| def4a695d1e00b10043901146d23952f39bb0aa1 |
17-Apr-2013 |
Brian Carlstrom <bdc@google.com> |
Merge "Do not include bogus certs in final chain output" into jb-mr2-dev
|
| e21b3caf3fb4e3e3d9244a000669a547621c16bd |
16-Apr-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: fix EOF at beginning of stream
Any InputStream where the first character was an EOF (-1) would cause
OpenSSLBIOInputStream to hang forever. This caused bad X.509
certificates to hang forever in the call to
CertificateFactory#generateCertificate(InputStream)
Bug: 8632056
Change-Id: Ia88f33aa356c3a6a23be872c7eef844873d73d5c
rovider/jsse/OpenSSLBIOInputStream.java
|
| 608ba9e25b0b4c2611197e9ad4cbb58c9db3aa57 |
27-Mar-2013 |
Brian Carlstrom <bdc@google.com> |
Do not include bogus certs in final chain output
(cherry-picked from 2cdf54071e7c62ceca7d40d7f6c704b91aad2a9f)
Bug: 8313312
Bug: https://code.google.com/p/android/issues/detail?id=52295
Change-Id: Ie9f58c1bdc676471eaaf3073a78b0b00c5d9a833
rovider/jsse/TrustManagerImpl.java
|
| 3725893865ddbdd2e9cebc2ea2f7ecfc357fcfbb |
15-Apr-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: set Calendar instances to 0 millis
X.509 does not have a notion of milliseconds so it was not being set
through the Calendar instances we used in OpenSSLX509Certificate, et al.
Instead it was getting whatever the current millisecond offset was from
the GregorianCalendar default constructor. That made two parsed
certificates unlikely to be equal when comparing since the milliseconds
were also checked.
Bug: 8616647
Change-Id: I756088d946191417bb3afcba082bed5371ed731a
rovider/jsse/OpenSSLX509CRL.java
rovider/jsse/OpenSSLX509CRLEntry.java
rovider/jsse/OpenSSLX509Certificate.java
|
| 5911a70a882d502d21b74dcdca6d9f4fcd5e36d5 |
06-Apr-2013 |
Brian Carlstrom <bdc@google.com> |
Don't forget to call sessionRemoved from removeEldestEntry
Also to prevent similar problems in the future, remember SSLSession we
are trying to use in case it disappears from SSLSessionContext.
Added test of SSLSocket SSLSession reuse.
Bug: https://code.google.com/p/android/issues/detail?id=52738
Bug: 8313208
(cherry picked from commit b88ab0efb05475fa9d4e2a06175e95e88f507cff)
Change-Id: I229e018c3acb427a7b580eaf880f86d9b263bac7
rovider/jsse/AbstractSessionContext.java
rovider/jsse/OpenSSLSocketImpl.java
|
| 90d02cbdbac93f6fee46082e25c1c67f75108442 |
03-Jan-2013 |
Chris Palmer <palmer@google.com> |
Check the EE's eKU extension field, if present.
BUG=https://code.google.com/p/chromium/issues/detail?id=167607 and
https://b.corp.google.com/issue?id=7920492
(cherry picked from commit 0da1515c5fe4e97fc2d4d24a41ebd4c078fec4db)
Change-Id: I4309d4a90a9d41390f41c748fa1442ed736e225f
rovider/jsse/TrustManagerImpl.java
|
| bc5800cc4ebcd5d778483851b73bdac6b1dc2f3c |
29-Mar-2013 |
Alex Klyubin <klyubin@google.com> |
Make KeyFactory.translateKey for OpenSSL keys a no-op.
There's no need for the OpenSSL-backed KeyFactory.translateKey to
create copies of Key instances which are already backed by OpenSSL.
(cherry picked from commit 3fb32505a22a01c95ff82435ac7f4d6da001c11c)
Change-Id: I49322aa2d29e44a06e6bd35aed3aebc0ea70a3f9
rovider/jsse/OpenSSLDSAKeyFactory.java
rovider/jsse/OpenSSLECKeyFactory.java
rovider/jsse/OpenSSLRSAKeyFactory.java
|
| 4556926f9dee32ac5b2a8ac0c442bc716d1303f3 |
05-Apr-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: catch another RSA error
Also add a generic fallback for certificate verification when the specific
type of error is unknown.
(cherry picked from commit f04fc33c88d2ad1f06d58d50a0734c0ef511c5b9)
Bug: 8550441
Change-Id: Ica617074718ccac224c9ce3cc8b89502e2abb90d
rovider/jsse/OpenSSLX509Certificate.java
|
| 325ce8a74236f16db63c1971a99aeabf55e61a57 |
01-Apr-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: adjust thrown exceptions
Should be throwing CertificateException when InputStream is null.
Sometimes OpenSSL doesn't push an error onto the list when PEM encoding
fails. This can be seen with the call to PEM_read_bio_X509 with
hyts_badpem.cer Throw a generic RuntimeException instead.
(cherry picked from commit d14eedd3c70f67a0d7af71b56dcf7b8e4f030bdd)
Bug: 8488314
Change-Id: I716c089c00ab477b4803bdd774681e52384eb95d
rovider/jsse/OpenSSLX509CertPath.java
rovider/jsse/OpenSSLX509CertificateFactory.java
|
| 39143413c9a4ccb11f0c16b50bdbf07cca79f19c |
01-Apr-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: adjust BasicConstraints check
OpenSSL checks KeyUsage for "Certificate Signing" when checking for a
CA, but Java just specifies that the getBasicConstraints call only looks
at the BasicConstraints itself.
(cherry picked from commit cd59afd3e34cb6b3645babdace22c03882e0ec19)
Bug: 8488314
Change-Id: I72f8d6679169480960630bd73745ebf4c55b383c
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLX509Certificate.java
|
| 699ec7b45e1648fb53333df33889971230058233 |
29-Mar-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: make generation bug compatible
generateCertPath, generateCertificates, and generateCRLs have slightly
different behavior on null input. Match the RI and (apparently) previous
BC behavior.
(cherry picked from commit ce0f579c5e7c384d2a3734e7327ce3a859ba52e3)
Bug: 8488314
Change-Id: I6d0f96829798c83b46201a74cd409ef828e0adb2
rovider/jsse/OpenSSLX509CertPath.java
rovider/jsse/OpenSSLX509CertificateFactory.java
|
| d961888f0666ccd4b797205aaeb60889688a9cb8 |
29-Mar-2013 |
Alex Klyubin <klyubin@google.com> |
Switch OpenSSLECDHKeyAgreement to KeyFactory.translateKey.
OpenSSL KeyFactory.translateKey encapsulates all the functionality
for translating arbitrary Key instances to OpenSSL-backed Key
instances. Thus, there's no need to replicate that functionality
elsewhere.
(cherry picked from commit 0469e3a6a9b5e854b8b985039de8ba4f6e6037bd)
Change-Id: I4caa0021e51a83be6932617117275fd033b6d5f7
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLECDHKeyAgreement.java
|
| 28a47ccf41ba39f227f0b075dd31cde42b7a5f49 |
20-Mar-2013 |
Alex Klyubin <klyubin@google.com> |
Disallow KeyFactory.translateKey between public and private
This fixes the bug where OpenSSL-backed KeyFactory instances (RSA,
DSA, EC) could translateKey from PrivateKey to PublicKey and vice
versa when presented with "opaque" keys whose translation is
performed via their primary encoded form.
(cherry picked from commit ddee4ef28dcce942e25fd7a24f27239cd74807fa)
Change-Id: Ia24a2591a06ac82c5225a3a9e3069af7a01a0c37
rovider/jsse/OpenSSLDSAKeyFactory.java
rovider/jsse/OpenSSLECKeyFactory.java
rovider/jsse/OpenSSLRSAKeyFactory.java
|
| ed7441ebfbc69821598a5bc060518b5c82ffb5c8 |
20-Mar-2013 |
Alex Klyubin <klyubin@google.com> |
InvalidKeyException for "opaque" keys null getEncoded()
This makes OpenSSL-backed KeyFactory instances (RSA, DSA, EC)
translateKey method throw InvalidKeyException for "opaque" keys whose
getFormat() returns non-null while getEncoded() returns null.
Prior to this change a NullPointerException was thrown.
Change-Id: Ie0f3ec27356307338839f4c2b248b0e79578e19b
rovider/jsse/OpenSSLDSAKeyFactory.java
rovider/jsse/OpenSSLECKeyFactory.java
rovider/jsse/OpenSSLRSAKeyFactory.java
|
| 223319e62fb4e34b2e82c0d72b3b8af8cb18b68b |
18-Mar-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: throw exception on invalid DNS altname
When we receive an invalid DNS alt name (e.g., contains characters
outside of the ASCII printable range), we should throw an exception to
match the previous behavior. This is not validated this against the RI
since the tests currently don't work, but it brings the behavior back to
what it was previously.
Also amend the previous ASN.1 string check to use
ASN1_PRINTABLE_type(...) which actually scans the string to check its
contents. This is what was meant in the last patch.
Bug: 8398461
Change-Id: I260f045a2e144fb9ded7e1d3aa46592da8f63272
rovider/jsse/NativeCrypto.java
|
| 41dbe2157cc4e6c8ec2beb4c17e88caa84ea7dfc |
15-Mar-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: catch null input streams in cert factory
Change-Id: I7b4a9d89cab8d35491d2d6efb6dfc0fae8e705d7
rovider/jsse/OpenSSLX509CertificateFactory.java
|
| 7885a9c6c62c6162a308913272447153b6a2e809 |
14-Mar-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: be more tolerant during translateKey
Change-Id: I284bdb4d037d511390a6beb8518eb9bf9c50f25f
rovider/jsse/OpenSSLDSAKeyFactory.java
rovider/jsse/OpenSSLECKeyFactory.java
rovider/jsse/OpenSSLECPrivateKey.java
rovider/jsse/OpenSSLECPublicKey.java
rovider/jsse/OpenSSLKey.java
rovider/jsse/OpenSSLRSAKeyFactory.java
|
| 0048f46694737c3e46ec3150db608c2cb19f26aa |
12-Mar-2013 |
Kenny Root <kroot@android.com> |
Merge "Switch TLS Channel ID API from ECPrivateKey to PrivateKey."
|
| c17bdfa469de6c48f16e454611caae3aaa82cc9d |
12-Mar-2013 |
Alex Klyubin <klyubin@google.com> |
Switch TLS Channel ID API from ECPrivateKey to PrivateKey.
This is to accept both the "transparent" and "opaque" ECC private
keys. "Transparent" keys provide structured access to their key
material -- these are instances of ECPrivateKey. "Opaque" private
keys are not required to provide structured (or even any) access to
their key material -- these are instances of PrivateKey.
Change-Id: I3fdc4c46675bde48c72424f1cc8f59c3d6b89f0e
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
| ce14ab85f110ef6b4e5065ede5fd83ff91499d93 |
11-Mar-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: throw instead of return null
We should not return null for items that cannot be extracted. Instead
throw UnsupportedOperationException so we don't break the API contract.
Change-Id: I09b0854c36f02b5b7ead2fb802f1454353b4cf6e
rovider/jsse/OpenSSLDSAPrivateKey.java
rovider/jsse/OpenSSLECPrivateKey.java
rovider/jsse/OpenSSLRSAPrivateCrtKey.java
rovider/jsse/OpenSSLRSAPrivateKey.java
|
| e741559fd878ee6e3deca9102f7c27e1c1ca70d0 |
11-Mar-2013 |
Alex Klyubin <klyubin@google.com> |
Add support for ECDH KeyAgreement to OpenSSLProvider.
Change-Id: I07d369de0199505d22f2809c815cc2852388a7b7
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLECDHKeyAgreement.java
rovider/jsse/OpenSSLProvider.java
|
| e6de385bae91943cae91d88ad8e1bfdd951930f4 |
08-Mar-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: various fixes
* JNI_TRACE debug messages were misleading in some cases.
* MD object reference was being passed as a jint
* kusage wasn't being checked for null
Change-Id: I15bcba4d8b7291dc232ea20671917bb0848c3180
rovider/jsse/OpenSSLMac.java
rovider/jsse/OpenSSLX509Certificate.java
|
| 15cfd91abf3e6d6f905d572fe70cf2b3b4cfee60 |
08-Mar-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: add CertPath encoding PkiPath
Set the default encoding to be PkiPath to conform to other
implementations. This now passes all the tests.
Change-Id: I8475e328e8440aa3ecccd88c34e2aba6bc169be5
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLX509CertPath.java
|
| 52055836ff1f8c235a558b3754b3f3dd25f5d38c |
08-Mar-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: add CertPath support with PKCS7
Add support for generating CertPath with the
OpenSSLX509CertificateFactory implementation.
This only will encode withrPKCS7 currently. This means it fails the
CertPath serialization test because the serialization and
de-serialization code only uses a provider's default serialization
format. Since this provider is not the default provider and the
default provider uses PkiPath as its default format, the
OpenSSLX509CertPath still fails the tests.
This seems like a problem with the way CertPath is serialized. The
impact of this seems to be that a CertPath implementation must have
"PkiPath" as its default encoding.
Change-Id: Ie0e3577746345108301b02e7a1d4e8ea189f2bda
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLX509CertPath.java
rovider/jsse/OpenSSLX509Certificate.java
rovider/jsse/OpenSSLX509CertificateFactory.java
|
| 4e74f18c791e6d005c78a421875ae9bf89228981 |
07-Mar-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: eliminate some unneeded suppressions
Refactoring eliminated the need for these suppressions, so just remove
them.
Change-Id: Ia7f0160d4b5db09a1d23029f3cd2755ef2bd59d6
rovider/jsse/OpenSSLX509CertificateFactory.java
|
| 75dc9601af8ab3c65114e3c8c57d29ce5ac64125 |
19-Dec-2012 |
Kenny Root <kroot@google.com> |
NativeCrypto: add OpenSSL X.509 certificate/CRLs
Initial implementation of parsing X.509 certificates and certificate
revocation lists (CRLs). This lacks support for generating CertPath
objects, but that will be added at a later time.
This currently isn't the default provider so anything that doesn't
explicitly request this provider will not get this implementation.
Change-Id: I07ae9f333763087cb6ce47e20e12ceeed750920d
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLBIOInputStream.java
rovider/jsse/OpenSSLProvider.java
rovider/jsse/OpenSSLX509CRL.java
rovider/jsse/OpenSSLX509CRLEntry.java
rovider/jsse/OpenSSLX509Certificate.java
rovider/jsse/OpenSSLX509CertificateFactory.java
|
| c1f6588cf2400b3118bb4fcc65f695491110a4f3 |
04-Mar-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: add OpenSSLBIOInputStream
Any APIs that deal with potentially unbounded input data need a better
way of reading in data than byte arrays. This provides a building block
to implement those APIs with OpenSSL.
Change-Id: I58fef4388dc2731cc004ec5cb9ccc805acc55888
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLBIOInputStream.java
|
| 8acd6134dc84b387608746fbf2054c6d7dcd4f52 |
28-Feb-2013 |
Joel Dice <joel.dice@gmail.com> |
use longs instead of ints to store pointers in OpenSSL binding
This allows the code to be used on 64-bit VMs.
Change-Id: I6c0ef28c55160186c7d59e88ef6fcde4f4a41907
rovider/jsse/AbstractSessionContext.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLCipher.java
rovider/jsse/OpenSSLCipherContext.java
rovider/jsse/OpenSSLDigestContext.java
rovider/jsse/OpenSSLECGroupContext.java
rovider/jsse/OpenSSLECPointContext.java
rovider/jsse/OpenSSLECPrivateKey.java
rovider/jsse/OpenSSLECPublicKey.java
rovider/jsse/OpenSSLEngine.java
rovider/jsse/OpenSSLKey.java
rovider/jsse/OpenSSLMac.java
rovider/jsse/OpenSSLMessageDigestJDK.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/OpenSSLSignature.java
rovider/jsse/OpenSSLSocketImpl.java
|
| 004df9b49863d5449c0c70d0ade0203813f4e676 |
16-Feb-2013 |
Alex Klyubin <klyubin@google.com> |
Add support for SECG names for NIST P-192 and P-256 ECC curves.
SECG names of the two curve specs are "secp192r1" and "secp256r1".
OpenSSL doesn't support these names (see crypto/ec/ec_curve.c) because:
* "SECG secp192r1 is the same as X9.62 prime192v1 and hence omitted"
* "SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted"
The BouncyCastle-based EC provider, which was the default on older
Android platforms, supported both the SECG (secp...) and ANSI X9.62
(prime...) names for these curves.
This change also makes java.security.KeyPairGeneratorTest assert that
both the SECG and the ANSI X9.62 names of the two curves are
supported by EC* KeyPairGenerators of all the registered Providers.
Change-Id: I9531f05020971fd47afac2367021e3e3e6345d50
rovider/jsse/OpenSSLECGroupContext.java
|
| e5e09174c6239dcb22b015466ca1724193da612d |
07-Feb-2013 |
Kenny Root <kroot@google.com> |
Merge "NativeCrypto: serialize EC keys differently"
|
| 3039d83af05c3dee6d2f0d33cc4b9b167b1a4391 |
06-Feb-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: serialize EC keys differently
Change-Id: Iff593c707723811347b5b7e91bed52b07c490c9d
rovider/jsse/OpenSSLECPrivateKey.java
rovider/jsse/OpenSSLECPublicKey.java
|
| 3fefbd8abaf356e842705f8ebd24b414dcea8aac |
07-Feb-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: update curve names to match OpenSSL
Some of the curve names were incorrect in the ECKeyPairGenerator, so
renamed them to match what OpenSSL expects.
Change-Id: Ib56fe8ce30b95f7faee34a3e18add7c4037e4c47
rovider/jsse/OpenSSLECKeyPairGenerator.java
|
| 92e388f87a6a830793e7e33c6328c8ca6a89aef4 |
06-Feb-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: reduce strict Class equality check
For requested keySpec, we don't necessarily need the strict equality
check.
Also, remove code that is unreachable: RSAPrivateCrtKeySpec is a child
of RSAPrivateKeySpec, so there is no need to check whether the keySpec
is assignable to the CRT spec.
Change-Id: I8070541b015167d9314b83b45bd1410663487865
rovider/jsse/OpenSSLDSAKeyFactory.java
rovider/jsse/OpenSSLECKeyFactory.java
rovider/jsse/OpenSSLRSAKeyFactory.java
|
| a812f61dc1102c8089c1acd48c24b36829ce2482 |
06-Feb-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: fix more DSA/ECDSA key generation
* Add hidden API to pass along the EC curve name in ECParameterSpec.
The lack of name passing made KeyFactory2Test fail because the
reconstructed ECDSA key had explicit curve parameters instead of an
OID naming the curve.
* Fix some mixing of PKCS8/X509EncodedKeySpec in DSA/ECDSA KeyFactory
implementations.
* Fix the KeyFactory2Test to output more useful error messages.
* Remove known failure which is no longer happening.
* Change EC_GROUP_get_curve_name to return the "shortName" string
which matches the EC_GROUP_new_by_curve_name
Bug: 3483365
Change-Id: I0a80be88bef728b2177f3593cc3421fa47b79470
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLDSAKeyFactory.java
rovider/jsse/OpenSSLECGroupContext.java
rovider/jsse/OpenSSLECKeyFactory.java
|
| 8c4b6ac9b5a3346af8b474949c501fbb2d464c50 |
05-Feb-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: fix some DSA/ECDSA key generation
We were trying to generate a public key from a private key spec which
obviously doesn't work.
Also fix the error messages that indicated public key when it meant
private key.
Change-Id: Ifae417bc3e4c56aced5b7583a34965c7f31c9c66
rovider/jsse/OpenSSLDSAKeyFactory.java
rovider/jsse/OpenSSLECKeyFactory.java
|
| fc5480d13eb8b32c325ba79ba4221df2145727b7 |
05-Feb-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: DSA keys do not always have parameters
DSA keys do not always have parameters. When validating a certificate
chain, the DSA key will inherit parameters from the next DSA key up the
chain if DSAPublicKey#getParams() returns "null".
Change-Id: I052b42219829157ebdf148abb53048044cc83f8d
rovider/jsse/OpenSSLDSAParams.java
rovider/jsse/OpenSSLDSAPublicKey.java
|
| eca901e0699ed0b1026dacabc81aed33fba10ead |
04-Feb-2013 |
Kenny Root <kroot@google.com> |
OpenSSLCipher: fix short buffer error message
Change-Id: I4f16bee3c57c80a113bd92509451606d5fd2b666
rovider/jsse/OpenSSLCipher.java
|
| c9989de40c23c579bc9dc0231fb643436bbf73cc |
01-Feb-2013 |
Kenny Root <kroot@google.com> |
OpenSSL KeyFactory for DSA and EC
Add KeyFactory for EC. Uncomment the KeyFactory for DSA.
Remove useless template parameters from RSA KeyFactory.
Change-Id: Id7c4d3624719b5088abf239482ba58c7a2557d61
rovider/jsse/OpenSSLECKeyFactory.java
rovider/jsse/OpenSSLECPrivateKey.java
rovider/jsse/OpenSSLECPublicKey.java
rovider/jsse/OpenSSLProvider.java
rovider/jsse/OpenSSLRSAKeyFactory.java
|
| 7245d2ec05c8488f0bd82720eedac6a2dda17059 |
01-Feb-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: fix Channel ID tests
The NativeCryptoTest runs from a different class loader, so we need to
make the OpenSSLECGroupContext public to use it from there.
Also make sure we explicitly initialize the EC key at the beginning of
the test.
Change-Id: I733fe6263ef2ef72988987bf608cb806752033f5
rovider/jsse/OpenSSLECGroupContext.java
|
| a45d02e5fbf1ec387dcb1e6c91e867d32ab36193 |
23-Jan-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: add OpenSSLSecretKey for HMAC
Change-Id: Id5a77b41549944d7deffda0e2a4e60dbbd26184e
rovider/jsse/OpenSSLEngine.java
rovider/jsse/OpenSSLKey.java
rovider/jsse/OpenSSLMac.java
rovider/jsse/OpenSSLSecretKey.java
|
| 6914efca8fe737a753d234d7e91222da6a8cdabe |
28-Jan-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: add test base for OpenSSL ENGINEs
This sets up some of the testing infrastructure to allow us to test all
the ENGINE-related test paths in the NativeCrypto code.
Change-Id: I21f3dbebbaa90327d48a99020ae3a3e90624cc75
rovider/jsse/NativeCrypto.java
|
| 0731d6d00c5e30c05e035d3ae96327029d07a606 |
22-Jan-2013 |
Kenny Root <kroot@google.com> |
OpenSSLKey: easier creation and use of OpenSSL keys
For some future changes, it will be easier to convert OpenSSL objects to
real objects and back from native pointers. Make it easier to add new
EVP_PKEY types without adding them in if/else statements everywhere.
Change-Id: I19095bfc5f00835a266f572bc62e2e8d0a8cd544
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLDSAPrivateKey.java
rovider/jsse/OpenSSLDSAPublicKey.java
rovider/jsse/OpenSSLECGroupContext.java
rovider/jsse/OpenSSLECPrivateKey.java
rovider/jsse/OpenSSLECPublicKey.java
rovider/jsse/OpenSSLEngine.java
rovider/jsse/OpenSSLKey.java
rovider/jsse/OpenSSLKeyHolder.java
rovider/jsse/OpenSSLRSAPrivateCrtKey.java
rovider/jsse/OpenSSLRSAPrivateKey.java
rovider/jsse/OpenSSLRSAPublicKey.java
rovider/jsse/OpenSSLSignature.java
rovider/jsse/OpenSSLSignatureRawRSA.java
rovider/jsse/OpenSSLSocketImpl.java
|
| 4b88b3ded5c026282bf3a38cc006dc5f764603a1 |
19-Jan-2013 |
Brian Carlstrom <bdc@google.com> |
Merge "Add support for TLS Channel ID to OpenSSL-backed sockets."
|
| 7e5832d1a709558fca80ecb25fdd0626b2d4312d |
19-Jan-2013 |
Kenny Root <kroot@google.com> |
Merge changes Idfb18017,Ifbba9fdf
* changes:
OpenSSLMac: fix initialization with new key
HarmonyJSSE: convert byte correctly in padding check
|
| 0d4ee1f9b8c37fb33cd74da4efac5905ba138e45 |
19-Jan-2013 |
Kenny Root <kroot@google.com> |
OpenSSLMac: fix initialization with new key
If an OpenSSLMac instance was re-initialized with a new key, it wouldn't
produce correct results. Make sure to re-initialize the EVP_MD_CTX as
well.
Change-Id: Idfb18017407ff65866ae7e6f6fca3d646a970803
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLMac.java
|
| 3247af087973af299112cde32101592e86992c6f |
18-Jan-2013 |
Kenny Root <kroot@google.com> |
HarmonyJSSE: convert byte correctly in padding check
This gives a better error message since the byte could be negative
without the mask.
Change-Id: Ifbba9fdf647b7ecf8bc300fb1034011ba8357401
rovider/jsse/ConnectionStateSSLv3.java
rovider/jsse/ConnectionStateTLS.java
|
| de30700ecd96af43e2f3ee2e03f398896f5bb1e9 |
17-Jan-2013 |
Alex Klyubin <klyubin@google.com> |
Add support for TLS Channel ID to OpenSSL-backed sockets.
On the client, TLS Channel ID is enabled by passing an ECDSA P-256
private key to OpenSSLSocketImpl via the new setChannelIdPrivateKey
method.
On the server, TLS Channel ID is enabled via the new method
OpenSSLServerSocketImpl.setChannelIdEnabled. After the TLS/SSL
handshake, the Channel ID can be obtained via the new method
getChannelId.
See http://tools.ietf.org/html/draft-balfanz-tls-channelid-00.
Change-Id: I035e86d36678ae5956e6c1837afefcd668b3d750
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLServerSocketImpl.java
rovider/jsse/OpenSSLSocketImpl.java
|
| 90c22063c0c26c1f9762dcaa91eef2f1ae607d67 |
18-Jan-2013 |
Brian Carlstrom <bdc@google.com> |
Track new value of SSL_MODE_HANDSHAKE_CUTTHROUGH in external/openssl
Change-Id: Ie5cd6d4201ce2f361384eebe37487a3586321e8b
rovider/jsse/NativeCrypto.java
|
| c9acbf1c80d90952f7a4bce83e37c2540e42f6fc |
17-Jan-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: output named curves when possible
When converting to ASN.1 format from a named curve, try to make sure we
can output those named curves whenever possible instead of all the
parameters.
Also make sure we output in uncompressed point format for compatibility
with other implementations.
Change-Id: I3f370be694ac709f02e3043a2c1152ad4838ef41
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLECGroupContext.java
rovider/jsse/OpenSSLSocketImpl.java
|
| 8c4a407e34de1b348316a9175bd1c0577c887181 |
09-Jan-2013 |
Brian Carlstrom <bdc@google.com> |
verifyCertificateChain should convert unknown exceptions to CertificateException
Bug: http://code.google.com/p/android/issues/detail?id=42533
Change-Id: Id0e0eb8f007987decb4fee94135be8a92d2f8981
rovider/jsse/OpenSSLSocketImpl.java
|
| df99092f30a7bdc9f40f2fa0c3546a30d925edc0 |
01-Nov-2012 |
Brian Carlstrom <bdc@google.com> |
resolved conflicts for merge of eef7e935 to jb-mr1-dev-plus-aosp
Change-Id: I1af764dffabdfa63bc383b606d0c86451bdf64dd
|
| eef7e9357c272a9154f007e8bee2a09eed66d101 |
01-Nov-2012 |
Brian Carlstrom <bdc@google.com> |
Test to verify BC Signature algorithms by OID
Bug: 7453821
Change-Id: I69408d0bb4063e34441ed1d7632fd1ccac39965b
rovider/jsse/OpenSSLProvider.java
|
| 9fb84f4bee364d44b1d0d425109c98e964b23ae4 |
30-Oct-2012 |
Brian Carlstrom <bdc@google.com> |
am adcea0bf: Merge "Prefer PKIX algorithm name for TrustManagerFactory and KeyManagerFactory"
* commit 'adcea0bf53b5b932013d8290619f17715b33f139':
Prefer PKIX algorithm name for TrustManagerFactory and KeyManagerFactory
|
| c934a095e1f863f00bf6f7c0b37fbd05ebeaaff5 |
29-Oct-2012 |
Brian Carlstrom <bdc@google.com> |
Prefer PKIX algorithm name for TrustManagerFactory and KeyManagerFactory
Change-Id: I3da5bdf6739c6aee5ec0174e93cd6c06d6dfeeb3
rovider/jsse/DefaultSSLContextImpl.java
rovider/jsse/JSSEProvider.java
|
| c323184c9221d119b8b06a1fff6731f5119a64c0 |
16-Oct-2012 |
Kenny Root <kroot@google.com> |
am 196687f6: Merge "Use OpenSSL to convert from OID to name"
* commit '196687f6ed88a0935813efec5ca49c86fd536bf2':
Use OpenSSL to convert from OID to name
|
| 196687f6ed88a0935813efec5ca49c86fd536bf2 |
16-Oct-2012 |
Kenny Root <kroot@google.com> |
Merge "Use OpenSSL to convert from OID to name"
|
| 0130cf9705455a63eca0a4651986bb0806a7f5bc |
16-Oct-2012 |
Geremy Condra <gcondra@google.com> |
am f2df9e57: Merge "Adding minimum cryptographic strength check for cert chains."
* commit 'f2df9e575e6f0a20b1b27f0fca6a62e2b19729b1':
Adding minimum cryptographic strength check for cert chains.
|
| f2df9e575e6f0a20b1b27f0fca6a62e2b19729b1 |
16-Oct-2012 |
Geremy Condra <gcondra@google.com> |
Merge "Adding minimum cryptographic strength check for cert chains."
|
| 200be7055e30cd0f67b79df768b71bca19c5c596 |
11-Oct-2012 |
Geremy Condra <gcondra@google.com> |
Adding minimum cryptographic strength check for cert chains.
Change-Id: Id8a3fc28a07c086182183090cd79372ac81582e6
rovider/jsse/ChainStrengthAnalyzer.java
rovider/jsse/TrustManagerImpl.java
|
| 4a8388aeb988c5ed88f1105f9fa66a5ebd2ffbe3 |
15-Oct-2012 |
Kenny Root <kroot@google.com> |
Use OpenSSL to convert from OID to name
OpenSSL has a large database of OID mappings, so fall back to it if the
built-in Harmony database doesn't find it.
