/hg/icedtea8-forest/jdk: 11 new changesets
andrew at icedtea.classpath.org
andrew at icedtea.classpath.org
Fri Jun 5 00:33:29 UTC 2015
changeset c5b4565befea in /hg/icedtea8-forest/jdk
details: http://icedtea.classpath.org/hg/icedtea8-forest/jdk?cmd=changeset;node=c5b4565befea
author: andrew
date: Thu Jun 04 02:31:55 2015 +0100
PR1413: Undefined reference to libz during link of unpack200
Contributed-by: Fridrich Strba <fridrich.strba at suse.com>
changeset 75acb9c0991b in /hg/icedtea8-forest/jdk
details: http://icedtea.classpath.org/hg/icedtea8-forest/jdk?cmd=changeset;node=75acb9c0991b
author: andrew
date: Thu Jun 04 18:00:35 2015 +0100
PR1937: Add configure option for -Werror
Summary: Make -Werror passed to javac and SCTP native code optional
changeset 6e3f4784affc in /hg/icedtea8-forest/jdk
details: http://icedtea.classpath.org/hg/icedtea8-forest/jdk?cmd=changeset;node=6e3f4784affc
author: andrew
date: Fri Apr 24 17:45:59 2015 +0100
4890063, PR2304, RH1214835: HPROF: default text truncated when using doe=n option
changeset 96fda20ef251 in /hg/icedtea8-forest/jdk
details: http://icedtea.classpath.org/hg/icedtea8-forest/jdk?cmd=changeset;node=96fda20ef251
author: ascarpino
date: Thu Feb 12 09:45:08 2015 -0800
8069072, PR1961, RH1135504: GHASH performance improvement
Summary: Eliminate allocations and vectorize
Reviewed-by: mullan, ascarpino
changeset 7401b7ccfd75 in /hg/icedtea8-forest/jdk
details: http://icedtea.classpath.org/hg/icedtea8-forest/jdk?cmd=changeset;node=7401b7ccfd75
author: andrew
date: Thu Jun 04 19:10:08 2015 +0100
PR2095, RH1163501: 2048-bit DH upper bound too small for Fedora infrastructure
changeset 7741f8bf3047 in /hg/icedtea8-forest/jdk
details: http://icedtea.classpath.org/hg/icedtea8-forest/jdk?cmd=changeset;node=7741f8bf3047
author: neugens
date: Mon Jan 19 17:57:52 2015 +0100
8067364, PR2146, RH114622: Printing to Postscript doesn't support dieresis
Summary: Fix regression caused by fix for 8023990
Reviewed-by: bae, prr
Contributed-by: neugens at redhat.com, philip.race at oracle.com
changeset c257a563155f in /hg/icedtea8-forest/jdk
details: http://icedtea.classpath.org/hg/icedtea8-forest/jdk?cmd=changeset;node=c257a563155f
author: prr
date: Thu Apr 30 14:20:26 2015 -0700
8078654, PR2332: CloseTTFontFileFunc callback should be removed
Reviewed-by: prr, martin
changeset 2c66506fc52f in /hg/icedtea8-forest/jdk
details: http://icedtea.classpath.org/hg/icedtea8-forest/jdk?cmd=changeset;node=2c66506fc52f
author: neugens
date: Fri Feb 27 15:50:03 2015 +0100
