Mercurial > hg > release > icedtea7-forest-2.4 > jdk
changeset 4306:7b7c1ffd0752
Merge
| author | mduigou |
|---|---|
| date | Thu, 28 Apr 2011 10:14:12 -0700 |
| parents | 37722a0a1c65 (current diff) c3f5333e10e3 (diff) |
| children | 67f411052dd6 |
| files | src/share/classes/sun/security/util/SignatureFileManifest.java |
| diffstat | 33 files changed, 1041 insertions(+), 865 deletions(-) [+] |
line wrap: on
line diff
--- a/make/docs/Makefile Thu Apr 28 10:12:02 2011 -0700 +++ b/make/docs/Makefile Thu Apr 28 10:14:12 2011 -0700 @@ -1144,56 +1144,6 @@ ############################################################# # -# tracingdocs -# - -ALL_OTHER_TARGETS += tracingdocs - -TRACING_DOCDIR := $(JRE_API_DOCSDIR)/tracing -TRACING2COREAPI := ../$(JDKJRE2COREAPI) -TRACING_DOCTITLE := Java$(TRADEMARK) Platform Tracing -TRACING_WINDOWTITLE := Platform Tracing -TRACING_HEADER := <strong>Platform Tracing</strong> -TRACING_BOTTOM := $(call CommonBottom,$(TRACING_FIRST_COPYRIGHT_YEAR)) -# TRACING_PKGS is located in NON_CORE_PKGS.gmk - -TRACING_INDEX_HTML = $(TRACING_DOCDIR)/index.html -TRACING_OPTIONS_FILE = $(DOCSTMPDIR)/tracing.options -TRACING_PACKAGES_FILE = $(DOCSTMPDIR)/tracing.packages - -tracingdocs: $(TRACING_INDEX_HTML) - -# Set relative location to core api document root -$(TRACING_INDEX_HTML): GET2DOCSDIR=$(TRACING2COREAPI)/.. - -# Run javadoc if the index file is out of date or missing -$(TRACING_INDEX_HTML): $(TRACING_OPTIONS_FILE) $(TRACING_PACKAGES_FILE) - $(prep-javadoc) - $(call JavadocSummary,$(TRACING_OPTIONS_FILE),$(TRACING_PACKAGES_FILE)) - $(JAVADOC_CMD) $(JAVADOC_VM_MEMORY_FLAGS) -d $(@D) \ - @$(TRACING_OPTIONS_FILE) @$(TRACING_PACKAGES_FILE) - -# Create file with javadoc options in it -$(TRACING_OPTIONS_FILE): - $(prep-target) - @($(call OptionOnly,$(COMMON_JAVADOCFLAGS)) ; \ - $(call OptionPair,-sourcepath,$(RELEASEDOCS_SOURCEPATH)) ; \ - $(call OptionPair,-encoding,ascii) ; \ - $(call OptionOnly,-nodeprecatedlist) ; \ - $(call OptionPair,-doctitle,$(TRACING_DOCTITLE)) ; \ - $(call OptionPair,-windowtitle,$(TRACING_WINDOWTITLE) $(DRAFT_WINTITLE));\ - $(call OptionPair,-header,$(TRACING_HEADER)$(DRAFT_HEADER)) ; \ - $(call OptionPair,-bottom,$(TRACING_BOTTOM)$(DRAFT_BOTTOM)) ; \ - $(call OptionTrip,-linkoffline,$(TRACING2COREAPI),$(COREAPI_DOCSDIR)/); \ - ) >> $@ - -# Create a file with the package names in it -$(TRACING_PACKAGES_FILE): $(DIRECTORY_CACHE) $(call PackageDependencies,$(TRACING_PKGS)) - $(prep-target) - $(call PackageFilter,$(TRACING_PKGS)) - -############################################################# -# # Get a cache of all the directories $(DIRECTORY_CACHE): $(ALL_EXISTING_SOURCE_DIRS)
--- a/make/docs/NON_CORE_PKGS.gmk Thu Apr 28 10:12:02 2011 -0700 +++ b/make/docs/NON_CORE_PKGS.gmk Thu Apr 28 10:14:12 2011 -0700 @@ -88,9 +88,6 @@ SCTPAPI_PKGS = com.sun.nio.sctp -TRACING_PKGS = com.sun.tracing \ - com.sun.tracing.dtrace - # non-core packages in rt.jar NON_CORE_PKGS = $(DOMAPI_PKGS) \ $(MGMT_PKGS) \ @@ -100,6 +97,5 @@ $(OLD_JSSE_PKGS) \ $(HTTPSERVER_PKGS) \ $(SMARTCARDIO_PKGS) \ - $(TRACING_PKGS) \ $(SCTPAPI_PKGS)
--- a/make/java/nio/mapfile-linux Thu Apr 28 10:12:02 2011 -0700 +++ b/make/java/nio/mapfile-linux Thu Apr 28 10:14:12 2011 -0700 @@ -44,7 +44,6 @@ Java_sun_nio_ch_EPollArrayWrapper_interrupt; Java_sun_nio_ch_EPollArrayWrapper_offsetofData; Java_sun_nio_ch_EPollArrayWrapper_sizeofEPollEvent; - Java_sun_nio_ch_EPoll_init; Java_sun_nio_ch_EPoll_eventSize; Java_sun_nio_ch_EPoll_eventsOffset; Java_sun_nio_ch_EPoll_dataOffset; @@ -129,7 +128,6 @@ Java_sun_nio_fs_GnomeFileTypeDetector_probeUsingGio; Java_sun_nio_fs_GnomeFileTypeDetector_initializeGnomeVfs; Java_sun_nio_fs_GnomeFileTypeDetector_probeUsingGnomeVfs; - Java_sun_nio_fs_LinuxWatchService_init; Java_sun_nio_fs_LinuxWatchService_eventSize; Java_sun_nio_fs_LinuxWatchService_eventOffsets; Java_sun_nio_fs_LinuxWatchService_inotifyInit;
--- a/src/share/classes/java/nio/charset/Charset.java Thu Apr 28 10:12:02 2011 -0700 +++ b/src/share/classes/java/nio/charset/Charset.java Thu Apr 28 10:14:12 2011 -0700 @@ -143,6 +143,8 @@ * * <h4>Standard charsets</h4> * + * <a name="standard"> + * * <p> Every implementation of the Java platform is required to support the * following standard charsets. Consult the release documentation for your * implementation to see if any other charsets are supported. The behavior @@ -213,6 +215,8 @@ * determined during virtual-machine startup and typically depends upon the * locale and charset being used by the underlying operating system. </p> * + * <p>The {@link StandardCharset} class defines constants for each of the + * standard charsets. * * <h4>Terminology</h4> *
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/share/classes/java/nio/charset/StandardCharset.java Thu Apr 28 10:14:12 2011 -0700 @@ -0,0 +1,66 @@ +/* + * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ +package java.nio.charset; + +/** + * Constant definitions for the standard {@link Charset Charsets}. These + * charsets are guaranteed to be available on every implementation of the Java + * platform. + * + * @see <a href="Charset#standard">Standard Charsets</a> + * @since 1.7 + */ +public final class StandardCharset { + + private StandardCharset() { + throw new AssertionError("No java.nio.charset.StandardCharset instances for you!"); + } + /** + * Seven-bit ASCII, a.k.a. ISO646-US, a.k.a. the Basic Latin block of the + * Unicode character set + */ + public static final Charset US_ASCII = Charset.forName("US-ASCII"); + /** + * ISO Latin Alphabet No. 1, a.k.a. ISO-LATIN-1 + */ + public static final Charset ISO_8859_1 = Charset.forName("ISO-8859-1"); + /** + * Eight-bit UCS Transformation Format + */ + public static final Charset UTF_8 = Charset.forName("UTF-8"); + /** + * Sixteen-bit UCS Transformation Format, big-endian byte order + */ + public static final Charset UTF_16BE = Charset.forName("UTF-16BE"); + /** + * Sixteen-bit UCS Transformation Format, little-endian byte order + */ + public static final Charset UTF_16LE = Charset.forName("UTF-16LE"); + /** + * Sixteen-bit UCS Transformation Format, byte order identified by an + * optional byte-order mark + */ + public static final Charset UTF_16 = Charset.forName("UTF-16"); +}
--- a/src/share/classes/java/nio/file/Path.java Thu Apr 28 10:12:02 2011 -0700 +++ b/src/share/classes/java/nio/file/Path.java Thu Apr 28 10:14:12 2011 -0700 @@ -72,7 +72,7 @@ * directory and is UTF-8 encoded. * <pre> * Path path = FileSystems.getDefault().getPath("logs", "access.log"); - * BufferReader reader = Files.newBufferedReader(path, Charset.forName("UTF-8")); + * BufferReader reader = Files.newBufferedReader(path, StandardCharset.UTF_8); * </pre> * * <a name="interop"><h4>Interoperability</h4></a>
--- a/src/share/classes/java/sql/BatchUpdateException.java Thu Apr 28 10:12:02 2011 -0700 +++ b/src/share/classes/java/sql/BatchUpdateException.java Thu Apr 28 10:14:12 2011 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2005, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2011, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,8 @@ package java.sql; +import java.util.Arrays; + /** * The subclass of {@link SQLException} thrown when an error * occurs during a batch update operation. In addition to the @@ -77,8 +79,7 @@ */ public BatchUpdateException( String reason, String SQLState, int vendorCode, int[] updateCounts ) { - super(reason, SQLState, vendorCode); - this.updateCounts = updateCounts; + this(reason, SQLState, vendorCode, updateCounts, null); } /** @@ -105,8 +106,7 @@ */ public BatchUpdateException(String reason, String SQLState, int[] updateCounts) { - super(reason, SQLState); - this.updateCounts = updateCounts; + this(reason, SQLState, 0, updateCounts, null); } /** @@ -132,8 +132,7 @@ * @since 1.2 */ public BatchUpdateException(String reason, int[] updateCounts) { - super(reason); - this.updateCounts = updateCounts; + this(reason, null, 0, updateCounts, null); } /** @@ -156,8 +155,7 @@ * @since 1.2 */ public BatchUpdateException(int[] updateCounts) { - super(); - this.updateCounts = updateCounts; + this(null, null, 0, updateCounts, null); } /** @@ -172,8 +170,7 @@ * @since 1.2 */ public BatchUpdateException() { - super(); - this.updateCounts = null; + this(null, null, 0, null, null); } /** @@ -191,8 +188,7 @@ * @since 1.6 */ public BatchUpdateException(Throwable cause) { - super(cause); - this.updateCounts = null; + this(null, null, 0, null, cause); } /** @@ -218,8 +214,7 @@ * @since 1.6 */ public BatchUpdateException(int []updateCounts , Throwable cause) { - super(cause); - this.updateCounts = updateCounts; + this(null, null, 0, updateCounts, cause); } /** @@ -243,8 +238,7 @@ * @since 1.6 */ public BatchUpdateException(String reason, int []updateCounts, Throwable cause) { - super(reason,cause); - this.updateCounts = updateCounts; + this(reason, null, 0, updateCounts, cause); } /** @@ -269,8 +263,7 @@ */ public BatchUpdateException(String reason, String SQLState, int []updateCounts, Throwable cause) { - super(reason,SQLState,cause); - this.updateCounts = updateCounts; + this(reason, SQLState, 0, updateCounts, cause); } /** @@ -297,8 +290,8 @@ */ public BatchUpdateException(String reason, String SQLState, int vendorCode, int []updateCounts,Throwable cause) { - super(reason,SQLState,vendorCode,cause); - this.updateCounts = updateCounts; + super(reason, SQLState, vendorCode, cause); + this.updateCounts = (updateCounts == null) ? null : Arrays.copyOf(updateCounts, updateCounts.length); } /** @@ -332,7 +325,7 @@ * @since 1.3 */ public int[] getUpdateCounts() { - return updateCounts; + return (updateCounts == null) ? null : Arrays.copyOf(updateCounts, updateCounts.length); } /** @@ -340,7 +333,7 @@ * @serial * @since 1.2 */ - private int[] updateCounts; + private final int[] updateCounts; private static final long serialVersionUID = 5977529877145521757L; }
