Mercurial > hg > release > icedtea6-1.13
changeset 3248:06179516eff2
Update to build against the b39 tarball & April 2016 security fixes.
Upstream changes:
- S4459600: java -jar fails to run Main-Class if classname followed by whitespace.
- S4963723: Implement SHA-224
- S6378099: RFE: Use libfontconfig to create/synthesise a fontconfig.properties
- S6414899: P11Digest should support cloning
- S6452854: Provide a flag to print the java configuration
- S6578658: Request for raw RSA (NONEwithRSA) Signature support in SunMSCAPI
- S6604496: Support for CKM_AES_CTR (counter mode)
- S6742159: (launcher) improve the java launching mechanism
- S6752622: java.awt.Font.getPeer throws "java.lang.InternalError: Not implemented" on Linux
- S6753664: Support SHA256 (and higher) in SunMSCAPI
- S6758881: (launcher) needs to throw NoClassDefFoundError instead of JavaRuntimeException
- S6812738: SSL stress test with GF leads to 32 bit max process size in less than 5 minutes with PCKS11 provider
- S6856415: Enabling java security manager will make program thrown wrong exception ( main method not found )
- S6892493: potential memory leaks in 2D font code indentified by parfait.
- S6924489: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_OPERATION_NOT_INITIALIZED
- S6925851: Localize JRE into pt_BR
- S6956398: make ephemeral DH key match the length of the certificate key
- S6968053: (launcher) hide exceptions under certain launcher failures
- S6977738: Deadlock between java.lang.ClassLoader and java.util.Properties
- S6981001: (launcher) EnsureJREInstallation is not being called in order
- S7017734: jdk7 message drop 1 translation integration
- S7026184: (launcher) Regression: class with unicode name can't be launched by java.
- S7033170: Cipher.getMaxAllowedKeyLength(String) throws NoSuchAlgorithmException
- S7044060: Need to support NSA Suite B Cryptography algorithms
- S7104161: test/sun/tools/jinfo/Basic.sh fails on Ubuntu
- S7106773: 512 bits RSA key cannot work with SHA384 and SHA512
- S7125442: jar application located in two bytes character named folder cannot be run with JRE 7 u1/u2
- S7127906: (launcher) convert the launcher regression tests to java
- S7141141: Add 3 new test scenarios for testing Main-Class attribute in jar manifest file
- S7158988: jvm crashes while debugging on x86_32 and x86_64
- S7189944: (launcher) test/tools/launcher/Arrrrghs.java needs a couple of minor fixes
- S7193318: C2: remove number of inputs requirement from Node's new operator
- S8002116: This JdbReadTwiceTest.sh gets an exit 1
- S8004007: test/sun/tools/jinfo/Basic.sh fails on when runSA is set to true
- S8006935: Need to take care of long secret keys in HMAC/PRF compuation
- S8023990: Regression: postscript size increase from 6u18
- S8027705: com/sun/jdi/JdbMethodExitTest.sh fails when a background thread is generating events.
- S8028537: PPC64: Updated the JDK regression tests to run on AIX
- S8036132: Tab characters in test/com/sun/jdi files
- S8038963: com/sun/jdi tests fail because cygwin's ps sometimes misses processes
- S8039921: SHA1WithDSA with key > 1024 bits not working
- S8044419: TEST_BUG: com/sun/jdi/JdbReadTwiceTest.sh fails when run under root
- S8059661: Test SoftReference and OOM behavior
- S8067364: Printing to Postscript doesn't support dieresis
- S8072753: Nondeterministic wrong answer on arithmetic
- S8073735: [TEST_BUG] compiler/loopopts/CountedLoopProblem.java got OOME
- S8074146: [TEST_BUG] jdb has succeded to read an unreadable file
- S8075584: test for 8067364 depends on hardwired text advance
- S8087120: [GCC5] java.lang.StackOverflowError on Zero JVM initialization on non x86 platforms.
- S8129952: Ensure thread consistency
- S8132051: Better byte behavior
- S8134297: NPE in GSSNameElement nameType check
- S8134650: Xsl transformation gives different results in 8u66
- S8138593: Make DSA more fair
- S8141229: [Parfait] Null pointer dereference in cmsstrcasecmp of cmserr.c
- S8143002: [Parfait] JNI exception pending in fontpath.c:1300
- S8143167: Better buffering of XML strings
- S8144430: Improve JMX connections
- S8146477: [TEST_BUG] ClientJSSEServerJSSE.java failing again
- S8146494: Better ligature substitution
- S8146498: Better device table adjustments
- S8146967: [TEST_BUG] javax/security/auth/SubjectDomainCombiner/Optimize.java should use 4-args ProtectionDomain constructor
- S8147567: InterpreterRuntime::post_field_access not updated for boolean in JDK-8132051
- S8148446: (tz) Support tzdata2016a
- S8148475: Missing SA Bytecode updates.
- S8149170: Better byte behavior for native arguments
- S8149367: PolicyQualifierInfo/index_Ctor JCk test fails with IOE: Invalid encoding for PolicyQualifierInfo
- S8150012: Better byte behavior for reflection
- S8150790: 8u75 L10n resource file translation update
- S8154210: Zero: Better byte behaviour
- S8155261: Zero broken since HS23 update
- S8155699: Resolve issues created by backports in OpenJDK 6 b39
- S8155699: Resolve issues created by backports in OpenJDK 6 b39, part 2
- S8155746: Sync Windows export list in make/java/jli/Makefile with make/java/jli/mapfile-vers
ChangeLog:
2016-05-03 Andrew John Hughes <gnu.andrew@redhat.com>
* Makefile.am:
(OPENJDK_DATE): Bump to b39 creation date;
3rd of May, 2016.
(OPENJDK_SHA256SUM): Update for b39 tarball.
2016-05-03 Andrew John Hughes <gnu.andrew@member.fsf.org>
* patches/openjdk/8039921-sha1_1024plus.patch:
Remove further b39 patch missed in earlier batch.
2016-05-03 Andrew John Hughes <gnu.andrew@member.fsf.org>
* patches/openjdk/4963723-implement_sha-224.patch,
* patches/openjdk/6578658-sunmscapi_nonewithrsa.patch,
* patches/openjdk/6753664-sunmscapi_sha-256.patch,
* patches/openjdk/6956398-ephemeraldhkeysize.patch,
* patches/openjdk/7033170-getmaxallowedkeylength_throws_exception.patch,
* patches/openjdk/7044060-support_nsa_suite_b.patch,
* patches/openjdk/7106773-512_bits_rsa.patch,
* patches/openjdk/8006935-long_keys_in_hmac_prf.patch,
* patches/openjdk/8087120-zero_gcc5.patch,
* patches/openjdk/p11cipher-6414899-p11digest_should_support_cloning.patch,
* patches/openjdk/p11cipher-6604496-support_ckm_aes_ctr.patch,
* patches/openjdk/p11cipher-6812738-native_cleanup.patch,
* patches/openjdk/p11cipher-6924489-ckr_operation_not_initialized.patch,
* patches/pr2486-768_dh.patch,
* patches/pr2488-1024_dh.patch:
Remove patches upstreamed in b39.
* Makefile.am:
(ICEDTEA_PATCHES): Remove above patches.
* NEWS: Updated.
* patches/openjdk/7170638-systemtap.patch:
Regenerated due to copyright header change in jni.cpp.
2016-05-03 Andrew John Hughes <gnu.andrew@redhat.com>
* patches/hotspot/hs23/zero_fixes.patch:
Remove fragments upstreamed in 8155261.
* patches/hotspot/hs23/zero_hs22.patch:
Likewise.
2016-01-29 Andrew John Hughes <gnu.andrew@redhat.com>
* Makefile.am:
(OPENJDK_VERSION): Bump to next release, b39.
| author | Andrew John Hughes <gnu.andrew@redhat.com> |
|---|---|
| date | Wed, 04 May 2016 04:24:30 +0100 |
| parents | 49231b25f344 |
| children | ca47e59e06a7 |
| files | ChangeLog Makefile.am NEWS patches/hotspot/hs23/zero_fixes.patch patches/hotspot/hs23/zero_hs22.patch patches/openjdk/4963723-implement_sha-224.patch patches/openjdk/6578658-sunmscapi_nonewithrsa.patch patches/openjdk/6753664-sunmscapi_sha-256.patch patches/openjdk/6956398-ephemeraldhkeysize.patch patches/openjdk/7033170-getmaxallowedkeylength_throws_exception.patch patches/openjdk/7044060-support_nsa_suite_b.patch patches/openjdk/7106773-512_bits_rsa.patch patches/openjdk/7170638-systemtap.patch patches/openjdk/8006935-long_keys_in_hmac_prf.patch patches/openjdk/8039921-sha1_1024plus.patch patches/openjdk/8087120-zero_gcc5.patch patches/openjdk/p11cipher-6414899-p11digest_should_support_cloning.patch patches/openjdk/p11cipher-6604496-support_ckm_aes_ctr.patch patches/openjdk/p11cipher-6812738-native_cleanup.patch patches/openjdk/p11cipher-6924489-ckr_operation_not_initialized.patch patches/pr2486-768_dh.patch patches/pr2488-1024_dh.patch |
| diffstat | 22 files changed, 143 insertions(+), 16761 deletions(-) [+] |
line wrap: on
line diff
--- a/ChangeLog Wed May 04 02:55:09 2016 +0100 +++ b/ChangeLog Wed May 04 04:24:30 2016 +0100 @@ -1,3 +1,51 @@ +2016-05-03 Andrew John Hughes <gnu.andrew@redhat.com> + + * Makefile.am: + (OPENJDK_DATE): Bump to b39 creation date; + 3rd of May, 2016. + (OPENJDK_SHA256SUM): Update for b39 tarball. + +2016-05-03 Andrew John Hughes <gnu.andrew@member.fsf.org> + + * patches/openjdk/8039921-sha1_1024plus.patch: + Remove further b39 patch missed in earlier batch. + +2016-05-03 Andrew John Hughes <gnu.andrew@member.fsf.org> + + * patches/openjdk/4963723-implement_sha-224.patch, + * patches/openjdk/6578658-sunmscapi_nonewithrsa.patch, + * patches/openjdk/6753664-sunmscapi_sha-256.patch, + * patches/openjdk/6956398-ephemeraldhkeysize.patch, + * patches/openjdk/7033170-getmaxallowedkeylength_throws_exception.patch, + * patches/openjdk/7044060-support_nsa_suite_b.patch, + * patches/openjdk/7106773-512_bits_rsa.patch, + * patches/openjdk/8006935-long_keys_in_hmac_prf.patch, + * patches/openjdk/8087120-zero_gcc5.patch, + * patches/openjdk/p11cipher-6414899-p11digest_should_support_cloning.patch, + * patches/openjdk/p11cipher-6604496-support_ckm_aes_ctr.patch, + * patches/openjdk/p11cipher-6812738-native_cleanup.patch, + * patches/openjdk/p11cipher-6924489-ckr_operation_not_initialized.patch, + * patches/pr2486-768_dh.patch, + * patches/pr2488-1024_dh.patch: + Remove patches upstreamed in b39. + * Makefile.am: + (ICEDTEA_PATCHES): Remove above patches. + * NEWS: Updated. + * patches/openjdk/7170638-systemtap.patch: + Regenerated due to copyright header change in jni.cpp. + +2016-05-03 Andrew John Hughes <gnu.andrew@redhat.com> + + * patches/hotspot/hs23/zero_fixes.patch: + Remove fragments upstreamed in 8155261. + * patches/hotspot/hs23/zero_hs22.patch: + Likewise. + +2016-01-29 Andrew John Hughes <gnu.andrew@redhat.com> + + * Makefile.am: + (OPENJDK_VERSION): Bump to next release, b39. + 2016-05-03 Andrew John Hughes <gnu.andrew@member.fsf.org> PR2887: Location of 'stap' executable is hard-coded
--- a/Makefile.am Wed May 04 02:55:09 2016 +0100 +++ b/Makefile.am Wed May 04 04:24:30 2016 +0100 @@ -1,8 +1,8 @@ # Dependencies -OPENJDK_DATE = 20_jan_2016 -OPENJDK_SHA256SUM = ff88dbcbda6c3c7d80b7cbd28065a455cdb009de9874fcf9ff9ca8205d38a257 -OPENJDK_VERSION = b38 +OPENJDK_DATE = 03_may_2016 +OPENJDK_SHA256SUM = d11dc2ababe88e7891f1abbd7fa4fe033a65dea22c071331a641374b3247717f +OPENJDK_VERSION = b39 OPENJDK_URL = https://java.net/downloads/openjdk6/ CACAO_VERSION = 68fe50ac34ec @@ -465,11 +465,7 @@ patches/remove_multicatch_in_testrsa.patch \ patches/openjdk/p11cipher-6682411-fix_indexoutofboundsexception.patch \ patches/openjdk/p11cipher-6682417-fix_decrypted_data_not_multiple_of_blocks.patch \ - patches/openjdk/p11cipher-6812738-native_cleanup.patch \ patches/openjdk/p11cipher-6687725-throw_illegalblocksizeexception.patch \ - patches/openjdk/p11cipher-6924489-ckr_operation_not_initialized.patch \ - patches/openjdk/p11cipher-6604496-support_ckm_aes_ctr.patch \ - patches/openjdk/p11cipher-6414899-p11digest_should_support_cloning.patch \ patches/traceable.patch \ patches/pr1319-support_giflib_5.patch \ patches/openjdk/6718364-inference_failure.patch \ @@ -581,15 +577,8 @@ patches/shark_fixes_from_8003868.patch \ patches/8003992_support_6.patch \ patches/shark-drop_compile_method_arg_following_7083786.patch \ - patches/openjdk/4963723-implement_sha-224.patch \ patches/openjdk/7180907-jarsigner_sha-256.patch \ patches/openjdk/8049480-jarsigner_openjdk_9.patch \ - patches/openjdk/6753664-sunmscapi_sha-256.patch \ - patches/openjdk/6578658-sunmscapi_nonewithrsa.patch \ - patches/openjdk/7033170-getmaxallowedkeylength_throws_exception.patch \ - patches/openjdk/7044060-support_nsa_suite_b.patch \ - patches/openjdk/8006935-long_keys_in_hmac_prf.patch \ - patches/openjdk/7106773-512_bits_rsa.patch \ patches/pr1904-icedtea_and_distro_versioning.patch \ patches/openjdk/8017173-xml_cipher_rsa_oaep_cant_be_instantiated.patch \ patches/openjdk/8000897-pr2173-vm_crash_in_compilebroker.patch \ @@ -605,7 +594,6 @@ patches/pr2226-support_future_giflib_6_and_up.patch \ patches/openjdk/4890063-hprof_truncation.patch \ patches/openjdk/6562615-compiler_warnings.patch \ - patches/openjdk/6956398-ephemeraldhkeysize.patch \ patches/openjdk/6989466-compiler_warnings.patch \ patches/openjdk/6991580-ipv6_nameservers.patch \ patches/openjdk/7007905-javazic_line_numbers.patch \ @@ -615,7 +603,6 @@ patches/openjdk/7133138-timezone_io_improvement.patch \ patches/openjdk/8011709-canonshaping_memory_leak.patch \ patches/openjdk/8023052-jvm_crash_in_native_layout.patch \ - patches/openjdk/8039921-sha1_1024plus.patch \ patches/openjdk/8041451-ldap_read_timeout_abandon.patch \ patches/openjdk/8042855-indiclayoutengine_null_dereference.patch \ patches/openjdk/7094377-ldaps_timeout.patch \ @@ -627,12 +614,9 @@ patches/openjdk/8074761-ldap_empty_optional_params.patch \ patches/openjdk/8078654-closettfontfilefunc.patch \ patches/openjdk/8081315-giflib_interlacing.patch \ - patches/openjdk/8087120-zero_gcc5.patch \ patches/pr2319-policy_jar_checksum.patch \ patches/pr2460-policy_jar_timestamp.patch \ patches/pr2481_sysconfig_clock_spaces.patch \ - patches/pr2486-768_dh.patch \ - patches/pr2488-1024_dh.patch \ patches/openjdk/6440786-pr363-zero_entry_zips.patch \ patches/openjdk/6763122-no_zipfile_ctor_exception.patch \ patches/openjdk/6599383-pr363-large_zip_files.patch \
--- a/NEWS Wed May 04 02:55:09 2016 +0100 +++ b/NEWS Wed May 04 04:24:30 2016 +0100 @@ -14,6 +14,68 @@ New in release 1.13.11 (2016-04-XX): +* Security fixes + - S8129952, CVE-2016-0686: Ensure thread consistency + - S8132051, CVE-2016-0687: Better byte behavior + - S8138593, CVE-2016-0695: Make DSA more fair + - S8139008: Better state table management + - S8143167, CVE-2016-3425: Better buffering of XML strings + - S8144430, CVE-2016-3427: Improve JMX connections + - S8146494: Better ligature substitution + - S8146498: Better device table adjustments +* Import of OpenJDK6 b38 + - S4459600: java -jar fails to run Main-Class if classname followed by whitespace. + - S6378099: RFE: Use libfontconfig to create/synthesise a fontconfig.properties + - S6452854: Provide a flag to print the java configuration + - S6742159: (launcher) improve the java launching mechanism + - S6752622: java.awt.Font.getPeer throws "java.lang.InternalError: Not implemented" on Linux + - S6758881: (launcher) needs to throw NoClassDefFoundError instead of JavaRuntimeException + - S6856415: Enabling java security manager will make program thrown wrong exception ( main method not found ) + - S6892493: potential memory leaks in 2D font code indentified by parfait. + - S6925851: Localize JRE into pt_BR (corba) + - S6968053: (launcher) hide exceptions under certain launcher failures + - S6977738: Deadlock between java.lang.ClassLoader and java.util.Properties + - S6981001: (launcher) EnsureJREInstallation is not being called in order + - S7017734: jdk7 message drop 1 translation integration + - S7026184: (launcher) Regression: class with unicode name can't be launched by java. + - S7104161: test/sun/tools/jinfo/Basic.sh fails on Ubuntu + - S7125442: jar application located in two bytes character named folder cannot be run with JRE 7 u1/u2 + - S7127906: (launcher) convert the launcher regression tests to java + - S7141141: Add 3 new test scenarios for testing Main-Class attribute in jar manifest file + - S7158988: jvm crashes while debugging on x86_32 and x86_64 + - S7189944: (launcher) test/tools/launcher/Arrrrghs.java needs a couple of minor fixes + - S7193318: C2: remove number of inputs requirement from Node's new operator + - S8002116: This JdbReadTwiceTest.sh gets an exit 1 + - S8004007: test/sun/tools/jinfo/Basic.sh fails on when runSA is set to true + - S8023990: Regression: postscript size increase from 6u18 + - S8027705: com/sun/jdi/JdbMethodExitTest.sh fails when a background thread is generating events. + - S8028537: PPC64: Updated the JDK regression tests to run on AIX + - S8036132: Tab characters in test/com/sun/jdi files + - S8038963: com/sun/jdi tests fail because cygwin's ps sometimes misses processes + - S8044419: TEST_BUG: com/sun/jdi/JdbReadTwiceTest.sh fails when run under root + - S8059661: Test SoftReference and OOM behavior + - S8067364: Printing to Postscript doesn't support dieresis + - S8072753: Nondeterministic wrong answer on arithmetic + - S8073735: [TEST_BUG] compiler/loopopts/CountedLoopProblem.java got OOME + - S8074146: [TEST_BUG] jdb has succeded to read an unreadable file + - S8075584: test for 8067364 depends on hardwired text advance + - S8134297: NPE in GSSNameElement nameType check + - S8134650: Xsl transformation gives different results in 8u66 + - S8141229: [Parfait] Null pointer dereference in cmsstrcasecmp of cmserr.c + - S8143002: [Parfait] JNI exception pending in fontpath.c:1300 + - S8146477: [TEST_BUG] ClientJSSEServerJSSE.java failing again + - S8146967: [TEST_BUG] javax/security/auth/SubjectDomainCombiner/Optimize.java should use 4-args ProtectionDomain constructor + - S8147567: InterpreterRuntime::post_field_access not updated for boolean in JDK-8132051 + - S8148446: (tz) Support tzdata2016a + - S8148475: Missing SA Bytecode updates. + - S8149170: Better byte behavior for native arguments + - S8149367: PolicyQualifierInfo/index_Ctor JCk test fails with IOE: Invalid encoding for PolicyQualifierInfo + - S8150012: Better byte behavior for reflection + - S8150790: 8u75 L10n resource file translation update + - S8154210: Zero: Better byte behaviour + - S8155261: Zero broken since HS23 update + - S8155699: Resolve issues created by backports in OpenJDK 6 b39 + - S8155746: Sync Windows export list in make/java/jli/Makefile with make/java/jli/mapfile-vers * Backports - S6863746, PR2951: javap should not scan ct.sym by default - S8071705, PR2820, RH1182694: Java application menu misbehaves when running multiple screen stacked vertically
--- a/patches/hotspot/hs23/zero_fixes.patch Wed May 04 02:55:09 2016 +0100 +++ b/patches/hotspot/hs23/zero_fixes.patch Wed May 04 04:24:30 2016 +0100 @@ -1,60 +1,6 @@ -# HG changeset patch -# User andrew -# Date 1346354667 -3600 -# Thu Aug 30 20:24:27 2012 +0100 -# Node ID 2a413d946cb1acdcbe1110098f79b7a1f267bf75 -# Parent 3e0087ab5e924827bc198557c8e4e5b1c4ff1fa3 -Fix Zero FTBFS issues - -diff --git a/src/cpu/zero/vm/assembler_zero.cpp b/src/cpu/zero/vm/assembler_zero.cpp ---- openjdk/hotspot/src/cpu/zero/vm/assembler_zero.cpp -+++ openjdk/hotspot/src/cpu/zero/vm/assembler_zero.cpp -@@ -91,3 +91,11 @@ - address ShouldNotCallThisEntry() { - return (address) should_not_call; - } -+ -+static void zero_null_fn() { -+ return; -+} -+ -+address ZeroNullStubEntry(address fn) { -+ return (address) fn; -+} -diff --git a/src/cpu/zero/vm/assembler_zero.hpp b/src/cpu/zero/vm/assembler_zero.hpp ---- openjdk/hotspot/src/cpu/zero/vm/assembler_zero.hpp -+++ openjdk/hotspot/src/cpu/zero/vm/assembler_zero.hpp -@@ -65,5 +65,6 @@ - - address ShouldNotCallThisStub(); - address ShouldNotCallThisEntry(); -+address ZeroNullStubEntry(address fn); - - #endif // CPU_ZERO_VM_ASSEMBLER_ZERO_HPP -diff --git a/src/cpu/zero/vm/copy_zero.hpp b/src/cpu/zero/vm/copy_zero.hpp ---- openjdk/hotspot/src/cpu/zero/vm/copy_zero.hpp -+++ openjdk/hotspot/src/cpu/zero/vm/copy_zero.hpp -@@ -169,7 +169,7 @@ - } - - static void pd_fill_to_bytes(void* to, size_t count, jubyte value) { -- memset(to, value, count); -+ if ( count > 0 ) memset(to, value, count); - } - - static void pd_zero_to_words(HeapWord* tohw, size_t count) { -@@ -177,7 +177,7 @@ - } - - static void pd_zero_to_bytes(void* to, size_t count) { -- memset(to, 0, count); -+ if ( count > 0 ) memset(to, 0, count); - } - - #endif // CPU_ZERO_VM_COPY_ZERO_HPP -diff --git a/src/cpu/zero/vm/cppInterpreter_zero.cpp b/src/cpu/zero/vm/cppInterpreter_zero.cpp ---- openjdk/hotspot/src/cpu/zero/vm/cppInterpreter_zero.cpp -+++ openjdk/hotspot/src/cpu/zero/vm/cppInterpreter_zero.cpp +diff -Nru openjdk.orig/hotspot/src/cpu/zero/vm/cppInterpreter_zero.cpp openjdk/hotspot/src/cpu/zero/vm/cppInterpreter_zero.cpp +--- openjdk.orig/hotspot/src/cpu/zero/vm/cppInterpreter_zero.cpp 2016-05-03 20:18:13.388935986 +0100 ++++ openjdk/hotspot/src/cpu/zero/vm/cppInterpreter_zero.cpp 2016-05-03 20:19:21.099818351 +0100 @@ -36,6 +36,7 @@ #include "oops/oop.inline.hpp" #include "prims/jvmtiExport.hpp" @@ -77,81 +23,7 @@ int CppInterpreter::normal_entry(methodOop method, intptr_t UNUSED, TRAPS) { JavaThread *thread = (JavaThread *) THREAD; -@@ -699,6 +707,9 @@ - method_handle = adapter; - } - -+ CPPINT_DEBUG( tty->print_cr( "Process method_handle sp: 0x%x unwind_sp: 0x%x result_slots: %d.", \ -+ stack->sp(), unwind_sp, result_slots ); ) -+ - // Start processing - process_method_handle(method_handle, THREAD); - if (HAS_PENDING_EXCEPTION) -@@ -718,6 +729,8 @@ - } - - // Check -+ CPPINT_DEBUG( tty->print_cr( "Exiting method_handle_entry, sp: 0x%x unwind_sp: 0x%x result_slots: %d.", \ -+ stack->sp(), unwind_sp, result_slots ); ) - assert(stack->sp() == unwind_sp - result_slots, "should be"); - - // No deoptimized frames on the stack -@@ -725,6 +738,7 @@ - } - - void CppInterpreter::process_method_handle(oop method_handle, TRAPS) { -+ - JavaThread *thread = (JavaThread *) THREAD; - ZeroStack *stack = thread->zero_stack(); - intptr_t *vmslots = stack->sp(); -@@ -739,6 +753,7 @@ - (MethodHandles::EntryKind) (((intptr_t) entry) & 0xffffffff); - - methodOop method = NULL; -+ CPPINT_DEBUG( tty->print_cr( "\nEntering %s 0x%x.",MethodHandles::entry_name(entry_kind), (char *)vmslots ); ) - switch (entry_kind) { - case MethodHandles::_invokestatic_mh: - direct_to_method = true; -@@ -811,11 +826,15 @@ - case MethodHandles::_bound_int_mh: - case MethodHandles::_bound_long_mh: - { -- BasicType arg_type = T_ILLEGAL; -- int arg_mask = -1; -- int arg_slots = -1; -- MethodHandles::get_ek_bound_mh_info( -- entry_kind, arg_type, arg_mask, arg_slots); -+ // BasicType arg_type = T_ILLEGAL; -+ // int arg_mask = -1; -+ // int arg_slots = -1; -+ // MethodHandles::get_ek_bound_mh_info( -+ // entry_kind, arg_type, arg_mask, arg_slots); -+ BasicType arg_type = MethodHandles::ek_bound_mh_arg_type(entry_kind); -+ int arg_mask = 0; -+ int arg_slots = type2size[arg_type];; -+ - int arg_slot = - java_lang_invoke_BoundMethodHandle::vmargslot(method_handle); - -@@ -961,10 +980,13 @@ - java_lang_invoke_AdapterMethodHandle::conversion(method_handle); - int arg2 = MethodHandles::adapter_conversion_vminfo(conv); - -- int swap_bytes = 0, rotate = 0; -- MethodHandles::get_ek_adapter_opt_swap_rot_info( -- entry_kind, swap_bytes, rotate); -- int swap_slots = swap_bytes >> LogBytesPerWord; -+ // int swap_bytes = 0, rotate = 0; -+ // MethodHandles::get_ek_adapter_opt_swap_rot_info( -+ // entry_kind, swap_bytes, rotate); -+ int swap_slots = MethodHandles::ek_adapter_opt_swap_slots(entry_kind); -+ int rotate = MethodHandles::ek_adapter_opt_swap_mode(entry_kind); -+ int swap_bytes = swap_slots * Interpreter::stackElementSize; -+ swap_slots = swap_bytes >> LogBytesPerWord; - - intptr_t tmp; - switch (rotate) { -@@ -1080,12 +1102,309 @@ +@@ -1079,12 +1094,309 @@ } break; @@ -464,17 +336,9 @@ // Continue along the chain if (direct_to_method) { if (method == NULL) { -@@ -1138,6 +1457,7 @@ - tty->print_cr("dst_rtype = %s", type2name(dst_rtype)); - ShouldNotReachHere(); - } -+ CPPINT_DEBUG( tty->print_cr( "LEAVING %s\n",MethodHandles::entry_name(entry_kind) ); ) - } - - // The new slots will be inserted before slot insert_before. -diff --git a/src/cpu/zero/vm/frame_zero.inline.hpp b/src/cpu/zero/vm/frame_zero.inline.hpp ---- openjdk/hotspot/src/cpu/zero/vm/frame_zero.inline.hpp -+++ openjdk/hotspot/src/cpu/zero/vm/frame_zero.inline.hpp +diff -Nru openjdk.orig/hotspot/src/cpu/zero/vm/frame_zero.inline.hpp openjdk/hotspot/src/cpu/zero/vm/frame_zero.inline.hpp +--- openjdk.orig/hotspot/src/cpu/zero/vm/frame_zero.inline.hpp 2013-09-13 00:30:29.930952968 +0100 ++++ openjdk/hotspot/src/cpu/zero/vm/frame_zero.inline.hpp 2016-05-03 20:19:21.099818351 +0100 @@ -36,6 +36,8 @@ _deopt_state = unknown; } @@ -484,161 +348,3 @@ inline frame::frame(ZeroFrame* zf, intptr_t* sp) { _zeroframe = zf; _sp = sp; -diff --git a/src/cpu/zero/vm/methodHandles_zero.cpp b/src/cpu/zero/vm/methodHandles_zero.cpp ---- openjdk/hotspot/src/cpu/zero/vm/methodHandles_zero.cpp -+++ openjdk/hotspot/src/cpu/zero/vm/methodHandles_zero.cpp -@@ -28,6 +28,8 @@ - #include "memory/allocation.inline.hpp" - #include "prims/methodHandles.hpp" - -+#define __ _masm-> -+ - int MethodHandles::adapter_conversion_ops_supported_mask() { - return ((1<<java_lang_invoke_AdapterMethodHandle::OP_RETYPE_ONLY) - |(1<<java_lang_invoke_AdapterMethodHandle::OP_RETYPE_RAW) -@@ -38,12 +40,73 @@ - |(1<<java_lang_invoke_AdapterMethodHandle::OP_ROT_ARGS) - |(1<<java_lang_invoke_AdapterMethodHandle::OP_DUP_ARGS) - |(1<<java_lang_invoke_AdapterMethodHandle::OP_DROP_ARGS) -- //|(1<<java_lang_invoke_AdapterMethodHandle::OP_SPREAD_ARGS) //BUG! -+ |(1<<java_lang_invoke_AdapterMethodHandle::OP_SPREAD_ARGS) - ); -- // FIXME: MethodHandlesTest gets a crash if we enable OP_SPREAD_ARGS. - } - - void MethodHandles::generate_method_handle_stub(MacroAssembler* masm, - MethodHandles::EntryKind ek) { - init_entry(ek, (MethodHandleEntry *) ek); - } -+void MethodHandles::RicochetFrame::generate_ricochet_blob(MacroAssembler* _masm, -+ // output params: -+ int* bounce_offset, -+ int* exception_offset, -+ int* frame_size_in_words) { -+ (*frame_size_in_words) = 0; -+ address start = __ pc(); -+ (*bounce_offset) = __ pc() - start; -+ (*exception_offset) = __ pc() - start; -+} -+ -+frame MethodHandles::ricochet_frame_sender(const frame& fr, RegisterMap *map) { -+ //RicochetFrame* f = RicochetFrame::from_frame(fr); -+ // Cf. is_interpreted_frame path of frame::sender -+ // intptr_t* younger_sp = fr.sp(); -+ // intptr_t* sp = fr.sender_sp(); -+ // return frame(sp, younger_sp, this_frame_adjusted_stack); -+ ShouldNotCallThis(); -+} -+ -+void MethodHandles::ricochet_frame_oops_do(const frame& fr, OopClosure* blk, const RegisterMap* reg_map) { -+ // ResourceMark rm; -+ // RicochetFrame* f = RicochetFrame::from_frame(fr); -+ -+ // pick up the argument type descriptor: -+ // Thread* thread = Thread::current(); -+ // process fixed part -+ // blk->do_oop((oop*)f->saved_target_addr()); -+ // blk->do_oop((oop*)f->saved_args_layout_addr()); -+ -+ // process variable arguments: -+ // if (cookie.is_null()) return; // no arguments to describe -+ -+ // the cookie is actually the invokeExact method for my target -+ // his argument signature is what I'm interested in -+ // assert(cookie->is_method(), ""); -+ // methodHandle invoker(thread, methodOop(cookie())); -+ // assert(invoker->name() == vmSymbols::invokeExact_name(), "must be this kind of method"); -+ // assert(!invoker->is_static(), "must have MH argument"); -+ // int slot_count = invoker->size_of_parameters(); -+ // assert(slot_count >= 1, "must include 'this'"); -+ // intptr_t* base = f->saved_args_base(); -+ // intptr_t* retval = NULL; -+ // if (f->has_return_value_slot()) -+ // retval = f->return_value_slot_addr(); -+ // int slot_num = slot_count - 1; -+ // intptr_t* loc = &base[slot_num]; -+ //blk->do_oop((oop*) loc); // original target, which is irrelevant -+ // int arg_num = 0; -+ // for (SignatureStream ss(invoker->signature()); !ss.is_done(); ss.next()) { -+ // if (ss.at_return_type()) continue; -+ // BasicType ptype = ss.type(); -+ // if (ptype == T_ARRAY) ptype = T_OBJECT; // fold all refs to T_OBJECT -+ // assert(ptype >= T_BOOLEAN && ptype <= T_OBJECT, "not array or void"); -+ // slot_num -= type2size[ptype]; -+ // loc = &base[slot_num]; -+ // bool is_oop = (ptype == T_OBJECT && loc != retval); -+ // if (is_oop) blk->do_oop((oop*)loc); -+ // arg_num += 1; -+ // } -+ // assert(slot_num == 0, "must have processed all the arguments"); -+} -diff --git a/src/cpu/zero/vm/methodHandles_zero.hpp b/src/cpu/zero/vm/methodHandles_zero.hpp ---- openjdk/hotspot/src/cpu/zero/vm/methodHandles_zero.hpp -+++ openjdk/hotspot/src/cpu/zero/vm/methodHandles_zero.hpp -@@ -43,4 +43,12 @@ - saved_target *(rcx+&mh_vmtgt) L2_stgt - continuation #STUB_CON L1_cont - */ -+ public: -+ -+static void generate_ricochet_blob(MacroAssembler* _masm, -+ // output params: -+ int* bounce_offset, -+ int* exception_offset, -+ int* frame_size_in_words); -+ - }; -diff --git a/src/cpu/zero/vm/sharedRuntime_zero.cpp b/src/cpu/zero/vm/sharedRuntime_zero.cpp ---- openjdk/hotspot/src/cpu/zero/vm/sharedRuntime_zero.cpp -+++ openjdk/hotspot/src/cpu/zero/vm/sharedRuntime_zero.cpp -@@ -48,6 +48,11 @@ - - - -+static address zero_null_code_stub() { -+ address start = ShouldNotCallThisStub(); -+ return start; -+} -+ - int SharedRuntime::java_calling_convention(const BasicType *sig_bt, - VMRegPair *regs, - int total_args_passed, -@@ -64,9 +69,9 @@ - AdapterFingerPrint *fingerprint) { - return AdapterHandlerLibrary::new_entry( - fingerprint, -- ShouldNotCallThisStub(), -- ShouldNotCallThisStub(), -- ShouldNotCallThisStub()); -+ ZeroNullStubEntry( CAST_FROM_FN_PTR(address,zero_null_code_stub) ), -+ ZeroNullStubEntry( CAST_FROM_FN_PTR(address,zero_null_code_stub) ), -+ ZeroNullStubEntry( CAST_FROM_FN_PTR(address,zero_null_code_stub) )); - } - - nmethod *SharedRuntime::generate_native_wrapper(MacroAssembler *masm, -@@ -107,11 +112,11 @@ - } - - static SafepointBlob* generate_empty_safepoint_blob() { -- return NULL; -+ return CAST_FROM_FN_PTR(SafepointBlob*,zero_stub); - } - - static DeoptimizationBlob* generate_empty_deopt_blob() { -- return NULL; -+ return CAST_FROM_FN_PTR(DeoptimizationBlob*,zero_stub); - } - - void SharedRuntime::generate_deopt_blob() { -diff --git a/src/share/vm/asm/codeBuffer.cpp b/src/share/vm/asm/codeBuffer.cpp ---- openjdk/hotspot/src/share/vm/asm/codeBuffer.cpp -+++ openjdk/hotspot/src/share/vm/asm/codeBuffer.cpp -@@ -674,7 +674,7 @@ - } - } - -- if (dest->blob() == NULL) { -+ if ((dest->blob() == NULL) && dest_filled ) { - // Destination is a final resting place, not just another buffer. - // Normalize uninitialized bytes in the final padding. - Copy::fill_to_bytes(dest_filled, dest_end - dest_filled,
--- a/patches/hotspot/hs23/zero_hs22.patch Wed May 04 02:55:09 2016 +0100 +++ b/patches/hotspot/hs23/zero_hs22.patch Wed May 04 04:24:30 2016 +0100 @@ -1,6 +1,6 @@ diff -Nru openjdk.orig/hotspot/make/linux/makefiles/defs.make openjdk/hotspot/make/linux/makefiles/defs.make ---- openjdk.orig/hotspot/make/linux/makefiles/defs.make 2013-08-15 14:22:31.083536693 +0100 -+++ openjdk/hotspot/make/linux/makefiles/defs.make 2013-08-15 14:38:48.102899192 +0100 +--- openjdk.orig/hotspot/make/linux/makefiles/defs.make 2016-05-03 20:02:04.292927351 +0100 ++++ openjdk/hotspot/make/linux/makefiles/defs.make 2016-05-03 20:13:14.185874164 +0100 @@ -232,6 +232,7 @@ # client and server subdirectories have symbolic links to ../libjsig.so EXPORT_LIST += $(EXPORT_JRE_LIB_ARCH_DIR)/libjsig.$(LIBRARY_SUFFIX) @@ -49,128 +49,17 @@ ADD_SA_BINARIES/ia64 = ADD_SA_BINARIES/arm = diff -Nru openjdk.orig/hotspot/make/linux/platform_zero.in openjdk/hotspot/make/linux/platform_zero.in ---- openjdk.orig/hotspot/make/linux/platform_zero.in 2013-06-04 18:47:35.000000000 +0100 -+++ openjdk/hotspot/make/linux/platform_zero.in 2013-08-15 14:28:43.109389844 +0100 +--- openjdk.orig/hotspot/make/linux/platform_zero.in 2010-06-14 19:53:45.000000000 +0100 ++++ openjdk/hotspot/make/linux/platform_zero.in 2016-05-03 20:13:14.185874164 +0100 @@ -14,4 +14,4 @@ gnu_dis_arch = zero -sysdefs = -DLINUX -D_GNU_SOURCE -DCC_INTERP -DZERO -D@ZERO_ARCHDEF@ -DZERO_LIBARCH=\"@ZERO_LIBARCH@\" +sysdefs = -DLINUX -D_GNU_SOURCE -DCC_INTERP -DZERO -DTARGET_ARCH_NYI_6939861=1 -D@ZERO_ARCHDEF@ -DZERO_LIBARCH=\"@ZERO_LIBARCH@\" -diff -Nru openjdk.orig/hotspot/src/cpu/zero/vm/methodHandles_zero.hpp openjdk/hotspot/src/cpu/zero/vm/methodHandles_zero.hpp ---- openjdk.orig/hotspot/src/cpu/zero/vm/methodHandles_zero.hpp 2013-06-04 18:47:35.000000000 +0100 -+++ openjdk/hotspot/src/cpu/zero/vm/methodHandles_zero.hpp 2013-08-15 14:37:15.525444593 +0100 -@@ -1,6 +1,6 @@ - /* - * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. -- * Copyright 2011 Red Hat, Inc. -+ * Copyright 2011, 2012 Red Hat, Inc. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -29,3 +29,18 @@ - adapter_code_size = 0 - }; - -+class RicochetFrame : public ResourceObj { -+ friend class MethodHandles; -+ private: -+ /* -+ RF field x86 SPARC -+ sender_pc *(rsp+0) I7-0x8 -+ sender_link rbp I6+BIAS -+ exact_sender_sp rsi/r13 I5_savedSP -+ conversion *(rcx+&amh_conv) L5_conv -+ saved_args_base rax L4_sab (cf. Gargs = G4) -+ saved_args_layout #NULL L3_sal -+ saved_target *(rcx+&mh_vmtgt) L2_stgt -+ continuation #STUB_CON L1_cont -+ */ -+}; -diff -Nru openjdk.orig/hotspot/src/cpu/zero/vm/sharedRuntime_zero.cpp openjdk/hotspot/src/cpu/zero/vm/sharedRuntime_zero.cpp ---- openjdk.orig/hotspot/src/cpu/zero/vm/sharedRuntime_zero.cpp 2013-06-04 18:47:35.000000000 +0100 -+++ openjdk/hotspot/src/cpu/zero/vm/sharedRuntime_zero.cpp 2013-08-15 14:29:56.398542324 +0100 -@@ -1,6 +1,6 @@ - /* - * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. -- * Copyright 2007, 2008, 2009, 2010, 2011 Red Hat, Inc. -+ * Copyright 2007, 2008, 2009, 2010, 2011, 2012 Red Hat, Inc. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -47,6 +47,7 @@ - #endif - - -+ - int SharedRuntime::java_calling_convention(const BasicType *sig_bt, - VMRegPair *regs, - int total_args_passed, -@@ -96,19 +97,20 @@ - ShouldNotCallThis(); - } - -+JRT_LEAF(void, zero_stub()) -+ ShouldNotCallThis(); -+JRT_END -+ - static RuntimeStub* generate_empty_runtime_stub(const char* name) { -- CodeBuffer buffer(name, 0, 0); -- return RuntimeStub::new_runtime_stub(name, &buffer, 0, 0, NULL, false); -+ return CAST_FROM_FN_PTR(RuntimeStub*,zero_stub); - } - - static SafepointBlob* generate_empty_safepoint_blob() { -- CodeBuffer buffer("handler_blob", 0, 0); -- return SafepointBlob::create(&buffer, NULL, 0); -+ return NULL; - } - - static DeoptimizationBlob* generate_empty_deopt_blob() { -- CodeBuffer buffer("handler_blob", 0, 0); -- return DeoptimizationBlob::create(&buffer, NULL, 0, 0, 0, 0); -+ return NULL; - } - - -@@ -124,6 +126,7 @@ - return generate_empty_runtime_stub("resolve_blob"); - } - -+ - int SharedRuntime::c_calling_convention(const BasicType *sig_bt, - VMRegPair *regs, - int total_args_passed) { -diff -Nru openjdk.orig/hotspot/src/share/vm/runtime/vmStructs.cpp openjdk/hotspot/src/share/vm/runtime/vmStructs.cpp ---- openjdk.orig/hotspot/src/share/vm/runtime/vmStructs.cpp 2013-06-04 18:47:35.000000000 +0100 -+++ openjdk/hotspot/src/share/vm/runtime/vmStructs.cpp 2013-08-15 14:28:43.113389906 +0100 -@@ -827,10 +827,10 @@ - /* CodeBlobs (NOTE: incomplete, but only a little) */ \ - /***************************************************/ \ - \ -- X86_ONLY(nonstatic_field(MethodHandles::RicochetFrame, _sender_pc, address)) \ -- X86_ONLY(nonstatic_field(MethodHandles::RicochetFrame, _exact_sender_sp, intptr_t*)) \ -- X86_ONLY(nonstatic_field(MethodHandles::RicochetFrame, _sender_link, intptr_t*)) \ -- X86_ONLY(nonstatic_field(MethodHandles::RicochetFrame, _saved_args_base, intptr_t*)) \ -+ NOT_ZERO(X86_ONLY(nonstatic_field(MethodHandles::RicochetFrame, _sender_pc, address))) \ -+ NOT_ZERO(X86_ONLY(nonstatic_field(MethodHandles::RicochetFrame, _exact_sender_sp, intptr_t*))) \ -+ NOT_ZERO(X86_ONLY(nonstatic_field(MethodHandles::RicochetFrame, _sender_link, intptr_t*))) \ -+ NOT_ZERO(X86_ONLY(nonstatic_field(MethodHandles::RicochetFrame, _saved_args_base, intptr_t*))) \ - \ - static_field(SharedRuntime, _ricochet_blob, RicochetBlob*) \ - \ -@@ -2529,7 +2529,7 @@ - /* frame */ \ - /**********************/ \ - \ -- X86_ONLY(declare_constant(frame::entry_frame_call_wrapper_offset)) \ -+ NOT_ZERO(X86_ONLY(declare_constant(frame::entry_frame_call_wrapper_offset))) \ - declare_constant(frame::pc_return_offset) \ - \ - /*************/ \ diff -Nru openjdk.orig/hotspot/src/share/vm/shark/sharkCompiler.cpp openjdk/hotspot/src/share/vm/shark/sharkCompiler.cpp ---- openjdk.orig/hotspot/src/share/vm/shark/sharkCompiler.cpp 2013-06-04 18:47:35.000000000 +0100 -+++ openjdk/hotspot/src/share/vm/shark/sharkCompiler.cpp 2013-08-15 14:28:43.113389906 +0100 +--- openjdk.orig/hotspot/src/share/vm/shark/sharkCompiler.cpp 2013-09-13 00:30:29.750950170 +0100 ++++ openjdk/hotspot/src/share/vm/shark/sharkCompiler.cpp 2016-05-03 20:13:14.189874098 +0100 @@ -1,6 +1,6 @@ /* * Copyright (c) 1999, 2010, Oracle and/or its affiliates. All rights reserved. @@ -188,29 +77,3 @@ assert(SafepointSynchronize::is_at_safepoint(), "must be at safepoint"); SharkEntry *entry = (SharkEntry *) code; -diff -Nru openjdk.orig/hotspot/src/share/vm/utilities/macros.hpp openjdk/hotspot/src/share/vm/utilities/macros.hpp ---- openjdk.orig/hotspot/src/share/vm/utilities/macros.hpp 2013-06-04 18:47:35.000000000 +0100 -+++ openjdk/hotspot/src/share/vm/utilities/macros.hpp 2013-08-15 14:28:43.113389906 +0100 -@@ -177,6 +177,22 @@ - #define NOT_WIN64(code) code - #endif - -+#if defined(ZERO) -+#define ZERO_ONLY(code) code -+#define NOT_ZERO(code) -+#else -+#define ZERO_ONLY(code) -+#define NOT_ZERO(code) code -+#endif -+ -+#if defined(SHARK) -+#define SHARK_ONLY(code) code -+#define NOT_SHARK(code) -+#else -+#define SHARK_ONLY(code) -+#define NOT_SHARK(code) code -+#endif -+ - #if defined(IA32) || defined(AMD64) - #define X86 - #define X86_ONLY(code) code
--- a/patches/openjdk/4963723-implement_sha-224.patch Wed May 04 02:55:09 2016 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,2301 +0,0 @@ -diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/HmacCore.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/HmacCore.java ---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/HmacCore.java 2015-07-20 17:22:00.184870879 +0100 -+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/HmacCore.java 2015-07-20 17:43:33.186332677 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2002, 2009, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -38,16 +38,16 @@ - * This class constitutes the core of HMAC-<MD> algorithms, where - * <MD> can be SHA1 or MD5, etc. - * -- * It also contains the implementation classes for the SHA-256, -+ * It also contains the implementation classes for SHA-224, SHA-256, - * SHA-384, and SHA-512 HMACs. - * - * @author Jan Luehe - */ --final class HmacCore implements Cloneable { -+abstract class HmacCore extends MacSpi implements Cloneable { - -- private final MessageDigest md; -- private final byte[] k_ipad; // inner padding - key XORd with ipad -- private final byte[] k_opad; // outer padding - key XORd with opad -+ private MessageDigest md; -+ private byte[] k_ipad; // inner padding - key XORd with ipad -+ private byte[] k_opad; // outer padding - key XORd with opad - private boolean first; // Is this the first data to be processed? - - private final int blockLen; -@@ -73,22 +73,11 @@ - } - - /** -- * Constructor used for cloning. -- */ -- private HmacCore(HmacCore other) throws CloneNotSupportedException { -- this.md = (MessageDigest)other.md.clone(); -- this.blockLen = other.blockLen; -- this.k_ipad = (byte[])other.k_ipad.clone(); -- this.k_opad = (byte[])other.k_opad.clone(); -- this.first = other.first; -- } -- -- /** - * Returns the length of the HMAC in bytes. - * - * @return the HMAC length in bytes. - */ -- int getDigestLength() { -+ protected int engineGetMacLength() { - return this.md.getDigestLength(); - } - -@@ -103,9 +92,8 @@ - * @exception InvalidAlgorithmParameterException if the given algorithm - * parameters are inappropriate for this MAC. - */ -- void init(Key key, AlgorithmParameterSpec params) -+ protected void engineInit(Key key, AlgorithmParameterSpec params) - throws InvalidKeyException, InvalidAlgorithmParameterException { -- - if (params != null) { - throw new InvalidAlgorithmParameterException - ("HMAC does not use parameters"); -@@ -140,7 +128,7 @@ - Arrays.fill(secret, (byte)0); - secret = null; - -- reset(); -+ engineReset(); - } - - /** -@@ -148,7 +136,7 @@ - * - * @param input the input byte to be processed. - */ -- void update(byte input) { -+ protected void engineUpdate(byte input) { - if (first == true) { - // compute digest for 1st pass; start with inner pad - md.update(k_ipad); -@@ -167,7 +155,7 @@ - * @param offset the offset in <code>input</code> where the input starts. - * @param len the number of bytes to process. - */ -- void update(byte input[], int offset, int len) { -+ protected void engineUpdate(byte input[], int offset, int len) { - if (first == true) { - // compute digest for 1st pass; start with inner pad - md.update(k_ipad); -@@ -178,7 +166,13 @@ - md.update(input, offset, len); - } - -- void update(ByteBuffer input) { -+ /** -+ * Processes the <code>input.remaining()</code> bytes in the ByteBuffer -+ * <code>input</code>. -+ * -+ * @param input the input byte buffer. -+ */ -+ protected void engineUpdate(ByteBuffer input) { - if (first == true) { - // compute digest for 1st pass; start with inner pad - md.update(k_ipad); -@@ -194,7 +188,7 @@ - * - * @return the HMAC result. - */ -- byte[] doFinal() { -+ protected byte[] engineDoFinal() { - if (first == true) { - // compute digest for 1st pass; start with inner pad - md.update(k_ipad); -@@ -223,7 +217,7 @@ - * Resets the HMAC for further use, maintaining the secret key that the - * HMAC was initialized with. - */ -- void reset() { -+ protected void engineReset() { - if (first == false) { - md.reset(); - first = true; -@@ -234,115 +228,38 @@ - * Clones this object. - */ - public Object clone() throws CloneNotSupportedException { -- return new HmacCore(this); -+ HmacCore copy = (HmacCore) super.clone(); -+ copy.md = (MessageDigest) md.clone(); -+ copy.k_ipad = k_ipad.clone(); -+ copy.k_opad = k_opad.clone(); -+ return copy; -+ } -+ -+ // nested static class for the HmacSHA224 implementation -+ public static final class HmacSHA224 extends HmacCore { -+ public HmacSHA224() throws NoSuchAlgorithmException { -+ super("SHA-224", 64); -+ } - } - - // nested static class for the HmacSHA256 implementation -- public static final class HmacSHA256 extends MacSpi implements Cloneable { -- private final HmacCore core; -+ public static final class HmacSHA256 extends HmacCore { - public HmacSHA256() throws NoSuchAlgorithmException { -- core = new HmacCore("SHA-256", 64); -- } -- private HmacSHA256(HmacSHA256 base) throws CloneNotSupportedException { -- core = (HmacCore)base.core.clone(); -- } -- protected int engineGetMacLength() { -- return core.getDigestLength(); -- } -- protected void engineInit(Key key, AlgorithmParameterSpec params) -- throws InvalidKeyException, InvalidAlgorithmParameterException { -- core.init(key, params); -- } -- protected void engineUpdate(byte input) { -- core.update(input); -- } -- protected void engineUpdate(byte input[], int offset, int len) { -- core.update(input, offset, len); -- } -- protected void engineUpdate(ByteBuffer input) { -- core.update(input); -- } -- protected byte[] engineDoFinal() { -- return core.doFinal(); -- } -- protected void engineReset() { -- core.reset(); -- } -- public Object clone() throws CloneNotSupportedException { -- return new HmacSHA256(this); -+ super("SHA-256", 64); - } - } - - // nested static class for the HmacSHA384 implementation -- public static final class HmacSHA384 extends MacSpi implements Cloneable { -- private final HmacCore core; -+ public static final class HmacSHA384 extends HmacCore { - public HmacSHA384() throws NoSuchAlgorithmException { -- core = new HmacCore("SHA-384", 128); -- } -- private HmacSHA384(HmacSHA384 base) throws CloneNotSupportedException { -- core = (HmacCore)base.core.clone(); -- } -- protected int engineGetMacLength() { -- return core.getDigestLength(); -- } -- protected void engineInit(Key key, AlgorithmParameterSpec params) -- throws InvalidKeyException, InvalidAlgorithmParameterException { -- core.init(key, params); -- } -- protected void engineUpdate(byte input) { -- core.update(input); -- } -- protected void engineUpdate(byte input[], int offset, int len) { -- core.update(input, offset, len); -- } -- protected void engineUpdate(ByteBuffer input) { -- core.update(input); -- } -- protected byte[] engineDoFinal() { -- return core.doFinal(); -- } -- protected void engineReset() { -- core.reset(); -- } -- public Object clone() throws CloneNotSupportedException { -- return new HmacSHA384(this); -+ super("SHA-384", 128); - } - } - - // nested static class for the HmacSHA512 implementation -- public static final class HmacSHA512 extends MacSpi implements Cloneable { -- private final HmacCore core; -+ public static final class HmacSHA512 extends HmacCore { - public HmacSHA512() throws NoSuchAlgorithmException { -- core = new HmacCore("SHA-512", 128); -- } -- private HmacSHA512(HmacSHA512 base) throws CloneNotSupportedException { -- core = (HmacCore)base.core.clone(); -- } -- protected int engineGetMacLength() { -- return core.getDigestLength(); -- } -- protected void engineInit(Key key, AlgorithmParameterSpec params) -- throws InvalidKeyException, InvalidAlgorithmParameterException { -- core.init(key, params); -- } -- protected void engineUpdate(byte input) { -- core.update(input); -- } -- protected void engineUpdate(byte input[], int offset, int len) { -- core.update(input, offset, len); -- } -- protected void engineUpdate(ByteBuffer input) { -- core.update(input); -- } -- protected byte[] engineDoFinal() { -- return core.doFinal(); -- } -- protected void engineReset() { -- core.reset(); -- } -- public Object clone() throws CloneNotSupportedException { -- return new HmacSHA512(this); -+ super("SHA-512", 128); - } - } -- - } -diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/HmacMD5.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/HmacMD5.java ---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/HmacMD5.java 2015-07-20 17:22:00.308868718 +0100 -+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/HmacMD5.java 2015-07-20 17:43:33.186332677 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1998, 2009, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1998, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -37,97 +37,11 @@ - * - * @author Jan Luehe - */ --public final class HmacMD5 extends MacSpi implements Cloneable { -- -- private HmacCore hmac; -- private static final int MD5_BLOCK_LENGTH = 64; -- -+public final class HmacMD5 extends HmacCore { - /** - * Standard constructor, creates a new HmacMD5 instance. - */ - public HmacMD5() throws NoSuchAlgorithmException { -- hmac = new HmacCore(MessageDigest.getInstance("MD5"), -- MD5_BLOCK_LENGTH); -- } -- -- /** -- * Returns the length of the HMAC in bytes. -- * -- * @return the HMAC length in bytes. -- */ -- protected int engineGetMacLength() { -- return hmac.getDigestLength(); -- } -- -- /** -- * Initializes the HMAC with the given secret key and algorithm parameters. -- * -- * @param key the secret key. -- * @param params the algorithm parameters. -- * -- * @exception InvalidKeyException if the given key is inappropriate for -- * initializing this MAC. -- * @exception InvalidAlgorithmParameterException if the given algorithm -- * parameters are inappropriate for this MAC. -- */ -- protected void engineInit(Key key, AlgorithmParameterSpec params) -- throws InvalidKeyException, InvalidAlgorithmParameterException { -- hmac.init(key, params); -- } -- -- /** -- * Processes the given byte. -- * -- * @param input the input byte to be processed. -- */ -- protected void engineUpdate(byte input) { -- hmac.update(input); -- } -- -- /** -- * Processes the first <code>len</code> bytes in <code>input</code>, -- * starting at <code>offset</code>. -- * -- * @param input the input buffer. -- * @param offset the offset in <code>input</code> where the input starts. -- * @param len the number of bytes to process. -- */ -- protected void engineUpdate(byte input[], int offset, int len) { -- hmac.update(input, offset, len); -- } -- -- protected void engineUpdate(ByteBuffer input) { -- hmac.update(input); -- } -- -- /** -- * Completes the HMAC computation and resets the HMAC for further use, -- * maintaining the secret key that the HMAC was initialized with. -- * -- * @return the HMAC result. -- */ -- protected byte[] engineDoFinal() { -- return hmac.doFinal(); -- } -- -- /** -- * Resets the HMAC for further use, maintaining the secret key that the -- * HMAC was initialized with. -- */ -- protected void engineReset() { -- hmac.reset(); -- } -- -- /* -- * Clones this object. -- */ -- public Object clone() { -- HmacMD5 that = null; -- try { -- that = (HmacMD5) super.clone(); -- that.hmac = (HmacCore) this.hmac.clone(); -- } catch (CloneNotSupportedException e) { -- } -- return that; -+ super("MD5", 64); - } - } -diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/HmacPKCS12PBESHA1.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/HmacPKCS12PBESHA1.java ---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/HmacPKCS12PBESHA1.java 2015-07-20 17:22:00.336868230 +0100 -+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/HmacPKCS12PBESHA1.java 2015-07-20 17:43:33.186332677 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2009, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -41,26 +41,13 @@ - * - * @author Valerie Peng - */ --public final class HmacPKCS12PBESHA1 extends MacSpi implements Cloneable { -- -- private HmacCore hmac = null; -- private static final int SHA1_BLOCK_LENGTH = 64; -+public final class HmacPKCS12PBESHA1 extends HmacCore { - - /** - * Standard constructor, creates a new HmacSHA1 instance. - */ - public HmacPKCS12PBESHA1() throws NoSuchAlgorithmException { -- this.hmac = new HmacCore(MessageDigest.getInstance("SHA1"), -- SHA1_BLOCK_LENGTH); -- } -- -- /** -- * Returns the length of the HMAC in bytes. -- * -- * @return the HMAC length in bytes. -- */ -- protected int engineGetMacLength() { -- return hmac.getDigestLength(); -+ super("SHA1", 64); - } - - /** -@@ -71,7 +58,7 @@ - * - * @exception InvalidKeyException if the given key is inappropriate for - * initializing this MAC. -- u* @exception InvalidAlgorithmParameterException if the given algorithm -+ * @exception InvalidAlgorithmParameterException if the given algorithm - * parameters are inappropriate for this MAC. - */ - protected void engineInit(Key key, AlgorithmParameterSpec params) -@@ -140,64 +127,8 @@ - ("IterationCount must be a positive number"); - } - byte[] derivedKey = PKCS12PBECipherCore.derive(passwdChars, salt, -- iCount, hmac.getDigestLength(), PKCS12PBECipherCore.MAC_KEY); -+ iCount, engineGetMacLength(), PKCS12PBECipherCore.MAC_KEY); - SecretKey cipherKey = new SecretKeySpec(derivedKey, "HmacSHA1"); -- hmac.init(cipherKey, null); -- } -- -- /** -- * Processes the given byte. -- * -- * @param input the input byte to be processed. -- */ -- protected void engineUpdate(byte input) { -- hmac.update(input); -- } -- -- /** -- * Processes the first <code>len</code> bytes in <code>input</code>, -- * starting at <code>offset</code>. -- * -- * @param input the input buffer. -- * @param offset the offset in <code>input</code> where the input starts. -- * @param len the number of bytes to process. -- */ -- protected void engineUpdate(byte input[], int offset, int len) { -- hmac.update(input, offset, len); -- } -- -- protected void engineUpdate(ByteBuffer input) { -- hmac.update(input); -- } -- -- /** -- * Completes the HMAC computation and resets the HMAC for further use, -- * maintaining the secret key that the HMAC was initialized with. -- * -- * @return the HMAC result. -- */ -- protected byte[] engineDoFinal() { -- return hmac.doFinal(); -- } -- -- /** -- * Resets the HMAC for further use, maintaining the secret key that the -- * HMAC was initialized with. -- */ -- protected void engineReset() { -- hmac.reset(); -- } -- -- /* -- * Clones this object. -- */ -- public Object clone() { -- HmacPKCS12PBESHA1 that = null; -- try { -- that = (HmacPKCS12PBESHA1)super.clone(); -- that.hmac = (HmacCore)this.hmac.clone(); -- } catch (CloneNotSupportedException e) { -- } -- return that; -+ super.engineInit(cipherKey, null); - } - } -diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/HmacSHA1.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/HmacSHA1.java ---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/HmacSHA1.java 2015-07-20 17:22:00.356867881 +0100 -+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/HmacSHA1.java 2015-07-20 17:43:33.186332677 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1998, 2009, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1998, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -37,97 +37,11 @@ - * - * @author Jan Luehe - */ --public final class HmacSHA1 extends MacSpi implements Cloneable { -- -- private HmacCore hmac = null; -- private static final int SHA1_BLOCK_LENGTH = 64; -- -+public final class HmacSHA1 extends HmacCore { - /** - * Standard constructor, creates a new HmacSHA1 instance. - */ - public HmacSHA1() throws NoSuchAlgorithmException { -- this.hmac = new HmacCore(MessageDigest.getInstance("SHA1"), -- SHA1_BLOCK_LENGTH); -- } -- -- /** -- * Returns the length of the HMAC in bytes. -- * -- * @return the HMAC length in bytes. -- */ -- protected int engineGetMacLength() { -- return hmac.getDigestLength(); -- } -- -- /** -- * Initializes the HMAC with the given secret key and algorithm parameters. -- * -- * @param key the secret key. -- * @param params the algorithm parameters. -- * -- * @exception InvalidKeyException if the given key is inappropriate for -- * initializing this MAC. -- * @exception InvalidAlgorithmParameterException if the given algorithm -- * parameters are inappropriate for this MAC. -- */ -- protected void engineInit(Key key, AlgorithmParameterSpec params) -- throws InvalidKeyException, InvalidAlgorithmParameterException { -- hmac.init(key, params); -- } -- -- /** -- * Processes the given byte. -- * -- * @param input the input byte to be processed. -- */ -- protected void engineUpdate(byte input) { -- hmac.update(input); -- } -- -- /** -- * Processes the first <code>len</code> bytes in <code>input</code>, -- * starting at <code>offset</code>. -- * -- * @param input the input buffer. -- * @param offset the offset in <code>input</code> where the input starts. -- * @param len the number of bytes to process. -- */ -- protected void engineUpdate(byte input[], int offset, int len) { -- hmac.update(input, offset, len); -- } -- -- protected void engineUpdate(ByteBuffer input) { -- hmac.update(input); -- } -- -- /** -- * Completes the HMAC computation and resets the HMAC for further use, -- * maintaining the secret key that the HMAC was initialized with. -- * -- * @return the HMAC result. -- */ -- protected byte[] engineDoFinal() { -- return hmac.doFinal(); -- } -- -- /** -- * Resets the HMAC for further use, maintaining the secret key that the -- * HMAC was initialized with. -- */ -- protected void engineReset() { -- hmac.reset(); -- } -- -- /* -- * Clones this object. -- */ -- public Object clone() { -- HmacSHA1 that = null; -- try { -- that = (HmacSHA1)super.clone(); -- that.hmac = (HmacCore)this.hmac.clone(); -- } catch (CloneNotSupportedException e) { -- } -- return that; -+ super("SHA1", 64); - } - } -diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/KeyGeneratorCore.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/KeyGeneratorCore.java ---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/KeyGeneratorCore.java 2015-07-20 17:22:00.700861885 +0100 -+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/KeyGeneratorCore.java 2015-07-20 17:43:33.186332677 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2009, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -105,11 +105,11 @@ - return new SecretKeySpec(b, name); - } - -- // nested static class for the HmacSHA256 key generator -- public static final class HmacSHA256KG extends KeyGeneratorSpi { -+ // nested static classes for the HmacSHA-2 family of key generator -+ abstract static class HmacSHA2KG extends KeyGeneratorSpi { - private final KeyGeneratorCore core; -- public HmacSHA256KG() { -- core = new KeyGeneratorCore("HmacSHA256", 256); -+ protected HmacSHA2KG(String algoName, int len) { -+ core = new KeyGeneratorCore(algoName, len); - } - protected void engineInit(SecureRandom random) { - core.implInit(random); -@@ -124,50 +124,27 @@ - protected SecretKey engineGenerateKey() { - return core.implGenerateKey(); - } -+ public static final class SHA224 extends HmacSHA2KG { -+ public SHA224() { -+ super("HmacSHA224", 224); -+ } -+ } -+ public static final class SHA256 extends HmacSHA2KG { -+ public SHA256() { -+ super("HmacSHA256", 256); -+ } -+ } -+ public static final class SHA384 extends HmacSHA2KG { -+ public SHA384() { -+ super("HmacSHA384", 384); -+ } -+ } -+ public static final class SHA512 extends HmacSHA2KG { -+ public SHA512() { -+ super("HmacSHA512", 512); -+ } -+ } - } -- -- // nested static class for the HmacSHA384 key generator -- public static final class HmacSHA384KG extends KeyGeneratorSpi { -- private final KeyGeneratorCore core; -- public HmacSHA384KG() { -- core = new KeyGeneratorCore("HmacSHA384", 384); -- } -- protected void engineInit(SecureRandom random) { -- core.implInit(random); -- } -- protected void engineInit(AlgorithmParameterSpec params, -- SecureRandom random) throws InvalidAlgorithmParameterException { -- core.implInit(params, random); -- } -- protected void engineInit(int keySize, SecureRandom random) { -- core.implInit(keySize, random); -- } -- protected SecretKey engineGenerateKey() { -- return core.implGenerateKey(); -- } -- } -- -- // nested static class for the HmacSHA384 key generator -- public static final class HmacSHA512KG extends KeyGeneratorSpi { -- private final KeyGeneratorCore core; -- public HmacSHA512KG() { -- core = new KeyGeneratorCore("HmacSHA512", 512); -- } -- protected void engineInit(SecureRandom random) { -- core.implInit(random); -- } -- protected void engineInit(AlgorithmParameterSpec params, -- SecureRandom random) throws InvalidAlgorithmParameterException { -- core.implInit(params, random); -- } -- protected void engineInit(int keySize, SecureRandom random) { -- core.implInit(keySize, random); -- } -- protected SecretKey engineGenerateKey() { -- return core.implGenerateKey(); -- } -- } -- - // nested static class for the RC2 key generator - public static final class RC2KeyGenerator extends KeyGeneratorSpi { - private final KeyGeneratorCore core; -diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/OAEPParameters.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/OAEPParameters.java ---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/OAEPParameters.java 2015-07-20 17:22:00.780860490 +0100 -+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/OAEPParameters.java 2015-07-20 17:43:33.190332609 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2007, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -143,6 +143,8 @@ - String mgfDigestName = convertToStandardName(params.getName()); - if (mgfDigestName.equals("SHA-1")) { - mgfSpec = MGF1ParameterSpec.SHA1; -+ } else if (mgfDigestName.equals("SHA-224")) { -+ mgfSpec = new MGF1ParameterSpec("SHA-224"); - } else if (mgfDigestName.equals("SHA-256")) { - mgfSpec = MGF1ParameterSpec.SHA256; - } else if (mgfDigestName.equals("SHA-384")) { -diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/SunJCE.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/SunJCE.java ---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/SunJCE.java 2015-07-20 17:22:01.612845988 +0100 -+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/SunJCE.java 2015-07-20 17:43:33.190332609 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1997, 2009, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -70,7 +70,7 @@ - * - * - Diffie-Hellman Key Agreement - * -- * - HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 -+ * - HMAC-MD5, HMAC-SHA1, HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 - * - */ - -@@ -117,6 +117,7 @@ - "NOPADDING|PKCS1PADDING|OAEPWITHMD5ANDMGF1PADDING" - + "|OAEPWITHSHA1ANDMGF1PADDING" - + "|OAEPWITHSHA-1ANDMGF1PADDING" -+ + "|OAEPWITHSHA-224ANDMGF1PADDING" - + "|OAEPWITHSHA-256ANDMGF1PADDING" - + "|OAEPWITHSHA-384ANDMGF1PADDING" - + "|OAEPWITHSHA-512ANDMGF1PADDING"); -@@ -225,12 +226,25 @@ - put("KeyGenerator.HmacSHA1", - "com.sun.crypto.provider.HmacSHA1KeyGenerator"); - -+ put("KeyGenerator.HmacSHA224", -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacSHA2KG$SHA224"); -+ put("Alg.Alias.KeyGenerator.OID.1.2.840.113549.2.8", "HmacSHA224"); -+ put("Alg.Alias.KeyGenerator.1.2.840.113549.2.8", "HmacSHA224"); -+ - put("KeyGenerator.HmacSHA256", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacSHA256KG"); -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacSHA2KG$SHA256"); -+ put("Alg.Alias.KeyGenerator.OID.1.2.840.113549.2.9", "HmacSHA256"); -+ put("Alg.Alias.KeyGenerator.1.2.840.113549.2.9", "HmacSHA256"); -+ - put("KeyGenerator.HmacSHA384", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacSHA384KG"); -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacSHA2KG$SHA384"); -+ put("Alg.Alias.KeyGenerator.OID.1.2.840.113549.2.10", "HmacSHA384"); -+ put("Alg.Alias.KeyGenerator.1.2.840.113549.2.10", "HmacSHA384"); -+ - put("KeyGenerator.HmacSHA512", -- "com.sun.crypto.provider.KeyGeneratorCore$HmacSHA512KG"); -+ "com.sun.crypto.provider.KeyGeneratorCore$HmacSHA2KG$SHA512"); -+ put("Alg.Alias.KeyGenerator.OID.1.2.840.113549.2.11", "HmacSHA512"); -+ put("Alg.Alias.KeyGenerator.1.2.840.113549.2.11", "HmacSHA512"); - - put("KeyPairGenerator.DiffieHellman", - "com.sun.crypto.provider.DHKeyPairGenerator"); -@@ -393,12 +407,23 @@ - */ - put("Mac.HmacMD5", "com.sun.crypto.provider.HmacMD5"); - put("Mac.HmacSHA1", "com.sun.crypto.provider.HmacSHA1"); -+ put("Mac.HmacSHA224", -+ "com.sun.crypto.provider.HmacCore$HmacSHA224"); -+ put("Alg.Alias.Mac.OID.1.2.840.113549.2.8", "HmacSHA224"); -+ put("Alg.Alias.Mac.1.2.840.113549.2.8", "HmacSHA224"); - put("Mac.HmacSHA256", - "com.sun.crypto.provider.HmacCore$HmacSHA256"); -+ put("Alg.Alias.Mac.OID.1.2.840.113549.2.9", "HmacSHA256"); -+ put("Alg.Alias.Mac.1.2.840.113549.2.9", "HmacSHA256"); - put("Mac.HmacSHA384", - "com.sun.crypto.provider.HmacCore$HmacSHA384"); -+ put("Alg.Alias.Mac.OID.1.2.840.113549.2.10", "HmacSHA384"); -+ put("Alg.Alias.Mac.1.2.840.113549.2.10", "HmacSHA384"); - put("Mac.HmacSHA512", - "com.sun.crypto.provider.HmacCore$HmacSHA512"); -+ put("Alg.Alias.Mac.OID.1.2.840.113549.2.11", "HmacSHA512"); -+ put("Alg.Alias.Mac.1.2.840.113549.2.11", "HmacSHA512"); -+ - put("Mac.HmacPBESHA1", - "com.sun.crypto.provider.HmacPKCS12PBESHA1"); - -@@ -409,6 +434,7 @@ - - put("Mac.HmacMD5 SupportedKeyFormats", "RAW"); - put("Mac.HmacSHA1 SupportedKeyFormats", "RAW"); -+ put("Mac.HmacSHA224 SupportedKeyFormats", "RAW"); - put("Mac.HmacSHA256 SupportedKeyFormats", "RAW"); - put("Mac.HmacSHA384 SupportedKeyFormats", "RAW"); - put("Mac.HmacSHA512 SupportedKeyFormats", "RAW"); -diff -Nru openjdk.orig/jdk/src/share/classes/java/security/spec/MGF1ParameterSpec.java openjdk/jdk/src/share/classes/java/security/spec/MGF1ParameterSpec.java ---- openjdk.orig/jdk/src/share/classes/java/security/spec/MGF1ParameterSpec.java 2015-07-20 17:22:19.176539837 +0100 -+++ openjdk/jdk/src/share/classes/java/security/spec/MGF1ParameterSpec.java 2015-07-20 17:43:33.190332609 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -42,6 +42,7 @@ - * <pre> - * OAEP-PSSDigestAlgorithms ALGORITHM-IDENTIFIER ::= { - * { OID id-sha1 PARAMETERS NULL }| -+ * { OID id-sha224 PARAMETERS NULL }| - * { OID id-sha256 PARAMETERS NULL }| - * { OID id-sha384 PARAMETERS NULL }| - * { OID id-sha512 PARAMETERS NULL }, -diff -Nru openjdk.orig/jdk/src/share/classes/java/security/spec/PSSParameterSpec.java openjdk/jdk/src/share/classes/java/security/spec/PSSParameterSpec.java ---- openjdk.orig/jdk/src/share/classes/java/security/spec/PSSParameterSpec.java 2015-07-20 17:22:19.176539837 +0100 -+++ openjdk/jdk/src/share/classes/java/security/spec/PSSParameterSpec.java 2015-07-20 17:43:33.190332609 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2001, 2006, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2001, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -47,6 +47,7 @@ - * <pre> - * OAEP-PSSDigestAlgorithms ALGORITHM-IDENTIFIER ::= { - * { OID id-sha1 PARAMETERS NULL }| -+ * { OID id-sha224 PARAMETERS NULL }| - * { OID id-sha256 PARAMETERS NULL }| - * { OID id-sha384 PARAMETERS NULL }| - * { OID id-sha512 PARAMETERS NULL }, -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Digest.java openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Digest.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Digest.java 2015-07-20 17:41:00.580992729 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Digest.java 2015-07-20 17:43:33.190332609 +0100 -@@ -39,7 +39,7 @@ - - /** - * MessageDigest implementation class. This class currently supports -- * MD2, MD5, SHA-1, SHA-256, SHA-384, and SHA-512. -+ * MD2, MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512. - * - * Note that many digest operations are on fairly small amounts of data - * (less than 100 bytes total). For example, the 2nd hashing in HMAC or -@@ -99,6 +99,9 @@ - case (int)CKM_SHA_1: - digestLength = 20; - break; -+ case (int)CKM_SHA224: -+ digestLength = 28; -+ break; - case (int)CKM_SHA256: - digestLength = 32; - break; -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Mac.java openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Mac.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Mac.java 2015-07-20 17:22:22.852475762 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Mac.java 2015-07-20 17:43:33.190332609 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -40,8 +40,8 @@ - - /** - * MAC implementation class. This class currently supports HMAC using -- * MD5, SHA-1, SHA-256, SHA-384, and SHA-512 and the SSL3 MAC using MD5 -- * and SHA-1. -+ * MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 and the SSL3 MAC -+ * using MD5 and SHA-1. - * - * Note that unlike other classes (e.g. Signature), this does not - * composite various operations if the token only supports part of the -@@ -107,6 +107,9 @@ - case (int)CKM_SHA_1_HMAC: - macLength = 20; - break; -+ case (int)CKM_SHA224_HMAC: -+ macLength = 28; -+ break; - case (int)CKM_SHA256_HMAC: - macLength = 32; - break; -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java 2015-07-20 17:22:22.860475622 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java 2015-07-20 17:43:33.190332609 +0100 -@@ -54,12 +54,14 @@ - * . MD2withRSA - * . MD5withRSA - * . SHA1withRSA -+ * . SHA224withRSA - * . SHA256withRSA - * . SHA384withRSA - * . SHA512withRSA - * . ECDSA - * . NONEwithECDSA - * . SHA1withECDSA -+ * . SHA224withECDSA - * . SHA256withECDSA - * . SHA384withECDSA - * . SHA512withECDSA -@@ -144,6 +146,7 @@ - case (int)CKM_MD2_RSA_PKCS: - case (int)CKM_MD5_RSA_PKCS: - case (int)CKM_SHA1_RSA_PKCS: -+ case (int)CKM_SHA224_RSA_PKCS: - case (int)CKM_SHA256_RSA_PKCS: - case (int)CKM_SHA384_RSA_PKCS: - case (int)CKM_SHA512_RSA_PKCS: -@@ -182,6 +185,8 @@ - String digestAlg; - if (algorithm.equals("SHA1withECDSA")) { - digestAlg = "SHA-1"; -+ } else if (algorithm.equals("SHA224withECDSA")) { -+ digestAlg = "SHA-224"; - } else if (algorithm.equals("SHA256withECDSA")) { - digestAlg = "SHA-256"; - } else if (algorithm.equals("SHA384withECDSA")) { -@@ -209,6 +214,9 @@ - } else if (algorithm.equals("MD2withRSA")) { - md = MessageDigest.getInstance("MD2"); - digestOID = AlgorithmId.MD2_oid; -+ } else if (algorithm.equals("SHA224withRSA")) { -+ md = MessageDigest.getInstance("SHA-224"); -+ digestOID = AlgorithmId.SHA224_oid; - } else if (algorithm.equals("SHA256withRSA")) { - md = MessageDigest.getInstance("SHA-256"); - digestOID = AlgorithmId.SHA256_oid; -@@ -334,6 +342,8 @@ - encodedLength = 34; - } else if (algorithm.equals("SHA1withRSA")) { - encodedLength = 35; -+ } else if (algorithm.equals("SHA224withRSA")) { -+ encodedLength = 47; - } else if (algorithm.equals("SHA256withRSA")) { - encodedLength = 51; - } else if (algorithm.equals("SHA384withRSA")) { -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2015-07-20 17:41:00.524993705 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2015-07-20 17:43:33.190332609 +0100 -@@ -328,6 +328,7 @@ - System.out.println("Library info:"); - System.out.println(p11Info); - } -+ - if ((slotID < 0) || showInfo) { - long[] slots = p11.C_GetSlotList(false); - if (showInfo) { -@@ -504,24 +505,37 @@ - m(CKM_MD2)); - d(MD, "MD5", P11Digest, - m(CKM_MD5)); -- d(MD, "SHA1", P11Digest, s("SHA", "SHA-1"), -+ d(MD, "SHA1", P11Digest, s("SHA", "SHA-1"), - m(CKM_SHA_1)); -+ -+ d(MD, "SHA-224", P11Digest, -+ s("2.16.840.1.101.3.4.2.4", "OID.2.16.840.1.101.3.4.2.4"), -+ m(CKM_SHA224)); - d(MD, "SHA-256", P11Digest, -+ s("2.16.840.1.101.3.4.2.1", "OID.2.16.840.1.101.3.4.2.1"), - m(CKM_SHA256)); - d(MD, "SHA-384", P11Digest, -+ s("2.16.840.1.101.3.4.2.2", "OID.2.16.840.1.101.3.4.2.2"), - m(CKM_SHA384)); - d(MD, "SHA-512", P11Digest, -+ s("2.16.840.1.101.3.4.2.3", "OID.2.16.840.1.101.3.4.2.3"), - m(CKM_SHA512)); - - d(MAC, "HmacMD5", P11MAC, - m(CKM_MD5_HMAC)); - d(MAC, "HmacSHA1", P11MAC, - m(CKM_SHA_1_HMAC)); -+ d(MAC, "HmacSHA224", P11MAC, -+ s("1.2.840.113549.2.8", "OID.1.2.840.113549.2.8"), -+ m(CKM_SHA224_HMAC)); - d(MAC, "HmacSHA256", P11MAC, -+ s("1.2.840.113549.2.9", "OID.1.2.840.113549.2.9"), - m(CKM_SHA256_HMAC)); - d(MAC, "HmacSHA384", P11MAC, -+ s("1.2.840.113549.2.10", "OID.1.2.840.113549.2.10"), - m(CKM_SHA384_HMAC)); - d(MAC, "HmacSHA512", P11MAC, -+ s("1.2.840.113549.2.11", "OID.1.2.840.113549.2.11"), - m(CKM_SHA512_HMAC)); - d(MAC, "SslMacMD5", P11MAC, - m(CKM_SSL3_MD5_MAC)); -@@ -619,11 +633,17 @@ - m(CKM_ECDSA)); - d(SIG, "SHA1withECDSA", P11Signature, s("ECDSA"), - m(CKM_ECDSA_SHA1, CKM_ECDSA)); -+ d(SIG, "SHA224withECDSA", P11Signature, -+ s("1.2.840.10045.4.3.1", "OID.1.2.840.10045.4.3.1"), -+ m(CKM_ECDSA)); - d(SIG, "SHA256withECDSA", P11Signature, -+ s("1.2.840.10045.4.3.2", "OID.1.2.840.10045.4.3.2"), - m(CKM_ECDSA)); - d(SIG, "SHA384withECDSA", P11Signature, -+ s("1.2.840.10045.4.3.3", "OID.1.2.840.10045.4.3.3"), - m(CKM_ECDSA)); - d(SIG, "SHA512withECDSA", P11Signature, -+ s("1.2.840.10045.4.3.4", "OID.1.2.840.10045.4.3.4"), - m(CKM_ECDSA)); - d(SIG, "MD2withRSA", P11Signature, - m(CKM_MD2_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); -@@ -631,11 +651,17 @@ - m(CKM_MD5_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); - d(SIG, "SHA1withRSA", P11Signature, - m(CKM_SHA1_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); -+ d(SIG, "SHA224withRSA", P11Signature, -+ s("1.2.840.113549.1.1.14", "OID.1.2.840.113549.1.1.14"), -+ m(CKM_SHA224_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); - d(SIG, "SHA256withRSA", P11Signature, -+ s("1.2.840.113549.1.1.11", "OID.1.2.840.113549.1.1.11"), - m(CKM_SHA256_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); - d(SIG, "SHA384withRSA", P11Signature, -+ s("1.2.840.113549.1.1.12", "OID.1.2.840.113549.1.1.12"), - m(CKM_SHA384_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); - d(SIG, "SHA512withRSA", P11Signature, -+ s("1.2.840.113549.1.1.13", "OID.1.2.840.113549.1.1.13"), - m(CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); - - d(KG, "SunTlsRsaPremasterSecret", "sun.security.pkcs11.P11TlsRsaPremasterSecretGenerator", -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/Functions.java openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/Functions.