Mercurial > hg > icedtea8-forest > jdk
changeset 14759:2207d468c781 icedtea-3.17.1
Merge jdk8u275-ga
author | Andrew John Hughes <gnu_andrew@member.fsf.org> |
---|---|
date | Tue, 10 Nov 2020 02:47:05 +0000 |
parents | acc51158d6be (current diff) 9b8fdf354146 (diff) |
children | ab3a1c66dc7e |
files | .hgtags src/share/classes/sun/security/pkcs11/P11AEADCipher.java src/share/classes/sun/security/pkcs11/P11Cipher.java src/share/classes/sun/security/pkcs11/P11Signature.java |
diffstat | 6 files changed, 107 insertions(+), 75 deletions(-) [+] |
line wrap: on
line diff
--- a/.hgtags Wed Oct 28 07:40:01 2020 +0000 +++ b/.hgtags Tue Nov 10 02:47:05 2020 +0000 @@ -1142,3 +1142,6 @@ badfd40f15ac56deecb250cc14735974c3e41611 jdk8u272-b10 badfd40f15ac56deecb250cc14735974c3e41611 jdk8u272-ga efb8a0718403427e144d7586b9b94295261f76df icedtea-3.17.0 +badfd40f15ac56deecb250cc14735974c3e41611 jdk8u275-b00 +efb922cd7ac475a882ae6d941f4f3072bec01b7a jdk8u275-b01 +efb922cd7ac475a882ae6d941f4f3072bec01b7a jdk8u275-ga
--- a/src/share/classes/com/sun/jndi/ldap/ext/StartTlsResponseImpl.java Wed Oct 28 07:40:01 2020 +0000 +++ b/src/share/classes/com/sun/jndi/ldap/ext/StartTlsResponseImpl.java Tue Nov 10 02:47:05 2020 +0000 @@ -288,7 +288,8 @@ */ public void setConnection(Connection ldapConnection, String hostname) { this.ldapConnection = ldapConnection; - this.hostname = (hostname != null) ? hostname : ldapConnection.host; + this.hostname = (hostname == null || hostname.isEmpty()) + ? ldapConnection.host : hostname; originalInputStream = ldapConnection.inStream; originalOutputStream = ldapConnection.outStream; }
--- a/src/share/classes/sun/security/ssl/CertificateVerify.java Wed Oct 28 07:40:01 2020 +0000 +++ b/src/share/classes/sun/security/ssl/CertificateVerify.java Tue Nov 10 02:47:05 2020 +0000 @@ -31,6 +31,7 @@ import java.text.MessageFormat; import java.util.Arrays; import java.util.Locale; +import java.util.Map; import sun.security.ssl.SSLHandshake.HandshakeMessage; import sun.security.ssl.X509Authentication.X509Credentials; import sun.security.ssl.X509Authentication.X509Possession; @@ -585,30 +586,27 @@ // This happens in client side only. ClientHandshakeContext chc = (ClientHandshakeContext)context; - this.signatureScheme = SignatureScheme.getPreferableAlgorithm( + Map.Entry<SignatureScheme, Signature> schemeAndSigner = + SignatureScheme.getSignerOfPreferableAlgorithm( chc.peerRequestedSignatureSchemes, x509Possession, chc.negotiatedProtocol); - if (signatureScheme == null) { + if (schemeAndSigner == null) { // Unlikely, the credentials generator should have // selected the preferable signature algorithm properly. throw chc.conContext.fatal(Alert.INTERNAL_ERROR, - "No preferred signature algorithm for CertificateVerify"); + "No supported CertificateVerify signature algorithm for " + + x509Possession.popPrivateKey.getAlgorithm() + + " key"); } + this.signatureScheme = schemeAndSigner.getKey(); byte[] temproary = null; try { - Signature signer = - signatureScheme.getSignature(x509Possession.popPrivateKey); + Signature signer = schemeAndSigner.getValue(); signer.update(chc.handshakeHash.archived()); temproary = signer.sign(); - } catch (NoSuchAlgorithmException | - InvalidAlgorithmParameterException nsae) { - throw chc.conContext.fatal(Alert.INTERNAL_ERROR, - "Unsupported signature algorithm (" + - signatureScheme.name + - ") used in CertificateVerify handshake message", nsae); - } catch (InvalidKeyException | SignatureException ikse) { + } catch (SignatureException ikse) { throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Cannot produce CertificateVerify signature", ikse); } @@ -668,7 +666,7 @@ this.signature = Record.getBytes16(m); try { Signature signer = - signatureScheme.getSignature(x509Credentials.popPublicKey); + signatureScheme.getVerifier(x509Credentials.popPublicKey); signer.update(shc.handshakeHash.archived()); if (!signer.verify(signature)) { throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE, @@ -897,17 +895,22 @@ X509Possession x509Possession) throws IOException { super(context); - this.signatureScheme = SignatureScheme.getPreferableAlgorithm( - context.peerRequestedSignatureSchemes, - x509Possession, - context.negotiatedProtocol); - if (signatureScheme == null) { + Map.Entry<SignatureScheme, Signature> schemeAndSigner = + SignatureScheme.getSignerOfPreferableAlgorithm( + context.peerRequestedSignatureSchemes, + x509Possession, + context.negotiatedProtocol); + if (schemeAndSigner == null) { // Unlikely, the credentials generator should have // selected the preferable signature algorithm properly. throw context.conContext.fatal(Alert.INTERNAL_ERROR, - "No preferred signature algorithm for CertificateVerify"); + "No supported CertificateVerify signature algorithm for " + + x509Possession.popPrivateKey.getAlgorithm() + + " key"); } + this.signatureScheme = schemeAndSigner.getKey(); + byte[] hashValue = context.handshakeHash.digest(); byte[] contentCovered; if (context.sslConfig.isClientMode) { @@ -924,17 +927,10 @@ byte[] temproary = null; try { - Signature signer = - signatureScheme.getSignature(x509Possession.popPrivateKey); + Signature signer = schemeAndSigner.getValue(); signer.update(contentCovered); temproary = signer.sign(); - } catch (NoSuchAlgorithmException | - InvalidAlgorithmParameterException nsae) { - throw context.conContext.fatal(Alert.INTERNAL_ERROR, - "Unsupported signature algorithm (" + - signatureScheme.name + - ") used in CertificateVerify handshake message", nsae); - } catch (InvalidKeyException | SignatureException ikse) { + } catch (SignatureException ikse) { throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE, "Cannot produce CertificateVerify signature", ikse); } @@ -1005,7 +1001,7 @@ try { Signature signer = - signatureScheme.getSignature(x509Credentials.popPublicKey); + signatureScheme.getVerifier(x509Credentials.popPublicKey); signer.update(contentCovered); if (!signer.verify(signature)) { throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
--- a/src/share/classes/sun/security/ssl/DHServerKeyExchange.java Wed Oct 28 07:40:01 2020 +0000 +++ b/src/share/classes/sun/security/ssl/DHServerKeyExchange.java Tue Nov 10 02:47:05 2020 +0000 @@ -42,6 +42,7 @@ import java.text.MessageFormat; import java.util.EnumSet; import java.util.Locale; +import java.util.Map; import javax.crypto.interfaces.DHPublicKey; import javax.crypto.spec.DHParameterSpec; import javax.crypto.spec.DHPublicKeySpec; @@ -125,24 +126,21 @@ shc.negotiatedProtocol.useTLS12PlusSpec(); Signature signer = null; if (useExplicitSigAlgorithm) { - signatureScheme = SignatureScheme.getPreferableAlgorithm( - shc.peerRequestedSignatureSchemes, - x509Possession, - shc.negotiatedProtocol); - if (signatureScheme == null) { + Map.Entry<SignatureScheme, Signature> schemeAndSigner = + SignatureScheme.getSignerOfPreferableAlgorithm( + shc.peerRequestedSignatureSchemes, + x509Possession, + shc.negotiatedProtocol); + if (schemeAndSigner == null) { // Unlikely, the credentials generator should have // selected the preferable signature algorithm properly. throw shc.conContext.fatal(Alert.INTERNAL_ERROR, - "No preferred signature algorithm"); - } - try { - signer = signatureScheme.getSignature( - x509Possession.popPrivateKey); - } catch (NoSuchAlgorithmException | InvalidKeyException | - InvalidAlgorithmParameterException nsae) { - throw shc.conContext.fatal(Alert.INTERNAL_ERROR, - "Unsupported signature algorithm: " + - signatureScheme.name, nsae); + "No supported signature algorithm for " + + x509Possession.popPrivateKey.getAlgorithm() + + " key"); + } else { + signatureScheme = schemeAndSigner.getKey(); + signer = schemeAndSigner.getValue(); } } else { signatureScheme = null; @@ -241,7 +239,7 @@ Signature signer; if (useExplicitSigAlgorithm) { try { - signer = signatureScheme.getSignature( + signer = signatureScheme.getVerifier( x509Credentials.popPublicKey); } catch (NoSuchAlgorithmException | InvalidKeyException | InvalidAlgorithmParameterException nsae) {
--- a/src/share/classes/sun/security/ssl/ECDHServerKeyExchange.java Wed Oct 28 07:40:01 2020 +0000 +++ b/src/share/classes/sun/security/ssl/ECDHServerKeyExchange.java Tue Nov 10 02:47:05 2020 +0000 @@ -45,6 +45,7 @@ import java.text.MessageFormat; import java.util.EnumSet; import java.util.Locale; +import java.util.Map; import sun.security.ssl.ECDHKeyExchange.ECDHECredentials; import sun.security.ssl.ECDHKeyExchange.ECDHEPossession; import sun.security.ssl.SSLHandshake.HandshakeMessage; @@ -139,26 +140,21 @@ shc.negotiatedProtocol.useTLS12PlusSpec(); Signature signer = null; if (useExplicitSigAlgorithm) { - signatureScheme = SignatureScheme.getPreferableAlgorithm( - shc.peerRequestedSignatureSchemes, - x509Possession, - shc.negotiatedProtocol); - if (signatureScheme == null) { + Map.Entry<SignatureScheme, Signature> schemeAndSigner = + SignatureScheme.getSignerOfPreferableAlgorithm( + shc.peerRequestedSignatureSchemes, + x509Possession, + shc.negotiatedProtocol); + if (schemeAndSigner == null) { // Unlikely, the credentials generator should have // selected the preferable signature algorithm properly. throw shc.conContext.fatal(Alert.INTERNAL_ERROR, - "No preferred signature algorithm for " + + "No supported signature algorithm for " + x509Possession.popPrivateKey.getAlgorithm() + " key"); - } - try { - signer = signatureScheme.getSignature( - x509Possession.popPrivateKey); - } catch (NoSuchAlgorithmException | InvalidKeyException | - InvalidAlgorithmParameterException nsae) { - throw shc.conContext.fatal(Alert.INTERNAL_ERROR, - "Unsupported signature algorithm: " + - signatureScheme.name, nsae); + } else { + signatureScheme = schemeAndSigner.getKey(); + signer = schemeAndSigner.getValue(); } } else { signatureScheme = null; @@ -295,7 +291,7 @@ Signature signer; if (useExplicitSigAlgorithm) { try { - signer = signatureScheme.getSignature( + signer = signatureScheme.getVerifier( x509Credentials.popPublicKey); } catch (NoSuchAlgorithmException | InvalidKeyException | InvalidAlgorithmParameterException nsae) {