Change-Id: I72daa0b4f697d406a0d3f8285ce20d4e9ec04d27
rovider/jsse/NativeCrypto.java
|
| b762206996492843be768a7ae061bbc85b5491da |
15-Oct-2012 |
Kenny Root <kroot@google.com> |
am 70798f65: Merge "OpenSSLCipher: add ARC4 support"
* commit '70798f652c21e9bec770d0b965130311a84d5959':
OpenSSLCipher: add ARC4 support
|
| edefa57a822c27f3e9def050fd50e375c5908551 |
02-Oct-2012 |
Kenny Root <kroot@google.com> |
OpenSSLCipher: add ARC4 support
Change-Id: Iccdd76260af1afab0855816b3ccdd34fbc52295b
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLCipher.java
rovider/jsse/OpenSSLProvider.java
|
| 9dbe25c174d4f7e5099db1ea278513971e058ff8 |
12-Oct-2012 |
Kenny Root <kroot@google.com> |
am 0bf8e7a3: Merge "Add support for ECDSA signatures on jar files"
* commit '0bf8e7a3145bbc6a32f5b88364a923af40434b61':
Add support for ECDSA signatures on jar files
|
| 52c906b82c75e811284a1788e5ca0b4330a55a36 |
10-Oct-2012 |
Kenny Root <kroot@google.com> |
Add support for ECDSA signatures on jar files
Change-Id: If928f2244b3a0809255d6619c25268beb84f76d3
rovider/jsse/OpenSSLProvider.java
|
| 9679c42bd37a2539b7306891cba53731c7a8b91b |
12-Oct-2012 |
Kenny Root <kroot@google.com> |
am d5d84f6c: Merge "NativeCrypto: add EC key pairs"
* commit 'd5d84f6c657b9d130b4d34c77f151f425ae70ff4':
NativeCrypto: add EC key pairs
|
| 9d2fb535e5d43ad34af09195d490da18a7694a48 |
11-Oct-2012 |
Kenny Root <kroot@google.com> |
NativeCrypto: add EC key pairs
Change-Id: I8240df5ff12e38dd935258def099aed4663955ea
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLECGroupContext.java
rovider/jsse/OpenSSLECKeyPairGenerator.java
rovider/jsse/OpenSSLECPointContext.java
rovider/jsse/OpenSSLECPrivateKey.java
rovider/jsse/OpenSSLECPublicKey.java
rovider/jsse/OpenSSLProvider.java
rovider/jsse/OpenSSLSignature.java
|
| 46d6243e9e39a2b68b985bfd534cc891e52df274 |
09-Oct-2012 |
Brian Carlstrom <bdc@google.com> |
Change OpenSSLCipherRSA.{engineGetBlockSize,engineGetOutputSize} to return result based on key size
Includes cherry-pick of 847f22adbd0e829b84491d7202dcbed5bf67a98c
Bug: 7192453
Change-Id: Ib5fa1e313d942d2c1034e8e7831af285ad24d71d
rovider/jsse/OpenSSLCipherRSA.java
|
| 72e44404c32a98e7675a6e7cfbf856adb499a434 |
09-Oct-2012 |
Brian Carlstrom <bdc@google.com> |
Change OpenSSLCipherRSA.{engineGetBlockSize,engineGetOutputSize} to return result based on key size
Includes cherry-pick of 847f22adbd0e829b84491d7202dcbed5bf67a98c
Bug: 7192453
Change-Id: Ib5fa1e313d942d2c1034e8e7831af285ad24d71d
rovider/jsse/OpenSSLCipherRSA.java
|
| b3bc3cd743d06f5fb59a1c950a7634b47f3cafc4 |
10-Oct-2012 |
Kenny Root <kroot@google.com> |
resolved conflicts for merge of 30d217ad to jb-mr1-dev-plus-aosp
Change-Id: Iedafef8005b3d26a16f8b279408f113f3afe7a8a
|
| 3d1643390a0d624a27b8eccc589b337949657c76 |
10-Oct-2012 |
Kenny Root <kroot@google.com> |
Add OIDs for algorithms
This allows things from a PKCS#7 container (or any other container that
specifies algorithms by OID) to get an instance via OID instead of the
common name.
Bug: http://code.google.com/p/android/issues/detail?id=38321
Change-Id: Ie766751a3f7894a558f7e40e7d520800bf7a8a08
rovider/jsse/OpenSSLProvider.java
|
| a8e0ac07166ba25fa50e83773cd18ac9f36bf18e |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
am f2c8382b: am 5a1225cc: Merge "NativeCrypto: add assertions for no OpenSSL errors"
* commit 'f2c8382b0aa0fca4b79601cb21a9136b862996c2':
NativeCrypto: add assertions for no OpenSSL errors
|
| 008e8a74088c7508b49d8ea2323deef40c5076a7 |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
NativeCrypto: add assertions for no OpenSSL errors
Some calls in NativeCrypto appear to be not clearing error states. Add
an assertion at the end of each test to make sure this doesn't happen.
Change-Id: I9030891a8dc9e7715e65071fe949a11d7a560e56
rovider/jsse/NativeCrypto.java
|
| a7789931a001d62e02dfb8238c1664cc1103609d |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
am 353e8448: am 3f83b9c8: Merge "OpenSSLCipher: account for padding on doFinal"
* commit '353e84483aa2be779d3938d76890e8b218358d89':
OpenSSLCipher: account for padding on doFinal
|
| 2d77ba4ab779bfb5dcd1ee7fe063850d51a92ca3 |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
am 9e1cd813: am 26d9dc15: Merge "Do not use OpenSSLCipherContext in tests"
* commit '9e1cd813f618c738007dc7ea3eaf15ee5863a4cc':
Do not use OpenSSLCipherContext in tests
|
| 3f83b9c80bda2de1927efaca193000ae30f22f01 |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
Merge "OpenSSLCipher: account for padding on doFinal"
|
| 7ca2e3509b2b8578de48ac5e226d1b675a66c69f |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
Do not use OpenSSLCipherContext in tests
Change-Id: I422954e7e9a9d1021d4281a254cdd732f37ca2bf
rovider/jsse/OpenSSLCipherContext.java
|
| 5b5904640b44fe2fd760b5d427edeffe20f55630 |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
OpenSSLCipher: account for padding on doFinal
Decrypting also needs to check padding on the last block, so special
case encrypting in getOutputSize
Change-Id: I0bfaf6f40f5d618e4dd1853668ec5400058e6b67
rovider/jsse/OpenSSLCipher.java
|
| 0804bbcc7de405ce92436cf82d72194666017b43 |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
am 206730de: am dfa280ba: Merge "OpenSSLMac: add license header"
* commit '206730de97cf8f3ebbe8998a86a3f8405c34f2a4':
OpenSSLMac: add license header
|
| 7842ba5ddb88f17c180bba8bfc32f2ef7270b382 |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
am 080cda4a: am 7ae5f93f: Merge "OpenSSLMac: new OpenSSL HMAC connector"
* commit '080cda4ad77052269b3ac9a7db48cec05c49f3b4':
OpenSSLMac: new OpenSSL HMAC connector
|
| 725daeb9049fcbe761314e6263c14608ae7bb087 |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
OpenSSLMac: add license header
Change-Id: Id205d75d0c82ee33698758f1d6fbec850971322b
rovider/jsse/OpenSSLMac.java
|
| 7ae5f93f03f60b349f611122c4944634cfba4f39 |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
Merge "OpenSSLMac: new OpenSSL HMAC connector"
|
| a9a21fc20ac86e723c141bc145f582a2ab83268a |
04-Oct-2012 |
Kenny Root <kroot@google.com> |
OpenSSLMac: new OpenSSL HMAC connector
Change-Id: I6a6a9cbdcdc490a0bc1c313bbaf045a4fd99555e
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLDigestContext.java
rovider/jsse/OpenSSLMac.java
rovider/jsse/OpenSSLProvider.java
|
| 130e5d6b0281470f03abf810eb38aaa5aa1ca746 |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
am a0592d4e: am d0670a67: Merge "OpenSSLCipher: use OpenSSL buf_len data"
* commit 'a0592d4ed7c71d5c1269d4e71611f10627fff8e7':
OpenSSLCipher: use OpenSSL buf_len data
|
| 81508e23428cffc070132f461c1166077910e836 |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
OpenSSLCipher: use OpenSSL buf_len data
This allows us to exactly match other implementation outputs for the
same input values. What we were doing before was technically to the
API's documented behavior, but broke some other things.
Change-Id: I7e95dab4a7be8d737e862f6b6ddb04f6bbcd0dbe
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLCipher.java
|
| f3cf8f7daed90edec16c9c1582d60fc21723eeb6 |
04-Oct-2012 |
Kenny Root <kroot@google.com> |
am a8969127: am 77be92fe: Merge "OpenSSLCipher: don\'t explode during null decrypt"
* commit 'a8969127cda9984754f758e1e3f839a83c5719f6':
OpenSSLCipher: don't explode during null decrypt
|
| d57f3547302678e7f61016b121530105e4fc0819 |
04-Oct-2012 |
Kenny Root <kroot@google.com> |
am 46b18865: am 7efb2a19: Merge "OpenSSLCipher: only return block size multiples"
* commit '46b18865ebf78a72f5bf9faf3b33485ea3dfd6c9':
OpenSSLCipher: only return block size multiples
|
| 77be92fe27e1cc9204b0bac3b9a9a324fd41eb57 |
04-Oct-2012 |
Kenny Root <kroot@google.com> |
Merge "OpenSSLCipher: don't explode during null decrypt"
|
| e0a42275cfb7edeb10118f2ab6005bb3095f38b5 |
04-Oct-2012 |
Kenny Root <kroot@google.com> |
OpenSSLCipher: only return block size multiples
There is a faulty test that called .getOutputSize(inputLen) and then
used the output of that to provide inputLen for the .doFinal(...) call.
Unfortunately, this is the only cipher that failed since we're not
returning exact multiples of block size for .getOutputSize(...) calls.
Instead we'll just return exact block size multiples so we don't run
afoul of any other broken code.
Change-Id: I1ca860d6df300ee67df90e575fc476d8291ec9c1
rovider/jsse/OpenSSLCipher.java
|
| fac659c013ec9c2783f60afce39e83eb107f117d |
04-Oct-2012 |
Kenny Root <kroot@google.com> |
OpenSSLCipher: don't explode during null decrypt
Other Cipher implementations return "null" when calling "doFinal()"
during decrypt mode without having ever called .update(...)
Change OpenSSLCipher to do the same.
Change-Id: I76e22702a446912df125af0ff518fb123d62f5a3
rovider/jsse/OpenSSLCipher.java
|
| d5db85f89e11e1ad4f78686b86d27ad26cb1c938 |
04-Oct-2012 |
Brian Carlstrom <bdc@google.com> |
am d26da2f6: am 9ac72760: Merge "OpenSSLCipher: remove buffer for partial blocks"
* commit 'd26da2f66c9139280a7fbd434980b3bd8349b612':
OpenSSLCipher: remove buffer for partial blocks
|
| 5189c980ebdc842e0e5ca7d6794b4880aa0b6cd5 |
04-Oct-2012 |
Kenny Root <kroot@google.com> |
OpenSSLCipher: remove buffer for partial blocks
Some block ciphers buffer the first block used. We weren't accounting
for this so we started failing with DES3. This led to another issue that
OpenSSL can sometimes keep things in its internal buffer. Instead of
having multiple levels of buffering, just rely on OpenSSL to do the
buffering.
Change-Id: I40a6c7e92e70d3c9ae530f35e8a4234f62e8d225
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLCipher.java
|
| 5db76d31870b0ef3ced3b0f01584118b4b9a3e3d |
03-Oct-2012 |
Kenny Root <kroot@google.com> |
am ed07842e: am db3690a2: Merge "Fix some failing unit tests"
* commit 'ed07842e67e28e57c0ef596e2e1e4772d54926da':
Fix some failing unit tests
|
| db3690a2d37331bd48b67ba177f7fc1bb33c9276 |
03-Oct-2012 |
Kenny Root <kroot@google.com> |
Merge "Fix some failing unit tests"
|
| a56d856815c0974298fbdd9210b8f5a890756add |
03-Oct-2012 |
Kenny Root <kroot@google.com> |
am bec17d88: am dac74262: Merge "OpenSSLCipher: 3DES cipher name depends on key size"
* commit 'bec17d88296d0729e8f5047e91e156d2fbce3b08':
OpenSSLCipher: 3DES cipher name depends on key size
|
| 1fe411ff4e4aa4f24158effb6dbfd786bb30048a |
03-Oct-2012 |
Kenny Root <kroot@google.com> |
Fix some failing unit tests
evpCipher can be null to handle re-initialization of CIPHER_CTX
instances.
Make the constructor of OpenSSLCipherContext public so it can be used in
testing.
Fix all of the things hidden by JNI_DEBUG that were not correct.
Throw a BadPaddingException when a decrypt fails. This particular error
is returned by OpenSSL in evp_enc.c from EVP_DecryptFinal_ex when the
padding check fails.
Change-Id: I77cad024db52986fe726443cd9b3ff52430a30dd
rovider/jsse/OpenSSLCipherContext.java
|
| 46a749879a6d52408e51938b9e63683b238d0bee |
03-Oct-2012 |
Kenny Root <kroot@google.com> |
OpenSSLCipher: 3DES cipher name depends on key size
OpenSSL doesn't infer from the key size whether to use two-key or
three-key 3DES, so explicitly call it out.
Change-Id: Ibd93088844e7585e72a7c7857dd2af8a150b3780
rovider/jsse/OpenSSLCipher.java
|
| c2f3e11588854db37f609f60cea8ef946211a02f |
03-Oct-2012 |
Kenny Root <kroot@google.com> |
am f8dac9e9: am d85dfd8d: Merge changes I81f1bec8,I4aa6e3a2
* commit 'f8dac9e9410705895e64187fd8ad75431e147957':
OpenSSLCipher: Add DESede support
Add Cipher support for AES through OpenSSL
|
| 9961a1e1fc3cf3fa8ceab5917eb49cedc996a2f6 |
01-Oct-2012 |
Kenny Root <kroot@google.com> |
OpenSSLCipher: Add DESede support
Change-Id: I81f1bec8e3562c3ed90b35a60829ca0dfc4d8341
rovider/jsse/OpenSSLCipher.java
rovider/jsse/OpenSSLProvider.java
|
| 13cf08b2f06e1f5f0278c449072898f5e147db49 |
24-Sep-2012 |
Kenny Root <kroot@google.com> |
Add Cipher support for AES through OpenSSL
Timings using encrypt with 256-bit key in CTR mode and PKCS5Padding:
implementation inputSize us linear runtime
OpenSSL 16 11.4 =
OpenSSL 32 12.1 =
OpenSSL 64 13.2 =
OpenSSL 128 15.1 =
OpenSSL 1024 44.0 =
OpenSSL 8192 275.0 ===
BouncyCastle 16 11.5 =
BouncyCastle 32 15.9 =
BouncyCastle 64 24.6 =
BouncyCastle 128 41.5 =
BouncyCastle 1024 277.2 ===
BouncyCastle 8192 2196.9 ==============================
Change-Id: I4aa6e3a2ca2b368fab2c602733b4f97e740d04fd
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLCipher.java
rovider/jsse/OpenSSLCipherContext.java
rovider/jsse/OpenSSLProvider.java
|
| 0df5a7ea6de1b66a1a27678e66909b85c1e464fe |
27-Sep-2012 |
Kenny Root <kroot@google.com> |
am 96612f9c: am a233144d: Merge "Add serialization to OpenSSL-based keys"
* commit '96612f9cbfe5666958ec3608a669e6c585432049':
Add serialization to OpenSSL-based keys
|
| d3df366d3fd59237f1fbf099e979e6843047032c |
27-Sep-2012 |
Kenny Root <kroot@google.com> |
Add serialization to OpenSSL-based keys
Any OpenSSL keys that aren't ENGINE-based are serializable, so add the
code to be able to keep the Serializable contract.
Bug: http://code.google.com/p/android/issues/detail?id=37880
Change-Id: I6d5fd9a1c6817d97d7890e4cccd8c95253e95279
rovider/jsse/OpenSSLDSAPrivateKey.java
rovider/jsse/OpenSSLDSAPublicKey.java
rovider/jsse/OpenSSLRSAPrivateCrtKey.java
rovider/jsse/OpenSSLRSAPrivateKey.java
rovider/jsse/OpenSSLRSAPublicKey.java
|
| b2fc6057db8c0c833db90f7ebe01d945213613fc |
25-Sep-2012 |
Brian Carlstrom <bdc@google.com> |
am f80f3547: am 5e05b783: Merge "Fix Generic[Stream|Generic]Cipher to Generic[Stream|Block]Cipher in comments"
* commit 'f80f354718d9790ec98db3fd9377a7c40a99710f':
Fix Generic[Stream|Generic]Cipher to Generic[Stream|Block]Cipher in comments
|
| ca3fd60b58369806a7d02f2204e4140ab70b353e |
25-Sep-2012 |
Brian Carlstrom <bdc@google.com> |
Fix Generic[Stream|Generic]Cipher to Generic[Stream|Block]Cipher in comments
Change-Id: Iee2a86c764e5bd19135b371b100865fab2690965
rovider/jsse/ConnectionState.java
|
| 615225a35dbd838210270b282d1196deff643b51 |
22-Sep-2012 |
Brian Carlstrom <bdc@google.com> |
Add OpenSSLSocketImpl.setSoWriteTimeout to allow SO_SNDTIMEO to be specified
Bug: 6693087
Change-Id: Ie6903168ca0ada4516c55dfab5f7194baf965b4c
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
| 9473606aca0af1a6410b2ea396c8a6609cf16940 |
20-Sep-2012 |
Geremy Condra <gcondra@google.com> |
Add cached trust anchors to the chain prior to checking pinning.
This avoids an issue where intermediate certs are assumed cached
rather than provided by the server.
Bug: 7195828
Change-Id: I44e033ddc40a7a259bac888bf2b873d9bb81becc
rovider/jsse/TrustManagerImpl.java
|
| 7b5bf805d03c2b71266886fa75513400817de9f1 |
19-Sep-2012 |
Geremy Condra <gcondra@google.com> |
Move null check for cert store to the consumer code.
This allows the check to operate if TrustManagerImpl gets a non-
AndroidCAStore cert store.
Bug:7190096
Change-Id: I7c55e48afdbee293e08a0594ad3957b4695a6415
rovider/jsse/PinListEntry.java
|
| 5ab2ad7ebf828d06710868f33458fb1fbe1aa50b |
19-Sep-2012 |
Geremy Condra <gcondra@google.com> |
Migrate PinFailureLogger to use the DropBox.
Also change the DropBox add* methods to be static, since they can be.
Change-Id: Iedab6948754dfc0db5d432a918bdc6297e3b8f02
rovider/jsse/PinFailureLogger.java
|
| 924af71bb26b7c35f702de9a3425109c73184a53 |
19-Sep-2012 |
Geremy Condra <gcondra@google.com> |
Restructure logging to ease the transition to dropbox.
Bug: 7190096
Change-Id: Ib16bcd47712890fd627027ebacacc511870b31b0
rovider/jsse/CertPinManager.java
rovider/jsse/PinFailureLogger.java
rovider/jsse/PinListEntry.java
rovider/jsse/TrustManagerImpl.java
|
| 5c9add3e84fd426fafbec289738f1f09c49aaf90 |
18-Sep-2012 |
Geremy Condra <gcondra@google.com> |
Add logging to detect cert pin failures caused by MITM proxies.
Change-Id: Ie9554aaa824506a75534d888432ed8a91e14e386
rovider/jsse/TrustManagerImpl.java
rovider/jsse/TrustedCertificateStore.java
|
| 5a97188382a40d3345300b92147f80b230b620bc |
17-Sep-2012 |
Brian Carlstrom <bdc@google.com> |
Make PinListEntry and PinEntryException public for CertPinManagerTest
Change-Id: If61f800e20613e37a076bf049c259abca1072e4b
rovider/jsse/PinEntryException.java
rovider/jsse/PinListEntry.java
|
| d43b9ef11a1095967a3396b246639b563e1a4128 |
12-Sep-2012 |
Kenny Root <kroot@google.com> |
Add consistent reasons for NullPointerException
Semi-automated replacement of empty and non-conforming
NullPointerException reason messages.
(cherry-pick of 86acc043d3334651ee26c65467d78d6cefedd397.)
Change-Id: I6d893979f5c20a50e841e32af9fd7b2d8bc9d54d
rovider/jsse/FileClientSessionCache.java
|
| 86acc043d3334651ee26c65467d78d6cefedd397 |
12-Sep-2012 |
Kenny Root <kroot@google.com> |
Add consistent reasons for NullPointerException
Semi-automated replacement of empty and non-conforming
NullPointerException reason messages.
Change-Id: Iedeb4b21949e973c4042ce5982dda315f2e785e1
rovider/jsse/FileClientSessionCache.java
|
| e88bbba97a2a68287b93fecba822d11f272325b7 |
12-Sep-2012 |
Geremy Condra <gcondra@google.com> |
Added event logging to PinListEntry.
This is done by adding a stub EventLogger that writes to the
usual logs if not overriden by the framework. If it has been
then we will wind up writing the code + Objects to the event
log.
cherry-picked from 52dc295e93679baa72f95b5b873dd21d5a2ccb32
Change-Id: I2c887c233d019910c9b018c4639a36c0808efc02
rovider/jsse/PinListEntry.java
|
| 6d2a17ab04ab0967e3bff7fe6280066ef66d1d76 |
11-Jun-2012 |
Geremy Condra <gcondra@google.com> |
Added basic cert pinning support.
This has four main changes:
First, it adds a CertPinManager to TrustManagerImpl that checks to
ensure that the chain is properly pinned.
Second, it adds the CertPinManager and associated classes to
implement cert pinning at this level.
Third, it changes the callers of checkServerTrusted to pass in a
hostname where possible, allowing them to make use of the pinning
transparently.
Finally, it changes checkServerTrusted to return the ultimate
chain that was verified, which is useful for implementing pinning
at a higher level.
cherry-picked from 5315f29b2de4aace0077b78f0b99634fda440b85
Change-Id: I150e010da3e2aeed57bd5330ff113d3a7fbbee2a
rovider/jsse/CertPinManager.java
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/PinEntryException.java
rovider/jsse/PinListEntry.java
rovider/jsse/PinManagerException.java
rovider/jsse/SSLSocketFactoryImpl.java
rovider/jsse/SSLSocketImpl.java
rovider/jsse/SSLSocketWrapper.java
rovider/jsse/TrustManagerImpl.java
|
| fe8b870db2b374e21c69c2ff0050e6a34e0d8d94 |
05-Sep-2012 |
Brian Carlstrom <bdc@google.com> |
Tracking upgrade to bouncycastle 1.47
Change-Id: Ie1f2ae92638e81ccd7e4ec2459199e6eecdac75f
rovider/jsse/OpenSSLProvider.java
|
| f0993272562ebc6e8d77024b985c45fae9f92ed4 |
12-Sep-2012 |
Brian Carlstrom <bdc@google.com> |
am a1359997: am 9f519e17: Merge "Add OpenSSLProvider support for Cipher.RSA/None/PKCS1Padding"
* commit 'a1359997a83e4d1aefdb7ae23f73b61420d37964':
Add OpenSSLProvider support for Cipher.RSA/None/PKCS1Padding
|
| 0a156e0126e8015f2791e9a7dd48bbdaeae0c335 |
12-Sep-2012 |
Brian Carlstrom <bdc@google.com> |
Add OpenSSLProvider support for Cipher.RSA/None/PKCS1Padding
Summary:
- Add OpenSSLProvider support for Cipher.RSA/None/PKCS1Padding
Added NativeCrypto.RSA_private_decrypt and NativeCrypto.RSA_public_encrypt
- Changed OpenSSLSignatureRawRSA to use new Cipher.RSA/None/PKCS1Padding
Removed now obsoleted NativeCrypto APIs for
RSA_padding_add_PKCS1_type_1 and RSA_padding_check_PKCS1_type_1
- added wrap/unwrap support OpenSSLCipherRSA
Needed for SSLEngine (and fallback SSLSocket implementation)
which are now picking up the new Cipher.RSA/None/PKCS1Padding
- expanded CipherTest to sanity test all algorithms and PKCS1 padding
Change-Id: I03566cc86ffce07d44d5e0094fa82c9c24587c26
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLCipherRSA.java
rovider/jsse/OpenSSLCipherRawRSA.java
rovider/jsse/OpenSSLProvider.java
rovider/jsse/OpenSSLSignatureRawRSA.java
|
| c44b3f5d857d0d3f4d3668de905cdac5080ede3b |
01-Sep-2012 |
Kenny Root <kroot@google.com> |
Better OpenSSL key comparison
Use native code to compare OpenSSL keys instead of converting them to
Java BigIntegers first.
Change-Id: If795c9c26e41174755cdab34ff70e01c7487c9bd
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLRSAPrivateCrtKey.java
rovider/jsse/OpenSSLRSAPrivateKey.java
|
| 7695a9b3261bfee3a810e0829bd8082fe1fcb6a4 |
30-Aug-2012 |
Brian Carlstrom <bdc@google.com> |
Disable SSL compression
Bug: 7079965
Change-Id: I8e060a827613e212bbcced66507fbf124bb04543
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLServerSocketImpl.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/OpenSSLSocketImpl.java
|
| 796b0d2f4508e3933e53df2d372090c8634164ee |
21-Aug-2012 |
Kenny Root <kroot@google.com> |
Remember key aliases for OpenSSLKeys from ENGINEs
Since it's not easy (or sometimes impossible) to retrieve key IDs for
keys loaded from an ENGINE, remember them when we create them.
(cherry-picked from 86bdaf9b40263efae243d685d449e1ae30b0b161)
Change-Id: I3920f56214d9eade87d51d30b024f5aeda9e8344
rovider/jsse/OpenSSLDSAPrivateKey.java
rovider/jsse/OpenSSLEngine.java
rovider/jsse/OpenSSLKey.java
rovider/jsse/OpenSSLRSAPrivateKey.java
|
| 783004cceef470884b3ee6946cbbfc4af0f28ae7 |
20-Aug-2012 |
Brian Carlstrom <bdc@google.com> |
Restore ability for SSLSocket.close() to interrupt reads and writes
SSLSocketTest.test_SSLSocket_interrupt didn't catch this regression so
added new test_SSLSocket_interrupt_read to cover this case
specifically. Also cleanup SSLSocketTest to use Executors like
NativeCryptoTest instead of Threads for better error checking.
Bug: 7014266
Change-Id: I1160cd283310a0c6197cd3271a25830e0e2b1524
rovider/jsse/OpenSSLSocketImpl.java
|
| 62fc526d80608925cad24c3d6d91657f63a56fcf |
16-Aug-2012 |
Kenny Root <kroot@google.com> |
Add new Android-only algos to StandardNames
The ProviderTest fails if we don't add these to StandardNames.
Change the name of Signature.RAWRSA to "NONEwithRSA" so it matches the
convention in existing algorithms.
Change-Id: Id126eca46ee3b9f9d19aee596c1babd489693c7a
rovider/jsse/OpenSSLProvider.java
|
| cdad5434dff71f87b4e85c6faf6e0c30a80672d7 |
16-Aug-2012 |
Kenny Root <kroot@google.com> |
Merge "Call ENGINE_add to prevent ENGINEs from unloading"
|
| 106a8928fb4249f2f3d4dba1dddbe73ca5cb3d61 |
16-Aug-2012 |
Kenny Root <kroot@google.com> |
Call ENGINE_add to prevent ENGINEs from unloading
The only user of the OpenSSLEngine interface is a dynamic engine (loaded
from eng_dyn.c), so it will unload the .so when references to it
decrease to zero.
Calling ENGINE_add will add the loaded engine to the list of loaded
engines. The next time ENGINE_by_id is called, it will just use the one
from the list instead of loading the .so again.
You can still control whether the engine is ref-counted or copied with
ENGINE_set_flags(ret, ENGINE_FLAGS_BY_ID_COPY) in the engine
initialization method.
Change-Id: Ic005e9ea22a3c6027e3a5aab2adf41fb7995c1f0
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLEngine.java
|
| 84818197ed60f59a86ba8d9274e1639d222f4040 |
15-Aug-2012 |
Kenny Root <kroot@google.com> |
Do better comparisons for ENGINE-based keys
ENGINE-based keys need only be compared by their modulus in actuality,
because given a good random number generator each modulus should be
unique.
Change-Id: Iea1f19126c5ce306d63b3a1bcb05a43139a86846
rovider/jsse/OpenSSLRSAPrivateCrtKey.java
rovider/jsse/OpenSSLRSAPrivateKey.java
|
| d762af619aa85042c08553425a4ca4ef7900d45a |
10-Aug-2012 |
Kenny Root <kroot@google.com> |
Fix OpenSSLCipherRawRSA doFinal array copy
System.arraycopy was pointing the wrong way making calls to doFinal()
with offset markers get zeroed output instead of the actual output.
Also fix tests that checked RSA cipher behavior to match RI.
Bug: 6951038
Change-Id: Ife84c177a2c06a2c27b98df9960cbd3c4b62d984
rovider/jsse/OpenSSLCipherRawRSA.java
|
| 83a7cea6ad5c5f066e55aeddd6da27d3ef5e62c1 |
07-Aug-2012 |
Kenny Root <kroot@google.com> |
Add chain building to TrustedCertificateStore
Since TrustedCertificateStore has information needed, use it to build
certificate chains.
OpenSSL uses Authority Key Identifier in extensions to determine if the
certificate is the same as itself. There are problems with key rotation
when a different certificate serial signs a key with the same subject
identifier. It appears to be the same with the old code, but it may
generate an invalid chain.
(cherry-picked from 3fb088d79e446063ef743362a030e1cfb80b2178)
Change-Id: I8149bed1a0ae537f75da5dc3f3d7e3ccab353f91
rovider/jsse/TrustedCertificateStore.java
|
| c5ddc93173f32383ab456c0a24739e7cb2d19c42 |
02-Aug-2012 |
Kenny Root <kroot@google.com> |
Add raw RSA Cipher to OpenSSLProvider
Recent changes in the way that Android Keystore (accessed via KeyChain)
necessitate all key operations be done with a provider that understands
the new OpenSSLKey object.
This adds Cipher support for the RSA algorithm in "RSA/ECB/NoPadding"
and "RSA/None/NoPadding" modes.
Change-Id: I98a8eaf3514763a863b2751bba999fbd48609c96
rovider/jsse/OpenSSLCipherRawRSA.java
rovider/jsse/OpenSSLProvider.java
|
| 7501e29e0182accf28cc317870a3bbe1e25f4bfa |
31-Jul-2012 |
Kenny Root <kroot@google.com> |
Add raw RSA signature support
With the new Keystore changes, this is the only way you can get raw RSA
signatures which a lot of native code expects to be able to do.
(cherry-picked from c531f5f402b4cedcc35a0b7f0b540dc84c545106)
Bug: 6787078
Change-Id: I1c5ddd5287be1ab71347eedc864a41c24e156cb4
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLProvider.java
rovider/jsse/OpenSSLSignatureRawRSA.java
|
| 46aabcb28b0e3b807f6db8c33173962d6f2cb71f |
12-Jun-2012 |
Kenny Root <kroot@google.com> |
Add OpenSSL provider for SHA1PRNG
(cherry-pick of 4718b07e482ccb083ce3dfff228d0615b96a8dd2 and 84fb77d814b0ad04d70addb04847797925acf805.)