8071705. PR2399, RH1182694: Java application menu misbehaves when running multiple screen stacked vertically
Summary: JMenu miscalculates the position of the Popup origin when on multiple monitors stacked vertically
Reviewed-by: alexsch
changeset ea26a8f4db7e in /hg/icedtea8-forest/jdk
details: http://icedtea.classpath.org/hg/icedtea8-forest/jdk?cmd=changeset;node=ea26a8f4db7e
author: andrew
date: Thu Jun 04 20:13:40 2015 +0100
PR2237: ppc64le should report its os.arch as ppc64le so tools can detect it
Summary: Use ppc64le as the arch directory on that platform and report it in os.arch
changeset 25793dbc6569 in /hg/icedtea8-forest/jdk
details: http://icedtea.classpath.org/hg/icedtea8-forest/jdk?cmd=changeset;node=25793dbc6569
author: robm
date: Mon Apr 27 17:17:07 2015 +0100
6991580, PR2403: IPv6 Nameservers in resolv.conf throws NumberFormatException
Reviewed-by: michaelm, andrew, alanb, rriggs
Contributed-by: sgehwolf at redhat.com
changeset 8450ad6fa3f5 in /hg/icedtea8-forest/jdk
details: http://icedtea.classpath.org/hg/icedtea8-forest/jdk?cmd=changeset;node=8450ad6fa3f5
author: robm
date: Mon Mar 23 17:05:01 2015 +0000
8072385, PR2404: Only the first DNSName entry is checked for endpoint identification
Reviewed-by: xuelei
diffstat:
make/CompileLaunchers.gmk | 4 +-
make/Setup.gmk | 2 +-
make/lib/Awt2dLibraries.gmk | 4 +-
make/lib/NioLibraries.gmk | 5 +-
make/lib/SoundLibraries.gmk | 4 +
src/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java | 9 +-
src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java | 5 +-
src/share/classes/com/sun/crypto/provider/GHASH.java | 143 ++++--
src/share/classes/javax/swing/JMenu.java | 3 +-
src/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java | 4 +-
src/share/classes/sun/security/ssl/ClientHandshaker.java | 107 +++-
src/share/demo/jvmti/hprof/hprof_init.c | 2 +-
src/share/native/com/sun/media/sound/SoundDefs.h | 1 +
src/share/native/sun/font/freetypeScaler.c | 16 +-
src/solaris/classes/sun/font/FcFontConfiguration.java | 2 +-
src/solaris/classes/sun/net/dns/ResolverConfigurationImpl.java | 9 +
test/com/sun/crypto/provider/Cipher/AES/TestGHASH.java | 166 ++++++++
test/com/sun/crypto/provider/KeyAgreement/TestExponentSize.java | 16 +-
test/com/sun/jndi/dns/IPv6NameserverPlatformParsingTest.java | 104 +++++
test/javax/print/PrintSEUmlauts/PrintSEUmlauts.java | 120 +++++
test/javax/swing/JMenu/8071705/bug8071705.java | 207 ++++++++++
21 files changed, 810 insertions(+), 123 deletions(-)
diffs (truncated from 1266 to 500 lines):
