCert; + if (peerCerts[0] instanceof + java.security.cert.X509Certificate) { + peerCert = (java.security.cert.X509Certificate)peerCerts[0]; + } else { + throw new SSLPeerUnverifiedException(""); } + checker.match(host, peerCert); // if it doesn't throw an exception, we passed. Return. return;
--- a/src/java.base/share/classes/sun/security/ssl/CipherSuite.java Wed Jun 06 23:53:47 2018 -0700 +++ b/src/java.base/share/classes/sun/security/ssl/CipherSuite.java Thu Jun 07 23:19:25 2018 +0800 @@ -290,17 +290,13 @@ // by default. // They are listed in preference order, preferred first, using the // following criteria: - // 1. CipherSuites for KRB5 need additional KRB5 service - // configuration, and these suites are not common in practice, - // so we put KRB5 based cipher suites at the end of the supported - // list. - // 2. If a cipher suite has been obsoleted, we put it at the end of + // 1. If a cipher suite has been obsoleted, we put it at the end of // the list. - // 3. Prefer the stronger bulk cipher, in the order of AES_256, + // 2. Prefer the stronger bulk cipher, in the order of AES_256, // AES_128, 3DES-EDE, RC-4, DES, DES40, RC4_40, NULL. - // 4. Prefer the stronger MAC algorithm, in the order of SHA384, + // 3. Prefer the stronger MAC algorithm, in the order of SHA384, // SHA256, SHA, MD5. - // 5. Prefer the better performance of key exchange and digital + // 4. Prefer the better performance of key exchange and digital // signature algorithm, in the order of ECDHE-ECDSA, ECDHE-RSA, // RSA, ECDH-ECDSA, ECDH-RSA, DHE-RSA, DHE-DSS, anonymous. TLS_DH_anon_WITH_AES_256_GCM_SHA384( @@ -456,48 +452,6 @@ ProtocolVersion.PROTOCOLS_TO_12, K_RSA, B_NULL, M_MD5, H_SHA256), - // supported Kerberos ciphersuites from RFC2712 - TLS_KRB5_WITH_3DES_EDE_CBC_SHA( - 0x001F, false, "TLS_KRB5_WITH_3DES_EDE_CBC_SHA", "", - ProtocolVersion.PROTOCOLS_TO_T12, - K_KRB5, B_3DES, M_SHA, H_SHA256), - TLS_KRB5_WITH_3DES_EDE_CBC_MD5( - 0x0023, false, "TLS_KRB5_WITH_3DES_EDE_CBC_MD5", "", - ProtocolVersion.PROTOCOLS_TO_T12, - K_KRB5, B_3DES, M_MD5, H_SHA256), - TLS_KRB5_WITH_RC4_128_SHA( - 0x0020, false, "TLS_KRB5_WITH_RC4_128_SHA", "", - ProtocolVersion.PROTOCOLS_TO_T12, - K_KRB5, B_RC4_128, M_SHA, H_SHA256), - TLS_KRB5_WITH_RC4_128_MD5( - 0x0024, false, "TLS_KRB5_WITH_RC4_128_MD5", "", - ProtocolVersion.PROTOCOLS_TO_T12, - K_KRB5, B_RC4_128, M_MD5, H_SHA256), - TLS_KRB5_WITH_DES_CBC_SHA( - 0x001e, false, "TLS_KRB5_WITH_DES_CBC_SHA", "", - ProtocolVersion.PROTOCOLS_TO_T11, - K_KRB5, B_DES, M_SHA, H_NONE), - TLS_KRB5_WITH_DES_CBC_MD5( - 0x0022, false, "TLS_KRB5_WITH_DES_CBC_MD5", "", - ProtocolVersion.PROTOCOLS_TO_T11, - K_KRB5, B_DES, M_MD5, H_NONE), - TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA( - 0x0026, false, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", "", - ProtocolVersion.PROTOCOLS_TO_T10, - K_KRB5_EXPORT, B_DES_40, M_SHA, H_NONE), - TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5( - 0x0029, false, "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", "", - ProtocolVersion.PROTOCOLS_TO_T10, - K_KRB5_EXPORT, B_DES_40, M_MD5, H_NONE), - TLS_KRB5_EXPORT_WITH_RC4_40_SHA( - 0x0028, false, "TLS_KRB5_EXPORT_WITH_RC4_40_SHA", "", - ProtocolVersion.PROTOCOLS_TO_T10, - K_KRB5_EXPORT, B_RC4_40, M_SHA, H_NONE), - TLS_KRB5_EXPORT_WITH_RC4_40_MD5( - 0x002B, false, "TLS_KRB5_EXPORT_WITH_RC4_40_MD5", "", - ProtocolVersion.PROTOCOLS_TO_T10, - K_KRB5_EXPORT, B_RC4_40, M_MD5, H_NONE), - // Other values from the TLS Cipher Suite Registry, as of August 2010. // // http://www.iana.org/assignments/tls-parameters/tls-parameters.xml @@ -543,10 +497,20 @@ CS_FEFF("SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA", 0xfeff), // Unsupported Kerberos cipher suites from RFC 2712 + CS_001E("TLS_KRB5_WITH_DES_CBC_SHA", 0x001E), + CS_001F("TLS_KRB5_WITH_3DES_EDE_CBC_SHA", 0x001F), + CS_0020("TLS_KRB5_WITH_RC4_128_SHA", 0x0020), CS_0021("TLS_KRB5_WITH_IDEA_CBC_SHA", 0x0021), + CS_0022("TLS_KRB5_WITH_DES_CBC_MD5", 0x0022), + CS_0023("TLS_KRB5_WITH_3DES_EDE_CBC_MD5", 0x0023), + CS_0024("TLS_KRB5_WITH_RC4_128_MD5", 0x0024), CS_0025("TLS_KRB5_WITH_IDEA_CBC_MD5", 0x0025), + CS_0026("TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", 0x0026), CS_0027("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA", 0x0027), + CS_0028("TLS_KRB5_EXPORT_WITH_RC4_40_SHA", 0x0028), + CS_0029("TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", 0x0029), CS_002A("TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5", 0x002a), + CS_002B("TLS_KRB5_EXPORT_WITH_RC4_40_MD5", 0x002B), // Unsupported cipher suites from RFC 4162 CS_0096("TLS_RSA_WITH_SEED_CBC_SHA", 0x0096), @@ -1046,10 +1010,6 @@ K_ECDHE_RSA ("ECDHE_RSA", true, false, NAMED_GROUP_ECDHE), K_ECDH_ANON ("ECDH_anon", true, true, NAMED_GROUP_ECDHE), - // Kerberos cipher suites - K_KRB5 ("KRB5", true, false, NAMED_GROUP_NONE), - K_KRB5_EXPORT("KRB5_EXPORT", true, false, NAMED_GROUP_NONE), - // renegotiation protection request signaling cipher suite K_SCSV ("SCSV", true, true, NAMED_GROUP_NONE); @@ -1069,8 +1029,7 @@ this.allowed = allowed; } this.groupType = groupType; - this.alwaysAvailable = allowed && - (!name.startsWith("EC")) && (!name.startsWith("KRB")); + this.alwaysAvailable = allowed && (!name.startsWith("EC")); this.isAnonymous = isAnonymous; } @@ -1081,8 +1040,6 @@ if (groupType == NAMED_GROUP_ECDHE) { return (allowed && JsseJce.isEcAvailable()); - } else if (name.startsWith("KRB")) { - return (allowed && JsseJce.isKerberosAvailable()); } else { return allowed; }
--- a/src/java.base/share/classes/sun/security/ssl/JsseJce.java Wed Jun 06 23:53:47 2018 -0700 +++ b/src/java.base/share/classes/sun/security/ssl/JsseJce.java Thu Jun 07 23:19:25 2018 +0800 @@ -164,10 +164,6 @@ return EcAvailability.isAvailable; } - static boolean isKerberosAvailable() { - return false; - } - /** * Return an JCE cipher implementation for the specified algorithm. */
--- a/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java Wed Jun 06 23:53:47 2018 -0700 +++ b/src/java.base/share/classes/sun/security/ssl/SSLSessionImpl.java Thu Jun 07 23:19:25 2018 +0800 @@ -558,8 +558,8 @@ * Return the cert chain presented by the peer in the * java.security.cert format. * Note: This method can be used only when using certificate-based - * cipher suites; using it with non-certificate-based cipher suites, - * such as Kerberos, will throw an SSLPeerUnverifiedException. + * cipher suites; using it with non-certificate-based cipher suites + * will throw an SSLPeerUnverifiedException. * * @return array of peer X.509 certs, with the peer's own cert * first in the chain, and with the "root" CA last. @@ -604,8 +604,8 @@ * Return the cert chain presented by the peer in the * javax.security.cert format. * Note: This method can be used only when using certificate-based - * cipher suites; using it with non-certificate-based cipher suites, - * such as Kerberos, will throw an SSLPeerUnverifiedException. + * cipher suites; using it with non-certificate-based cipher suites + * will throw an SSLPeerUnverifiedException. * * @return array of peer X.509 certs, with the peer's own cert * first in the chain, and with the "root" CA last. @@ -646,8 +646,8 @@ /** * Return the cert chain presented by the peer. * Note: This method can be used only when using certificate-based - * cipher suites; using it with non-certificate-based cipher suites, - * such as Kerberos, will throw an SSLPeerUnverifiedException. + * cipher suites; using it with non-certificate-based cipher suites + * will throw an SSLPeerUnverifiedException. * * @return array of peer X.509 certs, with the peer's own cert * first in the chain, and with the "root" CA last. @@ -695,8 +695,7 @@ * defining the session. * * @return the peer's principal. Returns an X500Principal of the - * end-entity certificate for X509-based cipher suites, and - * Principal for Kerberos cipher suites, etc. + * end-entity certificate for X509-based cipher suites. * * @throws SSLPeerUnverifiedException if the peer's identity has not * been verified @@ -715,9 +714,8 @@ * Returns the principal that was sent to the peer during handshaking. * * @return the principal sent to the peer. Returns an X500Principal - * of the end-entity certificate for X509-based cipher suites, and - * Principal for Kerberos cipher suites, etc. If no principal was - * sent, then null is returned. + * of the end-entity certificate for X509-based cipher suites. + * If no principal was sent, then null is returned. */ @Override public Principal getLocalPrincipal() {
--- a/src/java.base/share/classes/sun/security/util/HostnameChecker.java Wed Jun 06 23:53:47 2018 -0700 +++ b/src/java.base/share/classes/sun/security/util/HostnameChecker.java Thu Jun 07 23:19:25 2018 +0800 @@ -104,29 +104,6 @@ } /** - * Perform the check for Kerberos. - */ - public static boolean match(String expectedName, Principal principal) { - String hostName = getServerName(principal); - return (expectedName.equalsIgnoreCase(hostName)); - } - - /** - * Return the Server name from Kerberos principal. - */ - public static String getServerName(Principal principal) { -/* - ClientKeyExchangeService p = - ClientKeyExchangeService.find("KRB5"); - if (p == null) { - throw new AssertionError("Kerberos should have been available"); - } - return p.getServiceHostName(principal); -*/ - return null; - } - - /** * Test whether the given hostname looks like a literal IPv4 or IPv6 * address. The hostname does not need to be a fully qualified name. *