--- a/src/share/classes/java/util/jar/JarFile.java Thu Apr 28 10:12:02 2011 -0700 +++ b/src/share/classes/java/util/jar/JarFile.java Thu Apr 28 10:14:12 2011 -0700 @@ -37,7 +37,6 @@ import sun.security.action.GetPropertyAction; import sun.security.util.ManifestEntryVerifier; import sun.misc.SharedSecrets; -import sun.security.util.SignatureFileVerifier; /** * The <code>JarFile</code> class is used to read the contents of a jar file @@ -179,7 +178,7 @@ byte[] b = getBytes(manEntry); man = new Manifest(new ByteArrayInputStream(b)); if (!jvInitialized) { - jv = new JarVerifier(b, man); + jv = new JarVerifier(b); } } else { man = new Manifest(super.getInputStream(manEntry)); @@ -298,7 +297,10 @@ if (names != null) { for (int i = 0; i < names.length; i++) { String name = names[i].toUpperCase(Locale.ENGLISH); - if (SignatureFileVerifier.isBlockOrSF(name)) { + if (name.endsWith(".DSA") || + name.endsWith(".RSA") || + name.endsWith(".EC") || + name.endsWith(".SF")) { // Assume since we found a signature-related file // that the jar is signed and that we therefore // need a JarVerifier and Manifest @@ -327,17 +329,17 @@ if (names != null) { for (int i = 0; i < names.length; i++) { JarEntry e = getJarEntry(names[i]); - if (!e.isDirectory() && - SignatureFileVerifier.isBlock(names[i])) { + if (!e.isDirectory()) { if (mev == null) { mev = new ManifestEntryVerifier (getManifestFromReference()); } - String key = names[i].substring( - 0, names[i].lastIndexOf(".")); - jv.verifyBlock(names[i], - getBytes(e), - super.getInputStream(getJarEntry(key + ".SF"))); + byte[] b = getBytes(e); + if (b != null && b.length > 0) { + jv.beginEntry(e, mev); + jv.update(b.length, b, 0, b.length, mev); + jv.update(-1, null, 0, 0, mev); + } } } }
--- a/src/share/classes/java/util/jar/JarInputStream.java Thu Apr 28 10:12:02 2011 -0700 +++ b/src/share/classes/java/util/jar/JarInputStream.java Thu Apr 28 10:14:12 2011 -0700 @@ -95,7 +95,7 @@ man.read(new ByteArrayInputStream(bytes)); closeEntry(); if (doVerify) { - jv = new JarVerifier(bytes, man); + jv = new JarVerifier(bytes); mev = new ManifestEntryVerifier(man); } return (JarEntry)super.getNextEntry();
--- a/src/share/classes/java/util/jar/JarVerifier.java Thu Apr 28 10:12:02 2011 -0700 +++ b/src/share/classes/java/util/jar/JarVerifier.java Thu Apr 28 10:14:12 2011 -0700 @@ -48,18 +48,35 @@ /* a table mapping names to code signers, for jar entries that have had their actual hashes verified */ - private Map verifiedSigners; + private Hashtable verifiedSigners; /* a table mapping names to code signers, for jar entries that have passed the .SF/.DSA/.EC -> MANIFEST check */ - private Map sigFileSigners; + private Hashtable sigFileSigners; + + /* a hash table to hold .SF bytes */ + private Hashtable sigFileData; + + /** "queue" of pending PKCS7 blocks that we couldn't parse + * until we parsed the .SF file */ + private ArrayList pendingBlocks; /* cache of CodeSigner objects */ private ArrayList signerCache; + /* Are we parsing a block? */ + private boolean parsingBlockOrSF = false; + + /* Are we done parsing META-INF entries? */ + private boolean parsingMeta = true; + /* Are there are files to verify? */ private boolean anyToVerify = true; + /* The output stream to use when keeping track of files we are interested + in */ + private ByteArrayOutputStream baos; + /** The ManifestDigester object */ private volatile ManifestDigester manDig; @@ -75,20 +92,20 @@ /** collect -DIGEST-MANIFEST values for blacklist */ private List manifestDigests; - /** The manifest object */ - Manifest man = null; - - public JarVerifier(byte rawBytes[], Manifest man) { - this.man = man; + public JarVerifier(byte rawBytes[]) { manifestRawBytes = rawBytes; - sigFileSigners = new HashMap(); - verifiedSigners = new HashMap(); + sigFileSigners = new Hashtable(); + verifiedSigners = new Hashtable(); + sigFileData = new Hashtable(11); + pendingBlocks = new ArrayList(); + baos = new ByteArrayOutputStream(); manifestDigests = new ArrayList(); } /** - * This method scans to see which entry we're parsing and keeps - * various state information depending on the file being parsed. + * This method scans to see which entry we're parsing and + * keeps various state information depending on what type of + * file is being parsed. */ public void beginEntry(JarEntry je, ManifestEntryVerifier mev) throws IOException @@ -112,6 +129,30 @@ * b. digest mismatch between the actual jar entry and the manifest */ + if (parsingMeta) { + String uname = name.toUpperCase(Locale.ENGLISH); + if ((uname.startsWith("META-INF/") || + uname.startsWith("/META-INF/"))) { + + if (je.isDirectory()) { + mev.setEntry(null, je); + return; + } + + if (SignatureFileVerifier.isBlockOrSF(uname)) { + /* We parse only DSA, RSA or EC PKCS7 blocks. */ + parsingBlockOrSF = true; + baos.reset(); + mev.setEntry(null, je); + } + return; + } + } + + if (parsingMeta) { + doneWithMeta(); + } + if (je.isDirectory()) { mev.setEntry(null, je); return; @@ -147,7 +188,11 @@ throws IOException { if (b != -1) { - mev.update((byte)b); + if (parsingBlockOrSF) { + baos.write(b); + } else { + mev.update((byte)b); + } } else { processEntry(mev); } @@ -162,7 +207,11 @@ throws IOException { if (n != -1) { - mev.update(b, off, n); + if (parsingBlockOrSF) { + baos.write(b, off, n); + } else { + mev.update(b, off, n); + } } else { processEntry(mev); } @@ -174,10 +223,101 @@ private void processEntry(ManifestEntryVerifier mev) throws IOException { - JarEntry je = mev.getEntry(); - if ((je != null) && (je.signers == null)) { - je.signers = mev.verify(verifiedSigners, sigFileSigners); - je.certs = mapSignersToCertArray(je.signers); + if (!parsingBlockOrSF) { + JarEntry je = mev.getEntry(); + if ((je != null) && (je.signers == null)) { + je.signers = mev.verify(verifiedSigners, sigFileSigners); + je.certs = mapSignersToCertArray(je.signers); + } + } else { + + try { + parsingBlockOrSF = false; + + if (debug != null) { + debug.println("processEntry: processing block"); + } + + String uname = mev.getEntry().getName() + .toUpperCase(Locale.ENGLISH); + + if (uname.endsWith(".SF")) { + String key = uname.substring(0, uname.length()-3); + byte bytes[] = baos.toByteArray(); + // add to sigFileData in case future blocks need it + sigFileData.put(key, bytes); + // check pending blocks, we can now process + // anyone waiting for this .SF file + Iterator it = pendingBlocks.iterator(); + while (it.hasNext()) { + SignatureFileVerifier sfv = + (SignatureFileVerifier) it.next(); + if (sfv.needSignatureFile(key)) { + if (debug != null) { + debug.println( + "processEntry: processing pending block"); + } + + sfv.setSignatureFile(bytes); + sfv.process(sigFileSigners, manifestDigests); + } + } + return; + } + + // now we are parsing a signature block file + + String key = uname.substring(0, uname.lastIndexOf(".")); + + if (signerCache == null) + signerCache = new ArrayList(); + + if (manDig == null) { + synchronized(manifestRawBytes) { + if (manDig == null) { + manDig = new ManifestDigester(manifestRawBytes); + manifestRawBytes = null; + } + } + } + + SignatureFileVerifier sfv = + new SignatureFileVerifier(signerCache, + manDig, uname, baos.toByteArray()); + + if (sfv.needSignatureFileBytes()) { + // see if we have already parsed an external .SF file + byte[] bytes = (byte[]) sigFileData.get(key); + + if (bytes == null) { + // put this block on queue for later processing + // since we don't have the .SF bytes yet + // (uname, block); + if (debug != null) { + debug.println("adding pending block"); + } + pendingBlocks.add(sfv); + return; + } else { + sfv.setSignatureFile(bytes); + } + } + sfv.process(sigFileSigners, manifestDigests); + + } catch (IOException ioe) { + // e.g. sun.security.pkcs.ParsingException + if (debug != null) debug.println("processEntry caught: "+ioe); + // ignore and treat as unsigned + } catch (SignatureException se) { + if (debug != null) debug.println("processEntry caught: "+se); + // ignore and treat as unsigned + } catch (NoSuchAlgorithmException nsae) { + if (debug != null) debug.println("processEntry caught: "+nsae); + // ignore and treat as unsigned + } catch (CertificateException ce) { + if (debug != null) debug.println("processEntry caught: "+ce); + // ignore and treat as unsigned + } } } @@ -214,15 +354,15 @@ * Force a read of the entry data to generate the * verification hash. */ - try (InputStream s = jar.getInputStream(entry)) { + try { + InputStream s = jar.getInputStream(entry); byte[] buffer = new byte[1024]; int n = buffer.length; while (n != -1) { n = s.read(buffer, 0, buffer.length); } + s.close(); } catch (IOException e) { - // Ignore. When an exception is thrown, code signer - // will not be assigned. } } return getCodeSigners(name); @@ -268,7 +408,11 @@ */ void doneWithMeta() { + parsingMeta = false; anyToVerify = !sigFileSigners.isEmpty(); + baos = null; + sigFileData = null; + pendingBlocks = null; signerCache = null; manDig = null; // MANIFEST.MF is always treated as signed and verified, @@ -279,41 +423,6 @@ } } - /** - * Verifies a PKCS7 SignedData block - * @param key name of block - * @param block the pkcs7 file - * @param ins the clear data - */ - void verifyBlock(String key, byte[] block, InputStream ins) { - try { - if (signerCache == null) - signerCache = new ArrayList(); - - if (manDig == null) { - synchronized(manifestRawBytes) { - if (manDig == null) { - manDig = new ManifestDigester(manifestRawBytes); - manifestRawBytes = null; - } - } - } - SignatureFileVerifier sfv = - new SignatureFileVerifier(signerCache, man, - manDig, key, block); - - if (sfv.needSignatureFile()) { - // see if we have already parsed an external .SF file - sfv.setSignatureFile(ins); - } - sfv.process(sigFileSigners, manifestDigests); - } catch (Exception e) { - if (debug != null) { - e.printStackTrace(); - } - } - } - static class VerifierStream extends java.io.InputStream { private InputStream is; @@ -444,7 +553,10 @@ * but this handles a CodeSource of any type, just in case. */ CodeSource[] sources = mapSignersToCodeSources(cs.getLocation(), getJarCodeSigners(), true); - List sourceList = Arrays.asList(sources); + List sourceList = new ArrayList(); + for (int i = 0; i < sources.length; i++) { + sourceList.add(sources[i]); + } int j = sourceList.indexOf(cs); if (j != -1) { CodeSigner[] match;