diff -r 3eab93411bc8 -r 8450ad6fa3f5 make/CompileLaunchers.gmk
--- a/make/CompileLaunchers.gmk Wed May 27 14:33:35 2015 +0100
+++ b/make/CompileLaunchers.gmk Mon Mar 23 17:05:01 2015 +0000
@@ -427,7 +427,7 @@
# binary (at least on linux) which causes the size to differ between old and new build.
ifeq ($(USE_EXTERNAL_LIBZ), true)
UNPACKEXE_CFLAGS := -DSYSTEM_ZLIB
- UNPACKEXE_ZIPOBJS := -lz
+ UNPACKEXE_LIBS := -lz
else
UNPACKEXE_CFLAGS := -I$(JDK_TOPDIR)/src/share/native/java/util/zip/zlib-1.2.8
UNPACKEXE_ZIPOBJS := $(JDK_OUTPUTDIR)/objs/libzip/zcrc32$(OBJ_SUFFIX) \
@@ -490,7 +490,7 @@
$(call SET_SHARED_LIBRARY_ORIGIN), \
LDFLAGS_linux := -lc, \
LDFLAGS_solaris := $(UNPACKEXE_LDFLAGS_solaris) -lc, \
- LDFLAGS_SUFFIX := $(LIBCXX), \
+ LDFLAGS_SUFFIX := $(UNPACKEXE_LIBS) $(LIBCXX), \
OBJECT_DIR := $(JDK_OUTPUTDIR)/objs/unpackexe$(OUTPUT_SUBDIR), \
OUTPUT_DIR := $(JDK_OUTPUTDIR)/objs/unpackexe$(OUTPUT_SUBDIR), \
PROGRAM := unpack200, \
diff -r 3eab93411bc8 -r 8450ad6fa3f5 make/Setup.gmk
--- a/make/Setup.gmk Wed May 27 14:33:35 2015 +0100
+++ b/make/Setup.gmk Mon Mar 23 17:05:01 2015 +0000
@@ -27,7 +27,7 @@
# To build with all warnings enabled, do the following:
# make JAVAC_WARNINGS="-Xlint:all -Xmaxwarns 10000"
-JAVAC_WARNINGS := -Xlint:-unchecked,-deprecation,-overrides,auxiliaryclass,classfile,dep-ann,divzero,empty,try,varargs -Werror
+JAVAC_WARNINGS := -Xlint:-unchecked,-deprecation,-overrides,auxiliaryclass,classfile,dep-ann,divzero,empty,try,varargs $(JAVAC_WERROR)
# Any java code executed during a JDK build to build other parts of the JDK must be
# executed by the bootstrap JDK (probably with -Xbootclasspath/p: ) and for this
diff -r 3eab93411bc8 -r 8450ad6fa3f5 make/lib/Awt2dLibraries.gmk
--- a/make/lib/Awt2dLibraries.gmk Wed May 27 14:33:35 2015 +0100
+++ b/make/lib/Awt2dLibraries.gmk Mon Mar 23 17:05:01 2015 +0000
@@ -778,10 +778,10 @@
$(BUILD_LIBJAVAJPEG_CLOSED_INCLUDES) \
$(BUILD_LIBJAVAJPEG_HEADERS), \
MAPFILE := $(BUILD_LIBJAVAJPEG_MAPFILE), \
- LDFLAGS := $(LDFLAGS_JDKLIB) $(LIBJPEG_LIBS) \
+ LDFLAGS := $(LDFLAGS_JDKLIB) \
$(call SET_SHARED_LIBRARY_ORIGIN), \
LDFLAGS_windows := $(WIN_JAVA_LIB) jvm.lib, \
- LDFLAGS_SUFFIX := $(LDFLAGS_JDKLIB_SUFFIX), \
+ LDFLAGS_SUFFIX := $(LIBJPEG_LIBS) $(LDFLAGS_JDKLIB_SUFFIX), \
VERSIONINFO_RESOURCE := $(JDK_TOPDIR)/src/windows/resource/version.rc, \
RC_FLAGS := $(RC_FLAGS) \
-D "JDK_FNAME=javajpeg.dll" \
diff -r 3eab93411bc8 -r 8450ad6fa3f5 make/lib/NioLibraries.gmk
--- a/make/lib/NioLibraries.gmk Wed May 27 14:33:35 2015 +0100
+++ b/make/lib/NioLibraries.gmk Mon Mar 23 17:05:01 2015 +0000
@@ -170,10 +170,7 @@
ifeq (, $(filter $(OPENJDK_TARGET_OS), macosx aix))
