archive/jdk
1
0
Fork 0
mirror of https://github.com/openjdk/jdk.git synced 2025-08-28 07:14:30 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge

Browse source
This commit is contained in:
Henry Jen 2019-01-15 10:55:26 -08:00
commit 776ef6a071
381 changed files with 8349 additions and 3043 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/java.base/share/classes/java/lang/Class.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 1994, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1994, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -3420,8 +3420,8 @@ public final class Class<T> implements java.io.Serializable,
StringBuilder sb = new StringBuilder();
sb.append(getName() + "." + name + "(");
if (argTypes != null) {
Stream.of(argTypes).map(c -> {return (c == null) ? "null" : c.getName();}).
collect(Collectors.joining(","));
sb.append(Stream.of(argTypes).map(c -> {return (c == null) ? "null" : c.getName();}).
collect(Collectors.joining(",")));
}
sb.append(")");
return sb.toString();

12
src/java.base/share/classes/java/lang/ClassLoader.java
View file

@ -1864,12 +1864,12 @@ public abstract class ClassLoader {
* <p> The default system class loader is an implementation-dependent
* instance of this class.
*
* <p> If the system property "{@code java.system.class.loader}" is defined
* when this method is first invoked then the value of that property is
* taken to be the name of a class that will be returned as the system
* class loader. The class is loaded using the default system class loader
* and must define a public constructor that takes a single parameter of
* type {@code ClassLoader} which is used as the delegation parent. An
* <p> If the system property "{@systemProperty java.system.class.loader}"
* is defined when this method is first invoked then the value of that
* property is taken to be the name of a class that will be returned as the
* system class loader. The class is loaded using the default system class
* loader and must define a public constructor that takes a single parameter
* of type {@code ClassLoader} which is used as the delegation parent. An
* instance is then created using this constructor with the default system
* class loader as the parameter. The resulting class loader is defined
* to be the system class loader. During construction, the class loader

120
src/java.base/share/classes/java/lang/String.java
View file

@ -664,7 +664,7 @@ public final class String
* object.
*/
public int length() {
return isLatin1() ? value.length : value.length >> UTF16;
return value.length >> coder();
}
/**
@ -2813,8 +2813,7 @@ public final class String
* lines are then concatenated and returned.
* <p>
* If {@code n > 0} then {@code n} spaces (U+0020) are inserted at the
* beginning of each line. {@link String#isBlank() Blank lines} are
* unaffected.
* beginning of each line.
* <p>
* If {@code n < 0} then up to {@code n}
* {@link Character#isWhitespace(int) white space characters} are removed
@ -2849,7 +2848,7 @@ public final class String
: lines();
if (n > 0) {
final String spaces = " ".repeat(n);
stream = stream.map(s -> s.isBlank() ? s : spaces + s);
stream = stream.map(s -> spaces + s);
} else if (n == Integer.MIN_VALUE) {
stream = stream.map(s -> s.stripLeading());
} else if (n < 0) {
@ -2868,120 +2867,13 @@ public final class String
: StringUTF16.lastIndexOfNonWhitespace(value);
}
/**
* Removes vertical and horizontal white space margins from around the
* essential body of a multi-line string, while preserving relative
* indentation.
* <p>
* This string is first conceptually separated into lines as if by
* {@link String#lines()}.
* <p>
* Then, the <i>minimum indentation</i> (min) is determined as follows. For
* each non-blank line (as defined by {@link String#isBlank()}), the
* leading {@link Character#isWhitespace(int) white space} characters are
* counted. The <i>min</i> value is the smallest of these counts.
* <p>
* For each non-blank line, <i>min</i> leading white space characters are
* removed. Each white space character is treated as a single character. In
* particular, the tab character {@code "\t"} (U+0009) is considered a
* single character; it is not expanded.
* <p>
* Leading and trailing blank lines, if any, are removed. Trailing spaces are
* preserved.
* <p>
* Each line is suffixed with a line feed character {@code "\n"} (U+000A).
* <p>
* Finally, the lines are concatenated into a single string and returned.
*
* @apiNote
* This method's primary purpose is to shift a block of lines as far as
* possible to the left, while preserving relative indentation. Lines
* that were indented the least will thus have no leading white space.
*
* Example:
* <blockquote><pre>
* `
* This is the first line
* This is the second line
* `.align();
*
* returns
* This is the first line
* This is the second line
* </pre></blockquote>
*
* @return string with margins removed and line terminators normalized
*
* @see String#lines()
* @see String#isBlank()
* @see String#indent(int)
* @see Character#isWhitespace(int)
*
* @since 12
*/
public String align() {
return align(0);
}
/**
* Removes vertical and horizontal white space margins from around the
* essential body of a multi-line string, while preserving relative
* indentation and with optional indentation adjustment.
* <p>
* Invoking this method is equivalent to:
* <blockquote>
* {@code this.align().indent(n)}
* </blockquote>
*
* @apiNote
* Examples:
* <blockquote><pre>
* `
* This is the first line
* This is the second line
* `.align(0);
*
* returns
* This is the first line
* This is the second line
*
*
* `
* This is the first line
* This is the second line
* `.align(4);
* returns
* This is the first line
* This is the second line
* </pre></blockquote>
*
* @param n number of leading white space characters
* to add or remove
*
* @return string with margins removed, indentation adjusted and
* line terminators normalized
*
* @see String#align()
*
* @since 12
*/
public String align(int n) {
if (isEmpty()) {
return "";
}
int outdent = lines().filter(not(String::isBlank))
.mapToInt(String::indexOfNonWhitespace)
.min()
.orElse(0);
// overflow-conscious code
int indent = n - outdent;
return indent(indent > n ? Integer.MIN_VALUE : indent, true);
}
/**
* This method allows the application of a function to {@code this}
* string. The function should expect a single String argument
* and produce an {@code R} result.
* <p>
* Any exception thrown by {@code f()} will be propagated to the
* caller.
*
* @param f functional interface to a apply
*

12
src/java.base/share/classes/java/lang/constant/ClassDesc.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -97,7 +97,10 @@ public interface ClassDesc
*/
static ClassDesc of(String packageName, String className) {
ConstantUtils.validateBinaryClassName(requireNonNull(packageName));
validateMemberName(requireNonNull(className));
if (packageName.isEmpty()) {
return of(className);
}
validateMemberName(requireNonNull(className), false);
return ofDescriptor(String.format("L%s%s%s;",
binaryToInternal(packageName),
(packageName.length() > 0 ? "/" : ""),
@ -130,6 +133,9 @@ public interface ClassDesc
*/
static ClassDesc ofDescriptor(String descriptor) {
requireNonNull(descriptor);
if (descriptor.isEmpty()) {
throw new IllegalArgumentException(String.format("not a valid reference type descriptor: %s", descriptor));
}
int depth = ConstantUtils.arrayDepth(descriptor);
if (depth > ConstantUtils.MAX_ARRAY_TYPE_DESC_DIMENSIONS) {
throw new IllegalArgumentException(String.format("Cannot create an array type descriptor with more than %d dimensions",
@ -192,7 +198,7 @@ public interface ClassDesc
* @throws IllegalArgumentException if the nested class name is invalid
*/
default ClassDesc nested(String nestedName) {
validateMemberName(nestedName);
validateMemberName(nestedName, false);
if (!isClassOrInterface())
throw new IllegalStateException("Outer class is not a class or interface type");
return ClassDesc.ofDescriptor(String.format("%s$%s;", dropLastChar(descriptorString()), nestedName));

114
src/java.base/share/classes/java/lang/constant/ConstantUtils.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -65,7 +65,7 @@ class ConstantUtils {
* @return the name passed if valid
* @throws IllegalArgumentException if the member name is invalid
*/
public static String validateMemberName(String name) {
public static String validateMemberName(String name, boolean method) {
requireNonNull(name);
if (name.length() == 0)
throw new IllegalArgumentException("zero-length member name");
@ -73,7 +73,7 @@ class ConstantUtils {
char ch = name.charAt(i);
if (ch == '.' || ch == ';' || ch == '[' || ch == '/')
throw new IllegalArgumentException("Invalid member name: " + name);
if (ch == '<' || ch == '>') {
if (method && (ch == '<' || ch == '>')) {
if (!pointyNames.contains(name))
throw new IllegalArgumentException("Invalid member name: " + name);
}
@ -126,8 +126,8 @@ class ConstantUtils {
++cur; // skip '('
while (cur < end && descriptor.charAt(cur) != ')') {
int len = matchSig(descriptor, cur, end);
if (len == 0 || descriptor.charAt(cur) == 'V')
int len = skipOverFieldSignature(descriptor, cur, end, false);
if (len == 0)
throw new IllegalArgumentException("Bad method descriptor: " + descriptor);
ptypes.add(descriptor.substring(cur, cur + len));
cur += len;
@ -136,41 +136,103 @@ class ConstantUtils {
throw new IllegalArgumentException("Bad method descriptor: " + descriptor);
++cur; // skip ')'
int rLen = matchSig(descriptor, cur, end);
int rLen = skipOverFieldSignature(descriptor, cur, end, true);
if (rLen == 0 || cur + rLen != end)
throw new IllegalArgumentException("Bad method descriptor: " + descriptor);
ptypes.add(0, descriptor.substring(cur, cur + rLen));
return ptypes;
}
private static final char JVM_SIGNATURE_ARRAY = '[';
private static final char JVM_SIGNATURE_BYTE = 'B';
private static final char JVM_SIGNATURE_CHAR = 'C';
private static final char JVM_SIGNATURE_CLASS = 'L';
private static final char JVM_SIGNATURE_ENDCLASS = ';';
private static final char JVM_SIGNATURE_ENUM = 'E';
private static final char JVM_SIGNATURE_FLOAT = 'F';
private static final char JVM_SIGNATURE_DOUBLE = 'D';
private static final char JVM_SIGNATURE_FUNC = '(';
private static final char JVM_SIGNATURE_ENDFUNC = ')';
private static final char JVM_SIGNATURE_INT = 'I';
private static final char JVM_SIGNATURE_LONG = 'J';
private static final char JVM_SIGNATURE_SHORT = 'S';
private static final char JVM_SIGNATURE_VOID = 'V';
private static final char JVM_SIGNATURE_BOOLEAN = 'Z';
/**
* Validates that the characters at [start, end) within the provided string
* describe a valid field type descriptor.
*
* @param str the descriptor string
* @param descriptor the descriptor string
* @param start the starting index into the string
* @param end the ending index within the string
* @param voidOK is void acceptable?
* @return the length of the descriptor, or 0 if it is not a descriptor
* @throws IllegalArgumentException if the descriptor string is not valid
*/
static int matchSig(String str, int start, int end) {
if (start >= end || start >= str.length() || end > str.length())
return 0;
char c = str.charAt(start);
if (c == 'L') {
int endc = str.indexOf(';', start);
int badc = str.indexOf('.', start);
if (badc >= 0 && badc < endc)
return 0;
badc = str.indexOf('[', start);
if (badc >= 0 && badc < endc)
return 0;
return (endc < 0) ? 0 : endc - start + 1;
} else if (c == '[') {
int t = matchSig(str, start+1, end);
return (t > 0) ? t + 1 : 0;
} else {
return ("IJCSBFDZV".indexOf(c) >= 0) ? 1 : 0;
@SuppressWarnings("fallthrough")
static int skipOverFieldSignature(String descriptor, int start, int end, boolean voidOK) {
int arrayDim = 0;
int index = start;
while (index < end) {
switch (descriptor.charAt(index)) {
case JVM_SIGNATURE_VOID: if (!voidOK) { return index; }
case JVM_SIGNATURE_BOOLEAN:
case JVM_SIGNATURE_BYTE:
case JVM_SIGNATURE_CHAR:
case JVM_SIGNATURE_SHORT:
case JVM_SIGNATURE_INT:
case JVM_SIGNATURE_FLOAT:
case JVM_SIGNATURE_LONG:
case JVM_SIGNATURE_DOUBLE:
return index - start + 1;
case JVM_SIGNATURE_CLASS:
// Skip leading 'L' and ignore first appearance of ';'
index++;
int indexOfSemi = descriptor.indexOf(';', index);
if (indexOfSemi != -1) {
String unqualifiedName = descriptor.substring(index, indexOfSemi);
boolean legal = verifyUnqualifiedClassName(unqualifiedName);
if (!legal) {
return 0;
}
return index - start + unqualifiedName.length() + 1;
}
return 0;
case JVM_SIGNATURE_ARRAY:
arrayDim++;
if (arrayDim > MAX_ARRAY_TYPE_DESC_DIMENSIONS) {
throw new IllegalArgumentException(String.format("Cannot create an array type descriptor with more than %d dimensions",
ConstantUtils.MAX_ARRAY_TYPE_DESC_DIMENSIONS));
}
// The rest of what's there better be a legal descriptor
index++;
voidOK = false;
break;
default:
return 0;
}
}
return 0;
}
static boolean verifyUnqualifiedClassName(String name) {
for (int index = 0; index < name.length(); index++) {
char ch = name.charAt(index);
if (ch < 128) {
if (ch == '.' || ch == ';' || ch == '[' ) {
return false; // do not permit '.', ';', or '['
}
if (ch == '/') {
// check for '//' or leading or trailing '/' which are not legal
// unqualified name must not be empty
if (index == 0 || index + 1 >= name.length() || name.charAt(index + 1) == '/') {
return false;
}
}
} else {
index ++;
}
}
return true;
}
}

4
src/java.base/share/classes/java/lang/constant/DirectMethodHandleDescImpl.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -68,7 +68,7 @@ final class DirectMethodHandleDescImpl implements DirectMethodHandleDesc {
requireNonNull(kind);
validateClassOrInterface(requireNonNull(owner));
validateMemberName(requireNonNull(name));
validateMemberName(requireNonNull(name), true);
requireNonNull(type);
switch (kind) {

4
src/java.base/share/classes/java/lang/constant/DynamicCallSiteDesc.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -75,7 +75,7 @@ public class DynamicCallSiteDesc {
String invocationName,
MethodTypeDesc invocationType,
ConstantDesc[] bootstrapArgs) {
this.invocationName = validateMemberName(requireNonNull(invocationName));
this.invocationName = validateMemberName(requireNonNull(invocationName), true);
this.invocationType = requireNonNull(invocationType);
this.bootstrapMethod = requireNonNull(bootstrapMethod);
this.bootstrapArgs = requireNonNull(bootstrapArgs.clone());

4
src/java.base/share/classes/java/lang/constant/DynamicConstantDesc.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -96,7 +96,7 @@ public abstract class DynamicConstantDesc<T>
ClassDesc constantType,
ConstantDesc... bootstrapArgs) {
this.bootstrapMethod = requireNonNull(bootstrapMethod);
this.constantName = validateMemberName(requireNonNull(constantName));
this.constantName = validateMemberName(requireNonNull(constantName), true);
this.constantType = requireNonNull(constantType);
this.bootstrapArgs = requireNonNull(bootstrapArgs).clone();

4
src/java.base/share/classes/java/lang/constant/ReferenceClassDescImpl.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2018, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -49,7 +49,7 @@ final class ReferenceClassDescImpl implements ClassDesc {
*/
ReferenceClassDescImpl(String descriptor) {
requireNonNull(descriptor);
int len = ConstantUtils.matchSig(descriptor, 0, descriptor.length());
int len = ConstantUtils.skipOverFieldSignature(descriptor, 0, descriptor.length(), false);
if (len == 0 || len == 1
|| len != descriptor.length())
throw new IllegalArgumentException(String.format("not a valid reference type descriptor: %s", descriptor));

31
src/java.base/share/classes/java/lang/invoke/VarHandle.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2014, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2014, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -1864,35 +1864,6 @@ public abstract class VarHandle implements Constable {
}
}
/**
* Compare this {@linkplain VarHandle} with another object for equality.
* Two {@linkplain VarHandle}s are considered equal if they both describe the
* same instance field, both describe the same static field, both describe
* array elements for arrays with the same component type, or both describe
* the same component of an off-heap structure.
*
* @param o the other object
* @return Whether this {@linkplain VarHandle} is equal to the other object
*/
@Override
public final boolean equals(Object o) {
if (this == o) return true;
if (o == null || getClass() != o.getClass()) return false;
VarHandle that = (VarHandle) o;
return accessModeType(AccessMode.GET).equals(that.accessModeType(AccessMode.GET)) &&
internalEquals(that);
}
abstract boolean internalEquals(VarHandle vh);
@Override
public final int hashCode() {
return 31 * accessModeType(AccessMode.GET).hashCode() + internalHashCode();
}
abstract int internalHashCode();
/**
* Returns a compact textual description of this {@linkplain VarHandle},
* including the type of variable described, and a description of its coordinates.

38
src/java.base/share/classes/java/lang/invoke/X-VarHandle.java.template
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -63,17 +63,6 @@ final class VarHandle$Type$s {
return accessMode.at.accessModeType(receiverType, {#if[Object]?fieldType:$type$.class});
}
@Override
final boolean internalEquals(VarHandle vh) {
FieldInstanceReadOnly that = (FieldInstanceReadOnly) vh;
return fieldOffset == that.fieldOffset;
}
@Override
final int internalHashCode() {
return Long.hashCode(fieldOffset);
}
@Override
public Optional<VarHandleDesc> describeConstable() {
var receiverTypeRef = receiverType.describeConstable();
@ -349,17 +338,6 @@ final class VarHandle$Type$s {
#end[Object]
}
@Override
final boolean internalEquals(VarHandle vh) {
FieldStaticReadOnly that = (FieldStaticReadOnly) vh;
return base == that.base && fieldOffset == that.fieldOffset;
}
@Override
final int internalHashCode() {
return 31 * Long.hashCode(fieldOffset) + base.hashCode();
}
@Override
public Optional<VarHandleDesc> describeConstable() {
var fieldTypeRef = {#if[Object]?fieldType:$type$.class}.describeConstable();
@ -639,20 +617,6 @@ final class VarHandle$Type$s {
#end[Object]
}
@Override
final boolean internalEquals(VarHandle vh) {
// Equality of access mode types of AccessMode.GET is sufficient for
// equality checks
return true;
}
@Override
final int internalHashCode() {
// The hash code of the access mode types of AccessMode.GET is
// sufficient for hash code generation
return 0;
}
@Override
public Optional<VarHandleDesc> describeConstable() {
var arrayTypeRef = {#if[Object]?arrayType:$type$[].class}.describeConstable();

13
src/java.base/share/classes/java/lang/invoke/X-VarHandleByteArrayView.java.template
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -67,17 +67,6 @@ final class VarHandleByteArrayAs$Type$s extends VarHandleByteArrayBase {
super(form);
this.be = be;
}
@Override
final boolean internalEquals(VarHandle vh) {
ByteArrayViewVarHandle that = (ByteArrayViewVarHandle) vh;
return be == that.be;
}
@Override
final int internalHashCode() {
return Boolean.hashCode(be);
}
}
static final class ArrayHandle extends ByteArrayViewVarHandle {

2
src/java.base/share/classes/java/net/URL.java
View file

@ -304,7 +304,7 @@ public final class URL implements java.io.Serializable {
* or all providers have been exhausted.
* <li>If the previous step fails to find a protocol handler, the
* constructor reads the value of the system property:
* <blockquote>{@code
* <blockquote>{@systemProperty
* java.protocol.handler.pkgs
* }</blockquote>
* If the value of that system property is not {@code null},

19
src/java.base/share/classes/java/security/AccessController.java
View file

@ -709,6 +709,13 @@ public final class AccessController {
return context;
}
/**
* The value needs to be physically located in the frame, so that it
* can be found by a stack walk.
*/
@Hidden
private static native void ensureMaterializedForStackWalk(Object o);
/**
* Sanity check that the caller context is indeed privileged.
*
@ -734,6 +741,11 @@ public final class AccessController {
AccessControlContext context,
Class<?> caller)
{
// Ensure context has a physical value in the frame
if (context != null) {
ensureMaterializedForStackWalk(context);
}
assert isPrivileged(); // sanity check invariant
T result = action.run();
assert isPrivileged(); // sanity check invariant
@ -742,7 +754,6 @@ public final class AccessController {
// retrieved by getStackAccessControlContext().
Reference.reachabilityFence(context);
Reference.reachabilityFence(caller);
Reference.reachabilityFence(action);
return result;
}
@ -761,6 +772,11 @@ public final class AccessController {
Class<?> caller)
throws Exception
{
// Ensure context has a physical value in the frame
if (context != null) {
ensureMaterializedForStackWalk(context);
}
assert isPrivileged(); // sanity check invariant
T result = action.run();
assert isPrivileged(); // sanity check invariant
@ -769,7 +785,6 @@ public final class AccessController {
// retrieved by getStackAccessControlContext().
Reference.reachabilityFence(context);
Reference.reachabilityFence(caller);
Reference.reachabilityFence(action);
return result;
}

4
src/java.base/share/classes/java/time/chrono/JapaneseEra.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2012, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2012, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -94,7 +94,7 @@ import sun.util.calendar.CalendarDate;
* dates before Meiji 6, January 1 are not supported.
* The number of the valid eras may increase, as new eras may be
* defined by the Japanese government. Once an era is defined,
* subsequent versions of this class will add a singleton instance
* future versions of the platform may add a singleton instance
* for it. The defined era is expected to have a consecutive integer
* associated with it.
*

2
src/java.base/share/classes/java/time/zone/ZoneRulesProvider.java
View file

@ -99,7 +99,7 @@ import java.util.Collections;
* <p>
* The Java virtual machine has a default provider that provides zone rules
* for the time-zones defined by IANA Time Zone Database (TZDB). If the system
* property {@code java.time.zone.DefaultZoneRulesProvider} is defined then
* property {@systemProperty java.time.zone.DefaultZoneRulesProvider} is defined then
* it is taken to be the fully-qualified name of a concrete ZoneRulesProvider
* class to be loaded as the default provider, using the system class loader.
* If this system property is not defined, a system-default provider will be

2
src/java.base/share/classes/java/util/Currency.java
View file

@ -60,7 +60,7 @@ import sun.util.logging.PlatformLogger;
* the <code>getInstance</code> methods.
* <p>
* Users can supersede the Java runtime currency data by means of the system
* property {@code java.util.currency.data}. If this system property is
* property {@systemProperty java.util.currency.data}. If this system property is
* defined then its value is the location of a properties file, the contents of
* which are key/value pairs of the ISO 3166 country codes and the ISO 4217
* currency data respectively. The value part consists of three ISO 4217 values

2
src/java.base/share/classes/java/util/PropertyResourceBundle.java
View file

@ -115,7 +115,7 @@ import sun.util.ResourceBundleEnumeration;
* input stream, then the {@code PropertyResourceBundle} instance resets to the state
* before the exception, re-reads the input stream in {@code ISO-8859-1}, and
* continues reading. If the system property
* {@code java.util.PropertyResourceBundle.encoding} is set to either
* {@systemProperty java.util.PropertyResourceBundle.encoding} is set to either
* "ISO-8859-1" or "UTF-8", the input stream is solely read in that encoding,
* and throws the exception if it encounters an invalid sequence.
* If "ISO-8859-1" is specified, characters that cannot be represented in

23
src/java.base/share/classes/java/util/jar/Manifest.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -58,14 +58,10 @@ public class Manifest implements Cloneable {
// associated JarVerifier, not null when called by JarFile::getManifest.
private final JarVerifier jv;
// name of the corresponding jar archive if available.
private final String jarFilename;
/**
* Constructs a new, empty Manifest.
*/
public Manifest() {
jarFilename = null;
jv = null;
}
@ -84,7 +80,7 @@ public class Manifest implements Cloneable {
*
* @param is the input stream containing manifest data
* @param jarFilename the name of the corresponding jar archive if available
* @throws IOException if an I/O error has occured
* @throws IOException if an I/O error has occurred
*/
Manifest(InputStream is, String jarFilename) throws IOException {
this(null, is, jarFilename);
@ -93,10 +89,14 @@ public class Manifest implements Cloneable {
/**
* Constructs a new Manifest from the specified input stream
* and associates it with a JarVerifier.
*
* @param jv the JarVerifier to use
* @param is the input stream containing manifest data
* @param jarFilename the name of the corresponding jar archive if available
* @throws IOException if an I/O error has occurred
*/
Manifest(JarVerifier jv, InputStream is, String jarFilename) throws IOException {
read(is);
this.jarFilename = jarFilename;
read(is, jarFilename);
this.jv = jv;
}
@ -108,7 +108,6 @@ public class Manifest implements Cloneable {
public Manifest(Manifest man) {
attr.putAll(man.getMainAttributes());
entries.putAll(man.getEntries());
jarFilename = null;
jv = man.jv;
}
@ -250,6 +249,10 @@ public class Manifest implements Cloneable {
* @exception IOException if an I/O error has occurred
*/
public void read(InputStream is) throws IOException {
read(is, null);
}
private void read(InputStream is, String jarFilename) throws IOException {
// Buffered input stream for reading manifest data
FastInputStream fis = new FastInputStream(is);
// Line buffer
@ -285,7 +288,7 @@ public class Manifest implements Cloneable {
if (name == null) {
name = parseName(lbuf, len);
if (name == null) {
throw new IOException("invalid manifest format"
throw new IOException("invalid manifest format ("
+ getErrorPosition(jarFilename, lineNumber) + ")");
}
if (fis.peek() == ' ') {