--- a/src/share/classes/java/util/zip/ZipCoder.java Thu Apr 28 10:12:02 2011 -0700 +++ b/src/share/classes/java/util/zip/ZipCoder.java Thu Apr 28 10:14:12 2011 -0700 @@ -28,6 +28,7 @@ import java.nio.ByteBuffer; import java.nio.CharBuffer; import java.nio.charset.Charset; +import java.nio.charset.StandardCharset; import java.nio.charset.CharsetDecoder; import java.nio.charset.CharsetEncoder; import java.nio.charset.CoderResult; @@ -87,7 +88,7 @@ if (isutf8) return getBytes(s); if (utf8 == null) - utf8 = new ZipCoder(Charset.forName("UTF-8")); + utf8 = new ZipCoder(StandardCharset.UTF_8); return utf8.getBytes(s); } @@ -96,7 +97,7 @@ if (isutf8) return toString(ba, len); if (utf8 == null) - utf8 = new ZipCoder(Charset.forName("UTF-8")); + utf8 = new ZipCoder(StandardCharset.UTF_8); return utf8.toString(ba, len); } @@ -112,7 +113,7 @@ private ZipCoder(Charset cs) { this.cs = cs; - this.isutf8 = cs.name().equals("UTF-8"); + this.isutf8 = cs.name().equals(StandardCharset.UTF_8.name()); } static ZipCoder get(Charset charset) {
--- a/src/share/classes/java/util/zip/ZipFile.java Thu Apr 28 10:12:02 2011 -0700 +++ b/src/share/classes/java/util/zip/ZipFile.java Thu Apr 28 10:14:12 2011 -0700 @@ -31,6 +31,7 @@ import java.io.EOFException; import java.io.File; import java.nio.charset.Charset; +import java.nio.charset.StandardCharset; import java.util.ArrayDeque; import java.util.Deque; import java.util.Enumeration; @@ -140,7 +141,7 @@ * @since 1.3 */ public ZipFile(File file, int mode) throws IOException { - this(file, mode, Charset.forName("UTF-8")); + this(file, mode, StandardCharset.UTF_8); } /**
--- a/src/share/classes/java/util/zip/ZipInputStream.java Thu Apr 28 10:12:02 2011 -0700 +++ b/src/share/classes/java/util/zip/ZipInputStream.java Thu Apr 28 10:14:12 2011 -0700 @@ -30,6 +30,7 @@ import java.io.EOFException; import java.io.PushbackInputStream; import java.nio.charset.Charset; +import java.nio.charset.StandardCharset; import static java.util.zip.ZipConstants64.*; /** @@ -75,7 +76,7 @@ * @param in the actual input stream */ public ZipInputStream(InputStream in) { - this(in, Charset.forName("UTF-8")); + this(in, StandardCharset.UTF_8); } /**
--- a/src/share/classes/java/util/zip/ZipOutputStream.java Thu Apr 28 10:12:02 2011 -0700 +++ b/src/share/classes/java/util/zip/ZipOutputStream.java Thu Apr 28 10:14:12 2011 -0700 @@ -28,6 +28,7 @@ import java.io.OutputStream; import java.io.IOException; import java.nio.charset.Charset; +import java.nio.charset.StandardCharset; import java.util.Vector; import java.util.HashSet; import static java.util.zip.ZipConstants64.*; @@ -100,7 +101,7 @@ * @param out the actual output stream */ public ZipOutputStream(OutputStream out) { - this(out, Charset.forName("UTF-8")); + this(out, StandardCharset.UTF_8); } /**
--- a/src/share/classes/sun/awt/FontDescriptor.java Thu Apr 28 10:12:02 2011 -0700 +++ b/src/share/classes/sun/awt/FontDescriptor.java Thu Apr 28 10:14:12 2011 -0700 @@ -26,6 +26,7 @@ import java.nio.charset.Charset; import java.nio.charset.CharsetEncoder; +import java.nio.charset.StandardCharset; import sun.nio.cs.HistoricallyNamedCharset; public class FontDescriptor implements Cloneable { @@ -104,8 +105,8 @@ if (useUnicode && unicodeEncoder == null) { try { this.unicodeEncoder = isLE? - Charset.forName("UTF_16LE").newEncoder(): - Charset.forName("UTF_16BE").newEncoder(); + StandardCharset.UTF_16LE.newEncoder(): + StandardCharset.UTF_16BE.newEncoder(); } catch (IllegalArgumentException x) {} } return useUnicode;
--- a/src/share/classes/sun/security/pkcs/PKCS7.java Thu Apr 28 10:12:02 2011 -0700 +++ b/src/share/classes/sun/security/pkcs/PKCS7.java Thu Apr 28 10:14:12 2011 -0700 @@ -38,7 +38,6 @@ import sun.security.util.*; import sun.security.x509.AlgorithmId; import sun.security.x509.CertificateIssuerName; -import sun.security.x509.KeyUsageExtension; import sun.security.x509.X509CertImpl; import sun.security.x509.X509CertInfo; import sun.security.x509.X509CRLImpl; @@ -493,7 +492,7 @@ // CRLs (optional) if (crls != null && crls.length != 0) { // cast to X509CRLImpl[] since X509CRLImpl implements DerEncoder - Set<X509CRLImpl> implCRLs = new HashSet<>(crls.length); + Set<X509CRLImpl> implCRLs = new HashSet<X509CRLImpl>(crls.length); for (X509CRL crl: crls) { if (crl instanceof X509CRLImpl) implCRLs.add((X509CRLImpl) crl); @@ -531,168 +530,6 @@ } /** - * Verifying signed data using an external chunked data source. - */ - public static class PKCS7Verifier { - - private final SignerInfo si; // Signer to verify - private final MessageDigest md; // MessageDigest object for chunks - private final Signature sig; // Signature object for chunks - - private PKCS7Verifier(SignerInfo si, MessageDigest md, Signature sig) { - this.si = si; - this.md = md; - this.sig = sig; - } - - public static PKCS7Verifier from(PKCS7 block, SignerInfo si) throws - SignatureException, NoSuchAlgorithmException { - - try { - MessageDigest md = null; - Signature sig; - - ContentInfo content = block.getContentInfo(); - String digestAlgname = si.getDigestAlgorithmId().getName(); - - // if there are authenticate attributes, feed data chunks to - // the message digest. In this case, pv.md is not null - if (si.authenticatedAttributes != null) { - // first, check content type - ObjectIdentifier contentType = (ObjectIdentifier) - si.authenticatedAttributes.getAttributeValue( - PKCS9Attribute.CONTENT_TYPE_OID); - if (contentType == null || - !contentType.equals(content.contentType)) - return null; // contentType does not match, bad SignerInfo - - // now, check message digest - byte[] messageDigest = (byte[]) - si.authenticatedAttributes.getAttributeValue( - PKCS9Attribute.MESSAGE_DIGEST_OID); - - if (messageDigest == null) // fail if there is no message digest - return null; - - md = MessageDigest.getInstance(digestAlgname); - } - - // put together digest algorithm and encryption algorithm - // to form signing algorithm - String encryptionAlgname = - si.getDigestEncryptionAlgorithmId().getName(); - - // Workaround: sometimes the encryptionAlgname is actually - // a signature name - String tmp = AlgorithmId.getEncAlgFromSigAlg(encryptionAlgname); - if (tmp != null) encryptionAlgname = tmp; - String algname = AlgorithmId.makeSigAlg( - digestAlgname, encryptionAlgname); - - sig = Signature.getInstance(algname); - X509Certificate cert = si.getCertificate(block); - - if (cert == null) { - return null; - } - if (cert.hasUnsupportedCriticalExtension()) { - throw new SignatureException("Certificate has unsupported " - + "critical extension(s)"); - } - - // Make sure that if the usage of the key in the certificate is - // restricted, it can be used for digital signatures. - // XXX We may want to check for additional extensions in the - // future. - boolean[] keyUsageBits = cert.getKeyUsage(); - if (keyUsageBits != null) { - KeyUsageExtension keyUsage; - try { - // We don't care whether or not this extension was marked - // critical in the certificate. - // We're interested only in its value (i.e., the bits set) - // and treat the extension as critical. - keyUsage = new KeyUsageExtension(keyUsageBits); - } catch (IOException ioe) { - throw new SignatureException("Failed to parse keyUsage " - + "extension"); - } - - boolean digSigAllowed = ((Boolean)keyUsage.get( - KeyUsageExtension.DIGITAL_SIGNATURE)).booleanValue(); - - boolean nonRepuAllowed = ((Boolean)keyUsage.get( - KeyUsageExtension.NON_REPUDIATION)).booleanValue(); - - if (!digSigAllowed && !nonRepuAllowed) { - throw new SignatureException("Key usage restricted: " - + "cannot be used for " - + "digital signatures"); - } - } - - PublicKey key = cert.getPublicKey(); - sig.initVerify(key); - return new PKCS7Verifier(si, md, sig); - } catch (IOException e) { - throw new SignatureException("IO error verifying signature:\n" + - e.getMessage()); - - } catch (InvalidKeyException e) { - throw new SignatureException("InvalidKey: " + e.getMessage()); - - } - } - - public void update(byte[] data, int off, int end) - throws SignatureException { - if (md != null) { - md.update(data, off, end-off); - } else { - sig.update(data, off, end-off); - } - } - - public SignerInfo verify() throws SignatureException { - try { - // if there are authenticate attributes, get the message - // digest and compare it with the digest of data - if (md != null) { - // now, check message digest - byte[] messageDigest = (byte[]) - si.authenticatedAttributes.getAttributeValue( - PKCS9Attribute.MESSAGE_DIGEST_OID); - - byte[] computedMessageDigest = md.digest(); - - if (!MessageDigest.isEqual( - messageDigest, computedMessageDigest)) { - return null; - } - - // message digest attribute matched - // digest of original data - - // the data actually signed is the DER encoding of - // the authenticated attributes (tagged with - // the "SET OF" tag, not 0xA0). - byte[] dataSigned = si.authenticatedAttributes.getDerEncoding(); - sig.update(dataSigned); - } - - if (sig.verify(si.getEncryptedDigest())) { - return si; - } - - } catch (IOException e) { - throw new SignatureException("IO error verifying signature:\n" + - e.getMessage()); - } - return null; - } - } - - /** * This verifies a given SignerInfo. * * @param info the signer information. @@ -717,16 +554,19 @@ public SignerInfo[] verify(byte[] bytes) throws NoSuchAlgorithmException, SignatureException { - List<SignerInfo> intResult = new ArrayList<>(); + Vector<SignerInfo> intResult = new Vector<SignerInfo>(); for (int i = 0; i < signerInfos.length; i++) { SignerInfo signerInfo = verify(signerInfos[i], bytes); if (signerInfo != null) { - intResult.add(signerInfo); + intResult.addElement(signerInfo); } } - if (!intResult.isEmpty()) { - return intResult.toArray(new SignerInfo[intResult.size()]); + if (intResult.size() != 0) { + + SignerInfo[] result = new SignerInfo[intResult.size()]; + intResult.copyInto(result); + return result; } return null; }