Change-Id: Ib45c646a8596bf5ea0629408d6057d3828a1ac94
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLProvider.java
rovider/jsse/OpenSSLRandom.java
|
| 20484654bc7c2407da40226d5188acfc37ee1c2b |
09-Aug-2011 |
Elliott Hughes <enh@google.com> |
Remove more cruft.
Unused imports and bogus comments.
(cherry-pick of 9af8c0318fac8bf03ee145da01b0c38a503791fc.)
Change-Id: I2bddb32028b71964407e86c4dbef5516673c27eb
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/Logger.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/ServerHandshakeImpl.java
|
| 52ec5bcc7d5d042d7ba6d0244d98ee72007a95e4 |
24-Jul-2012 |
Brian Carlstrom <bdc@google.com> |
Signature.verify should not throw if called twice
Bug: http://code.google.com/p/android/issues/detail?id=34933
Change-Id: Iad18e46729dcd283f4cecd65994ac7b741bd3036
rovider/jsse/OpenSSLSignature.java
|
| df9f5967a3b8dc2f61183d155791393b67980511 |
24-Jul-2012 |
Brian Carlstrom <bdc@google.com> |
Fix OpenSSLSocketImpl.close race
Move the NativeCrypto.SSL_interrupt call within the close
synchronization. Otherwise there can be problems if
NativeCrypto_SSL_interrupt tries to use the SSL* and another thread
has called NativeCrypto_SSL_free.
Bug: 6707288
Change-Id: Id8b0311b10124f2a08f8e0f24595a6ee46805c33
rovider/jsse/OpenSSLSocketImpl.java
|
| f0c85fa16995e1c715c679aea704392a162f493a |
13-Jul-2012 |
Brian Carlstrom <bdc@google.com> |
Merge "CertificateRequest should handle case where certificate is requested but none is available."
|
| 7c935d4e4ca990334200cf5eb4fbcfac718c6b45 |
04-Jun-2012 |
gcollins <gcollins@antennasoftware.com> |
CertificateRequest should handle case where certificate is requested but none is available.
Android SSL client was not handling a CertificateRequest where there was no cert to send.
It had a problem because it was assuming that if the CertificateMessage response is not null,
it means there is a cert included, which is not true (if it has no cert to send an empty CertificateMessage
is sent to the server). So I updated the CertificateVerify creation check to also check whether the CertificateMessage
contained any certs (ClientHandshakeImpl.java).
In testing I found that the same error was in the server code so I made the same change there
(ServerHandshakeImpl.java).
I added two test cases to SSLEngineTest - one to directly test the scenario (test_SSLEngine_clientAuthWantedNoClientCert)
and one to just double-check that the server would not allow the connection if setNeedClientAuth (test_SSLEngine_clientAuthNeededNoClientCert).
Bug: http://code.google.com/p/android/issues/detail?id=31903
Change-Id: Ideb57d6ccbcdd54ca24dc3063e60aba2653c8414
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/ServerHandshakeImpl.java
|
| 1982194cb9067e3311ac491b4d02a6ead611fd59 |
17-May-2012 |
Jesse Wilson <jessewilson@google.com> |
Change OpenSSLSocketImpl to forbid empty lists of NPN protocols.
Change-Id: I65d5d7b8d69ddfd551cbbe6da063f5ac277c5f45
rovider/jsse/OpenSSLSocketImpl.java
|
| 679ac55c3c037887edfc6ce6f42a23cd7c11cd12 |
12-May-2012 |
Jesse Wilson <jessewilson@google.com> |
Only use SSL CUTTHROUGH (False Start) if the server supports NPN.
We enable cutthrough on the client if the server supports NPN.
We never enable cutthrough on the server because most relevant
protocols (ie. HTTP) are client-speaks-first and those don't
benefit from cutthrough on the server.
I verified this by enabling NPN on both client and server and
checking that the client's Application Data was sent before the
server's Change Cipher Spec. To increase the likelihood of this
otherwise racy situation I put the server in SSL debug mode
after it receiving next_protos_advertised_callback. OpenSSL's
debug mode adds a 1-second sleep before each read and write.
Bug: http://b/6331035
Change-Id: I879b5fb26dc237392a36fe0585c8a6519c0e5220
rovider/jsse/OpenSSLSocketImpl.java
|
| 908975092f7ac7b7562f242c5fd99fbf228acf0f |
02-May-2012 |
Selim Gurun <sgurun@google.com> |
Provide key context
Bug: 6249185
Make the key context available.
Change-Id: I51967e2a164b3f83d5d5096add7199c3a121da06
rovider/jsse/OpenSSLDSAPrivateKey.java
rovider/jsse/OpenSSLRSAPrivateKey.java
|
| 88f3ec9ebfd60998eb321f8c182009dace9bf983 |
01-May-2012 |
Brian Carlstrom <bdc@google.com> |
NativeCrypto should honor timeout less than one second
Bug: http://code.google.com/p/android/issues/detail?id=29680
Change-Id: I4507a1e9fe37b1c095f7bb4d3e3a55d6d738f7ad
rovider/jsse/NativeCrypto.java
|
| 0afb10f667ef9c19aa2ea4797af6ba0bc328f148 |
01-May-2012 |
Brian Carlstrom <bdc@google.com> |
Avoid session reuse to fix test_SSL_do_handshake_clientCertificateRequested_throws_after_renegotiate for OpenSSL 1.0.1
Bug: 6229570
Change-Id: I891d10db104fda9978310b8be3420e1729971b27
rovider/jsse/NativeCrypto.java
|
| 4b2058331094aa5a3b26e65026748ba406594816 |
30-Apr-2012 |
Brian Carlstrom <bdc@google.com> |
Tracking openssl-1.0.1b
Change-Id: I418a5b36670c6cc72e1e6cc29add950409f97f9f
rovider/jsse/NativeCrypto.java
|
| ebe87d125b8cc83238914f84f5f7aa799c0d83bd |
15-Apr-2012 |
Brian Carlstrom <bdc@google.com> |
Use SSL_CTX_set_session_id_context in ServerSessionContext
Without this, OpenSSL with fail when SSLSessions are reused on an
SSLServerSocket when client certificates are requested.
Bug: 6329719
Change-Id: I9b14b32cccee1e5aba1215cebf81eb05a788d63b
rovider/jsse/NativeCrypto.java
rovider/jsse/ServerSessionContext.java
|
| 3d74b4bec8543e6e3f89eafe3afe0925f3a69f01 |
28-Mar-2012 |
Brian Carlstrom <bdc@google.com> |
Disable TLSv1.1 and TLSv1.2 by default
Bug: 6234791
Change-Id: I5d829211c9e1d5672fc96e42ef603c53d789e695
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
| 12b42fd0252d5423e167dbccd2e09b82018b7a5b |
28-Mar-2012 |
Brian Carlstrom <bdc@google.com> |
Merge "Use WRAP/UNWRAP for key exchange"
|
| b9f9831a0800adbb6b67ab5bdc62292aa034992b |
28-Mar-2012 |
Brian Carlstrom <bdc@google.com> |
Use WRAP/UNWRAP for key exchange
Bug: http://code.google.com/p/android/issues/detail?id=12955
Change-Id: I1a2be021e0a22ec6a00ba354fb3f19a78c601be9
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/ServerHandshakeImpl.java
|
| 087043baca7e2de81bd10c7955f73f8597d7bb83 |
26-Mar-2012 |
Kenny Root <kroot@google.com> |
Merge "More support for ENGINE-based keys"
|
| beac31ef5949d994a7096f20f12fcf929b06884d |
26-Mar-2012 |
Kenny Root <kroot@google.com> |
More support for ENGINE-based keys
Tweak some of the parameters for RSA and DSA keys to allow ENGINE-based
keys to exist without needing to define private key material.
Change-Id: Ide2884d6d97636ae2178f8e789eaeec1babd9650
rovider/jsse/OpenSSLDSAParams.java
rovider/jsse/OpenSSLDSAPrivateKey.java
rovider/jsse/OpenSSLKey.java
rovider/jsse/OpenSSLRSAPrivateCrtKey.java
rovider/jsse/OpenSSLRSAPrivateKey.java
|
| 600dc4949de6bf5608e5f5a5214cde59299b683a |
26-Mar-2012 |
Jesse Wilson <jessewilson@google.com> |
Don't use the SSL_CTX prefix for a method that takes an SSL.
The implementation is asymmetric: enabling NPN is per-context, but
actually looking up the negotiated protocol is per-SSL. This caused
me to screw up in following the SSL_CTX naming scheme; I applied it
in too many places.
Change-Id: I5bd1be334d513f220086c901527d0b8416f2ba3f
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
| 3a906b6e3555a999b929a129bc896f3e64afc659 |
26-Mar-2012 |
Jesse Wilson <jessewilson@google.com> |
Merge "Expose NPN in OpenSSL."
|
| 25977e422febea04dac9fb9c35d7271d55d3b6b8 |
23-Mar-2012 |
Jesse Wilson <jessewilson@google.com> |
Expose NPN in OpenSSL.
This is derived from costin's change Ib18da136cb628515d6909c438cd0809452d7058a.
It moves the protocols data to the AppData's callbacks so the memory can be
released when the handshake completes.
Change-Id: Id61feaa6f28250e393f5c8093688b099e92dce9c
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
| 5b7f91c1e6e208187cef57ab8a5de0a7f35e817f |
22-Mar-2012 |
Brian Carlstrom <bdc@google.com> |
Split OpenSSLRSAPrivateCrtKey from OpenSSLRSAPrivateKey
Change-Id: I6a58044162758b3b74db5d17e9044f97dbe53bae
rovider/jsse/OpenSSLEngine.java
rovider/jsse/OpenSSLRSAKeyFactory.java
rovider/jsse/OpenSSLRSAKeyPairGenerator.java
rovider/jsse/OpenSSLRSAPrivateCrtKey.java
rovider/jsse/OpenSSLRSAPrivateKey.java
rovider/jsse/OpenSSLSignature.java
|
| 3e6dd45baa0d7f9b4fa06f4ade76e088b59cc7bf |
16-Mar-2012 |
Brian Carlstrom <bdc@google.com> |
Tracking openssl-1.0.1
Bug: 6168278
Change-Id: I240d2cbc91f616fd486efc5203e2221c9896d90f
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLProvider.java
rovider/jsse/OpenSSLServerSocketImpl.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/SSLRecordProtocol.java
rovider/jsse/ServerHandshakeImpl.java
|
| 95ae73a81948944b24aa4962e9e0ec375fae8467 |
13-Mar-2012 |
Kenny Root <kroot@google.com> |
Merge "Add support for OpenSSL engines"
|
| 41e34229c07e8d05090560ff80558fa222623769 |
09-Mar-2012 |
Kenny Root <kroot@google.com> |
Add support for OpenSSL engines
This allows OpenSSL ENGINE to be used for RSA and DSA private key
operations.
Also add in support for directly passing an OpenSSLKey to the
OpenSSLSocketImpl in case we are using ENGINEs.
Change-Id: Ia31735109052a13e421900b69ba5de13bbce0f6f
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLDSAPrivateKey.java
rovider/jsse/OpenSSLEngine.java
rovider/jsse/OpenSSLKey.java
rovider/jsse/OpenSSLRSAPrivateKey.java
rovider/jsse/OpenSSLSocketImpl.java
|
| f52b35a5bc22f53b663ea22954135b69f8636bf4 |
08-Mar-2012 |
Brian Carlstrom <bdc@google.com> |
getPeerHostName should check for null InetAddress
The address can be null for SSLSockets that have not been connected.
Bug: 5835165
(cherry picked from commit cb047c49abcf3b7b5c231b68431c291fe2d81b52)
Change-Id: I12eb92ab0cdb42b89333361a485979c48365d5da
rovider/jsse/OpenSSLSocketImpl.java
|
| ffec9b8990adcdaab295e112ca3c3ebf83488199 |
08-Mar-2012 |
Brian Carlstrom <bdc@google.com> |
Use KeyManagementException with causes to report errors
Before the code would squash excecptions into null values, then turn
the values back into KeyManagementException. Now the code preservers
the underlying exception as the cause of the KeyManagementException.
(cherry picked from commit b6d100ca03dd4c576c6735ce510cecc70d2e6617)
Change-Id: Ia833145839578760ed9b49c626e8d4ab86ceacbe
rovider/jsse/SSLParametersImpl.java
|
| 60003bff55e4d9fa936078063bf007ffccc79553 |
16-Feb-2012 |
Selim Gurun <sgurun@google.com> |
Merge "Add a way to clear stored trusted certificates."
|
| 7a61ad51ba5f5a0b439b2f3eacb1e0f99f909606 |
16-Feb-2012 |
Selim Gurun <sgurun@google.com> |
Add a way to clear stored trusted certificates.
Bug: 6009802
Update the TrustManagerImpl Api to allow clearing stored certificates.
This is needed so we can remove CAs when credential storage is updated.
Change-Id: I024f7e8b12b60ea0ee35d7f94280e0e3d6db039f
rovider/jsse/TrustManagerImpl.java
rovider/jsse/TrustedCertificateIndex.java
|
| 68dc9c0f9ea2913a627aa3df81f4956efa48a980 |
06-Feb-2012 |
Kenny Root <kroot@google.com> |
OpenSSL block ciphers, part 1
This implements the NativeCrypto piece necessary to do basic block
cipher operations. More work will need to be done to enable useful
modes.
This gives us the ability to replace BouncyCastle's ECB mode that it
bases the higher level CBC, CTR, etc modes on. However, calling through
JNI to OpenSSL for 16-byte blocks for AES ends up being the same speed
as the Java implementation.
Further enhancements to use large blocks during the JNI call should show
marked improvements in speed.
Change-Id: I594a6d13ce5101a1ef2877b84edaa5e5b65e1e71
rovider/jsse/NativeCrypto.java
|
| d036721c2ecd146acef9f36408c7a397dd0a0785 |
03-Feb-2012 |
Kenny Root <kroot@google.com> |
OpenSSL keys add hashCode, equals, and toString
Change-Id: I8d0d8eac1e5a4ee455de1ed51bc8b610df1f45d7
rovider/jsse/OpenSSLDSAParams.java
rovider/jsse/OpenSSLDSAPrivateKey.java
rovider/jsse/OpenSSLDSAPublicKey.java
rovider/jsse/OpenSSLKey.java
rovider/jsse/OpenSSLRSAPrivateKey.java
rovider/jsse/OpenSSLRSAPublicKey.java
|
| 91bb5fbe55b854df891ff7720e30d42081dbcd58 |
03-Feb-2012 |
Kenny Root <kroot@google.com> |
Throw exceptions on wrong key type in Signature
Our engine can handle both RSA and DSA, but we need to throw an error if
the wrong key type is supplied after we've initialized to emulate other
providers.
Also, apparently OpenSSL is really flexible, because calling
EVP_SignInit had the same effect as EVP_VerifyInit. Change this to be
correct even though the underlying implementation in OpenSSL doesn't
care.
Change-Id: If9223d17909fcf86437b9669c204fc544e6d12ff
rovider/jsse/OpenSSLDSAPrivateKey.java
rovider/jsse/OpenSSLDSAPublicKey.java
rovider/jsse/OpenSSLRSAPrivateKey.java
rovider/jsse/OpenSSLRSAPublicKey.java
rovider/jsse/OpenSSLSignature.java
|
| 746a236e2be5dee62c482e27f4c682496d071d8b |
01-Feb-2012 |
Kenny Root <kroot@google.com> |
Add OpenSSL KeyPairGenerator and KeyFactory
Refactor the way OpenSSL keys are handled so we can generate OpenSSL
keys with the KeyPairGenerator and KeyFactory and pass them around
without keeping the context in the OpenSSLSignature where it originated.
Change-Id: Ib66bd1914e241a240cd97b1ea37e8526998107d9
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLDSAKeyFactory.java
rovider/jsse/OpenSSLDSAKeyPairGenerator.java
rovider/jsse/OpenSSLDSAParams.java
rovider/jsse/OpenSSLDSAPrivateKey.java
rovider/jsse/OpenSSLDSAPublicKey.java
rovider/jsse/OpenSSLKey.java
rovider/jsse/OpenSSLProvider.java
rovider/jsse/OpenSSLRSAKeyFactory.java
rovider/jsse/OpenSSLRSAKeyPairGenerator.java
rovider/jsse/OpenSSLRSAPrivateKey.java
rovider/jsse/OpenSSLRSAPublicKey.java
rovider/jsse/OpenSSLSignature.java
|
| 5b57eb538f8da8e97cf88a310d75d14dfc91624c |
31-Jan-2012 |
Kenny Root <kroot@google.com> |
Add signatures to the OpenSSLProvider
Now that OpenSSLSignature is a full-fledged Signature provider, we can
add it to our OpenSSLProvider.
Change-Id: If8539acdf895082cef38eed97a706dbbcdff6853
rovider/jsse/OpenSSLProvider.java
rovider/jsse/OpenSSLSignature.java
|
| 1dfb8aa653d52268087f450e9b5a865e08b56d98 |
31-Jan-2012 |
Kenny Root <kroot@google.com> |
Add signature generation to OpenSSLSignature
Change-Id: I1203516d95a937edb48959146bbec64b338e4f1e
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSignature.java
|
| 7eeb1d7024f830b89f17489befeb5688624ae6dd |
30-Jan-2012 |
Brian Carlstrom <bdc@google.com> |
am a5aec70a: am 806d834d: Ensure faster OpenSSLSignature is used when possible by doing proper case insensitive comparison
* commit 'a5aec70ab8db56172804108077d5c9d7d8ced789':
Ensure faster OpenSSLSignature is used when possible by doing proper case insensitive comparison
|
| 806d834df24db86be0540ce0846e03fc4d43cb0b |
28-Jan-2012 |
Brian Carlstrom <bdc@google.com> |
Ensure faster OpenSSLSignature is used when possible by doing proper case insensitive comparison
Bug: 5934554
Change-Id: I640cd54c227df2bf662d484cb2af95ece4d13421
rovider/jsse/OpenSSLSignature.java
|
| 27c744cc67c7b155bd2d47551205fb1720e7e196 |
20-Dec-2011 |
Jesse Wilson <jessewilson@google.com> |
Support in-memory HTTPS session caching for wrapped sockets.
Previously we couldn't reuse sessions with HttpsURLConnection
because the host was incorrect (getInetAddress returns null
for wrapped sockets) and because the compression method was
different (NULL vs. ZLIB).
This improves HttpsURLConnection request/response time on
localhost from ~275ms to ~145ms (without connection pooling).
Change-Id: I97bc343326658690b00589c0c804c2378b91ae61
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
| e3df4987da1cc4af786b54e6a446687ec148d5a9 |
24-Oct-2011 |
Brian Carlstrom <bdc@google.com> |
Move OpenSSLSocketImpl.close resource cleanup into a finally clause
Bug: 5466273
(cherry picked from commit d3433cea484f380ab2c889c10e9d9d3268046a6c)
Change-Id: I8618be21a2227d66ea66352342b530906605160f
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
| d3433cea484f380ab2c889c10e9d9d3268046a6c |
24-Oct-2011 |
Brian Carlstrom <bdc@google.com> |
Move OpenSSLSocketImpl.close resource cleanup into a finally clause
Bug: 5466273
Change-Id: I64758dfd3ca1c35d08616c63982223d84fdc2759
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
| 3267a46b52d848e1e9e20c226512688f0c50d4c3 |
25-Aug-2011 |
Jeff Sharkey <jsharkey@android.com> |
Return real FileDescriptor in Socket wrappers.
In classes that wrap another Socket, return the real FileDescriptor
from the wrapped Socket.
Bug: 5189186
Change-Id: I157feb6991def9110eaf0ea82365b6f5b95b9372
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/SSLSocketWrapper.java
|
| 29b3bd4475263c4a16c6850d45aca045ed4a926a |
24-Jul-2011 |
Jesse Wilson <jessewilson@google.com> |
Update both SSLSessions to not use AccessControlContext.
When we fully removed the security manager security theatre
we broke 'equals' on some AccessControlContexts that were used
in map keys. Now we don't include the AccessControlContexts in
the map keys.
This fixes this test:
tests.api.javax.net.ssl.SSLSessionBindingListenerTest#test_valueUnbound
Change-Id: I685416c65056c9c540bf75c4aab5e884b66a4394
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/SSLSessionImpl.java
|
| 487c58a9ff0cb4c6e074b2f5d99a0c3efa54fa37 |
16-Jul-2011 |
Brian Carlstrom <bdc@google.com> |
Replace NativeCrypto.verifySignature with OpenSSLSignature
Bug: http://code.google.com/p/android/issues/detail?id=18458
Bug: 5037994
Change-Id: Ie9521df80b3b50e69b5cf9e6f8eb861845b4d30e
rovider/jsse/NativeCrypto.java
|
| eda571883445b108e7f9e7337e2d80f1d8329fc8 |
07-Jul-2011 |
Brian Carlstrom <bdc@google.com> |
Avoid NullPointerException with IoUtils.closeQuietly
Change-Id: Ibe9ab00205701ad5eaeb3b4299f1fe4508625d1b
rovider/jsse/TrustedCertificateStore.java
|
| 9bb229396a11df479dbc0688de0b925d23a82869 |
02-Jul-2011 |
Brian Carlstrom <bdc@google.com> |
Merge "Small code cleanup in TrustedCertificateStore.findIssuer"
|
| bd7005d38883b9917b6452bbbadbda14fd141dad |
01-Jul-2011 |
Brian Carlstrom <bdc@google.com> |
Small code cleanup in TrustedCertificateStore.findIssuer
Change-Id: Ia51868df6856e14b5b82d78745c2390ce11bf6e0
rovider/jsse/TrustedCertificateStore.java
|
| d8e6e701b29c32484b062933fa905601ce638513 |
01-Jul-2011 |
Brian Carlstrom <bdc@google.com> |
Updating comment to reflect move from keychain uid to system uid
Bug: 4970237
Change-Id: I9d207a3d226019d8f9e584b7be7f586176a133cc
rovider/jsse/TrustedCertificateStore.java
|
| 638000042da777f6d628d88dadde957c52597710 |
29-Jun-2011 |
Brian Carlstrom <bdc@google.com> |
Add ExceptionCheck after all places we setCallbackState
Also remove byte versions of SSL_read and SSL_write matching rest of
libcore to avoid making the change in even more places.
Note that testing this change required improving SSL_renegotiate which
is only used for testing.
Change-Id: If425764da3a36508a6c65d90eb3d36c5a018fd18
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
| 5f7beb162c46a281b272d11fec6fe23b8e0796c3 |
27-Jun-2011 |
Brian Carlstrom <bdc@google.com> |
TrustedCertificateStore additions for TrustedCredentials Fragment
Avoid StrictMode violation by not touching file system in constructor
Change-Id: Ic22387752617a5d8142c16c415b6996e62414442
rovider/jsse/TrustedCertificateStore.java
|
| 0c58d22d44cfb56f0c80f0fa1c69297ba45f3afc |
23-Jun-2011 |
Jesse Wilson <jessewilson@google.com> |
Don't trigger a reverse DNS lookup from a log statement.
Also nuke a bunch of redundant Javadoc and promote the
shutdownInput/shutdownOutput methods that always throw
to SSLSocket.
Change-Id: I077f7413bb6cba66be6204c68f7911b51a191643
http://code.google.com/p/android/issues/detail?id=13117
http://b/3478027
rovider/jsse/AbstractSessionContext.java
rovider/jsse/FileClientSessionCache.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/SSLSocketImpl.java
|
| 90b140190f219fd63ede200a63da40bf9e6ca98d |
06-Jun-2011 |
Elliott Hughes <enh@google.com> |
Remove some unnecessary cruft.
Change-Id: I8d83954d42f3511a24a44a33c3b28f04af6d3b82
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/DelegatedTask.java
rovider/jsse/ServerHandshakeImpl.java
|
| 54709bdf6b22d02efed7d2fd967cbd4d11b3942d |
25-May-2011 |
Brian Carlstrom <bdc@google.com> |
am e2fdfbde: Merge "OpenSSLSocketImpl should tolerate X509KeyManager returning null values"
* commit 'e2fdfbde569a4cc284590c92bc57dc15dcc29a9c':
OpenSSLSocketImpl should tolerate X509KeyManager returning null values
|
| aba5e8c281fb9c6be23229246473fa0b433dd997 |
25-May-2011 |
Brian Carlstrom <bdc@google.com> |
OpenSSLSocketImpl should tolerate X509KeyManager returning null values
While this started out as the small fix in
OpenSSLSocketImpl.setCertificate and the corresponding test
test_SSLSocket_clientAuth_bogusAlias, the need to test the behavior of
the X509KeyManager returning null on the RI led to test maintenance to
get libcore.javax.net.ssl tests working on RI 7 thanks to a test
dependency that was added on the new InetAddress.getLoopbackAddress().
Change-Id: I3d8ed1ce453cc3a0b53e23e39c02e6a71413649c
rovider/jsse/OpenSSLSocketImpl.java
|
| c3d80a43de12b7b012d44dc2bea82f0b624e408e |
20-May-2011 |
Brian Carlstrom <bdc@google.com> |
am c77290ea: Remove IndexedPKIXParameters
* commit 'c77290eaef032e5e8952d65e0456b091b6b50804':
Remove IndexedPKIXParameters
|
| c77290eaef032e5e8952d65e0456b091b6b50804 |
20-May-2011 |
Brian Carlstrom <bdc@google.com> |
Remove IndexedPKIXParameters
Change-Id: Idaaa1952d1b6148c51b3da5d1771105e8bde8a03
rovider/jsse/IndexedPKIXParameters.java
rovider/jsse/JSSEProvider.java
rovider/jsse/RootKeyStoreSpi.java
rovider/jsse/SSLParametersImpl.java
rovider/jsse/TrustManagerImpl.java
rovider/jsse/TrustedCertificateIndex.java
rovider/jsse/TrustedCertificateKeyStoreSpi.java
rovider/jsse/TrustedCertificateStore.java
|
| 20024ef4bbd35a0450b9f21bd2ccfef04ce13787 |
18-May-2011 |
Brian Carlstrom <bdc@google.com> |
am 0162c72d: Merge "Simplify KeyChain API by removing now unneeded CA certificate lookup (2 of 3)"
* commit '0162c72d58f1683cf0be369709de2450daab375c':
Simplify KeyChain API by removing now unneeded CA certificate lookup (2 of 3)
|
| 17da3dfaf359de021b753570e25a033ae8927432 |
17-May-2011 |
Brian Carlstrom <bdc@google.com> |
am 3041d84e: Merge "Make CertInstaller installed CA certs trusted by applications via default TrustManager (2 of 6)"
* commit '3041d84e3c0ac7711868bdd7556047a3422e3052':
Make CertInstaller installed CA certs trusted by applications via default TrustManager (2 of 6)
|
| dfe69fa450bb1c92c589e703c6dc72aa0e364bb3 |
17-May-2011 |
Brian Carlstrom <bdc@google.com> |
Simplify KeyChain API by removing now unneeded CA certificate lookup (2 of 3)
frameworks/base
Remove getCaCertificates and findIssuer from IKeyChainService,
these are now done via libcore's TrustedCertificateStore (as part
of the default TrustManager implementation)
keystore/java/android/security/IKeyChainService.aidl
Simplify KeyChain API. Now that the CA certificates are visible
through the default TrustManager, the KeyChain is solely focused on
retrieving PrivateKeys and their associated certificates. The
calling API for KeyChain to simply a single KeyChain.get() call
that returns a KeyChainResult, removing the need for a KeyChain
instance that needs to be closed.
keystore/java/android/security/KeyChain.java
keystore/java/android/security/KeyChainResult.java
master/libcore
Remove getDefaultIndexedPKIXParameters and
getIndexedPKIXParameters which was used as part of the prototype
of looking up CAs via the KeyChain but is obsoleted by the new
default TrustManager implementation.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
packages/apps/KeyChain
Tracking simplified IKeyChainService, removing now unneeded
implementation, updating tests.
src/com/android/keychain/KeyChainService.java
tests/src/com/android/keychain/tests/KeyChainServiceTest.java
tests/src/com/android/keychain/tests/KeyChainTestActivity.java
Change-Id: I5c0df3b67248bb8014c85a5997098d5e70fbc505
rovider/jsse/SSLParametersImpl.java
rovider/jsse/TrustManagerImpl.java
|
| 1b3c5388d0fffde4392007eb1b0be011a5dfae82 |
12-May-2011 |
Brian Carlstrom <bdc@google.com> |
Make CertInstaller installed CA certs trusted by applications via default TrustManager (2 of 6)
frameworks/base
Adding IKeyChainService APIs for CertInstaller and Settings use
keystore/java/android/security/IKeyChainService.aidl
libcore
Improve exceptions to include more information
luni/src/main/java/javax/security/auth/x500/X500Principal.java
Move guts of RootKeyStoreSpi to TrustedCertificateStore, leaving only KeyStoreSpi methods.
Added support for adding user CAs in a separate directory for system.
Added support for removing system CAs by placing a copy in a sytem directory
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/RootKeyStoreSpi.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustedCertificateStore.java
Formerly static methods on RootKeyStoreSpi are now instance methods on TrustedCertificateStore
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
Added test for NativeCrypto.X509_NAME_hash_old and X509_NAME_hash
to make sure the implementing algorithms doe not change since
TrustedCertificateStore depend on X509_NAME_hash_old (OpenSSL
changed the algorithm from MD5 to SHA1 when moving from 0.9.8 to
1.0.0)
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
Extensive test of new TrustedCertificateStore behavior
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/TrustedCertificateStoreTest.java
TestKeyStore improvements
- Refactored TestKeyStore to provide simpler createCA method (and
internal createCertificate)
- Cleaned up to remove use of BouncyCastle specific X509Principal
in the TestKeyStore API when the public X500Principal would do.
- Cleaned up TestKeyStore support methods to not throw Exception
to remove need for static blocks for catch clauses in tests.
support/src/test/java/libcore/java/security/TestKeyStore.java
luni/src/test/java/libcore/java/security/KeyStoreTest.java
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
Added private PKIXParameters contructor for use by
IndexedPKIXParameters to avoid wart of having to lookup and pass
a TrustAnchor to satisfy the super-class sanity check.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/IndexedPKIXParameters.java
luni/src/main/java/java/security/cert/PKIXParameters.java
packages/apps/CertInstaller
Change CertInstaller to call IKeyChainService.installCertificate
for CA certs to pass them to the KeyChainServiceTest which will
make them available to all apps through the
TrustedCertificateStore. Change PKCS12 extraction to use AsyncTask.
src/com/android/certinstaller/CertInstaller.java
Added installCaCertsToKeyChain and hasCaCerts accessor for use by
CertInstaller. Use hasUserCertificate() internally. Cleanup coding
style.
src/com/android/certinstaller/CredentialHelper.java
packages/apps/KeyChain
Added MANAGE_ACCOUNTS so that IKeyChainService.reset
implementation can remove KeyChain accounts.
