Mercurial > hg > openjdk > jdk8u > jdk
changeset 13444:aa5e4bedfa82
Merge
author | phh |
---|---|
date | Fri, 22 Feb 2019 18:18:16 +0000 |
parents | a854158a2c94 (current diff) c763f8d25eac (diff) |
children | 5833bcef26ca 111b0d11b261 |
files | |
diffstat | 10 files changed, 286 insertions(+), 237 deletions(-) [+] |
line wrap: on
line diff
--- a/src/share/classes/sun/security/ssl/SSLAlgorithmDecomposer.java Wed Feb 20 21:11:13 2019 +0000 +++ b/src/share/classes/sun/security/ssl/SSLAlgorithmDecomposer.java Fri Feb 22 18:18:16 2019 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -239,7 +239,8 @@ // ignore: unknown or unsupported ciphersuite } - if (cipherSuite != null) { + if (cipherSuite != null && + cipherSuite != CipherSuite.C_SCSV /* TLS_EMPTY_RENEGOTIATION_INFO_SCSV */) { return decompose(cipherSuite.keyExchange, cipherSuite.cipher, cipherSuite.macAlg); }
--- a/src/share/classes/sun/security/x509/DNSName.java Wed Feb 20 21:11:13 2019 +0000 +++ b/src/share/classes/sun/security/x509/DNSName.java Fri Feb 22 18:18:16 2019 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -34,16 +34,17 @@ * This class implements the DNSName as required by the GeneralNames * ASN.1 object. * <p> - * [RFC2459] When the subjectAltName extension contains a domain name service + * [RFC5280] When the subjectAltName extension contains a domain name system * label, the domain name MUST be stored in the dNSName (an IA5String). - * The name MUST be in the "preferred name syntax," as specified by RFC - * 1034 [RFC 1034]. Note that while upper and lower case letters are - * allowed in domain names, no signifigance is attached to the case. In + * The name MUST be in the "preferred name syntax", as specified by + * Section 3.5 of [RFC1034] and as modified by Section 2.1 of + * [RFC1123]. Note that while uppercase and lowercase letters are + * allowed in domain names, no significance is attached to the case. In * addition, while the string " " is a legal domain name, subjectAltName - * extensions with a dNSName " " are not permitted. Finally, the use of - * the DNS representation for Internet mail addresses (wpolk.nist.gov - * instead of wpolk@nist.gov) is not permitted; such identities are to - * be encoded as rfc822Name. + * extensions with a dNSName of " " MUST NOT be used. Finally, the use + * of the DNS representation for Internet mail addresses + * (subscriber.example.com instead of subscriber@example.com) MUST NOT + * be used; such identities are to be encoded as rfc822Name. * <p> * @author Amit Kapoor * @author Hemma Prafullchandra @@ -51,9 +52,8 @@ public class DNSName implements GeneralNameInterface { private String name; - private static final String alpha = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; - private static final String digitsAndHyphen = "0123456789-"; - private static final String alphaDigitsAndHyphen = alpha + digitsAndHyphen; + private static final String alphaDigits = + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; /** * Create the DNSName object from the passed encoded Der value. @@ -73,35 +73,38 @@ */ public DNSName(String name) throws IOException { if (name == null || name.length() == 0) - throw new IOException("DNS name must not be null"); - if (name.indexOf(' ') != -1) - throw new IOException("DNS names or NameConstraints with blank components are not permitted"); - if (name.charAt(0) == '.' || name.charAt(name.length() -1) == '.') - throw new IOException("DNS names or NameConstraints may not begin or end with a ."); - //Name will consist of label components separated by "." - //startIndex is the index of the first character of a component - //endIndex is the index of the last character of a component plus 1 - for (int endIndex,startIndex=0; startIndex < name.length(); startIndex = endIndex+1) { + throw new IOException("DNSName must not be null or empty"); + if (name.contains(" ")) + throw new IOException("DNSName with blank components is not permitted"); + if (name.startsWith(".") || name.endsWith(".")) + throw new IOException("DNSName may not begin or end with a ."); + /* + * Name will consist of label components separated by "." + * startIndex is the index of the first character of a component + * endIndex is the index of the last character of a component plus 1 + */ + for (int endIndex,startIndex = 0; startIndex < name.length(); startIndex = endIndex+1) { endIndex = name.indexOf('.', startIndex); if (endIndex < 0) { endIndex = name.length(); } - if ((endIndex-startIndex) < 1) - throw new IOException("DNSName SubjectAltNames with empty components are not permitted"); + if (endIndex - startIndex < 1) + throw new IOException("DNSName