--- a/src/share/classes/sun/security/pkcs/SignerInfo.java Thu Apr 28 10:12:02 2011 -0700 +++ b/src/share/classes/sun/security/pkcs/SignerInfo.java Thu Apr 28 10:14:12 2011 -0700 @@ -230,7 +230,7 @@ if (userCert == null) return null; - ArrayList<X509Certificate> certList = new ArrayList<>(); + ArrayList<X509Certificate> certList = new ArrayList<X509Certificate>(); certList.add(userCert); X509Certificate[] pkcsCerts = block.getCertificates(); @@ -276,20 +276,132 @@ /* Returns null if verify fails, this signerInfo if verify succeeds. */ SignerInfo verify(PKCS7 block, byte[] data) - throws NoSuchAlgorithmException, SignatureException { + throws NoSuchAlgorithmException, SignatureException { + + try { + + ContentInfo content = block.getContentInfo(); + if (data == null) { + data = content.getContentBytes(); + } + + String digestAlgname = getDigestAlgorithmId().getName(); + + byte[] dataSigned; + + // if there are authenticate attributes, get the message + // digest and compare it with the digest of data + if (authenticatedAttributes == null) { + dataSigned = data; + } else { + + // first, check content type + ObjectIdentifier contentType = (ObjectIdentifier) + authenticatedAttributes.getAttributeValue( + PKCS9Attribute.CONTENT_TYPE_OID); + if (contentType == null || + !contentType.equals(content.contentType)) + return null; // contentType does not match, bad SignerInfo + + // now, check message digest + byte[] messageDigest = (byte[]) + authenticatedAttributes.getAttributeValue( + PKCS9Attribute.MESSAGE_DIGEST_OID); + + if (messageDigest == null) // fail if there is no message digest + return null; + + MessageDigest md = MessageDigest.getInstance(digestAlgname); + byte[] computedMessageDigest = md.digest(data); + + if (messageDigest.length != computedMessageDigest.length) + return null; + for (int i = 0; i < messageDigest.length; i++) { + if (messageDigest[i] != computedMessageDigest[i]) + return null; + } + + // message digest attribute matched + // digest of original data + + // the data actually signed is the DER encoding of + // the authenticated attributes (tagged with + // the "SET OF" tag, not 0xA0). + dataSigned = authenticatedAttributes.getDerEncoding(); + } + + // put together digest algorithm and encryption algorithm + // to form signing algorithm + String encryptionAlgname = + getDigestEncryptionAlgorithmId().getName(); - PKCS7.PKCS7Verifier p7v = PKCS7.PKCS7Verifier.from(block, this); - if (p7v == null) return null; - if (data == null) { - try { - data = block.getContentInfo().getContentBytes(); - } catch (IOException e) { - throw new SignatureException("IO error verifying signature:\n" + - e.getMessage()); + // Workaround: sometimes the encryptionAlgname is actually + // a signature name + String tmp = AlgorithmId.getEncAlgFromSigAlg(encryptionAlgname); + if (tmp != null) encryptionAlgname = tmp; + String algname = AlgorithmId.makeSigAlg( + digestAlgname, encryptionAlgname); + + Signature sig = Signature.getInstance(algname); + X509Certificate cert = getCertificate(block); + + if (cert == null) { + return null; + } + if (cert.hasUnsupportedCriticalExtension()) { + throw new SignatureException("Certificate has unsupported " + + "critical extension(s)"); } + + // Make sure that if the usage of the key in the certificate is + // restricted, it can be used for digital signatures. + // XXX We may want to check for additional extensions in the + // future. + boolean[] keyUsageBits = cert.getKeyUsage(); + if (keyUsageBits != null) { + KeyUsageExtension keyUsage; + try { + // We don't care whether or not this extension was marked + // critical in the certificate. + // We're interested only in its value (i.e., the bits set) + // and treat the extension as critical. + keyUsage = new KeyUsageExtension(keyUsageBits); + } catch (IOException ioe) { + throw new SignatureException("Failed to parse keyUsage " + + "extension"); + } + + boolean digSigAllowed = ((Boolean)keyUsage.get( + KeyUsageExtension.DIGITAL_SIGNATURE)).booleanValue(); + + boolean nonRepuAllowed = ((Boolean)keyUsage.get( + KeyUsageExtension.NON_REPUDIATION)).booleanValue(); + + if (!digSigAllowed && !nonRepuAllowed) { + throw new SignatureException("Key usage restricted: " + + "cannot be used for " + + "digital signatures"); + } + } + + PublicKey key = cert.getPublicKey(); + sig.initVerify(key); + + sig.update(dataSigned); + + if (sig.verify(encryptedDigest)) { + return this; + } + + } catch (IOException e) { + throw new SignatureException("IO error verifying signature:\n" + + e.getMessage()); + + } catch (InvalidKeyException e) { + throw new SignatureException("InvalidKey: " + e.getMessage()); + } - p7v.update(data, 0, data.length); - return p7v.verify(); + return null; } /* Verify the content of the pkcs7 block. */
--- a/src/share/classes/sun/security/util/ManifestEntryVerifier.java Thu Apr 28 10:12:02 2011 -0700 +++ b/src/share/classes/sun/security/util/ManifestEntryVerifier.java Thu Apr 28 10:14:12 2011 -0700 @@ -191,8 +191,8 @@ * * */ - public CodeSigner[] verify(Map<String, CodeSigner[]> verifiedSigners, - Map<String, CodeSigner[]> sigFileSigners) + public CodeSigner[] verify(Hashtable<String, CodeSigner[]> verifiedSigners, + Hashtable<String, CodeSigner[]> sigFileSigners) throws JarException { if (skip) {
--- a/src/share/classes/sun/security/util/SignatureFileManifest.java Thu Apr 28 10:12:02 2011 -0700 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 @@ -1,251 +0,0 @@ -/* - * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. Oracle designates this - * particular file as subject to the "Classpath" exception as provided - * by Oracle in the LICENSE file that accompanied this code. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -package sun.security.util; - -import java.io.IOException; -import java.io.InputStream; -import java.util.Arrays; -import java.util.jar.Attributes; -import java.util.jar.Manifest; - -/** - * This class provides streaming mode reading of manifest files. - * Used by {@link SignatureFileVerifier}. - */ -class SignatureFileManifest extends Manifest { - - /* - * Reading a manifest into this object by calling update(byte[]) on chunks. - * During the reading, the bytes are saved in (@code current} until a line - * is complete and the key-value pair is saved in {@code currentAttr}. When - * a section is complete, {@code consumeAttr} is called to merge - * {@code currentAttr} into main attributes or a named entry. - */ - - // Internal state during update() style reading - // 0. not in update mode - // 1, in update mode but main attributes not completed yet - // 2. main attributes completed, still reading the entries - private int state = 0; - - // The partial line read - private byte[] current; - - // Number of bytes in current - private int currentPos = 0; - - // The current Attribute - private Attributes currentAttr; - - /** - * Reads a manifest in chunks. - * <p> - * This method must be called in a row, reading chunks from a single - * manifest file by order. After all chunks are read, caller must call - * {@code update(null)} to fully consume the manifest. - * <p> - * The entry names and attributes read will be merged in with the current - * manifest entries. The {@link #read} method cannot be called inside a - * row of update calls. - * <p> - * Along with the calls, caller can call {@link #getMainAttributes()}, - * {@link #getAttributes(java.lang.String)} or {@link #getEntries()} - * to get already available contents. However, in order not to return - * partial result, when the main attributes in the new manifest is not - * consumed completely, {@link #getMainAttributes()} throws an - * {@code IllegalStateException}. When a certain named entry is not - * consumed completely, {@link #getAttributes(java.lang.String)} - * returns the old {@code Attributes} for the name (if it exists). - * - * @param data null for last call, otherwise, feeding chunks - * @param offset offset into data to begin read - * @param length length of data after offset to read - * @exception IOException if an I/O error has occurred - * @exception IllegalStateException if {@code update(null)} is called - * without any previous {@code update(non-null)} call - */ - public void update(byte[] data, int offset, int length) throws IOException { - - // The last call - if (data == null) { - if (state == 0) { - throw new IllegalStateException("No data to update"); - } - // We accept manifest not ended with \n or \n\n - if (hasLastByte()) { - consumeCurrent(); - } - // We accept empty lines at the end - if (!currentAttr.isEmpty()) { - consumeAttr(); - } - state = 0; // back to non-update state - current = null; - currentAttr = null; - return; - } - - // The first call - if (state == 0) { - current = new byte[1024]; - currentAttr = super.getMainAttributes(); // the main attribute - state = 1; - } - - int end = offset + length; - - while (offset < end) { - switch (data[offset]) { - case '\r': - break; // always skip - case '\n': - if (hasLastByte() && lastByte() == '\n') { // new section - consumeCurrent(); - consumeAttr(); - if (state == 1) { - state = 2; - } - currentAttr = new Attributes(2); - } else { - if (hasLastByte()) { - // save \n into current but do not parse, - // there might be a continuation later - ensureCapacity(); - current[currentPos++] = data[offset]; - } else if (state == 1) { - // there can be multiple empty lines between - // sections, but cannot be at the beginning - throw new IOException("invalid manifest format"); - } - } - break; - case ' ': - if (!hasLastByte()) { - throw new IOException("invalid manifest format"); - } else if (lastByte() == '\n') { - currentPos--; // continuation, remove last \n - } else { // a very normal ' ' - ensureCapacity(); - current[currentPos++] = data[offset]; - } - break; - default: - if (hasLastByte() && lastByte() == '\n') { - // The start of a new pair, not continuation - consumeCurrent(); // the last line read - } - ensureCapacity(); - current[currentPos++] = data[offset]; - break; - } - offset++; - } - } - - /** - * Returns the main Attributes for the Manifest. - * @exception IllegalStateException the main attributes is being read - * @return the main Attributes for the Manifest - */ - public Attributes getMainAttributes() { - if (state == 1) { - throw new IllegalStateException(); - } - return super.getMainAttributes(); - } - - /** - * Reads