def4a695d1e00b10043901146d23952f39bb0aa1 |
17-Apr-2013 |
Brian Carlstrom <bdc@google.com> |
Merge "Do not include bogus certs in final chain output" into jb-mr2-dev
|
e21b3caf3fb4e3e3d9244a000669a547621c16bd |
16-Apr-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: fix EOF at beginning of stream Any InputStream where the first character was an EOF (-1) would cause OpenSSLBIOInputStream to hang forever. This caused bad X.509 certificates to hang forever in the call to CertificateFactory#generateCertificate(InputStream) Bug: 8632056 Change-Id: Ia88f33aa356c3a6a23be872c7eef844873d73d5c
rovider/jsse/OpenSSLBIOInputStream.java
|
608ba9e25b0b4c2611197e9ad4cbb58c9db3aa57 |
27-Mar-2013 |
Brian Carlstrom <bdc@google.com> |
Do not include bogus certs in final chain output (cherry-picked from 2cdf54071e7c62ceca7d40d7f6c704b91aad2a9f) Bug: 8313312 Bug: https://code.google.com/p/android/issues/detail?id=52295 Change-Id: Ie9f58c1bdc676471eaaf3073a78b0b00c5d9a833
rovider/jsse/TrustManagerImpl.java
|
3725893865ddbdd2e9cebc2ea2f7ecfc357fcfbb |
15-Apr-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: set Calendar instances to 0 millis X.509 does not have a notion of milliseconds so it was not being set through the Calendar instances we used in OpenSSLX509Certificate, et al. Instead it was getting whatever the current millisecond offset was from the GregorianCalendar default constructor. That made two parsed certificates unlikely to be equal when comparing since the milliseconds were also checked. Bug: 8616647 Change-Id: I756088d946191417bb3afcba082bed5371ed731a
rovider/jsse/OpenSSLX509CRL.java
rovider/jsse/OpenSSLX509CRLEntry.java
rovider/jsse/OpenSSLX509Certificate.java
|
5911a70a882d502d21b74dcdca6d9f4fcd5e36d5 |
06-Apr-2013 |
Brian Carlstrom <bdc@google.com> |
Don't forget to call sessionRemoved from removeEldestEntry Also to prevent similar problems in the future, remember SSLSession we are trying to use in case it disappears from SSLSessionContext. Added test of SSLSocket SSLSession reuse. Bug: https://code.google.com/p/android/issues/detail?id=52738 Bug: 8313208 (cherry picked from commit b88ab0efb05475fa9d4e2a06175e95e88f507cff) Change-Id: I229e018c3acb427a7b580eaf880f86d9b263bac7
rovider/jsse/AbstractSessionContext.java
rovider/jsse/OpenSSLSocketImpl.java
|
90d02cbdbac93f6fee46082e25c1c67f75108442 |
03-Jan-2013 |
Chris Palmer <palmer@google.com> |
Check the EE's eKU extension field, if present. BUG=https://code.google.com/p/chromium/issues/detail?id=167607 and https://b.corp.google.com/issue?id=7920492 (cherry picked from commit 0da1515c5fe4e97fc2d4d24a41ebd4c078fec4db) Change-Id: I4309d4a90a9d41390f41c748fa1442ed736e225f
rovider/jsse/TrustManagerImpl.java
|
bc5800cc4ebcd5d778483851b73bdac6b1dc2f3c |
29-Mar-2013 |
Alex Klyubin <klyubin@google.com> |
Make KeyFactory.translateKey for OpenSSL keys a no-op. There's no need for the OpenSSL-backed KeyFactory.translateKey to create copies of Key instances which are already backed by OpenSSL. (cherry picked from commit 3fb32505a22a01c95ff82435ac7f4d6da001c11c) Change-Id: I49322aa2d29e44a06e6bd35aed3aebc0ea70a3f9
rovider/jsse/OpenSSLDSAKeyFactory.java
rovider/jsse/OpenSSLECKeyFactory.java
rovider/jsse/OpenSSLRSAKeyFactory.java
|
4556926f9dee32ac5b2a8ac0c442bc716d1303f3 |
05-Apr-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: catch another RSA error Also add a generic fallback for certificate verification when the specific type of error is unknown. (cherry picked from commit f04fc33c88d2ad1f06d58d50a0734c0ef511c5b9) Bug: 8550441 Change-Id: Ica617074718ccac224c9ce3cc8b89502e2abb90d
rovider/jsse/OpenSSLX509Certificate.java
|
325ce8a74236f16db63c1971a99aeabf55e61a57 |
01-Apr-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: adjust thrown exceptions Should be throwing CertificateException when InputStream is null. Sometimes OpenSSL doesn't push an error onto the list when PEM encoding fails. This can be seen with the call to PEM_read_bio_X509 with hyts_badpem.cer Throw a generic RuntimeException instead. (cherry picked from commit d14eedd3c70f67a0d7af71b56dcf7b8e4f030bdd) Bug: 8488314 Change-Id: I716c089c00ab477b4803bdd774681e52384eb95d
rovider/jsse/OpenSSLX509CertPath.java
rovider/jsse/OpenSSLX509CertificateFactory.java
|
39143413c9a4ccb11f0c16b50bdbf07cca79f19c |
01-Apr-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: adjust BasicConstraints check OpenSSL checks KeyUsage for "Certificate Signing" when checking for a CA, but Java just specifies that the getBasicConstraints call only looks at the BasicConstraints itself. (cherry picked from commit cd59afd3e34cb6b3645babdace22c03882e0ec19) Bug: 8488314 Change-Id: I72f8d6679169480960630bd73745ebf4c55b383c
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLX509Certificate.java
|
699ec7b45e1648fb53333df33889971230058233 |
29-Mar-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: make generation bug compatible generateCertPath, generateCertificates, and generateCRLs have slightly different behavior on null input. Match the RI and (apparently) previous BC behavior. (cherry picked from commit ce0f579c5e7c384d2a3734e7327ce3a859ba52e3) Bug: 8488314 Change-Id: I6d0f96829798c83b46201a74cd409ef828e0adb2
rovider/jsse/OpenSSLX509CertPath.java
rovider/jsse/OpenSSLX509CertificateFactory.java
|
d961888f0666ccd4b797205aaeb60889688a9cb8 |
29-Mar-2013 |
Alex Klyubin <klyubin@google.com> |
Switch OpenSSLECDHKeyAgreement to KeyFactory.translateKey. OpenSSL KeyFactory.translateKey encapsulates all the functionality for translating arbitrary Key instances to OpenSSL-backed Key instances. Thus, there's no need to replicate that functionality elsewhere. (cherry picked from commit 0469e3a6a9b5e854b8b985039de8ba4f6e6037bd) Change-Id: I4caa0021e51a83be6932617117275fd033b6d5f7
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLECDHKeyAgreement.java
|
28a47ccf41ba39f227f0b075dd31cde42b7a5f49 |
20-Mar-2013 |
Alex Klyubin <klyubin@google.com> |
Disallow KeyFactory.translateKey between public and private This fixes the bug where OpenSSL-backed KeyFactory instances (RSA, DSA, EC) could translateKey from PrivateKey to PublicKey and vice versa when presented with "opaque" keys whose translation is performed via their primary encoded form. (cherry picked from commit ddee4ef28dcce942e25fd7a24f27239cd74807fa) Change-Id: Ia24a2591a06ac82c5225a3a9e3069af7a01a0c37
rovider/jsse/OpenSSLDSAKeyFactory.java
rovider/jsse/OpenSSLECKeyFactory.java
rovider/jsse/OpenSSLRSAKeyFactory.java
|
ed7441ebfbc69821598a5bc060518b5c82ffb5c8 |
20-Mar-2013 |
Alex Klyubin <klyubin@google.com> |
InvalidKeyException for "opaque" keys null getEncoded() This makes OpenSSL-backed KeyFactory instances (RSA, DSA, EC) translateKey method throw InvalidKeyException for "opaque" keys whose getFormat() returns non-null while getEncoded() returns null. Prior to this change a NullPointerException was thrown. Change-Id: Ie0f3ec27356307338839f4c2b248b0e79578e19b
rovider/jsse/OpenSSLDSAKeyFactory.java
rovider/jsse/OpenSSLECKeyFactory.java
rovider/jsse/OpenSSLRSAKeyFactory.java
|
223319e62fb4e34b2e82c0d72b3b8af8cb18b68b |
18-Mar-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: throw exception on invalid DNS altname When we receive an invalid DNS alt name (e.g., contains characters outside of the ASCII printable range), we should throw an exception to match the previous behavior. This is not validated this against the RI since the tests currently don't work, but it brings the behavior back to what it was previously. Also amend the previous ASN.1 string check to use ASN1_PRINTABLE_type(...) which actually scans the string to check its contents. This is what was meant in the last patch. Bug: 8398461 Change-Id: I260f045a2e144fb9ded7e1d3aa46592da8f63272
rovider/jsse/NativeCrypto.java
|
41dbe2157cc4e6c8ec2beb4c17e88caa84ea7dfc |
15-Mar-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: catch null input streams in cert factory Change-Id: I7b4a9d89cab8d35491d2d6efb6dfc0fae8e705d7
rovider/jsse/OpenSSLX509CertificateFactory.java
|
7885a9c6c62c6162a308913272447153b6a2e809 |
14-Mar-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: be more tolerant during translateKey Change-Id: I284bdb4d037d511390a6beb8518eb9bf9c50f25f
rovider/jsse/OpenSSLDSAKeyFactory.java
rovider/jsse/OpenSSLECKeyFactory.java
rovider/jsse/OpenSSLECPrivateKey.java
rovider/jsse/OpenSSLECPublicKey.java
rovider/jsse/OpenSSLKey.java
rovider/jsse/OpenSSLRSAKeyFactory.java
|
0048f46694737c3e46ec3150db608c2cb19f26aa |
12-Mar-2013 |
Kenny Root <kroot@android.com> |
Merge "Switch TLS Channel ID API from ECPrivateKey to PrivateKey."
