changeset 2867:1e70da0f6120
Add patches for next security update.
2013-02-15 Andrew John Hughes <gnu.andrew@redhat.com>
* Makefile.am:
(SECURITY_PATCHES): Add latest security patches
and backport required for 8007688.
* NEWS: List security fixes & backport and
set release date.
* patches/openjdk/7123519-problems_with_certification_path.patch,
* patches/security/20130219/8006446.patch,
* patches/security/20130219/8006777.patch,
* patches/security/20130219/8007688.patch:
New patches for next security update.
author | Andrew John Hughes <gnu.andrew@redhat.com> |
---|---|
date | Fri, 15 Feb 2013 04:54:48 +0000 |
parents | d6603cf5d5ad |
children | 333a669397e2 |
files | ChangeLog Makefile.am NEWS patches/openjdk/7123519-problems_with_certification_path.patch patches/security/20130219/8006446.patch patches/security/20130219/8006777.patch patches/security/20130219/8007688.patch |
diffstat | 7 files changed, 2624 insertions(+), 2 deletions(-) [+] |
--- a/ChangeLog	Fri Feb 15 02:36:30 2013 +0000
+++ b/ChangeLog	Fri Feb 15 04:54:48 2013 +0000
@@ -1,3 +1,16 @@
+2013-02-15 Andrew John Hughes <gnu.andrew@redhat.com>
+
+ * Makefile.am:
+ (SECURITY_PATCHES): Add latest security patches
+ and backport required for 8007688.
+ * NEWS: List security fixes & backport and
+ set release date.
+ * patches/openjdk/7123519-problems_with_certification_path.patch,
+ * patches/security/20130219/8006446.patch,
+ * patches/security/20130219/8006777.patch,
+ * patches/security/20130219/8007688.patch:
+ New patches for next security update.
+
 2013-02-14 Andrew John Hughes <gnu.andrew@redhat.com>
 
 PR1319: Support GIF lib v5.
--- a/Makefile.am	Fri Feb 15 02:36:30 2013 +0000
+++ b/Makefile.am	Fri Feb 15 04:54:48 2013 +0000
@@ -274,7 +274,11 @@
 patches/security/20130201/8001307.patch \
 patches/security/20130201/8001972.patch \
 patches/security/20130201/8002325.patch \
- patches/security/20130201/8001235.patch
+ patches/security/20130201/8001235.patch \
+ patches/security/20130219/8006446.patch \
+ patches/security/20130219/8006777.patch \
+ patches/openjdk/7123519-problems_with_certification_path.patch \
+ patches/security/20130219/8007688.patch
 
 SPECIAL_SECURITY_PATCH = patches/security/20120214/7112642.patch
 
--- a/NEWS Fri Feb 15 02:36:30 2013 +0000 +++ b/NEWS Fri Feb 15 04:54:48 2013 +0000 @@ -10,8 +10,14 @@ CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY -New in release 1.11.8 (2013-02-XX): +New in release 1.11.8 (2013-02-19): +* Security fixes + - S8006446: Restrict MBeanServer access + - S8006777: Improve TLS handling of invalid messages + - S8007688: Blacklist known bad certificate +* Backports + - S7123519: problems with certification path * Bug fixes - PR1319: Support GIF lib v5.
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/openjdk/7123519-problems_with_certification_path.patch	Fri Feb 15 04:54:48 2013 +0000
@@ -0,0 +1,1055 @@
+# HG changeset patch
+# User robm
+# Date 1326225462 0
+# Node ID a224904d42db1f54139257221e9b545bd1c90b2e
+# Parent 6621fc84cbd66d4adc4cb5dbb11015719c281fc5
+7123519: problems with certification path
+Reviewed-by: xuelei, coffeys
+
+diff --git a/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java b/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
+--- openjdk/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
++++ openjdk/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -640,7 +640,10 @@
+ + "\n Subject: " + cert.getSubjectX500Principal() + ")");
+ }
+
+- ForwardState currState = (ForwardState) currentState;
++ ForwardState currState = (ForwardState)currentState;
++
++ // Don't bother to verify untrusted certificate.
++ currState.untrustedChecker.check(cert, Collections.<String>emptySet());
+
+ /*
+ * check for looping - abort a loop if
+diff --git a/src/share/classes/sun/security/provider/certpath/ForwardState.java b/src/share/classes/sun/security/provider/certpath/ForwardState.java
+--- openjdk/jdk/src/share/classes/sun/security/provider/certpath/ForwardState.java
++++ openjdk/jdk/src/share/classes/sun/security/provider/certpath/ForwardState.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2000, 2006, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -78,6 +78,9 @@
+
+ /* the checker used for revocation status */
+ public CrlRevocationChecker crlChecker;
++
++ /* the untrusted certificates checker */
++ UntrustedChecker untrustedChecker;
+
+ /* The list of user-defined checkers that support forward checking */
+ ArrayList<PKIXCertPathChecker> forwardCheckers;
+diff --git a/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java b/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
+--- openjdk/jdk/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
++++ openjdk/jdk/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -292,8 +292,10 @@
+ pkixParam.isAnyPolicyInhibited(),
+ pkixParam.getPolicyQualifiersRejected(),
+ rootNode);
++ UntrustedChecker untrustedChecker = new UntrustedChecker();
+
+ // add standard checkers that we will be using
++ certPathCheckers.add(untrustedChecker);
+ certPathCheckers.add(algorithmChecker);
+ certPathCheckers.add(keyChecker);
+ certPathCheckers.add(constraintsChecker);
+diff --git a/src/share/classes/sun/security/provider/certpath/ReverseBuilder.java b/src/share/classes/sun/security/provider/certpath/ReverseBuilder.java
+--- openjdk/jdk/src/share/classes/sun/security/provider/certpath/ReverseBuilder.java
++++ openjdk/jdk/src/share/classes/sun/security/provider/certpath/ReverseBuilder.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2000, 2009, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -345,6 +345,10 @@
+ if (currentState.isInitial()) {
+ return;
+ }
++
++ // Don't bother to verify untrusted certificate.
++ currentState.untrustedChecker.check(cert,
++ Collections.<String>emptySet());
+
+ /* check that the signature algorithm is not disabled. */
+ AlgorithmChecker.check(cert);
+diff --git a/src/share/classes/sun/security/provider/certpath/ReverseState.java b/src/share/classes/sun/security/provider/certpath/ReverseState.java
+--- openjdk/jdk/src/share/classes/sun/security/provider/certpath/ReverseState.java
++++ openjdk/jdk/src/share/classes/sun/security/provider/certpath/ReverseState.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2000, 2006, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -95,6 +95,9 @@
+
+ /* the checker used for revocation status */
+ public CrlRevocationChecker crlChecker;
++
++ /* the untrusted certificates checker */
++ UntrustedChecker untrustedChecker;
+
+ /* the trust anchor used to validate the path */
+ TrustAnchor trustAnchor;
+diff --git a/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java b/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java
+--- openjdk/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java
++++ openjdk/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2000, 2010, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -304,6 +304,7 @@
+ // init the crl checker
+ currentState.crlChecker =
+ new CrlRevocationChecker(null, buildParams, null, onlyEECert);
++ currentState.untrustedChecker = new UntrustedChecker();
+ try {
+ depthFirstSearchReverse(null, currentState,
+ new ReverseBuilder(buildParams, targetSubjectDN), adjacencyList,
+@@ -350,6 +351,7 @@
+ // init the crl checker
+ currentState.crlChecker
+ = new CrlRevocationChecker(null, buildParams, null, onlyEECert);
++ currentState.untrustedChecker = new UntrustedChecker();
+
+ depthFirstSearchForward(targetSubjectDN, currentState,
+ new ForwardBuilder
+@@ -625,8 +627,8 @@
+ vertex.setIndex(adjList.size() - 1);
+
+ /* recursively search for matching certs at next dN */
+- depthFirstSearchForward(cert.getIssuerX500Principal(), nextState, builder,
+- adjList, certPathList);
++ depthFirstSearchForward(cert.getIssuerX500Principal(),
++ nextState, builder, adjList, certPathList);
+
+ /*
+ * If path has been completed, return ASAP!
+diff --git a/src/share/classes/sun/security/provider/certpath/UntrustedChecker.java b/src/share/classes/sun/security/provider/certpath/UntrustedChecker.java
+new file mode 100644
+--- /dev/null
++++ openjdk/jdk/src/share/classes/sun/security/provider/certpath/UntrustedChecker.java
+@@ -0,0 +1,88 @@
++/*
++ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++package sun.security.provider.certpath;
++
++import java.security.cert.Certificate;
++import java.security.cert.X509Certificate;
++import java.security.cert.CertPathValidatorException;
++import java.security.cert.PKIXCertPathChecker;
++import java.util.Set;
++import java.util.Collection;
++import sun.security.util.Debug;
++import sun.security.util.UntrustedCertificates;
++
++/**
++ * A <code>PKIXCertPathChecker</code> implementation to check whether a
++ * specified certificate is distrusted.
++ *
++ * @see PKIXCertPathChecker
++ * @see PKIXParameters
++ */
++final public class UntrustedChecker extends PKIXCertPathChecker {
++
++ private static final Debug debug = Debug.getInstance("certpath");
++
++ /**
++ * Default Constructor
++ */
++ public UntrustedChecker() {
++ // blank
++ }
++
++ @Override
++ public void init(boolean forward) throws CertPathValidatorException {
++ // Note that this class supports both forward and reverse modes.
++ }
++
++ @Override
++ public boolean isForwardCheckingSupported() {
++ // Note that this class supports both forward and reverse modes.
++ return true;
++ }
++
++ @Override
++ public Set<String> getSupportedExtensions() {
++ return null;
++ }
++
++ @Override
++ public void check(Certificate cert,
++ Collection<String> unresolvedCritExts)
++ throws CertPathValidatorException {
++
++ X509Certificate currCert = (X509Certificate)cert;
++
++ if (UntrustedCertificates.isUntrusted(currCert)) {
++ if (debug != null) {
++ debug.println("UntrustedChecker: untrusted certificate " +
++ currCert.getSubjectX500Principal());
++ }
++
++ throw new CertPathValidatorException(
++ "Untrusted certificate: " + currCert.getSubjectX500Principal());
++ }
++ }
++}
++
+diff --git a/src/share/classes/sun/security/util/UntrustedCertificates.java b/src/share/classes/sun/security/util/UntrustedCertificates.java
+new file mode 100644
+--- /dev/null
++++ openjdk/jdk/src/share/classes/sun/security/util/UntrustedCertificates.java
+@@ -0,0 +1,743 @@
++/*
++ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++package sun.security.util;
++
++import java.io.IOException;
++import java.io.ByteArrayInputStream;
++import java.security.cert.X509Certificate;
++import java.security.cert.CertificateFactory;
++import java.security.cert.CertificateException;
++import java.util.Set;
++import java.util.HashSet;
++
++/**
++ * A utility class to check if a certificate is untrusted. This is an internal
++ * mechanism that explicitly marks a certificate as untrusted, normally in the
++ * case that a certificate is known to be used for malicious reasons.
++ *
++ * <b>Attention</b>: This check is NOT meant to replace the standard PKI-defined
++ * validation check, neither is it used as an alternative to CRL.
++ */
++public final class UntrustedCertificates {
++
++ private final static Set<X509Certificate> untrustedCerts =
++ new HashSet<X509Certificate>();
++
++ /**
++ * Checks if a certificate is untrusted.
++ *
++ * @param cert the certificate to check
++ * @return true if the certificate is untrusted.
++ */ ++ public static boolean isUntrusted(X509Certificate cert) { ++ return untrustedCerts.contains(cert); ++ } ++ ++ private static void add(String alias, String pemCert) { ++ // generate certificate from PEM certificate ++ try { ++ ByteArrayInputStream is = ++ new ByteArrayInputStream(pemCert.getBytes()); ++ CertificateFactory cf = CertificateFactory.getInstance("X.509"); ++ X509Certificate cert = (X509Certificate)cf.generateCertificate(is); ++ ++ if (!untrustedCerts.add(cert)) { ++ throw new RuntimeException("Duplicate untrusted certificate: " + ++ cert.getSubjectX500Principal()); ++ } ++ } catch (CertificateException e) { ++ throw new RuntimeException( ++ "Incorrect untrusted certificate: " + alias, e); ++ } ++ } ++ ++ static { ++ // ----------------------------------------------------------------- ++ // Compromised CAs of Digicert Malaysia ++ // ++ // Reported by Digicert in its announcement on November 05, 2011. ++ // ++ ++ // Digicert Malaysia intermediate, cross-signed by CyberTrust ++ // ++ // Subject: CN=Digisign Server ID (Enrich), ++ // OU=457608-K, ++ // O=Digicert Sdn. 
Bhd., ++ // C=MY ++ // Issuer: CN=GTE CyberTrust Global Root, ++ // OU=GTE CyberTrust Solutions, Inc., ++ // O=GTE Corporation, ++ // C=US ++ // Serial: 120001705 (07:27:14:a9) ++ add("digicert-server-cross-to-cybertrust-4C0E636A", ++ "-----BEGIN CERTIFICATE-----\n" + ++ "MIIDyzCCAzSgAwIBAgIEBycUqTANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV\n" + ++ "UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU\n" + ++ "cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds\n" + ++ "b2JhbCBSb290MB4XDTA3MDcxNzE1MTc0OFoXDTEyMDcxNzE1MTY1NFowYzELMAkG\n" + ++ "A1UEBhMCTVkxGzAZBgNVBAoTEkRpZ2ljZXJ0IFNkbi4gQmhkLjERMA8GA1UECxMI\n" + ++ "NDU3NjA4LUsxJDAiBgNVBAMTG0RpZ2lzaWduIFNlcnZlciBJRCAoRW5yaWNoKTCB\n" + ++ "nzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEArahkS02Hx4RZufuQRqCmicDx/tXa\n" + ++ "VII3DZkrRSYK6Fawf8qo9I5HhAGCKeOzarWR8/uVhbxyqGToCkCcxfRxrnt7agfq\n" + ++ "kBRPjYmvlKuyBtQCanuYH1m5Os1U+iDfsioK6bjdaZDAKdNO0JftZszFGUkGf/pe\n" + ++ "LHx7hRsyQt97lSUCAwEAAaOCAXgwggF0MBIGA1UdEwEB/wQIMAYBAf8CAQAwXAYD\n" + ++ "VR0gBFUwUzBIBgkrBgEEAbE+AQAwOzA5BggrBgEFBQcCARYtaHR0cDovL2N5YmVy\n" + ++ "dHJ1c3Qub21uaXJvb3QuY29tL3JlcG9zaXRvcnkuY2ZtMAcGBWCDSgEBMA4GA1Ud\n" + ++ "DwEB/wQEAwIB5jCBiQYDVR0jBIGBMH+heaR3MHUxCzAJBgNVBAYTAlVTMRgwFgYD\n" + ++ "VQQKEw9HVEUgQ29ycG9yYXRpb24xJzAlBgNVBAsTHkdURSBDeWJlclRydXN0IFNv\n" + ++ "bHV0aW9ucywgSW5jLjEjMCEGA1UEAxMaR1RFIEN5YmVyVHJ1c3QgR2xvYmFsIFJv\n" + ++ "b3SCAgGlMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly93d3cucHVibGljLXRydXN0\n" + ++ "LmNvbS9jZ2ktYmluL0NSTC8yMDE4L2NkcC5jcmwwHQYDVR0OBBYEFMYWk04WF+wW\n" + ++ "royUdvOGbcV0boR3MA0GCSqGSIb3DQEBBQUAA4GBAHYAe6Z4K2Ydjl42xqSOBfIj\n" + ++ "knyTZ9P0wAp9iy3Z6tVvGvPhSilaIoRNUC9LDPL/hcJ7VdREgr5trGeOvLQfkpxR\n" + ++ "gBoU9m6rYYgLrRx/90tQUdZlG6ZHcRVesHHzNRTyN71jyNXwk1o0X9g96F33xR7A\n" + ++ "5c8fhiSpPAdmzcHSNmNZ\n" + ++ "-----END CERTIFICATE-----"); ++ ++ // Digicert Malaysia intermediate, cross-signed by Entrust ++ // ++ // Subject: CN=Digisign Server ID - (Enrich), ++ // OU=457608-K, ++ // O=Digicert Sdn. 
Bhd., ++ // C=MY ++ // Issuer: CN=Entrust.net Certification Authority (2048) ++ // OU=(c) 1999 Entrust.net Limited, ++ // OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), ++ // O=Entrust.net ++ // Serial: 1184644297 (4c:0e:63:6a) ++ add("digicert-server-cross-to-entrust-ca-4C0E636A", ++ "-----BEGIN CERTIFICATE-----\n" + ++ "MIIEzjCCA7agAwIBAgIETA5jajANBgkqhkiG9w0BAQUFADCBtDEUMBIGA1UEChML\n" + ++ "RW50cnVzdC5uZXQxQDA+BgNVBAsUN3d3dy5lbnRydXN0Lm5ldC9DUFNfMjA0OCBp\n" + ++ "bmNvcnAuIGJ5IHJlZi4gKGxpbWl0cyBsaWFiLikxJTAjBgNVBAsTHChjKSAxOTk5\n" + ++ "IEVudHJ1c3QubmV0IExpbWl0ZWQxMzAxBgNVBAMTKkVudHJ1c3QubmV0IENlcnRp\n" + ++ "ZmljYXRpb24gQXV0aG9yaXR5ICgyMDQ4KTAeFw0xMDA3MTYxNzIzMzdaFw0xNTA3\n" + ++ "MTYxNzUzMzdaMGUxCzAJBgNVBAYTAk1ZMRswGQYDVQQKExJEaWdpY2VydCBTZG4u\n" + ++ "IEJoZC4xETAPBgNVBAsTCDQ1NzYwOC1LMSYwJAYDVQQDEx1EaWdpc2lnbiBTZXJ2\n" + ++ "ZXIgSUQgLSAoRW5yaWNoKTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\n" + ++ "AMWJ5PQNBkCSWccaszXRDkwqM/n4r8qef+65p21g9FTob9Wb8xtjMQRoctE0Foy0\n" + ++ "FyyX3nPF2JAVoBor9cuzSIZE8B2ITM5BQhrv9Qze/kDaOSD3BlU6ap1GwdJvpbLI\n" + ++ "Vz4po5zg6YV3ZuiYpyR+vsBZIOVEb7ZX2L7OwmV3WMZhQdF0BMh/SULFcqlyFu6M\n" + ++ "3RJdtErU0a9Qt9iqdXZorT5dqjBtYairEFs+E78z4K9EnTgiW+9ML6ZxJhUmyiiM\n" + ++ "2fqOjqmiFDXimySItPR/hZ2DTwehthSQNsQ0HI0mYW0Tb3i+6I8nx0uElqOGaAwj\n" + ++ "vgvsjJQAqQSKE5D334VsDLECAwEAAaOCATQwggEwMA4GA1UdDwEB/wQEAwIBBjAS\n" + ++ "BgNVHRMBAf8ECDAGAQH/AgEAMCcGA1UdJQQgMB4GCCsGAQUFBwMBBggrBgEFBQcD\n" + ++ "AgYIKwYBBQUHAwQwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8v\n" + ++ "b2NzcC5lbnRydXN0Lm5ldDBEBgNVHSAEPTA7MDkGBWCDSgEBMDAwLgYIKwYBBQUH\n" + ++ "AgEWImh0dHA6Ly93d3cuZGlnaWNlcnQuY29tLm15L2Nwcy5odG0wMgYDVR0fBCsw\n" + ++ "KTAnoCWgI4YhaHR0cDovL2NybC5lbnRydXN0Lm5ldC8yMDQ4Y2EuY3JsMBEGA1Ud\n" + ++ "DgQKBAhMTswlKAMpgTAfBgNVHSMEGDAWgBRV5IHREYC+2Im5CKMx+aEkCRa5cDAN\n" + ++ "BgkqhkiG9w0BAQUFAAOCAQEAl0zvSjpJrHL8MCBrtClbp8WVBJD5MtXChWreA6E3\n" + ++ "+YkAsFqsVX7bQzX/yQH4Ub7MJsrIaqTEVD4mHucMo82XZ5TdpkLrXM2POXlrM3kh\n" + ++ 
"Bnn6gkQVmczBtznTRmJ8snDrb84gqj4Zt+l0gpy0pUtNYQA35IfS8hQ6ZHy4qXth\n" + ++ "4JMi59WfPkfmNnagU9gAAzoPtTP+lsrT0oI6Lt3XSOHkp2nMHOmZSufKcEXXCwcO\n" + ++ "mnUb0C+Sb/akB8O9HEumhLZ9qJqp0qcp8QtXaR6XVybsK0Os1EWDBQDp4/BGQAf6\n" + ++ "6rFRc5Mcpd1TETfIKqcVJx20qsx/qjEw/LhFn0gJ7RDixQ==\n" + ++ "-----END CERTIFICATE-----"); ++ ++ ++ // ----------------------------------------------------------------- ++ // ++ // No longer used certificates ++ // ++ ++ // Subject: CN=Java Media APIs, ++ // OU=Java Signed Extensions, ++ // OU=Corporate Object Signing, ++ // O=Sun Microsystems Inc ++ // Issuer: CN=Object Signing CA, ++ // OU=Class 2 OnSite Subscriber CA, ++ // OU=VeriSign Trust Network, ++ // O=Sun Microsystems Inc ++ // Serial: 6a:8b:99:91:37:59:4f:89:53:e2:97:18:9f:19:1e:4e ++ add("java-media-pretrusted-9F191E4E", ++ "-----BEGIN CERTIFICATE-----\n" + ++ "MIIFdzCCBF+gAwIBAgIQaouZkTdZT4lT4pcYnxkeTjANBgkqhkiG9w0BAQUFADCB\n" + ++ "gzEdMBsGA1UEChMUU3VuIE1pY3Jvc3lzdGVtcyBJbmMxHzAdBgNVBAsTFlZlcmlT\n" + ++ "aWduIFRydXN0IE5ldHdvcmsxJTAjBgNVBAsTHENsYXNzIDIgT25TaXRlIFN1YnNj\n" + ++ "cmliZXIgQ0ExGjAYBgNVBAMTEU9iamVjdCBTaWduaW5nIENBMB4XDTA5MDUxMjAw\n" + ++ "MDAwMFoXDTEyMDUxMTIzNTk1OVowfTEdMBsGA1UEChQUU3VuIE1pY3Jvc3lzdGVt\n" + ++ "cyBJbmMxITAfBgNVBAsUGENvcnBvcmF0ZSBPYmplY3QgU2lnbmluZzEfMB0GA1UE\n" + ++ "CxQWSmF2YSBTaWduZWQgRXh0ZW5zaW9uczEYMBYGA1UEAxQPSmF2YSBNZWRpYSBB\n" + ++ "UElzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl5blzoKTVE8y4Hpz\n" + ++ "q6E15RZz1bF5HnYEyYqgHkZXnAKedmYCoMzm1XK8s+gQWShLEvGEAvs5yqarx9gE\n" + ++ "nnC21N28aEZgIJMa2/arKxCUkS4pxdGPYGexL9UzSRkUpoBShCZKEGdmX7gfJE2K\n" + ++ "/sd9MFvGV5/yZtWXrADzvm0Kd/9mg1KRv1gfrZIq0TJbupoXPYYqb73AkI9eT2ZD\n" + ++ "q9MdwD4E5+oojsDFXt8GU/D00fUhtXpYwuplU7D667WHYdJhIah0ST6JywyqcLXG\n" + ++ "XSuFTXOgITT2idSHluZVmx3dqJ72u9kPkO4JdJTMDfaK8zgNLaRkiU8Qcj+qhLYH\n" + ++ "ytaqcwIDAQABo4IB6jCCAeYwCQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCB4AwfwYD\n" + ++ "VR0fBHgwdjB0oHKgcIZuaHR0cDovL29uc2l0ZWNybC52ZXJpc2lnbi5jb20vU3Vu\n" + ++ 
"TWljcm9zeXN0ZW1zSW5jQ29ycG9yYXRlT2JqZWN0U2lnbmluZ0phdmFTaWduZWRF\n" + ++ "eHRlbnNpb25zQ2xhc3NCL0xhdGVzdENSTC5jcmwwHwYDVR0jBBgwFoAUs0crgn5T\n" + ++ "tHPKuLsZt76BTQeVx+0wHQYDVR0OBBYEFKS32mVx0gNWTeS4ProHEaeSpvvIMDsG\n" + ++ "CCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAYYfaHR0cDovL29uc2l0ZS1vY3NwLnZl\n" + ++ "cmlzaWduLmNvbTCBtQYDVR0gBIGtMIGqMDkGC2CGSAGG+EUBBxcCMCowKAYIKwYB\n" + ++ "BQUHAgEWHGh0dHBzOi8vd3d3LnZlcmlzaWduLmNvbS9ycGEwbQYLYIZIAYb3AIN9\n" + ++ "nD8wXjAnBggrBgEFBQcCARYbaHR0cHM6Ly93d3cuc3VuLmNvbS9wa2kvY3BzMDMG\n" + ++ "CCsGAQUFBwICMCcaJVZhbGlkYXRlZCBGb3IgU3VuIEJ1c2luZXNzIE9wZXJhdGlv\n" + ++ "bnMwEwYDVR0lBAwwCgYIKwYBBQUHAwMwDQYJKoZIhvcNAQEFBQADggEBAAe6BO4W\n" + ++ "3TSNWfezyelJs6kE3HfulT6Bdyz4UUoh9ykXcV8nRwT+kh25I5MdyG2GfkJoADPR\n" + ++ "VhC5DYo13UFpIsTNVjq+hGYe2hML93bN7ad9SxCCyjHUo3yMz2qgBbHZI3VA9ZHA\n" + ++ "aWM4Tx0saMwbcnVvlbuGh+PXvStfypJqYT6lzcdFfjNVX4FI/QQNGhBswMY51tC8\n" + ++ "GTBCL2qhJon0gSCU4zaawDOf7+XxJWirLamYL1Aal1/h2z2sFrvA/1ftxtU3kZ6I\n" + ++ "7De8DyoHeZg7pYGdrj7g+lPhCga/WvEhN152I+aP08YbFcJHYmK05ngl/Ye4c6Bd\n" + ++ "cdrdfbw6QzEUIYY=\n" + ++ "-----END CERTIFICATE-----"); ++ ++ // Subject: CN=JavaFX 1.0 Runtime, ++ // OU=Java Signed Extensions, ++ // OU=Corporate Object Signing, ++ // O=Sun Microsystems Inc ++ // Issuer: CN=Object Signing CA, ++ // OU=Class 2 OnSite Subscriber CA, ++ // OU=VeriSign Trust Network, ++ // O=Sun Microsystems Inc ++ // Serial: 55:c0:e6:44:59:59:79:9e:d9:26:f1:b0:4a:1e:f0:27 ++ add("java-fx10-pretrusted-4A1EF027", ++ "-----BEGIN CERTIFICATE-----\n" + ++ "MIIFezCCBGOgAwIBAgIQVcDmRFlZeZ7ZJvGwSh7wJzANBgkqhkiG9w0BAQUFADCB\n" + ++ "gzEdMBsGA1UEChMUU3VuIE1pY3Jvc3lzdGVtcyBJbmMxHzAdBgNVBAsTFlZlcmlT\n" + ++ "aWduIFRydXN0IE5ldHdvcmsxJTAjBgNVBAsTHENsYXNzIDIgT25TaXRlIFN1YnNj\n" + ++ "cmliZXIgQ0ExGjAYBgNVBAMTEU9iamVjdCBTaWduaW5nIENBMB4XDTA4MTAwOTAw\n" + ++ "MDAwMFoXDTExMTAwOTIzNTk1OVowgYAxHTAbBgNVBAoUFFN1biBNaWNyb3N5c3Rl\n" + ++ "bXMgSW5jMSEwHwYDVQQLFBhDb3Jwb3JhdGUgT2JqZWN0IFNpZ25pbmcxHzAdBgNV\n" + ++ 
"BAsUFkphdmEgU2lnbmVkIEV4dGVuc2lvbnMxGzAZBgNVBAMUEkphdmFGWCAxLjAg\n" + ++ "UnVudGltZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM+WDc6+bu+4\n" + ++ "tmAcS/lBtUc02WOt9QZpVsXg9cG2pu/8bUtmDELa8iiYBVFpIs8DU58HLrGQtCUY\n" + ++ "SIAGOVPsOJoN29UKCDWfY9j5JeVhfhMGqk9DwrWhzgsjy4cpZ1pIp+k/fJ8zT8Ul\n" + ++ "aYLpow1vg3UNddsmwz02tN7cOrMw9WYIG4CRYnY1OrtJSfe2pYzheC4zyvR+aiVl\n" + ++ "nang2OtqikSQsNFOFHsLOJFxngy9LrO8evDSu25VTKI6zlWU6/bMeqtztJPN0VOn\n" + ++ "NyUrJZvkxZ207Jg0T693BGSxNC1n+ihztXogql8950M/pEuUbDjylv5FFvlp6DSB\n" + ++ "dDT2MkutmyMCAwEAAaOCAeowggHmMAkGA1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeA\n" + ++ "MH8GA1UdHwR4MHYwdKByoHCGbmh0dHA6Ly9vbnNpdGVjcmwudmVyaXNpZ24uY29t\n" + ++ "L1N1bk1pY3Jvc3lzdGVtc0luY0NvcnBvcmF0ZU9iamVjdFNpZ25pbmdKYXZhU2ln\n" + ++ "bmVkRXh0ZW5zaW9uc0NsYXNzQi9MYXRlc3RDUkwuY3JsMB8GA1UdIwQYMBaAFLNH\n" + ++ "K4J+U7Rzyri7Gbe+gU0HlcftMB0GA1UdDgQWBBTjgufVi3XJ3gx1ewsA6Rr7BR4Z\n" + ++ "zjA7BggrBgEFBQcBAQQvMC0wKwYIKwYBBQUHMAGGH2h0dHA6Ly9vbnNpdGUtb2Nz\n" + ++ "cC52ZXJpc2lnbi5jb20wgbUGA1UdIASBrTCBqjA5BgtghkgBhvhFAQcXAjAqMCgG\n" + ++ "CCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMG0GC2CGSAGG\n" + ++ "9wCDfZw/MF4wJwYIKwYBBQUHAgEWG2h0dHBzOi8vd3d3LnN1bi5jb20vcGtpL2Nw\n" + ++ "czAzBggrBgEFBQcCAjAnGiVWYWxpZGF0ZWQgRm9yIFN1biBCdXNpbmVzcyBPcGVy\n" + ++ "YXRpb25zMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBBQUAA4IBAQAB\n" + ++ "YVJTTVe7rzyTO4jc3zajErOT/COkdQTfNo0eIX1QbNynFieJvwY/jRzUZwjktIFR\n" + ++ "2p4JtbpHGAtKtjOAOTieQ8xdDOoC1djzpE7/AbMvuvlTavtUKT+F7tPdhfXgWXJV\n" + ++ "6Wbt8jryKyk3zZGiEhauIwZUkfjRkEtffEmZWLUd8c8rURJjfC/XHH2oyurscoxc\n" + ++ "CjX29c9ynxSiS/VvQp1an0HvErGh69N48wj7cj8mtZ1yHzd2XCzSSR1OfTPfk0Pt\n" + ++ "yg51p7yJaFiH21PTZegEL6zyVNOYBTKwwIi2OzpwYalD3uvK6e3OKDrfFCOxu17u\n" + ++ "4PveESbrdyrmvLe7IVez\n" + ++ "-----END CERTIFICATE-----"); ++ ++ // Subject: CN=JavaFX Runtime, ++ // OU=Java Signed Extensions, ++ // OU=Corporate Object Signing, ++ // O=Sun Microsystems Inc ++ // Issuer: CN=Object Signing CA, ++ // OU=Class 2 OnSite Subscriber CA, ++ // OU=VeriSign Trust 
Network, ++ // O=Sun Microsystems Inc ++ // Serial: 47:f4:55:f1:da:4a:5e:f9:e3:f7:a8:03:62:17:c0:ff ++ add("javafx-runtime-pretrusted-6217C0FF", ++ "-----BEGIN CERTIFICATE-----\n" + ++ "MIIFdjCCBF6gAwIBAgIQR/RV8dpKXvnj96gDYhfA/zANBgkqhkiG9w0BAQUFADCB\n" + ++ "gzEdMBsGA1UEChMUU3VuIE1pY3Jvc3lzdGVtcyBJbmMxHzAdBgNVBAsTFlZlcmlT\n" + ++ "aWduIFRydXN0IE5ldHdvcmsxJTAjBgNVBAsTHENsYXNzIDIgT25TaXRlIFN1YnNj\n" + ++ "cmliZXIgQ0ExGjAYBgNVBAMTEU9iamVjdCBTaWduaW5nIENBMB4XDTA5MDEyOTAw\n" + ++ "MDAwMFoXDTEyMDEyOTIzNTk1OVowfDEdMBsGA1UEChQUU3VuIE1pY3Jvc3lzdGVt\n" + ++ "cyBJbmMxITAfBgNVBAsUGENvcnBvcmF0ZSBPYmplY3QgU2lnbmluZzEfMB0GA1UE\n" + ++ "CxQWSmF2YSBTaWduZWQgRXh0ZW5zaW9uczEXMBUGA1UEAxQOSmF2YUZYIFJ1bnRp\n" + ++ "bWUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCIzd0fAk8mI9ONc6RJ\n" + ++ "aGieioK2FLdXEwj8zL3vdGDVmBwyR1zwYkaOIFFgF9IW/8qc4iAYA5sGUY+0g8q3\n" + ++ "5DuYAxfTzBB5KdaYvbuq6GGnoHIWmTirXY+1friFp8lyXSvtuEaGB1VHaBoZchEg\n" + ++ "k+UgeVDA43dHwcT1Ov3DePczJRUes8T/QHzLX+BxUDG43vjyncCEO/AjqLZxXEz2\n" + ++ "xrNbKLcH3lGMJK7hdbfssUfF5BjC38Hn71HauYlA43b2no+2y0Sjulwzez2YPbDC\n" + ++ "0GLR3TnKtA8dqOrnl5t3DniDbfOBNtBE3VOydJO0XW57Ng1HRXD023nm9ECPY2xp\n" + ++ "0N/pAgMBAAGjggHqMIIB5jAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIHgDB/BgNV\n" + ++ "HR8EeDB2MHSgcqBwhm5odHRwOi8vb25zaXRlY3JsLnZlcmlzaWduLmNvbS9TdW5N\n" + ++ "aWNyb3N5c3RlbXNJbmNDb3Jwb3JhdGVPYmplY3RTaWduaW5nSmF2YVNpZ25lZEV4\n" + ++ "dGVuc2lvbnNDbGFzc0IvTGF0ZXN0Q1JMLmNybDAfBgNVHSMEGDAWgBSzRyuCflO0\n" + ++ "c8q4uxm3voFNB5XH7TAdBgNVHQ4EFgQUvOdd0cKPj+Yik/iOBwTdphh5A+gwOwYI\n" + ++ "KwYBBQUHAQEELzAtMCsGCCsGAQUFBzABhh9odHRwOi8vb25zaXRlLW9jc3AudmVy\n" + ++ "aXNpZ24uY29tMIG1BgNVHSAEga0wgaowOQYLYIZIAYb4RQEHFwIwKjAoBggrBgEF\n" + ++ "BQcCARYcaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYTBtBgtghkgBhvcAg32c\n" + ++ "PzBeMCcGCCsGAQUFBwIBFhtodHRwczovL3d3dy5zdW4uY29tL3BraS9jcHMwMwYI\n" + ++ "KwYBBQUHAgIwJxolVmFsaWRhdGVkIEZvciBTdW4gQnVzaW5lc3MgT3BlcmF0aW9u\n" + ++ "czATBgNVHSUEDDAKBggrBgEFBQcDAzANBgkqhkiG9w0BAQUFAAOCAQEAbGcf2NjL\n" + ++ 
"AI93HG6ny2BbepaZA1a8xa/R6uUc7xV+Qw6MgLwFD4Q4i6LWUztQDvg9l68MM2/i\n" + ++ "Y9LEi1KM4lcNbK5+D+t9x98wXBiuojXhVdp5ZmC03EyEBbriopdBsmXVLDSu/Y3+\n" + ++ "zowOO5xwpMK3dbgsSDs2Vt0UosD3FTcRaD3GNfOhXMp+o1grHNiXF9YgkmdQbPPZ\n" + ++ "DQ2KBhFPCRJXBGvyKOqno/DTg0sQ3crGH/C4/4t7mnQXWldZotmJUZ0ONc9oD+Q1\n" + ++ "JAaguUKqIwn9yZ093ie+JWHbYNid9IIIPXYgtRxmf9a376WBhqhu56uJftBJ7x9g\n" + ++ "eQ7Lot6CSWCiFw==\n" + ++ "-----END CERTIFICATE-----"); ++ ++ // ++ // Compromised Solaris INTERNAL DEVELOPMENT USE ONLY certificate ++ // ++ ++ // Subject: CN=Solaris INTERNAL DEVELOPMENT USE ONLY, ++ // OU=Solaris Cryptographic Framework, ++ // OU=Corporate Object Signing, ++ // O=Sun Microsystems Inc ++ // Issuer: CN=Object Signing CA, ++ // OU=Class 2 OnSite Subscriber CA, ++ // OU=VeriSign Trust Network, ++ // O=Sun Microsystems Inc ++ // Serial: 77:29:77:52:6a:19:7b:9a:a6:a2:c7:99:a0:e1:cd:8c ++ add("solaris-internal-dev-A0E1CD8C", ++ "-----BEGIN CERTIFICATE-----\n" + ++ "MIIFHjCCBAagAwIBAgIQdyl3UmoZe5qmoseZoOHNjDANBgkqhkiG9w0BAQUFADCB\n" + ++ "gzEdMBsGA1UEChMUU3VuIE1pY3Jvc3lzdGVtcyBJbmMxHzAdBgNVBAsTFlZlcmlT\n" + ++ "aWduIFRydXN0IE5ldHdvcmsxJTAjBgNVBAsTHENsYXNzIDIgT25TaXRlIFN1YnNj\n" + ++ "cmliZXIgQ0ExGjAYBgNVBAMTEU9iamVjdCBTaWduaW5nIENBMB4XDTA3MDEwNDAw\n" + ++ "MDAwMFoXDTEwMDEwMzIzNTk1OVowgZwxHTAbBgNVBAoUFFN1biBNaWNyb3N5c3Rl\n" + ++ "bXMgSW5jMSEwHwYDVQQLFBhDb3Jwb3JhdGUgT2JqZWN0IFNpZ25pbmcxKDAmBgNV\n" + ++ "BAsUH1NvbGFyaXMgQ3J5cHRvZ3JhcGhpYyBGcmFtZXdvcmsxLjAsBgNVBAMUJVNv\n" + ++ "bGFyaXMgSU5URVJOQUwgREVWRUxPUE1FTlQgVVNFIE9OTFkwgZ8wDQYJKoZIhvcN\n" + ++ "AQEBBQADgY0AMIGJAoGBALbNU4hf3mD5ArDI9pjgioAyvV3bjMPRQdCZniIeGJBp\n" + ++ "odFlSEH+Mh64W1DsY8coeZ7FvvGJkx9IpTMJW9k8w1oJK9UNqHyAQfaYjQyXi3xQ\n" + ++ "LJp62EvYdGfDlwOZejEcR/MbzZG+GOPMMvQj5+xyFDvLXNGfQNTnxw2qnBgCJXjj\n" + ++ "AgMBAAGjggH1MIIB8TAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIHgDCBiQYDVR0f\n" + ++ "BIGBMH8wfaB7oHmGd2h0dHA6Ly9vbnNpdGVjcmwudmVyaXNpZ24uY29tL1N1bk1p\n" + ++ "Y3Jvc3lzdGVtc0luY0NvcnBvcmF0ZU9iamVjdFNpZ25pbmdTb2xhcmlzQ3J5cHRv\n" + ++ 
"Z3JhcGhpY0ZyYW1ld29ya0NsYXNzQi9MYXRlc3RDUkwuY3JsMB8GA1UdIwQYMBaA\n" + ++ "FLNHK4J+U7Rzyri7Gbe+gU0HlcftMB0GA1UdDgQWBBRpfiGYkehTnsIzuN2H6AFb\n" + ++ "VCZG8jA7BggrBgEFBQcBAQQvMC0wKwYIKwYBBQUHMAGGH2h0dHA6Ly9vbnNpdGUt\n" + ++ "b2NzcC52ZXJpc2lnbi5jb20wgbUGA1UdIASBrTCBqjA5BgtghkgBhvhFAQcXAjAq\n" + ++ "MCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5jb20vcnBhMG0GC2CG\n" + ++ "SAGG9wCDfZw/MF4wJwYIKwYBBQUHAgEWG2h0dHBzOi8vd3d3LnN1bi5jb20vcGtp\n" + ++ "L2NwczAzBggrBgEFBQcCAjAnFiVWYWxpZGF0ZWQgRm9yIFN1biBCdXNpbmVzcyBP\n" + ++ "cGVyYXRpb25zMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0GCSqGSIb3DQEBBQUAA4IB\n" + ++ "AQCG5soy3LFHTFbA8/5SzDRhQoJkHUnOP0t3b6nvX6vZYRp649fje7TQOPRm1pFd\n" + ++ "CZ17J+tggdZwgzTqY4aYpJ00jZaK6pV37q/vgFC/ia6jDs8Q+ly9cEcadBZ5loYg\n" + ++ "cmxp9p57W2MNWx8VA8oFdNtKfF0jUNXbLNtvwGHmgR6YcwLrGN1b6/9Lt9bO3ODl\n" + ++ "FO+ZDwkfQz5ClUVrTx2dGBvKRYFqSG5S8JAfsgYhPvcacUQkA7ExyKvfRXLWVrce\n" + ++ "ZiPpcElbx+819H2sAPvVvparVeAruZGMAtejHZp9NFoowKen5drJp9VxePS4eM49\n" + ++ "3DepB6lKRrNRw66LNQol4ZBz\n" + ++ "-----END CERTIFICATE-----"); ++ ++ ++ // ----------------------------------------------------------------- ++ // Compromised CAs of DigiNotar ++ // ++ // Reported by Fox-IT in its interim report on September 5, 2011, ++ // "DigiNotar Certificate Authority breach 'Operation Black Tulip'". 
++ // ++ ++ // ++ // Compromised DigiNotar Cyber CA ++ // ++ ++ // DigiNotar intermediate, cross-signed by CyberTrust ++ // ++ // Subject: EMAILADDRESS=info@diginotar.nl, CN=DigiNotar Cyber CA, ++ // O=DigiNotar, C=NL ++ // Issuer: CN=GTE CyberTrust Global Root, ++ // OU=GTE CyberTrust Solutions, Inc., ++ // O=GTE Corporation, ++ // C=US ++ // Serial: 120000525 (07:27:10:0D) ++ add("info-at-diginotar-cyber-ca-cross-to-gte-cybertrust-0727100D", ++ "-----BEGIN CERTIFICATE-----\n" + ++ "MIIFWjCCBMOgAwIBAgIEBycQDTANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV\n" + ++ "UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU\n" + ++ "cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds\n" + ++ "b2JhbCBSb290MB4XDTA2MTAwNDEwNTQxMVoXDTExMTAwNDEwNTMxMVowYDELMAkG\n" + ++ "A1UEBhMCTkwxEjAQBgNVBAoTCURpZ2lOb3RhcjEbMBkGA1UEAxMSRGlnaU5vdGFy\n" + ++ "IEN5YmVyIENBMSAwHgYJKoZIhvcNAQkBFhFpbmZvQGRpZ2lub3Rhci5ubDCCAiIw\n" + ++ "DQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANLOFQotqF6EZ639vu9Gx8i5z3P8\n" + ++ "9DS5+SxD52ATPXrjss87Z2yQrcC5P4RS8DVC3HTcKDu9UrSnrHJFF8bwieu0qiXy\n" + ++ "XUte0dmHutZ9fPXOMp8QM8WxSrtekTHC0OlBwpFkfglBO9uLCDdqqspS3rU5HsCI\n" + ++ "A6U/i5kTYUO1m4Kz7iBvz6FEouova0CfjytXraFTwoUiaZ2gP1HfC0GRDaXhqKpc\n" + ++ "SQhdvd5wQbEPyWNr0380dAIvNFp4dRxoeoFnivPaQPBgY/SSINcDpj2jHmfEhBtB\n" + ++ "pcmM5r3qSLYFFgizNxJa92E89zhvLpfgb1Y4VNMota0Ubi5LZLUnZbd1JQm2Bz2V\n" + ++ "VgIKgmCyc0XgMyZRdJq51FAc9k1bW1JSE1qmf6cO4ehBVGeYjIfVydNsy9NUkgYJ\n" + ++ "NEH3gW8/nsl8dVWw58Gzd+jDxAA1lUBwEEoF3iW7n1mlZLxHYL9g43aLE1Xd4XR6\n" + ++ "uc8kpmp/3mQiRFhogmoQ+T3lPhu5vfwi9GAEibtVbShV+t6OjRshFNc3izR7Tfay\n" + ++ "shDPM7F9HGKZSMsrbHaWVb8ZDR0fu2WqG46ZtcYokOWCLXhQIJr9eS8kf/CJKWn0\n" + ++ "fc1zvrPtTsHR7VJej/e4142HrbLZG1ES/1az4a80fVykeIgQnp0DxqWqoiRR90kU\n" + ++ "xbHuWUOV36toKDA/AgMBAAGjggGGMIIBgjASBgNVHRMBAf8ECDAGAQH/AgEBMFMG\n" + ++ "A1UdIARMMEowSAYJKwYBBAGxPgEAMDswOQYIKwYBBQUHAgEWLWh0dHA6Ly93d3cu\n" + ++ "cHVibGljLXRydXN0LmNvbS9DUFMvT21uaVJvb3QuaHRtbDAOBgNVHQ8BAf8EBAMC\n" + ++ 
"AQYwgaAGA1UdIwSBmDCBlYAUpgwdn2H/Bxe1vzhG20Mw1Y6wUgaheaR3MHUxCzAJ\n" + ++ "BgNVBAYTAlVTMRgwFgYDVQQKEw9HVEUgQ29ycG9yYXRpb24xJzAlBgNVBAsTHkdU\n" + ++ "RSBDeWJlclRydXN0IFNvbHV0aW9ucywgSW5jLjEjMCEGA1UEAxMaR1RFIEN5YmVy\n" + ++ "VHJ1c3QgR2xvYmFsIFJvb3SCAgGlMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly93\n" + ++ "d3cucHVibGljLXRydXN0LmNvbS9jZ2ktYmluL0NSTC8yMDE4L2NkcC5jcmwwHQYD\n" + ++ "VR0OBBYEFKv5aN/PSjfXe0WMX3LeQETDZbvCMA0GCSqGSIb3DQEBBQUAA4GBAI9o\n" + ++ "a6VbB7pEZg4cqFwwezPkCiYE/O+eGjjWLqEf0JlHwnVkJP2eOyh2uSYoYZEMbSz4\n" + ++ "BJ98UAHV42mv7xXSRZskCSpmBU8lgcpdvqrBWSeuM46C9990sFWzjvjnN8huqlZE\n" + ++ "9r1TgSOWPbT6MopTZkQloiXGpjwljPDgKAYityZB\n" + ++ "-----END CERTIFICATE-----"); ++ ++ // DigiNotar intermediate, cross-signed by CyberTrust ++ // ++ // Subject: CN=DigiNotar Cyber CA, O=DigiNotar, C=NL ++ // Issuer: CN=GTE CyberTrust Global Root, ++ // OU=GTE CyberTrust Solutions, Inc., ++ // O=GTE Corporation, ++ // C=US ++ // Serial: 120000505 (07:27:0F:F9) ++ add("diginotar-cyber-ca-cross-to-gte-cybertrust-07270FF9", ++ "-----BEGIN CERTIFICATE-----\n" + ++ "MIIFODCCBKGgAwIBAgIEBycP+TANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV\n" + ++ "UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU\n" + ++ "cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds\n" + ++ "b2JhbCBSb290MB4XDTA2MDkyMDA5NDUzMloXDTEzMDkyMDA5NDQwNlowPjELMAkG\n" + ++ "A1UEBhMCTkwxEjAQBgNVBAoTCURpZ2lOb3RhcjEbMBkGA1UEAxMSRGlnaU5vdGFy\n" + ++ "IEN5YmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0s4VCi2o\n" + ++ "XoRnrf2+70bHyLnPc/z0NLn5LEPnYBM9euOyzztnbJCtwLk/hFLwNULcdNwoO71S\n" + ++ "tKesckUXxvCJ67SqJfJdS17R2Ye61n189c4ynxAzxbFKu16RMcLQ6UHCkWR+CUE7\n" + ++ "24sIN2qqylLetTkewIgDpT+LmRNhQ7WbgrPuIG/PoUSi6i9rQJ+PK1etoVPChSJp\n" + ++ "naA/Ud8LQZENpeGoqlxJCF293nBBsQ/JY2vTfzR0Ai80Wnh1HGh6gWeK89pA8GBj\n" + ++ "9JIg1wOmPaMeZ8SEG0GlyYzmvepItgUWCLM3Elr3YTz3OG8ul+BvVjhU0yi1rRRu\n" + ++ "LktktSdlt3UlCbYHPZVWAgqCYLJzReAzJlF0mrnUUBz2TVtbUlITWqZ/pw7h6EFU\n" + ++ 
"Z5iMh9XJ02zL01SSBgk0QfeBbz+eyXx1VbDnwbN36MPEADWVQHAQSgXeJbufWaVk\n" + ++ "vEdgv2DjdosTVd3hdHq5zySman/eZCJEWGiCahD5PeU+G7m9/CL0YASJu1VtKFX6\n" + ++ "3o6NGyEU1zeLNHtN9rKyEM8zsX0cYplIyytsdpZVvxkNHR+7Zaobjpm1xiiQ5YIt\n" + ++ "eFAgmv15LyR/8IkpafR9zXO+s+1OwdHtUl6P97jXjYetstkbURL/VrPhrzR9XKR4\n" + ++ "iBCenQPGpaqiJFH3SRTFse5ZQ5Xfq2goMD8CAwEAAaOCAYYwggGCMBIGA1UdEwEB\n" + ++ "/wQIMAYBAf8CAQEwUwYDVR0gBEwwSjBIBgkrBgEEAbE+AQAwOzA5BggrBgEFBQcC\n" + ++ "ARYtaHR0cDovL3d3dy5wdWJsaWMtdHJ1c3QuY29tL0NQUy9PbW5pUm9vdC5odG1s\n" + ++ "MA4GA1UdDwEB/wQEAwIBBjCBoAYDVR0jBIGYMIGVgBSmDB2fYf8HF7W/OEbbQzDV\n" + ++ "jrBSBqF5pHcwdTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0dURSBDb3Jwb3JhdGlv\n" + ++ "bjEnMCUGA1UECxMeR1RFIEN5YmVyVHJ1c3QgU29sdXRpb25zLCBJbmMuMSMwIQYD\n" + ++ "VQQDExpHVEUgQ3liZXJUcnVzdCBHbG9iYWwgUm9vdIICAaUwRQYDVR0fBD4wPDA6\n" + ++ "oDigNoY0aHR0cDovL3d3dy5wdWJsaWMtdHJ1c3QuY29tL2NnaS1iaW4vQ1JMLzIw\n" + ++ "MTgvY2RwLmNybDAdBgNVHQ4EFgQUq/lo389KN9d7RYxfct5ARMNlu8IwDQYJKoZI\n" + ++ "hvcNAQEFBQADgYEACcpiD427SuDUejUrBi3RKGG2rAH7g0m8rtQvLYauGYOl1h0T\n" + ++ "4he+/jJ06XoUOMqUXvcpAWlxG5Ea/aO7qh3Ke+IW/aGjDvMMX7LhIDGUK16Sdu36\n" + ++ "6bUjpr8KOwOpb1JgVM1f6bcvfKIn/UGDdbYN+3gm87FF6TKVKho1IZXFonU=\n" + ++ "-----END CERTIFICATE-----"); ++ ++ // DigiNotar intermediate, cross-signed by CyberTrust ++ // ++ // Subject: CN=DigiNotar Cyber CA, O=DigiNotar, C=NL ++ // Issuer: CN=GTE CyberTrust Global Root, ++ // OU=GTE CyberTrust Solutions, Inc., ++ // O=GTE Corporation, ++ // C=US ++ // Serial: 120000515 (07:27:10:03) ++ add("diginotar-cyber-ca-cross-to-gte-cybertrust-07271003", ++ "-----BEGIN CERTIFICATE-----\n" + ++ "MIIFODCCBKGgAwIBAgIEBycQAzANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJV\n" + ++ "UzEYMBYGA1UEChMPR1RFIENvcnBvcmF0aW9uMScwJQYDVQQLEx5HVEUgQ3liZXJU\n" + ++ "cnVzdCBTb2x1dGlvbnMsIEluYy4xIzAhBgNVBAMTGkdURSBDeWJlclRydXN0IEds\n" + ++ "b2JhbCBSb290MB4XDTA2MDkyNzEwNTMzMloXDTExMDkyNzEwNTIzMFowPjELMAkG\n" + ++ "A1UEBhMCTkwxEjAQBgNVBAoTCURpZ2lOb3RhcjEbMBkGA1UEAxMSRGlnaU5vdGFy\n" + ++ 
"IEN5YmVyIENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA0s4VCi2o\n" + ++ "XoRnrf2+70bHyLnPc/z0NLn5LEPnYBM9euOyzztnbJCtwLk/hFLwNULcdNwoO71S\n" + ++ "tKesckUXxvCJ67SqJfJdS17R2Ye61n189c4ynxAzxbFKu16RMcLQ6UHCkWR+CUE7\n" + ++ "24sIN2qqylLetTkewIgDpT+LmRNhQ7WbgrPuIG/PoUSi6i9rQJ+PK1etoVPChSJp\n" + ++ "naA/Ud8LQZENpeGoqlxJCF293nBBsQ/JY2vTfzR0Ai80Wnh1HGh6gWeK89pA8GBj\n" + ++ "9JIg1wOmPaMeZ8SEG0GlyYzmvepItgUWCLM3Elr3YTz3OG8ul+BvVjhU0yi1rRRu\n" + ++ "LktktSdlt3UlCbYHPZVWAgqCYLJzReAzJlF0mrnUUBz2TVtbUlITWqZ/pw7h6EFU\n" + ++ "Z5iMh9XJ02zL01SSBgk0QfeBbz+eyXx1VbDnwbN36MPEADWVQHAQSgXeJbufWaVk\n" + ++ "vEdgv2DjdosTVd3hdHq5zySman/eZCJEWGiCahD5PeU+G7m9/CL0YASJu1VtKFX6\n" + ++ "3o6NGyEU1zeLNHtN9rKyEM8zsX0cYplIyytsdpZVvxkNHR+7Zaobjpm1xiiQ5YIt\n" + ++ "eFAgmv15LyR/8IkpafR9zXO+s+1OwdHtUl6P97jXjYetstkbURL/VrPhrzR9XKR4\n" + ++ "iBCenQPGpaqiJFH3SRTFse5ZQ5Xfq2goMD8CAwEAAaOCAYYwggGCMBIGA1UdEwEB\n" + ++ "/wQIMAYBAf8CAQEwUwYDVR0gBEwwSjBIBgkrBgEEAbE+AQAwOzA5BggrBgEFBQcC\n" + ++ "ARYtaHR0cDovL3d3dy5wdWJsaWMtdHJ1c3QuY29tL0NQUy9PbW5pUm9vdC5odG1s\n" + ++ "MA4GA1UdDwEB/wQEAwIBBjCBoAYDVR0jBIGYMIGVgBSmDB2fYf8HF7W/OEbbQzDV\n" + ++ "jrBSBqF5pHcwdTELMAkGA1UEBhMCVVMxGDAWBgNVBAoTD0dURSBDb3Jwb3JhdGlv\n" + ++ "bjEnMCUGA1UECxMeR1RFIEN5YmVyVHJ1c3QgU29sdXRpb25zLCBJbmMuMSMwIQYD\n" + ++ "VQQDExpHVEUgQ3liZXJUcnVzdCBHbG9iYWwgUm9vdIICAaUwRQYDVR0fBD4wPDA6\n" + ++ "oDigNoY0aHR0cDovL3d3dy5wdWJsaWMtdHJ1c3QuY29tL2NnaS1iaW4vQ1JMLzIw\n" + ++ "MTgvY2RwLmNybDAdBgNVHQ4EFgQUq/lo389KN9d7RYxfct5ARMNlu8IwDQYJKoZI\n" + ++ "hvcNAQEFBQADgYEAWcyGZhizJlRP1jjNupZey+yZG6oMDW4Z11boriMHbYPCndBE\n" + ++ "bVh07zmPbZsihOw9w/vm5KbVX5CgxUv4Rhzh/20Faixf3P3bpWg0qgzHVVusNVR/\n" + ++ "P50aKkpdK3hp+QLl56e+lWOddSAINIpmcuyDI1hyuzB+GJEASm9tNU/6rs8=\n" + ++ "-----END CERTIFICATE-----"); ++ ++ // ++ // Compromised DigiNotar Root CA ++ // ++ ++ // DigiNotar intermediate, cross-signed by Entrust ++ // ++ // Subject: EMAILADDRESS=info@diginotar.nl, ++ // CN=DigiNotar Root CA, ++ // O=DigiNotar, C=NL ++ // Issuer: CN=Entrust.net Secure Server Certification 
Authority ++ // OU=(c) 1999 Entrust.net Limited, ++ // OU=www.entrust.net/CPS incorp. by ref. (limits liab.), ++ // O=Entrust.net, ++ // C=US, ++ // Serial: 1184644297 (46:9C:3C:C9) ++ add("info-at-diginotar-root-ca-cross-to-entrust-secure-server-469C3CC9", ++ "-----BEGIN CERTIFICATE-----\n" + ++ "MIIFSDCCBLGgAwIBAgIERpw8yTANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC\n" + ++ "VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u\n" + ++ "ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc\n" + ++ "KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u\n" + ++ "ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNzA0\n" + ++ "MjYwNTAwMDBaFw0xMzA4MTQyMDEyMzZaMF8xCzAJBgNVBAYTAk5MMRIwEAYDVQQK\n" + ++ "EwlEaWdpTm90YXIxGjAYBgNVBAMTEURpZ2lOb3RhciBSb290IENBMSAwHgYJKoZI\n" + ++ "hvcNAQkBFhFpbmZvQGRpZ2lub3Rhci5ubDCCAiIwDQYJKoZIhvcNAQEBBQADggIP\n" + ++ "ADCCAgoCggIBAKywWMEAvdghCAsrmv5uVjAFnxt3kBBBXMMNhxF3joHxynzpjGrt\n" + ++ "OHQ1u9rf+bvACTe0lnOBfTMamDn3k2+Vfz25sXWHulFI6ItwPpUExdi2wxbZiLCx\n" + ++ "hx1w2oa0DxSLes8Q0XQ2ohJ7d4ZKeeZ73wIRaKVOhq40WJskE3hWIiUeAYtLUXH7\n" + ++ "gsxZlmmIWmhTxbkNAjfLS7xmSpB+KgsFB+0WX1WQddhGyRuD4gi+8SPMmR3WKg+D\n" + ++ "IBVYJ4Iu+uIiwkmxuQGBap1tnUB3aHZOISpthECFTnaZfILz87cCWdQmARuO361T\n" + ++ "BtGuGN3isjrL14g4jqxbKbkZ05j5GAPPSIKGZgsbaQ/J6ziIeiYaBUyS1yTUlvKs\n" + ++ "Ui2jR9VS9j/+zoQGcKaqPqLytlY0GFei5IFt58rwatPHkWsCg0F8Fe9rmmRe49A8\n" + ++ "5bHre12G+8vmd0nNo2Xc97mcuOQLX5PPzDAaMhzOHGOVpfnq4XSLnukrqTB7oBgf\n" + ++ "DhgL5Vup09FsHgdnj5FLqYq80maqkwGIspH6MVzVpsFSCAnNCmOi0yKm6KHZOQaX\n" + ++ "9W6NApCMFHs/gM0bnLrEWHIjr7ZWn8Z6QjMpBz+CyeYfBQ3NTCg2i9PIPhzGiO9e\n" + ++ "7olk6R3r2ol+MqZp0d3MiJ/R0MlmIdwGZ8WUepptYkx9zOBkgLKeR46jAgMBAAGj\n" + ++ "ggEmMIIBIjASBgNVHRMBAf8ECDAGAQH/AgEBMCcGA1UdJQQgMB4GCCsGAQUFBwMB\n" + ++ "BggrBgEFBQcDAgYIKwYBBQUHAwQwEQYDVR0gBAowCDAGBgRVHSAAMDMGCCsGAQUF\n" + ++ "BwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZW50cnVzdC5uZXQwMwYD\n" + ++ "VR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5lbnRydXN0Lm5ldC9zZXJ2ZXIxLmNy\n" + ++ 
"bDAdBgNVHQ4EFgQUiGi/4I41xDs4a2L3KDuEgcgM100wCwYDVR0PBAQDAgEGMB8G\n" + ++ "A1UdIwQYMBaAFPAXYhNVPbP/CgBr+1CEl/PtYtAaMBkGCSqGSIb2fQdBAAQMMAob\n" + ++ "BFY3LjEDAgCBMA0GCSqGSIb3DQEBBQUAA4GBAI979rBep8tu3TeLunapgsZ0jtXp\n" + ++ "GDFjKWSk87dj1jCyYi+q/GyDyZ6ZQZNRP0sF+6twscq05lClWNy3TROMp7QeuoLO\n" + ++ "G7Utw3OJaswUtp4YglANMRTHEe3g9ltifUXRH5tSuy7u6yi4LD4WTm5ULP6r/g6l\n" + ++ "0CnjXYb0+b1Fmz6U\n" + ++ "-----END CERTIFICATE-----"); ++ ++ // DigiNotar intermediate, cross-signed by Entrust ++ // ++ // Subject: EMAILADDRESS=info@diginotar.nl, ++ // CN=DigiNotar Root CA, ++ // O=DigiNotar, C=NL ++ // Issuer: CN=Entrust.net Secure Server Certification Authority ++ // OU=(c) 1999 Entrust.net Limited, ++ // OU=www.entrust.net/CPS incorp. by ref. (limits liab.), ++ // O=Entrust.net, ++ // C=US, ++ // Serial: 1184640175 (46:9C:2C:AF) ++ add("info-at-diginotar-root-ca-cross-to-entrust-secure-server-469C2CAF", ++ "-----BEGIN CERTIFICATE-----\n" + ++ "MIIFSDCCBLGgAwIBAgIERpwsrzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC\n" + ++ "VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u\n" + ++ "ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc\n" + ++ "KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u\n" + ++ "ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNzA3\n" + ++ "MjYxNTU3MzlaFw0xMzA4MjYxNjI3MzlaMF8xCzAJBgNVBAYTAk5MMRIwEAYDVQQK\n" + ++ "EwlEaWdpTm90YXIxGjAYBgNVBAMTEURpZ2lOb3RhciBSb290IENBMSAwHgYJKoZI\n" + ++ "hvcNAQkBFhFpbmZvQGRpZ2lub3Rhci5ubDCCAiIwDQYJKoZIhvcNAQEBBQADggIP\n" + ++ "ADCCAgoCggIBAKywWMEAvdghCAsrmv5uVjAFnxt3kBBBXMMNhxF3joHxynzpjGrt\n" + ++ "OHQ1u9rf+bvACTe0lnOBfTMamDn3k2+Vfz25sXWHulFI6ItwPpUExdi2wxbZiLCx\n" + ++ "hx1w2oa0DxSLes8Q0XQ2ohJ7d4ZKeeZ73wIRaKVOhq40WJskE3hWIiUeAYtLUXH7\n" + ++ "gsxZlmmIWmhTxbkNAjfLS7xmSpB+KgsFB+0WX1WQddhGyRuD4gi+8SPMmR3WKg+D\n" + ++ "IBVYJ4Iu+uIiwkmxuQGBap1tnUB3aHZOISpthECFTnaZfILz87cCWdQmARuO361T\n" + ++ "BtGuGN3isjrL14g4jqxbKbkZ05j5GAPPSIKGZgsbaQ/J6ziIeiYaBUyS1yTUlvKs\n" + ++ 
"Ui2jR9VS9j/+zoQGcKaqPqLytlY0GFei5IFt58rwatPHkWsCg0F8Fe9rmmRe49A8\n" + ++ "5bHre12G+8vmd0nNo2Xc97mcuOQLX5PPzDAaMhzOHGOVpfnq4XSLnukrqTB7oBgf\n" + ++ "DhgL5Vup09FsHgdnj5FLqYq80maqkwGIspH6MVzVpsFSCAnNCmOi0yKm6KHZOQaX\n" + ++ "9W6NApCMFHs/gM0bnLrEWHIjr7ZWn8Z6QjMpBz+CyeYfBQ3NTCg2i9PIPhzGiO9e\n" + ++ "7olk6R3r2ol+MqZp0d3MiJ/R0MlmIdwGZ8WUepptYkx9zOBkgLKeR46jAgMBAAGj\n" + ++ "ggEmMIIBIjASBgNVHRMBAf8ECDAGAQH/AgEBMCcGA1UdJQQgMB4GCCsGAQUFBwMB\n" + ++ "BggrBgEFBQcDAgYIKwYBBQUHAwQwEQYDVR0gBAowCDAGBgRVHSAAMDMGCCsGAQUF\n" + ++ "BwEBBCcwJTAjBggrBgEFBQcwAYYXaHR0cDovL29jc3AuZW50cnVzdC5uZXQwMwYD\n" + ++ "VR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5lbnRydXN0Lm5ldC9zZXJ2ZXIxLmNy\n" + ++ "bDAdBgNVHQ4EFgQUiGi/4I41xDs4a2L3KDuEgcgM100wCwYDVR0PBAQDAgEGMB8G\n" + ++ "A1UdIwQYMBaAFPAXYhNVPbP/CgBr+1CEl/PtYtAaMBkGCSqGSIb2fQdBAAQMMAob\n" + ++ "BFY3LjEDAgCBMA0GCSqGSIb3DQEBBQUAA4GBAEa6RcDNcEIGUlkDJUY/pWTds4zh\n" + ++ "xbVkp3wSmpwPFhx5fxTyF4HD2L60jl3aqjTB7gPpsL2Pk5QZlNsi3t4UkCV70UOd\n" + ++ "ueJRN3o/LOtk4+bjXY2lC0qTHbN80VMLqPjmaf9ghSA9hwhskdtMgRsgfd90q5QP\n" + ++ "ZFdYf+hthc3m6IcJ\n" + ++ "-----END CERTIFICATE-----"); ++ ++ // ++ // Compromised DigiNotar PKIoverheid CA Organisatie - G2 ++ // ++ ++ // DigiNotar intermediate, cross-signed by the Dutch government ++ // ++ // Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2, ++ // O=DigiNotar B.V., ++ // C=NL ++ // Issuer: CN=Staat der Nederlanden Organisatie CA - G2, ++ // O=Staat der Nederlanden, ++ // C=NL ++ // Serial: 20001983 (01:31:34:bf) ++ add("diginotar-pkioverheid-organisatie-cross-to-nederlanden-013134BF", ++ "-----BEGIN CERTIFICATE-----\n" + ++ "MIIGnDCCBISgAwIBAgIEATE0vzANBgkqhkiG9w0BAQsFADBhMQswCQYDVQQGEwJO\n" + ++ "TDEeMBwGA1UECgwVU3RhYXQgZGVyIE5lZGVybGFuZGVuMTIwMAYDVQQDDClTdGFh\n" + ++ "dCBkZXIgTmVkZXJsYW5kZW4gT3JnYW5pc2F0aWUgQ0EgLSBHMjAeFw0xMDA1MTIw\n" + ++ "ODUxMzhaFw0yMDAzMjMwOTUwMDRaMFoxCzAJBgNVBAYTAk5MMRcwFQYDVQQKDA5E\n" + ++ "aWdpTm90YXIgQi5WLjEyMDAGA1UEAwwpRGlnaU5vdGFyIFBLSW92ZXJoZWlkIENB\n" + ++ 
"IE9yZ2FuaXNhdGllIC0gRzIwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC\n" + ++ "AQCxExkPJ+Zs1FWGS9DsiYpFkXisR71HK+T8RetPtCZzWzfTw3/2497Xo/gtaMUI\n" + ++ "PkuU1uSHJTZrhLUYdPMoWHMvm2rPvAQe9t7dr/xLqvXbZmIlASWC3vKXWhBu3V2p\n" + ++ "IrEEqSNzOvhxrR3PhETrR9Gvbch8KKvH8jd6dF9fxQIUiqNa4xtsAeNdjtlo1vQJ\n" + ++ "GzLckbUs9SDrjANtJkm4k8SFXdjSm69WaswFM8ygQp40VUSca6DUEtArVM23iQ3l\n" + ++ "9uvo+4UBM096a/GdcjOWDveyhKWlJ8Qn8VFzKXe6Z27+TNy04qGhgS85SY1DOBPO\n" + ++ "0KVcwoc6AGdlQiPxNlkKHaNRyLyjlCox3+M88p0aPASw77EKMBNzttfzo0wBdRSF\n" + ++ "eMDXijlYhVD6LubFvs+LP6+PNtQlCS3SD6xyk/K/i9RQs/kVUJuZ9RTZ+4uRozIm\n" + ++ "JqD43ztggYaDeVsr6xM9KTrBbd29no6H1kquNJcF7hSm9tw4fkrpJFQHPZdoN0Zr\n" + ++ "DceoIa8TVOQJavFNRgrJXfubT73e+7dUy7g4nKc5+2otwHuNq6WnV+xKkoozxeEg\n" + ++ "XHPYkJIrgNUPhhhpfDlPhIa890xb89W0yqDC8DciynlSH1PmqvOQsDvd8ij9rOvF\n" + ++ "BiSgydQvD1j9tZ7sD8+yWdCiBHo4aq5y+73wJWKUCacFCwIDAQABo4IBYTCCAV0w\n" + ++ "SAYDVR0gBEEwPzA9BgRVHSAAMDUwMwYIKwYBBQUHAgEWJ2h0dHA6Ly93d3cuZGln\n" + ++ "aW5vdGFyLm5sL2Nwcy9wa2lvdmVyaGVpZDAPBgNVHRMBAf8EBTADAQH/MA4GA1Ud\n" + ++ "DwEB/wQEAwIBBjCBhQYDVR0jBH4wfIAUORCLSZJc22ESIM1JnRqO2pxnQLmhXqRc\n" + ++ "MFoxCzAJBgNVBAYTAk5MMR4wHAYDVQQKDBVTdGFhdCBkZXIgTmVkZXJsYW5kZW4x\n" + ++ "KzApBgNVBAMMIlN0YWF0IGRlciBOZWRlcmxhbmRlbiBSb290IENBIC0gRzKCBACY\n" + ++ "lvQwSQYDVR0fBEIwQDA+oDygOoY4aHR0cDovL2NybC5wa2lvdmVyaGVpZC5ubC9E\n" + ++ "b21PcmdhbmlzYXRpZUxhdGVzdENSTC1HMi5jcmwwHQYDVR0OBBYEFLxdlDvZq3sD\n" + ++ "JXNhwtst7vyrj2WhMA0GCSqGSIb3DQEBCwUAA4ICAQCP/C1Mt9kt1R+978v0t2gX\n" + ++ "dZ1O1ffdnPEqJu2forYcA9VTs+wIzzTi48P0tRYvyMO+19NzqwA2+RpKftZj6V5G\n" + ++ "uqW2jhW3oyrYQx3vXcgfgYWzi/f/PPTZ9EYIP5y8HaDZqEzNJVJOCrEg9x/pQ9lU\n" + ++ "RoETmsBedGwqmDLq/He7DaWiMZgifnx859qkrey3LhoZcfhIUNpDjyyE3cFAJ+O1\n" + ++ "8BVOltT4XOOGKUYr1zsH6zh/yIZXl9PvKjPEF1DVZGlrK2tFXl0vF8paTs/D1zk8\n" + ++ "9TufRrmb5w5Jl53W1eMbD+qPAU6aE5RZCgIHSEsaYKt/T+0L2FUNaG9VnGllFULs\n" + ++ "wNzdbKzDFs4LHVabpMTE0i7gD+JEJytQaaTcYuiKISlCbMwAOpZ2m+9AwKRed4Qy\n" + ++ "bCYqOWauXeO5ubIsaB8empADOfCqs6TMSYsYNOk3yXspx4R8b0QVL+xhWQTJRcui\n" + ++ 
"1lKifH8pktZKxYtCqNT+6tjHhyMY5J16fXNAUpigrm7jBT8FD+Clxm1N7YM3iJzH\n" + ++ "89xCmmq21yFJNnfy7xhPxXDZnunetyuL9Lx+KN8NQMmFXK6dxTH/0FwOtah+8Okv\n" + ++ "uq+IruW10Vilr5xxpykBkINpN4IFuvwJwQhujHg7wzMCgD9EhQgd31VWCK0shS1d\n" + ++ "sQPhrqp0xaTzTro3mHuCuQ==\n" + ++ "-----END CERTIFICATE-----"); ++ ++ // ++ // Compromised DigiNotar PKIoverheid CA Overheid en Bedrijven ++ // ++ ++ // DigiNotar intermediate, cross-signed by the Dutch government ++ // ++ // Subject: CN=DigiNotar PKIoverheid CA Overheid en Bedrijven, ++ // O=DigiNotar B.V., ++ // C=NL ++ // Issuer: CN=Staat der Nederlanden Overheid CA ++ // O=Staat der Nederlanden, ++ // C=NL ++ // Serial: 20015536 (01:31:69:b0) ++ add("diginotar-pkioverheid-overheid-enb-cross-to-nederlanden-013169B0", ++ "-----BEGIN CERTIFICATE-----\n" + ++ "MIIEiDCCA3CgAwIBAgIEATFpsDANBgkqhkiG9w0BAQUFADBZMQswCQYDVQQGEwJO\n" + ++ "TDEeMBwGA1UEChMVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSowKAYDVQQDEyFTdGFh\n" + ++ "dCBkZXIgTmVkZXJsYW5kZW4gT3ZlcmhlaWQgQ0EwHhcNMDcwNzA1MDg0MjA3WhcN\n" + ++ "MTUwNzI3MDgzOTQ2WjBfMQswCQYDVQQGEwJOTDEXMBUGA1UEChMORGlnaU5vdGFy\n" + ++ "IEIuVi4xNzA1BgNVBAMTLkRpZ2lOb3RhciBQS0lvdmVyaGVpZCBDQSBPdmVyaGVp\n" + ++ "ZCBlbiBCZWRyaWp2ZW4wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDc\n" + ++ "vdKnTmoKuzuiheF/AK2+tDBomAfNoHrElM9x+Yo35FPrV3bMi+Zs/u6HVcg+uwQ5\n" + ++ "AKeAeKxbT370vbhUuHE7BzFJOZNUfCA7eSuPu2GQfbGs5h+QLp1FAalkLU3DL7nn\n" + ++ "UNVOKlyrdnY3Rtd57EKZ96LspIlw3Dgrh6aqJOadkiQbvvb91C8ZF3rmMgeUVAVT\n" + ++ "Q+lsvK9Hy7zL/b07RBKB8WtLu+20z6slTxjSzAL8o0+1QjPLWc0J3NNQ/aB2jKx+\n" + ++ "ZopC9q0ckvO2+xRG603XLzDgbe5bNr5EdLcgBVeFTegAGaL2DOauocBC36esgl3H\n" + ++ "aLcY5olLmmv6znn58yynAgMBAAGjggFQMIIBTDBIBgNVHSAEQTA/MD0GBFUdIAAw\n" + ++ "NTAzBggrBgEFBQcCARYnaHR0cDovL3d3dy5kaWdpbm90YXIubmwvY3BzL3BraW92\n" + ++ "ZXJoZWlkMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMIGABgNVHSME\n" + ++ "eTB3gBQLhtYPd6NosftkCcOIblwEHFfpPaFZpFcwVTELMAkGA1UEBhMCTkwxHjAc\n" + ++ "BgNVBAoTFVN0YWF0IGRlciBOZWRlcmxhbmRlbjEmMCQGA1UEAxMdU3RhYXQgZGVy\n" + ++ 
"IE5lZGVybGFuZGVuIFJvb3QgQ0GCBACYmnkwPQYDVR0fBDYwNDAyoDCgLoYsaHR0\n" + ++ "cDovL2NybC5wa2lvdmVyaGVpZC5ubC9Eb21PdkxhdGVzdENSTC5jcmwwHQYDVR0O\n" + ++ "BBYEFEwIyY128ZjHPt881y91DbF2eZfMMA0GCSqGSIb3DQEBBQUAA4IBAQAMlIca\n" + ++ "v03jheLu19hjeQ5Q38aEW9K72fUxCho1l3TfFPoqDz7toOMI9tVOW6+mriXiRWsi\n" + ++ "D7dUKH6S3o0UbNEc5W50BJy37zRERd/Jgx0ZH8Apad+J1T/CsFNt5U4X5HNhIxMm\n" + ++ "cUP9TFnLw98iqiEr2b+VERqKpOKrp11Lbyn1UtHk0hWxi/7wA8+nfemZhzizDXMU\n" + ++ "5HIs4c71rQZIZPrTKbmi2Lv01QulQERDjqC/zlqlUkxk0xcxYczopIro5Ij76eUv\n" + ++ "BjMzm5RmZrGrUDqhCYF0U1onuabSJc/Tw6f/ltAv6uAejVLpGBwgCkegllYOQJBR\n" + ++ "RKwa/fHuhR/3Qlpl\n" + ++ "-----END CERTIFICATE-----"); ++ ++ // ++ // Compromised DigiNotar PKIoverheid CA Overheid ++ // ++ ++ // DigiNotar intermediate, cross-signed by the Dutch government ++ // ++ // Subject: CN=DigiNotar PKIoverheid CA Overheid ++ // O=DigiNotar B.V., ++ // C=NL ++ // Issuer: CN=Staat der Nederlanden Overheid CA ++ // O=Staat der Nederlanden, ++ // C=NL ++ // Serial: 20006006 (01:31:44:76) ++ add("diginotar-pkioverheid-overheid-cross-to-nederlanden-01314476", ++ "-----BEGIN CERTIFICATE-----\n" + ++ "MIIEezCCA2OgAwIBAgIEATFEdjANBgkqhkiG9w0BAQUFADBZMQswCQYDVQQGEwJO\n" + ++ "TDEeMBwGA1UEChMVU3RhYXQgZGVyIE5lZGVybGFuZGVuMSowKAYDVQQDEyFTdGFh\n" + ++ "dCBkZXIgTmVkZXJsYW5kZW4gT3ZlcmhlaWQgQ0EwHhcNMDQwNjI0MDgxOTMyWhcN\n" + ++ "MTAwNjIzMDgxNzM2WjBSMQswCQYDVQQGEwJOTDEXMBUGA1UEChMORGlnaU5vdGFy\n" + ++ "IEIuVi4xKjAoBgNVBAMTIURpZ2lOb3RhciBQS0lvdmVyaGVpZCBDQSBPdmVyaGVp\n" + ++ "ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANSlrubta5tlOjVCi/gb\n" + ++ "yLCvRqfBjxG8H594VcKHu0WAYc99SPZF9cycj5mw2GyfQvy/WIrGrL4iyNq1gSqR\n" + ++ "0QA/mTXKZIaPqzpDhdm+VvrKkmjrbZfaQxgMSs3ChtBsjcP9Lc0X1zXZ4Q8nBe3k\n" + ++ "BTp+zehINfmbjoEgXLxsMR5RQ6GxzKjuC04PQpbJQgTIakglKaqYcDDZbEscWgPV\n" + ++ "Hgj/2aoHlj6leW/ThHZ+O41jUguEmBLZA3mu3HrCfrHntb5dPt0ihzSx7GtD/SaX\n" + ++ "5HBLxnP189YuqMk5iRA95CtiSdKauvon/xRKRLNgG6XAz0ctSoY7xLDdiBVU5kJd\n" + ++ 
"FScCAwEAAaOCAVAwggFMMEgGA1UdIARBMD8wPQYEVR0gADA1MDMGCCsGAQUFBwIB\n" + ++ "FidodHRwOi8vd3d3LmRpZ2lub3Rhci5ubC9jcHMvcGtpb3ZlcmhlaWQwDwYDVR0T\n" + ++ "AQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwgYAGA1UdIwR5MHeAFAuG1g93o2ix\n" + ++ "+2QJw4huXAQcV+k9oVmkVzBVMQswCQYDVQQGEwJOTDEeMBwGA1UEChMVU3RhYXQg\n" + ++ "ZGVyIE5lZGVybGFuZGVuMSYwJAYDVQQDEx1TdGFhdCBkZXIgTmVkZXJsYW5kZW4g\n" + ++ "Um9vdCBDQYIEAJiaeTA9BgNVHR8ENjA0MDKgMKAuhixodHRwOi8vY3JsLnBraW92\n" + ++ "ZXJoZWlkLm5sL0RvbU92TGF0ZXN0Q1JMLmNybDAdBgNVHQ4EFgQUvRaYQh2+kdE9\n" + ++ "wpcl4CjXWOC1f+IwDQYJKoZIhvcNAQEFBQADggEBAGhQsCWLiaN2EOhPAW+JQP6o\n" + ++ "XBOrLv5w6joahzBFVn1BiefzmlMKjibqKYxURRvMAsMkh82/MfL8V0w6ugxl81lu\n" + ++ "i42dcxl9cKSVXKMw4bbBzJ2VQI5HTIABwefeNuy/eX6idVwYdt3ajAH7fUA8Q9Cq\n" + ++ "vr6H8B+8mwoEqTVTEVlCSsC/EXsokYEUr06PPzRudKjDmijgj7zFaIioZNc8hk7g\n" + ++ "ufEgrs/tmcNGylrwRHgCXjCRBt2NHlZ08l7A1AGU8HcHlSbG9Un/2q9kVHUkps0D\n" + ++ "gtUaEK+x6jpAu/R8Ojezu/+ZEcwwjI/KOhG+84+ejFmtyEkrUdsAdEdLf/2dKsw=\n" + ++ "-----END CERTIFICATE-----"); ++ ++ // ++ // Compromised DigiNotar Services 1024 CA ++ // ++ ++ // DigiNotar intermediate, cross-signed by the Entrust ++ // ++ // Subject: EMAILADDRESS=info@diginotar.nl, ++ // CN=DigiNotar Services 1024 CA ++ // O=DigiNotar, C=NL ++ // Issuer: CN=Entrust.net Secure Server Certification Authority, ++ // OU=(c) 1999 Entrust.net Limited, ++ // OU=www.entrust.net/CPS incorp. by ref. 
(limits liab.), ++ // O=Entrust.net, ++ // C=US ++ // Serial: 1184640176 (46:9c:2c:b0) ++ add("diginotar-services-1024-ca-cross-to-entrust-469C2CB0", ++ "-----BEGIN CERTIFICATE-----\n" + ++ "MIIDzTCCAzagAwIBAgIERpwssDANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC\n" + ++ "VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u\n" + ++ "ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc\n" + ++ "KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u\n" + ++ "ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw0wNzA3\n" + ++ "MjYxNTU5MDBaFw0xMzA4MjYxNjI5MDBaMGgxCzAJBgNVBAYTAk5MMRIwEAYDVQQK\n" + ++ "EwlEaWdpTm90YXIxIzAhBgNVBAMTGkRpZ2lOb3RhciBTZXJ2aWNlcyAxMDI0IENB\n" + ++ "MSAwHgYJKoZIhvcNAQkBFhFpbmZvQGRpZ2lub3Rhci5ubDCBnzANBgkqhkiG9w0B\n" + ++ "AQEFAAOBjQAwgYkCgYEA2ptNXTz50eKLxsYIIMXZHkjsZlhneWIrQWP0iY1o2q+4\n" + ++ "lDaLGSSkoJPSmQ+yrS01Tc0vauH5mxkrvAQafi09UmTN8T5nD4ku6PJPrqYIoYX+\n" + ++ "oakJ5sarPkP8r3oDkdqmOaZh7phPGKjTs69mgumfvN1y+QYEvRLZGCTnq5NTi1kC\n" + ++ "AwEAAaOCASYwggEiMBIGA1UdEwEB/wQIMAYBAf8CAQAwJwYDVR0lBCAwHgYIKwYB\n" + ++ "BQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDBDARBgNVHSAECjAIMAYGBFUdIAAwMwYI\n" + ++ "KwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdodHRwOi8vb2NzcC5lbnRydXN0Lm5l\n" + ++ "dDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmVudHJ1c3QubmV0L3NlcnZl\n" + ++ "cjEuY3JsMB0GA1UdDgQWBBT+3JRJDG/vXH/G8RKZTxZJrfuCZTALBgNVHQ8EBAMC\n" + ++ "AQYwHwYDVR0jBBgwFoAU8BdiE1U9s/8KAGv7UISX8+1i0BowGQYJKoZIhvZ9B0EA\n" + ++ "BAwwChsEVjcuMQMCAIEwDQYJKoZIhvcNAQEFBQADgYEAY3RqN6k/lpxmyFisCcnv\n" + ++ "9WWUf6MCxDgxvV0jh+zUVrLJsm7kBQb87PX6iHBZ1O7m3bV6oKNgLwIMq94SXa/w\n" + ++ "NUuqikeRGvWFLELHHe+VQ7NeuJWTpdrFKKqtci0xrZlrbP+MISevrZqRK8fdWMNu\n" + ++ "B8WfedLHjFW/TMcnXlEWKz4=\n" + ++ "-----END CERTIFICATE-----"); ++ ++ } ++} +diff --git a/src/share/classes/sun/security/validator/SimpleValidator.java b/src/share/classes/sun/security/validator/SimpleValidator.java +--- openjdk/jdk/src/share/classes/sun/security/validator/SimpleValidator.java ++++ 
openjdk/jdk/src/share/classes/sun/security/validator/SimpleValidator.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2002, 2009, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -41,6 +41,7 @@
+ import sun.security.util.ObjectIdentifier;
+
+ import sun.security.provider.certpath.AlgorithmChecker;
++import sun.security.provider.certpath.UntrustedChecker;
+
+ /**
+ * A simple validator implementation. It is based on code from the JSSE
+@@ -129,11 +130,26 @@
+ if (date == null) {
+ date = new Date();
+ }
++
++ // create distrusted certificates checker
++ UntrustedChecker untrustedChecker = new UntrustedChecker();
++
+ // verify top down, starting at the certificate issued by
+ // the trust anchor
+ for (int i = chain.length - 2; i >= 0; i--) {
+ X509Certificate issuerCert = chain[i + 1];
+ X509Certificate cert = chain[i];
++
++ // check untrusted certificate
++ try {
++ // Untrusted checker does not care about the unresolved
++ // critical extensions.
++ untrustedChecker.check(cert, Collections.<String>emptySet());
++ } catch (CertPathValidatorException cpve) {
++ throw new ValidatorException(
++ "Untrusted certificate: " + cert.getSubjectX500Principal(),
++ ValidatorException.T_UNTRUSTED_CERT, cert, cpve);
++ }
+
+ // check certificate algorithm
+ try {
+diff --git a/src/share/classes/sun/security/validator/ValidatorException.java b/src/share/classes/sun/security/validator/ValidatorException.java
+--- openjdk/jdk/src/share/classes/sun/security/validator/ValidatorException.java
++++ openjdk/jdk/src/share/classes/sun/security/validator/ValidatorException.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2002, 2009, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved.
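Review bot: The trust anchor itself is never handed to `untrustedChecker`, because the new check sits inside the loop that runs from `chain.length - 2` down to 0, so a distrusted certificate that has been installed as a trust anchor still validates here. Checking `chain[chain.length - 1]` once, right after the checker is created, closes that gap (assuming the caller guarantees a non-empty chain, as the existing `chain[i + 1]` indexing suggests). The enclosing method begins and ends outside the hunk, so this is inferred from the loop bound visible in it.
```java
        // create distrusted certificates checker
        UntrustedChecker untrustedChecker = new UntrustedChecker();

        // The loop below starts at chain.length - 2, so the anchor must be
        // checked separately or a distrusted anchor is never rejected.
        X509Certificate anchorCert = chain[chain.length - 1];
        try {
            untrustedChecker.check(anchorCert, Collections.<String>emptySet());
        } catch (CertPathValidatorException cpve) {
            throw new ValidatorException(
                "Untrusted certificate: " + anchorCert.getSubjectX500Principal(),
                ValidatorException.T_UNTRUSTED_CERT, anchorCert, cpve);
        }
        // … unchanged: top-down loop from chain.length - 2 with per-cert check …
```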
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -58,6 +58,9 @@
+ public final static Object T_ALGORITHM_DISABLED =
+ "Certificate signature algorithm disabled";
+
++ public final static Object T_UNTRUSTED_CERT =
++ "Untrusted certificate";
++
+ private Object type;
+ private X509Certificate cert;
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/security/20130219/8006446.patch Fri Feb 15 04:54:48 2013 +0000
@@ -0,0 +1,395 @@ +diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/jmx/mbeanserver/ClassLoaderRepositorySupport.java openjdk/jdk/src/share/classes/com/sun/jmx/mbeanserver/ClassLoaderRepositorySupport.java +--- openjdk.orig/jdk/src/share/classes/com/sun/jmx/mbeanserver/ClassLoaderRepositorySupport.java 2011-11-14 22:11:44.000000000 +0000 ++++ openjdk/jdk/src/share/classes/com/sun/jmx/mbeanserver/ClassLoaderRepositorySupport.java 2013-02-15 03:40:40.511587149 +0000 +@@ -36,6 +36,7 @@ + + import javax.management.ObjectName; + import javax.management.loading.PrivateClassLoader; ++import sun.reflect.misc.ReflectUtil; + + /** + * This class keeps the list of Class Loaders registered in the MBean Server. +@@ -192,6 +193,7 @@ + final ClassLoader without, + final ClassLoader stop) + throws ClassNotFoundException { ++ ReflectUtil.checkPackageAccess(className); + final int size = list.length; + for(int i=0; i<size; i++) { + try { +diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/jmx/mbeanserver/JmxMBeanServer.java openjdk/jdk/src/share/classes/com/sun/jmx/mbeanserver/JmxMBeanServer.java +--- openjdk.orig/jdk/src/share/classes/com/sun/jmx/mbeanserver/JmxMBeanServer.java 2011-11-14 22:11:44.000000000 +0000 ++++ openjdk/jdk/src/share/classes/com/sun/jmx/mbeanserver/JmxMBeanServer.java 2013-02-15 03:40:40.511587149 +0000 +@@ -57,6 +57,7 @@ + import javax.management.RuntimeOperationsException; + import javax.management.MBeanServer; + import javax.management.MBeanServerDelegate; ++import javax.management.MBeanServerPermission; + import javax.management.loading.ClassLoaderRepository; + + import static com.sun.jmx.defaults.JmxProperties.MBEANSERVER_LOGGER; +@@ -1413,6 +1414,8 @@ + // Default is true. + final boolean fairLock = DEFAULT_FAIR_LOCK_POLICY; + ++ checkNewMBeanServerPermission(); ++ + // This constructor happens to disregard the value of the interceptors + // flag - that is, it always uses the default value - false. 
+ // This is admitedly a bug, but we chose not to fix it for now +@@ -1499,4 +1502,11 @@ + } + } + ++ private static void checkNewMBeanServerPermission() { ++ SecurityManager sm = System.getSecurityManager(); ++ if (sm != null) { ++ Permission perm = new MBeanServerPermission("newMBeanServer"); ++ sm.checkPermission(perm); ++ } ++ } + } +diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanInstantiator.java openjdk/jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanInstantiator.java +--- openjdk.orig/jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanInstantiator.java 2011-11-14 22:11:44.000000000 +0000 ++++ openjdk/jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanInstantiator.java 2013-02-15 03:40:40.511587149 +0000 +@@ -32,11 +32,13 @@ + import java.io.ObjectInputStream; + import java.lang.reflect.Constructor; + import java.lang.reflect.InvocationTargetException; ++import java.security.Permission; + import java.util.Map; + import java.util.logging.Level; + + import javax.management.InstanceNotFoundException; + import javax.management.MBeanException; ++import javax.management.MBeanPermission; + import javax.management.NotCompliantMBeanException; + import javax.management.ObjectName; + import javax.management.OperationsException; +@@ -44,7 +46,7 @@ + import javax.management.RuntimeErrorException; + import javax.management.RuntimeMBeanException; + import javax.management.RuntimeOperationsException; +- ++import sun.reflect.misc.ConstructorUtil; + import sun.reflect.misc.ReflectUtil; + + /** +@@ -56,7 +58,6 @@ + * @since 1.5 + */ + public class MBeanInstantiator { +- + private final ModifiableClassLoaderRepository clr; + // private MetaData meta = null; + +@@ -88,6 +89,7 @@ + "Exception occurred during object instantiation"); + } + ++ ReflectUtil.checkPackageAccess(className); + try { + if (clr == null) throw new ClassNotFoundException(className); + theClass = clr.loadClass(className); +@@ -162,6 +164,7 @@ + continue; + } + ++ 
ReflectUtil.checkPackageAccess(signature[i]); + // Ok we do not have a primitive type ! We need to build + // the signature of the method + // +@@ -205,6 +208,9 @@ + */ + public Object instantiate(Class theClass) + throws ReflectionException, MBeanException { ++ ++ checkMBeanPermission(theClass, null, null, "instantiate"); ++ + Object moi = null; + + +@@ -260,6 +266,9 @@ + public Object instantiate(Class theClass, Object params[], + String signature[], ClassLoader loader) + throws ReflectionException, MBeanException { ++ ++ checkMBeanPermission(theClass, null, null, "instantiate"); ++ + // Instantiate the new object + + // ------------------------------ +@@ -408,6 +417,8 @@ + throw new RuntimeOperationsException(new + IllegalArgumentException(), "Null className passed in parameter"); + } ++ ++ ReflectUtil.checkPackageAccess(className); + Class theClass = null; + if (loaderName == null) { + // Load the class using the agent class loader +@@ -620,13 +631,13 @@ + **/ + static Class loadClass(String className, ClassLoader loader) + throws ReflectionException { +- + Class theClass = null; + if (className == null) { + throw new RuntimeOperationsException(new + IllegalArgumentException("The class name cannot be null"), + "Exception occurred during object instantiation"); + } ++ ReflectUtil.checkPackageAccess(className); + try { + if (loader == null) + loader = MBeanInstantiator.class.getClassLoader(); +@@ -677,6 +688,7 @@ + // We need to load the class through the class + // loader of the target object. 
+ // ++ ReflectUtil.checkPackageAccess(signature[i]); + tab[i] = Class.forName(signature[i], false, aLoader); + } + } catch (ClassNotFoundException e) { +@@ -702,7 +714,7 @@ + + private Constructor<?> findConstructor(Class<?> c, Class<?>[] params) { + try { +- return c.getConstructor(params); ++ return ConstructorUtil.getConstructor(c, params); + } catch (Exception e) { + return null; + } +@@ -716,4 +728,18 @@ + char.class, boolean.class}) + primitiveClasses.put(c.getName(), c); + } ++ ++ private static void checkMBeanPermission(Class<?> clazz, ++ String member, ++ ObjectName objectName, ++ String actions) { ++ SecurityManager sm = System.getSecurityManager(); ++ if (clazz != null && sm != null) { ++ Permission perm = new MBeanPermission(clazz.getName(), ++ member, ++ objectName, ++ actions); ++ sm.checkPermission(perm); ++ } ++ } + } +diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanSupport.java openjdk/jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanSupport.java +--- openjdk.orig/jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanSupport.java 2011-11-14 22:11:44.000000000 +0000 ++++ openjdk/jdk/src/share/classes/com/sun/jmx/mbeanserver/MBeanSupport.java 2013-02-15 03:40:40.511587149 +0000 +@@ -38,6 +38,7 @@ + import javax.management.NotCompliantMBeanException; + import javax.management.ObjectName; + import javax.management.ReflectionException; ++import sun.reflect.misc.ReflectUtil; + + /** + * Base class for MBeans. 
There is one instance of this class for +@@ -131,6 +132,7 @@ + " is not an instance of " + mbeanInterface.getName(); + throw new NotCompliantMBeanException(msg); + } ++ ReflectUtil.checkPackageAccess(mbeanInterface); + this.resource = resource; + MBeanIntrospector<M> introspector = getMBeanIntrospector(); + this.perInterface = introspector.getPerInterface(mbeanInterface); +diff -Nru openjdk.orig/jdk/src/share/classes/sun/management/LockDataConverter.java openjdk/jdk/src/share/classes/sun/management/LockDataConverter.java +--- openjdk.orig/jdk/src/share/classes/sun/management/LockDataConverter.java 2011-11-14 22:12:00.000000000 +0000 ++++ openjdk/jdk/src/share/classes/sun/management/LockDataConverter.java 2013-02-15 03:40:40.511587149 +0000 +@@ -27,6 +27,8 @@ + + import java.lang.management.LockInfo; + import java.lang.management.ThreadInfo; ++import java.security.AccessController; ++import java.security.PrivilegedAction; + import javax.management.Attribute; + import javax.management.StandardMBean; + import javax.management.openmbean.CompositeData; +@@ -40,13 +42,13 @@ + private LockInfo lockInfo; + private LockInfo[] lockedSyncs; + +- LockDataConverter() { ++ private LockDataConverter() { + super(LockDataConverterMXBean.class, true); + this.lockInfo = null; + this.lockedSyncs = null; + } + +- LockDataConverter(ThreadInfo ti) { ++ private LockDataConverter(ThreadInfo ti) { + super(LockDataConverterMXBean.class, true); + this.lockInfo = ti.getLockInfo(); + this.lockedSyncs = ti.getLockedSynchronizers(); +@@ -104,8 +106,24 @@ + } + + static CompositeData toLockInfoCompositeData(LockInfo l) { +- LockDataConverter ldc = new LockDataConverter(); ++ LockDataConverter ldc = newLockDataConverter(); + ldc.setLockInfo(l); + return ldc.toLockInfoCompositeData(); + } ++ ++ static LockDataConverter newLockDataConverter() { ++ return AccessController.doPrivileged(new PrivilegedAction<LockDataConverter>() { ++ public LockDataConverter run() { ++ return new LockDataConverter(); ++ 
} ++ }); ++ } ++ ++ static LockDataConverter newLockDataConverter(final ThreadInfo ti) { ++ LockDataConverter result = newLockDataConverter(); ++ result.lockInfo = ti.getLockInfo(); ++ result.lockedSyncs = ti.getLockedSynchronizers(); ++ return result; ++ } + } ++ +diff -Nru openjdk.orig/jdk/src/share/classes/sun/management/ThreadInfoCompositeData.java openjdk/jdk/src/share/classes/sun/management/ThreadInfoCompositeData.java +--- openjdk.orig/jdk/src/share/classes/sun/management/ThreadInfoCompositeData.java 2011-11-14 22:12:01.000000000 +0000 ++++ openjdk/jdk/src/share/classes/sun/management/ThreadInfoCompositeData.java 2013-02-15 03:40:40.511587149 +0000 +@@ -85,7 +85,7 @@ + } + + // Convert MonitorInfo[] and LockInfo[] to CompositeData[] +- LockDataConverter converter = new LockDataConverter(threadInfo); ++ LockDataConverter converter = LockDataConverter.newLockDataConverter(threadInfo); + CompositeData lockInfoData = converter.toLockInfoCompositeData(); + CompositeData[] lockedSyncsData = converter.toLockedSynchronizersCompositeData(); + +@@ -315,7 +315,7 @@ + + // 6.0 new attributes + public LockInfo lockInfo() { +- LockDataConverter converter = new LockDataConverter(); ++ LockDataConverter converter = LockDataConverter.newLockDataConverter(); + CompositeData lockInfoData = (CompositeData) cdata.get(LOCK_INFO); + return converter.toLockInfo(lockInfoData); + } +@@ -336,7 +336,7 @@ + } + + public LockInfo[] lockedSynchronizers() { +- LockDataConverter converter = new LockDataConverter(); ++ LockDataConverter converter = LockDataConverter.newLockDataConverter(); + CompositeData[] lockedSyncsData = + (CompositeData[]) cdata.get(LOCKED_SYNCS); + +diff -Nru openjdk.orig/jdk/src/share/lib/security/java.security openjdk/jdk/src/share/lib/security/java.security +--- openjdk.orig/jdk/src/share/lib/security/java.security 2013-02-15 03:39:56.922892783 +0000 ++++ openjdk/jdk/src/share/lib/security/java.security 2013-02-15 03:40:40.511587149 +0000 +@@ -131,8 +131,7 @@ + 
com.sun.xml.internal.,\ + com.sun.imageio.,\ + com.sun.istack.internal.,\ +- com.sun.jmx.defaults.,\ +- com.sun.jmx.remote.util. ++ com.sun.jmx. + + # + # List of comma-separated packages that start with or equal this string +@@ -148,8 +147,7 @@ + com.sun.xml.internal.,\ + com.sun.imageio.,\ + com.sun.istack.internal.,\ +- com.sun.jmx.defaults.,\ +- com.sun.jmx.remote.util. ++ com.sun.jmx. + + # + # Determines whether this properties file can be appended to +diff -Nru openjdk.orig/jdk/src/share/lib/security/java.security-solaris openjdk/jdk/src/share/lib/security/java.security-solaris +--- openjdk.orig/jdk/src/share/lib/security/java.security-solaris 2013-02-15 03:39:56.902892466 +0000 ++++ openjdk/jdk/src/share/lib/security/java.security-solaris 2013-02-15 03:41:36.996489851 +0000 +@@ -131,6 +131,8 @@ + package.access=sun.,\ + com.sun.xml.internal.,\ + com.sun.imageio. ++ com.sun.istack.internal.,\ ++ com.sun.jmx. + + # + # List of comma-separated packages that start with or equal this string +@@ -145,6 +147,8 @@ + package.definition=sun.,\ + com.sun.xml.internal.,\ + com.sun.imageio. ++ com.sun.istack.internal.,\ ++ com.sun.jmx. + + # + # Determines whether this properties file can be appended to +diff -Nru openjdk.orig/jdk/src/share/lib/security/java.security-windows openjdk/jdk/src/share/lib/security/java.security-windows +--- openjdk.orig/jdk/src/share/lib/security/java.security-windows 2013-02-15 03:39:56.902892466 +0000 ++++ openjdk/jdk/src/share/lib/security/java.security-windows 2013-02-15 03:42:05.304943135 +0000 +@@ -131,6 +131,8 @@ + package.access=sun.,\ + com.sun.xml.internal.,\ + com.sun.imageio. ++ com.sun.istack.internal.,\ ++ com.sun.jmx. + + # + # List of comma-separated packages that start with or equal this string +@@ -145,6 +147,8 @@ + package.definition=sun.,\ + com.sun.xml.internal.,\ + com.sun.imageio. ++ com.sun.istack.internal.,\ ++ com.sun.jmx. 
+ + # + # Determines whether this properties file can be appended to +diff -Nru openjdk.orig/jdk/test/javax/management/remote/mandatory/subjectDelegation/SubjectDelegation2Test.java openjdk/jdk/test/javax/management/remote/mandatory/subjectDelegation/SubjectDelegation2Test.java +--- openjdk.orig/jdk/test/javax/management/remote/mandatory/subjectDelegation/SubjectDelegation2Test.java 2011-11-14 22:12:28.000000000 +0000 ++++ openjdk/jdk/test/javax/management/remote/mandatory/subjectDelegation/SubjectDelegation2Test.java 2013-02-15 03:40:40.511587149 +0000 +@@ -119,9 +119,6 @@ + System.out.println("Create SimpleStandard MBean"); + SimpleStandard s = new SimpleStandard("monitorRole"); + mbs.registerMBean(s, new ObjectName("MBeans:type=SimpleStandard")); +- // Set Security Manager +- // +- System.setSecurityManager(new SecurityManager()); + // Create Properties containing the username/password entries + // + Properties props = new Properties(); +@@ -132,6 +129,9 @@ + HashMap env = new HashMap(); + env.put("jmx.remote.authenticator", + new JMXPluggableAuthenticator(props)); ++ // Set Security Manager ++ // ++ System.setSecurityManager(new SecurityManager()); + // Create an RMI connector server + // + System.out.println("Create an RMI connector server"); +diff -Nru openjdk.orig/jdk/test/javax/management/remote/mandatory/subjectDelegation/SubjectDelegation3Test.java openjdk/jdk/test/javax/management/remote/mandatory/subjectDelegation/SubjectDelegation3Test.java +--- openjdk.orig/jdk/test/javax/management/remote/mandatory/subjectDelegation/SubjectDelegation3Test.java 2011-11-14 22:12:28.000000000 +0000 ++++ openjdk/jdk/test/javax/management/remote/mandatory/subjectDelegation/SubjectDelegation3Test.java 2013-02-15 03:40:40.511587149 +0000 +@@ -120,9 +120,6 @@ + System.out.println("Create SimpleStandard MBean"); + SimpleStandard s = new SimpleStandard("delegate"); + mbs.registerMBean(s, new ObjectName("MBeans:type=SimpleStandard")); +- // Set Security Manager +- // +- 
System.setSecurityManager(new SecurityManager()); + // Create Properties containing the username/password entries + // + Properties props = new Properties(); +@@ -133,6 +130,9 @@ + HashMap env = new HashMap(); + env.put("jmx.remote.authenticator", + new JMXPluggableAuthenticator(props)); ++ // Set Security Manager ++ // ++ System.setSecurityManager(new SecurityManager()); + // Create an RMI connector server + // + System.out.println("Create an RMI connector server");
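Review bot: The `package.access` and `package.definition` additions for java.security-solaris and java.security-windows do not take effect as written: the context line before them, `com.sun.imageio.`, carries no trailing `,\` continuation (the linux java.security hunk shows `com.sun.imageio.,\`), so `com.sun.istack.internal.,\` and `com.sun.jmx.` are read by the properties parser as a separate key rather than appended to the list, and `com.sun.jmx.` remains reachable under a security manager on those two platforms. Each of the four hunks needs the context line turned into a change, `- com.sun.imageio.` followed by `+ com.sun.imageio.,\`, ahead of the two added entries. Separately, `LockDataConverter(ThreadInfo)` is now private and unreferenced, since `newLockDataConverter(ThreadInfo)` goes through the no-arg factory and assigns the fields itself; either drop that constructor or call it inside the doPrivileged block so the class does not keep a dead privileged path.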
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/security/20130219/8006777.patch Fri Feb 15 04:54:48 2013 +0000
@@ -0,0 +1,1019 @@ +diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/ssl/CipherBox.java openjdk/jdk/src/share/classes/sun/security/ssl/CipherBox.java +--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/CipherBox.java 2011-11-14 22:12:06.000000000 +0000 ++++ openjdk/jdk/src/share/classes/sun/security/ssl/CipherBox.java 2013-02-15 03:43:47.934589522 +0000 +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -244,7 +244,8 @@ + * Decrypts a block of data, returning the size of the + * resulting block if padding was required. + */ +- int decrypt(byte[] buf, int offset, int len) throws BadPaddingException { ++ int decrypt(byte[] buf, int offset, int len, ++ int tagLen) throws BadPaddingException { + if (cipher == null) { + return len; + } +@@ -268,8 +269,8 @@ + } catch (IOException e) { } + } + if (blockSize != 0) { +- newLen = removePadding(buf, offset, newLen, +- blockSize, protocolVersion); ++ newLen = removePadding( ++ buf, offset, newLen, tagLen, blockSize, protocolVersion); + } + return newLen; + } catch (ShortBufferException e) { +@@ -285,7 +286,7 @@ + * limit and new limit may be different, given we may + * have stripped off some padding bytes. 
+ */ +- int decrypt(ByteBuffer bb) throws BadPaddingException { ++ int decrypt(ByteBuffer bb, int tagLen) throws BadPaddingException { + + int len = bb.remaining(); + +@@ -309,7 +310,6 @@ + } + + if (debug != null && Debug.isOn("plaintext")) { +- bb.position(pos); + try { + HexDumpEncoder hd = new HexDumpEncoder(); + +@@ -317,7 +317,8 @@ + "Padded plaintext after DECRYPTION: len = " + + newLen); + +- hd.encodeBuffer(bb, System.out); ++ hd.encodeBuffer( ++ (ByteBuffer)bb.duplicate().position(pos), System.out); + } catch (IOException e) { } + } + +@@ -326,7 +327,8 @@ + */ + if (blockSize != 0) { + bb.position(pos); +- newLen = removePadding(bb, blockSize, protocolVersion); ++ newLen = removePadding( ++ bb, tagLen, blockSize, protocolVersion); + } + return newLen; + } catch (ShortBufferException e) { +@@ -400,6 +402,65 @@ + return newlen; + } + ++ /* ++ * A constant-time check of the padding. ++ * ++ * NOTE that we are checking both the padding and the padLen bytes here. ++ * ++ * The caller MUST ensure that the len parameter is a positive number. ++ */ ++ private static int[] checkPadding( ++ byte[] buf, int offset, int len, byte pad) { ++ ++ if (len <= 0) { ++ throw new RuntimeException("padding len must be positive"); ++ } ++ ++ // An array of hits is used to prevent Hotspot optimization for ++ // the purpose of a constant-time check ++ int[] results = {0, 0}; // {missed #, matched #} ++ for (int i = 0; i <= 256;) { ++ for (int j = 0; j < len && i <= 256; j++, i++) { // j <= i ++ if (buf[offset + j] != pad) { ++ results[0]++; // mismatched padding data ++ } else { ++ results[1]++; // matched padding data ++ } ++ } ++ } ++ ++ return results; ++ } ++ ++ /* ++ * A constant-time check of the padding. ++ * ++ * NOTE that we are checking both the padding and the padLen bytes here. ++ * ++ * The caller MUST ensure that the bb parameter has remaining. 
++ */ ++ private static int[] checkPadding(ByteBuffer bb, byte pad) { ++ ++ if (!bb.hasRemaining()) { ++ throw new RuntimeException("hasRemaining() must be positive"); ++ } ++ ++ // An array of hits is used to prevent Hotspot optimization for ++ // the purpose of a constant-time check. ++ int[] results = {0, 0}; // {missed #, matched #} ++ bb.mark(); ++ for (int i = 0; i <= 256; bb.reset()) { ++ for (; bb.hasRemaining() && i <= 256; i++) { ++ if (bb.get() != pad) { ++ results[0]++; // mismatched padding data ++ } else { ++ results[1]++; // matched padding data ++ } ++ } ++ } ++ ++ return results; ++ } + + /* + * Typical TLS padding format for a 64 bit block cipher is as follows: +@@ -412,86 +473,95 @@ + * as it makes the data a multiple of the block size + */ + private static int removePadding(byte[] buf, int offset, int len, +- int blockSize, ProtocolVersion protocolVersion) +- throws BadPaddingException { ++ int tagLen, int blockSize, ++ ProtocolVersion protocolVersion) throws BadPaddingException { ++ + // last byte is length byte (i.e. actual padding length - 1) + int padOffset = offset + len - 1; +- int pad = buf[padOffset] & 0x0ff; +- +- int newlen = len - (pad + 1); +- if (newlen < 0) { +- throw new BadPaddingException("Padding length invalid: " + pad); +- } ++ int padLen = buf[padOffset] & 0xFF; + ++ int newLen = len - (padLen + 1); ++ if ((newLen - tagLen) < 0) { ++ // If the buffer is not long enough to contain the padding plus ++ // a MAC tag, do a dummy constant-time padding check. ++ // ++ // Note that it is a dummy check, so we won't care about what is ++ // the actual padding data. ++ checkPadding(buf, offset, len, (byte)(padLen & 0xFF)); ++ ++ throw new BadPaddingException("Invalid Padding length: " + padLen); ++ } ++ ++ // The padding data should be filled with the padding length value. 
++ int[] results = checkPadding(buf, offset + newLen, ++ padLen + 1, (byte)(padLen & 0xFF)); + if (protocolVersion.v >= ProtocolVersion.TLS10.v) { +- for (int i = 1; i <= pad; i++) { +- int val = buf[padOffset - i] & 0xff; +- if (val != pad) { +- throw new BadPaddingException +- ("Invalid TLS padding: " + val); +- } ++ if (results[0] != 0) { // padding data has invalid bytes ++ throw new BadPaddingException("Invalid TLS padding data"); + } + } else { // SSLv3 + // SSLv3 requires 0 <= length byte < block size + // some implementations do 1 <= length byte <= block size, + // so accept that as well + // v3 does not require any particular value for the other bytes +- if (pad > blockSize) { +- throw new BadPaddingException("Invalid SSLv3 padding: " + pad); ++ if (padLen > blockSize) { ++ throw new BadPaddingException("Invalid SSLv3 padding"); + } + } +- return newlen; ++ return newLen; + } + + /* + * Position/limit is equal the removed padding. + */ + private static int removePadding(ByteBuffer bb, +- int blockSize, ProtocolVersion protocolVersion) +- throws BadPaddingException { ++ int tagLen, int blockSize, ++ ProtocolVersion protocolVersion) throws BadPaddingException { + + int len = bb.remaining(); + int offset = bb.position(); + + // last byte is length byte (i.e. actual padding length - 1) + int padOffset = offset + len - 1; +- int pad = bb.get(padOffset) & 0x0ff; +- +- int newlen = len - (pad + 1); +- if (newlen < 0) { +- throw new BadPaddingException("Padding length invalid: " + pad); +- } ++ int padLen = bb.get(padOffset) & 0xFF; + +- /* +- * We could zero the padding area, but not much useful +- * information there. +- */ ++ int newLen = len - (padLen + 1); ++ if ((newLen - tagLen) < 0) { ++ // If the buffer is not long enough to contain the padding plus ++ // a MAC tag, do a dummy constant-time padding check. ++ // ++ // Note that it is a dummy check, so we won't care about what is ++ // the actual padding data. 
++ checkPadding(bb.duplicate(), (byte)(padLen & 0xFF)); ++ ++ throw new BadPaddingException("Invalid Padding length: " + padLen); ++ } ++ ++ // The padding data should be filled with the padding length value. ++ int[] results = checkPadding( ++ (ByteBuffer)bb.duplicate().position(offset + newLen), ++ (byte)(padLen & 0xFF)); + if (protocolVersion.v >= ProtocolVersion.TLS10.v) { +- bb.put(padOffset, (byte)0); // zero the padding. +- for (int i = 1; i <= pad; i++) { +- int val = bb.get(padOffset - i) & 0xff; +- if (val != pad) { +- throw new BadPaddingException +- ("Invalid TLS padding: " + val); +- } ++ if (results[0] != 0) { // padding data has invalid bytes ++ throw new BadPaddingException("Invalid TLS padding data"); + } + } else { // SSLv3 + // SSLv3 requires 0 <= length byte < block size + // some implementations do 1 <= length byte <= block size, + // so accept that as well + // v3 does not require any particular value for the other bytes +- if (pad > blockSize) { +- throw new BadPaddingException("Invalid SSLv3 padding: " + pad); ++ if (padLen > blockSize) { ++ throw new BadPaddingException("Invalid SSLv3 padding"); + } + } + + /* + * Reset buffer limit to remove padding. + */ +- bb.position(offset + newlen); +- bb.limit(offset + newlen); ++ bb.position(offset + newLen); ++ bb.limit(offset + newLen); + +- return newlen; ++ return newLen; + } + + /* +@@ -502,4 +572,40 @@ + boolean isCBCMode() { + return isCBCMode; + } ++ ++ /** ++ * Is the cipher null? ++ * ++ * @return true if the cipher is null, false otherwise. ++ */ ++ boolean isNullCipher() { ++ return cipher == null; ++ } ++ ++ /** ++ * Sanity check the length of a fragment before decryption. ++ * ++ * In CBC mode, check that the fragment length is one or multiple times ++ * of the block size of the cipher suite, and is at least one (one is the ++ * smallest size of padding in CBC mode) bigger than the tag size of the ++ * MAC algorithm. 
++ * ++ * In non-CBC mode, check that the fragment length is not less than the ++ * tag size of the MAC algorithm. ++ * ++ * @return true if the length of a fragment matches above requirements ++ */ ++ boolean sanityCheck(int tagLen, int fragmentLen) { ++ if (!isCBCMode) { ++ return fragmentLen >= tagLen; ++ } ++ ++ if ((fragmentLen % blockSize) == 0) { ++ int minimal = tagLen + 1; ++ minimal = (minimal >= blockSize) ? minimal : blockSize; ++ return (fragmentLen >= minimal); ++ } ++ ++ return false; ++ } + } +diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/ssl/CipherSuite.java openjdk/jdk/src/share/classes/sun/security/ssl/CipherSuite.java +--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/CipherSuite.java 2011-11-14 22:12:06.000000000 +0000 ++++ openjdk/jdk/src/share/classes/sun/security/ssl/CipherSuite.java 2013-02-15 03:43:47.934589522 +0000 +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. 
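Review bot: Both `checkPadding` overloads here, and `compareMacTags` in EngineInputRecord.java further down, fix the number of iterations but still take a data-dependent branch on every byte (`results[0]++` versus `results[1]++`), so a residual timing difference through branch prediction is still possible; the hunk's own comment only claims the counters stop HotSpot from eliding the loop. A branchless form, `mismatch |= (buf[offset + j] ^ pad) & 0xFF;` inside the loop with one `if (mismatch != 0)` test afterwards (and `mismatch |= (bb.get() ^ tag[i]) & 0xFF;` in the MAC comparison), keeps the loop live for the JIT and removes the per-byte branch; the callers only consult `results[0] != 0`, so each needs the matching one-line change. If the `int[]` return is kept for the reason the comment gives, the comment should also say the counts are never consumed, so a later cleanup does not "simplify" the loop with an early return.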
+ * + * This code is free software; you can redistribute it and/or modify it +@@ -451,9 +451,18 @@ + // size of the MAC value (and MAC key) in bytes + final int size; + +- MacAlg(String name, int size) { ++ // block size of the underlying hash algorithm ++ final int hashBlockSize; ++ ++ // minimal padding size of the underlying hash algorithm ++ final int minimalPaddingSize; ++ ++ MacAlg(String name, int size, ++ int hashBlockSize, int minimalPaddingSize) { + this.name = name; + this.size = size; ++ this.hashBlockSize = hashBlockSize; ++ this.minimalPaddingSize = minimalPaddingSize; + } + + /** +@@ -497,9 +506,9 @@ + new BulkCipher(CIPHER_AES, 32, 16, true); + + // MACs +- final static MacAlg M_NULL = new MacAlg("NULL", 0); +- final static MacAlg M_MD5 = new MacAlg("MD5", 16); +- final static MacAlg M_SHA = new MacAlg("SHA", 20); ++ final static MacAlg M_NULL = new MacAlg("NULL", 0, 0, 0); ++ final static MacAlg M_MD5 = new MacAlg("MD5", 16, 64, 9); ++ final static MacAlg M_SHA = new MacAlg("SHA", 20, 64, 9); + + static { + idMap = new HashMap<Integer,CipherSuite>(); +diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/ssl/EngineInputRecord.java openjdk/jdk/src/share/classes/sun/security/ssl/EngineInputRecord.java +--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/EngineInputRecord.java 2011-11-14 22:12:06.000000000 +0000 ++++ openjdk/jdk/src/share/classes/sun/security/ssl/EngineInputRecord.java 2013-02-15 03:43:47.934589522 +0000 +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2003, 2007, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -177,91 +177,169 @@ + } + + /* +- * Verifies and removes the MAC value. Returns true if +- * the MAC checks out OK. ++ * Pass the data down if it's internally cached, otherwise ++ * do it here. 
+ * +- * On entry: +- * position = beginning of app/MAC data +- * limit = end of MAC data. ++ * If internal data, data is decrypted internally. + * +- * On return: +- * position = beginning of app data +- * limit = end of app data ++ * If external data(app), return a new ByteBuffer with data to ++ * process. + */ +- boolean checkMAC(MAC signer, ByteBuffer bb) { ++ ByteBuffer decrypt(MAC signer, ++ CipherBox box, ByteBuffer bb) throws BadPaddingException { ++ + if (internalData) { +- return checkMAC(signer); ++ decrypt(signer, box); // MAC is checked during decryption ++ return tmpBB; + } + +- int len = signer.MAClen(); +- if (len == 0) { // no mac +- return true; ++ BadPaddingException reservedBPE = null; ++ int tagLen = signer.MAClen(); ++ int cipheredLength = bb.remaining(); ++ ++ if (!box.isNullCipher()) { ++ // sanity check length of the ciphertext ++ if (!box.sanityCheck(tagLen, cipheredLength)) { ++ throw new BadPaddingException( ++ "ciphertext sanity check failed"); ++ } ++ ++ try { ++ // Note that the CipherBox.decrypt() does not change ++ // the capacity of the buffer. ++ box.decrypt(bb, tagLen); ++ } catch (BadPaddingException bpe) { ++ // RFC 2246 states that decryption_failed should be used ++ // for this purpose. However, that allows certain attacks, ++ // so we just send bad record MAC. We also need to make ++ // sure to always check the MAC to avoid a timing attack ++ // for the same issue. See paper by Vaudenay et al and the ++ // update in RFC 4346/5246. ++ // ++ // Failover to message authentication code checking. ++ reservedBPE = bpe; ++ } finally { ++ bb.rewind(); ++ } + } + +- /* +- * Grab the original limit +- */ +- int lim = bb.limit(); ++ if (tagLen != 0) { ++ int macOffset = bb.limit() - tagLen; + +- /* +- * Delineate the area to apply a MAC on. 
+- */ +- int macData = lim - len; +- bb.limit(macData); ++ // Note that although it is not necessary, we run the same MAC ++ // computation and comparison on the payload for both stream ++ // cipher and CBC block cipher. ++ if (bb.remaining() < tagLen) { ++ // negative data length, something is wrong ++ if (reservedBPE == null) { ++ reservedBPE = new BadPaddingException("bad record"); ++ } ++ ++ // set offset of the dummy MAC ++ macOffset = cipheredLength - tagLen; ++ bb.limit(cipheredLength); ++ } ++ ++ // Run MAC computation and comparison on the payload. ++ if (checkMacTags(contentType(), bb, signer, false)) { ++ if (reservedBPE == null) { ++ reservedBPE = new BadPaddingException("bad record MAC"); ++ } ++ } ++ ++ // Run MAC computation and comparison on the remainder. ++ // ++ // It is only necessary for CBC block cipher. It is used to get a ++ // constant time of MAC computation and comparison on each record. ++ if (box.isCBCMode()) { ++ int remainingLen = calculateRemainingLen( ++ signer, cipheredLength, macOffset); ++ ++ // NOTE: here we use the InputRecord.buf because I did not find ++ // an effective way to work on ByteBuffer when its capacity is ++ // less than remainingLen. ++ ++ // NOTE: remainingLen may be bigger (less than 1 block of the ++ // hash algorithm of the MAC) than the cipheredLength. However, ++ // We won't need to worry about it because we always use a ++ // maximum buffer for every record. We need a change here if ++ // we use small buffer size in the future. ++ if (remainingLen > buf.length) { ++ // unlikely to happen, just a placehold ++ throw new RuntimeException( ++ "Internal buffer capacity error"); ++ } ++ ++ // Won't need to worry about the result on the remainder. And ++ // then we won't need to worry about what's actual data to ++ // check MAC tag on. We start the check from the header of the ++ // buffer so that we don't need to construct a new byte buffer. 
++ checkMacTags(contentType(), buf, 0, remainingLen, signer, true); ++ } ++ ++ bb.limit(macOffset); ++ } ++ ++ // Is it a failover? ++ if (reservedBPE != null) { ++ throw reservedBPE; ++ } ++ ++ return bb.slice(); ++ } + +- byte[] mac = signer.compute(contentType(), bb); ++ /* ++ * Run MAC computation and comparison ++ * ++ * Please DON'T change the content of the ByteBuffer parameter! ++ */ ++ private static boolean checkMacTags(byte contentType, ByteBuffer bb, ++ MAC signer, boolean isSimulated) { + +- if (len != mac.length) { ++ int tagLen = signer.MAClen(); ++ int lim = bb.limit(); ++ int macData = lim - tagLen; ++ ++ bb.limit(macData); ++ byte[] hash = signer.compute(contentType, bb, isSimulated); ++ if (hash == null || tagLen != hash.length) { ++ // Something is wrong with MAC implementation. + throw new RuntimeException("Internal MAC error"); + } + +- /* +- * Delineate the MAC values, position was already set +- * by doing the compute above. +- * +- * We could zero the MAC area, but not much useful information +- * there anyway. +- */ + bb.position(macData); + bb.limit(lim); +- + try { +- for (int i = 0; i < len; i++) { +- if (bb.get() != mac[i]) { // No BB.equals(byte []); ! +- return false; +- } +- } +- return true; ++ int[] results = compareMacTags(bb, hash); ++ return (results[0] != 0); + } finally { +- /* +- * Position to the data. +- */ + bb.rewind(); + bb.limit(macData); + } + } + + /* +- * Pass the data down if it's internally cached, otherwise +- * do it here. ++ * A constant-time comparison of the MAC tags. + * +- * If internal data, data is decrypted internally. +- * +- * If external data(app), return a new ByteBuffer with data to +- * process. ++ * Please DON'T change the content of the ByteBuffer parameter! 
+ */
+- ByteBuffer decrypt(CipherBox box, ByteBuffer bb)
+- throws BadPaddingException {
++ private static int[] compareMacTags(ByteBuffer bb, byte[] tag) {
+
+- if (internalData) {
+- decrypt(box);
+- return tmpBB;
++ // An array of hits is used to prevent Hotspot optimization for
++ // the purpose of a constant-time check.
++ int[] results = {0, 0}; // {missed #, matched #}
++
++ // The caller ensures there are enough bytes available in the buffer.
++ // So we won't need to check the remaining of the buffer.
++ for (int i = 0; i < tag.length; i++) {
++ if (bb.get() != tag[i]) {
++ results[0]++; // mismatched bytes
++ } else {
++ results[1]++; // matched bytes
++ }
+ }
+
+- box.decrypt(bb);
+- bb.rewind();
+-
+- return bb.slice();
++ return results;
+ }
+
+ /*
+diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/ssl/EngineOutputRecord.java openjdk/jdk/src/share/classes/sun/security/ssl/EngineOutputRecord.java
+--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/EngineOutputRecord.java 2011-11-14 22:12:06.000000000 +0000
++++ openjdk/jdk/src/share/classes/sun/security/ssl/EngineOutputRecord.java 2013-02-15 03:44:15.967039768 +0000
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -120,7 +120,7 @@
+ throws IOException {
+
+ if (signer.MAClen() != 0) {
+- byte[] hash = signer.compute(contentType(), bb);
++ byte[] hash = signer.compute(contentType(), bb, false);
+
+ /*
+ * position was advanced to limit in compute above.
+diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/ssl/InputRecord.java openjdk/jdk/src/share/classes/sun/security/ssl/InputRecord.java
+--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/InputRecord.java 2011-11-14 22:12:06.000000000 +0000
++++ openjdk/jdk/src/share/classes/sun/security/ssl/InputRecord.java 2013-02-15 03:43:47.938589586 +0000
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 1996, 2007, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -135,43 +135,173 @@
+ return handshakeHash;
+ }
+
+- /*
+- * Verify and remove the MAC ... used for all records.
+- */
+- boolean checkMAC(MAC signer) {
+- int len = signer.MAClen();
+- if (len == 0) { // no mac
+- return true;
++ void decrypt(MAC signer, CipherBox box) throws BadPaddingException {
++
++ BadPaddingException reservedBPE = null;
++ int tagLen = signer.MAClen();
++ int cipheredLength = count - headerSize;
++
++ if (!box.isNullCipher()) {
++ // sanity check length of the ciphertext
++ if (!box.sanityCheck(tagLen, cipheredLength)) {
++ throw new BadPaddingException(
++ "ciphertext sanity check failed");
++ }
++
++ try {
++ // Note that the CipherBox.decrypt() does not change
++ // the capacity of the buffer.
++ count = headerSize +
++ box.decrypt(buf, headerSize, cipheredLength, tagLen);
++ } catch (BadPaddingException bpe) {
++ // RFC 2246 states that decryption_failed should be used
++ // for this purpose. However, that allows certain attacks,
++ // so we just send bad record MAC. We also need to make
++ // sure to always check the MAC to avoid a timing attack
++ // for the same issue. See paper by Vaudenay et al and the
++ // update in RFC 4346/5246.
++ //
++ // Failover to message authentication code checking.
++ reservedBPE = bpe;
++ }
+ }
+
+- int offset = count - len;
++ if (tagLen != 0) {
++ int macOffset = count - tagLen;
++ int contentLen = macOffset - headerSize;
++
++ // Note that although it is not necessary, we run the same MAC
++ // computation and comparison on the payload for both stream
++ // cipher and CBC block cipher.
++ if (contentLen < 0) {
++ // negative data length, something is wrong
++ if (reservedBPE == null) {
++ reservedBPE = new BadPaddingException("bad record");
++ }
++
++ // set offset of the dummy MAC
++ macOffset = headerSize + cipheredLength - tagLen;
++ contentLen = macOffset - headerSize;
++ }
+
+- if (offset < headerSize) {
+- // data length would be negative, something is wrong
+- return false;
++ count -= tagLen; // Set the count before any MAC checking
++ // exception occurs, so that the following
++ // process can read the actual decrypted
++ // content (minus the MAC) in the fragment
++ // if necessary.
++
++ // Run MAC computation and comparison on the payload.
++ if (checkMacTags(contentType(),
++ buf, headerSize, contentLen, signer, false)) {
++ if (reservedBPE == null) {
++ reservedBPE = new BadPaddingException("bad record MAC");
++ }
++ }
++
++ // Run MAC computation and comparison on the remainder.
++ //
++ // It is only necessary for CBC block cipher. It is used to get a
++ // constant time of MAC computation and comparison on each record.
++ if (box.isCBCMode()) {
++ int remainingLen = calculateRemainingLen(
++ signer, cipheredLength, contentLen);
++
++ // NOTE: remainingLen may be bigger (less than 1 block of the
++ // hash algorithm of the MAC) than the cipheredLength. However,
++ // We won't need to worry about it because we always use a
++ // maximum buffer for every record. We need a change here if
++ // we use small buffer size in the future.
++ if (remainingLen > buf.length) {
++ // unlikely to happen, just a placehold
++ throw new RuntimeException(
++ "Internal buffer capacity error");
++ }
++
++ // Won't need to worry about the result on the remainder. And
++ // then we won't need to worry about what's actual data to
++ // check MAC tag on. We start the check from the header of the
++ // buffer so that we don't need to construct a new byte buffer.
++ checkMacTags(contentType(), buf, 0, remainingLen, signer, true);
++ }
+ }
+
+- byte[] mac = signer.compute(contentType(), buf,
+- headerSize, offset - headerSize);
++ // Is it a failover?
++ if (reservedBPE != null) {
++ throw reservedBPE;
++ }
++ }
++
++ /*
++ * Run MAC computation and comparison
++ *
++ * Please DON'T change the content of the byte buffer parameter!
++ */
++ static boolean checkMacTags(byte contentType, byte[] buffer,
++ int offset, int contentLen, MAC signer, boolean isSimulated) {
+
+- if (len != mac.length) {
++ int tagLen = signer.MAClen();
++ byte[] hash = signer.compute(
++ contentType, buffer, offset, contentLen, isSimulated);
++ if (hash == null || tagLen != hash.length) {
++ // Something is wrong with MAC implementation.
+ throw new RuntimeException("Internal MAC error");
+ }
+
+- for (int i = 0; i < len; i++) {
+- if (buf[offset + i] != mac[i]) {
+- return false;
++ int[] results = compareMacTags(buffer, offset + contentLen, hash);
++ return (results[0] != 0);
++ }
++
++ /*
++ * A constant-time comparison of the MAC tags.
++ *
++ * Please DON'T change the content of the byte buffer parameter!
++ */
++ private static int[] compareMacTags(
++ byte[] buffer, int offset, byte[] tag) {
++
++ // An array of hits is used to prevent Hotspot optimization for
++ // the purpose of a constant-time check.
++ int[] results = {0, 0}; // {missed #, matched #}
++
++ // The caller ensures there are enough bytes available in the buffer.
++ // So we won't need to check the length of the buffer.
++ for (int i = 0; i < tag.length; i++) {
++ if (buffer[offset + i] != tag[i]) {
++ results[0]++; // mismatched bytes
++ } else {
++ results[1]++; // matched bytes
+ }
+ }
+- count -= len;
+- return true;
+- }
+
+- void decrypt(CipherBox box) throws BadPaddingException {
+- int len = count - headerSize;
+- count = headerSize + box.decrypt(buf, headerSize, len);
++ return results;
+ }
+
++ /*
++ * Calculate the length of a dummy buffer to run MAC computation
++ * and comparison on the remainder.
++ *
++ * The caller MUST ensure that the fullLen is not less than usedLen.
++ */
++ static int calculateRemainingLen(
++ MAC signer, int fullLen, int usedLen) {
++
++ int blockLen = signer.hashBlockLen();
++ int minimalPaddingLen = signer.minimalPaddingLen();
++
++ // (blockLen - minimalPaddingLen) is the maximum message size of
++ // the last block of hash function operation. See FIPS 180-4, or
++ // MD5 specification.
++ fullLen += 13 - (blockLen - minimalPaddingLen);
++ usedLen += 13 - (blockLen - minimalPaddingLen);
++
++ // Note: fullLen is always not less than usedLen, and blockLen
++ // is always bigger than minimalPaddingLen, so we don't worry
++ // about negative values. 0x01 is added to the result to ensure
++ // that the return value is positive. The extra one byte does
++ // not impact the overall MAC compression function evaluations.
++ return 0x01 + (int)(Math.ceil(fullLen/(1.0d * blockLen)) -
++ Math.ceil(usedLen/(1.0d * blockLen))) * signer.hashBlockLen();
++ }
+
+ /*
+ * Well ... hello_request messages are _never_ hashed since we can't
+diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/ssl/MAC.java openjdk/jdk/src/share/classes/sun/security/ssl/MAC.java
+--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/MAC.java 2011-11-14 22:12:06.000000000 +0000
++++ openjdk/jdk/src/share/classes/sun/security/ssl/MAC.java 2013-02-15 03:43:47.938589586 +0000
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 1996, 2007, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -44,7 +44,8 @@
+ * one of several keyed hashes, as associated with the cipher suite and
+ * protocol version. (SSL v3.0 uses one construct, TLS uses another.)
+ *
+- * <P>NOTE: MAC computation is the only place in the SSL protocol that the
++ * <P>
++ * NOTE: MAC computation is the only place in the SSL protocol that the
+ * sequence number is used. It's also reset to zero with each change of
+ * a cipher spec, so this is the only place this state is needed.
+ *
+@@ -129,15 +130,31 @@
+ }
+
+ /**
++ * Returns the hash function block length of the MAC alorithm.
++ */
++ int hashBlockLen() {
++ return macAlg.hashBlockSize;
++ }
++
++ /**
++ * Returns the hash function minimal padding length of the MAC alorithm.
++ */
++ int minimalPaddingLen() {
++ return macAlg.minimalPaddingSize;
++ }
++
++ /**
+ * Computes and returns the MAC for the data in this byte array.
+ *
+ * @param type record type
+ * @param buf compressed record on which the MAC is computed
+ * @param offset start of compressed record data
+ * @param len the size of the compressed record
++ * @param isSimulated if true, simulate the the MAC computation
+ */
+- final byte[] compute(byte type, byte buf[], int offset, int len) {
+- return compute(type, null, buf, offset, len);
++ final byte[] compute(byte type, byte buf[],
++ int offset, int len, boolean isSimulated) {
++ return compute(type, null, buf, offset, len, isSimulated);
+ }
+
+ /**
+@@ -150,9 +167,10 @@
+ * @param type record type
+ * @param bb a ByteBuffer in which the position and limit
+ * demarcate the data to be MAC'd.
++ * @param isSimulated if true, simulate the the MAC computation
+ */
+- final byte[] compute(byte type, ByteBuffer bb) {
+- return compute(type, bb, null, 0, bb.remaining());
++ final byte[] compute(byte type, ByteBuffer bb, boolean isSimulated) {
++ return compute(type, bb, null, 0, bb.remaining(), isSimulated);
+ }
+
+ // increment the sequence number in the block array
+@@ -168,18 +186,22 @@
+ * Compute based on either buffer type, either bb.position/limit
+ * or buf/offset/len.
+ */
+- private byte[] compute(byte type, ByteBuffer bb, byte[] buf, int offset, int len) {
++ private byte[] compute(byte type, ByteBuffer bb, byte[] buf,
++ int offset, int len, boolean isSimulated) {
+
+ if (macSize == 0) {
+ return nullMAC;
+ }
+
+- block[BLOCK_OFFSET_TYPE] = type;
+- block[block.length - 2] = (byte)(len >> 8);
+- block[block.length - 1] = (byte)(len );
++ // MUST NOT increase the sequence number for a simulated computation.
++ if (!isSimulated) {
++ block[BLOCK_OFFSET_TYPE] = type;
++ block[block.length - 2] = (byte)(len >> 8);
++ block[block.length - 1] = (byte)(len );
+
+- mac.update(block);
+- incrementSequenceNumber();
++ mac.update(block);
++ incrementSequenceNumber();
++ }
+
+ // content
+ if (bb != null) {
+diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/ssl/OutputRecord.java openjdk/jdk/src/share/classes/sun/security/ssl/OutputRecord.java
+--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/OutputRecord.java 2011-11-14 22:12:06.000000000 +0000
++++ openjdk/jdk/src/share/classes/sun/security/ssl/OutputRecord.java 2013-02-15 03:44:06.990895579 +0000
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -203,7 +203,7 @@
+ }
+ if (signer.MAClen() != 0) {
+ byte[] hash = signer.compute(contentType, buf,
+- headerSize, count - headerSize);
++ headerSize, count - headerSize, false);
+ write(hash);
+ }
+ }
+diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLEngineImpl.java openjdk/jdk/src/share/classes/sun/security/ssl/SSLEngineImpl.java
+--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLEngineImpl.java 2011-11-14 22:12:06.000000000 +0000
++++ openjdk/jdk/src/share/classes/sun/security/ssl/SSLEngineImpl.java 2013-02-15 03:44:27.031217521 +0000
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -919,34 +919,13 @@
+ * throw a fatal alert if the integrity check fails.
+ */
+ try {
+- decryptedBB = inputRecord.decrypt(readCipher, readBB);
++ decryptedBB = inputRecord.decrypt(readMAC, readCipher, readBB);
+ } catch (BadPaddingException e) {
+- // RFC 2246 states that decryption_failed should be used
+- // for this purpose. However, that allows certain attacks,
+- // so we just send bad record MAC. We also need to make
+- // sure to always check the MAC to avoid a timing attack
+- // for the same issue. See paper by Vaudenay et al.
+- //
+- // rewind the BB if necessary.
+- readBB.rewind();
+-
+- inputRecord.checkMAC(readMAC, readBB);
+-
+- // use the same alert types as for MAC failure below
+ byte alertType = (inputRecord.contentType() ==
+ Record.ct_handshake) ?
+ Alerts.alert_handshake_failure :
+ Alerts.alert_bad_record_mac;
+- fatal(alertType, "Invalid padding", e);
+- }
+-
+- if (!inputRecord.checkMAC(readMAC, decryptedBB)) {
+- if (inputRecord.contentType() == Record.ct_handshake) {
+- fatal(Alerts.alert_handshake_failure,
+- "bad handshake record MAC");
+- } else {
+- fatal(Alerts.alert_bad_record_mac, "bad record MAC");
+- }
++ fatal(alertType, e.getMessage(), e);
+ }
+
+ // if (!inputRecord.decompress(c))
+diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLSocketImpl.java openjdk/jdk/src/share/classes/sun/security/ssl/SSLSocketImpl.java
+--- openjdk.orig/jdk/src/share/classes/sun/security/ssl/SSLSocketImpl.java 2011-11-14 22:12:06.000000000 +0000
++++ openjdk/jdk/src/share/classes/sun/security/ssl/SSLSocketImpl.java 2013-02-15 03:44:36.343367142 +0000
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 1996, 2011, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 1996, 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -889,27 +889,12 @@
+ * throw a fatal alert if the integrity check fails.
+ */
+ try {
+- r.decrypt(readCipher);
++ r.decrypt(readMAC, readCipher);
+ } catch (BadPaddingException e) {
+- // RFC 2246 states that decryption_failed should be used
+- // for this purpose. However, that allows certain attacks,
+- // so we just send bad record MAC. We also need to make
+- // sure to always check the MAC to avoid a timing attack
+- // for the same issue. See paper by Vaudenay et al.
+- r.checkMAC(readMAC);
+- // use the same alert types as for MAC failure below
+ byte alertType = (r.contentType() == Record.ct_handshake)
+ ? Alerts.alert_handshake_failure
+ : Alerts.alert_bad_record_mac;
+- fatal(alertType, "Invalid padding", e);
+- }
+- if (!r.checkMAC(readMAC)) {
+- if (r.contentType() == Record.ct_handshake) {
+- fatal(Alerts.alert_handshake_failure,
+- "bad handshake record MAC");
+- } else {
+- fatal(Alerts.alert_bad_record_mac, "bad record MAC");
+- }
++ fatal(alertType, e.getMessage(), e);
+ }
+
+ // if (!r.decompress(c))
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/security/20130219/8007688.patch Fri Feb 15 04:54:48 2013 +0000
@@ -0,0 +1,130 @@
+# HG changeset patch
+# User coffeys
+# Date 1360873966 0
+# Node ID 617e68a3948824283f15c36fcd8cf264c1dd0a99
+# Parent 25e83b78298b71abb46eb5a337ed7bddef418ca4
+8007688: Blacklist known bad certificate
+Reviewed-by: mullan
+
+diff --git a/src/share/classes/sun/security/util/UntrustedCertificates.java b/src/share/classes/sun/security/util/UntrustedCertificates.java
+--- openjdk/jdk/src/share/classes/sun/security/util/UntrustedCertificates.java
++++ openjdk/jdk/src/share/classes/sun/security/util/UntrustedCertificates.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.
++ * Copyright (c) 2012, 2013, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+@@ -739,5 +739,111 @@ public final class UntrustedCertificates
+ "B8WfedLHjFW/TMcnXlEWKz4=\n" +
+ "-----END CERTIFICATE-----");
+
++ //
++ // Revoked DigiCert code signing certificates used to sign malware
++ //
++
++ // Subject: CN=Buster Paper Comercial Ltda,
++ // O=Buster Paper Comercial Ltda,
++ // L=S?o Jos? Dos Campos,
++ // ST=S?o Paulo,
++ // C=BR
++ // Issuer: CN=DigiCert Assured ID Code Signing CA-1,
++ // OU=www.digicert.com,
++ // O=DigiCert Inc,
++ // C=US
++ // Serial: 07:b4:4c:db:ff:fb:78:de:05:f4:26:16:72:a6:73:12
++ add("buster-paper-comercial-ltda-72A67312",
++ "-----BEGIN CERTIFICATE-----\n" +
++ "MIIGwzCCBaugAwIBAgIQB7RM2//7eN4F9CYWcqZzEjANBgkqhkiG9w0BAQUFADBv\n" +
++ "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n" +
++ "d3cuZGlnaWNlcnQuY29tMS4wLAYDVQQDEyVEaWdpQ2VydCBBc3N1cmVkIElEIENv\n" +
++ "ZGUgU2lnbmluZyBDQS0xMB4XDTEzMDExNzAwMDAwMFoXDTE0MDEyMjEyMDAwMFow\n" +
++ "gY4xCzAJBgNVBAYTAkJSMRMwEQYDVQQIDApTw6NvIFBhdWxvMR4wHAYDVQQHDBVT\n" +
++ "w6NvIEpvc8OpIERvcyBDYW1wb3MxJDAiBgNVBAoTG0J1c3RlciBQYXBlciBDb21l\n" +
++ "cmNpYWwgTHRkYTEkMCIGA1UEAxMbQnVzdGVyIFBhcGVyIENvbWVyY2lhbCBMdGRh\n" +
++ "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzO0l6jWIpEfO2oUpVHpL\n" +
++ "HETj5lzivNb0S9jKHgGJax917czh81PnGTxwxFXd6gLJuy/XFHvmiSi8g8jzlymn\n" +
++ "2Ji5zQ3CPaz7nomJokSUDlMVJ2qYWtctw4jrdjuI4qtn+koXXUFkWjkf8h8251I4\n" +
++ "tUs7S49HE2Go5owCYP3byajj7fsFAYR/Xb7TdVtndkZsUB/YgOjHovyACjouaNCi\n" +
++ "mDiRyQ6zLLjZGiyeD65Yiseuhp5b8/BL5h1p7w76QYMYMVQNAdtDKut2R8MBpuWf\n" +
++ "Ny7Eoi0x/gm1p9X5Rcl5aN7K0G4UtTAJKbkuUfXddsyFoM0Nx8uo8SgNQ8Y/X5Jx\n" +
++ "BwIDAQABo4IDOTCCAzUwHwYDVR0jBBgwFoAUe2jOKarAF75JeuHlP9an90WPNTIw\n" +
++ "HQYDVR0OBBYEFFLZ3n5nt/Eer7n1bvtOqMb1qKO5MA4GA1UdDwEB/wQEAwIHgDAT\n" +
++ "BgNVHSUEDDAKBggrBgEFBQcDAzBzBgNVHR8EbDBqMDOgMaAvhi1odHRwOi8vY3Js\n" +
++ "My5kaWdpY2VydC5jb20vYXNzdXJlZC1jcy0yMDExYS5jcmwwM6AxoC+GLWh0dHA6\n" +
++ "Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9hc3N1cmVkLWNzLTIwMTFhLmNybDCCAcQGA1Ud\n" +
++ "IASCAbswggG3MIIBswYJYIZIAYb9bAMBMIIBpDA6BggrBgEFBQcCARYuaHR0cDov\n" +
++ "L3d3dy5kaWdpY2VydC5jb20vc3NsLWNwcy1yZXBvc2l0b3J5Lmh0bTCCAWQGCCsG\n" +
++ "AQUFBwICMIIBVh6CAVIAQQBuAHkAIAB1AHMAZQAgAG8AZgAgAHQAaABpAHMAIABD\n" +
++ "AGUAcgB0AGkAZgBpAGMAYQB0AGUAIABjAG8AbgBzAHQAaQB0AHUAdABlAHMAIABh\n" +
++ "AGMAYwBlAHAAdABhAG4AYwBlACAAbwBmACAAdABoAGUAIABEAGkAZwBpAEMAZQBy\n" +
++ "AHQAIABDAFAALwBDAFAAUwAgAGEAbgBkACAAdABoAGUAIABSAGUAbAB5AGkAbgBn\n" +
++ "ACAAUABhAHIAdAB5ACAAQQBnAHIAZQBlAG0AZQBuAHQAIAB3AGgAaQBjAGgAIABs\n" +
++ "AGkAbQBpAHQAIABsAGkAYQBiAGkAbABpAHQAeQAgAGEAbgBkACAAYQByAGUAIABp\n" +
++ "AG4AYwBvAHIAcABvAHIAYQB0AGUAZAAgAGgAZQByAGUAaQBuACAAYgB5ACAAcgBl\n" +
++ "AGYAZQByAGUAbgBjAGUALjCBggYIKwYBBQUHAQEEdjB0MCQGCCsGAQUFBzABhhho\n" +
++ "dHRwOi8vb2NzcC5kaWdpY2VydC5jb20wTAYIKwYBBQUHMAKGQGh0dHA6Ly9jYWNl\n" +
++ "cnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEFzc3VyZWRJRENvZGVTaWduaW5nQ0Et\n" +
++ "MS5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQUFAAOCAQEAPTTQvpOIikXI\n" +
++ "hTLnNbajaFRR5GhQpTzUNgBfF9VYSlNw/wMjpGsrh5RxaJCip52jbehmTgjMRhft\n" +
++ "jRYyml44PAVsCcR9uEoDpCZYpI1fHI1R+F8jd1C9rqprbSwwOG4xlg4SmvTHYs6e\n" +
++ "gBItQ/1p9XY+Sf4Wv1qOuOFL1qvV/5VyR2zdlOQCmKCeMgxt6a/tHLBDiAA67D44\n" +
++ "/vfdoNJl0CU2It0PO60jdCPFNWIRcxL+OSDqAoePeUC7xQ+JsTEIxuUE8+d6w6fc\n" +
++ "BV2mYb1flh22t46GLjh4gyo7xw3aL6L0L0jzlTT6IcEw6NIbaPbIKj/npQnHobYj\n" +
++ "XMuKLxbh7g==\n" +
++ "-----END CERTIFICATE-----");
++
++ // Subject: CN=BUSTER ASSISTENCIA TECNICA ELETRONICA LTDA - ME,
++ // O=BUSTER ASSISTENCIA TECNICA ELETRONICA LTDA - ME,
++ // L=S?o Paulo,
++ // ST=S?o Paulo,
++ // C=BR
++ // Issuer: CN=DigiCert Assured ID Code Signing CA-1,
++ // OU=www.digicert.com,
++ // O=DigiCert Inc,
++ // C=US
++ // Serial: 0a:38:9b:95:ee:73:6d:d1:3b:c0:ed:74:3f:d7:4d:2f
++ add("buster-assistencia-tecnica-electronica-ltda-3FD74D2F",
++ "-----BEGIN CERTIFICATE-----\n" +
++ "MIIG4DCCBcigAwIBAgIQCjible5zbdE7wO10P9dNLzANBgkqhkiG9w0BAQUFADBv\n" +
++ "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n" +
++ "d3cuZGlnaWNlcnQuY29tMS4wLAYDVQQDEyVEaWdpQ2VydCBBc3N1cmVkIElEIENv\n" +
++ "ZGUgU2lnbmluZyBDQS0xMB4XDTEyMTEwOTAwMDAwMFoXDTEzMTExNDEyMDAwMFow\n" +
++ "gasxCzAJBgNVBAYTAkJSMRMwEQYDVQQIDApTw6NvIFBhdWxvMRMwEQYDVQQHDApT\n" +
++ "w6NvIFBhdWxvMTgwNgYDVQQKEy9CVVNURVIgQVNTSVNURU5DSUEgVEVDTklDQSBF\n" +
++ "TEVUUk9OSUNBIExUREEgLSBNRTE4MDYGA1UEAxMvQlVTVEVSIEFTU0lTVEVOQ0lB\n" +
++ "IFRFQ05JQ0EgRUxFVFJPTklDQSBMVERBIC0gTUUwggEiMA0GCSqGSIb3DQEBAQUA\n" +
++ "A4IBDwAwggEKAoIBAQDAqNeEs5/B2CTXGjTOkUIdu6jV6qulOZwdw4sefHWYj1UR\n" +
++ "4z6zPk9kjpUgbnb402RFq88QtfInwddZ/wXn9OxMtDd/3TnC7HrhNS7ga79ZFL2V\n" +
++ "JnmzKHum2Yvh0q82QEJ9tHBR2X9VdKpUIH08Zs3k6cWWM1H0YX0cxA/HohhesQJW\n" +
++ "kwJ3urOIJiH/HeByDk8a1NS8safcCxk5vxvW4WvCg43iT09LeHY5Aa8abKw8lqVb\n" +
++ "0tD5ZSIjdmdj3TT1U37iAHLLRM2DXbxfdbhouUX1c5U1ZHAMA67HwjKiseOiDaHj\n" +
++ "NUGbC37C+cgbc9VVM/cURD8WvS0Kj6fQv7F2QtJDAgMBAAGjggM5MIIDNTAfBgNV\n" +
++ "HSMEGDAWgBR7aM4pqsAXvkl64eU/1qf3RY81MjAdBgNVHQ4EFgQU88EXKAyDsh30\n" +
++ "o9+Gu9a4xUy+FSMwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMD\n" +
++ "MHMGA1UdHwRsMGowM6AxoC+GLWh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9hc3N1\n" +
++ "cmVkLWNzLTIwMTFhLmNybDAzoDGgL4YtaHR0cDovL2NybDQuZGlnaWNlcnQuY29t\n" +
++ "L2Fzc3VyZWQtY3MtMjAxMWEuY3JsMIIBxAYDVR0gBIIBuzCCAbcwggGzBglghkgB\n" +
++ "hv1sAwEwggGkMDoGCCsGAQUFBwIBFi5odHRwOi8vd3d3LmRpZ2ljZXJ0LmNvbS9z\n" +
++ "c2wtY3BzLXJlcG9zaXRvcnkuaHRtMIIBZAYIKwYBBQUHAgIwggFWHoIBUgBBAG4A\n" +
++ "eQAgAHUAcwBlACAAbwBmACAAdABoAGkAcwAgAEMAZQByAHQAaQBmAGkAYwBhAHQA\n" +
++ "ZQAgAGMAbwBuAHMAdABpAHQAdQB0AGUAcwAgAGEAYwBjAGUAcAB0AGEAbgBjAGUA\n" +
++ "IABvAGYAIAB0AGgAZQAgAEQAaQBnAGkAQwBlAHIAdAAgAEMAUAAvAEMAUABTACAA\n" +
++ "YQBuAGQAIAB0AGgAZQAgAFIAZQBsAHkAaQBuAGcAIABQAGEAcgB0AHkAIABBAGcA\n" +
++ "cgBlAGUAbQBlAG4AdAAgAHcAaABpAGMAaAAgAGwAaQBtAGkAdAAgAGwAaQBhAGIA\n" +
++ "aQBsAGkAdAB5ACAAYQBuAGQAIABhAHIAZQAgAGkAbgBjAG8AcgBwAG8AcgBhAHQA\n" +
++ "ZQBkACAAaABlAHIAZQBpAG4AIABiAHkAIAByAGUAZgBlAHIAZQBuAGMAZQAuMIGC\n" +
++ "BggrBgEFBQcBAQR2MHQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0\n" +
++ "LmNvbTBMBggrBgEFBQcwAoZAaHR0cDovL2NhY2VydHMuZGlnaWNlcnQuY29tL0Rp\n" +
++ "Z2lDZXJ0QXNzdXJlZElEQ29kZVNpZ25pbmdDQS0xLmNydDAMBgNVHRMBAf8EAjAA\n" +
++ "MA0GCSqGSIb3DQEBBQUAA4IBAQAei1QmiXepje8OIfo/WonD4MIXgpPr2dfRaquQ\n" +
++ "A8q63OpTRSveyqdQDCSPpDRF/nvO1Y30yksZvIH1tNBsW5LBdxAKN3lFdBlqBwtE\n" +
++ "Q3jHc0KVVYRJ0FBaGE/PJHmRajscdAhYIcMPhTga0u0tDK+wOHEq3993dfl6yHjA\n" +
++ "XHU2iW5pnk75ZoE39zALD5eKXT8ZXrET5c3XUFJKWA+XuGmdmyzqo0Au49PanBv9\n" +
++ "UlZnabYfqoMArqMS0tGSX4cGgi9/2E+pHG9BX4sFW+ZDumroOA2pxyMWEKjxePEL\n" +
++ "zCOfhbsRWdMLYepauaNZOIMZXmFwcrIl0TGMkTAtATz+XmZc\n" +
++ "-----END CERTIFICATE-----");
++
+ }
+ }
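Review bot: The alias on the second `add(...)` call, `buster-assistencia-tecnica-electronica-ltda-3FD74D2F`, spells "electronica" while the Subject comment directly above it reads "ELETRONICA"; since these aliases are what an operator greps for when auditing the blacklist, `add("buster-assistencia-tecnica-eletronica-ltda-3FD74D2F",` would keep the key consistent with the DN. The Subject comments also show `S?o Jos?` and `S?o Paulo`, which looks like non-ASCII characters lost to an encoding step somewhere between upstream and this patch file (it may only be the page rendering); if the patch really contains `?`, writing the comment as `// L=Sao Jose Dos Campos,` avoids depending on the source-file encoding. Both points are cosmetic and do not change which certificates are rejected. The static initializer these `add` calls belong to begins outside the hunk.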