the Manifest from the specified InputStream. The entry - * names and attributes read will be merged in with the current - * manifest entries. - * - * @param is the input stream - * @exception IOException if an I/O error has occurred - * @exception IllegalStateException if called between two {@link #update} - * calls - */ - public void read(InputStream is) throws IOException { - if (state != 0) { - throw new IllegalStateException("Cannot call read between updates"); - } - super.read(is); - } - - /* - * ---------- Helper methods ----------------- - */ - - private void ensureCapacity() { - if (currentPos >= current.length-1) { - current = Arrays.copyOf(current, current.length*2); - } - } - - private boolean hasLastByte() { - return currentPos > 0; - } - - private byte lastByte() { - return current[currentPos-1]; - } - - // Parse current as key:value and save into currentAttr. - // There MUST be something inside current. - private void consumeCurrent() throws IOException { - // current normally has a \n end, except for the last line - if (current[currentPos-1] == '\n') currentPos--; - for (int i=0; i<currentPos; i++) { - if (current[i] == ':') { - String key = new String(current, 0, 0, i); - i++; - while (i < currentPos && current[i] == ' ') { i++; } - String value = new String(current, i, currentPos-i, "UTF-8"); - currentAttr.putValue(key, value); - currentPos = 0; - return; - } - } - throw new IOException("invalid header field"); - } - - // Merge currentAttr into Manifest - private void consumeAttr() throws IOException { - // Only needed for named entries. For the main attribute, key/value - // is added into attr directly, but since getMainAttributes() throws - // an exception, the partial data is not leaked. - if (state != 1) { - String name = currentAttr.getValue("Name"); - if (name != null) { - currentAttr.remove(new Attributes.Name("Name")); - Attributes old = getAttributes(name); - if (old != null) old.putAll(currentAttr); - else getEntries().put(name, currentAttr); - } else { - throw new IOException("invalid manifest format"); - } - } - } -}
--- a/src/share/classes/sun/security/util/SignatureFileVerifier.java Thu Apr 28 10:12:02 2011 -0700 +++ b/src/share/classes/sun/security/util/SignatureFileVerifier.java Thu Apr 28 10:14:12 2011 -0700 @@ -55,8 +55,8 @@ /** the PKCS7 block for this .DSA/.RSA/.EC file */ private PKCS7 block; - // the content of the raw .SF file as an InputStream - private InputStream sfStream; + /** the raw bytes of the .SF file */ + private byte sfBytes[]; /** the name of the signature block file, uppercased and without * the extension (.DSA/.RSA/.EC) @@ -66,9 +66,6 @@ /** the ManifestDigester */ private ManifestDigester md; - /** The MANIFEST.MF */ - private Manifest man; - /** cache of created MessageDigest objects */ private HashMap<String, MessageDigest> createdDigests; @@ -86,7 +83,6 @@ * @param rawBytes the raw bytes of the signature block file */ public SignatureFileVerifier(ArrayList<CodeSigner[]> signerCache, - Manifest man, ManifestDigester md, String name, byte rawBytes[]) @@ -98,18 +94,13 @@ try { obj = Providers.startJarVerification(); block = new PKCS7(rawBytes); - byte[] contentData = block.getContentInfo().getData(); - if (contentData != null) { - sfStream = new ByteArrayInputStream(contentData); - } + sfBytes = block.getContentInfo().getData(); certificateFactory = CertificateFactory.getInstance("X509"); } finally { Providers.stopJarVerification(obj); } this.name = name.substring(0, name.lastIndexOf(".")) .toUpperCase(Locale.ENGLISH); - - this.man = man; this.md = md; this.signerCache = signerCache; } @@ -117,13 +108,31 @@ /** * returns true if we need the .SF file */ - public boolean needSignatureFile() + public boolean needSignatureFileBytes() { - return sfStream == null; + + return sfBytes == null; } - public void setSignatureFile(InputStream ins) { - this.sfStream = ins; + + /** + * returns true if we need this .SF file. + * + * @param name the name of the .SF file without the extension + * + */ + public boolean needSignatureFile(String name) + { + return this.name.equalsIgnoreCase(name); + } + + /** + * used to set the raw bytes of the .SF file when it + * is external to the signature block file. + */ + public void setSignatureFile(byte sfBytes[]) + { + this.sfBytes = sfBytes; } /** @@ -136,18 +145,12 @@ * Signature File or PKCS7 block file name */ public static boolean isBlockOrSF(String s) { - return s.endsWith(".SF") || isBlock(s); - } - - /** - * Utility method used by JarVerifier to determine PKCS7 block - * files names that are supported - * - * @param s file name - * @return true if the input file name is a PKCS7 block file name - */ - public static boolean isBlock(String s) { - return s.endsWith(".DSA") || s.endsWith(".RSA") || s.endsWith(".EC"); + // we currently only support DSA and RSA PKCS7 blocks + if (s.endsWith(".SF") || s.endsWith(".DSA") || + s.endsWith(".RSA") || s.endsWith(".EC")) { + return true; + } + return false; } /** get digest from cache */ @@ -177,7 +180,7 @@ * * */ - public void process(Map<String, CodeSigner[]> signers, + public void process(Hashtable<String, CodeSigner[]> signers, List manifestDigests) throws IOException, SignatureException, NoSuchAlgorithmException, JarException, CertificateException @@ -194,86 +197,31 @@ } - private void processImpl(Map<String, CodeSigner[]> signers, + private void processImpl(Hashtable<String, CodeSigner[]> signers, List manifestDigests) throws IOException, SignatureException, NoSuchAlgorithmException, JarException, CertificateException { - SignatureFileManifest sf = new SignatureFileManifest(); - InputStream ins = sfStream; + Manifest sf = new Manifest(); + sf.read(new ByteArrayInputStream(sfBytes)); - byte[] buffer = new byte[4096]; - int sLen = block.getSignerInfos().length; - boolean mainOK = false; // main attributes of SF is available... - boolean manifestSigned = false; // and it matches MANIFEST.MF - BASE64Decoder decoder = new BASE64Decoder(); + String version = + sf.getMainAttributes().getValue(Attributes.Name.SIGNATURE_VERSION); - PKCS7.PKCS7Verifier[] pvs = new PKCS7.PKCS7Verifier[sLen]; - for (int i=0; i<sLen; i++) { - pvs[i] = PKCS7.PKCS7Verifier.from(block, block.getSignerInfos()[i]); + if ((version == null) || !(version.equalsIgnoreCase("1.0"))) { + // XXX: should this be an exception? + // for now we just ignore this signature file + return; } - /* - * Verify SF in streaming mode. The chunks of the file are fed into - * the Manifest object sf and all PKCS7Verifiers. As soon as the main - * attributes is available, we'll check if manifestSigned is true. If - * yes, there is no need to fill in sf's entries field, since it should - * be identical to entries in man. - */ - while (true) { - int len = ins.read(buffer); - if (len < 0) { - if (!manifestSigned) { - sf.update(null, 0, 0); - } - break; - } else { - for (int i=0; i<sLen; i++) { - if (pvs[i] != null) pvs[i].update(buffer, 0, len); - } - // Continue reading if verifyManifestHash fails (or, the - // main attributes is not available yet) - if (!manifestSigned) { - sf.update(buffer, 0, len); - if (!mainOK) { - try { - Attributes attr = sf.getMainAttributes(); - String version = attr.getValue( - Attributes.Name.SIGNATURE_VERSION); + SignerInfo[] infos = block.verify(sfBytes); - if ((version == null) || - !(version.equalsIgnoreCase("1.0"))) { - // XXX: should this be an exception? - // for now we just ignore this signature file - return; - } - - mainOK = true; - manifestSigned = verifyManifestHash( - sf, md, decoder, manifestDigests); - } catch (IllegalStateException ise) { - // main attributes not available yet - } - } - } - } - } - List<SignerInfo> intResult = new ArrayList<>(sLen); - for (int i = 0; i < sLen; i++) { - if (pvs[i] != null) { - SignerInfo signerInfo = pvs[i].verify(); - if (signerInfo != null) { - intResult.add(signerInfo); - } - } - } - if (intResult.isEmpty()) { + if (infos == null) { throw new SecurityException("cannot verify signature block file " + name); } - SignerInfo[] infos = - intResult.toArray(new SignerInfo[intResult.size()]); + BASE64Decoder decoder = new BASE64Decoder(); CodeSigner[] newSigners = getSigners(infos, block); @@ -281,37 +229,26 @@ if (newSigners == null) return; + Iterator<Map.Entry<String,Attributes>> entries = + sf.getEntries().entrySet().iterator(); + + // see if we can verify the whole manifest first + boolean manifestSigned = verifyManifestHash(sf, md, decoder, manifestDigests); + // verify manifest main attributes if (!manifestSigned && !verifyManifestMainAttrs(sf, md, decoder)) { throw new SecurityException ("Invalid signature file digest for Manifest main attributes"); } - Iterator<Map.Entry<String,Attributes>> entries; - - if (manifestSigned) { - if (debug != null) { - debug.println("full manifest signature match, " - + "update signer info from MANIFEST.MF"); - } - entries = man.getEntries().entrySet().iterator(); - } else { - if (debug != null) { - debug.println("full manifest signature unmatch, " - + "update signer info from SF file"); - } - entries = sf.getEntries().entrySet().iterator(); - } - - // go through each section - + // go through each section in the signature file while(entries.hasNext()) { Map.Entry<String,Attributes> e = entries.next(); String name = e.getKey(); if (manifestSigned || - (verifySection(e.getValue(), name, md, decoder))) { + (verifySection(e.getValue(), name, md, decoder))) { if (name.startsWith("./")) name = name.substring(2); @@ -656,6 +593,7 @@ if (set == subset) return true; + boolean match; for (int i = 0; i < subset.length; i++) { if (!contains(set, subset[i])) return false; @@ -675,6 +613,8 @@ if ((oldSigners == null) && (signers == newSigners)) return true; + boolean match; + // make sure all oldSigners are in signers if ((oldSigners != null) && !isSubSet(oldSigners, signers)) return false; @@ -698,7 +638,7 @@ } void updateSigners(CodeSigner[] newSigners, - Map<String, CodeSigner[]> signers, String name) { + Hashtable<String, CodeSigner[]> signers, String name) { CodeSigner[] oldSigners = signers.get(name);