|
c17bdfa469de6c48f16e454611caae3aaa82cc9d |
12-Mar-2013 |
Alex Klyubin <klyubin@google.com> |
Switch TLS Channel ID API from ECPrivateKey to PrivateKey. This is to accept both the "transparent" and "opaque" ECC private keys. "Transparent" keys provide structured access to their key material -- these are instances of ECPrivateKey. "Opaque" private keys are not required to provide structured (or even any) access to their key material -- these are instances of PrivateKey. Change-Id: I3fdc4c46675bde48c72424f1cc8f59c3d6b89f0e
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
ce14ab85f110ef6b4e5065ede5fd83ff91499d93 |
11-Mar-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: throw instead of return null We should not return null for items that cannot be extracted. Instead throw UnsupportedOperationException so we don't break the API contract. Change-Id: I09b0854c36f02b5b7ead2fb802f1454353b4cf6e
rovider/jsse/OpenSSLDSAPrivateKey.java
rovider/jsse/OpenSSLECPrivateKey.java
rovider/jsse/OpenSSLRSAPrivateCrtKey.java
rovider/jsse/OpenSSLRSAPrivateKey.java
|
e741559fd878ee6e3deca9102f7c27e1c1ca70d0 |
11-Mar-2013 |
Alex Klyubin <klyubin@google.com> |
Add support for ECDH KeyAgreement to OpenSSLProvider. Change-Id: I07d369de0199505d22f2809c815cc2852388a7b7
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLECDHKeyAgreement.java
rovider/jsse/OpenSSLProvider.java
|
e6de385bae91943cae91d88ad8e1bfdd951930f4 |
08-Mar-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: various fixes * JNI_TRACE debug messages were misleading in some cases. * MD object reference was being passed as a jint * kusage wasn't being checked for null Change-Id: I15bcba4d8b7291dc232ea20671917bb0848c3180
rovider/jsse/OpenSSLMac.java
rovider/jsse/OpenSSLX509Certificate.java
|
15cfd91abf3e6d6f905d572fe70cf2b3b4cfee60 |
08-Mar-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: add CertPath encoding PkiPath Set the default encoding to be PkiPath to conform to other implementations. This now passes all the tests. Change-Id: I8475e328e8440aa3ecccd88c34e2aba6bc169be5
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLX509CertPath.java
|
52055836ff1f8c235a558b3754b3f3dd25f5d38c |
08-Mar-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: add CertPath support with PKCS7 Add support for generating CertPath with the OpenSSLX509CertificateFactory implementation. This only will encode withrPKCS7 currently. This means it fails the CertPath serialization test because the serialization and de-serialization code only uses a provider's default serialization format. Since this provider is not the default provider and the default provider uses PkiPath as its default format, the OpenSSLX509CertPath still fails the tests. This seems like a problem with the way CertPath is serialized. The impact of this seems to be that a CertPath implementation must have "PkiPath" as its default encoding. Change-Id: Ie0e3577746345108301b02e7a1d4e8ea189f2bda
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLX509CertPath.java
rovider/jsse/OpenSSLX509Certificate.java
rovider/jsse/OpenSSLX509CertificateFactory.java
|
4e74f18c791e6d005c78a421875ae9bf89228981 |
07-Mar-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: eliminate some unneeded suppressions Refactoring eliminated the need for these suppressions, so just remove them. Change-Id: Ia7f0160d4b5db09a1d23029f3cd2755ef2bd59d6
rovider/jsse/OpenSSLX509CertificateFactory.java
|
75dc9601af8ab3c65114e3c8c57d29ce5ac64125 |
19-Dec-2012 |
Kenny Root <kroot@google.com> |
NativeCrypto: add OpenSSL X.509 certificate/CRLs Initial implementation of parsing X.509 certificates and certificate revocation lists (CRLs). This lacks support for generating CertPath objects, but that will be added at a later time. This currently isn't the default provider so anything that doesn't explicitly request this provider will not get this implementation. Change-Id: I07ae9f333763087cb6ce47e20e12ceeed750920d
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLBIOInputStream.java
rovider/jsse/OpenSSLProvider.java
rovider/jsse/OpenSSLX509CRL.java
rovider/jsse/OpenSSLX509CRLEntry.java
rovider/jsse/OpenSSLX509Certificate.java
rovider/jsse/OpenSSLX509CertificateFactory.java
|
c1f6588cf2400b3118bb4fcc65f695491110a4f3 |
04-Mar-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: add OpenSSLBIOInputStream Any APIs that deal with potentially unbounded input data need a better way of reading in data than byte arrays. This provides a building block to implement those APIs with OpenSSL. Change-Id: I58fef4388dc2731cc004ec5cb9ccc805acc55888
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLBIOInputStream.java
|
8acd6134dc84b387608746fbf2054c6d7dcd4f52 |
28-Feb-2013 |
Joel Dice <joel.dice@gmail.com> |
use longs instead of ints to store pointers in OpenSSL binding This allows the code to be used on 64-bit VMs. Change-Id: I6c0ef28c55160186c7d59e88ef6fcde4f4a41907
rovider/jsse/AbstractSessionContext.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLCipher.java
rovider/jsse/OpenSSLCipherContext.java
rovider/jsse/OpenSSLDigestContext.java
rovider/jsse/OpenSSLECGroupContext.java
rovider/jsse/OpenSSLECPointContext.java
rovider/jsse/OpenSSLECPrivateKey.java
rovider/jsse/OpenSSLECPublicKey.java
rovider/jsse/OpenSSLEngine.java
rovider/jsse/OpenSSLKey.java
rovider/jsse/OpenSSLMac.java
rovider/jsse/OpenSSLMessageDigestJDK.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/OpenSSLSignature.java
rovider/jsse/OpenSSLSocketImpl.java
|
004df9b49863d5449c0c70d0ade0203813f4e676 |
16-Feb-2013 |
Alex Klyubin <klyubin@google.com> |
Add support for SECG names for NIST P-192 and P-256 ECC curves. SECG names of the two curve specs are "secp192r1" and "secp256r1". OpenSSL doesn't support these names (see crypto/ec/ec_curve.c) because: * "SECG secp192r1 is the same as X9.62 prime192v1 and hence omitted" * "SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted" The BouncyCastle-based EC provider, which was the default on older Android platforms, supported both the SECG (secp...) and ANSI X9.62 (prime...) names for these curves. This change also makes java.security.KeyPairGeneratorTest assert that both the SECG and the ANSI X9.62 names of the two curves are supported by EC* KeyPairGenerators of all the registered Providers. Change-Id: I9531f05020971fd47afac2367021e3e3e6345d50
rovider/jsse/OpenSSLECGroupContext.java
|
e5e09174c6239dcb22b015466ca1724193da612d |
07-Feb-2013 |
Kenny Root <kroot@google.com> |
Merge "NativeCrypto: serialize EC keys differently"
|
3039d83af05c3dee6d2f0d33cc4b9b167b1a4391 |
06-Feb-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: serialize EC keys differently Change-Id: Iff593c707723811347b5b7e91bed52b07c490c9d
rovider/jsse/OpenSSLECPrivateKey.java
rovider/jsse/OpenSSLECPublicKey.java
|
3fefbd8abaf356e842705f8ebd24b414dcea8aac |
07-Feb-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: update curve names to match OpenSSL Some of the curve names were incorrect in the ECKeyPairGenerator, so renamed them to match what OpenSSL expects. Change-Id: Ib56fe8ce30b95f7faee34a3e18add7c4037e4c47
rovider/jsse/OpenSSLECKeyPairGenerator.java
|
92e388f87a6a830793e7e33c6328c8ca6a89aef4 |
06-Feb-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: reduce strict Class equality check For requested keySpec, we don't necessarily need the strict equality check. Also, remove code that is unreachable: RSAPrivateCrtKeySpec is a child of RSAPrivateKeySpec, so there is no need to check whether the keySpec is assignable to the CRT spec. Change-Id: I8070541b015167d9314b83b45bd1410663487865
rovider/jsse/OpenSSLDSAKeyFactory.java
rovider/jsse/OpenSSLECKeyFactory.java
rovider/jsse/OpenSSLRSAKeyFactory.java
|
a812f61dc1102c8089c1acd48c24b36829ce2482 |
06-Feb-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: fix more DSA/ECDSA key generation * Add hidden API to pass along the EC curve name in ECParameterSpec. The lack of name passing made KeyFactory2Test fail because the reconstructed ECDSA key had explicit curve parameters instead of an OID naming the curve. * Fix some mixing of PKCS8/X509EncodedKeySpec in DSA/ECDSA KeyFactory implementations. * Fix the KeyFactory2Test to output more useful error messages. * Remove known failure which is no longer happening. * Change EC_GROUP_get_curve_name to return the "shortName" string which matches the EC_GROUP_new_by_curve_name Bug: 3483365 Change-Id: I0a80be88bef728b2177f3593cc3421fa47b79470
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLDSAKeyFactory.java
rovider/jsse/OpenSSLECGroupContext.java
rovider/jsse/OpenSSLECKeyFactory.java
|
8c4b6ac9b5a3346af8b474949c501fbb2d464c50 |
05-Feb-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: fix some DSA/ECDSA key generation We were trying to generate a public key from a private key spec which obviously doesn't work. Also fix the error messages that indicated public key when it meant private key. Change-Id: Ifae417bc3e4c56aced5b7583a34965c7f31c9c66
rovider/jsse/OpenSSLDSAKeyFactory.java
rovider/jsse/OpenSSLECKeyFactory.java
|
fc5480d13eb8b32c325ba79ba4221df2145727b7 |
05-Feb-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: DSA keys do not always have parameters DSA keys do not always have parameters. When validating a certificate chain, the DSA key will inherit parameters from the next DSA key up the chain if DSAPublicKey#getParams() returns "null". Change-Id: I052b42219829157ebdf148abb53048044cc83f8d
rovider/jsse/OpenSSLDSAParams.java
rovider/jsse/OpenSSLDSAPublicKey.java
|
eca901e0699ed0b1026dacabc81aed33fba10ead |
04-Feb-2013 |
Kenny Root <kroot@google.com> |
OpenSSLCipher: fix short buffer error message Change-Id: I4f16bee3c57c80a113bd92509451606d5fd2b666
rovider/jsse/OpenSSLCipher.java
|
c9989de40c23c579bc9dc0231fb643436bbf73cc |
01-Feb-2013 |
Kenny Root <kroot@google.com> |
OpenSSL KeyFactory for DSA and EC Add KeyFactory for EC. Uncomment the KeyFactory for DSA. Remove useless template parameters from RSA KeyFactory. Change-Id: Id7c4d3624719b5088abf239482ba58c7a2557d61
rovider/jsse/OpenSSLECKeyFactory.java
rovider/jsse/OpenSSLECPrivateKey.java
rovider/jsse/OpenSSLECPublicKey.java
rovider/jsse/OpenSSLProvider.java
rovider/jsse/OpenSSLRSAKeyFactory.java
|
7245d2ec05c8488f0bd82720eedac6a2dda17059 |
01-Feb-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: fix Channel ID tests The NativeCryptoTest runs from a different class loader, so we need to make the OpenSSLECGroupContext public to use it from there. Also make sure we explicitly initialize the EC key at the beginning of the test. Change-Id: I733fe6263ef2ef72988987bf608cb806752033f5
rovider/jsse/OpenSSLECGroupContext.java
|
a45d02e5fbf1ec387dcb1e6c91e867d32ab36193 |
23-Jan-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: add OpenSSLSecretKey for HMAC Change-Id: Id5a77b41549944d7deffda0e2a4e60dbbd26184e
rovider/jsse/OpenSSLEngine.java
rovider/jsse/OpenSSLKey.java
rovider/jsse/OpenSSLMac.java
rovider/jsse/OpenSSLSecretKey.java
|
6914efca8fe737a753d234d7e91222da6a8cdabe |
28-Jan-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: add test base for OpenSSL ENGINEs This sets up some of the testing infrastructure to allow us to test all the ENGINE-related test paths in the NativeCrypto code. Change-Id: I21f3dbebbaa90327d48a99020ae3a3e90624cc75
rovider/jsse/NativeCrypto.java
|
0731d6d00c5e30c05e035d3ae96327029d07a606 |
22-Jan-2013 |
Kenny Root <kroot@google.com> |
OpenSSLKey: easier creation and use of OpenSSL keys For some future changes, it will be easier to convert OpenSSL objects to real objects and back from native pointers. Make it easier to add new EVP_PKEY types without adding them in if/else statements everywhere. Change-Id: I19095bfc5f00835a266f572bc62e2e8d0a8cd544
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLDSAPrivateKey.java
rovider/jsse/OpenSSLDSAPublicKey.java
rovider/jsse/OpenSSLECGroupContext.java
rovider/jsse/OpenSSLECPrivateKey.java
rovider/jsse/OpenSSLECPublicKey.java
rovider/jsse/OpenSSLEngine.java
rovider/jsse/OpenSSLKey.java
rovider/jsse/OpenSSLKeyHolder.java
rovider/jsse/OpenSSLRSAPrivateCrtKey.java
rovider/jsse/OpenSSLRSAPrivateKey.java
rovider/jsse/OpenSSLRSAPublicKey.java
rovider/jsse/OpenSSLSignature.java
rovider/jsse/OpenSSLSignatureRawRSA.java
rovider/jsse/OpenSSLSocketImpl.java
|
4b88b3ded5c026282bf3a38cc006dc5f764603a1 |
19-Jan-2013 |
Brian Carlstrom <bdc@google.com> |
Merge "Add support for TLS Channel ID to OpenSSL-backed sockets."