# Suppress unused parameters required by exported JNI functions.
- SCTP_WERROR := -Werror -Wno-error=unused-parameter
- ifeq ($(OPENJDK_TARGET_CPU_ARCH), ppc)
- SCTP_WERROR :=
- endif
+ SCTP_WERROR := $(CFLAGS_WARNINGS_ARE_ERRORS)
$(eval $(call SetupNativeCompilation,BUILD_LIBSCTP, \
LIBRARY := sctp, \
diff -r 3eab93411bc8 -r 8450ad6fa3f5 make/lib/SoundLibraries.gmk
--- a/make/lib/SoundLibraries.gmk Wed May 27 14:33:35 2015 +0100
+++ b/make/lib/SoundLibraries.gmk Mon Mar 23 17:05:01 2015 +0000
@@ -172,6 +172,10 @@
LIBJSOUND_CFLAGS += -DX_ARCH=X_SH
endif
+ ifeq ($(OPENJDK_TARGET_CPU), ppc64le)
+ LIBJSOUND_CFLAGS += -DX_ARCH=X_PPC64LE
+ endif
+
ifeq ($(OPENJDK_TARGET_CPU), aarch64)
LIBJSOUND_CFLAGS += -DX_ARCH=X_AARCH64
endif
diff -r 3eab93411bc8 -r 8450ad6fa3f5 src/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java
--- a/src/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java Wed May 27 14:33:35 2015 +0100
+++ b/src/share/classes/com/sun/crypto/provider/DHKeyPairGenerator.java Mon Mar 23 17:05:01 2015 +0000
@@ -1,5 +1,6 @@
/*
* Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014 Red Hat Inc.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -80,10 +81,10 @@
* @param random the source of randomness
*/
public void initialize(int keysize, SecureRandom random) {
- if ((keysize < 512) || (keysize > 2048) || (keysize % 64 != 0)) {
+ if ((keysize < 512) || (keysize > 4096) || (keysize % 64 != 0)) {
throw new InvalidParameterException("Keysize must be multiple "
+ "of 64, and can only range "
- + "from 512 to 2048 "
+ + "from 512 to 4096 "
+ "(inclusive)");
}
this.pSize = keysize;
@@ -115,11 +116,11 @@
params = (DHParameterSpec)algParams;
pSize = params.getP().bitLength();
- if ((pSize < 512) || (pSize > 2048) ||
+ if ((pSize < 512) || (pSize > 4096) ||
(pSize % 64 != 0)) {
throw new InvalidAlgorithmParameterException
("Prime size must be multiple of 64, and can only range "
- + "from 512 to 2048 (inclusive)");
+ + "from 512 to 4096 (inclusive)");
}
// exponent size is optional, could be 0
diff -r 3eab93411bc8 -r 8450ad6fa3f5 src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java
--- a/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java Wed May 27 14:33:35 2015 +0100
+++ b/src/share/classes/com/sun/crypto/provider/DHParameterGenerator.java Mon Mar 23 17:05:01 2015 +0000
@@ -1,5 +1,6 @@
/*
* Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014 Red Hat Inc.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -60,11 +61,11 @@
private static void checkKeySize(int keysize)
throws InvalidAlgorithmParameterException {
- if ((keysize != 2048) &&
+ if ((keysize != 2048) && (keysize != 4096) &&
((keysize < 512) || (keysize > 1024) || (keysize % 64 != 0))) {
throw new InvalidAlgorithmParameterException(
"Keysize must be multiple of 64 ranging from "
- + "512 to 1024 (inclusive), or 2048");
+ + "512 to 1024 (inclusive), or 2048, or 4096");
}
}
diff -r 3eab93411bc8 -r 8450ad6fa3f5 src/share/classes/com/sun/crypto/provider/GHASH.java
--- a/src/share/classes/com/sun/crypto/provider/GHASH.java Wed May 27 14:33:35 2015 +0100
+++ b/src/share/classes/com/sun/crypto/provider/GHASH.java Mon Mar 23 17:05:01 2015 +0000
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015 Red Hat, Inc.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -28,9 +29,7 @@
package com.sun.crypto.provider;
-import java.util.Arrays;
-import java.security.*;
-import static com.sun.crypto.provider.AESConstants.AES_BLOCK_SIZE;
+import java.security.ProviderException;
/**
* This class represents the GHASH function defined in NIST 800-38D
@@ -44,62 +43,90 @@
*/
final class GHASH {
- private static final byte P128 = (byte) 0xe1; //reduction polynomial
-
- private static boolean getBit(byte[] b, int pos) {
- int p = pos / 8;
- pos %= 8;
- int i = (b[p] >>> (7 - pos)) & 1;
- return i != 0;
+ private static long getLong(byte[] buffer, int offset) {
+ long result = 0;
+ int end = offset + 8;
+ for (int i = offset; i < end; ++i) {
+ result = (result << 8) + (buffer[i] & 0xFF);
+ }
+ return result;
}
- private static void shift(byte[] b) {
- byte temp, temp2;
- temp2 = 0;
- for (int i = 0; i < b.length; i++) {
- temp = (byte) ((b[i] & 0x01) << 7);
- b[i] = (byte) ((b[i] & 0xff) >>> 1);
- b[i] = (byte) (b[i] | temp2);
- temp2 = temp;
+ private static void putLong(byte[] buffer, int offset, long value) {
+ int end = offset + 8;
+ for (int i = end - 1; i >= offset; --i) {
+ buffer[i] = (byte) value;
+ value >>= 8;
}
}
- // Given block X and Y, returns the muliplication of X * Y
- private static byte[] blockMult(byte[] x, byte[] y) {
- if (x.length != AES_BLOCK_SIZE || y.length != AES_BLOCK_SIZE) {
- throw new RuntimeException("illegal input sizes");
+ private static final int AES_BLOCK_SIZE = 16;
+
+ // Multiplies state0, state1 by V0, V1.