--- a/src/solaris/classes/sun/nio/ch/EPoll.java Thu Apr 28 10:12:02 2011 -0700 +++ b/src/solaris/classes/sun/nio/ch/EPoll.java Thu Apr 28 10:14:12 2011 -0700 @@ -99,8 +99,6 @@ // -- Native methods -- - private static native void init(); - private static native int eventSize(); private static native int eventsOffset(); @@ -116,6 +114,5 @@ static { Util.load(); - init(); } }
--- a/src/solaris/classes/sun/nio/fs/LinuxWatchService.java Thu Apr 28 10:12:02 2011 -0700 +++ b/src/solaris/classes/sun/nio/fs/LinuxWatchService.java Thu Apr 28 10:14:12 2011 -0700 @@ -432,8 +432,6 @@ // -- native methods -- - private static native void init(); - // sizeof inotify_event private static native int eventSize(); @@ -461,6 +459,5 @@ System.loadLibrary("nio"); return null; }}); - init(); } }
--- a/src/solaris/native/sun/nio/ch/EPoll.c Thu Apr 28 10:12:02 2011 -0700 +++ b/src/solaris/native/sun/nio/ch/EPoll.c Thu Apr 28 10:14:12 2011 -0700 @@ -34,55 +34,7 @@ #include <dlfcn.h> #include <unistd.h> #include <sys/types.h> - -#ifdef __cplusplus -extern "C" { -#endif - -/* epoll_wait(2) man page */ - -typedef union epoll_data { - void *ptr; - int fd; - __uint32_t u32; - __uint64_t u64; -} epoll_data_t; - -struct epoll_event { - __uint32_t events; /* Epoll events */ - epoll_data_t data; /* User data variable */ -} __attribute__ ((__packed__)); - -#ifdef __cplusplus -} -#endif - -/* - * epoll event notification is new in 2.6 kernel. As the offical build - * platform for the JDK is on a 2.4-based distribution then we must - * obtain the addresses of the epoll functions dynamically. - */ -typedef int (*epoll_create_t)(int size); -typedef int (*epoll_ctl_t) (int epfd, int op, int fd, struct epoll_event *event); -typedef int (*epoll_wait_t) (int epfd, struct epoll_event *events, int maxevents, int timeout); - -static epoll_create_t epoll_create_func; -static epoll_ctl_t epoll_ctl_func; -static epoll_wait_t epoll_wait_func; - - -JNIEXPORT void JNICALL -Java_sun_nio_ch_EPoll_init(JNIEnv *env, jclass this) -{ - epoll_create_func = (epoll_create_t) dlsym(RTLD_DEFAULT, "epoll_create"); - epoll_ctl_func = (epoll_ctl_t) dlsym(RTLD_DEFAULT, "epoll_ctl"); - epoll_wait_func = (epoll_wait_t) dlsym(RTLD_DEFAULT, "epoll_wait"); - - if ((epoll_create_func == NULL) || (epoll_ctl_func == NULL) || - (epoll_wait_func == NULL)) { - JNU_ThrowInternalError(env, "unable to get address of epoll functions, pre-2.6 kernel?"); - } -} +#include <sys/epoll.h> JNIEXPORT jint JNICALL Java_sun_nio_ch_EPoll_eventSize(JNIEnv* env, jclass this) @@ -108,7 +60,7 @@ * epoll_create expects a size as a hint to the kernel about how to * dimension internal structures. We can't predict the size in advance. */ - int epfd = (*epoll_create_func)(256); + int epfd = epoll_create(256); if (epfd < 0) { JNU_ThrowIOExceptionWithLastError(env, "epoll_create failed"); } @@ -125,7 +77,7 @@ event.events = events; event.data.fd = fd; - RESTARTABLE((*epoll_ctl_func)(epfd, (int)opcode, (int)fd, &event), res); + RESTARTABLE(epoll_ctl(epfd, (int)opcode, (int)fd, &event), res); return (res == 0) ? 0 : errno; } @@ -137,7 +89,7 @@ struct epoll_event *events = jlong_to_ptr(address); int res; - RESTARTABLE((*epoll_wait_func)(epfd, events, numfds, -1), res); + RESTARTABLE(epoll_wait(epfd, events, numfds, -1), res); if (res < 0) { JNU_ThrowIOExceptionWithLastError(env, "epoll_wait failed"); }
--- a/src/solaris/native/sun/nio/fs/LinuxWatchService.c Thu Apr 28 10:12:02 2011 -0700 +++ b/src/solaris/native/sun/nio/fs/LinuxWatchService.c Thu Apr 28 10:14:12 2011 -0700 @@ -33,33 +33,10 @@ #include <sys/types.h> #include <sys/socket.h> #include <sys/poll.h> +#include <sys/inotify.h> #include "sun_nio_fs_LinuxWatchService.h" -/* inotify.h may not be available at build time */ -#ifdef __cplusplus -extern "C" { -#endif -struct inotify_event -{ - int wd; - uint32_t mask; - uint32_t cookie; - uint32_t len; - char name __flexarr; -}; -#ifdef __cplusplus -} -#endif - -typedef int inotify_init_func(void); -typedef int inotify_add_watch_func(int fd, const char* path, uint32_t mask); -typedef int inotify_rm_watch_func(int fd, uint32_t wd); - -inotify_init_func* my_inotify_init_func = NULL; -inotify_add_watch_func* my_inotify_add_watch_func = NULL; -inotify_rm_watch_func* my_inotify_rm_watch_func = NULL; - static void throwUnixException(JNIEnv* env, int errnum) { jobject x = JNU_NewObjectByName(env, "sun/nio/fs/UnixException", "(I)V", errnum); @@ -68,22 +45,6 @@ } } -JNIEXPORT void JNICALL -Java_sun_nio_fs_LinuxWatchService_init(JNIEnv *env, jclass clazz) -{ - my_inotify_init_func = (inotify_init_func*) - dlsym(RTLD_DEFAULT, "inotify_init"); - my_inotify_add_watch_func = - (inotify_add_watch_func*) dlsym(RTLD_DEFAULT, "inotify_add_watch"); - my_inotify_rm_watch_func = - (inotify_rm_watch_func*) dlsym(RTLD_DEFAULT, "inotify_rm_watch"); - - if ((my_inotify_init_func == NULL) || (my_inotify_add_watch_func == NULL) || - (my_inotify_rm_watch_func == NULL)) { - JNU_ThrowInternalError(env, "unable to get address of inotify functions"); - } -} - JNIEXPORT jint JNICALL Java_sun_nio_fs_LinuxWatchService_eventSize(JNIEnv *env, jclass clazz) { @@ -111,7 +72,7 @@ Java_sun_nio_fs_LinuxWatchService_inotifyInit (JNIEnv* env, jclass clazz) { - int ifd = (*my_inotify_init_func)(); + int ifd = inotify_init(); if (ifd == -1) { throwUnixException(env, errno); } @@ -125,7 +86,7 @@ int wfd = -1; const char* path = (const char*)jlong_to_ptr(address); - wfd = (*my_inotify_add_watch_func)((int)fd, path, mask); + wfd = inotify_add_watch((int)fd, path, mask); if (wfd == -1) { throwUnixException(env, errno); } @@ -136,7 +97,7 @@ Java_sun_nio_fs_LinuxWatchService_inotifyRmWatch (JNIEnv* env, jclass clazz, jint fd, jint wd) { - int err = (*my_inotify_rm_watch_func)((int)fd, (int)wd); + int err = inotify_rm_watch((int)fd, (int)wd); if (err == -1) throwUnixException(env, errno); } @@ -166,7 +127,6 @@ res[1] = (jint)sp[1]; (*env)->SetIntArrayRegion(env, sv, 0, 2, &res[0]); } - } JNIEXPORT jint JNICALL @@ -190,6 +150,4 @@ } } return (jint)n; - - }
--- a/src/windows/classes/sun/security/mscapi/RSASignature.java Thu Apr 28 10:12:02 2011 -0700 +++ b/src/windows/classes/sun/security/mscapi/RSASignature.java Thu Apr 28 10:14:12 2011 -0700 @@ -50,6 +50,9 @@ * following algorithm names: * * . "SHA1withRSA" + * . "SHA256withRSA" + * . "SHA384withRSA" + * . "SHA512withRSA" * . "MD5withRSA" * . "MD2withRSA" * @@ -63,7 +66,10 @@ // message digest implementation we use private final MessageDigest messageDigest; - // flag indicating whether the digest is reset + // message digest name + private final String messageDigestAlgorithm; + + // flag indicating whether the digest has been reset private boolean needsReset; // the signing key @@ -73,10 +79,15 @@ private Key publicKey = null; + /** + * Constructs a new RSASignature. Used by subclasses. + */ RSASignature(String digestName) { try { messageDigest = MessageDigest.getInstance(digestName); + // Get the digest's canonical name + messageDigestAlgorithm = messageDigest.getAlgorithm(); } catch (NoSuchAlgorithmException e) { throw new ProviderException(e); @@ -91,6 +102,24 @@ } } + public static final class SHA256 extends RSASignature { + public SHA256() { + super("SHA-256"); + } + } + + public static final class SHA384 extends RSASignature { + public SHA384() { + super("SHA-384"); + } + } + + public static final class SHA512 extends RSASignature { + public SHA512() { + super("SHA-512"); + } + } + public static final class MD5 extends RSASignature { public MD5() { super("MD5"); @@ -103,16 +132,7 @@ } } - /** - * Initializes this signature object with the specified - * public key for verification operations. - * - * @param publicKey the public key of the identity whose signature is - * going to be verified. - * - * @exception InvalidKeyException if the key is improperly - * encoded, parameters are missing, and so on. - */ + // initialize for signing. See JCA doc protected void engineInitVerify(PublicKey key) throws InvalidKeyException { @@ -158,24 +178,12 @@ publicKey = (sun.security.mscapi.RSAPublicKey) key; } - if (needsReset) { - messageDigest.reset(); - needsReset = false; - } + this.privateKey = null; + resetDigest(); } - /** - * Initializes this signature object with the specified - * private key for signing operations. - * - * @param privateKey the private key of the identity whose signature - * will be generated. - * - * @exception InvalidKeyException if the key is improperly - * encoded, parameters are missing, and so on. - */ - protected void engineInitSign(PrivateKey key) - throws InvalidKeyException + // initialize for signing. See JCA doc + protected void engineInitSign(PrivateKey key) throws InvalidKeyException { // This signature accepts only RSAPrivateKey if ((key instanceof sun.security.mscapi.RSAPrivateKey) == false) { @@ -189,12 +197,25 @@ null, RSAKeyPairGenerator.KEY_SIZE_MIN, RSAKeyPairGenerator.KEY_SIZE_MAX); + this.publicKey = null; + resetDigest(); + } + + /** + * Resets the message digest if needed. + */ + private void resetDigest() { if (needsReset) { messageDigest.reset(); needsReset = false; } } + private byte[] getDigestValue() { + needsReset = false; + return messageDigest.digest(); + } + /** * Updates the data to be signed or verified * using the specified byte. @@ -254,13 +275,12 @@ */ protected byte[] engineSign() throws SignatureException { - byte[] hash = messageDigest.digest(); - needsReset = false; + byte[] hash = getDigestValue(); // Sign hash using MS Crypto APIs byte[] result = signHash(hash, hash.length, - messageDigest.getAlgorithm(), privateKey.getHCryptProvider(), + messageDigestAlgorithm, privateKey.getHCryptProvider(), privateKey.getHCryptKey()); // Convert signature array from little endian to big endian @@ -314,11 +334,10 @@ protected boolean engineVerify(byte[] sigBytes) throws SignatureException { - byte[] hash = messageDigest.digest(); - needsReset = false; + byte[] hash = getDigestValue(); return verifySignedHash(hash, hash.length, - messageDigest.getAlgorithm(), convertEndianArray(sigBytes), + messageDigestAlgorithm, convertEndianArray(sigBytes), sigBytes.length, publicKey.getHCryptProvider(), publicKey.getHCryptKey()); }