|
7e5832d1a709558fca80ecb25fdd0626b2d4312d |
19-Jan-2013 |
Kenny Root <kroot@google.com> |
Merge changes Idfb18017,Ifbba9fdf * changes: OpenSSLMac: fix initialization with new key HarmonyJSSE: convert byte correctly in padding check
|
0d4ee1f9b8c37fb33cd74da4efac5905ba138e45 |
19-Jan-2013 |
Kenny Root <kroot@google.com> |
OpenSSLMac: fix initialization with new key If an OpenSSLMac instance was re-initialized with a new key, it wouldn't produce correct results. Make sure to re-initialize the EVP_MD_CTX as well. Change-Id: Idfb18017407ff65866ae7e6f6fca3d646a970803
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLMac.java
|
3247af087973af299112cde32101592e86992c6f |
18-Jan-2013 |
Kenny Root <kroot@google.com> |
HarmonyJSSE: convert byte correctly in padding check This gives a better error message since the byte could be negative without the mask. Change-Id: Ifbba9fdf647b7ecf8bc300fb1034011ba8357401
rovider/jsse/ConnectionStateSSLv3.java
rovider/jsse/ConnectionStateTLS.java
|
de30700ecd96af43e2f3ee2e03f398896f5bb1e9 |
17-Jan-2013 |
Alex Klyubin <klyubin@google.com> |
Add support for TLS Channel ID to OpenSSL-backed sockets. On the client, TLS Channel ID is enabled by passing an ECDSA P-256 private key to OpenSSLSocketImpl via the new setChannelIdPrivateKey method. On the server, TLS Channel ID is enabled via the new method OpenSSLServerSocketImpl.setChannelIdEnabled. After the TLS/SSL handshake, the Channel ID can be obtained via the new method getChannelId. See http://tools.ietf.org/html/draft-balfanz-tls-channelid-00. Change-Id: I035e86d36678ae5956e6c1837afefcd668b3d750
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLServerSocketImpl.java
rovider/jsse/OpenSSLSocketImpl.java
|
90c22063c0c26c1f9762dcaa91eef2f1ae607d67 |
18-Jan-2013 |
Brian Carlstrom <bdc@google.com> |
Track new value of SSL_MODE_HANDSHAKE_CUTTHROUGH in external/openssl Change-Id: Ie5cd6d4201ce2f361384eebe37487a3586321e8b
rovider/jsse/NativeCrypto.java
|
c9acbf1c80d90952f7a4bce83e37c2540e42f6fc |
17-Jan-2013 |
Kenny Root <kroot@google.com> |
NativeCrypto: output named curves when possible When converting to ASN.1 format from a named curve, try to make sure we can output those named curves whenever possible instead of all the parameters. Also make sure we output in uncompressed point format for compatibility with other implementations. Change-Id: I3f370be694ac709f02e3043a2c1152ad4838ef41
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLECGroupContext.java
rovider/jsse/OpenSSLSocketImpl.java
|
8c4a407e34de1b348316a9175bd1c0577c887181 |
09-Jan-2013 |
Brian Carlstrom <bdc@google.com> |
verifyCertificateChain should convert unknown exceptions to CertificateException Bug: http://code.google.com/p/android/issues/detail?id=42533 Change-Id: Id0e0eb8f007987decb4fee94135be8a92d2f8981
rovider/jsse/OpenSSLSocketImpl.java
|
df99092f30a7bdc9f40f2fa0c3546a30d925edc0 |
01-Nov-2012 |
Brian Carlstrom <bdc@google.com> |
resolved conflicts for merge of eef7e935 to jb-mr1-dev-plus-aosp Change-Id: I1af764dffabdfa63bc383b606d0c86451bdf64dd
|
eef7e9357c272a9154f007e8bee2a09eed66d101 |
01-Nov-2012 |
Brian Carlstrom <bdc@google.com> |
Test to verify BC Signature algorithms by OID Bug: 7453821 Change-Id: I69408d0bb4063e34441ed1d7632fd1ccac39965b
rovider/jsse/OpenSSLProvider.java
|
9fb84f4bee364d44b1d0d425109c98e964b23ae4 |
30-Oct-2012 |
Brian Carlstrom <bdc@google.com> |
am adcea0bf: Merge "Prefer PKIX algorithm name for TrustManagerFactory and KeyManagerFactory" * commit 'adcea0bf53b5b932013d8290619f17715b33f139': Prefer PKIX algorithm name for TrustManagerFactory and KeyManagerFactory
|
c934a095e1f863f00bf6f7c0b37fbd05ebeaaff5 |
29-Oct-2012 |
Brian Carlstrom <bdc@google.com> |
Prefer PKIX algorithm name for TrustManagerFactory and KeyManagerFactory Change-Id: I3da5bdf6739c6aee5ec0174e93cd6c06d6dfeeb3
rovider/jsse/DefaultSSLContextImpl.java
rovider/jsse/JSSEProvider.java
|
c323184c9221d119b8b06a1fff6731f5119a64c0 |
16-Oct-2012 |
Kenny Root <kroot@google.com> |
am 196687f6: Merge "Use OpenSSL to convert from OID to name" * commit '196687f6ed88a0935813efec5ca49c86fd536bf2': Use OpenSSL to convert from OID to name
|
196687f6ed88a0935813efec5ca49c86fd536bf2 |
16-Oct-2012 |
Kenny Root <kroot@google.com> |
Merge "Use OpenSSL to convert from OID to name"
|
0130cf9705455a63eca0a4651986bb0806a7f5bc |
16-Oct-2012 |
Geremy Condra <gcondra@google.com> |
am f2df9e57: Merge "Adding minimum cryptographic strength check for cert chains." * commit 'f2df9e575e6f0a20b1b27f0fca6a62e2b19729b1': Adding minimum cryptographic strength check for cert chains.
|
f2df9e575e6f0a20b1b27f0fca6a62e2b19729b1 |
16-Oct-2012 |
Geremy Condra <gcondra@google.com> |
Merge "Adding minimum cryptographic strength check for cert chains."
|
200be7055e30cd0f67b79df768b71bca19c5c596 |
11-Oct-2012 |
Geremy Condra <gcondra@google.com> |
Adding minimum cryptographic strength check for cert chains. Change-Id: Id8a3fc28a07c086182183090cd79372ac81582e6
rovider/jsse/ChainStrengthAnalyzer.java
rovider/jsse/TrustManagerImpl.java
|
4a8388aeb988c5ed88f1105f9fa66a5ebd2ffbe3 |
15-Oct-2012 |
Kenny Root <kroot@google.com> |
Use OpenSSL to convert from OID to name OpenSSL has a large database of OID mappings, so fall back to it if the built-in Harmony database doesn't find it. Change-Id: I72daa0b4f697d406a0d3f8285ce20d4e9ec04d27
rovider/jsse/NativeCrypto.java
|
b762206996492843be768a7ae061bbc85b5491da |
15-Oct-2012 |
Kenny Root <kroot@google.com> |
am 70798f65: Merge "OpenSSLCipher: add ARC4 support" * commit '70798f652c21e9bec770d0b965130311a84d5959': OpenSSLCipher: add ARC4 support
|
edefa57a822c27f3e9def050fd50e375c5908551 |
02-Oct-2012 |
Kenny Root <kroot@google.com> |
OpenSSLCipher: add ARC4 support Change-Id: Iccdd76260af1afab0855816b3ccdd34fbc52295b
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLCipher.java
rovider/jsse/OpenSSLProvider.java
|
9dbe25c174d4f7e5099db1ea278513971e058ff8 |
12-Oct-2012 |
Kenny Root <kroot@google.com> |
am 0bf8e7a3: Merge "Add support for ECDSA signatures on jar files" * commit '0bf8e7a3145bbc6a32f5b88364a923af40434b61': Add support for ECDSA signatures on jar files
|
52c906b82c75e811284a1788e5ca0b4330a55a36 |
10-Oct-2012 |
Kenny Root <kroot@google.com> |
Add support for ECDSA signatures on jar files Change-Id: If928f2244b3a0809255d6619c25268beb84f76d3
rovider/jsse/OpenSSLProvider.java
|
9679c42bd37a2539b7306891cba53731c7a8b91b |
12-Oct-2012 |
Kenny Root <kroot@google.com> |
am d5d84f6c: Merge "NativeCrypto: add EC key pairs" * commit 'd5d84f6c657b9d130b4d34c77f151f425ae70ff4': NativeCrypto: add EC key pairs
|
9d2fb535e5d43ad34af09195d490da18a7694a48 |
11-Oct-2012 |
Kenny Root <kroot@google.com> |
NativeCrypto: add EC key pairs Change-Id: I8240df5ff12e38dd935258def099aed4663955ea
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLECGroupContext.java
rovider/jsse/OpenSSLECKeyPairGenerator.java
rovider/jsse/OpenSSLECPointContext.java
rovider/jsse/OpenSSLECPrivateKey.java
rovider/jsse/OpenSSLECPublicKey.java
rovider/jsse/OpenSSLProvider.java
rovider/jsse/OpenSSLSignature.java
|
46d6243e9e39a2b68b985bfd534cc891e52df274 |
09-Oct-2012 |
Brian Carlstrom <bdc@google.com> |
Change OpenSSLCipherRSA.{engineGetBlockSize,engineGetOutputSize} to return result based on key size Includes cherry-pick of 847f22adbd0e829b84491d7202dcbed5bf67a98c Bug: 7192453 Change-Id: Ib5fa1e313d942d2c1034e8e7831af285ad24d71d
rovider/jsse/OpenSSLCipherRSA.java
|
72e44404c32a98e7675a6e7cfbf856adb499a434 |
09-Oct-2012 |
Brian Carlstrom <bdc@google.com> |
Change OpenSSLCipherRSA.{engineGetBlockSize,engineGetOutputSize} to return result based on key size Includes cherry-pick of 847f22adbd0e829b84491d7202dcbed5bf67a98c Bug: 7192453 Change-Id: Ib5fa1e313d942d2c1034e8e7831af285ad24d71d
rovider/jsse/OpenSSLCipherRSA.java
|
b3bc3cd743d06f5fb59a1c950a7634b47f3cafc4 |
10-Oct-2012 |
Kenny Root <kroot@google.com> |
resolved conflicts for merge of 30d217ad to jb-mr1-dev-plus-aosp Change-Id: Iedafef8005b3d26a16f8b279408f113f3afe7a8a
|
3d1643390a0d624a27b8eccc589b337949657c76 |
10-Oct-2012 |
Kenny Root <kroot@google.com> |
Add OIDs for algorithms This allows things from a PKCS#7 container (or any other container that specifies algorithms by OID) to get an instance via OID instead of the common name. Bug: http://code.google.com/p/android/issues/detail?id=38321 Change-Id: Ie766751a3f7894a558f7e40e7d520800bf7a8a08
rovider/jsse/OpenSSLProvider.java
|
a8e0ac07166ba25fa50e83773cd18ac9f36bf18e |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
am f2c8382b: am 5a1225cc: Merge "NativeCrypto: add assertions for no OpenSSL errors" * commit 'f2c8382b0aa0fca4b79601cb21a9136b862996c2': NativeCrypto: add assertions for no OpenSSL errors
|
008e8a74088c7508b49d8ea2323deef40c5076a7 |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
NativeCrypto: add assertions for no OpenSSL errors Some calls in NativeCrypto appear to be not clearing error states. Add an assertion at the end of each test to make sure this doesn't happen. Change-Id: I9030891a8dc9e7715e65071fe949a11d7a560e56
rovider/jsse/NativeCrypto.java
|
a7789931a001d62e02dfb8238c1664cc1103609d |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
am 353e8448: am 3f83b9c8: Merge "OpenSSLCipher: account for padding on doFinal" * commit '353e84483aa2be779d3938d76890e8b218358d89': OpenSSLCipher: account for padding on doFinal
|
2d77ba4ab779bfb5dcd1ee7fe063850d51a92ca3 |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
am 9e1cd813: am 26d9dc15: Merge "Do not use OpenSSLCipherContext in tests" * commit '9e1cd813f618c738007dc7ea3eaf15ee5863a4cc': Do not use OpenSSLCipherContext in tests
|
3f83b9c80bda2de1927efaca193000ae30f22f01 |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
Merge "OpenSSLCipher: account for padding on doFinal"
|
7ca2e3509b2b8578de48ac5e226d1b675a66c69f |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
Do not use OpenSSLCipherContext in tests Change-Id: I422954e7e9a9d1021d4281a254cdd732f37ca2bf
rovider/jsse/OpenSSLCipherContext.java
|
5b5904640b44fe2fd760b5d427edeffe20f55630 |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
OpenSSLCipher: account for padding on doFinal Decrypting also needs to check padding on the last block, so special case encrypting in getOutputSize Change-Id: I0bfaf6f40f5d618e4dd1853668ec5400058e6b67
rovider/jsse/OpenSSLCipher.java
|
0804bbcc7de405ce92436cf82d72194666017b43 |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
am 206730de: am dfa280ba: Merge "OpenSSLMac: add license header" * commit '206730de97cf8f3ebbe8998a86a3f8405c34f2a4': OpenSSLMac: add license header
|
7842ba5ddb88f17c180bba8bfc32f2ef7270b382 |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
am 080cda4a: am 7ae5f93f: Merge "OpenSSLMac: new OpenSSL HMAC connector" * commit '080cda4ad77052269b3ac9a7db48cec05c49f3b4': OpenSSLMac: new OpenSSL HMAC connector