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/Functions.java 2015-07-20 17:24:47.085961640 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/Functions.java 2015-07-20 17:43:33.190332609 +0100 -@@ -614,6 +614,7 @@ - addMech(CKM_X9_42_DH_DERIVE, "CKM_X9_42_DH_DERIVE"); - addMech(CKM_X9_42_DH_HYBRID_DERIVE, "CKM_X9_42_DH_HYBRID_DERIVE"); - addMech(CKM_X9_42_MQV_DERIVE, "CKM_X9_42_MQV_DERIVE"); -+ addMech(CKM_SHA224_RSA_PKCS, "CKM_SHA224_RSA_PKCS"); - addMech(CKM_SHA256_RSA_PKCS, "CKM_SHA256_RSA_PKCS"); - addMech(CKM_SHA384_RSA_PKCS, "CKM_SHA384_RSA_PKCS"); - addMech(CKM_SHA512_RSA_PKCS, "CKM_SHA512_RSA_PKCS"); -@@ -659,6 +660,9 @@ - addMech(CKM_RIPEMD160, "CKM_RIPEMD160"); - addMech(CKM_RIPEMD160_HMAC, "CKM_RIPEMD160_HMAC"); - addMech(CKM_RIPEMD160_HMAC_GENERAL, "CKM_RIPEMD160_HMAC_GENERAL"); -+ addMech(CKM_SHA224, "CKM_SHA224"); -+ addMech(CKM_SHA224_HMAC, "CKM_SHA224_HMAC"); -+ addMech(CKM_SHA224_HMAC_GENERAL, "CKM_SHA224_HMAC_GENERAL"); - addMech(CKM_SHA256, "CKM_SHA256"); - addMech(CKM_SHA256_HMAC, "CKM_SHA256_HMAC"); - addMech(CKM_SHA256_HMAC_GENERAL, "CKM_SHA256_HMAC_GENERAL"); -@@ -718,6 +722,7 @@ - addMech(CKM_MD5_KEY_DERIVATION, "CKM_MD5_KEY_DERIVATION"); - addMech(CKM_MD2_KEY_DERIVATION, "CKM_MD2_KEY_DERIVATION"); - addMech(CKM_SHA1_KEY_DERIVATION, "CKM_SHA1_KEY_DERIVATION"); -+ addMech(CKM_SHA224_KEY_DERIVATION, "CKM_SHA224_KEY_DERIVATION"); - addMech(CKM_SHA256_KEY_DERIVATION, "CKM_SHA256_KEY_DERIVATION"); - addMech(CKM_SHA384_KEY_DERIVATION, "CKM_SHA384_KEY_DERIVATION"); - addMech(CKM_SHA512_KEY_DERIVATION, "CKM_SHA512_KEY_DERIVATION"); -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/DigestBase.java openjdk/jdk/src/share/classes/sun/security/provider/DigestBase.java ---- openjdk.orig/jdk/src/share/classes/sun/security/provider/DigestBase.java 2015-07-20 17:22:23.412466001 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/provider/DigestBase.java 2015-07-20 17:43:33.190332609 +0100 -@@ -39,7 +39,6 @@ - * . abstract void implCompress(byte[] b, int ofs); - * . abstract void implDigest(byte[] out, int ofs); - * . abstract void implReset(); -- * . public abstract Object clone(); - * - * See the inline documentation for details. - * -@@ -61,7 +60,7 @@ - // buffer to store partial blocks, blockSize bytes large - // Subclasses should not access this array directly except possibly in their - // implDigest() method. See MD5.java as an example. -- final byte[] buffer; -+ byte[] buffer; - // offset into buffer - private int bufOfs; - -@@ -83,18 +82,6 @@ - buffer = new byte[blockSize]; - } - -- /** -- * Constructor for cloning. Replicates common data. -- */ -- DigestBase(DigestBase base) { -- this.algorithm = base.algorithm; -- this.digestLength = base.digestLength; -- this.blockSize = base.blockSize; -- this.buffer = base.buffer.clone(); -- this.bufOfs = base.bufOfs; -- this.bytesProcessed = base.bytesProcessed; -- } -- - // return digest length. See JCA doc. - protected final int engineGetDigestLength() { - return digestLength; -@@ -206,12 +193,11 @@ - */ - abstract void implReset(); - -- /** -- * Clone this digest. Should be implemented as "return new MyDigest(this)". -- * That constructor should first call "super(baseDigest)" and then copy -- * subclass specific data. -- */ -- public abstract Object clone(); -+ public Object clone() throws CloneNotSupportedException { -+ DigestBase copy = (DigestBase) super.clone(); -+ copy.buffer = copy.buffer.clone(); -+ return copy; -+ } - - // padding used for the MD5, and SHA-* message digests - static final byte[] padding; -@@ -223,5 +209,4 @@ - padding = new byte[136]; - padding[0] = (byte)0x80; - } -- - } -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/MD2.java openjdk/jdk/src/share/classes/sun/security/provider/MD2.java ---- openjdk.orig/jdk/src/share/classes/sun/security/provider/MD2.java 2015-07-20 17:22:23.416465932 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/provider/MD2.java 2015-07-20 17:43:33.190332609 +0100 -@@ -39,14 +39,14 @@ - public final class MD2 extends DigestBase { - - // state, 48 ints -- private final int[] X; -+ private int[] X; - - // checksum, 16 ints. they are really bytes, but byte arithmetic in - // the JVM is much slower that int arithmetic. -- private final int[] C; -+ private int[] C; - - // temporary store for checksum C during final digest -- private final byte[] cBytes; -+ private byte[] cBytes; - - /** - * Create a new MD2 digest. Called by the JCA framework -@@ -58,15 +58,12 @@ - cBytes = new byte[16]; - } - -- private MD2(MD2 base) { -- super(base); -- this.X = base.X.clone(); -- this.C = base.C.clone(); -- cBytes = new byte[16]; -- } -- -- public Object clone() { -- return new MD2(this); -+ public Object clone() throws CloneNotSupportedException { -+ MD2 copy = (MD2) super.clone(); -+ copy.X = copy.X.clone(); -+ copy.C = copy.C.clone(); -+ copy.cBytes = new byte[16]; -+ return copy; - } - - // reset state and checksum -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/MD4.java openjdk/jdk/src/share/classes/sun/security/provider/MD4.java ---- openjdk.orig/jdk/src/share/classes/sun/security/provider/MD4.java 2015-07-20 17:22:23.416465932 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/provider/MD4.java 2015-07-20 17:43:33.190332609 +0100 -@@ -44,9 +44,9 @@ - public final class MD4 extends DigestBase { - - // state of this object -- private final int[] state; -+ private int[] state; - // temporary buffer, used by implCompress() -- private final int[] x; -+ private int[] x; - - // rotation constants - private static final int S11 = 3; -@@ -91,16 +91,12 @@ - implReset(); - } - -- // Cloning constructor -- private MD4(MD4 base) { -- super(base); -- this.state = base.state.clone(); -- this.x = new int[16]; -- } -- - // clone this object -- public Object clone() { -- return new MD4(this); -+ public Object clone() throws CloneNotSupportedException { -+ MD4 copy = (MD4) super.clone(); -+ copy.state = copy.state.clone(); -+ copy.x = new int[16]; -+ return copy; - } - - /** -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/MD5.java openjdk/jdk/src/share/classes/sun/security/provider/MD5.java ---- openjdk.orig/jdk/src/share/classes/sun/security/provider/MD5.java 2015-07-20 17:22:23.416465932 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/provider/MD5.java 2015-07-20 17:43:33.190332609 +0100 -@@ -39,9 +39,9 @@ - public final class MD5 extends DigestBase { - - // state of this object -- private final int[] state; -+ private int[] state; - // temporary buffer, used by implCompress() -- private final int[] x; -+ private int[] x; - - // rotation constants - private static final int S11 = 7; -@@ -69,16 +69,12 @@ - implReset(); - } - -- // Cloning constructor -- private MD5(MD5 base) { -- super(base); -- this.state = base.state.clone(); -- this.x = new int[16]; -- } -- - // clone this object -- public Object clone() { -- return new MD5(this); -+ public Object clone() throws CloneNotSupportedException { -+ MD5 copy = (MD5) super.clone(); -+ copy.state = copy.state.clone(); -+ copy.x = new int[16]; -+ return copy; - } - - /** -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/SHA2.java openjdk/jdk/src/share/classes/sun/security/provider/SHA2.java ---- openjdk.orig/jdk/src/share/classes/sun/security/provider/SHA2.java 2015-07-20 17:22:23.444465443 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/provider/SHA2.java 2015-07-20 17:43:33.190332609 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2002, 2006, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -40,7 +40,7 @@ - * @author Valerie Peng - * @author Andreas Sterbenz - */ --public final class SHA2 extends DigestBase { -+abstract class SHA2 extends DigestBase { - - private static final int ITERATION = 64; - // Constants for each round -@@ -64,46 +64,30 @@ - }; - - // buffer used by implCompress() -- private final int[] W; -+ private int[] W; - - // state of this object -- private final int[] state; -+ private int[] state; -+ -+ // initial state value. different between SHA-224 and SHA-256 -+ private final int[] initialHashes; - - /** - * Creates a new SHA object. - */ -- public SHA2() { -- super("SHA-256", 32, 64); -+ SHA2(String name, int digestLength, int[] initialHashes) { -+ super(name, digestLength, 64); -+ this.initialHashes = initialHashes; - state = new int[8]; - W = new int[64]; - implReset(); - } - - /** -- * Creates a SHA2 object.with state (for cloning) -- */ -- private SHA2(SHA2 base) { -- super(base); -- this.state = base.state.clone(); -- this.W = new int[64]; -- } -- -- public Object clone() { -- return new SHA2(this); -- } -- -- /** - * Resets the buffers and hash value to start a new hash. - */ - void implReset() { -- state[0] = 0x6a09e667; -- state[1] = 0xbb67ae85; -- state[2] = 0x3c6ef372; -- state[3] = 0xa54ff53a; -- state[4] = 0x510e527f; -- state[5] = 0x9b05688c; -- state[6] = 0x1f83d9ab; -- state[7] = 0x5be0cd19; -+ System.arraycopy(initialHashes, 0, state, 0, state.length); - } - - void implDigest(byte[] out, int ofs) { -@@ -242,4 +226,38 @@ - state[7] += h; - } - -+ public Object clone() throws CloneNotSupportedException { -+ SHA2 copy = (SHA2) super.clone(); -+ copy.state = copy.state.clone(); -+ copy.W = new int[64]; -+ return copy; -+ } -+ -+ /** -+ * SHA-224 implementation class. -+ */ -+ public static final class SHA224 extends SHA2 { -+ private static final int[] INITIAL_HASHES = { -+ 0xc1059ed8, 0x367cd507, 0x3070dd17, 0xf70e5939, -+ 0xffc00b31, 0x68581511, 0x64f98fa7, 0xbefa4fa4 -+ }; -+ -+ public SHA224() { -+ super("SHA-224", 28, INITIAL_HASHES); -+ } -+ } -+ -+ /** -+ * SHA-256 implementation class. -+ */ -+ public static final class SHA256 extends SHA2 { -+ private static final int[] INITIAL_HASHES = { -+ 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, -+ 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 -+ }; -+ -+ public SHA256() { -+ super("SHA-256", 32, INITIAL_HASHES); -+ } -+ } - } -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/SHA5.java openjdk/jdk/src/share/classes/sun/security/provider/SHA5.java ---- openjdk.orig/jdk/src/share/classes/sun/security/provider/SHA5.java 2015-07-20 17:22:23.448465374 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/provider/SHA5.java 2015-07-20 17:43:33.190332609 +0100 -@@ -82,10 +82,10 @@ - }; - - // buffer used by implCompress() -- private final long[] W; -+ private long[] W; - - // state of this object -- private final long[] state; -+ private long[] state; - - // initial state value. different between SHA-384 and SHA-512 - private final long[] initialHashes; -@@ -101,16 +101,6 @@ - implReset(); - } - -- /** -- * Creates a SHA object with state (for cloning) -- */ -- SHA5(SHA5 base) { -- super(base); -- this.initialHashes = base.initialHashes; -- this.state = base.state.clone(); -- this.W = new long[80]; -- } -- - final void implReset() { - System.arraycopy(initialHashes, 0, state, 0, state.length); - } -@@ -255,6 +245,13 @@ - state[7] += h; - } - -+ public Object clone() throws CloneNotSupportedException { -+ SHA5 copy = (SHA5) super.clone(); -+ copy.state = copy.state.clone(); -+ copy.W = new long[80]; -+ return copy; -+ } -+ - /** - * SHA-512 implementation class. - */ -@@ -270,14 +267,6 @@ - public SHA512() { - super("SHA-512", 64, INITIAL_HASHES); - } -- -- private SHA512(SHA512 base) { -- super(base); -- } -- -- public Object clone() { -- return new SHA512(this); -- } - } - - /** -@@ -295,14 +284,5 @@ - public SHA384() { - super("SHA-384", 48, INITIAL_HASHES); - } -- -- private SHA384(SHA384 base) { -- super(base); -- } -- -- public Object clone() { -- return new SHA384(this); -- } - } -- - } -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/SHA.java openjdk/jdk/src/share/classes/sun/security/provider/SHA.java ---- openjdk.orig/jdk/src/share/classes/sun/security/provider/SHA.java 2015-07-20 17:22:23.444465443 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/provider/SHA.java 2015-07-20 17:43:33.190332609 +0100 -@@ -47,10 +47,10 @@ - // 64 bytes are included in each hash block so the low order - // bits of count are used to know how to pack the bytes into ints - // and to know when to compute the block and start the next one. -- private final int[] W; -+ private int[] W; - - // state of this -- private final int[] state; -+ private int[] state; - - /** - * Creates a new SHA object. -@@ -62,19 +62,14 @@ - implReset(); - } - -- /** -- * Creates a SHA object.with state (for cloning) */ -- private SHA(SHA base) { -- super(base); -- this.state = base.state.clone(); -- this.W = new int[80]; -- } -- - /* - * Clones this object. - */ -- public Object clone() { -- return new SHA(this); -+ public Object clone() throws CloneNotSupportedException { -+ SHA copy = (SHA) super.clone(); -+ copy.state = copy.state.clone(); -+ copy.W = new int[80]; -+ return copy; - } - - /** -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/SunEntries.java openjdk/jdk/src/share/classes/sun/security/provider/SunEntries.java ---- openjdk.orig/jdk/src/share/classes/sun/security/provider/SunEntries.java 2015-07-20 17:22:23.448465374 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/provider/SunEntries.java 2015-07-20 17:43:33.190332609 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1996, 2006, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -43,6 +43,10 @@ - * identifier strings "OID.1.3.14.3.2.13", "OID.1.3.14.3.2.27" and - * "OID.1.2.840.10040.4.3". - * -+ * - SHA-2 is a set of message digest schemes described in FIPS 180-2. -+ * SHA-2 family of hash functions includes SHA-224, SHA-256, SHA-384, -+ * and SHA-512. -+ * - * - DSA is the key generation scheme as described in FIPS 186. - * Aliases for DSA include the OID strings "OID.1.3.14.3.2.12" - * and "OID.1.2.840.10040.4.1". -@@ -140,9 +144,19 @@ - map.put("Alg.Alias.MessageDigest.SHA-1", "SHA"); - map.put("Alg.Alias.MessageDigest.SHA1", "SHA"); - -- map.put("MessageDigest.SHA-256", "sun.security.provider.SHA2"); -+ map.put("MessageDigest.SHA-224", "sun.security.provider.SHA2$SHA224"); -+ map.put("Alg.Alias.MessageDigest.2.16.840.1.101.3.4.2.4", "SHA-224"); -+ map.put("Alg.Alias.MessageDigest.OID.2.16.840.1.101.3.4.2.4", "SHA-224"); -+ -+ map.put("MessageDigest.SHA-256", "sun.security.provider.SHA2$SHA256"); -+ map.put("Alg.Alias.MessageDigest.2.16.840.1.101.3.4.2.1", "SHA-256"); -+ map.put("Alg.Alias.MessageDigest.OID.2.16.840.1.101.3.4.2.1", "SHA-256"); - map.put("MessageDigest.SHA-384", "sun.security.provider.SHA5$SHA384"); -+ map.put("Alg.Alias.MessageDigest.2.16.840.1.101.3.4.2.2", "SHA-384"); -+ map.put("Alg.Alias.MessageDigest.OID.2.16.840.1.101.3.4.2.2", "SHA-384"); - map.put("MessageDigest.SHA-512", "sun.security.provider.SHA5$SHA512"); -+ map.put("Alg.Alias.MessageDigest.2.16.840.1.101.3.4.2.3", "SHA-512"); -+ map.put("Alg.Alias.MessageDigest.OID.2.16.840.1.101.3.4.2.3", "SHA-512"); - - /* - * Algorithm Parameter Generator engines -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/rsa/RSASignature.java openjdk/jdk/src/share/classes/sun/security/rsa/RSASignature.java ---- openjdk.orig/jdk/src/share/classes/sun/security/rsa/RSASignature.java 2015-07-20 17:24:47.093961501 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/rsa/RSASignature.java 2015-07-20 17:43:33.190332609 +0100 -@@ -39,8 +39,8 @@ - * PKCS#1 RSA signatures with the various message digest algorithms. - * This file contains an abstract base class with all the logic plus - * a nested static class for each of the message digest algorithms -- * (see end of the file). We support MD2, MD5, SHA-1, SHA-256, SHA-384, -- * and SHA-512. -+ * (see end of the file). We support MD2, MD5, SHA-1, SHA-224, SHA-256, -+ * SHA-384, and SHA-512. - * - * @since 1.5 - * @author Andreas Sterbenz -@@ -270,6 +270,13 @@ - } - } - -+ // Nested class for SHA224withRSA signatures -+ public static final class SHA224withRSA extends RSASignature { -+ public SHA224withRSA() { -+ super("SHA-224", AlgorithmId.SHA224_oid, 11); -+ } -+ } -+ - // Nested class for SHA256withRSA signatures - public static final class SHA256withRSA extends RSASignature { - public SHA256withRSA() { -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/rsa/SunRsaSignEntries.java openjdk/jdk/src/share/classes/sun/security/rsa/SunRsaSignEntries.java ---- openjdk.orig/jdk/src/share/classes/sun/security/rsa/SunRsaSignEntries.java 2015-07-20 17:22:24.016455473 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/rsa/SunRsaSignEntries.java 2015-07-20 17:43:33.190332609 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -52,6 +52,8 @@ - "sun.security.rsa.RSASignature$MD5withRSA"); - map.put("Signature.SHA1withRSA", - "sun.security.rsa.RSASignature$SHA1withRSA"); -+ map.put("Signature.SHA224withRSA", -+ "sun.security.rsa.RSASignature$SHA224withRSA"); - map.put("Signature.SHA256withRSA", - "sun.security.rsa.RSASignature$SHA256withRSA"); - map.put("Signature.SHA384withRSA", -@@ -66,6 +68,7 @@ - map.put("Signature.MD2withRSA SupportedKeyClasses", rsaKeyClasses); - map.put("Signature.MD5withRSA SupportedKeyClasses", rsaKeyClasses); - map.put("Signature.SHA1withRSA SupportedKeyClasses", rsaKeyClasses); -+ map.put("Signature.SHA224withRSA SupportedKeyClasses", rsaKeyClasses); - map.put("Signature.SHA256withRSA SupportedKeyClasses", rsaKeyClasses); - map.put("Signature.SHA384withRSA SupportedKeyClasses", rsaKeyClasses); - map.put("Signature.SHA512withRSA SupportedKeyClasses", rsaKeyClasses); -@@ -88,6 +91,9 @@ - map.put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.5", "SHA1withRSA"); - map.put("Alg.Alias.Signature.1.3.14.3.2.29", "SHA1withRSA"); - -+ map.put("Alg.Alias.Signature.1.2.840.113549.1.1.14", "SHA224withRSA"); -+ map.put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.14", "SHA224withRSA"); -+ - map.put("Alg.Alias.Signature.1.2.840.113549.1.1.11", "SHA256withRSA"); - map.put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.11", "SHA256withRSA"); - -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/x509/AlgorithmId.java openjdk/jdk/src/share/classes/sun/security/x509/AlgorithmId.java ---- openjdk.orig/jdk/src/share/classes/sun/security/x509/AlgorithmId.java 2015-07-20 17:41:00.468994682 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/x509/AlgorithmId.java 2015-07-20 17:43:33.194332538 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -175,9 +175,9 @@ - // it's NULL. They are --- - // rfc3370 2.1: Implementations SHOULD generate SHA-1 - // AlgorithmIdentifiers with absent parameters. -- // rfc3447 C1: When id-sha1, id-sha256, id-sha384 and id-sha512 -- // are used in an AlgorithmIdentifier the parameters (which are -- // optional) SHOULD be omitted. -+ // rfc3447 C1: When id-sha1, id-sha224, id-sha256, id-sha384 and -+ // id-sha512 are used in an AlgorithmIdentifier the parameters -+ // (which are optional) SHOULD be omitted. - // rfc3279 2.3.2: The id-dsa algorithm syntax includes optional - // domain parameters... When omitted, the parameters component - // MUST be omitted entirely -@@ -185,6 +185,7 @@ - // is used, the AlgorithmIdentifier parameters field MUST be absent. - /*if ( - algid.equals((Object)SHA_oid) || -+ algid.equals((Object)SHA224_oid) || - algid.equals((Object)SHA256_oid) || - algid.equals((Object)SHA384_oid) || - algid.equals((Object)SHA512_oid) || -@@ -488,7 +489,10 @@ - name.equalsIgnoreCase("SHA512")) { - return AlgorithmId.SHA512_oid; - } -- -+ if (name.equalsIgnoreCase("SHA-224") || -+ name.equalsIgnoreCase("SHA224")) { -+ return AlgorithmId.SHA224_oid; -+ } - - // Various public key algorithms - if (name.equalsIgnoreCase("RSA")) { -@@ -613,6 +617,9 @@ - public static final ObjectIdentifier SHA_oid = - ObjectIdentifier.newInternal(new int[] {1, 3, 14, 3, 2, 26}); - -+ public static final ObjectIdentifier SHA224_oid = -+ ObjectIdentifier.newInternal(new int[] {2, 16, 840, 1, 101, 3, 4, 2, 4}); -+ - public static final ObjectIdentifier SHA256_oid = - ObjectIdentifier.newInternal(new int[] {2, 16, 840, 1, 101, 3, 4, 2, 1}); - -@@ -652,6 +659,8 @@ - { 1, 2, 840, 113549, 1, 1, 5 }; - private static final int sha1WithRSAEncryption_OIW_data[] = - { 1, 3, 14, 3, 2, 29 }; -+ private static final int sha224WithRSAEncryption_data[] = -+ { 1, 2, 840, 113549, 1, 1, 14 }; - private static final int sha256WithRSAEncryption_data[] = - { 1, 2, 840, 113549, 1, 1, 11 }; - private static final int sha384WithRSAEncryption_data[] = -@@ -669,6 +678,7 @@ - public static final ObjectIdentifier md5WithRSAEncryption_oid; - public static final ObjectIdentifier sha1WithRSAEncryption_oid; - public static final ObjectIdentifier sha1WithRSAEncryption_OIW_oid; -+ public static final ObjectIdentifier sha224WithRSAEncryption_oid; - public static final ObjectIdentifier sha256WithRSAEncryption_oid; - public static final ObjectIdentifier sha384WithRSAEncryption_oid; - public static final ObjectIdentifier sha512WithRSAEncryption_oid; -@@ -798,6 +808,14 @@ - ObjectIdentifier.newInternal(sha1WithRSAEncryption_OIW_data); - - /** -+ * Identifies a signing algorithm where a SHA224 digest is -+ * encrypted using an RSA private key; defined by PKCS #1. -+ * OID = 1.2.840.113549.1.1.14 -+ */ -+ sha224WithRSAEncryption_oid = -+ ObjectIdentifier.newInternal(sha224WithRSAEncryption_data); -+ -+ /** - * Identifies a signing algorithm where a SHA256 digest is - * encrypted using an RSA private key; defined by PKCS #1. - * OID = 1.2.840.113549.1.1.11 -@@ -847,6 +865,7 @@ - nameTable.put(MD5_oid, "MD5"); - nameTable.put(MD2_oid, "MD2"); - nameTable.put(SHA_oid, "SHA"); -+ nameTable.put(SHA224_oid, "SHA224"); - nameTable.put(SHA256_oid, "SHA256"); - nameTable.put(SHA384_oid, "SHA384"); - nameTable.put(SHA512_oid, "SHA512"); -@@ -869,6 +888,7 @@ - nameTable.put(shaWithDSA_OIW_oid, "SHA1withDSA"); - nameTable.put(sha1WithRSAEncryption_oid, "SHA1withRSA"); - nameTable.put(sha1WithRSAEncryption_OIW_oid, "SHA1withRSA"); -+ nameTable.put(sha224WithRSAEncryption_oid, "SHA224withRSA"); - nameTable.put(sha256WithRSAEncryption_oid, "SHA256withRSA"); - nameTable.put(sha384WithRSAEncryption_oid, "SHA384withRSA"); - nameTable.put(sha512WithRSAEncryption_oid, "SHA512withRSA"); -diff -Nru openjdk.orig/jdk/src/windows/classes/sun/security/mscapi/RSASignature.java openjdk/jdk/src/windows/classes/sun/security/mscapi/RSASignature.java ---- openjdk.orig/jdk/src/windows/classes/sun/security/mscapi/RSASignature.java 2015-07-20 17:21:55.340955313 +0100 -+++ openjdk/jdk/src/windows/classes/sun/security/mscapi/RSASignature.java 2015-07-20 17:43:33.194332538 +0100 -@@ -49,6 +49,7 @@ - * following algorithm names: - * - * . "SHA1withRSA" -+ * . "SHA224withRSA" - * . "MD5withRSA" - * . "MD2withRSA" - * -@@ -90,6 +91,12 @@ - } - } - -+ public static final class SHA224 extends RSASignature { -+ public SHA224() { -+ super("SHA-224"); -+ } -+ } -+ - public static final class MD5 extends RSASignature { - public MD5() { - super("MD5"); -diff -Nru openjdk.orig/jdk/src/windows/classes/sun/security/mscapi/SunMSCAPI.java openjdk/jdk/src/windows/classes/sun/security/mscapi/SunMSCAPI.java ---- openjdk.orig/jdk/src/windows/classes/sun/security/mscapi/SunMSCAPI.java 2015-07-20 17:21:55.688949247 +0100 -+++ openjdk/jdk/src/windows/classes/sun/security/mscapi/SunMSCAPI.java 2015-07-20 17:43:33.194332538 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2005, 2007, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -81,6 +81,10 @@ - */ - map.put("Signature.SHA1withRSA", - "sun.security.mscapi.RSASignature$SHA1"); -+ map.put("Signature.SHA224withRSA", -+ "sun.security.mscapi.RSASignature$SHA224"); -+ map.put("Alg.Alias.Signature.1.2.840.113549.1.1.14", "SHA224withRSA"); -+ map.put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.14", "SHA224withRSA"); - map.put("Signature.MD5withRSA", - "sun.security.mscapi.RSASignature$MD5"); - map.put("Signature.MD2withRSA", -@@ -89,6 +93,8 @@ - // supported key classes - map.put("Signature.SHA1withRSA SupportedKeyClasses", - "sun.security.mscapi.Key"); -+ map.put("Signature.SHA224withRSA SupportedKeyClasses", -+ "sun.security.mscapi.Key"); - map.put("Signature.MD5withRSA SupportedKeyClasses", - "sun.security.mscapi.Key"); - map.put("Signature.MD2withRSA SupportedKeyClasses", -diff -Nru openjdk.orig/jdk/test/com/sun/crypto/provider/Cipher/RSA/TestOAEP.java openjdk/jdk/test/com/sun/crypto/provider/Cipher/RSA/TestOAEP.java ---- openjdk.orig/jdk/test/com/sun/crypto/provider/Cipher/RSA/TestOAEP.java 2015-07-20 17:22:00.164871228 +0100 -+++ openjdk/jdk/test/com/sun/crypto/provider/Cipher/RSA/TestOAEP.java 2015-07-20 17:43:33.194332538 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2007, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -58,6 +58,7 @@ - Cipher.getInstance("RSA/ECB/OAEPwithMD5andMGF1Padding"); - Cipher.getInstance("RSA/ECB/OAEPwithSHA1andMGF1Padding"); - Cipher.getInstance("RSA/ECB/OAEPwithSHA-1andMGF1Padding"); -+ Cipher.getInstance("RSA/ECB/OAEPwithSHA-224andMGF1Padding"); - Cipher.getInstance("RSA/ECB/OAEPwithSHA-256andMGF1Padding"); - Cipher.getInstance("RSA/ECB/OAEPwithSHA-384andMGF1Padding"); - Cipher.getInstance("RSA/ECB/OAEPwithSHA-512andMGF1Padding"); -@@ -88,6 +89,18 @@ - // tests alias works - testEncryptDecrypt("SHA-1", 16); - -+ // basic test using SHA-224 -+ testEncryptDecrypt("SHA-224", 0); -+ testEncryptDecrypt("SHA-224", 16); -+ testEncryptDecrypt("SHA-224", 38); -+ try { -+ testEncryptDecrypt("SHA-224", 39); -+ throw new Exception("Unexpectedly completed call"); -+ } catch (IllegalBlockSizeException e) { -+ // ok -+ System.out.println(e); -+ } -+ - // basic test using SHA-256 - testEncryptDecrypt("SHA-256", 0); - testEncryptDecrypt("SHA-256", 16); -@@ -195,6 +208,7 @@ - System.out.println("Done (" + (stop - start) + " ms)."); - } - -+ // NOTE: OAEP can process up to (modLen - 2*digestLen - 2) bytes of data - private static void testEncryptDecrypt(String hashAlg, int dataLength) throws Exception { - System.out.println("Testing OAEP with hash " + hashAlg + ", " + dataLength + " bytes"); - Cipher c = Cipher.getInstance("RSA/ECB/OAEPwith" + hashAlg + "andMGF1Padding", cp); -diff -Nru openjdk.orig/jdk/test/com/sun/crypto/provider/Cipher/RSA/TestOAEPParameterSpec.java openjdk/jdk/test/com/sun/crypto/provider/Cipher/RSA/TestOAEPParameterSpec.java ---- openjdk.orig/jdk/test/com/sun/crypto/provider/Cipher/RSA/TestOAEPParameterSpec.java 2015-07-20 17:22:00.172871088 +0100 -+++ openjdk/jdk/test/com/sun/crypto/provider/Cipher/RSA/TestOAEPParameterSpec.java 2015-07-20 17:43:33.194332538 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2007, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -121,6 +121,7 @@ - public static void main(String[] argv) throws Exception { - boolean status = true; - byte[] p = { (byte) 0x01, (byte) 0x02, (byte) 0x03, (byte) 0x04 }; -+ status &= runTest("SHA-224", MGF1ParameterSpec.SHA224, p); - status &= runTest("SHA-256", MGF1ParameterSpec.SHA256, p); - status &= runTest("SHA-384", MGF1ParameterSpec.SHA384, p); - status &= runTest("SHA-512", MGF1ParameterSpec.SHA512, p); -diff -Nru openjdk.orig/jdk/test/com/sun/crypto/provider/Cipher/RSA/TestOAEPWithParams.java openjdk/jdk/test/com/sun/crypto/provider/Cipher/RSA/TestOAEPWithParams.java ---- openjdk.orig/jdk/test/com/sun/crypto/provider/Cipher/RSA/TestOAEPWithParams.java 2015-07-20 17:22:00.172871088 +0100 -+++ openjdk/jdk/test/com/sun/crypto/provider/Cipher/RSA/TestOAEPWithParams.java 2015-07-20 17:43:33.194332538 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2007, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -47,10 +47,10 @@ - private static Random random = new Random(); - - private static String MD[] = { -- "MD5", "SHA1", "SHA-256" -+ "MD5", "SHA1", "SHA-224", "SHA-256" - }; - private static int DATA_LENGTH[] = { -- 62, 54, 30 -+ 62, 54, 34, 30 - }; - public static void main(String[] args) throws Exception { - long start = System.currentTimeMillis(); -diff -Nru openjdk.orig/jdk/test/com/sun/crypto/provider/KeyGenerator/Test4628062.java openjdk/jdk/test/com/sun/crypto/provider/KeyGenerator/Test4628062.java ---- openjdk.orig/jdk/test/com/sun/crypto/provider/KeyGenerator/Test4628062.java 2015-07-20 17:22:00.244869833 +0100 -+++ openjdk/jdk/test/com/sun/crypto/provider/KeyGenerator/Test4628062.java 2015-07-20 17:43:33.194332538 +0100 -@@ -23,7 +23,7 @@ - - /* - * @test -- * @bug 4628062 -+ * @bug 4628062 4963723 - * @summary Verify that AES KeyGenerator supports default initialization - * when init is not called - * @author Valerie Peng -@@ -34,39 +34,45 @@ - - public class Test4628062 { - -- private static final String ALGO = "AES"; -- private static final int[] KEYSIZES = -- { 16, 24, 32 }; // in bytes -+ private static final int[] AES_SIZES = { 16, 24, 32 }; // in bytes -+ private static final int[] HMACSHA224_SIZES = { 28 }; -+ private static final int[] HMACSHA256_SIZES = { 32 }; -+ private static final int[] HMACSHA384_SIZES = { 48 }; -+ private static final int[] HMACSHA512_SIZES = { 64 }; - -- public boolean execute() throws Exception { -- KeyGenerator kg = KeyGenerator.getInstance(ALGO, "SunJCE"); -+ public boolean execute(String algo, int[] keySizes) throws Exception { -+ KeyGenerator kg = KeyGenerator.getInstance(algo, "SunJCE"); - - // TEST FIX 4628062 - Key keyWithDefaultSize = kg.generateKey(); - byte[] encoding = keyWithDefaultSize.getEncoded(); -- if (encoding.length == 0) { -+ int defKeyLen = encoding.length ; -+ if (defKeyLen == 0) { - throw new Exception("default key length is 0!"); -+ } else if (defKeyLen != keySizes[0]) { -+ throw new Exception("default key length mismatch!"); - } - - // BONUS TESTS -- // 1. call init(int keysize) with various valid key sizes -- // and see if the generated key is the right size. -- for (int i=0; i<KEYSIZES.length; i++) { -- kg.init(KEYSIZES[i]*8); // in bits -- Key key = kg.generateKey(); -- if (key.getEncoded().length != KEYSIZES[i]) { -- throw new Exception("key is generated with the wrong length!"); -+ if (keySizes.length > 1) { -+ // 1. call init(int keysize) with various valid key sizes -+ // and see if the generated key is the right size. -+ for (int i=0; i<keySizes.length; i++) { -+ kg.init(keySizes[i]*8); // in bits -+ Key key = kg.generateKey(); -+ if (key.getEncoded().length != keySizes[i]) { -+ throw new Exception("key is generated with the wrong length!"); -+ } -+ } -+ // 2. call init(int keysize) with invalid key size and see -+ // if the expected InvalidParameterException is thrown. -+ try { -+ kg.init(keySizes[0]*8+1); -+ } catch (InvalidParameterException ex) { -+ } catch (Exception ex) { -+ throw new Exception("wrong exception is thrown for invalid key size!"); - } - } -- // 2. call init(int keysize) with invalid key size and see -- // if the expected InvalidParameterException is thrown. -- try { -- kg.init(KEYSIZES[0]*8+1); -- } catch (InvalidParameterException ex) { -- } catch (Exception ex) { -- throw new Exception("wrong exception is thrown for invalid key size!"); -- } -- - // passed all tests...hooray! - return true; - } -@@ -76,8 +82,20 @@ - - Test4628062 test = new Test4628062(); - String testName = test.getClass().getName(); -- if (test.execute()) { -- System.out.println(testName + ": Passed!"); -+ if (test.execute("AES", AES_SIZES)) { -+ System.out.println(testName + ": AES Passed!"); -+ } -+ if (test.execute("HmacSHA224", HMACSHA224_SIZES)) { -+ System.out.println(testName + ": HmacSHA224 Passed!"); -+ } -+ if (test.execute("HmacSHA256", HMACSHA256_SIZES)) { -+ System.out.println(testName + ": HmacSHA256 Passed!"); -+ } -+ if (test.execute("HmacSHA384", HMACSHA384_SIZES)) { -+ System.out.println(testName + ": HmacSHA384 Passed!"); -+ } -+ if (test.execute("HmacSHA512", HMACSHA512_SIZES)) { -+ System.out.println(testName + ": HmacSHA512 Passed!"); - } - } - } -diff -Nru openjdk.orig/jdk/test/com/sun/crypto/provider/Mac/MacClone.java openjdk/jdk/test/com/sun/crypto/provider/Mac/MacClone.java ---- openjdk.orig/jdk/test/com/sun/crypto/provider/Mac/MacClone.java 2015-07-20 17:22:00.248869764 +0100 -+++ openjdk/jdk/test/com/sun/crypto/provider/Mac/MacClone.java 2015-07-20 17:43:33.194332538 +0100 -@@ -28,15 +28,33 @@ - * @author Jan Luehe - */ - import javax.crypto.*; -+import javax.crypto.spec.SecretKeySpec; - - public class MacClone { - - public static void main(String[] args) throws Exception { - -+ String[] algos = { "HmacMD5", "HmacSHA1", "HmacSHA224", "HmacSHA256", -+ "HmacSHA384", "HmacSHA512" }; -+ KeyGenerator kgen = KeyGenerator.getInstance("DES"); -+ SecretKey skey = kgen.generateKey(); -+ for (String algo : algos) { -+ doTest(algo, skey); -+ } -+ -+ String[] algos2 = { "HmacPBESHA1" }; -+ skey = new SecretKeySpec("whatever".getBytes(), "PBE"); -+ for (String algo : algos2) { -+ doTest(algo, skey); -+ } -+ System.out.println("Test Passed"); -+ } -+ -+ private static void doTest(String algo, SecretKey skey) throws Exception { - // -- // Clone uninitialized Mac object -+ // Clone an uninitialized Mac object - // -- Mac mac = Mac.getInstance("HmacSHA1", "SunJCE"); -+ Mac mac = Mac.getInstance(algo, "SunJCE"); - Mac macClone = (Mac)mac.clone(); - System.out.println(macClone.getProvider().toString()); - System.out.println(macClone.getAlgorithm()); -@@ -51,12 +69,9 @@ - } - - // -- // Clone initialized Mac object -+ // Clone an initialized Mac object - // -- KeyGenerator kgen = KeyGenerator.getInstance("DES"); -- SecretKey skey = kgen.generateKey(); -- -- mac = Mac.getInstance("HmacSHA1"); -+ mac = Mac.getInstance(algo, "SunJCE"); - mac.init(skey); - macClone = (Mac)mac.clone(); - System.out.println(macClone.getProvider().toString()); -@@ -66,7 +81,20 @@ - byte[] macFinal = mac.doFinal(); - byte[] macCloneFinal = macClone.doFinal(); - if (!java.util.Arrays.equals(macFinal, macCloneFinal)) { -- throw new Exception("MAC results are different"); -- } -+ throw new Exception("ERROR: MAC result of init clone is different"); -+ } else System.out.println("MAC check#1 passed"); -+ -+ // -+ // Clone an updated Mac object -+ // -+ mac.update((byte)0x12); -+ macClone = (Mac)mac.clone(); -+ mac.update((byte)0x34); -+ macClone.update((byte)0x34); -+ macFinal = mac.doFinal(); -+ macCloneFinal = macClone.doFinal(); -+ if (!java.util.Arrays.equals(macFinal, macCloneFinal)) { -+ throw new Exception("ERROR: MAC result of updated clone is different"); -+ } else System.out.println("MAC check#2 passed"); - } - } -diff -Nru openjdk.orig/jdk/test/com/sun/crypto/provider/Mac/MacKAT.java openjdk/jdk/test/com/sun/crypto/provider/Mac/MacKAT.java ---- openjdk.orig/jdk/test/com/sun/crypto/provider/Mac/MacKAT.java 2015-07-20 17:22:00.252869694 +0100 -+++ openjdk/jdk/test/com/sun/crypto/provider/Mac/MacKAT.java 2015-07-20 17:43:33.194332538 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2007, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -23,7 +23,7 @@ - - /** - * @test -- * @bug 4846410 6313661 -+ * @bug 4846410 6313661 4963723 - * @summary Basic known-answer-test for Hmac and SslMac algorithms - * @author Andreas Sterbenz - */ -@@ -147,7 +147,9 @@ - private static Test t(String alg, String input, String macvalue, String key) { - return new MacTest(alg, b(input), b(macvalue), b(key)); - } -- -+ private static Test t(String alg, String input, String macvalue, byte[] key) { -+ return new MacTest(alg, b(input), b(macvalue), key); -+ } - private static Test t(String alg, byte[] input, String macvalue, String key) { - return new MacTest(alg, input, b(macvalue), b(key)); - } -@@ -155,8 +157,8 @@ - private static Test t(String alg, byte[] input, String macvalue, byte[] key) { - return new MacTest(alg, input, b(macvalue), key); - } -- - private final static byte[] ALONG, BLONG, BKEY; -+ private final static byte[] BKEY_20, DDDATA_50, AAKEY_20, CDDATA_50, AAKEY_131; - - static { - ALONG = new byte[1024 * 128]; -@@ -166,6 +168,16 @@ - random.nextBytes(BLONG); - BKEY = new byte[128]; - random.nextBytes(BKEY); -+ BKEY_20 = new byte[20]; -+ Arrays.fill(BKEY_20, (byte) 0x0b); -+ DDDATA_50 = new byte[50]; -+ Arrays.fill(DDDATA_50, (byte) 0xdd); -+ AAKEY_20 = new byte[20]; -+ Arrays.fill(AAKEY_20, (byte) 0xaa); -+ CDDATA_50 = new byte[50]; -+ Arrays.fill(CDDATA_50, (byte) 0xcd); -+ AAKEY_131 = new byte[131]; -+ Arrays.fill(AAKEY_131, (byte) 0xaa); - } - - private final static Test[] tests = { -@@ -203,15 +215,24 @@ - "1b:34:61:29:05:0d:73:db:25:d0:dd:64:06:29:f6:8a"), - t("HmacSHA512", BLONG, "fb:cf:4b:c6:d5:49:5a:5b:0b:d9:2a:32:f5:fa:68:d2:68:a4:0f:ae:53:fc:49:12:e6:1d:53:cf:b2:cb:c5:c5:f2:2d:86:bd:14:61:30:c3:a6:6f:44:1f:77:9b:aa:a1:22:48:a9:dd:d0:45:86:d1:a1:82:53:13:c4:03:06:a3", - BKEY), -+ // Test vectors From RFC4231 -+ t("HmacSHA224", s("Hi There"), "89:6f:b1:12:8a:bb:df:19:68:32:10:7c:d4:9d:f3:3f:47:b4:b1:16:99:12:ba:4f:53:68:4b:22", BKEY_20), -+ t("HmacSHA224", s("what do ya want for nothing?"), "a3:0e:01:09:8b:c6:db:bf:45:69:0f:3a:7e:9e:6d:0f:8b:be:a2:a3:9e:61:48:00:8f:d0:5e:44", s("Jefe")), -+ t("HmacSHA224", DDDATA_50, "7f:b3:cb:35:88:c6:c1:f6:ff:a9:69:4d:7d:6a:d2:64:93:65:b0:c1:f6:5d:69:d1:ec:83:33:ea", AAKEY_20), -+ t("HmacSHA224", CDDATA_50, "6c:11:50:68:74:01:3c:ac:6a:2a:bc:1b:b3:82:62:7c:ec:6a:90:d8:6e:fc:01:2d:e7:af:ec:5a", "01:02:03:04:05:06:07:08:09:0a:0b:0c:0d:0e:0f:10:11:12:13:14:15:16:17:18:19"), -+ t("HmacSHA224", s("Test Using Larger Than Block-Size Key - Hash Key First"), "95:e9:a0:db:96:20:95:ad:ae:be:9b:2d:6f:0d:bc:e2:d4:99:f1:12:f2:d2:b7:27:3f:a6:87:0e", AAKEY_131), -+ t("HmacSHA224", s("This is a test using a larger than block-size key and a larger than block-size data. The key needs to be hashed before being used by the HMAC algorithm."), "3a:85:41:66:ac:5d:9f:02:3f:54:d5:17:d0:b3:9d:bd:94:67:70:db:9c:2b:95:c9:f6:f5:65:d1", AAKEY_131), - }; - - static void runTests(Test[] tests) throws Exception { - long start = System.currentTimeMillis(); - Provider p = Security.getProvider("SunJCE"); - System.out.println("Testing provider " + p.getName() + "..."); -+ Mac.getInstance("HmacSHA224", p); - Mac.getInstance("HmacSHA256", p); - Mac.getInstance("HmacSHA384", p); - Mac.getInstance("HmacSHA512", p); -+ KeyGenerator.getInstance("HmacSHA224", p); - KeyGenerator.getInstance("HmacSHA256", p); - KeyGenerator.getInstance("HmacSHA384", p); - KeyGenerator.getInstance("HmacSHA512", p); -diff -Nru openjdk.orig/jdk/test/sun/security/pkcs11/ec/TestCurves.java openjdk/jdk/test/sun/security/pkcs11/ec/TestCurves.java ---- openjdk.orig/jdk/test/sun/security/pkcs11/ec/TestCurves.java 2015-07-20 17:21:58.956892284 +0100 -+++ openjdk/jdk/test/sun/security/pkcs11/ec/TestCurves.java 2015-07-20 17:43:33.194332538 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2006, 2007, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -68,6 +68,7 @@ - kp2 = kpg.generateKeyPair(); - - testSigning(p, "SHA1withECDSA", data, kp1, kp2); -+ testSigning(p, "SHA224withECDSA", data, kp1, kp2); - testSigning(p, "SHA256withECDSA", data, kp1, kp2); - testSigning(p, "SHA384withECDSA", data, kp1, kp2); - testSigning(p, "SHA512withECDSA", data, kp1, kp2); -diff -Nru openjdk.orig/jdk/test/sun/security/pkcs11/MessageDigest/DigestKAT.java openjdk/jdk/test/sun/security/pkcs11/MessageDigest/DigestKAT.java ---- openjdk.orig/jdk/test/sun/security/pkcs11/MessageDigest/DigestKAT.java 2015-07-20 17:21:58.932892703 +0100 -+++ openjdk/jdk/test/sun/security/pkcs11/MessageDigest/DigestKAT.java 2015-07-20 17:43:33.194332538 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -174,6 +174,12 @@ - t("SHA1", s("12345678901234567890123456789012345678901234567890123456789012345678901234567890"), "50:ab:f5:70:6a:15:09:90:a0:8b:2c:5e:a4:0f:a0:e5:85:55:47:32"), - t("SHA1", ALONG, "ce:56:53:59:08:04:ba:a9:36:9f:72:d4:83:ed:9e:ba:72:f0:4d:29"), - -+ t("SHA-224", s(""), "d1:4a:02:8c:2a:3a:2b:c9:47:61:02:bb:28:82:34:c4:15:a2:b0:1f:82:8e:a6:2a:c5:b3:e4:2f"), -+ t("SHA-224", s("abc"), "23:09:7d:22:34:05:d8:22:86:42:a4:77:bd:a2:55:b3:2a:ad:bc:e4:bd:a0:b3:f7:e3:6c:9d:a7"), -+ t("SHA-224", s("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"), "75:38:8b:16:51:27:76:cc:5d:ba:5d:a1:fd:89:01:50:b0:c6:45:5c:b4:f5:8b:19:52:52:25:25"), -+ t("SHA-224", s("The quick brown fox jumps over the lazy dog"), "73:0e:10:9b:d7:a8:a3:2b:1c:b9:d9:a0:9a:a2:32:5d:24:30:58:7d:db:c0:c3:8b:ad:91:15:25"), -+ t("SHA-224", s("The quick brown fox jumps over the lazy dog."), "61:9c:ba:8e:8e:05:82:6e:9b:8c:51:9c:0a:5c:68:f4:fb:65:3e:8a:3d:8a:a0:4b:b2:c8:cd:4c"), -+ - t("SHA-256", s(""), "e3:b0:c4:42:98:fc:1c:14:9a:fb:f4:c8:99:6f:b9:24:27:ae:41:e4:64:9b:93:4c:a4:95:99:1b:78:52:b8:55"), - t("SHA-256", s("a"), "ca:97:81:12:ca:1b:bd:ca:fa:c2:31:b3:9a:23:dc:4d:a7:86:ef:f8:14:7c:4e:72:b9:80:77:85:af:ee:48:bb"), - t("SHA-256", s("abc"), "ba:78:16:bf:8f:01:cf:ea:41:41:40:de:5d:ae:22:23:b0:03:61:a3:96:17:7a:9c:b4:10:ff:61:f2:00:15:ad"), -diff -Nru openjdk.orig/jdk/test/sun/security/pkcs11/rsa/TestKeyPairGenerator.java openjdk/jdk/test/sun/security/pkcs11/rsa/TestKeyPairGenerator.java ---- openjdk.orig/jdk/test/sun/security/pkcs11/rsa/TestKeyPairGenerator.java 2015-07-20 17:21:59.204887961 +0100 -+++ openjdk/jdk/test/sun/security/pkcs11/rsa/TestKeyPairGenerator.java 2015-07-20 17:43:33.194332538 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -61,6 +61,7 @@ - testSignature("MD2withRSA", privateKey, publicKey); - testSignature("MD5withRSA", privateKey, publicKey); - testSignature("SHA1withRSA", privateKey, publicKey); -+ testSignature("SHA224withRSA", privateKey, publicKey); - testSignature("SHA256withRSA", privateKey, publicKey); - RSAPublicKey rsaKey = (RSAPublicKey)publicKey; - if (rsaKey.getModulus().bitLength() > 512) { -diff -Nru openjdk.orig/jdk/test/sun/security/pkcs11/rsa/TestSignatures.java openjdk/jdk/test/sun/security/pkcs11/rsa/TestSignatures.java ---- openjdk.orig/jdk/test/sun/security/pkcs11/rsa/TestSignatures.java 2015-07-20 17:21:59.240887334 +0100 -+++ openjdk/jdk/test/sun/security/pkcs11/rsa/TestSignatures.java 2015-07-20 17:43:33.194332538 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -81,6 +81,7 @@ - testSignature("MD2withRSA", privateKey, publicKey); - testSignature("MD5withRSA", privateKey, publicKey); - testSignature("SHA1withRSA", privateKey, publicKey); -+ testSignature("SHA224withRSA", privateKey, publicKey); - testSignature("SHA256withRSA", privateKey, publicKey); - RSAPublicKey rsaKey = (RSAPublicKey)publicKey; - if (rsaKey.getModulus().bitLength() > 512) { -diff -Nru openjdk.orig/jdk/test/sun/security/pkcs11/Signature/TestRSAKeyLength.java openjdk/jdk/test/sun/security/pkcs11/Signature/TestRSAKeyLength.java ---- openjdk.orig/jdk/test/sun/security/pkcs11/Signature/TestRSAKeyLength.java 2015-07-20 17:21:58.944892493 +0100 -+++ openjdk/jdk/test/sun/security/pkcs11/Signature/TestRSAKeyLength.java 2015-07-20 17:43:33.194332538 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2010, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -37,7 +37,7 @@ - } - public void main(Provider p) throws Exception { - boolean isValidKeyLength[] = { true, true, false, false }; -- String algos[] = { "SHA1withRSA", "SHA256withRSA", -+ String algos[] = { "SHA1withRSA", "SHA224withRSA", "SHA256withRSA", - "SHA384withRSA", "SHA512withRSA" }; - KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA", p); - kpg.initialize(512); -diff -Nru openjdk.orig/jdk/test/sun/security/provider/MessageDigest/DigestKAT.java openjdk/jdk/test/sun/security/provider/MessageDigest/DigestKAT.java ---- openjdk.orig/jdk/test/sun/security/provider/MessageDigest/DigestKAT.java 2015-07-20 17:22:00.528864883 +0100 -+++ openjdk/jdk/test/sun/security/provider/MessageDigest/DigestKAT.java 2015-07-20 17:43:33.194332538 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -23,7 +23,7 @@ - - /** - * @test -- * @bug 4819771 4834179 5008306 -+ * @bug 4819771 4834179 5008306 4963723 - * @summary Basic known-answer-test for all our MessageDigest algorithms - * @author Andreas Sterbenz - */ -@@ -190,6 +190,12 @@ - t("SHA1", ALONG, "ce:56:53:59:08:04:ba:a9:36:9f:72:d4:83:ed:9e:ba:72:f0:4d:29"), - t("SHA1", BLONG, "1d:a8:1a:de:8d:1e:d0:82:ba:12:13:e2:56:26:30:fc:05:b8:8d:a6"), - -+ t("SHA-224", s(""), "d1:4a:02:8c:2a:3a:2b:c9:47:61:02:bb:28:82:34:c4:15:a2:b0:1f:82:8e:a6:2a:c5:b3:e4:2f"), -+ t("SHA-224", s("abc"), "23:09:7d:22:34:05:d8:22:86:42:a4:77:bd:a2:55:b3:2a:ad:bc:e4:bd:a0:b3:f7:e3:6c:9d:a7"), -+ t("SHA-224", s("abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"), "75:38:8b:16:51:27:76:cc:5d:ba:5d:a1:fd:89:01:50:b0:c6:45:5c:b4:f5:8b:19:52:52:25:25"), -+ t("SHA-224", s("The quick brown fox jumps over the lazy dog"), "73:0e:10:9b:d7:a8:a3:2b:1c:b9:d9:a0:9a:a2:32:5d:24:30:58:7d:db:c0:c3:8b:ad:91:15:25"), -+ t("SHA-224", s("The quick brown fox jumps over the lazy dog."), "61:9c:ba:8e:8e:05:82:6e:9b:8c:51:9c:0a:5c:68:f4:fb:65:3e:8a:3d:8a:a0:4b:b2:c8:cd:4c"), -+ - t("SHA-256", s(""), "e3:b0:c4:42:98:fc:1c:14:9a:fb:f4:c8:99:6f:b9:24:27:ae:41:e4:64:9b:93:4c:a4:95:99:1b:78:52:b8:55"), - t("SHA-256", s("a"), "ca:97:81:12:ca:1b:bd:ca:fa:c2:31:b3:9a:23:dc:4d:a7:86:ef:f8:14:7c:4e:72:b9:80:77:85:af:ee:48:bb"), - t("SHA-256", s("abc"), "ba:78:16:bf:8f:01:cf:ea:41:41:40:de:5d:ae:22:23:b0:03:61:a3:96:17:7a:9c:b4:10:ff:61:f2:00:15:ad"), -diff -Nru openjdk.orig/jdk/test/sun/security/provider/MessageDigest/Offsets.java openjdk/jdk/test/sun/security/provider/MessageDigest/Offsets.java ---- openjdk.orig/jdk/test/sun/security/provider/MessageDigest/Offsets.java 2015-07-20 17:22:00.564864256 +0100 -+++ openjdk/jdk/test/sun/security/provider/MessageDigest/Offsets.java 2015-07-20 17:43:33.194332538 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2006, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2006, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -80,6 +80,7 @@ - test("MD2", 0, 64, 0, 128); - test("MD5", 0, 64, 0, 128); - test("SHA1", 0, 64, 0, 128); -+ test("SHA-224", 0, 64, 0, 128); - test("SHA-256", 0, 64, 0, 128); - test("SHA-384", 0, 128, 0, 256); - test("SHA-512", 0, 128, 0, 256); -diff -Nru openjdk.orig/jdk/test/sun/security/provider/MessageDigest/TestSHAClone.java openjdk/jdk/test/sun/security/provider/MessageDigest/TestSHAClone.java ---- openjdk.orig/jdk/test/sun/security/provider/MessageDigest/TestSHAClone.java 2015-07-20 17:22:00.744861118 +0100 -+++ openjdk/jdk/test/sun/security/provider/MessageDigest/TestSHAClone.java 2015-07-20 17:43:33.194332538 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2002, 2003, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -24,7 +24,7 @@ - /** - * @test - * @bug 4775971 -- * @summary test the clone implementation of SHA, SHA-256, -+ * @summary test the clone implementation of SHA, SHA-224, SHA-256, - * SHA-384, SHA-512 MessageDigest implementation. - */ - import java.security.*; -@@ -33,7 +33,7 @@ - public class TestSHAClone { - - private static final String[] ALGOS = { -- "SHA", "SHA-256", "SHA-512", "SHA-384" -+ "SHA", "SHA-224", "SHA-256", "SHA-512", "SHA-384" - }; - - private static byte[] input1 = { -diff -Nru openjdk.orig/jdk/test/sun/security/rsa/TestKeyPairGenerator.java openjdk/jdk/test/sun/security/rsa/TestKeyPairGenerator.java ---- openjdk.orig/jdk/test/sun/security/rsa/TestKeyPairGenerator.java 2015-07-20 17:22:01.512847732 +0100 -+++ openjdk/jdk/test/sun/security/rsa/TestKeyPairGenerator.java 2015-07-20 17:43:33.194332538 +0100 -@@ -23,7 +23,7 @@ - - /** - * @test -- * @bug 4853305 4865198 4888410 -+ * @bug 4853305 4865198 4888410 4963723 - * @summary Verify that the RSA KeyPairGenerator works - * @author Andreas Sterbenz - */ -@@ -60,6 +60,7 @@ - testSignature("MD2withRSA", privateKey, publicKey); - testSignature("MD5withRSA", privateKey, publicKey); - testSignature("SHA1withRSA", privateKey, publicKey); -+ testSignature("SHA224withRSA", privateKey, publicKey); - testSignature("SHA256withRSA", privateKey, publicKey); - RSAPublicKey rsaKey = (RSAPublicKey)publicKey; - if (rsaKey.getModulus().bitLength() > 512) { -diff -Nru openjdk.orig/jdk/test/sun/security/rsa/TestSignatures.java openjdk/jdk/test/sun/security/rsa/TestSignatures.java ---- openjdk.orig/jdk/test/sun/security/rsa/TestSignatures.java 2015-07-20 17:22:01.516847662 +0100 -+++ openjdk/jdk/test/sun/security/rsa/TestSignatures.java 2015-07-20 17:43:33.194332538 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -23,7 +23,7 @@ - - /** - * @test -- * @bug 4853305 -+ * @bug 4853305 4963723 - * @summary Test signing/verifying using all the signature algorithms - * @author Andreas Sterbenz - */ -@@ -80,6 +80,7 @@ - testSignature("MD2withRSA", privateKey, publicKey); - testSignature("MD5withRSA", privateKey, publicKey); - testSignature("SHA1withRSA", privateKey, publicKey); -+ testSignature("SHA224withRSA", privateKey, publicKey); - testSignature("SHA256withRSA", privateKey, publicKey); - RSAPublicKey rsaKey = (RSAPublicKey)publicKey; - if (rsaKey.getModulus().bitLength() > 512) {
--- a/patches/openjdk/6578658-sunmscapi_nonewithrsa.patch Wed May 04 02:55:09 2016 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,602 +0,0 @@ -# HG changeset patch -# User vinnie -# Date 1412805665 -3600 -# Wed Oct 08 23:01:05 2014 +0100 -# Node ID 29dda8a543712fa28e76a963b6310e6a6a1b66d6 -# Parent c4a0ef23f3c4f3f7ab264e518fe8c6b4fa4f6683 -6578658: Request for raw RSA (NONEwithRSA) Signature support in SunMSCAPI -Reviewed-by: wetmore - -diff -r c4a0ef23f3c4 -r 29dda8a54371 src/windows/classes/sun/security/mscapi/RSASignature.java ---- openjdk/jdk/src/windows/classes/sun/security/mscapi/RSASignature.java Wed Oct 08 22:54:43 2014 +0100 -+++ openjdk/jdk/src/windows/classes/sun/security/mscapi/RSASignature.java Wed Oct 08 23:01:05 2014 +0100 -@@ -48,6 +48,7 @@ - * Objects should be instantiated by calling Signature.getInstance() using the - * following algorithm names: - * -+ * . "NONEwithRSA" - * . "SHA1withRSA" - * . "SHA224withRSA" - * . "SHA256withRSA" -@@ -56,7 +57,12 @@ - * . "MD5withRSA" - * . "MD2withRSA" - * -- * Note: RSA keys must be at least 512 bits long -+ * NOTE: RSA keys must be at least 512 bits long. -+ * -+ * NOTE: NONEwithRSA must be supplied with a pre-computed message digest. -+ * Only the following digest algorithms are supported: MD5, SHA-1, -+ * SHA-224, SHA-256, SHA-384, SHA-512 and a special-purpose digest -+ * algorithm which is a concatenation of SHA-1 and MD5 digests. - * - * @since 1.6 - * @author Stanley Man-Kit Ho -@@ -67,7 +73,7 @@ - private final MessageDigest messageDigest; - - // message digest name -- private final String messageDigestAlgorithm; -+ private String messageDigestAlgorithm; - - // flag indicating whether the digest has been reset - private boolean needsReset; -@@ -78,6 +84,13 @@ - // the verification key - private Key publicKey = null; - -+ /** -+ * Constructs a new RSASignature. Used by Raw subclass. -+ */ -+ RSASignature() { -+ messageDigest = null; -+ messageDigestAlgorithm = null; -+ } - - /** - * Constructs a new RSASignature. Used by subclasses. -@@ -96,6 +109,96 @@ - needsReset = false; - } - -+ // Nested class for NONEwithRSA signatures -+ public static final class Raw extends RSASignature { -+ -+ // the longest supported digest is 512 bits (SHA-512) -+ private static final int RAW_RSA_MAX = 64; -+ -+ private final byte[] precomputedDigest; -+ private int offset = 0; -+ -+ public Raw() { -+ precomputedDigest = new byte[RAW_RSA_MAX]; -+ } -+ -+ // Stores the precomputed message digest value. -+ @Override -+ protected void engineUpdate(byte b) throws SignatureException { -+ if (offset >= precomputedDigest.length) { -+ offset = RAW_RSA_MAX + 1; -+ return; -+ } -+ precomputedDigest[offset++] = b; -+ } -+ -+ // Stores the precomputed message digest value. -+ @Override -+ protected void engineUpdate(byte[] b, int off, int len) -+ throws SignatureException { -+ if (offset + len > precomputedDigest.length) { -+ offset = RAW_RSA_MAX + 1; -+ return; -+ } -+ System.arraycopy(b, off, precomputedDigest, offset, len); -+ offset += len; -+ } -+ -+ // Stores the precomputed message digest value. -+ @Override -+ protected void engineUpdate(ByteBuffer byteBuffer) { -+ int len = byteBuffer.remaining(); -+ if (len <= 0) { -+ return; -+ } -+ if (offset + len > precomputedDigest.length) { -+ offset = RAW_RSA_MAX + 1; -+ return; -+ } -+ byteBuffer.get(precomputedDigest, offset, len); -+ offset += len; -+ } -+ -+ @Override -+ protected void resetDigest(){ -+ offset = 0; -+ } -+ -+ // Returns the precomputed message digest value. -+ @Override -+ protected byte[] getDigestValue() throws SignatureException { -+ if (offset > RAW_RSA_MAX) { -+ throw new SignatureException("Message digest is too long"); -+ } -+ -+ // Determine the digest algorithm from the digest length -+ if (offset == 20) { -+ setDigestName("SHA1"); -+ } else if (offset == 36) { -+ setDigestName("SHA1+MD5"); -+ } else if (offset == 32) { -+ setDigestName("SHA-256"); -+ } else if (offset == 48) { -+ setDigestName("SHA-384"); -+ } else if (offset == 64) { -+ setDigestName("SHA-512"); -+ } else if (offset == 16) { -+ setDigestName("MD5"); -+ } else if (offset == 28) { -+ setDigestName("SHA-224"); -+ } else { -+ throw new SignatureException( -+ "Message digest length is not supported"); -+ } -+ -+ byte[] result = new byte[offset]; -+ System.arraycopy(precomputedDigest, 0, result, 0, offset); -+ offset = 0; -+ -+ return result; -+ } -+ } -+ - public static final class SHA1 extends RSASignature { - public SHA1() { - super("SHA1"); -@@ -205,18 +308,22 @@ - /** - * Resets the message digest if needed. - */ -- private void resetDigest() { -+ protected void resetDigest() { - if (needsReset) { - messageDigest.reset(); - needsReset = false; - } - } - -- private byte[] getDigestValue() { -+ protected byte[] getDigestValue() throws SignatureException { - needsReset = false; - return messageDigest.digest(); - } - -+ protected void setDigestName(String name) { -+ messageDigestAlgorithm = name; -+ } -+ - /** - * Updates the data to be signed or verified - * using the specified byte. -@@ -278,9 +385,12 @@ - - byte[] hash = getDigestValue(); - -+ // Omit the hash OID when generating a Raw signature -+ boolean noHashOID = this instanceof Raw; -+ - // Sign hash using MS Crypto APIs - -- byte[] result = signHash(hash, hash.length, -+ byte[] result = signHash(noHashOID, hash, hash.length, - messageDigestAlgorithm, privateKey.getHCryptProvider(), - privateKey.getHCryptKey()); - -@@ -309,8 +419,8 @@ - * Sign hash using Microsoft Crypto API with HCRYPTKEY. - * The returned data is in little-endian. - */ -- private native static byte[] signHash(byte[] hash, int hashSize, -- String hashAlgorithm, long hCryptProv, long hCryptKey) -+ private native static byte[] signHash(boolean noHashOID, byte[] hash, -+ int hashSize, String hashAlgorithm, long hCryptProv, long hCryptKey) - throws SignatureException; - - /** -diff -r c4a0ef23f3c4 -r 29dda8a54371 src/windows/classes/sun/security/mscapi/SunMSCAPI.java ---- openjdk/jdk/src/windows/classes/sun/security/mscapi/SunMSCAPI.java Wed Oct 08 22:54:43 2014 +0100 -+++ openjdk/jdk/src/windows/classes/sun/security/mscapi/SunMSCAPI.java Wed Oct 08 23:01:05 2014 +0100 -@@ -79,6 +79,12 @@ - /* - * Signature engines - */ -+ // NONEwithRSA must be supplied with a pre-computed message digest. -+ // Only the following digest algorithms are supported: MD5, SHA-1, -+ // SHA-224, SHA-256, SHA-384, SHA-512 and a special-purpose digest -+ // algorithm which is a concatenation of SHA-1 and MD5 digests. -+ map.put("Signature.NONEwithRSA", -+ "sun.security.mscapi.RSASignature$Raw"); - map.put("Signature.SHA1withRSA", - "sun.security.mscapi.RSASignature$SHA1"); - map.put("Signature.SHA224withRSA", -@@ -105,6 +111,8 @@ - "sun.security.mscapi.RSASignature$MD2"); - - // supported key classes -+ map.put("Signature.NONEwithRSA SupportedKeyClasses", -+ "sun.security.mscapi.Key"); - map.put("Signature.SHA1withRSA SupportedKeyClasses", - "sun.security.mscapi.Key"); - map.put("Signature.SHA224withRSA SupportedKeyClasses", -diff -r c4a0ef23f3c4 -r 29dda8a54371 src/windows/native/sun/security/mscapi/security.cpp ---- openjdk/jdk/src/windows/native/sun/security/mscapi/security.cpp Wed Oct 08 22:54:43 2014 +0100 -+++ openjdk/jdk/src/windows/native/sun/security/mscapi/security.cpp Wed Oct 08 23:01:05 2014 +0100 -@@ -79,6 +79,8 @@ - (strcmp("SHA-1", pszHashAlgorithm) == 0)) { - - algId = CALG_SHA1; -+ } else if (strcmp("SHA1+MD5", pszHashAlgorithm) == 0) { -+ algId = CALG_SSL3_SHAMD5; // a 36-byte concatenation of SHA-1 and MD5 - } else if (strcmp("SHA-256", pszHashAlgorithm) == 0) { - algId = CALG_SHA_256; - } else if (strcmp("SHA-384", pszHashAlgorithm) == 0) { -@@ -471,11 +473,12 @@ - /* - * Class: sun_security_mscapi_RSASignature - * Method: signHash -- * Signature: ([BILjava/lang/String;JJ)[B -+ * Signature: (Z[BILjava/lang/String;JJ)[B - */ - JNIEXPORT jbyteArray JNICALL Java_sun_security_mscapi_RSASignature_signHash -- (JNIEnv *env, jclass clazz, jbyteArray jHash, jint jHashSize, -- jstring jHashAlgorithm, jlong hCryptProv, jlong hCryptKey) -+ (JNIEnv *env, jclass clazz, jboolean noHashOID, jbyteArray jHash, -+ jint jHashSize, jstring jHashAlgorithm, jlong hCryptProv, -+ jlong hCryptKey) - { - HCRYPTHASH hHash = NULL; - jbyte* pHashBuffer = NULL; -@@ -546,14 +549,20 @@ - - // Determine size of buffer - DWORD dwBufLen = 0; -- if (::CryptSignHash(hHash, dwKeySpec, NULL, NULL, NULL, &dwBufLen) == FALSE) -+ DWORD dwFlags = 0; -+ -+ if (noHashOID == JNI_TRUE) { -+ dwFlags = CRYPT_NOHASHOID; // omit hash OID in NONEwithRSA signature -+ } -+ -+ if (::CryptSignHash(hHash, dwKeySpec, NULL, dwFlags, NULL, &dwBufLen) == FALSE) - { - ThrowException(env, SIGNATURE_EXCEPTION, GetLastError()); - __leave; - } - - pSignedHashBuffer = new jbyte[dwBufLen]; -- if (::CryptSignHash(hHash, dwKeySpec, NULL, NULL, (BYTE*)pSignedHashBuffer, &dwBufLen) == FALSE) -+ if (::CryptSignHash(hHash, dwKeySpec, NULL, dwFlags, (BYTE*)pSignedHashBuffer, &dwBufLen) == FALSE) - { - ThrowException(env, SIGNATURE_EXCEPTION, GetLastError()); - __leave; -diff -r c4a0ef23f3c4 -r 29dda8a54371 test/sun/security/mscapi/SignUsingNONEwithRSA.java ---- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ openjdk/jdk/test/sun/security/mscapi/SignUsingNONEwithRSA.java Wed Oct 08 23:01:05 2014 +0100 -@@ -0,0 +1,231 @@ -+/* -+ * Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+/** -+ * @see SignUsingNONEwithRSA.sh -+ */ -+ -+import java.security.*; -+import java.util.*; -+ -+public class SignUsingNONEwithRSA { -+ -+ private static final List<byte[]> precomputedHashes = Arrays.asList( -+ // A MD5 hash -+ new byte[] { -+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10, -+ 0x11, 0x12, 0x13, 0x14, 0x15, 0x16 -+ }, -+ // A SHA-1 hash -+ new byte[] { -+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10, -+ 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x20 -+ }, -+ // A concatenation of SHA-1 and MD5 hashes (used during SSL handshake) -+ new byte[] { -+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10, -+ 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x20, -+ 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x30, -+ 0x31, 0x32, 0x33, 0x34, 0x35, 0x36 -+ }, -+ // A SHA-224 hash -+ new byte[] { -+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10, -+ 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x20, -+ 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28 -+ }, -+ // A SHA-256 hash -+ new byte[] { -+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10, -+ 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x20, -+ 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x30, -+ 0x31, 0x32 -+ }, -+ // A SHA-384 hash -+ new byte[] { -+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10, -+ 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x20, -+ 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x30, -+ 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40, -+ 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48 -+ }, -+ // A SHA-512 hash -+ new byte[] { -+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10, -+ 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x20, -+ 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x30, -+ 0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40, -+ 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47, 0x48, 0x49, 0x50, -+ 0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57, 0x58, 0x59, 0x60, -+ 0x61, 0x62, 0x63, 0x64 -+ }); -+ -+ private static List<byte[]> generatedSignatures = new ArrayList<>(); -+ -+ public static void main(String[] args) throws Exception { -+ -+ Provider[] providers = Security.getProviders("Signature.NONEwithRSA"); -+ if (providers == null) { -+ System.out.println("No JCE providers support the " + -+ "'Signature.NONEwithRSA' algorithm"); -+ System.out.println("Skipping this test..."); -+ return; -+ -+ } else { -+ System.out.println("The following JCE providers support the " + -+ "'Signature.NONEwithRSA' algorithm: "); -+ for (Provider provider : providers) { -+ System.out.println(" " + provider.getName()); -+ } -+ } -+ System.out.println("-------------------------------------------------"); -+ -+ KeyPair keys = getKeysFromKeyStore(); -+ signAllUsing("SunMSCAPI", keys.getPrivate()); -+ System.out.println("-------------------------------------------------"); -+ -+ verifyAllUsing("SunMSCAPI", keys.getPublic()); -+ System.out.println("-------------------------------------------------"); -+ -+ verifyAllUsing("SunJCE", keys.getPublic()); -+ System.out.println("-------------------------------------------------"); -+ -+ keys = generateKeys(); -+ signAllUsing("SunJCE", keys.getPrivate()); -+ System.out.println("-------------------------------------------------"); -+ -+ verifyAllUsing("SunMSCAPI", keys.getPublic()); -+ System.out.println("-------------------------------------------------"); -+ -+ } -+ -+ private static KeyPair getKeysFromKeyStore() throws Exception { -+ KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI"); -+ ks.load(null, null); -+ System.out.println("Loaded keystore: Windows-MY"); -+ -+ Enumeration e = ks.aliases(); -+ PrivateKey privateKey = null; -+ PublicKey publicKey = null; -+ -+ while (e.hasMoreElements()) { -+ String alias = (String) e.nextElement(); -+ if (alias.equals("6578658")) { -+ System.out.println("Loaded entry: " + alias); -+ privateKey = (PrivateKey) ks.getKey(alias, null); -+ publicKey = (PublicKey) ks.getCertificate(alias).getPublicKey(); -+ } -+ } -+ if (privateKey == null || publicKey == null) { -+ throw new Exception("Cannot load the keys need to run this test"); -+ } -+ -+ return new KeyPair(publicKey, privateKey); -+ } -+ -+ -+ private static KeyPair generateKeys() throws Exception { -+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA"); -+ keyGen.initialize(1024, null); -+ KeyPair pair = keyGen.generateKeyPair(); -+ PrivateKey privateKey = pair.getPrivate(); -+ PublicKey publicKey = pair.getPublic(); -+ -+ if (privateKey == null || publicKey == null) { -+ throw new Exception("Cannot load the keys need to run this test"); -+ } -+ -+ return new KeyPair(publicKey, privateKey); -+ } -+ -+ private static void signAllUsing(String providerName, PrivateKey privateKey) -+ throws Exception { -+ Signature sig1 = Signature.getInstance("NONEwithRSA", providerName); -+ if (sig1 == null) { -+ throw new Exception("'NONEwithRSA' is not supported"); -+ } -+ if (sig1.getProvider() != null) { -+ System.out.println("Using NONEwithRSA signer from the " + -+ sig1.getProvider().getName() + " JCE provider"); -+ } else { -+ System.out.println( -+ "Using NONEwithRSA signer from the internal JCE provider"); -+ } -+ -+ System.out.println("Using key: " + privateKey); -+ generatedSignatures.clear(); -+ for (byte[] hash : precomputedHashes) { -+ sig1.initSign(privateKey); -+ sig1.update(hash); -+ -+ try { -+ -+ byte [] sigBytes = sig1.sign(); -+ System.out.println("\nGenerated RSA signature over a " + -+ hash.length + "-byte hash (signature length: " + -+ sigBytes.length * 8 + " bits)"); -+ System.out.println(String.format("0x%0" + -+ (sigBytes.length * 2) + "x", -+ new java.math.BigInteger(1, sigBytes))); -+ generatedSignatures.add(sigBytes); -+ -+ } catch (SignatureException se) { -+ System.out.println("Error generating RSA signature: " + se); -+ } -+ } -+ } -+ -+ private static void verifyAllUsing(String providerName, PublicKey publicKey) -+ throws Exception { -+ Signature sig1 = Signature.getInstance("NONEwithRSA", providerName); -+ if (sig1.getProvider() != null) { -+ System.out.println("\nUsing NONEwithRSA verifier from the " + -+ sig1.getProvider().getName() + " JCE provider"); -+ } else { -+ System.out.println( -+ "\nUsing NONEwithRSA verifier from the internal JCE provider"); -+ } -+ -+ System.out.println("Using key: " + publicKey); -+ -+ int i = 0; -+ for (byte[] hash : precomputedHashes) { -+ -+ byte[] sigBytes = generatedSignatures.get(i++); -+ System.out.println("\nVerifying RSA Signature over a " + -+ hash.length + "-byte hash (signature length: " + -+ sigBytes.length * 8 + " bits)"); -+ System.out.println(String.format("0x%0" + -+ (sigBytes.length * 2) + "x", -+ new java.math.BigInteger(1, sigBytes))); -+ -+ sig1.initVerify(publicKey); -+ sig1.update(hash); -+ if (sig1.verify(sigBytes)) { -+ System.out.println("Verify PASSED"); -+ } else { -+ throw new Exception("Verify FAILED"); -+ } -+ } -+ } -+} -diff -r c4a0ef23f3c4 -r 29dda8a54371 test/sun/security/mscapi/SignUsingNONEwithRSA.sh ---- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ openjdk/jdk/test/sun/security/mscapi/SignUsingNONEwithRSA.sh Wed Oct 08 23:01:05 2014 +0100 -@@ -0,0 +1,83 @@ -+#!/bin/sh -+ -+# -+# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. -+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+# -+# This code is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License version 2 only, as -+# published by the Free Software Foundation. -+# -+# This code is distributed in the hope that it will be useful, but WITHOUT -+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+# version 2 for more details (a copy is included in the LICENSE file that -+# accompanied this code). -+# -+# You should have received a copy of the GNU General Public License version -+# 2 along with this work; if not, write to the Free Software Foundation, -+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+# -+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+# or visit www.oracle.com if you need additional information or have any -+# questions. -+# -+ -+ -+# @test -+# @bug 6578658 -+# @run shell SignUsingNONEwithRSA.sh -+# @summary Sign using the NONEwithRSA signature algorithm from SunMSCAPI -+ -+# set a few environment variables so that the shell-script can run stand-alone -+# in the source directory -+if [ "${TESTSRC}" = "" ] ; then -+ TESTSRC="." -+fi -+ -+if [ "${TESTCLASSES}" = "" ] ; then -+ TESTCLASSES="." -+fi -+ -+if [ "${TESTJAVA}" = "" ] ; then -+ echo "TESTJAVA not set. Test cannot execute." -+ echo "FAILED!!!" -+ exit 1 -+fi -+ -+OS=`uname -s` -+case "$OS" in -+ Windows* | CYGWIN* ) -+ -+ echo "Creating a temporary RSA keypair in the Windows-My store..." -+ ${TESTJAVA}/bin/keytool \ -+ -genkeypair \ -+ -storetype Windows-My \ -+ -keyalg RSA \ -+ -alias 6578658 \ -+ -dname "cn=6578658,c=US" \ -+ -noprompt -+ -+ echo -+ echo "Running the test..." -+ ${TESTJAVA}/bin/javac -d . ${TESTSRC}\\SignUsingNONEwithRSA.java -+ ${TESTJAVA}/bin/java SignUsingNONEwithRSA -+ -+ rc=$? -+ -+ echo -+ echo "Removing the temporary RSA keypair from the Windows-My store..." -+ ${TESTJAVA}/bin/keytool \ -+ -delete \ -+ -storetype Windows-My \ -+ -alias 6578658 -+ -+ echo done. -+ exit $rc -+ ;; -+ -+ * ) -+ echo "This test is not intended for '$OS' - passing test" -+ exit 0 -+ ;; -+esac