AndroidManifest.xml
Implement new IKeyChainService methods:
- Added IKeyChainService.installCaCertificate to install certs
provided by CertInstaller using the TrustedCertificateStore.
- Added IKeyChainService.reset to allow Settings to remove the
KeyChain accounts so that any app granted access to keystore
credentials are revoked when the keystore is reset.
src/com/android/keychain/KeyChainService.java
packages/apps/Settings
Changed com.android.credentials.RESET credential reset action to
also call IKeyChainService.reset to remove any installed user CAs
and remove KeyChain accounts to have AccountManager revoke
credential granted to private keys removed during the RESET.
src/com/android/settings/CredentialStorage.java
Added toast text value for failure case
res/values/strings.xml
system/core
Have init create world readable /data/misc/keychain to allow apps
to access user added CA certificates installed by the CertInstaller.
rootdir/init.rc
Change-Id: Ief57672eea38b3eece23b14c94dedb9ea4713744
rovider/jsse/IndexedPKIXParameters.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/RootKeyStoreSpi.java
rovider/jsse/TrustManagerImpl.java
rovider/jsse/TrustedCertificateStore.java
|
| 32b2c95c350002f67c8b3e65777161feda766b72 |
10-May-2011 |
Jesse Wilson <jessewilson@google.com> |
Dont line wrap Base64.
Change-Id: I9a16a09dad9ff170921591455b17a3b738e70655
rovider/jsse/OpenSSLSessionImpl.java
|
| 347b2a604114602da9bc4ae040278f74d11c2f51 |
26-Apr-2011 |
Brian Carlstrom <bdc@google.com> |
Avoid loading all CA certs into Zygote memory, lazily load instead (2 of 3)
Previously the CA certs stored in the BKS KeyStore at
/system/etc/security/cacerts.bks was loaded in the Zygote. As the the
number of CAs are started to increase, this is causing more and more
memory to be used for rarely used CAs. The new AndroidCAStore KeyStore
implementation reads the CAs as needed out of individual PEM
certificate files. The files can be efficiently found because they are
named based on a hash CA's subject name, similar to OpenSSL.
Bug: 1109242
Details:
build
Removing old cacerts.bks from GRANDFATHERED_ALL_PREBUILT and
adding new cacerts directory to core PRODUCT_PACKAGES
core/legacy_prebuilts.mk
target/product/core.mk
libcore
cacerts build changes. Move cacerts prebuilt logic to new
CaCerts.mk from NativeCode.mk where it didn't make sense. Updated
Android.mk's dalvik-host target to install new cacerts files.
Android.mk
CaCerts.mk
NativeCode.mk
Remove old cacerts.bks and add remove certimport.sh script used to
generate it. Preserved the useful comments from certimport.sh in
the new README.cacerts
luni/src/main/files/cacerts.bks
luni/src/main/files/certimport.sh
luni/src/main/files/README.cacerts
Recanonicalize cacerts files using updated vendor/google/tools/cacerts/certimport.py
(See below discussion of certimport.py changes for details)
luni/src/main/files/cacerts/00673b5b.0
luni/src/main/files/cacerts/03e16f6c.0
luni/src/main/files/cacerts/08aef7bb.0
luni/src/main/files/cacerts/0d188d89.0
luni/src/main/files/cacerts/10531352.0
luni/src/main/files/cacerts/111e6273.0
luni/src/main/files/cacerts/1155c94b.0
luni/src/main/files/cacerts/119afc2e.0
luni/src/main/files/cacerts/11a09b38.0
luni/src/main/files/cacerts/12d55845.0
luni/src/main/files/cacerts/17b51fe6.0
luni/src/main/files/cacerts/1920cacb.0
luni/src/main/files/cacerts/1dac3003.0
luni/src/main/files/cacerts/1dbdda5b.0
luni/src/main/files/cacerts/1dcd6f4c.0
luni/src/main/files/cacerts/1df5ec47.0
luni/src/main/files/cacerts/1e8e7201.0
luni/src/main/files/cacerts/1eb37bdf.0
luni/src/main/files/cacerts/219d9499.0
luni/src/main/files/cacerts/23f4c490.0
luni/src/main/files/cacerts/27af790d.0
luni/src/main/files/cacerts/2afc57aa.0
luni/src/main/files/cacerts/2e8714cb.0
luni/src/main/files/cacerts/2fa87019.0
luni/src/main/files/cacerts/2fb1850a.0
luni/src/main/files/cacerts/33815e15.0
luni/src/main/files/cacerts/343eb6cb.0
luni/src/main/files/cacerts/399e7759.0
luni/src/main/files/cacerts/3a3b02ce.0
luni/src/main/files/cacerts/3ad48a91.0
luni/src/main/files/cacerts/3c58f906.0
luni/src/main/files/cacerts/3c860d51.0
luni/src/main/files/cacerts/3d441de8.0
luni/src/main/files/cacerts/3e7271e8.0
luni/src/main/files/cacerts/418595b9.0
luni/src/main/files/cacerts/455f1b52.0
luni/src/main/files/cacerts/46b2fd3b.0
luni/src/main/files/cacerts/48478734.0
luni/src/main/files/cacerts/4d654d1d.0
luni/src/main/files/cacerts/4e18c148.0
luni/src/main/files/cacerts/4fbd6bfa.0
luni/src/main/files/cacerts/5021a0a2.0
luni/src/main/files/cacerts/5046c355.0
luni/src/main/files/cacerts/524d9b43.0
luni/src/main/files/cacerts/56b8a0b6.0
luni/src/main/files/cacerts/57692373.0
luni/src/main/files/cacerts/58a44af1.0
luni/src/main/files/cacerts/594f1775.0
luni/src/main/files/cacerts/5a3f0ff8.0
luni/src/main/files/cacerts/5a5372fc.0
luni/src/main/files/cacerts/5cf9d536.0
luni/src/main/files/cacerts/5e4e69e7.0
luni/src/main/files/cacerts/60afe812.0
luni/src/main/files/cacerts/635ccfd5.0
luni/src/main/files/cacerts/67495436.0
luni/src/main/files/cacerts/69105f4f.0
luni/src/main/files/cacerts/6adf0799.0
luni/src/main/files/cacerts/6e8bf996.0
luni/src/main/files/cacerts/6fcc125d.0
luni/src/main/files/cacerts/72f369af.0
luni/src/main/files/cacerts/72fa7371.0
luni/src/main/files/cacerts/74c26bd0.0
luni/src/main/files/cacerts/75680d2e.0
luni/src/main/files/cacerts/7651b327.0
luni/src/main/files/cacerts/76579174.0
luni/src/main/files/cacerts/7999be0d.0
luni/src/main/files/cacerts/7a481e66.0
luni/src/main/files/cacerts/7a819ef2.0
luni/src/main/files/cacerts/7d3cd826.0
luni/src/main/files/cacerts/7d453d8f.0
luni/src/main/files/cacerts/81b9768f.0
luni/src/main/files/cacerts/8470719d.0
luni/src/main/files/cacerts/84cba82f.0
luni/src/main/files/cacerts/85cde254.0
luni/src/main/files/cacerts/86212b19.0
luni/src/main/files/cacerts/87753b0d.0
luni/src/main/files/cacerts/882de061.0
luni/src/main/files/cacerts/895cad1a.0
luni/src/main/files/cacerts/89c02a45.0
luni/src/main/files/cacerts/8f7b96c4.0
luni/src/main/files/cacerts/9339512a.0
luni/src/main/files/cacerts/9685a493.0
luni/src/main/files/cacerts/9772ca32.0
luni/src/main/files/cacerts/9d6523ce.0
luni/src/main/files/cacerts/9dbefe7b.0
luni/src/main/files/cacerts/9f533518.0
luni/src/main/files/cacerts/a0bc6fbb.0
luni/src/main/files/cacerts/a15b3b6b.0
luni/src/main/files/cacerts/a3896b44.0
luni/src/main/files/cacerts/a7605362.0
luni/src/main/files/cacerts/a7d2cf64.0
luni/src/main/files/cacerts/ab5346f4.0
luni/src/main/files/cacerts/add67345.0
luni/src/main/files/cacerts/b0f3e76e.0
luni/src/main/files/cacerts/bc3f2570.0
luni/src/main/files/cacerts/bcdd5959.0
luni/src/main/files/cacerts/bda4cc84.0
luni/src/main/files/cacerts/bdacca6f.0
luni/src/main/files/cacerts/bf64f35b.0
luni/src/main/files/cacerts/c0cafbd2.0
luni/src/main/files/cacerts/c215bc69.0
luni/src/main/files/cacerts/c33a80d4.0
luni/src/main/files/cacerts/c527e4ab.0
luni/src/main/files/cacerts/c7e2a638.0
luni/src/main/files/cacerts/c8763593.0
luni/src/main/files/cacerts/ccc52f49.0
luni/src/main/files/cacerts/cdaebb72.0
luni/src/main/files/cacerts/cf701eeb.0
luni/src/main/files/cacerts/d16a5865.0
luni/src/main/files/cacerts/d537fba6.0
luni/src/main/files/cacerts/d64f06f3.0
luni/src/main/files/cacerts/d777342d.0
luni/src/main/files/cacerts/d8274e24.0
luni/src/main/files/cacerts/dbc54cab.0
luni/src/main/files/cacerts/ddc328ff.0
luni/src/main/files/cacerts/e48193cf.0
luni/src/main/files/cacerts/e60bf0c0.0
luni/src/main/files/cacerts/e775ed2d.0
luni/src/main/files/cacerts/e7b8d656.0
luni/src/main/files/cacerts/e8651083.0
luni/src/main/files/cacerts/ea169617.0
luni/src/main/files/cacerts/eb375c3e.0
luni/src/main/files/cacerts/ed049835.0
luni/src/main/files/cacerts/ed524cf5.0
luni/src/main/files/cacerts/ee7cd6fb.0
luni/src/main/files/cacerts/f4996e82.0
luni/src/main/files/cacerts/f58a60fe.0
luni/src/main/files/cacerts/f61bff45.0
luni/src/main/files/cacerts/f80cc7f6.0
luni/src/main/files/cacerts/fac084d7.0
luni/src/main/files/cacerts/facacbc6.0
luni/src/main/files/cacerts/fde84897.0
luni/src/main/files/cacerts/ff783690.0
Change IntegralToString.intToHexString to take width argument to
allow for leading zero padding. Updated existing callers to
specify 0 padding desired. Add testing of new padding
functionality.
luni/src/main/java/java/lang/Character.java
luni/src/main/java/java/lang/Integer.java
luni/src/main/java/java/lang/IntegralToString.java
luni/src/test/java/libcore/java/lang/IntegralToStringTest.java
Improved to throw Exceptions with proper causes
luni/src/main/java/java/security/KeyStore.java
luni/src/main/java/java/security/Policy.java
luni/src/main/java/java/security/cert/CertificateFactory.java
luni/src/main/java/javax/crypto/Cipher.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSignature.java
Indentation fixes
luni/src/main/java/java/security/SecureRandom.java
Fix X509CRLSelector.getIssuerNames to clone result and added test to cover this.
luni/src/main/java/java/security/cert/X509CRLSelector.java
luni/src/test/java/libcore/java/security/cert/X509CRLSelectorTest.java
Fixed bug where we created an X500Principal via a String
representation instead of from its original encoded bytes. This
led to a difficult to track down bug where CA 418595b9.0 where the
NativeCode.X509_NAME_hash of a Harmony (but not BouncyCastle)
X509Certificate would not hash to the expected value because the
encoded form used an ASN.1 PrintableString instead of the
UTF8String form found in the original certificate.
luni/src/main/java/org/apache/harmony/security/x501/Name.java
Add a new RootKeyStoreSpi and register it as the
AndroidCAStore. This new read-only KeyStore implementation that
looks for certificates in $ANDROID_ROOT/etc/security/cacerts/
directory, which is /system/etc/security/cacerts/ on devices. The
files are stored in the directory based on the older md5 based
OpenSSL X509_NAME_hash function (now referred to as
X509_NAME_hash_old in OpenSSL 1.0)
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/RootKeyStoreSpi.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/JSSEProvider.java
Added OpenSSL compatible X509_NAME_hash and X509_NAME_hash_old
functions for producting an int hash value from an X500Principal.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
Changed TrustManagerFactoryImpl to use AndroidCAStore for its default KeyStore
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerFactoryImpl.java
Changed TrustManagerImpl to be AndroidCAStore aware. If it detects
an AndroidCAStore, it avoids generating the acceptedIssuers array
at constructions, since doing so would force us to parse all
certificates in the store and the value is only typically used by
SSLServerSockets when requesting a client certifcate. Because we
don't load all the trusted CAs into the IndexedPKIXParameters at
startup in the case of AndroidCAStore, we now check for new CAs
when examining the cert chain for unnecessary TrustAnchors and for
a newly discovered issuer at the end of the chain before
validation.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
Updated KeyStoreTest to cope with read only KeyStore. Update
test_cacerts_bks (now renamed test_cacerts) to use the
AndroidCAStore for validating system CA certificate
validity. Register AndroidCAStore as an expected KeyStore type
with StandardNames.
luni/src/test/java/libcore/java/security/KeyStoreTest.java
support/src/test/java/libcore/java/security/StandardNames.java
Added test of X500Principal serialization while investigating Name
encoding issue. However, the actual Name bug was found and
verified by the new test_cacerts test.
luni/src/test/java/libcore/javax/security/auth/x500/X500PrincipalTest.java
vendor/google
Change canonical format for checked in cacerts to have PEM
certificate at the top, as required by Harmony's X.509
CertificateFactory.
tools/cacerts/certimport.py
Change-Id: If0c9de430f13babb07f96a1177897c536f3db08d
rovider/jsse/JSSEProvider.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSignature.java
rovider/jsse/RootKeyStoreSpi.java
rovider/jsse/TrustManagerFactoryImpl.java
rovider/jsse/TrustManagerImpl.java
|
| 3258b52429c7768ea91bda93c5a15257cdd390e5 |
18-Mar-2011 |
Brian Carlstrom <bdc@google.com> |
libcore key chain support
Allow access to default IndexedPKIXParameters, similar to access to
default TrustManager. Needed to allow framework to add/remove trusted
CAs at runtime.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
Add test support for looking up a cert by an issuer for use in key chain tests.
support/src/test/java/libcore/java/security/TestKeyStore.java
Add test support SSLSocketFactory that sets desired client auth on
each created socket. For use with MockWebServer for key chain testing.
support/src/test/java/libcore/javax/net/ssl/TestSSLContext.java
Change-Id: Iecdbd40c67f1673bda25a52b4e229156c805d564
rovider/jsse/SSLParametersImpl.java
rovider/jsse/TrustManagerImpl.java
|
| 5d3f5200f3511c9a7107bcc0a996c7afa1b39aaf |
01-Apr-2011 |
Elliott Hughes <enh@google.com> |
Don't cache the underlying Socket's underlying SocketImpl's underlying FileDescriptor in OpenSSLSocketImpl.
(OpenSSLSocketImpl, of course, being a Socket, not a SocketImpl.)
Bug: 4192414
git cherry-pick dc33f53f38600943c84146320c748e3c46fd2e7b
Change-Id: I8f481e0fe217aac782ad9d9e9053681ad69e62ef
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
| 59e4744d27231f260271dbbca406e0cc39768116 |
24-Mar-2011 |
Elliott Hughes <enh@google.com> |
Add shutdown(2).
Bug: 3107501
Change-Id: I30354c4cc6e86a4e7b0e3f84e95719539db1d297
rovider/jsse/SSLSocketImpl.java
|
| 32c2297a959b72abdb18743f0519e1d8b7c7ea88 |
17-Mar-2011 |
Elliott Hughes <enh@google.com> |
Remove bogus "super()" calls.
I've left one in java.util.concurrent, since we have an upstream there.
Change-Id: I60945e48a41433fc7eaef6086433ec4bf434097f
rovider/jsse/EndOfBufferException.java
rovider/jsse/EndOfSourceException.java
rovider/jsse/KeyManagerImpl.java
rovider/jsse/OpenSSLServerSocketFactoryImpl.java
rovider/jsse/OpenSSLServerSocketImpl.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/SSLEngineImpl.java
rovider/jsse/SSLServerSocketFactoryImpl.java
rovider/jsse/SSLServerSocketImpl.java
rovider/jsse/SSLSessionImpl.java
rovider/jsse/SSLSocketImpl.java
|
| ff8234c90ecab9f1db368924bf92a5b16460f9b5 |
08-Mar-2011 |
Elliott Hughes <enh@google.com> |
Factor out our single-byte InputStream.read/OutputStream.write implementations.
Change-Id: I00106a51a32ea84a39256d5629369170b892a039
rovider/jsse/SSLSocketImpl.java
rovider/jsse/SSLSocketOutputStream.java
|
| 608263018762d64a07276b7c8f58102455ccecc8 |
08-Mar-2011 |
Elliott Hughes <enh@google.com> |
Fix short writes in Socket OutputStreams.
Also tidy some code and fix some comments.
The OpenSSL OutputStream is already correct: it handles this in the native code.
Bug: http://code.google.com/p/android/issues/detail?id=15304
Change-Id: I69645543ec01f1eecdae4418f86c3a1911c0f752
rovider/jsse/SSLSocketImpl.java
rovider/jsse/SSLSocketInputStream.java
rovider/jsse/SSLSocketOutputStream.java
|
| eb8027492e81d5d3a0d1cd49494c59f9a03eeaa3 |
07-Mar-2011 |
Elliott Hughes <enh@google.com> |
Remove useless overrides of InputStream.read(byte[]) and OutputStream.write(byte[]).
For the particular stream in the bug, the useless override assumes that the
implementation of read(byte[], int, int) or write(byte[], int, int) doesn't
do anything special. A dangerous and non-local assumption. (In the bug, we
need to change the three-argument write.)
Bug: http://code.google.com/p/android/issues/detail?id=15304
Change-Id: I915d4a2e20c98f8e7f5775b555ae77d496a535d0
rovider/jsse/SSLSocketInputStream.java
rovider/jsse/SSLSocketOutputStream.java
|
| f5309a39506c967feda8766feeba7f7271a458cb |
25-Feb-2011 |
Elliott Hughes <enh@google.com> |
Fix more FindBugs warnings: RR_NOT_CHECKED.
"This method ignores the return value of one of the variants of
java.io.InputStream.read() which can return multiple bytes. If the return
value is not checked, the caller will not be able to correctly handle the
case where fewer bytes were read than the caller requested. This is a
particularly insidious kind of bug, because in many programs, reads from input
streams usually do read the full amount of data requested, causing the
program to fail only sporadically."
Change-Id: I7d7c62836f2037f0cbb4bb0708bd4f034a22a2fc
rovider/jsse/CertificateRequest.java
rovider/jsse/ClientHello.java
rovider/jsse/ClientKeyExchange.java
rovider/jsse/ServerHello.java
|
| b16edf548fa6bb9cd93b238e7820bc92195e5e2f |
25-Feb-2011 |
Elliott Hughes <enh@google.com> |
Fix more FindBugs warnings: BC_EQUALS_METHOD_SHOULD_WORK_FOR_ALL_OBJECTS.
"The equals(Object o) method shouldn't make any assumptions about the type
of o. It should simply return false if o is not the same type as this."
Change-Id: Ib16eb57e8876ec117634b4c9b069a4dccc61c657
rovider/jsse/AbstractSessionContext.java
rovider/jsse/ByteArray.java
rovider/jsse/ClientSessionContext.java
rovider/jsse/IndexedPKIXParameters.java
|
| cfb6bd546b6a1443de313fb0abd17c2ad8c9f09f |
18-Feb-2011 |
Jesse Wilson <jessewilson@google.com> |
Merge "Remove low-hanging fruit from zygote heap." into dalvik-dev
|
| 21f21e9f56ab8c9abfd8728473533fcaafafeac0 |
18-Feb-2011 |
Jesse Wilson <jessewilson@google.com> |
Remove low-hanging fruit from zygote heap.
Change-Id: If6b5e61089140e99babdebd5036b9c9f4ef0c1f3
rovider/jsse/IndexedPKIXParameters.java
|
| 6aa068b481cc4cca7765ce90fdf32f3eb2b5a77c |
18-Feb-2011 |
Elliott Hughes <enh@google.com> |
Fix various FindBugs warnings.
Only the ChunkHandler and ZoneInfo ones were real bugs. The former is only
called with one input value that doesn't exercise the bug, and the latter
would cause us to think that a time zone that stopped using daylight time
before 1970 was still using daylight time (which would defeat various
optimizations, but should otherwise be harmless).
The other stuff is trivia not worth individual changes.
Change-Id: Ib0752560cd16edc6538d1fc2b234451a66d48171
rovider/jsse/SSLSocketInputStream.java
|
| cd5770741b91e7957e893582cc7d6cd37c8ad568 |
17-Feb-2011 |
Elliott Hughes <enh@google.com> |
Fix NativeCrypto FindBugs warnings.
Change-Id: I102367575b1257582bb20c659223e3f02650fda4
rovider/jsse/NativeCrypto.java
|
| 3a3511edad46420b4287017ac66fe4783cb804db |
11-Feb-2011 |
Jesse Wilson <jessewilson@google.com> |
Move tests from java.injected into libcore.
Change-Id: Ia3fee27c8f8ca38120eea3fc2582d3e1b2504cea
rovider/jsse/ClientSessionContext.java
rovider/jsse/FileClientSessionCache.java
|
| 26ce8fbd8fe488cc969b08f64c56525662763dc4 |
08-Feb-2011 |
Jesse Wilson <jessewilson@google.com> |
resolved conflicts for merge of 6186821c to dalvik-dev
Change-Id: Ic6f0172767d6feedb188d3a5e7488a67702ef8c4
|
| 6186821cb13f4ac7ff50950c813394367e021eae |
08-Feb-2011 |
Jesse Wilson <jessewilson@google.com> |
Move libcore.base classes to libcore.util and libcore.io.
Change-Id: I2340a9dbad3561fa681a8ab47d4f406e72c913e3
rovider/jsse/ClientHello.java
rovider/jsse/ClientKeyExchange.java
rovider/jsse/DigitalSignature.java
rovider/jsse/KeyManagerFactoryImpl.java
rovider/jsse/Logger.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/SSLServerSocketFactoryImpl.java
rovider/jsse/SSLSessionImpl.java
rovider/jsse/SSLSocketFactoryImpl.java
rovider/jsse/TrustManagerFactoryImpl.java
|
| efb32502d686b06ddf60828d9abe3d4e0577e5dc |
02-Feb-2011 |
Brian Carlstrom <bdc@google.com> |
am 4155a249: Performance improvements to NativeCrypto based MessageDigest API
* commit '4155a2498a57fb09e92815f8993a70c216ddc5ec':
Performance improvements to NativeCrypto based MessageDigest API
|
| 4155a2498a57fb09e92815f8993a70c216ddc5ec |
02-Feb-2011 |
Brian Carlstrom <bdc@google.com> |
Performance improvements to NativeCrypto based MessageDigest API
NativeCrypto API improvements:
- Move to using EVP_MD related native methods, some of which are derived
from the EVP_MD_CTX versions with similar name. The new
EVP_get_digestbyname allows one time lookup of the EVP_MD from the
string name, avoiding doing it on every call to EVP_DigestInit.
- EVP_MD_CTX_create is now removed, it is just done as part of
EVP_DigestInit and EVP_VerifyInit to an extra JNI call.
- EVP_DigestFinal now destroys the EVP_MD_CTX to avoid needing to make
another call JNI call to EVP_MD_CTX_destroy. EVP_MD_CTX_destroy is
kept for cases when EVP_DigestFinal is never called.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
In addition to the improved NativeCrypto API to allow better
performance for callers, the implementations use of
throwExceptionIfNecessary was made conditional based on the status
code from various operations, which had a noticeable impact on
performance compared to android.security.MessageDigest
luni/src/main/native/NativeCrypto.cpp
Updated MessageDigest.getInstance default implementation to use new
NativeCrypto API. An EVP_MD instance is looked up at class load time
for a specific digest type and then used to call
NativeCrypto.EVP_DigestInit as needed, avoiding a lookup of EVP_MD for
each new digest. The EVP_MD is also for a one-time lookup the digest
output size in bytes, to avoid native calls for
engineGetDigestLength. Finally, the creation of the EVP_MD_CTX is now
lazy, only created when needed, avoiding unnecessarily create/free in
reset cases such as engineDigest. See also external/bouncycastle's
OpenSSLDigest implementation which had similar optimizations.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLMessageDigestJDK.java
OpenSSLSignature also used EVP_MD_CTX_create, and its EVP_VerifyInit
was changed similar to EVP_DigestInit to internally allocate the
EVP_MD_CTX on the call to init.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSignature.java
Fix test to work with arbitrary provider order
luni/src/test/java/org/apache/harmony/security/tests/java/security/MessageDigest2Test.java
Fix CloseGuard warnings
luni/src/test/java/tests/security/MessageDigestTest.java
Bug: 3392028
Change-Id: Idb266ebc0918ffd5550e0f457784256400cd2ff0
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLMessageDigestJDK.java
rovider/jsse/OpenSSLSignature.java
|
| c0779d54195b5b81be9c29e1b46a18022758ef27 |
31-Jan-2011 |
Brian Carlstrom <bdc@google.com> |
am c906eaf2: am 7374d4fa: am 90ff8e2c: Remember intermediate CAs in TrustMangerImpl\'s IndexedPKIXParameters
* commit 'c906eaf2617d6c8f9eb7a3578386845da390956c':
Remember intermediate CAs in TrustMangerImpl's IndexedPKIXParameters
|
| 90ff8e2c017c4332686ff79ea9968a009a703b7e |
30-Jan-2011 |
Brian Carlstrom <bdc@google.com> |
Remember intermediate CAs in TrustMangerImpl's IndexedPKIXParameters
Bug: 3404902
Change-Id: I4a3c35fd2981933c255e5d3a620675b9575083d4
rovider/jsse/IndexedPKIXParameters.java
rovider/jsse/TrustManagerImpl.java
|
| 4885c704f5dba084fc8abc80be390025810aa9ca |
25-Jan-2011 |
Brian Carlstrom <bdc@google.com> |
am e7291d0d: am c009a7d9: am 1c64b3ad: SSLSocket.close() should not throw an IOException if there is a problem sending a close notify
* commit 'e7291d0d02c84ff650cd50297a348f61fe4978b6':
SSLSocket.close() should not throw an IOException if there is a problem sending a close notify
|
| 1c64b3adb85345659ac60ad82216268acba18764 |
24-Jan-2011 |
Brian Carlstrom <bdc@google.com> |
SSLSocket.close() should not throw an IOException if there is a problem sending a close notify
Bug: 3350645
Change-Id: I23844fc94a26175247538c95d8cddec90f368d64
rovider/jsse/OpenSSLSocketImpl.java
|
| 0de447809731c0b76654416d17bb0d8744dcf742 |
21-Jan-2011 |
Elliott Hughes <enh@google.com> |
Merge "Add an @hidden Byte.toHexString that does the right thing, and use it." into dalvik-dev
|
| 4b25199bc0b7a64a6feaa60e7d5d6b0474341234 |
21-Jan-2011 |
Elliott Hughes <enh@google.com> |
Add an @hidden Byte.toHexString that does the right thing, and use it.
Turns out most callers don't actually give a toss about case anyway, since
they're just for debugging output.
Bug: 3371169
Change-Id: Ib8dc079be2dcbf6f2415ecb9b71d034ee71f68eb
rovider/jsse/HandshakeIODataStream.java
rovider/jsse/Logger.java
|
| 2932bab4ee385a107734e2a00010df3b89eda590 |
21-Jan-2011 |
Brian Carlstrom <bdc@google.com> |
am 42b5b3b2: am f8cff2f7: am 57537553: Defend against null directory list in FileClientSessionCache
* commit '42b5b3b2f9d984a710388a7152bbbfabf48b9138':
Defend against null directory list in FileClientSessionCache
|
| 57537553cb179690f40debdf1132f5ed02aa4ae3 |
20-Jan-2011 |
Brian Carlstrom <bdc@google.com> |
Defend against null directory list in FileClientSessionCache
Bug: 3363561
Change-Id: Idc45f7ed85d4e2a78078f06f4d9bbf903efdac69
rovider/jsse/FileClientSessionCache.java
|
| fb0ec0e650bf8be35acb0d47da0311a7c446aa33 |
14-Jan-2011 |
Elliott Hughes <enh@google.com> |
Remove useless android-changed comments.
I've changed useful ones to regular comments or TODOs, as appropriate.
I've left ones in code like java.util.concurrent where we really are
tracking an upstream source, making the change markers useful.
I've left a handful of others where I intend to actually investigate
the implied TODOs before deciding how to resolve them.
Change-Id: Iaf71059b818596351cf8ee5a3cf3c85586051fa6
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/KeyManagerImpl.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/SSLContextImpl.java
rovider/jsse/SSLInputStream.java
rovider/jsse/SSLParametersImpl.java
rovider/jsse/SSLSessionImpl.java
rovider/jsse/ServerHandshakeImpl.java
rovider/jsse/TrustManagerFactoryImpl.java
|
| 2feeee4119506ed1511942f80fc2f7eb431afab7 |
13-Jan-2011 |
Elliott Hughes <enh@google.com> |
Remove non-API uses of Vector.
Change-Id: I27902950af0349619f4cb826d41db8926df0d34a
rovider/jsse/CertificateMessage.java
rovider/jsse/CertificateRequest.java
rovider/jsse/HandshakeProtocol.java
rovider/jsse/KeyManagerImpl.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/SSLSessionImpl.java
|
| 78e3320540c8bdcbefba5ae1222ee18f6679ab33 |
13-Jan-2011 |
Elliott Hughes <enh@google.com> |
Most callers of toLowerCase/toUpperCase should pass Locale.US to avoid problems in Turkey.
Some callers should be replaced with equalsIgnoreCase instead.
The one exception is StreamTokenizer, where the RI uses the default
locale, which is arguably the right thing to do. No-one cares because
that's legacy API, but I've added a test anyway.
I've left HttpCookie and GeneralName for my co-conspirators because the
appropriate resolutions aren't as obvious there...
Bug: 3325637
Change-Id: Ia37a1caaa91b11763ae43e61e445adb45c30f793
rovider/jsse/HandshakeIODataStream.java
rovider/jsse/KeyManagerImpl.java
rovider/jsse/Logger.java
|
| 0d4ce4227fa818288b8db762b640dfa21e3162f5 |
12-Jan-2011 |
Elliott Hughes <enh@google.com> |
Change all "final static"s to "static final".
Just so we sound like native speakers.
