Mercurial > hg > release > icedtea6-1.7
changeset 1951:6abc3a568866
Backport S6668231: Presence of a critical subjectAltName causes JSSE's SunX509 to fail trusted checks.
2010-07-25 Andrew John Hughes <ahughes@redhat.com>
* .hgignore: Remove 'openjdk' which hides files
added to overlays.
* Makefile.am: Add patch.
* patches/openjdk/6668231-ssl_cert.patch:
Backport SSL certificate fix 'Presence of a
critical subjectAltName causes JSSE's SunX509 to
fail trusted checks'.
* overlays/openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/crisubn.jks,
* overlays/openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/trusted.jks:
Keystores for the new test introduced by this patch.
author | Andrew John Hughes <ahughes@redhat.com> |
---|---|
date | Sun, 25 Jul 2010 21:12:18 +0100 |
parents | 36fc1b3ae030 |
children | 00d39eef8e59 |
files | .hgignore ChangeLog Makefile.am overlays/openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/crisubn.jks overlays/openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/trusted.jks patches/openjdk/6668231-ssl_cert.patch |
diffstat | 6 files changed, 321 insertions(+), 2 deletions(-) [+] |
line wrap: on
line diff
--- a/.hgignore Thu Jul 22 09:24:52 2010 +0100 +++ b/.hgignore Sun Jul 25 21:12:18 2010 +0100 @@ -7,7 +7,6 @@ cacao netbeans visualvm -openjdk bootstrap debian lib
--- a/ChangeLog Thu Jul 22 09:24:52 2010 +0100 +++ b/ChangeLog Sun Jul 25 21:12:18 2010 +0100 @@ -1,3 +1,16 @@ +2010-07-25 Andrew John Hughes <ahughes@redhat.com> + + * .hgignore: Remove 'openjdk' which hides files + added to overlays. + * Makefile.am: Add patch. + * patches/openjdk/6668231-ssl_cert.patch: + Backport SSL certificate fix 'Presence of a + critical subjectAltName causes JSSE's SunX509 to + fail trusted checks'. + * overlays/openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/crisubn.jks, + * overlays/openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/trusted.jks: + Keystores for the new test introduced by this patch. + 2010-07-21 Andrew John Hughes <ahughes@redhat.com> * INSTALL: Updated, with documentation
--- a/Makefile.am Thu Jul 22 09:24:52 2010 +0100 +++ b/Makefile.am Sun Jul 25 21:12:18 2010 +0100 @@ -341,7 +341,8 @@ patches/openjdk/6875861-docs-properties.patch \ patches/openjdk/6909563-docs-rmi.patch \ patches/openjdk/6917485-docs-corba.patch \ - patches/openjdk/6921068-docs-specdefault.patch + patches/openjdk/6921068-docs-specdefault.patch \ + patches/openjdk/6668231-ssl_cert.patch if WITH_RHINO ICEDTEA_PATCHES += \
Binary file overlays/openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/crisubn.jks has changed
Binary file overlays/openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/trusted.jks has changed
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/patches/openjdk/6668231-ssl_cert.patch Sun Jul 25 21:12:18 2010 +0100 @@ -0,0 +1,306 @@ +# HG changeset patch +# User xuelei +# Date 1207190685 14400 +# Node ID df5d7e6ac15e2e2e0b6f8fd37b2240a0057c586d +# Parent 99b3301fc27c218cb2fca3c585751d12be00d49a +6668231: Presence of a critical subjectAltName causes JSSE's SunX509 to fail trusted checks +Summary: make the critical extension known to end entity checker. +Reviewed-by: wetmore, mullan + +diff -r 99b3301fc27c -r df5d7e6ac15e src/share/classes/sun/security/validator/EndEntityChecker.java +--- openjdk.orig/jdk/src/share/classes/sun/security/validator/EndEntityChecker.java Mon Mar 31 16:50:16 2008 -0700 ++++ openjdk/jdk/src/share/classes/sun/security/validator/EndEntityChecker.java Wed Apr 02 22:44:45 2008 -0400 +@@ -87,6 +87,9 @@ + // the Microsoft Server-Gated-Cryptography EKU extension OID + private final static String OID_EKU_MS_SGC = "1.3.6.1.4.1.311.10.3.3"; + ++ // the recognized extension OIDs ++ private final static String OID_SUBJECT_ALT_NAME = "2.5.29.17"; ++ + private final static String NSCT_SSL_CLIENT = + NetscapeCertTypeExtension.SSL_CLIENT; + +@@ -171,6 +174,13 @@ + throws CertificateException { + // basic constraints irrelevant in EE certs + exts.remove(SimpleValidator.OID_BASIC_CONSTRAINTS); ++ ++ // If the subject field contains an empty sequence, the subjectAltName ++ // extension MUST be marked critical. ++ // We do not check the validity of the critical extension, just mark ++ // it recognizable here. ++ exts.remove(OID_SUBJECT_ALT_NAME); ++ + if (!exts.isEmpty()) { + throw new CertificateException("Certificate contains unsupported " + + "critical extensions: " + exts); +diff -r 99b3301fc27c -r df5d7e6ac15e test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/CriticalSubjectAltName.java +--- /dev/null Thu Jan 01 00:00:00 1970 +0000 ++++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/CriticalSubjectAltName.java Wed Apr 02 22:44:45 2008 -0400 +@@ -0,0 +1,262 @@ ++/* ++ * Copyright 2001-2008 Sun Microsystems, Inc. All Rights Reserved. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, ++ * CA 95054 USA or visit www.sun.com if you need additional information or ++ * have any questions. ++ */ ++ ++/* ++ * @test ++ * @bug 6668231 ++ * @summary Presence of a critical subjectAltName causes JSSE's SunX509 to ++ * fail trusted checks ++ * @author Xuelei Fan ++ * ++ * This test depends on binary keystore, crisubn.jks and trusted.jks. Because ++ * JAVA keytool cannot generate X509 certificate with SubjectAltName extension, ++ * the certificates are generated with openssl toolkits and then imported into ++ * JAVA keystore. ++ * ++ * The crisubn.jks holds a private key entry and the corresponding X509 ++ * certificate issued with an empty Subject field, and a critical ++ * SubjectAltName extension. ++ * ++ * The trusted.jks holds the trusted certificate. ++ */ ++import java.io.*; ++import java.net.*; ++import javax.net.ssl.*; ++import java.security.cert.Certificate; ++ ++public class CriticalSubjectAltName implements HostnameVerifier { ++ /* ++ * ============================================================= ++ * Set the various variables needed for the tests, then ++ * specify what tests to run on each side. ++ */ ++ ++ /* ++ * Should we run the client or server in a separate thread? ++ * Both sides can throw exceptions, but do you have a preference ++ * as to which side should be the main thread. ++ */ ++ static boolean separateServerThread = true; ++ ++ /* ++ * Where do we find the keystores? ++ */ ++ static String pathToStores = "./"; ++ static String keyStoreFile = "crisubn.jks"; ++ static String trustStoreFile = "trusted.jks"; ++ static String passwd = "passphrase"; ++ ++ /* ++ * Is the server ready to serve? ++ */ ++ volatile static boolean serverReady = false; ++ ++ /* ++ * Turn on SSL debugging? ++ */ ++ static boolean debug = false; ++ ++ /* ++ * If the client or server is doing some kind of object creation ++ * that the other side depends on, and that thread prematurely ++ * exits, you may experience a hang. The test harness will ++ * terminate all hung threads after its timeout has expired, ++ * currently 3 minutes by default, but you might try to be ++ * smart about it.... ++ */ ++ ++ /* ++ * Define the server side of the test. ++ * ++ * If the server prematurely exits, serverReady will be set to true ++ * to avoid infinite hangs. ++ */ ++ void doServerSide() throws Exception { ++ SSLServerSocketFactory sslssf = ++ (SSLServerSocketFactory) SSLServerSocketFactory.getDefault(); ++ SSLServerSocket sslServerSocket = ++ (SSLServerSocket) sslssf.createServerSocket(serverPort); ++ serverPort = sslServerSocket.getLocalPort(); ++ ++ /* ++ * Signal Client, we're ready for his connect. ++ */ ++ serverReady = true; ++ ++ SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept(); ++ OutputStream sslOS = sslSocket.getOutputStream(); ++ BufferedWriter bw = new BufferedWriter(new OutputStreamWriter(sslOS)); ++ bw.write("HTTP/1.1 200 OK\r\n\r\n\r\n"); ++ bw.flush(); ++ Thread.sleep(5000); ++ sslSocket.close(); ++ } ++ ++ /* ++ * Define the client side of the test. ++ * ++ * If the server prematurely exits, serverReady will be set to true ++ * to avoid infinite hangs. ++ */ ++ void doClientSide() throws Exception { ++ ++ /* ++ * Wait for server to get started. ++ */ ++ while (!serverReady) { ++ Thread.sleep(50); ++ } ++ ++ URL url = new URL("https://localhost:"+serverPort+"/index.html"); ++ HttpsURLConnection urlc = (HttpsURLConnection)url.openConnection(); ++ urlc.setHostnameVerifier(this); ++ urlc.getInputStream(); ++ ++ if (urlc.getResponseCode() == -1) { ++ throw new RuntimeException("getResponseCode() returns -1"); ++ } ++ } ++ ++ /* ++ * ============================================================= ++ * The remainder is just support stuff ++ */ ++ ++ // use any free port by default ++ volatile int serverPort = 0; ++ ++ volatile Exception serverException = null; ++ volatile Exception clientException = null; ++ ++ public static void main(String[] args) throws Exception { ++ String keyFilename = ++ System.getProperty("test.src", "./") + "/" + pathToStores + ++ "/" + keyStoreFile; ++ String trustFilename = ++ System.getProperty("test.src", "./") + "/" + pathToStores + ++ "/" + trustStoreFile; ++ ++ System.setProperty("javax.net.ssl.keyStore", keyFilename); ++ System.setProperty("javax.net.ssl.keyStorePassword", passwd); ++ System.setProperty("javax.net.ssl.trustStore", trustFilename); ++ System.setProperty("javax.net.ssl.trustStorePassword", passwd); ++ ++ if (debug) ++ System.setProperty("javax.net.debug", "all"); ++ ++ /* ++ * Start the tests. ++ */ ++ new CriticalSubjectAltName(); ++ } ++ ++ Thread clientThread = null; ++ Thread serverThread = null; ++ ++ /* ++ * Primary constructor, used to drive remainder of the test. ++ * ++ * Fork off the other side, then do your work. ++ */ ++ CriticalSubjectAltName() throws Exception { ++ if (separateServerThread) { ++ startServer(true); ++ startClient(false); ++ } else { ++ startClient(true); ++ startServer(false); ++ } ++ ++ /* ++ * Wait for other side to close down. ++ */ ++ if (separateServerThread) { ++ serverThread.join(); ++ } else { ++ clientThread.join(); ++ } ++ ++ /* ++ * When we get here, the test is pretty much over. ++ * ++ * If the main thread excepted, that propagates back ++ * immediately. If the other thread threw an exception, we ++ * should report back. ++ */ ++ if (serverException != null) ++ throw serverException; ++ if (clientException != null) ++ throw clientException; ++ } ++ ++ void startServer(boolean newThread) throws Exception { ++ if (newThread) { ++ serverThread = new Thread() { ++ public void run() { ++ try { ++ doServerSide(); ++ } catch (Exception e) { ++ /* ++ * Our server thread just died. ++ * ++ * Release the client, if not active already... ++ */ ++ System.err.println("Server died..."); ++ serverReady = true; ++ serverException = e; ++ } ++ } ++ }; ++ serverThread.start(); ++ } else { ++ doServerSide(); ++ } ++ } ++ ++ void startClient(boolean newThread) throws Exception { ++ if (newThread) { ++ clientThread = new Thread() { ++ public void run() { ++ try { ++ doClientSide(); ++ } catch (Exception e) { ++ /* ++ * Our client thread just died. ++ */ ++ System.err.println("Client died..."); ++ clientException = e; ++ } ++ } ++ }; ++ clientThread.start(); ++ } else { ++ doClientSide(); ++ } ++ } ++ ++ // Simple test method to blindly agree that hostname and certname match ++ public boolean verify(String hostname, SSLSession session) { ++ return true; ++ } ++ ++} +diff -r 99b3301fc27c -r df5d7e6ac15e test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/crisubn.jks +Binary file test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/crisubn.jks has changed +diff -r 99b3301fc27c -r df5d7e6ac15e test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/trusted.jks +Binary file test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/trusted.jks has changed