|
725daeb9049fcbe761314e6263c14608ae7bb087 |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
OpenSSLMac: add license header Change-Id: Id205d75d0c82ee33698758f1d6fbec850971322b
rovider/jsse/OpenSSLMac.java
|
7ae5f93f03f60b349f611122c4944634cfba4f39 |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
Merge "OpenSSLMac: new OpenSSL HMAC connector"
|
a9a21fc20ac86e723c141bc145f582a2ab83268a |
04-Oct-2012 |
Kenny Root <kroot@google.com> |
OpenSSLMac: new OpenSSL HMAC connector Change-Id: I6a6a9cbdcdc490a0bc1c313bbaf045a4fd99555e
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLDigestContext.java
rovider/jsse/OpenSSLMac.java
rovider/jsse/OpenSSLProvider.java
|
130e5d6b0281470f03abf810eb38aaa5aa1ca746 |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
am a0592d4e: am d0670a67: Merge "OpenSSLCipher: use OpenSSL buf_len data" * commit 'a0592d4ed7c71d5c1269d4e71611f10627fff8e7': OpenSSLCipher: use OpenSSL buf_len data
|
81508e23428cffc070132f461c1166077910e836 |
05-Oct-2012 |
Kenny Root <kroot@google.com> |
OpenSSLCipher: use OpenSSL buf_len data This allows us to exactly match other implementation outputs for the same input values. What we were doing before was technically to the API's documented behavior, but broke some other things. Change-Id: I7e95dab4a7be8d737e862f6b6ddb04f6bbcd0dbe
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLCipher.java
|
f3cf8f7daed90edec16c9c1582d60fc21723eeb6 |
04-Oct-2012 |
Kenny Root <kroot@google.com> |
am a8969127: am 77be92fe: Merge "OpenSSLCipher: don\'t explode during null decrypt" * commit 'a8969127cda9984754f758e1e3f839a83c5719f6': OpenSSLCipher: don't explode during null decrypt
|
d57f3547302678e7f61016b121530105e4fc0819 |
04-Oct-2012 |
Kenny Root <kroot@google.com> |
am 46b18865: am 7efb2a19: Merge "OpenSSLCipher: only return block size multiples" * commit '46b18865ebf78a72f5bf9faf3b33485ea3dfd6c9': OpenSSLCipher: only return block size multiples
|
77be92fe27e1cc9204b0bac3b9a9a324fd41eb57 |
04-Oct-2012 |
Kenny Root <kroot@google.com> |
Merge "OpenSSLCipher: don't explode during null decrypt"
|
e0a42275cfb7edeb10118f2ab6005bb3095f38b5 |
04-Oct-2012 |
Kenny Root <kroot@google.com> |
OpenSSLCipher: only return block size multiples There is a faulty test that called .getOutputSize(inputLen) and then used the output of that to provide inputLen for the .doFinal(...) call. Unfortunately, this is the only cipher that failed since we're not returning exact multiples of block size for .getOutputSize(...) calls. Instead we'll just return exact block size multiples so we don't run afoul of any other broken code. Change-Id: I1ca860d6df300ee67df90e575fc476d8291ec9c1
rovider/jsse/OpenSSLCipher.java
|
fac659c013ec9c2783f60afce39e83eb107f117d |
04-Oct-2012 |
Kenny Root <kroot@google.com> |
OpenSSLCipher: don't explode during null decrypt Other Cipher implementations return "null" when calling "doFinal()" during decrypt mode without having ever called .update(...) Change OpenSSLCipher to do the same. Change-Id: I76e22702a446912df125af0ff518fb123d62f5a3
rovider/jsse/OpenSSLCipher.java
|
d5db85f89e11e1ad4f78686b86d27ad26cb1c938 |
04-Oct-2012 |
Brian Carlstrom <bdc@google.com> |
am d26da2f6: am 9ac72760: Merge "OpenSSLCipher: remove buffer for partial blocks" * commit 'd26da2f66c9139280a7fbd434980b3bd8349b612': OpenSSLCipher: remove buffer for partial blocks
|
5189c980ebdc842e0e5ca7d6794b4880aa0b6cd5 |
04-Oct-2012 |
Kenny Root <kroot@google.com> |
OpenSSLCipher: remove buffer for partial blocks Some block ciphers buffer the first block used. We weren't accounting for this so we started failing with DES3. This led to another issue that OpenSSL can sometimes keep things in its internal buffer. Instead of having multiple levels of buffering, just rely on OpenSSL to do the buffering. Change-Id: I40a6c7e92e70d3c9ae530f35e8a4234f62e8d225
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLCipher.java
|
5db76d31870b0ef3ced3b0f01584118b4b9a3e3d |
03-Oct-2012 |
Kenny Root <kroot@google.com> |
am ed07842e: am db3690a2: Merge "Fix some failing unit tests" * commit 'ed07842e67e28e57c0ef596e2e1e4772d54926da': Fix some failing unit tests
|
db3690a2d37331bd48b67ba177f7fc1bb33c9276 |
03-Oct-2012 |
Kenny Root <kroot@google.com> |
Merge "Fix some failing unit tests"
|
a56d856815c0974298fbdd9210b8f5a890756add |
03-Oct-2012 |
Kenny Root <kroot@google.com> |
am bec17d88: am dac74262: Merge "OpenSSLCipher: 3DES cipher name depends on key size" * commit 'bec17d88296d0729e8f5047e91e156d2fbce3b08': OpenSSLCipher: 3DES cipher name depends on key size
|
1fe411ff4e4aa4f24158effb6dbfd786bb30048a |
03-Oct-2012 |
Kenny Root <kroot@google.com> |
Fix some failing unit tests evpCipher can be null to handle re-initialization of CIPHER_CTX instances. Make the constructor of OpenSSLCipherContext public so it can be used in testing. Fix all of the things hidden by JNI_DEBUG that were not correct. Throw a BadPaddingException when a decrypt fails. This particular error is returned by OpenSSL in evp_enc.c from EVP_DecryptFinal_ex when the padding check fails. Change-Id: I77cad024db52986fe726443cd9b3ff52430a30dd
rovider/jsse/OpenSSLCipherContext.java
|
46a749879a6d52408e51938b9e63683b238d0bee |
03-Oct-2012 |
Kenny Root <kroot@google.com> |
OpenSSLCipher: 3DES cipher name depends on key size OpenSSL doesn't infer from the key size whether to use two-key or three-key 3DES, so explicitly call it out. Change-Id: Ibd93088844e7585e72a7c7857dd2af8a150b3780
rovider/jsse/OpenSSLCipher.java
|
c2f3e11588854db37f609f60cea8ef946211a02f |
03-Oct-2012 |
Kenny Root <kroot@google.com> |
am f8dac9e9: am d85dfd8d: Merge changes I81f1bec8,I4aa6e3a2 * commit 'f8dac9e9410705895e64187fd8ad75431e147957': OpenSSLCipher: Add DESede support Add Cipher support for AES through OpenSSL
|
9961a1e1fc3cf3fa8ceab5917eb49cedc996a2f6 |
01-Oct-2012 |
Kenny Root <kroot@google.com> |
OpenSSLCipher: Add DESede support Change-Id: I81f1bec8e3562c3ed90b35a60829ca0dfc4d8341
rovider/jsse/OpenSSLCipher.java
rovider/jsse/OpenSSLProvider.java
|
13cf08b2f06e1f5f0278c449072898f5e147db49 |
24-Sep-2012 |
Kenny Root <kroot@google.com> |
Add Cipher support for AES through OpenSSL Timings using encrypt with 256-bit key in CTR mode and PKCS5Padding: implementation inputSize us linear runtime OpenSSL 16 11.4 = OpenSSL 32 12.1 = OpenSSL 64 13.2 = OpenSSL 128 15.1 = OpenSSL 1024 44.0 = OpenSSL 8192 275.0 === BouncyCastle 16 11.5 = BouncyCastle 32 15.9 = BouncyCastle 64 24.6 = BouncyCastle 128 41.5 = BouncyCastle 1024 277.2 === BouncyCastle 8192 2196.9 ============================== Change-Id: I4aa6e3a2ca2b368fab2c602733b4f97e740d04fd
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLCipher.java
rovider/jsse/OpenSSLCipherContext.java
rovider/jsse/OpenSSLProvider.java
|
0df5a7ea6de1b66a1a27678e66909b85c1e464fe |
27-Sep-2012 |
Kenny Root <kroot@google.com> |
am 96612f9c: am a233144d: Merge "Add serialization to OpenSSL-based keys" * commit '96612f9cbfe5666958ec3608a669e6c585432049': Add serialization to OpenSSL-based keys
|
d3df366d3fd59237f1fbf099e979e6843047032c |
27-Sep-2012 |
Kenny Root <kroot@google.com> |
Add serialization to OpenSSL-based keys Any OpenSSL keys that aren't ENGINE-based are serializable, so add the code to be able to keep the Serializable contract. Bug: http://code.google.com/p/android/issues/detail?id=37880 Change-Id: I6d5fd9a1c6817d97d7890e4cccd8c95253e95279
rovider/jsse/OpenSSLDSAPrivateKey.java
rovider/jsse/OpenSSLDSAPublicKey.java
rovider/jsse/OpenSSLRSAPrivateCrtKey.java
rovider/jsse/OpenSSLRSAPrivateKey.java
rovider/jsse/OpenSSLRSAPublicKey.java
|
b2fc6057db8c0c833db90f7ebe01d945213613fc |
25-Sep-2012 |
Brian Carlstrom <bdc@google.com> |
am f80f3547: am 5e05b783: Merge "Fix Generic[Stream|Generic]Cipher to Generic[Stream|Block]Cipher in comments" * commit 'f80f354718d9790ec98db3fd9377a7c40a99710f': Fix Generic[Stream|Generic]Cipher to Generic[Stream|Block]Cipher in comments
|
ca3fd60b58369806a7d02f2204e4140ab70b353e |
25-Sep-2012 |
Brian Carlstrom <bdc@google.com> |
Fix Generic[Stream|Generic]Cipher to Generic[Stream|Block]Cipher in comments Change-Id: Iee2a86c764e5bd19135b371b100865fab2690965
rovider/jsse/ConnectionState.java
|
615225a35dbd838210270b282d1196deff643b51 |
22-Sep-2012 |
Brian Carlstrom <bdc@google.com> |
Add OpenSSLSocketImpl.setSoWriteTimeout to allow SO_SNDTIMEO to be specified Bug: 6693087 Change-Id: Ie6903168ca0ada4516c55dfab5f7194baf965b4c
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
9473606aca0af1a6410b2ea396c8a6609cf16940 |
20-Sep-2012 |
Geremy Condra <gcondra@google.com> |
Add cached trust anchors to the chain prior to checking pinning. This avoids an issue where intermediate certs are assumed cached rather than provided by the server. Bug: 7195828 Change-Id: I44e033ddc40a7a259bac888bf2b873d9bb81becc
rovider/jsse/TrustManagerImpl.java
|
7b5bf805d03c2b71266886fa75513400817de9f1 |
19-Sep-2012 |
Geremy Condra <gcondra@google.com> |
Move null check for cert store to the consumer code. This allows the check to operate if TrustManagerImpl gets a non- AndroidCAStore cert store. Bug:7190096 Change-Id: I7c55e48afdbee293e08a0594ad3957b4695a6415
rovider/jsse/PinListEntry.java
|
5ab2ad7ebf828d06710868f33458fb1fbe1aa50b |
19-Sep-2012 |
Geremy Condra <gcondra@google.com> |
Migrate PinFailureLogger to use the DropBox. Also change the DropBox add* methods to be static, since they can be. Change-Id: Iedab6948754dfc0db5d432a918bdc6297e3b8f02
rovider/jsse/PinFailureLogger.java
|
924af71bb26b7c35f702de9a3425109c73184a53 |
19-Sep-2012 |
Geremy Condra <gcondra@google.com> |
Restructure logging to ease the transition to dropbox. Bug: 7190096 Change-Id: Ib16bcd47712890fd627027ebacacc511870b31b0
rovider/jsse/CertPinManager.java
rovider/jsse/PinFailureLogger.java
rovider/jsse/PinListEntry.java
rovider/jsse/TrustManagerImpl.java
|
5c9add3e84fd426fafbec289738f1f09c49aaf90 |
18-Sep-2012 |
Geremy Condra <gcondra@google.com> |
Add logging to detect cert pin failures caused by MITM proxies. Change-Id: Ie9554aaa824506a75534d888432ed8a91e14e386
rovider/jsse/TrustManagerImpl.java
rovider/jsse/TrustedCertificateStore.java
|
5a97188382a40d3345300b92147f80b230b620bc |
17-Sep-2012 |
Brian Carlstrom <bdc@google.com> |
Make PinListEntry and PinEntryException public for CertPinManagerTest Change-Id: If61f800e20613e37a076bf049c259abca1072e4b
rovider/jsse/PinEntryException.java
rovider/jsse/PinListEntry.java
|
d43b9ef11a1095967a3396b246639b563e1a4128 |
12-Sep-2012 |
Kenny Root <kroot@google.com> |
Add consistent reasons for NullPointerException Semi-automated replacement of empty and non-conforming NullPointerException reason messages. (cherry-pick of 86acc043d3334651ee26c65467d78d6cefedd397.) Change-Id: I6d893979f5c20a50e841e32af9fd7b2d8bc9d54d