--- a/src/windows/classes/sun/security/mscapi/SunMSCAPI.java Thu Apr 28 10:12:02 2011 -0700 +++ b/src/windows/classes/sun/security/mscapi/SunMSCAPI.java Thu Apr 28 10:14:12 2011 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2009, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -81,6 +81,12 @@ */ map.put("Signature.SHA1withRSA", "sun.security.mscapi.RSASignature$SHA1"); + map.put("Signature.SHA256withRSA", + "sun.security.mscapi.RSASignature$SHA256"); + map.put("Signature.SHA384withRSA", + "sun.security.mscapi.RSASignature$SHA384"); + map.put("Signature.SHA512withRSA", + "sun.security.mscapi.RSASignature$SHA512"); map.put("Signature.MD5withRSA", "sun.security.mscapi.RSASignature$MD5"); map.put("Signature.MD2withRSA", @@ -89,12 +95,16 @@ // supported key classes map.put("Signature.SHA1withRSA SupportedKeyClasses", "sun.security.mscapi.Key"); + map.put("Signature.SHA256withRSA SupportedKeyClasses", + "sun.security.mscapi.Key"); + map.put("Signature.SHA384withRSA SupportedKeyClasses", + "sun.security.mscapi.Key"); + map.put("Signature.SHA512withRSA SupportedKeyClasses", + "sun.security.mscapi.Key"); map.put("Signature.MD5withRSA SupportedKeyClasses", "sun.security.mscapi.Key"); map.put("Signature.MD2withRSA SupportedKeyClasses", "sun.security.mscapi.Key"); - map.put("Signature.NONEwithRSA SupportedKeyClasses", - "sun.security.mscapi.Key"); /* * Key Pair Generator engines
--- a/src/windows/native/sun/security/mscapi/security.cpp Thu Apr 28 10:12:02 2011 -0700 +++ b/src/windows/native/sun/security/mscapi/security.cpp Thu Apr 28 10:14:12 2011 -0700 @@ -483,6 +483,7 @@ jbyte* pHashBuffer = NULL; jbyte* pSignedHashBuffer = NULL; jbyteArray jSignedHash = NULL; + HCRYPTPROV hCryptProvAlt = NULL; __try { @@ -492,8 +493,32 @@ // Acquire a hash object handle. if (::CryptCreateHash(HCRYPTPROV(hCryptProv), algId, 0, 0, &hHash) == FALSE) { - ThrowException(env, SIGNATURE_EXCEPTION, GetLastError()); - __leave; + // Failover to using the PROV_RSA_AES CSP + + DWORD cbData = 256; + BYTE pbData[256]; + pbData[0] = '\0'; + + // Get name of the key container + ::CryptGetProvParam((HCRYPTPROV)hCryptProv, PP_CONTAINER, + (BYTE *)pbData, &cbData, 0); + + // Acquire an alternative CSP handle + if (::CryptAcquireContext(&hCryptProvAlt, LPCSTR(pbData), NULL, + PROV_RSA_AES, 0) == FALSE) + { + + ThrowException(env, SIGNATURE_EXCEPTION, GetLastError()); + __leave; + } + + // Acquire a hash object handle. + if (::CryptCreateHash(HCRYPTPROV(hCryptProvAlt), algId, 0, 0, + &hHash) == FALSE) + { + ThrowException(env, SIGNATURE_EXCEPTION, GetLastError()); + __leave; + } } // Copy hash from Java to native buffer @@ -546,6 +571,9 @@ } __finally { + if (hCryptProvAlt) + ::CryptReleaseContext(hCryptProvAlt, 0); + if (pSignedHashBuffer) delete [] pSignedHashBuffer; @@ -574,6 +602,7 @@ jbyte* pSignedHashBuffer = NULL; DWORD dwSignedHashBufferLen = jSignedHashSize; jboolean result = JNI_FALSE; + HCRYPTPROV hCryptProvAlt = NULL; __try { @@ -584,8 +613,32 @@ if (::CryptCreateHash(HCRYPTPROV(hCryptProv), algId, 0, 0, &hHash) == FALSE) { - ThrowException(env, SIGNATURE_EXCEPTION, GetLastError()); - __leave; + // Failover to using the PROV_RSA_AES CSP + + DWORD cbData = 256; + BYTE pbData[256]; + pbData[0] = '\0'; + + // Get name of the key container + ::CryptGetProvParam((HCRYPTPROV)hCryptProv, PP_CONTAINER, + (BYTE *)pbData, &cbData, 0); + + // Acquire an alternative CSP handle + if (::CryptAcquireContext(&hCryptProvAlt, LPCSTR(pbData), NULL, + PROV_RSA_AES, 0) == FALSE) + { + + ThrowException(env, SIGNATURE_EXCEPTION, GetLastError()); + __leave; + } + + // Acquire a hash object handle. + if (::CryptCreateHash(HCRYPTPROV(hCryptProvAlt), algId, 0, 0, + &hHash) == FALSE) + { + ThrowException(env, SIGNATURE_EXCEPTION, GetLastError()); + __leave; + } } // Copy hash and signedHash from Java to native buffer @@ -616,6 +669,9 @@ __finally { + if (hCryptProvAlt) + ::CryptReleaseContext(hCryptProvAlt, 0); + if (pSignedHashBuffer) delete [] pSignedHashBuffer; @@ -648,15 +704,27 @@ pszKeyContainerName = env->GetStringUTFChars(keyContainerName, NULL); // Acquire a CSP context (create a new key container). + // Prefer a PROV_RSA_AES CSP, when available, due to its support + // for SHA-2-based signatures. if (::CryptAcquireContext( &hCryptProv, pszKeyContainerName, NULL, - PROV_RSA_FULL, + PROV_RSA_AES, CRYPT_NEWKEYSET) == FALSE) { - ThrowException(env, KEY_EXCEPTION, GetLastError()); - __leave; + // Failover to using the default CSP (PROV_RSA_FULL) + + if (::CryptAcquireContext( + &hCryptProv, + pszKeyContainerName, + NULL, + PROV_RSA_FULL, + CRYPT_NEWKEYSET) == FALSE) + { + ThrowException(env, KEY_EXCEPTION, GetLastError()); + __leave; + } } // Generate an RSA keypair @@ -1849,15 +1917,27 @@ pbKeyBlob = (BYTE *) env->GetByteArrayElements(keyBlob, 0); // Acquire a CSP context (create a new key container). + // Prefer a PROV_RSA_AES CSP, when available, due to its support + // for SHA-2-based signatures. if (::CryptAcquireContext( &hCryptProv, NULL, NULL, - PROV_RSA_FULL, + PROV_RSA_AES, CRYPT_VERIFYCONTEXT) == FALSE) { - ThrowException(env, KEYSTORE_EXCEPTION, GetLastError()); - __leave; + // Failover to using the default CSP (PROV_RSA_FULL) + + if (::CryptAcquireContext( + &hCryptProv, + NULL, + NULL, + PROV_RSA_FULL, + CRYPT_VERIFYCONTEXT) == FALSE) + { + ThrowException(env, KEYSTORE_EXCEPTION, GetLastError()); + __leave; + } } // Import the public key
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/java/nio/charset/StandardCharset/Standard.java Thu Apr 28 10:14:12 2011 -0700 @@ -0,0 +1,91 @@ +/* + * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 4884238 + * @summary Test standard charset name constants. + * @author Mike Duigou + * @run main Standard + */ + +import java.nio.charset.*; + +public class Standard { + + public static void realMain(String[] args) { + check(StandardCharset.US_ASCII instanceof Charset); + check(StandardCharset.ISO_8859_1 instanceof Charset); + check(StandardCharset.UTF_8 instanceof Charset); + check(StandardCharset.UTF_16BE instanceof Charset); + check(StandardCharset.UTF_16LE instanceof Charset); + check(StandardCharset.UTF_16 instanceof Charset); + + check("US-ASCII".equals(StandardCharset.US_ASCII.name()); + check("ISO-8859-1".equals(StandardCharset.ISO_8859_1.name()); + check("UTF-8".equals(StandardCharset.UTF_8.name()); + check("UTF-16BE".equals(StandardCharset.UTF_16BE.name()); + check("UTF-16LE".equals(StandardCharset.UTF_16LE.name()); + check("UTF-16".equals(StandardCharset.UTF_16.name()); + } + + //--------------------- Infrastructure --------------------------- + static volatile int passed = 0, failed = 0; + static void pass() { passed++; } + static void fail() { failed++; Thread.dumpStack(); } + static void fail(String msg) { System.out.println(msg); fail(); } + static void unexpected(Throwable t) { failed++; t.printStackTrace(); } + static void check(boolean cond) { if (cond) pass(); else fail(); } + static void equal(Object x, Object y) { + if (x == null ? y == null : x.equals(y)) pass(); + else {System.out.println(x + " not equal to " + y); fail();}} + static void equal2(Object x, Object y) {equal(x, y); equal(y, x);} + public static void main(String[] args) throws Throwable { + try { realMain(args); } catch (Throwable t) { unexpected(t); } + + System.out.printf("%nPassed = %d, failed = %d%n%n", passed, failed); + if (failed > 0) throw new Exception("Some tests failed"); + } + private static abstract class Fun {abstract void f() throws Throwable;} + private static void THROWS(Class<? extends Throwable> k, Fun... fs) { + for (Fun f : fs) + try { f.f(); fail("Expected " + k.getName() + " not thrown"); } + catch (Throwable t) { + if (k.isAssignableFrom(t.getClass())) pass(); + else unexpected(t);}} + static byte[] serializedForm(Object obj) { + try { + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + new ObjectOutputStream(baos).writeObject(obj); + return baos.toByteArray(); + } catch (IOException e) { throw new Error(e); }} + static Object readObject(byte[] bytes) + throws IOException, ClassNotFoundException { + InputStream is = new ByteArrayInputStream(bytes); + return new ObjectInputStream(is).readObject();} + @SuppressWarnings("unchecked") + static <T> T serialClone(T obj) { + try { return (T) readObject(serializedForm(obj)); } + catch (Exception e) { throw new Error(e); }} + +}
--- a/test/java/util/jar/JarInputStream/ScanSignedJar.java Thu Apr 28 10:12:02 2011 -0700 +++ b/test/java/util/jar/JarInputStream/ScanSignedJar.java Thu Apr 28 10:14:12 2011 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,11 +27,9 @@ * @summary Confirm that JarEntry.getCertificates identifies signed entries. */ -import java.io.*; import java.net.URL; import java.security.CodeSigner; import java.security.cert.Certificate; -import java.util.Enumeration; import java.util.jar.*; /* @@ -72,6 +70,9 @@ if (signers == null && certificates == null) { System.out.println("[unsigned]\t" + name + "\t(" + size + " bytes)"); + if (name.equals("Count.class")) { + throw new Exception("Count.class should be signed"); + } } else if (signers != null && certificates != null) { System.out.println("[" + signers.length + (signers.length == 1 ? " signer" : " signers") + "]\t" +
--- a/test/java/util/jar/JarInputStream/TestIndexedJarWithBadSignature.java Thu Apr 28 10:12:02 2011 -0700 +++ b/test/java/util/jar/JarInputStream/TestIndexedJarWithBadSignature.java Thu Apr 28 10:14:12 2011 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -37,7 +37,7 @@ public static void main(String...args) throws Throwable { try (JarInputStream jis = new JarInputStream( - new FileInputStream(System.getProperty("tst.src", ".") + + new FileInputStream(System.getProperty("test.src", ".") + System.getProperty("file.separator") + "BadSignedJar.jar"))) {