--- a/patches/openjdk/6753664-sunmscapi_sha-256.patch Wed May 04 02:55:09 2016 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,640 +0,0 @@ -# HG changeset patch -# User vinnie -# Date 1412805283 -3600 -# Wed Oct 08 22:54:43 2014 +0100 -# Node ID c4a0ef23f3c4f3f7ab264e518fe8c6b4fa4f6683 -# Parent 2adb6892881f4e3b359026854562b2ac70c63bef -6753664: Support SHA256 (and higher) in SunMSCAPI -Reviewed-by: mullan - -diff -r 2adb6892881f -r c4a0ef23f3c4 src/windows/classes/sun/security/mscapi/RSASignature.java ---- openjdk/jdk/src/windows/classes/sun/security/mscapi/RSASignature.java Wed Oct 08 22:42:49 2014 +0100 -+++ openjdk/jdk/src/windows/classes/sun/security/mscapi/RSASignature.java Wed Oct 08 22:54:43 2014 +0100 -@@ -50,6 +50,9 @@ - * - * . "SHA1withRSA" - * . "SHA224withRSA" -+ * . "SHA256withRSA" -+ * . "SHA384withRSA" -+ * . "SHA512withRSA" - * . "MD5withRSA" - * . "MD2withRSA" - * -@@ -63,7 +66,10 @@ - // message digest implementation we use - private final MessageDigest messageDigest; - -- // flag indicating whether the digest is reset -+ // message digest name -+ private final String messageDigestAlgorithm; -+ -+ // flag indicating whether the digest has been reset - private boolean needsReset; - - // the signing key -@@ -73,10 +79,15 @@ - private Key publicKey = null; - - -+ /** -+ * Constructs a new RSASignature. Used by subclasses. -+ */ - RSASignature(String digestName) { - - try { - messageDigest = MessageDigest.getInstance(digestName); -+ // Get the digest's canonical name -+ messageDigestAlgorithm = messageDigest.getAlgorithm(); - - } catch (NoSuchAlgorithmException e) { - throw new ProviderException(e); -@@ -97,6 +108,24 @@ - } - } - -+ public static final class SHA256 extends RSASignature { -+ public SHA256() { -+ super("SHA-256"); -+ } -+ } -+ -+ public static final class SHA384 extends RSASignature { -+ public SHA384() { -+ super("SHA-384"); -+ } -+ } -+ -+ public static final class SHA512 extends RSASignature { -+ public SHA512() { -+ super("SHA-512"); -+ } -+ } -+ - public static final class MD5 extends RSASignature { - public MD5() { - super("MD5"); -@@ -109,16 +138,7 @@ - } - } - -- /** -- * Initializes this signature object with the specified -- * public key for verification operations. -- * -- * @param publicKey the public key of the identity whose signature is -- * going to be verified. -- * -- * @exception InvalidKeyException if the key is improperly -- * encoded, parameters are missing, and so on. -- */ -+ // initialize for signing. See JCA doc - protected void engineInitVerify(PublicKey key) - throws InvalidKeyException - { -@@ -159,24 +179,12 @@ - publicKey = (sun.security.mscapi.RSAPublicKey) key; - } - -- if (needsReset) { -- messageDigest.reset(); -- needsReset = false; -- } -+ this.privateKey = null; -+ resetDigest(); - } - -- /** -- * Initializes this signature object with the specified -- * private key for signing operations. -- * -- * @param privateKey the private key of the identity whose signature -- * will be generated. -- * -- * @exception InvalidKeyException if the key is improperly -- * encoded, parameters are missing, and so on. -- */ -- protected void engineInitSign(PrivateKey key) -- throws InvalidKeyException -+ // initialize for signing. See JCA doc -+ protected void engineInitSign(PrivateKey key) throws InvalidKeyException - { - // This signature accepts only RSAPrivateKey - if ((key instanceof sun.security.mscapi.RSAPrivateKey) == false) { -@@ -190,12 +198,25 @@ - null, RSAKeyPairGenerator.KEY_SIZE_MIN, - RSAKeyPairGenerator.KEY_SIZE_MAX); - -+ this.publicKey = null; -+ resetDigest(); -+ } -+ -+ /** -+ * Resets the message digest if needed. -+ */ -+ private void resetDigest() { - if (needsReset) { - messageDigest.reset(); - needsReset = false; - } - } - -+ private byte[] getDigestValue() { -+ needsReset = false; -+ return messageDigest.digest(); -+ } -+ - /** - * Updates the data to be signed or verified - * using the specified byte. -@@ -255,13 +276,12 @@ - */ - protected byte[] engineSign() throws SignatureException { - -- byte[] hash = messageDigest.digest(); -- needsReset = false; -+ byte[] hash = getDigestValue(); - - // Sign hash using MS Crypto APIs - - byte[] result = signHash(hash, hash.length, -- messageDigest.getAlgorithm(), privateKey.getHCryptProvider(), -+ messageDigestAlgorithm, privateKey.getHCryptProvider(), - privateKey.getHCryptKey()); - - // Convert signature array from little endian to big endian -@@ -315,11 +335,10 @@ - protected boolean engineVerify(byte[] sigBytes) - throws SignatureException - { -- byte[] hash = messageDigest.digest(); -- needsReset = false; -+ byte[] hash = getDigestValue(); - - return verifySignedHash(hash, hash.length, -- messageDigest.getAlgorithm(), convertEndianArray(sigBytes), -+ messageDigestAlgorithm, convertEndianArray(sigBytes), - sigBytes.length, publicKey.getHCryptProvider(), - publicKey.getHCryptKey()); - } -diff -r 2adb6892881f -r c4a0ef23f3c4 src/windows/classes/sun/security/mscapi/SunMSCAPI.java ---- openjdk/jdk/src/windows/classes/sun/security/mscapi/SunMSCAPI.java Wed Oct 08 22:42:49 2014 +0100 -+++ openjdk/jdk/src/windows/classes/sun/security/mscapi/SunMSCAPI.java Wed Oct 08 22:54:43 2014 +0100 -@@ -85,6 +85,20 @@ - "sun.security.mscapi.RSASignature$SHA224"); - map.put("Alg.Alias.Signature.1.2.840.113549.1.1.14", "SHA224withRSA"); - map.put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.14", "SHA224withRSA"); -+ map.put("Signature.SHA256withRSA", -+ "sun.security.mscapi.RSASignature$SHA256"); -+ map.put("Alg.Alias.Signature.1.2.840.113549.1.1.11", "SHA256withRSA"); -+ map.put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.11", "SHA256withRSA"); -+ map.put("Signature.SHA384withRSA", -+ "sun.security.mscapi.RSASignature$SHA384"); -+ map.put("Alg.Alias.Signature.1.2.840.113549.1.1.12", "SHA384withRSA"); -+ map.put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.12", "SHA384withRSA"); -+ -+ map.put("Signature.SHA512withRSA", -+ "sun.security.mscapi.RSASignature$SHA512"); -+ map.put("Alg.Alias.Signature.1.2.840.113549.1.1.13", "SHA512withRSA"); -+ map.put("Alg.Alias.Signature.OID.1.2.840.113549.1.1.13", "SHA512withRSA"); -+ - map.put("Signature.MD5withRSA", - "sun.security.mscapi.RSASignature$MD5"); - map.put("Signature.MD2withRSA", -@@ -95,12 +109,16 @@ - "sun.security.mscapi.Key"); - map.put("Signature.SHA224withRSA SupportedKeyClasses", - "sun.security.mscapi.Key"); -+ map.put("Signature.SHA256withRSA SupportedKeyClasses", -+ "sun.security.mscapi.Key"); -+ map.put("Signature.SHA384withRSA SupportedKeyClasses", -+ "sun.security.mscapi.Key"); -+ map.put("Signature.SHA512withRSA SupportedKeyClasses", -+ "sun.security.mscapi.Key"); - map.put("Signature.MD5withRSA SupportedKeyClasses", - "sun.security.mscapi.Key"); - map.put("Signature.MD2withRSA SupportedKeyClasses", - "sun.security.mscapi.Key"); -- map.put("Signature.NONEwithRSA SupportedKeyClasses", -- "sun.security.mscapi.Key"); - - /* - * Key Pair Generator engines -diff -r 2adb6892881f -r c4a0ef23f3c4 src/windows/native/sun/security/mscapi/security.cpp ---- openjdk/jdk/src/windows/native/sun/security/mscapi/security.cpp Wed Oct 08 22:42:49 2014 +0100 -+++ openjdk/jdk/src/windows/native/sun/security/mscapi/security.cpp Wed Oct 08 22:54:43 2014 +0100 -@@ -481,6 +481,7 @@ - jbyte* pHashBuffer = NULL; - jbyte* pSignedHashBuffer = NULL; - jbyteArray jSignedHash = NULL; -+ HCRYPTPROV hCryptProvAlt = NULL; - - __try - { -@@ -490,8 +491,32 @@ - // Acquire a hash object handle. - if (::CryptCreateHash(HCRYPTPROV(hCryptProv), algId, 0, 0, &hHash) == FALSE) - { -- ThrowException(env, SIGNATURE_EXCEPTION, GetLastError()); -- __leave; -+ // Failover to using the PROV_RSA_AES CSP -+ -+ DWORD cbData = 256; -+ BYTE pbData[256]; -+ pbData[0] = '\0'; -+ -+ // Get name of the key container -+ ::CryptGetProvParam((HCRYPTPROV)hCryptProv, PP_CONTAINER, -+ (BYTE *)pbData, &cbData, 0); -+ -+ // Acquire an alternative CSP handle -+ if (::CryptAcquireContext(&hCryptProvAlt, LPCSTR(pbData), NULL, -+ PROV_RSA_AES, 0) == FALSE) -+ { -+ -+ ThrowException(env, SIGNATURE_EXCEPTION, GetLastError()); -+ __leave; -+ } -+ -+ // Acquire a hash object handle. -+ if (::CryptCreateHash(HCRYPTPROV(hCryptProvAlt), algId, 0, 0, -+ &hHash) == FALSE) -+ { -+ ThrowException(env, SIGNATURE_EXCEPTION, GetLastError()); -+ __leave; -+ } - } - - // Copy hash from Java to native buffer -@@ -544,6 +569,9 @@ - } - __finally - { -+ if (hCryptProvAlt) -+ ::CryptReleaseContext(hCryptProvAlt, 0); -+ - if (pSignedHashBuffer) - delete [] pSignedHashBuffer; - -@@ -572,6 +600,7 @@ - jbyte* pSignedHashBuffer = NULL; - DWORD dwSignedHashBufferLen = jSignedHashSize; - jboolean result = JNI_FALSE; -+ HCRYPTPROV hCryptProvAlt = NULL; - - __try - { -@@ -582,8 +611,32 @@ - if (::CryptCreateHash(HCRYPTPROV(hCryptProv), algId, 0, 0, &hHash) - == FALSE) - { -- ThrowException(env, SIGNATURE_EXCEPTION, GetLastError()); -- __leave; -+ // Failover to using the PROV_RSA_AES CSP -+ -+ DWORD cbData = 256; -+ BYTE pbData[256]; -+ pbData[0] = '\0'; -+ -+ // Get name of the key container -+ ::CryptGetProvParam((HCRYPTPROV)hCryptProv, PP_CONTAINER, -+ (BYTE *)pbData, &cbData, 0); -+ -+ // Acquire an alternative CSP handle -+ if (::CryptAcquireContext(&hCryptProvAlt, LPCSTR(pbData), NULL, -+ PROV_RSA_AES, 0) == FALSE) -+ { -+ -+ ThrowException(env, SIGNATURE_EXCEPTION, GetLastError()); -+ __leave; -+ } -+ -+ // Acquire a hash object handle. -+ if (::CryptCreateHash(HCRYPTPROV(hCryptProvAlt), algId, 0, 0, -+ &hHash) == FALSE) -+ { -+ ThrowException(env, SIGNATURE_EXCEPTION, GetLastError()); -+ __leave; -+ } - } - - // Copy hash and signedHash from Java to native buffer -@@ -614,6 +667,9 @@ - - __finally - { -+ if (hCryptProvAlt) -+ ::CryptReleaseContext(hCryptProvAlt, 0); -+ - if (pSignedHashBuffer) - delete [] pSignedHashBuffer; - -@@ -646,15 +702,27 @@ - pszKeyContainerName = env->GetStringUTFChars(keyContainerName, NULL); - - // Acquire a CSP context (create a new key container). -+ // Prefer a PROV_RSA_AES CSP, when available, due to its support -+ // for SHA-2-based signatures. - if (::CryptAcquireContext( - &hCryptProv, - pszKeyContainerName, - NULL, -- PROV_RSA_FULL, -+ PROV_RSA_AES, - CRYPT_NEWKEYSET) == FALSE) - { -- ThrowException(env, KEY_EXCEPTION, GetLastError()); -- __leave; -+ // Failover to using the default CSP (PROV_RSA_FULL) -+ -+ if (::CryptAcquireContext( -+ &hCryptProv, -+ pszKeyContainerName, -+ NULL, -+ PROV_RSA_FULL, -+ CRYPT_NEWKEYSET) == FALSE) -+ { -+ ThrowException(env, KEY_EXCEPTION, GetLastError()); -+ __leave; -+ } - } - - // Generate an RSA keypair -@@ -1847,15 +1915,27 @@ - pbKeyBlob = (BYTE *) env->GetByteArrayElements(keyBlob, 0); - - // Acquire a CSP context (create a new key container). -+ // Prefer a PROV_RSA_AES CSP, when available, due to its support -+ // for SHA-2-based signatures. - if (::CryptAcquireContext( - &hCryptProv, - NULL, - NULL, -- PROV_RSA_FULL, -+ PROV_RSA_AES, - CRYPT_VERIFYCONTEXT) == FALSE) - { -- ThrowException(env, KEYSTORE_EXCEPTION, GetLastError()); -- __leave; -+ // Failover to using the default CSP (PROV_RSA_FULL) -+ -+ if (::CryptAcquireContext( -+ &hCryptProv, -+ NULL, -+ NULL, -+ PROV_RSA_FULL, -+ CRYPT_VERIFYCONTEXT) == FALSE) -+ { -+ ThrowException(env, KEYSTORE_EXCEPTION, GetLastError()); -+ __leave; -+ } - } - - // Import the public key -diff -r 2adb6892881f -r c4a0ef23f3c4 test/sun/security/mscapi/SignUsingSHA2withRSA.java ---- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ openjdk/jdk/test/sun/security/mscapi/SignUsingSHA2withRSA.java Wed Oct 08 22:54:43 2014 +0100 -@@ -0,0 +1,157 @@ -+/* -+ * Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+/** -+ * @see SignUsingSHA2withRSA.sh -+ */ -+ -+import java.security.*; -+import java.util.*; -+ -+public class SignUsingSHA2withRSA { -+ -+ private static final byte[] toBeSigned = new byte[] { -+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10 -+ }; -+ -+ private static List<byte[]> generatedSignatures = new ArrayList<byte[]>(); -+ -+ public static void main(String[] args) throws Exception { -+ -+ Provider[] providers = Security.getProviders("Signature.SHA256withRSA"); -+ if (providers == null) { -+ System.out.println("No JCE providers support the " + -+ "'Signature.SHA256withRSA' algorithm"); -+ System.out.println("Skipping this test..."); -+ return; -+ -+ } else { -+ System.out.println("The following JCE providers support the " + -+ "'Signature.SHA256withRSA' algorithm: "); -+ for (Provider provider : providers) { -+ System.out.println(" " + provider.getName()); -+ } -+ } -+ System.out.println("-------------------------------------------------"); -+ -+ KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI"); -+ ks.load(null, null); -+ System.out.println("Loaded keystore: Windows-MY"); -+ -+ Enumeration e = ks.aliases(); -+ PrivateKey privateKey = null; -+ PublicKey publicKey = null; -+ -+ while (e.hasMoreElements()) { -+ String alias = (String) e.nextElement(); -+ if (alias.equals("6753664")) { -+ System.out.println("Loaded entry: " + alias); -+ privateKey = (PrivateKey) ks.getKey(alias, null); -+ publicKey = (PublicKey) ks.getCertificate(alias).getPublicKey(); -+ } -+ } -+ if (privateKey == null || publicKey == null) { -+ throw new Exception("Cannot load the keys need to run this test"); -+ } -+ System.out.println("-------------------------------------------------"); -+ -+ generatedSignatures.add(signUsing("SHA256withRSA", privateKey)); -+ generatedSignatures.add(signUsing("SHA384withRSA", privateKey)); -+ generatedSignatures.add(signUsing("SHA512withRSA", privateKey)); -+ generatedSignatures.add(signUsing("SHA224withRSA", privateKey)); -+ -+ -+ System.out.println("-------------------------------------------------"); -+ -+ verifyUsing("SHA256withRSA", publicKey, generatedSignatures.get(0)); -+ verifyUsing("SHA384withRSA", publicKey, generatedSignatures.get(1)); -+ verifyUsing("SHA512withRSA", publicKey, generatedSignatures.get(2)); -+ verifyUsing("SHA224withRSA", publicKey, generatedSignatures.get(3)); -+ -+ -+ System.out.println("-------------------------------------------------"); -+ } -+ -+ private static byte[] signUsing(String signAlgorithm, -+ PrivateKey privateKey) throws Exception { -+ -+ // Must explicitly specify the SunMSCAPI JCE provider -+ // (otherwise SunJCE is chosen because it appears earlier in the list) -+ Signature sig1 = Signature.getInstance(signAlgorithm, "SunMSCAPI"); -+ if (sig1 == null) { -+ throw new Exception("'" + signAlgorithm + "' is not supported"); -+ } -+ System.out.println("Using " + signAlgorithm + " signer from the " + -+ sig1.getProvider().getName() + " JCE provider"); -+ -+ System.out.println("Using key: " + privateKey); -+ sig1.initSign(privateKey); -+ sig1.update(toBeSigned); -+ byte [] sigBytes = null; -+ -+ try { -+ sigBytes = sig1.sign(); -+ System.out.println("Generated RSA signature over a " + -+ toBeSigned.length + "-byte data (signature length: " + -+ sigBytes.length * 8 + " bits)"); -+ System.out.println(String.format("0x%0" + -+ (sigBytes.length * 2) + "x", -+ new java.math.BigInteger(1, sigBytes))); -+ -+ } catch (SignatureException se) { -+ System.out.println("Error generating RSA signature: " + se); -+ } -+ -+ return sigBytes; -+ } -+ -+ private static void verifyUsing(String signAlgorithm, PublicKey publicKey, -+ byte[] signature) throws Exception { -+ -+ // Must explicitly specify the SunMSCAPI JCE provider -+ // (otherwise SunJCE is chosen because it appears earlier in the list) -+ Signature sig1 = Signature.getInstance(signAlgorithm, "SunMSCAPI"); -+ if (sig1 == null) { -+ throw new Exception("'" + signAlgorithm + "' is not supported"); -+ } -+ System.out.println("Using " + signAlgorithm + " verifier from the " -+ + sig1.getProvider().getName() + " JCE provider"); -+ -+ System.out.println("Using key: " + publicKey); -+ -+ System.out.println("\nVerifying RSA Signature over a " + -+ toBeSigned.length + "-byte data (signature length: " + -+ signature.length * 8 + " bits)"); -+ System.out.println(String.format("0x%0" + (signature.length * 2) + -+ "x", new java.math.BigInteger(1, signature))); -+ -+ sig1.initVerify(publicKey); -+ sig1.update(toBeSigned); -+ -+ if (sig1.verify(signature)) { -+ System.out.println("Verify PASSED\n"); -+ } else { -+ throw new Exception("Verify FAILED"); -+ } -+ } -+} -diff -r 2adb6892881f -r c4a0ef23f3c4 test/sun/security/mscapi/SignUsingSHA2withRSA.sh ---- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ openjdk/jdk/test/sun/security/mscapi/SignUsingSHA2withRSA.sh Wed Oct 08 22:54:43 2014 +0100 -@@ -0,0 +1,83 @@ -+#!/bin/sh -+ -+# -+# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. -+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+# -+# This code is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License version 2 only, as -+# published by the Free Software Foundation. -+# -+# This code is distributed in the hope that it will be useful, but WITHOUT -+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+# version 2 for more details (a copy is included in the LICENSE file that -+# accompanied this code). -+# -+# You should have received a copy of the GNU General Public License version -+# 2 along with this work; if not, write to the Free Software Foundation, -+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+# -+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+# or visit www.oracle.com if you need additional information or have any -+# questions. -+# -+ -+ -+# @test -+# @bug 6753664 -+# @run shell SignUsingSHA2withRSA.sh -+# @summary Support SHA256 (and higher) in SunMSCAPI -+ -+# set a few environment variables so that the shell-script can run stand-alone -+# in the source directory -+if [ "${TESTSRC}" = "" ] ; then -+ TESTSRC="." -+fi -+ -+if [ "${TESTCLASSES}" = "" ] ; then -+ TESTCLASSES="." -+fi -+ -+if [ "${TESTJAVA}" = "" ] ; then -+ echo "TESTJAVA not set. Test cannot execute." -+ echo "FAILED!!!" -+ exit 1 -+fi -+ -+OS=`uname -s` -+case "$OS" in -+ Windows* | CYGWIN* ) -+ -+ echo "Creating a temporary RSA keypair in the Windows-My store..." -+ ${TESTJAVA}/bin/keytool \ -+ -genkeypair \ -+ -storetype Windows-My \ -+ -keyalg RSA \ -+ -alias 6753664 \ -+ -dname "cn=6753664,c=US" \ -+ -noprompt -+ -+ echo -+ echo "Running the test..." -+ ${TESTJAVA}/bin/javac -d . ${TESTSRC}\\SignUsingSHA2withRSA.java -+ ${TESTJAVA}/bin/java SignUsingSHA2withRSA -+ -+ rc=$? -+ -+ echo -+ echo "Removing the temporary RSA keypair from the Windows-My store..." -+ ${TESTJAVA}/bin/keytool \ -+ -delete \ -+ -storetype Windows-My \ -+ -alias 6753664 -+ -+ echo done. -+ exit $rc -+ ;; -+ -+ * ) -+ echo "This test is not intended for '$OS' - passing test" -+ exit 0 -+ ;; -+esac
--- a/patches/openjdk/6956398-ephemeraldhkeysize.patch Wed May 04 02:55:09 2016 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,761 +0,0 @@ -# HG changeset patch -# User xuelei -# Date 1428081992 -3600 -# Fri Apr 03 18:26:32 2015 +0100 -# Node ID e7690bee9a7722b20bde481fb2da0bb6b903a258 -# Parent bf4c2a6c354db2c6b6d036908749a27eef1c5968 -6956398, PR2486: make ephemeral DH key match the length of the certificate key -Reviewed-by: weijun - -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java openjdk/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java ---- openjdk.orig/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java 2015-07-20 17:24:47.000000000 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java 2015-07-22 21:02:12.190511032 +0100 -@@ -48,7 +48,9 @@ - - import com.sun.net.ssl.internal.ssl.X509ExtendedTrustManager; - -+import sun.security.action.GetPropertyAction; - import sun.security.util.AlgorithmConstraints; -+import sun.security.util.KeyUtil; - import sun.security.util.LegacyAlgorithmConstraints; - import sun.security.ssl.HandshakeMessage.*; - import sun.security.ssl.CipherSuite.*; -@@ -106,6 +108,50 @@ - LegacyAlgorithmConstraints.PROPERTY_TLS_LEGACY_ALGS, - new SSLAlgorithmDecomposer()); - -+ // Flag to use smart ephemeral DH key which size matches the corresponding -+ // authentication key -+ private static final boolean useSmartEphemeralDHKeys; -+ -+ // Flag to use legacy ephemeral DH key which size is 512 bits for -+ // exportable cipher suites, and 768 bits for others -+ private static final boolean useLegacyEphemeralDHKeys; -+ -+ // The customized ephemeral DH key size for non-exportable cipher suites. -+ private static final int customizedDHKeySize; -+ -+ static { -+ String property = AccessController.doPrivileged( -+ new GetPropertyAction("jdk.tls.ephemeralDHKeySize")); -+ if (property == null || property.length() == 0) { -+ useLegacyEphemeralDHKeys = false; -+ useSmartEphemeralDHKeys = false; -+ customizedDHKeySize = -1; -+ } else if ("matched".equals(property)) { -+ useLegacyEphemeralDHKeys = false; -+ useSmartEphemeralDHKeys = true; -+ customizedDHKeySize = -1; -+ } else if ("legacy".equals(property)) { -+ useLegacyEphemeralDHKeys = true; -+ useSmartEphemeralDHKeys = false; -+ customizedDHKeySize = -1; -+ } else { -+ useLegacyEphemeralDHKeys = false; -+ useSmartEphemeralDHKeys = false; -+ -+ try { -+ customizedDHKeySize = parseUnsignedInt(property); -+ if (customizedDHKeySize < 1024 || customizedDHKeySize > 2048) { -+ throw new IllegalArgumentException( -+ "Customized DH key size should be positive integer " + -+ "between 1024 and 2048 bits, inclusive"); -+ } -+ } catch (NumberFormatException nfe) { -+ throw new IllegalArgumentException( -+ "Invalid system property jdk.tls.ephemeralDHKeySize"); -+ } -+ } -+ } -+ - /* - * Constructor ... use the keys found in the auth context. - */ -@@ -898,7 +944,7 @@ - return false; - } - } else if (keyExchange == K_DHE_RSA) { -- setupEphemeralDHKeys(suite.exportable); -+ setupEphemeralDHKeys(suite.exportable, privateKey); - } else if (keyExchange == K_ECDHE_RSA) { - if (setupEphemeralECDHKeys() == false) { - return false; -@@ -910,7 +956,8 @@ - if (setupPrivateKeyAndChain("DSA") == false) { - return false; - } -- setupEphemeralDHKeys(suite.exportable); -+ -+ setupEphemeralDHKeys(suite.exportable, privateKey); - break; - case K_ECDHE_ECDSA: - // need EC cert signed using EC -@@ -944,7 +991,7 @@ - break; - case K_DH_ANON: - // no certs needed for anonymous -- setupEphemeralDHKeys(suite.exportable); -+ setupEphemeralDHKeys(suite.exportable, null); - break; - case K_ECDH_ANON: - // no certs needed for anonymous -@@ -985,15 +1032,70 @@ - * Acquire some "ephemeral" Diffie-Hellman keys for this handshake. - * We don't reuse these, for improved forward secrecy. - */ -- private void setupEphemeralDHKeys(boolean export) { -+ private void setupEphemeralDHKeys(boolean export, Key key) { - /* -- * Diffie-Hellman keys ... we use 768 bit private keys due -- * to the "use twice as many key bits as bits you want secret" -- * rule of thumb, assuming we want the same size premaster -- * secret with Diffie-Hellman and RSA key exchanges. Except -- * that exportable ciphers max out at 512 bits modulus values. -+ * 768 bits ephemeral DH private keys were used to be used in -+ * ServerKeyExchange except that exportable ciphers max out at 512 -+ * bits modulus values. We still adhere to this behavior in legacy -+ * mode (system property "jdk.tls.ephemeralDHKeySize" is defined -+ * as "legacy"). -+ * -+ * Old JDK (JDK 7 and previous) releases don't support DH keys bigger -+ * than 1024 bits. We have to consider the compatibility requirement. -+ * 1024 bits DH key is always used for non-exportable cipher suites -+ * in default mode (system property "jdk.tls.ephemeralDHKeySize" -+ * is not defined). -+ * -+ * However, if applications want more stronger strength, setting -+ * system property "jdk.tls.ephemeralDHKeySize" to "matched" -+ * is a workaround to use ephemeral DH key which size matches the -+ * corresponding authentication key. For example, if the public key -+ * size of an authentication certificate is 2048 bits, then the -+ * ephemeral DH key size should be 2048 bits accordingly unless -+ * the cipher suite is exportable. This key sizing scheme keeps -+ * the cryptographic strength consistent between authentication -+ * keys and key-exchange keys. -+ * -+ * Applications may also want to customize the ephemeral DH key size -+ * to a fixed length for non-exportable cipher suites. This can be -+ * approached by setting system property "jdk.tls.ephemeralDHKeySize" -+ * to a valid positive integer between 1024 and 2048 bits, inclusive. -+ * -+ * Note that the minimum acceptable key size is 1024 bits except -+ * exportable cipher suites or legacy mode. -+ * -+ * Note that the maximum acceptable key size is 2048 bits because -+ * DH keys bigger than 2048 are not always supported by underlying -+ * JCE providers. -+ * -+ * Note that per RFC 2246, the key size limit of DH is 512 bits for -+ * exportable cipher suites. Because of the weakness, exportable -+ * cipher suites are deprecated since TLS v1.1 and they are not -+ * enabled by default in Oracle provider. The legacy behavior is -+ * reserved and 512 bits DH key is always used for exportable -+ * cipher suites. - */ -- dh = new DHCrypt((export ? 512 : 768), sslContext.getSecureRandom()); -+ int keySize = export ? 512 : 1024; // default mode -+ if (!export) { -+ if (useLegacyEphemeralDHKeys) { // legacy mode -+ keySize = 768; -+ } else if (useSmartEphemeralDHKeys) { // matched mode -+ if (key != null) { -+ int ks = KeyUtil.getKeySize(key); -+ // Note that SunJCE provider only supports 2048 bits DH -+ // keys bigger than 1024. Please DON'T use value other -+ // than 1024 and 2048 at present. We may improve the -+ // underlying providers and key size here in the future. -+ // -+ // keySize = ks <= 1024 ? 1024 : (ks >= 2048 ? 2048 : ks); -+ keySize = ks <= 1024 ? 1024 : 2048; -+ } // Otherwise, anonymous cipher suites, 1024-bit is used. -+ } else if (customizedDHKeySize > 0) { // customized mode -+ keySize = customizedDHKeySize; -+ } -+ } -+ -+ dh = new DHCrypt(keySize, sslContext.getSecureRandom()); - } - - // Setup the ephemeral ECDH parameters. -@@ -1483,4 +1585,100 @@ - - session.setPeerCertificates(peerCerts); - } -+ -+ /** -+ * Parses the string argument as an unsigned integer in the radix -+ * specified by the second argument. An unsigned integer maps the -+ * values usually associated with negative numbers to positive -+ * numbers larger than {@code MAX_VALUE}. -+ * -+ * The characters in the string must all be digits of the -+ * specified radix (as determined by whether {@link -+ * java.lang.Character#digit(char, int)} returns a nonnegative -+ * value), except that the first character may be an ASCII plus -+ * sign {@code '+'} (<code>'\u002B'</code>). The resulting -+ * integer value is returned. -+ * -+ * <p>An exception of type {@code NumberFormatException} is -+ * thrown if any of the following situations occurs: -+ * <ul> -+ * <li>The first argument is {@code null} or is a string of -+ * length zero. -+ * -+ * <li>The radix is either smaller than -+ * {@link java.lang.Character#MIN_RADIX} or -+ * larger than {@link java.lang.Character#MAX_RADIX}. -+ * -+ * <li>Any character of the string is not a digit of the specified -+ * radix, except that the first character may be a plus sign -+ * {@code '+'} (<code>'\u002B'</code>) provided that the -+ * string is longer than length 1. -+ * -+ * <li>The value represented by the string is larger than the -+ * largest unsigned {@code int}, 2<sup>32</sup>-1. -+ * -+ * </ul> -+ * -+ * -+ * @param s the {@code String} containing the unsigned integer -+ * representation to be parsed -+ * @param radix the radix to be used while parsing {@code s}. -+ * @return the integer represented by the string argument in the -+ * specified radix. -+ * @throws NumberFormatException if the {@code String} -+ * does not contain a parsable {@code int}. -+ * @since 1.8 -+ */ -+ private static int parseUnsignedInt(String s, int radix) -+ throws NumberFormatException { -+ if (s == null) { -+ throw new NumberFormatException("null"); -+ } -+ -+ int len = s.length(); -+ if (len > 0) { -+ char firstChar = s.charAt(0); -+ if (firstChar == '-') { -+ throw new -+ NumberFormatException(String.format("Illegal leading minus sign " + -+ "on unsigned string %s.", s)); -+ } else { -+ if (len <= 5 || // Integer.MAX_VALUE in Character.MAX_RADIX is 6 digits -+ (radix == 10 && len <= 9) ) { // Integer.MAX_VALUE in base 10 is 10 digits -+ return Integer.parseInt(s, radix); -+ } else { -+ long ell = Long.parseLong(s, radix); -+ if ((ell & 0xffffffff00000000L) == 0) { -+ return (int) ell; -+ } else { -+ throw new -+ NumberFormatException(String.format("String value %s exceeds " + -+ "range of unsigned int.", s)); -+ } -+ } -+ } -+ } else { -+ throw new NumberFormatException("For input string: \"" + s + "\""); -+ } -+ } -+ -+ /** -+ * Parses the string argument as an unsigned decimal integer. The -+ * characters in the string must all be decimal digits, except -+ * that the first character may be an an ASCII plus sign {@code -+ * '+'} (<code>'\u002B'</code>). The resulting integer value -+ * is returned, exactly as if the argument and the radix 10 were -+ * given as arguments to the {@link -+ * #parseUnsignedInt(java.lang.String, int)} method. -+ * -+ * @param s a {@code String} containing the unsigned {@code int} -+ * representation to be parsed -+ * @return the unsigned integer value represented by the argument in decimal. -+ * @throws NumberFormatException if the string does not contain a -+ * parsable unsigned integer. -+ * @since 1.8 -+ */ -+ private static int parseUnsignedInt(String s) throws NumberFormatException { -+ return parseUnsignedInt(s, 10); -+ } - } -diff -Nru openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java ---- openjdk.orig/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java 1970-01-01 01:00:00.000000000 +0100 -+++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/DHKeyExchange/DHEKeySizing.java 2015-07-22 21:01:02.635723436 +0100 -@@ -0,0 +1,477 @@ -+/* -+ * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+// -+// SunJSSE does not support dynamic system properties, no way to re-use -+// system properties in samevm/agentvm mode. -+// -+ -+/* -+ * @test -+ * @bug 6956398 -+ * @summary make ephemeral DH key match the length of the certificate key -+ * @run main/othervm -+ * DHEKeySizing SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA true 1318 75 -+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=matched -+ * DHEKeySizing SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA true 1318 75 -+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=legacy -+ * DHEKeySizing SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA true 1318 75 -+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=1024 -+ * DHEKeySizing SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA true 1318 75 -+ * -+ * @run main/othervm -+ * DHEKeySizing SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA true 292 75 -+ * -+ * @run main/othervm -+ * DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA false 1510 139 -+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=legacy -+ * DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA false 1414 107 -+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=matched -+ * DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA false 1894 267 -+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=1024 -+ * DHEKeySizing TLS_DHE_RSA_WITH_AES_128_CBC_SHA false 1510 139 -+ * -+ * @run main/othervm -+ * DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5 false 484 139 -+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=legacy -+ * DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5 false 388 107 -+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=matched -+ * DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5 false 484 139 -+ * @run main/othervm -Djdk.tls.ephemeralDHKeySize=1024 -+ * DHEKeySizing SSL_DH_anon_WITH_RC4_128_MD5 false 484 139 -+ */ -+ -+/* -+ * This is a simple hack to test key sizes of Diffie-Hellman key exchanging -+ * during SSL/TLS handshaking. -+ * -+ * The record length of DH ServerKeyExchange and ClientKeyExchange. -+ * ServerKeyExchange message are wrapped in ServerHello series messages, which -+ * contains ServerHello, Certificate and ServerKeyExchange message. -+ * -+ * struct { -+ * opaque dh_p<1..2^16-1>; -+ * opaque dh_g<1..2^16-1>; -+ * opaque dh_Ys<1..2^16-1>; -+ * } ServerDHParams; // Ephemeral DH parameters -+ * -+ * struct { -+ * select (PublicValueEncoding) { -+ * case implicit: struct { }; -+ * case explicit: opaque dh_Yc<1..2^16-1>; -+ * } dh_public; -+ * } ClientDiffieHellmanPublic; -+ * -+ * Fomr above structures, it is clear that if the DH key size increasing 128 -+ * bits (16 bytes), the ServerHello series messages increases 48 bytes -+ * (becuase dh_p, dh_g and dh_Ys each increase 16 bytes) and ClientKeyExchange -+ * increases 16 bytes (because of the size increasing of dh_Yc). -+ * -+ * Here is a summary of the record length in the test case. -+ * -+ * | ServerHello Series | ClientKeyExchange | ServerHello Anon -+ * 512-bit | 1318 bytes | 75 bytes | 292 bytes -+ * 768-bit | 1414 bytes | 107 bytes | 388 bytes -+ * 1024-bit | 1510 bytes | 139 bytes | 484 bytes -+ * 2048-bit | 1894 bytes | 267 bytes | 484 bytes -+ */ -+ -+import javax.net.ssl.*; -+import javax.net.ssl.SSLEngineResult.*; -+import java.io.*; -+import java.nio.*; -+import java.security.KeyStore; -+import java.security.KeyFactory; -+import java.security.cert.Certificate; -+import java.security.cert.CertificateFactory; -+import java.security.spec.PKCS8EncodedKeySpec; -+import java.security.spec.*; -+import java.security.interfaces.*; -+import java.util.Base64; -+ -+public class DHEKeySizing { -+ -+ private static boolean debug = true; -+ -+ private SSLContext sslc; -+ private SSLEngine ssle1; // client -+ private SSLEngine ssle2; // server -+ -+ private ByteBuffer appOut1; // write side of ssle1 -+ private ByteBuffer appIn1; // read side of ssle1 -+ private ByteBuffer appOut2; // write side of ssle2 -+ private ByteBuffer appIn2; // read side of ssle2 -+ -+ private ByteBuffer oneToTwo; // "reliable" transport ssle1->ssle2 -+ private ByteBuffer twoToOne; // "reliable" transport ssle2->ssle1 -+ -+ /* -+ * Where do we find the keystores? -+ */ -+ // Certificates and key used in the test. -+ static String trustedCertStr = -+ "-----BEGIN CERTIFICATE-----\n" + -+ "MIIC8jCCAdqgAwIBAgIEUjkuRzANBgkqhkiG9w0BAQUFADA7MR0wGwYDVQQLExRT\n" + -+ "dW5KU1NFIFRlc3QgU2VyaXZjZTENMAsGA1UEChMESmF2YTELMAkGA1UEBhMCVVMw\n" + -+ "HhcNMTMwOTE4MDQzODMxWhcNMTMxMjE3MDQzODMxWjA7MR0wGwYDVQQLExRTdW5K\n" + -+ "U1NFIFRlc3QgU2VyaXZjZTENMAsGA1UEChMESmF2YTELMAkGA1UEBhMCVVMwggEi\n" + -+ "MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCO+IGeaskJAvEcYc7pCl9neK3E\n" + -+ "a28fwWLtChufYNaC9hQfZlUdETWYjV7fZJVJKT/oLzdDNMWuVA0LKXArpI3thLNK\n" + -+ "QLXisdF9hKPlZRDazACL9kWUUtJ0FzpEySK4e8wW/z9FuU6e6iO19FbjxAfInJqk\n" + -+ "3EDiEhB5g73S2vtvPCxgq2DvWw9TDl/LIqdKG2JCS93koXCCaHmQ7MrIOqHPd+8r\n" + -+ "RbGpatXT9qyHKppUv9ATxVygO4rA794mgCFxpT+fkhz+NEB0twTkM65T1hnnOv5n\n" + -+ "ZIxkcjBggt85UlZtnP3b9P7SYxsWIa46Oc38Od2f3YejfVg6B+PqPgWNl3+/AgMB\n" + -+ "AAEwDQYJKoZIhvcNAQEFBQADggEBAAlrP6DFLRPSy0IgQhcI2i56tR/na8pezSte\n" + -+ "ZHcCdaCZPDy4UP8mpLJ9QCjEB5VJv8hPm4xdK7ULnKGOGHgYqDpV2ZHvQlhV1woQ\n" + -+ "TZGb/LM3c6kAs0j4j9KM2fq3iYUYexjIkS1KzsziflxMM6igS9BRMBR2LQyU+cYq\n" + -+ "YEsFzkF7Aj2ET4v/+tgot9mRr2NioJcaJkdsPDpMU3IKB1cczfu+OuLQ/GCG0Fqu\n" + -+ "6ijCeCqfnaAbemHbJeVZZ6Qgka3uC2YMntLBmLkhqEo1d9zGYLoh7oWL77y5ibQZ\n" + -+ "LK5/H/zikcu579TWjlDHcqL3arCwBcrtsjSaPrRSWMrWV/6c0qw=\n" + -+ "-----END CERTIFICATE-----"; -+ -+ // Private key in the format of PKCS#8 -+ static String targetPrivateKey = -+ "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCO+IGeaskJAvEc\n" + -+ "Yc7pCl9neK3Ea28fwWLtChufYNaC9hQfZlUdETWYjV7fZJVJKT/oLzdDNMWuVA0L\n" + -+ "KXArpI3thLNKQLXisdF9hKPlZRDazACL9kWUUtJ0FzpEySK4e8wW/z9FuU6e6iO1\n" + -+ "9FbjxAfInJqk3EDiEhB5g73S2vtvPCxgq2DvWw9TDl/LIqdKG2JCS93koXCCaHmQ\n" + -+ "7MrIOqHPd+8rRbGpatXT9qyHKppUv9ATxVygO4rA794mgCFxpT+fkhz+NEB0twTk\n" + -+ "M65T1hnnOv5nZIxkcjBggt85UlZtnP3b9P7SYxsWIa46Oc38Od2f3YejfVg6B+Pq\n" + -+ "PgWNl3+/AgMBAAECggEAPdb5Ycc4m4A9QBSCRcRpzbyiFLKPh0HDg1n65q4hOtYr\n" + -+ "kAVYTVFTSF/lqGS+Ob3w2YIKujQKSUQrvCc5UHdFuHXMgxKIWbymK0+DAMb9SlYw\n" + -+ "6lkkcWp9gx9E4dnJ/df2SAAxovvrKMuHlL1SFASHhVtPfH2URvSfUaANLDXxyYOs\n" + -+ "8BX0Nr6wazhWjLjXo9yIGnKSvFfB8XisYcA78kEgas43zhmIGCDPqaYyyffOfRbx\n" + -+ "pM1KNwGmlN86iWR1CbwA/wwhcMySWQueS+s7cHbpRqZIYJF9jEeELiwi0vxjealS\n" + -+ "EMuHYedIRFMWaDIq9XyjrvXamHb0Z25jlXBNZHaM0QKBgQDE9adl+zAezR/n79vw\n" + -+ "0XiX2Fx1UEo3ApZHuoA2Q/PcBk+rlKqqQ3IwTcy6Wo648wK7v6Nq7w5nEWcsf0dU\n" + -+ "QA2Ng/AJEev/IfF34x7sKGYxtk1gcE0EuSBA3R+ocEZxnNw1Ryd5nUU24s8d4jCP\n" + -+ "Mkothnyaim+zE2raDlEtVc0CaQKBgQC509av+02Uq5oMjzbQp5PBJfQFjATOQT15\n" + -+ "eefYnVYurkQ1kcVfixkrO2ORhg4SjmI2Z5hJDgGtXdwgidpzkad+R2epS5qLMyno\n" + -+ "lQVpY6bMpEZ7Mos0yQygxnm8uNohEcTExOe+nP5fNJVpzBsGmfeyYOhnPQlf6oqf\n" + -+ "0cHizedb5wKBgQC/l5LyMil6HOGHlhzmIm3jj7VI7QR0hJC5T6N+phVml8ESUDjA\n" + -+ "DYHbmSKouISTRtkG14FY+RiSjCxH7bvuKazFV2289PETquogTA/9e8MFYqfcQwG4\n" + -+ "sXi9gBxWlnj/9a2EKiYtOB5nKLR/BlNkSHA93tAA6N+FXEMZwMmYhxk42QKBgAuY\n" + -+ "HQgD3PZOsqDf+qKQIhbmAFCsSMx5o5VFtuJ8BpmJA/Z3ruHkMuDQpsi4nX4o5hXQ\n" + -+ "5t6AAjjH52kcUMXvK40kdWJJtk3DFnVNfvXxYsHX6hHbuHXFqYUKfSP6QJnZmvZP\n" + -+ "9smcz/4usLfWJUWHK740b6upUkFqx9Vq5/b3s9y3AoGAdM5TW7LkkOFsdMGVAUzR\n" + -+ "9iXmCWElHTK2Pcp/3yqDBHSfiQx6Yp5ANyPnE9NBM0yauCfOyBB2oxLO4Rdv3Rqk\n" + -+ "9V9kyR/YAGr7dJaPcQ7pZX0OpkzgueAOJYPrx5VUzPYUtklYV1ycFZTfKlpFCxT+\n" + -+ "Ei6KUo0NXSdUIcB4yib1J10="; -+ -+ static char passphrase[] = "passphrase".toCharArray(); -+ -+ /* -+ * Majority of the test case is here, setup is done below. -+ */ -+ -+ private void createSSLEngines() throws Exception { -+ ssle1 = sslc.createSSLEngine("client", 1); -+ ssle1.setUseClientMode(true); -+ -+ ssle2 = sslc.createSSLEngine("server", 2); -+ ssle2.setUseClientMode(false); -+ } -+ -+ private boolean isHandshaking(SSLEngine e) { -+ return (e.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING); -+ } -+ -+ private void checkResult(ByteBuffer bbIn, ByteBuffer bbOut, -+ SSLEngineResult result, -+ Status status, HandshakeStatus hsStatus, -+ int consumed, int produced) -+ throws Exception { -+ -+ if ((status != null) && (result.getStatus() != status)) { -+ throw new Exception("Unexpected Status: need = " + status + -+ " got = " + result.getStatus()); -+ } -+ -+ if ((hsStatus != null) && (result.getHandshakeStatus() != hsStatus)) { -+ throw new Exception("Unexpected hsStatus: need = " + hsStatus + -+ " got = " + result.getHandshakeStatus()); -+ } -+ -+ if ((consumed != -1) && (consumed != result.bytesConsumed())) { -+ throw new Exception("Unexpected consumed: need = " + consumed + -+ " got = " + result.bytesConsumed()); -+ } -+ -+ if ((produced != -1) && (produced != result.bytesProduced())) { -+ throw new Exception("Unexpected produced: need = " + produced + -+ " got = " + result.bytesProduced()); -+ } -+ -+ if ((consumed != -1) && (bbIn.position() != result.bytesConsumed())) { -+ throw new Exception("Consumed " + bbIn.position() + -+ " != " + consumed); -+ } -+ -+ if ((produced != -1) && (bbOut.position() != result.bytesProduced())) { -+ throw new Exception("produced " + bbOut.position() + -+ " != " + produced); -+ } -+ } -+ -+ private void test(String cipherSuite, boolean exportable, -+ int lenServerKeyEx, int lenClientKeyEx) throws Exception { -+ -+ createSSLEngines(); -+ createBuffers(); -+ -+ SSLEngineResult result1; // ssle1's results from last operation -+ SSLEngineResult result2; // ssle2's results from last operation -+ -+ String[] suites = new String [] {cipherSuite}; -+ -+ ssle1.setEnabledCipherSuites(suites); -+ ssle2.setEnabledCipherSuites(suites); -+ -+ log("======================================"); -+ log("==================="); -+ log("client hello"); -+ result1 = ssle1.wrap(appOut1, oneToTwo); -+ checkResult(appOut1, oneToTwo, result1, -+ Status.OK, HandshakeStatus.NEED_UNWRAP, 0, -1); -+ oneToTwo.flip(); -+ -+ result2 = ssle2.unwrap(oneToTwo, appIn2); -+ checkResult(oneToTwo, appIn2, result2, -+ Status.OK, HandshakeStatus.NEED_TASK, result1.bytesProduced(), 0); -+ runDelegatedTasks(ssle2); -+ oneToTwo.compact(); -+ -+ log("==================="); -+ log("ServerHello"); -+ result2 = ssle2.wrap(appOut2, twoToOne); -+ checkResult(appOut2, twoToOne, result2, -+ Status.OK, HandshakeStatus.NEED_UNWRAP, 0, -1); -+ twoToOne.flip(); -+ -+ log("Message length of ServerHello series: " + twoToOne.remaining()); -+ if (lenServerKeyEx != twoToOne.remaining()) { -+ throw new Exception( -+ "Expected to generate ServerHello series messages of " + -+ lenServerKeyEx + " bytes, but not " + twoToOne.remaining()); -+ } -+ -+ result1 = ssle1.unwrap(twoToOne, appIn1); -+ checkResult(twoToOne, appIn1, result1, -+ Status.OK, HandshakeStatus.NEED_TASK, result2.bytesProduced(), 0); -+ runDelegatedTasks(ssle1); -+ twoToOne.compact(); -+ -+ log("==================="); -+ log("Key Exchange"); -+ result1 = ssle1.wrap(appOut1, oneToTwo); -+ checkResult(appOut1, oneToTwo, result1, -+ Status.OK, HandshakeStatus.NEED_WRAP, 0, -1); -+ oneToTwo.flip(); -+ -+ log("Message length of ClientKeyExchange: " + oneToTwo.remaining()); -+ if (lenClientKeyEx != oneToTwo.remaining()) { -+ throw new Exception( -+ "Expected to generate ClientKeyExchange message of " + -+ lenClientKeyEx + " bytes, but not " + oneToTwo.remaining()); -+ } -+ result2 = ssle2.unwrap(oneToTwo, appIn2); -+ checkResult(oneToTwo, appIn2, result2, -+ Status.OK, HandshakeStatus.NEED_TASK, result1.bytesProduced(), 0); -+ runDelegatedTasks(ssle2); -+ oneToTwo.compact(); -+ -+ log("==================="); -+ log("Client CCS"); -+ result1 = ssle1.wrap(appOut1, oneToTwo); -+ checkResult(appOut1, oneToTwo, result1, -+ Status.OK, HandshakeStatus.NEED_WRAP, 0, -1); -+ oneToTwo.flip(); -+ -+ result2 = ssle2.unwrap(oneToTwo, appIn2); -+ checkResult(oneToTwo, appIn2, result2, -+ Status.OK, HandshakeStatus.NEED_UNWRAP, -+ result1.bytesProduced(), 0); -+ oneToTwo.compact(); -+ -+ log("==================="); -+ log("Client Finished"); -+ result1 = ssle1.wrap(appOut1, oneToTwo); -+ checkResult(appOut1, oneToTwo, result1, -+ Status.OK, HandshakeStatus.NEED_UNWRAP, 0, -1); -+ oneToTwo.flip(); -+ -+ result2 = ssle2.unwrap(oneToTwo, appIn2); -+ checkResult(oneToTwo, appIn2, result2, -+ Status.OK, HandshakeStatus.NEED_WRAP, -+ result1.bytesProduced(), 0); -+ oneToTwo.compact(); -+ -+ log("==================="); -+ log("Server CCS"); -+ result2 = ssle2.wrap(appOut2, twoToOne); -+ checkResult(appOut2, twoToOne, result2, -+ Status.OK, HandshakeStatus.NEED_WRAP, 0, -1); -+ twoToOne.flip(); -+ -+ result1 = ssle1.unwrap(twoToOne, appIn1); -+ checkResult(twoToOne, appIn1, result1, -+ Status.OK, HandshakeStatus.NEED_UNWRAP, result2.bytesProduced(), 0); -+ twoToOne.compact(); -+ -+ log("==================="); -+ log("Server Finished"); -+ result2 = ssle2.wrap(appOut2, twoToOne); -+ checkResult(appOut2, twoToOne, result2, -+ Status.OK, HandshakeStatus.FINISHED, 0, -1); -+ twoToOne.flip(); -+ -+ result1 = ssle1.unwrap(twoToOne, appIn1); -+ checkResult(twoToOne, appIn1, result1, -+ Status.OK, HandshakeStatus.FINISHED, result2.bytesProduced(), 0); -+ twoToOne.compact(); -+ -+ log("==================="); -+ log("Check Session/Ciphers"); -+ String cs = ssle1.getSession().getCipherSuite(); -+ if (!cs.equals(suites[0])) { -+ throw new Exception("suites not equal: " + cs + "/" + suites[0]); -+ } -+ -+ cs = ssle2.getSession().getCipherSuite(); -+ if (!cs.equals(suites[0])) { -+ throw new Exception("suites not equal: " + cs + "/" + suites[0]); -+ } -+ -+ log("==================="); -+ log("Done with SSL/TLS handshaking"); -+ } -+ -+ public static void main(String args[]) throws Exception { -+ if (args.length != 4) { -+ System.out.println( -+ "Usage: java DHEKeySizing cipher-suite " + -+ "exportable(true|false)\n" + -+ " size-of-server-hello-record size-of-client-key-exchange"); -+ throw new Exception("Incorrect usage!"); -+ } -+ -+ (new DHEKeySizing()).test(args[0], -+ Boolean.parseBoolean(args[1]), -+ Integer.parseInt(args[2]), -+ Integer.parseInt(args[3])); -+ System.out.println("Test Passed."); -+ } -+ -+ /* -+ * ********************************************************** -+ * Majority of the test case is above, below is just setup stuff -+ * ********************************************************** -+ */ -+ -+ public DHEKeySizing() throws Exception { -+ sslc = getSSLContext(); -+ } -+ -+ /* -+ * Create an initialized SSLContext to use for this test. -+ */ -+ private SSLContext getSSLContext() throws Exception { -+ -+ // generate certificate from cert string -+ CertificateFactory cf = CertificateFactory.getInstance("X.509"); -+ -+ // create a key store -+ KeyStore ts = KeyStore.getInstance("JKS"); -+ KeyStore ks = KeyStore.getInstance("JKS"); -+ ts.load(null, null); -+ ks.load(null, null); -+ -+ // import the trused cert -+ ByteArrayInputStream is = -+ new ByteArrayInputStream(trustedCertStr.getBytes()); -+ Certificate trusedCert = cf.generateCertificate(is); -+ is.close(); -+ ts.setCertificateEntry("rsa-trusted-2048", trusedCert); -+ -+ // generate the private key. -+ String keySpecStr = targetPrivateKey; -+ PKCS8EncodedKeySpec priKeySpec = new PKCS8EncodedKeySpec( -+ Base64.getMimeDecoder().decode(keySpecStr)); -+ KeyFactory kf = KeyFactory.getInstance("RSA"); -+ RSAPrivateKey priKey = (RSAPrivateKey)kf.generatePrivate(priKeySpec); -+ -+ Certificate[] chain = new Certificate[1]; -+ chain[0] = trusedCert; -+ -+ // import the key entry. -+ ks.setKeyEntry("rsa-key-2048", priKey, passphrase, chain); -+ -+ // create SSL context -+ KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); -+ kmf.init(ks, passphrase); -+ -+ TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); -+ tmf.init(ts); -+ -+ SSLContext sslCtx = SSLContext.getInstance("TLS"); -+ sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); -+ -+ return sslCtx; -+ } -+ -+ private void createBuffers() { -+ // Size the buffers as appropriate. -+ -+ SSLSession session = ssle1.getSession(); -+ int appBufferMax = session.getApplicationBufferSize(); -+ int netBufferMax = session.getPacketBufferSize(); -+ -+ appIn1 = ByteBuffer.allocateDirect(appBufferMax + 50); -+ appIn2 = ByteBuffer.allocateDirect(appBufferMax + 50); -+ -+ oneToTwo = ByteBuffer.allocateDirect(netBufferMax); -+ twoToOne = ByteBuffer.allocateDirect(netBufferMax); -+ -+ appOut1 = ByteBuffer.wrap("Hi Engine2, I'm SSLEngine1".getBytes()); -+ appOut2 = ByteBuffer.wrap("Hello Engine1, I'm SSLEngine2".getBytes()); -+ -+ log("AppOut1 = " + appOut1); -+ log("AppOut2 = " + appOut2); -+ log(""); -+ } -+ -+ private static void runDelegatedTasks(SSLEngine engine) throws Exception { -+ -+ Runnable runnable; -+ while ((runnable = engine.getDelegatedTask()) != null) { -+ log("running delegated task..."); -+ runnable.run(); -+ } -+ } -+ -+ private static void log(String str) { -+ if (debug) { -+ System.out.println(str); -+ } -+ } -+}
--- a/patches/openjdk/7033170-getmaxallowedkeylength_throws_exception.patch Wed May 04 02:55:09 2016 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,117 +0,0 @@ -# HG changeset patch -# User valeriep -# Date 1326944130 28800 -# Wed Jan 18 19:35:30 2012 -0800 -# Node ID b2488252ba0c238d37b24069808b0ac8c2da1c76 -# Parent 9ec80e94c5cda0fb59fbfe217e3505f597ccbe90 -7033170: Cipher.getMaxAllowedKeyLength(String) throws NoSuchAlgorithmException -Summary: Changed to always use full transformation as provider properties. -Reviewed-by: mullan - -diff -r 9ec80e94c5cd -r b2488252ba0c src/share/classes/sun/security/pkcs11/SunPKCS11.java ---- openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java Wed Jan 18 19:33:50 2012 -0800 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java Wed Jan 18 19:35:30 2012 -0800 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -606,24 +606,31 @@ - m(CKM_DES_CBC)); - d(CIP, "DES/CBC/PKCS5Padding", P11Cipher, - m(CKM_DES_CBC_PAD, CKM_DES_CBC)); -- d(CIP, "DES/ECB", P11Cipher, s("DES"), -+ d(CIP, "DES/ECB/NoPadding", P11Cipher, - m(CKM_DES_ECB)); -- -+ d(CIP, "DES/ECB/PKCS5Padding", P11Cipher, s("DES"), -+ m(CKM_DES_ECB)); - d(CIP, "DESede/CBC/NoPadding", P11Cipher, - m(CKM_DES3_CBC)); - d(CIP, "DESede/CBC/PKCS5Padding", P11Cipher, - m(CKM_DES3_CBC_PAD, CKM_DES3_CBC)); -- d(CIP, "DESede/ECB", P11Cipher, s("DESede"), -+ d(CIP, "DESede/ECB/NoPadding", P11Cipher, -+ m(CKM_DES3_ECB)); -+ d(CIP, "DESede/ECB/PKCS5Padding", P11Cipher, s("DESede"), - m(CKM_DES3_ECB)); - d(CIP, "AES/CBC/NoPadding", P11Cipher, - m(CKM_AES_CBC)); - d(CIP, "AES/CBC/PKCS5Padding", P11Cipher, - m(CKM_AES_CBC_PAD, CKM_AES_CBC)); -- d(CIP, "AES/ECB", P11Cipher, s("AES"), -+ d(CIP, "AES/ECB/NoPadding", P11Cipher, -+ m(CKM_AES_ECB)); -+ d(CIP, "AES/ECB/PKCS5Padding", P11Cipher, s("AES"), - m(CKM_AES_ECB)); - d(CIP, "AES/CTR/NoPadding", P11Cipher, - m(CKM_AES_CTR)); -- d(CIP, "Blowfish/CBC", P11Cipher, -+ d(CIP, "Blowfish/CBC/NoPadding", P11Cipher, -+ m(CKM_BLOWFISH_CBC)); -+ d(CIP, "Blowfish/CBC/PKCS5Padding", P11Cipher, - m(CKM_BLOWFISH_CBC)); - - // XXX RSA_X_509, RSA_OAEP not yet supported -diff -r 9ec80e94c5cd -r b2488252ba0c test/javax/crypto/Cipher/GetMaxAllowed.java ---- openjdk/jdk/test/javax/crypto/Cipher/GetMaxAllowed.java Wed Jan 18 19:33:50 2012 -0800 -+++ openjdk/jdk/test/javax/crypto/Cipher/GetMaxAllowed.java Wed Jan 18 19:35:30 2012 -0800 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2007, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -23,7 +23,7 @@ - - /** - * @test -- * @bug 4807942 -+ * @bug 4807942 7033170 - * @summary Test the Cipher.getMaxAllowedKeyLength(String) and - * getMaxAllowedParameterSpec(String) methods - * @author Valerie Peng -@@ -40,7 +40,7 @@ - - public class GetMaxAllowed { - -- private static void runTest(boolean isUnlimited) throws Exception { -+ private static void runTest1(boolean isUnlimited) throws Exception { - System.out.println("Testing " + (isUnlimited? "un":"") + - "limited policy..."); - -@@ -78,6 +78,20 @@ - System.out.println("All tests passed"); - } - -+ private static void runTest2() throws Exception { -+ System.out.println("Testing against Security.getAlgorithms()"); -+ -+ Set<String> algorithms = Security.getAlgorithms("Cipher"); -+ -+ for (String algorithm: algorithms) { -+ int keylength = -1; -+ -+ // if 7033170 is not fixed, NoSuchAlgorithmException is thrown -+ keylength = Cipher.getMaxAllowedKeyLength(algorithm); -+ -+ } -+ } -+ - public static void main(String[] args) throws Exception { - // decide if the installed jurisdiction policy file is the - // unlimited version -@@ -88,6 +102,9 @@ - } catch (InvalidKeyException ike) { - isUnlimited = false; - } -- runTest(isUnlimited); -+ runTest1(isUnlimited); -+ -+ // test using the set of algorithms returned by Security.getAlgorithms() -+ runTest2(); - } - }
--- a/patches/openjdk/7044060-support_nsa_suite_b.patch Wed May 04 02:55:09 2016 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,3214 +0,0 @@ -diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/AESCipher.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/AESCipher.java ---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/AESCipher.java 2014-12-24 18:49:01.952432946 +0000 -+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/AESCipher.java 2014-12-24 20:19:58.491124251 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2002, 2009, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2002, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -47,18 +47,122 @@ - * @see OutputFeedback - */ - --public final class AESCipher extends CipherSpi { -+abstract class AESCipher extends CipherSpi { -+ public static final class General extends AESCipher { -+ public General() { -+ super(-1); -+ } -+ } -+ abstract static class OidImpl extends AESCipher { -+ protected OidImpl(int keySize, String mode, String padding) { -+ super(keySize); -+ try { -+ engineSetMode(mode); -+ engineSetPadding(padding); -+ } catch (GeneralSecurityException gse) { -+ // internal error; re-throw as provider exception -+ ProviderException pe =new ProviderException("Internal Error"); -+ pe.initCause(gse); -+ throw pe; -+ } -+ } -+ } -+ public static final class AES128_ECB_NoPadding extends OidImpl { -+ public AES128_ECB_NoPadding() { -+ super(16, "ECB", "NOPADDING"); -+ } -+ } -+ public static final class AES192_ECB_NoPadding extends OidImpl { -+ public AES192_ECB_NoPadding() { -+ super(24, "ECB", "NOPADDING"); -+ } -+ } -+ public static final class AES256_ECB_NoPadding extends OidImpl { -+ public AES256_ECB_NoPadding() { -+ super(32, "ECB", "NOPADDING"); -+ } -+ } -+ public static final class AES128_CBC_NoPadding extends OidImpl { -+ public AES128_CBC_NoPadding() { -+ super(16, "CBC", "NOPADDING"); -+ } -+ } -+ public static final class AES192_CBC_NoPadding extends OidImpl { -+ public AES192_CBC_NoPadding() { -+ super(24, "CBC", "NOPADDING"); -+ } -+ } -+ public static final class AES256_CBC_NoPadding extends OidImpl { -+ public AES256_CBC_NoPadding() { -+ super(32, "CBC", "NOPADDING"); -+ } -+ } -+ public static final class AES128_OFB_NoPadding extends OidImpl { -+ public AES128_OFB_NoPadding() { -+ super(16, "OFB", "NOPADDING"); -+ } -+ } -+ public static final class AES192_OFB_NoPadding extends OidImpl { -+ public AES192_OFB_NoPadding() { -+ super(24, "OFB", "NOPADDING"); -+ } -+ } -+ public static final class AES256_OFB_NoPadding extends OidImpl { -+ public AES256_OFB_NoPadding() { -+ super(32, "OFB", "NOPADDING"); -+ } -+ } -+ public static final class AES128_CFB_NoPadding extends OidImpl { -+ public AES128_CFB_NoPadding() { -+ super(16, "CFB", "NOPADDING"); -+ } -+ } -+ public static final class AES192_CFB_NoPadding extends OidImpl { -+ public AES192_CFB_NoPadding() { -+ super(24, "CFB", "NOPADDING"); -+ } -+ } -+ public static final class AES256_CFB_NoPadding extends OidImpl { -+ public AES256_CFB_NoPadding() { -+ super(32, "CFB", "NOPADDING"); -+ } -+ } -+ -+ // utility method used by AESCipher and AESWrapCipher -+ static final void checkKeySize(Key key, int fixedKeySize) -+ throws InvalidKeyException { -+ if (fixedKeySize != -1) { -+ if (key == null) { -+ throw new InvalidKeyException("The key must not be null"); -+ } -+ byte[] value = key.getEncoded(); -+ if (value == null) { -+ throw new InvalidKeyException("Key encoding must not be null"); -+ } else if (value.length != fixedKeySize) { -+ throw new InvalidKeyException("The key must be " + -+ fixedKeySize*8 + " bits"); -+ } -+ } -+ } -+ - /* - * internal CipherCore object which does the real work. - */ - private CipherCore core = null; - -+ /* -+ * needed to support AES oids which associates a fixed key size -+ * to the cipher object. -+ */ -+ private final int fixedKeySize; // in bytes, -1 if no restriction -+ - /** - * Creates an instance of AES cipher with default ECB mode and - * PKCS5Padding. - */ -- public AESCipher() { -+ protected AESCipher(int keySize) { - core = new CipherCore(new AESCrypt(), AESConstants.AES_BLOCK_SIZE); -+ fixedKeySize = keySize; - } - - /** -@@ -183,6 +287,7 @@ - */ - protected void engineInit(int opmode, Key key, SecureRandom random) - throws InvalidKeyException { -+ checkKeySize(key, fixedKeySize); - core.init(opmode, key, random); - } - -@@ -214,6 +319,7 @@ - AlgorithmParameterSpec params, - SecureRandom random) - throws InvalidKeyException, InvalidAlgorithmParameterException { -+ checkKeySize(key, fixedKeySize); - core.init(opmode, key, params, random); - } - -@@ -221,6 +327,7 @@ - AlgorithmParameters params, - SecureRandom random) - throws InvalidKeyException, InvalidAlgorithmParameterException { -+ checkKeySize(key, fixedKeySize); - core.init(opmode, key, params, random); - } - -diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/AESWrapCipher.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/AESWrapCipher.java ---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/AESWrapCipher.java 2014-12-24 18:49:01.952432946 +0000 -+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/AESWrapCipher.java 2014-12-24 20:19:27.306753452 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2004, 2009, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2004, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -43,8 +43,27 @@ - * - * @see AESCipher - */ --public final class AESWrapCipher extends CipherSpi { -- -+abstract class AESWrapCipher extends CipherSpi { -+ public static final class General extends AESWrapCipher { -+ public General() { -+ super(-1); -+ } -+ } -+ public static final class AES128 extends AESWrapCipher { -+ public AES128() { -+ super(16); -+ } -+ } -+ public static final class AES192 extends AESWrapCipher { -+ public AES192() { -+ super(24); -+ } -+ } -+ public static final class AES256 extends AESWrapCipher { -+ public AES256() { -+ super(32); -+ } -+ } - private static final byte[] IV = { - (byte) 0xA6, (byte) 0xA6, (byte) 0xA6, (byte) 0xA6, - (byte) 0xA6, (byte) 0xA6, (byte) 0xA6, (byte) 0xA6 -@@ -62,12 +81,19 @@ - */ - private boolean decrypting = false; - -+ /* -+ * needed to support AES oids which associates a fixed key size -+ * to the cipher object. -+ */ -+ private final int fixedKeySize; // in bytes, -1 if no restriction -+ - /** - * Creates an instance of AES KeyWrap cipher with default - * mode, i.e. "ECB" and padding scheme, i.e. "NoPadding". - */ -- public AESWrapCipher() { -+ public AESWrapCipher(int keySize) { - cipher = new AESCrypt(); -+ fixedKeySize = keySize; - } - - /** -@@ -170,6 +196,7 @@ - throw new UnsupportedOperationException("This cipher can " + - "only be used for key wrapping and unwrapping"); - } -+ AESCipher.checkKeySize(key, fixedKeySize); - cipher.init(decrypting, key.getAlgorithm(), key.getEncoded()); - } - -diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java ---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java 2013-08-21 20:33:03.876325741 +0100 -+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java 2014-12-24 20:18:40.126192669 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1997, 2007, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -80,10 +80,10 @@ - * @param random the source of randomness - */ - public void initialize(int keysize, SecureRandom random) { -- if ((keysize < 512) || (keysize > 1024) || (keysize % 64 != 0)) { -+ if ((keysize < 512) || (keysize > 2048) || (keysize % 64 != 0)) { - throw new InvalidParameterException("Keysize must be multiple " - + "of 64, and can only range " -- + "from 512 to 1024 " -+ + "from 512 to 2048 " - + "(inclusive)"); - } - this.pSize = keysize; -@@ -115,11 +115,11 @@ - - params = (DHParameterSpec)algParams; - pSize = params.getP().bitLength(); -- if ((pSize < 512) || (pSize > 1024) || -+ if ((pSize < 512) || (pSize > 2048) || - (pSize % 64 != 0)) { - throw new InvalidAlgorithmParameterException - ("Prime size must be multiple of 64, and can only range " -- + "from 512 to 1024 (inclusive)"); -+ + "from 512 to 2048 (inclusive)"); - } - - // exponent size is optional, could be 0 -@@ -156,10 +156,11 @@ - BigInteger g = params.getG(); - - if (lSize <= 0) { -+ lSize = pSize >> 1; - // use an exponent size of (pSize / 2) but at least 384 bits -- lSize = Math.max(384, pSize >> 1); -- // if lSize is larger than pSize, limit by pSize -- lSize = Math.min(lSize, pSize); -+ if (lSize < 384) { -+ lSize = 384; -+ } - } - - BigInteger x; -diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java ---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java 2013-08-21 20:33:03.892325999 +0100 -+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java 2014-12-24 20:18:40.126192669 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1997, 2007, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -68,10 +68,10 @@ - * @param random the source of randomness - */ - protected void engineInit(int keysize, SecureRandom random) { -- if ((keysize < 512) || (keysize > 1024) || (keysize % 64 != 0)) { -+ if ((keysize < 512) || (keysize > 2048) || (keysize % 64 != 0)) { - throw new InvalidParameterException("Keysize must be multiple " - + "of 64, and can only range " -- + "from 512 to 1024 " -+ + "from 512 to 2048 " - + "(inclusive)"); - } - this.primeSize = keysize; -@@ -100,10 +100,10 @@ - DHGenParameterSpec dhParamSpec = (DHGenParameterSpec)genParamSpec; - - primeSize = dhParamSpec.getPrimeSize(); -- if ((primeSize<512) || (primeSize>1024) || (primeSize%64 != 0)) { -+ if ((primeSize<512) || (primeSize>2048) || (primeSize%64 != 0)) { - throw new InvalidAlgorithmParameterException - ("Modulus size must be multiple of 64, and can only range " -- + "from 512 to 1024 (inclusive)"); -+ + "from 512 to 2048 (inclusive)"); - } - - exponentSize = dhParamSpec.getExponentSize(); -diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/SunJCE.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/SunJCE.java ---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/SunJCE.java 2014-12-24 20:10:36.400459042 +0000 -+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/SunJCE.java 2014-12-24 20:18:40.130192717 +0000 -@@ -172,16 +172,67 @@ - put("Cipher.Blowfish SupportedKeyFormats", "RAW"); - - put("Cipher.AES", "com.sun.crypto.provider.AESCipher"); -+ put("Cipher.AES", "com.sun.crypto.provider.AESCipher$General"); - put("Alg.Alias.Cipher.Rijndael", "AES"); - put("Cipher.AES SupportedModes", BLOCK_MODES128); - put("Cipher.AES SupportedPaddings", BLOCK_PADS); - put("Cipher.AES SupportedKeyFormats", "RAW"); - -- put("Cipher.AESWrap", "com.sun.crypto.provider.AESWrapCipher"); -+ put("Cipher.AES_128/ECB/NoPadding", "com.sun.crypto.provider.AESCipher$AES128_ECB_NoPadding"); -+ put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.1", "AES_128/ECB/NoPadding"); -+ put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.1", "AES_128/ECB/NoPadding"); -+ put("Cipher.AES_128/CBC/NoPadding", "com.sun.crypto.provider.AESCipher$AES128_CBC_NoPadding"); -+ put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.2", "AES_128/CBC/NoPadding"); -+ put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.2", "AES_128/CBC/NoPadding"); -+ put("Cipher.AES_128/OFB/NoPadding", "com.sun.crypto.provider.AESCipher$AES128_OFB_NoPadding"); -+ put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.3", "AES_128/OFB/NoPadding"); -+ put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.3", "AES_128/OFB/NoPadding"); -+ put("Cipher.AES_128/CFB/NoPadding", "com.sun.crypto.provider.AESCipher$AES128_CFB_NoPadding"); -+ put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.4", "AES_128/CFB/NoPadding"); -+ put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.4", "AES_128/CFB/NoPadding"); -+ -+ put("Cipher.AES_192/ECB/NoPadding", "com.sun.crypto.provider.AESCipher$AES192_ECB_NoPadding"); -+ put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.21", "AES_192/ECB/NoPadding"); -+ put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.21", "AES_192/ECB/NoPadding"); -+ put("Cipher.AES_192/CBC/NoPadding", "com.sun.crypto.provider.AESCipher$AES192_CBC_NoPadding"); -+ put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.22", "AES_192/CBC/NoPadding"); -+ put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.22", "AES_192/CBC/NoPadding"); -+ put("Cipher.AES_192/OFB/NoPadding", "com.sun.crypto.provider.AESCipher$AES192_OFB_NoPadding"); -+ put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.23", "AES_192/OFB/NoPadding"); -+ put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.23", "AES_192/OFB/NoPadding"); -+ put("Cipher.AES_192/CFB/NoPadding", "com.sun.crypto.provider.AESCipher$AES192_CFB_NoPadding"); -+ put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.24", "AES_192/CFB/NoPadding"); -+ put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.24", "AES_192/CFB/NoPadding"); -+ -+ -+ put("Cipher.AES_256/ECB/NoPadding", "com.sun.crypto.provider.AESCipher$AES256_ECB_NoPadding"); -+ put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.41", "AES_256/ECB/NoPadding"); -+ put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.41", "AES_256/ECB/NoPadding"); -+ put("Cipher.AES_256/CBC/NoPadding", "com.sun.crypto.provider.AESCipher$AES256_CBC_NoPadding"); -+ put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.42", "AES_256/CBC/NoPadding"); -+ put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.42", "AES_256/CBC/NoPadding"); -+ put("Cipher.AES_256/OFB/NoPadding", "com.sun.crypto.provider.AESCipher$AES256_OFB_NoPadding"); -+ put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.43", "AES_256/OFB/NoPadding"); -+ put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.43", "AES_256/OFB/NoPadding"); -+ put("Cipher.AES_256/CFB/NoPadding", "com.sun.crypto.provider.AESCipher$AES256_CFB_NoPadding"); -+ put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.44", "AES_256/CFB/NoPadding"); -+ put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.44", "AES_256/CFB/NoPadding"); -+ -+ put("Cipher.AESWrap", "com.sun.crypto.provider.AESWrapCipher$General"); - put("Cipher.AESWrap SupportedModes", "ECB"); - put("Cipher.AESWrap SupportedPaddings", "NOPADDING"); - put("Cipher.AESWrap SupportedKeyFormats", "RAW"); - -+ put("Cipher.AESWrap_128", "com.sun.crypto.provider.AESWrapCipher$AES128"); -+ put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.5", "AESWrap_128"); -+ put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.5", "AESWrap_128"); -+ put("Cipher.AESWrap_192", "com.sun.crypto.provider.AESWrapCipher$AES192"); -+ put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.25", "AESWrap_192"); -+ put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.25", "AESWrap_192"); -+ put("Cipher.AESWrap_256", "com.sun.crypto.provider.AESWrapCipher$AES256"); -+ put("Alg.Alias.Cipher.2.16.840.1.101.3.4.1.45", "AESWrap_256"); -+ put("Alg.Alias.Cipher.OID.2.16.840.1.101.3.4.1.45", "AESWrap_256"); -+ - put("Cipher.RC2", - "com.sun.crypto.provider.RC2Cipher"); - put("Cipher.RC2 SupportedModes", BLOCK_MODES); -@@ -196,7 +247,7 @@ - put("Cipher.ARCFOUR SupportedKeyFormats", "RAW"); - - /* -- * Key(pair) Generator engines -+ * Key(pair) Generator engines - */ - put("KeyGenerator.DES", - "com.sun.crypto.provider.DESKeyGenerator"); -@@ -225,6 +276,8 @@ - - put("KeyGenerator.HmacSHA1", - "com.sun.crypto.provider.HmacSHA1KeyGenerator"); -+ put("Alg.Alias.KeyGenerator.OID.1.2.840.113549.2.7", "HmacSHA1"); -+ put("Alg.Alias.KeyGenerator.1.2.840.113549.2.7", "HmacSHA1"); - - put("KeyGenerator.HmacSHA224", - "com.sun.crypto.provider.KeyGeneratorCore$HmacSHA2KG$SHA224"); -@@ -407,6 +460,8 @@ - */ - put("Mac.HmacMD5", "com.sun.crypto.provider.HmacMD5"); - put("Mac.HmacSHA1", "com.sun.crypto.provider.HmacSHA1"); -+ put("Alg.Alias.Mac.OID.1.2.840.113549.2.7", "HmacSHA1"); -+ put("Alg.Alias.Mac.1.2.840.113549.2.7", "HmacSHA1"); - put("Mac.HmacSHA224", - "com.sun.crypto.provider.HmacCore$HmacSHA224"); - put("Alg.Alias.Mac.OID.1.2.840.113549.2.8", "HmacSHA224"); -diff -Nru openjdk.orig/jdk/src/share/classes/java/security/interfaces/DSAKeyPairGenerator.java openjdk/jdk/src/share/classes/java/security/interfaces/DSAKeyPairGenerator.java ---- openjdk.orig/jdk/src/share/classes/java/security/interfaces/DSAKeyPairGenerator.java 2013-08-21 20:33:07.800389240 +0100 -+++ openjdk/jdk/src/share/classes/java/security/interfaces/DSAKeyPairGenerator.java 2014-12-24 20:18:40.130192717 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1997, 2005, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -62,6 +62,9 @@ - * interface is all that is needed when you accept defaults for algorithm-specific - * parameters. - * -+ * <p>Note: Some earlier implementations of this interface may not support -+ * larger sizes of DSA parameters such as 2048 and 3072-bit. -+ * - * @see java.security.KeyPairGenerator - */ - public interface DSAKeyPairGenerator { -@@ -78,7 +81,7 @@ - * can be null. - * - * @exception InvalidParameterException if the <code>params</code> -- * value is invalid or null. -+ * value is invalid, null, or unsupported. - */ - public void initialize(DSAParams params, SecureRandom random) - throws InvalidParameterException; -@@ -97,7 +100,7 @@ - * default parameters for modulus lengths of 512 and 1024 bits. - * - * @param modlen the modulus length in bits. Valid values are any -- * multiple of 8 between 512 and 1024, inclusive. -+ * multiple of 64 between 512 and 1024, inclusive, 2048, and 3072. - * - * @param random the random bit source to use to generate key bits; - * can be null. -@@ -105,10 +108,9 @@ - * @param genParams whether or not to generate new parameters for - * the modulus length requested. - * -- * @exception InvalidParameterException if <code>modlen</code> is not -- * between 512 and 1024, or if <code>genParams</code> is false and -- * there are no precomputed parameters for the requested modulus -- * length. -+ * @exception InvalidParameterException if <code>modlen</code> is -+ * invalid, or unsupported, or if <code>genParams</code> is false and there -+ * are no precomputed parameters for the requested modulus length. - */ - public void initialize(int modlen, boolean genParams, SecureRandom random) - throws InvalidParameterException; -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java 2014-12-24 20:10:34.252433649 +0000 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java 2014-12-24 20:18:40.130192717 +0000 -@@ -164,6 +164,10 @@ - // if we do the padding - private int bytesBuffered; - -+ // length of key size in bytes; currently only used by AES given its oid -+ // specification mandates a fixed size of the key -+ private int fixedKeySize = -1; -+ - P11Cipher(Token token, String algorithm, long mechanism) - throws PKCS11Exception, NoSuchAlgorithmException { - super(); -@@ -172,19 +176,26 @@ - this.mechanism = mechanism; - - String algoParts[] = algorithm.split("/"); -- keyAlgorithm = algoParts[0]; - -- if (keyAlgorithm.equals("AES")) { -+ if (algoParts[0].startsWith("AES")) { - blockSize = 16; -- } else if (keyAlgorithm.equals("RC4") || -- keyAlgorithm.equals("ARCFOUR")) { -- blockSize = 0; -- } else { // DES, DESede, Blowfish -- blockSize = 8; -- } -- this.blockMode = -+ int index = algoParts[0].indexOf('_'); -+ if (index != -1) { -+ // should be well-formed since we specify what we support -+ fixedKeySize = Integer.parseInt(algoParts[0].substring(index+1))/8; -+ } -+ keyAlgorithm = "AES"; -+ } else { -+ keyAlgorithm = algoParts[0]; -+ if (keyAlgorithm.equals("RC4") || -+ keyAlgorithm.equals("ARCFOUR")) { -+ blockSize = 0; -+ } else { // DES, DESede, Blowfish -+ blockSize = 8; -+ } -+ this.blockMode = - (algoParts.length > 1 ? parseMode(algoParts[1]) : MODE_ECB); -- -+ } - String defPadding = (blockSize == 0 ? "NoPadding" : "PKCS5Padding"); - String paddingStr = - (algoParts.length > 2 ? algoParts[2] : defPadding); -@@ -333,6 +344,9 @@ - SecureRandom random) - throws InvalidKeyException, InvalidAlgorithmParameterException { - cancelOperation(); -+ if (fixedKeySize != -1 && key.getEncoded().length != fixedKeySize) { -+ throw new InvalidKeyException("Key size is invalid"); -+ } - switch (opmode) { - case Cipher.ENCRYPT_MODE: - encrypt = true; -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2014-12-24 20:10:36.604461454 +0000 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2014-12-24 20:18:40.130192717 +0000 -@@ -383,12 +383,8 @@ - return System.identityHashCode(this); - } - -- private static String[] s(String s1) { -- return new String[] {s1}; -- } -- -- private static String[] s(String s1, String s2) { -- return new String[] {s1, s2}; -+ private static String[] s(String ...aliases) { -+ return aliases; - } - - private static final class Descriptor { -@@ -505,7 +501,8 @@ - m(CKM_MD2)); - d(MD, "MD5", P11Digest, - m(CKM_MD5)); -- d(MD, "SHA1", P11Digest, s("SHA", "SHA-1"), -+ d(MD, "SHA1", P11Digest, -+ s("SHA", "SHA-1", "1.3.14.3.2.26", "OID.1.3.14.3.2.26"), - m(CKM_SHA_1)); - - d(MD, "SHA-224", P11Digest, -@@ -524,6 +521,7 @@ - d(MAC, "HmacMD5", P11MAC, - m(CKM_MD5_HMAC)); - d(MAC, "HmacSHA1", P11MAC, -+ s("1.2.840.113549.2.7", "OID.1.2.840.113549.2.7"), - m(CKM_SHA_1_HMAC)); - d(MAC, "HmacSHA224", P11MAC, - s("1.2.840.113549.2.8", "OID.1.2.840.113549.2.8"), -@@ -545,6 +543,7 @@ - d(KPG, "RSA", P11KeyPairGenerator, - m(CKM_RSA_PKCS_KEY_PAIR_GEN)); - d(KPG, "DSA", P11KeyPairGenerator, -+ s("1.3.14.3.2.12", "1.2.840.10040.4.1", "OID.1.2.840.10040.4.1"), - m(CKM_DSA_KEY_PAIR_GEN)); - d(KPG, "DH", P11KeyPairGenerator, s("DiffieHellman"), - m(CKM_DH_PKCS_KEY_PAIR_GEN)); -@@ -567,6 +566,7 @@ - d(KF, "RSA", P11RSAKeyFactory, - m(CKM_RSA_PKCS_KEY_PAIR_GEN, CKM_RSA_PKCS, CKM_RSA_X_509)); - d(KF, "DSA", P11DSAKeyFactory, -+ s("1.3.14.3.2.12", "1.2.840.10040.4.1", "OID.1.2.840.10040.4.1"), - m(CKM_DSA_KEY_PAIR_GEN, CKM_DSA, CKM_DSA_SHA1)); - d(KF, "DH", P11DHKeyFactory, s("DiffieHellman"), - m(CKM_DH_PKCS_KEY_PAIR_GEN, CKM_DH_PKCS_DERIVE)); -@@ -590,6 +590,7 @@ - d(SKF, "DESede", P11SecretKeyFactory, - m(CKM_DES3_CBC)); - d(SKF, "AES", P11SecretKeyFactory, -+ s("2.16.840.1.101.3.4.1", "OID.2.16.840.1.101.3.4.1"), - m(CKM_AES_CBC)); - d(SKF, "Blowfish", P11SecretKeyFactory, - m(CKM_BLOWFISH_CBC)); -@@ -615,10 +616,28 @@ - m(CKM_DES3_ECB)); - d(CIP, "AES/CBC/NoPadding", P11Cipher, - m(CKM_AES_CBC)); -+ d(CIP, "AES_128/CBC/NoPadding", P11Cipher, -+ s("2.16.840.1.101.3.4.1.2", "OID.2.16.840.1.101.3.4.1.2"), -+ m(CKM_AES_CBC)); -+ d(CIP, "AES_192/CBC/NoPadding", P11Cipher, -+ s("2.16.840.1.101.3.4.1.22", "OID.2.16.840.1.101.3.4.1.22"), -+ m(CKM_AES_CBC)); -+ d(CIP, "AES_256/CBC/NoPadding", P11Cipher, -+ s("2.16.840.1.101.3.4.1.42", "OID.2.16.840.1.101.3.4.1.42"), -+ m(CKM_AES_CBC)); - d(CIP, "AES/CBC/PKCS5Padding", P11Cipher, - m(CKM_AES_CBC_PAD, CKM_AES_CBC)); - d(CIP, "AES/ECB/NoPadding", P11Cipher, - m(CKM_AES_ECB)); -+ d(CIP, "AES_128/ECB/NoPadding", P11Cipher, -+ s("2.16.840.1.101.3.4.1.1", "OID.2.16.840.1.101.3.4.1.1"), -+ m(CKM_AES_ECB)); -+ d(CIP, "AES_192/ECB/NoPadding", P11Cipher, -+ s("2.16.840.1.101.3.4.1.21", "OID.2.16.840.1.101.3.4.1.21"), -+ m(CKM_AES_ECB)); -+ d(CIP, "AES_256/ECB/NoPadding", P11Cipher, -+ s("2.16.840.1.101.3.4.1.41", "OID.2.16.840.1.101.3.4.1.41"), -+ m(CKM_AES_ECB)); - d(CIP, "AES/ECB/PKCS5Padding", P11Cipher, s("AES"), - m(CKM_AES_ECB)); - d(CIP, "AES/CTR/NoPadding", P11Cipher, -@@ -632,13 +651,16 @@ - d(CIP, "RSA/ECB/PKCS1Padding", P11RSACipher, - m(CKM_RSA_PKCS)); - -- d(SIG, "RawDSA", P11Signature, s("NONEwithDSA"), -+ d(SIG, "RawDSA", P11Signature, s("NONEwithDSA"), - m(CKM_DSA)); -- d(SIG, "DSA", P11Signature, s("SHA1withDSA"), -+ d(SIG, "DSA", P11Signature, -+ s("SHA1withDSA", "1.3.14.3.2.13", "1.3.14.3.2.27", -+ "1.2.840.10040.4.3", "OID.1.2.840.10040.4.3"), - m(CKM_DSA_SHA1, CKM_DSA)); - d(SIG, "NONEwithECDSA", P11Signature, - m(CKM_ECDSA)); -- d(SIG, "SHA1withECDSA", P11Signature, s("ECDSA"), -+ d(SIG, "SHA1withECDSA", P11Signature, -+ s("ECDSA", "1.2.840.10045.4.1", "OID.1.2.840.10045.4.1"), - m(CKM_ECDSA_SHA1, CKM_ECDSA)); - d(SIG, "SHA224withECDSA", P11Signature, - s("1.2.840.10045.4.3.1", "OID.1.2.840.10045.4.3.1"), -@@ -653,10 +675,14 @@ - s("1.2.840.10045.4.3.4", "OID.1.2.840.10045.4.3.4"), - m(CKM_ECDSA)); - d(SIG, "MD2withRSA", P11Signature, -+ s("1.2.840.113549.1.1.2", "OID.1.2.840.113549.1.1.2"), - m(CKM_MD2_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); - d(SIG, "MD5withRSA", P11Signature, -+ s("1.2.840.113549.1.1.4", "OID.1.2.840.113549.1.1.4"), - m(CKM_MD5_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); - d(SIG, "SHA1withRSA", P11Signature, -+ s("1.2.840.113549.1.1.5", "OID.1.2.840.113549.1.1.5", -+ "1.3.14.3.2.29"), - m(CKM_SHA1_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); - d(SIG, "SHA224withRSA", P11Signature, - s("1.2.840.113549.1.1.14", "OID.1.2.840.113549.1.1.14"), -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/DSA.java openjdk/jdk/src/share/classes/sun/security/provider/DSA.java ---- openjdk.orig/jdk/src/share/classes/sun/security/provider/DSA.java 2013-08-21 20:33:03.312316612 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/provider/DSA.java 2014-12-24 20:18:40.130192717 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1996, 2004, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -45,14 +45,15 @@ - - /** - * The Digital Signature Standard (using the Digital Signature -- * Algorithm), as described in fips186 of the National Instute of -- * Standards and Technology (NIST), using fips180-1 (SHA-1). -+ * Algorithm), as described in fips186-3 of the National Instute of -+ * Standards and Technology (NIST), using SHA digest algorithms -+ * from FIPS180-3. - * - * This file contains both the signature implementation for the -- * commonly used SHA1withDSA (DSS) as well as RawDSA, used by TLS -- * among others. RawDSA expects the 20 byte SHA-1 digest as input -- * via update rather than the original data like other signature -- * implementations. -+ * commonly used SHA1withDSA (DSS), SHA224withDSA, SHA256withDSA, -+ * as well as RawDSA, used by TLS among others. RawDSA expects -+ * the 20 byte SHA-1 digest as input via update rather than the -+ * original data like other signature implementations. - * - * @author Benjamin Renaud - * -@@ -78,129 +79,19 @@ - /* The private key, if any */ - private BigInteger presetX; - -- /* The random seed used to generate k */ -- private int[] Kseed; -- -- /* The random seed used to generate k (specified by application) */ -- private byte[] KseedAsByteArray; -- -- /* -- * The random seed used to generate k -- * (prevent the same Kseed from being used twice in a row -- */ -- private int[] previousKseed; -- - /* The RNG used to output a seed for generating k */ - private SecureRandom signingRandom; - -+ /* The message digest object used */ -+ private final MessageDigest md; -+ - /** - * Construct a blank DSA object. It must be - * initialized before being usable for signing or verifying. - */ -- DSA() { -+ DSA(MessageDigest md) { - super(); -- } -- -- /** -- * Return the 20 byte hash value and reset the digest. -- */ -- abstract byte[] getDigest() throws SignatureException; -- -- /** -- * Reset the digest. -- */ -- abstract void resetDigest(); -- -- /** -- * Standard SHA1withDSA implementation. -- */ -- public static final class SHA1withDSA extends DSA { -- -- /* The SHA hash for the data */ -- private final MessageDigest dataSHA; -- -- public SHA1withDSA() throws NoSuchAlgorithmException { -- dataSHA = MessageDigest.getInstance("SHA-1"); -- } -- -- /** -- * Update a byte to be signed or verified. -- */ -- protected void engineUpdate(byte b) { -- dataSHA.update(b); -- } -- -- /** -- * Update an array of bytes to be signed or verified. -- */ -- protected void engineUpdate(byte[] data, int off, int len) { -- dataSHA.update(data, off, len); -- } -- -- protected void engineUpdate(ByteBuffer b) { -- dataSHA.update(b); -- } -- -- byte[] getDigest() { -- return dataSHA.digest(); -- } -- -- void resetDigest() { -- dataSHA.reset(); -- } -- } -- -- /** -- * RawDSA implementation. -- * -- * RawDSA requires the data to be exactly 20 bytes long. If it is -- * not, a SignatureException is thrown when sign()/verify() is called -- * per JCA spec. -- */ -- public static final class RawDSA extends DSA { -- -- // length of the SHA-1 digest (20 bytes) -- private final static int SHA1_LEN = 20; -- -- // 20 byte digest buffer -- private final byte[] digestBuffer; -- -- // offset into the buffer -- private int ofs; -- -- public RawDSA() { -- digestBuffer = new byte[SHA1_LEN]; -- } -- -- protected void engineUpdate(byte b) { -- if (ofs == SHA1_LEN) { -- ofs = SHA1_LEN + 1; -- return; -- } -- digestBuffer[ofs++] = b; -- } -- -- protected void engineUpdate(byte[] data, int off, int len) { -- if (ofs + len > SHA1_LEN) { -- ofs = SHA1_LEN + 1; -- return; -- } -- System.arraycopy(data, off, digestBuffer, ofs, len); -- ofs += len; -- } -- -- byte[] getDigest() throws SignatureException { -- if (ofs != SHA1_LEN) { -- throw new SignatureException -- ("Data for RawDSA must be exactly 20 bytes long"); -- } -- ofs = 0; -- return digestBuffer; -- } -- -- void resetDigest() { -- ofs = 0; -- } -+ this.md = md; - } - - /** -@@ -217,13 +108,25 @@ - throw new InvalidKeyException("not a DSA private key: " + - privateKey); - } -+ - java.security.interfaces.DSAPrivateKey priv = - (java.security.interfaces.DSAPrivateKey)privateKey; -+ -+ // check for algorithm specific constraints before doing initialization -+ DSAParams params = priv.getParams(); -+ if (params == null) { -+ throw new InvalidKeyException("DSA private key lacks parameters"); -+ } -+ checkKey(params); -+ -+ this.params = params; - this.presetX = priv.getX(); - this.presetY = null; -- initialize(priv.getParams()); -+ this.presetP = params.getP(); -+ this.presetQ = params.getQ(); -+ this.presetG = params.getG(); -+ this.md.reset(); - } -- - /** - * Initialize the DSA object with a DSA public key. - * -@@ -240,17 +143,43 @@ - } - java.security.interfaces.DSAPublicKey pub = - (java.security.interfaces.DSAPublicKey)publicKey; -+ -+ // check for algorithm specific constraints before doing initialization -+ DSAParams params = pub.getParams(); -+ if (params == null) { -+ throw new InvalidKeyException("DSA public key lacks parameters"); -+ } -+ checkKey(params); -+ -+ this.params = params; - this.presetY = pub.getY(); - this.presetX = null; -- initialize(pub.getParams()); -+ this.presetP = params.getP(); -+ this.presetQ = params.getQ(); -+ this.presetG = params.getG(); -+ this.md.reset(); - } - -- private void initialize(DSAParams params) throws InvalidKeyException { -- resetDigest(); -- setParams(params); -+ /** -+ * Update a byte to be signed or verified. -+ */ -+ protected void engineUpdate(byte b) { -+ md.update(b); - } - - /** -+ * Update an array of bytes to be signed or verified. -+ */ -+ protected void engineUpdate(byte[] data, int off, int len) { -+ md.update(data, off, len); -+ } -+ -+ protected void engineUpdate(ByteBuffer b) { -+ md.update(b); -+ } -+ -+ -+ /** - * Sign all the data thus far updated. The signature is formatted - * according to the Canonical Encoding Rules, returned as a DER - * sequence of Integer, r and s. -@@ -352,23 +281,51 @@ - } - } - -+ @Deprecated -+ protected void engineSetParameter(String key, Object param) { -+ throw new InvalidParameterException("No parameter accepted"); -+ } -+ -+ @Deprecated -+ protected Object engineGetParameter(String key) { -+ return null; -+ } -+ -+ protected void checkKey(DSAParams params) throws InvalidKeyException { -+ // FIPS186-3 states in sec4.2 that a hash function which provides -+ // a lower security strength than the (L, N) pair ordinarily should -+ // not be used. -+ int valueN = params.getQ().bitLength(); -+ if (valueN > md.getDigestLength()*8) { -+ throw new InvalidKeyException("Key is too strong for this signature algorithm"); -+ } -+ } -+ - private BigInteger generateR(BigInteger p, BigInteger q, BigInteger g, - BigInteger