+ private void blockMult(long V0, long V1) {
+ long Z0 = 0;
+ long Z1 = 0;
+ long X;
+
+ // Separate loops for processing state0 and state1.
+ X = state0;
+ for (int i = 0; i < 64; i++) {
+ // Zi+1 = Zi if bit i of x is 0
+ long mask = X >> 63;
+ Z0 ^= V0 & mask;
+ Z1 ^= V1 & mask;
+
+ // Save mask for conditional reduction below.
+ mask = (V1 << 63) >> 63;
+
+ // V = rightshift(V)
+ long carry = V0 & 1;
+ V0 = V0 >>> 1;
+ V1 = (V1 >>> 1) | (carry << 63);
+
+ // Conditional reduction modulo P128.
+ V0 ^= 0xe100000000000000L & mask;
+ X <<= 1;
}
- byte[] z = new byte[AES_BLOCK_SIZE];
- byte[] v = y.clone();
- // calculate Z1-Z127 and V1-V127
- for (int i = 0; i < 127; i++) {
+
+ X = state1;
+ for (int i = 64; i < 127; i++) {
// Zi+1 = Zi if bit i of x is 0
- if (getBit(x, i)) {
- for (int n = 0; n < z.length; n++) {
- z[n] ^= v[n];
- }
- }
- boolean lastBitOfV = getBit(v, 127);
- shift(v);
- if (lastBitOfV) v[0] ^= P128;
+ long mask = X >> 63;
+ Z0 ^= V0 & mask;
+ Z1 ^= V1 & mask;
+
+ // Save mask for conditional reduction below.
+ mask = (V1 << 63) >> 63;
+
+ // V = rightshift(V)
+ long carry = V0 & 1;
+ V0 = V0 >>> 1;
+ V1 = (V1 >>> 1) | (carry << 63);
+
+ // Conditional reduction.
+ V0 ^= 0xe100000000000000L & mask;
+ X <<= 1;
}
+
// calculate Z128
- if (getBit(x, 127)) {
- for (int n = 0; n < z.length; n++) {
- z[n] ^= v[n];
- }
- }
- return z;
+ long mask = X >> 63;
+ Z0 ^= V0 & mask;
+ Z1 ^= V1 & mask;
+
+ // Save result.
+ state0 = Z0;
+ state1 = Z1;
}
// hash subkey H; should not change after the object has been constructed
- private final byte[] subkeyH;
+ private final long subkeyH0, subkeyH1;
// buffer for storing hash
- private byte[] state;
+ private long state0, state1;
// variables for save/restore calls
- private byte[] stateSave = null;
+ private long stateSave0, stateSave1;
/**
* Initializes the cipher in the specified mode with the given key
@@ -114,8 +141,8 @@
if ((subkeyH == null) || subkeyH.length != AES_BLOCK_SIZE) {
throw new ProviderException("Internal error");
}
- this.subkeyH = subkeyH;
- this.state = new byte[AES_BLOCK_SIZE];
+ this.subkeyH0 = getLong(subkeyH, 0);
+ this.subkeyH1 = getLong(subkeyH, 8);
}
/**
@@ -124,31 +151,33 @@
* this object for different data w/ the same H.
