Mercurial > hg > release > icedtea6-1.7

--- a/.hgignore	Thu Jul 22 09:24:52 2010 +0100
+++ b/.hgignore	Sun Jul 25 21:12:18 2010 +0100
@@ -7,7 +7,6 @@
 cacao
 netbeans
 visualvm
-openjdk
 bootstrap
 debian
 lib
--- a/ChangeLog	Thu Jul 22 09:24:52 2010 +0100
+++ b/ChangeLog	Sun Jul 25 21:12:18 2010 +0100
@@ -1,3 +1,16 @@
+2010-07-25  Andrew John Hughes  <ahughes@redhat.com>
+
+ 	* .hgignore: Remove 'openjdk' which hides files
+	added to overlays.
+	* Makefile.am: Add patch.
+	* patches/openjdk/6668231-ssl_cert.patch:
+	Backport SSL certificate fix 'Presence of a
+	critical subjectAltName causes JSSE's SunX509 to
+	fail trusted checks'.
+	* overlays/openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/crisubn.jks,
+	* overlays/openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/trusted.jks:
+	Keystores for the new test introduced by this patch.
+
 2010-07-21  Andrew John Hughes  <ahughes@redhat.com>

 	* INSTALL: Updated, with documentation
--- a/Makefile.am	Thu Jul 22 09:24:52 2010 +0100
+++ b/Makefile.am	Sun Jul 25 21:12:18 2010 +0100
@@ -341,7 +341,8 @@
 	patches/openjdk/6875861-docs-properties.patch \
 	patches/openjdk/6909563-docs-rmi.patch \
 	patches/openjdk/6917485-docs-corba.patch \
-	patches/openjdk/6921068-docs-specdefault.patch
+	patches/openjdk/6921068-docs-specdefault.patch \
+	patches/openjdk/6668231-ssl_cert.patch

 if WITH_RHINO
 ICEDTEA_PATCHES += \
Binary file overlays/openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/crisubn.jks has changed
Binary file overlays/openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/trusted.jks has changed
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/openjdk/6668231-ssl_cert.patch	Sun Jul 25 21:12:18 2010 +0100
@@ -0,0 +1,306 @@
+# HG changeset patch
+# User xuelei
+# Date 1207190685 14400
+# Node ID df5d7e6ac15e2e2e0b6f8fd37b2240a0057c586d
+# Parent  99b3301fc27c218cb2fca3c585751d12be00d49a
+6668231: Presence of a critical subjectAltName causes JSSE's SunX509 to fail trusted checks
+Summary: make the critical extension known to end entity checker.
+Reviewed-by: wetmore, mullan
+
+diff -r 99b3301fc27c -r df5d7e6ac15e src/share/classes/sun/security/validator/EndEntityChecker.java
+--- openjdk.orig/jdk/src/share/classes/sun/security/validator/EndEntityChecker.java	Mon Mar 31 16:50:16 2008 -0700
++++ openjdk/jdk/src/share/classes/sun/security/validator/EndEntityChecker.java	Wed Apr 02 22:44:45 2008 -0400
+@@ -87,6 +87,9 @@
+     // the Microsoft Server-Gated-Cryptography EKU extension OID
+     private final static String OID_EKU_MS_SGC = "1.3.6.1.4.1.311.10.3.3";
+
++    // the recognized extension OIDs
++    private final static String OID_SUBJECT_ALT_NAME = "2.5.29.17";
++
+     private final static String NSCT_SSL_CLIENT =
+                                 NetscapeCertTypeExtension.SSL_CLIENT;
+
+@@ -171,6 +174,13 @@
+             throws CertificateException {
+         // basic constraints irrelevant in EE certs
+         exts.remove(SimpleValidator.OID_BASIC_CONSTRAINTS);
++
++        // If the subject field contains an empty sequence, the subjectAltName
++        // extension MUST be marked critical.