k) { - BigInteger temp = g.modPow(k, p); -- return temp.remainder(q); -- } -+ return temp.mod(q); -+ } - - private BigInteger generateS(BigInteger x, BigInteger q, - BigInteger r, BigInteger k) throws SignatureException { - -- byte[] s2 = getDigest(); -- BigInteger temp = new BigInteger(1, s2); -+ byte[] s2; -+ try { -+ s2 = md.digest(); -+ } catch (RuntimeException re) { -+ // Only for RawDSA due to its 20-byte length restriction -+ throw new SignatureException(re.getMessage()); -+ } -+ // get the leftmost min(N, outLen) bits of the digest value -+ int nBytes = q.bitLength()/8; -+ if (nBytes < s2.length) { -+ s2 = Arrays.copyOfRange(s2, 0, nBytes); -+ } -+ BigInteger z = new BigInteger(1, s2); - BigInteger k1 = k.modInverse(q); - -- BigInteger s = x.multiply(r); -- s = temp.add(s); -- s = k1.multiply(s); -- return s.remainder(q); -+ return x.multiply(r).add(z).multiply(k1).mod(q); - } - - private BigInteger generateW(BigInteger p, BigInteger q, -@@ -380,54 +337,41 @@ - BigInteger q, BigInteger g, BigInteger w, BigInteger r) - throws SignatureException { - -- byte[] s2 = getDigest(); -- BigInteger temp = new BigInteger(1, s2); -- -- temp = temp.multiply(w); -- BigInteger u1 = temp.remainder(q); -+ byte[] s2; -+ try { -+ s2 = md.digest(); -+ } catch (RuntimeException re) { -+ // Only for RawDSA due to its 20-byte length restriction -+ throw new SignatureException(re.getMessage()); -+ } -+ // get the leftmost min(N, outLen) bits of the digest value -+ int nBytes = q.bitLength()/8; -+ if (nBytes < s2.length) { -+ s2 = Arrays.copyOfRange(s2, 0, nBytes); -+ } -+ BigInteger z = new BigInteger(1, s2); - -- BigInteger u2 = (r.multiply(w)).remainder(q); -+ BigInteger u1 = z.multiply(w).mod(q); -+ BigInteger u2 = (r.multiply(w)).mod(q); - - BigInteger t1 = g.modPow(u1,p); - BigInteger t2 = y.modPow(u2,p); - BigInteger t3 = t1.multiply(t2); -- BigInteger t5 = t3.remainder(p); -- return t5.remainder(q); -+ BigInteger t5 = t3.mod(p); -+ return t5.mod(q); - } - -- /* -- * Please read bug report 4044247 for an alternative, faster, -- * NON-FIPS approved method to generate K -- */ -- private BigInteger generateK(BigInteger q) { -- -- BigInteger k = null; -- -- // The application specified a Kseed for us to use. -- // Note that we do not allow usage of the same Kseed twice in a row -- if (Kseed != null && !Arrays.equals(Kseed, previousKseed)) { -- k = generateK(Kseed, q); -- if (k.signum() > 0 && k.compareTo(q) < 0) { -- previousKseed = new int [Kseed.length]; -- System.arraycopy(Kseed, 0, previousKseed, 0, Kseed.length); -- return k; -- } -- } -- -- // The application did not specify a Kseed for us to use. -- // We'll generate a new Kseed by getting random bytes from -- // a SecureRandom object. -+ // NOTE: This following impl is defined in FIPS 186-3 AppendixB.2.2. -+ // Original DSS algos such as SHA1withDSA and RawDSA uses a different -+ // algorithm defined in FIPS 186-1 Sec3.2, and thus need to override this. -+ protected BigInteger generateK(BigInteger q) { - SecureRandom random = getSigningRandom(); -+ byte[] kValue = new byte[q.bitLength()/8]; - - while (true) { -- int[] seed = new int[5]; -- -- for (int i = 0; i < 5; i++) -- seed[i] = random.nextInt(); -- k = generateK(seed, q); -+ random.nextBytes(kValue); -+ BigInteger k = new BigInteger(1, kValue).mod(q); - if (k.signum() > 0 && k.compareTo(q) < 0) { -- previousKseed = new int [seed.length]; -- System.arraycopy(seed, 0, previousKseed, 0, seed.length); - return k; - } - } -@@ -435,7 +379,7 @@ - - // Use the application-specified SecureRandom Object if provided. - // Otherwise, use our default SecureRandom Object. -- private SecureRandom getSigningRandom() { -+ protected SecureRandom getSigningRandom() { - if (signingRandom == null) { - if (appRandom != null) { - signingRandom = appRandom; -@@ -447,171 +391,6 @@ - } - - /** -- * Compute k for a DSA signature. -- * -- * @param seed the seed for generating k. This seed should be -- * secure. This is what is refered to as the KSEED in the DSA -- * specification. -- * -- * @param g the g parameter from the DSA key pair. -- */ -- private BigInteger generateK(int[] seed, BigInteger q) { -- -- // check out t in the spec. -- int[] t = { 0xEFCDAB89, 0x98BADCFE, 0x10325476, -- 0xC3D2E1F0, 0x67452301 }; -- // -- int[] tmp = DSA.SHA_7(seed, t); -- byte[] tmpBytes = new byte[tmp.length * 4]; -- for (int i = 0; i < tmp.length; i++) { -- int k = tmp[i]; -- for (int j = 0; j < 4; j++) { -- tmpBytes[(i * 4) + j] = (byte) (k >>> (24 - (j * 8))); -- } -- } -- BigInteger k = new BigInteger(1, tmpBytes).mod(q); -- return k; -- } -- -- // Constants for each round -- private static final int round1_kt = 0x5a827999; -- private static final int round2_kt = 0x6ed9eba1; -- private static final int round3_kt = 0x8f1bbcdc; -- private static final int round4_kt = 0xca62c1d6; -- -- /** -- * Computes set 1 thru 7 of SHA-1 on m1. */ -- static int[] SHA_7(int[] m1, int[] h) { -- -- int[] W = new int[80]; -- System.arraycopy(m1,0,W,0,m1.length); -- int temp = 0; -- -- for (int t = 16; t <= 79; t++){ -- temp = W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]; -- W[t] = ((temp << 1) | (temp >>>(32 - 1))); -- } -- -- int a = h[0],b = h[1],c = h[2], d = h[3], e = h[4]; -- for (int i = 0; i < 20; i++) { -- temp = ((a<<5) | (a>>>(32-5))) + -- ((b&c)|((~b)&d))+ e + W[i] + round1_kt; -- e = d; -- d = c; -- c = ((b<<30) | (b>>>(32-30))); -- b = a; -- a = temp; -- } -- -- // Round 2 -- for (int i = 20; i < 40; i++) { -- temp = ((a<<5) | (a>>>(32-5))) + -- (b ^ c ^ d) + e + W[i] + round2_kt; -- e = d; -- d = c; -- c = ((b<<30) | (b>>>(32-30))); -- b = a; -- a = temp; -- } -- -- // Round 3 -- for (int i = 40; i < 60; i++) { -- temp = ((a<<5) | (a>>>(32-5))) + -- ((b&c)|(b&d)|(c&d)) + e + W[i] + round3_kt; -- e = d; -- d = c; -- c = ((b<<30) | (b>>>(32-30))); -- b = a; -- a = temp; -- } -- -- // Round 4 -- for (int i = 60; i < 80; i++) { -- temp = ((a<<5) | (a>>>(32-5))) + -- (b ^ c ^ d) + e + W[i] + round4_kt; -- e = d; -- d = c; -- c = ((b<<30) | (b>>>(32-30))); -- b = a; -- a = temp; -- } -- int[] md = new int[5]; -- md[0] = h[0] + a; -- md[1] = h[1] + b; -- md[2] = h[2] + c; -- md[3] = h[3] + d; -- md[4] = h[4] + e; -- return md; -- } -- -- -- /** -- * This implementation recognizes the following parameter:<dl> -- * -- * <dt><tt>Kseed</tt> -- * -- * <dd>a byte array. -- * -- * </dl> -- * -- * @deprecated -- */ -- @Deprecated -- protected void engineSetParameter(String key, Object param) { -- if (key.equals("KSEED")) { -- if (param instanceof byte[]) { -- Kseed = byteArray2IntArray((byte[])param); -- KseedAsByteArray = (byte[])param; -- } else { -- debug("unrecognized param: " + key); -- throw new InvalidParameterException("Kseed not a byte array"); -- } -- } else { -- throw new InvalidParameterException("invalid parameter"); -- } -- } -- -- /** -- * Return the value of the requested parameter. Recognized -- * parameters are: -- * -- * <dl> -- * -- * <dt><tt>Kseed</tt> -- * -- * <dd>a byte array. -- * -- * </dl> -- * -- * @return the value of the requested parameter. -- * -- * @see java.security.SignatureEngine -- * -- * @deprecated -- */ -- @Deprecated -- protected Object engineGetParameter(String key) { -- if (key.equals("KSEED")) { -- return KseedAsByteArray; -- } else { -- return null; -- } -- } -- -- /** -- * Set the algorithm object. -- */ -- private void setParams(DSAParams params) throws InvalidKeyException { -- if (params == null) { -- throw new InvalidKeyException("DSA public key lacks parameters"); -- } -- this.params = params; -- this.presetP = params.getP(); -- this.presetQ = params.getQ(); -- this.presetG = params.getG(); -- } -- -- /** - * Return a human readable rendition of the engine. - */ - public String toString() { -@@ -632,47 +411,336 @@ - return printable; - } - -- /* -- * Utility routine for converting a byte array into an int array -+ private static void debug(Exception e) { -+ if (debug) { -+ e.printStackTrace(); -+ } -+ } -+ -+ private static void debug(String s) { -+ if (debug) { -+ System.err.println(s); -+ } -+ } -+ -+ /** -+ * Standard SHA224withDSA implementation as defined in FIPS186-3. - */ -- private int[] byteArray2IntArray(byte[] byteArray) { -+ public static final class SHA224withDSA extends DSA { -+ public SHA224withDSA() throws NoSuchAlgorithmException { -+ super(MessageDigest.getInstance("SHA-224")); -+ } -+ } -+ -+ /** -+ * Standard SHA256withDSA implementation as defined in FIPS186-3. -+ */ -+ public static final class SHA256withDSA extends DSA { -+ public SHA256withDSA() throws NoSuchAlgorithmException { -+ super(MessageDigest.getInstance("SHA-256")); -+ } -+ } -+ -+ static class LegacyDSA extends DSA { -+ /* The random seed used to generate k */ -+ private int[] kSeed; -+ /* The random seed used to generate k (specified by application) */ -+ private byte[] kSeedAsByteArray; -+ /* -+ * The random seed used to generate k -+ * (prevent the same Kseed from being used twice in a row -+ */ -+ private int[] kSeedLast; -+ -+ public LegacyDSA(MessageDigest md) throws NoSuchAlgorithmException { -+ super(md); -+ } -+ -+ @Deprecated -+ protected void engineSetParameter(String key, Object param) { -+ if (key.equals("KSEED")) { -+ if (param instanceof byte[]) { -+ kSeed = byteArray2IntArray((byte[])param); -+ kSeedAsByteArray = (byte[])param; -+ } else { -+ debug("unrecognized param: " + key); -+ throw new InvalidParameterException("kSeed not a byte array"); -+ } -+ } else { -+ throw new InvalidParameterException("Unsupported parameter"); -+ } -+ } -+ -+ @Deprecated -+ protected Object engineGetParameter(String key) { -+ if (key.equals("KSEED")) { -+ return kSeedAsByteArray; -+ } else { -+ return null; -+ } -+ } -+ -+ @Override -+ protected void checkKey(DSAParams params) throws InvalidKeyException { -+ int valueL = params.getP().bitLength(); -+ if (valueL > 1024) { -+ throw new InvalidKeyException("Key is too long for this algorithm"); -+ } -+ } -+ -+ /* -+ * Please read bug report 4044247 for an alternative, faster, -+ * NON-FIPS approved method to generate K -+ */ -+ @Override -+ protected BigInteger generateK(BigInteger q) { -+ BigInteger k = null; -+ -+ // The application specified a kSeed for us to use. -+ // Note: we dis-allow usage of the same Kseed twice in a row -+ if (kSeed != null && !Arrays.equals(kSeed, kSeedLast)) { -+ k = generateKUsingKSeed(kSeed, q); -+ if (k.signum() > 0 && k.compareTo(q) < 0) { -+ kSeedLast = kSeed.clone(); -+ return k; -+ } -+ } -+ -+ // The application did not specify a Kseed for us to use. -+ // We'll generate a new Kseed by getting random bytes from -+ // a SecureRandom object. -+ SecureRandom random = getSigningRandom(); -+ -+ while (true) { -+ int[] seed = new int[5]; -+ -+ for (int i = 0; i < 5; i++) seed[i] = random.nextInt(); -+ -+ k = generateKUsingKSeed(seed, q); -+ if (k.signum() > 0 && k.compareTo(q) < 0) { -+ kSeedLast = seed; -+ return k; -+ } -+ } -+ } -+ -+ /** -+ * Compute k for the DSA signature as defined in the original DSS, -+ * i.e. FIPS186. -+ * -+ * @param seed the seed for generating k. This seed should be -+ * secure. This is what is refered to as the KSEED in the DSA -+ * specification. -+ * -+ * @param g the g parameter from the DSA key pair. -+ */ -+ private BigInteger generateKUsingKSeed(int[] seed, BigInteger q) { -+ -+ // check out t in the spec. -+ int[] t = { 0xEFCDAB89, 0x98BADCFE, 0x10325476, -+ 0xC3D2E1F0, 0x67452301 }; -+ // -+ int[] tmp = SHA_7(seed, t); -+ byte[] tmpBytes = new byte[tmp.length * 4]; -+ for (int i = 0; i < tmp.length; i++) { -+ int k = tmp[i]; -+ for (int j = 0; j < 4; j++) { -+ tmpBytes[(i * 4) + j] = (byte) (k >>> (24 - (j * 8))); -+ } -+ } -+ BigInteger k = new BigInteger(1, tmpBytes).mod(q); -+ return k; -+ } -+ -+ // Constants for each round -+ private static final int round1_kt = 0x5a827999; -+ private static final int round2_kt = 0x6ed9eba1; -+ private static final int round3_kt = 0x8f1bbcdc; -+ private static final int round4_kt = 0xca62c1d6; -+ -+ /** -+ * Computes set 1 thru 7 of SHA-1 on m1. */ -+ static int[] SHA_7(int[] m1, int[] h) { - -- int j = 0; -- byte[] newBA; -- int mod = byteArray.length % 4; -- -- // guarantee that the incoming byteArray is a multiple of 4 -- // (pad with 0's) -- switch (mod) { -+ int[] W = new int[80]; -+ System.arraycopy(m1,0,W,0,m1.length); -+ int temp = 0; -+ -+ for (int t = 16; t <= 79; t++){ -+ temp = W[t-3] ^ W[t-8] ^ W[t-14] ^ W[t-16]; -+ W[t] = ((temp << 1) | (temp >>>(32 - 1))); -+ } -+ -+ int a = h[0],b = h[1],c = h[2], d = h[3], e = h[4]; -+ for (int i = 0; i < 20; i++) { -+ temp = ((a<<5) | (a>>>(32-5))) + -+ ((b&c)|((~b)&d))+ e + W[i] + round1_kt; -+ e = d; -+ d = c; -+ c = ((b<<30) | (b>>>(32-30))); -+ b = a; -+ a = temp; -+ } -+ -+ // Round 2 -+ for (int i = 20; i < 40; i++) { -+ temp = ((a<<5) | (a>>>(32-5))) + -+ (b ^ c ^ d) + e + W[i] + round2_kt; -+ e = d; -+ d = c; -+ c = ((b<<30) | (b>>>(32-30))); -+ b = a; -+ a = temp; -+ } -+ -+ // Round 3 -+ for (int i = 40; i < 60; i++) { -+ temp = ((a<<5) | (a>>>(32-5))) + -+ ((b&c)|(b&d)|(c&d)) + e + W[i] + round3_kt; -+ e = d; -+ d = c; -+ c = ((b<<30) | (b>>>(32-30))); -+ b = a; -+ a = temp; -+ } -+ -+ // Round 4 -+ for (int i = 60; i < 80; i++) { -+ temp = ((a<<5) | (a>>>(32-5))) + -+ (b ^ c ^ d) + e + W[i] + round4_kt; -+ e = d; -+ d = c; -+ c = ((b<<30) | (b>>>(32-30))); -+ b = a; -+ a = temp; -+ } -+ int[] md = new int[5]; -+ md[0] = h[0] + a; -+ md[1] = h[1] + b; -+ md[2] = h[2] + c; -+ md[3] = h[3] + d; -+ md[4] = h[4] + e; -+ return md; -+ } -+ -+ /* -+ * Utility routine for converting a byte array into an int array -+ */ -+ private int[] byteArray2IntArray(byte[] byteArray) { -+ -+ int j = 0; -+ byte[] newBA; -+ int mod = byteArray.length % 4; -+ -+ // guarantee that the incoming byteArray is a multiple of 4 -+ // (pad with 0's) -+ switch (mod) { - case 3: newBA = new byte[byteArray.length + 1]; break; - case 2: newBA = new byte[byteArray.length + 2]; break; - case 1: newBA = new byte[byteArray.length + 3]; break; - default: newBA = new byte[byteArray.length + 0]; break; -- } -- System.arraycopy(byteArray, 0, newBA, 0, byteArray.length); -+ } -+ System.arraycopy(byteArray, 0, newBA, 0, byteArray.length); - -- // copy each set of 4 bytes in the byte array into an integer -- int[] newSeed = new int[newBA.length / 4]; -- for (int i = 0; i < newBA.length; i += 4) { -- newSeed[j] = newBA[i + 3] & 0xFF; -- newSeed[j] |= (newBA[i + 2] << 8) & 0xFF00; -- newSeed[j] |= (newBA[i + 1] << 16) & 0xFF0000; -- newSeed[j] |= (newBA[i + 0] << 24) & 0xFF000000; -- j++; -- } -+ // copy each set of 4 bytes in the byte array into an integer -+ int[] newSeed = new int[newBA.length / 4]; -+ for (int i = 0; i < newBA.length; i += 4) { -+ newSeed[j] = newBA[i + 3] & 0xFF; -+ newSeed[j] |= (newBA[i + 2] << 8) & 0xFF00; -+ newSeed[j] |= (newBA[i + 1] << 16) & 0xFF0000; -+ newSeed[j] |= (newBA[i + 0] << 24) & 0xFF000000; -+ j++; -+ } - -- return newSeed; -+ return newSeed; -+ } - } - -- private static void debug(Exception e) { -- if (debug) { -- e.printStackTrace(); -+ public static final class SHA1withDSA extends LegacyDSA { -+ public SHA1withDSA() throws NoSuchAlgorithmException { -+ super(MessageDigest.getInstance("SHA-1")); - } - } - -- private static void debug(String s) { -- if (debug) { -- System.err.println(s); -+ /** -+ * RawDSA implementation. -+ * -+ * RawDSA requires the data to be exactly 20 bytes long. If it is -+ * not, a SignatureException is thrown when sign()/verify() is called -+ * per JCA spec. -+ */ -+ public static final class RawDSA extends LegacyDSA { -+ // Internal special-purpose MessageDigest impl for RawDSA -+ // Only override whatever methods used -+ // NOTE: no clone support -+ public static final class NullDigest20 extends MessageDigest { -+ // 20 byte digest buffer -+ private final byte[] digestBuffer = new byte[20]; -+ -+ // offset into the buffer; use Integer.MAX_VALUE to indicate -+ // out-of-bound condition -+ private int ofs = 0; -+ -+ protected NullDigest20() { -+ super("NullDigest20"); -+ } -+ protected void engineUpdate(byte input) { -+ if (ofs == digestBuffer.length) { -+ ofs = Integer.MAX_VALUE; -+ } else { -+ digestBuffer[ofs++] = input; -+ } -+ } -+ protected void engineUpdate(byte[] input, int offset, int len) { -+ if (ofs + len > digestBuffer.length) { -+ ofs = Integer.MAX_VALUE; -+ } else { -+ System.arraycopy(input, offset, digestBuffer, ofs, len); -+ ofs += len; -+ } -+ } -+ protected final void engineUpdate(ByteBuffer input) { -+ int inputLen = input.remaining(); -+ if (ofs + inputLen > digestBuffer.length) { -+ ofs = Integer.MAX_VALUE; -+ } else { -+ input.get(digestBuffer, ofs, inputLen); -+ ofs += inputLen; -+ } -+ } -+ protected byte[] engineDigest() throws RuntimeException { -+ if (ofs != digestBuffer.length) { -+ throw new RuntimeException -+ ("Data for RawDSA must be exactly 20 bytes long"); -+ } -+ reset(); -+ return digestBuffer; -+ } -+ protected int engineDigest(byte[] buf, int offset, int len) -+ throws DigestException { -+ if (ofs != digestBuffer.length) { -+ throw new DigestException -+ ("Data for RawDSA must be exactly 20 bytes long"); -+ } -+ if (len < digestBuffer.length) { -+ throw new DigestException -+ ("Output buffer too small; must be at least 20 bytes"); -+ } -+ System.arraycopy(digestBuffer, 0, buf, offset, digestBuffer.length); -+ reset(); -+ return digestBuffer.length; -+ } -+ -+ protected void engineReset() { -+ ofs = 0; -+ } -+ protected final int engineGetDigestLength() { -+ return digestBuffer.length; -+ } -+ } -+ -+ public RawDSA() throws NoSuchAlgorithmException { -+ super(new NullDigest20()); - } - } - } -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/DSAKeyPairGenerator.java openjdk/jdk/src/share/classes/sun/security/provider/DSAKeyPairGenerator.java ---- openjdk.orig/jdk/src/share/classes/sun/security/provider/DSAKeyPairGenerator.java 2013-08-21 20:33:03.316316678 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/provider/DSAKeyPairGenerator.java 2014-12-24 20:18:40.130192717 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1997, 2005, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -48,8 +48,9 @@ - public class DSAKeyPairGenerator extends KeyPairGenerator - implements java.security.interfaces.DSAKeyPairGenerator { - -- /* The modulus length */ -- private int modlen; -+ /* Length for prime P and subPrime Q in bits */ -+ private int plen; -+ private int qlen; - - /* whether to force new parameters to be generated for each KeyPair */ - private boolean forceNewParameters; -@@ -65,20 +66,23 @@ - initialize(1024, null); - } - -- private static void checkStrength(int strength) { -- if ((strength < 512) || (strength > 1024) || (strength % 64 != 0)) { -+ private static void checkStrength(int sizeP, int sizeQ) { -+ if ((sizeP >= 512) && (sizeP <= 1024) && (sizeP % 64 == 0) -+ && sizeQ == 160) { -+ // traditional - allow for backward compatibility -+ // L=multiples of 64 and between 512 and 1024 (inclusive) -+ // N=160 -+ } else if (sizeP == 2048 && (sizeQ == 224 || sizeQ == 256)) { -+ // L=2048, N=224 or 256 -+ } else { - throw new InvalidParameterException -- ("Modulus size must range from 512 to 1024 " -- + "and be a multiple of 64"); -+ ("Unsupported prime and subprime size combination: " + -+ sizeP + ", " + sizeQ); - } - } - - public void initialize(int modlen, SecureRandom random) { -- checkStrength(modlen); -- this.random = random; -- this.modlen = modlen; -- this.params = null; -- this.forceNewParameters = false; -+ initialize(modlen, false, random); - } - - /** -@@ -86,18 +90,27 @@ - * is false, a set of pre-computed parameters is used. - */ - public void initialize(int modlen, boolean genParams, SecureRandom random) { -- checkStrength(modlen); -+ int subPrimeLen = -1; -+ if (modlen <= 1024) { -+ subPrimeLen = 160; -+ } else if (modlen == 2048) { -+ subPrimeLen = 224; -+ } -+ checkStrength(modlen, subPrimeLen); - if (genParams) { - params = null; - } else { -- params = ParameterCache.getCachedDSAParameterSpec(modlen); -+ params = ParameterCache.getCachedDSAParameterSpec(modlen, -+ subPrimeLen); - if (params == null) { - throw new InvalidParameterException - ("No precomputed parameters for requested modulus size " - + "available"); - } -+ - } -- this.modlen = modlen; -+ this.plen = modlen; -+ this.qlen = subPrimeLen; - this.random = random; - this.forceNewParameters = genParams; - } -@@ -136,9 +149,11 @@ - } - - private void initialize0(DSAParameterSpec params, SecureRandom random) { -- int modlen = params.getP().bitLength(); -- checkStrength(modlen); -- this.modlen = modlen; -+ int sizeP = params.getP().bitLength(); -+ int sizeQ = params.getQ().bitLength(); -+ checkStrength(sizeP, sizeQ); -+ this.plen = sizeP; -+ this.qlen = sizeQ; - this.params = params; - this.random = random; - this.forceNewParameters = false; -@@ -156,11 +171,11 @@ - try { - if (forceNewParameters) { - // generate new parameters each time -- spec = ParameterCache.getNewDSAParameterSpec(modlen, random); -+ spec = ParameterCache.getNewDSAParameterSpec(plen, qlen, random); - } else { - if (params == null) { - params = -- ParameterCache.getDSAParameterSpec(modlen, random); -+ ParameterCache.getDSAParameterSpec(plen, qlen, random); - } - spec = params; - } -@@ -203,43 +218,14 @@ - */ - private BigInteger generateX(SecureRandom random, BigInteger q) { - BigInteger x = null; -+ byte[] temp = new byte[qlen]; - while (true) { -- int[] seed = new int[5]; -- for (int i = 0; i < 5; i++) { -- seed[i] = random.nextInt(); -- } -- x = generateX(seed, q); -+ random.nextBytes(temp); -+ x = new BigInteger(1, temp).mod(q); - if (x.signum() > 0 && (x.compareTo(q) < 0)) { -- break; -- } -- } -- return x; -- } -- -- /** -- * Given a seed, generate the private key component of the key -- * pair. In the terminology used in the DSA specification -- * (FIPS-186) seed is the XSEED quantity. -- * -- * @param seed the seed to use to generate the private key. -- */ -- BigInteger generateX(int[] seed, BigInteger q) { -- -- // check out t in the spec. -- int[] t = { 0x67452301, 0xEFCDAB89, 0x98BADCFE, -- 0x10325476, 0xC3D2E1F0 }; -- // -- -- int[] tmp = DSA.SHA_7(seed, t); -- byte[] tmpBytes = new byte[tmp.length * 4]; -- for (int i = 0; i < tmp.length; i++) { -- int k = tmp[i]; -- for (int j = 0; j < 4; j++) { -- tmpBytes[(i * 4) + j] = (byte) (k >>> (24 - (j * 8))); -+ return x; - } - } -- BigInteger x = new BigInteger(1, tmpBytes).mod(q); -- return x; - } - - /** -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/DSAParameterGenerator.java openjdk/jdk/src/share/classes/sun/security/provider/DSAParameterGenerator.java ---- openjdk.orig/jdk/src/share/classes/sun/security/provider/DSAParameterGenerator.java 2013-08-21 20:33:03.316316678 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/provider/DSAParameterGenerator.java 2014-12-24 20:18:40.130192717 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1997, 2006, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -32,10 +32,12 @@ - import java.security.NoSuchAlgorithmException; - import java.security.NoSuchProviderException; - import java.security.InvalidParameterException; -+import java.security.MessageDigest; - import java.security.SecureRandom; - import java.security.spec.AlgorithmParameterSpec; - import java.security.spec.InvalidParameterSpecException; - import java.security.spec.DSAParameterSpec; -+import sun.security.spec.DSAGenParameterSpec; - - /** - * This class generates parameters for the DSA algorithm. It uses a default -@@ -54,8 +56,14 @@ - - public class DSAParameterGenerator extends AlgorithmParameterGeneratorSpi { - -- // the modulus length -- private int modLen = 1024; // default -+ // the default parameters -+ private static final DSAGenParameterSpec DEFAULTS = -+ new DSAGenParameterSpec(1024, 160, 160); -+ -+ // the length of prime P, subPrime Q, and seed in bits -+ private int valueL = -1; -+ private int valueN = -1; -+ private int seedLen = -1; - - // the source of randomness - private SecureRandom random; -@@ -65,11 +73,7 @@ - private static final BigInteger ONE = BigInteger.valueOf(1); - private static final BigInteger TWO = BigInteger.valueOf(2); - -- // Make a SHA-1 hash function -- private SHA sha; -- - public DSAParameterGenerator() { -- this.sha = new SHA(); - } - - /** -@@ -80,19 +84,18 @@ - * @param random the source of randomness - */ - protected void engineInit(int strength, SecureRandom random) { -- /* -- * Bruce Schneier, "Applied Cryptography", 2nd Edition, -- * Description of DSA: -- * [...] The algorithm uses the following parameter: -- * p=a prime number L bits long, when L ranges from 512 to 1024 and is -- * a multiple of 64. [...] -- */ -- if ((strength < 512) || (strength > 1024) || (strength % 64 != 0)) { -+ if ((strength >= 512) && (strength <= 1024) && (strength % 64 == 0)) { -+ this.valueN = 160; -+ } else if (strength == 2048) { -+ this.valueN = 224; -+// } else if (strength == 3072) { -+// this.valueN = 256; -+ } else { - throw new InvalidParameterException -- ("Prime size must range from 512 to 1024 " -- + "and be a multiple of 64"); -+ ("Prime size should be 512 - 1024, or 2048"); - } -- this.modLen = strength; -+ this.valueL = strength; -+ this.seedLen = valueN; - this.random = random; - } - -@@ -100,7 +103,7 @@ - * Initializes this parameter generator with a set of - * algorithm-specific parameter generation values. - * -- * @param params the set of algorithm-specific parameter generation values -+ * @param genParamSpec the set of algorithm-specific parameter generation values - * @param random the source of randomness - * - * @exception InvalidAlgorithmParameterException if the given parameter -@@ -109,7 +112,19 @@ - protected void engineInit(AlgorithmParameterSpec genParamSpec, - SecureRandom random) - throws InvalidAlgorithmParameterException { -+ if (!(genParamSpec instanceof DSAGenParameterSpec)) { - throw new InvalidAlgorithmParameterException("Invalid parameter"); -+ } -+ DSAGenParameterSpec dsaGenParams = (DSAGenParameterSpec) genParamSpec; -+ if (dsaGenParams.getPrimePLength() > 2048) { -+ throw new InvalidParameterException -+ ("Prime size should be 512 - 1024, or 2048"); -+ } -+ // directly initialize using the already validated values -+ this.valueL = dsaGenParams.getPrimePLength(); -+ this.valueN = dsaGenParams.getSubprimeQLength(); -+ this.seedLen = dsaGenParams.getSeedLength(); -+ this.random = random; - } - - /** -@@ -123,15 +138,21 @@ - if (this.random == null) { - this.random = new SecureRandom(); - } -- -- BigInteger[] pAndQ = generatePandQ(this.random, this.modLen); -+ if (valueL == -1) { -+ try { -+ engineInit(DEFAULTS, this.random); -+ } catch (InvalidAlgorithmParameterException iape) { -+ // should never happen -+ } -+ } -+ BigInteger[] pAndQ = generatePandQ(this.random, valueL, -+ valueN, seedLen); - BigInteger paramP = pAndQ[0]; - BigInteger paramQ = pAndQ[1]; - BigInteger paramG = generateG(paramP, paramQ); - -- DSAParameterSpec dsaParamSpec = new DSAParameterSpec(paramP, -- paramQ, -- paramG); -+ DSAParameterSpec dsaParamSpec = -+ new DSAParameterSpec(paramP, paramQ, paramG); - algParams = AlgorithmParameters.getInstance("DSA", "SUN"); - algParams.init(dsaParamSpec); - } catch (InvalidParameterSpecException e) { -@@ -156,102 +177,98 @@ - * - * @param random the source of randomness to generate the - * seed -- * @param L the size of <code>p</code>, in bits. -+ * @param valueL the size of <code>p</code>, in bits. -+ * @param valueN the size of <code>q</code>, in bits. -+ * @param seedLen the length of <code>seed</code>, in bits. - * - * @return an array of BigInteger, with <code>p</code> at index 0 and -- * <code>q</code> at index 1. -+ * <code>q</code> at index 1, the seed at index 2, and the counter value -+ * at index 3. - */ -- BigInteger[] generatePandQ(SecureRandom random, int L) { -- BigInteger[] result = null; -- byte[] seed = new byte[20]; -- -- while(result == null) { -- for (int i = 0; i < 20; i++) { -- seed[i] = (byte)random.nextInt(); -- } -- result = generatePandQ(seed, L); -+ private static BigInteger[] generatePandQ(SecureRandom random, int valueL, -+ int valueN, int seedLen) { -+ String hashAlg = null; -+ if (valueN == 160) { -+ hashAlg = "SHA"; -+ } else if (valueN == 224) { -+ hashAlg = "SHA-224"; -+ } else if (valueN == 256) { -+ hashAlg = "SHA-256"; -+ } -+ MessageDigest hashObj = null; -+ try { -+ hashObj = MessageDigest.getInstance(hashAlg); -+ } catch (NoSuchAlgorithmException nsae) { -+ // should never happen -+ nsae.printStackTrace(); - } -- return result; -- } - -- /* -- * Generates the prime and subprime parameters for DSA. -- * -- * <p>The seed parameter corresponds to the <code>SEED</code> parameter -- * referenced in the FIPS specification of the DSA algorithm, -- * and L is the size of <code>p</code>, in bits. -- * -- * @param seed the seed to generate the parameters -- * @param L the size of <code>p</code>, in bits. -- * -- * @return an array of BigInteger, with <code>p</code> at index 0, -- * <code>q</code> at index 1, the seed at index 2, and the counter value -- * at index 3, or null if the seed does not yield suitable numbers. -- */ -- BigInteger[] generatePandQ(byte[] seed, int L) { -+ /* Step 3, 4: Useful variables */ -+ int outLen = hashObj.getDigestLength()*8; -+ int n = (valueL - 1) / outLen; -+ int b = (valueL - 1) % outLen; -+ byte[] seedBytes = new byte[seedLen/8]; -+ BigInteger twoSl = TWO.pow(seedLen); -+ int primeCertainty = 80; // for 1024-bit prime P -+ if (valueL == 2048) { -+ primeCertainty = 112; -+ //} else if (valueL == 3072) { -+ // primeCertainty = 128; -+ } - -- /* Useful variables */ -- int g = seed.length * 8; -- int n = (L - 1) / 160; -- int b = (L - 1) % 160; -- -- BigInteger SEED = new BigInteger(1, seed); -- BigInteger TWOG = TWO.pow(2 * g); -- -- /* Step 2 (Step 1 is getting seed). */ -- byte[] U1 = SHA(seed); -- byte[] U2 = SHA(toByteArray((SEED.add(ONE)).mod(TWOG))); -- -- xor(U1, U2); -- byte[] U = U1; -- -- /* Step 3: For q by setting the msb and lsb to 1 */ -- U[0] |= 0x80; -- U[19] |= 1; -- BigInteger q = new BigInteger(1, U); -- -- /* Step 5 */ -- if (!q.isProbablePrime(80)) { -- return null; -- -- } else { -- BigInteger V[] = new BigInteger[n + 1]; -- BigInteger offset = TWO; -- -- /* Step 6 */ -- for (int counter = 0; counter < 4096; counter++) { -- -- /* Step 7 */ -- for (int k = 0; k <= n; k++) { -- BigInteger K = BigInteger.valueOf(k); -- BigInteger tmp = (SEED.add(offset).add(K)).mod(TWOG); -- V[k] = new BigInteger(1, SHA(toByteArray(tmp))); -- } -- -- /* Step 8 */ -- BigInteger W = V[0]; -- for (int i = 1; i < n; i++) { -- W = W.add(V[i].multiply(TWO.pow(i * 160))); -- } -- W = W.add((V[n].mod(TWO.pow(b))).multiply(TWO.pow(n * 160))); -- -- BigInteger TWOLm1 = TWO.pow(L - 1); -- BigInteger X = W.add(TWOLm1); -- -- /* Step 9 */ -- BigInteger c = X.mod(q.multiply(TWO)); -- BigInteger p = X.subtract(c.subtract(ONE)); -- -- /* Step 10 - 13 */ -- if (p.compareTo(TWOLm1) > -1 && p.isProbablePrime(80)) { -- BigInteger[] result = {p, q, SEED, -- BigInteger.valueOf(counter)}; -- return result; -- } -- offset = offset.add(BigInteger.valueOf(n)).add(ONE); -+ BigInteger resultP, resultQ, seed = null; -+ int counter; -+ while (true) { -+ do { -+ /* Step 5 */ -+ random.nextBytes(seedBytes); -+ seed = new BigInteger(1, seedBytes); -+ -+ /* Step 6 */ -+ BigInteger U = new BigInteger(1, hashObj.digest(seedBytes)). -+ mod(TWO.pow(valueN - 1)); -+ -+ /* Step 7 */ -+ resultQ = TWO.pow(valueN - 1).add(U).add(ONE). subtract(U.mod(TWO)); -+ } while (!resultQ.isProbablePrime(primeCertainty)); -+ -+ /* Step 10 */ -+ BigInteger offset = ONE; -+ /* Step 11 */ -+ for (counter = 0; counter < 4*valueL; counter++) { -+ BigInteger V[] = new BigInteger[n + 1]; -+ /* Step 11.1 */ -+ for (int j = 0; j <= n; j++) { -+ BigInteger J = BigInteger.valueOf(j); -+ BigInteger tmp = (seed.add(offset).add(J)).mod(twoSl); -+ byte[] vjBytes = hashObj.digest(toByteArray(tmp)); -+ V[j] = new BigInteger(1, vjBytes); -+ } -+ /* Step 11.2 */ -+ BigInteger W = V[0]; -+ for (int i = 1; i < n; i++) { -+ W = W.add(V[i].multiply(TWO.pow(i * outLen))); -+ } -+ W = W.add((V[n].mod(TWO.pow(b))).multiply(TWO.pow(n * outLen))); -+ /* Step 11.3 */ -+ BigInteger twoLm1 = TWO.pow(valueL - 1); -+ BigInteger X = W.add(twoLm1); -+ /* Step 11.4, 11.5 */ -+ BigInteger c = X.mod(resultQ.multiply(TWO)); -+ resultP = X.subtract(c.subtract(ONE)); -+ /* Step 11.6, 11.7 */ -+ if (resultP.compareTo(twoLm1) > -1 -+ && resultP.isProbablePrime(primeCertainty)) { -+ /* Step 11.8 */ -+ BigInteger[] result = {resultP, resultQ, seed, -+ BigInteger.valueOf(counter)}; -+ return result; -+ } -+ /* Step 11.9 */ -+ offset = offset.add(BigInteger.valueOf(n)).add(ONE); - } -- return null; -- } -+ } -+ - } - - /* -@@ -262,31 +279,24 @@ - * - * @param the <code>g</code> - */ -- BigInteger generateG(BigInteger p, BigInteger q) { -+ private static BigInteger generateG(BigInteger p, BigInteger q) { - BigInteger h = ONE; -+ /* Step 1 */ - BigInteger pMinusOneOverQ = (p.subtract(ONE)).divide(q); -- BigInteger g = ONE; -- while (g.compareTo(TWO) < 0) { -- g = h.modPow(pMinusOneOverQ, p); -+ BigInteger resultG = ONE; -+ while (resultG.compareTo(TWO) < 0) { -+ /* Step 3 */ -+ resultG = h.modPow(pMinusOneOverQ, p); - h = h.add(ONE); - } -- return g; -- } -- -- /* -- * Returns the SHA-1 digest of some data -- */ -- private byte[] SHA(byte[] array) { -- sha.engineReset(); -- sha.engineUpdate(array, 0, array.length); -- return sha.engineDigest(); -+ return resultG; - } - - /* - * Converts the result of a BigInteger.toByteArray call to an exact - * signed magnitude representation for any positive number. - */ -- private byte[] toByteArray(BigInteger bigInt) { -+ private static byte[] toByteArray(BigInteger bigInt) { - byte[] result = bigInt.toByteArray(); - if (result[0] == 0) { - byte[] tmp = new byte[result.length - 1]; -@@ -295,13 +305,4 @@ - } - return result; - } -- -- /* -- * XORs U2 into U1 -- */ -- private void xor(byte[] U1, byte[] U2) { -- for (int i = 0; i < U1.length; i++) { -- U1[i] ^= U2[i]; -- } -- } - } -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/ParameterCache.java openjdk/jdk/src/share/classes/sun/security/provider/ParameterCache.java ---- openjdk.orig/jdk/src/share/classes/sun/security/provider/ParameterCache.java 2013-08-21 20:33:03.320316743 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/provider/ParameterCache.java 2014-12-24 20:18:40.130192717 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -26,6 +26,7 @@ - package sun.security.provider; - - import java.util.*; -+import java.util.concurrent.ConcurrentHashMap; - import java.math.BigInteger; - - import java.security.*; -@@ -34,6 +35,8 @@ - - import javax.crypto.spec.DHParameterSpec; - -+import sun.security.spec.DSAGenParameterSpec; -+ - /** - * Cache for DSA and DH parameter specs. Used by the KeyPairGenerators - * in the Sun, SunJCE, and SunPKCS11 provider if no parameters have been -@@ -55,11 +58,17 @@ - private final static Map<Integer,DHParameterSpec> dhCache; - - /** -- * Return cached DSA parameters for the given keylength, or null if none -- * are available in the cache. -+ * Return cached DSA parameters for the given length combination of -+ * prime and subprime, or null if none are available in the cache. - */ -- public static DSAParameterSpec getCachedDSAParameterSpec(int keyLength) { -- return dsaCache.get(Integer.valueOf(keyLength)); -+ public static DSAParameterSpec getCachedDSAParameterSpec(int primeLen, -+ int subprimeLen) { -+ // ensure the sum is unique in all cases, i.e. -+ // case#1: (512 <= p <= 1024) AND q=160 -+ // case#2: p=2048 AND q=224 -+ // case#3: p=2048 AND q=256 -+ // (NOT-YET-SUPPORTED)case#4: p=3072 AND q=256 -+ return dsaCache.get(Integer.valueOf(primeLen+subprimeLen)); - } - - /** -@@ -71,18 +80,39 @@ - } - - /** -- * Return DSA parameters for the given keylength. Uses cache if possible, -- * generates new parameters and adds them to the cache otherwise. -+ * Return DSA parameters for the given primeLen. Uses cache if -+ * possible, generates new parameters and adds them to the cache -+ * otherwise. - */ -- public static DSAParameterSpec getDSAParameterSpec(int keyLength, -+ public static DSAParameterSpec getDSAParameterSpec(int primeLen, - SecureRandom random) -- throws NoSuchAlgorithmException, InvalidParameterSpecException { -- DSAParameterSpec spec = getCachedDSAParameterSpec(keyLength); -+ throws NoSuchAlgorithmException, InvalidParameterSpecException, -+ InvalidAlgorithmParameterException { -+ if (primeLen <= 1024) { -+ return getDSAParameterSpec(primeLen, 160, random); -+ } else if (primeLen == 2048) { -+ return getDSAParameterSpec(primeLen, 224, random); -+ } else { -+ return null; -+ } -+ } -+ -+ /** -+ * Return DSA parameters for the given primeLen and subprimeLen. -+ * Uses cache if possible, generates new parameters and adds them to the -+ * cache otherwise. -+ */ -+ public static DSAParameterSpec getDSAParameterSpec(int primeLen, -+ int subprimeLen, SecureRandom random) -+ throws NoSuchAlgorithmException, InvalidParameterSpecException, -+ InvalidAlgorithmParameterException { -+ DSAParameterSpec spec = -+ getCachedDSAParameterSpec(primeLen, subprimeLen); - if (spec != null) { - return spec; - } -- spec = getNewDSAParameterSpec(keyLength, random); -- dsaCache.put(Integer.valueOf(keyLength), spec); -+ spec = getNewDSAParameterSpec(primeLen, subprimeLen, random); -+ dsaCache.put(Integer.valueOf(primeLen + subprimeLen), spec); - return spec; - } - -@@ -107,28 +137,28 @@ - } - - /** -- * Return new DSA parameters for the given keylength. Do not lookup in -- * cache and do not cache the newly generated parameters. This method -- * really only exists for the legacy method -+ * Return new DSA parameters for the given length combination of prime and -+ * sub prime. Do not lookup in cache and do not cache the newly generated -+ * parameters. This method really only exists for the legacy method - * DSAKeyPairGenerator.initialize(int, boolean, SecureRandom). - */ -- public static DSAParameterSpec getNewDSAParameterSpec(int keyLength, -- SecureRandom random) -- throws NoSuchAlgorithmException, InvalidParameterSpecException { -+ public static DSAParameterSpec getNewDSAParameterSpec(int primeLen, -+ int subprimeLen, SecureRandom random) -+ throws NoSuchAlgorithmException, InvalidParameterSpecException, -+ InvalidAlgorithmParameterException { - AlgorithmParameterGenerator gen = - AlgorithmParameterGenerator.getInstance("DSA"); -- gen.init(keyLength, random); -+ DSAGenParameterSpec genParams = -+ new DSAGenParameterSpec(primeLen, subprimeLen); -+ gen.init(genParams, random); - AlgorithmParameters params = gen.generateParameters(); - DSAParameterSpec spec = params.getParameterSpec(DSAParameterSpec.class); - return spec; - } - - static { -- // XXX change to ConcurrentHashMap once available -- dhCache = Collections.synchronizedMap -- (new HashMap<Integer,DHParameterSpec>()); -- dsaCache = Collections.synchronizedMap -- (new HashMap<Integer,DSAParameterSpec>()); -+ dhCache = new ConcurrentHashMap<Integer,DHParameterSpec>(); -+ dsaCache = new ConcurrentHashMap<Integer,DSAParameterSpec>(); - - /* - * We support precomputed parameter for 512, 768 and 1024 bit -@@ -210,17 +240,99 @@ - "83dfe15ae59f06928b665e807b552564014c3bfecf" + - "492a", 16); - -- dsaCache.put(Integer.valueOf(512), -+ dsaCache.put(Integer.valueOf(512+160), - new DSAParameterSpec(p512, q512, g512)); -- dsaCache.put(Integer.valueOf(768), -+ dsaCache.put(Integer.valueOf(768+160), - new DSAParameterSpec(p768, q768, g768)); -- dsaCache.put(Integer.valueOf(1024), -+ dsaCache.put(Integer.valueOf(1024+160), - new DSAParameterSpec(p1024, q1024, g1024)); -+ /* -+ * L = 2048, N = 224 -+ * SEED = 584236080cfa43c09b02354135f4cc5198a19efada08bd866d601ba4 -+ * counter = 2666 -+ */ -+ BigInteger p2048_224 = -+ new BigInteger("8f7935d9b9aae9bfabed887acf4951b6f32ec59e3b" + -+ "af3718e8eac4961f3efd3606e74351a9c4183339b8" + -+ "09e7c2ae1c539ba7475b85d011adb8b47987754984" + -+ "695cac0e8f14b3360828a22ffa27110a3d62a99345" + -+ "3409a0fe696c4658f84bdd20819c3709a01057b195" + -+ "adcd00233dba5484b6291f9d648ef883448677979c" + -+ "ec04b434a6ac2e75e9985de23db0292fc1118c9ffa" + -+ "9d8181e7338db792b730d7b9e349592f6809987215" + -+ "3915ea3d6b8b4653c633458f803b32a4c2e0f27290" + -+ "256e4e3f8a3b0838a1c450e4e18c1a29a37ddf5ea1" + -+ "43de4b66ff04903ed5cf1623e158d487c608e97f21" + -+ "1cd81dca23cb6e380765f822e342be484c05763939" + -+ "601cd667", 16); -+ -+ BigInteger q2048_224 = -+ new BigInteger("baf696a68578f7dfdee7fa67c977c785ef32b233ba" + -+ "e580c0bcd5695d", 16); -+ -+ BigInteger g2048_224 = -+ new BigInteger("16a65c58204850704e7502a39757040d34da3a3478" + -+ "c154d4e4a5c02d242ee04f96e61e4bd0904abdac8f" + -+ "37eeb1e09f3182d23c9043cb642f88004160edf9ca" + -+ "09b32076a79c32a627f2473e91879ba2c4e744bd20" + -+ "81544cb55b802c368d1fa83ed489e94e0fa0688e32" + -+ "428a5c78c478c68d0527b71c9a3abb0b0be12c4468" + -+ "9639e7d3ce74db101a65aa2b87f64c6826db3ec72f" + -+ "4b5599834bb4edb02f7c90e9a496d3a55d535bebfc" + -+ "45d4f619f63f3dedbb873925c2f224e07731296da8" + -+ "87ec1e4748f87efb5fdeb75484316b2232dee553dd" + -+ "af02112b0d1f02da30973224fe27aeda8b9d4b2922" + -+ "d9ba8be39ed9e103a63c52810bc688b7e2ed4316e1" + -+ "ef17dbde", 16); -+ dsaCache.put(Integer.valueOf(2048+224), -+ new DSAParameterSpec(p2048_224, q2048_224, g2048_224)); -+ -+ /* -+ * L = 2048, N = 256 -+ * SEED = b0b4417601b59cbc9d8ac8f935cadaec4f5fbb2f23785609ae466748d9b5a536 -+ * counter = 497 -+ */ -+ BigInteger p2048_256 = -+ new BigInteger("95475cf5d93e596c3fcd1d902add02f427f5f3c721" + -+ "0313bb45fb4d5bb2e5fe1cbd678cd4bbdd84c9836b" + -+ "e1f31c0777725aeb6c2fc38b85f48076fa76bcd814" + -+ "6cc89a6fb2f706dd719898c2083dc8d896f84062e2" + -+ "c9c94d137b054a8d8096adb8d51952398eeca852a0" + -+ "af12df83e475aa65d4ec0c38a9560d5661186ff98b" + -+ "9fc9eb60eee8b030376b236bc73be3acdbd74fd61c" + -+ "1d2475fa3077b8f080467881ff7e1ca56fee066d79" + -+ "506ade51edbb5443a563927dbc4ba520086746175c" + -+ "8885925ebc64c6147906773496990cb714ec667304" + -+ "e261faee33b3cbdf008e0c3fa90650d97d3909c927" + -+ "5bf4ac86ffcb3d03e6dfc8ada5934242dd6d3bcca2" + -+ "a406cb0b", 16); -+ -+ BigInteger q2048_256 = -+ new BigInteger("f8183668ba5fc5bb06b5981e6d8b795d30b8978d43" + -+ "ca0ec572e37e09939a9773", 16); -+ -+ BigInteger g2048_256 = -+ new BigInteger("42debb9da5b3d88cc956e08787ec3f3a09bba5f48b" + -+ "889a74aaf53174aa0fbe7e3c5b8fcd7a53bef563b0" + -+ "e98560328960a9517f4014d3325fc7962bf1e04937" + -+ "0d76d1314a76137e792f3f0db859d095e4a5b93202" + -+ "4f079ecf2ef09c797452b0770e1350782ed57ddf79" + -+ "4979dcef23cb96f183061965c4ebc93c9c71c56b92" + -+ "5955a75f94cccf1449ac43d586d0beee43251b0b22" + -+ "87349d68de0d144403f13e802f4146d882e057af19" + -+ "b6f6275c6676c8fa0e3ca2713a3257fd1b27d0639f" + -+ "695e347d8d1cf9ac819a26ca9b04cb0eb9b7b03598" + -+ "8d15bbac65212a55239cfc7e58fae38d7250ab9991" + -+ "ffbc97134025fe8ce04c4399ad96569be91a546f49" + -+ "78693c7a", 16); -+ dsaCache.put(Integer.valueOf(2048+256), -+ new DSAParameterSpec(p2048_256, q2048_256, g2048_256)); - - // use DSA parameters for DH as well - dhCache.put(Integer.valueOf(512), new DHParameterSpec(p512, g512)); - dhCache.put(Integer.valueOf(768), new DHParameterSpec(p768, g768)); - dhCache.put(Integer.valueOf(1024), new DHParameterSpec(p1024, g1024)); -+ dhCache.put(Integer.valueOf(2048), new DHParameterSpec(p2048_224, g2048_224)); - } - - } -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/SunEntries.java openjdk/jdk/src/share/classes/sun/security/provider/SunEntries.java ---- openjdk.orig/jdk/src/share/classes/sun/security/provider/SunEntries.java 2014-12-24 20:10:36.404459089 +0000 -+++ openjdk/jdk/src/share/classes/sun/security/provider/SunEntries.java 2014-12-24 20:18:40.130192717 +0000 -@@ -47,6 +47,10 @@ - * SHA-2 family of hash functions includes SHA-224, SHA-256, SHA-384, - * and SHA-512. - * -+ * - SHA-224withDSA/SHA-256withDSA are the signature schemes -+ * described in FIPS 186-3. The associated object identifiers are -+ * "OID.2.16.840.1.101.3.4.3.1", and "OID.2.16.840.1.101.3.4.3.2". -+ - * - DSA is the key generation scheme as described in FIPS 186. - * Aliases for DSA include the OID strings "OID.1.3.14.3.2.12" - * and "OID.1.2.840.10040.4.1". -@@ -106,11 +110,15 @@ - map.put("Signature.SHA1withDSA", "sun.security.provider.DSA$SHA1withDSA"); - map.put("Signature.NONEwithDSA", "sun.security.provider.DSA$RawDSA"); - map.put("Alg.Alias.Signature.RawDSA", "NONEwithDSA"); -+ map.put("Signature.SHA224withDSA", "sun.security.provider.DSA$SHA224withDSA"); -+ map.put("Signature.SHA256withDSA", "sun.security.provider.DSA$SHA256withDSA"); - - String dsaKeyClasses = "java.security.interfaces.DSAPublicKey" + - "|java.security.interfaces.DSAPrivateKey"; - map.put("Signature.SHA1withDSA SupportedKeyClasses", dsaKeyClasses); - map.put("Signature.NONEwithDSA SupportedKeyClasses", dsaKeyClasses); -+ map.put("Signature.SHA224withDSA SupportedKeyClasses", dsaKeyClasses); -+ map.put("Signature.SHA256withDSA SupportedKeyClasses", dsaKeyClasses); - - map.put("Alg.Alias.Signature.DSA", "SHA1withDSA"); - map.put("Alg.Alias.Signature.DSS", "SHA1withDSA"); -@@ -124,6 +132,10 @@ - map.put("Alg.Alias.Signature.1.2.840.10040.4.3", "SHA1withDSA"); - map.put("Alg.Alias.Signature.1.3.14.3.2.13", "SHA1withDSA"); - map.put("Alg.Alias.Signature.1.3.14.3.2.27", "SHA1withDSA"); -+ map.put("Alg.Alias.Signature.OID.2.16.840.1.101.3.4.3.1", "SHA224withDSA"); -+ map.put("Alg.Alias.Signature.2.16.840.1.101.3.4.3.1", "SHA224withDSA"); -+ map.put("Alg.Alias.Signature.OID.2.16.840.1.101.3.4.3.2", "SHA256withDSA"); -+ map.put("Alg.Alias.Signature.2.16.840.1.101.3.4.3.2", "SHA256withDSA"); - - /* - * Key Pair Generator engines -@@ -143,6 +155,8 @@ - - map.put("Alg.Alias.MessageDigest.SHA-1", "SHA"); - map.put("Alg.Alias.MessageDigest.SHA1", "SHA"); -+ map.put("Alg.Alias.MessageDigest.1.3.14.3.2.26", "SHA"); -+ map.put("Alg.Alias.MessageDigest.OID.1.3.14.3.2.26", "SHA"); - - map.put("MessageDigest.SHA-224", "sun.security.provider.SHA2$SHA224"); - map.put("Alg.Alias.MessageDigest.2.16.840.1.101.3.4.2.4", "SHA-224"); -@@ -169,15 +183,17 @@ - */ - map.put("AlgorithmParameters.DSA", - "sun.security.provider.DSAParameters"); -- map.put("Alg.Alias.AlgorithmParameters.1.3.14.3.2.12", "DSA"); -+ map.put("Alg.Alias.AlgorithmParameters.OID.1.2.840.10040.4.1", "DSA"); - map.put("Alg.Alias.AlgorithmParameters.1.2.840.10040.4.1", "DSA"); -+ map.put("Alg.Alias.AlgorithmParameters.1.3.14.3.2.12", "DSA"); - - /* - * Key factories - */ - map.put("KeyFactory.DSA", "sun.security.provider.DSAKeyFactory"); -- map.put("Alg.Alias.KeyFactory.1.3.14.3.2.12", "DSA"); -+ map.put("Alg.Alias.KeyFactory.OID.1.2.840.10040.4.1", "DSA"); - map.put("Alg.Alias.KeyFactory.1.2.840.10040.4.1", "DSA"); -+ map.put("Alg.Alias.KeyFactory.1.3.14.3.2.12", "DSA"); - - /* - * Certificates -@@ -234,9 +250,13 @@ - /* - * KeySize - */ -+ map.put("Signature.NONEwithDSA KeySize", "1024"); - map.put("Signature.SHA1withDSA KeySize", "1024"); -- map.put("KeyPairGenerator.DSA KeySize", "1024"); -- map.put("AlgorithmParameterGenerator.DSA KeySize", "1024"); -+ map.put("Signature.SHA224withDSA KeySize", "2048"); -+ map.put("Signature.SHA256withDSA KeySize", "2048"); -+ -+ map.put("KeyPairGenerator.DSA KeySize", "2048"); -+ map.put("AlgorithmParameterGenerator.DSA KeySize", "2048"); - - /* - * Implementation type: software or hardware -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/spec/DSAGenParameterSpec.java openjdk/jdk/src/share/classes/sun/security/spec/DSAGenParameterSpec.java ---- openjdk.orig/jdk/src/share/classes/sun/security/spec/DSAGenParameterSpec.java 1970-01-01 01:00:00.000000000 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/spec/DSAGenParameterSpec.java 2014-12-24 20:18:40.130192717 +0000 -@@ -0,0 +1,129 @@ -+/* -+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+package sun.security.spec; -+ -+import java.security.spec.AlgorithmParameterSpec; -+ -+/** -+ * This immutable class specifies the set of parameters used for -+ * generating DSA parameters as specified in -+ * <a href="http://csrc.nist.gov/publications/fips/fips186-3/fips_186-3.pdf">FIPS 186-3 Digital Signature Standard (DSS)</a>. -+ * -+ * @see AlgorithmParameterSpec -+ * -+ * @since 8 -+ */ -+public final class DSAGenParameterSpec implements AlgorithmParameterSpec { -+ -+ private final int pLen; -+ private final int qLen; -+ private final int seedLen; -+ -+ /** -+ * Creates a domain parameter specification for DSA parameter -+ * generation using <code>primePLen</code> and <code>subprimeQLen</code>. -+ * The value of <code>subprimeQLen</code> is also used as the default -+ * length of the domain parameter seed in bits. -+ * @param primePLen the desired length of the prime P in bits. -+ * @param subprimeQLen the desired length of the sub-prime Q in bits. -+ * @exception IllegalArgumentException if <code>primePLen</code> -+ * or <code>subprimeQLen</code> is illegal per the specification of -+ * FIPS 186-3. -+ */ -+ public DSAGenParameterSpec(int primePLen, int subprimeQLen) { -+ this(primePLen, subprimeQLen, subprimeQLen); -+ } -+ -+ /** -+ * Creates a domain parameter specification for DSA parameter -+ * generation using <code>primePLen</code>, <code>subprimeQLen</code>, -+ * and <code>seedLen</code>. -+ * @param primePLen the desired length of the prime P in bits. -+ * @param subprimeQLen the desired length of the sub-prime Q in bits. -+ * @param seedLen the desired length of the domain parameter seed in bits, -+ * shall be equal to or greater than <code>subprimeQLen</code>. -+ * @exception IllegalArgumentException if <code>primePLenLen</code>, -+ * <code>subprimeQLen</code>, or <code>seedLen</code> is illegal per the -+ * specification of FIPS 186-3. -+ */ -+ public DSAGenParameterSpec(int primePLen, int subprimeQLen, int seedLen) { -+ switch (primePLen) { -+ case 1024: -+ if (subprimeQLen != 160) { -+ throw new IllegalArgumentException -+ ("subprimeQLen must be 160 when primePLen=1024"); -+ } -+ break; -+ case 2048: -+ if (subprimeQLen != 224 && subprimeQLen != 256) { -+ throw new IllegalArgumentException -+ ("subprimeQLen must be 224 or 256 when primePLen=2048"); -+ } -+ break; -+ case 3072: -+ if (subprimeQLen != 256) { -+ throw new IllegalArgumentException -+ ("subprimeQLen must be 256 when primePLen=3072"); -+ } -+ break; -+ default: -+ throw new IllegalArgumentException -+ ("primePLen must be 1024, 2048, or 3072"); -+ } -+ if (seedLen < subprimeQLen) { -+ throw new IllegalArgumentException -+ ("seedLen must be equal to or greater than subprimeQLen"); -+ } -+ this.pLen = primePLen; -+ this.qLen = subprimeQLen; -+ this.seedLen = seedLen; -+ } -+ -+ /** -+ * Returns the desired length of the prime P of the -+ * to-be-generated DSA domain parameters in bits. -+ * @return the length of the prime P. -+ */ -+ public int getPrimePLength() { -+ return pLen; -+ } -+ -+ /** -+ * Returns the desired length of the sub-prime Q of the -+ * to-be-generated DSA domain parameters in bits. -+ * @return the length of the sub-prime Q. -+ */ -+ public int getSubprimeQLength() { -+ return qLen; -+ } -+ -+ /** -+ * Returns the desired length of the domain parameter seed in bits. -+ * @return the length of the domain parameter seed. -+ */ -+ public int getSeedLength() { -+ return seedLen; -+ } -+} -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/x509/AlgorithmId.java openjdk/jdk/src/share/classes/sun/security/x509/AlgorithmId.java ---- openjdk.orig/jdk/src/share/classes/sun/security/x509/AlgorithmId.java 2014-12-24 20:10:36.520460461 +0000 -+++ openjdk/jdk/src/share/classes/sun/security/x509/AlgorithmId.java 2014-12-24 20:18:40.130192717 +0000 -@@ -508,6 +508,9 @@ - if (name.equalsIgnoreCase("EC")) { - return EC_oid; - } -+ if (name.equalsIgnoreCase("ECDH")) { -+ return AlgorithmId.ECDH_oid; -+ } - - // Common signature types - if (name.equalsIgnoreCase("MD5withRSA") -@@ -527,6 +530,12 @@ - || name.equalsIgnoreCase("SHA-1/DSA")) { - return AlgorithmId.sha1WithDSA_oid; - } -+ if (name.equalsIgnoreCase("SHA224WithDSA")) { -+ return AlgorithmId.sha224WithDSA_oid; -+ } -+ if (name.equalsIgnoreCase("SHA256WithDSA")) { -+ return AlgorithmId.sha256WithDSA_oid; -+ } - if (name.equalsIgnoreCase("SHA1WithRSA") - || name.equalsIgnoreCase("SHA1/RSA")) { - return AlgorithmId.sha1WithRSAEncryption_oid; -@@ -645,6 +654,7 @@ - public static final ObjectIdentifier DSA_oid; - public static final ObjectIdentifier DSA_OIW_oid; - public static final ObjectIdentifier EC_oid = oid(1, 2, 840, 10045, 2, 1); -+ public static final ObjectIdentifier ECDH_oid = oid(1, 3, 132, 1, 12); - public static final ObjectIdentifier RSA_oid; - public static final ObjectIdentifier RSAEncryption_oid; - -@@ -685,6 +695,10 @@ - public static final ObjectIdentifier shaWithDSA_OIW_oid; - public static final ObjectIdentifier sha1WithDSA_OIW_oid; - public static final ObjectIdentifier sha1WithDSA_oid; -+ public static final ObjectIdentifier sha224WithDSA_oid = -+ oid(2, 16, 840, 1, 101, 3, 4, 3, 1); -+ public static final ObjectIdentifier sha256WithDSA_oid = -+ oid(2, 16, 840, 1, 101, 3, 4, 3, 2); - - public static final ObjectIdentifier sha1WithECDSA_oid = - oid(1, 2, 840, 10045, 4, 1); -@@ -716,7 +730,6 @@ - public static ObjectIdentifier pbeWithSHA1AndRC2_40_oid = - ObjectIdentifier.newInternal(new int[] {1, 2, 840, 113549, 1, 12, 1, 6}); - -- - static { - /* - * Note the preferred OIDs are named simply with no "OIW" or -@@ -876,6 +889,8 @@ - nameTable.put(DSA_oid, "DSA"); - nameTable.put(DSA_OIW_oid, "DSA"); - nameTable.put(EC_oid, "EC"); -+ nameTable.put(ECDH_oid, "ECDH"); -+ - nameTable.put(sha1WithECDSA_oid, "SHA1withECDSA"); - nameTable.put(sha224WithECDSA_oid, "SHA224withECDSA"); - nameTable.put(sha256WithECDSA_oid, "SHA256withECDSA"); -@@ -886,6 +901,8 @@ - nameTable.put(sha1WithDSA_oid, "SHA1withDSA"); - nameTable.put(sha1WithDSA_OIW_oid, "SHA1withDSA"); - nameTable.put(shaWithDSA_OIW_oid, "SHA1withDSA"); -+ nameTable.put(sha224WithDSA_oid, "SHA224withDSA"); -+ nameTable.put(sha256WithDSA_oid, "SHA256withDSA"); - nameTable.put(sha1WithRSAEncryption_oid, "SHA1withRSA"); - nameTable.put(sha1WithRSAEncryption_OIW_oid, "SHA1withRSA"); - nameTable.put(sha224WithRSAEncryption_oid, "SHA224withRSA"); -diff -Nru openjdk.orig/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java openjdk/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java ---- openjdk.orig/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java 2013-08-21 20:32:58.224234259 +0100 -+++ openjdk/jdk/test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java 2014-12-24 20:18:40.130192717 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2005, 2007, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -23,7 +23,7 @@ - - /** - * @test -- * @bug 6330287 6331386 -+ * @bug 6330287 6331386 7044060 - * @summary verify that DHKeyPairGenerator returns keys of the expected size - * (modulus and exponent) - * -and- -@@ -57,7 +57,8 @@ - * Sizes and values for various lengths. - */ - private enum Sizes { -- two56(256), three84(384), five12(512), seven68(768), ten24(1024); -+ two56(256), three84(384), five12(512), seven68(768), ten24(1024), -+ twenty48(2048); - - private final int intSize; - private final BigInteger bigIntValue; -@@ -82,7 +83,8 @@ - KeyPair kp; - KeyPairGenerator kpg = KeyPairGenerator.getInstance("DH", "SunJCE"); - -- // Sun's default uses a default psize of 1024/lsize of 512 -+ // Sun's default uses a default psize of 1024 and -+ // lsize of (pSize / 2) but at least 384 bits - kp = kpg.generateKeyPair(); - checkKeyPair(kp, Sizes.ten24, Sizes.five12); - -@@ -114,6 +116,20 @@ - kp = kpg.generateKeyPair(); - checkKeyPair(kp, Sizes.seven68, Sizes.three84); - -+ // test w/ only pSize -+ kpg.initialize(Sizes.twenty48.getIntSize()); -+ kp = kpg.generateKeyPair(); -+ checkKeyPair(kp, Sizes.twenty48, Sizes.ten24); -+ -+ publicKey = (DHPublicKey)kp.getPublic(); -+ p = publicKey.getParams().getP(); -+ g = publicKey.getParams().getG(); -+ -+ // test w/ all values specified -+ kpg.initialize(new DHParameterSpec(p, g, Sizes.five12.getIntSize())); -+ kp = kpg.generateKeyPair(); -+ checkKeyPair(kp, Sizes.twenty48, Sizes.five12); -+ - System.out.println("OK"); - } - -diff -Nru openjdk.orig/jdk/test/sun/security/pkcs11/ec/TestECDH2.java openjdk/jdk/test/sun/security/pkcs11/ec/TestECDH2.java ---- openjdk.orig/jdk/test/sun/security/pkcs11/ec/TestECDH2.java 1970-01-01 01:00:00.000000000 +0100 -+++ openjdk/jdk/test/sun/security/pkcs11/ec/TestECDH2.java 2014-12-24 20:18:40.134192764 +0000 -@@ -0,0 +1,127 @@ -+/* -+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+/** -+ * @test -+ * @bug 6405536 -+ * @summary basic test of ECDSA signatures for P-256 and P-384 from the -+ * example data in "Suite B Implementer's Guide to FIPS 186-3". -+ * @library .. -+ * @library ../../../../java/security/testlibrary -+ * @compile -XDignore.symbol.file TestECDH2.java -+ * @run main TestECDH2 -+ */ -+ -+import java.io.*; -+import java.util.*; -+import java.math.BigInteger; -+ -+import java.security.*; -+import java.security.spec.*; -+import java.security.interfaces.*; -+import javax.crypto.*; -+ -+import sun.security.ec.NamedCurve; -+ -+public class TestECDH2 extends PKCS11Test { -+ -+ // values of the keys we use for the tests -+ -+ // keypair using NIST P-256 -+ private final static String privD256 = "70a12c2db16845ed56ff68cfc21a472b3f04d7d6851bf6349f2d7d5b3452b38a"; -+ private final static String pubX256 = "8101ece47464a6ead70cf69a6e2bd3d88691a3262d22cba4f7635eaff26680a8"; -+ private final static String pubY256 = "d8a12ba61d599235f67d9cb4d58f1783d3ca43e78f0a5abaa624079936c0c3a9"; -+ -+ // keypair using NIST P-384 -+ private final static String privD384 = "c838b85253ef8dc7394fa5808a5183981c7deef5a69ba8f4f2117ffea39cfcd90e95f6cbc854abacab701d50c1f3cf24"; -+ private final static String pubX384 = "1fbac8eebd0cbf35640b39efe0808dd774debff20a2a329e91713baf7d7f3c3e81546d883730bee7e48678f857b02ca0"; -+ private final static String pubY384 = "eb213103bd68ce343365a8a4c3d4555fa385f5330203bdd76ffad1f3affb95751c132007e1b240353cb0a4cf1693bdf9"; -+ -+ private KeyFactory kf = null; -+ private KeyPairGenerator kpg = null; -+ -+ private static void testKeyAgreement(KeyPair kpA, KeyPair kpB, Provider p) -+ throws Exception { -+ KeyAgreement ka1 = KeyAgreement.getInstance("ECDH", p); -+ ka1.init(kpA.getPrivate()); -+ ka1.doPhase(kpB.getPublic(), true); -+ byte[] s1 = ka1.generateSecret(); -+ -+ KeyAgreement ka2 = KeyAgreement.getInstance("ECDH", p); -+ ka2.init(kpB.getPrivate()); -+ ka2.doPhase(kpA.getPublic(), true); -+ byte[] s2 = ka2.generateSecret(); -+ if (Arrays.equals(s1, s2) == false) { -+ System.out.println("expected: " + toString(s1)); -+ System.out.println("actual: " + toString(s2)); -+ throw new Exception("Generated secrets do not match"); -+ } -+ } -+ -+ private KeyPair genECKeyPair(String curvName, String privD, String pubX, -+ String pubY) throws Exception { -+ ECParameterSpec ecParams = NamedCurve.getECParameterSpec(curvName); -+ ECPrivateKeySpec privKeySpec = -+ new ECPrivateKeySpec(new BigInteger(privD, 16), ecParams); -+ ECPublicKeySpec pubKeySpec = -+ new ECPublicKeySpec(new ECPoint(new BigInteger(pubX, 16), -+ new BigInteger(pubY, 16)), -+ ecParams); -+ PrivateKey privKey = kf.generatePrivate(privKeySpec); -+ PublicKey pubKey = kf.generatePublic(pubKeySpec); -+ return new KeyPair(pubKey, privKey); -+ } -+ private KeyPair genECKeyPair(String curvName) throws Exception { -+ ECGenParameterSpec genParams = new ECGenParameterSpec(curvName); -+ kpg.initialize(genParams, null); -+ return kpg.generateKeyPair(); -+ } -+ public static void main(String[] args) throws Exception { -+ main(new TestECDH2()); -+ } -+ -+ public void main(Provider provider) throws Exception { -+ if (provider.getService("KeyAgreement", "ECDH") == null) { -+ System.out.println("ECDH not supported, skipping"); -+ return; -+ } -+ -+ kf = KeyFactory.getInstance("EC", provider); -+ kpg = KeyPairGenerator.getInstance("EC", provider); -+ -+ System.out.println("Testing against NIST P-256"); -+ -+ long start = System.currentTimeMillis(); -+ KeyPair kp256A = genECKeyPair("secp256r1", privD256, pubX256, pubY256); -+ KeyPair kp256B = genECKeyPair("secp256r1"); -+ testKeyAgreement(kp256A, kp256B, provider); -+ -+ System.out.println("Testing against NIST P-384"); -+ KeyPair kp384A = genECKeyPair("secp384r1", privD384, pubX384, pubY384); -+ KeyPair kp384B = genECKeyPair("secp384r1"); -+ testKeyAgreement(kp384A, kp384B, provider); -+ -+ long stop = System.currentTimeMillis(); -+ System.out.println("All tests passed (" + (stop - start) + " ms)."); -+ } -+} -diff -Nru openjdk.orig/jdk/test/sun/security/pkcs11/ec/TestECDSA2.java openjdk/jdk/test/sun/security/pkcs11/ec/TestECDSA2.java ---- openjdk.orig/jdk/test/sun/security/pkcs11/ec/TestECDSA2.java 1970-01-01 01:00:00.000000000 +0100 -+++ openjdk/jdk/test/sun/security/pkcs11/ec/TestECDSA2.java 2014-12-24 20:18:40.134192764 +0000 -@@ -0,0 +1,122 @@ -+/* -+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+/** -+ * @test -+ * @bug 6405536 -+ * @summary basic test of ECDSA signatures for P-256 and P-384 from the -+ * example data in "Suite B Implementer's Guide to FIPS 186-3". -+ * @library .. -+ * @library ../../../../java/security/testlibrary -+ * @compile -XDignore.symbol.file TestECDSA2.java -+ * @run main TestECDSA2 -+ */ -+ -+import java.io.*; -+import java.util.*; -+import java.math.BigInteger; -+ -+import java.security.*; -+import java.security.spec.*; -+import java.security.interfaces.*; -+ -+import sun.security.ec.NamedCurve; -+ -+public class TestECDSA2 extends PKCS11Test { -+ -+ // values of the keys we use for the tests -+ -+ // keypair using NIST P-256 -+ private final static String privD256 = "70a12c2db16845ed56ff68cfc21a472b3f04d7d6851bf6349f2d7d5b3452b38a"; -+ private final static String pubX256 = "8101ece47464a6ead70cf69a6e2bd3d88691a3262d22cba4f7635eaff26680a8"; -+ private final static String pubY256 = "d8a12ba61d599235f67d9cb4d58f1783d3ca43e78f0a5abaa624079936c0c3a9"; -+ -+ // keypair using NIST P-384 -+ private final static String privD384 = "c838b85253ef8dc7394fa5808a5183981c7deef5a69ba8f4f2117ffea39cfcd90e95f6cbc854abacab701d50c1f3cf24"; -+ private final static String pubX384 = "1fbac8eebd0cbf35640b39efe0808dd774debff20a2a329e91713baf7d7f3c3e81546d883730bee7e48678f857b02ca0"; -+ private final static String pubY384 = "eb213103bd68ce343365a8a4c3d4555fa385f5330203bdd76ffad1f3affb95751c132007e1b240353cb0a4cf1693bdf9"; -+ -+ // data to be signed -+ private final static byte[] data = "This is only a test message. It is 48 bytes long".getBytes(); -+ -+ private KeyFactory kf = null; -+ -+ private static void testSignAndVerify(String alg, KeyPair kp, Provider p) throws Exception { -+ Signature s = Signature.getInstance(alg, p); -+ s.initSign(kp.getPrivate()); -+ s.update(data); -+ byte[] result = s.sign(); -+ -+ s.initVerify(kp.getPublic()); -+ s.update(data); -+ if (!s.verify(result)) { -+ throw new Exception("Error: Signature verification failed"); -+ } -+ System.out.println(p.getName() + ": " + alg + " Passed"); -+ } -+ -+ private KeyPair genECKeyPair(String curvName, String privD, String pubX, String pubY) throws Exception { -+ ECParameterSpec ecParams = NamedCurve.getECParameterSpec(curvName); -+ ECPrivateKeySpec privKeySpec = -+ new ECPrivateKeySpec(new BigInteger(privD, 16), ecParams); -+ ECPublicKeySpec pubKeySpec = -+ new ECPublicKeySpec(new ECPoint(new BigInteger(pubX, 16), new BigInteger(pubY, 16)), -+ ecParams); -+ PrivateKey privKey = kf.generatePrivate(privKeySpec); -+ PublicKey pubKey = kf.generatePublic(pubKeySpec); -+ return new KeyPair(pubKey, privKey); -+ } -+ -+ public static void main(String[] args) throws Exception { -+ main(new TestECDSA2()); -+ } -+ -+ public void main(Provider provider) throws Exception { -+ boolean testP256 = -+ (provider.getService("Signature", "SHA256withECDSA") != null); -+ -+ boolean testP384 = -+ (provider.getService("Signature", "SHA384withECDSA") != null); -+ -+ if (!testP256 && !testP384) { -+ System.out.println("ECDSA not supported, skipping"); -+ return; -+ } -+ -+ kf = KeyFactory.getInstance("EC", provider); -+ -+ long start = System.currentTimeMillis(); -+ if (testP256) { -+ // can use secp256r1, NIST P-256, X9.62 prime256v1, or 1.2.840.10045.3.1.7 -+ KeyPair kp = genECKeyPair("secp256r1", privD256, pubX256, pubY256); -+ testSignAndVerify("SHA256withECDSA", kp, provider); -+ } -+ if (testP384) { -+ // can use secp384r1, NIST P-384, 1.3.132.0.34 -+ KeyPair kp = genECKeyPair("secp384r1", privD384, pubX384, pubY384); -+ testSignAndVerify("SHA384withECDSA", kp, provider); -+ } -+ long stop = System.currentTimeMillis(); -+ System.out.println("All tests passed (" + (stop - start) + " ms)."); -+ } -+} -diff -Nru openjdk.orig/jdk/test/sun/security/provider/DSA/TestAlgParameterGenerator.java openjdk/jdk/test/sun/security/provider/DSA/TestAlgParameterGenerator.java ---- openjdk.orig/jdk/test/sun/security/provider/DSA/TestAlgParameterGenerator.java 1970-01-01 01:00:00.000000000 +0100 -+++ openjdk/jdk/test/sun/security/provider/DSA/TestAlgParameterGenerator.java 2014-12-24 20:18:40.134192764 +0000 -@@ -0,0 +1,117 @@ -+/* -+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+/* -+ * @test -+ * @bug 7044060 -+ * @summary verify that DSA parameter generation works -+ * @run main/othervm/timeout=300 TestAlgParameterGenerator -+ */ -+import java.security.*; -+import java.security.spec.*; -+import java.security.interfaces.*; -+ -+public class TestAlgParameterGenerator { -+ -+ private static void checkParamStrength(AlgorithmParameters param, -+ int strength) throws Exception { -+ String algo = param.getAlgorithm(); -+ if (!algo.equalsIgnoreCase("DSA")) { -+ throw new Exception("Unexpected type of parameters: " + algo); -+ } -+ DSAParameterSpec spec = param.getParameterSpec(DSAParameterSpec.class); -+ int valueL = spec.getP().bitLength(); -+ if (strength != valueL) { -+ System.out.println("Expected " + strength + " but actual " + valueL); -+ throw new Exception("Wrong P strength"); -+ } -+ } -+ private static void checkParamStrength(AlgorithmParameters param, -+ DSAGenParameterSpec genParam) -+ throws Exception { -+ String algo = param.getAlgorithm(); -+ if (!algo.equalsIgnoreCase("DSA")) { -+ throw new Exception("Unexpected type of parameters: " + algo); -+ } -+ DSAParameterSpec spec = param.getParameterSpec(DSAParameterSpec.class); -+ int valueL = spec.getP().bitLength(); -+ int strength = genParam.getPrimePLength(); -+ if (strength != valueL) { -+ System.out.println("P: Expected " + strength + " but actual " + valueL); -+ throw new Exception("Wrong P strength"); -+ } -+ int valueN = spec.getQ().bitLength(); -+ strength = genParam.getSubprimeQLength(); -+ if (strength != valueN) { -+ System.out.println("Q: Expected " + strength + " but actual " + valueN); -+ throw new Exception("Wrong Q strength"); -+ } -+ } -+ -+ public static void main(String[] args) throws Exception { -+ AlgorithmParameterGenerator apg = -+ AlgorithmParameterGenerator.getInstance("DSA", "SUN"); -+ -+ long start, stop; -+ // make sure no-init still works -+ start = System.currentTimeMillis(); -+ AlgorithmParameters param = apg.generateParameters(); -+ stop = System.currentTimeMillis(); -+ System.out.println("Time: " + (stop - start) + " ms."); -+ checkParamStrength(param, 1024); -+ -+ // make sure the old model works -+ int[] strengths = { 512, 768, 1024 }; -+ for (int i = 0; i < strengths.length; i++) { -+ int sizeP = strengths[i]; -+ System.out.println("Generating " + sizeP + "-bit DSA Parameters"); -+ start = System.currentTimeMillis(); -+ apg.init(sizeP); -+ param = apg.generateParameters(); -+ stop = System.currentTimeMillis(); -+ System.out.println("Time: " + (stop - start) + " ms."); -+ checkParamStrength(param, sizeP); -+ } -+ -+ // now the newer model -+ DSAGenParameterSpec spec1 = new DSAGenParameterSpec(1024, 160); -+ DSAGenParameterSpec spec2 = new DSAGenParameterSpec(2048, 224); -+ DSAGenParameterSpec spec3 = new DSAGenParameterSpec(2048, 256); -+ //DSAGenParameterSpec spec4 = new DSAGenParameterSpec(3072, 256); -+ DSAGenParameterSpec[] specSet = { -+ spec1, spec2, spec3//, spec4 -+ }; -+ for (int i = 0; i < specSet.length; i++) { -+ DSAGenParameterSpec genParam = specSet[i]; -+ System.out.println("Generating (" + genParam.getPrimePLength() + -+ ", " + genParam.getSubprimeQLength() + -+ ") DSA Parameters"); -+ start = System.currentTimeMillis(); -+ apg.init(genParam, null); -+ param = apg.generateParameters(); -+ stop = System.currentTimeMillis(); -+ System.out.println("Time: " + (stop - start) + " ms."); -+ checkParamStrength(param, genParam); -+ } -+ } -+} -diff -Nru openjdk.orig/jdk/test/sun/security/provider/DSA/TestDSA2.java openjdk/jdk/test/sun/security/provider/DSA/TestDSA2.java ---- openjdk.orig/jdk/test/sun/security/provider/DSA/TestDSA2.java 1970-01-01 01:00:00.000000000 +0100 -+++ openjdk/jdk/test/sun/security/provider/DSA/TestDSA2.java 2014-12-24 20:18:40.134192764 +0000 -@@ -0,0 +1,96 @@ -+/* -+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+/* -+ * @test -+ * @bug 7044060 -+ * @run main/othervm/timeout=250 TestDSA2 -+ * @summary verify that DSA signature works using SHA and SHA-224 and SHA-256 digests. -+ */ -+ -+ -+import java.security.*; -+import java.security.spec.*; -+import java.security.interfaces.*; -+ -+public class TestDSA2 { -+ -+ // NOTE: need to explictly specify provider since the more -+ // preferred provider SunPKCS11 provider only supports up -+ // 1024 bits. -+ private static final String PROV = "SUN"; -+ -+ private static final String[] SIG_ALGOS = { -+ "SHA1withDSA", "SHA224withDSA", "SHA256withDSA" -+ }; -+ -+ private static final int[] KEYSIZES = { -+ 1024, 2048 -+ }; -+ -+ public static void main(String[] args) throws Exception { -+ boolean[] expectedToPass = { true, true, true }; -+ test(1024, expectedToPass); -+ boolean[] expectedToPass2 = { false, true, true }; -+ test(2048, expectedToPass2); -+ } -+ -+ private static void test(int keySize, boolean[] testStatus) -+ throws Exception { -+ byte[] data = "1234567890".getBytes(); -+ System.out.println("Test against key size: " + keySize); -+ -+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("DSA", PROV); -+ keyGen.initialize(keySize, new SecureRandom()); -+ KeyPair pair = keyGen.generateKeyPair(); -+ -+ if (testStatus.length != SIG_ALGOS.length) { -+ throw new RuntimeException("TestError: incorrect status array!"); -+ } -+ for (int i = 0; i < SIG_ALGOS.length; i++) { -+ Signature dsa = Signature.getInstance(SIG_ALGOS[i], PROV); -+ try { -+ dsa.initSign(pair.getPrivate()); -+ dsa.update(data); -+ byte[] sig = dsa.sign(); -+ dsa.initVerify(pair.getPublic()); -+ dsa.update(data); -+ boolean verifies = dsa.verify(sig); -+ if (verifies == testStatus[i]) { -+ System.out.println(SIG_ALGOS[i] + ": Passed"); -+ } else { -+ System.out.println(SIG_ALGOS[i] + ": should " + -+ (testStatus[i]? "pass":"fail")); -+ throw new RuntimeException(SIG_ALGOS[i] + ": Unexpected Test result!"); -+ -+ } -+ } catch (Exception ex) { -+ if (testStatus[i]) { -+ ex.printStackTrace(); -+ throw new RuntimeException(SIG_ALGOS[i] + ": Unexpected exception " + ex); -+ } else { -+ System.out.println(SIG_ALGOS[i] + ": Passed, expected " + ex); -+ } -+ } -+ } -+ } -+} -diff -Nru openjdk.orig/jdk/test/sun/security/provider/DSA/TestKeyPairGenerator.java openjdk/jdk/test/sun/security/provider/DSA/TestKeyPairGenerator.java ---- openjdk.orig/jdk/test/sun/security/provider/DSA/TestKeyPairGenerator.java 2013-08-21 20:32:58.044231344 +0100 -+++ openjdk/jdk/test/sun/security/provider/DSA/TestKeyPairGenerator.java 2014-12-24 20:18:40.134192764 +0000 -@@ -24,7 +24,7 @@ - /* - * @test - * @bug 4800108 -- * @summary verify that precomputed DSA parameters are always used (512, 768, 1024 bit) -+ * @summary verify that precomputed DSA parameters are always used (512, 768, 1024, 2048 bit) - * @run main/othervm/timeout=15 TestKeyPairGenerator - */ - -@@ -78,6 +78,10 @@ - kp = kpg.generateKeyPair(); - checkKeyLength(kp, 512); - -+ kpg.initialize(2048); -+ kp = kpg.generateKeyPair(); -+ checkKeyLength(kp, 2048); -+ - long stop = System.currentTimeMillis(); - System.out.println("Time: " + (stop - start) + " ms."); - }