rovider/jsse/FileClientSessionCache.java
|
86acc043d3334651ee26c65467d78d6cefedd397 |
12-Sep-2012 |
Kenny Root <kroot@google.com> |
Add consistent reasons for NullPointerException Semi-automated replacement of empty and non-conforming NullPointerException reason messages. Change-Id: Iedeb4b21949e973c4042ce5982dda315f2e785e1
rovider/jsse/FileClientSessionCache.java
|
e88bbba97a2a68287b93fecba822d11f272325b7 |
12-Sep-2012 |
Geremy Condra <gcondra@google.com> |
Added event logging to PinListEntry. This is done by adding a stub EventLogger that writes to the usual logs if not overriden by the framework. If it has been then we will wind up writing the code + Objects to the event log. cherry-picked from 52dc295e93679baa72f95b5b873dd21d5a2ccb32 Change-Id: I2c887c233d019910c9b018c4639a36c0808efc02
rovider/jsse/PinListEntry.java
|
6d2a17ab04ab0967e3bff7fe6280066ef66d1d76 |
11-Jun-2012 |
Geremy Condra <gcondra@google.com> |
Added basic cert pinning support. This has four main changes: First, it adds a CertPinManager to TrustManagerImpl that checks to ensure that the chain is properly pinned. Second, it adds the CertPinManager and associated classes to implement cert pinning at this level. Third, it changes the callers of checkServerTrusted to pass in a hostname where possible, allowing them to make use of the pinning transparently. Finally, it changes checkServerTrusted to return the ultimate chain that was verified, which is useful for implementing pinning at a higher level. cherry-picked from 5315f29b2de4aace0077b78f0b99634fda440b85 Change-Id: I150e010da3e2aeed57bd5330ff113d3a7fbbee2a
rovider/jsse/CertPinManager.java
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/PinEntryException.java
rovider/jsse/PinListEntry.java
rovider/jsse/PinManagerException.java
rovider/jsse/SSLSocketFactoryImpl.java
rovider/jsse/SSLSocketImpl.java
rovider/jsse/SSLSocketWrapper.java
rovider/jsse/TrustManagerImpl.java
|
fe8b870db2b374e21c69c2ff0050e6a34e0d8d94 |
05-Sep-2012 |
Brian Carlstrom <bdc@google.com> |
Tracking upgrade to bouncycastle 1.47 Change-Id: Ie1f2ae92638e81ccd7e4ec2459199e6eecdac75f
rovider/jsse/OpenSSLProvider.java
|
f0993272562ebc6e8d77024b985c45fae9f92ed4 |
12-Sep-2012 |
Brian Carlstrom <bdc@google.com> |
am a1359997: am 9f519e17: Merge "Add OpenSSLProvider support for Cipher.RSA/None/PKCS1Padding" * commit 'a1359997a83e4d1aefdb7ae23f73b61420d37964': Add OpenSSLProvider support for Cipher.RSA/None/PKCS1Padding
|
0a156e0126e8015f2791e9a7dd48bbdaeae0c335 |
12-Sep-2012 |
Brian Carlstrom <bdc@google.com> |
Add OpenSSLProvider support for Cipher.RSA/None/PKCS1Padding Summary: - Add OpenSSLProvider support for Cipher.RSA/None/PKCS1Padding Added NativeCrypto.RSA_private_decrypt and NativeCrypto.RSA_public_encrypt - Changed OpenSSLSignatureRawRSA to use new Cipher.RSA/None/PKCS1Padding Removed now obsoleted NativeCrypto APIs for RSA_padding_add_PKCS1_type_1 and RSA_padding_check_PKCS1_type_1 - added wrap/unwrap support OpenSSLCipherRSA Needed for SSLEngine (and fallback SSLSocket implementation) which are now picking up the new Cipher.RSA/None/PKCS1Padding - expanded CipherTest to sanity test all algorithms and PKCS1 padding Change-Id: I03566cc86ffce07d44d5e0094fa82c9c24587c26
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLCipherRSA.java
rovider/jsse/OpenSSLCipherRawRSA.java
rovider/jsse/OpenSSLProvider.java
rovider/jsse/OpenSSLSignatureRawRSA.java
|
c44b3f5d857d0d3f4d3668de905cdac5080ede3b |
01-Sep-2012 |
Kenny Root <kroot@google.com> |
Better OpenSSL key comparison Use native code to compare OpenSSL keys instead of converting them to Java BigIntegers first. Change-Id: If795c9c26e41174755cdab34ff70e01c7487c9bd
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLRSAPrivateCrtKey.java
rovider/jsse/OpenSSLRSAPrivateKey.java
|
7695a9b3261bfee3a810e0829bd8082fe1fcb6a4 |
30-Aug-2012 |
Brian Carlstrom <bdc@google.com> |
Disable SSL compression Bug: 7079965 Change-Id: I8e060a827613e212bbcced66507fbf124bb04543
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLServerSocketImpl.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/OpenSSLSocketImpl.java
|
796b0d2f4508e3933e53df2d372090c8634164ee |
21-Aug-2012 |
Kenny Root <kroot@google.com> |
Remember key aliases for OpenSSLKeys from ENGINEs Since it's not easy (or sometimes impossible) to retrieve key IDs for keys loaded from an ENGINE, remember them when we create them. (cherry-picked from 86bdaf9b40263efae243d685d449e1ae30b0b161) Change-Id: I3920f56214d9eade87d51d30b024f5aeda9e8344
rovider/jsse/OpenSSLDSAPrivateKey.java
rovider/jsse/OpenSSLEngine.java
rovider/jsse/OpenSSLKey.java
rovider/jsse/OpenSSLRSAPrivateKey.java
|
783004cceef470884b3ee6946cbbfc4af0f28ae7 |
20-Aug-2012 |
Brian Carlstrom <bdc@google.com> |
Restore ability for SSLSocket.close() to interrupt reads and writes SSLSocketTest.test_SSLSocket_interrupt didn't catch this regression so added new test_SSLSocket_interrupt_read to cover this case specifically. Also cleanup SSLSocketTest to use Executors like NativeCryptoTest instead of Threads for better error checking. Bug: 7014266 Change-Id: I1160cd283310a0c6197cd3271a25830e0e2b1524
rovider/jsse/OpenSSLSocketImpl.java
|
62fc526d80608925cad24c3d6d91657f63a56fcf |
16-Aug-2012 |
Kenny Root <kroot@google.com> |
Add new Android-only algos to StandardNames The ProviderTest fails if we don't add these to StandardNames. Change the name of Signature.RAWRSA to "NONEwithRSA" so it matches the convention in existing algorithms. Change-Id: Id126eca46ee3b9f9d19aee596c1babd489693c7a
rovider/jsse/OpenSSLProvider.java
|
cdad5434dff71f87b4e85c6faf6e0c30a80672d7 |
16-Aug-2012 |
Kenny Root <kroot@google.com> |
Merge "Call ENGINE_add to prevent ENGINEs from unloading"
|
106a8928fb4249f2f3d4dba1dddbe73ca5cb3d61 |
16-Aug-2012 |
Kenny Root <kroot@google.com> |
Call ENGINE_add to prevent ENGINEs from unloading The only user of the OpenSSLEngine interface is a dynamic engine (loaded from eng_dyn.c), so it will unload the .so when references to it decrease to zero. Calling ENGINE_add will add the loaded engine to the list of loaded engines. The next time ENGINE_by_id is called, it will just use the one from the list instead of loading the .so again. You can still control whether the engine is ref-counted or copied with ENGINE_set_flags(ret, ENGINE_FLAGS_BY_ID_COPY) in the engine initialization method. Change-Id: Ic005e9ea22a3c6027e3a5aab2adf41fb7995c1f0
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLEngine.java
|
84818197ed60f59a86ba8d9274e1639d222f4040 |
15-Aug-2012 |
Kenny Root <kroot@google.com> |
Do better comparisons for ENGINE-based keys ENGINE-based keys need only be compared by their modulus in actuality, because given a good random number generator each modulus should be unique. Change-Id: Iea1f19126c5ce306d63b3a1bcb05a43139a86846
rovider/jsse/OpenSSLRSAPrivateCrtKey.java
rovider/jsse/OpenSSLRSAPrivateKey.java
|
d762af619aa85042c08553425a4ca4ef7900d45a |
10-Aug-2012 |
Kenny Root <kroot@google.com> |
Fix OpenSSLCipherRawRSA doFinal array copy System.arraycopy was pointing the wrong way making calls to doFinal() with offset markers get zeroed output instead of the actual output. Also fix tests that checked RSA cipher behavior to match RI. Bug: 6951038 Change-Id: Ife84c177a2c06a2c27b98df9960cbd3c4b62d984
rovider/jsse/OpenSSLCipherRawRSA.java
|
83a7cea6ad5c5f066e55aeddd6da27d3ef5e62c1 |
07-Aug-2012 |
Kenny Root <kroot@google.com> |
Add chain building to TrustedCertificateStore Since TrustedCertificateStore has information needed, use it to build certificate chains. OpenSSL uses Authority Key Identifier in extensions to determine if the certificate is the same as itself. There are problems with key rotation when a different certificate serial signs a key with the same subject identifier. It appears to be the same with the old code, but it may generate an invalid chain. (cherry-picked from 3fb088d79e446063ef743362a030e1cfb80b2178) Change-Id: I8149bed1a0ae537f75da5dc3f3d7e3ccab353f91
rovider/jsse/TrustedCertificateStore.java
|
c5ddc93173f32383ab456c0a24739e7cb2d19c42 |
02-Aug-2012 |
Kenny Root <kroot@google.com> |
Add raw RSA Cipher to OpenSSLProvider Recent changes in the way that Android Keystore (accessed via KeyChain) necessitate all key operations be done with a provider that understands the new OpenSSLKey object. This adds Cipher support for the RSA algorithm in "RSA/ECB/NoPadding" and "RSA/None/NoPadding" modes. Change-Id: I98a8eaf3514763a863b2751bba999fbd48609c96
rovider/jsse/OpenSSLCipherRawRSA.java
rovider/jsse/OpenSSLProvider.java
|
7501e29e0182accf28cc317870a3bbe1e25f4bfa |
31-Jul-2012 |
Kenny Root <kroot@google.com> |
Add raw RSA signature support With the new Keystore changes, this is the only way you can get raw RSA signatures which a lot of native code expects to be able to do. (cherry-picked from c531f5f402b4cedcc35a0b7f0b540dc84c545106) Bug: 6787078 Change-Id: I1c5ddd5287be1ab71347eedc864a41c24e156cb4
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLProvider.java
rovider/jsse/OpenSSLSignatureRawRSA.java
|
46aabcb28b0e3b807f6db8c33173962d6f2cb71f |
12-Jun-2012 |
Kenny Root <kroot@google.com> |
Add OpenSSL provider for SHA1PRNG (cherry-pick of 4718b07e482ccb083ce3dfff228d0615b96a8dd2 and 84fb77d814b0ad04d70addb04847797925acf805.) Change-Id: Ib45c646a8596bf5ea0629408d6057d3828a1ac94
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLProvider.java
rovider/jsse/OpenSSLRandom.java
|
20484654bc7c2407da40226d5188acfc37ee1c2b |
09-Aug-2011 |
Elliott Hughes <enh@google.com> |
Remove more cruft. Unused imports and bogus comments. (cherry-pick of 9af8c0318fac8bf03ee145da01b0c38a503791fc.) Change-Id: I2bddb32028b71964407e86c4dbef5516673c27eb
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/Logger.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/ServerHandshakeImpl.java
|
52ec5bcc7d5d042d7ba6d0244d98ee72007a95e4 |
24-Jul-2012 |
Brian Carlstrom <bdc@google.com> |
Signature.verify should not throw if called twice Bug: http://code.google.com/p/android/issues/detail?id=34933 Change-Id: Iad18e46729dcd283f4cecd65994ac7b741bd3036
rovider/jsse/OpenSSLSignature.java
|
df9f5967a3b8dc2f61183d155791393b67980511 |
24-Jul-2012 |
Brian Carlstrom <bdc@google.com> |
Fix OpenSSLSocketImpl.close race Move the NativeCrypto.SSL_interrupt call within the close synchronization. Otherwise there can be problems if NativeCrypto_SSL_interrupt tries to use the SSL* and another thread has called NativeCrypto_SSL_free. Bug: 6707288 Change-Id: Id8b0311b10124f2a08f8e0f24595a6ee46805c33
rovider/jsse/OpenSSLSocketImpl.java
|
f0c85fa16995e1c715c679aea704392a162f493a |
13-Jul-2012 |
Brian Carlstrom <bdc@google.com> |
Merge "CertificateRequest should handle case where certificate is requested but none is available."