++        // We do not check the validity of the critical extension, just mark
++        // it recognizable here.
++        exts.remove(OID_SUBJECT_ALT_NAME);
++
+         if (!exts.isEmpty()) {
+             throw new CertificateException("Certificate contains unsupported "
+                 + "critical extensions: " + exts);
+diff -r 99b3301fc27c -r df5d7e6ac15e test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/CriticalSubjectAltName.java
+--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
++++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/CriticalSubjectAltName.java	Wed Apr 02 22:44:45 2008 -0400
+@@ -0,0 +1,262 @@
++/*
++ * Copyright 2001-2008 Sun Microsystems, Inc.  All Rights Reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
++ * CA 95054 USA or visit www.sun.com if you need additional information or
++ * have any questions.
++ */
++
++/*
++ * @test
++ * @bug 6668231
++ * @summary Presence of a critical subjectAltName causes JSSE's SunX509 to
++ *          fail trusted checks
++ * @author Xuelei Fan
++ *
++ * This test depends on binary keystore, crisubn.jks and trusted.jks. Because
++ * JAVA keytool cannot generate X509 certificate with SubjectAltName extension,
++ * the certificates are generated with openssl toolkits and then imported into
++ * JAVA keystore.
++ *
++ * The crisubn.jks holds a private key entry and the corresponding X509
++ * certificate issued with an empty Subject field, and a critical
++ * SubjectAltName extension.
++ *
++ * The trusted.jks holds the trusted certificate.
++ */
++import java.io.*;
++import java.net.*;
++import javax.net.ssl.*;
++import java.security.cert.Certificate;
++
++public class CriticalSubjectAltName implements HostnameVerifier {
++    /*
++     * =============================================================
++     * Set the various variables needed for the tests, then
++     * specify what tests to run on each side.
++     */
++
++    /*
++     * Should we run the client or server in a separate thread?
++     * Both sides can throw exceptions, but do you have a preference
++     * as to which side should be the main thread.
++     */
++    static boolean separateServerThread = true;
++
++    /*
++     * Where do we find the keystores?
++     */
++    static String pathToStores = "./";
++    static String keyStoreFile = "crisubn.jks";
++    static String trustStoreFile = "trusted.jks";
++    static String passwd = "passphrase";
++
++    /*
++     * Is the server ready to serve?
++     */
++    volatile static boolean serverReady = false;
++
++    /*
++     * Turn on SSL debugging?
++     */
++    static boolean debug = false;
++
++    /*
++     * If the client or server is doing some kind of object creation
++     * that the other side depends on, and that thread prematurely
++     * exits, you may experience a hang.  The test harness will
++     * terminate all hung threads after its timeout has expired,
++     * currently 3 minutes by default, but you might try to be
++     * smart about it....
++     */
++
++    /*
++     * Define the server side of the test.
++     *
++     * If the server prematurely exits, serverReady will be set to true
++     * to avoid infinite hangs.
++     */
++    void doServerSide() throws Exception {
++        SSLServerSocketFactory sslssf =
++            (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
++        SSLServerSocket sslServerSocket =
++            (SSLServerSocket) sslssf.createServerSocket(serverPort);
++        serverPort = sslServerSocket.getLocalPort();
++
++        /*
++         * Signal Client, we're ready for his connect.
++         */
++        serverReady = true;
++
++        SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept();
++        OutputStream sslOS = sslSocket.getOutputStream();
++        BufferedWriter bw = new BufferedWriter(new OutputStreamWriter(sslOS));
++        bw.write("HTTP/1.1 200 OK\r\n\r\n\r\n");
++        bw.flush();
++        Thread.sleep(5000);
++        sslSocket.close();
++    }
++
++    /*
++     * Define the client side of the test.
++     *
++     * If the server prematurely exits, serverReady will be set to true
++     * to avoid infinite hangs.
++     */
++    void doClientSide() throws Exception {
++
++        /*
++         * Wait for server to get started.