4
src/java.base/share/classes/java/util/jar/Pack200.java
View file

@ -112,7 +112,7 @@ public abstract class Pack200 {
/**
* Obtain new instance of a class that implements Packer.
* <ul>
* <li><p>If the system property {@code java.util.jar.Pack200.Packer}
* <li><p>If the system property {@systemProperty java.util.jar.Pack200.Packer}
* is defined, then the value is taken to be the fully-qualified name
* of a concrete implementation class, which must implement Packer.
* This class is loaded and instantiated. If this process fails
@ -138,7 +138,7 @@ public abstract class Pack200 {
/**
* Obtain new instance of a class that implements Unpacker.
* <ul>
* <li><p>If the system property {@code java.util.jar.Pack200.Unpacker}
* <li><p>If the system property {@systemProperty java.util.jar.Pack200.Unpacker}
* is defined, then the value is taken to be the fully-qualified
* name of a concrete implementation class, which must implement Unpacker.
* The class is loaded and instantiated. If this process fails

2
src/java.base/share/classes/java/util/spi/LocaleServiceProvider.java
View file

@ -113,7 +113,7 @@ import java.util.Locale;
* described above as if the locale was not supported.
* <p>
* The search order of locale sensitive services can
* be configured by using the "java.locale.providers" system property.
* be configured by using the {@systemProperty java.locale.providers} system property.
* This system property declares the user's preferred order for looking up
* the locale sensitive services separated by a comma. It is only read at
* the Java runtime startup, so the later call to System.setProperty() won't

4
src/java.base/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2002, 2017, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2002, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -770,7 +770,7 @@ public class DistributionPointFetcher {
*
* In practice, conforming CAs MUST use the key identifier method,
* and MUST include authority key identifier extension in all CRLs
* issued. [section 5.2.1, RFC 2459]
* issued. [section 5.2.1, RFC 5280]
*/
AuthorityKeyIdentifierExtension crlAKID = crl.getAuthKeyIdExtension();
issuerSelector.setSkiAndSerialNumber(crlAKID);

4
src/java.base/share/classes/sun/security/provider/certpath/ForwardBuilder.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -668,7 +668,7 @@ class ForwardBuilder extends Builder {
* Verifies a matching certificate.
*
* This method executes the validation steps in the PKIX path
* validation algorithm <draft-ietf-pkix-new-part1-08.txt> which were
* validation algorithm, RFC 5280, which were
* not satisfied by the selection criteria used by getCertificates()
* to find the certs and only the steps that can be executed in a
* forward direction (target to trust anchor). Those steps that can

26
src/java.base/share/classes/sun/security/ssl/Alert.java
View file

@ -122,11 +122,17 @@ enum Alert {
reason = (cause != null) ? cause.getMessage() : "";
}
SSLException ssle = (this == UNEXPECTED_MESSAGE) ?
new SSLProtocolException(reason) :
(handshakeOnly ?
new SSLHandshakeException(reason) :
new SSLException(reason));
SSLException ssle;
if ((cause != null) && (cause instanceof IOException)) {
ssle = new SSLException(reason);
} else if ((this == UNEXPECTED_MESSAGE)) {
ssle = new SSLProtocolException(reason);
} else if (handshakeOnly) {
ssle = new SSLHandshakeException(reason);
} else {
ssle = new SSLException(reason);
}
if (cause != null) {
ssle.initCause(cause);
}
@ -187,7 +193,7 @@ enum Alert {
// AlertDescription description;
// } Alert;
if (m.remaining() != 2) {
context.fatal(Alert.ILLEGAL_PARAMETER,
throw context.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid Alert message: no sufficient data");
}
@ -241,14 +247,14 @@ enum Alert {
if (tc.peerUserCanceled) {
tc.closeOutbound();
} else if (tc.handshakeContext != null) {
tc.fatal(Alert.UNEXPECTED_MESSAGE,
throw tc.fatal(Alert.UNEXPECTED_MESSAGE,
"Received close_notify during handshake");
}
} else if (alert == Alert.USER_CANCELED) {
if (level == Level.WARNING) {
tc.peerUserCanceled = true;
} else {
tc.fatal(alert,
throw tc.fatal(alert,
"Received fatal close_notify alert", true, null);
}
} else if ((level == Level.WARNING) && (alert != null)) {
@ -263,7 +269,7 @@ enum Alert {
alert != Alert.NO_CERTIFICATE ||
(tc.sslConfig.clientAuthType !=
ClientAuthType.CLIENT_AUTH_REQUESTED)) {
tc.fatal(Alert.HANDSHAKE_FAILURE,
throw tc.fatal(Alert.HANDSHAKE_FAILURE,
"received handshake warning: " + alert.description);
} // Otherwise, ignore the warning
} // Otherwise, ignore the warning.
@ -276,7 +282,7 @@ enum Alert {
diagnostic = "Received fatal alert: " + alert.description;
}
tc.fatal(alert, diagnostic, true, null);
throw tc.fatal(alert, diagnostic, true, null);
}
}
}

29
src/java.base/share/classes/sun/security/ssl/AlpnExtension.java
View file

@ -174,7 +174,8 @@ final class AlpnExtension {
SSLLogger.severe(
"Application protocol name cannot be empty");
}
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Application protocol name cannot be empty");
}
@ -189,7 +190,8 @@ final class AlpnExtension {
") exceeds the size limit (" +
MAX_AP_LENGTH + " bytes)");
}
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Application protocol name (" + ap +
") exceeds the size limit (" +
MAX_AP_LENGTH + " bytes)");
@ -204,7 +206,8 @@ final class AlpnExtension {
") exceed the size limit (" +
MAX_AP_LIST_LENGTH + " bytes)");
}
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"The configured application protocols (" +
Arrays.toString(laps) +
") exceed the size limit (" +
@ -283,8 +286,7 @@ final class AlpnExtension {
try {
spec = new AlpnSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@ -302,7 +304,7 @@ final class AlpnExtension {
}
if (!matched) {
shc.conContext.fatal(Alert.NO_APPLICATION_PROTOCOL,
throw shc.conContext.fatal(Alert.NO_APPLICATION_PROTOCOL,
"No matching application layer protocol values");
}
} // Otherwise, applicationProtocol will be set by the
@ -379,7 +381,8 @@ final class AlpnExtension {
if ((shc.applicationProtocol == null) ||
(!shc.applicationProtocol.isEmpty() &&
!alps.contains(shc.applicationProtocol))) {
shc.conContext.fatal(Alert.NO_APPLICATION_PROTOCOL,
throw shc.conContext.fatal(
Alert.NO_APPLICATION_PROTOCOL,
"No matching application layer protocol values");
}
}
@ -391,7 +394,8 @@ final class AlpnExtension {
if ((shc.applicationProtocol == null) ||
(!shc.applicationProtocol.isEmpty() &&
!alps.contains(shc.applicationProtocol))) {
shc.conContext.fatal(Alert.NO_APPLICATION_PROTOCOL,
throw shc.conContext.fatal(
Alert.NO_APPLICATION_PROTOCOL,
"No matching application layer protocol values");
}
}
@ -454,7 +458,7 @@ final class AlpnExtension {
if (requestedAlps == null ||
requestedAlps.applicationProtocols == null ||
requestedAlps.applicationProtocols.isEmpty()) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected " + SSLExtension.CH_ALPN.name + " extension");
}
@ -463,13 +467,12 @@ final class AlpnExtension {
try {
spec = new AlpnSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Only one application protocol is allowed.
if (spec.applicationProtocols.size() != 1) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid " + SSLExtension.CH_ALPN.name + " extension: " +
"Only one application protocol name " +
"is allowed in ServerHello message");
@ -478,7 +481,7 @@ final class AlpnExtension {
// The respond application protocol must be one of the requested.
if (!requestedAlps.applicationProtocols.containsAll(
spec.applicationProtocols)) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid " + SSLExtension.CH_ALPN.name + " extension: " +
"Only client specified application protocol " +
"is allowed in ServerHello message");

6
src/java.base/share/classes/sun/security/ssl/CertSignAlgsExtension.java
View file

@ -153,8 +153,7 @@ final class CertSignAlgsExtension {
try {
spec = new SignatureSchemesSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@ -297,8 +296,7 @@ final class CertSignAlgsExtension {
try {
spec = new SignatureSchemesSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.

21
src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java
View file

@ -606,8 +606,7 @@ final class CertStatusExtension {
try {
spec = new CertStatusRequestSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@ -711,13 +710,13 @@ final class CertStatusExtension {
CertStatusRequestSpec requestedCsr = (CertStatusRequestSpec)
chc.handshakeExtensions.get(CH_STATUS_REQUEST);
if (requestedCsr == null) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected status_request extension in ServerHello");
}
// Parse the extension.
if (buffer.hasRemaining()) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid status_request extension in ServerHello message: " +
"the extension data must be empty");
}
@ -964,8 +963,7 @@ final class CertStatusExtension {
try {
spec = new CertStatusRequestV2Spec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@ -1067,13 +1065,13 @@ final class CertStatusExtension {
CertStatusRequestV2Spec requestedCsr = (CertStatusRequestV2Spec)
chc.handshakeExtensions.get(CH_STATUS_REQUEST_V2);
if (requestedCsr == null) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected status_request_v2 extension in ServerHello");
}
// Parse the extension.
if (buffer.hasRemaining()) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid status_request_v2 extension in ServerHello: " +
"the extension data must be empty");
}
@ -1157,10 +1155,10 @@ final class CertStatusExtension {
respBytes);
producedData = certResp.toByteArray();
} catch (CertificateException ce) {
shc.conContext.fatal(Alert.BAD_CERTIFICATE,
throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Failed to parse server certificates", ce);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.BAD_CERT_STATUS_RESPONSE,
throw shc.conContext.fatal(Alert.BAD_CERT_STATUS_RESPONSE,
"Failed to parse certificate status response", ioe);
}
@ -1188,8 +1186,7 @@ final class CertStatusExtension {
try {
spec = new CertStatusResponseSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.DECODE_ERROR, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.DECODE_ERROR, ioe);
}
if (chc.sslContext.isStaplingEnabled(true)) {

51
src/java.base/share/classes/sun/security/ssl/CertificateMessage.java
View file

@ -111,10 +111,10 @@ final class CertificateMessage {
encodedCerts.add(cert.getEncoded());
} catch (CertificateEncodingException cee) {
// unlikely
handshakeContext.conContext.fatal(Alert.INTERNAL_ERROR,
throw handshakeContext.conContext.fatal(
Alert.INTERNAL_ERROR,
"Could not encode certificate (" +
cert.getSubjectX500Principal() + ")", cee);
break;
}
}
@ -127,7 +127,8 @@ final class CertificateMessage {
int listLen = Record.getInt24(m);
if (listLen > m.remaining()) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(
Alert.ILLEGAL_PARAMETER,
"Error parsing certificate message:no sufficient data");
}
if (listLen > 0) {
@ -248,10 +249,8 @@ final class CertificateMessage {
}
if (x509Possession == null) { // unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"No expected X.509 certificate for server authentication");
return null; // make the compiler happy
}
shc.handshakeSession.setLocalPrivateKey(
@ -375,7 +374,7 @@ final class CertificateMessage {
if (shc.sslConfig.clientAuthType !=
ClientAuthType.CLIENT_AUTH_REQUESTED) {
// unexpected or require client authentication
shc.conContext.fatal(Alert.BAD_CERTIFICATE,
throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Empty server certificate chain");
} else {
return;
@ -392,7 +391,7 @@ final class CertificateMessage {
new ByteArrayInputStream(encodedCert));
}
} catch (CertificateException ce) {
shc.conContext.fatal(Alert.BAD_CERTIFICATE,
throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Failed to parse server certificates", ce);
}
@ -410,7 +409,7 @@ final class CertificateMessage {
T12CertificateMessage certificateMessage) throws IOException {
List<byte[]> encodedCerts = certificateMessage.encodedCertChain;
if (encodedCerts == null || encodedCerts.isEmpty()) {
chc.conContext.fatal(Alert.BAD_CERTIFICATE,
throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Empty server certificate chain");
}
@ -424,7 +423,7 @@ final class CertificateMessage {
new ByteArrayInputStream(encodedCert));
}
} catch (CertificateException ce) {
chc.conContext.fatal(Alert.BAD_CERTIFICATE,
throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Failed to parse server certificates", ce);
}
@ -443,7 +442,7 @@ final class CertificateMessage {
if ((identityAlg == null || identityAlg.isEmpty()) &&
!isIdentityEquivalent(x509Certs[0],
chc.reservedServerCerts[0])) {
chc.conContext.fatal(Alert.BAD_CERTIFICATE,
throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
"server certificate change is restricted " +
"during renegotiation");
}
@ -639,7 +638,7 @@ final class CertificateMessage {
// the certificate chain in the TLS session.
chc.handshakeSession.setPeerCertificates(certs);
} catch (CertificateException ce) {
chc.conContext.fatal(getCertificateAlert(chc, ce), ce);
throw chc.conContext.fatal(getCertificateAlert(chc, ce), ce);
}
}
@ -685,7 +684,7 @@ final class CertificateMessage {
"Improper X509TrustManager implementation");
}
} catch (CertificateException ce) {
shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce);
throw shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce);
}
}
@ -942,22 +941,20 @@ final class CertificateMessage {
SSLPossession pos = choosePossession(shc, clientHello);
if (pos == null) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No available authentication scheme");
return null; // make the complier happy
}
if (!(pos instanceof X509Possession)) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No X.509 certificate for server authentication");
}
X509Possession x509Possession = (X509Possession)pos;
X509Certificate[] localCerts = x509Possession.popCerts;
if (localCerts == null || localCerts.length == 0) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No X.509 certificate for server authentication");
return null; // make the complier happy
}
// update the context
@ -969,9 +966,8 @@ final class CertificateMessage {
try {
cm = new T13CertificateMessage(shc, (new byte[0]), localCerts);
} catch (SSLException | CertificateException ce) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Failed to produce server Certificate message", ce);
return null; // make the complier happy
}
// Check the OCSP stapling extensions and attempt
@ -1108,9 +1104,8 @@ final class CertificateMessage {
cm = new T13CertificateMessage(
chc, chc.certRequestContext, localCerts);
} catch (SSLException | CertificateException ce) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Failed to produce client Certificate message", ce);
return null;
}
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine("Produced client Certificate message", cm);
@ -1163,7 +1158,7 @@ final class CertificateMessage {
if (certificateMessage.certEntries == null ||
certificateMessage.certEntries.isEmpty()) {
if (shc.sslConfig.clientAuthType == CLIENT_AUTH_REQUIRED) {
shc.conContext.fatal(Alert.BAD_CERTIFICATE,
throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Empty client certificate chain");
} else {
// optional client authentication
@ -1187,7 +1182,7 @@ final class CertificateMessage {
T13CertificateMessage certificateMessage )throws IOException {
if (certificateMessage.certEntries == null ||
certificateMessage.certEntries.isEmpty()) {
chc.conContext.fatal(Alert.BAD_CERTIFICATE,
throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Empty server certificate chain");
}
@ -1224,7 +1219,7 @@ final class CertificateMessage {
new ByteArrayInputStream(entry.encoded));
}
} catch (CertificateException ce) {
shc.conContext.fatal(Alert.BAD_CERTIFICATE,
throw shc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Failed to parse server certificates", ce);
}
@ -1270,7 +1265,7 @@ final class CertificateMessage {
// the certificate chain in the TLS session.
shc.handshakeSession.setPeerCertificates(certs);
} catch (CertificateException ce) {
shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce);
throw shc.conContext.fatal(Alert.CERTIFICATE_UNKNOWN, ce);
}
return certs;
@ -1289,7 +1284,7 @@ final class CertificateMessage {
new ByteArrayInputStream(entry.encoded));
}
} catch (CertificateException ce) {
chc.conContext.fatal(Alert.BAD_CERTIFICATE,
throw chc.conContext.fatal(Alert.BAD_CERTIFICATE,
"Failed to parse server certificates", ce);
}
@ -1326,7 +1321,7 @@ final class CertificateMessage {
// the certificate chain in the TLS session.
chc.handshakeSession.setPeerCertificates(certs);
} catch (CertificateException ce) {
chc.conContext.fatal(getCertificateAlert(chc, ce), ce);
throw chc.conContext.fatal(getCertificateAlert(chc, ce), ce);
}
return certs;

22
src/java.base/share/classes/sun/security/ssl/CertificateRequest.java
View file

@ -171,14 +171,14 @@ final class CertificateRequest {
// DistinguishedName certificate_authorities<0..2^16-1>;
// } CertificateRequest;
if (m.remaining() < 4) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Incorrect CertificateRequest message: no sufficient data");
}
this.types = Record.getBytes8(m);
int listLen = Record.getInt16(m);
if (listLen > m.remaining()) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Incorrect CertificateRequest message:no sufficient data");
}
@ -407,7 +407,7 @@ final class CertificateRequest {
this.types = ClientCertificateType.CERT_TYPES;
if (signatureSchemes == null || signatureSchemes.isEmpty()) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No signature algorithms specified for " +
"CertificateRequest hanshake message");
}
@ -437,7 +437,7 @@ final class CertificateRequest {
// certificate_authorities
if (m.remaining() < 8) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateRequest handshake message: " +
"no sufficient data");
}
@ -445,14 +445,14 @@ final class CertificateRequest {
// supported_signature_algorithms
if (m.remaining() < 6) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateRequest handshake message: " +
"no sufficient data");
}
byte[] algs = Record.getBytes16(m);
if (algs == null || algs.length == 0 || (algs.length & 0x01) != 0) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateRequest handshake message: " +
"incomplete signature algorithms");
}
@ -466,14 +466,14 @@ final class CertificateRequest {
// certificate_authorities
if (m.remaining() < 2) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateRequest handshake message: " +
"no sufficient data");
}
int listLen = Record.getInt16(m);
if (listLen > m.remaining()) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateRequest message: no sufficient data");
}
@ -597,7 +597,7 @@ final class CertificateRequest {
if (shc.localSupportedSignAlgs == null ||
shc.localSupportedSignAlgs.isEmpty()) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No supported signature algorithm");
}
@ -783,14 +783,14 @@ final class CertificateRequest {
// Extension extensions<2..2^16-1>;
// } CertificateRequest;
if (m.remaining() < 5) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateRequest handshake message: " +
"no sufficient data");
}
this.requestContext = Record.getBytes8(m);
if (m.remaining() < 4) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateRequest handshake message: " +
"no sufficient extensions data");
}

9
src/java.base/share/classes/sun/security/ssl/CertificateStatus.java
View file

@ -154,7 +154,8 @@ final class CertificateStatus {
encodedResponses.add(respDER);
encodedResponsesLen = 3 + respDER.length;
} else {
handshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw handshakeContext.conContext.fatal(
Alert.HANDSHAKE_FAILURE,
"Zero-length OCSP Response");
}
} else if (statusType == CertStatusRequestType.OCSP_MULTI) {
@ -172,11 +173,13 @@ final class CertificateStatus {
}
if (respListLen != 0) {
handshakeContext.conContext.fatal(Alert.INTERNAL_ERROR,
throw handshakeContext.conContext.fatal(
Alert.INTERNAL_ERROR,
"Bad OCSP response list length");
}
} else {
handshakeContext.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw handshakeContext.conContext.fatal(
Alert.HANDSHAKE_FAILURE,
"Unsupported StatusResponseType: " + statusType);
}
messageLength = messageLength();

68
src/java.base/share/classes/sun/security/ssl/CertificateVerify.java
View file

@ -83,11 +83,11 @@ final class CertificateVerify {
signer.update(hashes);
temproary = signer.sign();
} catch (NoSuchAlgorithmException nsae) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm (" + algorithm +
") used in CertificateVerify handshake message", nsae);
} catch (GeneralSecurityException gse) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot produce CertificateVerify signature", gse);
}
@ -112,7 +112,7 @@ final class CertificateVerify {
// };
// } Signature;
if (m.remaining() < 2) {
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateVerify message: no sufficient data");
}
@ -128,7 +128,7 @@ final class CertificateVerify {
if (x509Credentials == null ||
x509Credentials.popPublicKey == null) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No X509 credentials negotiated for CertificateVerify");
}
@ -140,15 +140,15 @@ final class CertificateVerify {
shc.handshakeSession.getMasterSecret());
signer.update(hashes);
if (!signer.verify(signature)) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid CertificateVerify message: invalid signature");
}
} catch (NoSuchAlgorithmException nsae) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm (" + algorithm +
") used in CertificateVerify handshake message", nsae);
} catch (GeneralSecurityException gse) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot verify CertificateVerify signature", gse);
}
}
@ -327,11 +327,11 @@ final class CertificateVerify {
signer.update(hashes);
temproary = signer.sign();
} catch (NoSuchAlgorithmException nsae) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm (" + algorithm +
") used in CertificateVerify handshake message", nsae);
} catch (GeneralSecurityException gse) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot produce CertificateVerify signature", gse);
}
@ -356,7 +356,7 @@ final class CertificateVerify {
// };
// } Signature;
if (m.remaining() < 2) {
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateVerify message: no sufficient data");
}
@ -372,7 +372,7 @@ final class CertificateVerify {
if (x509Credentials == null ||
x509Credentials.popPublicKey == null) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No X509 credentials negotiated for CertificateVerify");
}
@ -383,15 +383,15 @@ final class CertificateVerify {
byte[] hashes = shc.handshakeHash.digest(algorithm);
signer.update(hashes);
if (!signer.verify(signature)) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid CertificateVerify message: invalid signature");
}
} catch (NoSuchAlgorithmException nsae) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm (" + algorithm +
") used in CertificateVerify handshake message", nsae);
} catch (GeneralSecurityException gse) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot verify CertificateVerify signature", gse);
}
}
@ -570,7 +570,7 @@ final class CertificateVerify {
if (signatureScheme == null) {
// Unlikely, the credentials generator should have
// selected the preferable signature algorithm properly.
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"No preferred signature algorithm for CertificateVerify");
}
@ -582,12 +582,12 @@ final class CertificateVerify {
temproary = signer.sign();
} catch (NoSuchAlgorithmException |
InvalidAlgorithmParameterException nsae) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm (" +
signatureScheme.name +
") used in CertificateVerify handshake message", nsae);
} catch (InvalidKeyException | SignatureException ikse) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot produce CertificateVerify signature", ikse);
}
@ -607,7 +607,7 @@ final class CertificateVerify {
// opaque signature<0..2^16-1>;
// } DigitallySigned;
if (m.remaining() < 4) {
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateVerify message: no sufficient data");
}
@ -615,13 +615,13 @@ final class CertificateVerify {
int ssid = Record.getInt16(m);
this.signatureScheme = SignatureScheme.valueOf(ssid);
if (signatureScheme == null) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid signature algorithm (" + ssid +
") used in CertificateVerify handshake message");
}
if (!shc.localSupportedSignAlgs.contains(signatureScheme)) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsupported signature algorithm (" +
signatureScheme.name +
") used in CertificateVerify handshake message");
@ -638,7 +638,7 @@ final class CertificateVerify {
if (x509Credentials == null ||
x509Credentials.popPublicKey == null) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No X509 credentials negotiated for CertificateVerify");
}
@ -649,17 +649,17 @@ final class CertificateVerify {
signatureScheme.getSignature(x509Credentials.popPublicKey);
signer.update(shc.handshakeHash.archived());
if (!signer.verify(signature)) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid CertificateVerify signature");
}
} catch (NoSuchAlgorithmException |
InvalidAlgorithmParameterException nsae) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm (" +
signatureScheme.name +
") used in CertificateVerify handshake message", nsae);
} catch (InvalidKeyException | SignatureException ikse) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot verify CertificateVerify signature", ikse);
}
}
@ -871,7 +871,7 @@ final class CertificateVerify {
if (signatureScheme == null) {
// Unlikely, the credentials generator should have
// selected the preferable signature algorithm properly.
context.conContext.fatal(Alert.INTERNAL_ERROR,
throw context.conContext.fatal(Alert.INTERNAL_ERROR,
"No preferred signature algorithm for CertificateVerify");
}
@ -897,12 +897,12 @@ final class CertificateVerify {
temproary = signer.sign();
} catch (NoSuchAlgorithmException |
InvalidAlgorithmParameterException nsae) {
context.conContext.fatal(Alert.INTERNAL_ERROR,
throw context.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm (" +
signatureScheme.name +
") used in CertificateVerify handshake message", nsae);
} catch (InvalidKeyException | SignatureException ikse) {
context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot produce CertificateVerify signature", ikse);
}
@ -918,7 +918,7 @@ final class CertificateVerify {
// opaque signature<0..2^16-1>;
// } DigitallySigned;
if (m.remaining() < 4) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid CertificateVerify message: no sufficient data");
}
@ -926,13 +926,13 @@ final class CertificateVerify {
int ssid = Record.getInt16(m);
this.signatureScheme = SignatureScheme.valueOf(ssid);
if (signatureScheme == null) {
context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid signature algorithm (" + ssid +
") used in CertificateVerify handshake message");
}
if (!context.localSupportedSignAlgs.contains(signatureScheme)) {
context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsupported signature algorithm (" +
signatureScheme.name +
") used in CertificateVerify handshake message");
@ -949,7 +949,7 @@ final class CertificateVerify {
if (x509Credentials == null ||
x509Credentials.popPublicKey == null) {
context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No X509 credentials negotiated for CertificateVerify");
}
@ -975,17 +975,17 @@ final class CertificateVerify {
signatureScheme.getSignature(x509Credentials.popPublicKey);
signer.update(contentCovered);
if (!signer.verify(signature)) {
context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid CertificateVerify signature");
}
} catch (NoSuchAlgorithmException |
InvalidAlgorithmParameterException nsae) {
context.conContext.fatal(Alert.INTERNAL_ERROR,
throw context.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm (" +
signatureScheme.name +
") used in CertificateVerify handshake message", nsae);
} catch (InvalidKeyException | SignatureException ikse) {
context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot verify CertificateVerify signature", ikse);
}
}