Change-Id: I4d98ec7519af8c1578609945ca9d480484b82874
rovider/jsse/HandshakeProtocol.java
|
| ad41624e761bcf1af9c8008eb45187fc13983717 |
07-Jan-2011 |
Elliott Hughes <enh@google.com> |
Retire SecurityManager.
This change removes all the code that was calling getSecurityManager, and
removes all use of AccessController.doPrivileged. It also changes the
implementation of AccessController so it doesn't actually do anything; it's
only there for source-level compatibility.
Bug: 2585285
Change-Id: I1f0295a4f12bce0316d8073011d8593fee116f71
rovider/jsse/DelegatedTask.java
rovider/jsse/JSSEProvider.java
rovider/jsse/KeyManagerFactoryImpl.java
rovider/jsse/Logger.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/SSLServerSocketImpl.java
rovider/jsse/SSLSessionImpl.java
rovider/jsse/TrustManagerFactoryImpl.java
|
| 54c8a07db3c2d1670c2867ba864d351cb30fecfa |
17-Dec-2010 |
Brian Carlstrom <bdc@google.com> |
resolved conflicts for merge of 5fc737eb to master
Change-Id: Ifc2a4fd44cef525709a3b9dc0a502b1a0690c6fd
|
| 2915378e253f08e47fe5a9bfd026cd1ca7c6c351 |
16-Dec-2010 |
Brian Carlstrom <bdc@google.com> |
HttpsURLConnection retry should not invoke X509TrustManager and HostnameVerifier more than once
Summary:
In 2.3, HttpsURLConnection was change to retry TLS connections as SSL
connections w/o compression to deal with servers that are TLS
intolerant. However, if the handshake proceeded to the point of
invoking the X509TrustManager, we should not retry. Similarly, if we
should not invoke the HostnameVerifier repeatedly, and need to wait
until the SSL handshake has completed.
Tested with (includes two new tests for this issue):
libcore/luni/src/test/java/libcore/javax/net/ssl/
libcore/luni/src/test/java/libcore/java/net/URLConnectionTest.java
libcore/luni/src/test/java/org/apache/harmony/luni/tests/internal/net/www/protocol/https/HttpsURLConnectionTest.java
Details:
HttpConnection.setupSecureSocket has been broken into two
pieces. setupSecureSocket now just does the SSL
handshaking. verifySecureSocketHostname now does the
verification. The old HttpConnection code was careful never to
assign its sslSocket field until verification was complete. A new
unverifiedSocket field is added to store the sslSocket before
verification is completed by verifySecureSocketHostname.
luni/src/main/java/org/apache/harmony/luni/internal/net/www/protocol/http/HttpConnection.java
HttpsEngine.makeConnection now skips TLS intolerant retry if the
reason for the makeSslConnection failure was a
CertificateException, since that implies that we failed during
certification validation after initial handshaking. We also
prevent retrying hostname verification by moving it out of
makeSslConnection and only doing it on new SSL connections,
tracking the changes to HttpConnection.setupSecureSocket mentioned
above. We also now skip the redundant call to setUpTransportIO in
makeSslConnection on reused SSLSockets.
luni/src/main/java/org/apache/harmony/luni/internal/net/www/protocol/https/HttpsURLConnectionImpl.java
Instead of throwing away the underlying CertificateExceptions, set
them as the cause of the SSLExceptions. This is what the RI does
in the case of X509TrustManager failures and is now used by
HttpsEngine.makeConnection.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Added new testConnectViaHttpsToUntrustedServer which makes sure
that connections are not retried on certificate verification
failure.
luni/src/test/java/libcore/java/net/URLConnectionTest.java
Added new test_SSLSocket_untrustedServer that verifies that an
SSLHandshakeException is thown containing a CertificateException
is thrown on certificate verification problems.
luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java
Added second test CA and a new TestKeyStore.getClientCA2 test key
store that does not trust the primary test key stores. This is
useful for negative testing and is used in the above two new
tests.
support/src/test/java/libcore/java/security/TestKeyStore.java
Issue: http://code.google.com/p/android/issues/detail?id=13178
Bug: 3292412
Change-Id: I37136bb65f04d2bceaf2f32f542d6432c8b76ad4
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/OpenSSLSocketImpl.java
|
| a1603838fe9e865575c87982e32c6343740e464c |
11-Dec-2010 |
Elliott Hughes <enh@google.com> |
Lots more bounds-checking/exception-throwing consistency.
Overflow-safe checks all round, plus better detail messages. This isn't
quite everything, but it's a large chunk of the work. Most notably, this
is all of io and nio.
There are numerous changes of exception priority here, and the harmony
tests noticed a subset of them in the nio code. I've modified our checked-out
copy of the tests to accept any of the throwable exceptions.
Change-Id: Id185f1228fb9a1d5fc9494e78375b5623fb0fe14
rovider/jsse/OpenSSLSocketImpl.java
|
| b46dab348e2007bc08abaf7ecae34d89a2474e50 |
09-Dec-2010 |
Elliott Hughes <enh@google.com> |
Rewrite all backwards comparisons.
Strictly, all the ones I could find. This is everything with 0 or null on the
left-hand side.
Note that this touches several incorrect bounds checks, which I haven't fixed:
I'm going to come back and finish that independent cleanup separately.
Change-Id: Ibdb054b53df9aace47c7d2a00ff19122190053e8
rovider/jsse/OpenSSLSocketImpl.java
|
| 8272b935bd238a37846ea76b8fcfe297abe1c7ee |
08-Dec-2010 |
Brian Carlstrom <bdc@google.com> |
KeyManager.choose* methods should tolerate null key types
This regression was found by X509KeyManagerTest and now
KeyManagerFactoryTest covers it as well. The underlying problem was
introduced recently when KeyManagerImpl was updated to support key
types with specific signature algorithms like EC_RSA and EC_EC.
Change-Id: Ic99ab10e5ba07e990dc0e8a2d257c2167f2d33bb
rovider/jsse/KeyManagerImpl.java
|
| ffeba5dd766602f6e2be9caa9081744348a53c04 |
01-Dec-2010 |
Brian Carlstrom <bdc@google.com> |
Add support for TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite
"TLS_EMPTY_RENEGOTIATION_INFO_SCSV" is RFC 5746's renegotiation
indication signaling cipher suite value. It is not a real cipher
suite. It is just an indication in the default and supported cipher
suite lists indicates that the implementation supports secure
renegotiation.
In the RI, its presence means that the SCSV is sent in the cipher
suite list to indicate secure renegotiation support and its absence
means to send an empty TLS renegotiation info extension instead.
However, OpenSSL doesn't provide an API to give this level of control,
instead always sending the SCSV and always including the empty
renegotiation info if TLS is used (as opposed to SSL). So we simply
allow TLS_EMPTY_RENEGOTIATION_INFO_SCSV to be passed for compatibility
as to provide the hint that we support secure renegotiation.
Change-Id: I0850bea47568edcfb1f7df99d4e8a747f938406d
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLServerSocketImpl.java
rovider/jsse/OpenSSLSocketImpl.java
|
| 4ae3fd787741bfe1b808f447dcb0785250024119 |
19-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
Elliptic Crypto support for OpenSSLSocketImpl
Summary:
- Enable Elliptic Crypto support for OpenSSL based SSLSocket instances
- More RI compliant usage of key types, client auth types, and server auth types
- Steps toward TLS_EMPTY_RENEGOTIATION_INFO_SCSV support, currently test updates
Details:
Elliptic Curve changes
CipherSuite updates for EC
- Adding KEY_EXCHANGE_EC* and corresponding CipherSuites Updated
isAnonymous, getKeyType (now renamed getServerKeyType) to handle
new EC cases. Added new getAuthType for use by
checkServerTrusted callers.
- Restructured code to handle two SUITES_BY_CODE_* arrays
- Remove KEY_EXCHANGE_DH_* definitions which unused because the
corresponding CipherSuites were previously disabled.
- Changed AES CipherSuites definitions to use "_CBC" to match other definitions.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
openssl EC
- NativeCrypto now registers TLS_EC_* cipher suites and has update default list
- Improved auth type arguments to checkClientTrusted/checkServerTrusted
- NativeCrypto support for emphemeral EC keys
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
luni/src/main/native/NativeCrypto.cpp
non-openssl SSL/TLS cleanups
- cleanup around code trying to cope with DiffieHellman vs DH since either should work.
- changed client to use new CipherSuite.getAuthType shared with NativeCrypto implementation
- changed server to use CipherSuite.getKeyType
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/HandshakeProtocol.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/KeyManagerImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java
Consolidate CertificateRequestType code into CipherSuite so that its
shared between java and openssl implementations. This includes the
KEY_TYPE_ string constants, TLS_CT_* byte constants and the 'String
keyType(byte)' (now renamed getClientKeyType) code that depends on them.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CertificateRequest.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java
Tests
Differentiate between supported list of cipher suites openssl-based
SSLSocket and SSLEngine based, since the SSLEngine code does not support EC.
luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java
luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java
Added testing for expected default cipher suites. Before we just ensured the values were valid.
luni/src/test/java/libcore/javax/net/ssl/SSLSocketFactoryTest.java
support/src/test/java/libcore/java/security/StandardNames.java
Updated to handle new EC cipher suites codes. Added test for new getClientKeyType.
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/CipherSuiteTest.java
Better use of "standard names" particularly to correctly deal with
the subtle differences between key types, client auth types, and
server auth types. TestKeyManager and TestTrustManager now verify
the values they are passed are acceptable.
support/src/test/java/libcore/java/security/StandardNames.java
support/src/test/java/libcore/javax/net/ssl/TestKeyManager.java
support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java
Changed to timeout after 30 seconds and to log to reveal both client and server issues.
support/src/test/java/libcore/javax/net/ssl/TestSSLSocketPair.java
Bug: 3058375
Change-Id: I14d1d0285d591c99cc211324f3595a5be682cab1
rovider/jsse/CertificateRequest.java
rovider/jsse/CipherSuite.java
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/HandshakeProtocol.java
rovider/jsse/KeyManagerImpl.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLServerSocketImpl.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/ServerHandshakeImpl.java
|
| 1a3dfbe49a3dcd7c855972dadccb9226468359d5 |
29-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
am 6c78b7b9: Toward EC TLS support
* commit '6c78b7b94c232063ec559436b48b33751373ecf1':
Toward EC TLS support
|
| 6c78b7b94c232063ec559436b48b33751373ecf1 |
19-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
Toward EC TLS support
Summary:
- javax.net.ssl tests are now working on the RI
- KeyManager can now handle EC_EC and EC_RSA
- OpenSSLSocketImpl.startHandshake now works if KeyManager contains EC certificates
Details:
Add CipherSuite.getKeyType to provide X509KeyManager key type strings,
refactored from OpenSSLServerSocketImpl.checkEnabledCipherSuites.
getKeyType is now also used in OpenSSLSocketImpl.startHandshake to
avoid calling setCertificate for unnecessary key types.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
New CipherSuiteTest to cover new getKeyType as well as existing functionality
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/CipherSuiteTest.java
Add support to KeyManager implementation for key types of the form
EC_EC and EC_RSA. The first part implies the KeyPair algorithm (EC in
these new key types) with a potentially different signature algorithm
(EC vs RSA in these)
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/KeyManagerImpl.java
Update NativeCrypto.keyType to support EC_EC and EC_RSA in addition to
EC which was added earlier. Change from array of KEY_TYPES to named
KEY_TYPE_* constants.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
Overhauled KeyManagerFactoryTest to cover EC, EC_EC, EC_RSA cases
luni/src/test/java/libcore/javax/net/ssl/KeyManagerFactoryTest.java
support/src/test/java/libcore/java/security/StandardNames.java
Changed TestKeyStore.createKeyStore from always using BKS to now use
JKS on the RI between BC EC Keys and RI X509 certificates. Because JKS
requires a password, we now default "password" on the RI.
support/src/test/java/libcore/java/security/TestKeyStore.java
luni/src/test/java/libcore/javax/net/ssl/SSLContextTest.java
support/src/test/java/libcore/java/security/StandardNames.java
TestKeyStore.create now accepts key types like EC_RSA. Changed
TestKeyStore.createKeys to allow a PrivateKeyEntry to be specified for
signing to enable creation of EC_RSA test certificate. Added
getRootCertificate/rootCertificate to allow lookup of PrivateKeyEntry
for signing. Changed TestKeyStore.getPrivateKey to take explicit
signature algorithm to retrieve EC_EC vs EC_RSA entries.
support/src/test/java/libcore/java/security/TestKeyStore.java
luni/src/test/java/libcore/java/security/KeyStoreTest.java
luni/src/test/java/libcore/javax/net/ssl/KeyManagerFactoryTest.java
luni/src/test/java/libcore/java/security/cert/PKIXParametersTest.java
luni/src/test/java/libcore/javax/net/ssl/TrustManagerFactoryTest.java
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
support/src/test/java/libcore/java/security/StandardNames.java
Added support for EC cipher suites on the RI. Also test with and
without new TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite which is
used to specify the new TLS secure renegotiation.
luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java
luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java
support/src/test/java/libcore/java/security/StandardNames.java
New TestKeyManager and additional logging in TestTrustManager. Logging
in both is disabled by default using DevNullPrintStream.
support/src/test/java/libcore/javax/net/ssl/TestKeyManager.java
support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java
support/src/test/java/libcore/java/io/DevNullPrintStream.java
Bug: 3058375
Change-Id: Ia5e2a00a025858e10d1076b900886994b481e05a
rovider/jsse/CipherSuite.java
rovider/jsse/KeyManagerImpl.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLServerSocketImpl.java
rovider/jsse/OpenSSLSocketImpl.java
|
| 9d615f25f7576314ec6473b143b13d00ce52e805 |
18-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
am 57f2cc03: Test updates for Elliptic Curve
* commit '57f2cc03ff2cf5d2f6413c5410680b4908d7301d':
Test updates for Elliptic Curve
|
| 57f2cc03ff2cf5d2f6413c5410680b4908d7301d |
05-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
Test updates for Elliptic Curve
Updated with Elliptic Curve (EC) (and SunPKCS11-NSS) names for use by ProviderTest
support/src/test/java/libcore/java/security/StandardNames.java
Enhance test_KeyStore_cacerts_bks to verify PublicKey can be
retreived. Before this the test would pass even though an
ECPublicKey could not be accessed. With EC support in
external/bouncycastle, this test now passes.
luni/src/test/java/libcore/java/security/KeyStoreTest.java
New SignatureTest to cover ECDSA, replaces the old one that
required a subclass per tested algorithm.
luni/src/test/java/libcore/java/security/SignatureTest.java
support/src/test/java/tests/security/SignatureTest.java
luni/src/test/java/tests/targets/security/SignatureTestMD5withRSA.java
luni/src/test/java/tests/targets/security/SignatureTestNONEwithDSA.java
luni/src/test/java/tests/targets/security/SignatureTestSHA1withDSA.java
luni/src/test/java/tests/targets/security/SignatureTestSHA1withRSA.java
luni/src/test/java/tests/targets/security/SignatureTestSHA256withRSA.java
luni/src/test/java/tests/targets/security/SignatureTestSHA384withRSA.java
luni/src/test/java/tests/targets/security/SignatureTestSHA512withRSA.java
luni/src/test/java/tests/targets/security/AllTests.java
Improve ProviderTest logging while debugging SunPKCS11-NSS
provider issues. Added some exceptions for RI missing classes.
luni/src/test/java/libcore/java/security/ProviderTest.java
Changed style slightly to match KeyPairGeneratorTest, where +N is
used to indicated when multiples of a increments of a certain
amount are required for valid key sizes.
luni/src/test/java/libcore/javax/crypto/KeyGeneratorTest.java
Fix test CloseGuard issues
luni/src/test/java/libcore/java/security/KeyStoreTest.java
Fix readability
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java
Bug: 3058375
Change-Id: I99cd93ad66372e8512d993168550cc1d471d3248
rovider/jsse/ServerHandshakeImpl.java
|
| de8ebcab83d48d4edc28fced9d0a8382f1ef1436 |
16-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
am 8a720cce: TrustManager should include PrivateKeyEntry CAs, OpenSSLSocketImpl close fix, and debugging improvements
* commit '8a720cceee7ce319d647738dfeda3f302879f370':
TrustManager should include PrivateKeyEntry CAs, OpenSSLSocketImpl close fix, and debugging improvements
|
| 8a720cceee7ce319d647738dfeda3f302879f370 |
16-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
TrustManager should include PrivateKeyEntry CAs, OpenSSLSocketImpl close fix, and debugging improvements
Revert to older behavior of creating TrustAnchors from both
PrivateKeyEntry and TrustedCertificateEntry values from the
KeyStore. Added tests to better ensure this slighlt different
behavior from PKIXParameters. Also create the acceptedIssuers
proactively since the real memory cost is the X509Certificates
which are already found in the params.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
luni/src/test/java/libcore/javax/net/ssl/TrustManagerFactoryTest.java
luni/src/test/java/libcore/java/security/cert/PKIXParametersTest.java
Don't just free native state on issue with startHandshake, close
the SSLSocket. While the former addressed a CloseGuard issue, the
latter make sure that checkOpen throws SocketExceptions and we don't
leak a NullPointerException from NativeCrypto.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Debugging improvements including minor refinements to recently
added NativeCrypto logging, more verbose TestKeyStore.dump output,
and a new TestTrustManager proxy class for logging X509TrustManager
behavior.
luni/src/main/native/NativeCrypto.cpp
support/src/test/java/libcore/java/security/TestKeyStore.java
support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java
Change-Id: I317e1ca34d8e20c77e5cb9c5a5a58cb4ae98d829
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/TrustManagerImpl.java
|
| 693eacca9fa67ad79d1b35dbaad61c5ac1ac457c |
10-Nov-2010 |
Elliott Hughes <enh@google.com> |
Stop allocating empty arrays.
Bug: 3166662
Change-Id: I151de373b2bf53786d19824336fa434c02b0b0e8
rovider/jsse/ClientHello.java
rovider/jsse/ClientKeyExchange.java
rovider/jsse/DigitalSignature.java
rovider/jsse/KeyManagerFactoryImpl.java
rovider/jsse/Logger.java
rovider/jsse/NativeCrypto.java
rovider/jsse/SSLServerSocketFactoryImpl.java
rovider/jsse/SSLSessionImpl.java
rovider/jsse/SSLSocketFactoryImpl.java
rovider/jsse/TrustManagerFactoryImpl.java
|
| 41ea5dcbab2b53238434831d2365fa65d6e911ff |
08-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
Make OpenSSLSocketFactory and SSLSocketFactory fields final
Bug: 2954292
Change-Id: I4cad068d4da39a9c55ca25fad698f3ea136f2e24
rovider/jsse/OpenSSLSocketFactoryImpl.java
rovider/jsse/SSLSocketFactoryImpl.java
|
| 9a356d010cadf3bb3d5cf4b5502010751f602fa1 |
08-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
TrustManagerImpl.cleanupCertChain should not modify original the original chain
The original frameworks/base code this was based on unconditionally
copied the chain before cleaning it which I missed on initial
refactoring. The code lazily makes the copy only it actually needs to
modify the chain.
Change-Id: I29bea6f8064d338bd625ab8ed7a89f5d96a75dfd
rovider/jsse/TrustManagerImpl.java
|
| b4bb9aba620d8a363fb3617b25839093caf39cf4 |
03-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
resolved conflicts for merge of a5c608e5 to dalvik-dev
Change-Id: I0319c132ec8f42782475906da267439938308e77
|
| a5c608e59f9d574ea4bc65e9dff44aae2f34fd26 |
01-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
TrustManager improvements
Overhaul of TrustManagerImpl
- PKIXParameters can now be final in TrustManagerImpl because we
always immediately create an IndexedPKIXParameters instead of only
doing it in SSLParametersImpl.createDefaultTrustManager.
- Use new KeyStore constructor for IndexedPKIXParameters to remove
duplicate logic for creating set of TrustAnchors from a KeyStore.
- Improved checkTrusted/cleanupCertChain to remove special cases for
directly trusting the end cert or pruning only self signed certs. To
support b/2530852, we need to stop prune the chain as soon as we
find any trust anchor (using newly improved
TrustManagerImpl.isTrustAnchor), which could be at the beginning,
middle, or end. That means cleanupCertChain can return an empty
chain if everything was trusted directly. (and we don't need to do
extra checks on exception cases to see if the problem was just that
the trust anchor was in the chain)
- isDirectlyTrusted -> isTrustAnchor here as well, using new
IndexedPKIXParameters.isTrustAnchor APIs
- Fix incorrect assumption in getAcceptedIssuers that all TrustAnchor
instances have non-null results for getTrustedCert.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
Removed indexing in createDefaultTrustManager since we always index now
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java
Overhaul of IndexedPKIXParameters
- Single map from subject X500Principal to TrustAnchors
instead of two different X500Principal keyed maps to check
- Removed map based on encoded cert. For b/2530852, we want to treat
certs as equal if they have the same name and public key, not
byte-for-byte equality, which can be done with the remaining map.
Revamped isDirectlyTrusted into isTrustAnchor(cert) to perform this
new name/key based comparison.
- Added helper isTrustAnchor(cert, anchors) to reuse code in
non-IndexedPKIXParameters case in TrustManagerImpl.
- Added constructor from KeyStore
- Moved anchor indexing code to index() from old constructor
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/IndexedPKIXParameters.java
TestKeyStore.getPrivateKey allowed some existing test simplification.
luni/src/test/java/libcore/java/security/KeyStoreTest.java
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
support/src/test/java/libcore/java/security/TestKeyStore.java
Added missing "fail()" before catching expected exceptions.
luni/src/test/java/libcore/java/security/KeyStoreTest.java
Expanded KeyManagerFactoryTest to excercise ManagerFactoryParameters b/1628001
luni/src/test/java/libcore/javax/net/ssl/KeyManagerFactoryTest.java
Added KeyStoreBuilderParametersTest because I thought I saw a bug in
KeyStoreBuilderParameters, but this convinced me otherwise.
luni/src/test/java/libcore/javax/net/ssl/KeyStoreBuilderParametersTest.java
New TrustManagerFactory test modeled on expanded KeyManagerFactoryTest.
test_TrustManagerFactory_intermediate specifically is targeting the
new functionality of b/2530852 to handling trust anchors within the
chain.
luni/src/test/java/libcore/javax/net/ssl/TrustManagerFactoryTest.java
support/src/test/java/libcore/java/security/StandardNames.java
Some initial on tests for Elliptic Curve (b/3058375) after the RI
started reporting it was supported. Removed old @KnownFailure
tags. Skipped a test on the RI that it can't handle. Improved some
assert messages.
luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java
luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java
support/src/test/java/libcore/java/security/StandardNames.java
support/src/test/java/libcore/java/security/TestKeyStore.java
Removed unneeded bytes->javax->bytes->java case of which can just go bytes->java directly.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Removed super()
luni/src/main/java/javax/net/ssl/KeyStoreBuilderParameters.java
Made Security.secprops final
luni/src/main/java/java/security/Security.java
Pulled SamplingProfiler fix from dalvik-dev branch
git cherry-pick --no-commit f9dc3450e8f23cab91efc9df99bb860221ac3d6c
dalvik/src/main/java/dalvik/system/SamplingProfiler.java
Bug: 2530852
Change-Id: I95e0c7ee6a2f66b6986b3a9da9583d1ae52f94dd
rovider/jsse/IndexedPKIXParameters.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/SSLParametersImpl.java
rovider/jsse/TrustManagerImpl.java
|
| aa37a8aa3af5a638cdf4e67f9273fb8118a11dee |
01-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
Avoid races between OpenSSLSocketImpl I/O and close()
The previous change:
commit 5f2e6872311240319509aed64d9f58cd5b64719b
Author: Brian Carlstrom <bdc@google.com>
Date: Mon Aug 23 14:06:51 2010 -0700
SSLSocket.read should throw SocketException not NullPointerException
added checkOpen() to throw SocketException instead of
NullPointerException, but there was still a race between read/write on
one thread and close on another that could allow a
NullPointerException to escape. This change moves checkOpen() calls to
be protected by the existing writeLock/readLock/handshakeLock
synchronzied blocks to avoid this case.
byte buffer error checking for read/write is also moved into the to
lock region to preserve compatability as measured by the test:
libcore.javax.net.ssl.SSLSocketTest#test_SSLSocket_close
Bug: 3153162
rovider/jsse/OpenSSLSocketImpl.java
|
| bc40740e2e9e982908696ec666cc19c77663d0b2 |
01-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
am 12e7cb01: Avoid races between OpenSSLSocketImpl I/O and close()
* commit '12e7cb011c48b228cdeb2b799fff54d7fbfc6d85':
Avoid races between OpenSSLSocketImpl I/O and close()
|
| 12e7cb011c48b228cdeb2b799fff54d7fbfc6d85 |
01-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
Avoid races between OpenSSLSocketImpl I/O and close()
The previous change:
commit 5f2e6872311240319509aed64d9f58cd5b64719b
Author: Brian Carlstrom <bdc@google.com>
Date: Mon Aug 23 14:06:51 2010 -0700
SSLSocket.read should throw SocketException not NullPointerException
added checkOpen() to throw SocketException instead of
NullPointerException, but there was still a race between read/write on
one thread and close on another that could allow a
NullPointerException to escape. This change moves checkOpen() calls to
be protected by the existing writeLock/readLock/handshakeLock
synchronzied blocks to avoid this case.
byte buffer error checking for read/write is also moved into the to
lock region to preserve compatability as measured by the test:
libcore.javax.net.ssl.SSLSocketTest#test_SSLSocket_close
Bug: 3153162
Change-Id: I16299f09dc91871407e88eb718073d21a816f683
rovider/jsse/OpenSSLSocketImpl.java
|
| d29fddcf333997fc2d7429d531e4d934dc705c88 |
27-Oct-2010 |
Jesse Wilson <jessewilson@google.com> |
Flip 'abstract public' to 'public abstract'.
Change-Id: Ice9b81c63cea4a3c08f697a28180c161a13e640e
rovider/jsse/AbstractSessionContext.java
|
| 5d1dfcb5e1e9a0a93a36d7d42a0270af408ef4b3 |
22-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
am 57f2ec9d: Merge "Move improved cert chain handling from CertificateChainValidator to TrustManagerImpl"
|
| 9ff0e556917fd66ea30224ac89f6dea7958eda1f |
20-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
Move improved cert chain handling from CertificateChainValidator to TrustManagerImpl
Bug: 2658463
Change-Id: I014ebfee1f6e2f46b7a842b5bbf6549bf484f3c0
rovider/jsse/TrustManagerImpl.java
|
| 1d95ed8cdeeb023281dc855aa26a444aeccd1c11 |
15-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
am 49a52427: am 7e39eff6: am ed72e08a: Change SSLParametersImpl.getDefaultTrustManager to not throw checked exceptions
Merge commit '49a52427c960328491105cbb08d6c3167ed34d97' into dalvik-dev
* commit '49a52427c960328491105cbb08d6c3167ed34d97':
Change SSLParametersImpl.getDefaultTrustManager to not throw checked exceptions
|
| 7f43cc3f91d9322ef85137fb25986d67f838856f |
15-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
am f97a046b: am 0dc94964: am d6e53e42: SSLParameters.getDefaultTrustManager() should lazily initialize its value
Merge commit 'f97a046bfb36b5bfee49fd527d4de7cb21b211e2' into dalvik-dev
* commit 'f97a046bfb36b5bfee49fd527d4de7cb21b211e2':
SSLParameters.getDefaultTrustManager() should lazily initialize its value
|
| 49a52427c960328491105cbb08d6c3167ed34d97 |
15-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
am 7e39eff6: am ed72e08a: Change SSLParametersImpl.getDefaultTrustManager to not throw checked exceptions
Merge commit '7e39eff6d4fea3af79d9fff32e620ee86ba700b4'
* commit '7e39eff6d4fea3af79d9fff32e620ee86ba700b4':
Change SSLParametersImpl.getDefaultTrustManager to not throw checked exceptions
|
| f97a046bfb36b5bfee49fd527d4de7cb21b211e2 |
15-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
am 0dc94964: am d6e53e42: SSLParameters.getDefaultTrustManager() should lazily initialize its value
Merge commit '0dc949645456739af3cbb8e3bc6221798abb00c5'
* commit '0dc949645456739af3cbb8e3bc6221798abb00c5':
SSLParameters.getDefaultTrustManager() should lazily initialize its value
|
| ed72e08ad6ee16694681c8c2317f97de6d9f4323 |
13-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
Change SSLParametersImpl.getDefaultTrustManager to not throw checked exceptions
Change-Id: Id5a042873acc0a8185567ca18ce009c06e54f38d
rovider/jsse/SSLParametersImpl.java
|
| d6e53e42867824f97c9fb9c427cc188897ea9315 |
13-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
SSLParameters.getDefaultTrustManager() should lazily initialize its value
Make SSLParametersImpl's defaultKeyManager, defaultTrustManager,
defaultSecureRandom, and defaultParameters all use the single check
idiom for initialization. Move such initialization for
defaultKeyManager and defaultTrustManager out of SSLParametersImpl
constructor into static functions, replacing original
getDefaultTrustManager simple accessor with code that performs lazy
initialization.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java
dirrect -> direct
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketImpl.java
hanshake -> handshake
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLRecordProtocol.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/HandshakeProtocol.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketImpl.java
Bug: 2954292
Change-Id: I19bae541613666903b57fccf3e8bfef65b74d6cf
rovider/jsse/HandshakeProtocol.java
rovider/jsse/SSLParametersImpl.java
rovider/jsse/SSLRecordProtocol.java
rovider/jsse/SSLSocketImpl.java
|
| 12f2d8e2760b78c673b7a187b9062b3938a03147 |
12-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
Revised CloseGuard usage pattern
- CloseGuard.get() instants are now "unopened"
- In constructor cases, guard.open("...") is now at the end
- In metod cases, guard.open("...") is now after resource acquisition
- guard null pointer checks in finalizers in case constructor threw exception
Bug: 2645458
Change-Id: Ieb874a8c33b347768a9fa7437b3dd16f3d56d886
rovider/jsse/OpenSSLSocketImpl.java
|
| cdce865a463ec17f35c4cc1a6f71813c78e3a566 |
06-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
resolved conflicts for merge of 33cb9824 to dalvik-dev
Change-Id: I36508876ffcda358379a0955f107c8706e6130e2
|
| 33cb9824c6950db2b6c76d7fddec9fb471316b42 |
06-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
Remove OpenSSLSocketImpl.instanceCount
Its use in ActivityThread is being replaced with Debug.countInstancesOfClass(OpenSSLSocketImpl.class)
Bug: 3015791
Change-Id: I26ece579f8e0fce62f17f398055b16aceaaf1b08
rovider/jsse/OpenSSLSocketImpl.java
|
| f7aab022dcbfcd8f27b409ab92b4bca4a84d0b8a |
30-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
CloseGuard: finalizers for closeable objects should log complaints
Introducing CloseGuard which warns when resources are implictly
cleaned up by finalizers when an explicit termination method, to use
the Effective Java "Issue 7: Avoid finalizers" terminology, should
have been used by the caller.
libcore classes that can use CloseGuard now do so.