|
7c935d4e4ca990334200cf5eb4fbcfac718c6b45 |
04-Jun-2012 |
gcollins <gcollins@antennasoftware.com> |
CertificateRequest should handle case where certificate is requested but none is available. Android SSL client was not handling a CertificateRequest where there was no cert to send. It had a problem because it was assuming that if the CertificateMessage response is not null, it means there is a cert included, which is not true (if it has no cert to send an empty CertificateMessage is sent to the server). So I updated the CertificateVerify creation check to also check whether the CertificateMessage contained any certs (ClientHandshakeImpl.java). In testing I found that the same error was in the server code so I made the same change there (ServerHandshakeImpl.java). I added two test cases to SSLEngineTest - one to directly test the scenario (test_SSLEngine_clientAuthWantedNoClientCert) and one to just double-check that the server would not allow the connection if setNeedClientAuth (test_SSLEngine_clientAuthNeededNoClientCert). Bug: http://code.google.com/p/android/issues/detail?id=31903 Change-Id: Ideb57d6ccbcdd54ca24dc3063e60aba2653c8414
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/ServerHandshakeImpl.java
|
1982194cb9067e3311ac491b4d02a6ead611fd59 |
17-May-2012 |
Jesse Wilson <jessewilson@google.com> |
Change OpenSSLSocketImpl to forbid empty lists of NPN protocols. Change-Id: I65d5d7b8d69ddfd551cbbe6da063f5ac277c5f45
rovider/jsse/OpenSSLSocketImpl.java
|
679ac55c3c037887edfc6ce6f42a23cd7c11cd12 |
12-May-2012 |
Jesse Wilson <jessewilson@google.com> |
Only use SSL CUTTHROUGH (False Start) if the server supports NPN. We enable cutthrough on the client if the server supports NPN. We never enable cutthrough on the server because most relevant protocols (ie. HTTP) are client-speaks-first and those don't benefit from cutthrough on the server. I verified this by enabling NPN on both client and server and checking that the client's Application Data was sent before the server's Change Cipher Spec. To increase the likelihood of this otherwise racy situation I put the server in SSL debug mode after it receiving next_protos_advertised_callback. OpenSSL's debug mode adds a 1-second sleep before each read and write. Bug: http://b/6331035 Change-Id: I879b5fb26dc237392a36fe0585c8a6519c0e5220
rovider/jsse/OpenSSLSocketImpl.java
|
908975092f7ac7b7562f242c5fd99fbf228acf0f |
02-May-2012 |
Selim Gurun <sgurun@google.com> |
Provide key context Bug: 6249185 Make the key context available. Change-Id: I51967e2a164b3f83d5d5096add7199c3a121da06
rovider/jsse/OpenSSLDSAPrivateKey.java
rovider/jsse/OpenSSLRSAPrivateKey.java
|
88f3ec9ebfd60998eb321f8c182009dace9bf983 |
01-May-2012 |
Brian Carlstrom <bdc@google.com> |
NativeCrypto should honor timeout less than one second Bug: http://code.google.com/p/android/issues/detail?id=29680 Change-Id: I4507a1e9fe37b1c095f7bb4d3e3a55d6d738f7ad
rovider/jsse/NativeCrypto.java
|
0afb10f667ef9c19aa2ea4797af6ba0bc328f148 |
01-May-2012 |
Brian Carlstrom <bdc@google.com> |
Avoid session reuse to fix test_SSL_do_handshake_clientCertificateRequested_throws_after_renegotiate for OpenSSL 1.0.1 Bug: 6229570 Change-Id: I891d10db104fda9978310b8be3420e1729971b27
rovider/jsse/NativeCrypto.java
|
4b2058331094aa5a3b26e65026748ba406594816 |
30-Apr-2012 |
Brian Carlstrom <bdc@google.com> |
Tracking openssl-1.0.1b Change-Id: I418a5b36670c6cc72e1e6cc29add950409f97f9f
rovider/jsse/NativeCrypto.java
|
ebe87d125b8cc83238914f84f5f7aa799c0d83bd |
15-Apr-2012 |
Brian Carlstrom <bdc@google.com> |
Use SSL_CTX_set_session_id_context in ServerSessionContext Without this, OpenSSL with fail when SSLSessions are reused on an SSLServerSocket when client certificates are requested. Bug: 6329719 Change-Id: I9b14b32cccee1e5aba1215cebf81eb05a788d63b
rovider/jsse/NativeCrypto.java
rovider/jsse/ServerSessionContext.java
|
3d74b4bec8543e6e3f89eafe3afe0925f3a69f01 |
28-Mar-2012 |
Brian Carlstrom <bdc@google.com> |
Disable TLSv1.1 and TLSv1.2 by default Bug: 6234791 Change-Id: I5d829211c9e1d5672fc96e42ef603c53d789e695
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
12b42fd0252d5423e167dbccd2e09b82018b7a5b |
28-Mar-2012 |
Brian Carlstrom <bdc@google.com> |
Merge "Use WRAP/UNWRAP for key exchange"
|
b9f9831a0800adbb6b67ab5bdc62292aa034992b |
28-Mar-2012 |
Brian Carlstrom <bdc@google.com> |
Use WRAP/UNWRAP for key exchange Bug: http://code.google.com/p/android/issues/detail?id=12955 Change-Id: I1a2be021e0a22ec6a00ba354fb3f19a78c601be9
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/ServerHandshakeImpl.java
|
087043baca7e2de81bd10c7955f73f8597d7bb83 |
26-Mar-2012 |
Kenny Root <kroot@google.com> |
Merge "More support for ENGINE-based keys"
|
beac31ef5949d994a7096f20f12fcf929b06884d |
26-Mar-2012 |
Kenny Root <kroot@google.com> |
More support for ENGINE-based keys Tweak some of the parameters for RSA and DSA keys to allow ENGINE-based keys to exist without needing to define private key material. Change-Id: Ide2884d6d97636ae2178f8e789eaeec1babd9650
rovider/jsse/OpenSSLDSAParams.java
rovider/jsse/OpenSSLDSAPrivateKey.java
rovider/jsse/OpenSSLKey.java
rovider/jsse/OpenSSLRSAPrivateCrtKey.java
rovider/jsse/OpenSSLRSAPrivateKey.java
|
600dc4949de6bf5608e5f5a5214cde59299b683a |
26-Mar-2012 |
Jesse Wilson <jessewilson@google.com> |
Don't use the SSL_CTX prefix for a method that takes an SSL. The implementation is asymmetric: enabling NPN is per-context, but actually looking up the negotiated protocol is per-SSL. This caused me to screw up in following the SSL_CTX naming scheme; I applied it in too many places. Change-Id: I5bd1be334d513f220086c901527d0b8416f2ba3f
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
3a906b6e3555a999b929a129bc896f3e64afc659 |
26-Mar-2012 |
Jesse Wilson <jessewilson@google.com> |
Merge "Expose NPN in OpenSSL."
|
25977e422febea04dac9fb9c35d7271d55d3b6b8 |
23-Mar-2012 |
Jesse Wilson <jessewilson@google.com> |
Expose NPN in OpenSSL. This is derived from costin's change Ib18da136cb628515d6909c438cd0809452d7058a. It moves the protocols data to the AppData's callbacks so the memory can be released when the handshake completes. Change-Id: Id61feaa6f28250e393f5c8093688b099e92dce9c
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
5b7f91c1e6e208187cef57ab8a5de0a7f35e817f |
22-Mar-2012 |
Brian Carlstrom <bdc@google.com> |
Split OpenSSLRSAPrivateCrtKey from OpenSSLRSAPrivateKey Change-Id: I6a58044162758b3b74db5d17e9044f97dbe53bae
rovider/jsse/OpenSSLEngine.java
rovider/jsse/OpenSSLRSAKeyFactory.java
rovider/jsse/OpenSSLRSAKeyPairGenerator.java
rovider/jsse/OpenSSLRSAPrivateCrtKey.java
rovider/jsse/OpenSSLRSAPrivateKey.java
rovider/jsse/OpenSSLSignature.java
|
3e6dd45baa0d7f9b4fa06f4ade76e088b59cc7bf |
16-Mar-2012 |
Brian Carlstrom <bdc@google.com> |
Tracking openssl-1.0.1 Bug: 6168278 Change-Id: I240d2cbc91f616fd486efc5203e2221c9896d90f
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLProvider.java
rovider/jsse/OpenSSLServerSocketImpl.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/SSLRecordProtocol.java
rovider/jsse/ServerHandshakeImpl.java
|
95ae73a81948944b24aa4962e9e0ec375fae8467 |
13-Mar-2012 |
Kenny Root <kroot@google.com> |
Merge "Add support for OpenSSL engines"
|
41e34229c07e8d05090560ff80558fa222623769 |
09-Mar-2012 |
Kenny Root <kroot@google.com> |
Add support for OpenSSL engines This allows OpenSSL ENGINE to be used for RSA and DSA private key operations. Also add in support for directly passing an OpenSSLKey to the OpenSSLSocketImpl in case we are using ENGINEs. Change-Id: Ia31735109052a13e421900b69ba5de13bbce0f6f
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLDSAPrivateKey.java
rovider/jsse/OpenSSLEngine.java
rovider/jsse/OpenSSLKey.java
rovider/jsse/OpenSSLRSAPrivateKey.java
rovider/jsse/OpenSSLSocketImpl.java
|
f52b35a5bc22f53b663ea22954135b69f8636bf4 |
08-Mar-2012 |
Brian Carlstrom <bdc@google.com> |
getPeerHostName should check for null InetAddress The address can be null for SSLSockets that have not been connected. Bug: 5835165 (cherry picked from commit cb047c49abcf3b7b5c231b68431c291fe2d81b52) Change-Id: I12eb92ab0cdb42b89333361a485979c48365d5da
rovider/jsse/OpenSSLSocketImpl.java
|
ffec9b8990adcdaab295e112ca3c3ebf83488199 |
08-Mar-2012 |
Brian Carlstrom <bdc@google.com> |
Use KeyManagementException with causes to report errors Before the code would squash excecptions into null values, then turn the values back into KeyManagementException. Now the code preservers the underlying exception as the cause of the KeyManagementException. (cherry picked from commit b6d100ca03dd4c576c6735ce510cecc70d2e6617) Change-Id: Ia833145839578760ed9b49c626e8d4ab86ceacbe
rovider/jsse/SSLParametersImpl.java
|
60003bff55e4d9fa936078063bf007ffccc79553 |
16-Feb-2012 |
Selim Gurun <sgurun@google.com> |
Merge "Add a way to clear stored trusted certificates."