22
src/java.base/share/classes/sun/security/ssl/ChangeCipherSpec.java
View file

@ -105,6 +105,12 @@ final class ChangeCipherSpec {
throw new SSLException("Algorithm missing: ", gse);
}
if (writeCipher == null) {
throw hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + ncs +
") and protocol version (" + hc.negotiatedProtocol + ")");
}
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine("Produced ChangeCipherSpec message");
}
@ -136,7 +142,7 @@ final class ChangeCipherSpec {
// parse
if (message.remaining() != 1 || message.get() != 1) {
tc.fatal(Alert.UNEXPECTED_MESSAGE,
throw tc.fatal(Alert.UNEXPECTED_MESSAGE,
"Malformed or unexpected ChangeCipherSpec message");
}
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
@ -145,7 +151,7 @@ final class ChangeCipherSpec {
// validate
if (tc.handshakeContext == null) {
tc.fatal(Alert.HANDSHAKE_FAILURE,
throw tc.fatal(Alert.HANDSHAKE_FAILURE,
"Unexpected ChangeCipherSpec message");
}
@ -153,7 +159,7 @@ final class ChangeCipherSpec {
HandshakeContext hc = tc.handshakeContext;
if (hc.handshakeKeyDerivation == null) {
tc.fatal(Alert.UNEXPECTED_MESSAGE,
throw tc.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected ChangeCipherSpec message");
}
@ -195,6 +201,14 @@ final class ChangeCipherSpec {
// unlikely
throw new SSLException("Algorithm missing: ", gse);
}
if (readCipher == null) {
throw hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + hc.negotiatedCipherSuite +
") and protocol version (" + hc.negotiatedProtocol +
")");
}
tc.inputRecord.changeReadCiphers(readCipher);
} else {
throw new UnsupportedOperationException("Not supported.");
@ -225,7 +239,7 @@ final class ChangeCipherSpec {
// parse
if (message.remaining() != 1 || message.get() != 1) {
tc.fatal(Alert.UNEXPECTED_MESSAGE,
throw tc.fatal(Alert.UNEXPECTED_MESSAGE,
"Malformed or unexpected ChangeCipherSpec message");
}
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {

2
src/java.base/share/classes/sun/security/ssl/Ciphertext.java
View file

@ -31,8 +31,6 @@ import javax.net.ssl.SSLEngineResult.HandshakeStatus;
* Ciphertext
*/
final class Ciphertext {
static final Ciphertext CIPHERTEXT_NULL = new Ciphertext();
final byte contentType;
final byte handshakeType;
final long recordSN;

35
src/java.base/share/classes/sun/security/ssl/ClientHello.java
View file

@ -144,8 +144,8 @@ final class ClientHello {
if (id == SSLExtension.CH_PRE_SHARED_KEY.id) {
// ensure pre_shared_key is the last extension
if (remaining > 0) {
tc.fatal(Alert.ILLEGAL_PARAMETER,
"pre_shared_key extension is not last");
throw tc.fatal(Alert.ILLEGAL_PARAMETER,
"pre_shared_key extension is not last");
}
// read only up to the IDs
Record.getBytes16(m);
@ -169,7 +169,8 @@ final class ClientHello {
try {
sessionId.checkLength(clientVersion);
} catch (SSLProtocolException ex) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, ex);
throw handshakeContext.conContext.fatal(
Alert.ILLEGAL_PARAMETER, ex);
}
if (isDTLS) {
this.cookie = Record.getBytes8(m);
@ -179,8 +180,9 @@ final class ClientHello {
byte[] encodedIds = Record.getBytes16(m);
if (encodedIds.length == 0 || (encodedIds.length & 0x01) != 0) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid ClientHello message");
throw handshakeContext.conContext.fatal(
Alert.ILLEGAL_PARAMETER,
"Invalid ClientHello message");
}
this.cipherSuiteIds = new int[encodedIds.length >> 1];
@ -702,7 +704,8 @@ final class ClientHello {
try {
chc.kickstart();
} catch (IOException ioe) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE, ioe);
throw chc.conContext.fatal(
Alert.HANDSHAKE_FAILURE, ioe);
}
// The handshake message has been delivered.
@ -790,7 +793,7 @@ final class ClientHello {
// clean up this consumer
shc.handshakeConsumers.remove(SSLHandshake.CLIENT_HELLO.id);
if (!shc.handshakeConsumers.isEmpty()) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"No more handshake message allowed " +
"in a ClientHello flight");
}
@ -877,7 +880,7 @@ final class ClientHello {
context.activeProtocols, chv);
if (pv == null || pv == ProtocolVersion.NONE ||
pv == ProtocolVersion.SSL20Hello) {
context.conContext.fatal(Alert.PROTOCOL_VERSION,
throw context.conContext.fatal(Alert.PROTOCOL_VERSION,
"Client requested protocol " +
ProtocolVersion.nameOf(clientHelloVersion) +
" is not enabled or supported in server context");
@ -910,13 +913,11 @@ final class ClientHello {
}
// No protocol version can be negotiated.
context.conContext.fatal(Alert.PROTOCOL_VERSION,
throw context.conContext.fatal(Alert.PROTOCOL_VERSION,
"The client supported protocol versions " + Arrays.toString(
ProtocolVersion.toStringArray(clientSupportedVersions)) +
" are not accepted by server preferences " +
context.activeProtocols);
return null; // make the compiler happy
}
}
@ -957,13 +958,13 @@ final class ClientHello {
if (shc.conContext.isNegotiated) {
if (!shc.conContext.secureRenegotiation &&
!HandshakeContext.allowUnsafeRenegotiation) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsafe renegotiation is not allowed");
}
if (ServerHandshakeContext.rejectClientInitiatedRenego &&
!shc.kickstartMessageDelivered) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Client initiated renegotiation is not allowed");
}
}
@ -1170,13 +1171,13 @@ final class ClientHello {
handshakeProducer.produce(shc, clientHello);
} else {
// unlikely
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No HelloRetryRequest producer: " + shc.handshakeProducers);
}
if (!shc.handshakeProducers.isEmpty()) {
// unlikely, but please double check.
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"unknown handshake producers: " + shc.handshakeProducers);
}
}
@ -1264,13 +1265,13 @@ final class ClientHello {
if (shc.conContext.isNegotiated) {
if (!shc.conContext.secureRenegotiation &&
!HandshakeContext.allowUnsafeRenegotiation) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsafe renegotiation is not allowed");
}
if (ServerHandshakeContext.rejectClientInitiatedRenego &&
!shc.kickstartMessageDelivered) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Client initiated renegotiation is not allowed");
}
}

5
src/java.base/share/classes/sun/security/ssl/ClientKeyExchange.java
View file

@ -68,9 +68,8 @@ final class ClientKeyExchange {
}
// not consumer defined.
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected ClientKeyExchange handshake message.");
return null; // make the compiler happe
}
}
@ -105,7 +104,7 @@ final class ClientKeyExchange {
}
// not consumer defined.
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected ClientKeyExchange handshake message.");
}
}

9
src/java.base/share/classes/sun/security/ssl/CookieExtension.java
View file

@ -163,8 +163,7 @@ public class CookieExtension {
try {
spec = new CookieSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
shc.handshakeExtensions.put(SSLExtension.CH_COOKIE, spec);
@ -201,9 +200,8 @@ public class CookieExtension {
HelloCookieManager hcm =
shc.sslContext.getHelloCookieManager(shc.negotiatedProtocol);
if (!hcm.isCookieValid(shc, clientHello, spec.cookie)) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"unrecognized cookie");
return; // fatal() always throws, make the compiler happy.
}
}
}
@ -270,8 +268,7 @@ public class CookieExtension {
try {
spec = new CookieSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
chc.handshakeExtensions.put(SSLExtension.HRR_COOKIE, spec);

18
src/java.base/share/classes/sun/security/ssl/DHClientKeyExchange.java
View file

@ -87,7 +87,7 @@ final class DHClientKeyExchange {
if (dhePossession == null) {
// unlikely
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No DHE credentials negotiated for client key exchange");
}
@ -104,14 +104,14 @@ final class DHClientKeyExchange {
(ServerHandshakeContext)handshakeContext;
if (m.remaining() < 3) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid DH ClientKeyExchange message: insufficient data");
}
this.y = Record.getBytes16(m);
if (m.hasRemaining()) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid DH ClientKeyExchange message: unknown extra data");
}
}
@ -177,7 +177,7 @@ final class DHClientKeyExchange {
}
if (dheCredentials == null) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No DHE credentials negotiated for client key exchange");
}
@ -202,7 +202,7 @@ final class DHClientKeyExchange {
chc.negotiatedProtocol);
if (ke == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key exchange type");
} else {
SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
@ -214,7 +214,7 @@ final class DHClientKeyExchange {
SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
if (kd == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
chc.negotiatedProtocol);
} else {
@ -254,7 +254,7 @@ final class DHClientKeyExchange {
if (dhePossession == null) {
// unlikely
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No expected DHE possessions for client key exchange");
}
@ -263,7 +263,7 @@ final class DHClientKeyExchange {
shc.negotiatedProtocol);
if (ke == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key exchange type");
}
@ -310,7 +310,7 @@ final class DHClientKeyExchange {
SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
if (kd == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " + shc.negotiatedProtocol);
} else {
shc.handshakeKeyDerivation =

2
src/java.base/share/classes/sun/security/ssl/DHKeyExchange.java
View file

@ -438,7 +438,7 @@ final class DHKeyExchange {
}
if (dhePossession == null || dheCredentials == null) {
context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No sufficient DHE key agreement parameters negotiated");
}

36
src/java.base/share/classes/sun/security/ssl/DHServerKeyExchange.java
View file

@ -106,7 +106,7 @@ final class DHServerKeyExchange {
if (dhePossession == null) {
// unlikely
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No DHE credentials negotiated for server key exchange");
}
DHPublicKey publicKey = dhePossession.publicKey;
@ -132,7 +132,7 @@ final class DHServerKeyExchange {
if (signatureScheme == null) {
// Unlikely, the credentials generator should have
// selected the preferable signature algorithm properly.
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"No preferred signature algorithm");
}
try {
@ -140,7 +140,7 @@ final class DHServerKeyExchange {
x509Possession.popPrivateKey);
} catch (NoSuchAlgorithmException | InvalidKeyException |
InvalidAlgorithmParameterException nsae) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
signatureScheme.name, nsae);
}
@ -151,7 +151,7 @@ final class DHServerKeyExchange {
x509Possession.popPrivateKey.getAlgorithm(),
x509Possession.popPrivateKey);
} catch (NoSuchAlgorithmException | InvalidKeyException e) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
x509Possession.popPrivateKey.getAlgorithm(), e);
}
@ -163,7 +163,7 @@ final class DHServerKeyExchange {
shc.serverHelloRandom.randomBytes);
signature = signer.sign();
} catch (SignatureException ex) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failed to sign dhe parameters: " +
x509Possession.popPrivateKey.getAlgorithm(), ex);
}
@ -189,7 +189,7 @@ final class DHServerKeyExchange {
new BigInteger(1, p),
new BigInteger(1, p)));
} catch (InvalidKeyException ike) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid DH ServerKeyExchange: invalid parameters", ike);
}
@ -204,7 +204,7 @@ final class DHServerKeyExchange {
if (x509Credentials == null) {
// anonymous, no authentication, no signature
if (m.hasRemaining()) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid DH ServerKeyExchange: unknown extra data");
}
@ -221,13 +221,13 @@ final class DHServerKeyExchange {
int ssid = Record.getInt16(m);
signatureScheme = SignatureScheme.valueOf(ssid);
if (signatureScheme == null) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid signature algorithm (" + ssid +
") used in DH ServerKeyExchange handshake message");
}
if (!chc.localSupportedSignAlgs.contains(signatureScheme)) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsupported signature algorithm (" +
signatureScheme.name +
") used in DH ServerKeyExchange handshake message");
@ -245,11 +245,9 @@ final class DHServerKeyExchange {
x509Credentials.popPublicKey);
} catch (NoSuchAlgorithmException | InvalidKeyException |
InvalidAlgorithmParameterException nsae) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
signatureScheme.name, nsae);
return; // make the compiler happe
}
} else {
try {
@ -257,11 +255,9 @@ final class DHServerKeyExchange {
x509Credentials.popPublicKey.getAlgorithm(),
x509Credentials.popPublicKey);
} catch (NoSuchAlgorithmException | InvalidKeyException e) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
x509Credentials.popPublicKey.getAlgorithm(), e);
return; // make the compiler happe
}
}
@ -271,11 +267,11 @@ final class DHServerKeyExchange {
chc.serverHelloRandom.randomBytes);
if (!signer.verify(paramsSignature)) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid signature on DH ServerKeyExchange message");
}
} catch (SignatureException ex) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot verify DH ServerKeyExchange signature", ex);
}
}
@ -535,15 +531,13 @@ final class DHServerKeyExchange {
new BigInteger(1, skem.g));
publicKey = (DHPublicKey)kf.generatePublic(spec);
} catch (GeneralSecurityException gse) {
chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
"Could not generate DHPublicKey", gse);
return; // make the compiler happy
}
if (!chc.algorithmConstraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) {
chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
"DH ServerKeyExchange does not comply to " +
"algorithm constraints");
}

38
src/java.base/share/classes/sun/security/ssl/ECDHClientKeyExchange.java
View file

@ -190,20 +190,20 @@ final class ECDHClientKeyExchange {
}
if (x509Credentials == null) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"No server certificate for ECDH client key exchange");
}
PublicKey publicKey = x509Credentials.popPublicKey;
if (!publicKey.getAlgorithm().equals("EC")) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Not EC server certificate for ECDH client key exchange");
}
ECParameterSpec params = ((ECPublicKey)publicKey).getParams();
NamedGroup namedGroup = NamedGroup.valueOf(params);
if (namedGroup == null) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unsupported EC server cert for ECDH client key exchange");
}
@ -228,7 +228,7 @@ final class ECDHClientKeyExchange {
chc.negotiatedProtocol);
if (ke == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key exchange type");
} else {
SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
@ -240,7 +240,7 @@ final class ECDHClientKeyExchange {
SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
if (kd == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
chc.negotiatedProtocol);
} else {
@ -280,15 +280,14 @@ final class ECDHClientKeyExchange {
if (x509Possession == null) {
// unlikely, have been checked during cipher suite negotiation.
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"No expected EC server cert for ECDH client key exchange");
return; // make the compiler happy
}
PrivateKey privateKey = x509Possession.popPrivateKey;
if (!privateKey.getAlgorithm().equals("EC")) {
// unlikely, have been checked during cipher suite negotiation.
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Not EC server cert for ECDH client key exchange");
}
@ -296,7 +295,7 @@ final class ECDHClientKeyExchange {
NamedGroup namedGroup = NamedGroup.valueOf(params);
if (namedGroup == null) {
// unlikely, have been checked during cipher suite negotiation.
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unsupported EC server cert for ECDH client key exchange");
}
@ -305,9 +304,8 @@ final class ECDHClientKeyExchange {
shc.negotiatedProtocol);
if (ke == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key exchange type");
return; // make the compiler happy
}
// parse the handshake message
@ -353,7 +351,7 @@ final class ECDHClientKeyExchange {
SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
if (kd == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " + shc.negotiatedProtocol);
} else {
shc.handshakeKeyDerivation =
@ -387,7 +385,7 @@ final class ECDHClientKeyExchange {
}
if (ecdheCredentials == null) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"No ECDHE credentials negotiated for client key exchange");
}
@ -412,7 +410,7 @@ final class ECDHClientKeyExchange {
chc.negotiatedProtocol);
if (ke == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key exchange type");
} else {
SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
@ -424,7 +422,7 @@ final class ECDHClientKeyExchange {
SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
if (kd == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
chc.negotiatedProtocol);
} else {
@ -463,16 +461,15 @@ final class ECDHClientKeyExchange {
}
if (ecdhePossession == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"No expected ECDHE possessions for client key exchange");
return; // make the compiler happy
}
ECParameterSpec params = ecdhePossession.publicKey.getParams();
NamedGroup namedGroup = NamedGroup.valueOf(params);
if (namedGroup == null) {
// unlikely, have been checked during cipher suite negotiation.
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unsupported EC server cert for ECDHE client key exchange");
}
@ -481,9 +478,8 @@ final class ECDHClientKeyExchange {
shc.negotiatedProtocol);
if (ke == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key exchange type");
return; // make the compiler happy
}
// parse the handshake message
@ -529,7 +525,7 @@ final class ECDHClientKeyExchange {
SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
if (kd == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " + shc.negotiatedProtocol);
} else {
shc.handshakeKeyDerivation =

10
src/java.base/share/classes/sun/security/ssl/ECDHKeyExchange.java
View file

@ -274,7 +274,7 @@ final class ECDHKeyExchange {
NamedGroup ng = NamedGroup.valueOf(params);
if (ng == null) {
// unlikely, have been checked during cipher suite negotiation.
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unsupported EC server cert for ECDH key exchange");
}
@ -295,7 +295,7 @@ final class ECDHKeyExchange {
}
if (x509Possession == null || ecdheCredentials == null) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No sufficient ECDHE key agreement parameters negotiated");
}
@ -327,7 +327,7 @@ final class ECDHKeyExchange {
NamedGroup namedGroup = NamedGroup.valueOf(params);
if (namedGroup == null) {
// unlikely, should have been checked previously
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unsupported EC server cert for ECDH key exchange");
}
@ -344,7 +344,7 @@ final class ECDHKeyExchange {
}
if (ecdhePossession == null || x509Credentials == null) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No sufficient ECDH key agreement parameters negotiated");
}
@ -388,7 +388,7 @@ final class ECDHKeyExchange {
}
if (ecdhePossession == null || ecdheCredentials == null) {
context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No sufficient ECDHE key agreement parameters negotiated");
}

46
src/java.base/share/classes/sun/security/ssl/ECDHServerKeyExchange.java
View file

@ -113,7 +113,7 @@ final class ECDHServerKeyExchange {
if (ecdhePossession == null) {
// unlikely
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No ECDHE credentials negotiated for server key exchange");
}
@ -125,7 +125,7 @@ final class ECDHServerKeyExchange {
this.namedGroup = NamedGroup.valueOf(params);
if ((namedGroup == null) || (namedGroup.oid == null) ) {
// unlikely
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unnamed EC parameter spec: " + params);
}
@ -146,7 +146,7 @@ final class ECDHServerKeyExchange {
if (signatureScheme == null) {
// Unlikely, the credentials generator should have
// selected the preferable signature algorithm properly.
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"No preferred signature algorithm for " +
x509Possession.popPrivateKey.getAlgorithm() +
" key");
@ -156,7 +156,7 @@ final class ECDHServerKeyExchange {
x509Possession.popPrivateKey);
} catch (NoSuchAlgorithmException | InvalidKeyException |
InvalidAlgorithmParameterException nsae) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
signatureScheme.name, nsae);
}
@ -167,7 +167,7 @@ final class ECDHServerKeyExchange {
x509Possession.popPrivateKey.getAlgorithm(),
x509Possession.popPrivateKey);
} catch (NoSuchAlgorithmException | InvalidKeyException e) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
x509Possession.popPrivateKey.getAlgorithm(), e);
}
@ -180,7 +180,7 @@ final class ECDHServerKeyExchange {
namedGroup.id, publicPoint);
signature = signer.sign();
} catch (SignatureException ex) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failed to sign ecdhe parameters: " +
x509Possession.popPrivateKey.getAlgorithm(), ex);
}
@ -199,37 +199,37 @@ final class ECDHServerKeyExchange {
byte curveType = (byte)Record.getInt8(m);
if (curveType != CURVE_NAMED_CURVE) {
// Unlikely as only the named curves should be negotiated.
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unsupported ECCurveType: " + curveType);
}
int namedGroupId = Record.getInt16(m);
this.namedGroup = NamedGroup.valueOf(namedGroupId);
if (namedGroup == null) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unknown named group ID: " + namedGroupId);
}
if (!SupportedGroups.isSupported(namedGroup)) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unsupported named group: " + namedGroup);
}
if (namedGroup.oid == null) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Unknown named EC curve: " + namedGroup);
}
ECParameterSpec parameters =
JsseJce.getECParameterSpec(namedGroup.oid);
if (parameters == null) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No supported EC parameter: " + namedGroup);
}
publicPoint = Record.getBytes8(m);
if (publicPoint.length == 0) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Insufficient ECPoint data: " + namedGroup);
}
@ -242,7 +242,7 @@ final class ECDHServerKeyExchange {
new ECPublicKeySpec(point, parameters));
} catch (NoSuchAlgorithmException |
InvalidKeySpecException | IOException ex) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid ECPoint: " + namedGroup, ex);
}
@ -259,7 +259,7 @@ final class ECDHServerKeyExchange {
if (x509Credentials == null) {
// anonymous, no authentication, no signature
if (m.hasRemaining()) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid DH ServerKeyExchange: unknown extra data");
}
this.signatureScheme = null;
@ -275,13 +275,13 @@ final class ECDHServerKeyExchange {
int ssid = Record.getInt16(m);
signatureScheme = SignatureScheme.valueOf(ssid);
if (signatureScheme == null) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid signature algorithm (" + ssid +
") used in ECDH ServerKeyExchange handshake message");
}
if (!chc.localSupportedSignAlgs.contains(signatureScheme)) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsupported signature algorithm (" +
signatureScheme.name +
") used in ECDH ServerKeyExchange handshake message");
@ -299,11 +299,9 @@ final class ECDHServerKeyExchange {
x509Credentials.popPublicKey);
} catch (NoSuchAlgorithmException | InvalidKeyException |
InvalidAlgorithmParameterException nsae) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
signatureScheme.name, nsae);
return; // make the compiler happe
}
} else {
try {
@ -311,11 +309,9 @@ final class ECDHServerKeyExchange {
x509Credentials.popPublicKey.getAlgorithm(),
x509Credentials.popPublicKey);
} catch (NoSuchAlgorithmException | InvalidKeyException e) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Unsupported signature algorithm: " +
x509Credentials.popPublicKey.getAlgorithm(), e);
return; // make the compiler happe
}
}
@ -326,11 +322,11 @@ final class ECDHServerKeyExchange {
namedGroup.id, publicPoint);
if (!signer.verify(paramsSignature)) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid ECDH ServerKeyExchange signature");
}
} catch (SignatureException ex) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Cannot verify ECDH ServerKeyExchange signature", ex);
}
}
@ -546,7 +542,7 @@ final class ECDHServerKeyExchange {
if (!chc.algorithmConstraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
skem.publicKey)) {
chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
"ECDH ServerKeyExchange does not comply " +
"to algorithm constraints");
}