Bug: 3041575
Change-Id: I4a4e3554addaf3075c823feb0a0ff0ad1c1f6196
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/TrustManagerFactoryImpl.java
|
| a7a70410e26802f3ab480b08a1ab499338cb6f7e |
03-Oct-2010 |
Jesse Wilson <jessewilson@google.com> |
Use IoUtils.closeQuietly where possible.
Change-Id: I354c1e00b7068108032d09c0a1c38e29f6283fb0
rovider/jsse/FileClientSessionCache.java
|
| 82281cde1eaec8f299cc7d4f383f716cf9e6fe71 |
02-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
am dc825fef: am 9583c700: am cd68630d: Merge "SSL* AppData should not hold onto JNI global references" into gingerbread
Merge commit 'dc825fef1519d4a65abf374e31d985cb2faf9d4a' into dalvik-dev
* commit 'dc825fef1519d4a65abf374e31d985cb2faf9d4a':
SSL* AppData should not hold onto JNI global references
|
| dc825fef1519d4a65abf374e31d985cb2faf9d4a |
02-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
am 9583c700: am cd68630d: Merge "SSL* AppData should not hold onto JNI global references" into gingerbread
Merge commit '9583c70042da95219941b430d51a9994334e49f0'
* commit '9583c70042da95219941b430d51a9994334e49f0':
SSL* AppData should not hold onto JNI global references
|
| 80b486724ca19b3c1c3c36334d06856330362f83 |
01-Oct-2010 |
Jesse Wilson <jessewilson@google.com> |
Simplify skip() to use skipByReading or the superclass where possible.
Several classes were overriding InputStream.skip() but not doing
anything better than the base class. These were deleted.
Others were allocating skip buffers which was correct, but duplicated
code with our Streams utility class.
The CipherInputStream class had a skip method that always skipped
0 bytes. This has been fixed and tested.
Change-Id: Ic96c600e111c11cf7364b4e0a721791d7e3c2ae1
rovider/jsse/SSLInputStream.java
rovider/jsse/SSLSocketInputStream.java
|
| df9c090e85c4d052cdd17b5f981819be86a56737 |
01-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
SSL* AppData should not hold onto JNI global references
Summary:
NativeCrypto.SSL_do_handshake stored JNI global references in its
AppData instance for use in upcalls from OpenSSL that invoke Java
callbacks. However, one of the references was to the
SSLHandshakeCallbacks which in the common case of OpenSSLSocketImpl is
the OpenSSLSocketImpl instance itself. This meant that if code dropped
the OpenSSLSocketImpl without closing (such as Apache HTTP Client),
the instances would never be collected, and perhaps more importantly,
file descriptors would not be closed.
The fix is to pass in the objects required during a callback in all
downcalls to SSL_* methods that could result in a callback and clear
them on return. The existing code already did this for the JNIEnv*, so
that code was expanded to handle setting the jobjects as well.
Details:
In the native code used to extract the FileDescriptor object from a
Socket on the call to NativeCrypto.SSL_do_handshake. However, since we
need this for every read and write operations, we now do this in Java
to avoid the repeated overhead. NativeCrypto.SSL_do_handshake now
takes a FileDescriptor, which it extracted from the Socket the
convenience function using NativeCrypto.getFileDescriptor(Socket)
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
In addition to tracking changes to pass FileDescriptor and
SSLHandshakeCallbacks, removed final uses of getFieldId since the
code no longer needs to extract FileDescriptors itself
luni/src/main/native/NativeCrypto.cpp
The Socket field used to be non-null in the wrapper case and null in
the non-wrapper case. To simplify things a bit, "socket == this" in
the non-wrapper case. The socket field is now also final and joined by
a final FileDescriptor field.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Updated NativeCryptoTest to track FileDescriptor and
SSLHandshakeCallbacks by expanding the Hooks.afterHandshake to provide
them. Also changed to add a 5 second timeout to many test cases.
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
Bug: 2989218
Change-Id: Iccef92b59475f3c1929e990893579493ece9d442
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
| 63fcdd7e833df417cfbd60961a5167ce637f3071 |
29-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
resolved conflicts for merge of 53e83038 to master
Conflicts:
luni/src/main/java/java/io/FileInputStream.java
luni/src/main/java/java/io/FileOutputStream.java
luni/src/main/java/javax/crypto/ExemptionMechanism.java
luni/src/main/java/org/apache/harmony/luni/net/PlainDatagramSocketImpl.java
luni/src/main/java/org/apache/harmony/luni/net/PlainSocketImpl.java
Change-Id: I0dd5da8e8cb1819cb90440c462ba307dffde8ed7
|
| e2f58c9501eac730d048199906dc41fe8e4cd6e9 |
29-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
Scrub missing calls to super.finalize()
Bug: 3024226
Change-Id: I6642cb9d4929ba72244529efe4ebdfa595ae4fa7
rovider/jsse/AbstractSessionContext.java
rovider/jsse/OpenSSLMessageDigestJDK.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/OpenSSLSignature.java
rovider/jsse/OpenSSLSocketImpl.java
|
| d4b134ec6762fa9e85f97d2174497df5e6af8566 |
26-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
am 873c0bfb: am a1b18854: Merge "Fix OpenSSLSessionImpl.getValueNames regression" into gingerbread
Merge commit '873c0bfbf627fa15dd44463f9a664b6f83c74594'
* commit '873c0bfbf627fa15dd44463f9a664b6f83c74594':
Fix OpenSSLSessionImpl.getValueNames regression
|
| 4071cf16af7a9a7234856d3ff1837df0da168c6c |
25-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
Fix OpenSSLSessionImpl.getValueNames regression
In e32b21f14d52bac429a9c54fe031f9e92c911d64, the code was converted to
use Objects.equals. However, because of a typo, an autoboxed Boolean
was passed instead of an AccessControlContext. I reviewed the rest of
the original change to make sure there were no other instances of this
regression.
Also cleaned up the SSLSessionTest (fixing two broken tests
test_getLocalPrincipal and test_getPeerPrincipal) and fixed a
whitespace issue in AccessControlContext.
Change-Id: Icaee8a0c2f5f527bea7a80037fe3f99c509d9f42
rovider/jsse/OpenSSLSessionImpl.java
|
| b55a9297dd1645c4924ac1afa77cbb3010191b1c |
25-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
am 51e0ec67: am e9baa585: Merge "OpenSSLSocketImpl should not call NativeCrypto.SSL_set_client_CA_list with an empty array" into gingerbread
Merge commit '51e0ec67ca5e78ffd907506c780f5dfd340e9f59'
* commit '51e0ec67ca5e78ffd907506c780f5dfd340e9f59':
OpenSSLSocketImpl should not call NativeCrypto.SSL_set_client_CA_list with an empty array
|
| 0150f73ac180714cae49782e674ecb68fde12326 |
25-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
OpenSSLSocketImpl should not call NativeCrypto.SSL_set_client_CA_list with an empty array
Bug: 3034616
Change-Id: Ib39ebfa737910f0ebce5ac2ad87715579bd7aa3d
rovider/jsse/OpenSSLSocketImpl.java
|
| 2550478eb3ff8283ebac6ba2a683fd7bbb23e3ee |
22-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
am 7452795a: am f8f14c30: am 1be19cf6: Tracking external/bouncycastle OpenSSLDigest
Merge commit '7452795a3d40cac126b21f85316b36b035950371' into dalvik-dev
* commit '7452795a3d40cac126b21f85316b36b035950371':
Tracking external/bouncycastle OpenSSLDigest
|
| 1be19cf6a06834e97608dffd87c30d604b02196a |
22-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
Tracking external/bouncycastle OpenSSLDigest
Making OpenSSLMessageDigestJDK final to match OpenSSLDigest version
Fixing WITH_JNI_TRACE used for debugging OpenSSLDigest
Bug: 3024499
Change-Id: I919749348e531d074a25e16ab13315cede4f88e5
rovider/jsse/OpenSSLMessageDigestJDK.java
|
| c18fe70cc844546c7e1e34b501c185d784d7f863 |
20-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
am 7806efe8: am 862e1168: am 03fef47f: Merge "SSLSocket should respect timeout of a wrapped Socket" into gingerbread
Merge commit '7806efe820ff848e99eecef68a6df4049b9eb3c5' into dalvik-dev
* commit '7806efe820ff848e99eecef68a6df4049b9eb3c5':
SSLSocket should respect timeout of a wrapped Socket
|
| 8b5d96adf89ade9a35b94032e5762e5f602c24a0 |
20-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
am fcc7302e: am 748ccde6: am dad46534: Merge "Use BufferedInputStream when reading cacerts.bks" into gingerbread
Merge commit 'fcc7302ea9bbfd553188d369459428b2e8f39fb2' into dalvik-dev
* commit 'fcc7302ea9bbfd553188d369459428b2e8f39fb2':
Use BufferedInputStream when reading cacerts.bks
|
| 03fef47fc07bfc4cb2a7a154c9961cd96d910e0e |
20-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
Merge "SSLSocket should respect timeout of a wrapped Socket" into gingerbread
|
| a4a95792af235d4bf3256eab3208f74fae8ec262 |
19-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
SSLSocket should respect timeout of a wrapped Socket
Change to using getSoTimeout in OpenSSLSocketImpl instead of directly
using the timeout field. This means the proper timeout will be used
for instances of the OpenSSLSocketImplWrapper subclass, which is used
when an SSLSocket is wrapped around an existing connected non-SSL
Socket. The code still maintains the local timeout field, now renamed
timeoutMilliseconds, which is now accesed via
OpenSSLSocketImpl.getSoTimeout. Doing so prevents a getsockopt syscall
that otherwise would be necessary if the super.getSoTimeout() was used.
Added two unit tests for testing timeouts with SSLSockets wrapped
around Socket. One is simply for getters/setters. The second makes
sure the timeout is functioning when set on the underlying socket.
Bug: 2973305
Change-Id: Idac52853f5d777fae5060a840eefbfe85d448e4c
rovider/jsse/OpenSSLSocketImpl.java
|
| d75cf432ba5c084e39ff7a24c388ca5c1c151db7 |
19-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
Use BufferedInputStream when reading cacerts.bks
Change-Id: Ibc20bdcadb5c3bc4bcebfeb96b10c42d9c05e7c8
rovider/jsse/TrustManagerFactoryImpl.java
|
| fe20355288377b2d80ce5eb3aaaa548b0af04c8e |
17-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
am e3babe52: am 69a153da: am 760b683e: Restore OpenSSLMessageDigestJDK.digest reset behavior
Merge commit 'e3babe523df804f88d2371645c2c7e1731411ac2' into dalvik-dev
* commit 'e3babe523df804f88d2371645c2c7e1731411ac2':
Restore OpenSSLMessageDigestJDK.digest reset behavior
|
| 760b683ed34f2e62fc4ab1d483988bee515af03e |
17-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
Restore OpenSSLMessageDigestJDK.digest reset behavior
SSLEngine tests started failing due to the recent incorrect change to
OpenSSLMessageDigestJDK.digest() that removed the reset of
MessageDigest state on call to digest(). The problem was not that the
digest was resetting, but that it was resetting to use a SHA-0
algorithm. See recent change c38b8476e7e4bd4b091d9f0e8fe8b2b972e7bc81.
Change-Id: I40ef4e18a1b546eac5a487cb8a808d4897b301b0
rovider/jsse/OpenSSLMessageDigestJDK.java
|
| 65f89458ba2929e1e806b7463c1e36e94f75e506 |
17-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
am dc1c4756: am 156f071f: am a3a93d45: Merge "OpenSSLMessageDigestJDK.reset should not change from SHA-1 to SHA-0" into gingerbread
Merge commit 'dc1c475681e06d3f9bdd9cd4aab31145ba20c542' into dalvik-dev
* commit 'dc1c475681e06d3f9bdd9cd4aab31145ba20c542':
OpenSSLMessageDigestJDK.reset should not change from SHA-1 to SHA-0
|
| f8fd3aced841e19bf3552fe81289297302a4f3a5 |
17-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
am e6b59c28: am 9e8d51c7: am a3de55dd: Implement OpenSSLMessageDigestJDK.clone and fix OpenSSLMessageDigestJDK.digest
Merge commit 'e6b59c287ed3007d76167dd9741dc683f440ed2d' into dalvik-dev
* commit 'e6b59c287ed3007d76167dd9741dc683f440ed2d':
Implement OpenSSLMessageDigestJDK.clone and fix OpenSSLMessageDigestJDK.digest
|
| c38b8476e7e4bd4b091d9f0e8fe8b2b972e7bc81 |
17-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
OpenSSLMessageDigestJDK.reset should not change from SHA-1 to SHA-0
For SHA-1, the OpenSSLMessageDigestJDK constructor was called with the
algorithm name "SHA-1", which it passed to the superclass constructor
for use as the algorithm field. However, MessageDigest.getInstance
would then override this value with the its own algorithm argument. In the
case of getInstance("SHA"), this mean the constructor would set the
value to "SHA-1" (from the OpenSSLMessageDigestJDK.SHA1 subclass
constructor) which would then be overridden by getInstance to
"SHA". Because the OpenSSLMessageDigestJDK would then initialize using
"SHA-1", the MessageDigest worked in the common case. However, when it
was MessageDigest.reset(), it called getAlgorithm() which returned
"SHA", which was then passed to OpenSSL as "sha" which interpretted
this as "SHA-0".
The fix is to change to pass both a standard name (e.g "SHA-1") as
well as openssl name expliclty (e.g. "sha1"), removing the somewhat
hacky code that tried to algorithmically transform from the standard
names to the openssl ones.
The same fix needs to be made to OpenSSLDigest. We also are removing
SHA-0 from openssl since it is unneeded and would have cause an clear
error if it had been absent.
Change-Id: Iaa8f5b93a572fb043fa4f2618070ebb5054f82b1
rovider/jsse/OpenSSLMessageDigestJDK.java
|
| a3de55ddf81f95c7c0fc1b8767ccb1ecfa251c83 |
16-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
Implement OpenSSLMessageDigestJDK.clone and fix OpenSSLMessageDigestJDK.digest
DigestInputStream2Test.test_onZ was failing because OpenSSLMessageDigestJDK did not implement Clonable
- Implementing Clonable required a new NativeCrypto.EVP_MD_CTX_copy method
- While adding NativeCrypto.EVP_MD_CTX_copy, noticed other methods
were not properly named in NativeCrypto.EVP_MD_CTX_* convention.
- Converted rest of NativeCrypto.cpp to JNI_TRACE logging while debugging
DigestOutputStreamTest.test_onZ was failing because OpenSSLMessageDigestJDK.digest did an engineReset
- Removing the engineReset revealed that digest() could not be called
repeatedly on an OpenSSLMessageDigestJDK. Problem was that
EVP_DigestFinal can only be called once per digest.
- Changed engineDigest implementation to use new EVP_MD_CTX_copy to
create a temp EVP_MD_CTX which can be used to retreive the digest
and then discarded.
Bug: 2997405
Change-Id: Ie97c22be245911300d2e729e451a9c4afdb27937
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLMessageDigestJDK.java
rovider/jsse/OpenSSLSignature.java
|
| 6cab4071580a4b216d943b337af118533c65e495 |
15-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
resolved conflicts for merge of 4b60175b to dalvik-dev
Change-Id: I63d0c5949be0984dcd7939205463eefabde8af05
|
| bb986f53228cc355f60ea933fda216842bb1df73 |
15-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
am 1ca26549: am 912db46c: am 6812a2e8: Rename internal SSLParameters to SSLParametersImpl to avoid collision with new javax.net.ssl.SSLParameters
Merge commit '1ca26549fbe0f4bc171ba7bf8ab0a86ae591c618' into dalvik-dev
* commit '1ca26549fbe0f4bc171ba7bf8ab0a86ae591c618':
Rename internal SSLParameters to SSLParametersImpl to avoid collision with new javax.net.ssl.SSLParameters
|
| ca88b4c628937cd6afc9476773cc334d6d32de8c |
15-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
am 99eec0d3: am 9b6ed9bf: am 2b6188df: Merge "Remove SSLContextImpl.engineInit(..) that takes persistent cache arguments" into gingerbread
Merge commit '99eec0d31a89366c9c765db845a022fa6cf7cf42' into dalvik-dev
* commit '99eec0d31a89366c9c765db845a022fa6cf7cf42':
Remove SSLContextImpl.engineInit(..) that takes persistent cache arguments
|
| df349b3eaf4d1fa0643ab722173bc3bf20a266f5 |
14-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
Fix HttpsURLConnectionTest failures
Focusing on HttpsURLConnectionTest.test_doOutput found a number of
unrelated issues, all of which are addressed by this change:
- {HttpURLConnection,HttpsURLConnection}.connect not ignored on subsequent calls
- OpenSSLSessionImpl.{getPeerCertificates,getPeerCertificateChain} did not include client certificate
- OpenSSLSocketImpl.getSession did not skip handshake when SSLSession was already available
- Fix 3 test issues in HttpsURLConnectionTest
- Fix 2 test issues in NativeCryptoTest
Details:
HttpsURLConnectionTest tests (such as test_doOutput) that
tried to call URLConnection.connect() at the end of the test
were raising exception. The RI URLConnection.connect
documentation says calls on connected URLConnections should be ignored.
Use "connected" instead of "connection != null" as reason to ignore "connect"
luni/src/main/java/org/apache/harmony/luni/internal/net/www/protocol/http/HttpURLConnectionImpl.java
luni/src/main/java/org/apache/harmony/luni/internal/net/www/protocol/https/HttpsURLConnectionImpl.java
Converted one caller of getPeerCertificateChain to
getPeerCertificates which is the new fast path. Track
OpenSSLSessionImpl change to take "java" vs "javax" certificates.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/AbstractSessionContext.java
Move SSL_SESSION_get_peer_cert_chain to be SSL_get_peer_cert_chain
(similar to SSL_get_certificate). The problem was that
SSL_SESSION_get_peer_cert_chain used SSL_get_peer_cert_chain which
in the server case did not include the client cert itself, which
required a call to SSL_get_peer_certificate, which needed the
SSL instance pointer.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/native/NativeCrypto.cpp
Improved NativeCrypto_SSL_set_verify tracing
luni/src/main/native/NativeCrypto.cpp
As a side effect of the move to
NativeCrypto.SSL_get_peer_certificate, it no longer made sense to
lazily create the peer certificate chain since the SSLSession
should not depend on a particular SSL instance. The peer chain is
now passed in as part of the constructor and the peerCertifcates
in the OpenSSLSession can be final (also made localCertificates
final). Since peerCertifcates is the newew (java not javax) API
and more commonly used, it is what is created from the native
code, and peerCertificateChain is not derived from peerCertifcates
instead of vice versa.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java
Factored out code to used to create local certificate chain to
from array of DER byte arrays into createCertChain so it can be
reused to create peer certificate chain.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Fix OpenSSLSocketImpl.getSession to check for existing sslSession
to and skip handshake, which was causing an exception if the
connection had already been closed.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Fix test issues: Removed PrintStream wrapper of System.out which
was causing vogar to lose output. Added null check in closeSocket,
which can happen in timeout case. Removed use of
InputStream.available which in OpenSSLSocket case returned 0,
causing test to fail incorrectly.
luni/src/test/java/org/apache/harmony/luni/tests/internal/net/www/protocol/https/HttpsURLConnectionTest.java
Updating to track change to SSL_get_peer_cert_chain. Also fixed
some other unrelated test failures caused by IOException on
shutdown and false start (aka SSL_MODE_HANDSHAKE_CUTTHROUGH)
causing clientCallback.handshakeCompleted to be false.
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
Bug: b/2981767
Change-Id: Id083beb6496558296c2f74f51ab0970e158b23a9
rovider/jsse/AbstractSessionContext.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/OpenSSLSocketImpl.java
|
| 6812a2e8bb43d9a875633a9ba255d9882c63e327 |
14-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
Rename internal SSLParameters to SSLParametersImpl to avoid collision with new javax.net.ssl.SSLParameters
Bug: 2672817
Change-Id: Iadf21b848eaf8850fce22721b9ba3739ab2e9fca
rovider/jsse/HandshakeProtocol.java
rovider/jsse/OpenSSLServerSocketFactoryImpl.java
rovider/jsse/OpenSSLServerSocketImpl.java
rovider/jsse/OpenSSLSocketFactoryImpl.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/OpenSSLSocketImplWrapper.java
rovider/jsse/SSLContextImpl.java
rovider/jsse/SSLEngineImpl.java
rovider/jsse/SSLParameters.java
rovider/jsse/SSLParametersImpl.java
rovider/jsse/SSLServerSocketFactoryImpl.java
rovider/jsse/SSLServerSocketImpl.java
rovider/jsse/SSLSocketFactoryImpl.java
rovider/jsse/SSLSocketImpl.java
rovider/jsse/SSLSocketWrapper.java
|
| ca99759b4f2aac2f796b430b74a8d3caff9d484a |
14-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
Remove SSLContextImpl.engineInit(..) that takes persistent cache arguments
Bug: 2672817
Change-Id: I201815857e4452498c746139b8d64b7721bc22cc
rovider/jsse/SSLContextImpl.java
|
| d41c277b12ce7b63bf93cfad48d5280c8d036712 |
09-Sep-2010 |
Brad Fitzpatrick <bradfitz@android.com> |
am e00dd470: am f9efa849: am 5900e554: Use BlockGuard for OpenSSL sockets.
Merge commit 'e00dd4703c3b7e895059ba7cc7399dda0cba2580' into dalvik-dev
* commit 'e00dd4703c3b7e895059ba7cc7399dda0cba2580':
Use BlockGuard for OpenSSL sockets.
|
| 5900e5546059f05d5e58e5732e4d08d83b8b7574 |
09-Sep-2010 |
Brad Fitzpatrick <bradfitz@android.com> |
Use BlockGuard for OpenSSL sockets.
StrictMode wasn't catching network usage via SSL.
Bug: 2976407
Change-Id: I31fe09861e3aca7b26724b94af88687fb6b9442b
rovider/jsse/OpenSSLSocketImpl.java
|
| 6670318007799f403594f0760382b8c23f7dda0f |
02-Sep-2010 |
Jesse Wilson <jessewilson@google.com> |
Make fields final where possible.
See http://b/issue?id=2099637
Change-Id: I2a237d876c7acbe629e69d5c31d05737908f4606
rovider/jsse/ProtocolVersion.java
rovider/jsse/SSLRecordProtocol.java
|
| ae43834bd7046b4758d086bd8264a556b99ac5ea |
01-Sep-2010 |
Jesse Wilson <jessewilson@google.com> |
Merge "Fix classes that implement equals() but not hashCode()." into dalvik-dev
|
| 01e1686574d5e2722a75175fbae696381bd150c0 |
01-Sep-2010 |
Jesse Wilson <jessewilson@google.com> |
Fixing a dead store in Finished.
See bug 2099918.
Change-Id: I12f0a53bc5aeacea3ba97820dcd6525e1bf23405
rovider/jsse/Finished.java
|
| 5d34c74a617a477b215d62646aae04fe321e9795 |
01-Sep-2010 |
Jesse Wilson <jessewilson@google.com> |
Fix classes that implement equals() but not hashCode().
See http://b/2099681
Change-Id: If358af98ccca44c544942b837c25e00e6553e916
rovider/jsse/CipherSuite.java
rovider/jsse/ProtocolVersion.java
|
| 5f2e6872311240319509aed64d9f58cd5b64719b |
23-Aug-2010 |
Brian Carlstrom <bdc@google.com> |
SSLSocket.read should throw SocketException not NullPointerException
OpenSSLSocketImpl now uses checkOpen similar to Socket's
checkOpenAndCreate to ensure that SocketExceptions are thrown if
certain operations are tried after the socket is closed.
Also added *_setUseClientMode_afterHandshake tests for SSLSocket and
SSLEngine. We properly through IllegalArgument exception in this case,
but it wasn't covered by the tests previously.
Bug: 2918499
Change-Id: I393ad39bed40a33725d2c0f3f08b9d0b0d3ff85f
rovider/jsse/OpenSSLSocketImpl.java
|
| bc9563c38b92da7fc2a02fd02fafcc7f43a725ae |
17-Aug-2010 |
Brian Carlstrom <bdc@google.com> |
am bfc0713b: am 12e10c1c: b/2914872: fix concurrent initialization problem with peer certificate chain fields
Merge commit 'bfc0713bb26ec11c2000ba64439b3abdcb72a0bf' into dalvik-dev
* commit 'bfc0713bb26ec11c2000ba64439b3abdcb72a0bf':
b/2914872: fix concurrent initialization problem with peer certificate chain fields
|
| 12e10c1c6f9324693b1dad96ab57fada2b771f11 |
17-Aug-2010 |
Brian Carlstrom <bdc@google.com> |
b/2914872: fix concurrent initialization problem with peer certificate chain fields
Change-Id: Ib76dd826c8f3616d4a3aed608aef432a1b99f3d6
rovider/jsse/OpenSSLSessionImpl.java
|
| 7365de1056414750d0a7d1fdd26025fd247f0d04 |
12-Aug-2010 |
Jesse Wilson <jessewilson@google.com> |
Sorting imports.
Change-Id: I8347bc625480a1c37a1ed9976193ddfedeb00bbc
rovider/jsse/AlertProtocol.java
rovider/jsse/CertificateMessage.java
rovider/jsse/CertificateRequest.java
rovider/jsse/CertificateVerify.java
rovider/jsse/CipherSuite.java
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/ClientKeyExchange.java
rovider/jsse/ConnectionState.java
rovider/jsse/ConnectionStateTLS.java
rovider/jsse/DelegatedTask.java
rovider/jsse/DigitalSignature.java
rovider/jsse/FileClientSessionCache.java
rovider/jsse/Finished.java
rovider/jsse/HandshakeIODataStream.java
rovider/jsse/HelloRequest.java
rovider/jsse/IndexedPKIXParameters.java
rovider/jsse/KeyManagerFactoryImpl.java
rovider/jsse/KeyManagerImpl.java
rovider/jsse/Message.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSignature.java
rovider/jsse/OpenSSLSocketFactoryImpl.java
rovider/jsse/PRF.java
rovider/jsse/SSLBufferedInput.java
rovider/jsse/SSLEngineAppData.java
rovider/jsse/SSLEngineImpl.java
rovider/jsse/SSLRecordProtocol.java
rovider/jsse/SSLServerSocketFactoryImpl.java
rovider/jsse/SSLServerSocketImpl.java
rovider/jsse/SSLSessionImpl.java
rovider/jsse/SSLSocketFactoryImpl.java
rovider/jsse/SSLSocketImpl.java
rovider/jsse/SSLSocketInputStream.java
rovider/jsse/ServerHandshakeImpl.java
rovider/jsse/ServerHello.java
rovider/jsse/ServerHelloDone.java
rovider/jsse/ServerKeyExchange.java
rovider/jsse/TrustManagerFactoryImpl.java
|
| 4559b1d37edcb5d7f1da086cf2e3290388d74f46 |
23-Jul-2010 |
Brian Carlstrom <bdc@google.com> |
Support for TLS Extensions enabled SSLSockets with fallback to vanila SSL
See also b/1569612
Summary:
- OpenSSlSocket support for SNI, session tickets, compression
- URLConnection mimics Chrome behavior of trying connection with these enabled,
falling back to SSL w/o encryption on failure
Details:
libcore
URLConnection https retry
Change HttpConnection.getSecureSocket to enable non-standard features on first
connection attempt. On second attempt, we back off to SSLv3 from
TLSv1, mimicking Chrome's behavior.
luni/src/main/java/org/apache/harmony/luni/internal/net/www/protocol/http/HttpConnection.java
Change HttpsEngine.connect to implement SSL reconnect
luni/src/main/java/org/apache/harmony/luni/internal/net/www/protocol/https/HttpsURLConnectionImpl.java
OpenSSL SSLSocket implementation
OpenSSLSocketImpl and OpenSSLServerSocketImpl now have an array of
enabled compression methods interface and implementation to
parallel that of procotols and ciphersuites.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
OpenSSLSessionImpl now has a cache of the native
compressionMethod. Also replaced "gives" javadoc working with
"returns".
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java
OpenSSLSocketImpl session caching now needs to skip cached
sessions with mismatched compression requirements.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
OpenSSLSocketImpl.startHandshake now uses NativeCrypto to support
our non-standard extensions.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
NativeCrypto changes
- Added declaration of SSL options for tickets and compression.
- Added general "compression methods" interface
paralleling "cipher suites" and "protocols" interfaces.
- Added SSL_set_tlsext_host_name to set SNI (Server Name Indication) value
- Added SSL_get_servername to read SNI (Server Name Indication) value
- Added SSL_SESSION_compress_meth read negotiated compression method
- SSL_new makes sure to default compression to off for compatibility
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/native/NativeCrypto.cpp
Testing
Added URLConnectionTest.testConnectViaHttpsWithSSLFallback to make
sure we properly retry an https connection if the server
terminates unexpectedly. Fixed up
URLConnectionTest.testHttpsWithCustomTrustManager with new
expected certificate chain. Fixed a few mistaken
TestSSLContext.serverContext uses to clientContext
luni/src/test/java/java/net/URLConnectionTest.java
Added test_SSL_set_tlsext_host_name, test_SSL_get_servername,
test_SSL_SESSION_compress_meth. Added a number of missing fail()
calls in expected exception cases which caught one test with
mistaken expectations. Removed some unnecessary scopes. Fixed some
badly scoped catch blocks.
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
Changed MockWebServer to support a new MockResponse propery of
disconnectAtStart, which immediately terminates the connection
support/src/test/java/tests/http/MockResponse.java
support/src/test/java/tests/http/MockWebServer.java
external/openssl
Restore -ZLIB to OpenSSL build. Note that NativeCrypto.SSL_new
disables compression by for default SSLSocket for compatibility.
android-config.mk
Force clean build with new CFLAGS
CleanSpec.mk
Change-Id: Iba6268f9096f2be43f0d30de151dd3fd0aea4a81
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLServerSocketImpl.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/OpenSSLSocketImpl.java
|
| 6882e31b7ce2d04ebbc91c7a55d7840e8fdce8a5 |
20-Jul-2010 |
Brian Carlstrom <bdc@google.com> |
Bring SSLSocketImpl and SSLEngine in line with OpenSSLSocketImpl's cipher suites
Wrote an interoperability test between our OpenSSL and SSLEngine
based SSLSocket implementations. Used it to flush out problems between
the implementations, which mostly were in the non-native implementation.
Filling out the SSLEngine (and therefore non-native SSLSocket) support
led to the list of supported and default cipher suites now being the
same as out OpenSSL SSLSocket. Most of the work was making the the
NULL, RC4, and AES ciphers work with SSLEngine as well as some minor
bug fixes in related code.