--- a/patches/openjdk/7106773-512_bits_rsa.patch Wed May 04 02:55:09 2016 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,1336 +0,0 @@ -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/util/KeyLength.java openjdk/jdk/src/share/classes/sun/security/util/KeyLength.java ---- openjdk.orig/jdk/src/share/classes/sun/security/util/KeyLength.java 1970-01-01 01:00:00.000000000 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/util/KeyLength.java 2014-10-08 23:56:02.320447941 +0100 -@@ -0,0 +1,91 @@ -+/* -+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package sun.security.util; -+ -+import java.security.Key; -+import java.security.PrivilegedAction; -+import java.security.AccessController; -+import java.security.interfaces.ECKey; -+import java.security.interfaces.RSAKey; -+import java.security.interfaces.DSAKey; -+import javax.crypto.SecretKey; -+import javax.crypto.interfaces.DHKey; -+ -+/** -+ * A utility class to get key length -+ */ -+public final class KeyLength { -+ -+ /** -+ * Returns the key size of the given key object in bits. -+ * -+ * @param key the key object, cannot be null -+ * @return the key size of the given key object in bits, or -1 if the -+ * key size is not accessible -+ */ -+ final public static int getKeySize(Key key) { -+ int size = -1; -+ -+ if (key instanceof Length) { -+ try { -+ Length ruler = (Length)key; -+ size = ruler.length(); -+ } catch (UnsupportedOperationException usoe) { -+ // ignore the exception -+ } -+ -+ if (size >= 0) { -+ return size; -+ } -+ } -+ -+ // try to parse the length from key specification -+ if (key instanceof SecretKey) { -+ SecretKey sk = (SecretKey)key; -+ String format = sk.getFormat(); -+ if ("RAW".equals(format) && sk.getEncoded() != null) { -+ size = (sk.getEncoded().length * 8); -+ } // Otherwise, it may be a unextractable key of PKCS#11, or -+ // a key we are not able to handle. -+ } else if (key instanceof RSAKey) { -+ RSAKey pubk = (RSAKey)key; -+ size = pubk.getModulus().bitLength(); -+ } else if (key instanceof ECKey) { -+ ECKey pubk = (ECKey)key; -+ size = pubk.getParams().getOrder().bitLength(); -+ } else if (key instanceof DSAKey) { -+ DSAKey pubk = (DSAKey)key; -+ size = pubk.getParams().getP().bitLength(); -+ } else if (key instanceof DHKey) { -+ DHKey pubk = (DHKey)key; -+ size = pubk.getParams().getP().bitLength(); -+ } // Otherwise, it may be a unextractable key of PKCS#11, or -+ // a key we are not able to handle. -+ -+ return size; -+ } -+} -+ -diff -Nru openjdk.orig/jdk/src/windows/classes/sun/security/mscapi/Key.java openjdk/jdk/src/windows/classes/sun/security/mscapi/Key.java ---- openjdk.orig/jdk/src/windows/classes/sun/security/mscapi/Key.java 2014-07-14 04:24:44.000000000 +0100 -+++ openjdk/jdk/src/windows/classes/sun/security/mscapi/Key.java 2014-10-08 23:56:02.320447941 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -25,6 +25,8 @@ - - package sun.security.mscapi; - -+import sun.security.util.Length; -+ - /** - * The handle for an RSA or DSA key using the Microsoft Crypto API. - * -@@ -35,7 +37,7 @@ - * @since 1.6 - * @author Stanley Man-Kit Ho - */ --abstract class Key implements java.security.Key -+abstract class Key implements java.security.Key, Length - { - - // Native handle -@@ -81,7 +83,8 @@ - /** - * Return bit length of the key. - */ -- public int bitLength() -+ @Override -+ public int length() - { - return keyLength; - } -diff -Nru openjdk.orig/jdk/src/windows/classes/sun/security/mscapi/RSACipher.java openjdk/jdk/src/windows/classes/sun/security/mscapi/RSACipher.java ---- openjdk.orig/jdk/src/windows/classes/sun/security/mscapi/RSACipher.java 2014-07-14 04:24:44.000000000 +0100 -+++ openjdk/jdk/src/windows/classes/sun/security/mscapi/RSACipher.java 2014-10-08 23:57:43.965856392 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2005, 2009, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -198,12 +198,12 @@ - mode = encrypt ? MODE_ENCRYPT : MODE_VERIFY; - publicKey = (sun.security.mscapi.Key)key; - privateKey = null; -- outputSize = publicKey.bitLength() / 8; -+ outputSize = publicKey.length() / 8; - } else if (key instanceof PrivateKey) { - mode = encrypt ? MODE_SIGN : MODE_DECRYPT; - privateKey = (sun.security.mscapi.Key)key; - publicKey = null; -- outputSize = privateKey.bitLength() / 8; -+ outputSize = privateKey.length() / 8; - } else { - throw new InvalidKeyException("Unknown key type: " + key); - } -@@ -358,7 +358,7 @@ - protected int engineGetKeySize(Key key) throws InvalidKeyException { - - if (key instanceof sun.security.mscapi.Key) { -- return ((sun.security.mscapi.Key) key).bitLength(); -+ return ((sun.security.mscapi.Key) key).length(); - } else { - throw new InvalidKeyException("Unsupported key type: " + key); - } -diff -Nru openjdk.orig/jdk/src/windows/classes/sun/security/mscapi/RSASignature.java openjdk/jdk/src/windows/classes/sun/security/mscapi/RSASignature.java ---- openjdk.orig/jdk/src/windows/classes/sun/security/mscapi/RSASignature.java 2014-10-08 23:52:11.237246746 +0100 -+++ openjdk/jdk/src/windows/classes/sun/security/mscapi/RSASignature.java 2014-10-08 23:56:50.913121240 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2005, 2008, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2005, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -297,7 +297,7 @@ - - // Check against the local and global values to make sure - // the sizes are ok. Round up to nearest byte. -- RSAKeyFactory.checkKeyLengths(((privateKey.bitLength() + 7) & ~7), -+ RSAKeyFactory.checkKeyLengths(((privateKey.length() + 7) & ~7), - null, RSAKeyPairGenerator.KEY_SIZE_MIN, - RSAKeyPairGenerator.KEY_SIZE_MAX); - -diff -Nru openjdk.orig/jdk/test/sun/security/mscapi/ShortRSAKey1024.sh openjdk/jdk/test/sun/security/mscapi/ShortRSAKey1024.sh ---- openjdk.orig/jdk/test/sun/security/mscapi/ShortRSAKey1024.sh 1970-01-01 01:00:00.000000000 +0100 -+++ openjdk/jdk/test/sun/security/mscapi/ShortRSAKey1024.sh 2014-10-08 23:56:02.320447941 +0100 -@@ -0,0 +1,85 @@ -+#!/bin/sh -+ -+# -+# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. -+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+# -+# This code is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License version 2 only, as -+# published by the Free Software Foundation. -+# -+# This code is distributed in the hope that it will be useful, but WITHOUT -+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+# version 2 for more details (a copy is included in the LICENSE file that -+# accompanied this code). -+# -+# You should have received a copy of the GNU General Public License version -+# 2 along with this work; if not, write to the Free Software Foundation, -+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+# -+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+# or visit www.oracle.com if you need additional information or have any -+# questions. -+# -+ -+ -+# @test -+# @bug 7106773 -+# @summary 512 bits RSA key cannot work with SHA384 and SHA512 -+# @run shell ShortRSAKey1024.sh -+ -+# set a few environment variables so that the shell-script can run stand-alone -+# in the source directory -+if [ "${TESTSRC}" = "" ] ; then -+ TESTSRC="." -+fi -+ -+if [ "${TESTCLASSES}" = "" ] ; then -+ TESTCLASSES="." -+fi -+ -+if [ "${TESTJAVA}" = "" ] ; then -+ echo "TESTJAVA not set. Test cannot execute." -+ echo "FAILED!!!" -+ exit 1 -+fi -+ -+OS=`uname -s` -+case "$OS" in -+ Windows* | CYGWIN* ) -+ -+ echo "Creating a temporary RSA keypair in the Windows-My store..." -+ ${TESTJAVA}/bin/keytool \ -+ -genkeypair \ -+ -storetype Windows-My \ -+ -keyalg RSA \ -+ -alias 7106773.1024 \ -+ -keysize 1024 \ -+ -dname "cn=localhost,c=US" \ -+ -noprompt -+ -+ echo -+ echo "Running the test..." -+ ${TESTJAVA}/bin/javac -d . ${TESTSRC}\\ShortRSAKeyWithinTLS.java -+ ${TESTJAVA}/bin/java ShortRSAKeyWithinTLS 7106773.1024 1024 \ -+ TLSv1.2 TLS_DHE_RSA_WITH_AES_128_CBC_SHA -+ -+ rc=$? -+ -+ echo -+ echo "Removing the temporary RSA keypair from the Windows-My store..." -+ ${TESTJAVA}/bin/keytool \ -+ -delete \ -+ -storetype Windows-My \ -+ -alias 7106773.1024 -+ -+ echo done. -+ exit $rc -+ ;; -+ -+ * ) -+ echo "This test is not intended for '$OS' - passing test" -+ exit 0 -+ ;; -+esac -diff -Nru openjdk.orig/jdk/test/sun/security/mscapi/ShortRSAKey512.sh openjdk/jdk/test/sun/security/mscapi/ShortRSAKey512.sh ---- openjdk.orig/jdk/test/sun/security/mscapi/ShortRSAKey512.sh 1970-01-01 01:00:00.000000000 +0100 -+++ openjdk/jdk/test/sun/security/mscapi/ShortRSAKey512.sh 2014-10-08 23:56:02.320447941 +0100 -@@ -0,0 +1,86 @@ -+#!/bin/sh -+ -+# -+# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. -+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+# -+# This code is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License version 2 only, as -+# published by the Free Software Foundation. -+# -+# This code is distributed in the hope that it will be useful, but WITHOUT -+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+# version 2 for more details (a copy is included in the LICENSE file that -+# accompanied this code). -+# -+# You should have received a copy of the GNU General Public License version -+# 2 along with this work; if not, write to the Free Software Foundation, -+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+# -+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+# or visit www.oracle.com if you need additional information or have any -+# questions. -+# -+ -+ -+# @test -+# @bug 7106773 -+# @summary 512 bits RSA key cannot work with SHA384 and SHA512 -+# @run shell ShortRSAKey512.sh -+ -+# set a few environment variables so that the shell-script can run stand-alone -+# in the source directory -+if [ "${TESTSRC}" = "" ] ; then -+ TESTSRC="." -+fi -+ -+if [ "${TESTCLASSES}" = "" ] ; then -+ TESTCLASSES="." -+fi -+ -+if [ "${TESTJAVA}" = "" ] ; then -+ echo "TESTJAVA not set. Test cannot execute." -+ echo "FAILED!!!" -+ exit 1 -+fi -+ -+OS=`uname -s` -+case "$OS" in -+ Windows* | CYGWIN* ) -+ -+ echo "Creating a temporary RSA keypair in the Windows-My store..." -+ ${TESTJAVA}/bin/keytool \ -+ -genkeypair \ -+ -storetype Windows-My \ -+ -keyalg RSA \ -+ -alias 7106773.512 \ -+ -keysize 512 \ -+ -dname "cn=localhost,c=US" \ -+ -noprompt -+ -+ echo -+ echo "Running the test..." -+ ${TESTJAVA}/bin/javac -d . ${TESTSRC}\\ShortRSAKeyWithinTLS.java -+ ${TESTJAVA}/bin/java ShortRSAKeyWithinTLS 7106773.512 512 \ -+ TLSv1.2 TLS_DHE_RSA_WITH_AES_128_CBC_SHA -+ -+ -+ rc=$? -+ -+ echo -+ echo "Removing the temporary RSA keypair from the Windows-My store..." -+ ${TESTJAVA}/bin/keytool \ -+ -delete \ -+ -storetype Windows-My \ -+ -alias 7106773.512 -+ -+ echo done. -+ exit $rc -+ ;; -+ -+ * ) -+ echo "This test is not intended for '$OS' - passing test" -+ exit 0 -+ ;; -+esac -diff -Nru openjdk.orig/jdk/test/sun/security/mscapi/ShortRSAKey768.sh openjdk/jdk/test/sun/security/mscapi/ShortRSAKey768.sh ---- openjdk.orig/jdk/test/sun/security/mscapi/ShortRSAKey768.sh 1970-01-01 01:00:00.000000000 +0100 -+++ openjdk/jdk/test/sun/security/mscapi/ShortRSAKey768.sh 2014-10-08 23:56:02.320447941 +0100 -@@ -0,0 +1,85 @@ -+#!/bin/sh -+ -+# -+# Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. -+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+# -+# This code is free software; you can redistribute it and/or modify it -+# under the terms of the GNU General Public License version 2 only, as -+# published by the Free Software Foundation. -+# -+# This code is distributed in the hope that it will be useful, but WITHOUT -+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+# version 2 for more details (a copy is included in the LICENSE file that -+# accompanied this code). -+# -+# You should have received a copy of the GNU General Public License version -+# 2 along with this work; if not, write to the Free Software Foundation, -+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+# -+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+# or visit www.oracle.com if you need additional information or have any -+# questions. -+# -+ -+ -+# @test -+# @bug 7106773 -+# @summary 512 bits RSA key cannot work with SHA384 and SHA512 -+# @run shell ShortRSAKey768.sh -+ -+# set a few environment variables so that the shell-script can run stand-alone -+# in the source directory -+if [ "${TESTSRC}" = "" ] ; then -+ TESTSRC="." -+fi -+ -+if [ "${TESTCLASSES}" = "" ] ; then -+ TESTCLASSES="." -+fi -+ -+if [ "${TESTJAVA}" = "" ] ; then -+ echo "TESTJAVA not set. Test cannot execute." -+ echo "FAILED!!!" -+ exit 1 -+fi -+ -+OS=`uname -s` -+case "$OS" in -+ Windows* | CYGWIN* ) -+ -+ echo "Creating a temporary RSA keypair in the Windows-My store..." -+ ${TESTJAVA}/bin/keytool \ -+ -genkeypair \ -+ -storetype Windows-My \ -+ -keyalg RSA \ -+ -alias 7106773.768 \ -+ -keysize 768 \ -+ -dname "cn=localhost,c=US" \ -+ -noprompt -+ -+ echo -+ echo "Running the test..." -+ ${TESTJAVA}/bin/javac -d . ${TESTSRC}\\ShortRSAKeyWithinTLS.java -+ ${TESTJAVA}/bin/java ShortRSAKeyWithinTLS 7106773.768 768 \ -+ TLSv1.2 TLS_DHE_RSA_WITH_AES_128_CBC_SHA -+ -+ rc=$? -+ -+ echo -+ echo "Removing the temporary RSA keypair from the Windows-My store..." -+ ${TESTJAVA}/bin/keytool \ -+ -delete \ -+ -storetype Windows-My \ -+ -alias 7106773.768 -+ -+ echo done. -+ exit $rc -+ ;; -+ -+ * ) -+ echo "This test is not intended for '$OS' - passing test" -+ exit 0 -+ ;; -+esac -diff -Nru openjdk.orig/jdk/test/sun/security/mscapi/ShortRSAKeyWithinTLS.java openjdk/jdk/test/sun/security/mscapi/ShortRSAKeyWithinTLS.java ---- openjdk.orig/jdk/test/sun/security/mscapi/ShortRSAKeyWithinTLS.java 1970-01-01 01:00:00.000000000 +0100 -+++ openjdk/jdk/test/sun/security/mscapi/ShortRSAKeyWithinTLS.java 2014-10-08 23:56:02.324447997 +0100 -@@ -0,0 +1,355 @@ -+/* -+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+import java.io.*; -+import java.net.*; -+import java.util.*; -+import java.security.*; -+import javax.net.*; -+import javax.net.ssl.*; -+import java.lang.reflect.*; -+ -+import sun.security.util.KeyLength; -+ -+public class ShortRSAKeyWithinTLS { -+ -+ /* -+ * ============================================================= -+ * Set the various variables needed for the tests, then -+ * specify what tests to run on each side. -+ */ -+ -+ /* -+ * Should we run the client or server in a separate thread? -+ * Both sides can throw exceptions, but do you have a preference -+ * as to which side should be the main thread. -+ */ -+ static boolean separateServerThread = false; -+ -+ /* -+ * Is the server ready to serve? -+ */ -+ volatile static boolean serverReady = false; -+ -+ /* -+ * Turn on SSL debugging? -+ */ -+ static boolean debug = false; -+ -+ /* -+ * If the client or server is doing some kind of object creation -+ * that the other side depends on, and that thread prematurely -+ * exits, you may experience a hang. The test harness will -+ * terminate all hung threads after its timeout has expired, -+ * currently 3 minutes by default, but you might try to be -+ * smart about it.... -+ */ -+ -+ /* -+ * Define the server side of the test. -+ * -+ * If the server prematurely exits, serverReady will be set to true -+ * to avoid infinite hangs. -+ */ -+ void doServerSide() throws Exception { -+ -+ // load the key store -+ KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI"); -+ ks.load(null, null); -+ System.out.println("Loaded keystore: Windows-MY"); -+ -+ // check key size -+ checkKeySize(ks); -+ -+ // initialize the SSLContext -+ KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); -+ kmf.init(ks, null); -+ -+ TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); -+ tmf.init(ks); -+ -+ SSLContext ctx = SSLContext.getInstance("TLS"); -+ ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); -+ -+ ServerSocketFactory ssf = ctx.getServerSocketFactory(); -+ SSLServerSocket sslServerSocket = (SSLServerSocket) -+ ssf.createServerSocket(serverPort); -+ sslServerSocket.setNeedClientAuth(true); -+ serverPort = sslServerSocket.getLocalPort(); -+ System.out.println("serverPort = " + serverPort); -+ -+ /* -+ * Signal Client, we're ready for his connect. -+ */ -+ serverReady = true; -+ -+ SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept(); -+ InputStream sslIS = sslSocket.getInputStream(); -+ OutputStream sslOS = sslSocket.getOutputStream(); -+ -+ sslIS.read(); -+ sslOS.write(85); -+ sslOS.flush(); -+ -+ sslSocket.close(); -+ } -+ -+ /* -+ * Define the client side of the test. -+ * -+ * If the server prematurely exits, serverReady will be set to true -+ * to avoid infinite hangs. -+ */ -+ void doClientSide() throws Exception { -+ -+ /* -+ * Wait for server to get started. -+ */ -+ while (!serverReady) { -+ Thread.sleep(50); -+ } -+ -+ // load the key store -+ KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI"); -+ ks.load(null, null); -+ System.out.println("Loaded keystore: Windows-MY"); -+ -+ // initialize the SSLContext -+ KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); -+ kmf.init(ks, null); -+ -+ TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); -+ tmf.init(ks); -+ -+ SSLContext ctx = SSLContext.getInstance("TLS"); -+ ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); -+ -+ SSLSocketFactory sslsf = ctx.getSocketFactory(); -+ SSLSocket sslSocket = (SSLSocket) -+ sslsf.createSocket("localhost", serverPort); -+ -+ if (clientProtocol != null) { -+ sslSocket.setEnabledProtocols(new String[] {clientProtocol}); -+ } -+ -+ if (clientCiperSuite != null) { -+ sslSocket.setEnabledCipherSuites(new String[] {clientCiperSuite}); -+ } -+ -+ InputStream sslIS = sslSocket.getInputStream(); -+ OutputStream sslOS = sslSocket.getOutputStream(); -+ -+ sslOS.write(280); -+ sslOS.flush(); -+ sslIS.read(); -+ -+ sslSocket.close(); -+ } -+ -+ private void checkKeySize(KeyStore ks) throws Exception { -+ PrivateKey privateKey = null; -+ PublicKey publicKey = null; -+ -+ if (ks.containsAlias(keyAlias)) { -+ System.out.println("Loaded entry: " + keyAlias); -+ privateKey = (PrivateKey)ks.getKey(keyAlias, null); -+ publicKey = (PublicKey)ks.getCertificate(keyAlias).getPublicKey(); -+ -+ int privateKeySize = KeyLength.getKeySize(privateKey); -+ if (privateKeySize != keySize) { -+ throw new Exception("Expected key size is " + keySize + -+ ", but the private key size is " + privateKeySize); -+ } -+ -+ int publicKeySize = KeyLength.getKeySize(publicKey); -+ if (publicKeySize != keySize) { -+ throw new Exception("Expected key size is " + keySize + -+ ", but the public key size is " + publicKeySize); -+ } -+ } -+ } -+ -+ /* -+ * ============================================================= -+ * The remainder is just support stuff -+ */ -+ -+ // use any free port by default -+ volatile int serverPort = 0; -+ -+ volatile Exception serverException = null; -+ volatile Exception clientException = null; -+ -+ private static String keyAlias; -+ private static int keySize; -+ private static String clientProtocol = null; -+ private static String clientCiperSuite = null; -+ -+ private static void parseArguments(String[] args) { -+ keyAlias = args[0]; -+ keySize = Integer.parseInt(args[1]); -+ -+ if (args.length > 2) { -+ clientProtocol = args[2]; -+ } -+ -+ if (args.length > 3) { -+ clientCiperSuite = args[3]; -+ } -+ } -+ -+ public static void main(String[] args) throws Exception { -+ if (debug) { -+ System.setProperty("javax.net.debug", "all"); -+ } -+ -+ // Get the customized arguments. -+ parseArguments(args); -+ -+ new ShortRSAKeyWithinTLS(); -+ } -+ -+ Thread clientThread = null; -+ Thread serverThread = null; -+ -+ /* -+ * Primary constructor, used to drive remainder of the test. -+ * -+ * Fork off the other side, then do your work. -+ */ -+ ShortRSAKeyWithinTLS() throws Exception { -+ try { -+ if (separateServerThread) { -+ startServer(true); -+ startClient(false); -+ } else { -+ startClient(true); -+ startServer(false); -+ } -+ } catch (Exception e) { -+ // swallow for now. Show later -+ } -+ -+ /* -+ * Wait for other side to close down. -+ */ -+ if (separateServerThread) { -+ serverThread.join(); -+ } else { -+ clientThread.join(); -+ } -+ -+ /* -+ * When we get here, the test is pretty much over. -+ * Which side threw the error? -+ */ -+ Exception local; -+ Exception remote; -+ String whichRemote; -+ -+ if (separateServerThread) { -+ remote = serverException; -+ local = clientException; -+ whichRemote = "server"; -+ } else { -+ remote = clientException; -+ local = serverException; -+ whichRemote = "client"; -+ } -+ -+ /* -+ * If both failed, return the curthread's exception, but also -+ * print the remote side Exception -+ */ -+ if ((local != null) && (remote != null)) { -+ System.out.println(whichRemote + " also threw:"); -+ remote.printStackTrace(); -+ System.out.println(); -+ throw local; -+ } -+ -+ if (remote != null) { -+ throw remote; -+ } -+ -+ if (local != null) { -+ throw local; -+ } -+ } -+ -+ void startServer(boolean newThread) throws Exception { -+ if (newThread) { -+ serverThread = new Thread() { -+ public void run() { -+ try { -+ doServerSide(); -+ } catch (Exception e) { -+ /* -+ * Our server thread just died. -+ * -+ * Release the client, if not active already... -+ */ -+ System.err.println("Server died..."); -+ serverReady = true; -+ serverException = e; -+ } -+ } -+ }; -+ serverThread.start(); -+ } else { -+ try { -+ doServerSide(); -+ } catch (Exception e) { -+ serverException = e; -+ } finally { -+ serverReady = true; -+ } -+ } -+ } -+ -+ void startClient(boolean newThread) throws Exception { -+ if (newThread) { -+ clientThread = new Thread() { -+ public void run() { -+ try { -+ doClientSide(); -+ } catch (Exception e) { -+ /* -+ * Our client thread just died. -+ */ -+ System.err.println("Client died..."); -+ clientException = e; -+ } -+ } -+ }; -+ clientThread.start(); -+ } else { -+ try { -+ doClientSide(); -+ } catch (Exception e) { -+ clientException = e; -+ } -+ } -+ } -+} -+ -diff -Nru openjdk.orig/jdk/test/sun/security/pkcs11/KeyStore/ClientAuth.java openjdk/jdk/test/sun/security/pkcs11/KeyStore/ClientAuth.java ---- openjdk.orig/jdk/test/sun/security/pkcs11/KeyStore/ClientAuth.java 2014-07-14 04:24:44.000000000 +0100 -+++ openjdk/jdk/test/sun/security/pkcs11/KeyStore/ClientAuth.java 2014-10-08 23:56:02.324447997 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2007, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -155,6 +155,14 @@ - SSLSocket sslSocket = (SSLSocket) - sslsf.createSocket("localhost", serverPort); - -+ if (clientProtocol != null) { -+ sslSocket.setEnabledProtocols(new String[] {clientProtocol}); -+ } -+ -+ if (clientCiperSuite != null) { -+ sslSocket.setEnabledCipherSuites(new String[] {clientCiperSuite}); -+ } -+ - InputStream sslIS = sslSocket.getInputStream(); - OutputStream sslOS = sslSocket.getOutputStream(); - -@@ -176,7 +184,22 @@ - volatile Exception serverException = null; - volatile Exception clientException = null; - -+ private static String clientProtocol = null; -+ private static String clientCiperSuite = null; -+ -+ private static void parseArguments(String[] args) { -+ if (args.length > 0) { -+ clientProtocol = args[0]; -+ } -+ -+ if (args.length > 1) { -+ clientCiperSuite = args[1]; -+ } -+ } -+ - public static void main(String[] args) throws Exception { -+ // Get the customized arguments. -+ parseArguments(args); - main(new ClientAuth()); - } - -diff -Nru openjdk.orig/jdk/test/sun/security/pkcs11/KeyStore/ClientAuth.sh openjdk/jdk/test/sun/security/pkcs11/KeyStore/ClientAuth.sh ---- openjdk.orig/jdk/test/sun/security/pkcs11/KeyStore/ClientAuth.sh 2014-07-14 04:24:44.000000000 +0100 -+++ openjdk/jdk/test/sun/security/pkcs11/KeyStore/ClientAuth.sh 2014-10-08 23:56:02.324447997 +0100 -@@ -1,5 +1,5 @@ - # --# Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved. -+# Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - # - # This code is free software; you can redistribute it and/or modify it -@@ -22,8 +22,9 @@ - # - - # @test --# @bug 4938185 -+# @bug 4938185 7106773 - # @summary KeyStore support for NSS cert/key databases -+# 512 bits RSA key cannot work with SHA384 and SHA512 - # - # @run shell ClientAuth.sh - -@@ -126,6 +127,7 @@ - ${TESTSRC}${FS}ClientAuth.java - - # run test -+echo "Run ClientAuth ..." - ${TESTJAVA}${FS}bin${FS}java \ - -classpath ${TESTCLASSES}${PS}${TESTSRC}${FS}loader.jar \ - -DDIR=${TESTSRC}${FS}ClientAuthData${FS} \ -@@ -139,6 +141,27 @@ - - # save error status - status=$? -+ -+# return if failed -+if [ "${status}" != "0" ] ; then -+ exit $status -+fi -+ -+# run test with specified TLS protocol and cipher suite -+echo "Run ClientAuth TLSv1.2 TLS_DHE_RSA_WITH_AES_128_CBC_SHA" -+${TESTJAVA}${FS}bin${FS}java \ -+ -classpath ${TESTCLASSES}${PS}${TESTSRC}${FS}loader.jar \ -+ -DDIR=${TESTSRC}${FS}ClientAuthData${FS} \ -+ -DCUSTOM_DB_DIR=${TESTCLASSES} \ -+ -DCUSTOM_P11_CONFIG=${TESTSRC}${FS}ClientAuthData${FS}p11-nss.txt \ -+ -DNO_DEFAULT=true \ -+ -DNO_DEIMOS=true \ -+ -Dtest.src=${TESTSRC} \ -+ -Dtest.classes=${TESTCLASSES} \ -+ ClientAuth TLSv1.2 TLS_DHE_RSA_WITH_AES_128_CBC_SHA -+ -+# save error status -+status=$? - - # return - exit $status -diff -Nru openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/TLSv12/ShortRSAKey512.java openjdk/jdk/test/sun/security/ssl/javax/net/ssl/TLSv12/ShortRSAKey512.java ---- openjdk.orig/jdk/test/sun/security/ssl/javax/net/ssl/TLSv12/ShortRSAKey512.java 1970-01-01 01:00:00.000000000 +0100 -+++ openjdk/jdk/test/sun/security/ssl/javax/net/ssl/TLSv12/ShortRSAKey512.java 2014-10-08 23:56:03.904469889 +0100 -@@ -0,0 +1,414 @@ -+/* -+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+/* -+ * @test -+ * @bug 7106773 -+ * @summary 512 bits RSA key cannot work with SHA384 and SHA512 -+ * -+ * SunJSSE does not support dynamic system properties, no way to re-use -+ * system properties in samevm/agentvm mode. -+ * @run main/othervm ShortRSAKey512 PKIX -+ * @run main/othervm ShortRSAKey512 SunX509 -+ */ -+ -+import java.net.*; -+import java.util.*; -+import java.io.*; -+import javax.net.ssl.*; -+import java.security.KeyStore; -+import java.security.KeyFactory; -+import java.security.cert.Certificate; -+import java.security.cert.CertificateFactory; -+import java.security.spec.*; -+import java.security.interfaces.*; -+import sun.misc.BASE64Decoder; -+ -+ -+public class ShortRSAKey512 { -+ -+ /* -+ * ============================================================= -+ * Set the various variables needed for the tests, then -+ * specify what tests to run on each side. -+ */ -+ -+ /* -+ * Should we run the client or server in a separate thread? -+ * Both sides can throw exceptions, but do you have a preference -+ * as to which side should be the main thread. -+ */ -+ static boolean separateServerThread = false; -+ -+ /* -+ * Where do we find the keystores? -+ */ -+ // Certificates and key used in the test. -+ static String trustedCertStr = -+ "-----BEGIN CERTIFICATE-----\n" + -+ "MIICkjCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADA7MQswCQYDVQQGEwJVUzEN\n" + -+ "MAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwHhcN\n" + -+ "MTEwODE5MDE1MjE5WhcNMzIwNzI5MDE1MjE5WjA7MQswCQYDVQQGEwJVUzENMAsG\n" + -+ "A1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwgZ8wDQYJ\n" + -+ "KoZIhvcNAQEBBQADgY0AMIGJAoGBAM8orG08DtF98TMSscjGsidd1ZoN4jiDpi8U\n" + -+ "ICz+9dMm1qM1d7O2T+KH3/mxyox7Rc2ZVSCaUD0a3CkhPMnlAx8V4u0H+E9sqso6\n" + -+ "iDW3JpOyzMExvZiRgRG/3nvp55RMIUV4vEHOZ1QbhuqG4ebN0Vz2DkRft7+flthf\n" + -+ "vDld6f5JAgMBAAGjgaUwgaIwHQYDVR0OBBYEFLl81dnfp0wDrv0OJ1sxlWzH83Xh\n" + -+ "MGMGA1UdIwRcMFqAFLl81dnfp0wDrv0OJ1sxlWzH83XhoT+kPTA7MQswCQYDVQQG\n" + -+ "EwJVUzENMAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2\n" + -+ "Y2WCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEE\n" + -+ "BQADgYEALlgaH1gWtoBZ84EW8Hu6YtGLQ/L9zIFmHonUPZwn3Pr//icR9Sqhc3/l\n" + -+ "pVTxOINuFHLRz4BBtEylzRIOPzK3tg8XwuLb1zd0db90x3KBCiAL6E6cklGEPwLe\n" + -+ "XYMHDn9eDsaq861Tzn6ZwzMgw04zotPMoZN0mVd/3Qca8UJFucE=\n" + -+ "-----END CERTIFICATE-----"; -+ -+ static String targetCertStr = -+ "-----BEGIN CERTIFICATE-----\n" + -+ "MIICNDCCAZ2gAwIBAgIBDDANBgkqhkiG9w0BAQQFADA7MQswCQYDVQQGEwJVUzEN\n" + -+ "MAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwHhcN\n" + -+ "MTExMTA3MTM1NTUyWhcNMzEwNzI1MTM1NTUyWjBPMQswCQYDVQQGEwJVUzENMAsG\n" + -+ "A1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UxEjAQBgNV\n" + -+ "BAMTCWxvY2FsaG9zdDBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQC3Pb49OSPfOD2G\n" + -+ "HSXFCFx1GJEZfqG9ZUf7xuIi/ra5dLjPGAaoY5QF2QOa8VnOriQCXDfyXHxsuRnE\n" + -+ "OomxL7EVAgMBAAGjeDB2MAsGA1UdDwQEAwID6DAdBgNVHQ4EFgQUXNCJK3/dtCIc\n" + -+ "xb+zlA/JINlvs/MwHwYDVR0jBBgwFoAUuXzV2d+nTAOu/Q4nWzGVbMfzdeEwJwYD\n" + -+ "VR0lBCAwHgYIKwYBBQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDAzANBgkqhkiG9w0B\n" + -+ "AQQFAAOBgQB2qIDUxA2caMPpGtUACZAPRUtrGssCINIfItETXJZCx/cRuZ5sP4D9\n" + -+ "N1acoNDn0hCULe3lhXAeTC9NZ97680yJzregQMV5wATjo1FGsKY30Ma+sc/nfzQW\n" + -+ "+h/7RhYtoG0OTsiaDCvyhI6swkNJzSzrAccPY4+ZgU8HiDLzZTmM3Q==\n" + -+ "-----END CERTIFICATE-----"; -+ -+ // Private key in the format of PKCS#8, key size is 512 bits. -+ static String targetPrivateKey = -+ "MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEAtz2+PTkj3zg9hh0l\n" + -+ "xQhcdRiRGX6hvWVH+8biIv62uXS4zxgGqGOUBdkDmvFZzq4kAlw38lx8bLkZxDqJ\n" + -+ "sS+xFQIDAQABAkByx/5Oo2hQ/w2q4L8z+NTRlJ3vdl8iIDtC/4XPnfYfnGptnpG6\n" + -+ "ZThQRvbMZiai0xHQPQMszvAHjZVme1eDl3EBAiEA3aKJHynPVCEJhpfCLWuMwX5J\n" + -+ "1LntwJO7NTOyU5m8rPECIQDTpzn5X44r2rzWBDna/Sx7HW9IWCxNgUD2Eyi2nA7W\n" + -+ "ZQIgJerEorw4aCAuzQPxiGu57PB6GRamAihEAtoRTBQlH0ECIQDN08FgTtnesgCU\n" + -+ "DFYLLcw1CiHvc7fZw4neBDHCrC8NtQIgA8TOUkGnpCZlQ0KaI8KfKWI+vxFcgFnH\n" + -+ "3fnqsTgaUs4="; -+ -+ static char passphrase[] = "passphrase".toCharArray(); -+ -+ /* -+ * Is the server ready to serve? -+ */ -+ volatile static boolean serverReady = false; -+ -+ /* -+ * Turn on SSL debugging? -+ */ -+ static boolean debug = false; -+ -+ /* -+ * Define the server side of the test. -+ * -+ * If the server prematurely exits, serverReady will be set to true -+ * to avoid infinite hangs. -+ */ -+ void doServerSide() throws Exception { -+ SSLContext context = generateSSLContext(null, targetCertStr, -+ targetPrivateKey); -+ SSLServerSocketFactory sslssf = context.getServerSocketFactory(); -+ SSLServerSocket sslServerSocket = -+ (SSLServerSocket)sslssf.createServerSocket(serverPort); -+ serverPort = sslServerSocket.getLocalPort(); -+ -+ /* -+ * Signal Client, we're ready for his connect. -+ */ -+ serverReady = true; -+ -+ SSLSocket sslSocket = (SSLSocket)sslServerSocket.accept(); -+ InputStream sslIS = sslSocket.getInputStream(); -+ OutputStream sslOS = sslSocket.getOutputStream(); -+ -+ sslIS.read(); -+ sslOS.write('A'); -+ sslOS.flush(); -+ -+ sslSocket.close(); -+ } -+ -+ /* -+ * Define the client side of the test. -+ * -+ * If the server prematurely exits, serverReady will be set to true -+ * to avoid infinite hangs. -+ */ -+ void doClientSide() throws Exception { -+ -+ /* -+ * Wait for server to get started. -+ */ -+ while (!serverReady) { -+ Thread.sleep(50); -+ } -+ -+ SSLContext context = generateSSLContext(trustedCertStr, null, null); -+ SSLSocketFactory sslsf = context.getSocketFactory(); -+ -+ SSLSocket sslSocket = -+ (SSLSocket)sslsf.createSocket("localhost", serverPort); -+ -+ // enable TLSv1.2 only -+ sslSocket.setEnabledProtocols(new String[] {"TLSv1.2"}); -+ -+ // enable a block cipher -+ sslSocket.setEnabledCipherSuites( -+ new String[] {"TLS_DHE_RSA_WITH_AES_128_CBC_SHA"}); -+ -+ InputStream sslIS = sslSocket.getInputStream(); -+ OutputStream sslOS = sslSocket.getOutputStream(); -+ -+ sslOS.write('B'); -+ sslOS.flush(); -+ sslIS.read(); -+ -+ sslSocket.close(); -+ } -+ -+ /* -+ * ============================================================= -+ * The remainder is just support stuff -+ */ -+ private static String tmAlgorithm; // trust manager -+ -+ private static void parseArguments(String[] args) { -+ tmAlgorithm = args[0]; -+ } -+ -+ private static SSLContext generateSSLContext(String trustedCertStr, -+ String keyCertStr, String keySpecStr) throws Exception { -+ -+ // generate certificate from cert string -+ CertificateFactory cf = CertificateFactory.getInstance("X.509"); -+ -+ // create a key store -+ KeyStore ks = KeyStore.getInstance("JKS"); -+ ks.load(null, null); -+ -+ // import the trused cert -+ Certificate trusedCert = null; -+ ByteArrayInputStream is = null; -+ if (trustedCertStr != null) { -+ is = new ByteArrayInputStream(trustedCertStr.getBytes()); -+ trusedCert = cf.generateCertificate(is); -+ is.close(); -+ -+ ks.setCertificateEntry("RSA Export Signer", trusedCert); -+ } -+ -+ if (keyCertStr != null) { -+ // generate the private key. -+ PKCS8EncodedKeySpec priKeySpec = new PKCS8EncodedKeySpec( -+ new BASE64Decoder().decodeBuffer(keySpecStr)); -+ KeyFactory kf = KeyFactory.getInstance("RSA"); -+ RSAPrivateKey priKey = -+ (RSAPrivateKey)kf.generatePrivate(priKeySpec); -+ -+ // generate certificate chain -+ is = new ByteArrayInputStream(keyCertStr.getBytes()); -+ Certificate keyCert = cf.generateCertificate(is); -+ is.close(); -+ -+ Certificate[] chain = null; -+ if (trusedCert != null) { -+ chain = new Certificate[2]; -+ chain[0] = keyCert; -+ chain[1] = trusedCert; -+ } else { -+ chain = new Certificate[1]; -+ chain[0] = keyCert; -+ } -+ -+ // import the key entry. -+ ks.setKeyEntry("Whatever", priKey, passphrase, chain); -+ } -+ -+ // create SSL context -+ TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmAlgorithm); -+ tmf.init(ks); -+ -+ SSLContext ctx = SSLContext.getInstance("TLS"); -+ if (keyCertStr != null && !keyCertStr.isEmpty()) { -+ KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509"); -+ kmf.init(ks, passphrase); -+ -+ ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); -+ ks = null; -+ } else { -+ ctx.init(null, tmf.getTrustManagers(), null); -+ } -+ -+ return ctx; -+ } -+ -+ -+ // use any free port by default -+ volatile int serverPort = 0; -+ -+ volatile Exception serverException = null; -+ volatile Exception clientException = null; -+ -+ public static void main(String[] args) throws Exception { -+ if (debug) -+ System.setProperty("javax.net.debug", "all"); -+ -+ /* -+ * Get the customized arguments. -+ */ -+ parseArguments(args); -+ -+ /* -+ * Start the tests. -+ */ -+ new ShortRSAKey512(); -+ } -+ -+ Thread clientThread = null; -+ Thread serverThread = null; -+ -+ /* -+ * Primary constructor, used to drive remainder of the test. -+ * -+ * Fork off the other side, then do your work. -+ */ -+ ShortRSAKey512() throws Exception { -+ try { -+ if (separateServerThread) { -+ startServer(true); -+ startClient(false); -+ } else { -+ startClient(true); -+ startServer(false); -+ } -+ } catch (Exception e) { -+ // swallow for now. Show later -+ } -+ -+ /* -+ * Wait for other side to close down. -+ */ -+ if (separateServerThread) { -+ serverThread.join(); -+ } else { -+ clientThread.join(); -+ } -+ -+ /* -+ * When we get here, the test is pretty much over. -+ * Which side threw the error? -+ */ -+ Exception local; -+ Exception remote; -+ String whichRemote; -+ -+ if (separateServerThread) { -+ remote = serverException; -+ local = clientException; -+ whichRemote = "server"; -+ } else { -+ remote = clientException; -+ local = serverException; -+ whichRemote = "client"; -+ } -+ -+ /* -+ * If both failed, return the curthread's exception, but also -+ * print the remote side Exception -+ */ -+ if ((local != null) && (remote != null)) { -+ System.out.println(whichRemote + " also threw:"); -+ remote.printStackTrace(); -+ System.out.println(); -+ throw local; -+ } -+ -+ if (remote != null) { -+ throw remote; -+ } -+ -+ if (local != null) { -+ throw local; -+ } -+ } -+ -+ void startServer(boolean newThread) throws Exception { -+ if (newThread) { -+ serverThread = new Thread() { -+ public void run() { -+ try { -+ doServerSide(); -+ } catch (Exception e) { -+ /* -+ * Our server thread just died. -+ * -+ * Release the client, if not active already... -+ */ -+ System.err.println("Server died..."); -+ serverReady = true; -+ serverException = e; -+ } -+ } -+ }; -+ serverThread.start(); -+ } else { -+ try { -+ doServerSide(); -+ } catch (Exception e) { -+ serverException = e; -+ } finally { -+ serverReady = true; -+ } -+ } -+ } -+ -+ void startClient(boolean newThread) throws Exception { -+ if (newThread) { -+ clientThread = new Thread() { -+ public void run() { -+ try { -+ doClientSide(); -+ } catch (Exception e) { -+ /* -+ * Our client thread just died. -+ */ -+ System.err.println("Client died..."); -+ clientException = e; -+ } -+ } -+ }; -+ clientThread.start(); -+ } else { -+ try { -+ doClientSide(); -+ } catch (Exception e) { -+ clientException = e; -+ } -+ } -+ } -+}
--- a/patches/openjdk/7170638-systemtap.patch Wed May 04 02:55:09 2016 +0100 +++ b/patches/openjdk/7170638-systemtap.patch Wed May 04 04:24:30 2016 +0100 @@ -10,8 +10,8 @@ Contributed-by: Mark Wielaard <mjw@redhat.com> diff -Nru openjdk.orig/hotspot/make/bsd/makefiles/buildtree.make openjdk/hotspot/make/bsd/makefiles/buildtree.make ---- openjdk.orig/hotspot/make/bsd/makefiles/buildtree.make 2015-04-09 02:20:24.000000000 +0100 -+++ openjdk/hotspot/make/bsd/makefiles/buildtree.make 2015-07-22 03:46:03.362170724 +0100 +--- openjdk.orig/hotspot/make/bsd/makefiles/buildtree.make 2016-05-03 23:39:23.113016118 +0100 ++++ openjdk/hotspot/make/bsd/makefiles/buildtree.make 2016-05-04 00:26:06.226759102 +0100 @@ -162,6 +162,13 @@ endif endif @@ -35,8 +35,8 @@ echo "# Used for platform dispatching"; \ echo "TARGET_DEFINES = -DTARGET_OS_FAMILY_\$$(Platform_os_family)"; \ diff -Nru openjdk.orig/hotspot/make/linux/makefiles/buildtree.make openjdk/hotspot/make/linux/makefiles/buildtree.make ---- openjdk.orig/hotspot/make/linux/makefiles/buildtree.make 2015-07-22 03:45:38.710600424 +0100 -+++ openjdk/hotspot/make/linux/makefiles/buildtree.make 2015-07-22 03:46:19.929881934 +0100 +--- openjdk.orig/hotspot/make/linux/makefiles/buildtree.make 2016-05-04 00:25:18.651544017 +0100 ++++ openjdk/hotspot/make/linux/makefiles/buildtree.make 2016-05-04 00:26:06.226759102 +0100 @@ -155,6 +155,13 @@ endif endif @@ -60,8 +60,8 @@ echo "DISTRIBUTION_ID = $(DISTRIBUTION_ID)"; \ echo; \ diff -Nru openjdk.orig/hotspot/make/linux/makefiles/dtrace.make openjdk/hotspot/make/linux/makefiles/dtrace.make ---- openjdk.orig/hotspot/make/linux/makefiles/dtrace.make 2015-04-09 02:20:11.000000000 +0100 -+++ openjdk/hotspot/make/linux/makefiles/dtrace.make 2015-07-22 03:46:03.362170724 +0100 +--- openjdk.orig/hotspot/make/linux/makefiles/dtrace.make 2016-05-03 23:39:06.653287621 +0100 ++++ openjdk/hotspot/make/linux/makefiles/dtrace.make 2016-05-04 00:26:06.226759102 +0100 @@ -1,5 +1,6 @@ # -# Copyright (c) 2005, 2008, Oracle and/or its affiliates. All rights reserved. @@ -112,8 +112,8 @@ +# It doesn't support HAVE_DTRACE_H though. + diff -Nru openjdk.orig/hotspot/make/linux/makefiles/vm.make openjdk/hotspot/make/linux/makefiles/vm.make ---- openjdk.orig/hotspot/make/linux/makefiles/vm.make 2015-07-22 03:45:38.714600354 +0100 -+++ openjdk/hotspot/make/linux/makefiles/vm.make 2015-07-22 03:46:42.457489257 +0100 +--- openjdk.orig/hotspot/make/linux/makefiles/vm.make 2016-05-04 00:25:18.651544017 +0100 ++++ openjdk/hotspot/make/linux/makefiles/vm.make 2016-05-04 00:26:06.226759102 +0100 @@ -394,7 +394,7 @@ #---------------------------------------------------------------------- @@ -124,8 +124,8 @@ install: install_jvm install_jsig install_saproc diff -Nru openjdk.orig/hotspot/make/solaris/makefiles/buildtree.make openjdk/hotspot/make/solaris/makefiles/buildtree.make ---- openjdk.orig/hotspot/make/solaris/makefiles/buildtree.make 2015-04-09 02:20:13.000000000 +0100 -+++ openjdk/hotspot/make/solaris/makefiles/buildtree.make 2015-07-22 03:46:03.362170724 +0100 +--- openjdk.orig/hotspot/make/solaris/makefiles/buildtree.make 2016-05-03 23:39:09.757236421 +0100 ++++ openjdk/hotspot/make/solaris/makefiles/buildtree.make 2016-05-04 00:26:06.226759102 +0100 @@ -147,6 +147,13 @@ endif endif @@ -149,16 +149,16 @@ echo; \ echo "# Used for platform dispatching"; \ diff -Nru openjdk.orig/hotspot/src/share/vm/prims/jni.cpp openjdk/hotspot/src/share/vm/prims/jni.cpp ---- openjdk.orig/hotspot/src/share/vm/prims/jni.cpp 2015-04-09 02:20:26.000000000 +0100 -+++ openjdk/hotspot/src/share/vm/prims/jni.cpp 2015-07-22 03:46:03.366170655 +0100 +--- openjdk.orig/hotspot/src/share/vm/prims/jni.cpp 2016-05-03 23:59:23.705202879 +0100 ++++ openjdk/hotspot/src/share/vm/prims/jni.cpp 2016-05-04 00:26:20.690520468 +0100 @@ -1,5 +1,6 @@ /* - * Copyright (c) 1997, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2016, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2012 Red Hat, Inc. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it -@@ -2819,10 +2820,9 @@ +@@ -2841,10 +2842,9 @@ JNI_QUICK_ENTRY(void, jni_Set##Result##Field(JNIEnv *env, jobject obj, jfieldID fieldID, Argument value)) \ JNIWrapper("Set" XSTR(Result) "Field"); \ \ @@ -172,7 +172,7 @@ \ oop o = JNIHandles::resolve_non_null(obj); \ klassOop k = o->klass(); \ -@@ -3129,10 +3129,9 @@ +@@ -3152,10 +3152,9 @@ \ JNI_ENTRY(void, jni_SetStatic##Result##Field(JNIEnv *env, jclass clazz, jfieldID fieldID, Argument value)) \ JNIWrapper("SetStatic" XSTR(Result) "Field"); \ @@ -187,8 +187,8 @@ JNIid* id = jfieldIDWorkaround::from_static_jfieldID(fieldID); \ assert(id->is_static_field_id(), "invalid static field id"); \ diff -Nru openjdk.orig/hotspot/src/share/vm/utilities/dtrace.hpp openjdk/hotspot/src/share/vm/utilities/dtrace.hpp ---- openjdk.orig/hotspot/src/share/vm/utilities/dtrace.hpp 2015-04-09 02:20:21.000000000 +0100 -+++ openjdk/hotspot/src/share/vm/utilities/dtrace.hpp 2015-07-22 03:46:03.366170655 +0100 +--- openjdk.orig/hotspot/src/share/vm/utilities/dtrace.hpp 2016-05-03 23:39:18.405093776 +0100 ++++ openjdk/hotspot/src/share/vm/utilities/dtrace.hpp 2016-05-04 00:26:06.226759102 +0100 @@ -1,5 +1,6 @@ /* - * Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
--- a/patches/openjdk/8006935-long_keys_in_hmac_prf.patch Wed May 04 02:55:09 2016 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,41 +0,0 @@ -diff -Nru openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/TlsPrfGenerator.java openjdk/jdk/src/share/classes/com/sun/crypto/provider/TlsPrfGenerator.java ---- openjdk.orig/jdk/src/share/classes/com/sun/crypto/provider/TlsPrfGenerator.java 2014-07-14 04:24:43.000000000 +0100 -+++ openjdk/jdk/src/share/classes/com/sun/crypto/provider/TlsPrfGenerator.java 2014-10-08 23:47:13.825128435 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2005, 2009, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -181,13 +181,28 @@ - int off = secret.length >> 1; - int seclen = off + (secret.length & 1); - -+ byte[] secKey = secret; -+ int keyLen = seclen; - byte[] output = new byte[outputLength]; - - // P_MD5(S1, label + seed) -- expand(md5, 16, secret, 0, seclen, labelBytes, seed, output); -+ // If we have a long secret, digest it first. -+ if (seclen > 64) { // 64: block size of HMAC-MD5 -+ md5.update(secret, 0, seclen); -+ secKey = md5.digest(); -+ keyLen = secKey.length; -+ } -+ expand(md5, 16, secKey, 0, keyLen, labelBytes, seed, output); - - // P_SHA-1(S2, label + seed) -- expand(sha, 20, secret, off, seclen, labelBytes, seed, output); -+ // If we have a long secret, digest it first. -+ if (seclen > 64) { // 64: block size of HMAC-SHA1 -+ sha.update(secret, off, seclen); -+ secKey = sha.digest(); -+ keyLen = secKey.length; -+ off = 0; -+ } -+ expand(sha, 20, secKey, off, keyLen, labelBytes, seed, output); - - return output; - }
--- a/patches/openjdk/8039921-sha1_1024plus.patch Wed May 04 02:55:09 2016 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,87 +0,0 @@ -# HG changeset patch -# User andrew -# Date 1436281867 -3600 -# Tue Jul 07 16:11:07 2015 +0100 -# Node ID 38e2f59188166b2dcc2c7655a4c4d6ad948c4c59 -# Parent 67d5d1b652e7c475140d9eabe687681c6e55b0af -8039921, PR2468: SHA1WithDSA with key > 1024 bits not working -Summary: Removed the key size limits for all SHAXXXWithDSA signatures -Reviewed-by: weijun - -diff -r 67d5d1b652e7 -r 38e2f5918816 src/share/classes/sun/security/provider/DSA.java ---- openjdk/jdk/src/share/classes/sun/security/provider/DSA.java Tue Jul 07 16:05:01 2015 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/provider/DSA.java Tue Jul 07 16:11:07 2015 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1996, 2012, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -117,7 +117,6 @@ - if (params == null) { - throw new InvalidKeyException("DSA private key lacks parameters"); - } -- checkKey(params); - - this.params = params; - this.presetX = priv.getX(); -@@ -149,7 +148,6 @@ - if (params == null) { - throw new InvalidKeyException("DSA public key lacks parameters"); - } -- checkKey(params); - - this.params = params; - this.presetY = pub.getY(); -@@ -291,16 +289,6 @@ - return null; - } - -- protected void checkKey(DSAParams params) throws InvalidKeyException { -- // FIPS186-3 states in sec4.2 that a hash function which provides -- // a lower security strength than the (L, N) pair ordinarily should -- // not be used. -- int valueN = params.getQ().bitLength(); -- if (valueN > md.getDigestLength()*8) { -- throw new InvalidKeyException("Key is too strong for this signature algorithm"); -- } -- } -- - private BigInteger generateR(BigInteger p, BigInteger q, BigInteger g, - BigInteger k) { - BigInteger temp = g.modPow(k, p); -@@ -480,14 +468,6 @@ - } - } - -- @Override -- protected void checkKey(DSAParams params) throws InvalidKeyException { -- int valueL = params.getP().bitLength(); -- if (valueL > 1024) { -- throw new InvalidKeyException("Key is too long for this algorithm"); -- } -- } -- - /* - * Please read bug report 4044247 for an alternative, faster, - * NON-FIPS approved method to generate K -diff -r 67d5d1b652e7 -r 38e2f5918816 test/sun/security/provider/DSA/TestDSA2.java ---- openjdk/jdk/test/sun/security/provider/DSA/TestDSA2.java Tue Jul 07 16:05:01 2015 +0100 -+++ openjdk/jdk/test/sun/security/provider/DSA/TestDSA2.java Tue Jul 07 16:11:07 2015 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -50,7 +50,7 @@ - public static void main(String[] args) throws Exception { - boolean[] expectedToPass = { true, true, true }; - test(1024, expectedToPass); -- boolean[] expectedToPass2 = { false, true, true }; -+ boolean[] expectedToPass2 = { true, true, true }; - test(2048, expectedToPass2); - } -
--- a/patches/openjdk/8087120-zero_gcc5.patch Wed May 04 02:55:09 2016 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,24 +0,0 @@ -# HG changeset patch -# User sgehwolf -# Date 1434121785 -3600 -# Fri Jun 12 16:09:45 2015 +0100 -# Node ID b19bc5aeaa099ac73ee8341e337a007180409593 -# Parent 4ce44f68d86dcf88b27142e5ec031dec29d47d6f -8087120, RH1206656, PR2554: [GCC5] java.lang.StackOverflowError on Zero JVM initialization on non x86 platforms. -Summary: Use __builtin_frame_address(0) rather than returning address of local variable. -Reviewed-by: dholmes - -diff -r 4ce44f68d86d -r b19bc5aeaa09 src/os_cpu/linux_zero/vm/os_linux_zero.cpp ---- openjdk/hotspot/src/os_cpu/linux_zero/vm/os_linux_zero.cpp Sun Jul 19 18:19:32 2015 +0100 -+++ openjdk/hotspot/src/os_cpu/linux_zero/vm/os_linux_zero.cpp Fri Jun 12 16:09:45 2015 +0100 -@@ -61,8 +61,8 @@ - #endif - - address os::current_stack_pointer() { -- address dummy = (address) &dummy; -- return dummy; -+ // return the address of the current function -+ return (address)__builtin_frame_address(0); - } - - frame os::get_sender_for_C_frame(frame* fr) {
--- a/patches/openjdk/p11cipher-6414899-p11digest_should_support_cloning.patch Wed May 04 02:55:09 2016 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,1511 +0,0 @@ -diff -Nru openjdk.orig/jdk/make/sun/security/pkcs11/mapfile-vers openjdk/jdk/make/sun/security/pkcs11/mapfile-vers ---- openjdk.orig/jdk/make/sun/security/pkcs11/mapfile-vers 2012-05-01 22:18:01.000000000 +0100 -+++ openjdk/jdk/make/sun/security/pkcs11/mapfile-vers 2012-08-08 18:42:13.064667047 +0100 -@@ -1,5 +1,5 @@ - # --# Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved. -+# Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - # - # This code is free software; you can redistribute it and/or modify it -@@ -47,8 +47,8 @@ - Java_sun_security_pkcs11_wrapper_PKCS11_C_1CloseSession; - # Java_sun_security_pkcs11_wrapper_PKCS11_C_1CloseAllSessions; - Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetSessionInfo; --# Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetOperationState; --# Java_sun_security_pkcs11_wrapper_PKCS11_C_1SetOperationState; -+ Java_sun_security_pkcs11_wrapper_PKCS11_C_1GetOperationState; -+ Java_sun_security_pkcs11_wrapper_PKCS11_C_1SetOperationState; - Java_sun_security_pkcs11_wrapper_PKCS11_C_1Login; - Java_sun_security_pkcs11_wrapper_PKCS11_C_1Logout; - Java_sun_security_pkcs11_wrapper_PKCS11_C_1CreateObject; -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Digest.java openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Digest.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Digest.java 2012-05-01 22:18:26.000000000 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Digest.java 2012-08-08 18:42:13.076667253 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2010, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -49,13 +49,12 @@ - * @author Andreas Sterbenz - * @since 1.5 - */ --final class P11Digest extends MessageDigestSpi { -+final class P11Digest extends MessageDigestSpi implements Cloneable { - -- /* unitialized, fields uninitialized, no session acquired */ -+ /* fields initialized, no session acquired */ - private final static int S_BLANK = 1; - -- // data in buffer, all fields valid, session acquired -- // but digest not initialized -+ /* data in buffer, session acquired, but digest not initialized */ - private final static int S_BUFFERED = 2; - - /* session initialized for digesting */ -@@ -69,8 +68,8 @@ - // algorithm name - private final String algorithm; - -- // mechanism id -- private final long mechanism; -+ // mechanism id object -+ private final CK_MECHANISM mechanism; - - // length of the digest in bytes - private final int digestLength; -@@ -81,11 +80,8 @@ - // current state, one of S_* above - private int state; - -- // one byte buffer for the update(byte) method, initialized on demand -- private byte[] oneByte; -- - // buffer to reduce number of JNI calls -- private final byte[] buffer; -+ private byte[] buffer; - - // offset into the buffer - private int bufOfs; -@@ -94,7 +90,7 @@ - super(); - this.token = token; - this.algorithm = algorithm; -- this.mechanism = mechanism; -+ this.mechanism = new CK_MECHANISM(mechanism); - switch ((int)mechanism) { - case (int)CKM_MD2: - case (int)CKM_MD5: -@@ -117,7 +113,6 @@ - } - buffer = new byte[BUFFER_SIZE]; - state = S_BLANK; -- engineReset(); - } - - // see JCA spec -@@ -125,44 +120,31 @@ - return digestLength; - } - -- private void cancelOperation() { -- token.ensureValid(); -- if (session == null) { -- return; -- } -- if ((state != S_INIT) || (token.explicitCancel == false)) { -- return; -- } -- // need to explicitly "cancel" active op by finishing it -- try { -- token.p11.C_DigestFinal(session.id(), buffer, 0, buffer.length); -- } catch (PKCS11Exception e) { -- throw new ProviderException("cancel() failed", e); -- } finally { -- state = S_BUFFERED; -- } -- } -- - private void fetchSession() { - token.ensureValid(); - if (state == S_BLANK) { -- engineReset(); -+ try { -+ session = token.getOpSession(); -+ state = S_BUFFERED; -+ } catch (PKCS11Exception e) { -+ throw new ProviderException("No more session available", e); -+ } - } - } - - // see JCA spec - protected void engineReset() { -- try { -- cancelOperation(); -- bufOfs = 0; -- if (session == null) { -- session = token.getOpSession(); -+ token.ensureValid(); -+ -+ if (session != null) { -+ if (state == S_INIT && token.explicitCancel == true) { -+ session = token.killSession(session); -+ } else { -+ session = token.releaseSession(session); - } -- state = S_BUFFERED; -- } catch (PKCS11Exception e) { -- state = S_BLANK; -- throw new ProviderException("reset() failed, ", e); - } -+ state = S_BLANK; -+ bufOfs = 0; - } - - // see JCA spec -@@ -180,18 +162,22 @@ - protected int engineDigest(byte[] digest, int ofs, int len) - throws DigestException { - if (len < digestLength) { -- throw new DigestException("Length must be at least " + digestLength); -+ throw new DigestException("Length must be at least " + -+ digestLength); - } -+ - fetchSession(); - try { - int n; - if (state == S_BUFFERED) { -- n = token.p11.C_DigestSingle(session.id(), -- new CK_MECHANISM(mechanism), -- buffer, 0, bufOfs, digest, ofs, len); -+ n = token.p11.C_DigestSingle(session.id(), mechanism, buffer, 0, -+ bufOfs, digest, ofs, len); -+ bufOfs = 0; - } else { - if (bufOfs != 0) { -- doUpdate(buffer, 0, bufOfs); -+ token.p11.C_DigestUpdate(session.id(), 0, buffer, 0, -+ bufOfs); -+ bufOfs = 0; - } - n = token.p11.C_DigestFinal(session.id(), digest, ofs, len); - } -@@ -202,36 +188,44 @@ - } catch (PKCS11Exception e) { - throw new ProviderException("digest() failed", e); - } finally { -- state = S_BLANK; -- bufOfs = 0; -- session = token.releaseSession(session); -+ engineReset(); - } - } - - // see JCA spec - protected void engineUpdate(byte in) { -- if (oneByte == null) { -- oneByte = new byte[1]; -- } -- oneByte[0] = in; -- engineUpdate(oneByte, 0, 1); -+ byte[] temp = { in }; -+ engineUpdate(temp, 0, 1); - } - - // see JCA spec - protected void engineUpdate(byte[] in, int ofs, int len) { -- fetchSession(); - if (len <= 0) { - return; - } -- if ((bufOfs != 0) && (bufOfs + len > buffer.length)) { -- doUpdate(buffer, 0, bufOfs); -- bufOfs = 0; -- } -- if (bufOfs + len > buffer.length) { -- doUpdate(in, ofs, len); -- } else { -- System.arraycopy(in, ofs, buffer, bufOfs, len); -- bufOfs += len; -+ -+ fetchSession(); -+ try { -+ if (state == S_BUFFERED) { -+ token.p11.C_DigestInit(session.id(), mechanism); -+ state = S_INIT; -+ } -+ if ((bufOfs != 0) && (bufOfs + len > buffer.length)) { -+ // process the buffered data -+ token.p11.C_DigestUpdate(session.id(), 0, buffer, 0, bufOfs); -+ bufOfs = 0; -+ } -+ if (bufOfs + len > buffer.length) { -+ // process the new data -+ token.p11.C_DigestUpdate(session.id(), 0, in, ofs, len); -+ } else { -+ // buffer the new data -+ System.arraycopy(in, ofs, buffer, bufOfs, len); -+ bufOfs += len; -+ } -+ } catch (PKCS11Exception e) { -+ engineReset(); -+ throw new ProviderException("update() failed", e); - } - } - -@@ -239,11 +233,7 @@ - // the master secret is sensitive. We may want to consider making this - // method public in a future release. - protected void implUpdate(SecretKey key) throws InvalidKeyException { -- fetchSession(); -- if (bufOfs != 0) { -- doUpdate(buffer, 0, bufOfs); -- bufOfs = 0; -- } -+ - // SunJSSE calls this method only if the key does not have a RAW - // encoding, i.e. if it is sensitive. Therefore, no point in calling - // SecretKeyFactory to try to convert it. Just verify it ourselves. -@@ -252,60 +242,77 @@ - } - P11Key p11Key = (P11Key)key; - if (p11Key.token != token) { -- throw new InvalidKeyException("Not a P11Key of this provider: " + key); -+ throw new InvalidKeyException("Not a P11Key of this provider: " + -+ key); - } -+ -+ fetchSession(); - try { - if (state == S_BUFFERED) { -- token.p11.C_DigestInit(session.id(), new CK_MECHANISM(mechanism)); -+ token.p11.C_DigestInit(session.id(), mechanism); - state = S_INIT; - } -+ -+ if (bufOfs != 0) { -+ token.p11.C_DigestUpdate(session.id(), 0, buffer, 0, bufOfs); -+ bufOfs = 0; -+ } - token.p11.C_DigestKey(session.id(), p11Key.keyID); - } catch (PKCS11Exception e) { -+ engineReset(); - throw new ProviderException("update(SecretKey) failed", e); - } - } - - // see JCA spec - protected void engineUpdate(ByteBuffer byteBuffer) { -- fetchSession(); - int len = byteBuffer.remaining(); - if (len <= 0) { - return; - } -+ - if (byteBuffer instanceof DirectBuffer == false) { - super.engineUpdate(byteBuffer); - return; - } -+ -+ fetchSession(); - long addr = ((DirectBuffer)byteBuffer).address(); - int ofs = byteBuffer.position(); - try { - if (state == S_BUFFERED) { -- token.p11.C_DigestInit(session.id(), new CK_MECHANISM(mechanism)); -+ token.p11.C_DigestInit(session.id(), mechanism); - state = S_INIT; -- if (bufOfs != 0) { -- doUpdate(buffer, 0, bufOfs); -- bufOfs = 0; -- } -+ } -+ if (bufOfs != 0) { -+ token.p11.C_DigestUpdate(session.id(), 0, buffer, 0, bufOfs); -+ bufOfs = 0; - } - token.p11.C_DigestUpdate(session.id(), addr + ofs, null, 0, len); - byteBuffer.position(ofs + len); - } catch (PKCS11Exception e) { -+ engineReset(); - throw new ProviderException("update() failed", e); - } - } - -- private void doUpdate(byte[] in, int ofs, int len) { -- if (len <= 0) { -- return; -- } -+ public Object clone() throws CloneNotSupportedException { -+ P11Digest copy = (P11Digest) super.clone(); -+ copy.buffer = buffer.clone(); - try { -- if (state == S_BUFFERED) { -- token.p11.C_DigestInit(session.id(), new CK_MECHANISM(mechanism)); -- state = S_INIT; -+ if (session != null) { -+ copy.session = copy.token.getOpSession(); -+ } -+ if (state == S_INIT) { -+ byte[] stateValues = -+ token.p11.C_GetOperationState(session.id()); -+ token.p11.C_SetOperationState(copy.session.id(), -+ stateValues, 0, 0); - } -- token.p11.C_DigestUpdate(session.id(), 0, in, ofs, len); - } catch (PKCS11Exception e) { -- throw new ProviderException("update() failed", e); -+ throw (CloneNotSupportedException) -+ (new CloneNotSupportedException(algorithm).initCause(e)); - } -+ return copy; - } - } -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java 2012-05-01 22:18:26.000000000 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11.java 2012-08-08 18:42:13.080667322 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - */ - - /* Copyright (c) 2002 Graz University of Technology. All rights reserved. -@@ -133,14 +133,15 @@ - * @preconditions (pkcs11ModulePath <> null) - * @postconditions - */ -- PKCS11(String pkcs11ModulePath, String functionListName) throws IOException { -+ PKCS11(String pkcs11ModulePath, String functionListName) -+ throws IOException { - connect(pkcs11ModulePath, functionListName); - this.pkcs11ModulePath = pkcs11ModulePath; - } - -- public static synchronized PKCS11 getInstance(String pkcs11ModulePath, String functionList, -- CK_C_INITIALIZE_ARGS pInitArgs, boolean omitInitialize) -- throws IOException, PKCS11Exception { -+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath, -+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs, -+ boolean omitInitialize) throws IOException, PKCS11Exception { - // we may only call C_Initialize once per native .so/.dll - // so keep a cache using the (non-canonicalized!) path - PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath); -@@ -177,7 +178,8 @@ - * @preconditions (pkcs11ModulePath <> null) - * @postconditions - */ -- private native void connect(String pkcs11ModulePath, String functionListName) throws IOException; -+ private native void connect(String pkcs11ModulePath, String functionListName) -+ throws IOException; - - /** - * Disconnects the PKCS#11 library from this object. After calling this -@@ -255,7 +257,8 @@ - * @preconditions - * @postconditions (result <> null) - */ -- public native long[] C_GetSlotList(boolean tokenPresent) throws PKCS11Exception; -+ public native long[] C_GetSlotList(boolean tokenPresent) -+ throws PKCS11Exception; - - - /** -@@ -287,7 +290,8 @@ - * @preconditions - * @postconditions (result <> null) - */ -- public native CK_TOKEN_INFO C_GetTokenInfo(long slotID) throws PKCS11Exception; -+ public native CK_TOKEN_INFO C_GetTokenInfo(long slotID) -+ throws PKCS11Exception; - - - /** -@@ -322,7 +326,8 @@ - * @preconditions - * @postconditions (result <> null) - */ -- public native CK_MECHANISM_INFO C_GetMechanismInfo(long slotID, long type) throws PKCS11Exception; -+ public native CK_MECHANISM_INFO C_GetMechanismInfo(long slotID, long type) -+ throws PKCS11Exception; - - - /** -@@ -339,7 +344,8 @@ - * @preconditions - * @postconditions - */ --// public native void C_InitToken(long slotID, char[] pPin, char[] pLabel) throws PKCS11Exception; -+// public native void C_InitToken(long slotID, char[] pPin, char[] pLabel) -+// throws PKCS11Exception; - - - /** -@@ -354,7 +360,8 @@ - * @preconditions - * @postconditions - */ --// public native void C_InitPIN(long hSession, char[] pPin) throws PKCS11Exception; -+// public native void C_InitPIN(long hSession, char[] pPin) -+// throws PKCS11Exception; - - - /** -@@ -371,7 +378,8 @@ - * @preconditions - * @postconditions - */ --// public native void C_SetPIN(long hSession, char[] pOldPin, char[] pNewPin) throws PKCS11Exception; -+// public native void C_SetPIN(long hSession, char[] pOldPin, char[] pNewPin) -+// throws PKCS11Exception; - - - -@@ -398,7 +406,8 @@ - * @preconditions - * @postconditions - */ -- public native long C_OpenSession(long slotID, long flags, Object pApplication, CK_NOTIFY Notify) throws PKCS11Exception; -+ public native long C_OpenSession(long slotID, long flags, -+ Object pApplication, CK_NOTIFY Notify) throws PKCS11Exception; - - - /** -@@ -440,7 +449,8 @@ - * @preconditions - * @postconditions (result <> null) - */ -- public native CK_SESSION_INFO C_GetSessionInfo(long hSession) throws PKCS11Exception; -+ public native CK_SESSION_INFO C_GetSessionInfo(long hSession) -+ throws PKCS11Exception; - - - /** -@@ -457,7 +467,8 @@ - * @preconditions - * @postconditions (result <> null) - */ --// public native byte[] C_GetOperationState(long hSession) throws PKCS11Exception; -+ public native byte[] C_GetOperationState(long hSession) -+ throws PKCS11Exception; - - - /** -@@ -478,7 +489,8 @@ - * @preconditions - * @postconditions - */ --// public native void C_SetOperationState(long hSession, byte[] pOperationState, long hEncryptionKey, long hAuthenticationKey) throws PKCS11Exception; -+ public native void C_SetOperationState(long hSession, byte[] pOperationState, -+ long hEncryptionKey, long hAuthenticationKey) throws PKCS11Exception; - - - /** -@@ -495,7 +507,8 @@ - * @preconditions - * @postconditions - */ -- public native void C_Login(long hSession, long userType, char[] pPin) throws PKCS11Exception; -+ public native void C_Login(long hSession, long userType, char[] pPin) -+ throws PKCS11Exception; - - - /** -@@ -531,7 +544,8 @@ - * @preconditions - * @postconditions - */ -- public native long C_CreateObject(long hSession, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception; -+ public native long C_CreateObject(long hSession, CK_ATTRIBUTE[] pTemplate) -+ throws PKCS11Exception; - - - /** -@@ -552,7 +566,8 @@ - * @preconditions - * @postconditions - */ -- public native long C_CopyObject(long hSession, long hObject, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception; -+ public native long C_CopyObject(long hSession, long hObject, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception; - - - /** -@@ -567,7 +582,8 @@ - * @preconditions - * @postconditions - */ -- public native void C_DestroyObject(long hSession, long hObject) throws PKCS11Exception; -+ public native void C_DestroyObject(long hSession, long hObject) -+ throws PKCS11Exception; - - - /** -@@ -584,7 +600,8 @@ - * @preconditions - * @postconditions - */ --// public native long C_GetObjectSize(long hSession, long hObject) throws PKCS11Exception; -+// public native long C_GetObjectSize(long hSession, long hObject) -+// throws PKCS11Exception; - - - /** -@@ -604,7 +621,8 @@ - * @preconditions (pTemplate <> null) - * @postconditions (result <> null) - */ -- public native void C_GetAttributeValue(long hSession, long hObject, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception; -+ public native void C_GetAttributeValue(long hSession, long hObject, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception; - - - /** -@@ -623,7 +641,8 @@ - * @preconditions (pTemplate <> null) - * @postconditions - */ -- public native void C_SetAttributeValue(long hSession, long hObject, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception; -+ public native void C_SetAttributeValue(long hSession, long hObject, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception; - - - /** -@@ -640,7 +659,8 @@ - * @preconditions - * @postconditions - */ -- public native void C_FindObjectsInit(long hSession, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception; -+ public native void C_FindObjectsInit(long hSession, CK_ATTRIBUTE[] pTemplate) -+ throws PKCS11Exception; - - - /** -@@ -659,7 +679,8 @@ - * @preconditions - * @postconditions (result <> null) - */ -- public native long[] C_FindObjects(long hSession, long ulMaxObjectCount) throws PKCS11Exception; -+ public native long[] C_FindObjects(long hSession, long ulMaxObjectCount) -+ throws PKCS11Exception; - - - /** -@@ -695,7 +716,8 @@ - * @preconditions - * @postconditions - */ -- public native void C_EncryptInit(long hSession, CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception; -+ public native void C_EncryptInit(long hSession, CK_MECHANISM pMechanism, -+ long hKey) throws PKCS11Exception; - - - /** -@@ -713,7 +735,8 @@ - * @preconditions (pData <> null) - * @postconditions (result <> null) - */ -- public native int C_Encrypt(long hSession, byte[] in, int inOfs, int inLen, byte[] out, int outOfs, int outLen) throws PKCS11Exception; -+ public native int C_Encrypt(long hSession, byte[] in, int inOfs, int inLen, -+ byte[] out, int outOfs, int outLen) throws PKCS11Exception; - - - /** -@@ -732,7 +755,9 @@ - * @preconditions (pPart <> null) - * @postconditions - */ -- public native int C_EncryptUpdate(long hSession, long directIn, byte[] in, int inOfs, int inLen, long directOut, byte[] out, int outOfs, int outLen) throws PKCS11Exception; -+ public native int C_EncryptUpdate(long hSession, long directIn, byte[] in, -+ int inOfs, int inLen, long directOut, byte[] out, int outOfs, -+ int outLen) throws PKCS11Exception; - - - /** -@@ -749,7 +774,8 @@ - * @preconditions - * @postconditions (result <> null) - */ -- public native int C_EncryptFinal(long hSession, long directOut, byte[] out, int outOfs, int outLen) throws PKCS11Exception; -+ public native int C_EncryptFinal(long hSession, long directOut, byte[] out, -+ int outOfs, int outLen) throws PKCS11Exception; - - - /** -@@ -766,7 +792,8 @@ - * @preconditions - * @postconditions - */ -- public native void C_DecryptInit(long hSession, CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception; -+ public native void C_DecryptInit(long hSession, CK_MECHANISM pMechanism, -+ long hKey) throws PKCS11Exception; - - - /** -@@ -785,7 +812,8 @@ - * @preconditions (pEncryptedPart <> null) - * @postconditions (result <> null) - */ -- public native int C_Decrypt(long hSession, byte[] in, int inOfs, int inLen, byte[] out, int outOfs, int outLen) throws PKCS11Exception; -+ public native int C_Decrypt(long hSession, byte[] in, int inOfs, int inLen, -+ byte[] out, int outOfs, int outLen) throws PKCS11Exception; - - - /** -@@ -805,7 +833,9 @@ - * @preconditions (pEncryptedPart <> null) - * @postconditions - */ -- public native int C_DecryptUpdate(long hSession, long directIn, byte[] in, int inOfs, int inLen, long directOut, byte[] out, int outOfs, int outLen) throws PKCS11Exception; -+ public native int C_DecryptUpdate(long hSession, long directIn, byte[] in, -+ int inOfs, int inLen, long directOut, byte[] out, int outOfs, -+ int outLen) throws PKCS11Exception; - - - /** -@@ -822,7 +852,8 @@ - * @preconditions - * @postconditions (result <> null) - */ -- public native int C_DecryptFinal(long hSession, long directOut, byte[] out, int outOfs, int outLen) throws PKCS11Exception; -+ public native int C_DecryptFinal(long hSession, long directOut, byte[] out, -+ int outOfs, int outLen) throws PKCS11Exception; - - - -@@ -842,7 +873,8 @@ - * @preconditions - * @postconditions - */ -- public native void C_DigestInit(long hSession, CK_MECHANISM pMechanism) throws PKCS11Exception; -+ public native void C_DigestInit(long hSession, CK_MECHANISM pMechanism) -+ throws PKCS11Exception; - - - // note that C_DigestSingle does not exist in PKCS#11 -@@ -863,7 +895,9 @@ - * @preconditions (data <> null) - * @postconditions (result <> null) - */ -- public native int C_DigestSingle(long hSession, CK_MECHANISM pMechanism, byte[] in, int inOfs, int inLen, byte[] digest, int digestOfs, int digestLen) throws PKCS11Exception; -+ public native int C_DigestSingle(long hSession, CK_MECHANISM pMechanism, -+ byte[] in, int inOfs, int inLen, byte[] digest, int digestOfs, -+ int digestLen) throws PKCS11Exception; - - - /** -@@ -879,7 +913,8 @@ - * @preconditions (pPart <> null) - * @postconditions - */ -- public native void C_DigestUpdate(long hSession, long directIn, byte[] in, int inOfs, int inLen) throws PKCS11Exception; -+ public native void C_DigestUpdate(long hSession, long directIn, byte[] in, -+ int inOfs, int inLen) throws PKCS11Exception; - - - /** -@@ -896,7 +931,8 @@ - * @preconditions - * @postconditions - */ -- public native void C_DigestKey(long hSession, long hKey) throws PKCS11Exception; -+ public native void C_DigestKey(long hSession, long hKey) -+ throws PKCS11Exception; - - - /** -@@ -912,7 +948,8 @@ - * @preconditions - * @postconditions (result <> null) - */ -- public native int C_DigestFinal(long hSession, byte[] pDigest, int digestOfs, int digestLen) throws PKCS11Exception; -+ public native int C_DigestFinal(long hSession, byte[] pDigest, int digestOfs, -+ int digestLen) throws PKCS11Exception; - - - -@@ -937,7 +974,8 @@ - * @preconditions - * @postconditions - */ -- public native void C_SignInit(long hSession, CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception; -+ public native void C_SignInit(long hSession, CK_MECHANISM pMechanism, -+ long hKey) throws PKCS11Exception; - - - /** -@@ -957,7 +995,8 @@ - * @preconditions (pData <> null) - * @postconditions (result <> null) - */ -- public native byte[] C_Sign(long hSession, byte[] pData) throws PKCS11Exception; -+ public native byte[] C_Sign(long hSession, byte[] pData) -+ throws PKCS11Exception; - - - /** -@@ -974,7 +1013,8 @@ - * @preconditions (pPart <> null) - * @postconditions - */ -- public native void C_SignUpdate(long hSession, long directIn, byte[] in, int inOfs, int inLen) throws PKCS11Exception; -+ public native void C_SignUpdate(long hSession, long directIn, byte[] in, -+ int inOfs, int inLen) throws PKCS11Exception; - - - /** -@@ -991,7 +1031,8 @@ - * @preconditions - * @postconditions (result <> null) - */ -- public native byte[] C_SignFinal(long hSession, int expectedLen) throws PKCS11Exception; -+ public native byte[] C_SignFinal(long hSession, int expectedLen) -+ throws PKCS11Exception; - - - /** -@@ -1009,7 +1050,8 @@ - * @preconditions - * @postconditions - */ -- public native void C_SignRecoverInit(long hSession, CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception; -+ public native void C_SignRecoverInit(long hSession, CK_MECHANISM pMechanism, -+ long hKey) throws PKCS11Exception; - - - /** -@@ -1028,7 +1070,9 @@ - * @preconditions (pData <> null) - * @postconditions (result <> null) - */ -- public native int C_SignRecover(long hSession, byte[] in, int inOfs, int inLen, byte[] out, int outOufs, int outLen) throws PKCS11Exception; -+ public native int C_SignRecover(long hSession, byte[] in, int inOfs, -+ int inLen, byte[] out, int outOufs, int outLen) -+ throws PKCS11Exception; - - - -@@ -1052,7 +1096,8 @@ - * @preconditions - * @postconditions - */ -- public native void C_VerifyInit(long hSession, CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception; -+ public native void C_VerifyInit(long hSession, CK_MECHANISM pMechanism, -+ long hKey) throws PKCS11Exception; - - - /** -@@ -1071,7 +1116,8 @@ - * @preconditions (pData <> null) and (pSignature <> null) - * @postconditions - */ -- public native void C_Verify(long hSession, byte[] pData, byte[] pSignature) throws PKCS11Exception; -+ public native void C_Verify(long hSession, byte[] pData, byte[] pSignature) -+ throws PKCS11Exception; - - - /** -@@ -1088,7 +1134,8 @@ - * @preconditions (pPart <> null) - * @postconditions - */ -- public native void C_VerifyUpdate(long hSession, long directIn, byte[] in, int inOfs, int inLen) throws PKCS11Exception; -+ public native void C_VerifyUpdate(long hSession, long directIn, byte[] in, -+ int inOfs, int inLen) throws PKCS11Exception; - - - /** -@@ -1104,7 +1151,8 @@ - * @preconditions (pSignature <> null) - * @postconditions - */ -- public native void C_VerifyFinal(long hSession, byte[] pSignature) throws PKCS11Exception; -+ public native void C_VerifyFinal(long hSession, byte[] pSignature) -+ throws PKCS11Exception; - - - /** -@@ -1122,7 +1170,8 @@ - * @preconditions - * @postconditions - */ -- public native void C_VerifyRecoverInit(long hSession, CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception; -+ public native void C_VerifyRecoverInit(long hSession, -+ CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception; - - - /** -@@ -1140,7 +1189,9 @@ - * @preconditions (pSignature <> null) - * @postconditions (result <> null) - */ -- public native int C_VerifyRecover(long hSession, byte[] in, int inOfs, int inLen, byte[] out, int outOufs, int outLen) throws PKCS11Exception; -+ public native int C_VerifyRecover(long hSession, byte[] in, int inOfs, -+ int inLen, byte[] out, int outOufs, int outLen) -+ throws PKCS11Exception; - - - -@@ -1164,7 +1215,8 @@ - * @preconditions (pPart <> null) - * @postconditions - */ --// public native byte[] C_DigestEncryptUpdate(long hSession, byte[] pPart) throws PKCS11Exception; -+// public native byte[] C_DigestEncryptUpdate(long hSession, byte[] pPart) -+// throws PKCS11Exception; - - - /** -@@ -1184,7 +1236,8 @@ - * @preconditions (pEncryptedPart <> null) - * @postconditions - */ --// public native byte[] C_DecryptDigestUpdate(long hSession, byte[] pEncryptedPart) throws PKCS11Exception; -+// public native byte[] C_DecryptDigestUpdate(long hSession, -+// byte[] pEncryptedPart) throws PKCS11Exception; - - - /** -@@ -1204,7 +1257,8 @@ - * @preconditions (pPart <> null) - * @postconditions - */ --// public native byte[] C_SignEncryptUpdate(long hSession, byte[] pPart) throws PKCS11Exception; -+// public native byte[] C_SignEncryptUpdate(long hSession, byte[] pPart) -+// throws PKCS11Exception; - - - /** -@@ -1224,7 +1278,8 @@ - * @preconditions (pEncryptedPart <> null) - * @postconditions - */ --// public native byte[] C_DecryptVerifyUpdate(long hSession, byte[] pEncryptedPart) throws PKCS11Exception; -+// public native byte[] C_DecryptVerifyUpdate(long hSession, -+// byte[] pEncryptedPart) throws PKCS11Exception; - - - -@@ -1250,7 +1305,8 @@ - * @preconditions - * @postconditions - */ -- public native long C_GenerateKey(long hSession, CK_MECHANISM pMechanism, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception; -+ public native long C_GenerateKey(long hSession, CK_MECHANISM pMechanism, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception; - - - /** -@@ -1280,9 +1336,8 @@ - * @postconditions (result <> null) and (result.length == 2) - */ - public native long[] C_GenerateKeyPair(long hSession, -- CK_MECHANISM pMechanism, -- CK_ATTRIBUTE[] pPublicKeyTemplate, -- CK_ATTRIBUTE[] pPrivateKeyTemplate) throws PKCS11Exception; -+ CK_MECHANISM pMechanism, CK_ATTRIBUTE[] pPublicKeyTemplate, -+ CK_ATTRIBUTE[] pPrivateKeyTemplate) throws PKCS11Exception; - - - -@@ -1305,7 +1360,8 @@ - * @preconditions - * @postconditions (result <> null) - */ -- public native byte[] C_WrapKey(long hSession, CK_MECHANISM pMechanism, long hWrappingKey, long hKey) throws PKCS11Exception; -+ public native byte[] C_WrapKey(long hSession, CK_MECHANISM