12
src/java.base/share/classes/sun/security/ssl/ECPointFormatsExtension.java
View file

@ -231,13 +231,12 @@ final class ECPointFormatsExtension {
try {
spec = new ECPointFormatsSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// per RFC 4492, uncompressed points must always be supported.
if (!spec.hasUncompressedFormat()) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid ec_point_formats extension data: " +
"peer does not support uncompressed points");
}
@ -272,7 +271,7 @@ final class ECPointFormatsExtension {
ECPointFormatsSpec requestedSpec = (ECPointFormatsSpec)
chc.handshakeExtensions.get(CH_EC_POINT_FORMATS);
if (requestedSpec == null) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected ec_point_formats extension in ServerHello");
}
@ -281,13 +280,12 @@ final class ECPointFormatsExtension {
try {
spec = new ECPointFormatsSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// per RFC 4492, uncompressed points must always be supported.
if (!spec.hasUncompressedFormat()) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid ec_point_formats extension data: " +
"peer does not support uncompressed points");
}

2
src/java.base/share/classes/sun/security/ssl/EncryptedExtensions.java
View file

@ -60,7 +60,7 @@ final class EncryptedExtensions {
// Extension extensions<0..2^16-1>;
// } EncryptedExtensions;
if (m.remaining() < 2) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid EncryptedExtensions handshake message: " +
"no sufficient data");
}

22
src/java.base/share/classes/sun/security/ssl/ExtendedMasterSecretExtension.java
View file

@ -172,8 +172,7 @@ final class ExtendedMasterSecretExtension {
try {
spec = new ExtendedMasterSecretSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
if (shc.isResumption && shc.resumingSession != null &&
@ -232,7 +231,7 @@ final class ExtendedMasterSecretExtension {
//
// As if extended master extension is required for full
// handshake, it MUST be used in abbreviated handshake too.
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Extended Master Secret extension is required");
}
@ -242,7 +241,7 @@ final class ExtendedMasterSecretExtension {
// session used the "extended_master_secret" extension
// but the new ClientHello does not contain it, the
// server MUST abort the abbreviated handshake.
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Missing Extended Master Secret extension " +
"on session resumption");
} else {
@ -250,7 +249,7 @@ final class ExtendedMasterSecretExtension {
// original session nor the new ClientHello uses the
// extension, the server SHOULD abort the handshake.
if (!SSLConfiguration.allowLegacyResumption) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Missing Extended Master Secret extension " +
"on session resumption");
} else { // Otherwise, continue with a full handshake.
@ -318,7 +317,7 @@ final class ExtendedMasterSecretExtension {
ExtendedMasterSecretSpec requstedSpec = (ExtendedMasterSecretSpec)
chc.handshakeExtensions.get(CH_EXTENDED_MASTER_SECRET);
if (requstedSpec == null) {
chc.conContext.fatal(Alert.UNSUPPORTED_EXTENSION,
throw chc.conContext.fatal(Alert.UNSUPPORTED_EXTENSION,
"Server sent the extended_master_secret " +
"extension improperly");
}
@ -328,13 +327,12 @@ final class ExtendedMasterSecretExtension {
try {
spec = new ExtendedMasterSecretSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
if (chc.isResumption && chc.resumingSession != null &&
!chc.resumingSession.useExtendedMasterSecret) {
chc.conContext.fatal(Alert.UNSUPPORTED_EXTENSION,
throw chc.conContext.fatal(Alert.UNSUPPORTED_EXTENSION,
"Server sent an unexpected extended_master_secret " +
"extension on session resumption");
}
@ -364,7 +362,7 @@ final class ExtendedMasterSecretExtension {
// For full handshake, if a client receives a ServerHello
// without the extension, it SHOULD abort the handshake if
// it does not wish to interoperate with legacy servers.
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Extended Master Secret extension is required");
}
@ -374,14 +372,14 @@ final class ExtendedMasterSecretExtension {
// the "extended_master_secret" extension but the new
// ServerHello does not contain the extension, the client
// MUST abort the handshake.
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Missing Extended Master Secret extension " +
"on session resumption");
} else if (SSLConfiguration.useExtendedMasterSecret &&
!SSLConfiguration.allowLegacyResumption &&
chc.negotiatedProtocol.useTLS10PlusSpec()) {
// Unlikely, abbreviated handshake should be discarded.
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Extended Master Secret extension is required");
}
}

86
src/java.base/share/classes/sun/security/ssl/Finished.java
View file

@ -83,7 +83,7 @@ final class Finished {
try {
vd = vds.createVerifyData(context, false);
} catch (IOException ioe) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Failed to generate verify_data", ioe);
}
@ -102,7 +102,7 @@ final class Finished {
}
if (m.remaining() != verifyDataLen) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Inappropriate finished message: need " + verifyDataLen +
" but remaining " + m.remaining() + " bytes verify_data");
}
@ -116,12 +116,11 @@ final class Finished {
try {
myVerifyData = vd.createVerifyData(context, true);
} catch (IOException ioe) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Failed to generate verify_data", ioe);
return; // make the compiler happy
}
if (!MessageDigest.isEqual(myVerifyData, verifyData)) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"The Finished message cannot be verified.");
}
}
@ -518,7 +517,7 @@ final class Finished {
// we have received ChangeCipherSpec
if (hc.conContext.consumers.containsKey(
ContentType.CHANGE_CIPHER_SPEC.id)) {
hc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw hc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Missing ChangeCipherSpec message");
}
@ -679,19 +678,17 @@ final class Finished {
SSLKeyDerivation kd = chc.handshakeKeyDerivation;
if (kd == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"no key derivation");
return null; // make the compiler happy
}
SSLTrafficKeyDerivation kdg =
SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
if (kdg == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
chc.negotiatedProtocol);
return null; // make the compiler happy
}
try {
@ -713,22 +710,29 @@ final class Finished {
chc.negotiatedProtocol, writeKey, writeIv,
chc.sslContext.getSecureRandom());
if (writeCipher == null) {
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + chc.negotiatedCipherSuite +
") and protocol version (" + chc.negotiatedProtocol +
")");
}
chc.baseWriteSecret = writeSecret;
chc.conContext.outputRecord.changeWriteCiphers(
writeCipher, false);
} catch (GeneralSecurityException gse) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failure to derive application secrets", gse);
return null; // make the compiler happy
}
// The resumption master secret is stored in the session so
// it can be used after the handshake is completed.
SSLSecretDerivation sd = ((SSLSecretDerivation) kd).forContext(chc);
SecretKey resumptionMasterSecret = sd.deriveKey(
"TlsResumptionMasterSecret", null);
chc.handshakeSession.setResumptionMasterSecret(resumptionMasterSecret);
"TlsResumptionMasterSecret", null);
chc.handshakeSession.setResumptionMasterSecret(
resumptionMasterSecret);
chc.conContext.conSession = chc.handshakeSession.finish();
chc.conContext.protocolVersion = chc.negotiatedProtocol;
@ -762,19 +766,17 @@ final class Finished {
SSLKeyDerivation kd = shc.handshakeKeyDerivation;
if (kd == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"no key derivation");
return null; // make the compiler happy
}
SSLTrafficKeyDerivation kdg =
SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
if (kdg == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
shc.negotiatedProtocol);
return null; // make the compiler happy
}
// derive salt secret
@ -810,6 +812,13 @@ final class Finished {
shc.negotiatedProtocol, writeKey, writeIv,
shc.sslContext.getSecureRandom());
if (writeCipher == null) {
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + shc.negotiatedCipherSuite +
") and protocol version (" + shc.negotiatedProtocol +
")");
}
shc.baseWriteSecret = writeSecret;
shc.conContext.outputRecord.changeWriteCiphers(
writeCipher, false);
@ -817,9 +826,8 @@ final class Finished {
// update the context for the following key derivation
shc.handshakeKeyDerivation = secretKD;
} catch (GeneralSecurityException gse) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failure to derive application secrets", gse);
return null; // make the compiler happy
}
/*
@ -892,19 +900,17 @@ final class Finished {
SSLKeyDerivation kd = chc.handshakeKeyDerivation;
if (kd == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"no key derivation");
return; // make the compiler happy
}
SSLTrafficKeyDerivation kdg =
SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
if (kdg == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
chc.negotiatedProtocol);
return; // make the compiler happy
}
// save the session
@ -947,15 +953,21 @@ final class Finished {
chc.negotiatedProtocol, readKey, readIv,
chc.sslContext.getSecureRandom());
if (readCipher == null) {
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + chc.negotiatedCipherSuite +
") and protocol version (" + chc.negotiatedProtocol +
")");
}
chc.baseReadSecret = readSecret;
chc.conContext.inputRecord.changeReadCiphers(readCipher);
// update the context for the following key derivation
chc.handshakeKeyDerivation = secretKD;
} catch (GeneralSecurityException gse) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failure to derive application secrets", gse);
return; // make the compiler happy
}
//
@ -1003,19 +1015,17 @@ final class Finished {
SSLKeyDerivation kd = shc.handshakeKeyDerivation;
if (kd == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"no key derivation");
return; // make the compiler happy
}
SSLTrafficKeyDerivation kdg =
SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
if (kdg == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
shc.negotiatedProtocol);
return; // make the compiler happy
}
// save the session
@ -1044,20 +1054,28 @@ final class Finished {
shc.negotiatedProtocol, readKey, readIv,
shc.sslContext.getSecureRandom());
if (readCipher == null) {
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + shc.negotiatedCipherSuite +
") and protocol version (" + shc.negotiatedProtocol +
")");
}
shc.baseReadSecret = readSecret;
shc.conContext.inputRecord.changeReadCiphers(readCipher);
// The resumption master secret is stored in the session so
// it can be used after the handshake is completed.
shc.handshakeHash.update();
SSLSecretDerivation sd = ((SSLSecretDerivation)kd).forContext(shc);
SSLSecretDerivation sd =
((SSLSecretDerivation)kd).forContext(shc);
SecretKey resumptionMasterSecret = sd.deriveKey(
"TlsResumptionMasterSecret", null);
shc.handshakeSession.setResumptionMasterSecret(resumptionMasterSecret);
shc.handshakeSession.setResumptionMasterSecret(
resumptionMasterSecret);
} catch (GeneralSecurityException gse) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failure to derive application secrets", gse);
return; // make the compiler happy
}
// update connection context

17
src/java.base/share/classes/sun/security/ssl/HandshakeContext.java
View file

@ -365,26 +365,20 @@ abstract class HandshakeContext implements ConnectionContext {
// } Handshake;
if (plaintext.contentType != ContentType.HANDSHAKE.id) {
conContext.fatal(Alert.INTERNAL_ERROR,
throw conContext.fatal(Alert.INTERNAL_ERROR,
"Unexpected operation for record: " + plaintext.contentType);
return 0;
}
if (plaintext.fragment == null || plaintext.fragment.remaining() < 4) {
conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid handshake message: insufficient data");
return 0;
}
byte handshakeType = (byte)Record.getInt8(plaintext.fragment);
int handshakeLen = Record.getInt24(plaintext.fragment);
if (handshakeLen != plaintext.fragment.remaining()) {
conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid handshake message: insufficient handshake body");
return 0;
}
return handshakeType;
@ -438,16 +432,15 @@ abstract class HandshakeContext implements ConnectionContext {
}
if (consumer == null) {
conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected handshake message: " +
SSLHandshake.nameOf(handshakeType));
return;
}
try {
consumer.consume(this, fragment);
} catch (UnsupportedOperationException unsoe) {
conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported handshake message: " +
SSLHandshake.nameOf(handshakeType), unsoe);
}

4
src/java.base/share/classes/sun/security/ssl/HelloRequest.java
View file

@ -59,7 +59,7 @@ final class HelloRequest {
ByteBuffer m) throws IOException {
super(handshakeContext);
if (m.hasRemaining()) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Error parsing HelloRequest message: not empty");
}
}
@ -185,7 +185,7 @@ final class HelloRequest {
if (!chc.kickstartMessageDelivered) {
if (!chc.conContext.secureRenegotiation &&
!HandshakeContext.allowUnsafeRenegotiation) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsafe renegotiation is not allowed");
}

4
src/java.base/share/classes/sun/security/ssl/HelloVerifyRequest.java
View file

@ -73,7 +73,7 @@ final class HelloVerifyRequest {
// opaque cookie<0..2^8-1>;
// } HelloVerifyRequest;
if (m.remaining() < 3) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid HelloVerifyRequest: no sufficient data");
}
@ -186,7 +186,7 @@ final class HelloVerifyRequest {
chc.handshakeConsumers.remove(SSLHandshake.SERVER_HELLO.id);
}
if (!chc.handshakeConsumers.isEmpty()) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"No more message expected before " +
"HelloVerifyRequest is processed");
}

59
src/java.base/share/classes/sun/security/ssl/KeyShareExtension.java
View file

@ -337,8 +337,7 @@ final class KeyShareExtension {
try {
spec = new CHKeyShareSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
List<SSLCredentials> credentials = new LinkedList<>();
@ -610,16 +609,14 @@ final class KeyShareExtension {
if (chc.clientRequestedNamedGroups == null ||
chc.clientRequestedNamedGroups.isEmpty()) {
// No supported groups.
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected key_share extension in ServerHello");
return; // fatal() always throws, make the compiler happy.
}
// Is it a supported and enabled extension?
if (!chc.sslConfig.isAvailable(SSLExtension.SH_KEY_SHARE)) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported key_share extension in ServerHello");
return; // fatal() always throws, make the compiler happy.
}
// Parse the extension
@ -627,25 +624,22 @@ final class KeyShareExtension {
try {
spec = new SHKeyShareSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
KeyShareEntry keyShare = spec.serverShare;
NamedGroup ng = NamedGroup.valueOf(keyShare.namedGroupId);
if (ng == null || !SupportedGroups.isActivatable(
chc.sslConfig.algorithmConstraints, ng)) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported named group: " +
NamedGroup.nameOf(keyShare.namedGroupId));
return; // fatal() always throws, make the compiler happy.
}
SSLKeyExchange ke = SSLKeyExchange.valueOf(ng);
if (ke == null) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"No key exchange for named group " + ng.name);
return; // fatal() always throws, make the compiler happy.
}
SSLCredentials credentials = null;
@ -657,7 +651,7 @@ final class KeyShareExtension {
if (!chc.algorithmConstraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
ecdhec.popPublicKey)) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"ECDHE key share entry does not " +
"comply to algorithm constraints");
} else {
@ -665,7 +659,7 @@ final class KeyShareExtension {
}
}
} catch (IOException | GeneralSecurityException ex) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Cannot decode named group: " +
NamedGroup.nameOf(keyShare.namedGroupId));
}
@ -677,7 +671,7 @@ final class KeyShareExtension {
if (!chc.algorithmConstraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
dhec.popPublicKey)) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"DHE key share entry does not " +
"comply to algorithm constraints");
} else {
@ -685,18 +679,18 @@ final class KeyShareExtension {
}
}
} catch (IOException | GeneralSecurityException ex) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Cannot decode named group: " +
NamedGroup.nameOf(keyShare.namedGroupId));
}
} else {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported named group: " +
NamedGroup.nameOf(keyShare.namedGroupId));
}
if (credentials == null) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported named group: " + ng.name);
}
@ -794,17 +788,15 @@ final class KeyShareExtension {
// Is it a supported and enabled extension?
if (!shc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported key_share extension in HelloRetryRequest");
return null; // make the compiler happy.
}
if (shc.clientRequestedNamedGroups == null ||
shc.clientRequestedNamedGroups.isEmpty()) {
// No supported groups.
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected key_share extension in HelloRetryRequest");
return null; // make the compiler happy.
}
NamedGroup selectedGroup = null;
@ -823,9 +815,8 @@ final class KeyShareExtension {
}
if (selectedGroup == null) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
new IOException("No common named group"));
return null; // make the complier happy
throw shc.conContext.fatal(
Alert.UNEXPECTED_MESSAGE, "No common named group");
}
byte[] extdata = new byte[] {
@ -861,9 +852,8 @@ final class KeyShareExtension {
// Is it a supported and enabled extension?
if (!shc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported key_share extension in HelloRetryRequest");
return null; // make the compiler happy.
}
CHKeyShareSpec spec = (CHKeyShareSpec)shc.handshakeExtensions.get(
@ -903,17 +893,15 @@ final class KeyShareExtension {
// Is it a supported and enabled extension?
if (!chc.sslConfig.isAvailable(SSLExtension.HRR_KEY_SHARE)) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported key_share extension in HelloRetryRequest");
return; // make the compiler happy.
}
if (chc.clientRequestedNamedGroups == null ||
chc.clientRequestedNamedGroups.isEmpty()) {
// No supported groups.
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected key_share extension in HelloRetryRequest");
return; // make the compiler happy.
}
// Parse the extension
@ -921,23 +909,20 @@ final class KeyShareExtension {
try {
spec = new HRRKeyShareSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
NamedGroup serverGroup = NamedGroup.valueOf(spec.selectedGroup);
if (serverGroup == null) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported HelloRetryRequest selected group: " +
NamedGroup.nameOf(spec.selectedGroup));
return; // fatal() always throws, make the compiler happy.
}
if (!chc.clientRequestedNamedGroups.contains(serverGroup)) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected HelloRetryRequest selected group: " +
serverGroup.name);
return; // fatal() always throws, make the compiler happy.
}
// update the context

38
src/java.base/share/classes/sun/security/ssl/KeyUpdate.java
View file

@ -78,7 +78,7 @@ final class KeyUpdate {
super(context);
if (m.remaining() != 1) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"KeyUpdate has an unexpected length of "+
m.remaining());
}
@ -86,7 +86,7 @@ final class KeyUpdate {
byte request = m.get();
this.status = KeyUpdateRequest.valueOf(request);
if (status == null) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid KeyUpdate message value: " +
KeyUpdateRequest.nameOf(request));
}
@ -198,18 +198,17 @@ final class KeyUpdate {
SSLTrafficKeyDerivation.valueOf(hc.conContext.protocolVersion);
if (kdg == null) {
// unlikely
hc.conContext.fatal(Alert.INTERNAL_ERROR,
throw hc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
hc.conContext.protocolVersion);
return;
}
SSLKeyDerivation skd = kdg.createKeyDerivation(hc,
hc.conContext.inputRecord.readCipher.baseSecret);
if (skd == null) {
// unlikely
hc.conContext.fatal(Alert.INTERNAL_ERROR, "no key derivation");
return;
throw hc.conContext.fatal(
Alert.INTERNAL_ERROR, "no key derivation");
}
SecretKey nplus1 = skd.deriveKey("TlsUpdateNplus1", null);
@ -223,15 +222,22 @@ final class KeyUpdate {
Authenticator.valueOf(hc.conContext.protocolVersion),
hc.conContext.protocolVersion, key, ivSpec,
hc.sslContext.getSecureRandom());
if (rc == null) {
throw hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + hc.negotiatedCipherSuite +
") and protocol version (" + hc.negotiatedProtocol +
")");
}
rc.baseSecret = nplus1;
hc.conContext.inputRecord.changeReadCiphers(rc);
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
SSLLogger.fine("KeyUpdate: read key updated");
}
} catch (GeneralSecurityException gse) {
hc.conContext.fatal(Alert.INTERNAL_ERROR,
throw hc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failure to derive read secrets", gse);
return;
}
if (km.status == KeyUpdateRequest.REQUESTED) {
@ -271,18 +277,17 @@ final class KeyUpdate {
SSLTrafficKeyDerivation.valueOf(hc.conContext.protocolVersion);
if (kdg == null) {
// unlikely
hc.conContext.fatal(Alert.INTERNAL_ERROR,
throw hc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
hc.conContext.protocolVersion);
return null;
}
SSLKeyDerivation skd = kdg.createKeyDerivation(hc,
hc.conContext.outputRecord.writeCipher.baseSecret);
if (skd == null) {
// unlikely
hc.conContext.fatal(Alert.INTERNAL_ERROR, "no key derivation");
return null;
throw hc.conContext.fatal(
Alert.INTERNAL_ERROR, "no key derivation");
}
SecretKey nplus1 = skd.deriveKey("TlsUpdateNplus1", null);
@ -298,9 +303,14 @@ final class KeyUpdate {
hc.conContext.protocolVersion, key, ivSpec,
hc.sslContext.getSecureRandom());
} catch (GeneralSecurityException gse) {
hc.conContext.fatal(Alert.INTERNAL_ERROR,
throw hc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failure to derive write secrets", gse);
return null;
}
if (wc == null) {
throw hc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + hc.negotiatedCipherSuite +
") and protocol version (" + hc.negotiatedProtocol + ")");
}
// Output the handshake message and change the write cipher.

23
src/java.base/share/classes/sun/security/ssl/MaxFragExtension.java
View file

@ -253,13 +253,12 @@ final class MaxFragExtension {
try {
spec = new MaxFragLenSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
MaxFragLenEnum mfle = MaxFragLenEnum.valueOf(spec.id);
if (mfle == null) {
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"the requested maximum fragment length is other " +
"than the allowed values");
}
@ -359,7 +358,7 @@ final class MaxFragExtension {
MaxFragLenSpec requestedSpec = (MaxFragLenSpec)
chc.handshakeExtensions.get(CH_MAX_FRAGMENT_LENGTH);
if (requestedSpec == null) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected max_fragment_length extension in ServerHello");
}
@ -368,18 +367,17 @@ final class MaxFragExtension {
try {
spec = new MaxFragLenSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
if (spec.id != requestedSpec.id) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"The maximum fragment length response is not requested");
}
MaxFragLenEnum mfle = MaxFragLenEnum.valueOf(spec.id);
if (mfle == null) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"the requested maximum fragment length is other " +
"than the allowed values");
}
@ -532,7 +530,7 @@ final class MaxFragExtension {
MaxFragLenSpec requestedSpec = (MaxFragLenSpec)
chc.handshakeExtensions.get(CH_MAX_FRAGMENT_LENGTH);
if (requestedSpec == null) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected max_fragment_length extension in ServerHello");
}
@ -541,18 +539,17 @@ final class MaxFragExtension {
try {
spec = new MaxFragLenSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
if (spec.id != requestedSpec.id) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"The maximum fragment length response is not requested");
}
MaxFragLenEnum mfle = MaxFragLenEnum.valueOf(spec.id);
if (mfle == null) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"the requested maximum fragment length is other " +
"than the allowed values");
}

8
src/java.base/share/classes/sun/security/ssl/NewSessionTicket.java
View file

@ -86,7 +86,7 @@ final class NewSessionTicket {
// Extension extensions<0..2^16-2>;
// } NewSessionTicket;
if (m.remaining() < 14) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid NewSessionTicket message: no sufficient data");
}
@ -95,18 +95,18 @@ final class NewSessionTicket {
this.ticketNonce = Record.getBytes8(m);
if (m.remaining() < 5) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid NewSessionTicket message: no sufficient data");
}
this.ticket = Record.getBytes16(m);
if (ticket.length == 0) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No ticket in the NewSessionTicket handshake message");
}
if (m.remaining() < 2) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid NewSessionTicket message: no sufficient data");
}

7
src/java.base/share/classes/sun/security/ssl/PostHandshakeContext.java
View file

@ -43,7 +43,7 @@ final class PostHandshakeContext extends HandshakeContext {
super(context);
if (!negotiatedProtocol.useTLS13PlusSpec()) {
conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Post-handshake not supported in " + negotiatedProtocol.name);
}
@ -63,16 +63,15 @@ final class PostHandshakeContext extends HandshakeContext {
void dispatch(byte handshakeType, ByteBuffer fragment) throws IOException {
SSLConsumer consumer = handshakeConsumers.get(handshakeType);
if (consumer == null) {
conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected post-handshake message: " +
SSLHandshake.nameOf(handshakeType));
return;
}
try {
consumer.consume(this, fragment);
} catch (UnsupportedOperationException unsoe) {
conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unsupported post-handshake message: " +
SSLHandshake.nameOf(handshakeType), unsoe);
}

71
src/java.base/share/classes/sun/security/ssl/PreSharedKeyExtension.java
View file

