/hg/release/icedtea6-1.7: 3 new changesets
andrew at icedtea.classpath.org
Sun Jul 25 14:43:52 PDT 2010
changeset 6abc3a568866 in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=6abc3a568866
author: Andrew John Hughes <ahughes at redhat.com>
date: Sun Jul 25 21:12:18 2010 +0100
Backport S6668231: Presence of a critical subjectAltName causes
JSSE's SunX509 to fail trusted checks.
2010-07-25 Andrew John Hughes <ahughes at redhat.com>
* .hgignore: Remove 'openjdk' which hides files
added to overlays.
* Makefile.am: Add patch.
* patches/openjdk/6668231-ssl_cert.patch: Backport SSL
certificate fix 'Presence of a critical subjectAltName
causes JSSE's SunX509 to fail trusted checks'.
* overlays/openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/
www/protocol/https/HttpsURLConnection/crisubn.jks,
* overlays/openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/
www/protocol/https/HttpsURLConnection/trusted.jks: Keystores
for the new test introduced by this patch.
changeset 00d39eef8e59 in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=00d39eef8e59
author: Andrew John Hughes <ahughes at redhat.com>
date: Sun Jul 25 22:36:52 2010 +0100
Backpatch S6963870: Eliminate NullPointerEx in swing class
CompoundBorder method getBorderInsets
* patches/openjdk/6963870.patch: New file. Backpatched from
jdk7 for upstream bug#6963870. Fixes IcedTea Bug#477:
NullPointerEx in swing class CompoundBorder method
getBorderInsets.
* Makefile.am: Include above patch.
changeset 81bc6674c223 in /hg/release/icedtea6-1.7
details: http://icedtea.classpath.org/hg/release/icedtea6-1.7?cmd=changeset;node=81bc6674c223
author: Andrew John Hughes <ahughes at redhat.com>
date: Sun Jul 25 22:43:38 2010 +0100
List backported upstream fixes in NEWS.
2010-07-25 Andrew John Hughes <ahughes at redhat.com>
* NEWS: Update with list of backported fixes.
diffstat:
6 files changed, 442 insertions(+), 2 deletions(-)
.hgignore | 1
ChangeLog | 25 ++
Makefile.am | 4
NEWS | 9
patches/openjdk/6668231-ssl_cert.patch | 306 +++++++++++++++++++++++++++++++
patches/openjdk/6963870-swing_npe.patch | 99 ++++++++++
diffs (493 lines):
diff -r 36fc1b3ae030 -r 81bc6674c223 .hgignore
--- a/.hgignore Thu Jul 22 09:24:52 2010 +0100
+++ b/.hgignore Sun Jul 25 22:43:38 2010 +0100
@@ -7,7 +7,6 @@ cacao
cacao
netbeans
visualvm
-openjdk
bootstrap
debian
lib
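Review bot: removing the `openjdk` entry outright (the `-openjdk` line) un-ignores every path containing that name, not only the overlay files it was hiding. If the build still creates an `openjdk` directory at the top of the tree, it will now appear as untracked in `hg status`; an entry anchored to that top-level directory would keep it ignored while leaving `overlays/openjdk/...` visible.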
diff -r 36fc1b3ae030 -r 81bc6674c223 ChangeLog
--- a/ChangeLog Thu Jul 22 09:24:52 2010 +0100
+++ b/ChangeLog Sun Jul 25 22:43:38 2010 +0100
@@ -1,3 +1,28 @@ 2010-07-21 Andrew John Hughes <ahughes
+2010-07-25 Andrew John Hughes <ahughes at redhat.com>
+
+ * NEWS: Update with list of backported
+ fixes.
+
+2010-07-23 Jon VanAlten <jon.vanalten at redhat.com>
+
+ * patches/openjdk/6963870.patch: New file. Backpatched from jdk7 for
+ upstream bug#6963870. Fixes IcedTea Bug#477: NullPointerEx in swing
+ class CompoundBorder method getBorderInsets.
+ * Makefile.am: Include above patch.
+
+2010-07-25 Andrew John Hughes <ahughes at redhat.com>
+
+ * .hgignore: Remove 'openjdk' which hides files
+ added to overlays.
+ * Makefile.am: Add patch.
+ * patches/openjdk/6668231-ssl_cert.patch:
+ Backport SSL certificate fix 'Presence of a
+ critical subjectAltName causes JSSE's SunX509 to
+ fail trusted checks'.
+ * overlays/openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/crisubn.jks,
+ * overlays/openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/trusted.jks:
+ Keystores for the new test introduced by this patch.
+
2010-07-21 Andrew John Hughes <ahughes at redhat.com>
* INSTALL: Updated, with documentation
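Review bot: the 2010-07-23 entry records the Swing patch as `patches/openjdk/6963870.patch`, but the file this changeset adds and lists in Makefile.am is `patches/openjdk/6963870-swing_npe.patch`; the entry should use the real file name. That entry is also placed between two 2010-07-25 entries, so the log is not in date order; moving it below the second 2010-07-25 entry would fix that.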
diff -r 36fc1b3ae030 -r 81bc6674c223 Makefile.am
--- a/Makefile.am Thu Jul 22 09:24:52 2010 +0100
+++ b/Makefile.am Sun Jul 25 22:43:38 2010 +0100
@@ -341,7 +341,9 @@ ICEDTEA_PATCHES = \
patches/openjdk/6875861-docs-properties.patch \
patches/openjdk/6909563-docs-rmi.patch \
patches/openjdk/6917485-docs-corba.patch \
- patches/openjdk/6921068-docs-specdefault.patch
+ patches/openjdk/6921068-docs-specdefault.patch \
+ patches/openjdk/6668231-ssl_cert.patch \
+ patches/openjdk/6963870-swing_npe.patch
if WITH_RHINO
ICEDTEA_PATCHES += \
diff -r 36fc1b3ae030 -r 81bc6674c223 NEWS
--- a/NEWS Thu Jul 22 09:24:52 2010 +0100
+++ b/NEWS Sun Jul 25 22:43:38 2010 +0100
@@ -5,6 +5,15 @@ New in release 1.7.4 (2010-XX-XX):
* Restore icedtea-override-metacity.patch to allow full screen apps and
other expected behavioral improvements.
* S6678385, RH551835: Fixes JVM crashes when window is resized.
+* S6668231: Presence of a critical subjectAltName causes JSSE's SunX509 to fail trusted checks.
+* S6963870: Eliminate NullPointerEx in swing class CompoundBorder method getBorderInsets.
+* S4891262: API spec, javax/accessibility: few invalid javadoc tags.
+* S6737212: Fixed javadoc warning messages in RowSet classes.
+* S6875861: javadoc build warning on java.util.Properites from unconventional @see ordering.
+* S6909563: Javadoc build warnings in rmi, security, management.
+* S6879689: Fix warning about ignored return value when compiling with -O2
+* S6917485: Corba doc warnings.
+* S6921068: Remove javadoc build warnings from specdefault tag.
* Make the new plugin the default. This is now the main supported
plugin. Use --disable-npplugin to use the old one.
* New plugin:
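Review bot: in the added S6875861 line, `java.util.Properites` is misspelled (`Properties`), and should be corrected unless the spelling is kept deliberately to match the upstream bug title. The S6879689 line is also the only added entry without a closing full stop.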
diff -r 36fc1b3ae030 -r 81bc6674c223 overlays/openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/crisubn.jks
Binary file overlays/openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/crisubn.jks has changed
diff -r 36fc1b3ae030 -r 81bc6674c223 overlays/openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/trusted.jks
Binary file overlays/openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/trusted.jks has changed
diff -r 36fc1b3ae030 -r 81bc6674c223 patches/openjdk/6668231-ssl_cert.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/openjdk/6668231-ssl_cert.patch Sun Jul 25 22:43:38 2010 +0100
@@ -0,0 +1,306 @@
+# HG changeset patch
+# User xuelei
+# Date 1207190685 14400
+# Node ID df5d7e6ac15e2e2e0b6f8fd37b2240a0057c586d
+# Parent 99b3301fc27c218cb2fca3c585751d12be00d49a
+6668231: Presence of a critical subjectAltName causes JSSE's SunX509 to fail trusted checks
+Summary: make the critical extension known to end entity checker.
+Reviewed-by: wetmore, mullan
+
+diff -r 99b3301fc27c -r df5d7e6ac15e src/share/classes/sun/security/validator/EndEntityChecker.java
+--- openjdk.orig/jdk/src/share/classes/sun/security/validator/EndEntityChecker.java Mon Mar 31 16:50:16 2008 -0700
++++ openjdk/jdk/src/share/classes/sun/security/validator/EndEntityChecker.java Wed Apr 02 22:44:45 2008 -0400
+@@ -87,6 +87,9 @@
+ // the Microsoft Server-Gated-Cryptography EKU extension OID
+ private final static String OID_EKU_MS_SGC = "1.3.6.1.4.1.311.10.3.3";
+
++ // the recognized extension OIDs
++ private final static String OID_SUBJECT_ALT_NAME = "2.5.29.17";
++
+ private final static String NSCT_SSL_CLIENT =
+ NetscapeCertTypeExtension.SSL_CLIENT;
+
+@@ -171,6 +174,13 @@
+ throws CertificateException {
+ // basic constraints irrelevant in EE certs
+ exts.remove(SimpleValidator.OID_BASIC_CONSTRAINTS);
++
++ // If the subject field contains an empty sequence, the subjectAltName
++ // extension MUST be marked critical.
++ // We do not check the validity of the critical extension, just mark
++ // it recognizable here.
++ exts.remove(OID_SUBJECT_ALT_NAME);
++
+ if (!exts.isEmpty()) {
+ throw new CertificateException("Certificate contains unsupported "
+ + "critical extensions: " + exts);
+diff -r 99b3301fc27c -r df5d7e6ac15e test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/CriticalSubjectAltName.java
+--- /dev/null Thu Jan 01 00:00:00 1970 +0000
++++ openjdk/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/CriticalSubjectAltName.java Wed Apr 02 22:44:45 2008 -0400
+@@ -0,0 +1,262 @@
++/*
++ * Copyright 2001-2008 Sun Microsystems, Inc. All Rights Reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
++ * CA 95054 USA or visit www.sun.com if you need additional information or
++ * have any questions.
++ */
++
++/*
++ * @test
++ * @bug 6668231
++ * @summary Presence of a critical subjectAltName causes JSSE's SunX509 to
++ * fail trusted checks
++ * @author Xuelei Fan
++ *
++ * This test depends on binary keystore, crisubn.jks and trusted.jks. Because
++ * JAVA keytool cannot generate X509 certificate with SubjectAltName extension,
++ * the certificates are generated with openssl toolkits and then imported into
++ * JAVA keystore.
++ *
++ * The crisubn.jks holds a private key entry and the corresponding X509
++ * certificate issued with an empty Subject field, and a critical
++ * SubjectAltName extension.
++ *
++ * The trusted.jks holds the trusted certificate.
++ */
++import java.io.*;
++import java.net.*;
++import javax.net.ssl.*;
++import java.security.cert.Certificate;
++
++public class CriticalSubjectAltName implements HostnameVerifier {
++ /*
++ * =============================================================
++ * Set the various variables needed for the tests, then
++ * specify what tests to run on each side.
++ */
++
++ /*
++ * Should we run the client or server in a separate thread?
++ * Both sides can throw exceptions, but do you have a preference
++ * as to which side should be the main thread.
++ */
++ static boolean separateServerThread = true;
++
++ /*
++ * Where do we find the keystores?
++ */
++ static String pathToStores = "./";
++ static String keyStoreFile = "crisubn.jks";
++ static String trustStoreFile = "trusted.jks";
++ static String passwd = "passphrase";
++
++ /*
++ * Is the server ready to serve?
++ */
++ volatile static boolean serverReady = false;
++
++ /*
++ * Turn on SSL debugging?
++ */
++ static boolean debug = false;
++
++ /*
++ * If the client or server is doing some kind of object creation
++ * that the other side depends on, and that thread prematurely
++ * exits, you may experience a hang. The test harness will
++ * terminate all hung threads after its timeout has expired,
++ * currently 3 minutes by default, but you might try to be
++ * smart about it....
++ */
++
++ /*
++ * Define the server side of the test.
++ *
++ * If the server prematurely exits, serverReady will be set to true
++ * to avoid infinite hangs.
++ */
++ void doServerSide() throws Exception {
++ SSLServerSocketFactory sslssf =
++ (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
++ SSLServerSocket sslServerSocket =
++ (SSLServerSocket) sslssf.createServerSocket(serverPort);
++ serverPort = sslServerSocket.getLocalPort();
++
++ /*
++ * Signal Client, we're ready for his connect.
++ */
++ serverReady = true;
++
++ SSLSocket sslSocket = (SSLSocket) sslServerSocket.accept();
++ OutputStream sslOS = sslSocket.getOutputStream();
++ BufferedWriter bw = new BufferedWriter(new OutputStreamWriter(sslOS));
++ bw.write("HTTP/1.1 200 OK\r\n\r\n\r\n");
++ bw.flush();
++ Thread.sleep(5000);
++ sslSocket.close();
++ }
++
++ /*
++ * Define the client side of the test.
++ *
++ * If the server prematurely exits, serverReady will be set to true
++ * to avoid infinite hangs.
++ */
++ void doClientSide() throws Exception {
++
++ /*
++ * Wait for server to get started.
++ */
++ while (!serverReady) {
++ Thread.sleep(50);
++ }
++
++ URL url = new URL("https://localhost:"+serverPort+"/index.html");
++ HttpsURLConnection urlc = (HttpsURLConnection)url.openConnection();
++ urlc.setHostnameVerifier(this);
++ urlc.getInputStream();
++
++ if (urlc.getResponseCode() == -1) {
++ throw new RuntimeException("getResponseCode() returns -1");
++ }
++ }
++
++ /*
++ * =============================================================
++ * The remainder is just support stuff
++ */
++
++ // use any free port by default
++ volatile int serverPort = 0;
++
++ volatile Exception serverException = null;
++ volatile Exception clientException = null;
++
++ public static void main(String[] args) throws Exception {
++ String keyFilename =
++ System.getProperty("test.src", "./") + "/" + pathToStores +
++ "/" + keyStoreFile;
++ String trustFilename =
++ System.getProperty("test.src", "./") + "/" + pathToStores +
++ "/" + trustStoreFile;
++
++ System.setProperty("javax.net.ssl.keyStore", keyFilename);
++ System.setProperty("javax.net.ssl.keyStorePassword", passwd);
++ System.setProperty("javax.net.ssl.trustStore", trustFilename);
++ System.setProperty("javax.net.ssl.trustStorePassword", passwd);
++
++ if (debug)
++ System.setProperty("javax.net.debug", "all");
++
++ /*
++ * Start the tests.
++ */
++ new CriticalSubjectAltName();
++ }
++
++ Thread clientThread = null;
++ Thread serverThread = null;
++
++ /*
++ * Primary constructor, used to drive remainder of the test.
++ *
++ * Fork off the other side, then do your work.
++ */
++ CriticalSubjectAltName() throws Exception {
++ if (separateServerThread) {
++ startServer(true);
++ startClient(false);
++ } else {
++ startClient(true);
++ startServer(false);
++ }
++
++ /*
++ * Wait for other side to close down.
++ */
++ if (separateServerThread) {
++ serverThread.join();
++ } else {
++ clientThread.join();
++ }
++
++ /*
++ * When we get here, the test is pretty much over.
++ *
++ * If the main thread excepted, that propagates back
++ * immediately. If the other thread threw an exception, we
++ * should report back.
++ */
++ if (serverException != null)
++ throw serverException;
++ if (clientException != null)
++ throw clientException;
++ }
++
++ void startServer(boolean newThread) throws Exception {
++ if (newThread) {
++ serverThread = new Thread() {
++ public void run() {
++ try {
++ doServerSide();
++ } catch (Exception e) {
++ /*
++ * Our server thread just died.
++ *
++ * Release the client, if not active already...
++ */
++ System.err.println("Server died...");
++ serverReady = true;
++ serverException = e;
++ }
++ }
++ };
++ serverThread.start();
++ } else {
++ doServerSide();
++ }
++ }
++
++ void startClient(boolean newThread) throws Exception {
++ if (newThread) {
++ clientThread = new Thread() {
++ public void run() {
++ try {
++ doClientSide();
++ } catch (Exception e) {
++ /*
++ * Our client thread just died.
++ */
++ System.err.println("Client died...");
++ clientException = e;
++ }
++ }
++ };
++ clientThread.start();
++ } else {
++ doClientSide();
++ }
++ }
++
++ // Simple test method to blindly agree that hostname and certname match
++ public boolean verify(String hostname, SSLSession session) {
++ return true;
++ }
++
++}
+diff -r 99b3301fc27c -r df5d7e6ac15e test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/crisubn.jks
+Binary file test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/crisubn.jks has changed
+diff -r 99b3301fc27c -r df5d7e6ac15e test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/trusted.jks
+Binary file test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/trusted.jks has changed
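Review bot: in the EndEntityChecker.java part, `exts.remove(OID_SUBJECT_ALT_NAME)` is unconditional, so a critical subjectAltName is treated as recognised on every end-entity certificate, while the comment justifies it only for the empty-subject case and states that the extension's validity is not checked here. The comment should name the code that is expected to validate the names (hostname verification, for TLS) so a later reader does not take this checker as having done it. The new test cannot show that either: `verify()` returns true for any hostname, so it only proves that the trust check no longer throws. The comment above `doClientSide()` also repeats the server-side sentence about `serverReady` and should be corrected.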
diff -r 36fc1b3ae030 -r 81bc6674c223 patches/openjdk/6963870-swing_npe.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/patches/openjdk/6963870-swing_npe.patch Sun Jul 25 22:43:38 2010 +0100
@@ -0,0 +1,99 @@
+# HG changeset patch
+# User peterz
+# Date 1277808150 -14400
+# Node ID f1bafc4f249d2e5a4f0ff12af78e90b3109404e0
+# Parent a05e047c5b98766ef05cac94e2edce7dc5764916
+6963870: NPE in CompoundBorder.getInsets()
+Reviewed-by: alexp
+Contributed-by: jon.vanalten at redhat.com
+
+diff -r a05e047c5b98 -r f1bafc4f249d src/share/classes/com/sun/java/swing/plaf/gtk/GTKPainter.java
+--- openjdk.orig/jdk/src/share/classes/com/sun/java/swing/plaf/gtk/GTKPainter.java Tue Jun 22 20:36:55 2010 +0400
++++ openjdk/jdk/src/share/classes/com/sun/java/swing/plaf/gtk/GTKPainter.java Tue Jun 29 14:42:30 2010 +0400
+@@ -1440,10 +1440,6 @@
+ }
+ }
+
+- public Insets getBorderInsets(Component c) {
+- return getBorderInsets(c, null);
+- }
+-
+ public Insets getBorderInsets(Component c, Insets i) {
+ SynthContext context = getContext(c);
+
+diff -r a05e047c5b98 -r f1bafc4f249d test/com/sun/java/swing/plaf/gtk/Test6963870.java
+--- /dev/null Thu Jan 01 00:00:00 1970 +0000
++++ openjdk/jdk/test/com/sun/java/swing/plaf/gtk/Test6963870.java Tue Jun 29 14:42:30 2010 +0400
+@@ -0,0 +1,72 @@
++/*
++ * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
++ * CA 95054 USA or visit www.sun.com if you need additional information or
++ * have any questions.
++ */
++
++/* @test
++ @bug 6963870
++ @summary Tests that GTKPainter.ListTableFocusBorder.getBorderInsets()
++ doesn't return null
++ @author Peter Zhelezniakov
++ @run main Test6963870
++*/
++
++import java.awt.Insets;
++import javax.swing.SwingUtilities;
++import javax.swing.UIManager;
++import javax.swing.border.Border;
++
++public class Test6963870 implements Runnable {
++
++ final static String[] UI_NAMES = {
++ "List.focusCellHighlightBorder",
++ "List.focusSelectedCellHighlightBorder",
++ "List.noFocusBorder",
++ "Table.focusCellHighlightBorder",
++ "Table.focusSelectedCellHighlightBorder",
++ };
++
++ public void run() {
++ for (String uiName: UI_NAMES) {
++ test(uiName);
++ }
++ }
++
++ void test(String uiName) {
++ Border b = UIManager.getBorder(uiName);
++ Insets i = b.getBorderInsets(null);
++ if (i == null) {
++ throw new RuntimeException("getBorderInsets() returns null for " + uiName);
++ }
++ }
++
++ public static void main(String[] args) throws Exception {
++ try {
++ UIManager.setLookAndFeel("com.sun.java.swing.plaf.gtk.GTKLookAndFeel");
++ } catch (Exception e) {
++ System.out.println("GTKLookAndFeel cannot be set, skipping this test");
++ return;
++ }
++
++ SwingUtilities.invokeAndWait(new Test6963870());
++ }
++}
++
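Review bot: in the new Test6963870.java, `test()` calls `b.getBorderInsets(null)` without checking that `UIManager.getBorder(uiName)` returned a border, so a key the look and feel does not define fails with a NullPointerException from the test itself instead of a message naming the key; add a null check on `b` that throws with `uiName`. In GTKPainter.java the fix removes the one-argument override that forwarded `null`, but the two-argument `getBorderInsets(Component c, Insets i)` stays public and its body is not shown in this hunk, so it is worth confirming that it tolerates a null `i` from other callers. The test's header also pairs an Oracle copyright line with a Sun Microsystems contact paragraph.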