pMechanism, -+ long hWrappingKey, long hKey) throws PKCS11Exception; - - - /** -@@ -1331,8 +1387,8 @@ - * @postconditions - */ - public native long C_UnwrapKey(long hSession, CK_MECHANISM pMechanism, -- long hUnwrappingKey, byte[] pWrappedKey, -- CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception; -+ long hUnwrappingKey, byte[] pWrappedKey, CK_ATTRIBUTE[] pTemplate) -+ throws PKCS11Exception; - - - /** -@@ -1356,7 +1412,7 @@ - * @postconditions - */ - public native long C_DeriveKey(long hSession, CK_MECHANISM pMechanism, -- long hBaseKey, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception; -+ long hBaseKey, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception; - - - -@@ -1377,7 +1433,8 @@ - * @preconditions (pSeed <> null) - * @postconditions - */ -- public native void C_SeedRandom(long hSession, byte[] pSeed) throws PKCS11Exception; -+ public native void C_SeedRandom(long hSession, byte[] pSeed) -+ throws PKCS11Exception; - - - /** -@@ -1393,7 +1450,8 @@ - * @preconditions (randomData <> null) - * @postconditions - */ -- public native void C_GenerateRandom(long hSession, byte[] randomData) throws PKCS11Exception; -+ public native void C_GenerateRandom(long hSession, byte[] randomData) -+ throws PKCS11Exception; - - - -@@ -1413,7 +1471,8 @@ - * @preconditions - * @postconditions - */ --// public native void C_GetFunctionStatus(long hSession) throws PKCS11Exception; -+// public native void C_GetFunctionStatus(long hSession) -+// throws PKCS11Exception; - - - /** -@@ -1450,7 +1509,8 @@ - * @preconditions (pRserved == null) - * @postconditions - */ --// public native long C_WaitForSlotEvent(long flags, Object pRserved) throws PKCS11Exception; -+// public native long C_WaitForSlotEvent(long flags, Object pRserved) -+// throws PKCS11Exception; - - /** - * Returns the string representation of this object. -@@ -1476,7 +1536,8 @@ - // parent. Used for tokens that only support single threaded access - static class SynchronizedPKCS11 extends PKCS11 { - -- SynchronizedPKCS11(String pkcs11ModulePath, String functionListName) throws IOException { -+ SynchronizedPKCS11(String pkcs11ModulePath, String functionListName) -+ throws IOException { - super(pkcs11ModulePath, functionListName); - } - -@@ -1484,7 +1545,8 @@ - super.C_Initialize(pInitArgs); - } - -- public synchronized void C_Finalize(Object pReserved) throws PKCS11Exception { -+ public synchronized void C_Finalize(Object pReserved) -+ throws PKCS11Exception { - super.C_Finalize(pReserved); - } - -@@ -1492,39 +1554,48 @@ - return super.C_GetInfo(); - } - -- public synchronized long[] C_GetSlotList(boolean tokenPresent) throws PKCS11Exception { -+ public synchronized long[] C_GetSlotList(boolean tokenPresent) -+ throws PKCS11Exception { - return super.C_GetSlotList(tokenPresent); - } - -- public synchronized CK_SLOT_INFO C_GetSlotInfo(long slotID) throws PKCS11Exception { -+ public synchronized CK_SLOT_INFO C_GetSlotInfo(long slotID) -+ throws PKCS11Exception { - return super.C_GetSlotInfo(slotID); - } - -- public synchronized CK_TOKEN_INFO C_GetTokenInfo(long slotID) throws PKCS11Exception { -+ public synchronized CK_TOKEN_INFO C_GetTokenInfo(long slotID) -+ throws PKCS11Exception { - return super.C_GetTokenInfo(slotID); - } - -- public synchronized long[] C_GetMechanismList(long slotID) throws PKCS11Exception { -+ public synchronized long[] C_GetMechanismList(long slotID) -+ throws PKCS11Exception { - return super.C_GetMechanismList(slotID); - } - -- public synchronized CK_MECHANISM_INFO C_GetMechanismInfo(long slotID, long type) throws PKCS11Exception { -+ public synchronized CK_MECHANISM_INFO C_GetMechanismInfo(long slotID, -+ long type) throws PKCS11Exception { - return super.C_GetMechanismInfo(slotID, type); - } - -- public synchronized long C_OpenSession(long slotID, long flags, Object pApplication, CK_NOTIFY Notify) throws PKCS11Exception { -+ public synchronized long C_OpenSession(long slotID, long flags, -+ Object pApplication, CK_NOTIFY Notify) throws PKCS11Exception { - return super.C_OpenSession(slotID, flags, pApplication, Notify); - } - -- public synchronized void C_CloseSession(long hSession) throws PKCS11Exception { -+ public synchronized void C_CloseSession(long hSession) -+ throws PKCS11Exception { - super.C_CloseSession(hSession); - } - -- public synchronized CK_SESSION_INFO C_GetSessionInfo(long hSession) throws PKCS11Exception { -+ public synchronized CK_SESSION_INFO C_GetSessionInfo(long hSession) -+ throws PKCS11Exception { - return super.C_GetSessionInfo(hSession); - } - -- public synchronized void C_Login(long hSession, long userType, char[] pPin) throws PKCS11Exception { -+ public synchronized void C_Login(long hSession, long userType, char[] pPin) -+ throws PKCS11Exception { - super.C_Login(hSession, userType, pPin); - } - -@@ -1532,157 +1603,207 @@ - super.C_Logout(hSession); - } - -- public synchronized long C_CreateObject(long hSession, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ public synchronized long C_CreateObject(long hSession, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { - return super.C_CreateObject(hSession, pTemplate); - } - -- public synchronized long C_CopyObject(long hSession, long hObject, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ public synchronized long C_CopyObject(long hSession, long hObject, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { - return super.C_CopyObject(hSession, hObject, pTemplate); - } - -- public synchronized void C_DestroyObject(long hSession, long hObject) throws PKCS11Exception { -+ public synchronized void C_DestroyObject(long hSession, long hObject) -+ throws PKCS11Exception { - super.C_DestroyObject(hSession, hObject); - } - -- public synchronized void C_GetAttributeValue(long hSession, long hObject, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ public synchronized void C_GetAttributeValue(long hSession, long hObject, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { - super.C_GetAttributeValue(hSession, hObject, pTemplate); - } - -- public synchronized void C_SetAttributeValue(long hSession, long hObject, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ public synchronized void C_SetAttributeValue(long hSession, long hObject, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { - super.C_SetAttributeValue(hSession, hObject, pTemplate); - } - -- public synchronized void C_FindObjectsInit(long hSession, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ public synchronized void C_FindObjectsInit(long hSession, -+ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { - super.C_FindObjectsInit(hSession, pTemplate); - } - -- public synchronized long[] C_FindObjects(long hSession, long ulMaxObjectCount) throws PKCS11Exception { -+ public synchronized long[] C_FindObjects(long hSession, -+ long ulMaxObjectCount) throws PKCS11Exception { - return super.C_FindObjects(hSession, ulMaxObjectCount); - } - -- public synchronized void C_FindObjectsFinal(long hSession) throws PKCS11Exception { -+ public synchronized void C_FindObjectsFinal(long hSession) -+ throws PKCS11Exception { - super.C_FindObjectsFinal(hSession); - } - -- public synchronized void C_EncryptInit(long hSession, CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception { -+ public synchronized void C_EncryptInit(long hSession, -+ CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception { - super.C_EncryptInit(hSession, pMechanism, hKey); - } - -- public synchronized int C_Encrypt(long hSession, byte[] in, int inOfs, int inLen, byte[] out, int outOfs, int outLen) throws PKCS11Exception { -+ public synchronized int C_Encrypt(long hSession, byte[] in, int inOfs, -+ int inLen, byte[] out, int outOfs, int outLen) -+ throws PKCS11Exception { - return super.C_Encrypt(hSession, in, inOfs, inLen, out, outOfs, outLen); - } - -- public synchronized int C_EncryptUpdate(long hSession, long directIn, byte[] in, int inOfs, int inLen, long directOut, byte[] out, int outOfs, int outLen) throws PKCS11Exception { -- return super.C_EncryptUpdate(hSession, directIn, in, inOfs, inLen, directOut, out, outOfs, outLen); -+ public synchronized int C_EncryptUpdate(long hSession, long directIn, -+ byte[] in, int inOfs, int inLen, long directOut, byte[] out, -+ int outOfs, int outLen) throws PKCS11Exception { -+ return super.C_EncryptUpdate(hSession, directIn, in, inOfs, inLen, -+ directOut, out, outOfs, outLen); - } - -- public synchronized int C_EncryptFinal(long hSession, long directOut, byte[] out, int outOfs, int outLen) throws PKCS11Exception { -+ public synchronized int C_EncryptFinal(long hSession, long directOut, -+ byte[] out, int outOfs, int outLen) throws PKCS11Exception { - return super.C_EncryptFinal(hSession, directOut, out, outOfs, outLen); - } - -- public synchronized void C_DecryptInit(long hSession, CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception { -+ public synchronized void C_DecryptInit(long hSession, -+ CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception { - super.C_DecryptInit(hSession, pMechanism, hKey); - } - -- public synchronized int C_Decrypt(long hSession, byte[] in, int inOfs, int inLen, byte[] out, int outOfs, int outLen) throws PKCS11Exception { -+ public synchronized int C_Decrypt(long hSession, byte[] in, int inOfs, -+ int inLen, byte[] out, int outOfs, int outLen) -+ throws PKCS11Exception { - return super.C_Decrypt(hSession, in, inOfs, inLen, out, outOfs, outLen); - } - -- public synchronized int C_DecryptUpdate(long hSession, long directIn, byte[] in, int inOfs, int inLen, long directOut, byte[] out, int outOfs, int outLen) throws PKCS11Exception { -- return super.C_DecryptUpdate(hSession, directIn, in, inOfs, inLen, directOut, out, outOfs, outLen); -+ public synchronized int C_DecryptUpdate(long hSession, long directIn, -+ byte[] in, int inOfs, int inLen, long directOut, byte[] out, -+ int outOfs, int outLen) throws PKCS11Exception { -+ return super.C_DecryptUpdate(hSession, directIn, in, inOfs, inLen, -+ directOut, out, outOfs, outLen); - } - -- public synchronized int C_DecryptFinal(long hSession, long directOut, byte[] out, int outOfs, int outLen) throws PKCS11Exception { -+ public synchronized int C_DecryptFinal(long hSession, long directOut, -+ byte[] out, int outOfs, int outLen) throws PKCS11Exception { - return super.C_DecryptFinal(hSession, directOut, out, outOfs, outLen); - } - -- public synchronized void C_DigestInit(long hSession, CK_MECHANISM pMechanism) throws PKCS11Exception { -+ public synchronized void C_DigestInit(long hSession, CK_MECHANISM pMechanism) -+ throws PKCS11Exception { - super.C_DigestInit(hSession, pMechanism); - } - -- public synchronized int C_DigestSingle(long hSession, CK_MECHANISM pMechanism, byte[] in, int inOfs, int inLen, byte[] digest, int digestOfs, int digestLen) throws PKCS11Exception { -- return super.C_DigestSingle(hSession, pMechanism, in, inOfs, inLen, digest, digestOfs, digestLen); -+ public synchronized int C_DigestSingle(long hSession, -+ CK_MECHANISM pMechanism, byte[] in, int inOfs, int inLen, -+ byte[] digest, int digestOfs, int digestLen) throws PKCS11Exception { -+ return super.C_DigestSingle(hSession, pMechanism, in, inOfs, inLen, -+ digest, digestOfs, digestLen); - } - -- public synchronized void C_DigestUpdate(long hSession, long directIn, byte[] in, int inOfs, int inLen) throws PKCS11Exception { -+ public synchronized void C_DigestUpdate(long hSession, long directIn, -+ byte[] in, int inOfs, int inLen) throws PKCS11Exception { - super.C_DigestUpdate(hSession, directIn, in, inOfs, inLen); - } - -- public synchronized void C_DigestKey(long hSession, long hKey) throws PKCS11Exception { -+ public synchronized void C_DigestKey(long hSession, long hKey) -+ throws PKCS11Exception { - super.C_DigestKey(hSession, hKey); - } - -- public synchronized int C_DigestFinal(long hSession, byte[] pDigest, int digestOfs, int digestLen) throws PKCS11Exception { -+ public synchronized int C_DigestFinal(long hSession, byte[] pDigest, -+ int digestOfs, int digestLen) throws PKCS11Exception { - return super.C_DigestFinal(hSession, pDigest, digestOfs, digestLen); - } - -- public synchronized void C_SignInit(long hSession, CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception { -+ public synchronized void C_SignInit(long hSession, CK_MECHANISM pMechanism, -+ long hKey) throws PKCS11Exception { - super.C_SignInit(hSession, pMechanism, hKey); - } - -- public synchronized byte[] C_Sign(long hSession, byte[] pData) throws PKCS11Exception { -+ public synchronized byte[] C_Sign(long hSession, byte[] pData) -+ throws PKCS11Exception { - return super.C_Sign(hSession, pData); - } - -- public synchronized void C_SignUpdate(long hSession, long directIn, byte[] in, int inOfs, int inLen) throws PKCS11Exception { -+ public synchronized void C_SignUpdate(long hSession, long directIn, -+ byte[] in, int inOfs, int inLen) throws PKCS11Exception { - super.C_SignUpdate(hSession, directIn, in, inOfs, inLen); - } - -- public synchronized byte[] C_SignFinal(long hSession, int expectedLen) throws PKCS11Exception { -+ public synchronized byte[] C_SignFinal(long hSession, int expectedLen) -+ throws PKCS11Exception { - return super.C_SignFinal(hSession, expectedLen); - } - -- public synchronized void C_SignRecoverInit(long hSession, CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception { -+ public synchronized void C_SignRecoverInit(long hSession, -+ CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception { - super.C_SignRecoverInit(hSession, pMechanism, hKey); - } - -- public synchronized int C_SignRecover(long hSession, byte[] in, int inOfs, int inLen, byte[] out, int outOufs, int outLen) throws PKCS11Exception { -- return super.C_SignRecover(hSession, in, inOfs, inLen, out, outOufs, outLen); -+ public synchronized int C_SignRecover(long hSession, byte[] in, int inOfs, -+ int inLen, byte[] out, int outOufs, int outLen) -+ throws PKCS11Exception { -+ return super.C_SignRecover(hSession, in, inOfs, inLen, out, outOufs, -+ outLen); - } - -- public synchronized void C_VerifyInit(long hSession, CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception { -+ public synchronized void C_VerifyInit(long hSession, CK_MECHANISM pMechanism, -+ long hKey) throws PKCS11Exception { - super.C_VerifyInit(hSession, pMechanism, hKey); - } - -- public synchronized void C_Verify(long hSession, byte[] pData, byte[] pSignature) throws PKCS11Exception { -+ public synchronized void C_Verify(long hSession, byte[] pData, -+ byte[] pSignature) throws PKCS11Exception { - super.C_Verify(hSession, pData, pSignature); - } - -- public synchronized void C_VerifyUpdate(long hSession, long directIn, byte[] in, int inOfs, int inLen) throws PKCS11Exception { -+ public synchronized void C_VerifyUpdate(long hSession, long directIn, -+ byte[] in, int inOfs, int inLen) throws PKCS11Exception { - super.C_VerifyUpdate(hSession, directIn, in, inOfs, inLen); - } - -- public synchronized void C_VerifyFinal(long hSession, byte[] pSignature) throws PKCS11Exception { -+ public synchronized void C_VerifyFinal(long hSession, byte[] pSignature) -+ throws PKCS11Exception { - super.C_VerifyFinal(hSession, pSignature); - } - -- public synchronized void C_VerifyRecoverInit(long hSession, CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception { -+ public synchronized void C_VerifyRecoverInit(long hSession, -+ CK_MECHANISM pMechanism, long hKey) throws PKCS11Exception { - super.C_VerifyRecoverInit(hSession, pMechanism, hKey); - } - -- public synchronized int C_VerifyRecover(long hSession, byte[] in, int inOfs, int inLen, byte[] out, int outOufs, int outLen) throws PKCS11Exception { -- return super.C_VerifyRecover(hSession, in, inOfs, inLen, out, outOufs, outLen); -+ public synchronized int C_VerifyRecover(long hSession, byte[] in, int inOfs, -+ int inLen, byte[] out, int outOufs, int outLen) -+ throws PKCS11Exception { -+ return super.C_VerifyRecover(hSession, in, inOfs, inLen, out, outOufs, -+ outLen); - } - -- public synchronized long C_GenerateKey(long hSession, CK_MECHANISM pMechanism, CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -+ public synchronized long C_GenerateKey(long hSession, -+ CK_MECHANISM pMechanism, CK_ATTRIBUTE[] pTemplate) -+ throws PKCS11Exception { - return super.C_GenerateKey(hSession, pMechanism, pTemplate); - } - - public synchronized long[] C_GenerateKeyPair(long hSession, -- CK_MECHANISM pMechanism, -- CK_ATTRIBUTE[] pPublicKeyTemplate, -- CK_ATTRIBUTE[] pPrivateKeyTemplate) throws PKCS11Exception { -- return super.C_GenerateKeyPair(hSession, pMechanism, pPublicKeyTemplate, pPrivateKeyTemplate); -+ CK_MECHANISM pMechanism, CK_ATTRIBUTE[] pPublicKeyTemplate, -+ CK_ATTRIBUTE[] pPrivateKeyTemplate) -+ throws PKCS11Exception { -+ return super.C_GenerateKeyPair(hSession, pMechanism, pPublicKeyTemplate, -+ pPrivateKeyTemplate); - } - -- public synchronized byte[] C_WrapKey(long hSession, CK_MECHANISM pMechanism, long hWrappingKey, long hKey) throws PKCS11Exception { -+ public synchronized byte[] C_WrapKey(long hSession, CK_MECHANISM pMechanism, -+ long hWrappingKey, long hKey) throws PKCS11Exception { - return super.C_WrapKey(hSession, pMechanism, hWrappingKey, hKey); - } - - public synchronized long C_UnwrapKey(long hSession, CK_MECHANISM pMechanism, -- long hUnwrappingKey, byte[] pWrappedKey, -- CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception { -- return super.C_UnwrapKey(hSession, pMechanism, hUnwrappingKey, pWrappedKey, pTemplate); -+ long hUnwrappingKey, byte[] pWrappedKey, CK_ATTRIBUTE[] pTemplate) -+ throws PKCS11Exception { -+ return super.C_UnwrapKey(hSession, pMechanism, hUnwrappingKey, -+ pWrappedKey, pTemplate); - } - - public synchronized long C_DeriveKey(long hSession, CK_MECHANISM pMechanism, -@@ -1690,14 +1811,14 @@ - return super.C_DeriveKey(hSession, pMechanism, hBaseKey, pTemplate); - } - -- public synchronized void C_SeedRandom(long hSession, byte[] pSeed) throws PKCS11Exception { -+ public synchronized void C_SeedRandom(long hSession, byte[] pSeed) -+ throws PKCS11Exception { - super.C_SeedRandom(hSession, pSeed); - } - -- public synchronized void C_GenerateRandom(long hSession, byte[] randomData) throws PKCS11Exception { -+ public synchronized void C_GenerateRandom(long hSession, byte[] randomData) -+ throws PKCS11Exception { - super.C_GenerateRandom(hSession, randomData); - } -- - } -- - } -diff -Nru openjdk.orig/jdk/src/share/lib/security/sunpkcs11-solaris.cfg openjdk/jdk/src/share/lib/security/sunpkcs11-solaris.cfg ---- openjdk.orig/jdk/src/share/lib/security/sunpkcs11-solaris.cfg 2012-05-01 22:18:31.000000000 +0100 -+++ openjdk/jdk/src/share/lib/security/sunpkcs11-solaris.cfg 2012-08-08 18:44:13.570735299 +0100 -@@ -14,17 +14,22 @@ - attributes = compatibility - - disabledMechanisms = { -+ CKM_DSA_KEY_PAIR_GEN -+# the following mechanisms are disabled due to CKR_SAVED_STATE_INVALID bug -+# (Solaris bug 7058108) - CKM_MD2 - CKM_MD5 - CKM_SHA_1 -+# the following mechanisms are disabled due to no cloning support -+# (Solaris bug 7050617) - CKM_SHA256 - CKM_SHA384 - CKM_SHA512 -- CKM_DSA_KEY_PAIR_GEN - # KEY_AND_MAC_DERIVE disabled due to Solaris bug 6306708 - CKM_SSL3_KEY_AND_MAC_DERIVE - CKM_TLS_KEY_AND_MAC_DERIVE --# the following mechanisms are disabled due to performance issues (Solaris bug 6337157) -+# the following mechanisms are disabled due to performance issues -+# (Solaris bug 6337157) - CKM_DSA_SHA1 - CKM_MD5_RSA_PKCS - CKM_SHA1_RSA_PKCS -diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h ---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h 2012-08-08 18:39:27.921768411 +0100 -+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h 2012-08-08 18:42:13.080667322 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2012, Oracle and/or its affiliates. All rights reserved. - */ - - /* Copyright (c) 2002 Graz University of Technology. All rights reserved. -@@ -96,8 +96,8 @@ - #define P11_ENABLE_C_CLOSESESSION - #undef P11_ENABLE_C_CLOSEALLSESSIONS - #define P11_ENABLE_C_GETSESSIONINFO --#undef P11_ENABLE_C_GETOPERATIONSTATE --#undef P11_ENABLE_C_SETOPERATIONSTATE -+#define P11_ENABLE_C_GETOPERATIONSTATE -+#define P11_ENABLE_C_SETOPERATIONSTATE - #define P11_ENABLE_C_LOGIN - #define P11_ENABLE_C_LOGOUT - #define P11_ENABLE_C_CREATEOBJECT -diff -Nru openjdk.orig/jdk/test/sun/security/pkcs11/MessageDigest/TestCloning.java openjdk/jdk/test/sun/security/pkcs11/MessageDigest/TestCloning.java ---- openjdk.orig/jdk/test/sun/security/pkcs11/MessageDigest/TestCloning.java 1970-01-01 01:00:00.000000000 +0100 -+++ openjdk/jdk/test/sun/security/pkcs11/MessageDigest/TestCloning.java 2012-08-08 18:42:13.080667322 +0100 -@@ -0,0 +1,141 @@ -+/* -+ * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+/** -+ * @test -+ * @bug 6414899 -+ * @summary Ensure the cloning functionality works. -+ * @author Valerie Peng -+ * @library .. -+ */ -+ -+import java.util.*; -+ -+import java.security.*; -+ -+public class TestCloning extends PKCS11Test { -+ -+ private static final String[] ALGOS = { -+ "MD2", "MD5", "SHA1", "SHA-256", "SHA-384", "SHA-512" -+ }; -+ -+ public static void main(String[] args) throws Exception { -+ main(new TestCloning()); -+ } -+ -+ private static final byte[] data1 = new byte[10]; -+ private static final byte[] data2 = new byte[10*1024]; -+ -+ -+ public void main(Provider p) throws Exception { -+ Random r = new Random(); -+ byte[] data1 = new byte[10]; -+ byte[] data2 = new byte[2*1024]; -+ r.nextBytes(data1); -+ r.nextBytes(data2); -+ System.out.println("Testing against provider " + p.getName()); -+ for (int i = 0; i < ALGOS.length; i++) { -+ if (p.getService("MessageDigest", ALGOS[i]) == null) { -+ System.out.println(ALGOS[i] + " is not supported, skipping"); -+ continue; -+ } else { -+ System.out.println("Testing " + ALGOS[i] + " of " + p.getName()); -+ MessageDigest md = MessageDigest.getInstance(ALGOS[i], p); -+ try { -+ md = testCloning(md, p); -+ // repeat the test again after generating digest once -+ for (int j = 0; j < 10; j++) { -+ md = testCloning(md, p); -+ } -+ } catch (Exception ex) { -+ if (ALGOS[i] == "MD2" && -+ p.getName().equalsIgnoreCase("SunPKCS11-NSS")) { -+ // known bug in NSS; ignore for now -+ System.out.println("Ignore Known bug in MD2 of NSS"); -+ continue; -+ } -+ throw ex; -+ } -+ } -+ } -+ } -+ -+ private static MessageDigest testCloning(MessageDigest mdObj, Provider p) -+ throws Exception { -+ -+ // copy#0: clone at state BLANK w/o any data -+ MessageDigest mdCopy0 = (MessageDigest) mdObj.clone(); -+ -+ // copy#1: clone again at state BUFFERED w/ very short data -+ mdObj.update(data1); -+ mdCopy0.update(data1); -+ MessageDigest mdCopy1 = (MessageDigest) mdObj.clone(); -+ -+ // copy#2: clone again after updating it w/ long data to trigger -+ // the state into INIT -+ mdObj.update(data2); -+ mdCopy0.update(data2); -+ mdCopy1.update(data2); -+ MessageDigest mdCopy2 = (MessageDigest) mdObj.clone(); -+ -+ // copy#3: clone again after updating it w/ very short data -+ mdObj.update(data1); -+ mdCopy0.update(data1); -+ mdCopy1.update(data1); -+ mdCopy2.update(data1); -+ MessageDigest mdCopy3 = (MessageDigest) mdObj.clone(); -+ -+ // copy#4: clone again after updating it w/ long data -+ mdObj.update(data2); -+ mdCopy0.update(data2); -+ mdCopy1.update(data2); -+ mdCopy2.update(data2); -+ mdCopy3.update(data2); -+ MessageDigest mdCopy4 = (MessageDigest) mdObj.clone(); -+ -+ // check digest equalities -+ byte[] answer = mdObj.digest(); -+ byte[] result0 = mdCopy0.digest(); -+ byte[] result1 = mdCopy1.digest(); -+ byte[] result2 = mdCopy2.digest(); -+ byte[] result3 = mdCopy3.digest(); -+ byte[] result4 = mdCopy4.digest(); -+ -+ -+ check(answer, result0, "copy0"); -+ check(answer, result1, "copy1"); -+ check(answer, result2, "copy2"); -+ check(answer, result3, "copy3"); -+ check(answer, result4, "copy4"); -+ -+ return mdCopy3; -+ } -+ -+ private static void check(byte[] d1, byte[] d2, String copyName) -+ throws Exception { -+ if (Arrays.equals(d1, d2) == false) { -+ throw new RuntimeException(copyName + " digest mismatch!"); -+ } -+ } -+} -+
--- a/patches/openjdk/p11cipher-6604496-support_ckm_aes_ctr.patch Wed May 04 02:55:09 2016 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,608 +0,0 @@ -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java 2012-10-23 18:11:19.306081852 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java 2012-10-24 03:20:31.807709327 +0100 -@@ -42,14 +42,12 @@ - * Cipher implementation class. This class currently supports - * DES, DESede, AES, ARCFOUR, and Blowfish. - * -- * This class is designed to support ECB and CBC with NoPadding and -- * PKCS5Padding for both. It will use its own padding impl if the -- * native mechanism does not support padding. -+ * This class is designed to support ECB, CBC, CTR with NoPadding -+ * and ECB, CBC with PKCS5Padding. It will use its own padding impl -+ * if the native mechanism does not support padding. - * -- * Note that PKCS#11 current only supports ECB and CBC. There are no -- * provisions for other modes such as CFB, OFB, PCBC, or CTR mode. -- * However, CTR could be implemented relatively easily (and efficiently) -- * on top of ECB mode in this class, if need be. -+ * Note that PKCS#11 currently only supports ECB, CBC, and CTR. -+ * There are no provisions for other modes such as CFB, OFB, and PCBC. - * - * @author Andreas Sterbenz - * @since 1.5 -@@ -60,6 +58,8 @@ - private final static int MODE_ECB = 3; - // mode constant for CBC mode - private final static int MODE_CBC = 4; -+ // mode constant for CTR mode -+ private final static int MODE_CTR = 5; - - // padding constant for NoPadding - private final static int PAD_NONE = 5; -@@ -157,7 +157,7 @@ - private byte[] padBuffer; - private int padBufferLen; - -- // original IV, if in MODE_CBC -+ // original IV, if in MODE_CBC or MODE_CTR - private byte[] iv; - - // number of bytes buffered internally by the native mechanism and padBuffer -@@ -213,6 +213,8 @@ - ("CBC mode not supported with stream ciphers"); - } - result = MODE_CBC; -+ } else if (mode.equals("CTR")) { -+ result = MODE_CTR; - } else { - throw new NoSuchAlgorithmException("Unsupported mode " + mode); - } -@@ -228,6 +230,10 @@ - if (padding.equals("NOPADDING")) { - paddingType = PAD_NONE; - } else if (padding.equals("PKCS5PADDING")) { -+ if (this.blockMode == MODE_CTR) { -+ throw new NoSuchPaddingException -+ ("PKCS#5 padding not supported with CTR mode"); -+ } - paddingType = PAD_PKCS5; - if (mechanism != CKM_DES_CBC_PAD && mechanism != CKM_DES3_CBC_PAD && - mechanism != CKM_AES_CBC_PAD) { -@@ -348,11 +354,14 @@ - ("IV not used in ECB mode"); - } - } -- } else { // MODE_CBC -+ } else { // MODE_CBC or MODE_CTR - if (iv == null) { - if (encrypt == false) { -- throw new InvalidAlgorithmParameterException -- ("IV must be specified for decryption in CBC mode"); -+ String exMsg = -+ (blockMode == MODE_CBC ? -+ "IV must be specified for decryption in CBC mode" : -+ "IV must be specified for decryption in CTR mode"); -+ throw new InvalidAlgorithmParameterException(exMsg); - } - // generate random IV - if (random == null) { -@@ -410,13 +419,15 @@ - if (session == null) { - session = token.getOpSession(); - } -+ CK_MECHANISM mechParams = (blockMode == MODE_CTR? -+ new CK_MECHANISM(mechanism, new CK_AES_CTR_PARAMS(iv)) : -+ new CK_MECHANISM(mechanism, iv)); -+ - try { - if (encrypt) { -- token.p11.C_EncryptInit(session.id(), -- new CK_MECHANISM(mechanism, iv), p11Key.keyID); -+ token.p11.C_EncryptInit(session.id(), mechParams, p11Key.keyID); - } else { -- token.p11.C_DecryptInit(session.id(), -- new CK_MECHANISM(mechanism, iv), p11Key.keyID); -+ token.p11.C_DecryptInit(session.id(), mechParams, p11Key.keyID); - } - } catch (PKCS11Exception ex) { - // release session when initialization failed -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2012-10-23 18:11:19.250080966 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2012-10-24 03:20:31.807709327 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2009, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -620,6 +620,8 @@ - m(CKM_AES_CBC_PAD, CKM_AES_CBC)); - d(CIP, "AES/ECB", P11Cipher, s("AES"), - m(CKM_AES_ECB)); -+ d(CIP, "AES/CTR/NoPadding", P11Cipher, -+ m(CKM_AES_CTR)); - d(CIP, "Blowfish/CBC", P11Cipher, - m(CKM_BLOWFISH_CBC)); - -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_AES_CTR_PARAMS.java openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_AES_CTR_PARAMS.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_AES_CTR_PARAMS.java 1970-01-01 01:00:00.000000000 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_AES_CTR_PARAMS.java 2012-10-24 03:20:31.823709582 +0100 -@@ -0,0 +1,66 @@ -+/* -+ * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. Oracle designates this -+ * particular file as subject to the "Classpath" exception as provided -+ * by Oracle in the LICENSE file that accompanied this code. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+package sun.security.pkcs11.wrapper; -+ -+/** -+ * This class represents the necessary parameters required by -+ * the CKM_AES_CTR mechanism as defined in CK_AES_CTR_PARAMS structure.<p> -+ * <B>PKCS#11 structure:</B> -+ * <PRE> -+ * typedef struct CK_AES_CTR_PARAMS { -+ * CK_ULONG ulCounterBits; -+ * CK_BYTE cb[16]; -+ * } CK_AES_CTR_PARAMS; -+ * </PRE> -+ * -+ * @author Yu-Ching Valerie Peng -+ * @since 1.7 -+ */ -+public class CK_AES_CTR_PARAMS { -+ -+ private final long ulCounterBits; -+ private final byte cb[]; -+ -+ public CK_AES_CTR_PARAMS(byte[] cb) { -+ ulCounterBits = 128; -+ this.cb = cb.clone(); -+ } -+ -+ public String toString() { -+ StringBuffer buffer = new StringBuffer(); -+ -+ buffer.append(Constants.INDENT); -+ buffer.append("ulCounterBits: "); -+ buffer.append(ulCounterBits); -+ buffer.append(Constants.NEWLINE); -+ -+ buffer.append(Constants.INDENT); -+ buffer.append("cb: "); -+ buffer.append(Functions.toHexString(cb)); -+ -+ return buffer.toString(); -+ } -+} -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java 2012-09-21 20:03:48.000000000 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java 2012-10-24 03:20:31.823709582 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. - */ - - /* Copyright (c) 2002 Graz University of Technology. All rights reserved. -@@ -48,6 +48,7 @@ - package sun.security.pkcs11.wrapper; - - import java.math.BigInteger; -+import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - - /** - * class CK_MECHANISM specifies a particular mechanism and any parameters it -@@ -127,6 +128,10 @@ - init(mechanism, params); - } - -+ public CK_MECHANISM(long mechanism, CK_AES_CTR_PARAMS params) { -+ init(mechanism, params); -+ } -+ - private void init(long mechanism, Object pParameter) { - this.mechanism = mechanism; - this.pParameter = pParameter; -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java 2012-09-21 20:03:48.000000000 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java 2012-10-24 03:20:31.823709582 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. - */ - - /* Copyright (c) 2002 Graz University of Technology. All rights reserved. -@@ -47,8 +47,6 @@ - - package sun.security.pkcs11.wrapper; - -- -- - /** - * This interface holds constants of the PKCS#11 v2.11 standard. - * This is mainly the content of the 'pkcs11t.h' header file. -@@ -306,6 +304,10 @@ - - public static final long CKK_VENDOR_DEFINED = 0x80000000L; - -+ // new for v2.20 amendment 3 -+ //public static final long CKK_CAMELLIA = 0x00000025L; -+ //public static final long CKK_ARIA = 0x00000026L; -+ - // pseudo key type ANY (for template manager) - public static final long PCKK_ANY = 0x7FFFFF22L; - -@@ -690,6 +692,34 @@ - - public static final long CKM_VENDOR_DEFINED = 0x80000000L; - -+ // new for v2.20 amendment 3 -+ public static final long CKM_SHA224 = 0x00000255L; -+ public static final long CKM_SHA224_HMAC = 0x00000256L; -+ public static final long CKM_SHA224_HMAC_GENERAL = 0x00000257L; -+ public static final long CKM_SHA224_KEY_DERIVATION = 0x00000396L; -+ public static final long CKM_SHA224_RSA_PKCS = 0x00000046L; -+ public static final long CKM_SHA224_RSA_PKCS_PSS = 0x00000047L; -+ public static final long CKM_AES_CTR = 0x00001086L; -+ /* -+ public static final long CKM_CAMELLIA_KEY_GEN = 0x00000550L; -+ public static final long CKM_CAMELLIA_ECB = 0x00000551L; -+ public static final long CKM_CAMELLIA_CBC = 0x00000552L; -+ public static final long CKM_CAMELLIA_MAC = 0x00000553L; -+ public static final long CKM_CAMELLIA_MAC_GENERAL = 0x00000554L; -+ public static final long CKM_CAMELLIA_CBC_PAD = 0x00000555L; -+ public static final long CKM_CAMELLIA_ECB_ENCRYPT_DATA = 0x00000556L; -+ public static final long CKM_CAMELLIA_CBC_ENCRYPT_DATA = 0x00000557L; -+ public static final long CKM_CAMELLIA_CTR = 0x00000558L; -+ public static final long CKM_ARIA_KEY_GEN = 0x00000560L; -+ public static final long CKM_ARIA_ECB = 0x00000561L; -+ public static final long CKM_ARIA_CBC = 0x00000562L; -+ public static final long CKM_ARIA_MAC = 0x00000563L; -+ public static final long CKM_ARIA_MAC_GENERAL = 0x00000564L; -+ public static final long CKM_ARIA_CBC_PAD = 0x00000565L; -+ public static final long CKM_ARIA_ECB_ENCRYPT_DATA = 0x00000566L; -+ public static final long CKM_ARIA_CBC_ENCRYPT_DATA = 0x00000567L; -+ */ -+ - // NSS private - public static final long CKM_NSS_TLS_PRF_GENERAL = 0x80000373L; - -@@ -881,7 +911,8 @@ - - /* The following MGFs are defined */ - public static final long CKG_MGF1_SHA1 = 0x00000001L; -- -+ // new for v2.20 amendment 3 -+ public static final long CKG_MGF1_SHA224 = 0x00000005L; - - /* The following encoding parameter sources are defined */ - public static final long CKZ_DATA_SPECIFIED = 0x00000001L; -diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_convert.c openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_convert.c ---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_convert.c 2012-10-23 18:11:19.274081347 +0100 -+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_convert.c 2012-10-24 03:20:31.823709582 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. - */ - - /* Copyright (c) 2002 Graz University of Technology. All rights reserved. -@@ -695,6 +695,46 @@ - } - - /* -+ * converts the Java CK_AES_CTR_PARAMS object to a CK_AES_CTR_PARAMS structure -+ * -+ * @param env - used to call JNI funktions to get the Java classes and objects -+ * @param jParam - the Java CK_AES_CTR_PARAMS object to convert -+ * @param ckpParam - pointer to the new CK_AES_CTR_PARAMS structure -+ */ -+void jAesCtrParamsToCKAesCtrParam(JNIEnv *env, jobject jParam, -+ CK_AES_CTR_PARAMS_PTR ckpParam) { -+ jclass jAesCtrParamsClass; -+ jfieldID fieldID; -+ jlong jCounterBits; -+ jobject jCb; -+ CK_BYTE_PTR ckBytes; -+ CK_ULONG ckTemp; -+ -+ /* get ulCounterBits */ -+ jAesCtrParamsClass = (*env)->FindClass(env, CLASS_AES_CTR_PARAMS); -+ if (jAesCtrParamsClass == NULL) { return; } -+ fieldID = (*env)->GetFieldID(env, jAesCtrParamsClass, "ulCounterBits", "J"); -+ if (fieldID == NULL) { return; } -+ jCounterBits = (*env)->GetLongField(env, jParam, fieldID); -+ -+ /* get cb */ -+ fieldID = (*env)->GetFieldID(env, jAesCtrParamsClass, "cb", "[B"); -+ if (fieldID == NULL) { return; } -+ jCb = (*env)->GetObjectField(env, jParam, fieldID); -+ -+ /* populate java values */ -+ ckpParam->ulCounterBits = jLongToCKULong(jCounterBits); -+ jByteArrayToCKByteArray(env, jCb, &ckBytes, &ckTemp); -+ if ((*env)->ExceptionCheck(env)) { return; } -+ if (ckTemp != 16) { -+ TRACE1("ERROR: WRONG CTR IV LENGTH %d", ckTemp); -+ } else { -+ memcpy(ckpParam->cb, ckBytes, ckTemp); -+ free(ckBytes); -+ } -+} -+ -+/* - * converts a Java CK_MECHANISM object into a CK_MECHANISM structure - * - * @param env - used to call JNI funktions to get the values out of the Java object -@@ -937,12 +977,10 @@ - { - /* get all Java mechanism parameter classes */ - jclass jVersionClass, jSsl3MasterKeyDeriveParamsClass, jSsl3KeyMatParamsClass; -- jclass jTlsPrfParamsClass, jRsaPkcsOaepParamsClass, jPbeParamsClass; -- jclass jPkcs5Pbkd2ParamsClass, jRsaPkcsPssParamsClass; -+ jclass jTlsPrfParamsClass, jAesCtrParamsClass, jRsaPkcsOaepParamsClass; -+ jclass jPbeParamsClass, jPkcs5Pbkd2ParamsClass, jRsaPkcsPssParamsClass; - jclass jEcdh1DeriveParamsClass, jEcdh2DeriveParamsClass; - jclass jX942Dh1DeriveParamsClass, jX942Dh2DeriveParamsClass; -- -- /* get all Java mechanism parameter classes */ - TRACE0("\nDEBUG: jMechanismParameterToCKMechanismParameter"); - - /* most common cases, i.e. NULL/byte[]/long, are already handled by -@@ -1045,6 +1083,33 @@ - *ckpParamPtr = ckpParam; - return; - } -+ -+ jAesCtrParamsClass = (*env)->FindClass(env, CLASS_AES_CTR_PARAMS); -+ if (jAesCtrParamsClass == NULL) { return; } -+ if ((*env)->IsInstanceOf(env, jParam, jAesCtrParamsClass)) { -+ /* -+ * CK_AES_CTR_PARAMS -+ */ -+ CK_AES_CTR_PARAMS_PTR ckpParam; -+ -+ ckpParam = (CK_AES_CTR_PARAMS_PTR) malloc(sizeof(CK_AES_CTR_PARAMS)); -+ if (ckpParam == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } -+ -+ /* convert jParameter to CKParameter */ -+ jAesCtrParamsToCKAesCtrParam(env, jParam, ckpParam); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckpParam); -+ return; -+ } -+ -+ /* get length and pointer of parameter */ -+ *ckpLength = sizeof(CK_AES_CTR_PARAMS); -+ *ckpParamPtr = ckpParam; -+ return; -+ } - - jRsaPkcsOaepParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_OAEP_PARAMS); - if (jRsaPkcsOaepParamsClass == NULL) { return; } -diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs-11v2-20a3.h openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs-11v2-20a3.h ---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs-11v2-20a3.h 1970-01-01 01:00:00.000000000 +0100 -+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs-11v2-20a3.h 2012-10-24 03:20:31.823709582 +0100 -@@ -0,0 +1,124 @@ -+/* pkcs-11v2-20a3.h include file for the PKCS #11 Version 2.20 Amendment 3 -+ document. */ -+ -+/* $Revision: 1.4 $ */ -+ -+/* License to copy and use this software is granted provided that it is -+ * identified as "RSA Security Inc. PKCS #11 Cryptographic Token Interface -+ * (Cryptoki) Version 2.20 Amendment 3" in all material mentioning or -+ * referencing this software. -+ -+ * RSA Security Inc. makes no representations concerning either the -+ * merchantability of this software or the suitability of this software for -+ * any particular purpose. It is provided "as is" without express or implied -+ * warranty of any kind. -+ */ -+ -+/* This file is preferably included after inclusion of pkcs11.h */ -+ -+#ifndef _PKCS_11V2_20A3_H_ -+#define _PKCS_11V2_20A3_H_ 1 -+ -+/* Are the definitions of this file already included in pkcs11t.h ? */ -+#ifndef CKK_CAMELLIA -+ -+#ifdef __cplusplus -+extern "C" { -+#endif -+ -+/* Key types */ -+ -+/* Camellia is new for PKCS #11 v2.20 amendment 3 */ -+#define CKK_CAMELLIA 0x00000025 -+/* ARIA is new for PKCS #11 v2.20 amendment 3 */ -+#define CKK_ARIA 0x00000026 -+ -+ -+/* Mask-generating functions */ -+ -+/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */ -+#define CKG_MGF1_SHA224 0x00000005 -+ -+ -+/* Mechanism Identifiers */ -+ -+/* SHA-224 is new for PKCS #11 v2.20 amendment 3 */ -+#define CKM_SHA224 0x00000255 -+#define CKM_SHA224_HMAC 0x00000256 -+#define CKM_SHA224_HMAC_GENERAL 0x00000257 -+ -+/* SHA-224 key derivation is new for PKCS #11 v2.20 amendment 3 */ -+#define CKM_SHA224_KEY_DERIVATION 0x00000396 -+ -+/* SHA-224 RSA mechanisms are new for PKCS #11 v2.20 amendment 3 */ -+#define CKM_SHA224_RSA_PKCS 0x00000046 -+#define CKM_SHA224_RSA_PKCS_PSS 0x00000047 -+ -+/* AES counter mode is new for PKCS #11 v2.20 amendment 3 */ -+#define CKM_AES_CTR 0x00001086 -+ -+/* Camellia is new for PKCS #11 v2.20 amendment 3 */ -+#define CKM_CAMELLIA_KEY_GEN 0x00000550 -+#define CKM_CAMELLIA_ECB 0x00000551 -+#define CKM_CAMELLIA_CBC 0x00000552 -+#define CKM_CAMELLIA_MAC 0x00000553 -+#define CKM_CAMELLIA_MAC_GENERAL 0x00000554 -+#define CKM_CAMELLIA_CBC_PAD 0x00000555 -+#define CKM_CAMELLIA_ECB_ENCRYPT_DATA 0x00000556 -+#define CKM_CAMELLIA_CBC_ENCRYPT_DATA 0x00000557 -+#define CKM_CAMELLIA_CTR 0x00000558 -+ -+/* ARIA is new for PKCS #11 v2.20 amendment 3 */ -+#define CKM_ARIA_KEY_GEN 0x00000560 -+#define CKM_ARIA_ECB 0x00000561 -+#define CKM_ARIA_CBC 0x00000562 -+#define CKM_ARIA_MAC 0x00000563 -+#define CKM_ARIA_MAC_GENERAL 0x00000564 -+#define CKM_ARIA_CBC_PAD 0x00000565 -+#define CKM_ARIA_ECB_ENCRYPT_DATA 0x00000566 -+#define CKM_ARIA_CBC_ENCRYPT_DATA 0x00000567 -+ -+ -+/* Mechanism parameters */ -+ -+/* CK_AES_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */ -+typedef struct CK_AES_CTR_PARAMS { -+ CK_ULONG ulCounterBits; -+ CK_BYTE cb[16]; -+} CK_AES_CTR_PARAMS; -+ -+typedef CK_AES_CTR_PARAMS CK_PTR CK_AES_CTR_PARAMS_PTR; -+ -+/* CK_CAMELLIA_CTR_PARAMS is new for PKCS #11 v2.20 amendment 3 */ -+typedef struct CK_CAMELLIA_CTR_PARAMS { -+ CK_ULONG ulCounterBits; -+ CK_BYTE cb[16]; -+} CK_CAMELLIA_CTR_PARAMS; -+ -+typedef CK_CAMELLIA_CTR_PARAMS CK_PTR CK_CAMELLIA_CTR_PARAMS_PTR; -+ -+/* CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */ -+typedef struct CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS { -+ CK_BYTE iv[16]; -+ CK_BYTE_PTR pData; -+ CK_ULONG length; -+} CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS; -+ -+typedef CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_CAMELLIA_CBC_ENCRYPT_DATA_PARAMS_PTR; -+ -+/* CK_ARIA_CBC_ENCRYPT_DATA_PARAMS is new for PKCS #11 v2.20 amendment 3 */ -+typedef struct CK_ARIA_CBC_ENCRYPT_DATA_PARAMS { -+ CK_BYTE iv[16]; -+ CK_BYTE_PTR pData; -+ CK_ULONG length; -+} CK_ARIA_CBC_ENCRYPT_DATA_PARAMS; -+ -+typedef CK_ARIA_CBC_ENCRYPT_DATA_PARAMS CK_PTR CK_ARIA_CBC_ENCRYPT_DATA_PARAMS_PTR; -+ -+#ifdef __cplusplus -+} -+#endif -+ -+#endif -+ -+#endif -diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h ---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h 2012-10-23 18:11:19.282081473 +0100 -+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h 2012-10-24 03:20:31.823709582 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2006, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2011, Oracle and/or its affiliates. All rights reserved. - */ - - /* Copyright (c) 2002 Graz University of Technology. All rights reserved. -@@ -153,6 +153,7 @@ - #include "p11_md.h" - - #include "pkcs11.h" -+#include "pkcs-11v2-20a3.h" - #include <jni.h> - #include <jni_util.h> - -@@ -272,6 +273,7 @@ - #define CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS "sun/security/pkcs11/wrapper/CK_SSL3_MASTER_KEY_DERIVE_PARAMS" - #define CLASS_SSL3_KEY_MAT_PARAMS "sun/security/pkcs11/wrapper/CK_SSL3_KEY_MAT_PARAMS" - #define CLASS_TLS_PRF_PARAMS "sun/security/pkcs11/wrapper/CK_TLS_PRF_PARAMS" -+#define CLASS_AES_CTR_PARAMS "sun/security/pkcs11/wrapper/CK_AES_CTR_PARAMS" - - /* function to convert a PKCS#11 return value other than CK_OK into a Java Exception - * or to throw a PKCS11RuntimeException -diff -Nru openjdk.orig/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphers.java openjdk/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphers.java ---- openjdk.orig/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphers.java 2012-10-23 18:11:19.250080966 +0100 -+++ openjdk/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphers.java 2012-10-24 03:20:31.823709582 +0100 -@@ -33,7 +33,7 @@ - - /** - * @test %I% %E% -- * @bug 4898461 -+ * @bug 4898461 6604496 - * @summary basic test for symmetric ciphers with padding - * @author Valerie Peng - * @library .. -@@ -80,9 +80,13 @@ - new CI("DES/ECB/PKCS5Padding", "DES", 6400), - new CI("DESede/ECB/PKCS5Padding", "DESede", 400), - new CI("AES/ECB/PKCS5Padding", "AES", 64), -+ - new CI("DES", "DES", 6400), - new CI("DESede", "DESede", 408), -- new CI("AES", "AES", 128) -+ new CI("AES", "AES", 128), -+ -+ new CI("AES/CTR/NoPadding", "AES", 3200) -+ - }; - private static StringBuffer debugBuf = new StringBuffer(); - -diff -Nru openjdk.orig/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphersNoPad.java openjdk/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphersNoPad.java ---- openjdk.orig/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphersNoPad.java 2012-09-21 20:04:16.000000000 +0100 -+++ openjdk/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphersNoPad.java 2012-10-24 03:20:31.823709582 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2007, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2007, 2011, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -23,7 +23,7 @@ - - /** - * @test -- * @bug 4898484 -+ * @bug 4898484 6604496 - * @summary basic test for symmetric ciphers with no padding - * @author Valerie Peng - * @library .. -@@ -59,7 +59,8 @@ - new CI("DES/CBC/NoPadding", "DES", 400), - new CI("DESede/CBC/NoPadding", "DESede", 160), - new CI("AES/CBC/NoPadding", "AES", 4800), -- new CI("Blowfish/CBC/NoPadding", "Blowfish", 24) -+ new CI("Blowfish/CBC/NoPadding", "Blowfish", 24), -+ new CI("AES/CTR/NoPadding", "AES", 1600) - }; - - private static StringBuffer debugBuf;
--- a/patches/openjdk/p11cipher-6812738-native_cleanup.patch Wed May 04 02:55:09 2016 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,4832 +0,0 @@ -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java openjdk/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java 2014-10-08 16:35:09.000000000 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java 2014-10-08 17:30:03.986103813 +0100 -@@ -202,7 +202,9 @@ - throw new InvalidKeyException - ("Unwrap has to be used with private keys"); - } -- encrypt = false; -+ // No further setup needed for C_Unwrap(). We'll initialize later -+ // if we can't use C_Unwrap(). -+ return; - } else { - throw new InvalidKeyException("Unsupported mode: " + opmode); - } -diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_convert.c openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_convert.c ---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_convert.c 2014-10-08 16:35:09.000000000 +0100 -+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_convert.c 2014-10-08 17:30:03.986103813 +0100 -@@ -89,21 +89,24 @@ - - /* load CK_DATE class */ - jDateClass = (*env)->FindClass(env, CLASS_DATE); -- assert(jDateClass != 0); -+ if (jDateClass == NULL) { return NULL; } - - /* load CK_DATE constructor */ - jCtrId = (*env)->GetMethodID(env, jDateClass, "<init>", "([C[C[C)V"); -- assert(jCtrId != 0); -+ if (jCtrId == NULL) { return NULL; } - - /* prep all fields */ - jYear = ckCharArrayToJCharArray(env, (CK_CHAR_PTR)(ckpDate->year), 4); -+ if (jYear == NULL) { return NULL; } - jMonth = ckCharArrayToJCharArray(env, (CK_CHAR_PTR)(ckpDate->month), 2); -+ if (jMonth == NULL) { return NULL; } - jDay = ckCharArrayToJCharArray(env, (CK_CHAR_PTR)(ckpDate->day), 2); -+ if (jDay == NULL) { return NULL; } - - /* create new CK_DATE object */ - jDateObject = - (*env)->NewObject(env, jDateClass, jCtrId, jYear, jMonth, jDay); -- assert(jDateObject != 0); -+ if (jDateObject == NULL) { return NULL; } - - /* free local references */ - (*env)->DeleteLocalRef(env, jDateClass); -@@ -131,11 +134,11 @@ - - /* load CK_VERSION class */ - jVersionClass = (*env)->FindClass(env, CLASS_VERSION); -- assert(jVersionClass != 0); -+ if (jVersionClass == NULL) { return NULL; } - - /* load CK_VERSION constructor */ - jCtrId = (*env)->GetMethodID(env, jVersionClass, "<init>", "(II)V"); -- assert(jCtrId != 0); -+ if (jCtrId == NULL) { return NULL; } - - /* prep both fields */ - jMajor = ckpVersion->major; -@@ -144,7 +147,7 @@ - /* create new CK_VERSION object */ - jVersionObject = - (*env)->NewObject(env, jVersionClass, jCtrId, jMajor, jMinor); -- assert(jVersionObject != 0); -+ if (jVersionObject == NULL) { return NULL; } - - /* free local references */ - (*env)->DeleteLocalRef(env, jVersionClass); -@@ -171,11 +174,11 @@ - - /* load CK_SESSION_INFO class */ - jSessionInfoClass = (*env)->FindClass(env, CLASS_SESSION_INFO); -- assert(jSessionInfoClass != 0); -+ if (jSessionInfoClass == NULL) { return NULL; } - - /* load CK_SESSION_INFO constructor */ - jCtrId = (*env)->GetMethodID(env, jSessionInfoClass, "<init>", "(JJJJ)V"); -- assert(jCtrId != 0); -+ if (jCtrId == NULL) { return NULL; } - - /* prep all fields */ - jSlotID = ckULongToJLong(ckpSessionInfo->slotID); -@@ -187,7 +190,7 @@ - jSessionInfoObject = - (*env)->NewObject(env, jSessionInfoClass, jCtrId, jSlotID, jState, - jFlags, jDeviceError); -- assert(jSessionInfoObject != 0); -+ if (jSessionInfoObject == NULL) { return NULL; } - - /* free local references */ - (*env)->DeleteLocalRef(env, jSessionInfoClass); -@@ -211,20 +214,21 @@ - jobject jPValue = NULL; - - jAttributeClass = (*env)->FindClass(env, CLASS_ATTRIBUTE); -- assert(jAttributeClass != 0); -+ if (jAttributeClass == NULL) { return NULL; } - - /* load CK_INFO constructor */ - jCtrId = (*env)->GetMethodID(env, jAttributeClass, "<init>", "(JLjava/lang/Object;)V"); -- assert(jCtrId != 0); -+ if (jCtrId == NULL) { return NULL; } - - /* prep both fields */ - jType = ckULongToJLong(ckpAttribute->type); - jPValue = ckAttributeValueToJObject(env, ckpAttribute); -+ if ((*env)->ExceptionCheck(env)) { return NULL; } - - /* create new CK_ATTRIBUTE object */ - jAttributeObject = - (*env)->NewObject(env, jAttributeClass, jCtrId, jType, jPValue); -- assert(jAttributeObject != 0); -+ if (jAttributeObject == NULL) { return NULL; } - - /* free local references */ - (*env)->DeleteLocalRef(env, jAttributeClass); -@@ -252,23 +256,27 @@ - return NULL; - } - -- /* allocate memory for CK_VERSION pointer */ -- ckpVersion = (CK_VERSION_PTR) malloc(sizeof(CK_VERSION)); -- - /* get CK_VERSION class */ - jVersionClass = (*env)->GetObjectClass(env, jVersion); -- assert(jVersionClass != 0); -+ if (jVersionClass == NULL) { return NULL; } - - /* get Major */ - jFieldID = (*env)->GetFieldID(env, jVersionClass, "major", "B"); -- assert(jFieldID != 0); -+ if (jFieldID == NULL) { return NULL; } - jMajor = (*env)->GetByteField(env, jVersion, jFieldID); -- ckpVersion->major = jByteToCKByte(jMajor); - - /* get Minor */ - jFieldID = (*env)->GetFieldID(env, jVersionClass, "minor", "B"); -- assert(jFieldID != 0); -+ if (jFieldID == NULL) { return NULL; } - jMinor = (*env)->GetByteField(env, jVersion, jFieldID); -+ -+ /* allocate memory for CK_VERSION pointer */ -+ ckpVersion = (CK_VERSION_PTR) malloc(sizeof(CK_VERSION)); -+ if (ckpVersion == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } -+ ckpVersion->major = jByteToCKByte(jMajor); - ckpVersion->minor = jByteToCKByte(jMinor); - - return ckpVersion ; -@@ -292,18 +300,36 @@ - jchar *jTempChars; - CK_ULONG i; - -- /* allocate memory for CK_DATE pointer */ -- ckpDate = (CK_DATE *) malloc(sizeof(CK_DATE)); -+ if (jDate == NULL) { -+ return NULL; -+ } - - /* get CK_DATE class */ - jDateClass = (*env)->FindClass(env, CLASS_DATE); -- assert(jDateClass != 0); -+ if (jDateClass == NULL) { return NULL; } - - /* get Year */ - jFieldID = (*env)->GetFieldID(env, jDateClass, "year", "[C"); -- assert(jFieldID != 0); -+ if (jFieldID == NULL) { return NULL; } - jYear = (*env)->GetObjectField(env, jDate, jFieldID); - -+ /* get Month */ -+ jFieldID = (*env)->GetFieldID(env, jDateClass, "month", "[C"); -+ if (jFieldID == NULL) { return NULL; } -+ jMonth = (*env)->GetObjectField(env, jDate, jFieldID); -+ -+ /* get Day */ -+ jFieldID = (*env)->GetFieldID(env, jDateClass, "day", "[C"); -+ if (jFieldID == NULL) { return NULL; } -+ jDay = (*env)->GetObjectField(env, jDate, jFieldID); -+ -+ /* allocate memory for CK_DATE pointer */ -+ ckpDate = (CK_DATE *) malloc(sizeof(CK_DATE)); -+ if (ckpDate == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } -+ - if (jYear == NULL) { - ckpDate->year[0] = 0; - ckpDate->year[1] = 0; -@@ -312,43 +338,66 @@ - } else { - ckLength = (*env)->GetArrayLength(env, jYear); - jTempChars = (jchar*) malloc((ckLength) * sizeof(jchar)); -+ if (jTempChars == NULL) { -+ free(ckpDate); -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } - (*env)->GetCharArrayRegion(env, jYear, 0, ckLength, jTempChars); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckpDate); -+ free(jTempChars); -+ return NULL; -+ } -+ - for (i = 0; (i < ckLength) && (i < 4) ; i++) { - ckpDate->year[i] = jCharToCKChar(jTempChars[i]); - } - free(jTempChars); - } - -- /* get Month */ -- jFieldID = (*env)->GetFieldID(env, jDateClass, "month", "[C"); -- assert(jFieldID != 0); -- jMonth = (*env)->GetObjectField(env, jDate, jFieldID); -- - if (jMonth == NULL) { - ckpDate->month[0] = 0; - ckpDate->month[1] = 0; - } else { - ckLength = (*env)->GetArrayLength(env, jMonth); - jTempChars = (jchar*) malloc((ckLength) * sizeof(jchar)); -+ if (jTempChars == NULL) { -+ free(ckpDate); -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } - (*env)->GetCharArrayRegion(env, jMonth, 0, ckLength, jTempChars); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckpDate); -+ free(jTempChars); -+ return NULL; -+ } -+ - for (i = 0; (i < ckLength) && (i < 4) ; i++) { - ckpDate->month[i] = jCharToCKChar(jTempChars[i]); - } - free(jTempChars); - } - -- /* get Day */ -- jFieldID = (*env)->GetFieldID(env, jDateClass, "day", "[C"); -- assert(jFieldID != 0); -- jDay = (*env)->GetObjectField(env, jDate, jFieldID); -- - if (jDay == NULL) { - ckpDate->day[0] = 0; - ckpDate->day[1] = 0; - } else { - ckLength = (*env)->GetArrayLength(env, jDay); - jTempChars = (jchar*) malloc((ckLength) * sizeof(jchar)); -+ if (jTempChars == NULL) { -+ free(ckpDate); -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } - (*env)->GetCharArrayRegion(env, jDay, 0, ckLength, jTempChars); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckpDate); -+ free(jTempChars); -+ return NULL; -+ } -+ - for (i = 0; (i < ckLength) && (i < 4) ; i++) { - ckpDate->day[i] = jCharToCKChar(jTempChars[i]); - } -@@ -374,23 +423,25 @@ - jlong jType; - jobject jPValue; - -+ // TBD: what if jAttribute == NULL?! -+ - TRACE0("\nDEBUG: jAttributeToCKAttribute"); - /* get CK_ATTRIBUTE class */ - TRACE0(", getting attribute object class"); - jAttributeClass = (*env)->GetObjectClass(env, jAttribute); -- assert(jAttributeClass != 0); -+ if (jAttributeClass == NULL) { return ckAttribute; } - - /* get type */ - TRACE0(", getting type field"); - jFieldID = (*env)->GetFieldID(env, jAttributeClass, "type", "J"); -- assert(jFieldID != 0); -+ if (jFieldID == NULL) { return ckAttribute; } - jType = (*env)->GetLongField(env, jAttribute, jFieldID); - TRACE1(", type=0x%X", jType); - - /* get pValue */ - TRACE0(", getting pValue field"); - jFieldID = (*env)->GetFieldID(env, jAttributeClass, "pValue", "Ljava/lang/Object;"); -- assert(jFieldID != 0); -+ if (jFieldID == NULL) { return ckAttribute; } - jPValue = (*env)->GetObjectField(env, jAttribute, jFieldID); - TRACE1(", pValue=%p", jPValue); - -@@ -417,36 +468,50 @@ - { - // XXX don't return structs - // XXX prefetch class and field ids -- jclass jSsl3MasterKeyDeriveParamsClass = (*env)->FindClass(env, CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS); -+ jclass jSsl3MasterKeyDeriveParamsClass; - CK_SSL3_MASTER_KEY_DERIVE_PARAMS ckParam; - jfieldID fieldID; -- jobject jObject; - jclass jSsl3RandomDataClass; -- jobject jRandomInfo; -+ jobject jRandomInfo, jRIClientRandom, jRIServerRandom, jVersion; - - /* get RandomInfo */ -- jSsl3RandomDataClass = (*env)->FindClass(env, CLASS_SSL3_RANDOM_DATA); -+ jSsl3MasterKeyDeriveParamsClass = (*env)->FindClass(env, CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS); -+ if (jSsl3MasterKeyDeriveParamsClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jSsl3MasterKeyDeriveParamsClass, "RandomInfo", "Lsun/security/pkcs11/wrapper/CK_SSL3_RANDOM_DATA;"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return ckParam; } - jRandomInfo = (*env)->GetObjectField(env, jParam, fieldID); - - /* get pClientRandom and ulClientRandomLength out of RandomInfo */ -+ jSsl3RandomDataClass = (*env)->FindClass(env, CLASS_SSL3_RANDOM_DATA); -+ if (jSsl3RandomDataClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jSsl3RandomDataClass, "pClientRandom", "[B"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jRandomInfo, fieldID); -- jByteArrayToCKByteArray(env, jObject, &(ckParam.RandomInfo.pClientRandom), &(ckParam.RandomInfo.ulClientRandomLen)); -+ if (fieldID == NULL) { return ckParam; } -+ jRIClientRandom = (*env)->GetObjectField(env, jRandomInfo, fieldID); - - /* get pServerRandom and ulServerRandomLength out of RandomInfo */ - fieldID = (*env)->GetFieldID(env, jSsl3RandomDataClass, "pServerRandom", "[B"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jRandomInfo, fieldID); -- jByteArrayToCKByteArray(env, jObject, &(ckParam.RandomInfo.pServerRandom), &(ckParam.RandomInfo.ulServerRandomLen)); -+ if (fieldID == NULL) { return ckParam; } -+ jRIServerRandom = (*env)->GetObjectField(env, jRandomInfo, fieldID); - - /* get pVersion */ - fieldID = (*env)->GetFieldID(env, jSsl3MasterKeyDeriveParamsClass, "pVersion", "Lsun/security/pkcs11/wrapper/CK_VERSION;"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jParam, fieldID); -- ckParam.pVersion = jVersionToCKVersionPtr(env, jObject); -+ if (fieldID == NULL) { return ckParam; } -+ jVersion = (*env)->GetObjectField(env, jParam, fieldID); -+ -+ /* populate java values */ -+ ckParam.pVersion = jVersionToCKVersionPtr(env, jVersion); -+ if ((*env)->ExceptionCheck(env)) { return ckParam; } -+ jByteArrayToCKByteArray(env, jRIClientRandom, &(ckParam.RandomInfo.pClientRandom), &(ckParam.RandomInfo.ulClientRandomLen)); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckParam.pVersion); -+ return ckParam; -+ } -+ jByteArrayToCKByteArray(env, jRIServerRandom, &(ckParam.RandomInfo.pServerRandom), &(ckParam.RandomInfo.ulServerRandomLen)); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckParam.pVersion); -+ free(ckParam.RandomInfo.pClientRandom); -+ return ckParam; -+ } - - return ckParam ; - } -@@ -457,27 +522,52 @@ - */ - CK_TLS_PRF_PARAMS jTlsPrfParamsToCKTlsPrfParam(JNIEnv *env, jobject jParam) - { -- jclass jTlsPrfParamsClass = (*env)->FindClass(env, CLASS_TLS_PRF_PARAMS); -+ jclass jTlsPrfParamsClass; - CK_TLS_PRF_PARAMS ckParam; - jfieldID fieldID; -- jobject jObject; -+ jobject jSeed, jLabel, jOutput; - -+ // TBD: what if jParam == NULL?! -+ -+ /* get pSeed */ -+ jTlsPrfParamsClass = (*env)->FindClass(env, CLASS_TLS_PRF_PARAMS); -+ if (jTlsPrfParamsClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jTlsPrfParamsClass, "pSeed", "[B"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jParam, fieldID); -- jByteArrayToCKByteArray(env, jObject, &(ckParam.pSeed), &(ckParam.ulSeedLen)); -+ if (fieldID == NULL) { return ckParam; } -+ jSeed = (*env)->GetObjectField(env, jParam, fieldID); - -+ /* get pLabel */ - fieldID = (*env)->GetFieldID(env, jTlsPrfParamsClass, "pLabel", "[B"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jParam, fieldID); -- jByteArrayToCKByteArray(env, jObject, &(ckParam.pLabel), &(ckParam.ulLabelLen)); -- -- ckParam.pulOutputLen = malloc(sizeof(CK_ULONG)); -+ if (fieldID == NULL) { return ckParam; } -+ jLabel = (*env)->GetObjectField(env, jParam, fieldID); - -+ /* get pOutput */ - fieldID = (*env)->GetFieldID(env, jTlsPrfParamsClass, "pOutput", "[B"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jParam, fieldID); -- jByteArrayToCKByteArray(env, jObject, &(ckParam.pOutput), ckParam.pulOutputLen); -+ if (fieldID == NULL) { return ckParam; } -+ jOutput = (*env)->GetObjectField(env, jParam, fieldID); -+ -+ /* populate java values */ -+ jByteArrayToCKByteArray(env, jSeed, &(ckParam.pSeed), &(ckParam.ulSeedLen)); -+ if ((*env)->ExceptionCheck(env)) { return ckParam; } -+ jByteArrayToCKByteArray(env, jLabel, &(ckParam.pLabel), &(ckParam.ulLabelLen)); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckParam.pSeed); -+ return ckParam; -+ } -+ ckParam.pulOutputLen = malloc(sizeof(CK_ULONG)); -+ if (ckParam.pulOutputLen == NULL) { -+ free(ckParam.pSeed); -+ free(ckParam.pLabel); -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return ckParam; -+ } -+ jByteArrayToCKByteArray(env, jOutput, &(ckParam.pOutput), ckParam.pulOutputLen); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckParam.pSeed); -+ free(ckParam.pLabel); -+ free(ckParam.pulOutputLen); -+ return ckParam; -+ } - - return ckParam ; - } -@@ -493,68 +583,91 @@ - { - // XXX don't return structs - // XXX prefetch class and field ids -- jclass jSsl3KeyMatParamsClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_PARAMS); -+ jclass jSsl3KeyMatParamsClass, jSsl3RandomDataClass, jSsl3KeyMatOutClass; - CK_SSL3_KEY_MAT_PARAMS ckParam; - jfieldID fieldID; -- jlong jLong; -- jboolean jBoolean; -- jobject jObject; -- jobject jRandomInfo; -- jobject jReturnedKeyMaterial; -- jclass jSsl3RandomDataClass; -- jclass jSsl3KeyMatOutClass; -+ jlong jMacSizeInBits, jKeySizeInBits, jIVSizeInBits; -+ jboolean jIsExport; -+ jobject jRandomInfo, jRIClientRandom, jRIServerRandom; -+ jobject jReturnedKeyMaterial, jRMIvClient, jRMIvServer; - CK_ULONG ckTemp; - - /* get ulMacSizeInBits */ -+ jSsl3KeyMatParamsClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_PARAMS); -+ if (jSsl3KeyMatParamsClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jSsl3KeyMatParamsClass, "ulMacSizeInBits", "J"); -- assert(fieldID != 0); -- jLong = (*env)->GetLongField(env, jParam, fieldID); -- ckParam.ulMacSizeInBits = jLongToCKULong(jLong); -+ if (fieldID == NULL) { return ckParam; } -+ jMacSizeInBits = (*env)->GetLongField(env, jParam, fieldID); - - /* get ulKeySizeInBits */ - fieldID = (*env)->GetFieldID(env, jSsl3KeyMatParamsClass, "ulKeySizeInBits", "J"); -- assert(fieldID != 0); -- jLong = (*env)->GetLongField(env, jParam, fieldID); -- ckParam.ulKeySizeInBits = jLongToCKULong(jLong); -+ if (fieldID == NULL) { return ckParam; } -+ jKeySizeInBits = (*env)->GetLongField(env, jParam, fieldID); - - /* get ulIVSizeInBits */ - fieldID = (*env)->GetFieldID(env, jSsl3KeyMatParamsClass, "ulIVSizeInBits", "J"); -- assert(fieldID != 0); -- jLong = (*env)->GetLongField(env, jParam, fieldID); -- ckParam.ulIVSizeInBits = jLongToCKULong(jLong); -+ if (fieldID == NULL) { return ckParam; } -+ jIVSizeInBits = (*env)->GetLongField(env, jParam, fieldID); - - /* get bIsExport */ - fieldID = (*env)->GetFieldID(env, jSsl3KeyMatParamsClass, "bIsExport", "Z"); -- assert(fieldID != 0); -- jBoolean = (*env)->GetBooleanField(env, jParam, fieldID); -- ckParam.bIsExport = jBooleanToCKBBool(jBoolean); -+ if (fieldID == NULL) { return ckParam; } -+ jIsExport = (*env)->GetBooleanField(env, jParam, fieldID); - - /* get RandomInfo */ - jSsl3RandomDataClass = (*env)->FindClass(env, CLASS_SSL3_RANDOM_DATA); -+ if (jSsl3RandomDataClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jSsl3KeyMatParamsClass, "RandomInfo", "Lsun/security/pkcs11/wrapper/CK_SSL3_RANDOM_DATA;"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return ckParam; } - jRandomInfo = (*env)->GetObjectField(env, jParam, fieldID); - - /* get pClientRandom and ulClientRandomLength out of RandomInfo */ - fieldID = (*env)->GetFieldID(env, jSsl3RandomDataClass, "pClientRandom", "[B"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jRandomInfo, fieldID); -- jByteArrayToCKByteArray(env, jObject, &(ckParam.RandomInfo.pClientRandom), &(ckParam.RandomInfo.ulClientRandomLen)); -+ if (fieldID == NULL) { return ckParam; } -+ jRIClientRandom = (*env)->GetObjectField(env, jRandomInfo, fieldID); - - /* get pServerRandom and ulServerRandomLength out of RandomInfo */ - fieldID = (*env)->GetFieldID(env, jSsl3RandomDataClass, "pServerRandom", "[B"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jRandomInfo, fieldID); -- jByteArrayToCKByteArray(env, jObject, &(ckParam.RandomInfo.pServerRandom), &(ckParam.RandomInfo.ulServerRandomLen)); -+ if (fieldID == NULL) { return ckParam; } -+ jRIServerRandom = (*env)->GetObjectField(env, jRandomInfo, fieldID); - - /* get pReturnedKeyMaterial */ - jSsl3KeyMatOutClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_OUT); -+ if (jSsl3KeyMatOutClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jSsl3KeyMatParamsClass, "pReturnedKeyMaterial", "Lsun/security/pkcs11/wrapper/CK_SSL3_KEY_MAT_OUT;"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return ckParam; } - jReturnedKeyMaterial = (*env)->GetObjectField(env, jParam, fieldID); - -+ /* get pIVClient out of pReturnedKeyMaterial */ -+ fieldID = (*env)->GetFieldID(env, jSsl3KeyMatOutClass, "pIVClient", "[B"); -+ if (fieldID == NULL) { return ckParam; } -+ jRMIvClient = (*env)->GetObjectField(env, jReturnedKeyMaterial, fieldID); -+ -+ /* get pIVServer out of pReturnedKeyMaterial */ -+ fieldID = (*env)->GetFieldID(env, jSsl3KeyMatOutClass, "pIVServer", "[B"); -+ if (fieldID == NULL) { return ckParam; } -+ jRMIvServer = (*env)->GetObjectField(env, jReturnedKeyMaterial, fieldID); -+ -+ /* populate java values */ -+ ckParam.ulMacSizeInBits = jLongToCKULong(jMacSizeInBits); -+ ckParam.ulKeySizeInBits = jLongToCKULong(jKeySizeInBits); -+ ckParam.ulIVSizeInBits = jLongToCKULong(jIVSizeInBits); -+ ckParam.bIsExport = jBooleanToCKBBool(jIsExport); -+ jByteArrayToCKByteArray(env, jRIClientRandom, &(ckParam.RandomInfo.pClientRandom), &(ckParam.RandomInfo.ulClientRandomLen)); -+ if ((*env)->ExceptionCheck(env)) { return ckParam; } -+ jByteArrayToCKByteArray(env, jRIServerRandom, &(ckParam.RandomInfo.pServerRandom), &(ckParam.RandomInfo.ulServerRandomLen)); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckParam.RandomInfo.pClientRandom); -+ return ckParam; -+ } - /* allocate memory for pRetrunedKeyMaterial */ - ckParam.pReturnedKeyMaterial = (CK_SSL3_KEY_MAT_OUT_PTR) malloc(sizeof(CK_SSL3_KEY_MAT_OUT)); -+ if (ckParam.pReturnedKeyMaterial == NULL) { -+ free(ckParam.RandomInfo.pClientRandom); -+ free(ckParam.RandomInfo.pServerRandom); -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return ckParam; -+ } - - // the handles are output params only, no need to fetch them from Java - ckParam.pReturnedKeyMaterial->hClientMacSecret = 0; -@@ -562,17 +675,21 @@ - ckParam.pReturnedKeyMaterial->hClientKey = 0; - ckParam.pReturnedKeyMaterial->hServerKey = 0; - -- /* get pIVClient out of pReturnedKeyMaterial */ -- fieldID = (*env)->GetFieldID(env, jSsl3KeyMatOutClass, "pIVClient", "[B"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jReturnedKeyMaterial, fieldID); -- jByteArrayToCKByteArray(env, jObject, &(ckParam.pReturnedKeyMaterial->pIVClient), &ckTemp); -- -- /* get pIVServer out of pReturnedKeyMaterial */ -- fieldID = (*env)->GetFieldID(env, jSsl3KeyMatOutClass, "pIVServer", "[B"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jReturnedKeyMaterial, fieldID); -- jByteArrayToCKByteArray(env, jObject, &(ckParam.pReturnedKeyMaterial->pIVServer), &ckTemp); -+ jByteArrayToCKByteArray(env, jRMIvClient, &(ckParam.pReturnedKeyMaterial->pIVClient), &ckTemp); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckParam.RandomInfo.pClientRandom); -+ free(ckParam.RandomInfo.pServerRandom); -+ free(ckParam.pReturnedKeyMaterial); -+ return ckParam; -+ } -+ jByteArrayToCKByteArray(env, jRMIvServer, &(ckParam.pReturnedKeyMaterial->pIVServer), &ckTemp); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckParam.RandomInfo.pClientRandom); -+ free(ckParam.RandomInfo.pServerRandom); -+ free(ckParam.pReturnedKeyMaterial); -+ free(ckParam.pReturnedKeyMaterial->pIVClient); -+ return ckParam; -+ } - - return ckParam ; - } -@@ -811,7 +928,7 @@ - *ckpParamPtr = jLongObjectToCKULongPtr(env, jParam); - *ckpLength = sizeof(CK_ULONG); - } else { -- /* printf("slow path jMechanismParameterToCKMechanismParameter\n"); */ -+ TRACE0("\nSLOW PATH jMechanismParameterToCKMechanismParameter\n"); - jMechanismParameterToCKMechanismParameterSlow(env, jParam, ckpParamPtr, ckpLength); - } - } -@@ -819,40 +936,24 @@ - void jMechanismParameterToCKMechanismParameterSlow(JNIEnv *env, jobject jParam, CK_VOID_PTR *ckpParamPtr, CK_ULONG *ckpLength) - { - /* get all Java mechanism parameter classes */ -- jclass jVersionClass = (*env)->FindClass(env, CLASS_VERSION); -- jclass jRsaPkcsOaepParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_OAEP_PARAMS); -- jclass jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS); -- jclass jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS); -- -- jclass jRsaPkcsPssParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_PSS_PARAMS); -- jclass jEcdh1DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH1_DERIVE_PARAMS); -- jclass jEcdh2DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH2_DERIVE_PARAMS); -- jclass jX942Dh1DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH1_DERIVE_PARAMS); -- jclass jX942Dh2DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH2_DERIVE_PARAMS); -- -- jclass jSsl3MasterKeyDeriveParamsClass = (*env)->FindClass(env, CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS); -- jclass jSsl3KeyMatParamsClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_PARAMS); -- jclass jTlsPrfParamsClass = (*env)->FindClass(env, CLASS_TLS_PRF_PARAMS); -+ jclass jVersionClass, jSsl3MasterKeyDeriveParamsClass, jSsl3KeyMatParamsClass; -+ jclass jTlsPrfParamsClass, jRsaPkcsOaepParamsClass, jPbeParamsClass; -+ jclass jPkcs5Pbkd2ParamsClass, jRsaPkcsPssParamsClass; -+ jclass jEcdh1DeriveParamsClass, jEcdh2DeriveParamsClass; -+ jclass jX942Dh1DeriveParamsClass, jX942Dh2DeriveParamsClass; - -+ /* get all Java mechanism parameter classes */ - TRACE0("\nDEBUG: jMechanismParameterToCKMechanismParameter"); - -- /* first check the most common cases */ --/* -- if (jParam == NULL) { -- *ckpParamPtr = NULL; -- *ckpLength = 0; -- } else if ((*env)->IsInstanceOf(env, jParam, jByteArrayClass)) { -- jByteArrayToCKByteArray(env, jParam, (CK_BYTE_PTR *)ckpParamPtr, ckpLength); -- } else if ((*env)->IsInstanceOf(env, jParam, jLongClass)) { -- *ckpParamPtr = jLongObjectToCKULongPtr(env, jParam); -- *ckpLength = sizeof(CK_ULONG); -- } else if ((*env)->IsInstanceOf(env, jParam, jVersionClass)) { --*/ -+ /* most common cases, i.e. NULL/byte[]/long, are already handled by -+ * jMechanismParameterToCKMechanismParameter before calling this method. -+ */ -+ jVersionClass = (*env)->FindClass(env, CLASS_VERSION); -+ if (jVersionClass == NULL) { return; } - if ((*env)->IsInstanceOf(env, jParam, jVersionClass)) { - /* - * CK_VERSION used by CKM_SSL3_PRE_MASTER_KEY_GEN - */ -- - CK_VERSION_PTR ckpParam; - - /* convert jParameter to CKParameter */ -@@ -861,191 +962,312 @@ - /* get length and pointer of parameter */ - *ckpLength = sizeof(CK_VERSION); - *ckpParamPtr = ckpParam; -+ return; -+ } - -- } else if ((*env)->IsInstanceOf(env, jParam, jSsl3MasterKeyDeriveParamsClass)) { -+ jSsl3MasterKeyDeriveParamsClass = (*env)->FindClass(env, CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS); -+ if (jSsl3MasterKeyDeriveParamsClass == NULL) { return; } -+ if ((*env)->IsInstanceOf(env, jParam, jSsl3MasterKeyDeriveParamsClass)) { - /* - * CK_SSL3_MASTER_KEY_DERIVE_PARAMS - */ -- - CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR ckpParam; - - ckpParam = (CK_SSL3_MASTER_KEY_DERIVE_PARAMS_PTR) malloc(sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS)); -+ if (ckpParam == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - - /* convert jParameter to CKParameter */ - *ckpParam = jSsl3MasterKeyDeriveParamToCKSsl3MasterKeyDeriveParam(env, jParam); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckpParam); -+ return; -+ } - - /* get length and pointer of parameter */ - *ckpLength = sizeof(CK_SSL3_MASTER_KEY_DERIVE_PARAMS); - *ckpParamPtr = ckpParam; -+ return; -+ } - -- } else if ((*env)->IsInstanceOf(env, jParam, jSsl3KeyMatParamsClass)) { -+ jSsl3KeyMatParamsClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_PARAMS); -+ if (jSsl3KeyMatParamsClass == NULL) { return; } -+ if ((*env)->IsInstanceOf(env, jParam, jSsl3KeyMatParamsClass)) { - /* - * CK_SSL3_KEY_MAT_PARAMS - */ -- - CK_SSL3_KEY_MAT_PARAMS_PTR ckpParam; - - ckpParam = (CK_SSL3_KEY_MAT_PARAMS_PTR) malloc(sizeof(CK_SSL3_KEY_MAT_PARAMS)); -+ if (ckpParam == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - - /* convert jParameter to CKParameter */ - *ckpParam = jSsl3KeyMatParamToCKSsl3KeyMatParam(env, jParam); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckpParam); -+ return; -+ } - - /* get length and pointer of parameter */ - *ckpLength = sizeof(CK_SSL3_KEY_MAT_PARAMS); - *ckpParamPtr = ckpParam; -+ return; -+ } - -- } else if ((*env)->IsInstanceOf(env, jParam, jTlsPrfParamsClass)) { -- // -- // CK_TLS_PRF_PARAMS -- // -- -+ jTlsPrfParamsClass = (*env)->FindClass(env, CLASS_TLS_PRF_PARAMS); -+ if (jTlsPrfParamsClass == NULL) { return; } -+ if ((*env)->IsInstanceOf(env, jParam, jTlsPrfParamsClass)) { -+ /* -+ * CK_TLS_PRF_PARAMS -+ */ - CK_TLS_PRF_PARAMS_PTR ckpParam; - - ckpParam = (CK_TLS_PRF_PARAMS_PTR) malloc(sizeof(CK_TLS_PRF_PARAMS)); -+ if (ckpParam == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - -- // convert jParameter to CKParameter -+ /* convert jParameter to CKParameter */ - *ckpParam = jTlsPrfParamsToCKTlsPrfParam(env, jParam); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckpParam); -+ return; -+ } - -- // get length and pointer of parameter -+ /* get length and pointer of parameter */ - *ckpLength = sizeof(CK_TLS_PRF_PARAMS); - *ckpParamPtr = ckpParam; -+ return; -+ } - -- } else if ((*env)->IsInstanceOf(env, jParam, jRsaPkcsOaepParamsClass)) { -+ jRsaPkcsOaepParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_OAEP_PARAMS); -+ if (jRsaPkcsOaepParamsClass == NULL) { return; } -+ if ((*env)->IsInstanceOf(env, jParam, jRsaPkcsOaepParamsClass)) { - /* - * CK_RSA_PKCS_OAEP_PARAMS - */ -- - CK_RSA_PKCS_OAEP_PARAMS_PTR ckpParam; - - ckpParam = (CK_RSA_PKCS_OAEP_PARAMS_PTR) malloc(sizeof(CK_RSA_PKCS_OAEP_PARAMS)); -+ if (ckpParam == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - - /* convert jParameter to CKParameter */ - *ckpParam = jRsaPkcsOaepParamToCKRsaPkcsOaepParam(env, jParam); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckpParam); -+ return; -+ } - - /* get length and pointer of