@ -111,14 +111,14 @@ final class PreSharedKeyExtension {
// PskBinderEntry binders<33..2^16-1>;
// } OfferedPsks;
if (m.remaining() < 44) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid pre_shared_key extension: " +
"insufficient data (length=" + m.remaining() + ")");
}
int idEncodedLength = Record.getInt16(m);
if (idEncodedLength < 7) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid pre_shared_key extension: " +
"insufficient identities (length=" + idEncodedLength + ")");
}
@ -128,7 +128,7 @@ final class PreSharedKeyExtension {
while (idReadLength < idEncodedLength) {
byte[] id = Record.getBytes16(m);
if (id.length < 1) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid pre_shared_key extension: " +
"insufficient identity (length=" + id.length + ")");
}
@ -140,7 +140,7 @@ final class PreSharedKeyExtension {
}
if (m.remaining() < 35) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid pre_shared_key extension: " +
"insufficient binders data (length=" +
m.remaining() + ")");
@ -148,7 +148,7 @@ final class PreSharedKeyExtension {
int bindersEncodedLen = Record.getInt16(m);
if (bindersEncodedLen < 33) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid pre_shared_key extension: " +
"insufficient binders (length=" +
bindersEncodedLen + ")");
@ -159,7 +159,7 @@ final class PreSharedKeyExtension {
while (bindersReadLength < bindersEncodedLen) {
byte[] binder = Record.getBytes8(m);
if (binder.length < 32) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid pre_shared_key extension: " +
"insufficient binder entry (length=" +
binder.length + ")");
@ -171,7 +171,7 @@ final class PreSharedKeyExtension {
int getIdsEncodedLength() {
int idEncodedLength = 0;
for(PskIdentity curId : identities) {
for (PskIdentity curId : identities) {
idEncodedLength += curId.getEncodedLength();
}
@ -194,7 +194,7 @@ final class PreSharedKeyExtension {
byte[] buffer = new byte[encodedLength];
ByteBuffer m = ByteBuffer.wrap(buffer);
Record.putInt16(m, idsEncodedLength);
for(PskIdentity curId : identities) {
for (PskIdentity curId : identities) {
curId.writeEncoded(m);
}
Record.putInt16(m, bindersEncodedLength);
@ -271,7 +271,7 @@ final class PreSharedKeyExtension {
SHPreSharedKeySpec(HandshakeContext context,
ByteBuffer m) throws IOException {
if (m.remaining() < 2) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Invalid pre_shared_key extension: " +
"insufficient selected_identity (length=" +
m.remaining() + ")");
@ -348,21 +348,20 @@ final class PreSharedKeyExtension {
try {
pskSpec = new CHPreSharedKeySpec(shc, buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// The "psk_key_exchange_modes" extension should have been loaded.
if (!shc.handshakeExtensions.containsKey(
SSLExtension.PSK_KEY_EXCHANGE_MODES)) {
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Client sent PSK but not PSK modes, or the PSK " +
"extension is not the last extension");
}
// error if id and binder lists are not the same length
if (pskSpec.identities.size() != pskSpec.binders.size()) {
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"PSK extension has incorrect number of binders");
}
@ -506,7 +505,7 @@ final class PreSharedKeyExtension {
SHPreSharedKeySpec shPsk = (SHPreSharedKeySpec)
shc.handshakeExtensions.get(SSLExtension.SH_PRE_SHARED_KEY);
if (chPsk == null || shPsk == null) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Required extensions are unavailable");
}
@ -533,17 +532,17 @@ final class PreSharedKeyExtension {
HandshakeHash pskBinderHash, byte[] binder) throws IOException {
Optional<SecretKey> pskOpt = session.getPreSharedKey();
if (!pskOpt.isPresent()) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Session has no PSK");
}
SecretKey psk = pskOpt.get();
SecretKey binderKey = deriveBinderKey(psk, session);
SecretKey binderKey = deriveBinderKey(shc, psk, session);
byte[] computedBinder =
computeBinder(binderKey, session, pskBinderHash);
computeBinder(shc, binderKey, session, pskBinderHash);
if (!Arrays.equals(binder, computedBinder)) {
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Incorect PSK binder value");
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Incorect PSK binder value");
}
}
@ -687,13 +686,14 @@ final class PreSharedKeyExtension {
ageMillis + chc.resumingSession.getTicketAgeAdd();
identities.add(new PskIdentity(chc.pskIdentity, obfuscatedAge));
SecretKey binderKey = deriveBinderKey(psk, chc.resumingSession);
SecretKey binderKey =
deriveBinderKey(chc, psk, chc.resumingSession);
ClientHelloMessage clientHello = (ClientHelloMessage)message;
CHPreSharedKeySpec pskPrototype = createPskPrototype(
chc.resumingSession.getSuite().hashAlg.hashLength, identities);
HandshakeHash pskBinderHash = chc.handshakeHash.copy();
byte[] binder = computeBinder(binderKey, pskBinderHash,
byte[] binder = computeBinder(chc, binderKey, pskBinderHash,
chc.resumingSession, chc, clientHello, pskPrototype);
List<byte[]> binders = new ArrayList<>();
@ -717,7 +717,8 @@ final class PreSharedKeyExtension {
}
}
private static byte[] computeBinder(SecretKey binderKey,
private static byte[] computeBinder(
HandshakeContext context, SecretKey binderKey,
SSLSessionImpl session,
HandshakeHash pskBinderHash) throws IOException {
@ -726,10 +727,11 @@ final class PreSharedKeyExtension {
pskBinderHash.update();
byte[] digest = pskBinderHash.digest();
return computeBinder(binderKey, session, digest);
return computeBinder(context, binderKey, session, digest);
}
private static byte[] computeBinder(SecretKey binderKey,
private static byte[] computeBinder(
HandshakeContext context, SecretKey binderKey,
HandshakeHash hash, SSLSessionImpl session,
HandshakeContext ctx, ClientHello.ClientHelloMessage hello,
CHPreSharedKeySpec pskPrototype) throws IOException {
@ -745,10 +747,11 @@ final class PreSharedKeyExtension {
hash.update();
byte[] digest = hash.digest();
return computeBinder(binderKey, session, digest);
return computeBinder(context, binderKey, session, digest);
}
private static byte[] computeBinder(SecretKey binderKey,
private static byte[] computeBinder(HandshakeContext context,
SecretKey binderKey,
SSLSessionImpl session, byte[] digest) throws IOException {
try {
CipherSuite.HashAlg hashAlg = session.getSuite().hashAlg;
@ -766,15 +769,15 @@ final class PreSharedKeyExtension {
hmac.init(finishedKey);
return hmac.doFinal(digest);
} catch (NoSuchAlgorithmException | InvalidKeyException ex) {
throw new IOException(ex);
throw context.conContext.fatal(Alert.INTERNAL_ERROR, ex);
}
} catch (GeneralSecurityException ex) {
throw new IOException(ex);
throw context.conContext.fatal(Alert.INTERNAL_ERROR, ex);
}
}
private static SecretKey deriveBinderKey(SecretKey psk,
SSLSessionImpl session) throws IOException {
private static SecretKey deriveBinderKey(HandshakeContext context,
SecretKey psk, SSLSessionImpl session) throws IOException {
try {
CipherSuite.HashAlg hashAlg = session.getSuite().hashAlg;
HKDF hkdf = new HKDF(hashAlg.name);
@ -788,7 +791,7 @@ final class PreSharedKeyExtension {
return hkdf.expand(earlySecret,
hkdfInfo, hashAlg.hashLength, "TlsBinderKey");
} catch (GeneralSecurityException ex) {
throw new IOException(ex);
throw context.conContext.fatal(Alert.INTERNAL_ERROR, ex);
}
}
@ -827,7 +830,7 @@ final class PreSharedKeyExtension {
// Is it a response of the specific request?
if (!chc.handshakeExtensions.containsKey(
SSLExtension.CH_PRE_SHARED_KEY)) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Server sent unexpected pre_shared_key extension");
}
@ -838,13 +841,13 @@ final class PreSharedKeyExtension {
}
if (shPsk.selectedIdentity != 0) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Selected identity index is not in correct range.");
}
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine(
"Resuming session: ", chc.resumingSession);
"Resuming session: ", chc.resumingSession);
}
}
}

5
src/java.base/share/classes/sun/security/ssl/PskKeyExchangeModesExtension.java
View file

@ -201,8 +201,7 @@ final class PskKeyExchangeModesExtension {
try {
spec = new PskKeyExchangeModesSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@ -324,7 +323,7 @@ final class PskKeyExchangeModesExtension {
SSLExtensionSpec spec =
shc.handshakeExtensions.get(SSLExtension.CH_PRE_SHARED_KEY);
if (spec != null) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"pre_shared_key key extension is offered " +
"without a psk_key_exchange_modes extension");
}

24
src/java.base/share/classes/sun/security/ssl/RSAClientKeyExchange.java
View file

@ -75,7 +75,7 @@ final class RSAClientKeyExchange {
super(context);
if (m.remaining() < 2) {
context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid RSA ClientKeyExchange message: insufficient data");
}
@ -167,14 +167,14 @@ final class RSAClientKeyExchange {
}
if (rsaCredentials == null && x509Credentials == null) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No RSA credentials negotiated for client key exchange");
}
PublicKey publicKey = (rsaCredentials != null) ?
rsaCredentials.popPublicKey : x509Credentials.popPublicKey;
if (!publicKey.getAlgorithm().equals("RSA")) { // unlikely
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Not RSA public key for client key exchange");
}
@ -186,10 +186,8 @@ final class RSAClientKeyExchange {
ckem = new RSAClientKeyExchangeMessage(
chc, premaster, publicKey);
} catch (GeneralSecurityException gse) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Cannot generate RSA premaster secret", gse);
return null; // make the compiler happy
}
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine(
@ -205,7 +203,7 @@ final class RSAClientKeyExchange {
chc.negotiatedCipherSuite.keyExchange,
chc.negotiatedProtocol);
if (ke == null) { // unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key exchange type");
} else {
SSLKeyDerivation masterKD = ke.createKeyDerivation(chc);
@ -217,7 +215,7 @@ final class RSAClientKeyExchange {
SSLTrafficKeyDerivation kd =
SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
if (kd == null) { // unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
chc.negotiatedProtocol);
} else {
@ -262,14 +260,14 @@ final class RSAClientKeyExchange {
}
if (rsaPossession == null && x509Possession == null) { // unlikely
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No RSA possessions negotiated for client key exchange");
}
PrivateKey privateKey = (rsaPossession != null) ?
rsaPossession.popPrivateKey : x509Possession.popPrivateKey;
if (!privateKey.getAlgorithm().equals("RSA")) { // unlikely
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Not RSA private key for client key exchange");
}
@ -287,7 +285,7 @@ final class RSAClientKeyExchange {
RSAPremasterSecret.decode(shc, privateKey, ckem.encrypted);
shc.handshakeCredentials.add(premaster);
} catch (GeneralSecurityException gse) {
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Cannot decode RSA premaster secret", gse);
}
@ -296,7 +294,7 @@ final class RSAClientKeyExchange {
shc.negotiatedCipherSuite.keyExchange,
shc.negotiatedProtocol);
if (ke == null) { // unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key exchange type");
} else {
SSLKeyDerivation masterKD = ke.createKeyDerivation(shc);
@ -308,7 +306,7 @@ final class RSAClientKeyExchange {
SSLTrafficKeyDerivation kd =
SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
if (kd == null) { // unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
shc.negotiatedProtocol);
} else {

2
src/java.base/share/classes/sun/security/ssl/RSAKeyExchange.java
View file

@ -274,7 +274,7 @@ final class RSAKeyExchange {
}
if (premaster == null) {
context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw context.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No sufficient RSA key agreement parameters negotiated");
}

21
src/java.base/share/classes/sun/security/ssl/RSAServerKeyExchange.java
View file

@ -94,7 +94,7 @@ final class RSAServerKeyExchange {
signature = signer.sign();
} catch (NoSuchAlgorithmException |
InvalidKeyException | SignatureException ex) {
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failed to sign ephemeral RSA parameters", ex);
}
@ -122,7 +122,7 @@ final class RSAServerKeyExchange {
}
if (x509Credentials == null) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No RSA credentials negotiated for server key exchange");
}
@ -133,12 +133,12 @@ final class RSAServerKeyExchange {
chc.clientHelloRandom.randomBytes,
chc.serverHelloRandom.randomBytes);
if (!signer.verify(paramsSignature)) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid signature of RSA ServerKeyExchange message");
}
} catch (NoSuchAlgorithmException |
InvalidKeyException | SignatureException ex) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Failed to sign ephemeral RSA parameters", ex);
}
}
@ -250,12 +250,12 @@ final class RSAServerKeyExchange {
return null;
} else if (x509Possession == null) {
// unlikely
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No RSA certificate negotiated for server key exchange");
} else if (!"RSA".equals(
x509Possession.popPrivateKey.getAlgorithm())) {
// unlikely
shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"No X.509 possession can be used for " +
"ephemeral RSA ServerKeyExchange");
}
@ -312,15 +312,13 @@ final class RSAServerKeyExchange {
new BigInteger(1, skem.exponent));
publicKey = (RSAPublicKey)kf.generatePublic(spec);
} catch (GeneralSecurityException gse) {
chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
"Could not generate RSAPublicKey", gse);
return; // make the compiler happy
}
if (!chc.algorithmConstraints.permits(
EnumSet.of(CryptoPrimitive.KEY_AGREEMENT), publicKey)) {
chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
throw chc.conContext.fatal(Alert.INSUFFICIENT_SECURITY,
"RSA ServerKeyExchange does not comply to " +
"algorithm constraints");
}
@ -328,7 +326,8 @@ final class RSAServerKeyExchange {
//
// update
//
chc.handshakeCredentials.add(new EphemeralRSACredentials(publicKey));
chc.handshakeCredentials.add(
new EphemeralRSACredentials(publicKey));
//
// produce

40
src/java.base/share/classes/sun/security/ssl/RenegoInfoExtension.java
View file

@ -185,12 +185,10 @@ final class RenegoInfoExtension {
return null;
} else {
// terminate the session.
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"insecure renegotiation is not allowed");
}
}
return null;
}
}
@ -226,14 +224,13 @@ final class RenegoInfoExtension {
try {
spec = new RenegotiationInfoSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
if (!shc.conContext.isNegotiated) {
// initial handshaking.
if (spec.renegotiatedConnection.length != 0) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid renegotiation_info extension data: not empty");
}
shc.conContext.secureRenegotiation = true;
@ -241,14 +238,14 @@ final class RenegoInfoExtension {
if (!shc.conContext.secureRenegotiation) {
// Unexpected RI extension for insecure renegotiation,
// abort the handshake with a fatal handshake_failure alert.
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"The renegotiation_info is present in a insecure " +
"renegotiation");
} else {
// verify the client_verify_data value
if (!Arrays.equals(shc.conContext.clientVerifyData,
spec.renegotiatedConnection)) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid renegotiation_info extension data: " +
"incorrect verify data in ClientHello");
}
@ -295,7 +292,7 @@ final class RenegoInfoExtension {
}
if (!HandshakeContext.allowLegacyHelloMessages) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Failed to negotiate the use of secure renegotiation");
} // otherwise, allow legacy hello message
@ -307,7 +304,7 @@ final class RenegoInfoExtension {
shc.conContext.secureRenegotiation = false;
} else if (shc.conContext.secureRenegotiation) {
// Require secure renegotiation, terminate the connection.
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Inconsistent secure renegotiation indication");
} else { // renegotiation, not secure
if (HandshakeContext.allowUnsafeRenegotiation) {
@ -320,7 +317,7 @@ final class RenegoInfoExtension {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine("Terminate insecure renegotiation");
}
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsafe renegotiation is not allowed");
}
}
@ -430,7 +427,7 @@ final class RenegoInfoExtension {
if (requestedSpec == null &&
!chc.activeCipherSuites.contains(
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Missing renegotiation_info and SCSV detected in " +
"ClientHello");
}
@ -440,8 +437,7 @@ final class RenegoInfoExtension {
try {
spec = new RenegotiationInfoSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
@ -452,7 +448,7 @@ final class RenegoInfoExtension {
// and if it is not, MUST abort the handshake (by sending
// a fatal handshake_failure alert). [RFC 5746]
if (spec.renegotiatedConnection.length != 0) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid renegotiation_info in ServerHello: " +
"not empty renegotiated_connection");
}
@ -467,7 +463,7 @@ final class RenegoInfoExtension {
int infoLen = chc.conContext.clientVerifyData.length +
chc.conContext.serverVerifyData.length;
if (spec.renegotiatedConnection.length != infoLen) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid renegotiation_info in ServerHello: " +
"invalid renegotiated_connection length (" +
spec.renegotiatedConnection.length + ")");
@ -476,14 +472,14 @@ final class RenegoInfoExtension {
byte[] cvd = chc.conContext.clientVerifyData;
if (!Arrays.equals(spec.renegotiatedConnection,
0, cvd.length, cvd, 0, cvd.length)) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid renegotiation_info in ServerHello: " +
"unmatched client_verify_data value");
}
byte[] svd = chc.conContext.serverVerifyData;
if (!Arrays.equals(spec.renegotiatedConnection,
cvd.length, infoLen, svd, 0, svd.length)) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Invalid renegotiation_info in ServerHello: " +
"unmatched server_verify_data value");
}
@ -516,7 +512,7 @@ final class RenegoInfoExtension {
if (requestedSpec == null &&
!chc.activeCipherSuites.contains(
CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV)) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Missing renegotiation_info and SCSV detected in " +
"ClientHello");
}
@ -524,7 +520,7 @@ final class RenegoInfoExtension {
if (!chc.conContext.isNegotiated) {
// initial handshaking.
if (!HandshakeContext.allowLegacyHelloMessages) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Failed to negotiate the use of secure renegotiation");
} // otherwise, allow legacy hello message
@ -536,7 +532,7 @@ final class RenegoInfoExtension {
chc.conContext.secureRenegotiation = false;
} else if (chc.conContext.secureRenegotiation) {
// Require secure renegotiation, terminate the connection.
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Inconsistent secure renegotiation indication");
} else { // renegotiation, not secure
if (HandshakeContext.allowUnsafeRenegotiation) {
@ -549,7 +545,7 @@ final class RenegoInfoExtension {
if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
SSLLogger.fine("Terminate insecure renegotiation");
}
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Unsafe renegotiation is not allowed");
}
}

2
src/java.base/share/classes/sun/security/ssl/SSLConfiguration.java
View file

@ -29,8 +29,6 @@ import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.AlgorithmConstraints;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;

41
src/java.base/share/classes/sun/security/ssl/SSLEngineImpl.java
View file

@ -102,10 +102,10 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
try {
conContext.kickstart();
} catch (IOException ioe) {
conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Couldn't kickstart handshaking", ioe);
} catch (Exception ex) { // including RuntimeException
conContext.fatal(Alert.INTERNAL_ERROR,
throw conContext.fatal(Alert.INTERNAL_ERROR,
"Fail to begin handshake", ex);
}
}
@ -137,16 +137,14 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
} catch (SSLProtocolException spe) {
// may be an unexpected handshake message
conContext.fatal(Alert.UNEXPECTED_MESSAGE, spe);
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE, spe);
} catch (IOException ioe) {
conContext.fatal(Alert.INTERNAL_ERROR,
throw conContext.fatal(Alert.INTERNAL_ERROR,
"problem wrapping app data", ioe);
} catch (Exception ex) { // including RuntimeException
conContext.fatal(Alert.INTERNAL_ERROR,
throw conContext.fatal(Alert.INTERNAL_ERROR,
"Fail to wrap application data", ex);
}
return null; // make compiler happy
}
private SSLEngineResult writeRecord(
@ -249,6 +247,19 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
hsStatus = ciphertext.handshakeStatus;
} else {
hsStatus = getHandshakeStatus();
if (ciphertext == null && !conContext.isNegotiated &&
conContext.isInboundClosed() &&
hsStatus == HandshakeStatus.NEED_WRAP) {
// Even the outboud is open, no futher data could be wrapped as:
// 1. the outbound is empty
// 2. no negotiated connection
// 3. the inbound has closed, cannot complete the handshake
//
// Mark the engine as closed if the handshake status is
// NEED_WRAP. Otherwise, it could lead to dead loops in
// applications.
status = Status.CLOSED;
}
}
int deltaSrcs = srcsRemains;
@ -275,13 +286,13 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
} catch (SSLHandshakeException she) {
// may be record sequence number overflow
conContext.fatal(Alert.HANDSHAKE_FAILURE, she);
throw conContext.fatal(Alert.HANDSHAKE_FAILURE, she);
} catch (IOException e) {
conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
}
if (ciphertext == null) {
return Ciphertext.CIPHERTEXT_NULL;
return null;
}
// Is the handshake completed?
@ -444,7 +455,7 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
srcs, srcsOffset, srcsLength, dsts, dstsOffset, dstsLength);
} catch (SSLProtocolException spe) {
// may be an unexpected handshake message
conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE,
spe.getMessage(), spe);
} catch (IOException ioe) {
/*
@ -453,14 +464,12 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
* got us into this situation, so report that much back.
* Our days of consuming are now over anyway.
*/
conContext.fatal(Alert.INTERNAL_ERROR,
throw conContext.fatal(Alert.INTERNAL_ERROR,
"problem unwrapping net record", ioe);
} catch (Exception ex) { // including RuntimeException
conContext.fatal(Alert.INTERNAL_ERROR,
throw conContext.fatal(Alert.INTERNAL_ERROR,
"Fail to unwrap network record", ex);
}
return null; // make compiler happy
}
private SSLEngineResult readRecord(
@ -721,7 +730,7 @@ final class SSLEngineImpl extends SSLEngine implements SSLTransport {
if (!conContext.isInputCloseNotified &&
(conContext.isNegotiated || conContext.handshakeContext != null)) {
conContext.fatal(Alert.INTERNAL_ERROR,
throw conContext.fatal(Alert.INTERNAL_ERROR,
"closing inbound before receiving peer's close_notify");
}

7
src/java.base/share/classes/sun/security/ssl/SSLExtensions.java
View file

@ -60,7 +60,8 @@ final class SSLExtensions {
int extId = Record.getInt16(m);
int extLen = Record.getInt16(m);
if (extLen > m.remaining()) {
hm.handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw hm.handshakeContext.conContext.fatal(
Alert.ILLEGAL_PARAMETER,
"Error parsing extension (" + extId +
"): no sufficient data");
}
@ -86,7 +87,7 @@ final class SSLExtensions {
"in the ServerHello handshake message");
}
} else {
hm.handshakeContext.conContext.fatal(
throw hm.handshakeContext.conContext.fatal(
Alert.UNSUPPORTED_EXTENSION,
"extension (" + extId +
") should not be presented in " + handshakeType.name);
@ -102,7 +103,7 @@ final class SSLExtensions {
}
if (extension.handshakeType != handshakeType) {
hm.handshakeContext.conContext.fatal(
throw hm.handshakeContext.conContext.fatal(
Alert.UNSUPPORTED_EXTENSION,
"extension (" + extId + ") should not be " +
"presented in " + handshakeType.name);

42
src/java.base/share/classes/sun/security/ssl/SSLSocketImpl.java
View file

@ -402,7 +402,7 @@ public final class SSLSocketImpl
readHandshakeRecord();
}
} catch (IOException ioe) {
conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Couldn't kickstart handshaking", ioe);
} catch (Exception oe) { // including RuntimeException
handleException(oe);
@ -608,7 +608,12 @@ public final class SSLSocketImpl
}
} else {
if (!conContext.isInboundClosed()) {
conContext.inputRecord.close();
try (conContext.inputRecord) {
// Try the best to use up the input records and close the
// socket gracefully, without impact the performance too
// much.
appInput.deplete();
}
}
if ((autoClose || !isLayered()) && !super.isInputShutdown()) {
@ -642,7 +647,7 @@ public final class SSLSocketImpl
if (checkCloseNotify && !conContext.isInputCloseNotified &&
(conContext.isNegotiated || conContext.handshakeContext != null)) {
conContext.fatal(Alert.INTERNAL_ERROR,
throw conContext.fatal(Alert.INTERNAL_ERROR,
"closing inbound before receiving peer's close_notify");
}
@ -907,6 +912,30 @@ public final class SSLSocketImpl
return false;
}
/**
* Try the best to use up the input records so as to close the
* socket gracefully, without impact the performance too much.
*/
private synchronized void deplete() {
if (!conContext.isInboundClosed()) {
if (!(conContext.inputRecord instanceof SSLSocketInputRecord)) {
return;
}
SSLSocketInputRecord socketInputRecord =
(SSLSocketInputRecord)conContext.inputRecord;
try {
socketInputRecord.deplete(
conContext.isNegotiated && (getSoTimeout() > 0));
} catch (IOException ioe) {
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
SSLLogger.warning(
"input stream close depletion failed", ioe);
}
}
}
}
}
@Override
@ -982,9 +1011,9 @@ public final class SSLSocketImpl
conContext.outputRecord.deliver(b, off, len);
} catch (SSLHandshakeException she) {
// may be record sequence number overflow
conContext.fatal(Alert.HANDSHAKE_FAILURE, she);
throw conContext.fatal(Alert.HANDSHAKE_FAILURE, she);
} catch (IOException e) {
conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
throw conContext.fatal(Alert.UNEXPECTED_MESSAGE, e);
}
// Is the sequence number is nearly overflow, or has the key usage
@ -1309,7 +1338,8 @@ public final class SSLSocketImpl
alert = Alert.INTERNAL_ERROR;
}
}
conContext.fatal(alert, cause);
throw conContext.fatal(alert, cause);
}
private Plaintext handleEOF(EOFException eofe) throws IOException {