Summary:
- changing test_SSLSocket_getSupportedCipherSuites_connect to try all
combinations of our two SSLContext/SSLSocket implementations
- fixed SSLEngine with *_WITH_NULL_* CipherSuites to use javax.crypto.NullCipher
- added *_AES_* cipher suites to SSLEngine (and therefore Java SSLSocketImpl)
- remove *_DH_* cipher suites which are not supported by the RI or our OpenSSL implementation
- fixed Java SSLSocket to not handshake on accept so will pass the basic SSLSocketTest
- added new KeyManagerFactoryTest while testing "DH_" cipher suite key types
This change depends on restoring bouncycastle's RC4 implementation (separate CL in external/bouncycastle)
Details:
Fixed SSLEngine with *_WITH_NULL_* CipherSuites by use javax.crypto.NullCipher
expectations/knownfailures.txt
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ConnectionStateSSLv3.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ConnectionStateTLS.java
Previously I had changed the string name of CipherSuites from
"TLS_..." to "SSL_..." where appropriate to match the RI. Since I was
doing maintenance on overall list, I renamed the CODE_TLS_... and
TLS_... static fields as well to match.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSessionImpl.java
Removed IDEA and RC2 CipherSuites to make it clear they are not
supported. While technically this happened as a side effect of the
assignment "supported = false" if the CipherSuite failed to load, we
truly intend not to support these. Also removed SSH_DH_* suites which
don't work with DSA keys and aren't supported by the RI or our OpenSSL
implementation.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
Old connection state code assumed that if a cipher was blocked, the
block size was 8 bytes. This is not true for the 16 byte AES ciphers.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ConnectionState.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ConnectionStateSSLv3.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ConnectionStateTLS.java
No wonder our OpenSSL implementation incorrect did a startHandshake
when accepting the socket... it got it from the Java implementation.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLServerSocketImpl.java
Test for KeyManagerFactory (and KeyManager). TestKeyStore now creates
KeyManagers and TrustManagers from the keystore as a convenience for
KeyManagerFactoryTest (instead of having the code in the
TestSSLContext where we didn't keep a pointer to the created values).
luni/src/test/java/javax/net/ssl/KeyManagerFactoryTest.java
support/src/test/java/java/security/StandardNames.java
support/src/test/java/java/security/TestKeyStore.java
support/src/test/java/javax/net/ssl/TestSSLContext.java
Remove CIPHER_SUITES_SSLENGINE now that its the same as CIPHER_SUITES
luni/src/test/java/javax/net/ssl/SSLEngineTest.java
support/src/test/java/java/security/StandardNames.java
test_SSLSocket_getSupportedCipherSuites_connect now does
interoperability testing not just between the default SSLContext's
SSLSockets but between the four combinations of our two SSLContext. It
also now sends some test data bi-directionally between the client and
server.
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Changed TestSSLContext.create to allow a different Provider for the
client and server SSLContexts.
luni/src/test/java/javax/net/ssl/SSLEngineTest.java
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
support/src/test/java/javax/net/ssl/TestSSLContext.java
RC4 is now available in bouncycastle for the non-OpenSSL SSLContext to
use for parity with the OpenSSL implementation.
support/src/test/java/java/security/StandardNames.java
Changed TestSSLSocketPair to use Futures like NativeCryptoTest so its
easier to choose between client and server errors while debuging.
support/src/test/java/javax/net/ssl/TestSSLSocketPair.java
Removed bogus import
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
Change-Id: I080c0343a3f86f27b7c191a7b80b585b9ca52d93
rovider/jsse/CipherSuite.java
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/ConnectionState.java
rovider/jsse/ConnectionStateSSLv3.java
rovider/jsse/ConnectionStateTLS.java
rovider/jsse/SSLServerSocketImpl.java
rovider/jsse/SSLSessionImpl.java
rovider/jsse/ServerHandshakeImpl.java
|
| ef628d1464e57552403ad43366e153c1ef50b926 |
19-Jul-2010 |
Brian Carlstrom <bdc@google.com> |
New NativeCryptoTest, NativeCrypto.{SSL_set_client_CA_list, SSL_renegotiate}, fixes for other minor bugs exposed by test
Summary:
- New NativeCryptoTest covering NativeCrypto SSL APIs
- Added SSL_set_client_CA_list for server to specify acceptable client cert issues
- Added SSL_renegotiate for renegoiation testing
- Removed unneeded d2i_SSL_SESSION argument
- Added OpenSSLSocketImpl read/write bounds checking
- Added NULL checks on AppData to avoid native crashes on use of SSL before handshake
Details:
Corrected NativeCrypto thrown exceptions based on
NativeCryptoTest. Of note, we now throw NullPointerException
instead of SSLException for simple null issues in NativeCrypto.cpp
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java
luni/src/main/native/NativeCrypto.cpp
Created NativeCrypto.{encodeCertificates,encodeIssuerX509Principals} to
factor out some code out of OpenSSLSocketImpl that any user of
NativeCrypto.{SSL_use_certificate, SSL_set_client_CA_list} would
find useful.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Added SSL_set_client_CA_list to allow server to provide list of
issuers acceptable for client certifcates.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
luni/src/main/native/NativeCrypto.cpp
Added SSL_renegotiate to allow unit testing of SSL renegoiation.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/native/NativeCrypto.cpp
Removed d2i_SSL_SESSION size argument since it should be same as length of other argument
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java
luni/src/main/native/NativeCrypto.cpp
Added bounds checking to getInputStream.read(byte[], ...) and
getOutputStream().write(byte[], ...)
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Added NULL checks on AppData to avoid native crashes.
luni/src/main/native/NativeCrypto.cpp
New test of NativeCrypto SSL APIs
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
Change-Id: I2fb7a40761e66320f73b02880e6e43def9594497
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/OpenSSLSocketImpl.java
|
| e3a187163504f00c98bd75cbd8bcbdde123ae2cd |
14-Jul-2010 |
Brian Carlstrom <bdc@google.com> |
Fix PKCS12 and BKS KeyStore as well as SSL renegotiation
Summary:
- Added KeyStoreTest and fixed PKCS and BKS keystores to be fully functional
- KeyStore and KeyStoreImpl improvements in libcore and bouncycastle for more RI-like behavior
- SSL Renegotiation fix for new implementation
Details:
external/bouncycastle
TwoFish added back for BKS KeyStore. Like RC2, it not supported as
a general cipher, but instead used internally for KeyStore
implementation.
src/main/java/org/bouncycastle/crypto/engines/TwofishEngine.java
bouncycastle.config
Added back PBEWITHSHAANDTWOFISH, PBEWITHSHAANDTWOFISH-CBC,
PBEWITHSHA1ANDRC2-CBC, PBEWITHHMACSHA, PBEWITHHMACSHA1 to support
PKCS12 and BKS KeyStore implementations (as determined by new
KeyStoreTest)
src/main/java/org/bouncycastle/jce/provider/BouncyCastleProvider.java
src/main/java/org/bouncycastle/jce/provider/JCEBlockCipher.java
src/main/java/org/bouncycastle/jce/provider/JCEMac.java
src/main/java/org/bouncycastle/jce/provider/JCESecretKeyFactory.java
Don't throw an error when deleting a non-existing KeyStore entry. The
RI documentation (and behavior) says it throws an error when it fails
to remove an entry, not when the entry does not exist.
src/main/java/org/bouncycastle/jce/provider/JDKKeyStore.java
src/main/java/org/bouncycastle/jce/provider/JDKPKCS12KeyStore.java
Try to make BC's PKCS KeyStore have a more RI-like getCreationDate behavior
src/main/java/org/bouncycastle/jce/provider/JDKPKCS12KeyStore.java
Make BC's PKCS KeyStore failfast on setting non-supported key,
instead of failing later on get.
src/main/java/org/bouncycastle/jce/provider/JDKPKCS12KeyStore.java
Make BC's PKCS KeyStore handle setting a PrivateKey with an emtpy chain.
src/main/java/org/bouncycastle/jce/provider/JDKPKCS12KeyStore.java
Add more general avoidance of NullPointerExceptions on null aliases
src/main/java/org/bouncycastle/jce/provider/JDKPKCS12KeyStore.java
Added notes about changes improvements
patches/README
Regenerated patch with above changes
patches/android.patch
libcore
KeyStore improvements based on KeyStoreTest
- Fix UnrecoverableKeyException to be a subclass of
UnrecoverableEntryException, which was keeping the new
KeyStoreTest from compiling.
luni/src/main/java/java/security/UnrecoverableKeyException.java
- Fix to not convert UnrecoverableKeyException to KeyStoreException,
which was only being done because of the UnrecoverableKeyException
superclass bug.
luni/src/main/java/java/security/KeyStoreSpi.java
- Harmony KeyStore was being overly aggresive about throwing on null
alias arguments in cases where the RI was happy to pass them to the
KeyStoreSpi.
luni/src/main/java/java/security/KeyStore.java
- New test after PKCS12 regresion. It enumerates and excercises
all methods on all available KeyStore
implementations. Unfortunately, the main varieties of KeyStores
made this a lot more complicated than I was originally
expecting. It does clarifiy the differences between the RI and
BC KeyStore implementations, especially for PKCS12, where in
some ways the RI is more feature complete (setting key via
byte[]), but in other ways BC goes beyond some RI limitations
(allowing storage of certificates).
luni/src/test/java/java/security/KeyStoreTest.java
TestKeyStore improvements while writing KeyStoreTest
- Renamed "keyStorePassword" working usages to clarify if it really
means the "storePassword" on the whole KeyStore, or if it is a
"keyPassword" on individual keys.
- Moved TestKeyStore from javax.net.ssl to java.security
luni/src/test/java/javax/net/ssl/SSLContextTest.java
luni/src/test/java/javax/net/ssl/SSLEngineTest.java
luni/src/test/java/javax/net/ssl/SSLSessionTest.java
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
support/src/test/java/java/security/StandardNames.java
support/src/test/java/java/security/TestKeyStore.java
support/src/test/java/javax/net/ssl/TestKeyStore.java
support/src/test/java/javax/net/ssl/TestSSLContext.java
Fixing up SSL renegotiation support. Now that we are not trying to
prevent renegotiation, make sure it is working correctly.
- Remove SSL_VERIFY_CLIENT_ONCE to take the default behavior of
re-requesting client certificate on renegotiation.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
- Updated comments to reflect renegotiation. Bug fix to not clear
out callback reference on handshake complete, since we need it for
renegotiation.
luni/src/main/native/NativeCrypto.cpp
Updated for PKCS12 KeyStore support
support/src/test/java/java/security/StandardNames.java
Added javadoc when writint KeyStoreTest
luni/src/test/java/java/security/ProviderTest.java
frameworks/base
Tracking changes to UnrecoverableKeyException superclass
api/8.xml
api/current.xml
Change-Id: I6349dbfc02896417595b52e364ade8000b567615
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
| 059dbc04218144f985b20a228bbe98139d400d0c |
08-Jul-2010 |
Brian Carlstrom <bdc@google.com> |
Improved client certificate and certificate chain support
Summary:
- openssl: add openssl support for specifying per key certificate chains
- libcore: properly implement client certificate request call back
- libcore: properly implement sending certificate chain
- libcore: properly implement retreiving local certificate chain
- libcore: added an SSLContext for non-OpenSSL SSLSocket creation
Details:
external/openssl
Improve patch generate support by applying all other patches to
baseline to remove cross polluting other patch changes into target
patch. Move cleanup of ./Configure output to import script from
openssl.config.
import_openssl.sh
openssl.config
Adding SSL_use_certificate_chain and SSL_get_certificate_chain to
continue to finish most of remaining JSSE issues.
include/openssl/ssl.h
ssl/s3_both.c
ssl/ssl.h
ssl/ssl_locl.h
ssl/ssl_rsa.c
Updated patch (and list of input files to patch)
patches/jsse.patch
openssl.config
libcore
Restoring SSLContextImpl as provider of non-OpenSSL SSLSocketImpl
instances for interoperability testing. OpenSSLContextImpl is the
new subclass that provides OpenSSLSocketImpl. JSSEProvider
provides the old style SSLContexts, OpenSSLProvider provides the
OpenSSL SSLContext, which includes the "default" context. Changed
to register SSLContexts without aliases to match the RI.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/JSSEProvider.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLProvider.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/DefaultSSLContextImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLContextImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java
Native interface updates to support OpenSSLSocketImpl improvements
- KEY_TYPES now expanded based on what we are being provided by OpenSSL.
keyType function now maps key type values received from
clientCertificateRequested callback.
- Removed remaining uses of string PEM encoding, now using ASN1 DER consistently
Includes SSL_SESSION_get_peer_cert_chain, verifyCertificateChain
- Fixed clientCertificateRequested to properly include all key
types supported by server, not just the one from the cipher
suite. We also now properly include the list of supported CAs to
help the client select a certificate to use.
- Fixed NativeCrypto.SSL_use_certificate implementation to use new
SSL_use_certificate_chain function from openssl to pass chain to
OpenSSL.
- Added error handling of all uses of sk_*_push which can fail due to out of memory
- Fixed compile warning due to missing JNI_TRACE argument
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/native/NativeCrypto.cpp
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Pass this into chooseServerAlias call as well in significantly revamped choseClientAlias
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Minor code cleanup while reviewing diff between checkClientTrusted and checkServerTrusted
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
Improvements to SSL test support to go along with client
certificate and certificate chain changes. TestSSLContext now has
separate contexts for the client and server (as well as seperate
key stores information). TestKeyStore now is more realistic by
default, creating a CA, intermediate CA, and separate client and
server certificates, as well as a client keystore that simply
contains the CA and no certificates.
support/src/test/java/javax/net/ssl/TestKeyStore.java
support/src/test/java/javax/net/ssl/TestSSLContext.java
Tests tracking API changes. Tests involving cert chains now now
updated to use TestKeyStore.assertChainLength to avoid hardwiring
expected chain length in tests. These tests also now use
TestSSLContext.assertClientCertificateChain to validate that the
chain is properly constructed and trusted by a trust manager.
luni/src/test/java/java/net/URLConnectionTest.java
luni/src/test/java/javax/net/ssl/SSLContextTest.java
luni/src/test/java/javax/net/ssl/SSLEngineTest.java
luni/src/test/java/javax/net/ssl/SSLSessionContextTest.java
luni/src/test/java/javax/net/ssl/SSLSessionTest.java
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
support/src/test/java/java/security/StandardNames.java
support/src/test/java/javax/net/ssl/TestSSLEnginePair.java
support/src/test/java/javax/net/ssl/TestSSLSocketPair.java
frameworks/base
Tracking change of SSLContextImpl to OpenSSLContextImpl
core/java/android/net/SSLCertificateSocketFactory.java
core/java/android/net/http/HttpsConnection.java
tests/CoreTests/android/core/SSLPerformanceTest.java
tests/CoreTests/android/core/SSLSocketTest.java
Tracking changes to TestSSLContext
core/tests/coretests/src/android/net/http/HttpsThroughHttpProxyTest.java
Change-Id: Ie35ebce89966dfce62c316f7fe7252bf06935680
rovider/jsse/DefaultSSLContextImpl.java
rovider/jsse/JSSEProvider.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLContextImpl.java
rovider/jsse/OpenSSLProvider.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/SSLContextImpl.java
rovider/jsse/TrustManagerImpl.java
|
| ccbe3404e0691dab506d017550658e8e5974c83e |
10-Jul-2010 |
Elliott Hughes <enh@google.com> |
Use 'dst' (or an even more appropriate name where possible) rather than 'dest'.
(The ArrayIndexOutOfBoundsException for System.arraycopy already talks
about 'dst' and 'dstPos'.)
Change-Id: Iba9415dd4a9ec3b457938ea4469b4a0024bab6e4
rovider/jsse/HandshakeIODataStream.java
|
| b7eec62f6db198a76b67d7915b03e59189c6df4f |
02-Jul-2010 |
Brian Carlstrom <bdc@google.com> |
TestKeyStore only use RSA by default & fixing SSLEngine client auth with DSA client and RSA server
Summary:
Goal here was to just make most tests faster by only having
TestKeyStore create RSA keys by default. However, when I did that
SSLEngineTest#test_SSLEngine_clientAuth started working, so I ended up
investigating a much deeper issue with DSA client authentication
against an RSA SSLEngine server.
Details:
Changed the TestKeyStore.get singleton to only contain RSA
keys. TestKeyStore.create now requires the caller enumerate what
keys they want if they need more than that or an alternative.
support/src/test/java/javax/net/ssl/TestKeyStore.java
Changed test_SSLSocket_getSupportedCipherSuites_connect to
explicitly request RSA and DSA keys since it needs both to try
connecting all possible cipher suites.
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Fixing SSLEngine client authentication when server uses RSA but client uses DSA
Fixed java.net.ssl.SSLEngineTest#test_SSLEngine_clientAuth
expectations/knownfailures.txt
Added CiperSuite.authType field which contains the algorithm name
such as RSA, DSA, DH, that the client will use to authenticate the
server. Like the cipherName, hmacName, and hashName, this is
logically derivable from the the CiperSuite.KEY_EXCHANGE_*, but we
remember it to avoid repeatedly doing large cascading "if" tests to
determine which key algorithm should be used for each
case.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
Fixed a number of client certificate authentication bugs in SSLEngine
- Changed ClientHandshakeImpl's in the SSL/Tls Certificate message
code to mirror ServerHandshakeImpl's implementation to properly
use chooseEngineClientAlias in the SSLEngine case.
- Changed to use the client certifcates key algorithm for computing
the signature for the SSL/TLS CertificateVerify
message. Previously we used the cipher suites negoitated key
exchange method, but if the client may select a certificate with
a different algorithm if the server provides a CA for another
algorithm.
- Also changed to use CipherSuite.isAnonymous in two places rather
than the inlined equivalent.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java
Fixed client authentication to use the client's certificate (not
the server's) to do verify the CertificateVerify message signature.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java
Fixed bug in DigitalSignature which did not Signature.update in
verifySignature, so it could never have properly authenticated DSA
signatures.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/DigitalSignature.java
Added CertificateMessage getAuthType convenience
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CertificateMessage.java
Made CertificateRequest certificate_authorities final, found we were double allocating it
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CertificateRequest.java
Cleaning up imports of HandshakeProtocol while working on its subclasses.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/HandshakeProtocol.java
Cleaned up while looking at X509KeyManager implementations while debugging.
support/src/test/java/org/apache/harmony/xnet/tests/support/X509KeyManagerImpl.java
Change-Id: I74b98754c11000cbfea416f1571c380c9c67abf3
rovider/jsse/CertificateMessage.java
rovider/jsse/CertificateRequest.java
rovider/jsse/CipherSuite.java
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/DigitalSignature.java
rovider/jsse/HandshakeProtocol.java
rovider/jsse/ServerHandshakeImpl.java
|
| 7329fa972d9c20777444e5e1b13169d700de6567 |
29-Jun-2010 |
Brian Carlstrom <bdc@google.com> |
Fixes to support new dalvik.googlecode.com benchmarks
The following new benchmarks where tested with the below changes:
- DigestBenchmark
- MessageDigestBenchmark
- SSLSocketBenchmark
- SignatureBenchmark
Fix package name of OpenSSLProvider
luni/src/main/java/java/security/security.properties
Restore Java (vs OpenSSL) SSLSocket wrappers on SSLEngine for benchmarking
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLServerSocketFactoryImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLServerSocketImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketFactoryImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketInputStream.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketOutputStream.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketWrapper.java
Restore HandshakeProtocol.socketOwner code for SSLSocket to function
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/HandshakeProtocol.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java
Remove unneeded OpenSSLMessageDigestJDK.getInstance since these are
registered via OpenSSLProvider and SHA224 which is not part of the RI.
We had already removed the BouncyCastle version of this.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLMessageDigestJDK.java
luni/src/test/java/tests/targets/security/AllTests.java
luni/src/test/java/tests/targets/security/MessageDigestTestSHA224.java
luni/src/test/java/tests/targets/security/SignatureTestSHA224withRSA.java
Change-Id: I7daae7f0d9f50acad6df9157eac1b0133af83062
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/HandshakeProtocol.java
rovider/jsse/OpenSSLMessageDigestJDK.java
rovider/jsse/SSLServerSocketFactoryImpl.java
rovider/jsse/SSLServerSocketImpl.java
rovider/jsse/SSLSocketFactoryImpl.java
rovider/jsse/SSLSocketImpl.java
rovider/jsse/SSLSocketInputStream.java
rovider/jsse/SSLSocketOutputStream.java
rovider/jsse/SSLSocketWrapper.java
rovider/jsse/ServerHandshakeImpl.java
|
| 12cd1f00c2fa1a7f37bf644cecdf7588bdc0b0a9 |
23-Jun-2010 |
Brian Carlstrom <bdc@google.com> |
Remove libcore's dependency on bouncycastle
external/bouncycastle
- Change to be the primary build for bouncycastle sources (as opposed to part of libcore)
- Moved OpenSSLMessageDigest from libcore to OpenSSLDigest
It uses NativeCrypto API from core, but implements a bouncycastle specific interface
- restored registration of bouncycastle MessageDigests for SHA-1, SHA-256, MD5
OpenSSLProvider versions take precedence, but explicit provider of "BC" allows choice
- enabled native versions of SHA-384 and SHA-512
- pruned MD4 implementation
frameworks/base
- frameworks and CoreTests modules now depend on bouncycastle
- update preloades classes for NativeBN package change
- moved CryptoTest to libcore
libcore
- core now builds without bouncycastle sources
- core-tests, core-tests-support, core-tests-supportlib now depend on bouncycastle
- removed libcore/openssl directory, moving NativeBN to java/math
- minor cleanup of Provider, Security, Services style while working on ProviderTest
- added new OpenSSLProvider registered as first provider to have
priority over the others to ensure our native implementations are used
- moved BouncyCastle to have priority as a provider over Harmony
- JarVerifier and JarUtils now implicitly use OpenSSLMessageDigest
- Cleanedup OpenSSLSignature, implementation needs to be finished to move to OpenSSLProvider
- To avoid using PEMWriter from BouncyCastle, NativeCrypto now takes binary encoded certs and keys
This is more efficient as well avoiding the base64 decode/encode of the binary data
- removed SHA-224 to match the RI
packages/apps/CertInstaller
- CertificateInstaller module now depends on bouncycastle
this is the only app to depend on bouncycastle
system/core
- updated BOOTCLASSPATH
Change-Id: I6205366b12baec4331b4a76e2c85d8324bf64b2c
rovider/jsse/AbstractSessionContext.java
rovider/jsse/JSSEProvider.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLMessageDigest.java
rovider/jsse/OpenSSLProvider.java
rovider/jsse/OpenSSLSignature.java
rovider/jsse/OpenSSLSocketFactoryImpl.java
rovider/jsse/OpenSSLSocketImpl.java
|
| 06fb2e026572e4f67ac80c927d30e9be787bbe6e |
22-Jun-2010 |
Brian Carlstrom <bdc@google.com> |
Move IndexedPKIXParameters from external/bouncycastle to libcore to avoid cyclic build dependency
Change-Id: I65292321560c9f4551dc79fc7c6795f093638bbf
rovider/jsse/IndexedPKIXParameters.java
rovider/jsse/TrustManagerImpl.java
|
| e32b21f14d52bac429a9c54fe031f9e92c911d64 |
18-Jun-2010 |
Jesse Wilson <jessewilson@google.com> |
Implementing ZoneInfo.hasSameRules().
Moving TimeZoneTest to OldTimeZoneTest and removing test methods
that are duplicated between libcore and Harmony.
Also adding Objects.equals() to make implementing this easy,
and removing redundant time zone tests. I did a few searches
to find candidate code that could take advantage of this new
utility method and adopted it there.
Change-Id: I133298f1b36d755bd35c1ad0dc0ab366fd164270
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/SSLSessionImpl.java
|
| 79f07cc86be9abc27d0da7df3245ba4bab809ae6 |
12-Jun-2010 |
Elliott Hughes <enh@google.com> |
Improve MessageDigest documentation.
As explained in the bug, I don't think we can/should fix this potential
native crash, but we can and should improve the documentation to explain
how you're _supposed_ to use MessageDigest.
Bug: http://code.google.com/p/android/issues/detail?id=8709
Change-Id: I1cbab5995e5673d5386e21270ac52b6f90b9f421
rovider/jsse/OpenSSLMessageDigest.java
rovider/jsse/OpenSSLMessageDigestJDK.java
|
| 018b67accb28954d35f3cd697be3428e9b45b7d8 |
28-May-2010 |
Jesse Wilson <jessewilson@google.com> |
Further small fixes to increase API compatibility with RI v6.
Highlights:
code was moved from SSLContextImpl to its superclass.
took X500Principal code from Harmony
Tested with Harmony's tests.api.javax.security.auth.x500.X500PrincipalTest.
Change-Id: I89b46d4b47e692a5461916cca972e05de95f3280
rovider/jsse/SSLContextImpl.java
|
| 2be0ae9c8abc05d1c94c8bb170503ee2feae1866 |
27-May-2010 |
Brian Carlstrom <bdc@google.com> |
Add missing package on ambiguous class name and cast on ambiguous type
Change-Id: I470c929f67ecaffa91d5a67c87f1ed5358cfd84c
rovider/jsse/SSLContextImpl.java
|
| 0c131a2ca38465b7d1df4eaee63ac73ce4d5986d |
21-May-2010 |
Brian Carlstrom <bdc@google.com> |
RI 6 support for javax.net.ssl
Summary:
- RI 6 support for javax.net.ssl
- SSLEngine fixes based on new SSLEngineTest
- fix Cipher.checkMode bug recently introduced in dalvik-dev
Details:
Fix Cipher.checkMode that was preventing most javax.net.ssl tests from working
luni/src/main/java/javax/crypto/Cipher.java
RI 6 has introduced the concept of a "Default" SSLContext. This is
accessed via SSLContext.getDefault() and also
SSLContext.getInstance("Default"). Harmony had its own
DefaultSSLContext but it was not created via an SSLContextSpi. It also
was a single shared instance whereas the new RI6 Default SSLContext
shares internal SSLSessionContext instances between different Default
SSLContexts.
Refactored the old code into an SSLContextImpl subclass that
allows it to be created via SSLContext.getInstance. SSLContextImpl
ensures that we only ever create one set of SSLSessionContext
instances for the Default context.
luni/src/main/java/javax/net/ssl/DefaultSSLContext.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/DefaultSSLContextImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java
Added SSLContext.getDefault and SSLContext.setDefault
luni/src/main/java/javax/net/ssl/SSLContext.java
Replace dependencies of old DefaultSSLContext with use of SSLContext.getDefault
luni/src/main/java/javax/net/ssl/SSLServerSocketFactory.java
luni/src/main/java/javax/net/ssl/SSLSocketFactory.java
Register "SSLContext.Default" as DefaultSSLContextImpl class for SSLContext.getInstance()
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/JSSEProvider.java
Added constant for new "Default" standard name and added it to
SSL_CONTEXT_PROTOCOLS. New tests based on SSL_CONTEXT_PROTOCOLS
made it clear that neither Android or RI support SSLv2 so removed
it from SSL_CONTEXT_PROTOCOLS and SSL_SOCKET_PROTOCOLS. Added
constant for TLS as well which was previously scattered all over
tests. Remove SSLv2Hello from SSL_SOCKET_PROTOCOLS for Android
since with OpenSSL disablign SSLv2 means you can not use
SSLv2Hello either.
support/src/test/java/javax/net/ssl/StandardNames.java
Added tests for SSLContext.getDefault and
SSLContext.setDefault. Changed existing tests to work on all
protocols including new "Default".
luni/src/test/java/javax/net/ssl/SSLContextTest.java
RI 6 has introduced the notion of SSLParameters which encapsulate SSL
the handshake parameters of desired cipher suites, protocols, and
client authentication requirements.
The main new class SSLParameters is basically just a bag of fields
with accessors and a couple simple constructors. The only things
of note are that it clones all String arrays on input and output
and the setters for the two boolean fields ensure that only one is
true at a time.
luni/src/main/java/javax/net/ssl/SSLParameters.java
Added SSLContext.getDefaultSSLParameters and
SSLContext.getSupportedSSLParameters which simply delegate to the
SSLContextSpi.
luni/src/main/java/javax/net/ssl/SSLContext.java
Added abstract SSLContextSpi.engineGetDefaultSSLParameters and
SSLContext.engineGetSupportedSSLParameters.
luni/src/main/java/javax/net/ssl/SSLContextSpi.java
Added engineGetDefaultSSLParameters and
engineGetSupportedSSLParameters implementation. The RI documents
in SSLContextSpi that these are implemented by default by creating
a socket via the SSLContext's SocketFactory and asking for the
enabled/supported cipher suites and protocols respectively, so
that is what is done. The doc mentions throwing
UnsupportedOperationException if there is a problem, so we do that
as well.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java
Added {SSLEngine,SSLSocket}.{getSSLParameters,setSSLParameters}
which are analogous.
luni/src/main/java/javax/net/ssl/SSLEngine.java
luni/src/main/java/javax/net/ssl/SSLSocket.java
Added SSLParametersTest
luni/src/test/java/javax/net/ssl/SSLParametersTest.java
luni/src/test/java/javax/net/ssl/AllTests.java
Added SSLContext.get{Default,Supported}SSLParameters tests
luni/src/test/java/javax/net/ssl/SSLContextTest.java
Added SSLSocket.{getSSLParameters,setSSLParameters} tests and added
some extra asserts to test_SSLSocketPair_create based on experience
with test_SSLEnginePair_create.
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Dummy implementation of new SSLContextSpi for test classes.
support/src/test/java/org/apache/harmony/security/tests/support/MySSLContextSpi.java
support/src/test/java/org/apache/harmony/xnet/tests/support/MySSLContextSpi.java
Other minor RI 6 API changes:
RI 6 removed Serializable from HandshakeCompletedEvent and SSLSessionBindingEvent
luni/src/main/java/javax/net/ssl/HandshakeCompletedEvent.java
luni/src/main/java/javax/net/ssl/SSLSessionBindingEvent.java
RI 6 added generic types to the KeyStoreBuilderParameters List
constructor and accessor as well as to
SSLSessionContext.getIds. Fixed tests to compile with generic types.
luni/src/main/java/javax/net/ssl/KeyStoreBuilderParameters.java
luni/src/main/java/javax/net/ssl/SSLSessionContext.java
luni/src/test/java/tests/api/javax/net/ssl/KeyStoreBuilderParametersTest.java
SSLEngine improvements. Since I was changing SSLEngine, I wrote an
SSLEngineTest based on my SSLSocketTest to do some simply sanity
checking. It expose a number of issues. I've fixed the small ones,
marked the rest as known failures.