with empty components are not permitted"); - //DNSName components must begin with a letter A-Z or a-z - if (alpha.indexOf(name.charAt(startIndex)) < 0) - throw new IOException("DNSName components must begin with a letter"); + // RFC 1123: DNSName components must begin with a letter or digit + if (alphaDigits.indexOf(name.charAt(startIndex)) < 0) + throw new IOException("DNSName components must begin with a letter or digit"); //nonStartIndex: index for characters in the component beyond the first one for (int nonStartIndex=startIndex+1; nonStartIndex < endIndex; nonStartIndex++) { char x = name.charAt(nonStartIndex); - if ((alphaDigitsAndHyphen).indexOf(x) < 0) + if ((alphaDigits).indexOf(x) < 0 && x != '-') throw new IOException("DNSName components must consist of letters, digits, and hyphens"); } } this.name = name; } + /** * Return the type of the GeneralName. */ @@ -117,7 +120,7 @@ } /** - * Encode the DNS name into the DerOutputStream. + * Encode the DNSName into the DerOutputStream. * * @param out the DER stream to encode the DNSName to. * @exception IOException on encoding errors. @@ -137,7 +140,7 @@ * Compares this name with another, for equality. * * @return true iff the names are equivalent - * according to RFC2459. + * according to RFC5280. */ public boolean equals(Object obj) { if (this == obj) @@ -148,7 +151,7 @@ DNSName other = (DNSName)obj; - // RFC2459 mandates that these names are + // RFC5280 mandates that these names are // not case-sensitive return name.equalsIgnoreCase(other.name); } @@ -172,12 +175,14 @@ * </ul>. These results are used in checking NameConstraints during * certification path verification. * <p> - * RFC2459: DNS name restrictions are expressed as foo.bar.com. Any subdomain - * satisfies the name constraint. For example, www.foo.bar.com would - * satisfy the constraint but bigfoo.bar.com would not. + * RFC5280: DNS name restrictions are expressed as host.example.com. + * Any DNS name that can be constructed by simply adding zero or more + * labels to the left-hand side of the name satisfies the name constraint. + * For example, www.host.example.com would satisfy the constraint but + * host1.example.com would not. * <p> - * draft-ietf-pkix-new-part1-00.txt: DNS name restrictions are expressed as foo.bar.com. - * Any DNS name that + * draft-ietf-pkix-new-part1-00.txt: DNSName restrictions are expressed as foo.bar.com. + * Any DNSName that * can be constructed by simply adding to the left hand side of the name * satisfies the name constraint. For example, www.foo.bar.com would * satisfy the constraint but foo1.bar.com would not.
--- a/src/share/classes/sun/security/x509/GeneralName.java Wed Feb 20 21:11:13 2019 +0000 +++ b/src/share/classes/sun/security/x509/GeneralName.java Fri Feb 22 18:18:16 2019 +0000 @@ -112,7 +112,7 @@ encName.resetTag(DerValue.tag_IA5String); name = new DNSName(encName); } else { - throw new IOException("Invalid encoding of DNS name"); + throw new IOException("Invalid encoding of DNSName"); } break;
--- a/src/share/classes/sun/security/x509/RFC822Name.java Wed Feb 20 21:11:13 2019 +0000 +++ b/src/share/classes/sun/security/x509/RFC822Name.java Fri Feb 22 18:18:16 2019 +0000 @@ -246,7 +246,7 @@ subtree=subtree.substring(atNdx+1); } - /* count dots in dnsname, adding one if dnsname preceded by @ */ + /* count dots in DNSName, adding one if DNSName preceded by @ */ for (; subtree.lastIndexOf('.') >= 0; i++) { subtree=subtree.substring(0,subtree.lastIndexOf('.')); }
--- a/src/share/classes/sun/security/x509/URIName.java Wed Feb 20 21:11:13 2019 +0000 +++ b/src/share/classes/sun/security/x509/URIName.java Fri Feb 22 18:18:16 2019 +0000 @@ -131,13 +131,13 @@ try { hostDNS = new DNSName(host); } catch (IOException ioe) { - // Not a valid DNS Name; see if it is a valid IPv4 + // Not a valid DNSName; see if it is a valid IPv4 // IPAddressName try { hostIP = new IPAddressName(host); } catch (Exception ioe2) { throw new IOException("invalid URI name (host " + - "portion is not a valid DNS name, IPv4 address," + + "portion is not a valid DNSName, IPv4 address," + " or IPv6 address):" + name); } } @@ -339,7 +339,7 @@ // If one (or both) is an IP address, only same type constraintType = NAME_SAME_TYPE; } else { - // Both host portions are DNS names. Are they domains? + // Both host portions are DNSNames. Are they domains? boolean thisDomain = (host.charAt(0) == '.'); boolean otherDomain = (otherHost.charAt(0) == '.'); DNSName otherDNS = (DNSName) otherHostObject;