--- a/src/share/classes/sun/security/ssl/SignatureScheme.java Wed Oct 28 07:40:01 2020 +0000 +++ b/src/share/classes/sun/security/ssl/SignatureScheme.java Tue Nov 10 02:47:05 2020 +0000 @@ -31,6 +31,7 @@ import java.security.spec.ECParameterSpec; import java.security.spec.MGF1ParameterSpec; import java.security.spec.PSSParameterSpec; +import java.util.AbstractMap.SimpleImmutableEntry; import java.util.ArrayList; import java.util.Arrays; import java.util.Collection; @@ -38,6 +39,7 @@ import java.util.EnumSet; import java.util.LinkedList; import java.util.List; +import java.util.Map; import java.util.Set; import sun.security.ssl.SupportedGroupsExtension.NamedGroup; import sun.security.ssl.SupportedGroupsExtension.NamedGroupType; @@ -427,7 +429,7 @@ return null; } - static SignatureScheme getPreferableAlgorithm( + static Map.Entry<SignatureScheme, Signature> getSignerOfPreferableAlgorithm( List<SignatureScheme> schemes, X509Possession x509Possession, ProtocolVersion version) { @@ -452,7 +454,10 @@ x509Possession.getECParameterSpec(); if (params != null && ss.namedGroup == NamedGroup.valueOf(params)) { - return ss; + Signature signer = ss.getSigner(signingKey); + if (signer != null) { + return new SimpleImmutableEntry<>(ss, signer); + } } if (SSLLogger.isOn && @@ -477,7 +482,10 @@ NamedGroup keyGroup = NamedGroup.valueOf(params); if (keyGroup != null && SupportedGroups.isSupported(keyGroup)) { - return ss; + Signature signer = ss.getSigner(signingKey); + if (signer != null) { + return new SimpleImmutableEntry<>(ss, signer); + } } } @@ -488,7 +496,10 @@ "), unsupported EC parameter spec: " + params); } } else { - return ss; + Signature signer = ss.getSigner(signingKey); + if (signer != null) { + return new SimpleImmutableEntry<>(ss, signer); + } } } } @@ -509,21 +520,48 @@ return new String[0]; } - Signature getSignature(Key key) throws NoSuchAlgorithmException, + // This method is used to get the signature instance of this signature + // scheme for the specific public key. Unlike getSigner(), the exception + // is bubbled up. If the public key does not support this signature + // scheme, it normally means the TLS handshaking cannot continue and + // the connection should be terminated. + Signature getVerifier(PublicKey publicKey) throws NoSuchAlgorithmException, InvalidAlgorithmParameterException, InvalidKeyException { if (!isAvailable) { return null; } - Signature signer = JsseJce.getSignature(algorithm); - if (key instanceof PublicKey) { - SignatureUtil.initVerifyWithParam(signer, (PublicKey)key, - signAlgParameter); - } else { - SignatureUtil.initSignWithParam(signer, (PrivateKey)key, - signAlgParameter, null); + Signature verifier = Signature.getInstance(algorithm); + SignatureUtil.initVerifyWithParam(verifier, publicKey, signAlgParameter); + + return verifier; + } + + // This method is also used to choose preferable signature scheme for the + // specific private key. If the private key does not support the signature + // scheme, {@code null} is returned, and the caller may fail back to next + // available signature scheme. + private Signature getSigner(PrivateKey privateKey) { + if (!isAvailable) { + return null; } - return signer; + try { + Signature signer = Signature.getInstance(algorithm); + SignatureUtil.initSignWithParam(signer, privateKey, + signAlgParameter, + null); + return signer; + } catch (NoSuchAlgorithmException | InvalidKeyException | + InvalidAlgorithmParameterException nsae) { + if (SSLLogger.isOn && + SSLLogger.isOn("ssl,handshake,verbose")) { + SSLLogger.finest( + "Ignore unsupported signature algorithm (" + + this.name + ")", nsae); + } + } + + return null; } }