*/
void reset() {
- Arrays.fill(state, (byte) 0);
+ state0 = 0;
+ state1 = 0;
}
/**
* Save the current snapshot of this GHASH object.
*/
void save() {
- stateSave = state.clone();
+ stateSave0 = state0;
+ stateSave1 = state1;
}
/**
* Restores this object using the saved snapshot.
*/
void restore() {
- state = stateSave;
+ state0 = stateSave0;
+ state1 = stateSave1;
}
private void processBlock(byte[] data, int ofs) {
if (data.length - ofs < AES_BLOCK_SIZE) {
throw new RuntimeException("need complete block");
}
- for (int n = 0; n < state.length; n++) {
- state[n] ^= data[ofs + n];
- }
- state = blockMult(state, subkeyH);
+ state0 ^= getLong(data, ofs);
+ state1 ^= getLong(data, ofs + 8);
+ blockMult(subkeyH0, subkeyH1);
}
void update(byte[] in) {
@@ -169,10 +198,10 @@
}
byte[] digest() {
- try {
- return state.clone();
- } finally {
- reset();
- }
+ byte[] result = new byte[AES_BLOCK_SIZE];
+ putLong(result, 0, state0);
+ putLong(result, 8, state1);
+ reset();
+ return result;
}
}
diff -r 3eab93411bc8 -r 8450ad6fa3f5 src/share/classes/javax/swing/JMenu.java
--- a/src/share/classes/javax/swing/JMenu.java Wed May 27 14:33:35 2015 +0100
+++ b/src/share/classes/javax/swing/JMenu.java Mon Mar 23 17:05:01 2015 +0000
@@ -475,7 +475,8 @@
}
// Then the y:
y = s.height + yOffset; // Prefer dropping down
- if (position.y + y + pmSize.height >= screenBounds.height &&
+ if (position.y + y + pmSize.height >= screenBounds.height
+ + screenBounds.y &&
// popup doesn't fit - place it wherever there's more room
screenBounds.height - s.height < 2*(position.y
- screenBounds.y)) {
diff -r 3eab93411bc8 -r 8450ad6fa3f5 src/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java
--- a/src/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java Wed May 27 14:33:35 2015 +0100
+++ b/src/share/classes/sun/security/pkcs11/P11KeyPairGenerator.java Mon Mar 23 17:05:01 2015 +0000
@@ -278,11 +278,11 @@
// this restriction is in the spec for DSA
// since we currently use DSA parameters for DH as well,
// it also applies to DH if no parameters are specified
- if ((keySize != 2048) &&
+ if ((keySize != 2048) && (keySize != 4096) &&
((keySize > 1024) || ((keySize & 0x3f) != 0))) {
throw new InvalidAlgorithmParameterException(algorithm +
" key must be multiples of 64 if less than 1024 bits" +
- ", or 2048 bits");
+ ", or 2048 bits, or 4096 bits");
}
}
}
diff -r 3eab93411bc8 -r 8450ad6fa3f5 src/share/classes/sun/security/ssl/ClientHandshaker.java
--- a/src/share/classes/sun/security/ssl/ClientHandshaker.java Wed May 27 14:33:35 2015 +0100
+++ b/src/share/classes/sun/security/ssl/ClientHandshaker.java Mon Mar 23 17:05:01 2015 +0000
@@ -59,6 +59,10 @@
*/
final class ClientHandshaker extends Handshaker {
+ // constants for subject alt names of type DNS and IP
+ private final static int ALTNAME_DNS = 2;
+ private final static int ALTNAME_IP = 7;
+
// the server's public key from its certificate.