Renamed some TLS_ cipher suites to SSL_ to match JSSE standard
names. These were all old suites no longer supported by RI or
OpenSSL which is why they were missed in an earlier cleanup of this
type in this class. Also fixed SSLEngine supported cipher suites
list not to include SSL_NULL_WITH_NULL_NULL which is not a valid
suite to negotiate.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
SSLEngine instances can have null host values, which caused a
NullPointerException in the ClientSessionContext implementation.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
SSLEngine tests were failing because SSLParameters was throwing
NullPointerException instead of IllegalArgument exception on null
element values. Fixed null pointer message style while I was here.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java
Fixed SSLEngine instances to default to server mode like RI
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java
Fixed KEY_TYPES based on SSLEngine implementation. Removed dead
code NativeCrypto.getEnabledProtocols which was recently made
obsolete. Cleaned up null exception messages to follow our convention.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
Added SSLEngineTest which parallels SSLSocketTest in its
coverage. Similarly added TestSSLEnginePair which loosely parallels
TestSSLSocketPair.
luni/src/test/java/javax/net/ssl/SSLEngineTest.java
luni/src/test/java/javax/net/ssl/AllTests.java
support/src/test/java/javax/net/ssl/TestSSLEnginePair.java
SSLEngineTest betters exposed the differences between SSLSocket and
SSLEngine supported cipher suites. StandardNames now has an
CIPHER_SUITES_SSLENGINE definition which denotes what is missing
and what is extra and why in the SSLEngine implementation.
support/src/test/java/javax/net/ssl/StandardNames.java
Created StandardNames.assert{Valid,Supported}{CipherSuites,Protocols}
to factor out some code test code that is also used by new tests.
support/src/test/java/javax/net/ssl/StandardNames.java
luni/src/test/java/javax/net/ssl/SSLSocketFactoryTest.java
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Remove SSLSocketTest known failure and add new SSLEngineTest known failures
expectations/knownfailures.txt
SSL_OP_NO_TICKET change was recently merged from master which required some fixes.
For the moment, sslServerSocketSupportsSessionTickets always returns false.
support/src/test/java/javax/net/ssl/TestSSLContext.java
Fixed flakey test_SSLSocket_HandshakeCompletedListener which had a
race because the client thread look in the server session context
for an session by id potentially before the server thread had a
chance to store its session. Made noticable because of
SSL_OP_NO_TICKET recently merged from master (before this code
path was host only, not device)
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Fix checkjni issue where we need to check for pending exception in
OpenSSL callback. Possibly introduced by recent merge of
SSL_OP_NO_TICKET from master.
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Expectation updates
Remove SSLSocketTest known failure and add new SSLEngineTest known failures
expectations/knownfailures.txt
Tag test_SSLSocket_getSupportedCipherSuites_connect as large
expectations/taggedtests.txt
Misc changes:
opening brace on wrong line
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java
Long line cleanup while debugging
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/HandshakeProtocol.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketFactoryImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketFactoryImpl.java
support/src/test/java/javax/net/ssl/TestKeyStore.java
Removed bogus import
luni/src/test/java/javax/net/ssl/SSLSessionContextTest.java
Comment clarify while debugging
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Ctor -> Constructor in comment
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLEngineImpl.java
Fixed naming of SocketTest_Test_create to TestSocketPair_Create to match renamed classes
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Change-Id: I99505e97d6047eeabe4a0b93202075a0b2d486ec
rovider/jsse/CipherSuite.java
rovider/jsse/ClientSessionContext.java
rovider/jsse/DefaultSSLContextImpl.java
rovider/jsse/HandshakeProtocol.java
rovider/jsse/JSSEProvider.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLServerSocketFactoryImpl.java
rovider/jsse/OpenSSLSocketFactoryImpl.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/SSLContextImpl.java
rovider/jsse/SSLEngineImpl.java
rovider/jsse/SSLParameters.java
rovider/jsse/ServerSessionContext.java
|
| aacf6f9741dea0f12fbff5e7696e53f251177280 |
20-May-2010 |
Brian Carlstrom <bdc@google.com> |
Enable Diffie-Hellman cipher suites
Enable Diffie-Hellman cipher suites in NativeCrypto (and in
StandardNames to match for testing). This means we now have the same
default cipher suite list as RI 5.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
support/src/test/java/javax/net/ssl/StandardNames.java
Enabling DH made it obvious that the RI check for enable cipher suites
on SSLServerSocket.accept was not as stringent as first
thought. Apparently they don't care if all enabled cipher suites have
certificates/keys, just that at least one of them will work, even if
its anonymous. Factored out the logic to check this into
checkEnabledCipherSuites for clarity along with the supporting
checkForPrivateKey. Also only check if the socket is in server mode,
since its fine to have nothing configured for server acting as a
client for handshake purposes.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
The real work to enable Diffie-Hellman was to use
SSL_CTX_set_tmp_dh_callback to set a callback to get DH
parameters. There are two ways to create the parameters. The first is
to use DH_generate_parameters_ex which is very slow (minutes) as is
recommended as install time option. The second is to use
DSA_generate_parameters_ex followed by DSA_dup_DH, which is faster for
a single call, but must be done every time, so slower overall. We
currently take the second approach to just have DH working.
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Changed ephemeral RSA keys to be stored per SSL in AppData, not in a static global.
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Fix LS_ to TLS_ typo in commented out constant. Removed easy to miss wrapping in array definition.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
Renamed CipherSuites defaultPretendant to defaultCipherSuites which
led to renaming the CipherSuites constants to follow the coding style.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/DigitalSignature.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerKeyExchange.java
Change-Id: Ia38de48cabb699b24fe6e341ba79f34e3da8b543
rovider/jsse/CipherSuite.java
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/DigitalSignature.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLServerSocketImpl.java
rovider/jsse/SSLParameters.java
rovider/jsse/ServerHandshakeImpl.java
rovider/jsse/ServerKeyExchange.java
|
| 8f78381c9c7a64f7c703913d702f2a8895207877 |
19-May-2010 |
Brian Carlstrom <bdc@google.com> |
SSLServerSocket accept should make sure enabled cipher suites have supporting private keys
Make CipherSuite static fields final (noticed because I tried to use some in a switch statement).
Also renamed "cuites*" to "suites*" and fixed UNKNOUN to UNKNOWN
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
SSLServerSocket now matches the RI behavior of throwing an
SSLException for missing keys for non-anonymous cipher suites.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
Fixed one KnownFailure
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Change-Id: I1ccbf93cfc5aa5951b1f33881446d93c380b6e68
rovider/jsse/CipherSuite.java
rovider/jsse/OpenSSLServerSocketImpl.java
|
| a653cca054f36de92bbef8498be3f0f01d9d6119 |
18-May-2010 |
Brian Carlstrom <bdc@google.com> |
SSLSocketFactory.connect(Socket...) should allow port of -1
SSLSession.getPeerPort is supposed to return -1 when the port is
undefined so now we initialize it to that value.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java
Avoid creating InetAddress to store the OpenSSLSessionImplWrapper host
and port arguments since it was causing an exception on an port value
of -1 and was just used to go back to the original host and port when
creating the SSLSession, which is allowed to return a port value of -1.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Remove last of KnownFailures for SSLSocketFactory
luni/src/test/java/javax/net/ssl/SSLSocketFactoryTest.java
Update classpath for newly seperated out junit jars
run-core-tests
Change-Id: I646a8f23c3d6ae01f1dd38e40bc9c32d436e6254
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/OpenSSLSocketImpl.java
|
| 6df6339ecd4662d351c622a59533cbbe9f275ffd |
18-May-2010 |
Brian Carlstrom <bdc@google.com> |
Client certificates should only be set on request from server
Client certificates should only be set into the SSL* when requested by
the server so that after the handshake is completed the client can
inspect its SSLSession to see what certificate if any was
requested. Previously the value was always non-null even if the server
didn't request the certificate.
- Created RAND_seed and RAND_load_file out of the NativeCrypto.SSL_new
- NativeCrypto.SSL_new now simply performs SSL_new and does not
deal with certificates, private keys, or random seeds.
- Removed helper version of NativeCrypto.SSL_new
Moved code to OpenSSLSocketImpl.setCertificate
- Created SSL_use_certificate, SSL_use_PrivateKey, SSL_check_private_key from SSL_new.
These are used not just on server handshake but also via clientCertificateRequested callback.
- Merged CertificateChainVerifier and HandshakeCompletedCallback into new SSLHandshakeCallbacks
while adding new clientCertificateRequested callback from OpenSSL C code to Java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
In addition to supporting NativeCrypto.java changes, also changed
to_SSL_CTX and to_SSL_SESSION to allow null checking and throwing
NullPointerException. Changed these and to_SSL to log exception on
JNITrace, taking these logs out of individual functions. There
were a lot of null checks missing previously, mostly in
to_SSL_SESSION cases.
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
All KnownFailures now fixed.
luni/src/test/java/javax/net/ssl/SSLSessionTest.java
Three more KnownFailures now fixed.
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Change-Id: Iddcd5512e8395d947d3b894f03e3a059e63afe8a
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
| fd487fbac3547360ea81d96edea9827fad080f86 |
18-May-2010 |
Brian Carlstrom <bdc@google.com> |
Change Harmony CipherSuite to use JSSE names
Change text names of Harmony CipherSuite's (used by SSLEngine and some
places with OpenSSL code) to match JSSE names.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
Added StandardName constant for SSL_NULL_WITH_NULL_NULL
support/src/test/java/javax/net/ssl/StandardNames.java
Marked test as working with above fix, changed to use newly defined constant.
luni/src/test/java/javax/net/ssl/SSLSessionTest.java
Change-Id: Id48d2adcbbff71306296f1fdf8ff970c618fdcc6
rovider/jsse/CipherSuite.java
|
| 204cab3c22b4d75c866c95e2d2eec42e14cbd924 |
18-May-2010 |
Brian Carlstrom <bdc@google.com> |
Supported cipher suites improvements
Added new test_SSLSocket_getSupportedCipherSuites_connect to make sure
all cipher suites we claim work actually do. It clearly exposed that
although a large number of cipher suites are supported by libssl.so,
they are not properly wired up into the OpenSSL JSSE
implementation. In particular Elliptic Curve has been disabled in our
version Bouncy Castle does not work. In addition Diffie-Hellman does
not work because we need to further integration work with OpenSSL via
SSL_set_tmp_dh_callback or SSL_set_tmp_dh. Finally,
SSL_RSA_EXPORT_WITH_RC4_40_MD5 doesn't work but that is being left as
KnownFailure for more immediate cleanup based on ServerHandshakeImpl's
handling of KeyExchange_RSA_EXPORT as part of having OpenSSL call us
back for certificates dynamically.
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Refactored TestSSLContext.createKeyStore to create TestKeyStore which
now factors out TestSSLContext.createKeys from the old createKeyStore
method, which allows createKeys to be called multiple times for
different key algorithms (for example DSA in addition to RSA). Also
added a reusable singleton instance to cut down on test execution
time.
support/src/test/java/javax/net/ssl/TestKeyStore.java
Removed publicAlias/privateAlias from TestSSLContext since we now
include both RSA and DSA key pairs in they KeyStore by default. Added
TestSSLContext.assertCertificateInKeyStore methods to help tests the
previously used the alias fields fields. TestSSLContext.create API
changed as well since the alias names are no longer
required. TestSSLContext.createClient now needs to iterate over all
server certificates when setting up its TrustManager instead of just
grabbing one by alias name.
support/src/test/java/javax/net/ssl/TestSSLContext.java
luni/src/test/java/javax/net/ssl/SSLContextTest.java
luni/src/test/java/javax/net/ssl/SSLSessionTest.java
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
TestSSLSocketPair.connect now allows optional inclusion of server
cipher suite list.
support/src/test/java/javax/net/ssl/TestSSLSocketPair.java
luni/src/test/java/javax/net/ssl/SSLSessionContextTest.java
Turning off Elliptic Curve and Diffie-Hellman which are not currently
working. Updating test expectations to match.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
support/src/test/java/javax/net/ssl/StandardNames.java
Turn on registration of ECDSA and DSA since this part is currently
functional (and excercised by TestKeyStore.create())
luni/src/main/java/org/bouncycastle/x509/X509Util.java
Improve logging by including SSL pointer in error messages, which
makes it easier to relate these errors to JNI_TRACE messages.
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Change-Id: I014d001a6a21a46c360678a346d3a3c8232f4d53
rovider/jsse/NativeCrypto.java
|
| d7119eb12622a4187553e68a32aafa61999d7162 |
15-May-2010 |
Elliott Hughes <enh@google.com> |
Merge "Fix getInetAddress/getPort/getLocalAddress/getLocalPort." into dalvik-dev
|
| 8cc54e9f098c4f299d2b88bb2b9110ce44354ed7 |
14-May-2010 |
Elliott Hughes <enh@google.com> |
Fix getInetAddress/getPort/getLocalAddress/getLocalPort.
Responsibility is split between Socket, SocketImpl, PlainSocketImpl,
SocketChannel, SocketChannelImpl, and SocketChannelImpl.SocketAdapter, and
we need to keep them synchronized. Our hands are somewhat tied by the fact
that the RI exposed way too much. I think, now I understand the relationships
a bit better, that we can probably rewrite this cluster of classes to be
simpler, but I don't want to bite off more than I can chew right now, and
this does fix the known problems.
This patch also makes us more compatible with the RI by making getLocalAddress
after the socket has been closed return the address we used.
By strange coincidence, harmony addressed this at the same time I was looking
at it (see http://svn.apache.org/viewvc?rev=944119&view=rev) but I feel they're
going in the wrong direction and making the relationships even more complicated.
I have run their new tests in addition to my own, though.
Bug: 1952042
Bug: http://code.google.com/p/android/issues/detail?id=1933
Bug: http://code.google.com/p/android/issues/detail?id=3123
Change-Id: Icb7793fb5d868e0d1f1b8b3d5da88c32fb973744
rovider/jsse/OpenSSLSocketImplWrapper.java
|
| 9acacc36bafda869c6e9cc63786cdddd995ca96a |
14-May-2010 |
Brian Carlstrom <bdc@google.com> |
Use JSSE cipher suite names and restore JSSE SSLSessionContext semantics
Summary:
- Switch to using JSSE cipher suite names
- SSLSessionContext implementation cleanup
- Updated tests
Details:
Switch to using JSSE cipher suite names
- We maintain backward compatability for enabling cipher suites using
OpenSSL names for old code that did so without checking for the
presence of the names in the supported list.
- We now have a well defined list of the supported cipher suites which
are sorted in priority order as specified in JSSE documentation so
that callers doing:
s.setEnabledCipherSuites(s.getSupportedCipherSuites())
will get something reasonable.
- We now have a default cipher suite list that is chose to match RI
behavior and priority, not based on OpenSSLs default and priorities.
Details:
- Added NativeCrypto OPENSSL_TO_STANDARD and STANDARD_TO_OPENSSL
mapping between naming conventions. STANDARD_TO_OPENSSL is a
LinkedHashMap so enumerating it gives the proper order for
SUPPORTED_CIPHER_SUITES.
- SSL_get_ciphers and SSL_set_cipher_list are removed, we now use
our own SSL_set_cipher_lists (defined seperately in
external/openssl/patches/jsse.patch) to set the set and order of
cipher suites. SSL_CTX_get_ciphers is also removed because we no
longer rely on the OpenSSL for the default cipher suites
behavior.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Add cipherSuite and protocol field caches for native values,
mapping the cipherSuite to a JSSE name from the OpenSSL name
returned by SSL_SESSION_cipher.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java
Fixed a long standing bug where we reused sessions found in the
client host/port cache even if the old protocol and cipher suite
where no longer compatible with what was specified by
setEnabledCipherSuites and setProtocols. Also fixed a recently
introduced bug where lastAccessedTime was being set on a cached
session even if it was not reused, found by fixed the above.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Move most of SSLSessionContext implementation from subclasses to
AbstractSessionContext. This was primarily to align the
implementations of how different sessions id for the same host and
port were handled for RI compatability. client subclasses now focuses
on handling its host/port based cache and both deal with their own
persistent cache details.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/AbstractSessionContext.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java
Tests
Added some variants of assertSSLSessionContextSize to simplify tests code.
Broke test_SSLSessionContext_setSessionCacheSize_oneConnect out of
test_SSLSessionContext_setSessionCacheSize_dynamic. Renamed
test_SSLSessionContext_setSessionCacheSize_basic to
test_SSLSessionContext_setSessionCacheSize_noConnect to match name
of _oneConnect. _dynamic was cleaned up a bit as getting it working
was the only goal of this change list. Fixed to filter
SSL_RSA_EXPORT_ ciphers since our test certificate key length is
too long for those. Lower test requirement to 3 unique cipher suites.
luni/src/test/java/javax/net/ssl/SSLSessionContextTest.java
Added checks that cipher suites and protocols have standard names.
luni/src/test/java/javax/net/ssl/SSLSessionTest.java
Removing known failures related to cipher suite naming. Fixed bug
of using assertNotNull instead of assertTrue. Added extra
size/length check which would have found the
assertNotNull/assertTrue issue.
luni/src/test/java/javax/net/ssl/SSLSocketFactoryTest.java
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Fixing test the explicitly worked around broken cipher suite naming.
luni/src/test/java/tests/api/javax/net/ssl/SSLSessionTest.java
Updated standard cipher suites to RI 6 list, which also now
specifies ordering, which we now align with.
support/src/test/java/javax/net/ssl/StandardNames.java
Unrelated
Remove more now obsolete jars from the test classpath
run-core-tests
Change-Id: I45c274a9327c9a1aeeccb39ecaf5a3fbe2903c8f
rovider/jsse/AbstractSessionContext.java
rovider/jsse/ClientSessionContext.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/ServerSessionContext.java
|
| f33eae7e84eb6d3b0f4e86b59605bb3de73009f3 |
13-May-2010 |
Elliott Hughes <enh@google.com> |
Remove all trailing whitespace from the dalvik team-maintained parts of libcore.
Gentlemen, you may now set your editors to "strip trailing whitespace"...
Change-Id: I85b2f6c80e5fbef1af6cab11789790b078c11b1b
rovider/jsse/AlertException.java
rovider/jsse/Appendable.java
rovider/jsse/CertificateMessage.java
rovider/jsse/CertificateRequest.java
rovider/jsse/CertificateVerify.java
rovider/jsse/CipherSuite.java
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/ClientHello.java
rovider/jsse/ClientKeyExchange.java
rovider/jsse/ClientSessionContext.java
rovider/jsse/ConnectionStateSSLv3.java
rovider/jsse/ConnectionStateTLS.java
rovider/jsse/DHParameters.java
rovider/jsse/DelegatedTask.java
rovider/jsse/DigitalSignature.java
rovider/jsse/FileClientSessionCache.java
rovider/jsse/Finished.java
rovider/jsse/Handshake.java
rovider/jsse/HandshakeIODataStream.java
rovider/jsse/HandshakeProtocol.java
rovider/jsse/HelloRequest.java
rovider/jsse/JSSEProvider.java
rovider/jsse/KeyManagerImpl.java
rovider/jsse/Logger.java
rovider/jsse/Message.java
rovider/jsse/OpenSSLMessageDigest.java
rovider/jsse/OpenSSLMessageDigestJDK.java
rovider/jsse/OpenSSLSignature.java
rovider/jsse/PRF.java
rovider/jsse/ProtocolVersion.java
rovider/jsse/SSLBufferedInput.java
rovider/jsse/SSLContextImpl.java
rovider/jsse/SSLEngineAppData.java
rovider/jsse/SSLEngineImpl.java
rovider/jsse/SSLParameters.java
rovider/jsse/SSLRecordProtocol.java
rovider/jsse/SSLSessionImpl.java
rovider/jsse/SSLv3Constants.java
rovider/jsse/ServerHandshakeImpl.java
rovider/jsse/ServerHello.java
rovider/jsse/ServerHelloDone.java
rovider/jsse/ServerKeyExchange.java
rovider/jsse/TrustManagerFactoryImpl.java
|
| a7ae90de24809b266bb5efdc9033a3261e31f521 |
11-May-2010 |
Brian Carlstrom <bdc@google.com> |
SSLSession and SSLSessionContext timeout improvements
Fix getIds Enumeration to filter invalid sessions.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/AbstractSessionContext.java
Implement SSLSessionContext.setSessionTimeout to remove newly
invalid sessions as specified by the RI documentation. getSession
interfaces now filters invalid sessions from results.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java
Added OpenSSLSocketImpl.creationTime instance field cache to avoid
repeated native calls since this is now used for all isValid tests.
Fixed broken isValid implementation:
- compared seconds to milliseconds
- direction of comparison backwards
- used last accessed time instead creation time as clarified in RI 7 documentation.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java
Unrelated
Replace java.io.* java.util.* imports with properly expanded versions:
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/AbstractSessionContext.java
Change-Id: Ib02218df414f014f1d260f7acc067e5647fb700b
rovider/jsse/AbstractSessionContext.java
rovider/jsse/ClientSessionContext.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/ServerSessionContext.java
|
| 0af0a7959d838c48e6b4e8dc9ac188ff6bbb6a87 |
11-May-2010 |
Brian Carlstrom <bdc@google.com> |
SSLSessionContexts should throw NullPointerException on getSession(null)
Add an explicit null check to ensure failure on a null argument to getSession to match the RI
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java
Remove KnownFailures resolved by above fix as well as clarifiying SSL
session cache expections on Android vs the RI. The KnownFailures were
also hiding some latent issues to do SSL session tickets, so fixed
those up as well.
luni/src/test/java/javax/net/ssl/SSLSessionContextTest.java
Added constants for expected SSL session cache behavior for RI vs Android
support/src/test/java/javax/net/ssl/TestSSLContext.java
Change-Id: Ic6285192cf76c0a5c3fa45a24eaa504ed0babff5
rovider/jsse/ClientSessionContext.java
rovider/jsse/ServerSessionContext.java
|
| f365a1c9cec94071b7a3161d7bdcb3f61d28f912 |
10-May-2010 |
Brian Carlstrom <bdc@google.com> |
SSLContext.getClientSessionContext and getServerSessionContext should work before SSLContext.init
Moved initialization of SSLContextImpl clientSessionContext and
serverSessionContext from engineInit time (in SSLParameters
constructor) to constructor time, making them final. This is to
fix javax.net.ssl.SSLContextTest which was failing because it
tried to access this before init was called, which worked fine on
the RI. The SSLParameters now simply takes the preallocated
session contexts as arguments. SSLParameters.getDefault() now
needs to create its own session contexts when an SSLContext is not
used, which is how Harmony does it.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java
Removed KnownFailure from SSLContextTest as its 100% working.
luni/src/test/java/javax/net/ssl/SSLContextTest.java
Changed persistentCache fields of ClientSessionContext and
ServerSessionContext from final to private and added a public
setter. This replaces passing the persistentCache implementation
in via the constructor. For momentarily backward compatibility
with frameworks/base, the now deprecated 5 argument engineInit
method now uses these setters for backward compatability. The
SSLParameters previously took these persistent caches as arguments
in order to pass them to the session context contructors, but as
SSLParameters no longer creates these, they are no longer relevant.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java
While moving the call of the AbstractSessionContext constructor
from SSLParameters to SSLContextImpl after removing the persistent
cache arguments, I realized there was no longer any reason to take
any arguments. I pushed the initization of sslCtxNativePointer to
the point of declaration.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/AbstractSessionContext.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java
Change-Id: Ied2903a2f369bf4e521e702bf58f32f21cb97d17
rovider/jsse/AbstractSessionContext.java
rovider/jsse/ClientSessionContext.java
rovider/jsse/SSLContextImpl.java
rovider/jsse/SSLParameters.java
rovider/jsse/ServerSessionContext.java
|
| 3e24c53ecc31b840e51869c295785d5a2f8b31eb |
06-May-2010 |
Brian Carlstrom <bdc@google.com> |
Moving OpenSSLSocketImpl native code to NativeCrypto (and other clearnup)
Summary:
- Finished consolidating OpenSSL native code into NativeCrypto
- fixing local vs global ref bug with AppData
Added new ScopedGlobalRef as part of this fix
- fixed many historical memory leaks identified during code review
- fixed lack of error checking on allcoation with OpenSSL *_new routines
- Added to_SSL_CTX and to_SSL_SESSION to match to_SSL (renamed from getSslPointer)
- Replaced most uses of GetByteArrayElements with ScopedByteArray
(including cases where we we using ReleaseByteArrayElements(..,...,0) instead of JNI_ABORT)
- Replaced uses of GetStringUTFChars with ScopedUtfChars
Details:
Finished consolidating OpenSSL native code into NativeCrypto
OpenSSLSocketImpl NativeCrypto
---------------------------------------
nativeread SSL_read_byte
nativeread SSL_read
nativewrite SSL_write_byte
nativewrite SSL_write
nativeinterrupt SSL_interrupt
nativeclose SSL_shutdown
nativeverifysignature verifysignature
Also removed dead code that was wrapping SSL_get1_session
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Fixed NativeCrypto_SSL_write and NativeCrypto_d2i_SSL_SESSION to use
JNI_ABORT on release to avoid copy back of unchanged data (via ScopedByteArray).
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
While running the usual tests:
adb shell run-core-tests tests.xnet.AllTests javax.net.ssl.AllTests
there was an abort from the JNI checking because in the recent
handshaking change, local refs were kept in AppData and then reused in
later calls. Added new ScopedGlobalRef to handle the book keeping of this.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
include/ScopedGlobalRef.h
Fixed various leaks on old error paths spotted by reviewer.
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Tracking move of verifySignature, a non-SSL bit of code that was lurking in OpenSSLSocketImpl
luni/src/main/java/org/apache/harmony/security/provider/cert/X509CertImpl.java
Change-Id: If1e409782bc99dc684039cfe3f53f8244e29346e
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
| f002bdddce924e2145a4a2b60592b7a40f4112f6 |
05-May-2010 |
Brian Carlstrom <bdc@google.com> |
Moving OpenSSLSessionImpl native code to NativeCrypto
OpenSSLSessionImpl NativeCrypto
-------------------------------------------------------
getId SSL_SESSION_session_id
getPeerCertificatesImpl SSL_SESSION_get_peer_cert_chain
getCreationTime SSL_SESSION_get_time
getProtocol SSL_SESSION_get_version
getCipherSuite SSL_SESSION_cipher
freeImpl SSL_SESSION_free
getEncoded i2d_SSL_SESSION
initializeNativeImpl d2i_SSL_SESSION
Change-Id: I4538df52280266711986a577b14868af3ea0ed62
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/OpenSSLSocketImpl.java
|
| e688a4123f165ed2905878e312b074b8c825d119 |
05-May-2010 |
Brian Carlstrom <bdc@google.com> |
Addressing post-submit comments regarding OpenSSL handhake changes
Following up on feedback from earlier change https://android-git.corp.google.com/g/50435
Added new test_SSLSocket_startHandshake_noClientCertificate to
make sure handshaking works when no client certificates are
present after issues raised by hwu during code review.
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
Improve TestSSLContext.create* options
- added javadoc comments to help distinguish different versions
- fixed bug of not passing in keyStorePassword in create()
- added new createClient(server) method to create a TestSSLContext
that trusts the provided server TestSSLContext's certificate for
use by test_SSLSocket_startHandshake_noClientCertificate
- made createKeyStore optionally create a more minimal keystore if
aliases are not present
support/src/test/java/javax/net/ssl/TestSSLContext.java
Fixed argument names in SSL_*_mode methods names as pointed out by hwu
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
Added comment to explain purpose of OpenSSLSessionImpl.resetId.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java
Two changes to OpenSocketImpl
- Added logging on runtime exception catch around
HandshakeCompletedListener execution to closely mirror RI
behavior.
- Cleaned up peerCertificate check to not just be on the client path.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Addressed enh's comments about using clearEnv and when to delete AppData
luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
Change-Id: I34f54e3e41a5d53d81fdc22aa34ca4de4ee9826f
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/OpenSSLSocketImpl.java
|
| 6b811c5daec1b28e6f63b57f98a032236f2c3cf7 |
03-May-2010 |
Peter Hallam <peterhal@google.com> |
Merge awt-kernel, icu, luni-kernel, prefs, security-kernel, x-net into luni
Merge xml except xmlpull and kxml into luni
rovider/jsse/AbstractSessionContext.java
rovider/jsse/AlertException.java
rovider/jsse/AlertProtocol.java
rovider/jsse/Appendable.java
rovider/jsse/CertificateMessage.java
rovider/jsse/CertificateRequest.java
rovider/jsse/CertificateVerify.java
rovider/jsse/CipherSuite.java
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/ClientHello.java
rovider/jsse/ClientKeyExchange.java
rovider/jsse/ClientSessionContext.java
rovider/jsse/ConnectionState.java
rovider/jsse/ConnectionStateSSLv3.java
rovider/jsse/ConnectionStateTLS.java
rovider/jsse/ContentType.java
rovider/jsse/DHParameters.java
rovider/jsse/DataStream.java
rovider/jsse/DelegatedTask.java
rovider/jsse/DigitalSignature.java
rovider/jsse/EndOfBufferException.java
rovider/jsse/EndOfSourceException.java
rovider/jsse/FileClientSessionCache.java
rovider/jsse/Finished.java
rovider/jsse/Handshake.java
rovider/jsse/HandshakeIODataStream.java
rovider/jsse/HandshakeProtocol.java
rovider/jsse/HelloRequest.java
rovider/jsse/JSSEProvider.java
rovider/jsse/KeyManagerFactoryImpl.java
rovider/jsse/KeyManagerImpl.java
rovider/jsse/Logger.java
rovider/jsse/Message.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLMessageDigest.java
rovider/jsse/OpenSSLMessageDigestJDK.java
rovider/jsse/OpenSSLServerSocketFactoryImpl.java
rovider/jsse/OpenSSLServerSocketImpl.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/OpenSSLSignature.java
rovider/jsse/OpenSSLSocketFactoryImpl.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/OpenSSLSocketImplWrapper.java
rovider/jsse/PRF.java
rovider/jsse/ProtocolVersion.java
rovider/jsse/SSLBufferedInput.java
rovider/jsse/SSLClientSessionCache.java
rovider/jsse/SSLContextImpl.java
rovider/jsse/SSLEngineAppData.java
rovider/jsse/SSLEngineDataStream.java
rovider/jsse/SSLEngineImpl.java
rovider/jsse/SSLInputStream.java
rovider/jsse/SSLParameters.java
rovider/jsse/SSLRecordProtocol.java
rovider/jsse/SSLServerSessionCache.java
rovider/jsse/SSLSessionImpl.java
rovider/jsse/SSLStreamedInput.java
rovider/jsse/SSLv3Constants.java
rovider/jsse/ServerHandshakeImpl.java
rovider/jsse/ServerHello.java
rovider/jsse/ServerHelloDone.java
rovider/jsse/ServerKeyExchange.java
rovider/jsse/ServerSessionContext.java
rovider/jsse/TrustManagerFactoryImpl.java
rovider/jsse/TrustManagerImpl.java
|