|
7a61ad51ba5f5a0b439b2f3eacb1e0f99f909606 |
16-Feb-2012 |
Selim Gurun <sgurun@google.com> |
Add a way to clear stored trusted certificates. Bug: 6009802 Update the TrustManagerImpl Api to allow clearing stored certificates. This is needed so we can remove CAs when credential storage is updated. Change-Id: I024f7e8b12b60ea0ee35d7f94280e0e3d6db039f
rovider/jsse/TrustManagerImpl.java
rovider/jsse/TrustedCertificateIndex.java
|
68dc9c0f9ea2913a627aa3df81f4956efa48a980 |
06-Feb-2012 |
Kenny Root <kroot@google.com> |
OpenSSL block ciphers, part 1 This implements the NativeCrypto piece necessary to do basic block cipher operations. More work will need to be done to enable useful modes. This gives us the ability to replace BouncyCastle's ECB mode that it bases the higher level CBC, CTR, etc modes on. However, calling through JNI to OpenSSL for 16-byte blocks for AES ends up being the same speed as the Java implementation. Further enhancements to use large blocks during the JNI call should show marked improvements in speed. Change-Id: I594a6d13ce5101a1ef2877b84edaa5e5b65e1e71
rovider/jsse/NativeCrypto.java
|
d036721c2ecd146acef9f36408c7a397dd0a0785 |
03-Feb-2012 |
Kenny Root <kroot@google.com> |
OpenSSL keys add hashCode, equals, and toString Change-Id: I8d0d8eac1e5a4ee455de1ed51bc8b610df1f45d7
rovider/jsse/OpenSSLDSAParams.java
rovider/jsse/OpenSSLDSAPrivateKey.java
rovider/jsse/OpenSSLDSAPublicKey.java
rovider/jsse/OpenSSLKey.java
rovider/jsse/OpenSSLRSAPrivateKey.java
rovider/jsse/OpenSSLRSAPublicKey.java
|
91bb5fbe55b854df891ff7720e30d42081dbcd58 |
03-Feb-2012 |
Kenny Root <kroot@google.com> |
Throw exceptions on wrong key type in Signature Our engine can handle both RSA and DSA, but we need to throw an error if the wrong key type is supplied after we've initialized to emulate other providers. Also, apparently OpenSSL is really flexible, because calling EVP_SignInit had the same effect as EVP_VerifyInit. Change this to be correct even though the underlying implementation in OpenSSL doesn't care. Change-Id: If9223d17909fcf86437b9669c204fc544e6d12ff
rovider/jsse/OpenSSLDSAPrivateKey.java
rovider/jsse/OpenSSLDSAPublicKey.java
rovider/jsse/OpenSSLRSAPrivateKey.java
rovider/jsse/OpenSSLRSAPublicKey.java
rovider/jsse/OpenSSLSignature.java
|
746a236e2be5dee62c482e27f4c682496d071d8b |
01-Feb-2012 |
Kenny Root <kroot@google.com> |
Add OpenSSL KeyPairGenerator and KeyFactory Refactor the way OpenSSL keys are handled so we can generate OpenSSL keys with the KeyPairGenerator and KeyFactory and pass them around without keeping the context in the OpenSSLSignature where it originated. Change-Id: Ib66bd1914e241a240cd97b1ea37e8526998107d9
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLDSAKeyFactory.java
rovider/jsse/OpenSSLDSAKeyPairGenerator.java
rovider/jsse/OpenSSLDSAParams.java
rovider/jsse/OpenSSLDSAPrivateKey.java
rovider/jsse/OpenSSLDSAPublicKey.java
rovider/jsse/OpenSSLKey.java
rovider/jsse/OpenSSLProvider.java
rovider/jsse/OpenSSLRSAKeyFactory.java
rovider/jsse/OpenSSLRSAKeyPairGenerator.java
rovider/jsse/OpenSSLRSAPrivateKey.java
rovider/jsse/OpenSSLRSAPublicKey.java
rovider/jsse/OpenSSLSignature.java
|
5b57eb538f8da8e97cf88a310d75d14dfc91624c |
31-Jan-2012 |
Kenny Root <kroot@google.com> |
Add signatures to the OpenSSLProvider Now that OpenSSLSignature is a full-fledged Signature provider, we can add it to our OpenSSLProvider. Change-Id: If8539acdf895082cef38eed97a706dbbcdff6853
rovider/jsse/OpenSSLProvider.java
rovider/jsse/OpenSSLSignature.java
|
1dfb8aa653d52268087f450e9b5a865e08b56d98 |
31-Jan-2012 |
Kenny Root <kroot@google.com> |
Add signature generation to OpenSSLSignature Change-Id: I1203516d95a937edb48959146bbec64b338e4f1e
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSignature.java
|
7eeb1d7024f830b89f17489befeb5688624ae6dd |
30-Jan-2012 |
Brian Carlstrom <bdc@google.com> |
am a5aec70a: am 806d834d: Ensure faster OpenSSLSignature is used when possible by doing proper case insensitive comparison * commit 'a5aec70ab8db56172804108077d5c9d7d8ced789': Ensure faster OpenSSLSignature is used when possible by doing proper case insensitive comparison
|
806d834df24db86be0540ce0846e03fc4d43cb0b |
28-Jan-2012 |
Brian Carlstrom <bdc@google.com> |
Ensure faster OpenSSLSignature is used when possible by doing proper case insensitive comparison Bug: 5934554 Change-Id: I640cd54c227df2bf662d484cb2af95ece4d13421
rovider/jsse/OpenSSLSignature.java
|
27c744cc67c7b155bd2d47551205fb1720e7e196 |
20-Dec-2011 |
Jesse Wilson <jessewilson@google.com> |
Support in-memory HTTPS session caching for wrapped sockets. Previously we couldn't reuse sessions with HttpsURLConnection because the host was incorrect (getInetAddress returns null for wrapped sockets) and because the compression method was different (NULL vs. ZLIB). This improves HttpsURLConnection request/response time on localhost from ~275ms to ~145ms (without connection pooling). Change-Id: I97bc343326658690b00589c0c804c2378b91ae61
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
e3df4987da1cc4af786b54e6a446687ec148d5a9 |
24-Oct-2011 |
Brian Carlstrom <bdc@google.com> |
Move OpenSSLSocketImpl.close resource cleanup into a finally clause Bug: 5466273 (cherry picked from commit d3433cea484f380ab2c889c10e9d9d3268046a6c) Change-Id: I8618be21a2227d66ea66352342b530906605160f
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
d3433cea484f380ab2c889c10e9d9d3268046a6c |
24-Oct-2011 |
Brian Carlstrom <bdc@google.com> |
Move OpenSSLSocketImpl.close resource cleanup into a finally clause Bug: 5466273 Change-Id: I64758dfd3ca1c35d08616c63982223d84fdc2759
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
3267a46b52d848e1e9e20c226512688f0c50d4c3 |
25-Aug-2011 |
Jeff Sharkey <jsharkey@android.com> |
Return real FileDescriptor in Socket wrappers. In classes that wrap another Socket, return the real FileDescriptor from the wrapped Socket. Bug: 5189186 Change-Id: I157feb6991def9110eaf0ea82365b6f5b95b9372
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/SSLSocketWrapper.java
|
29b3bd4475263c4a16c6850d45aca045ed4a926a |
24-Jul-2011 |
Jesse Wilson <jessewilson@google.com> |
Update both SSLSessions to not use AccessControlContext. When we fully removed the security manager security theatre we broke 'equals' on some AccessControlContexts that were used in map keys. Now we don't include the AccessControlContexts in the map keys. This fixes this test: tests.api.javax.net.ssl.SSLSessionBindingListenerTest#test_valueUnbound Change-Id: I685416c65056c9c540bf75c4aab5e884b66a4394
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/SSLSessionImpl.java
|
487c58a9ff0cb4c6e074b2f5d99a0c3efa54fa37 |
16-Jul-2011 |
Brian Carlstrom <bdc@google.com> |
Replace NativeCrypto.verifySignature with OpenSSLSignature Bug: http://code.google.com/p/android/issues/detail?id=18458 Bug: 5037994 Change-Id: Ie9521df80b3b50e69b5cf9e6f8eb861845b4d30e
rovider/jsse/NativeCrypto.java
|
eda571883445b108e7f9e7337e2d80f1d8329fc8 |
07-Jul-2011 |
Brian Carlstrom <bdc@google.com> |
Avoid NullPointerException with IoUtils.closeQuietly Change-Id: Ibe9ab00205701ad5eaeb3b4299f1fe4508625d1b
rovider/jsse/TrustedCertificateStore.java
|
9bb229396a11df479dbc0688de0b925d23a82869 |
02-Jul-2011 |
Brian Carlstrom <bdc@google.com> |
Merge "Small code cleanup in TrustedCertificateStore.findIssuer"
|
bd7005d38883b9917b6452bbbadbda14fd141dad |
01-Jul-2011 |
Brian Carlstrom <bdc@google.com> |
Small code cleanup in TrustedCertificateStore.findIssuer Change-Id: Ia51868df6856e14b5b82d78745c2390ce11bf6e0
rovider/jsse/TrustedCertificateStore.java
|
d8e6e701b29c32484b062933fa905601ce638513 |
01-Jul-2011 |
Brian Carlstrom <bdc@google.com> |
Updating comment to reflect move from keychain uid to system uid Bug: 4970237 Change-Id: I9d207a3d226019d8f9e584b7be7f586176a133cc
rovider/jsse/TrustedCertificateStore.java
|
638000042da777f6d628d88dadde957c52597710 |
29-Jun-2011 |
Brian Carlstrom <bdc@google.com> |
Add ExceptionCheck after all places we setCallbackState Also remove byte versions of SSL_read and SSL_write matching rest of libcore to avoid making the change in even more places. Note that testing this change required improving SSL_renegotiate which is only used for testing. Change-Id: If425764da3a36508a6c65d90eb3d36c5a018fd18
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
5f7beb162c46a281b272d11fec6fe23b8e0796c3 |
27-Jun-2011 |
Brian Carlstrom <bdc@google.com> |
TrustedCertificateStore additions for TrustedCredentials Fragment Avoid StrictMode violation by not touching file system in constructor Change-Id: Ic22387752617a5d8142c16c415b6996e62414442
rovider/jsse/TrustedCertificateStore.java
|
0c58d22d44cfb56f0c80f0fa1c69297ba45f3afc |
23-Jun-2011 |
Jesse Wilson <jessewilson@google.com> |
Don't trigger a reverse DNS lookup from a log statement. Also nuke a bunch of redundant Javadoc and promote the shutdownInput/shutdownOutput methods that always throw to SSLSocket. Change-Id: I077f7413bb6cba66be6204c68f7911b51a191643 http://code.google.com/p/android/issues/detail?id=13117 http://b/3478027
rovider/jsse/AbstractSessionContext.java
rovider/jsse/FileClientSessionCache.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/SSLSocketImpl.java
|
90b140190f219fd63ede200a63da40bf9e6ca98d |
06-Jun-2011 |
Elliott Hughes <enh@google.com> |
Remove some unnecessary cruft. Change-Id: I8d83954d42f3511a24a44a33c3b28f04af6d3b82
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/DelegatedTask.java
rovider/jsse/ServerHandshakeImpl.java
|
54709bdf6b22d02efed7d2fd967cbd4d11b3942d |
25-May-2011 |
Brian Carlstrom <bdc@google.com> |
am e2fdfbde: Merge "OpenSSLSocketImpl should tolerate X509KeyManager returning null values" * commit 'e2fdfbde569a4cc284590c92bc57dc15dcc29a9c': OpenSSLSocketImpl should tolerate X509KeyManager returning null values
|
aba5e8c281fb9c6be23229246473fa0b433dd997 |
25-May-2011 |
Brian Carlstrom <bdc@google.com> |
OpenSSLSocketImpl should tolerate X509KeyManager returning null values While this started out as the small fix in OpenSSLSocketImpl.setCertificate and the corresponding test test_SSLSocket_clientAuth_bogusAlias, the need to test the behavior of the X509KeyManager returning null on the RI led to test maintenance to get libcore.javax.net.ssl tests working on RI 7 thanks to a test dependency that was added on the new InetAddress.getLoopbackAddress(). Change-Id: I3d8ed1ce453cc3a0b53e23e39c02e6a71413649c
rovider/jsse/OpenSSLSocketImpl.java
|
c3d80a43de12b7b012d44dc2bea82f0b624e408e |
20-May-2011 |
Brian Carlstrom <bdc@google.com> |
am c77290ea: Remove IndexedPKIXParameters * commit 'c77290eaef032e5e8952d65e0456b091b6b50804': Remove IndexedPKIXParameters
|
c77290eaef032e5e8952d65e0456b091b6b50804 |
20-May-2011 |
Brian Carlstrom <bdc@google.com> |
Remove IndexedPKIXParameters Change-Id: Idaaa1952d1b6148c51b3da5d1771105e8bde8a03
rovider/jsse/IndexedPKIXParameters.java
rovider/jsse/JSSEProvider.java
rovider/jsse/RootKeyStoreSpi.java
rovider/jsse/SSLParametersImpl.java
rovider/jsse/TrustManagerImpl.java
rovider/jsse/TrustedCertificateIndex.java
rovider/jsse/TrustedCertificateKeyStoreSpi.java
rovider/jsse/TrustedCertificateStore.java
|
20024ef4bbd35a0450b9f21bd2ccfef04ce13787 |
18-May-2011 |
Brian Carlstrom <bdc@google.com> |
am 0162c72d: Merge "Simplify KeyChain API by removing now unneeded CA certificate lookup (2 of 3)" * commit '0162c72d58f1683cf0be369709de2450daab375c': Simplify KeyChain API by removing now unneeded CA certificate lookup (2 of 3)
|
17da3dfaf359de021b753570e25a033ae8927432 |
17-May-2011 |
Brian Carlstrom <bdc@google.com> |
am 3041d84e: Merge "Make CertInstaller installed CA certs trusted by applications via default TrustManager (2 of 6)" * commit '3041d84e3c0ac7711868bdd7556047a3422e3052': Make CertInstaller installed CA certs trusted by applications via default TrustManager (2 of 6)
|
dfe69fa450bb1c92c589e703c6dc72aa0e364bb3 |
17-May-2011 |
Brian Carlstrom <bdc@google.com> |