++         */
++        while (!serverReady) {
++            Thread.sleep(50);
++        }
++
++        URL url = new URL("https://localhost:"+serverPort+"/index.html");
++        HttpsURLConnection urlc = (HttpsURLConnection)url.openConnection();
++        urlc.setHostnameVerifier(this);
++        urlc.getInputStream();
++
++        if (urlc.getResponseCode() == -1) {
++            throw new RuntimeException("getResponseCode() returns -1");
++        }
++    }
++
++    /*
++     * =============================================================
++     * The remainder is just support stuff
++     */
++
++    // use any free port by default
++    volatile int serverPort = 0;
++
++    volatile Exception serverException = null;
++    volatile Exception clientException = null;
++
++    public static void main(String[] args) throws Exception {
++        String keyFilename =
++            System.getProperty("test.src", "./") + "/" + pathToStores +
++                "/" + keyStoreFile;
++        String trustFilename =
++            System.getProperty("test.src", "./") + "/" + pathToStores +
++                "/" + trustStoreFile;
++
++        System.setProperty("javax.net.ssl.keyStore", keyFilename);
++        System.setProperty("javax.net.ssl.keyStorePassword", passwd);
++        System.setProperty("javax.net.ssl.trustStore", trustFilename);
++        System.setProperty("javax.net.ssl.trustStorePassword", passwd);
++
++        if (debug)
++            System.setProperty("javax.net.debug", "all");
++
++        /*
++         * Start the tests.
++         */
++        new CriticalSubjectAltName();
++    }
++
++    Thread clientThread = null;
++    Thread serverThread = null;
++
++    /*
++     * Primary constructor, used to drive remainder of the test.
++     *
++     * Fork off the other side, then do your work.
++     */
++    CriticalSubjectAltName() throws Exception {
++        if (separateServerThread) {
++            startServer(true);
++            startClient(false);
++        } else {
++            startClient(true);
++            startServer(false);
++        }
++
++        /*
++         * Wait for other side to close down.
++         */
++        if (separateServerThread) {
++            serverThread.join();
++        } else {
++            clientThread.join();
++        }
++
++        /*
++         * When we get here, the test is pretty much over.
++         *
++         * If the main thread excepted, that propagates back
++         * immediately.  If the other thread threw an exception, we
++         * should report back.
++         */
++        if (serverException != null)
++            throw serverException;
++        if (clientException != null)
++            throw clientException;
++    }
++
++    void startServer(boolean newThread) throws Exception {
++        if (newThread) {
++            serverThread = new Thread() {
++                public void run() {
++                    try {
++                        doServerSide();
++                    } catch (Exception e) {
++                        /*
++                         * Our server thread just died.
++                         *
++                         * Release the client, if not active already...
++                         */
++                        System.err.println("Server died...");
++                        serverReady = true;
++                        serverException = e;
++                    }
++                }
++            };
++            serverThread.start();
++        } else {
++            doServerSide();
++        }
++    }
++
++    void startClient(boolean newThread) throws Exception {
++        if (newThread) {
++            clientThread = new Thread() {
++                public void run() {
++                    try {
++                        doClientSide();
++                    } catch (Exception e) {
++                        /*
++                         * Our client thread just died.
++                         */
++                        System.err.println("Client died...");
++                        clientException = e;
++                    }
++                }
++            };
++            clientThread.start();
++        } else {
++            doClientSide();
++        }
++    }
++
++    // Simple test method to blindly agree that hostname and certname match
++    public boolean verify(String hostname, SSLSession session) {
++        return true;
++    }
++
++}
+diff -r 99b3301fc27c -r df5d7e6ac15e test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/crisubn.jks
+Binary file test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/crisubn.jks has changed
+diff -r 99b3301fc27c -r df5d7e6ac15e test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/trusted.jks
+Binary file test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/trusted.jks has changed