13
src/java.base/share/classes/sun/security/ssl/SSLSocketInputRecord.java
View file

@ -463,4 +463,17 @@ final class SSLSocketInputRecord extends InputRecord implements SSLRecord {
return n;
}
// Try to use up the input stream without impact the performance too much.
void deplete(boolean tryToRead) throws IOException {
int remaining = is.available();
if (tryToRead && (remaining == 0)) {
// try to wait and read one byte if no buffered input
is.read();
}
while ((remaining = is.available()) != 0) {
is.skip(remaining);
}
}
}

10
src/java.base/share/classes/sun/security/ssl/SSLTransport.java
View file

@ -115,7 +115,7 @@ interface SSLTransport {
}
}
context.fatal(Alert.UNEXPECTED_MESSAGE, unsoe);
throw context.fatal(Alert.UNEXPECTED_MESSAGE, unsoe);
} catch (BadPaddingException bpe) {
/*
* The basic SSLv3 record protection involves (optional)
@ -126,15 +126,15 @@ interface SSLTransport {
Alert alert = (context.handshakeContext != null) ?
Alert.HANDSHAKE_FAILURE :
Alert.BAD_RECORD_MAC;
context.fatal(alert, bpe);
throw context.fatal(alert, bpe);
} catch (SSLHandshakeException she) {
// may be record sequence number overflow
context.fatal(Alert.HANDSHAKE_FAILURE, she);
throw context.fatal(Alert.HANDSHAKE_FAILURE, she);
} catch (EOFException eofe) {
// rethrow EOFException, the call will handle it if neede.
throw eofe;
} catch (IOException ioe) {
context.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
throw context.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
if (plaintexts == null || plaintexts.length == 0) {
@ -191,7 +191,7 @@ interface SSLTransport {
}
if (remains > 0) {
context.fatal(Alert.INTERNAL_ERROR,
throw context.fatal(Alert.INTERNAL_ERROR,
"no sufficient room in the destination buffers");
}
}

111
src/java.base/share/classes/sun/security/ssl/ServerHello.java
View file

@ -133,7 +133,7 @@ final class ServerHello {
this.serverVersion = ProtocolVersion.valueOf(major, minor);
if (this.serverVersion == null) {
// The client should only request for known protocol versions.
context.conContext.fatal(Alert.PROTOCOL_VERSION,
throw context.conContext.fatal(Alert.PROTOCOL_VERSION,
"Unsupported protocol version: " +
ProtocolVersion.nameOf(major, minor));
}
@ -143,20 +143,21 @@ final class ServerHello {
try {
sessionId.checkLength(serverVersion.id);
} catch (SSLProtocolException ex) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER, ex);
throw handshakeContext.conContext.fatal(
Alert.ILLEGAL_PARAMETER, ex);
}
int cipherSuiteId = Record.getInt16(m);
this.cipherSuite = CipherSuite.valueOf(cipherSuiteId);
if (cipherSuite == null || !context.isNegotiable(cipherSuite)) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Server selected improper ciphersuite " +
CipherSuite.nameOf(cipherSuiteId));
}
this.compressionMethod = m.get();
if (compressionMethod != 0) {
context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw context.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"compression type not supported, " + compressionMethod);
}
@ -293,10 +294,8 @@ final class ServerHello {
KeyExchangeProperties credentials =
chooseCipherSuite(shc, clientHello);
if (credentials == null) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"no cipher suites in common");
return null; // make the compiler happy
}
shc.negotiatedCipherSuite = credentials.cipherSuite;
shc.handshakeKeyExchange = credentials.keyExchange;
@ -374,7 +373,7 @@ final class ServerHello {
SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
if (kdg == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
shc.negotiatedProtocol);
} else {
@ -458,10 +457,8 @@ final class ServerHello {
}
}
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"no cipher suites in common");
return null; // make the compiler happy.
}
private static final class KeyExchangeProperties {
@ -524,9 +521,8 @@ final class ServerHello {
// negotiate the cipher suite.
CipherSuite cipherSuite = chooseCipherSuite(shc, clientHello);
if (cipherSuite == null) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"no cipher suites in common");
return null; // make the compiler happy
}
shc.negotiatedCipherSuite = cipherSuite;
shc.handshakeSession.setSuite(cipherSuite);
@ -592,9 +588,8 @@ final class ServerHello {
SSLKeyExchange ke = shc.handshakeKeyExchange;
if (ke == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not negotiated key shares");
return null; // make the compiler happy
}
SSLKeyDerivation handshakeKD = ke.createKeyDerivation(shc);
@ -605,10 +600,9 @@ final class ServerHello {
SSLTrafficKeyDerivation.valueOf(shc.negotiatedProtocol);
if (kdg == null) {
// unlikely
shc.conContext.fatal(Alert.INTERNAL_ERROR,
throw shc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
shc.negotiatedProtocol);
return null; // make the compiler happy
}
SSLKeyDerivation kd =
@ -634,9 +628,15 @@ final class ServerHello {
shc.sslContext.getSecureRandom());
} catch (GeneralSecurityException gse) {
// unlikely
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Missing cipher algorithm", gse);
return null; // make the compiler happy
}
if (readCipher == null) {
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + shc.negotiatedCipherSuite +
") and protocol version (" + shc.negotiatedProtocol +
")");
}
shc.baseReadSecret = readSecret;
@ -662,9 +662,15 @@ final class ServerHello {
shc.sslContext.getSecureRandom());
} catch (GeneralSecurityException gse) {
// unlikely
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Missing cipher algorithm", gse);
return null; // make the compiler happy
}
if (writeCipher == null) {
throw shc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + shc.negotiatedCipherSuite +
") and protocol version (" + shc.negotiatedProtocol +
")");
}
shc.baseWriteSecret = writeSecret;
@ -746,9 +752,8 @@ final class ServerHello {
CipherSuite cipherSuite =
T13ServerHelloProducer.chooseCipherSuite(shc, clientHello);
if (cipherSuite == null) {
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"no cipher suites in common for hello retry request");
return null; // make the compiler happy
}
ServerHelloMessage hhrm = new ServerHelloMessage(shc,
@ -857,7 +862,7 @@ final class ServerHello {
SSLHandshake.HELLO_VERIFY_REQUEST.id);
}
if (!chc.handshakeConsumers.isEmpty()) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"No more message expected before ServerHello is processed");
}
@ -895,14 +900,14 @@ final class ServerHello {
}
if (!chc.activeProtocols.contains(serverVersion)) {
chc.conContext.fatal(Alert.PROTOCOL_VERSION,
throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"The server selected protocol version " + serverVersion +
" is not accepted by client preferences " +
chc.activeProtocols);
}
if (!serverVersion.useTLS13PlusSpec()) {
chc.conContext.fatal(Alert.PROTOCOL_VERSION,
throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"Unexpected HelloRetryRequest for " + serverVersion.name);
}
@ -947,7 +952,7 @@ final class ServerHello {
}
if (!chc.activeProtocols.contains(serverVersion)) {
chc.conContext.fatal(Alert.PROTOCOL_VERSION,
throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"The server selected protocol version " + serverVersion +
" is not accepted by client preferences " +
chc.activeProtocols);
@ -964,7 +969,7 @@ final class ServerHello {
}
if (serverHello.serverRandom.isVersionDowngrade(chc)) {
chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"A potential protocol version downgrade attack");
}
@ -1007,7 +1012,7 @@ final class ServerHello {
ClientHandshakeContext chc = (ClientHandshakeContext)context;
ServerHelloMessage serverHello = (ServerHelloMessage)message;
if (!chc.isNegotiable(serverHello.serverVersion)) {
chc.conContext.fatal(Alert.PROTOCOL_VERSION,
throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"Server chose " + serverHello.serverVersion +
", but that protocol version is not enabled or " +
"not supported by the client.");
@ -1019,7 +1024,7 @@ final class ServerHello {
chc.negotiatedProtocol, chc.negotiatedCipherSuite);
chc.serverHelloRandom = serverHello.serverRandom;
if (chc.negotiatedCipherSuite.keyExchange == null) {
chc.conContext.fatal(Alert.PROTOCOL_VERSION,
throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"TLS 1.2 or prior version does not support the " +
"server cipher suite: " + chc.negotiatedCipherSuite.name);
}
@ -1045,7 +1050,7 @@ final class ServerHello {
// Verify that the session ciphers are unchanged.
CipherSuite sessionSuite = chc.resumingSession.getSuite();
if (chc.negotiatedCipherSuite != sessionSuite) {
chc.conContext.fatal(Alert.PROTOCOL_VERSION,
throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"Server returned wrong cipher suite for session");
}
@ -1053,7 +1058,7 @@ final class ServerHello {
ProtocolVersion sessionVersion =
chc.resumingSession.getProtocolVersion();
if (chc.negotiatedProtocol != sessionVersion) {
chc.conContext.fatal(Alert.PROTOCOL_VERSION,
throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"Server resumed with wrong protocol version");
}
@ -1072,7 +1077,7 @@ final class ServerHello {
}
chc.isResumption = false;
if (!chc.sslConfig.enableSessionCreation) {
chc.conContext.fatal(Alert.PROTOCOL_VERSION,
throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"New session creation is disabled");
}
}
@ -1091,7 +1096,7 @@ final class ServerHello {
}
if (!chc.sslConfig.enableSessionCreation) {
chc.conContext.fatal(Alert.PROTOCOL_VERSION,
throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"New session creation is disabled");
}
chc.handshakeSession = new SSLSessionImpl(chc,
@ -1112,7 +1117,7 @@ final class ServerHello {
SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
if (kdg == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
chc.negotiatedProtocol);
} else {
@ -1183,7 +1188,7 @@ final class ServerHello {
ClientHandshakeContext chc = (ClientHandshakeContext)context;
ServerHelloMessage serverHello = (ServerHelloMessage)message;
if (serverHello.serverVersion != ProtocolVersion.TLS12) {
chc.conContext.fatal(Alert.PROTOCOL_VERSION,
throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"The ServerHello.legacy_version field is not TLS 1.2");
}
@ -1208,7 +1213,7 @@ final class ServerHello {
}
if (!chc.sslConfig.enableSessionCreation) {
chc.conContext.fatal(Alert.PROTOCOL_VERSION,
throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"New session creation is disabled");
}
chc.handshakeSession = new SSLSessionImpl(chc,
@ -1221,7 +1226,7 @@ final class ServerHello {
Optional<SecretKey> psk =
chc.resumingSession.consumePreSharedKey();
if(!psk.isPresent()) {
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"No PSK available. Unable to resume.");
}
@ -1242,9 +1247,8 @@ final class ServerHello {
SSLKeyExchange ke = chc.handshakeKeyExchange;
if (ke == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not negotiated key shares");
return; // make the compiler happy
}
SSLKeyDerivation handshakeKD = ke.createKeyDerivation(chc);
@ -1254,10 +1258,9 @@ final class ServerHello {
SSLTrafficKeyDerivation.valueOf(chc.negotiatedProtocol);
if (kdg == null) {
// unlikely
chc.conContext.fatal(Alert.INTERNAL_ERROR,
throw chc.conContext.fatal(Alert.INTERNAL_ERROR,
"Not supported key derivation: " +
chc.negotiatedProtocol);
return; // make the compiler happy
}
SSLKeyDerivation secretKD =
@ -1284,9 +1287,15 @@ final class ServerHello {
chc.sslContext.getSecureRandom());
} catch (GeneralSecurityException gse) {
// unlikely
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Missing cipher algorithm", gse);
return; // make the compiler happy
}
if (readCipher == null) {
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + chc.negotiatedCipherSuite +
") and protocol version (" + chc.negotiatedProtocol +
")");
}
chc.baseReadSecret = readSecret;
@ -1312,9 +1321,15 @@ final class ServerHello {
chc.sslContext.getSecureRandom());
} catch (GeneralSecurityException gse) {
// unlikely
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Missing cipher algorithm", gse);
return; // make the compiler happy
}
if (writeCipher == null) {
throw chc.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Illegal cipher suite (" + chc.negotiatedCipherSuite +
") and protocol version (" + chc.negotiatedProtocol +
")");
}
chc.baseWriteSecret = writeSecret;
@ -1376,7 +1391,7 @@ final class ServerHello {
ClientHandshakeContext chc = (ClientHandshakeContext)context;
ServerHelloMessage helloRetryRequest = (ServerHelloMessage)message;
if (helloRetryRequest.serverVersion != ProtocolVersion.TLS12) {
chc.conContext.fatal(Alert.PROTOCOL_VERSION,
throw chc.conContext.fatal(Alert.PROTOCOL_VERSION,
"The HelloRetryRequest.legacy_version is not TLS 1.2");
}
@ -1406,7 +1421,7 @@ final class ServerHello {
chc.initialClientHelloMsg.write(hos);
} catch (IOException ioe) {
// unlikely
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"Failed to construct message hash", ioe);
}
chc.handshakeHash.deliver(hos.toByteArray());

2
src/java.base/share/classes/sun/security/ssl/ServerHelloDone.java
View file

@ -50,7 +50,7 @@ final class ServerHelloDone {
ByteBuffer m) throws IOException {
super(handshakeContext);
if (m.hasRemaining()) {
handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
throw handshakeContext.conContext.fatal(Alert.ILLEGAL_PARAMETER,
"Error parsing ServerHelloDone message: not empty");
}
}

5
src/java.base/share/classes/sun/security/ssl/ServerKeyExchange.java
View file

@ -68,9 +68,8 @@ final class ServerKeyExchange {
}
// not producer defined.
shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw shc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No ServerKeyExchange handshake message can be produced.");
return null; // make the compiler happe
}
}
@ -107,7 +106,7 @@ final class ServerKeyExchange {
}
// no consumer defined.
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected ServerKeyExchange handshake message.");
}
}

13
src/java.base/share/classes/sun/security/ssl/ServerNameExtension.java
View file

@ -295,8 +295,7 @@ final class ServerNameExtension {
try {
spec = new CHServerNamesSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@ -314,7 +313,7 @@ final class ServerNameExtension {
}
} else {
// We do not reject client without SNI extension currently.
shc.conContext.fatal(Alert.UNRECOGNIZED_NAME,
throw shc.conContext.fatal(Alert.UNRECOGNIZED_NAME,
"Unrecognized server name indication");
}
} else {
@ -483,13 +482,13 @@ final class ServerNameExtension {
CHServerNamesSpec spec = (CHServerNamesSpec)
chc.handshakeExtensions.get(CH_SERVER_NAME);
if (spec == null) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected ServerHello server_name extension");
}
// Parse the extension.
if (buffer.remaining() != 0) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid ServerHello server_name extension");
}
@ -570,13 +569,13 @@ final class ServerNameExtension {
CHServerNamesSpec spec = (CHServerNamesSpec)
chc.handshakeExtensions.get(CH_SERVER_NAME);
if (spec == null) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected EncryptedExtensions server_name extension");
}
// Parse the extension.
if (buffer.remaining() != 0) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE,
"Invalid EncryptedExtensions server_name extension");
}

16
src/java.base/share/classes/sun/security/ssl/SignatureAlgorithmsExtension.java
View file

@ -238,8 +238,7 @@ final class SignatureAlgorithmsExtension {
try {
spec = new SignatureSchemesSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@ -329,7 +328,7 @@ final class SignatureAlgorithmsExtension {
// We may support the server authentication other than X.509
// certificate later.
if (shc.negotiatedProtocol.useTLS13PlusSpec()) {
shc.conContext.fatal(Alert.MISSING_EXTENSION,
throw shc.conContext.fatal(Alert.MISSING_EXTENSION,
"No mandatory signature_algorithms extension in the " +
"received CertificateRequest handshake message");
}
@ -403,10 +402,9 @@ final class SignatureAlgorithmsExtension {
// handshake message in TLS 1.3.
if (!shc.sslConfig.isAvailable(
SSLExtension.CR_SIGNATURE_ALGORITHMS)) {
shc.conContext.fatal(Alert.MISSING_EXTENSION,
throw shc.conContext.fatal(Alert.MISSING_EXTENSION,
"No available signature_algorithms extension " +
"for client certificate authentication");
return null; // make the compiler happy
}
// Produce the extension.
@ -454,10 +452,9 @@ final class SignatureAlgorithmsExtension {
// handshake message in TLS 1.3.
if (!chc.sslConfig.isAvailable(
SSLExtension.CR_SIGNATURE_ALGORITHMS)) {
chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
throw chc.conContext.fatal(Alert.HANDSHAKE_FAILURE,
"No available signature_algorithms extension " +
"for client certificate authentication");
return; // make the compiler happy
}
// Parse the extension.
@ -465,8 +462,7 @@ final class SignatureAlgorithmsExtension {
try {
spec = new SignatureSchemesSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
List<SignatureScheme> knownSignatureSchemes = new LinkedList<>();
@ -545,7 +541,7 @@ final class SignatureAlgorithmsExtension {
// This is a mandatory extension for CertificateRequest handshake
// message in TLS 1.3.
chc.conContext.fatal(Alert.MISSING_EXTENSION,
throw chc.conContext.fatal(Alert.MISSING_EXTENSION,
"No mandatory signature_algorithms extension in the " +
"received CertificateRequest handshake message");
}

6
src/java.base/share/classes/sun/security/ssl/SupportedGroupsExtension.java
View file

@ -900,8 +900,7 @@ final class SupportedGroupsExtension {
try {
spec = new SupportedGroupsSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@ -1024,8 +1023,7 @@ final class SupportedGroupsExtension {
try {
spec = new SupportedGroupsSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.

9
src/java.base/share/classes/sun/security/ssl/SupportedVersionsExtension.java
View file

@ -225,8 +225,7 @@ final class SupportedVersionsExtension {
try {
spec = new CHSupportedVersionsSpec(buffer);
} catch (IOException ioe) {
shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw shc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@ -368,8 +367,7 @@ final class SupportedVersionsExtension {
try {
spec = new SHSupportedVersionsSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.
@ -458,8 +456,7 @@ final class SupportedVersionsExtension {
try {
spec = new SHSupportedVersionsSpec(buffer);
} catch (IOException ioe) {
chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
return; // fatal() always throws, make the compiler happy.
throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, ioe);
}
// Update the context.

37
src/java.base/share/classes/sun/security/ssl/TransportContext.java
View file

@ -148,9 +148,8 @@ class TransportContext implements ConnectionContext {
ContentType ct = ContentType.valueOf(plaintext.contentType);
if (ct == null) {
fatal(Alert.UNEXPECTED_MESSAGE,
throw fatal(Alert.UNEXPECTED_MESSAGE,
"Unknown content type: " + plaintext.contentType);
return;
}
switch (ct) {
@ -164,7 +163,7 @@ class TransportContext implements ConnectionContext {
protocolVersion.useTLS13PlusSpec()) {
handshakeContext = new PostHandshakeContext(this);
} else {
fatal(Alert.UNEXPECTED_MESSAGE,
throw fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected post-handshake message: " +
SSLHandshake.nameOf(type));
}
@ -185,7 +184,7 @@ class TransportContext implements ConnectionContext {
if (consumer != null) {
consumer.consume(this, plaintext.fragment);
} else {
fatal(Alert.UNEXPECTED_MESSAGE,
throw fatal(Alert.UNEXPECTED_MESSAGE,
"Unexpected content: " + plaintext.contentType);
}
}
@ -250,22 +249,22 @@ class TransportContext implements ConnectionContext {
}
}
void fatal(Alert alert,
SSLException fatal(Alert alert,
String diagnostic) throws SSLException {
fatal(alert, diagnostic, null);
return fatal(alert, diagnostic, null);
}
void fatal(Alert alert, Throwable cause) throws SSLException {
fatal(alert, null, cause);
SSLException fatal(Alert alert, Throwable cause) throws SSLException {
return fatal(alert, null, cause);
}
void fatal(Alert alert,
SSLException fatal(Alert alert,
String diagnostic, Throwable cause) throws SSLException {
fatal(alert, diagnostic, false, cause);
return fatal(alert, diagnostic, false, cause);
}
// Note: close_notify is not delivered via fatal() methods.
void fatal(Alert alert, String diagnostic,
SSLException fatal(Alert alert, String diagnostic,
boolean recvFatalAlert, Throwable cause) throws SSLException {
// If we've already shutdown because of an error, there is nothing we
// can do except rethrow the exception.
@ -328,6 +327,8 @@ class TransportContext implements ConnectionContext {
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
SSLLogger.warning("Fatal: input record closure failed", ioe);
}
closeReason.addSuppressed(ioe);
}
// invalidate the session
@ -353,6 +354,8 @@ class TransportContext implements ConnectionContext {
SSLLogger.warning(
"Fatal: failed to send fatal alert " + alert, ioe);
}
closeReason.addSuppressed(ioe);
}
}
@ -363,6 +366,8 @@ class TransportContext implements ConnectionContext {
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
SSLLogger.warning("Fatal: output record closure failed", ioe);
}
closeReason.addSuppressed(ioe);
}
// terminate the handshake context
@ -377,6 +382,8 @@ class TransportContext implements ConnectionContext {
if (SSLLogger.isOn && SSLLogger.isOn("ssl")) {
SSLLogger.warning("Fatal: transport closure failed", ioe);
}
closeReason.addSuppressed(ioe);
} finally {
isBroken = true;
}
@ -570,13 +577,7 @@ class TransportContext implements ConnectionContext {
} else if (!isOutboundClosed()) {
// Special case that the inbound was closed, but outbound open.
return HandshakeStatus.NEED_WRAP;
}
} else if (isOutboundClosed() && !isInboundClosed()) {
// Special case that the outbound was closed, but inbound open.
return HandshakeStatus.NEED_UNWRAP;
} else if (!isOutboundClosed() && isInboundClosed()) {
// Special case that the inbound was closed, but outbound open.
return HandshakeStatus.NEED_WRAP;
} // Otherwise, both inbound and outbound are closed.
}
return HandshakeStatus.NOT_HANDSHAKING;

67
src/java.base/share/classes/sun/security/tools/keytool/Resources_ja.java
View file