--- a/src/share/classes/sun/security/x509/X500Name.java Wed Feb 20 21:11:13 2019 +0000 +++ b/src/share/classes/sun/security/x509/X500Name.java Fri Feb 22 18:18:16 2019 +0000 @@ -1219,7 +1219,7 @@ */ /* - * OID for "DC=" domain component attributes, used with DNS names in DN + * OID for "DC=" domain component attributes, used with DNSNames in DN * format */ DOMAIN_COMPONENT_OID =
--- a/src/solaris/native/sun/xawt/XToolkit.c Wed Feb 20 21:11:13 2019 +0000 +++ b/src/solaris/native/sun/xawt/XToolkit.c Fri Feb 22 18:18:16 2019 +0000 @@ -154,6 +154,10 @@ JNI_OnLoad(JavaVM *vm, void *reserved) { jvm = vm; + + //Set the gtk backend to x11 on all the systems + putenv("GDK_BACKEND=x11"); + return JNI_VERSION_1_2; }
--- a/test/sun/security/ssl/sanity/ciphersuites/CheckCipherSuites.java Wed Feb 20 21:11:13 2019 +0000 +++ b/test/sun/security/ssl/sanity/ciphersuites/CheckCipherSuites.java Fri Feb 22 18:18:16 2019 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2010, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2019, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -23,221 +23,166 @@ /* * @test - * @bug 4750141 4895631 + * @bug 4750141 4895631 8217579 * @summary Check enabled and supported ciphersuites are correct - * @ignore JSSE supported cipher suites are changed with CR 6916074, - * need to update this test case in JDK 7 soon + * @run main CheckCipherSuites default + * @run main/othervm CheckCipherSuites limited */ import java.util.*; - +import java.security.Security; import javax.net.ssl.*; -import javax.crypto.Cipher; -import javax.crypto.spec.*; - public class CheckCipherSuites { + // List of enabled cipher suites when the "crypto.policy" security + // property is set to "unlimited" (the default value). private final static String[] ENABLED_DEFAULT = { - "SSL_RSA_WITH_RC4_128_MD5", - "SSL_RSA_WITH_RC4_128_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", + "TLS_RSA_WITH_AES_256_CBC_SHA256", + "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", + "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_RSA_WITH_AES_256_CBC_SHA", + "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", + "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + "TLS_RSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDH_RSA_WITH_RC4_128_SHA", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_RC4_128_SHA", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", - "SSL_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", - "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", - "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", - "SSL_RSA_WITH_DES_CBC_SHA", - "SSL_DHE_RSA_WITH_DES_CBC_SHA", - "SSL_DHE_DSS_WITH_DES_CBC_SHA", - "SSL_RSA_EXPORT_WITH_RC4_40_MD5", - "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", - "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", - "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", - "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", - + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", + "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", + "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", + "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" }; - private final static String[] ENABLED_UNLIMITED = { - "SSL_RSA_WITH_RC4_128_MD5", - "SSL_RSA_WITH_RC4_128_SHA", - "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_RSA_WITH_AES_256_CBC_SHA", - "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", - "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_ECDH_RSA_WITH_RC4_128_SHA", - "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", + // List of enabled cipher suites when the "crypto.policy" security + // property is set to "limited". + private final static String[] ENABLED_LIMITED = { + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + "TLS_RSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", - "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", - "SSL_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", - "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", - "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", - "SSL_RSA_WITH_DES_CBC_SHA", - "SSL_DHE_RSA_WITH_DES_CBC_SHA", - "SSL_DHE_DSS_WITH_DES_CBC_SHA", - "SSL_RSA_EXPORT_WITH_RC4_40_MD5", - "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", - "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", - "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", - "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", - - }; - - // supported ciphersuites using default JCE policy jurisdiction files - // AES/256 unavailable - private final static String[] SUPPORTED_DEFAULT = { - "SSL_RSA_WITH_RC4_128_MD5", - "SSL_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDH_RSA_WITH_RC4_128_SHA", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_RC4_128_SHA", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", - "SSL_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", - "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", - "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", - "SSL_RSA_WITH_DES_CBC_SHA", - "SSL_DHE_RSA_WITH_DES_CBC_SHA", - "SSL_DHE_DSS_WITH_DES_CBC_SHA", - "SSL_RSA_EXPORT_WITH_RC4_40_MD5", - "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", - "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", - "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", - "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", - - "SSL_RSA_WITH_NULL_MD5", - "SSL_RSA_WITH_NULL_SHA", - "TLS_ECDH_ECDSA_WITH_NULL_SHA", - "TLS_ECDH_RSA_WITH_NULL_SHA", - "TLS_ECDHE_ECDSA_WITH_NULL_SHA", - "TLS_ECDHE_RSA_WITH_NULL_SHA", - "SSL_DH_anon_WITH_RC4_128_MD5", - "TLS_DH_anon_WITH_AES_128_CBC_SHA", - "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA", - "SSL_DH_anon_WITH_DES_CBC_SHA", - "TLS_ECDH_anon_WITH_RC4_128_SHA", - "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", - "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", - "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5", - "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA", - "TLS_ECDH_anon_WITH_NULL_SHA", - "TLS_KRB5_WITH_RC4_128_SHA", - "TLS_KRB5_WITH_RC4_128_MD5", - "TLS_KRB5_WITH_3DES_EDE_CBC_SHA", - "TLS_KRB5_WITH_3DES_EDE_CBC_MD5", - "TLS_KRB5_WITH_DES_CBC_SHA", - "TLS_KRB5_WITH_DES_CBC_MD5", - "TLS_KRB5_EXPORT_WITH_RC4_40_SHA", - "TLS_KRB5_EXPORT_WITH_RC4_40_MD5", - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", - + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", + "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", + "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" }; - // supported ciphersuites using unlimited JCE policy jurisdiction files - // AES/256 available - private final static String[] SUPPORTED_UNLIMITED = { - "SSL_RSA_WITH_RC4_128_MD5", - "SSL_RSA_WITH_RC4_128_SHA", - "TLS_RSA_WITH_AES_128_CBC_SHA", + // List of supported cipher suites when the "crypto.policy" security + // property is set to "unlimited" (the default value). + private final static String[] SUPPORTED_DEFAULT = { + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", + "TLS_RSA_WITH_AES_256_CBC_SHA256", + "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", + "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", + "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", + "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA", - "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", - "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_ECDH_RSA_WITH_RC4_128_SHA", - "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", - "TLS_ECDHE_RSA_WITH_RC4_128_SHA", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", - "SSL_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", - "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", - "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA", - "SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA", - "SSL_RSA_WITH_DES_CBC_SHA", - "SSL_DHE_RSA_WITH_DES_CBC_SHA", - "SSL_DHE_DSS_WITH_DES_CBC_SHA", - "SSL_RSA_EXPORT_WITH_RC4_40_MD5", - "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", - "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", - "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA", - "TLS_EMPTY_RENEGOTIATION_INFO_SCSV", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + "TLS_RSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_RSA_WITH_AES_128_CBC_SHA", + "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_RSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", + "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", + "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", + "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", + "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", + "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" + }; - "SSL_RSA_WITH_NULL_MD5", - "SSL_RSA_WITH_NULL_SHA", - "TLS_ECDH_ECDSA_WITH_NULL_SHA", - "TLS_ECDH_RSA_WITH_NULL_SHA", - "TLS_ECDHE_ECDSA_WITH_NULL_SHA", - "TLS_ECDHE_RSA_WITH_NULL_SHA", - "SSL_DH_anon_WITH_RC4_128_MD5", - "TLS_DH_anon_WITH_AES_128_CBC_SHA", - "TLS_DH_anon_WITH_AES_256_CBC_SHA", - "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA", - "SSL_DH_anon_WITH_DES_CBC_SHA", - "TLS_ECDH_anon_WITH_RC4_128_SHA", - "TLS_ECDH_anon_WITH_AES_128_CBC_SHA", - "TLS_ECDH_anon_WITH_AES_256_CBC_SHA", - "TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA", - "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5", - "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA", - "TLS_ECDH_anon_WITH_NULL_SHA", - "TLS_KRB5_WITH_RC4_128_SHA", - "TLS_KRB5_WITH_RC4_128_MD5", - "TLS_KRB5_WITH_3DES_EDE_CBC_SHA", - "TLS_KRB5_WITH_3DES_EDE_CBC_MD5", - "TLS_KRB5_WITH_DES_CBC_SHA", - "TLS_KRB5_WITH_DES_CBC_MD5", - "TLS_KRB5_EXPORT_WITH_RC4_40_SHA", - "TLS_KRB5_EXPORT_WITH_RC4_40_MD5", - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA", - "TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5", - + // List