private PublicKey serverKey;
@@ -1490,20 +1494,49 @@
return true;
}
- // check the iPAddress field in subjectAltName extension
- Object thisIPAddress = getSubjectAltName(thisCert, 7); // 7: iPAddress
- Object prevIPAddress = getSubjectAltName(prevCert, 7);
- if (thisIPAddress != null && prevIPAddress!= null) {
- // only allow the exactly match
- return Objects.equals(thisIPAddress, prevIPAddress);
+ // check subject alternative names
+ Collection<List<?>> thisSubjectAltNames = null;
+ try {
+ thisSubjectAltNames = thisCert.getSubjectAlternativeNames();
+ } catch (CertificateParsingException cpe) {
+ if (debug != null && Debug.isOn("handshake")) {
+ System.out.println(
+ "Attempt to obtain subjectAltNames extension failed!");
+ }
}
- // check the dNSName field in subjectAltName extension
- Object thisDNSName = getSubjectAltName(thisCert, 2); // 2: dNSName
- Object prevDNSName = getSubjectAltName(prevCert, 2);
- if (thisDNSName != null && prevDNSName!= null) {
- // only allow the exactly match
- return Objects.equals(thisDNSName, prevDNSName);
+ Collection<List<?>> prevSubjectAltNames = null;
+ try {
+ prevSubjectAltNames = prevCert.getSubjectAlternativeNames();
+ } catch (CertificateParsingException cpe) {
+ if (debug != null && Debug.isOn("handshake")) {
+ System.out.println(
+ "Attempt to obtain subjectAltNames extension failed!");
+ }
+ }
+
+ if ((thisSubjectAltNames != null) && (prevSubjectAltNames != null)) {
+ // check the iPAddress field in subjectAltName extension
+ Collection<String> thisSubAltIPAddrs =
+ getSubjectAltNames(thisSubjectAltNames, ALTNAME_IP);
+ Collection<String> prevSubAltIPAddrs =
+ getSubjectAltNames(prevSubjectAltNames, ALTNAME_IP);
+ if ((thisSubAltIPAddrs != null) && (prevSubAltIPAddrs != null) &&
+ (isEquivalent(thisSubAltIPAddrs, prevSubAltIPAddrs))) {
+
+ return true;
+ }
+
+ // check the dNSName field in subjectAltName extension
+ Collection<String> thisSubAltDnsNames =
+ getSubjectAltNames(thisSubjectAltNames, ALTNAME_DNS);
+ Collection<String> prevSubAltDnsNames =
+ getSubjectAltNames(prevSubjectAltNames, ALTNAME_DNS);
+ if ((thisSubAltDnsNames != null) && (prevSubAltDnsNames != null) &&
+ (isEquivalent(thisSubAltDnsNames, prevSubAltDnsNames))) {
+
+ return true;
+ }
}
// check the certificate subject and issuer
@@ -1524,29 +1557,43 @@
/*
* Returns the subject alternative name of the specified type in the
* subjectAltNames extension of a certificate.
+ *
+ * Note that only those subjectAltName types that use String data
+ * should be passed into this function.
*/
- private static Object getSubjectAltName(X509Certificate cert, int type) {
- Collection<List<?>> subjectAltNames;
+ private static Collection<String> getSubjectAltNames(
+ Collection<List<?>> subjectAltNames, int type) {
- try {
- subjectAltNames = cert.getSubjectAlternativeNames();
- } catch (CertificateParsingException cpe) {
- if (debug != null && Debug.isOn("handshake")) {
- System.out.println(
- "Attempt to obtain subjectAltNames extension failed!");
- }
- return null;
- }
-
- if (subjectAltNames != null) {
- for (List<?> subjectAltName : subjectAltNames) {
- int subjectAltNameType = (Integer)subjectAltName.get(0);
- if (subjectAltNameType == type) {
- return subjectAltName.get(1);
+ HashSet<String> subAltDnsNames = null;
+ for (List<?> subjectAltName : subjectAltNames) {
+ int subjectAltNameType = (Integer)subjectAltName.get(0);
+ if (subjectAltNameType == type) {
+ String subAltDnsName = (String)subjectAltName.get(1);
+ if ((subAltDnsName != null) && !subAltDnsName.isEmpty()) {
+ if (subAltDnsNames == null) {
More information about the distro-pkg-dev
mailing list