@ -61,16 +61,16 @@ public class Resources_ja extends java.util.ListResourceBundle {
{"Exports.certificate",
"\u8A3C\u660E\u66F8\u3092\u30A8\u30AF\u30B9\u30DD\u30FC\u30C8\u3057\u307E\u3059"}, //-exportcert
{"Generates.a.key.pair",
"\u9375\u30DA\u30A2\u3092\u751F\u6210\u3057\u307E\u3059"}, //-genkeypair
"\u30AD\u30FC\u30FB\u30DA\u30A2\u3092\u751F\u6210\u3057\u307E\u3059"}, //-genkeypair
{"Generates.a.secret.key",
"\u79D8\u5BC6\u9375\u3092\u751F\u6210\u3057\u307E\u3059"}, //-genseckey
"\u79D8\u5BC6\u30AD\u30FC\u3092\u751F\u6210\u3057\u307E\u3059"}, //-genseckey
{"Generates.certificate.from.a.certificate.request",
"\u8A3C\u660E\u66F8\u30EA\u30AF\u30A8\u30B9\u30C8\u304B\u3089\u8A3C\u660E\u66F8\u3092\u751F\u6210\u3057\u307E\u3059"}, //-gencert
{"Generates.CRL", "CRL\u3092\u751F\u6210\u3057\u307E\u3059"}, //-gencrl
{"Generated.keyAlgName.secret.key",
"{0}\u79D8\u5BC6\u9375\u3092\u751F\u6210\u3057\u307E\u3057\u305F"}, //-genseckey
"{0}\u79D8\u5BC6\u30AD\u30FC\u3092\u751F\u6210\u3057\u307E\u3057\u305F"}, //-genseckey
{"Generated.keysize.bit.keyAlgName.secret.key",
"{0}\u30D3\u30C3\u30C8{1}\u79D8\u5BC6\u9375\u3092\u751F\u6210\u3057\u307E\u3057\u305F"}, //-genseckey
"{0}\u30D3\u30C3\u30C8{1}\u79D8\u5BC6\u30AD\u30FC\u3092\u751F\u6210\u3057\u307E\u3057\u305F"}, //-genseckey
{"Imports.entries.from.a.JDK.1.1.x.style.identity.database",
"JDK 1.1.x-style\u30A2\u30A4\u30C7\u30F3\u30C6\u30A3\u30C6\u30A3\u30FB\u30C7\u30FC\u30BF\u30D9\u30FC\u30B9\u304B\u3089\u30A8\u30F3\u30C8\u30EA\u3092\u30A4\u30F3\u30DD\u30FC\u30C8\u3057\u307E\u3059"}, //-identitydb
{"Imports.a.certificate.or.a.certificate.chain",
@ -80,9 +80,9 @@ public class Resources_ja extends java.util.ListResourceBundle {
{"Imports.one.or.all.entries.from.another.keystore",
"\u5225\u306E\u30AD\u30FC\u30B9\u30C8\u30A2\u304B\u30891\u3064\u307E\u305F\u306F\u3059\u3079\u3066\u306E\u30A8\u30F3\u30C8\u30EA\u3092\u30A4\u30F3\u30DD\u30FC\u30C8\u3057\u307E\u3059"}, //-importkeystore
{"Clones.a.key.entry",
"\u9375\u30A8\u30F3\u30C8\u30EA\u306E\u30AF\u30ED\u30FC\u30F3\u3092\u4F5C\u6210\u3057\u307E\u3059"}, //-keyclone
"\u30AD\u30FC\u30FB\u30A8\u30F3\u30C8\u30EA\u306E\u30AF\u30ED\u30FC\u30F3\u3092\u4F5C\u6210\u3057\u307E\u3059"}, //-keyclone
{"Changes.the.key.password.of.an.entry",
"\u30A8\u30F3\u30C8\u30EA\u306E\u9375\u30D1\u30B9\u30EF\u30FC\u30C9\u3092\u5909\u66F4\u3057\u307E\u3059"}, //-keypasswd
"\u30A8\u30F3\u30C8\u30EA\u306E\u30AD\u30FC\u30FB\u30D1\u30B9\u30EF\u30FC\u30C9\u3092\u5909\u66F4\u3057\u307E\u3059"}, //-keypasswd
{"Lists.entries.in.a.keystore",
"\u30AD\u30FC\u30B9\u30C8\u30A2\u5185\u306E\u30A8\u30F3\u30C8\u30EA\u3092\u30EA\u30B9\u30C8\u3057\u307E\u3059"}, //-list
{"Prints.the.content.of.a.certificate",
@ -98,6 +98,8 @@ public class Resources_ja extends java.util.ListResourceBundle {
// keytool: help: options
{"alias.name.of.the.entry.to.process",
"\u51E6\u7406\u3059\u308B\u30A8\u30F3\u30C8\u30EA\u306E\u5225\u540D"}, //-alias
{"groupname.option.help",
"\u30B0\u30EB\u30FC\u30D7\u540D\u3002\u305F\u3068\u3048\u3070\u3001\u6955\u5186\u66F2\u7DDA\u540D\u3067\u3059\u3002"}, //-groupname
{"destination.alias",
"\u51FA\u529B\u5148\u306E\u5225\u540D"}, //-destalias
{"destination.key.password",
@ -121,11 +123,11 @@ public class Resources_ja extends java.util.ListResourceBundle {
{"input.file.name",
"\u5165\u529B\u30D5\u30A1\u30A4\u30EB\u540D"}, //-file and -infile
{"key.algorithm.name",
"\u9375\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0\u540D"}, //-keyalg
"\u30AD\u30FC\u30FB\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0\u540D"}, //-keyalg
{"key.password",
"\u9375\u306E\u30D1\u30B9\u30EF\u30FC\u30C9"}, //-keypass
"\u30AD\u30FC\u306E\u30D1\u30B9\u30EF\u30FC\u30C9"}, //-keypass
{"key.bit.size",
"\u9375\u306E\u30D3\u30C3\u30C8\u30FB\u30B5\u30A4\u30BA"}, //-keysize
"\u30AD\u30FC\u306E\u30D3\u30C3\u30C8\u30FB\u30B5\u30A4\u30BA"}, //-keysize
{"keystore.name",
"\u30AD\u30FC\u30B9\u30C8\u30A2\u540D"}, //-keystore
{"access.the.cacerts.keystore",
@ -196,7 +198,7 @@ public class Resources_ja extends java.util.ListResourceBundle {
{"Cannot.find.file.", "\u30D5\u30A1\u30A4\u30EB\u304C\u898B\u3064\u304B\u308A\u307E\u305B\u3093: "},
{"Command.option.flag.needs.an.argument.", "\u30B3\u30DE\u30F3\u30C9\u30FB\u30AA\u30D7\u30B7\u30E7\u30F3{0}\u306B\u306F\u5F15\u6570\u304C\u5FC5\u8981\u3067\u3059\u3002"},
{"Warning.Different.store.and.key.passwords.not.supported.for.PKCS12.KeyStores.Ignoring.user.specified.command.value.",
"\u8B66\u544A: PKCS12\u30AD\u30FC\u30B9\u30C8\u30A2\u3067\u306F\u3001\u30B9\u30C8\u30A2\u306E\u30D1\u30B9\u30EF\u30FC\u30C9\u3068\u9375\u306E\u30D1\u30B9\u30EF\u30FC\u30C9\u304C\u7570\u306A\u308B\u72B6\u6CC1\u306F\u30B5\u30DD\u30FC\u30C8\u3055\u308C\u307E\u305B\u3093\u3002\u30E6\u30FC\u30B6\u30FC\u304C\u6307\u5B9A\u3057\u305F{0}\u306E\u5024\u306F\u7121\u8996\u3057\u307E\u3059\u3002"},
"\u8B66\u544A: PKCS12\u30AD\u30FC\u30B9\u30C8\u30A2\u3067\u306F\u3001\u30B9\u30C8\u30A2\u306E\u30D1\u30B9\u30EF\u30FC\u30C9\u3068\u30AD\u30FC\u306E\u30D1\u30B9\u30EF\u30FC\u30C9\u304C\u7570\u306A\u308B\u72B6\u6CC1\u306F\u30B5\u30DD\u30FC\u30C8\u3055\u308C\u307E\u305B\u3093\u3002\u30E6\u30FC\u30B6\u30FC\u304C\u6307\u5B9A\u3057\u305F{0}\u306E\u5024\u306F\u7121\u8996\u3057\u307E\u3059\u3002"},
{"the.keystore.or.storetype.option.cannot.be.used.with.the.cacerts.option",
"-keystore\u307E\u305F\u306F-storetype\u30AA\u30D7\u30B7\u30E7\u30F3\u306F\u3001-cacerts\u30AA\u30D7\u30B7\u30E7\u30F3\u3068\u3068\u3082\u306B\u4F7F\u7528\u3067\u304D\u307E\u305B\u3093"},
{".keystore.must.be.NONE.if.storetype.is.{0}",
@ -229,7 +231,7 @@ public class Resources_ja extends java.util.ListResourceBundle {
{"Must.not.specify.both.v.and.rfc.with.list.command",
"'list'\u30B3\u30DE\u30F3\u30C9\u306B-v\u3068-rfc\u306E\u4E21\u65B9\u3092\u6307\u5B9A\u3059\u308B\u3053\u3068\u306F\u3067\u304D\u307E\u305B\u3093"},
{"Key.password.must.be.at.least.6.characters",
"\u9375\u306E\u30D1\u30B9\u30EF\u30FC\u30C9\u306F6\u6587\u5B57\u4EE5\u4E0A\u3067\u3042\u308B\u5FC5\u8981\u304C\u3042\u308A\u307E\u3059"},
"\u30AD\u30FC\u306E\u30D1\u30B9\u30EF\u30FC\u30C9\u306F6\u6587\u5B57\u4EE5\u4E0A\u3067\u3042\u308B\u5FC5\u8981\u304C\u3042\u308A\u307E\u3059"},
{"New.password.must.be.at.least.6.characters",
"\u65B0\u898F\u30D1\u30B9\u30EF\u30FC\u30C9\u306F6\u6587\u5B57\u4EE5\u4E0A\u3067\u3042\u308B\u5FC5\u8981\u304C\u3042\u308A\u307E\u3059"},
{"Keystore.file.exists.but.is.empty.",
@ -280,31 +282,35 @@ public class Resources_ja extends java.util.ListResourceBundle {
"\u8A3C\u660E\u66F8\u304C\u30AD\u30FC\u30B9\u30C8\u30A2\u306B\u8FFD\u52A0\u3055\u308C\u307E\u305B\u3093\u3067\u3057\u305F"},
{".Storing.ksfname.", "[{0}\u3092\u683C\u7D0D\u4E2D]"},
{"alias.has.no.public.key.certificate.",
"{0}\u306B\u306F\u516C\u958B\u9375(\u8A3C\u660E\u66F8)\u304C\u3042\u308A\u307E\u305B\u3093"},
"{0}\u306B\u306F\u516C\u958B\u30AD\u30FC(\u8A3C\u660E\u66F8)\u304C\u3042\u308A\u307E\u305B\u3093"},
{"Cannot.derive.signature.algorithm",
"\u7F72\u540D\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0\u3092\u53D6\u5F97\u3067\u304D\u307E\u305B\u3093"},
{"Alias.alias.does.not.exist",
"\u5225\u540D<{0}>\u306F\u5B58\u5728\u3057\u307E\u305B\u3093"},
{"Alias.alias.has.no.certificate",
"\u5225\u540D<{0}>\u306B\u306F\u8A3C\u660E\u66F8\u304C\u3042\u308A\u307E\u305B\u3093"},
{"groupname.keysize.coexist",
"-groupname\u3068-keysize\u306E\u4E21\u65B9\u3092\u6307\u5B9A\u3067\u304D\u307E\u305B\u3093"},
{"deprecate.keysize.for.ec",
"-keysize\u306E\u6307\u5B9A\u306B\u3088\u308BEC\u30AD\u30FC\u306E\u751F\u6210\u306F\u975E\u63A8\u5968\u3067\u3059\u3002\u304B\u308F\u308A\u306B\"-groupname %s\"\u3092\u4F7F\u7528\u3057\u3066\u304F\u3060\u3055\u3044\u3002"},
{"Key.pair.not.generated.alias.alias.already.exists",
"\u9375\u30DA\u30A2\u306F\u751F\u6210\u3055\u308C\u307E\u305B\u3093\u3067\u3057\u305F\u3002\u5225\u540D<{0}>\u306F\u3059\u3067\u306B\u5B58\u5728\u3057\u307E\u3059"},
"\u30AD\u30FC\u30FB\u30DA\u30A2\u306F\u751F\u6210\u3055\u308C\u307E\u305B\u3093\u3067\u3057\u305F\u3002\u5225\u540D<{0}>\u306F\u3059\u3067\u306B\u5B58\u5728\u3057\u307E\u3059"},
{"Generating.keysize.bit.keyAlgName.key.pair.and.self.signed.certificate.sigAlgName.with.a.validity.of.validality.days.for",
"{3}\u65E5\u9593\u6709\u52B9\u306A{0}\u30D3\u30C3\u30C8\u306E{1}\u306E\u9375\u30DA\u30A2\u3068\u81EA\u5DF1\u7F72\u540D\u578B\u8A3C\u660E\u66F8({2})\u3092\u751F\u6210\u3057\u3066\u3044\u307E\u3059\n\t\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u540D: {4}"},
{"Enter.key.password.for.alias.", "<{0}>\u306E\u9375\u30D1\u30B9\u30EF\u30FC\u30C9\u3092\u5165\u529B\u3057\u3066\u304F\u3060\u3055\u3044"},
"{3}\u65E5\u9593\u6709\u52B9\u306A{0}\u30D3\u30C3\u30C8\u306E{1}\u306E\u30AD\u30FC\u30FB\u30DA\u30A2\u3068\u81EA\u5DF1\u7F72\u540D\u578B\u8A3C\u660E\u66F8({2})\u3092\u751F\u6210\u3057\u3066\u3044\u307E\u3059\n\t\u30C7\u30A3\u30EC\u30AF\u30C8\u30EA\u540D: {4}"},
{"Enter.key.password.for.alias.", "<{0}>\u306E\u30AD\u30FC\u30FB\u30D1\u30B9\u30EF\u30FC\u30C9\u3092\u5165\u529B\u3057\u3066\u304F\u3060\u3055\u3044"},
{".RETURN.if.same.as.keystore.password.",
"\t(\u30AD\u30FC\u30B9\u30C8\u30A2\u306E\u30D1\u30B9\u30EF\u30FC\u30C9\u3068\u540C\u3058\u5834\u5408\u306FRETURN\u3092\u62BC\u3057\u3066\u304F\u3060\u3055\u3044): "},
{"Key.password.is.too.short.must.be.at.least.6.characters",
"\u9375\u306E\u30D1\u30B9\u30EF\u30FC\u30C9\u304C\u77ED\u3059\u304E\u307E\u3059 - 6\u6587\u5B57\u4EE5\u4E0A\u3092\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044"},
"\u30AD\u30FC\u306E\u30D1\u30B9\u30EF\u30FC\u30C9\u304C\u77ED\u3059\u304E\u307E\u3059 - 6\u6587\u5B57\u4EE5\u4E0A\u3092\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044"},
{"Too.many.failures.key.not.added.to.keystore",
"\u969C\u5BB3\u304C\u591A\u3059\u304E\u307E\u3059 - \u9375\u306F\u30AD\u30FC\u30B9\u30C8\u30A2\u306B\u8FFD\u52A0\u3055\u308C\u307E\u305B\u3093\u3067\u3057\u305F"},
"\u969C\u5BB3\u304C\u591A\u3059\u304E\u307E\u3059 - \u30AD\u30FC\u306F\u30AD\u30FC\u30B9\u30C8\u30A2\u306B\u8FFD\u52A0\u3055\u308C\u307E\u305B\u3093\u3067\u3057\u305F"},
{"Destination.alias.dest.already.exists",
"\u51FA\u529B\u5148\u306E\u5225\u540D<{0}>\u306F\u3059\u3067\u306B\u5B58\u5728\u3057\u307E\u3059"},
{"Password.is.too.short.must.be.at.least.6.characters",
"\u30D1\u30B9\u30EF\u30FC\u30C9\u304C\u77ED\u3059\u304E\u307E\u3059 - 6\u6587\u5B57\u4EE5\u4E0A\u3092\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044"},
{"Too.many.failures.Key.entry.not.cloned",
"\u969C\u5BB3\u304C\u591A\u3059\u304E\u307E\u3059\u3002\u9375\u30A8\u30F3\u30C8\u30EA\u306E\u30AF\u30ED\u30FC\u30F3\u306F\u4F5C\u6210\u3055\u308C\u307E\u305B\u3093\u3067\u3057\u305F"},
{"key.password.for.alias.", "<{0}>\u306E\u9375\u306E\u30D1\u30B9\u30EF\u30FC\u30C9"},
"\u969C\u5BB3\u304C\u591A\u3059\u304E\u307E\u3059\u3002\u30AD\u30FC\u30FB\u30A8\u30F3\u30C8\u30EA\u306E\u30AF\u30ED\u30FC\u30F3\u306F\u4F5C\u6210\u3055\u308C\u307E\u305B\u3093\u3067\u3057\u305F"},
{"key.password.for.alias.", "<{0}>\u306E\u30AD\u30FC\u306E\u30D1\u30B9\u30EF\u30FC\u30C9"},
{"Keystore.entry.for.id.getName.already.exists",
"<{0}>\u306E\u30AD\u30FC\u30B9\u30C8\u30A2\u30FB\u30A8\u30F3\u30C8\u30EA\u306F\u3059\u3067\u306B\u5B58\u5728\u3057\u307E\u3059"},
{"Creating.keystore.entry.for.id.getName.",
@ -330,7 +336,7 @@ public class Resources_ja extends java.util.ListResourceBundle {
{"Failed.to.parse.input", "\u5165\u529B\u306E\u69CB\u6587\u89E3\u6790\u306B\u5931\u6557\u3057\u307E\u3057\u305F"},
{"Empty.input", "\u5165\u529B\u304C\u3042\u308A\u307E\u305B\u3093"},
{"Not.X.509.certificate", "X.509\u8A3C\u660E\u66F8\u3067\u306F\u3042\u308A\u307E\u305B\u3093"},
{"alias.has.no.public.key", "{0}\u306B\u306F\u516C\u958B\u9375\u304C\u3042\u308A\u307E\u305B\u3093"},
{"alias.has.no.public.key", "{0}\u306B\u306F\u516C\u958B\u30AD\u30FC\u304C\u3042\u308A\u307E\u305B\u3093"},
{"alias.has.no.X.509.certificate", "{0}\u306B\u306FX.509\u8A3C\u660E\u66F8\u304C\u3042\u308A\u307E\u305B\u3093"},
{"New.certificate.self.signed.", "\u65B0\u3057\u3044\u8A3C\u660E\u66F8(\u81EA\u5DF1\u7F72\u540D\u578B):"},
{"Reply.has.no.certificates", "\u5FDC\u7B54\u306B\u306F\u8A3C\u660E\u66F8\u304C\u3042\u308A\u307E\u305B\u3093"},
@ -377,9 +383,9 @@ public class Resources_ja extends java.util.ListResourceBundle {
{"y", "y"},
{".defaultValue.", " [{0}]: "},
{"Alias.alias.has.no.key",
"\u5225\u540D<{0}>\u306B\u306F\u9375\u304C\u3042\u308A\u307E\u305B\u3093"},
"\u5225\u540D<{0}>\u306B\u306F\u30AD\u30FC\u304C\u3042\u308A\u307E\u305B\u3093"},
{"Alias.alias.references.an.entry.type.that.is.not.a.private.key.entry.The.keyclone.command.only.supports.cloning.of.private.key",
"\u5225\u540D<{0}>\u304C\u53C2\u7167\u3057\u3066\u3044\u308B\u30A8\u30F3\u30C8\u30EA\u30FB\u30BF\u30A4\u30D7\u306F\u79D8\u5BC6\u9375\u30A8\u30F3\u30C8\u30EA\u3067\u306F\u3042\u308A\u307E\u305B\u3093\u3002-keyclone\u30B3\u30DE\u30F3\u30C9\u306F\u79D8\u5BC6\u9375\u30A8\u30F3\u30C8\u30EA\u306E\u30AF\u30ED\u30FC\u30F3\u4F5C\u6210\u306E\u307F\u3092\u30B5\u30DD\u30FC\u30C8\u3057\u307E\u3059"},
"\u5225\u540D<{0}>\u304C\u53C2\u7167\u3057\u3066\u3044\u308B\u30A8\u30F3\u30C8\u30EA\u30FB\u30BF\u30A4\u30D7\u306F\u79D8\u5BC6\u30AD\u30FC\u30FB\u30A8\u30F3\u30C8\u30EA\u3067\u306F\u3042\u308A\u307E\u305B\u3093\u3002-keyclone\u30B3\u30DE\u30F3\u30C9\u306F\u79D8\u5BC6\u30AD\u30FC\u30FB\u30A8\u30F3\u30C8\u30EA\u306E\u30AF\u30ED\u30FC\u30F3\u4F5C\u6210\u306E\u307F\u3092\u30B5\u30DD\u30FC\u30C8\u3057\u307E\u3059"},
{".WARNING.WARNING.WARNING.",
"***************** WARNING WARNING WARNING *****************"},
@ -398,7 +404,7 @@ public class Resources_ja extends java.util.ListResourceBundle {
"*\u30BD\u30FC\u30B9\u30FB\u30AD\u30FC\u30B9\u30C8\u30A2\u306B\u4FDD\u5B58\u3055\u308C\u305F\u60C5\u5831\u306E\u6574\u5408\u6027\u306F*\n*\u691C\u8A3C\u3055\u308C\u3066\u3044\u307E\u305B\u3093\u3002\u6574\u5408\u6027\u3092\u691C\u8A3C\u3059\u308B\u306B\u306F*\n*\u30BD\u30FC\u30B9\u30FB\u30AD\u30FC\u30B9\u30C8\u30A2\u306E\u30D1\u30B9\u30EF\u30FC\u30C9\u3092\u5165\u529B\u3059\u308B\u5FC5\u8981\u304C\u3042\u308A\u307E\u3059\u3002*"},
{"Certificate.reply.does.not.contain.public.key.for.alias.",
"\u8A3C\u660E\u66F8\u5FDC\u7B54\u306B\u306F\u3001<{0}>\u306E\u516C\u958B\u9375\u306F\u542B\u307E\u308C\u307E\u305B\u3093"},
"\u8A3C\u660E\u66F8\u5FDC\u7B54\u306B\u306F\u3001<{0}>\u306E\u516C\u958B\u30AD\u30FC\u306F\u542B\u307E\u308C\u307E\u305B\u3093"},
{"Incomplete.certificate.chain.in.reply",
"\u5FDC\u7B54\u3057\u305F\u8A3C\u660E\u66F8\u30C1\u30A7\u30FC\u30F3\u306F\u4E0D\u5B8C\u5168\u3067\u3059"},
{"Certificate.chain.in.reply.does.not.verify.",
@ -409,7 +415,7 @@ public class Resources_ja extends java.util.ListResourceBundle {
{"Install.reply.anyway.no.", "\u5FDC\u7B54\u3092\u30A4\u30F3\u30B9\u30C8\u30FC\u30EB\u3057\u307E\u3059\u304B\u3002[\u3044\u3044\u3048]: "},
{"NO", "\u3044\u3044\u3048"},
{"Public.keys.in.reply.and.keystore.don.t.match",
"\u5FDC\u7B54\u3057\u305F\u516C\u958B\u9375\u3068\u30AD\u30FC\u30B9\u30C8\u30A2\u304C\u4E00\u81F4\u3057\u307E\u305B\u3093"},
"\u5FDC\u7B54\u3057\u305F\u516C\u958B\u30AD\u30FC\u3068\u30AD\u30FC\u30B9\u30C8\u30A2\u304C\u4E00\u81F4\u3057\u307E\u305B\u3093"},
{"Certificate.reply.and.certificate.in.keystore.are.identical",
"\u8A3C\u660E\u66F8\u5FDC\u7B54\u3068\u30AD\u30FC\u30B9\u30C8\u30A2\u5185\u306E\u8A3C\u660E\u66F8\u304C\u540C\u3058\u3067\u3059"},
{"Failed.to.establish.chain.from.reply",
@ -417,9 +423,9 @@ public class Resources_ja extends java.util.ListResourceBundle {
{"n", "n"},
{"Wrong.answer.try.again", "\u5FDC\u7B54\u304C\u9593\u9055\u3063\u3066\u3044\u307E\u3059\u3002\u3082\u3046\u4E00\u5EA6\u5B9F\u884C\u3057\u3066\u304F\u3060\u3055\u3044"},
{"Secret.key.not.generated.alias.alias.already.exists",
"\u79D8\u5BC6\u9375\u306F\u751F\u6210\u3055\u308C\u307E\u305B\u3093\u3067\u3057\u305F\u3002\u5225\u540D<{0}>\u306F\u3059\u3067\u306B\u5B58\u5728\u3057\u307E\u3059"},
"\u79D8\u5BC6\u30AD\u30FC\u306F\u751F\u6210\u3055\u308C\u307E\u305B\u3093\u3067\u3057\u305F\u3002\u5225\u540D<{0}>\u306F\u3059\u3067\u306B\u5B58\u5728\u3057\u307E\u3059"},
{"Please.provide.keysize.for.secret.key.generation",
"\u79D8\u5BC6\u9375\u306E\u751F\u6210\u6642\u306B\u306F -keysize\u3092\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044"},
"\u79D8\u5BC6\u30AD\u30FC\u306E\u751F\u6210\u6642\u306B\u306F -keysize\u3092\u6307\u5B9A\u3057\u3066\u304F\u3060\u3055\u3044"},
{"warning.not.verified.make.sure.keystore.is.correct",
"\u8B66\u544A: \u691C\u8A3C\u3055\u308C\u3066\u3044\u307E\u305B\u3093\u3002-keystore\u304C\u6B63\u3057\u3044\u3053\u3068\u3092\u78BA\u8A8D\u3057\u3066\u304F\u3060\u3055\u3044\u3002"},
@ -453,13 +459,13 @@ public class Resources_ja extends java.util.ListResourceBundle {
{"alias.in.cacerts", "cacerts\u5185\u306E\u767A\u884C\u8005<%s>"},
{"alias.in.keystore", "\u767A\u884C\u8005<%s>"},
{"with.weak", "%s (\u5F31)"},
{"key.bit", "%1$d\u30D3\u30C3\u30C8%2$s\u9375"},
{"key.bit.weak", "%1$d\u30D3\u30C3\u30C8%2$s\u9375(\u5F31)"},
{"key.bit", "%1$d\u30D3\u30C3\u30C8%2$s\u30AD\u30FC"},
{"key.bit.weak", "%1$d\u30D3\u30C3\u30C8%2$s\u30AD\u30FC(\u5F31)"},
{"unknown.size.1", "\u4E0D\u660E\u306A\u30B5\u30A4\u30BA\u306E%s\u30AD\u30FC"},
{".PATTERN.printX509Cert.with.weak",
"\u6240\u6709\u8005: {0}\n\u767A\u884C\u8005: {1}\n\u30B7\u30EA\u30A2\u30EB\u756A\u53F7: {2}\n\u6709\u52B9\u671F\u9593\u306E\u958B\u59CB\u65E5: {3}\u7D42\u4E86\u65E5: {4}\n\u8A3C\u660E\u66F8\u306E\u30D5\u30A3\u30F3\u30AC\u30D7\u30EA\u30F3\u30C8:\n\t SHA1: {5}\n\t SHA256: {6}\n\u7F72\u540D\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0\u540D: {7}\n\u30B5\u30D6\u30B8\u30A7\u30AF\u30C8\u516C\u958B\u9375\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0: {8}\n\u30D0\u30FC\u30B8\u30E7\u30F3: {9}"},
"\u6240\u6709\u8005: {0}\n\u767A\u884C\u8005: {1}\n\u30B7\u30EA\u30A2\u30EB\u756A\u53F7: {2}\n\u6709\u52B9\u671F\u9593\u306E\u958B\u59CB\u65E5: {3}\u7D42\u4E86\u65E5: {4}\n\u8A3C\u660E\u66F8\u306E\u30D5\u30A3\u30F3\u30AC\u30D7\u30EA\u30F3\u30C8:\n\t SHA1: {5}\n\t SHA256: {6}\n\u7F72\u540D\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0\u540D: {7}\n\u30B5\u30D6\u30B8\u30A7\u30AF\u30C8\u516C\u958B\u30AD\u30FC\u30FB\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0: {8}\n\u30D0\u30FC\u30B8\u30E7\u30F3: {9}"},
{"PKCS.10.with.weak",
"PKCS #10\u8A3C\u660E\u66F8\u30EA\u30AF\u30A8\u30B9\u30C8(\u30D0\u30FC\u30B8\u30E7\u30F31.0)\n\u30B5\u30D6\u30B8\u30A7\u30AF\u30C8: %1$s\n\u30D5\u30A9\u30FC\u30DE\u30C3\u30C8: %2$s\n\u516C\u958B\u9375: %3$s\n\u7F72\u540D\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0: %4$s\n"},
"PKCS #10\u8A3C\u660E\u66F8\u30EA\u30AF\u30A8\u30B9\u30C8(\u30D0\u30FC\u30B8\u30E7\u30F31.0)\n\u30B5\u30D6\u30B8\u30A7\u30AF\u30C8: %1$s\n\u30D5\u30A9\u30FC\u30DE\u30C3\u30C8: %2$s\n\u516C\u958B\u30AD\u30FC: %3$s\n\u7F72\u540D\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0: %4$s\n"},
{"verified.by.s.in.s.weak", "%2$s\u5185\u306E%1$s\u306B\u3088\u308A%3$s\u3067\u691C\u8A3C\u3055\u308C\u307E\u3057\u305F"},
{"whose.sigalg.risk", "%1$s\u306F%2$s\u7F72\u540D\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0\u3092\u4F7F\u7528\u3057\u3066\u304A\u308A\u3001\u3053\u308C\u306F\u30BB\u30AD\u30E5\u30EA\u30C6\u30A3\u30FB\u30EA\u30B9\u30AF\u3068\u307F\u306A\u3055\u308C\u307E\u3059\u3002"},
{"whose.key.risk", "%1$s\u306F%2$s\u3092\u4F7F\u7528\u3057\u3066\u304A\u308A\u3001\u3053\u308C\u306F\u30BB\u30AD\u30E5\u30EA\u30C6\u30A3\u30FB\u30EA\u30B9\u30AF\u3068\u307F\u306A\u3055\u308C\u307E\u3059\u3002"},
@ -467,6 +473,7 @@ public class Resources_ja extends java.util.ListResourceBundle {
{"migrate.keystore.warning", "\"%1$s\"\u304C%4$s\u306B\u79FB\u884C\u3055\u308C\u307E\u3057\u305F\u3002%2$s\u30AD\u30FC\u30B9\u30C8\u30A2\u306F\"%3$s\"\u3068\u3057\u3066\u30D0\u30C3\u30AF\u30A2\u30C3\u30D7\u3055\u308C\u307E\u3059\u3002"},
{"backup.keystore.warning", "\u5143\u306E\u30AD\u30FC\u30B9\u30C8\u30A2\"%1$s\"\u306F\"%3$s\"\u3068\u3057\u3066\u30D0\u30C3\u30AF\u30A2\u30C3\u30D7\u3055\u308C\u307E\u3059..."},
{"importing.keystore.status", "\u30AD\u30FC\u30B9\u30C8\u30A2%1$s\u3092%2$s\u306B\u30A4\u30F3\u30DD\u30FC\u30C8\u3057\u3066\u3044\u307E\u3059..."},
{"keyalg.option.1.missing.warning", "-keyalg\u30AA\u30D7\u30B7\u30E7\u30F3\u304C\u3042\u308A\u307E\u305B\u3093\u3002\u30C7\u30D5\u30A9\u30EB\u30C8\u306E\u30AD\u30FC\u30FB\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0(%s)\u306F\u3001\u65E7\u5F0F\u306E\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0\u3067\u3001\u73FE\u5728\u306F\u63A8\u5968\u3055\u308C\u307E\u305B\u3093\u3002JDK\u306E\u5F8C\u7D9A\u306E\u30EA\u30EA\u30FC\u30B9\u3067\u306F\u3001\u30C7\u30D5\u30A9\u30EB\u30C8\u306F\u524A\u9664\u3055\u308C\u308B\u4E88\u5B9A\u3067\u3001-keyalg\u30AA\u30D7\u30B7\u30E7\u30F3\u3092\u6307\u5B9A\u3059\u308B\u5FC5\u8981\u304C\u3042\u308A\u307E\u3059\u3002"},
};