of supported cipher suites when the "crypto.policy" security + // property is set to "limited". + private final static String[] SUPPORTED_LIMITED = { + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", + "TLS_RSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", + "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256", + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_RSA_WITH_AES_128_CBC_SHA", + "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", + "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", + "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_RSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", + "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", + "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", + "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", + "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" }; private static void showSuites(String[] suites) { @@ -252,19 +197,21 @@ public static void main(String[] args) throws Exception { long start = System.currentTimeMillis(); + if (args.length != 1) { + throw new Exception("One arg required"); + } + String[] ENABLED; String[] SUPPORTED; - try { - Cipher c = Cipher.getInstance("AES/CBC/NoPadding"); - SecretKeySpec key = new SecretKeySpec(new byte[32], "AES"); - c.init(Cipher.ENCRYPT_MODE, key); - System.out.println("AES/256 is available"); - ENABLED = ENABLED_UNLIMITED; - SUPPORTED = SUPPORTED_UNLIMITED; - } catch (Exception e) { - System.out.println("AES/256 is NOT available (" + e + ")"); + if (args[0].equals("default")) { ENABLED = ENABLED_DEFAULT; SUPPORTED = SUPPORTED_DEFAULT; + } else if (args[0].equals("limited")) { + Security.setProperty("crypto.policy", "limited"); + ENABLED = ENABLED_LIMITED; + SUPPORTED = SUPPORTED_LIMITED; + } else { + throw new Exception("Illegal argument"); } SSLSocketFactory factory = (SSLSocketFactory)SSLSocketFactory.getDefault();
--- a/test/sun/security/tools/keytool/KeyToolTest.java Wed Feb 20 21:11:13 2019 +0000 +++ b/test/sun/security/tools/keytool/KeyToolTest.java Fri Feb 22 18:18:16 2019 +0000 @@ -1028,6 +1028,7 @@ testOK("", pre+"san3 -ext san=dns:me.org"); testOK("", pre+"san4 -ext san=ip:192.168.0.1"); testOK("", pre+"san5 -ext san=oid:1.2.3.4"); + testOK("", pre+"san6 -ext san=dns:1abc.com"); //begin with digit testOK("", pre+"san235 -ext san=uri:http://me.org,dns:me.org,oid:1.2.3.4"); ks = loadStore("x.jks", "changeit", "JKS");
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/sun/security/x509/GeneralName/DNSNameTest.java Fri Feb 22 18:18:16 2019 +0000 @@ -0,0 +1,91 @@ +/* + * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/** + * @test + * @summary DNSName parsing tests + * @bug 8213952 + * @modules java.base/sun.security.x509 + * @run testng DNSNameTest + */ + +import java.io.IOException; +import sun.security.x509.DNSName; + +import org.testng.annotations.DataProvider; +import org.testng.annotations.Test; + +import static org.testng.Assert.*; + +public class DNSNameTest { + @DataProvider(name = "goodNames") + public Object[][] goodNames() { + Object[][] data = { + {"abc.com"}, + {"ABC.COM"}, + {"a12.com"}, + {"a1b2c3.com"}, + {"1abc.com"}, + {"123.com"}, + {"abc.com-"}, // end with hyphen + {"a-b-c.com"}, // hyphens + }; + return data; + } + + @DataProvider(name = "badNames") + public Object[][] badNames() { + Object[][] data = { + {" 1abc.com"}, // begin with space + {"1abc.com "}, // end with space + {"1a bc.com "}, // no space allowed + {"-abc.com"}, // begin with hyphen + {"a..b"}, // .. + {".a"}, // begin with . + {"a."}, // end with . + {""}, // empty + {" "}, // space only + }; + return data; + } + + @Test(dataProvider = "goodNames") + public void testGoodDNSName(String dnsNameString) { + try { + DNSName dn = new DNSName(dnsNameString); + } catch (IOException e) { + fail("Unexpected IOException"); + } + } + + @Test(dataProvider = "badNames") + public void testBadDNSName(String dnsNameString) { + try { + DNSName dn = new DNSName(dnsNameString); + fail("IOException expected"); + } catch (IOException e) { + if (!e.getMessage().contains("DNSName")) + fail("Unexpeceted message: " + e); + } + } +}