--- a/test/sun/security/krb5/auto/BadKdc.java Thu Apr 28 10:12:02 2011 -0700 +++ b/test/sun/security/krb5/auto/BadKdc.java Thu Apr 28 10:14:12 2011 -0700 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -22,8 +22,14 @@ */ import java.io.*; +import java.net.BindException; +import java.net.DatagramPacket; +import java.net.DatagramSocket; +import java.net.InetAddress; import java.util.regex.Matcher; import java.util.regex.Pattern; +import javax.security.auth.login.LoginException; +import sun.security.krb5.Asn1Exception; import sun.security.krb5.Config; public class BadKdc { @@ -34,8 +40,51 @@ static final Pattern re = Pattern.compile( ">>> KDCCommunication: kdc=kdc.rabbit.hole UDP:(\\d)...., " + "timeout=(\\d)000,"); + + /* + * There are several cases this test fails: + * + * 1. The random selected port is used by another process. No good way to + * prevent this happening, coz krb5.conf must be written before KDC starts. + * There are two different outcomes: + * + * a. Cannot start the KDC. A BindException thrown. + * b. When trying to access a non-existing KDC, a response is received! + * Most likely a Asn1Exception thrown + * + * 2. Even if a KDC is started, and more than 20 seconds pass by, a timeout + * can still happens for the first UDP request. In fact, the KDC did not + * received it at all. This happens on almost all platforms, especially + * solaris-i586 and solaris-x64. + * + * To avoid them: + * + * 1. Catch those exceptions and ignore + * + * 2. a. Make the timeout longer? useless + * b. Read the output carefully, if there is a timeout, it's OK. + * Just make sure the retries times and KDCs are correct. + * This is tough. + * c. Feed the KDC a UDP packet first. The current "solution". + */ public static void go(int[]... expected) throws Exception { + try { + go0(expected); + } catch (BindException be) { + System.out.println("The random port is used by another process"); + } catch (LoginException le) { + Throwable cause = le.getCause(); + if (cause instanceof Asn1Exception) { + System.out.println("Bad packet possibly from another process"); + return; + } + throw le; + } + } + + public static void go0(int[]... expected) + throws Exception { System.setProperty("sun.security.krb5.debug", "true"); // Make sure KDCs' ports starts with 1 and 2 and 3, @@ -78,20 +127,39 @@ KDC k = new KDC(OneKDC.REALM, OneKDC.KDCHOST, p, true); k.addPrincipal(OneKDC.USER, OneKDC.PASS); k.addPrincipalRandKey("krbtgt/" + OneKDC.REALM); + // Feed a packet to newly started KDC to warm it up + System.err.println("-------- IGNORE THIS ERROR MESSAGE --------"); + new DatagramSocket().send( + new DatagramPacket("Hello".getBytes(), 5, + InetAddress.getByName(OneKDC.KDCHOST), p)); return k; } + private static void test(int... expected) throws Exception { + ByteArrayOutputStream bo = new ByteArrayOutputStream(); + try { + test0(bo, expected); + } catch (Exception e) { + System.out.println("----------------- ERROR -----------------"); + System.out.println(new String(bo.toByteArray())); + System.out.println("--------------- ERROR END ---------------"); + throw e; + } + } + /** * One round of test for max_retries and timeout. - * @param timeout the expected timeout * @param expected the expected kdc# timeout kdc# timeout... */ - private static void test(int... expected) throws Exception { - ByteArrayOutputStream bo = new ByteArrayOutputStream(); + private static void test0(ByteArrayOutputStream bo, int... expected) + throws Exception { PrintStream oldout = System.out; System.setOut(new PrintStream(bo)); - Context c = Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false); - System.setOut(oldout); + try { + Context.fromUserPass(OneKDC.USER, OneKDC.PASS, false); + } finally { + System.setOut(oldout); + } String[] lines = new String(bo.toByteArray()).split("\n"); System.out.println("----------------- TEST -----------------");
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/sun/security/mscapi/SignUsingSHA2withRSA.java Thu Apr 28 10:14:12 2011 -0700 @@ -0,0 +1,153 @@ +/* + * Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/** + * @see SignUsingSHA2withRSA.sh + */ + +import java.security.*; +import java.util.*; + +public class SignUsingSHA2withRSA { + + private static final byte[] toBeSigned = new byte[] { + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x10 + }; + + private static List<byte[]> generatedSignatures = new ArrayList<>(); + + public static void main(String[] args) throws Exception { + + Provider[] providers = Security.getProviders("Signature.SHA256withRSA"); + if (providers == null) { + System.out.println("No JCE providers support the " + + "'Signature.SHA256withRSA' algorithm"); + System.out.println("Skipping this test..."); + return; + + } else { + System.out.println("The following JCE providers support the " + + "'Signature.SHA256withRSA' algorithm: "); + for (Provider provider : providers) { + System.out.println(" " + provider.getName()); + } + } + System.out.println("-------------------------------------------------"); + + KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI"); + ks.load(null, null); + System.out.println("Loaded keystore: Windows-MY"); + + Enumeration e = ks.aliases(); + PrivateKey privateKey = null; + PublicKey publicKey = null; + + while (e.hasMoreElements()) { + String alias = (String) e.nextElement(); + if (alias.equals("6753664")) { + System.out.println("Loaded entry: " + alias); + privateKey = (PrivateKey) ks.getKey(alias, null); + publicKey = (PublicKey) ks.getCertificate(alias).getPublicKey(); + } + } + if (privateKey == null || publicKey == null) { + throw new Exception("Cannot load the keys need to run this test"); + } + System.out.println("-------------------------------------------------"); + + generatedSignatures.add(signUsing("SHA256withRSA", privateKey)); + generatedSignatures.add(signUsing("SHA384withRSA", privateKey)); + generatedSignatures.add(signUsing("SHA512withRSA", privateKey)); + + System.out.println("-------------------------------------------------"); + + verifyUsing("SHA256withRSA", publicKey, generatedSignatures.get(0)); + verifyUsing("SHA384withRSA", publicKey, generatedSignatures.get(1)); + verifyUsing("SHA512withRSA", publicKey, generatedSignatures.get(2)); + + System.out.println("-------------------------------------------------"); + } + + private static byte[] signUsing(String signAlgorithm, + PrivateKey privateKey) throws Exception { + + // Must explicitly specify the SunMSCAPI JCE provider + // (otherwise SunJCE is chosen because it appears earlier in the list) + Signature sig1 = Signature.getInstance(signAlgorithm, "SunMSCAPI"); + if (sig1 == null) { + throw new Exception("'" + signAlgorithm + "' is not supported"); + } + System.out.println("Using " + signAlgorithm + " signer from the " + + sig1.getProvider().getName() + " JCE provider"); + + System.out.println("Using key: " + privateKey); + sig1.initSign(privateKey); + sig1.update(toBeSigned); + byte [] sigBytes = null; + + try { + sigBytes = sig1.sign(); + System.out.println("Generated RSA signature over a " + + toBeSigned.length + "-byte data (signature length: " + + sigBytes.length * 8 + " bits)"); + System.out.println(String.format("0x%0" + + (sigBytes.length * 2) + "x", + new java.math.BigInteger(1, sigBytes))); + + } catch (SignatureException se) { + System.out.println("Error generating RSA signature: " + se); + } + + return sigBytes; + } + + private static void verifyUsing(String signAlgorithm, PublicKey publicKey, + byte[] signature) throws Exception { + + // Must explicitly specify the SunMSCAPI JCE provider + // (otherwise SunJCE is chosen because it appears earlier in the list) + Signature sig1 = Signature.getInstance(signAlgorithm, "SunMSCAPI"); + if (sig1 == null) { + throw new Exception("'" + signAlgorithm + "' is not supported"); + } + System.out.println("Using " + signAlgorithm + " verifier from the " + + sig1.getProvider().getName() + " JCE provider"); + + System.out.println("Using key: " + publicKey); + + System.out.println("\nVerifying RSA Signature over a " + + toBeSigned.length + "-byte data (signature length: " + + signature.length * 8 + " bits)"); + System.out.println(String.format("0x%0" + (signature.length * 2) + + "x", new java.math.BigInteger(1, signature))); + + sig1.initVerify(publicKey); + sig1.update(toBeSigned); + + if (sig1.verify(signature)) { + System.out.println("Verify PASSED\n"); + } else { + throw new Exception("Verify FAILED"); + } + } +}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/test/sun/security/mscapi/SignUsingSHA2withRSA.sh Thu Apr 28 10:14:12 2011 -0700 @@ -0,0 +1,83 @@ +#!/bin/sh + +# +# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +# +# This code is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 2 only, as +# published by the Free Software Foundation. +# +# This code is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# version 2 for more details (a copy is included in the LICENSE file that +# accompanied this code). +# +# You should have received a copy of the GNU General Public License version +# 2 along with this work; if not, write to the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA +# or visit www.oracle.com if you need additional information or have any +# questions. +# + + +# @test +# @bug 6753664 +# @run shell SignUsingSHA2withRSA.sh +# @summary Support SHA256 (and higher) in SunMSCAPI + +# set a few environment variables so that the shell-script can run stand-alone +# in the source directory +if [ "${TESTSRC}" = "" ] ; then + TESTSRC="." +fi + +if [ "${TESTCLASSES}" = "" ] ; then + TESTCLASSES="." +fi + +if [ "${TESTJAVA}" = "" ] ; then + echo "TESTJAVA not set. Test cannot execute." + echo "FAILED!!!" + exit 1 +fi + +OS=`uname -s` +case "$OS" in + Windows* | CYGWIN* ) + + echo "Creating a temporary RSA keypair in the Windows-My store..." + ${TESTJAVA}/bin/keytool \ + -genkeypair \ + -storetype Windows-My \ + -keyalg RSA \ + -alias 6753664 \ + -dname "cn=6753664,c=US" \ + -noprompt + + echo + echo "Running the test..." + ${TESTJAVA}/bin/javac -d . ${TESTSRC}\\SignUsingSHA2withRSA.java + ${TESTJAVA}/bin/java SignUsingSHA2withRSA + + rc=$? + + echo + echo "Removing the temporary RSA keypair from the Windows-My store..." + ${TESTJAVA}/bin/keytool \ + -delete \ + -storetype Windows-My \ + -alias 6753664 + + echo done. + exit $rc + ;; + + * ) + echo "This test is not intended for '$OS' - passing test" + exit 0 + ;; +esac