7
src/java.base/share/classes/sun/security/tools/keytool/Resources_zh_CN.java
View file

@ -98,6 +98,8 @@ public class Resources_zh_CN extends java.util.ListResourceBundle {
// keytool: help: options
{"alias.name.of.the.entry.to.process",
"\u8981\u5904\u7406\u7684\u6761\u76EE\u7684\u522B\u540D"}, //-alias
{"groupname.option.help",
"\u7EC4\u540D\u3002\u4F8B\u5982\uFF0C\u692D\u5706\u66F2\u7EBF\u540D\u79F0\u3002"}, //-groupname
{"destination.alias",
"\u76EE\u6807\u522B\u540D"}, //-destalias
{"destination.key.password",
@ -287,6 +289,10 @@ public class Resources_zh_CN extends java.util.ListResourceBundle {
"\u522B\u540D <{0}> \u4E0D\u5B58\u5728"},
{"Alias.alias.has.no.certificate",
"\u522B\u540D <{0}> \u6CA1\u6709\u8BC1\u4E66"},
{"groupname.keysize.coexist",
"\u65E0\u6CD5\u540C\u65F6\u6307\u5B9A -groupname \u548C -keysize"},
{"deprecate.keysize.for.ec",
"\u4E3A\u751F\u6210 EC \u5BC6\u94A5\u6307\u5B9A -keysize \u5DF2\u8FC7\u65F6\uFF0C\u8BF7\u6539\u4E3A\u4F7F\u7528 \"-groupname %s\"\u3002"},
{"Key.pair.not.generated.alias.alias.already.exists",
"\u672A\u751F\u6210\u5BC6\u94A5\u5BF9, \u522B\u540D <{0}> \u5DF2\u7ECF\u5B58\u5728"},
{"Generating.keysize.bit.keyAlgName.key.pair.and.self.signed.certificate.sigAlgName.with.a.validity.of.validality.days.for",
@ -467,6 +473,7 @@ public class Resources_zh_CN extends java.util.ListResourceBundle {
{"migrate.keystore.warning", "\u5DF2\u5C06 \"%1$s\" \u8FC1\u79FB\u5230 %4$s\u3002\u5C06 %2$s \u5BC6\u94A5\u5E93\u4F5C\u4E3A \"%3$s\" \u8FDB\u884C\u4E86\u5907\u4EFD\u3002"},
{"backup.keystore.warning", "\u5DF2\u5C06\u539F\u59CB\u5BC6\u94A5\u5E93 \"%1$s\" \u5907\u4EFD\u4E3A \"%3$s\"..."},
{"importing.keystore.status", "\u6B63\u5728\u5C06\u5BC6\u94A5\u5E93 %1$s \u5BFC\u5165\u5230 %2$s..."},
{"keyalg.option.1.missing.warning", "\u65E0 -keyalg \u9009\u9879\u3002\u9ED8\u8BA4\u5BC6\u94A5\u7B97\u6CD5 (%s) \u662F\u4F20\u7EDF\u7B97\u6CD5\uFF0C\u4E0D\u518D\u63A8\u8350\u3002\u5728 JDK \u7684\u540E\u7EED\u53D1\u884C\u7248\u4E2D\uFF0C\u5C06\u5220\u9664\u9ED8\u8BA4\u503C\uFF0C\u60A8\u5FC5\u987B\u6307\u5B9A -keyalg \u9009\u9879\u3002"},
};

2
src/java.base/share/classes/sun/security/util/AuthResources_ja.java
View file

@ -88,7 +88,7 @@ public class AuthResources_ja extends java.util.ListResourceBundle {
{"Keystore.alias.","\u30AD\u30FC\u30B9\u30C8\u30A2\u306E\u5225\u540D: "},
{"Keystore.password.","\u30AD\u30FC\u30B9\u30C8\u30A2\u306E\u30D1\u30B9\u30EF\u30FC\u30C9: "},
{"Private.key.password.optional.",
"\u79D8\u5BC6\u9375\u306E\u30D1\u30B9\u30EF\u30FC\u30C9(\u30AA\u30D7\u30B7\u30E7\u30F3): "},
"\u79D8\u5BC6\u30AD\u30FC\u306E\u30D1\u30B9\u30EF\u30FC\u30C9(\u30AA\u30D7\u30B7\u30E7\u30F3): "},
// com.sun.security.auth.module.Krb5LoginModule
{"Kerberos.username.defUsername.",

18
src/java.base/share/classes/sun/security/util/SignatureUtil.java
View file

@ -28,8 +28,6 @@ package sun.security.util;
import java.io.IOException;
import java.security.*;
import java.security.spec.*;
import sun.security.util.ObjectIdentifier;
import sun.security.x509.AlgorithmId;
import sun.security.rsa.RSAUtil;
/**
@ -86,13 +84,12 @@ public class SignatureUtil {
// specified Signature object as signature parameters.
public static void specialSetParameter(Signature sig, byte[] paramBytes)
throws InvalidAlgorithmParameterException, ProviderException {
AlgorithmParameters params = null;
if (paramBytes != null) {
String sigName = sig.getAlgorithm();
params = createAlgorithmParameters(sigName, paramBytes);
AlgorithmParameters params =
createAlgorithmParameters(sigName, paramBytes);
specialSetParameter(sig, params);
}
specialSetParameter(sig, params);
}
// Special method for setting the specified AlgorithmParameter object
@ -100,16 +97,9 @@ public class SignatureUtil {
public static void specialSetParameter(Signature sig,
AlgorithmParameters params)
throws InvalidAlgorithmParameterException, ProviderException {
String sigName = sig.getAlgorithm();
if (params != null) {
String sigName = sig.getAlgorithm();
sig.setParameter(getParamSpec(sigName, params));
} else {
try {
sig.setParameter(null);
} catch (UnsupportedOperationException e) {
// ignore for maintaining backward compatibility
}
}
}
}

2
src/java.base/share/classes/sun/security/x509/AVA.java
View file

@ -1045,7 +1045,7 @@ public class AVA implements DerEncoder {
if (valStr == null) {
// rfc1779 specifies that attribute values associated
// RFC 1779 specifies that attribute values associated
// with non-standard keyword attributes may be represented
// using the hex format below. This will be used only
// when the value is not a string type

8
src/java.base/share/classes/sun/security/x509/AlgorithmId.java
View file

@ -166,15 +166,15 @@ public class AlgorithmId implements Serializable, DerEncoder {
// Several AlgorithmId should omit the whole parameter part when
// it's NULL. They are ---
// rfc3370 2.1: Implementations SHOULD generate SHA-1
// RFC 3370 2.1: Implementations SHOULD generate SHA-1
// AlgorithmIdentifiers with absent parameters.
// rfc3447 C1: When id-sha1, id-sha224, id-sha256, id-sha384 and
// RFC 3447 C1: When id-sha1, id-sha224, id-sha256, id-sha384 and
// id-sha512 are used in an AlgorithmIdentifier the parameters
// (which are optional) SHOULD be omitted.
// rfc3279 2.3.2: The id-dsa algorithm syntax includes optional
// RFC 3279 2.3.2: The id-dsa algorithm syntax includes optional
// domain parameters... When omitted, the parameters component
// MUST be omitted entirely
// rfc3370 3.1: When the id-dsa-with-sha1 algorithm identifier
// RFC 3370 3.1: When the id-dsa-with-sha1 algorithm identifier
// is used, the AlgorithmIdentifier parameters field MUST be absent.
/*if (
algid.equals((Object)SHA_oid) ||

4
src/java.base/share/classes/sun/security/x509/CertificatePoliciesExtension.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -45,7 +45,7 @@ import sun.security.util.DerOutputStream;
* certificate.
* <p>
* Optional qualifiers are not supported in this implementation, as they are
* not recommended by RFC2459.
* not recommended by RFC 5280.
*
* The ASN.1 syntax for this is (IMPLICIT tagging is defined in the
* module definition):

2
src/java.base/share/classes/sun/security/x509/DNSName.java
View file

@ -181,7 +181,7 @@ public class DNSName implements GeneralNameInterface {
* For example, www.host.example.com would satisfy the constraint but
* host1.example.com would not.
* <p>
* draft-ietf-pkix-new-part1-00.txt: DNSName restrictions are expressed as foo.bar.com.
* RFC 5280: DNSName restrictions are expressed as foo.bar.com.
* Any DNSName that
* can be constructed by simply adding to the left hand side of the name
* satisfies the name constraint. For example, www.foo.bar.com would

55
src/java.base/share/classes/sun/security/x509/IPAddressName.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2002, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -37,27 +37,27 @@ import sun.security.util.DerValue;
/**
* This class implements the IPAddressName as required by the GeneralNames
* ASN.1 object. Both IPv4 and IPv6 addresses are supported using the
* formats specified in IETF PKIX RFC2459.
* formats specified in IETF PKIX RFC 5280.
* <p>
* [RFC2459 4.2.1.7 Subject Alternative Name]
* When the subjectAltName extension contains a iPAddress, the address
* MUST be stored in the octet string in "network byte order," as
* specified in RFC 791. The least significant bit (LSB) of
* each octet is the LSB of the corresponding byte in the network
* address. For IP Version 4, as specified in RFC 791, the octet string
* MUST contain exactly four octets. For IP Version 6, as specified in
* RFC 1883, the octet string MUST contain exactly sixteen octets.
* [RFC 5280 4.2.1.6 Subject Alternative Name]
* When the subjectAltName extension contains an iPAddress, the address
* MUST be stored in the octet string in "network byte order", as
* specified in [RFC791]. The least significant bit (LSB) of each octet
* is the LSB of the corresponding byte in the network address. For IP
* version 4, as specified in [RFC791], the octet string MUST contain
* exactly four octets. For IP version 6, as specified in
* [RFC 2460], the octet string MUST contain exactly sixteen octets.
* <p>
* [RFC2459 4.2.1.11 Name Constraints]
* The syntax of iPAddress MUST be as described in section 4.2.1.7 with
* the following additions specifically for Name Constraints. For IPv4
* addresses, the ipAddress field of generalName MUST contain eight (8)
* octets, encoded in the style of RFC 1519 (CIDR) to represent an
* address range.[RFC 1519] For IPv6 addresses, the ipAddress field
* [RFC 5280 4.2.1.10 Name Constraints]
* The syntax of iPAddress MUST be as described in Section 4.2.1.6 with
* the following additions specifically for name constraints. For IPv4
* addresses, the iPAddress field of GeneralName MUST contain eight (8)
* octets, encoded in the style of RFC 4632 (CIDR) to represent an
* address range [RFC 4632]. For IPv6 addresses, the iPAddress field
* MUST contain 32 octets similarly encoded. For example, a name
* constraint for "class C" subnet 10.9.8.0 shall be represented as the
* octets 0A 09 08 00 FF FF FF 00, representing the CIDR notation
* 10.9.8.0/255.255.255.0.
* constraint for "class C" subnet 192.0.2.0 is represented as the
* octets C0 00 02 00 FF FF FF 00, representing the CIDR notation
* 192.0.2.0/24 (mask 255.255.255.0).
* <p>
* @see GeneralName
* @see GeneralNameInterface
@ -376,15 +376,16 @@ public class IPAddressName implements GeneralNameInterface {
* </ul>. These results are used in checking NameConstraints during
* certification path verification.
* <p>
* [RFC2459] The syntax of iPAddress MUST be as described in section
* 4.2.1.7 with the following additions specifically for Name Constraints.
* For IPv4 addresses, the ipAddress field of generalName MUST contain
* eight (8) octets, encoded in the style of RFC 1519 (CIDR) to represent an
* address range.[RFC 1519] For IPv6 addresses, the ipAddress field
* [RFC 5280 4.2.1.10 Name Constraints]
* The syntax of iPAddress MUST be as described in Section 4.2.1.6 with
* the following additions specifically for name constraints. For IPv4
* addresses, the iPAddress field of GeneralName MUST contain eight (8)
* octets, encoded in the style of RFC 4632 (CIDR) to represent an
* address range [RFC 4632]. For IPv6 addresses, the iPAddress field
* MUST contain 32 octets similarly encoded. For example, a name
* constraint for "class C" subnet 10.9.8.0 shall be represented as the
* octets 0A 09 08 00 FF FF FF 00, representing the CIDR notation
* 10.9.8.0/255.255.255.0.
* constraint for "class C" subnet 192.0.2.0 is represented as the
* octets C0 00 02 00 FF FF FF 00, representing the CIDR notation
* 192.0.2.0/24 (mask 255.255.255.0).
*
* @param inputName to be checked for being constrained
* @return constraint type above

4
src/java.base/share/classes/sun/security/x509/KeyIdentifier.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 1999, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -63,7 +63,7 @@ public class KeyIdentifier {
/**
* Creates a KeyIdentifier from a public-key value.
*
* <p>From RFC2459: Two common methods for generating key identifiers from
* <p>From RFC 5280: Two common methods for generating key identifiers from
* the public key are:
* <ol>
* <li>The keyIdentifier is composed of the 160-bit SHA-1 hash of the

4
src/java.base/share/classes/sun/security/x509/NameConstraintsExtension.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2017, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -326,7 +326,7 @@ implements CertAttrSet<String>, Cloneable {
* expanded by a merge, just remain constant or become more
* limiting.
* <p>
* IETF RFC2459 specifies the processing of Name Constraints as
* IETF RFC 5280 specifies the processing of Name Constraints as
* follows:
* <p>
* (j) If permittedSubtrees is present in the certificate, set the

4
src/java.base/share/classes/sun/security/x509/OIDName.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -156,7 +156,7 @@ public class OIDName implements GeneralNameInterface {
else if (this.equals((OIDName)inputName))
constraintType = NAME_MATCH;
else
//widens and narrows not defined in RFC2459 for OIDName (aka registeredID)
//widens and narrows not defined in RFC 5280 for OIDName (aka registeredID)
throw new UnsupportedOperationException("Narrowing and widening are not supported for OIDNames");
return constraintType;
}

25
src/java.base/share/classes/sun/security/x509/RFC822Name.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -68,7 +68,7 @@ public class RFC822Name implements GeneralNameInterface
/**
* Parse an RFC822Name string to see if it is a valid
* addr-spec according to IETF RFC822 and RFC2459:
* addr-spec according to IETF RFC 822 and RFC 5280:
* [local-part@]domain
* <p>
* local-part@ could be empty for an RFC822Name NameConstraint,
@ -131,7 +131,7 @@ public class RFC822Name implements GeneralNameInterface
* Compares this name with another, for equality.
*
* @return true iff the names are equivalent
* according to RFC2459.
* according to RFC 5280.
*/
public boolean equals(Object obj) {
if (this == obj)
@ -142,7 +142,7 @@ public class RFC822Name implements GeneralNameInterface
RFC822Name other = (RFC822Name)obj;
// RFC2459 mandates that these names are
// RFC 5280 mandates that these names are
// not case-sensitive
return name.equalsIgnoreCase(other.name);
}
@ -166,14 +166,15 @@ public class RFC822Name implements GeneralNameInterface
* </ul>. These results are used in checking NameConstraints during
* certification path verification.
* <p>
* [RFC2459] When the subjectAltName extension contains an Internet mail address,
* the address MUST be included as an rfc822Name. The format of an
* rfc822Name is an "addr-spec" as defined in RFC 822 [RFC 822]. An
* addr-spec has the form "local-part@domain". Note that an addr-spec
* has no phrase (such as a common name) before it, has no comment (text
*
* [RFC 5280]:
* When the subjectAltName extension contains an Internet mail address,
* the address MUST be stored in the rfc822Name. The format of an
* rfc822Name is a "Mailbox" as defined in Section 4.1.2 of [RFC2821].
* A Mailbox has the form "Local-part@Domain". Note that a Mailbox has
* no phrase (such as a common name) before it, has no comment (text
* surrounded in parentheses) after it, and is not surrounded by "&lt;" and
* "&gt;". Note that while upper and lower case letters are allowed in an
* RFC 822 addr-spec, no significance is attached to the case.
* "&gt;".
*
* @param inputName to be checked for being constrained
* @return constraint type above
@ -187,7 +188,7 @@ public class RFC822Name implements GeneralNameInterface
else if (inputName.getType() != (GeneralNameInterface.NAME_RFC822)) {
constraintType = NAME_DIFF_TYPE;
} else {
//RFC2459 specifies that case is not significant in RFC822Names
//RFC 5280 specifies that case is not significant in RFC822Names
String inName =
(((RFC822Name)inputName).getName()).toLowerCase(Locale.ENGLISH);
String thisName = name.toLowerCase(Locale.ENGLISH);

4
src/java.base/share/classes/sun/security/x509/URIName.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -213,7 +213,7 @@ public class URIName implements GeneralNameInterface {
/**
* Compares this name with another, for equality.
*
* @return true iff the names are equivalent according to RFC2459.
* @return true iff the names are equivalent according to RFC 5280.
*/
public boolean equals(Object obj) {
if (this == obj) {

4
src/java.base/share/classes/sun/security/x509/X400Address.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -403,7 +403,7 @@ public class X400Address implements GeneralNameInterface {
else if (inputName.getType() != NAME_X400)
constraintType = NAME_DIFF_TYPE;
else
//Narrowing, widening, and match constraints not defined in rfc2459 for X400Address
//Narrowing, widening, and match constraints not defined in RFC 5280 for X400Address
throw new UnsupportedOperationException("Narrowing, widening, and match are not supported for X400Address.");
return constraintType;
}

12
src/java.base/share/classes/sun/security/x509/X509CertImpl.java
View file

@ -1,5 +1,5 @@
/*
* Copyright (c) 1996, 2017, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 1996, 2018, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@ -63,14 +63,8 @@ import sun.security.provider.X509Factory;
* direct knowledge of each other. CA certificates are either signed by
* themselves, or by some other CA such as a "root" CA.
*
* <P>RFC 1422 is very informative, though it does not describe much
* of the recent work being done with X.509 certificates. That includes
* a 1996 version (X.509v3) and a variety of enhancements being made to
* facilitate an explosion of personal certificates used as "Internet
* Drivers' Licences", or with SET for credit card transactions.
*
* <P>More recent work includes the IETF PKIX Working Group efforts,
* especially RFC2459.
* <P> Standards relating to X.509 Public Key Infrastructure for the Internet
* can be referenced in RFC 5280.
*
* @author Dave Brownell
* @author Amit Kapoor