parameter */ - *ckpLength = sizeof(CK_RSA_PKCS_OAEP_PARAMS); - *ckpParamPtr = ckpParam; -+ return; -+ } - -- } else if ((*env)->IsInstanceOf(env, jParam, jPbeParamsClass)) { -+ jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS); -+ if (jPbeParamsClass == NULL) { return; } -+ if ((*env)->IsInstanceOf(env, jParam, jPbeParamsClass)) { - /* - * CK_PBE_PARAMS - */ -- - CK_PBE_PARAMS_PTR ckpParam; - - ckpParam = (CK_PBE_PARAMS_PTR) malloc(sizeof(CK_PBE_PARAMS)); -+ if (ckpParam == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - - /* convert jParameter to CKParameter */ - *ckpParam = jPbeParamToCKPbeParam(env, jParam); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckpParam); -+ return; -+ } - - /* get length and pointer of parameter */ - *ckpLength = sizeof(CK_PBE_PARAMS); - *ckpParamPtr = ckpParam; -+ return; -+ } - -- } else if ((*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) { -+ jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS); -+ if (jPkcs5Pbkd2ParamsClass == NULL) { return; } -+ if ((*env)->IsInstanceOf(env, jParam, jPkcs5Pbkd2ParamsClass)) { - /* - * CK_PKCS5_PBKD2_PARAMS - */ -- - CK_PKCS5_PBKD2_PARAMS_PTR ckpParam; - - ckpParam = (CK_PKCS5_PBKD2_PARAMS_PTR) malloc(sizeof(CK_PKCS5_PBKD2_PARAMS)); -+ if (ckpParam == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - - /* convert jParameter to CKParameter */ - *ckpParam = jPkcs5Pbkd2ParamToCKPkcs5Pbkd2Param(env, jParam); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckpParam); -+ return; -+ } - - /* get length and pointer of parameter */ - *ckpLength = sizeof(CK_PKCS5_PBKD2_PARAMS); - *ckpParamPtr = ckpParam; -+ return; -+ } - -- } else if ((*env)->IsInstanceOf(env, jParam, jRsaPkcsPssParamsClass)) { -+ jRsaPkcsPssParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_PSS_PARAMS); -+ if (jRsaPkcsPssParamsClass == NULL) { return; } -+ if ((*env)->IsInstanceOf(env, jParam, jRsaPkcsPssParamsClass)) { - /* - * CK_RSA_PKCS_PSS_PARAMS - */ -- - CK_RSA_PKCS_PSS_PARAMS_PTR ckpParam; - - ckpParam = (CK_RSA_PKCS_PSS_PARAMS_PTR) malloc(sizeof(CK_RSA_PKCS_PSS_PARAMS)); -+ if (ckpParam == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - - /* convert jParameter to CKParameter */ - *ckpParam = jRsaPkcsPssParamToCKRsaPkcsPssParam(env, jParam); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckpParam); -+ return; -+ } - - /* get length and pointer of parameter */ - *ckpLength = sizeof(CK_RSA_PKCS_PSS_PARAMS); - *ckpParamPtr = ckpParam; -+ return; -+ } - -- } else if ((*env)->IsInstanceOf(env, jParam, jEcdh1DeriveParamsClass)) { -+ jEcdh1DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH1_DERIVE_PARAMS); -+ if (jEcdh1DeriveParamsClass == NULL) { return; } -+ if ((*env)->IsInstanceOf(env, jParam, jEcdh1DeriveParamsClass)) { - /* - * CK_ECDH1_DERIVE_PARAMS - */ -- - CK_ECDH1_DERIVE_PARAMS_PTR ckpParam; - - ckpParam = (CK_ECDH1_DERIVE_PARAMS_PTR) malloc(sizeof(CK_ECDH1_DERIVE_PARAMS)); -+ if (ckpParam == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - - /* convert jParameter to CKParameter */ - *ckpParam = jEcdh1DeriveParamToCKEcdh1DeriveParam(env, jParam); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckpParam); -+ return; -+ } - - /* get length and pointer of parameter */ - *ckpLength = sizeof(CK_ECDH1_DERIVE_PARAMS); - *ckpParamPtr = ckpParam; -+ return; -+ } - -- } else if ((*env)->IsInstanceOf(env, jParam, jEcdh2DeriveParamsClass)) { -+ jEcdh2DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH2_DERIVE_PARAMS); -+ if (jEcdh2DeriveParamsClass == NULL) { return; } -+ if ((*env)->IsInstanceOf(env, jParam, jEcdh2DeriveParamsClass)) { - /* - * CK_ECDH2_DERIVE_PARAMS - */ -- - CK_ECDH2_DERIVE_PARAMS_PTR ckpParam; - - ckpParam = (CK_ECDH2_DERIVE_PARAMS_PTR) malloc(sizeof(CK_ECDH2_DERIVE_PARAMS)); -+ if (ckpParam == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - - /* convert jParameter to CKParameter */ - *ckpParam = jEcdh2DeriveParamToCKEcdh2DeriveParam(env, jParam); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckpParam); -+ return; -+ } - - /* get length and pointer of parameter */ - *ckpLength = sizeof(CK_ECDH2_DERIVE_PARAMS); - *ckpParamPtr = ckpParam; -+ return; -+ } - -- } else if ((*env)->IsInstanceOf(env, jParam, jX942Dh1DeriveParamsClass)) { -+ jX942Dh1DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH1_DERIVE_PARAMS); -+ if (jX942Dh1DeriveParamsClass == NULL) { return; } -+ if ((*env)->IsInstanceOf(env, jParam, jX942Dh1DeriveParamsClass)) { - /* - * CK_X9_42_DH1_DERIVE_PARAMS - */ -- - CK_X9_42_DH1_DERIVE_PARAMS_PTR ckpParam; - - ckpParam = (CK_X9_42_DH1_DERIVE_PARAMS_PTR) malloc(sizeof(CK_X9_42_DH1_DERIVE_PARAMS)); -+ if (ckpParam == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - - /* convert jParameter to CKParameter */ - *ckpParam = jX942Dh1DeriveParamToCKX942Dh1DeriveParam(env, jParam); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckpParam); -+ return; -+ } - - /* get length and pointer of parameter */ - *ckpLength = sizeof(CK_X9_42_DH1_DERIVE_PARAMS); - *ckpParamPtr = ckpParam; -+ return; -+ } - -- } else if ((*env)->IsInstanceOf(env, jParam, jX942Dh2DeriveParamsClass)) { -+ jX942Dh2DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH2_DERIVE_PARAMS); -+ if (jX942Dh2DeriveParamsClass == NULL) { return; } -+ if ((*env)->IsInstanceOf(env, jParam, jX942Dh2DeriveParamsClass)) { - /* - * CK_X9_42_DH2_DERIVE_PARAMS - */ -- - CK_X9_42_DH2_DERIVE_PARAMS_PTR ckpParam; - - ckpParam = (CK_X9_42_DH2_DERIVE_PARAMS_PTR) malloc(sizeof(CK_X9_42_DH2_DERIVE_PARAMS)); -+ if (ckpParam == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - - /* convert jParameter to CKParameter */ - *ckpParam = jX942Dh2DeriveParamToCKX942Dh2DeriveParam(env, jParam); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckpParam); -+ return; -+ } - - /* get length and pointer of parameter */ - *ckpLength = sizeof(CK_X9_42_DH2_DERIVE_PARAMS); - *ckpParamPtr = ckpParam; -- -- } else { -- /* if everything faild up to here */ -- /* try if the parameter is a primitive Java type */ -- jObjectToPrimitiveCKObjectPtrPtr(env, jParam, ckpParamPtr, ckpLength); -- /* *ckpParamPtr = jObjectToCKVoidPtr(jParam); */ -- /* *ckpLength = 1; */ -+ return; - } - -+ /* if everything faild up to here */ -+ /* try if the parameter is a primitive Java type */ -+ jObjectToPrimitiveCKObjectPtrPtr(env, jParam, ckpParamPtr, ckpLength); -+ /* *ckpParamPtr = jObjectToCKVoidPtr(jParam); */ -+ /* *ckpLength = 1; */ -+ - TRACE0("FINISHED\n"); - } - -@@ -1061,36 +1283,41 @@ - */ - CK_RSA_PKCS_OAEP_PARAMS jRsaPkcsOaepParamToCKRsaPkcsOaepParam(JNIEnv *env, jobject jParam) - { -- jclass jRsaPkcsOaepParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_OAEP_PARAMS); -+ jclass jRsaPkcsOaepParamsClass; - CK_RSA_PKCS_OAEP_PARAMS ckParam; - jfieldID fieldID; -- jlong jLong; -- jobject jObject; -+ jlong jHashAlg, jMgf, jSource; -+ jobject jSourceData; - CK_BYTE_PTR ckpByte; - - /* get hashAlg */ -+ jRsaPkcsOaepParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_OAEP_PARAMS); -+ if (jRsaPkcsOaepParamsClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jRsaPkcsOaepParamsClass, "hashAlg", "J"); -- assert(fieldID != 0); -- jLong = (*env)->GetLongField(env, jParam, fieldID); -- ckParam.hashAlg = jLongToCKULong(jLong); -+ if (fieldID == NULL) { return ckParam; } -+ jHashAlg = (*env)->GetLongField(env, jParam, fieldID); - - /* get mgf */ - fieldID = (*env)->GetFieldID(env, jRsaPkcsOaepParamsClass, "mgf", "J"); -- assert(fieldID != 0); -- jLong = (*env)->GetLongField(env, jParam, fieldID); -- ckParam.mgf = jLongToCKULong(jLong); -+ if (fieldID == NULL) { return ckParam; } -+ jMgf = (*env)->GetLongField(env, jParam, fieldID); - - /* get source */ - fieldID = (*env)->GetFieldID(env, jRsaPkcsOaepParamsClass, "source", "J"); -- assert(fieldID != 0); -- jLong = (*env)->GetLongField(env, jParam, fieldID); -- ckParam.source = jLongToCKULong(jLong); -+ if (fieldID == NULL) { return ckParam; } -+ jSource = (*env)->GetLongField(env, jParam, fieldID); - - /* get sourceData and sourceDataLength */ - fieldID = (*env)->GetFieldID(env, jRsaPkcsOaepParamsClass, "pSourceData", "[B"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jParam, fieldID); -- jByteArrayToCKByteArray(env, jObject, &ckpByte, &(ckParam.ulSourceDataLen)); -+ if (fieldID == NULL) { return ckParam; } -+ jSourceData = (*env)->GetObjectField(env, jParam, fieldID); -+ -+ /* populate java values */ -+ ckParam.hashAlg = jLongToCKULong(jHashAlg); -+ ckParam.mgf = jLongToCKULong(jMgf); -+ ckParam.source = jLongToCKULong(jSource); -+ jByteArrayToCKByteArray(env, jSourceData, & ckpByte, &(ckParam.ulSourceDataLen)); -+ if ((*env)->ExceptionCheck(env)) { return ckParam; } - ckParam.pSourceData = (CK_VOID_PTR) ckpByte; - - return ckParam ; -@@ -1105,36 +1332,50 @@ - */ - CK_PBE_PARAMS jPbeParamToCKPbeParam(JNIEnv *env, jobject jParam) - { -- jclass jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS); -+ jclass jPbeParamsClass; - CK_PBE_PARAMS ckParam; - jfieldID fieldID; -- jlong jLong; -- jobject jObject; -+ jlong jIteration; -+ jobject jInitVector, jPassword, jSalt; - CK_ULONG ckTemp; - - /* get pInitVector */ -+ jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS); -+ if (jPbeParamsClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVector", "[C"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jParam, fieldID); -- jCharArrayToCKCharArray(env, jObject, &(ckParam.pInitVector), &ckTemp); -+ if (fieldID == NULL) { return ckParam; } -+ jInitVector = (*env)->GetObjectField(env, jParam, fieldID); - - /* get pPassword and ulPasswordLength */ - fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pPassword", "[C"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jParam, fieldID); -- jCharArrayToCKCharArray(env, jObject, &(ckParam.pPassword), &(ckParam.ulPasswordLen)); -+ if (fieldID == NULL) { return ckParam; } -+ jPassword = (*env)->GetObjectField(env, jParam, fieldID); - - /* get pSalt and ulSaltLength */ - fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pSalt", "[C"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jParam, fieldID); -- jCharArrayToCKCharArray(env, jObject, &(ckParam.pSalt), &(ckParam.ulSaltLen)); -+ if (fieldID == NULL) { return ckParam; } -+ jSalt = (*env)->GetObjectField(env, jParam, fieldID); - - /* get ulIteration */ - fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "ulIteration", "J"); -- assert(fieldID != 0); -- jLong = (*env)->GetLongField(env, jParam, fieldID); -- ckParam.ulIteration = jLongToCKULong(jLong); -+ if (fieldID == NULL) { return ckParam; } -+ jIteration = (*env)->GetLongField(env, jParam, fieldID); -+ -+ /* populate java values */ -+ ckParam.ulIteration = jLongToCKULong(jIteration); -+ jCharArrayToCKCharArray(env, jInitVector, &(ckParam.pInitVector), &ckTemp); -+ if ((*env)->ExceptionCheck(env)) { return ckParam; } -+ jCharArrayToCKCharArray(env, jPassword, &(ckParam.pPassword), &(ckParam.ulPasswordLen)); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckParam.pInitVector); -+ return ckParam; -+ } -+ jCharArrayToCKCharArray(env, jSalt, &(ckParam.pSalt), &(ckParam.ulSaltLen)); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckParam.pInitVector); -+ free(ckParam.pPassword); -+ return ckParam; -+ } - - return ckParam ; - } -@@ -1147,8 +1388,7 @@ - */ - void copyBackPBEInitializationVector(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism) - { -- jclass jMechanismClass= (*env)->FindClass(env, CLASS_MECHANISM); -- jclass jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS); -+ jclass jMechanismClass, jPbeParamsClass; - CK_PBE_PARAMS *ckParam; - jfieldID fieldID; - CK_MECHANISM_TYPE ckMechanismType; -@@ -1161,8 +1401,10 @@ - jchar* jInitVectorChars; - - /* get mechanism */ -+ jMechanismClass = (*env)->FindClass(env, CLASS_MECHANISM); -+ if (jMechanismClass == NULL) { return; } - fieldID = (*env)->GetFieldID(env, jMechanismClass, "mechanism", "J"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return; } - jMechanismType = (*env)->GetLongField(env, jMechanism, fieldID); - ckMechanismType = jLongToCKULong(jMechanismType); - if (ckMechanismType != ckMechanism->mechanism) { -@@ -1170,21 +1412,25 @@ - return; - } - -+ jPbeParamsClass = (*env)->FindClass(env, CLASS_PBE_PARAMS); -+ if (jPbeParamsClass == NULL) { return; } - ckParam = (CK_PBE_PARAMS *) ckMechanism->pParameter; - if (ckParam != NULL_PTR) { - initVector = ckParam->pInitVector; - if (initVector != NULL_PTR) { - /* get pParameter */ - fieldID = (*env)->GetFieldID(env, jMechanismClass, "pParameter", "Ljava/lang/Object;"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return; } - jParameter = (*env)->GetObjectField(env, jMechanism, fieldID); - fieldID = (*env)->GetFieldID(env, jPbeParamsClass, "pInitVektor", "[C"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return; } - jInitVector = (*env)->GetObjectField(env, jParameter, fieldID); - - if (jInitVector != NULL) { - jInitVectorLength = (*env)->GetArrayLength(env, jInitVector); - jInitVectorChars = (*env)->GetCharArrayElements(env, jInitVector, NULL); -+ if (jInitVectorChars == NULL) { return; } -+ - /* copy the chars to the Java buffer */ - for (i=0; i < jInitVectorLength; i++) { - jInitVectorChars[i] = ckCharToJChar(initVector[i]); -@@ -1205,41 +1451,50 @@ - */ - CK_PKCS5_PBKD2_PARAMS jPkcs5Pbkd2ParamToCKPkcs5Pbkd2Param(JNIEnv *env, jobject jParam) - { -- jclass jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS); -+ jclass jPkcs5Pbkd2ParamsClass; - CK_PKCS5_PBKD2_PARAMS ckParam; - jfieldID fieldID; -- jlong jLong; -- jobject jObject; -+ jlong jSaltSource, jIteration, jPrf; -+ jobject jSaltSourceData, jPrfData; - - /* get saltSource */ -+ jPkcs5Pbkd2ParamsClass = (*env)->FindClass(env, CLASS_PKCS5_PBKD2_PARAMS); -+ if (jPkcs5Pbkd2ParamsClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "saltSource", "J"); -- assert(fieldID != 0); -- jLong = (*env)->GetLongField(env, jParam, fieldID); -- ckParam.saltSource = jLongToCKULong(jLong); -+ if (fieldID == NULL) { return ckParam; } -+ jSaltSource = (*env)->GetLongField(env, jParam, fieldID); - - /* get pSaltSourceData */ - fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pSaltSourceData", "[B"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jParam, fieldID); -- jByteArrayToCKByteArray(env, jObject, (CK_BYTE_PTR *) &(ckParam.pSaltSourceData), &(ckParam.ulSaltSourceDataLen)); -+ if (fieldID == NULL) { return ckParam; } -+ jSaltSourceData = (*env)->GetObjectField(env, jParam, fieldID); - - /* get iterations */ - fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "iterations", "J"); -- assert(fieldID != 0); -- jLong = (*env)->GetLongField(env, jParam, fieldID); -- ckParam.iterations = jLongToCKULong(jLong); -+ if (fieldID == NULL) { return ckParam; } -+ jIteration = (*env)->GetLongField(env, jParam, fieldID); - - /* get prf */ - fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "prf", "J"); -- assert(fieldID != 0); -- jLong = (*env)->GetLongField(env, jParam, fieldID); -- ckParam.prf = jLongToCKULong(jLong); -+ if (fieldID == NULL) { return ckParam; } -+ jPrf = (*env)->GetLongField(env, jParam, fieldID); - - /* get pPrfData and ulPrfDataLength in byte */ - fieldID = (*env)->GetFieldID(env, jPkcs5Pbkd2ParamsClass, "pPrfData", "[B"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jParam, fieldID); -- jByteArrayToCKByteArray(env, jObject, (CK_BYTE_PTR *) &(ckParam.pPrfData), &(ckParam.ulPrfDataLen)); -+ if (fieldID == NULL) { return ckParam; } -+ jPrfData = (*env)->GetObjectField(env, jParam, fieldID); -+ -+ /* populate java values */ -+ ckParam.saltSource = jLongToCKULong(jSaltSource); -+ jByteArrayToCKByteArray(env, jSaltSourceData, (CK_BYTE_PTR *) &(ckParam.pSaltSourceData), &(ckParam.ulSaltSourceDataLen)); -+ if ((*env)->ExceptionCheck(env)) { return ckParam; } -+ ckParam.iterations = jLongToCKULong(jIteration); -+ ckParam.prf = jLongToCKULong(jPrf); -+ jByteArrayToCKByteArray(env, jPrfData, (CK_BYTE_PTR *) &(ckParam.pPrfData), &(ckParam.ulPrfDataLen)); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckParam.pSaltSourceData); -+ return ckParam; -+ } - - return ckParam ; - } -@@ -1253,28 +1508,32 @@ - */ - CK_RSA_PKCS_PSS_PARAMS jRsaPkcsPssParamToCKRsaPkcsPssParam(JNIEnv *env, jobject jParam) - { -- jclass jRsaPkcsPssParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_PSS_PARAMS); -+ jclass jRsaPkcsPssParamsClass; - CK_RSA_PKCS_PSS_PARAMS ckParam; - jfieldID fieldID; -- jlong jLong; -+ jlong jHashAlg, jMgf, jSLen; - - /* get hashAlg */ -+ jRsaPkcsPssParamsClass = (*env)->FindClass(env, CLASS_RSA_PKCS_PSS_PARAMS); -+ if (jRsaPkcsPssParamsClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jRsaPkcsPssParamsClass, "hashAlg", "J"); -- assert(fieldID != 0); -- jLong = (*env)->GetLongField(env, jParam, fieldID); -- ckParam.hashAlg = jLongToCKULong(jLong); -+ if (fieldID == NULL) { return ckParam; } -+ jHashAlg = (*env)->GetLongField(env, jParam, fieldID); - - /* get mgf */ - fieldID = (*env)->GetFieldID(env, jRsaPkcsPssParamsClass, "mgf", "J"); -- assert(fieldID != 0); -- jLong = (*env)->GetLongField(env, jParam, fieldID); -- ckParam.mgf = jLongToCKULong(jLong); -+ if (fieldID == NULL) { return ckParam; } -+ jMgf = (*env)->GetLongField(env, jParam, fieldID); - - /* get sLen */ - fieldID = (*env)->GetFieldID(env, jRsaPkcsPssParamsClass, "sLen", "J"); -- assert(fieldID != 0); -- jLong = (*env)->GetLongField(env, jParam, fieldID); -- ckParam.sLen = jLongToCKULong(jLong); -+ if (fieldID == NULL) { return ckParam; } -+ jSLen = (*env)->GetLongField(env, jParam, fieldID); -+ -+ /* populate java values */ -+ ckParam.hashAlg = jLongToCKULong(jHashAlg); -+ ckParam.mgf = jLongToCKULong(jMgf); -+ ckParam.sLen = jLongToCKULong(jSLen); - - return ckParam ; - } -@@ -1288,29 +1547,39 @@ - */ - CK_ECDH1_DERIVE_PARAMS jEcdh1DeriveParamToCKEcdh1DeriveParam(JNIEnv *env, jobject jParam) - { -- jclass jEcdh1DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH1_DERIVE_PARAMS); -+ jclass jEcdh1DeriveParamsClass; - CK_ECDH1_DERIVE_PARAMS ckParam; - jfieldID fieldID; - jlong jLong; -- jobject jObject; -+ jobject jSharedData, jPublicData; - - /* get kdf */ -+ jEcdh1DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH1_DERIVE_PARAMS); -+ if (jEcdh1DeriveParamsClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jEcdh1DeriveParamsClass, "kdf", "J"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return ckParam; } - jLong = (*env)->GetLongField(env, jParam, fieldID); - ckParam.kdf = jLongToCKULong(jLong); - - /* get pSharedData and ulSharedDataLen */ - fieldID = (*env)->GetFieldID(env, jEcdh1DeriveParamsClass, "pSharedData", "[B"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jParam, fieldID); -- jByteArrayToCKByteArray(env, jObject, &(ckParam.pSharedData), &(ckParam.ulSharedDataLen)); -+ if (fieldID == NULL) { return ckParam; } -+ jSharedData = (*env)->GetObjectField(env, jParam, fieldID); - - /* get pPublicData and ulPublicDataLen */ - fieldID = (*env)->GetFieldID(env, jEcdh1DeriveParamsClass, "pPublicData", "[B"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jParam, fieldID); -- jByteArrayToCKByteArray(env, jObject, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen)); -+ if (fieldID == NULL) { return ckParam; } -+ jPublicData = (*env)->GetObjectField(env, jParam, fieldID); -+ -+ /* populate java values */ -+ ckParam.kdf = jLongToCKULong(jLong); -+ jByteArrayToCKByteArray(env, jSharedData, &(ckParam.pSharedData), &(ckParam.ulSharedDataLen)); -+ if ((*env)->ExceptionCheck(env)) { return ckParam; } -+ jByteArrayToCKByteArray(env, jPublicData, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen)); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckParam.pSharedData); -+ return ckParam; -+ } - - return ckParam ; - } -@@ -1324,48 +1593,61 @@ - */ - CK_ECDH2_DERIVE_PARAMS jEcdh2DeriveParamToCKEcdh2DeriveParam(JNIEnv *env, jobject jParam) - { -- jclass jEcdh2DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH2_DERIVE_PARAMS); -+ jclass jEcdh2DeriveParamsClass; - CK_ECDH2_DERIVE_PARAMS ckParam; - jfieldID fieldID; -- jlong jLong; -- jobject jObject; -+ jlong jKdf, jPrivateDataLen, jPrivateData; -+ jobject jSharedData, jPublicData, jPublicData2; - - /* get kdf */ -+ jEcdh2DeriveParamsClass = (*env)->FindClass(env, CLASS_ECDH2_DERIVE_PARAMS); -+ if (jEcdh2DeriveParamsClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "kdf", "J"); -- assert(fieldID != 0); -- jLong = (*env)->GetLongField(env, jParam, fieldID); -- ckParam.kdf = jLongToCKULong(jLong); -+ if (fieldID == NULL) { return ckParam; } -+ jKdf = (*env)->GetLongField(env, jParam, fieldID); - - /* get pSharedData and ulSharedDataLen */ - fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "pSharedData", "[B"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jParam, fieldID); -- jByteArrayToCKByteArray(env, jObject, &(ckParam.pSharedData), &(ckParam.ulSharedDataLen)); -+ if (fieldID == NULL) { return ckParam; } -+ jSharedData = (*env)->GetObjectField(env, jParam, fieldID); - - /* get pPublicData and ulPublicDataLen */ - fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "pPublicData", "[B"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jParam, fieldID); -- jByteArrayToCKByteArray(env, jObject, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen)); -+ if (fieldID == NULL) { return ckParam; } -+ jPublicData = (*env)->GetObjectField(env, jParam, fieldID); - - /* get ulPrivateDataLen */ - fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "ulPrivateDataLen", "J"); -- assert(fieldID != 0); -- jLong = (*env)->GetLongField(env, jParam, fieldID); -- ckParam.ulPrivateDataLen = jLongToCKULong(jLong); -+ if (fieldID == NULL) { return ckParam; } -+ jPrivateDataLen = (*env)->GetLongField(env, jParam, fieldID); - - /* get hPrivateData */ - fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "hPrivateData", "J"); -- assert(fieldID != 0); -- jLong = (*env)->GetLongField(env, jParam, fieldID); -- ckParam.hPrivateData = jLongToCKULong(jLong); -+ if (fieldID == NULL) { return ckParam; } -+ jPrivateData = (*env)->GetLongField(env, jParam, fieldID); - - /* get pPublicData2 and ulPublicDataLen2 */ - fieldID = (*env)->GetFieldID(env, jEcdh2DeriveParamsClass, "pPublicData2", "[B"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jParam, fieldID); -- jByteArrayToCKByteArray(env, jObject, &(ckParam.pPublicData2), &(ckParam.ulPublicDataLen2)); -+ if (fieldID == NULL) { return ckParam; } -+ jPublicData2 = (*env)->GetObjectField(env, jParam, fieldID); - -+ /* populate java values */ -+ ckParam.kdf = jLongToCKULong(jKdf); -+ jByteArrayToCKByteArray(env, jSharedData, &(ckParam.pSharedData), &(ckParam.ulSharedDataLen)); -+ if ((*env)->ExceptionCheck(env)) { return ckParam; } -+ jByteArrayToCKByteArray(env, jPublicData, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen)); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckParam.pSharedData); -+ return ckParam; -+ } -+ ckParam.ulPrivateDataLen = jLongToCKULong(jPrivateDataLen); -+ ckParam.hPrivateData = jLongToCKULong(jPrivateData); -+ jByteArrayToCKByteArray(env, jPublicData2, &(ckParam.pPublicData2), &(ckParam.ulPublicDataLen2)); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckParam.pSharedData); -+ free(ckParam.pPublicData); -+ return ckParam; -+ } - return ckParam ; - } - -@@ -1378,29 +1660,38 @@ - */ - CK_X9_42_DH1_DERIVE_PARAMS jX942Dh1DeriveParamToCKX942Dh1DeriveParam(JNIEnv *env, jobject jParam) - { -- jclass jX942Dh1DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH1_DERIVE_PARAMS); -+ jclass jX942Dh1DeriveParamsClass; - CK_X9_42_DH1_DERIVE_PARAMS ckParam; - jfieldID fieldID; -- jlong jLong; -- jobject jObject; -+ jlong jKdf; -+ jobject jOtherInfo, jPublicData; - - /* get kdf */ -+ jX942Dh1DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH1_DERIVE_PARAMS); -+ if (jX942Dh1DeriveParamsClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jX942Dh1DeriveParamsClass, "kdf", "J"); -- assert(fieldID != 0); -- jLong = (*env)->GetLongField(env, jParam, fieldID); -- ckParam.kdf = jLongToCKULong(jLong); -+ if (fieldID == NULL) { return ckParam; } -+ jKdf = (*env)->GetLongField(env, jParam, fieldID); - - /* get pOtherInfo and ulOtherInfoLen */ - fieldID = (*env)->GetFieldID(env, jX942Dh1DeriveParamsClass, "pOtherInfo", "[B"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jParam, fieldID); -- jByteArrayToCKByteArray(env, jObject, &(ckParam.pOtherInfo), &(ckParam.ulOtherInfoLen)); -+ if (fieldID == NULL) { return ckParam; } -+ jOtherInfo = (*env)->GetObjectField(env, jParam, fieldID); - - /* get pPublicData and ulPublicDataLen */ - fieldID = (*env)->GetFieldID(env, jX942Dh1DeriveParamsClass, "pPublicData", "[B"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jParam, fieldID); -- jByteArrayToCKByteArray(env, jObject, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen)); -+ if (fieldID == NULL) { return ckParam; } -+ jPublicData = (*env)->GetObjectField(env, jParam, fieldID); -+ -+ /* populate java values */ -+ ckParam.kdf = jLongToCKULong(jKdf); -+ jByteArrayToCKByteArray(env, jOtherInfo, &(ckParam.pOtherInfo), &(ckParam.ulOtherInfoLen)); -+ if ((*env)->ExceptionCheck(env)) { return ckParam; } -+ jByteArrayToCKByteArray(env, jPublicData, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen)); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckParam.pOtherInfo); -+ return ckParam; -+ } - - return ckParam ; - } -@@ -1414,47 +1705,61 @@ - */ - CK_X9_42_DH2_DERIVE_PARAMS jX942Dh2DeriveParamToCKX942Dh2DeriveParam(JNIEnv *env, jobject jParam) - { -- jclass jX942Dh2DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH2_DERIVE_PARAMS); -+ jclass jX942Dh2DeriveParamsClass; - CK_X9_42_DH2_DERIVE_PARAMS ckParam; - jfieldID fieldID; -- jlong jLong; -- jobject jObject; -+ jlong jKdf, jPrivateDataLen, jPrivateData; -+ jobject jOtherInfo, jPublicData, jPublicData2; - - /* get kdf */ -+ jX942Dh2DeriveParamsClass = (*env)->FindClass(env, CLASS_X9_42_DH2_DERIVE_PARAMS); -+ if (jX942Dh2DeriveParamsClass == NULL) { return ckParam; } - fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "kdf", "J"); -- assert(fieldID != 0); -- jLong = (*env)->GetLongField(env, jParam, fieldID); -- ckParam.kdf = jLongToCKULong(jLong); -+ if (fieldID == NULL) { return ckParam; } -+ jKdf = (*env)->GetLongField(env, jParam, fieldID); - - /* get pOtherInfo and ulOtherInfoLen */ - fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "pOtherInfo", "[B"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jParam, fieldID); -- jByteArrayToCKByteArray(env, jObject, &(ckParam.pOtherInfo), &(ckParam.ulOtherInfoLen)); -+ if (fieldID == NULL) { return ckParam; } -+ jOtherInfo = (*env)->GetObjectField(env, jParam, fieldID); - - /* get pPublicData and ulPublicDataLen */ - fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "pPublicData", "[B"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jParam, fieldID); -- jByteArrayToCKByteArray(env, jObject, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen)); -+ if (fieldID == NULL) { return ckParam; } -+ jPublicData = (*env)->GetObjectField(env, jParam, fieldID); - - /* get ulPrivateDataLen */ - fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "ulPrivateDataLen", "J"); -- assert(fieldID != 0); -- jLong = (*env)->GetLongField(env, jParam, fieldID); -- ckParam.ulPrivateDataLen = jLongToCKULong(jLong); -+ if (fieldID == NULL) { return ckParam; } -+ jPrivateDataLen = (*env)->GetLongField(env, jParam, fieldID); - - /* get hPrivateData */ - fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "hPrivateData", "J"); -- assert(fieldID != 0); -- jLong = (*env)->GetLongField(env, jParam, fieldID); -- ckParam.hPrivateData = jLongToCKULong(jLong); -+ if (fieldID == NULL) { return ckParam; } -+ jPrivateData = (*env)->GetLongField(env, jParam, fieldID); - - /* get pPublicData2 and ulPublicDataLen2 */ - fieldID = (*env)->GetFieldID(env, jX942Dh2DeriveParamsClass, "pPublicData2", "[B"); -- assert(fieldID != 0); -- jObject = (*env)->GetObjectField(env, jParam, fieldID); -- jByteArrayToCKByteArray(env, jObject, &(ckParam.pPublicData2), &(ckParam.ulPublicDataLen2)); -+ if (fieldID == NULL) { return ckParam; } -+ jPublicData2 = (*env)->GetObjectField(env, jParam, fieldID); -+ -+ /* populate java values */ -+ ckParam.kdf = jLongToCKULong(jKdf); -+ jByteArrayToCKByteArray(env, jOtherInfo, &(ckParam.pOtherInfo), &(ckParam.ulOtherInfoLen)); -+ if ((*env)->ExceptionCheck(env)) { return ckParam; } -+ jByteArrayToCKByteArray(env, jPublicData, &(ckParam.pPublicData), &(ckParam.ulPublicDataLen)); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckParam.pOtherInfo); -+ return ckParam; -+ } -+ ckParam.ulPrivateDataLen = jLongToCKULong(jPrivateDataLen); -+ ckParam.hPrivateData = jLongToCKULong(jPrivateData); -+ jByteArrayToCKByteArray(env, jPublicData2, &(ckParam.pPublicData2), &(ckParam.ulPublicDataLen2)); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckParam.pOtherInfo); -+ free(ckParam.pPublicData); -+ return ckParam; -+ } - - return ckParam ; - } -diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_crypt.c openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_crypt.c ---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_crypt.c 2014-10-08 16:35:09.000000000 +0100 -+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_crypt.c 2014-10-08 17:30:03.986103813 +0100 -@@ -81,6 +81,7 @@ - ckSessionHandle = jLongToCKULong(jSessionHandle); - ckKeyHandle = jLongToCKULong(jKeyHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); -+ if ((*env)->ExceptionCheck(env)) { return; } - - rv = (*ckpFunctions->C_EncryptInit)(ckSessionHandle, &ckMechanism, - ckKeyHandle); -@@ -126,14 +127,29 @@ - - if (jInLen > MAX_STACK_BUFFER_LEN) { - inBufP = (CK_BYTE_PTR)malloc((size_t)jInLen); -+ if (inBufP == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return 0; -+ } - } else { - inBufP = IBUF; - } - (*env)->GetByteArrayRegion(env, jIn, jInOfs, jInLen, (jbyte *)inBufP); -+ if ((*env)->ExceptionCheck(env)) { -+ if (inBufP != IBUF) { free(inBufP); } -+ return 0; -+ } - - ckEncryptedPartLen = jOutLen; - if (jOutLen > MAX_STACK_BUFFER_LEN) { - outBufP = (CK_BYTE_PTR)malloc((size_t)jOutLen); -+ if (outBufP == NULL) { -+ if (inBufP != IBUF) { -+ free(inBufP); -+ } -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return 0; -+ } - } else { - outBufP = OBUF; - } -@@ -193,10 +209,18 @@ - } else { - if (jInLen > MAX_STACK_BUFFER_LEN) { - inBufP = (CK_BYTE_PTR)malloc((size_t)jInLen); -+ if (inBufP == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return 0; -+ } - } else { - inBufP = IBUF; - } - (*env)->GetByteArrayRegion(env, jIn, jInOfs, jInLen, (jbyte *)inBufP); -+ if ((*env)->ExceptionCheck(env)) { -+ if (directIn == 0 && inBufP != IBUF) { free(inBufP); } -+ return 0; -+ } - } - - ckEncryptedPartLen = jOutLen; -@@ -205,6 +229,13 @@ - } else { - if (jOutLen > MAX_STACK_BUFFER_LEN) { - outBufP = (CK_BYTE_PTR)malloc((size_t)jOutLen); -+ if (outBufP == NULL) { -+ if (directIn == 0 && inBufP != IBUF) { -+ free(inBufP); -+ } -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return 0; -+ } - } else { - outBufP = OBUF; - } -@@ -317,6 +348,7 @@ - ckSessionHandle = jLongToCKULong(jSessionHandle); - ckKeyHandle = jLongToCKULong(jKeyHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); -+ if ((*env)->ExceptionCheck(env)) { return; } - - rv = (*ckpFunctions->C_DecryptInit)(ckSessionHandle, &ckMechanism, - ckKeyHandle); -@@ -362,14 +394,29 @@ - - if (jInLen > MAX_STACK_BUFFER_LEN) { - inBufP = (CK_BYTE_PTR)malloc((size_t)jInLen); -+ if (inBufP == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return 0; -+ } - } else { - inBufP = IBUF; - } - (*env)->GetByteArrayRegion(env, jIn, jInOfs, jInLen, (jbyte *)inBufP); -+ if ((*env)->ExceptionCheck(env)) { -+ if (inBufP != IBUF) { free(inBufP); } -+ return 0; -+ } - - ckPartLen = jOutLen; - if (jOutLen > MAX_STACK_BUFFER_LEN) { - outBufP = (CK_BYTE_PTR)malloc((size_t)jOutLen); -+ if (outBufP == NULL) { -+ if (inBufP != IBUF) { -+ free(inBufP); -+ } -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return 0; -+ } - } else { - outBufP = OBUF; - } -@@ -429,10 +476,18 @@ - } else { - if (jInLen > MAX_STACK_BUFFER_LEN) { - inBufP = (CK_BYTE_PTR)malloc((size_t)jInLen); -+ if (inBufP == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return 0; -+ } - } else { - inBufP = IBUF; - } - (*env)->GetByteArrayRegion(env, jIn, jInOfs, jInLen, (jbyte *)inBufP); -+ if ((*env)->ExceptionCheck(env)) { -+ if (directIn == 0 && inBufP != IBUF) { free(inBufP); } -+ return 0; -+ } - } - - ckDecryptedPartLen = jOutLen; -@@ -441,6 +496,13 @@ - } else { - if (jOutLen > MAX_STACK_BUFFER_LEN) { - outBufP = (CK_BYTE_PTR)malloc((size_t)jOutLen); -+ if (outBufP == NULL) { -+ if (directIn == 0 && inBufP != IBUF) { -+ free(inBufP); -+ } -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return 0; -+ } - } else { - outBufP = OBUF; - } -diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_digest.c openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_digest.c ---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_digest.c 2014-10-08 16:35:09.000000000 +0100 -+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_digest.c 2014-10-08 17:30:03.986103813 +0100 -@@ -75,6 +75,7 @@ - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); -+ if ((*env)->ExceptionCheck(env)) { return; } - - rv = (*ckpFunctions->C_DigestInit)(ckSessionHandle, &ckMechanism); - -@@ -82,7 +83,7 @@ - free(ckMechanism.pParameter); - } - -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } - } - #endif - -@@ -114,6 +115,7 @@ - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); -+ if ((*env)->ExceptionCheck(env)) { return 0; } - - rv = (*ckpFunctions->C_DigestInit)(ckSessionHandle, &ckMechanism); - -@@ -121,29 +123,32 @@ - free(ckMechanism.pParameter); - } - -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0; } - - if (jInLen <= MAX_STACK_BUFFER_LEN) { - bufP = BUF; - } else { - /* always use single part op, even for large data */ -- bufP = (CK_BYTE_PTR)malloc((size_t)jInLen); -+ bufP = (CK_BYTE_PTR) malloc((size_t)jInLen); -+ if (bufP == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return 0; -+ } - } - - (*env)->GetByteArrayRegion(env, jIn, jInOfs, jInLen, (jbyte *)bufP); -- rv = (*ckpFunctions->C_Digest)(ckSessionHandle, bufP, jInLen, DIGESTBUF, &ckDigestLength); -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { -- if (bufP != BUF) { -- free(bufP); -- } -+ if ((*env)->ExceptionCheck(env)) { -+ if (bufP != BUF) { free(bufP); } - return 0; - } - -- (*env)->SetByteArrayRegion(env, jDigest, jDigestOfs, ckDigestLength, (jbyte *)DIGESTBUF); -- -- if (bufP != BUF) { -- free(bufP); -+ rv = (*ckpFunctions->C_Digest)(ckSessionHandle, bufP, jInLen, DIGESTBUF, &ckDigestLength); -+ if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { -+ (*env)->SetByteArrayRegion(env, jDigest, jDigestOfs, ckDigestLength, (jbyte *)DIGESTBUF); - } -+ -+ if (bufP != BUF) { free(bufP); } -+ - return ckDigestLength; - } - #endif -@@ -183,17 +188,23 @@ - bufP = BUF; - } else { - bufLen = min(MAX_HEAP_BUFFER_LEN, jInLen); -- bufP = (CK_BYTE_PTR)malloc((size_t)bufLen); -+ bufP = (CK_BYTE_PTR) malloc((size_t)bufLen); -+ if (bufP == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - } - - while (jInLen > 0) { - jsize chunkLen = min(bufLen, jInLen); - (*env)->GetByteArrayRegion(env, jIn, jInOfs, chunkLen, (jbyte *)bufP); -+ if ((*env)->ExceptionCheck(env)) { -+ if (bufP != BUF) { free(bufP); } -+ return; -+ } - rv = (*ckpFunctions->C_DigestUpdate)(ckSessionHandle, bufP, chunkLen); -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { -- if (bufP != BUF) { -- free(bufP); -- } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { -+ if (bufP != BUF) { free(bufP); } - return; - } - jInOfs += chunkLen; -@@ -229,7 +240,7 @@ - ckKeyHandle = jLongToCKULong(jKeyHandle); - - rv = (*ckpFunctions->C_DigestKey)(ckSessionHandle, ckKeyHandle); -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } - } - #endif - -@@ -257,10 +268,9 @@ - ckSessionHandle = jLongToCKULong(jSessionHandle); - - rv = (*ckpFunctions->C_DigestFinal)(ckSessionHandle, BUF, &ckDigestLength); -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0 ; } -- -- (*env)->SetByteArrayRegion(env, jDigest, jDigestOfs, ckDigestLength, (jbyte *)BUF); -- -+ if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { -+ (*env)->SetByteArrayRegion(env, jDigest, jDigestOfs, ckDigestLength, (jbyte *)BUF); -+ } - return ckDigestLength; - } - #endif -@@ -288,12 +298,13 @@ - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jByteArrayToCKByteArray(env, jSeed, &ckpSeed, &ckSeedLength); -+ if ((*env)->ExceptionCheck(env)) { return; } - - rv = (*ckpFunctions->C_SeedRandom)(ckSessionHandle, ckpSeed, ckSeedLength); - - free(ckpSeed); - -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } - } - #endif - -@@ -322,6 +333,7 @@ - - jRandomBufferLength = (*env)->GetArrayLength(env, jRandomData); - jRandomBuffer = (*env)->GetByteArrayElements(env, jRandomData, NULL); -+ if (jRandomBuffer == NULL) { return; } - - rv = (*ckpFunctions->C_GenerateRandom)(ckSessionHandle, - (CK_BYTE_PTR) jRandomBuffer, -@@ -330,6 +342,6 @@ - /* copy back generated bytes */ - (*env)->ReleaseByteArrayElements(env, jRandomData, jRandomBuffer, 0); - -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } - } - #endif -diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_dual.c openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_dual.c ---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_dual.c 2014-10-08 16:35:09.000000000 +0100 -+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_dual.c 2014-10-08 17:30:03.986103813 +0100 -@@ -73,7 +73,7 @@ - CK_SESSION_HANDLE ckSessionHandle; - CK_BYTE_PTR ckpPart = NULL_PTR, ckpEncryptedPart; - CK_ULONG ckPartLength, ckEncryptedPartLength = 0; -- jbyteArray jEncryptedPart; -+ jbyteArray jEncryptedPart = NULL; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); -@@ -81,20 +81,28 @@ - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jByteArrayToCKByteArray(env, jPart, &ckpPart, &ckPartLength); -+ if ((*env)->ExceptionCheck(env)) { return NULL; } - - rv = (*ckpFunctions->C_DigestEncryptUpdate)(ckSessionHandle, ckpPart, ckPartLength, NULL_PTR, &ckEncryptedPartLength); -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { -+ free(ckpPart); -+ return NULL; -+ } - - ckpEncryptedPart = (CK_BYTE_PTR) malloc(ckEncryptedPartLength * sizeof(CK_BYTE)); -+ if (ckpEncryptedPart == NULL) { -+ free(ckpPart); -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } - - rv = (*ckpFunctions->C_DigestEncryptUpdate)(ckSessionHandle, ckpPart, ckPartLength, ckpEncryptedPart, &ckEncryptedPartLength); -- -- jEncryptedPart = ckByteArrayToJByteArray(env, ckpEncryptedPart, ckEncryptedPartLength); -+ if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { -+ jEncryptedPart = ckByteArrayToJByteArray(env, ckpEncryptedPart, ckEncryptedPartLength); -+ } - free(ckpPart); - free(ckpEncryptedPart); - -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } -- - return jEncryptedPart ; - } - #endif -@@ -117,7 +125,7 @@ - CK_SESSION_HANDLE ckSessionHandle; - CK_BYTE_PTR ckpPart, ckpEncryptedPart = NULL_PTR; - CK_ULONG ckPartLength = 0, ckEncryptedPartLength; -- jbyteArray jPart; -+ jbyteArray jPart = NULL; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); -@@ -125,19 +133,27 @@ - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jByteArrayToCKByteArray(env, jEncryptedPart, &ckpEncryptedPart, &ckEncryptedPartLength); -+ if ((*env)->ExceptionCheck(env)) { return NULL; } - - rv = (*ckpFunctions->C_DecryptDigestUpdate)(ckSessionHandle, ckpEncryptedPart, ckEncryptedPartLength, NULL_PTR, &ckPartLength); -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { -+ free(ckpEncryptedPart); -+ return NULL; -+ } - - ckpPart = (CK_BYTE_PTR) malloc(ckPartLength * sizeof(CK_BYTE)); -+ if (ckpPart == NULL) { -+ free(ckpEncryptedPart); -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } - - rv = (*ckpFunctions->C_DecryptDigestUpdate)(ckSessionHandle, ckpEncryptedPart, ckEncryptedPartLength, ckpPart, &ckPartLength); -- -- jPart = ckByteArrayToJByteArray(env, ckpPart, ckPartLength); -- free(ckpPart); -+ if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { -+ jPart = ckByteArrayToJByteArray(env, ckpPart, ckPartLength); -+ } - free(ckpEncryptedPart); -- -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } -+ free(ckpPart); - - return jPart ; - } -@@ -161,7 +177,7 @@ - CK_SESSION_HANDLE ckSessionHandle; - CK_BYTE_PTR ckpPart = NULL_PTR, ckpEncryptedPart; - CK_ULONG ckPartLength, ckEncryptedPartLength = 0; -- jbyteArray jEncryptedPart; -+ jbyteArray jEncryptedPart = NULL; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); -@@ -169,20 +185,28 @@ - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jByteArrayToCKByteArray(env, jPart, &ckpPart, &ckPartLength); -+ if ((*env)->ExceptionCheck(env)) { return NULL; } - - rv = (*ckpFunctions->C_SignEncryptUpdate)(ckSessionHandle, ckpPart, ckPartLength, NULL_PTR, &ckEncryptedPartLength); -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { -+ free(ckpPart); -+ return NULL; -+ } - - ckpEncryptedPart = (CK_BYTE_PTR) malloc(ckEncryptedPartLength * sizeof(CK_BYTE)); -+ if (ckpEncryptedPart == NULL) { -+ free(ckpPart); -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } - - rv = (*ckpFunctions->C_SignEncryptUpdate)(ckSessionHandle, ckpPart, ckPartLength, ckpEncryptedPart, &ckEncryptedPartLength); -- -- jEncryptedPart = ckByteArrayToJByteArray(env, ckpEncryptedPart, ckEncryptedPartLength); -+ if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { -+ jEncryptedPart = ckByteArrayToJByteArray(env, ckpEncryptedPart, ckEncryptedPartLength); -+ } - free(ckpPart); - free(ckpEncryptedPart); - -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } -- - return jEncryptedPart ; - } - #endif -@@ -205,7 +229,7 @@ - CK_SESSION_HANDLE ckSessionHandle; - CK_BYTE_PTR ckpPart, ckpEncryptedPart = NULL_PTR; - CK_ULONG ckPartLength = 0, ckEncryptedPartLength; -- jbyteArray jPart; -+ jbyteArray jPart = NULL; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); -@@ -213,19 +237,28 @@ - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jByteArrayToCKByteArray(env, jEncryptedPart, &ckpEncryptedPart, &ckEncryptedPartLength); -+ if ((*env)->ExceptionCheck(env)) { return NULL; } - - rv = (*ckpFunctions->C_DecryptVerifyUpdate)(ckSessionHandle, ckpEncryptedPart, ckEncryptedPartLength, NULL_PTR, &ckPartLength); -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { -+ free(ckpEncryptedPart); -+ return NULL; -+ } - - ckpPart = (CK_BYTE_PTR) malloc(ckPartLength * sizeof(CK_BYTE)); -+ if (ckpPart == NULL) { -+ free(ckpEncryptedPart); -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } - - rv = (*ckpFunctions->C_DecryptVerifyUpdate)(ckSessionHandle, ckpEncryptedPart, ckEncryptedPartLength, ckpPart, &ckPartLength); - -- jPart = ckByteArrayToJByteArray(env, ckpPart, ckPartLength); -- free(ckpPart); -+ if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { -+ jPart = ckByteArrayToJByteArray(env, ckpPart, ckPartLength); -+ } - free(ckpEncryptedPart); -- -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } -+ free(ckpPart); - - return jPart ; - } -@@ -252,7 +285,7 @@ - - /* C_GetFunctionStatus should always return CKR_FUNCTION_NOT_PARALLEL */ - rv = (*ckpFunctions->C_GetFunctionStatus)(ckSessionHandle); -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } - } - #endif - -@@ -277,6 +310,6 @@ - - /* C_GetFunctionStatus should always return CKR_FUNCTION_NOT_PARALLEL */ - rv = (*ckpFunctions->C_CancelFunction)(ckSessionHandle); -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } - } - #endif -diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_general.c openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_general.c ---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_general.c 2014-10-08 16:35:09.000000000 +0100 -+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_general.c 2014-10-08 17:30:03.986103813 +0100 -@@ -102,6 +102,7 @@ - - jclass fetchClass(JNIEnv *env, const char *name) { - jclass tmpClass = (*env)->FindClass(env, name); -+ if (tmpClass == NULL) { return NULL; } - return (*env)->NewGlobalRef(env, tmpClass); - } - -@@ -110,14 +111,18 @@ - - /* PKCS11 */ - pNativeDataID = (*env)->GetFieldID(env, thisClass, "pNativeData", "J"); -+ if (pNativeDataID == NULL) { return; } - - /* CK_MECHANISM */ - tmpClass = (*env)->FindClass(env, CLASS_MECHANISM); -+ if (tmpClass == NULL) { return; } - mech_mechanismID = (*env)->GetFieldID(env, tmpClass, "mechanism", "J"); -+ if (mech_mechanismID == NULL) { return; } - mech_pParameterID = (*env)->GetFieldID(env, tmpClass, "pParameter", - "Ljava/lang/Object;"); -- -+ if (mech_pParameterID == NULL) { return; } - jByteArrayClass = fetchClass(env, "[B"); -+ if (jByteArrayClass == NULL) { return; } - jLongClass = fetchClass(env, "java/lang/Long"); - } - -@@ -252,10 +257,9 @@ - if (ckpFunctions == NULL) { return NULL; } - - rv = (*ckpFunctions->C_GetInfo)(&ckLibInfo); -- if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } -- -- jInfoObject = ckInfoPtrToJInfo(env, &ckLibInfo); -- -+ if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { -+ jInfoObject = ckInfoPtrToJInfo(env, &ckLibInfo); -+ } - return jInfoObject ; - } - -@@ -279,28 +283,31 @@ - - /* load CK_INFO class */ - jInfoClass = (*env)->FindClass(env, CLASS_INFO); -- assert(jInfoClass != 0); -+ if (jInfoClass == NULL) { return NULL; }; - - /* load CK_INFO constructor */ - jCtrId = (*env)->GetMethodID - (env, jInfoClass, "<init>", - "(Lsun/security/pkcs11/wrapper/CK_VERSION;[CJ[CLsun/security/pkcs11/wrapper/CK_VERSION;)V"); -- -- assert(jCtrId != 0); -+ if (jCtrId == NULL) { return NULL; } - - /* prep all fields */ - jCryptokiVer = ckVersionPtrToJVersion(env, &(ckpInfo->cryptokiVersion)); -+ if (jCryptokiVer == NULL) { return NULL; } - jVendor = - ckUTF8CharArrayToJCharArray(env, &(ckpInfo->manufacturerID[0]), 32); -+ if (jVendor == NULL) { return NULL; } - jFlags = ckULongToJLong(ckpInfo->flags); - jLibraryDesc = - ckUTF8CharArrayToJCharArray(env, &(ckpInfo->libraryDescription[0]), 32); -+ if (jLibraryDesc == NULL) { return NULL; } - jLibraryVer = ckVersionPtrToJVersion(env, &(ckpInfo->libraryVersion)); -+ if (jLibraryVer == NULL) { return NULL; } - - /* create new CK_INFO object */ - jInfoObject = (*env)->NewObject(env, jInfoClass, jCtrId, jCryptokiVer, - jVendor, jFlags, jLibraryDesc, jLibraryVer); -- assert(jInfoObject != 0); -+ if (jInfoObject == NULL) { return NULL; } - - /* free local references */ - (*env)->DeleteLocalRef(env, jInfoClass); -@@ -343,15 +350,18 @@ - if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } - - ckpSlotList = (CK_SLOT_ID_PTR) malloc(ckTokenNumber * sizeof(CK_SLOT_ID)); -+ if (ckpSlotList == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } - - rv = (*ckpFunctions->C_GetSlotList)(ckTokenPresent, ckpSlotList, - &ckTokenNumber); -- -- jSlotList = ckULongArrayToJLongArray(env, ckpSlotList, ckTokenNumber); -+ if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { -+ jSlotList = ckULongArrayToJLongArray(env, ckpSlotList, ckTokenNumber); -+ } - free(ckpSlotList); - -- if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } -- - return jSlotList ; - } - #endif -@@ -380,10 +390,9 @@ - ckSlotID = jLongToCKULong(jSlotID); - - rv = (*ckpFunctions->C_GetSlotInfo)(ckSlotID, &ckSlotInfo); -- if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } -- -- jSlotInfoObject = ckSlotInfoPtrToJSlotInfo(env, &ckSlotInfo); -- -+ if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { -+ jSlotInfoObject = ckSlotInfoPtrToJSlotInfo(env, &ckSlotInfo); -+ } - return jSlotInfoObject ; - } - -@@ -410,28 +419,32 @@ - - /* load CK_SLOT_INFO class */ - jSlotInfoClass = (*env)->FindClass(env, CLASS_SLOT_INFO); -- assert(jSlotInfoClass != 0); -+ if (jSlotInfoClass == NULL) { return NULL; }; - - /* load CK_SLOT_INFO constructor */ - jCtrId = (*env)->GetMethodID - (env, jSlotInfoClass, "<init>", - "([C[CJLsun/security/pkcs11/wrapper/CK_VERSION;Lsun/security/pkcs11/wrapper/CK_VERSION;)V"); -- assert(jCtrId != 0); -+ if (jCtrId == NULL) { return NULL; } - - /* prep all fields */ - jSlotDesc = - ckUTF8CharArrayToJCharArray(env, &(ckpSlotInfo->slotDescription[0]), 64); -+ if (jSlotDesc == NULL) { return NULL; } - jVendor = - ckUTF8CharArrayToJCharArray(env, &(ckpSlotInfo->manufacturerID[0]), 32); -+ if (jVendor == NULL) { return NULL; } - jFlags = ckULongToJLong(ckpSlotInfo->flags); - jHardwareVer = ckVersionPtrToJVersion(env, &(ckpSlotInfo->hardwareVersion)); -+ if (jHardwareVer == NULL) { return NULL; } - jFirmwareVer = ckVersionPtrToJVersion(env, &(ckpSlotInfo->firmwareVersion)); -+ if (jFirmwareVer == NULL) { return NULL; } - - /* create new CK_SLOT_INFO object */ - jSlotInfoObject = (*env)->NewObject - (env, jSlotInfoClass, jCtrId, jSlotDesc, jVendor, jFlags, - jHardwareVer, jFirmwareVer); -- assert(jSlotInfoObject != 0); -+ if (jSlotInfoObject == NULL) { return NULL; } - - /* free local references */ - (*env)->DeleteLocalRef(env, jSlotInfoClass); -@@ -460,7 +473,7 @@ - { - CK_SLOT_ID ckSlotID; - CK_TOKEN_INFO ckTokenInfo; -- jobject jInfoTokenObject; -+ jobject jInfoTokenObject = NULL; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); -@@ -469,10 +482,9 @@ - ckSlotID = jLongToCKULong(jSlotID); - - rv = (*ckpFunctions->C_GetTokenInfo)(ckSlotID, &ckTokenInfo); -- if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } -- -- jInfoTokenObject = ckTokenInfoPtrToJTokenInfo(env, &ckTokenInfo); -- -+ if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { -+ jInfoTokenObject = ckTokenInfoPtrToJTokenInfo(env, &ckTokenInfo); -+ } - return jInfoTokenObject ; - } - -@@ -512,21 +524,25 @@ - - /* load CK_TOKEN_INFO class */ - jTokenInfoClass = (*env)->FindClass(env, CLASS_TOKEN_INFO); -- assert(jTokenInfoClass != 0); -+ if (jTokenInfoClass == NULL) { return NULL; }; - - /* load CK_TOKEN_INFO constructor */ - jCtrId = (*env)->GetMethodID - (env, jTokenInfoClass, "<init>", - "([C[C[C[CJJJJJJJJJJJLsun/security/pkcs11/wrapper/CK_VERSION;Lsun/security/pkcs11/wrapper/CK_VERSION;[C)V"); -- assert(jCtrId != 0); -+ if (jCtrId == NULL) { return NULL; }; - - /* prep all fields */ - jLabel = ckUTF8CharArrayToJCharArray(env, &(ckpTokenInfo->label[0]), 32); -+ if (jLabel == NULL) { return NULL; }; - jVendor = - ckUTF8CharArrayToJCharArray(env, &(ckpTokenInfo->manufacturerID[0]), 32); -+ if (jVendor == NULL) { return NULL; }; - jModel = ckUTF8CharArrayToJCharArray(env, &(ckpTokenInfo->model[0]), 16); -+ if (jModel == NULL) { return NULL; }; - jSerialNo = - ckUTF8CharArrayToJCharArray(env, &(ckpTokenInfo->serialNumber[0]), 16); -+ if (jSerialNo == NULL) { return NULL; }; - jFlags = ckULongToJLong(ckpTokenInfo->flags); - jMaxSnCnt = ckULongSpecialToJLong(ckpTokenInfo->ulMaxSessionCount); - jSnCnt = ckULongSpecialToJLong(ckpTokenInfo->ulSessionCount); -@@ -540,10 +556,13 @@ - jFreePrivMem = ckULongSpecialToJLong(ckpTokenInfo->ulFreePrivateMemory); - jHardwareVer = - ckVersionPtrToJVersion(env, &(ckpTokenInfo->hardwareVersion)); -+ if (jHardwareVer == NULL) { return NULL; } - jFirmwareVer = - ckVersionPtrToJVersion(env, &(ckpTokenInfo->firmwareVersion)); -+ if (jFirmwareVer == NULL) { return NULL; } - jUtcTime = - ckUTF8CharArrayToJCharArray(env, &(ckpTokenInfo->utcTime[0]), 16); -+ if (jUtcTime == NULL) { return NULL; } - - /* create new CK_TOKEN_INFO object */ - jTokenInfoObject = -@@ -553,7 +572,7 @@ - jMaxPinLen, jMinPinLen, - jTotalPubMem, jFreePubMem, jTotalPrivMem, jFreePrivMem, - jHardwareVer, jFirmwareVer, jUtcTime); -- assert(jTokenInfoObject != 0); -+ if (jTokenInfoObject == NULL) { return NULL; } - - /* free local references */ - (*env)->DeleteLocalRef(env, jTokenInfoClass); -@@ -584,7 +603,7 @@ - { - CK_FLAGS ckFlags; - CK_SLOT_ID ckSlotID; -- jlong jSlotID; -+ jlong jSlotID = 0L; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); -@@ -593,9 +612,9 @@ - ckFlags = jLongToCKULong(jFlags); - - rv = (*ckpFunctions->C_WaitForSlotEvent)(ckFlags, &ckSlotID, NULL_PTR); -- if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0L; } -- -- jSlotID = ckULongToJLong(ckSlotID); -+ if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { -+ jSlotID = ckULongToJLong(ckSlotID); -+ } - - return jSlotID ; - } -@@ -632,16 +651,19 @@ - - ckpMechanismList = (CK_MECHANISM_TYPE_PTR) - malloc(ckMechanismNumber * sizeof(CK_MECHANISM_TYPE)); -+ if (ckpMechanismList == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } - - rv = (*ckpFunctions->C_GetMechanismList)(ckSlotID, ckpMechanismList, - &ckMechanismNumber); -- -- jMechanismList = ckULongArrayToJLongArray(env, ckpMechanismList, -- ckMechanismNumber); -+ if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { -+ jMechanismList = ckULongArrayToJLongArray(env, ckpMechanismList, -+ ckMechanismNumber); -+ } - free(ckpMechanismList); - -- if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } -- - return jMechanismList ; - } - #endif -@@ -663,7 +685,7 @@ - CK_SLOT_ID ckSlotID; - CK_MECHANISM_TYPE ckMechanismType; - CK_MECHANISM_INFO ckMechanismInfo; -- jobject jMechanismInfo; -+ jobject jMechanismInfo = NULL; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); -@@ -674,10 +696,9 @@ - - rv = (*ckpFunctions->C_GetMechanismInfo)(ckSlotID, ckMechanismType, - &ckMechanismInfo); -- if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } -- -- jMechanismInfo = ckMechanismInfoPtrToJMechanismInfo(env, &ckMechanismInfo); -- -+ if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { -+ jMechanismInfo = ckMechanismInfoPtrToJMechanismInfo(env, &ckMechanismInfo); -+ } - return jMechanismInfo ; - } - -@@ -703,11 +724,11 @@ - - /* load CK_MECHANISM_INFO class */ - jMechanismInfoClass = (*env)->FindClass(env, CLASS_MECHANISM_INFO); -- assert(jMechanismInfoClass != 0); -+ if (jMechanismInfoClass == NULL) { return NULL; }; - - /* load CK_MECHANISM_INFO constructor */ - jCtrId = (*env)->GetMethodID(env, jMechanismInfoClass, "<init>", "(JJJ)V"); -- assert(jCtrId != 0); -+ if (jCtrId == NULL) { return NULL; }; - - /* prep all fields */ - jMinKeySize = ckULongToJLong(ckpMechanismInfo->ulMinKeySize); -@@ -717,7 +738,7 @@ - /* create new CK_MECHANISM_INFO object */ - jMechanismInfoObject = (*env)->NewObject(env, jMechanismInfoClass, jCtrId, - jMinKeySize, jMaxKeySize, jFlags); -- assert(jMechanismInfoObject != 0); -+ if (jMechanismInfoObject == NULL) { return NULL; }; - - /* free local references */ - (*env)->DeleteLocalRef(env, jMechanismInfoClass); -@@ -753,8 +774,13 @@ - - ckSlotID = jLongToCKULong(jSlotID); - jCharArrayToCKCharArray(env, jPin, &ckpPin, &ckPinLength); -- jCharArrayToCKUTF8CharArray(env, jLabel, &ckpLabel, &ckLabelLength); -+ if ((*env)->ExceptionCheck(env)) { return; } - /* ckLabelLength <= 32 !!! */ -+ jCharArrayToCKUTF8CharArray(env, jLabel, &ckpLabel, &ckLabelLength); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckpPin); -+ return; -+ } - - rv = (*ckpFunctions->C_InitToken)(ckSlotID, ckpPin, ckPinLength, ckpLabel); - TRACE1("InitToken return code: %d", rv); -@@ -790,6 +816,7 @@ - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jCharArrayToCKCharArray(env, jPin, &ckpPin, &ckPinLength); -+ if ((*env)->ExceptionCheck(env)) { return; } - - rv = (*ckpFunctions->C_InitPIN)(ckSessionHandle, ckpPin, ckPinLength); - -@@ -828,7 +855,12 @@ - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jCharArrayToCKCharArray(env, jOldPin, &ckpOldPin, &ckOldPinLength); -+ if ((*env)->ExceptionCheck(env)) { return; } - jCharArrayToCKCharArray(env, jNewPin, &ckpNewPin, &ckNewPinLength); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckpOldPin); -+ return; -+ } - - rv = (*ckpFunctions->C_SetPIN)(ckSessionHandle, ckpOldPin, ckOldPinLength, - ckpNewPin, ckNewPinLength); -diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_keymgmt.c openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_keymgmt.c ---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_keymgmt.c 2014-10-08 16:35:09.000000000 +0100 -+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_keymgmt.c 2014-10-08 17:30:03.990103869 +0100 -@@ -74,7 +74,7 @@ - CK_ATTRIBUTE_PTR ckpAttributes = NULL_PTR; - CK_ULONG ckAttributesLength; - CK_OBJECT_HANDLE ckKeyHandle; -- jlong jKeyHandle; -+ jlong jKeyHandle = 0L; - CK_ULONG i; - CK_RV rv; - -@@ -83,21 +83,23 @@ - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); -- if ((*env)->ExceptionOccurred(env)) { return 0L ; } -+ if ((*env)->ExceptionCheck(env)) { return 0L ; } -+ - jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength); -+ if ((*env)->ExceptionCheck(env)) { -+ if (ckMechanism.pParameter != NULL_PTR) { -+ free(ckMechanism.pParameter); -+ } -+ return 0L; -+ } - - rv = (*ckpFunctions->C_GenerateKey)(ckSessionHandle, &ckMechanism, ckpAttributes, ckAttributesLength, &ckKeyHandle); - -- jKeyHandle = ckULongToJLong(ckKeyHandle); -- for(i=0; i<ckAttributesLength; i++) { -- if(ckpAttributes[i].pValue != NULL_PTR) { -- free(ckpAttributes[i].pValue); -- } -- } -- free(ckpAttributes); -+ if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { -+ jKeyHandle = ckULongToJLong(ckKeyHandle); - -- /* cheack, if we must give a initialization vector back to Java */ -- switch (ckMechanism.mechanism) { -+ /* cheack, if we must give a initialization vector back to Java */ -+ switch (ckMechanism.mechanism) { - case CKM_PBE_MD2_DES_CBC: - case CKM_PBE_MD5_DES_CBC: - case CKM_PBE_MD5_CAST_CBC: -@@ -109,13 +111,13 @@ - /* we must copy back the initialization vector to the jMechanism object */ - copyBackPBEInitializationVector(env, &ckMechanism, jMechanism); - break; -+ } - } - -- if(ckMechanism.pParameter != NULL_PTR) { -+ if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } -- -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0L ; } -+ freeCKAttributeArray(ckpAttributes, ckAttributesLength); - - return jKeyHandle ; - } -@@ -158,40 +160,53 @@ - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); -- jAttributeArrayToCKAttributeArray(env, jPublicKeyTemplate, &ckpPublicKeyAttributes, &ckPublicKeyAttributesLength); -- jAttributeArrayToCKAttributeArray(env, jPrivateKeyTemplate, &ckpPrivateKeyAttributes, &ckPrivateKeyAttributesLength); -+ if ((*env)->ExceptionCheck(env)) { return NULL; } -+ - ckpKeyHandles = (CK_OBJECT_HANDLE_PTR) malloc(2 * sizeof(CK_OBJECT_HANDLE)); -+ if (ckpKeyHandles == NULL) { -+ if (ckMechanism.pParameter != NULL_PTR) { -+ free(ckMechanism.pParameter); -+ } -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } - ckpPublicKeyHandle = ckpKeyHandles; /* first element of array is Public Key */ - ckpPrivateKeyHandle = (ckpKeyHandles + 1); /* second element of array is Private Key */ - -+ jAttributeArrayToCKAttributeArray(env, jPublicKeyTemplate, &ckpPublicKeyAttributes, &ckPublicKeyAttributesLength); -+ if ((*env)->ExceptionCheck(env)) { -+ if (ckMechanism.pParameter != NULL_PTR) { -+ free(ckMechanism.pParameter); -+ } -+ free(ckpKeyHandles); -+ return NULL; -+ } -+ -+ jAttributeArrayToCKAttributeArray(env, jPrivateKeyTemplate, &ckpPrivateKeyAttributes, &ckPrivateKeyAttributesLength); -+ if ((*env)->ExceptionCheck(env)) { -+ if (ckMechanism.pParameter != NULL_PTR) { -+ free(ckMechanism.pParameter); -+ } -+ free(ckpKeyHandles); -+ freeCKAttributeArray(ckpPublicKeyAttributes, ckPublicKeyAttributesLength); -+ return NULL; -+ } -+ - rv = (*ckpFunctions->C_GenerateKeyPair)(ckSessionHandle, &ckMechanism, - ckpPublicKeyAttributes, ckPublicKeyAttributesLength, - ckpPrivateKeyAttributes, ckPrivateKeyAttributesLength, - ckpPublicKeyHandle, ckpPrivateKeyHandle); - -- jKeyHandles = ckULongArrayToJLongArray(env, ckpKeyHandles, 2); -- -- for(i=0; i<ckPublicKeyAttributesLength; i++) { -- if(ckpPublicKeyAttributes[i].pValue != NULL_PTR) { -- free(ckpPublicKeyAttributes[i].pValue); -- } -- } -- free(ckpPublicKeyAttributes); -- -- for(i=0; i<ckPrivateKeyAttributesLength; i++) { -- if(ckpPrivateKeyAttributes[i].pValue != NULL_PTR) { -- free(ckpPrivateKeyAttributes[i].pValue); -- } -+ if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { -+ jKeyHandles = ckULongArrayToJLongArray(env, ckpKeyHandles, 2); - } -- free(ckpPrivateKeyAttributes); - - if(ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } -- - free(ckpKeyHandles); -- -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL; } -+ freeCKAttributeArray(ckpPublicKeyAttributes, ckPublicKeyAttributesLength); -+ freeCKAttributeArray(ckpPrivateKeyAttributes, ckPrivateKeyAttributesLength); - - return jKeyHandles ; - } -@@ -217,7 +232,7 @@ - CK_MECHANISM ckMechanism; - CK_OBJECT_HANDLE ckWrappingKeyHandle; - CK_OBJECT_HANDLE ckKeyHandle; -- jbyteArray jWrappedKey; -+ jbyteArray jWrappedKey = NULL; - CK_RV rv; - CK_BYTE BUF[MAX_STACK_BUFFER_LEN]; - CK_BYTE_PTR ckpWrappedKey = BUF; -@@ -228,24 +243,32 @@ - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); -+ if ((*env)->ExceptionCheck(env)) { return NULL; } -+ - ckWrappingKeyHandle = jLongToCKULong(jWrappingKeyHandle); - ckKeyHandle = jLongToCKULong(jKeyHandle); - - rv = (*ckpFunctions->C_WrapKey)(ckSessionHandle, &ckMechanism, ckWrappingKeyHandle, ckKeyHandle, ckpWrappedKey, &ckWrappedKeyLength); - if (rv == CKR_BUFFER_TOO_SMALL) { - ckpWrappedKey = (CK_BYTE_PTR) malloc(ckWrappedKeyLength); -+ if (ckpWrappedKey == NULL) { -+ if (ckMechanism.pParameter != NULL_PTR) { -+ free(ckMechanism.pParameter); -+ } -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } -+ - rv = (*ckpFunctions->C_WrapKey)(ckSessionHandle, &ckMechanism, ckWrappingKeyHandle, ckKeyHandle, ckpWrappedKey, &ckWrappedKeyLength); - } - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - jWrappedKey = ckByteArrayToJByteArray(env, ckpWrappedKey, ckWrappedKeyLength); - } - -- if (ckpWrappedKey != BUF) { -- free(ckpWrappedKey); -- } -- if(ckMechanism.pParameter != NULL_PTR) -+ if (ckpWrappedKey != BUF) { free(ckpWrappedKey); } -+ if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); -- -+ } - return jWrappedKey ; - } - #endif -@@ -277,7 +300,7 @@ - CK_ATTRIBUTE_PTR ckpAttributes = NULL_PTR; - CK_ULONG ckAttributesLength; - CK_OBJECT_HANDLE ckKeyHandle; -- jlong jKeyHandle; -+ jlong jKeyHandle = 0L; - CK_ULONG i; - CK_RV rv; - -@@ -286,37 +309,48 @@ - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); -+ if ((*env)->ExceptionCheck(env)) { return 0L; } -+ - ckUnwrappingKeyHandle = jLongToCKULong(jUnwrappingKeyHandle); - jByteArrayToCKByteArray(env, jWrappedKey, &ckpWrappedKey, &ckWrappedKeyLength); -+ if ((*env)->ExceptionCheck(env)) { -+ if (ckMechanism.pParameter != NULL_PTR) { -+ free(ckMechanism.pParameter); -+ } -+ return 0L; -+ } -+ - jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength); -+ if ((*env)->ExceptionCheck(env)) { -+ if (ckMechanism.pParameter != NULL_PTR) { -+ free(ckMechanism.pParameter); -+ } -+ free(ckpWrappedKey); -+ return 0L; -+ } -+ - - rv = (*ckpFunctions->C_UnwrapKey)(ckSessionHandle, &ckMechanism, ckUnwrappingKeyHandle, - ckpWrappedKey, ckWrappedKeyLength, - ckpAttributes, ckAttributesLength, &ckKeyHandle); - -- jKeyHandle = ckLongToJLong(ckKeyHandle); -- -- for(i=0; i<ckAttributesLength; i++) { -- if(ckpAttributes[i].pValue != NULL_PTR) { -- free(ckpAttributes[i].pValue); -- } -- } -- free(ckpAttributes); -+ if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { -+ jKeyHandle = ckLongToJLong(ckKeyHandle); - - #if 0 -- /* cheack, if we must give a initialization vector back to Java */ -- if (ckMechanism.mechanism == CKM_KEY_WRAP_SET_OAEP) { -- /* we must copy back the unwrapped key info to the jMechanism object */ -- copyBackSetUnwrappedKey(env, &ckMechanism, jMechanism); -- } -+ /* cheack, if we must give a initialization vector back to Java */ -+ if (ckMechanism.mechanism == CKM_KEY_WRAP_SET_OAEP) { -+ /* we must copy back the unwrapped key info to the jMechanism object */ -+ copyBackSetUnwrappedKey(env, &ckMechanism, jMechanism); -+ } - #endif -+ } - -- free(ckpWrappedKey); -- if(ckMechanism.pParameter != NULL_PTR) { -+ if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } -- -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0L ; } -+ freeCKAttributeArray(ckpAttributes, ckAttributesLength); -+ free(ckpWrappedKey); - - return jKeyHandle ; - } -@@ -360,8 +394,7 @@ - */ - void copyBackTLSPrfParams(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism) - { -- jclass jMechanismClass= (*env)->FindClass(env, CLASS_MECHANISM); -- jclass jTLSPrfParamsClass = (*env)->FindClass(env, CLASS_TLS_PRF_PARAMS); -+ jclass jMechanismClass, jTLSPrfParamsClass; - CK_TLS_PRF_PARAMS *ckTLSPrfParams; - jobject jTLSPrfParams; - jfieldID fieldID; -@@ -374,8 +407,10 @@ - int i; - - /* get mechanism */ -+ jMechanismClass = (*env)->FindClass(env, CLASS_MECHANISM); -+ if (jMechanismClass == NULL) { return; } - fieldID = (*env)->GetFieldID(env, jMechanismClass, "mechanism", "J"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return; } - jMechanismType = (*env)->GetLongField(env, jMechanism, fieldID); - ckMechanismType = jLongToCKULong(jMechanismType); - if (ckMechanismType != ckMechanism->mechanism) { -@@ -388,12 +423,14 @@ - if (ckTLSPrfParams != NULL_PTR) { - /* get the Java CK_TLS_PRF_PARAMS object (pParameter) */ - fieldID = (*env)->GetFieldID(env, jMechanismClass, "pParameter", "Ljava/lang/Object;"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return; } - jTLSPrfParams = (*env)->GetObjectField(env, jMechanism, fieldID); - - /* copy back the client IV */ -+ jTLSPrfParamsClass = (*env)->FindClass(env, CLASS_TLS_PRF_PARAMS); -+ if (jTLSPrfParamsClass == NULL) { return; } - fieldID = (*env)->GetFieldID(env, jTLSPrfParamsClass, "pOutput", "[B"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return; } - jOutput = (*env)->GetObjectField(env, jTLSPrfParams, fieldID); - output = ckTLSPrfParams->pOutput; - -@@ -402,26 +439,21 @@ - if (jOutput != NULL) { - jLength = (*env)->GetArrayLength(env, jOutput); - jBytes = (*env)->GetByteArrayElements(env, jOutput, NULL); -+ if (jBytes == NULL) { return; } -+ - /* copy the bytes to the Java buffer */ - for (i=0; i < jLength; i++) { - jBytes[i] = ckByteToJByte(output[i]); - } - /* copy back the Java buffer to the object */ - (*env)->ReleaseByteArrayElements(env, jOutput, jBytes, 0); -- // free malloc'd data -- free(output); - } - - // free malloc'd data -- if (ckTLSPrfParams->pSeed != NULL) { -- free(ckTLSPrfParams->pSeed); -- } -- if (ckTLSPrfParams->pLabel != NULL) { -- free(ckTLSPrfParams->pLabel); -- } -- if (ckTLSPrfParams->pulOutputLen != NULL) { -- free(ckTLSPrfParams->pulOutputLen); -- } -+ free(ckTLSPrfParams->pSeed); -+ free(ckTLSPrfParams->pLabel); -+ free(ckTLSPrfParams->pulOutputLen); -+ free(ckTLSPrfParams->pOutput); - } - } - -@@ -456,8 +488,16 @@ - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); -+ if ((*env)->ExceptionCheck(env)) { return 0L; } -+ - ckBaseKeyHandle = jLongToCKULong(jBaseKeyHandle); - jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength); -+ if ((*env)->ExceptionCheck(env)) { -+ if (ckMechanism.pParameter != NULL_PTR) { -+ free(ckMechanism.pParameter); -+ } -+ return 0L; -+ } - - switch (ckMechanism.mechanism) { - case CKM_SSL3_KEY_AND_MAC_DERIVE: -@@ -476,14 +516,8 @@ - ckpAttributes, ckAttributesLength, phKey); - - jKeyHandle = ckLongToJLong(ckKeyHandle); -- for(i=0; i<ckAttributesLength; i++) { -- if(ckpAttributes[i].pValue != NULL_PTR) { -- free(ckpAttributes[i].pValue); -- } -- } -- if (ckpAttributes != NULL) { -- free(ckpAttributes); -- } -+ -+ freeCKAttributeArray(ckpAttributes, ckAttributesLength); - - switch (ckMechanism.mechanism) { - case CKM_SSL3_MASTER_KEY_DERIVE: -@@ -512,11 +546,10 @@ - break; - } - -- if(ckMechanism.pParameter != NULL_PTR) { -+ if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } -- -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0L ; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0L ; } - - return jKeyHandle ; - } -@@ -529,9 +562,7 @@ - */ - void copyBackClientVersion(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism) - { -- jclass jMechanismClass= (*env)->FindClass(env, CLASS_MECHANISM); -- jclass jSSL3MasterKeyDeriveParamsClass = (*env)->FindClass(env, CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS); -- jclass jVersionClass = (*env)->FindClass(env, CLASS_VERSION); -+ jclass jMechanismClass, jSSL3MasterKeyDeriveParamsClass, jVersionClass; - CK_SSL3_MASTER_KEY_DERIVE_PARAMS *ckSSL3MasterKeyDeriveParams; - CK_VERSION *ckVersion; - jfieldID fieldID; -@@ -541,8 +572,10 @@ - jobject jVersion; - - /* get mechanism */ -+ jMechanismClass = (*env)->FindClass(env, CLASS_MECHANISM); -+ if (jMechanismClass == NULL) { return; } - fieldID = (*env)->GetFieldID(env, jMechanismClass, "mechanism", "J"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return; } - jMechanismType = (*env)->GetLongField(env, jMechanism, fieldID); - ckMechanismType = jLongToCKULong(jMechanismType); - if (ckMechanismType != ckMechanism->mechanism) { -@@ -558,27 +591,31 @@ - if (ckVersion != NULL_PTR) { - /* get the Java CK_SSL3_MASTER_KEY_DERIVE_PARAMS (pParameter) */ - fieldID = (*env)->GetFieldID(env, jMechanismClass, "pParameter", "Ljava/lang/Object;"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return; } -+ - jSSL3MasterKeyDeriveParams = (*env)->GetObjectField(env, jMechanism, fieldID); - - /* get the Java CK_VERSION */ -+ jSSL3MasterKeyDeriveParamsClass = (*env)->FindClass(env, CLASS_SSL3_MASTER_KEY_DERIVE_PARAMS); -+ if (jSSL3MasterKeyDeriveParamsClass == NULL) { return; } - fieldID = (*env)->GetFieldID(env, jSSL3MasterKeyDeriveParamsClass, "pVersion", "L"CLASS_VERSION";"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return; } - jVersion = (*env)->GetObjectField(env, jSSL3MasterKeyDeriveParams, fieldID); - - /* now copy back the version from the native structure to the Java structure */ - - /* copy back the major version */ -+ jVersionClass = (*env)->FindClass(env, CLASS_VERSION); -+ if (jVersionClass == NULL) { return; } - fieldID = (*env)->GetFieldID(env, jVersionClass, "major", "B"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return; } - (*env)->SetByteField(env, jVersion, fieldID, ckByteToJByte(ckVersion->major)); - - /* copy back the minor version */ - fieldID = (*env)->GetFieldID(env, jVersionClass, "minor", "B"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return; } - (*env)->SetByteField(env, jVersion, fieldID, ckByteToJByte(ckVersion->minor)); - } -- - } - } - -@@ -591,9 +628,7 @@ - */ - void copyBackSSLKeyMatParams(JNIEnv *env, CK_MECHANISM *ckMechanism, jobject jMechanism) - { -- jclass jMechanismClass= (*env)->FindClass(env, CLASS_MECHANISM); -- jclass jSSL3KeyMatParamsClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_PARAMS); -- jclass jSSL3KeyMatOutClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_OUT); -+ jclass jMechanismClass, jSSL3KeyMatParamsClass, jSSL3KeyMatOutClass; - CK_SSL3_KEY_MAT_PARAMS *ckSSL3KeyMatParam; - CK_SSL3_KEY_MAT_OUT *ckSSL3KeyMatOut; - jfieldID fieldID; -@@ -608,8 +643,10 @@ - int i; - - /* get mechanism */ -+ jMechanismClass= (*env)->FindClass(env, CLASS_MECHANISM); -+ if (jMechanismClass == NULL) { return; } - fieldID = (*env)->GetFieldID(env, jMechanismClass, "mechanism", "J"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return; } - jMechanismType = (*env)->GetLongField(env, jMechanism, fieldID); - ckMechanismType = jLongToCKULong(jMechanismType); - if (ckMechanismType != ckMechanism->mechanism) { -@@ -633,74 +670,78 @@ - if (ckSSL3KeyMatOut != NULL_PTR) { - /* get the Java CK_SSL3_KEY_MAT_PARAMS (pParameter) */ - fieldID = (*env)->GetFieldID(env, jMechanismClass, "pParameter", "Ljava/lang/Object;"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return; } - jSSL3KeyMatParam = (*env)->GetObjectField(env, jMechanism, fieldID); - - /* get the Java CK_SSL3_KEY_MAT_OUT */ -+ jSSL3KeyMatParamsClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_PARAMS); -+ if (jSSL3KeyMatParamsClass == NULL) { return; } - fieldID = (*env)->GetFieldID(env, jSSL3KeyMatParamsClass, "pReturnedKeyMaterial", "L"CLASS_SSL3_KEY_MAT_OUT";"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return; } - jSSL3KeyMatOut = (*env)->GetObjectField(env, jSSL3KeyMatParam, fieldID); - - /* now copy back all the key handles and the initialization vectors */ - /* copy back client MAC secret handle */ -+ jSSL3KeyMatOutClass = (*env)->FindClass(env, CLASS_SSL3_KEY_MAT_OUT); -+ if (jSSL3KeyMatOutClass == NULL) { return; } - fieldID = (*env)->GetFieldID(env, jSSL3KeyMatOutClass, "hClientMacSecret", "J"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return; } - (*env)->SetLongField(env, jSSL3KeyMatOut, fieldID, ckULongToJLong(ckSSL3KeyMatOut->hClientMacSecret)); - - /* copy back server MAC secret handle */ - fieldID = (*env)->GetFieldID(env, jSSL3KeyMatOutClass, "hServerMacSecret", "J"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return; } - (*env)->SetLongField(env, jSSL3KeyMatOut, fieldID, ckULongToJLong(ckSSL3KeyMatOut->hServerMacSecret)); - - /* copy back client secret key handle */ - fieldID = (*env)->GetFieldID(env, jSSL3KeyMatOutClass, "hClientKey", "J"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return; } - (*env)->SetLongField(env, jSSL3KeyMatOut, fieldID, ckULongToJLong(ckSSL3KeyMatOut->hClientKey)); - - /* copy back server secret key handle */ - fieldID = (*env)->GetFieldID(env, jSSL3KeyMatOutClass, "hServerKey", "J"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return; } - (*env)->SetLongField(env, jSSL3KeyMatOut, fieldID, ckULongToJLong(ckSSL3KeyMatOut->hServerKey)); - - /* copy back the client IV */ - fieldID = (*env)->GetFieldID(env, jSSL3KeyMatOutClass, "pIVClient", "[B"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return; } - jIV = (*env)->GetObjectField(env, jSSL3KeyMatOut, fieldID); - iv = ckSSL3KeyMatOut->pIVClient; - - if (jIV != NULL) { - jLength = (*env)->GetArrayLength(env, jIV); - jBytes = (*env)->GetByteArrayElements(env, jIV, NULL); -+ if (jBytes == NULL) { return; } - /* copy the bytes to the Java buffer */ - for (i=0; i < jLength; i++) { - jBytes[i] = ckByteToJByte(iv[i]); - } - /* copy back the Java buffer to the object */ - (*env)->ReleaseByteArrayElements(env, jIV, jBytes, 0); -- // free malloc'd data -- free(iv); - } -+ // free malloc'd data -+ free(ckSSL3KeyMatOut->pIVClient); - - /* copy back the server IV */ - fieldID = (*env)->GetFieldID(env, jSSL3KeyMatOutClass, "pIVServer", "[B"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return; } - jIV = (*env)->GetObjectField(env, jSSL3KeyMatOut, fieldID); - iv = ckSSL3KeyMatOut->pIVServer; - - if (jIV != NULL) { - jLength = (*env)->GetArrayLength(env, jIV); - jBytes = (*env)->GetByteArrayElements(env, jIV, NULL); -+ if (jBytes == NULL) { return; } - /* copy the bytes to the Java buffer */ - for (i=0; i < jLength; i++) { - jBytes[i] = ckByteToJByte(iv[i]); - } - /* copy back the Java buffer to the object */ - (*env)->ReleaseByteArrayElements(env, jIV, jBytes, 0); -- // free malloc'd data -- free(iv); - } -- - // free malloc'd data -+ free(ckSSL3KeyMatOut->pIVServer); - free(ckSSL3KeyMatOut); - } - } -diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_mutex.c openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_mutex.c ---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_mutex.c 2014-10-08 16:35:09.000000000 +0100 -+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_mutex.c 2014-10-08 17:30:03.990103869 +0100 -@@ -76,7 +76,7 @@ - CK_C_INITIALIZE_ARGS_PTR makeCKInitArgsAdapter(JNIEnv *env, jobject jInitArgs) - { - CK_C_INITIALIZE_ARGS_PTR ckpInitArgs; -- jclass jInitArgsClass = (*env)->FindClass(env, CLASS_C_INITIALIZE_ARGS); -+ jclass jInitArgsClass; - jfieldID fieldID; - jlong jFlags; - jobject jReserved; -@@ -91,10 +91,20 @@ - - /* convert the Java InitArgs object to a pointer to a CK_C_INITIALIZE_ARGS structure */ - ckpInitArgs = (CK_C_INITIALIZE_ARGS_PTR) malloc(sizeof(CK_C_INITIALIZE_ARGS)); -+ if (ckpInitArgs == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL_PTR; -+ } - - /* Set the mutex functions that will call the Java mutex functions, but - * only set it, if the field is not null. - */ -+ jInitArgsClass = (*env)->FindClass(env, CLASS_C_INITIALIZE_ARGS); -+ if (jInitArgsClass == NULL) { -+ free(ckpInitArgs); -+ return NULL; -+ } -+ - #ifdef NO_CALLBACKS - ckpInitArgs->CreateMutex = NULL_PTR; - ckpInitArgs->DestroyMutex = NULL_PTR; -@@ -102,22 +112,22 @@ - ckpInitArgs->UnlockMutex = NULL_PTR; - #else - fieldID = (*env)->GetFieldID(env, jInitArgsClass, "CreateMutex", "Lsun/security/pkcs11/wrapper/CK_CREATEMUTEX;"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return NULL; } - jMutexHandler = (*env)->GetObjectField(env, jInitArgs, fieldID); - ckpInitArgs->CreateMutex = (jMutexHandler != NULL) ? &callJCreateMutex : NULL_PTR; - - fieldID = (*env)->GetFieldID(env, jInitArgsClass, "DestroyMutex", "Lsun/security/pkcs11/wrapper/CK_DESTROYMUTEX;"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return NULL; } - jMutexHandler = (*env)->GetObjectField(env, jInitArgs, fieldID); - ckpInitArgs->DestroyMutex = (jMutexHandler != NULL) ? &callJDestroyMutex : NULL_PTR; - - fieldID = (*env)->GetFieldID(env, jInitArgsClass, "LockMutex", "Lsun/security/pkcs11/wrapper/CK_LOCKMUTEX;"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return NULL; } - jMutexHandler = (*env)->GetObjectField(env, jInitArgs, fieldID); - ckpInitArgs->LockMutex = (jMutexHandler != NULL) ? &callJLockMutex : NULL_PTR; - - fieldID = (*env)->GetFieldID(env, jInitArgsClass, "UnlockMutex", "Lsun/security/pkcs11/wrapper/CK_UNLOCKMUTEX;"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return NULL; } - jMutexHandler = (*env)->GetObjectField(env, jInitArgs, fieldID); - ckpInitArgs->UnlockMutex = (jMutexHandler != NULL) ? &callJUnlockMutex : NULL_PTR; - -@@ -129,19 +139,25 @@ - /* set the global object jInitArgs so that the right Java mutex functions will be called */ - jInitArgsObject = (*env)->NewGlobalRef(env, jInitArgs); - ckpGlobalInitArgs = (CK_C_INITIALIZE_ARGS_PTR) malloc(sizeof(CK_C_INITIALIZE_ARGS)); -+ if (ckpGlobalInitArgs == NULL) { -+ free(ckpInitArgs); -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL_PTR; -+ } -+ - memcpy(ckpGlobalInitArgs, ckpInitArgs, sizeof(CK_C_INITIALIZE_ARGS)); - } - #endif /* NO_CALLBACKS */ - - /* convert and set the flags field */ - fieldID = (*env)->GetFieldID(env, jInitArgsClass, "flags", "J"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return NULL; } - jFlags = (*env)->GetLongField(env, jInitArgs, fieldID); - ckpInitArgs->flags = jLongToCKULong(jFlags); - - /* pReserved should be NULL_PTR in this version */ - fieldID = (*env)->GetFieldID(env, jInitArgsClass, "pReserved", "Ljava/lang/Object;"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return NULL; } - jReserved = (*env)->GetObjectField(env, jInitArgs, fieldID); - - /* we try to convert the reserved parameter also */ -@@ -201,20 +217,21 @@ - wasAttached = 1; - } - -- - jCreateMutexClass = (*env)->FindClass(env, CLASS_CREATEMUTEX); -+ if (jCreateMutexClass == NULL) { return rv; } - jInitArgsClass = (*env)->FindClass(env, CLASS_C_INITIALIZE_ARGS); -+ if (jInitArgsClass == NULL) { return rv; } - - /* get the CreateMutex object out of the jInitArgs object */ - fieldID = (*env)->GetFieldID(env, jInitArgsClass, "CreateMutex", "Lsun/security/pkcs11/wrapper/CK_CREATEMUTEX;"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return rv; } - jCreateMutex = (*env)->GetObjectField(env, jInitArgsObject, fieldID); - assert(jCreateMutex != 0); - - /* call the CK_CREATEMUTEX function of the CreateMutex object */ - /* and get the new Java mutex object */ - methodID = (*env)->GetMethodID(env, jCreateMutexClass, "CK_CREATEMUTEX", "()Ljava/lang/Object;"); -- assert(methodID != 0); -+ if (methodID == NULL) { return rv; } - jMutex = (*env)->CallObjectMethod(env, jCreateMutex, methodID); - - /* set a global reference on the Java mutex */ -@@ -227,10 +244,13 @@ - pkcs11Exception = (*env)->ExceptionOccurred(env); - - if (pkcs11Exception != NULL) { -+ /* TBD: clear the pending exception with ExceptionClear? */ - /* The was an exception thrown, now we get the error-code from it */ - pkcs11ExceptionClass = (*env)->FindClass(env, CLASS_PKCS11EXCEPTION); -+ if (pkcs11ExceptionClass == NULL) { return rv; } - methodID = (*env)->GetMethodID(env, pkcs11ExceptionClass, "getErrorCode", "()J"); -- assert(methodID != 0); -+ if (methodID == NULL) { return rv; } -+ - errorCode = (*env)->CallLongMethod(env, pkcs11Exception, methodID); - rv = jLongToCKULong(errorCode); - } -@@ -292,22 +312,23 @@ - wasAttached = 1; - } - -- - jDestroyMutexClass = (*env)->FindClass(env, CLASS_DESTROYMUTEX); -+ if (jDestroyMutexClass == NULL) { return rv; } - jInitArgsClass = (*env)->FindClass(env, CLASS_C_INITIALIZE_ARGS); -+ if (jInitArgsClass == NULL) { return rv; } - - /* convert the CK mutex to a Java mutex */ - jMutex = ckVoidPtrToJObject(pMutex); - - /* get the DestroyMutex object out of the jInitArgs object */ - fieldID = (*env)->GetFieldID(env, jInitArgsClass, "DestroyMutex", "Lsun/security/pkcs11/wrapper/CK_DESTROYMUTEX;"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return rv; } - jDestroyMutex = (*env)->GetObjectField(env, jInitArgsObject, fieldID); - assert(jDestroyMutex != 0); - - /* call the CK_DESTROYMUTEX method of the DestroyMutex object */ - methodID = (*env)->GetMethodID(env, jDestroyMutexClass, "CK_DESTROYMUTEX", "(Ljava/lang/Object;)V"); -- assert(methodID != 0); -+ if (methodID == NULL) { return rv; } - (*env)->CallVoidMethod(env, jDestroyMutex, methodID, jMutex); - - /* delete the global reference on the Java mutex */ -@@ -318,10 +339,12 @@ - pkcs11Exception = (*env)->ExceptionOccurred(env); - - if (pkcs11Exception != NULL) { -+ /* TBD: clear the pending exception with ExceptionClear? */ - /* The was an exception thrown, now we get the error-code from it */ - pkcs11ExceptionClass = (*env)->FindClass(env, CLASS_PKCS11EXCEPTION); -+ if (pkcs11ExceptionClass == NULL) { return rv; } - methodID = (*env)->GetMethodID(env, pkcs11ExceptionClass, "getErrorCode", "()J"); -- assert(methodID != 0); -+ if (methodID == NULL) { return rv; } - errorCode = (*env)->CallLongMethod(env, pkcs11Exception, methodID); - rv = jLongToCKULong(errorCode); - } -@@ -383,33 +406,35 @@ - wasAttached = 1; - } - -- - jLockMutexClass = (*env)->FindClass(env, CLASS_LOCKMUTEX); -+ if (jLockMutexClass == NULL) { return rv; } - jInitArgsClass = (*env)->FindClass(env, CLASS_C_INITIALIZE_ARGS); -+ if (jInitArgsClass == NULL) { return rv; } - - /* convert the CK mutex to a Java mutex */ - jMutex = ckVoidPtrToJObject(pMutex); - - /* get the LockMutex object out of the jInitArgs object */ - fieldID = (*env)->GetFieldID(env, jInitArgsClass, "LockMutex", "Lsun/security/pkcs11/wrapper/CK_LOCKMUTEX;"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return rv; } - jLockMutex = (*env)->GetObjectField(env, jInitArgsObject, fieldID); - assert(jLockMutex != 0); - - /* call the CK_LOCKMUTEX method of the LockMutex object */ - methodID = (*env)->GetMethodID(env, jLockMutexClass, "CK_LOCKMUTEX", "(Ljava/lang/Object;)V"); -- assert(methodID != 0); -+ if (methodID == NULL) { return rv; } - (*env)->CallVoidMethod(env, jLockMutex, methodID, jMutex); - -- - /* check, if callback threw an exception */ - pkcs11Exception = (*env)->ExceptionOccurred(env); - - if (pkcs11Exception != NULL) { -+ /* TBD: clear the pending exception with ExceptionClear? */ - /* The was an exception thrown, now we get the error-code from it */ - pkcs11ExceptionClass = (*env)->FindClass(env, CLASS_PKCS11EXCEPTION); -+ if (pkcs11ExceptionClass == NULL) { return rv; } - methodID = (*env)->GetMethodID(env, pkcs11ExceptionClass, "getErrorCode", "()J"); -- assert(methodID != 0); -+ if (methodID == NULL) { return rv; } - errorCode = (*env)->CallLongMethod(env, pkcs11Exception, methodID); - rv = jLongToCKULong(errorCode); - } -@@ -471,33 +496,35 @@ - wasAttached = 1; - } - -- - jUnlockMutexClass = (*env)->FindClass(env, CLASS_UNLOCKMUTEX); -+ if (jUnlockMutexClass == NULL) { return rv; } - jInitArgsClass = (*env)->FindClass(env, CLASS_C_INITIALIZE_ARGS); -+ if (jInitArgsClass == NULL) { return rv; } - - /* convert the CK-type mutex to a Java mutex */ - jMutex = ckVoidPtrToJObject(pMutex); - - /* get the UnlockMutex object out of the jInitArgs object */ - fieldID = (*env)->GetFieldID(env, jInitArgsClass, "UnlockMutex", "Lsun/security/pkcs11/wrapper/CK_UNLOCKMUTEX;"); -- assert(fieldID != 0); -+ if (fieldID == NULL) { return rv; } - jUnlockMutex = (*env)->GetObjectField(env, jInitArgsObject, fieldID); - assert(jUnlockMutex != 0); - - /* call the CK_UNLOCKMUTEX method of the UnLockMutex object */ - methodID = (*env)->GetMethodID(env, jUnlockMutexClass, "CK_UNLOCKMUTEX", "(Ljava/lang/Object;)V"); -- assert(methodID != 0); -+ if (methodID == NULL) { return rv; } - (*env)->CallVoidMethod(env, jUnlockMutex, methodID, jMutex); - -- - /* check, if callback threw an exception */ - pkcs11Exception = (*env)->ExceptionOccurred(env); - - if (pkcs11Exception != NULL) { -+ /* TBD: clear the pending exception with ExceptionClear? */ - /* The was an exception thrown, now we get the error-code from it */ - pkcs11ExceptionClass = (*env)->FindClass(env, CLASS_PKCS11EXCEPTION); -+ if (pkcs11ExceptionClass == NULL) { return rv; } - methodID = (*env)->GetMethodID(env, pkcs11ExceptionClass, "getErrorCode", "()J"); -- assert(methodID != 0); -+ if (methodID == NULL) { return rv; } - errorCode = (*env)->CallLongMethod(env, pkcs11Exception, methodID); - rv = jLongToCKULong(errorCode); - } -diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_objmgmt.c openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_objmgmt.c ---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_objmgmt.c 2014-10-08 16:35:09.000000000 +0100 -+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_objmgmt.c 2014-10-08 17:30:03.990103869 +0100 -@@ -81,16 +81,14 @@ - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength); -+ if ((*env)->ExceptionCheck(env)) { return 0L; } - - rv = (*ckpFunctions->C_CreateObject)(ckSessionHandle, ckpAttributes, ckAttributesLength, &ckObjectHandle); - - jObjectHandle = ckULongToJLong(ckObjectHandle); -- for(i=0; i<ckAttributesLength; i++) -- if(ckpAttributes[i].pValue != NULL_PTR) -- free(ckpAttributes[i].pValue); -- free(ckpAttributes); -+ freeCKAttributeArray(ckpAttributes, ckAttributesLength); - -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0L ; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0L ; } - - return jObjectHandle ; - } -@@ -126,14 +124,12 @@ - ckSessionHandle = jLongToCKULong(jSessionHandle); - ckObjectHandle = jLongToCKULong(jObjectHandle); - jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength); -+ if ((*env)->ExceptionCheck(env)) { return 0L; } - - rv = (*ckpFunctions->C_CopyObject)(ckSessionHandle, ckObjectHandle, ckpAttributes, ckAttributesLength, &ckNewObjectHandle); - - jNewObjectHandle = ckULongToJLong(ckNewObjectHandle); -- for(i=0; i<ckAttributesLength; i++) -- if(ckpAttributes[i].pValue != NULL_PTR) -- free(ckpAttributes[i].pValue); -- free(ckpAttributes); -+ freeCKAttributeArray(ckpAttributes, ckAttributesLength); - - if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0L ; } - -@@ -164,7 +160,7 @@ - ckObjectHandle = jLongToCKULong(jObjectHandle); - - rv = (*ckpFunctions->C_DestroyObject)(ckSessionHandle, ckObjectHandle); -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } - } - #endif - -@@ -194,7 +190,7 @@ - ckObjectHandle = jLongToCKULong(jObjectHandle); - - rv = (*ckpFunctions->C_GetObjectSize)(ckSessionHandle, ckObjectHandle, &ckObjectSize); -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0L ; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0L ; } - - jObjectSize = ckULongToJLong(ckObjectSize); - -@@ -221,7 +217,7 @@ - CK_ATTRIBUTE_PTR ckpAttributes = NULL_PTR; - CK_ULONG ckAttributesLength; - CK_ULONG ckBufferLength; -- CK_ULONG i; -+ CK_ULONG i, j; - jobject jAttribute; - CK_RV rv; - -@@ -238,19 +234,20 @@ - ckObjectHandle = jLongToCKULong(jObjectHandle); - TRACE1("jAttributeArrayToCKAttributeArray now with jTemplate = %d", jTemplate); - jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength); -+ if ((*env)->ExceptionCheck(env)) { return; } -+ - TRACE2("DEBUG: jAttributeArrayToCKAttributeArray finished with ckpAttribute = %d, Length = %d\n", ckpAttributes, ckAttributesLength); - - /* first set all pValue to NULL, to get the needed buffer length */ - for(i = 0; i < ckAttributesLength; i++) { -- if(ckpAttributes[i].pValue != NULL_PTR) { -+ if (ckpAttributes[i].pValue != NULL_PTR) { - free(ckpAttributes[i].pValue); -+ ckpAttributes[i].pValue = NULL_PTR; - } - } -- for (i = 0; i < ckAttributesLength; i++) { -- ckpAttributes[i].pValue = NULL_PTR; -- } -+ - rv = (*ckpFunctions->C_GetAttributeValue)(ckSessionHandle, ckObjectHandle, ckpAttributes, ckAttributesLength); -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { - free(ckpAttributes); - return ; - } -@@ -261,27 +258,34 @@ - for (i = 0; i < ckAttributesLength; i++) { - ckBufferLength = sizeof(CK_BYTE) * ckpAttributes[i].ulValueLen; - ckpAttributes[i].pValue = (void *) malloc(ckBufferLength); -+ if (ckpAttributes[i].pValue == NULL) { -+ freeCKAttributeArray(ckpAttributes, i); -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - ckpAttributes[i].ulValueLen = ckBufferLength; - } - - /* now get the attributes with all values */ - rv = (*ckpFunctions->C_GetAttributeValue)(ckSessionHandle, ckObjectHandle, ckpAttributes, ckAttributesLength); - -- /* copy back the values to the Java attributes */ -- for (i = 0; i < ckAttributesLength; i++) { -- jAttribute = ckAttributePtrToJAttribute(env, &(ckpAttributes[i])); -- (*env)->SetObjectArrayElement(env, jTemplate, i, jAttribute); -- } -- -- for(i=0; i<ckAttributesLength; i++) { -- if(ckpAttributes[i].pValue != NULL_PTR) { -- free(ckpAttributes[i].pValue); -+ if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { -+ /* copy back the values to the Java attributes */ -+ for (i = 0; i < ckAttributesLength; i++) { -+ jAttribute = ckAttributePtrToJAttribute(env, &(ckpAttributes[i])); -+ if (jAttribute == NULL) { -+ freeCKAttributeArray(ckpAttributes, ckAttributesLength); -+ return; -+ } -+ (*env)->SetObjectArrayElement(env, jTemplate, i, jAttribute); -+ if ((*env)->ExceptionCheck(env)) { -+ freeCKAttributeArray(ckpAttributes, ckAttributesLength); -+ return; -+ } - } - } -- free(ckpAttributes); -+ freeCKAttributeArray(ckpAttributes, ckAttributesLength); - TRACE0("FINISHED\n"); -- -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return ; } - } - #endif - -@@ -312,15 +316,11 @@ - ckSessionHandle = jLongToCKULong(jSessionHandle); - ckObjectHandle = jLongToCKULong(jObjectHandle); - jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength); -+ if ((*env)->ExceptionCheck(env)) { return; } - - rv = (*ckpFunctions->C_SetAttributeValue)(ckSessionHandle, ckObjectHandle, ckpAttributes, ckAttributesLength); - -- for(i=0; i<ckAttributesLength; i++) { -- if(ckpAttributes[i].pValue != NULL_PTR) { -- free(ckpAttributes[i].pValue); -- } -- } -- free(ckpAttributes); -+ freeCKAttributeArray(ckpAttributes, ckAttributesLength); - - if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } - } -@@ -355,15 +355,11 @@ - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jAttributeArrayToCKAttributeArray(env, jTemplate, &ckpAttributes, &ckAttributesLength); -+ if ((*env)->ExceptionCheck(env)) { return; } - - rv = (*ckpFunctions->C_FindObjectsInit)(ckSessionHandle, ckpAttributes, ckAttributesLength); - -- for(i=0; i<ckAttributesLength; i++) { -- if(ckpAttributes[i].pValue != NULL_PTR) { -- free(ckpAttributes[i].pValue); -- } -- } -- free(ckpAttributes); -+ freeCKAttributeArray(ckpAttributes, ckAttributesLength); - TRACE0("FINISHED\n"); - - if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -@@ -397,14 +393,18 @@ - ckSessionHandle = jLongToCKULong(jSessionHandle); - ckMaxObjectLength = jLongToCKULong(jMaxObjectCount); - ckpObjectHandleArray = (CK_OBJECT_HANDLE_PTR) malloc(sizeof(CK_OBJECT_HANDLE) * ckMaxObjectLength); -+ if (ckpObjectHandleArray == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } - - rv = (*ckpFunctions->C_FindObjects)(ckSessionHandle, ckpObjectHandleArray, ckMaxObjectLength, &ckActualObjectCount); -+ if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { -+ jObjectHandleArray = ckULongArrayToJLongArray(env, ckpObjectHandleArray, ckActualObjectCount); -+ } - -- jObjectHandleArray = ckULongArrayToJLongArray(env, ckpObjectHandleArray, ckActualObjectCount); - free(ckpObjectHandleArray); - -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } -- - return jObjectHandleArray ; - } - #endif -diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_sessmgmt.c openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_sessmgmt.c ---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_sessmgmt.c 2014-10-08 16:35:09.000000000 +0100 -+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_sessmgmt.c 2014-10-08 17:30:03.990103869 +0100 -@@ -97,6 +97,10 @@ - #ifndef NO_CALLBACKS - if (jNotify != NULL) { - notifyEncapsulation = (NotifyEncapsulation *) malloc(sizeof(NotifyEncapsulation)); -+ if (notifyEncapsulation == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return 0L; -+ } - notifyEncapsulation->jApplicationData = (jApplication != NULL) - ? (*env)->NewGlobalRef(env, jApplication) - : NULL; -@@ -118,7 +122,18 @@ - TRACE0(" ... "); - - rv = (*ckpFunctions->C_OpenSession)(ckSlotID, ckFlags, ckpApplication, ckNotify, &ckSessionHandle); -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return 0L ; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { -+#ifndef NO_CALLBACKS -+ if (notifyEncapsulation != NULL) { -+ if (notifyEncapsulation->jApplicationData != NULL) { -+ (*env)->DeleteGlobalRef(env, jApplication); -+ } -+ (*env)->DeleteGlobalRef(env, jNotify); -+ free(notifyEncapsulation); -+ } -+#endif /* NO_CALLBACKS */ -+ return 0L; -+ } - - TRACE0("got session"); - TRACE1(", SessionHandle=%u", ckSessionHandle); -@@ -163,7 +178,7 @@ - ckSessionHandle = jLongToCKULong(jSessionHandle); - - rv = (*ckpFunctions->C_CloseSession)(ckSessionHandle); -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } - - #ifndef NO_CALLBACKS - notifyEncapsulation = removeNotifyEntry(env, ckSessionHandle); -@@ -208,7 +223,7 @@ - ckSlotID = jLongToCKULong(jSlotID); - - rv = (*ckpFunctions->C_CloseAllSessions)(ckSlotID); -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } - - #ifndef NO_CALLBACKS - /* Remove all notify callback helper objects. */ -@@ -250,10 +265,9 @@ - ckSessionHandle = jLongToCKULong(jSessionHandle); - - rv = (*ckpFunctions->C_GetSessionInfo)(ckSessionHandle, &ckSessionInfo); -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } -- -- jSessionInfo = ckSessionInfoPtrToJSessionInfo(env, &ckSessionInfo); -- -+ if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { -+ jSessionInfo = ckSessionInfoPtrToJSessionInfo(env, &ckSessionInfo); -+ } - return jSessionInfo ; - } - #endif -@@ -274,7 +288,7 @@ - CK_SESSION_HANDLE ckSessionHandle; - CK_BYTE_PTR ckpState; - CK_ULONG ckStateLength; -- jbyteArray jState; -+ jbyteArray jState = NULL; - CK_RV rv; - - CK_FUNCTION_LIST_PTR ckpFunctions = getFunctionList(env, obj); -@@ -283,17 +297,20 @@ - ckSessionHandle = jLongToCKULong(jSessionHandle); - - rv = (*ckpFunctions->C_GetOperationState)(ckSessionHandle, NULL_PTR, &ckStateLength); -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } - - ckpState = (CK_BYTE_PTR) malloc(ckStateLength); -+ if (ckpState == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } - - rv = (*ckpFunctions->C_GetOperationState)(ckSessionHandle, ckpState, &ckStateLength); -- -- jState = ckByteArrayToJByteArray(env, ckpState, ckStateLength); -+ if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { -+ jState = ckByteArrayToJByteArray(env, ckpState, ckStateLength); -+ } - free(ckpState); - -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } -- - return jState ; - } - #endif -@@ -325,6 +342,8 @@ - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jByteArrayToCKByteArray(env, jOperationState, &ckpState, &ckStateLength); -+ if ((*env)->ExceptionCheck(env)) { return; } -+ - ckEncryptionKeyHandle = jLongToCKULong(jEncryptionKeyHandle); - ckAuthenticationKeyHandle = jLongToCKULong(jAuthenticationKeyHandle); - -@@ -332,7 +351,7 @@ - - free(ckpState); - -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } - } - #endif - -@@ -362,12 +381,13 @@ - ckSessionHandle = jLongToCKULong(jSessionHandle); - ckUserType = jLongToCKULong(jUserType); - jCharArrayToCKCharArray(env, jPin, &ckpPinArray, &ckPinLength); -+ if ((*env)->ExceptionCheck(env)) { return; } - - rv = (*ckpFunctions->C_Login)(ckSessionHandle, ckUserType, ckpPinArray, ckPinLength); - - free(ckpPinArray); - -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } - } - #endif - -@@ -391,7 +411,7 @@ - ckSessionHandle = jLongToCKULong(jSessionHandle); - - rv = (*ckpFunctions->C_Logout)(ckSessionHandle); -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } - } - #endif - -@@ -410,10 +430,14 @@ - NotifyListNode *currentNode, *newNode; - - if (notifyEncapsulation == NULL) { -- return ; -+ return; - } - - newNode = (NotifyListNode *) malloc(sizeof(NotifyListNode)); -+ if (newNode == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - newNode->hSession = hSession; - newNode->notifyEncapsulation = notifyEncapsulation; - newNode->next = NULL; -@@ -578,9 +602,10 @@ - jEvent = ckULongToJLong(event); - - ckNotifyClass = (*env)->FindClass(env, CLASS_NOTIFY); -- assert(ckNotifyClass != 0); -+ if (ckNotifyClass == NULL) { return rv; } - jmethod = (*env)->GetMethodID(env, ckNotifyClass, "CK_NOTIFY", "(JJLjava/lang/Object;)V"); -- assert(jmethod != 0); -+ if (jmethod == NULL) { return rv; } -+ - (*env)->CallVoidMethod(env, notifyEncapsulation->jNotifyObject, jmethod, - jSessionHandle, jEvent, notifyEncapsulation->jApplicationData); - -@@ -588,10 +613,14 @@ - pkcs11Exception = (*env)->ExceptionOccurred(env); - - if (pkcs11Exception != NULL) { -+ /* TBD: clear the pending exception with ExceptionClear? */ - /* The was an exception thrown, now we get the error-code from it */ - pkcs11ExceptionClass = (*env)->FindClass(env, CLASS_PKCS11EXCEPTION); -+ if (pkcs11ExceptionClass == NULL) { return rv; } -+ - jmethod = (*env)->GetMethodID(env, pkcs11ExceptionClass, "getErrorCode", "()J"); -- assert(jmethod != 0); -+ if (jmethod == NULL) { return rv; } -+ - errorCode = (*env)->CallLongMethod(env, pkcs11Exception, jmethod); - rv = jLongToCKULong(errorCode); - } -diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_sign.c openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_sign.c ---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_sign.c 2014-10-08 16:35:09.000000000 +0100 -+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_sign.c 2014-10-08 17:30:03.990103869 +0100 -@@ -77,15 +77,16 @@ - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); -+ if ((*env)->ExceptionCheck(env)) { return; } - ckKeyHandle = jLongToCKULong(jKeyHandle); - - rv = (*ckpFunctions->C_SignInit)(ckSessionHandle, &ckMechanism, ckKeyHandle); - -- if(ckMechanism.pParameter != NULL_PTR) { -+ if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } - -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } - } - #endif - -@@ -117,14 +118,23 @@ - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jByteArrayToCKByteArray(env, jData, &ckpData, &ckDataLength); -+ if ((*env)->ExceptionCheck(env)) { return NULL; } - - /* START standard code */ - - /* first determine the length of the signature */ - rv = (*ckpFunctions->C_Sign)(ckSessionHandle, ckpData, ckDataLength, NULL_PTR, &ckSignatureLength); -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { -+ free(ckpData); -+ return NULL; -+ } - - ckpSignature = (CK_BYTE_PTR) malloc(ckSignatureLength * sizeof(CK_BYTE)); -+ if (ckpSignature == NULL) { -+ free(ckpData); -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } - - /* now get the signature */ - rv = (*ckpFunctions->C_Sign)(ckSessionHandle, ckpData, ckDataLength, ckpSignature, &ckSignatureLength); -@@ -134,22 +144,31 @@ - /* START workaround code for operation abort bug in pkcs#11 of Datakey and iButton */ - /* - ckpSignature = (CK_BYTE_PTR) malloc(256 * sizeof(CK_BYTE)); -+ if (ckpSignature == NULL) { -+ free(ckpData); -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } - rv = (*ckpFunctions->C_Sign)(ckSessionHandle, ckpData, ckDataLength, ckpSignature, &ckSignatureLength); - - if (rv == CKR_BUFFER_TOO_SMALL) { - free(ckpSignature); - ckpSignature = (CK_BYTE_PTR) malloc(ckSignatureLength * sizeof(CK_BYTE)); -+ if (ckpSignature == NULL) { -+ free(ckpData); -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } - rv = (*ckpFunctions->C_Sign)(ckSessionHandle, ckpData, ckDataLength, ckpSignature, &ckSignatureLength); - } - */ - /* END workaround code */ -- -- jSignature = ckByteArrayToJByteArray(env, ckpSignature, ckSignatureLength); -+ if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { -+ jSignature = ckByteArrayToJByteArray(env, ckpSignature, ckSignatureLength); -+ } - free(ckpData); - free(ckpSignature); - -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return NULL ; } -- - return jSignature ; - } - #endif -@@ -189,14 +208,22 @@ - bufP = BUF; - } else { - bufLen = min(MAX_HEAP_BUFFER_LEN, jInLen); -- bufP = (CK_BYTE_PTR)malloc((size_t)bufLen); -+ bufP = (CK_BYTE_PTR) malloc((size_t)bufLen); -+ if (bufP == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - } - - while (jInLen > 0) { - jsize chunkLen = min(bufLen, jInLen); - (*env)->GetByteArrayRegion(env, jIn, jInOfs, chunkLen, (jbyte *)bufP); -+ if ((*env)->ExceptionCheck(env)) { -+ if (bufP != BUF) { free(bufP); } -+ return; -+ } - rv = (*ckpFunctions->C_SignUpdate)(ckSessionHandle, bufP, chunkLen); -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { - if (bufP != BUF) { - free(bufP); - } -@@ -206,9 +233,7 @@ - jInLen -= chunkLen; - } - -- if (bufP != BUF) { -- free(bufP); -- } -+ if (bufP != BUF) { free(bufP); } - } - #endif - -@@ -244,15 +269,18 @@ - rv = (*ckpFunctions->C_SignFinal)(ckSessionHandle, bufP, &ckSignatureLength); - if (rv == CKR_BUFFER_TOO_SMALL) { - bufP = (CK_BYTE_PTR) malloc(ckSignatureLength); -+ if (bufP == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } - rv = (*ckpFunctions->C_SignFinal)(ckSessionHandle, bufP, &ckSignatureLength); - } - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - jSignature = ckByteArrayToJByteArray(env, bufP, ckSignatureLength); - } - -- if (bufP != BUF) { -- free(bufP); -- } -+ if (bufP != BUF) { free(bufP); } -+ - return jSignature; - } - #endif -@@ -280,11 +308,13 @@ - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); -+ if ((*env)->ExceptionCheck(env)) { return; } -+ - ckKeyHandle = jLongToCKULong(jKeyHandle); - - rv = (*ckpFunctions->C_SignRecoverInit)(ckSessionHandle, &ckMechanism, ckKeyHandle); - -- if(ckMechanism.pParameter != NULL_PTR) { -+ if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } - -@@ -323,26 +353,38 @@ - if (jInLen <= MAX_STACK_BUFFER_LEN) { - inBufP = INBUF; - } else { -- inBufP = (CK_BYTE_PTR)malloc((size_t)jInLen); -+ inBufP = (CK_BYTE_PTR) malloc((size_t)jInLen); -+ if (inBufP == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return 0; -+ } - } - - (*env)->GetByteArrayRegion(env, jIn, jInOfs, jInLen, (jbyte *)inBufP); -+ if ((*env)->ExceptionCheck(env)) { -+ if (inBufP != INBUF) { free(inBufP); } -+ return 0; -+ } - rv = (*ckpFunctions->C_SignRecover)(ckSessionHandle, inBufP, jInLen, outBufP, &ckSignatureLength); - /* re-alloc larger buffer if it fits into our Java buffer */ - if ((rv == CKR_BUFFER_TOO_SMALL) && (ckSignatureLength <= jIntToCKULong(jOutLen))) { - outBufP = (CK_BYTE_PTR) malloc(ckSignatureLength); -+ if (outBufP == NULL) { -+ if (inBufP != INBUF) { -+ free(inBufP); -+ } -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return 0; -+ } - rv = (*ckpFunctions->C_SignRecover)(ckSessionHandle, inBufP, jInLen, outBufP, &ckSignatureLength); - } - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - (*env)->SetByteArrayRegion(env, jOut, jOutOfs, ckSignatureLength, (jbyte *)outBufP); - } - -- if (inBufP != INBUF) { -- free(inBufP); -- } -- if (outBufP != OUTBUF) { -- free(outBufP); -- } -+ if (inBufP != INBUF) { free(inBufP); } -+ if (outBufP != OUTBUF) { free(outBufP); } -+ - return ckSignatureLength; - } - #endif -@@ -370,6 +412,8 @@ - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); -+ if ((*env)->ExceptionCheck(env)) { return; } -+ - ckKeyHandle = jLongToCKULong(jKeyHandle); - - rv = (*ckpFunctions->C_VerifyInit)(ckSessionHandle, &ckMechanism, ckKeyHandle); -@@ -378,7 +422,7 @@ - free(ckMechanism.pParameter); - } - -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } - } - #endif - -@@ -409,7 +453,13 @@ - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jByteArrayToCKByteArray(env, jData, &ckpData, &ckDataLength); -+ if ((*env)->ExceptionCheck(env)) { return; } -+ - jByteArrayToCKByteArray(env, jSignature, &ckpSignature, &ckSignatureLength); -+ if ((*env)->ExceptionCheck(env)) { -+ free(ckpData); -+ return; -+ } - - /* verify the signature */ - rv = (*ckpFunctions->C_Verify)(ckSessionHandle, ckpData, ckDataLength, ckpSignature, ckSignatureLength); -@@ -417,7 +467,7 @@ - free(ckpData); - free(ckpSignature); - -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } - } - #endif - -@@ -456,26 +506,31 @@ - bufP = BUF; - } else { - bufLen = min(MAX_HEAP_BUFFER_LEN, jInLen); -- bufP = (CK_BYTE_PTR)malloc((size_t)bufLen); -+ bufP = (CK_BYTE_PTR) malloc((size_t)bufLen); -+ if (bufP == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - } - - while (jInLen > 0) { - jsize chunkLen = min(bufLen, jInLen); - (*env)->GetByteArrayRegion(env, jIn, jInOfs, chunkLen, (jbyte *)bufP); -+ if ((*env)->ExceptionCheck(env)) { -+ if (bufP != BUF) { free(bufP); } -+ return; -+ } -+ - rv = (*ckpFunctions->C_VerifyUpdate)(ckSessionHandle, bufP, chunkLen); -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { -- if (bufP != BUF) { -- free(bufP); -- } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { -+ if (bufP != BUF) { free(bufP); } - return; - } - jInOfs += chunkLen; - jInLen -= chunkLen; - } - -- if (bufP != BUF) { -- free(bufP); -- } -+ if (bufP != BUF) { free(bufP); } - } - #endif - -@@ -502,13 +557,14 @@ - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jByteArrayToCKByteArray(env, jSignature, &ckpSignature, &ckSignatureLength); -+ if ((*env)->ExceptionCheck(env)) { return; } - - /* verify the signature */ - rv = (*ckpFunctions->C_VerifyFinal)(ckSessionHandle, ckpSignature, ckSignatureLength); - - free(ckpSignature); - -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } - } - #endif - -@@ -535,15 +591,17 @@ - - ckSessionHandle = jLongToCKULong(jSessionHandle); - jMechanismToCKMechanism(env, jMechanism, &ckMechanism); -+ if ((*env)->ExceptionCheck(env)) { return; } -+ - ckKeyHandle = jLongToCKULong(jKeyHandle); - - rv = (*ckpFunctions->C_VerifyRecoverInit)(ckSessionHandle, &ckMechanism, ckKeyHandle); - -- if(ckMechanism.pParameter != NULL_PTR) { -+ if (ckMechanism.pParameter != NULL_PTR) { - free(ckMechanism.pParameter); - } - -- if(ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } -+ if (ckAssertReturnValueOK(env, rv) != CK_ASSERT_OK) { return; } - } - #endif - -@@ -578,26 +636,38 @@ - if (jInLen <= MAX_STACK_BUFFER_LEN) { - inBufP = INBUF; - } else { -- inBufP = (CK_BYTE_PTR)malloc((size_t)jInLen); -+ inBufP = (CK_BYTE_PTR) malloc((size_t)jInLen); -+ if (inBufP == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return 0; -+ } - } - - (*env)->GetByteArrayRegion(env, jIn, jInOfs, jInLen, (jbyte *)inBufP); -+ if ((*env)->ExceptionCheck(env)) { -+ if (inBufP != INBUF) { free(inBufP); } -+ return 0; -+ } -+ - rv = (*ckpFunctions->C_VerifyRecover)(ckSessionHandle, inBufP, jInLen, outBufP, &ckDataLength); -+ - /* re-alloc larger buffer if it fits into our Java buffer */ - if ((rv == CKR_BUFFER_TOO_SMALL) && (ckDataLength <= jIntToCKULong(jOutLen))) { - outBufP = (CK_BYTE_PTR) malloc(ckDataLength); -+ if (outBufP == NULL) { -+ if (inBufP != INBUF) { free(inBufP); } -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return 0; -+ } - rv = (*ckpFunctions->C_VerifyRecover)(ckSessionHandle, inBufP, jInLen, outBufP, &ckDataLength); - } - if (ckAssertReturnValueOK(env, rv) == CK_ASSERT_OK) { - (*env)->SetByteArrayRegion(env, jOut, jOutOfs, ckDataLength, (jbyte *)outBufP); - } - -- if (inBufP != INBUF) { -- free(inBufP); -- } -- if (outBufP != OUTBUF) { -- free(outBufP); -- } -+ if (inBufP != INBUF) { free(inBufP); } -+ if (outBufP != OUTBUF) { free(outBufP); } -+ - return ckDataLength; - } - #endif -diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_util.c openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_util.c ---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_util.c 2014-10-08 16:35:09.000000000 +0100 -+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/p11_util.c 2014-10-08 17:30:03.990103869 +0100 -@@ -73,11 +73,11 @@ - jmethodID jConstructor; - - jObjectClass = (*env)->FindClass(env, "java/lang/Object"); -- assert(jObjectClass != 0); -+ if (jObjectClass == NULL) { return NULL; } - jConstructor = (*env)->GetMethodID(env, jObjectClass, "<init>", "()V"); -- assert(jConstructor != 0); -+ if (jConstructor == NULL) { return NULL; } - jLockObject = (*env)->NewObject(env, jObjectClass, jConstructor); -- assert(jLockObject != 0); -+ if (jLockObject == NULL) { return NULL; } - jLockObject = (*env)->NewGlobalRef(env, jLockObject); - - return jLockObject ; -@@ -200,84 +200,30 @@ - return 0L ; - } else { - jPKCS11ExceptionClass = (*env)->FindClass(env, CLASS_PKCS11EXCEPTION); -- assert(jPKCS11ExceptionClass != 0); -- jConstructor = (*env)->GetMethodID(env, jPKCS11ExceptionClass, "<init>", "(J)V"); -- assert(jConstructor != 0); -- jErrorCode = ckULongToJLong(returnValue); -- jPKCS11Exception = (jthrowable) (*env)->NewObject(env, jPKCS11ExceptionClass, jConstructor, jErrorCode); -- (*env)->Throw(env, jPKCS11Exception); -+ if (jPKCS11ExceptionClass != NULL) { -+ jConstructor = (*env)->GetMethodID(env, jPKCS11ExceptionClass, "<init>", "(J)V"); -+ if (jConstructor != NULL) { -+ jErrorCode = ckULongToJLong(returnValue); -+ jPKCS11Exception = (jthrowable) (*env)->NewObject(env, jPKCS11ExceptionClass, jConstructor, jErrorCode); -+ if (jPKCS11Exception != NULL) { -+ (*env)->Throw(env, jPKCS11Exception); -+ } -+ } -+ } -+ (*env)->DeleteLocalRef(env, jPKCS11ExceptionClass); - return jErrorCode ; - } - } - - /* -- * this function simply throws a FileNotFoundException -- * -- * @param env Used to call JNI funktions and to get the Exception class. -- * @param jmessage The message string of the Exception object. -- */ --void throwFileNotFoundException(JNIEnv *env, jstring jmessage) --{ -- jclass jFileNotFoundExceptionClass; -- jmethodID jConstructor; -- jthrowable jFileNotFoundException; -- -- jFileNotFoundExceptionClass = (*env)->FindClass(env, CLASS_FILE_NOT_FOUND_EXCEPTION); -- assert(jFileNotFoundExceptionClass != 0); -- -- jConstructor = (*env)->GetMethodID(env, jFileNotFoundExceptionClass, "<init>", "(Ljava/lang/String;)V"); -- assert(jConstructor != 0); -- jFileNotFoundException = (jthrowable) (*env)->NewObject(env, jFileNotFoundExceptionClass, jConstructor, jmessage); -- (*env)->Throw(env, jFileNotFoundException); --} -- --/* -- * this function simply throws an IOException -+ * This function simply throws an IOException - * - * @param env Used to call JNI funktions and to get the Exception class. - * @param message The message string of the Exception object. - */ --void throwIOException(JNIEnv *env, const char * message) -+void throwIOException(JNIEnv *env, const char *message) - { -- jclass jIOExceptionClass; -- -- jIOExceptionClass = (*env)->FindClass(env, CLASS_IO_EXCEPTION); -- assert(jIOExceptionClass != 0); -- -- (*env)->ThrowNew(env, jIOExceptionClass, message); --} -- --/* -- * this function simply throws an IOException and takes a unicode -- * messge. -- * -- * @param env Used to call JNI funktions and to get the Exception class. -- * @param message The unicode message string of the Exception object. -- */ --void throwIOExceptionUnicodeMessage(JNIEnv *env, const short *message) --{ -- jclass jIOExceptionClass; -- jmethodID jConstructor; -- jthrowable jIOException; -- jstring jmessage; -- jsize length; -- short *currentCharacter; -- -- jIOExceptionClass = (*env)->FindClass(env, CLASS_IO_EXCEPTION); -- assert(jIOExceptionClass != 0); -- -- length = 0; -- if (message != NULL) { -- currentCharacter = (short *) message; -- while (*(currentCharacter++) != 0) length++; -- } -- -- jmessage = (*env)->NewString(env, (const jchar *)message, length); -- -- jConstructor = (*env)->GetMethodID(env, jIOExceptionClass, "<init>", "(Ljava/lang/String;)V"); -- assert(jConstructor != 0); -- jIOException = (jthrowable) (*env)->NewObject(env, jIOExceptionClass, jConstructor, jmessage); -- (*env)->Throw(env, jIOException); -+ JNU_ThrowByName(env, CLASS_IO_EXCEPTION, message); - } - - /* -@@ -288,26 +234,9 @@ - * @param env Used to call JNI funktions and to get the Exception class. - * @param jmessage The message string of the Exception object. - */ --void throwPKCS11RuntimeException(JNIEnv *env, jstring jmessage) -+void throwPKCS11RuntimeException(JNIEnv *env, const char *message) - { -- jclass jPKCS11RuntimeExceptionClass; -- jmethodID jConstructor; -- jthrowable jPKCS11RuntimeException; -- -- jPKCS11RuntimeExceptionClass = (*env)->FindClass(env, CLASS_PKCS11RUNTIMEEXCEPTION); -- assert(jPKCS11RuntimeExceptionClass != 0); -- -- if (jmessage == NULL) { -- jConstructor = (*env)->GetMethodID(env, jPKCS11RuntimeExceptionClass, "<init>", "()V"); -- assert(jConstructor != 0); -- jPKCS11RuntimeException = (jthrowable) (*env)->NewObject(env, jPKCS11RuntimeExceptionClass, jConstructor); -- (*env)->Throw(env, jPKCS11RuntimeException); -- } else { -- jConstructor = (*env)->GetMethodID(env, jPKCS11RuntimeExceptionClass, "<init>", "(Ljava/lang/String;)V"); -- assert(jConstructor != 0); -- jPKCS11RuntimeException = (jthrowable) (*env)->NewObject(env, jPKCS11RuntimeExceptionClass, jConstructor, jmessage); -- (*env)->Throw(env, jPKCS11RuntimeException); -- } -+ JNU_ThrowByName(env, CLASS_PKCS11RUNTIMEEXCEPTION, message); - } - - /* -@@ -318,9 +247,24 @@ - */ - void throwDisconnectedRuntimeException(JNIEnv *env) - { -- jstring jExceptionMessage = (*env)->NewStringUTF(env, "This object is not connected to a module."); -+ throwPKCS11RuntimeException(env, "This object is not connected to a module."); -+} - -- throwPKCS11RuntimeException(env, jExceptionMessage); -+/* This function frees the specified CK_ATTRIBUTE array. -+ * -+ * @param attrPtr pointer to the to-be-freed CK_ATTRIBUTE array. -+ * @param len the length of the array -+ */ -+void freeCKAttributeArray(CK_ATTRIBUTE_PTR attrPtr, int len) -+{ -+ int i; -+ -+ for (i=0; i<len; i++) { -+ if (attrPtr[i].pValue != NULL_PTR) { -+ free(attrPtr[i].pValue); -+ } -+ } -+ free(attrPtr); - } - - /* -@@ -375,8 +319,22 @@ - } - *ckpLength = (*env)->GetArrayLength(env, jArray); - jpTemp = (jboolean*) malloc((*ckpLength) * sizeof(jboolean)); -+ if (jpTemp == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - (*env)->GetBooleanArrayRegion(env, jArray, 0, *ckpLength, jpTemp); -+ if ((*env)->ExceptionCheck(env)) { -+ free(jpTemp); -+ return; -+ } -+ - *ckpArray = (CK_BBOOL*) malloc ((*ckpLength) * sizeof(CK_BBOOL)); -+ if (*ckpArray == NULL) { -+ free(jpTemp); -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - for (i=0; i<(*ckpLength); i++) { - (*ckpArray)[i] = jBooleanToCKBBool(jpTemp[i]); - } -@@ -403,13 +361,26 @@ - } - *ckpLength = (*env)->GetArrayLength(env, jArray); - jpTemp = (jbyte*) malloc((*ckpLength) * sizeof(jbyte)); -+ if (jpTemp == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - (*env)->GetByteArrayRegion(env, jArray, 0, *ckpLength, jpTemp); -+ if ((*env)->ExceptionCheck(env)) { -+ free(jpTemp); -+ return; -+ } - - /* if CK_BYTE is the same size as jbyte, we save an additional copy */ - if (sizeof(CK_BYTE) == sizeof(jbyte)) { - *ckpArray = (CK_BYTE_PTR) jpTemp; - } else { - *ckpArray = (CK_BYTE_PTR) malloc ((*ckpLength) * sizeof(CK_BYTE)); -+ if (*ckpArray == NULL) { -+ free(jpTemp); -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - for (i=0; i<(*ckpLength); i++) { - (*ckpArray)[i] = jByteToCKByte(jpTemp[i]); - } -@@ -437,8 +408,22 @@ - } - *ckpLength = (*env)->GetArrayLength(env, jArray); - jTemp = (jlong*) malloc((*ckpLength) * sizeof(jlong)); -+ if (jTemp == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - (*env)->GetLongArrayRegion(env, jArray, 0, *ckpLength, jTemp); -+ if ((*env)->ExceptionCheck(env)) { -+ free(jTemp); -+ return; -+ } -+ - *ckpArray = (CK_ULONG_PTR) malloc (*ckpLength * sizeof(CK_ULONG)); -+ if (*ckpArray == NULL) { -+ free(jTemp); -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - for (i=0; i<(*ckpLength); i++) { - (*ckpArray)[i] = jLongToCKULong(jTemp[i]); - } -@@ -465,8 +450,22 @@ - } - *ckpLength = (*env)->GetArrayLength(env, jArray); - jpTemp = (jchar*) malloc((*ckpLength) * sizeof(jchar)); -+ if (jpTemp == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - (*env)->GetCharArrayRegion(env, jArray, 0, *ckpLength, jpTemp); -+ if ((*env)->ExceptionCheck(env)) { -+ free(jpTemp); -+ return; -+ } -+ - *ckpArray = (CK_CHAR_PTR) malloc (*ckpLength * sizeof(CK_CHAR)); -+ if (*ckpArray == NULL) { -+ free(jpTemp); -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - for (i=0; i<(*ckpLength); i++) { - (*ckpArray)[i] = jCharToCKChar(jpTemp[i]); - } -@@ -493,8 +492,22 @@ - } - *ckpLength = (*env)->GetArrayLength(env, jArray); - jTemp = (jchar*) malloc((*ckpLength) * sizeof(jchar)); -+ if (jTemp == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - (*env)->GetCharArrayRegion(env, jArray, 0, *ckpLength, jTemp); -+ if ((*env)->ExceptionCheck(env)) { -+ free(jTemp); -+ return; -+ } -+ - *ckpArray = (CK_UTF8CHAR_PTR) malloc (*ckpLength * sizeof(CK_UTF8CHAR)); -+ if (*ckpArray == NULL) { -+ free(jTemp); -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - for (i=0; i<(*ckpLength); i++) { - (*ckpArray)[i] = jCharToCKUTF8Char(jTemp[i]); - } -@@ -521,8 +534,15 @@ - } - - pCharArray = (*env)->GetStringUTFChars(env, jArray, &isCopy); -+ if (pCharArray == NULL) { return; } -+ - *ckpLength = strlen(pCharArray); - *ckpArray = (CK_UTF8CHAR_PTR) malloc((*ckpLength + 1) * sizeof(CK_UTF8CHAR)); -+ if (*ckpArray == NULL) { -+ (*env)->ReleaseStringUTFChars(env, (jstring) jArray, pCharArray); -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - strcpy((char*)*ckpArray, pCharArray); - (*env)->ReleaseStringUTFChars(env, (jstring) jArray, pCharArray); - } -@@ -552,55 +572,36 @@ - jLength = (*env)->GetArrayLength(env, jArray); - *ckpLength = jLongToCKULong(jLength); - *ckpArray = (CK_ATTRIBUTE_PTR) malloc(*ckpLength * sizeof(CK_ATTRIBUTE)); -+ if (*ckpArray == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; -+ } - TRACE1(", converting %d attibutes", jLength); - for (i=0; i<(*ckpLength); i++) { - TRACE1(", getting %d. attibute", i); - jAttribute = (*env)->GetObjectArrayElement(env, jArray, i); -+ if ((*env)->ExceptionCheck(env)) { -+ freeCKAttributeArray(*ckpArray, i); -+ return; -+ } - TRACE1(", jAttribute = %d", jAttribute); - TRACE1(", converting %d. attibute", i); - (*ckpArray)[i] = jAttributeToCKAttribute(env, jAttribute); -+ if ((*env)->ExceptionCheck(env)) { -+ freeCKAttributeArray(*ckpArray, i); -+ return; -+ } - } - TRACE0("FINISHED\n"); - } - - /* -- * converts a jobjectArray to a CK_VOID_PTR array. The allocated memory has to be freed after -- * use! -- * NOTE: this function does not work and is not used yet -- * -- * @param env - used to call JNI funktions to get the array informtaion -- * @param jArray - the Java object array to convert -- * @param ckpArray - the reference, where the pointer to the new CK_VOID_PTR array will be stored -- * @param ckpLength - the reference, where the array length will be stored -- */ --/* --void jObjectArrayToCKVoidPtrArray(JNIEnv *env, const jobjectArray jArray, CK_VOID_PTR_PTR *ckpArray, CK_ULONG_PTR ckpLength) --{ -- jobject jTemp; -- CK_ULONG i; -- -- if(jArray == NULL) { -- *ckpArray = NULL_PTR; -- *ckpLength = 0L; -- return; -- } -- *ckpLength = (*env)->GetArrayLength(env, jArray); -- *ckpArray = (CK_VOID_PTR_PTR) malloc (*ckpLength * sizeof(CK_VOID_PTR)); -- for (i=0; i<(*ckpLength); i++) { -- jTemp = (*env)->GetObjectArrayElement(env, jArray, i); -- (*ckpArray)[i] = jObjectToCKVoidPtr(jTemp); -- } -- free(jTemp); --} --*/ -- --/* - * converts a CK_BYTE array and its length to a jbyteArray. - * - * @param env - used to call JNI funktions to create the new Java array - * @param ckpArray - the pointer to the CK_BYTE array to convert - * @param ckpLength - the length of the array to convert -- * @return - the new Java byte array -+ * @return - the new Java byte array or NULL if error occurred - */ - jbyteArray ckByteArrayToJByteArray(JNIEnv *env, const CK_BYTE_PTR ckpArray, CK_ULONG ckLength) - { -@@ -613,18 +614,22 @@ - jpTemp = (jbyte*) ckpArray; - } else { - jpTemp = (jbyte*) malloc((ckLength) * sizeof(jbyte)); -+ if (jpTemp == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } - for (i=0; i<ckLength; i++) { - jpTemp[i] = ckByteToJByte(ckpArray[i]); - } - } - - jArray = (*env)->NewByteArray(env, ckULongToJSize(ckLength)); -- (*env)->SetByteArrayRegion(env, jArray, 0, ckULongToJSize(ckLength), jpTemp); -- -- if (sizeof(CK_BYTE) != sizeof(jbyte)) { -- free(jpTemp); -+ if (jArray != NULL) { -+ (*env)->SetByteArrayRegion(env, jArray, 0, ckULongToJSize(ckLength), jpTemp); - } - -+ if (sizeof(CK_BYTE) != sizeof(jbyte)) { free(jpTemp); } -+ - return jArray ; - } - -@@ -643,11 +648,17 @@ - jlongArray jArray; - - jpTemp = (jlong*) malloc((ckLength) * sizeof(jlong)); -+ if (jpTemp == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } - for (i=0; i<ckLength; i++) { - jpTemp[i] = ckLongToJLong(ckpArray[i]); - } - jArray = (*env)->NewLongArray(env, ckULongToJSize(ckLength)); -- (*env)->SetLongArrayRegion(env, jArray, 0, ckULongToJSize(ckLength), jpTemp); -+ if (jArray != NULL) { -+ (*env)->SetLongArrayRegion(env, jArray, 0, ckULongToJSize(ckLength), jpTemp); -+ } - free(jpTemp); - - return jArray ; -@@ -668,11 +679,17 @@ - jcharArray jArray; - - jpTemp = (jchar*) malloc(ckLength * sizeof(jchar)); -+ if (jpTemp == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } - for (i=0; i<ckLength; i++) { - jpTemp[i] = ckCharToJChar(ckpArray[i]); - } - jArray = (*env)->NewCharArray(env, ckULongToJSize(ckLength)); -- (*env)->SetCharArrayRegion(env, jArray, 0, ckULongToJSize(ckLength), jpTemp); -+ if (jArray != NULL) { -+ (*env)->SetCharArrayRegion(env, jArray, 0, ckULongToJSize(ckLength), jpTemp); -+ } - free(jpTemp); - - return jArray ; -@@ -693,11 +710,17 @@ - jcharArray jArray; - - jpTemp = (jchar*) malloc(ckLength * sizeof(jchar)); -+ if (jpTemp == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } - for (i=0; i<ckLength; i++) { - jpTemp[i] = ckUTF8CharToJChar(ckpArray[i]); - } - jArray = (*env)->NewCharArray(env, ckULongToJSize(ckLength)); -- (*env)->SetCharArrayRegion(env, jArray, 0, ckULongToJSize(ckLength), jpTemp); -+ if (jArray != NULL) { -+ (*env)->SetCharArrayRegion(env, jArray, 0, ckULongToJSize(ckLength), jpTemp); -+ } - free(jpTemp); - - return jArray ; -@@ -736,12 +759,11 @@ - jboolean jValue; - - jValueObjectClass = (*env)->FindClass(env, "java/lang/Boolean"); -- assert(jValueObjectClass != 0); -+ if (jValueObjectClass == NULL) { return NULL; } - jConstructor = (*env)->GetMethodID(env, jValueObjectClass, "<init>", "(Z)V"); -- assert(jConstructor != 0); -+ if (jConstructor == NULL) { return NULL; } - jValue = ckBBoolToJBoolean(*ckpValue); - jValueObject = (*env)->NewObject(env, jValueObjectClass, jConstructor, jValue); -- assert(jValueObject != 0); - - return jValueObject ; - } -@@ -761,12 +783,11 @@ - jlong jValue; - - jValueObjectClass = (*env)->FindClass(env, "java/lang/Long"); -- assert(jValueObjectClass != 0); -+ if (jValueObjectClass == NULL) { return NULL; } - jConstructor = (*env)->GetMethodID(env, jValueObjectClass, "<init>", "(J)V"); -- assert(jConstructor != 0); -+ if (jConstructor == NULL) { return NULL; } - jValue = ckULongToJLong(*ckpValue); - jValueObject = (*env)->NewObject(env, jValueObjectClass, jConstructor, jValue); -- assert(jValueObject != 0); - - return jValueObject ; - } -@@ -787,11 +808,15 @@ - CK_BBOOL *ckpValue; - - jObjectClass = (*env)->FindClass(env, "java/lang/Boolean"); -- assert(jObjectClass != 0); -+ if (jObjectClass == NULL) { return NULL; } - jValueMethod = (*env)->GetMethodID(env, jObjectClass, "booleanValue", "()Z"); -- assert(jValueMethod != 0); -+ if (jValueMethod == NULL) { return NULL; } - jValue = (*env)->CallBooleanMethod(env, jObject, jValueMethod); - ckpValue = (CK_BBOOL *) malloc(sizeof(CK_BBOOL)); -+ if (ckpValue == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } - *ckpValue = jBooleanToCKBBool(jValue); - - return ckpValue ; -@@ -813,13 +838,16 @@ - CK_BYTE_PTR ckpValue; - - jObjectClass = (*env)->FindClass(env, "java/lang/Byte"); -- assert(jObjectClass != 0); -+ if (jObjectClass == NULL) { return NULL; } - jValueMethod = (*env)->GetMethodID(env, jObjectClass, "byteValue", "()B"); -- assert(jValueMethod != 0); -+ if (jValueMethod == NULL) { return NULL; } - jValue = (*env)->CallByteMethod(env, jObject, jValueMethod); - ckpValue = (CK_BYTE_PTR) malloc(sizeof(CK_BYTE)); -+ if (ckpValue == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } - *ckpValue = jByteToCKByte(jValue); -- - return ckpValue ; - } - -@@ -839,13 +867,16 @@ - CK_ULONG *ckpValue; - - jObjectClass = (*env)->FindClass(env, "java/lang/Integer"); -- assert(jObjectClass != 0); -+ if (jObjectClass == NULL) { return NULL; } - jValueMethod = (*env)->GetMethodID(env, jObjectClass, "intValue", "()I"); -- assert(jValueMethod != 0); -+ if (jValueMethod == NULL) { return NULL; } - jValue = (*env)->CallIntMethod(env, jObject, jValueMethod); - ckpValue = (CK_ULONG *) malloc(sizeof(CK_ULONG)); -+ if (ckpValue == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } - *ckpValue = jLongToCKLong(jValue); -- - return ckpValue ; - } - -@@ -865,11 +896,15 @@ - CK_ULONG *ckpValue; - - jObjectClass = (*env)->FindClass(env, "java/lang/Long"); -- assert(jObjectClass != 0); -+ if (jObjectClass == NULL) { return NULL; } - jValueMethod = (*env)->GetMethodID(env, jObjectClass, "longValue", "()J"); -- assert(jValueMethod != 0); -+ if (jValueMethod == NULL) { return NULL; } - jValue = (*env)->CallLongMethod(env, jObject, jValueMethod); - ckpValue = (CK_ULONG *) malloc(sizeof(CK_ULONG)); -+ if (ckpValue == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } - *ckpValue = jLongToCKULong(jValue); - - return ckpValue ; -@@ -891,11 +926,15 @@ - CK_CHAR_PTR ckpValue; - - jObjectClass = (*env)->FindClass(env, "java/lang/Char"); -- assert(jObjectClass != 0); -+ if (jObjectClass == NULL) { return NULL; } - jValueMethod = (*env)->GetMethodID(env, jObjectClass, "charValue", "()C"); -- assert(jValueMethod != 0); -+ if (jValueMethod == NULL) { return NULL; } - jValue = (*env)->CallCharMethod(env, jObject, jValueMethod); - ckpValue = (CK_CHAR_PTR) malloc(sizeof(CK_CHAR)); -+ if (ckpValue == NULL) { -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return NULL; -+ } - *ckpValue = jCharToCKChar(jValue); - - return ckpValue ; -@@ -913,124 +952,172 @@ - */ - void jObjectToPrimitiveCKObjectPtrPtr(JNIEnv *env, jobject jObject, CK_VOID_PTR *ckpObjectPtr, CK_ULONG *ckpLength) - { -- jclass jBooleanClass = (*env)->FindClass(env, "java/lang/Boolean"); -- jclass jByteClass = (*env)->FindClass(env, "java/lang/Byte"); -- jclass jCharacterClass = (*env)->FindClass(env, "java/lang/Character"); -- jclass jClassClass = (*env)->FindClass(env, "java/lang/Class"); -- /* jclass jShortClass = (*env)->FindClass(env, "java/lang/Short"); */ -- jclass jIntegerClass = (*env)->FindClass(env, "java/lang/Integer"); -- jclass jLongClass = (*env)->FindClass(env, "java/lang/Long"); -- /* jclass jFloatClass = (*env)->FindClass(env, "java/lang/Float"); */ -- /* jclass jDoubleClass = (*env)->FindClass(env, "java/lang/Double"); */ -- jclass jDateClass = (*env)->FindClass(env, CLASS_DATE); -- jclass jStringClass = (*env)->FindClass(env, "java/lang/String"); -- jclass jStringBufferClass = (*env)->FindClass(env, "java/lang/StringBuffer"); -- jclass jBooleanArrayClass = (*env)->FindClass(env, "[Z"); -- jclass jByteArrayClass = (*env)->FindClass(env, "[B"); -- jclass jCharArrayClass = (*env)->FindClass(env, "[C"); -- /* jclass jShortArrayClass = (*env)->FindClass(env, "[S"); */ -- jclass jIntArrayClass = (*env)->FindClass(env, "[I"); -- jclass jLongArrayClass = (*env)->FindClass(env, "[J"); -- /* jclass jFloatArrayClass = (*env)->FindClass(env, "[F"); */ -- /* jclass jDoubleArrayClass = (*env)->FindClass(env, "[D"); */ -- jclass jObjectClass = (*env)->FindClass(env, "java/lang/Object"); -- /* jclass jObjectArrayClass = (*env)->FindClass(env, "[java/lang/Object"); */ -- /* ATTENTION: jObjectArrayClass is always NULL !! */ -- /* CK_ULONG ckArrayLength; */ -- /* CK_VOID_PTR *ckpElementObject; */ -- /* CK_ULONG ckElementLength; */ -- /* CK_ULONG i; */ -+ jclass jLongClass, jBooleanClass, jByteArrayClass, jCharArrayClass; -+ jclass jByteClass, jDateClass, jCharacterClass, jIntegerClass; -+ jclass jBooleanArrayClass, jIntArrayClass, jLongArrayClass; -+ jclass jStringClass; -+ jclass jObjectClass, jClassClass; - CK_VOID_PTR ckpVoid = *ckpObjectPtr; - jmethodID jMethod; - jobject jClassObject; - jstring jClassNameString; -- jstring jExceptionMessagePrefix; -- jobject jExceptionMessageStringBuffer; -- jstring jExceptionMessage; -+ char *classNameString, *exceptionMsgPrefix, *exceptionMsg; - - TRACE0("\nDEBUG: jObjectToPrimitiveCKObjectPtrPtr"); - if (jObject == NULL) { - *ckpObjectPtr = NULL; - *ckpLength = 0; -- } else if ((*env)->IsInstanceOf(env, jObject, jLongClass)) { -+ return; -+ } -+ -+ jLongClass = (*env)->FindClass(env, "java/lang/Long"); -+ if (jLongClass == NULL) { return; } -+ if ((*env)->IsInstanceOf(env, jObject, jLongClass)) { - *ckpObjectPtr = jLongObjectToCKULongPtr(env, jObject); - *ckpLength = sizeof(CK_ULONG); - TRACE1("<converted long value %X>", *((CK_ULONG *) *ckpObjectPtr)); -- } else if ((*env)->IsInstanceOf(env, jObject, jBooleanClass)) { -+ return; -+ } -+ -+ jBooleanClass = (*env)->FindClass(env, "java/lang/Boolean"); -+ if (jBooleanClass == NULL) { return; } -+ if ((*env)->IsInstanceOf(env, jObject, jBooleanClass)) { - *ckpObjectPtr = jBooleanObjectToCKBBoolPtr(env, jObject); - *ckpLength = sizeof(CK_BBOOL); - TRACE0(" <converted boolean value "); - TRACE0((*((CK_BBOOL *) *ckpObjectPtr) == TRUE) ? "TRUE>" : "FALSE>"); -- } else if ((*env)->IsInstanceOf(env, jObject, jByteArrayClass)) { -+ return; -+ } -+ -+ jByteArrayClass = (*env)->FindClass(env, "[B"); -+ if (jByteArrayClass == NULL) { return; } -+ if ((*env)->IsInstanceOf(env, jObject, jByteArrayClass)) { - jByteArrayToCKByteArray(env, jObject, (CK_BYTE_PTR*)ckpObjectPtr, ckpLength); -- } else if ((*env)->IsInstanceOf(env, jObject, jCharArrayClass)) { -+ return; -+ } -+ -+ jCharArrayClass = (*env)->FindClass(env, "[C"); -+ if (jCharArrayClass == NULL) { return; } -+ if ((*env)->IsInstanceOf(env, jObject, jCharArrayClass)) { - jCharArrayToCKUTF8CharArray(env, jObject, (CK_UTF8CHAR_PTR*)ckpObjectPtr, ckpLength); -- } else if ((*env)->IsInstanceOf(env, jObject, jByteClass)) { -+ return; -+ } -+ -+ jByteClass = (*env)->FindClass(env, "java/lang/Byte"); -+ if (jByteClass == NULL) { return; } -+ if ((*env)->IsInstanceOf(env, jObject, jByteClass)) { - *ckpObjectPtr = jByteObjectToCKBytePtr(env, jObject); - *ckpLength = sizeof(CK_BYTE); - TRACE1("<converted byte value %X>", *((CK_BYTE *) *ckpObjectPtr)); -- } else if ((*env)->IsInstanceOf(env, jObject, jDateClass)) { -+ return; -+ } -+ -+ jDateClass = (*env)->FindClass(env, CLASS_DATE); -+ if (jDateClass == NULL) { return; } -+ if ((*env)->IsInstanceOf(env, jObject, jDateClass)) { - *ckpObjectPtr = jDateObjectPtrToCKDatePtr(env, jObject); - *ckpLength = sizeof(CK_DATE); -- TRACE3("<converted date value %.4s-%.2s-%.2s>", (*((CK_DATE *) *ckpObjectPtr)).year, -- (*((CK_DATE *) *ckpObjectPtr)).month, -- (*((CK_DATE *) *ckpObjectPtr)).day); -- } else if ((*env)->IsInstanceOf(env, jObject, jCharacterClass)) { -+ TRACE3("<converted date value %.4s-%.2s-%.2s>", (*((CK_DATE *) *ckpObjectPtr)).year, (*((CK_DATE *) *ckpObjectPtr)).month, (*((CK_DATE *) *ckpObjectPtr)).day); -+ return; -+ } -+ -+ jCharacterClass = (*env)->FindClass(env, "java/lang/Character"); -+ if (jCharacterClass == NULL) { return; } -+ if ((*env)->IsInstanceOf(env, jObject, jCharacterClass)) { - *ckpObjectPtr = jCharObjectToCKCharPtr(env, jObject); - *ckpLength = sizeof(CK_UTF8CHAR); - TRACE1("<converted char value %c>", *((CK_CHAR *) *ckpObjectPtr)); -- } else if ((*env)->IsInstanceOf(env, jObject, jIntegerClass)) { -+ return; -+ } -+ -+ jIntegerClass = (*env)->FindClass(env, "java/lang/Integer"); -+ if (jIntegerClass == NULL) { return; } -+ if ((*env)->IsInstanceOf(env, jObject, jIntegerClass)) { - *ckpObjectPtr = jIntegerObjectToCKULongPtr(env, jObject); - *ckpLength = sizeof(CK_ULONG); - TRACE1("<converted integer value %X>", *((CK_ULONG *) *ckpObjectPtr)); -- } else if ((*env)->IsInstanceOf(env, jObject, jBooleanArrayClass)) { -+ return; -+ } -+ -+ jBooleanArrayClass = (*env)->FindClass(env, "[Z"); -+ if (jBooleanArrayClass == NULL) { return; } -+ if ((*env)->IsInstanceOf(env, jObject, jBooleanArrayClass)) { - jBooleanArrayToCKBBoolArray(env, jObject, (CK_BBOOL**)ckpObjectPtr, ckpLength); -- } else if ((*env)->IsInstanceOf(env, jObject, jIntArrayClass)) { -- jLongArrayToCKULongArray(env, jObject, (CK_ULONG_PTR*)ckpObjectPtr, ckpLength); -- } else if ((*env)->IsInstanceOf(env, jObject, jLongArrayClass)) { -+ return; -+ } -+ -+ jIntArrayClass = (*env)->FindClass(env, "[I"); -+ if (jIntArrayClass == NULL) { return; } -+ if ((*env)->IsInstanceOf(env, jObject, jIntArrayClass)) { - jLongArrayToCKULongArray(env, jObject, (CK_ULONG_PTR*)ckpObjectPtr, ckpLength); -- } else if ((*env)->IsInstanceOf(env, jObject, jStringClass)) { -- jStringToCKUTF8CharArray(env, jObject, (CK_UTF8CHAR_PTR*)ckpObjectPtr, ckpLength); -+ return; -+ } - -- /* a Java object array is not used by CK_ATTRIBUTE by now... */ --/* } else if ((*env)->IsInstanceOf(env, jObject, jObjectArrayClass)) { -- ckArrayLength = (*env)->GetArrayLength(env, (jarray) jObject); -- ckpObjectPtr = (CK_VOID_PTR_PTR) malloc(sizeof(CK_VOID_PTR) * ckArrayLength); -- *ckpLength = 0; -- for (i = 0; i < ckArrayLength; i++) { -- jObjectToPrimitiveCKObjectPtrPtr(env, (*env)->GetObjectArrayElement(env, (jarray) jObject, i), -- ckpElementObject, &ckElementLength); -- (*ckpObjectPtr)[i] = *ckpElementObject; -- *ckpLength += ckElementLength; -- } --*/ -- } else { -- /* type of jObject unknown, throw PKCS11RuntimeException */ -- jMethod = (*env)->GetMethodID(env, jObjectClass, "getClass", "()Ljava/lang/Class;"); -- assert(jMethod != 0); -- jClassObject = (*env)->CallObjectMethod(env, jObject, jMethod); -- assert(jClassObject != 0); -- jMethod = (*env)->GetMethodID(env, jClassClass, "getName", "()Ljava/lang/String;"); -- assert(jMethod != 0); -- jClassNameString = (jstring) -- (*env)->CallObjectMethod(env, jClassObject, jMethod); -- assert(jClassNameString != 0); -- jExceptionMessagePrefix = (*env)->NewStringUTF(env, "Java object of this class cannot be converted to native PKCS#11 type: "); -- jMethod = (*env)->GetMethodID(env, jStringBufferClass, "<init>", "(Ljava/lang/String;)V"); -- assert(jMethod != 0); -- jExceptionMessageStringBuffer = (*env)->NewObject(env, jStringBufferClass, jMethod, jExceptionMessagePrefix); -- assert(jClassNameString != 0); -- jMethod = (*env)->GetMethodID(env, jStringBufferClass, "append", "(Ljava/lang/String;)Ljava/lang/StringBuffer;"); -- assert(jMethod != 0); -- jExceptionMessage = (jstring) -- (*env)->CallObjectMethod(env, jExceptionMessageStringBuffer, jMethod, jClassNameString); -- assert(jExceptionMessage != 0); -+ jLongArrayClass = (*env)->FindClass(env, "[J"); -+ if (jLongArrayClass == NULL) { return; } -+ if ((*env)->IsInstanceOf(env, jObject, jLongArrayClass)) { -+ jLongArrayToCKULongArray(env, jObject, (CK_ULONG_PTR*)ckpObjectPtr, ckpLength); -+ return; -+ } - -- throwPKCS11RuntimeException(env, jExceptionMessage); -+ jStringClass = (*env)->FindClass(env, "java/lang/String"); -+ if (jStringClass == NULL) { return; } -+ if ((*env)->IsInstanceOf(env, jObject, jStringClass)) { -+ jStringToCKUTF8CharArray(env, jObject, (CK_UTF8CHAR_PTR*)ckpObjectPtr, ckpLength); -+ return; -+ } - -- *ckpObjectPtr = NULL; -- *ckpLength = 0; -+ /* type of jObject unknown, throw PKCS11RuntimeException */ -+ jObjectClass = (*env)->FindClass(env, "java/lang/Object"); -+ if (jObjectClass == NULL) { return; } -+ jMethod = (*env)->GetMethodID(env, jObjectClass, "getClass", "()Ljava/lang/Class;"); -+ if (jMethod == NULL) { return; } -+ jClassObject = (*env)->CallObjectMethod(env, jObject, jMethod); -+ assert(jClassObject != 0); -+ jClassClass = (*env)->FindClass(env, "java/lang/Class"); -+ if (jClassClass == NULL) { return; } -+ jMethod = (*env)->GetMethodID(env, jClassClass, "getName", "()Ljava/lang/String;"); -+ if (jMethod == NULL) { return; } -+ jClassNameString = (jstring) -+ (*env)->CallObjectMethod(env, jClassObject, jMethod); -+ assert(jClassNameString != 0); -+ classNameString = (char*) -+ (*env)->GetStringUTFChars(env, jClassNameString, NULL); -+ if (classNameString == NULL) { return; } -+ exceptionMsgPrefix = "Java object of this class cannot be converted to native PKCS#11 type: "; -+ exceptionMsg = (char *) -+ malloc((strlen(exceptionMsgPrefix) + strlen(classNameString) + 1)); -+ if (exceptionMsg == NULL) { -+ (*env)->ReleaseStringUTFChars(env, jClassNameString, classNameString); -+ JNU_ThrowOutOfMemoryError(env, 0); -+ return; - } -+ strcpy(exceptionMsg, exceptionMsgPrefix); -+ strcat(exceptionMsg, classNameString); -+ (*env)->ReleaseStringUTFChars(env, jClassNameString, classNameString); -+ throwPKCS11RuntimeException(env, exceptionMsg); -+ free(exceptionMsg); -+ *ckpObjectPtr = NULL; -+ *ckpLength = 0; - - TRACE0("FINISHED\n"); - } -+ -+#ifdef P11_MEMORYDEBUG -+ -+#undef malloc -+#undef free -+ -+void *p11malloc(size_t c, char *file, int line) { -+ void *p = malloc(c); -+ printf("malloc\t%08x\t%d\t%s:%d\n", p, c, file, line); fflush(stdout); -+ return p; -+} -+ -+void p11free(void *p, char *file, int line) { -+ printf("free\t%08x\t\t%s:%d\n", p, file, line); fflush(stdout); -+ free(p); -+} -+ -+#endif -+ -diff -Nru openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h ---- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h 2014-10-08 16:35:09.000000000 +0100 -+++ openjdk/jdk/src/share/native/sun/security/pkcs11/wrapper/pkcs11wrapper.h 2014-10-08 17:30:03.990103869 +0100 -@@ -154,6 +154,7 @@ - - #include "pkcs11.h" - #include <jni.h> -+#include <jni_util.h> - - #define MAX_STACK_BUFFER_LEN (4 * 1024) - #define MAX_HEAP_BUFFER_LEN (64 * 1024) -@@ -277,12 +278,14 @@ - */ - - jlong ckAssertReturnValueOK(JNIEnv *env, CK_RV returnValue); --void throwPKCS11RuntimeException(JNIEnv *env, jstring jmessage); --void throwFileNotFoundException(JNIEnv *env, jstring jmessage); - void throwIOException(JNIEnv *env, const char *message); --void throwIOExceptionUnicodeMessage(JNIEnv *env, const short *message); -+void throwPKCS11RuntimeException(JNIEnv *env, const char *message); - void throwDisconnectedRuntimeException(JNIEnv *env); - -+/* function to free CK_ATTRIBUTE array -+ */ -+void freeCKAttributeArray(CK_ATTRIBUTE_PTR attrPtr, int len); -+ - /* funktions to convert Java arrays to a CK-type array and the array length */ - - void jBooleanArrayToCKBBoolArray(JNIEnv *env, const jbooleanArray jArray, CK_BBOOL **ckpArray, CK_ULONG_PTR ckLength); -@@ -438,3 +441,15 @@ - extern jobject jInitArgsObject; - extern CK_C_INITIALIZE_ARGS_PTR ckpGlobalInitArgs; - #endif /* NO_CALLBACKS */ -+ -+#ifdef P11_MEMORYDEBUG -+#include <stdlib.h> -+ -+/* Simple malloc/free dumper */ -+void *p11malloc(size_t c, char *file, int line); -+void p11free(void *p, char *file, int line); -+ -+#define malloc(c) (p11malloc((c), __FILE__, __LINE__)) -+#define free(c) (p11free((c), __FILE__, __LINE__)) -+ -+#endif
--- a/patches/openjdk/p11cipher-6924489-ckr_operation_not_initialized.patch Wed May 04 02:55:09 2016 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,102 +0,0 @@ -# HG changeset patch -# User valeriep -# Date 1293074372 28800 -# Node ID adff75ebdc00374c41e2516fca5c4d40fec0ca9f -# Parent d4c2d2d72cfc45e3a66e52f792af6dc90a833d95 -6924489: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_OPERATION_NOT_INITIALIZED -Summary: Reset cipher state to un-initialized wherever necessary. -Reviewed-by: weijun - -diff --git a/src/share/classes/sun/security/pkcs11/P11Cipher.java b/src/share/classes/sun/security/pkcs11/P11Cipher.java ---- openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java -@@ -395,6 +395,8 @@ - } - } catch (PKCS11Exception e) { - throw new ProviderException("Cancel failed", e); -+ } finally { -+ reset(); - } - } - -@@ -408,12 +410,18 @@ - if (session == null) { - session = token.getOpSession(); - } -- if (encrypt) { -- token.p11.C_EncryptInit(session.id(), -- new CK_MECHANISM(mechanism, iv), p11Key.keyID); -- } else { -- token.p11.C_DecryptInit(session.id(), -- new CK_MECHANISM(mechanism, iv), p11Key.keyID); -+ try { -+ if (encrypt) { -+ token.p11.C_EncryptInit(session.id(), -+ new CK_MECHANISM(mechanism, iv), p11Key.keyID); -+ } else { -+ token.p11.C_DecryptInit(session.id(), -+ new CK_MECHANISM(mechanism, iv), p11Key.keyID); -+ } -+ } catch (PKCS11Exception ex) { -+ // release session when initialization failed -+ session = token.releaseSession(session); -+ throw ex; - } - bytesBuffered = 0; - padBufferLen = 0; -@@ -448,6 +456,16 @@ - return result; - } - -+ // reset the states to the pre-initialized values -+ private void reset() { -+ initialized = false; -+ bytesBuffered = 0; -+ padBufferLen = 0; -+ if (session != null) { -+ session = token.releaseSession(session); -+ } -+ } -+ - // see JCE spec - protected byte[] engineUpdate(byte[] in, int inOfs, int inLen) { - try { -@@ -566,6 +584,7 @@ - throw (ShortBufferException) - (new ShortBufferException().initCause(e)); - } -+ reset(); - throw new ProviderException("update() failed", e); - } - } -@@ -683,6 +702,7 @@ - throw (ShortBufferException) - (new ShortBufferException().initCause(e)); - } -+ reset(); - throw new ProviderException("update() failed", e); - } - } -@@ -729,10 +749,7 @@ - handleException(e); - throw new ProviderException("doFinal() failed", e); - } finally { -- initialized = false; -- bytesBuffered = 0; -- padBufferLen = 0; -- session = token.releaseSession(session); -+ reset(); - } - } - -@@ -806,9 +823,7 @@ - handleException(e); - throw new ProviderException("doFinal() failed", e); - } finally { -- initialized = false; -- bytesBuffered = 0; -- session = token.releaseSession(session); -+ reset(); - } - } -
--- a/patches/pr2486-768_dh.patch Wed May 04 02:55:09 2016 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,52 +0,0 @@ -# HG changeset patch -# User andrew -# Date 1428077961 -3600 -# Fri Apr 03 17:19:21 2015 +0100 -# Node ID 25ae097ee625609d0ca677afbcb4fa7669fd5ea4 -# Parent e7690bee9a7722b20bde481fb2da0bb6b903a258 -PR2486: JSSE server is still limited to 768-bit DHE -Summary: Alter 6956398 so that legacy mode is default and 1024-bit keys come with "jdk8" mode. - -diff -r e7690bee9a77 -r 25ae097ee625 src/share/classes/sun/security/ssl/ServerHandshaker.java ---- openjdk/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java Fri Apr 03 18:26:32 2015 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java Fri Apr 03 17:19:21 2015 +0100 -@@ -111,15 +111,15 @@ - String property = AccessController.doPrivileged( - new GetPropertyAction("jdk.tls.ephemeralDHKeySize")); - if (property == null || property.length() == 0) { -- useLegacyEphemeralDHKeys = false; -+ useLegacyEphemeralDHKeys = true; - useSmartEphemeralDHKeys = false; - customizedDHKeySize = -1; - } else if ("matched".equals(property)) { - useLegacyEphemeralDHKeys = false; - useSmartEphemeralDHKeys = true; - customizedDHKeySize = -1; -- } else if ("legacy".equals(property)) { -- useLegacyEphemeralDHKeys = true; -+ } else if ("jdk8".equals(property)) { -+ useLegacyEphemeralDHKeys = false; - useSmartEphemeralDHKeys = false; - customizedDHKeySize = -1; - } else { -@@ -1230,14 +1230,13 @@ - * 768 bits ephemeral DH private keys were used to be used in - * ServerKeyExchange except that exportable ciphers max out at 512 - * bits modulus values. We still adhere to this behavior in legacy -- * mode (system property "jdk.tls.ephemeralDHKeySize" is defined -- * as "legacy"). -+ * mode (system property "jdk.tls.ephemeralDHKeySize" -+ * is not defined). - * -- * Old JDK (JDK 7 and previous) releases don't support DH keys bigger -- * than 1024 bits. We have to consider the compatibility requirement. -- * 1024 bits DH key is always used for non-exportable cipher suites -- * in default mode (system property "jdk.tls.ephemeralDHKeySize" -- * is not defined). -+ * New JDK (JDK 8 and later) releases use a 1024 bit DH key for -+ * non-exportable cipher suites in default mode and this can -+ * be enabled when the system property "jdk.tls.ephemeralDHKeySize" -+ * is defined as "jdk8". - * - * However, if applications want more stronger strength, setting - * system property "jdk.tls.ephemeralDHKeySize" to "matched"
--- a/patches/pr2488-1024_dh.patch Wed May 04 02:55:09 2016 +0100 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,53 +0,0 @@ -# HG changeset patch -# User andrew -# Date 1437347486 -3600 -# Mon Jul 20 00:11:26 2015 +0100 -# Node ID c1787ebf3df9ed96cd93bbd533ccf066418ade8a -# Parent ff3cd846027abce97fe5e7cc5a1df16fa6e5afc8 -PR2488: Make jdk8 mode the default for jdk.tls.ephemeralDHKeySize -Summary: Backout 45680a70921daf8a5929b890de22c2fa5d117d82 - -diff -r ff3cd846027a -r c1787ebf3df9 src/share/classes/sun/security/ssl/ServerHandshaker.java ---- openjdk/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java Sun Jul 19 18:19:29 2015 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/ssl/ServerHandshaker.java Mon Jul 20 00:11:26 2015 +0100 -@@ -120,15 +120,15 @@ - String property = AccessController.doPrivileged( - new GetPropertyAction("jdk.tls.ephemeralDHKeySize")); - if (property == null || property.length() == 0) { -- useLegacyEphemeralDHKeys = true; -+ useLegacyEphemeralDHKeys = false; - useSmartEphemeralDHKeys = false; - customizedDHKeySize = -1; - } else if ("matched".equals(property)) { - useLegacyEphemeralDHKeys = false; - useSmartEphemeralDHKeys = true; - customizedDHKeySize = -1; -- } else if ("jdk8".equals(property)) { -- useLegacyEphemeralDHKeys = false; -+ } else if ("legacy".equals(property)) { -+ useLegacyEphemeralDHKeys = true; - useSmartEphemeralDHKeys = false; - customizedDHKeySize = -1; - } else { -@@ -1253,14 +1253,15 @@ - * 768 bits ephemeral DH private keys were used to be used in - * ServerKeyExchange except that exportable ciphers max out at 512 - * bits modulus values. We still adhere to this behavior in legacy -- * mode (system property "jdk.tls.ephemeralDHKeySize" -+ * mode (system property "jdk.tls.ephemeralDHKeySize" is defined -+ * as "legacy"). -+ * -+ * Older versions of OpenJDK don't support DH keys bigger -+ * than 1024 bits. We have to consider the compatibility requirement. -+ * 1024 bits DH key is always used for non-exportable cipher suites -+ * in default mode (system property "jdk.tls.ephemeralDHKeySize" - * is not defined). - * -- * New JDK (JDK 8 and later) releases use a 1024 bit DH key for -- * non-exportable cipher suites in default mode and this can -- * be enabled when the system property "jdk.tls.ephemeralDHKeySize" -- * is defined as "jdk8". -- * - * However, if applications want more stronger strength, setting - * system property "jdk.tls.ephemeralDHKeySize" to "matched" - * is a workaround to use ephemeral DH key which size matches the