Simplify KeyChain API by removing now unneeded CA certificate lookup (2 of 3) frameworks/base Remove getCaCertificates and findIssuer from IKeyChainService, these are now done via libcore's TrustedCertificateStore (as part of the default TrustManager implementation) keystore/java/android/security/IKeyChainService.aidl Simplify KeyChain API. Now that the CA certificates are visible through the default TrustManager, the KeyChain is solely focused on retrieving PrivateKeys and their associated certificates. The calling API for KeyChain to simply a single KeyChain.get() call that returns a KeyChainResult, removing the need for a KeyChain instance that needs to be closed. keystore/java/android/security/KeyChain.java keystore/java/android/security/KeyChainResult.java master/libcore Remove getDefaultIndexedPKIXParameters and getIndexedPKIXParameters which was used as part of the prototype of looking up CAs via the KeyChain but is obsoleted by the new default TrustManager implementation. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java packages/apps/KeyChain Tracking simplified IKeyChainService, removing now unneeded implementation, updating tests. src/com/android/keychain/KeyChainService.java tests/src/com/android/keychain/tests/KeyChainServiceTest.java tests/src/com/android/keychain/tests/KeyChainTestActivity.java Change-Id: I5c0df3b67248bb8014c85a5997098d5e70fbc505
rovider/jsse/SSLParametersImpl.java
rovider/jsse/TrustManagerImpl.java
|
1b3c5388d0fffde4392007eb1b0be011a5dfae82 |
12-May-2011 |
Brian Carlstrom <bdc@google.com> |
Make CertInstaller installed CA certs trusted by applications via default TrustManager (2 of 6) frameworks/base Adding IKeyChainService APIs for CertInstaller and Settings use keystore/java/android/security/IKeyChainService.aidl libcore Improve exceptions to include more information luni/src/main/java/javax/security/auth/x500/X500Principal.java Move guts of RootKeyStoreSpi to TrustedCertificateStore, leaving only KeyStoreSpi methods. Added support for adding user CAs in a separate directory for system. Added support for removing system CAs by placing a copy in a sytem directory luni/src/main/java/org/apache/harmony/xnet/provider/jsse/RootKeyStoreSpi.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustedCertificateStore.java Formerly static methods on RootKeyStoreSpi are now instance methods on TrustedCertificateStore luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java Added test for NativeCrypto.X509_NAME_hash_old and X509_NAME_hash to make sure the implementing algorithms doe not change since TrustedCertificateStore depend on X509_NAME_hash_old (OpenSSL changed the algorithm from MD5 to SHA1 when moving from 0.9.8 to 1.0.0) luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java Extensive test of new TrustedCertificateStore behavior luni/src/test/java/org/apache/harmony/xnet/provider/jsse/TrustedCertificateStoreTest.java TestKeyStore improvements - Refactored TestKeyStore to provide simpler createCA method (and internal createCertificate) - Cleaned up to remove use of BouncyCastle specific X509Principal in the TestKeyStore API when the public X500Principal would do. - Cleaned up TestKeyStore support methods to not throw Exception to remove need for static blocks for catch clauses in tests. support/src/test/java/libcore/java/security/TestKeyStore.java luni/src/test/java/libcore/java/security/KeyStoreTest.java luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java Added private PKIXParameters contructor for use by IndexedPKIXParameters to avoid wart of having to lookup and pass a TrustAnchor to satisfy the super-class sanity check. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/IndexedPKIXParameters.java luni/src/main/java/java/security/cert/PKIXParameters.java packages/apps/CertInstaller Change CertInstaller to call IKeyChainService.installCertificate for CA certs to pass them to the KeyChainServiceTest which will make them available to all apps through the TrustedCertificateStore. Change PKCS12 extraction to use AsyncTask. src/com/android/certinstaller/CertInstaller.java Added installCaCertsToKeyChain and hasCaCerts accessor for use by CertInstaller. Use hasUserCertificate() internally. Cleanup coding style. src/com/android/certinstaller/CredentialHelper.java packages/apps/KeyChain Added MANAGE_ACCOUNTS so that IKeyChainService.reset implementation can remove KeyChain accounts. AndroidManifest.xml Implement new IKeyChainService methods: - Added IKeyChainService.installCaCertificate to install certs provided by CertInstaller using the TrustedCertificateStore. - Added IKeyChainService.reset to allow Settings to remove the KeyChain accounts so that any app granted access to keystore credentials are revoked when the keystore is reset. src/com/android/keychain/KeyChainService.java packages/apps/Settings Changed com.android.credentials.RESET credential reset action to also call IKeyChainService.reset to remove any installed user CAs and remove KeyChain accounts to have AccountManager revoke credential granted to private keys removed during the RESET. src/com/android/settings/CredentialStorage.java Added toast text value for failure case res/values/strings.xml system/core Have init create world readable /data/misc/keychain to allow apps to access user added CA certificates installed by the CertInstaller. rootdir/init.rc Change-Id: Ief57672eea38b3eece23b14c94dedb9ea4713744
rovider/jsse/IndexedPKIXParameters.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/RootKeyStoreSpi.java
rovider/jsse/TrustManagerImpl.java
rovider/jsse/TrustedCertificateStore.java
|
32b2c95c350002f67c8b3e65777161feda766b72 |
10-May-2011 |
Jesse Wilson <jessewilson@google.com> |
Dont line wrap Base64. Change-Id: I9a16a09dad9ff170921591455b17a3b738e70655
rovider/jsse/OpenSSLSessionImpl.java
|
347b2a604114602da9bc4ae040278f74d11c2f51 |
26-Apr-2011 |
Brian Carlstrom <bdc@google.com> |
Avoid loading all CA certs into Zygote memory, lazily load instead (2 of 3) Previously the CA certs stored in the BKS KeyStore at /system/etc/security/cacerts.bks was loaded in the Zygote. As the the number of CAs are started to increase, this is causing more and more memory to be used for rarely used CAs. The new AndroidCAStore KeyStore implementation reads the CAs as needed out of individual PEM certificate files. The files can be efficiently found because they are named based on a hash CA's subject name, similar to OpenSSL. Bug: 1109242 Details: build Removing old cacerts.bks from GRANDFATHERED_ALL_PREBUILT and adding new cacerts directory to core PRODUCT_PACKAGES core/legacy_prebuilts.mk target/product/core.mk libcore cacerts build changes. Move cacerts prebuilt logic to new CaCerts.mk from NativeCode.mk where it didn't make sense. Updated Android.mk's dalvik-host target to install new cacerts files. Android.mk CaCerts.mk NativeCode.mk Remove old cacerts.bks and add remove certimport.sh script used to generate it. Preserved the useful comments from certimport.sh in the new README.cacerts luni/src/main/files/cacerts.bks luni/src/main/files/certimport.sh luni/src/main/files/README.cacerts Recanonicalize cacerts files using updated vendor/google/tools/cacerts/certimport.py (See below discussion of certimport.py changes for details) luni/src/main/files/cacerts/00673b5b.0 luni/src/main/files/cacerts/03e16f6c.0 luni/src/main/files/cacerts/08aef7bb.0 luni/src/main/files/cacerts/0d188d89.0 luni/src/main/files/cacerts/10531352.0 luni/src/main/files/cacerts/111e6273.0 luni/src/main/files/cacerts/1155c94b.0 luni/src/main/files/cacerts/119afc2e.0 luni/src/main/files/cacerts/11a09b38.0 luni/src/main/files/cacerts/12d55845.0 luni/src/main/files/cacerts/17b51fe6.0 luni/src/main/files/cacerts/1920cacb.0 luni/src/main/files/cacerts/1dac3003.0 luni/src/main/files/cacerts/1dbdda5b.0 luni/src/main/files/cacerts/1dcd6f4c.0 luni/src/main/files/cacerts/1df5ec47.0 luni/src/main/files/cacerts/1e8e7201.0 luni/src/main/files/cacerts/1eb37bdf.0 luni/src/main/files/cacerts/219d9499.0 luni/src/main/files/cacerts/23f4c490.0 luni/src/main/files/cacerts/27af790d.0 luni/src/main/files/cacerts/2afc57aa.0 luni/src/main/files/cacerts/2e8714cb.0 luni/src/main/files/cacerts/2fa87019.0 luni/src/main/files/cacerts/2fb1850a.0 luni/src/main/files/cacerts/33815e15.0 luni/src/main/files/cacerts/343eb6cb.0 luni/src/main/files/cacerts/399e7759.0 luni/src/main/files/cacerts/3a3b02ce.0 luni/src/main/files/cacerts/3ad48a91.0 luni/src/main/files/cacerts/3c58f906.0 luni/src/main/files/cacerts/3c860d51.0 luni/src/main/files/cacerts/3d441de8.0 luni/src/main/files/cacerts/3e7271e8.0 luni/src/main/files/cacerts/418595b9.0 luni/src/main/files/cacerts/455f1b52.0 luni/src/main/files/cacerts/46b2fd3b.0 luni/src/main/files/cacerts/48478734.0 luni/src/main/files/cacerts/4d654d1d.0 luni/src/main/files/cacerts/4e18c148.0 luni/src/main/files/cacerts/4fbd6bfa.0 luni/src/main/files/cacerts/5021a0a2.0 luni/src/main/files/cacerts/5046c355.0 luni/src/main/files/cacerts/524d9b43.0 luni/src/main/files/cacerts/56b8a0b6.0 luni/src/main/files/cacerts/57692373.0 luni/src/main/files/cacerts/58a44af1.0 luni/src/main/files/cacerts/594f1775.0 luni/src/main/files/cacerts/5a3f0ff8.0 luni/src/main/files/cacerts/5a5372fc.0 luni/src/main/files/cacerts/5cf9d536.0 luni/src/main/files/cacerts/5e4e69e7.0 luni/src/main/files/cacerts/60afe812.0 luni/src/main/files/cacerts/635ccfd5.0 luni/src/main/files/cacerts/67495436.0 luni/src/main/files/cacerts/69105f4f.0 luni/src/main/files/cacerts/6adf0799.0 luni/src/main/files/cacerts/6e8bf996.0 luni/src/main/files/cacerts/6fcc125d.0 luni/src/main/files/cacerts/72f369af.0 luni/src/main/files/cacerts/72fa7371.0 luni/src/main/files/cacerts/74c26bd0.0 luni/src/main/files/cacerts/75680d2e.0 luni/src/main/files/cacerts/7651b327.0 luni/src/main/files/cacerts/76579174.0 luni/src/main/files/cacerts/7999be0d.0 luni/src/main/files/cacerts/7a481e66.0 luni/src/main/files/cacerts/7a819ef2.0 luni/src/main/files/cacerts/7d3cd826.0 luni/src/main/files/cacerts/7d453d8f.0 luni/src/main/files/cacerts/81b9768f.0 luni/src/main/files/cacerts/8470719d.0 luni/src/main/files/cacerts/84cba82f.0 luni/src/main/files/cacerts/85cde254.0 luni/src/main/files/cacerts/86212b19.0 luni/src/main/files/cacerts/87753b0d.0 luni/src/main/files/cacerts/882de061.0 luni/src/main/files/cacerts/895cad1a.0 luni/src/main/files/cacerts/89c02a45.0 luni/src/main/files/cacerts/8f7b96c4.0 luni/src/main/files/cacerts/9339512a.0 luni/src/main/files/cacerts/9685a493.0 luni/src/main/files/cacerts/9772ca32.0 luni/src/main/files/cacerts/9d6523ce.0 luni/src/main/files/cacerts/9dbefe7b.0 luni/src/main/files/cacerts/9f533518.0 luni/src/main/files/cacerts/a0bc6fbb.0 luni/src/main/files/cacerts/a15b3b6b.0 luni/src/main/files/cacerts/a3896b44.0 luni/src/main/files/cacerts/a7605362.0 luni/src/main/files/cacerts/a7d2cf64.0 luni/src/main/files/cacerts/ab5346f4.0 luni/src/main/files/cacerts/add67345.0 luni/src/main/files/cacerts/b0f3e76e.0 luni/src/main/files/cacerts/bc3f2570.0 luni/src/main/files/cacerts/bcdd5959.0 luni/src/main/files/cacerts/bda4cc84.0 luni/src/main/files/cacerts/bdacca6f.0 luni/src/main/files/cacerts/bf64f35b.0 luni/src/main/files/cacerts/c0cafbd2.0 luni/src/main/files/cacerts/c215bc69.0 luni/src/main/files/cacerts/c33a80d4.0 luni/src/main/files/cacerts/c527e4ab.0 luni/src/main/files/cacerts/c7e2a638.0 luni/src/main/files/cacerts/c8763593.0 luni/src/main/files/cacerts/ccc52f49.0 luni/src/main/files/cacerts/cdaebb72.0 luni/src/main/files/cacerts/cf701eeb.0 luni/src/main/files/cacerts/d16a5865.0 luni/src/main/files/cacerts/d537fba6.0 luni/src/main/files/cacerts/d64f06f3.0 luni/src/main/files/cacerts/d777342d.0 luni/src/main/files/cacerts/d8274e24.0 luni/src/main/files/cacerts/dbc54cab.0 luni/src/main/files/cacerts/ddc328ff.0 luni/src/main/files/cacerts/e48193cf.0 luni/src/main/files/cacerts/e60bf0c0.0 luni/src/main/files/cacerts/e775ed2d.0 luni/src/main/files/cacerts/e7b8d656.0 luni/src/main/files/cacerts/e8651083.0 luni/src/main/files/cacerts/ea169617.0 luni/src/main/files/cacerts/eb375c3e.0 luni/src/main/files/cacerts/ed049835.0 luni/src/main/files/cacerts/ed524cf5.0 luni/src/main/files/cacerts/ee7cd6fb.0 luni/src/main/files/cacerts/f4996e82.0 luni/src/main/files/cacerts/f58a60fe.0 luni/src/main/files/cacerts/f61bff45.0 luni/src/main/files/cacerts/f80cc7f6.0 luni/src/main/files/cacerts/fac084d7.0 luni/src/main/files/cacerts/facacbc6.0 luni/src/main/files/cacerts/fde84897.0 luni/src/main/files/cacerts/ff783690.0 Change IntegralToString.intToHexString to take width argument to allow for leading zero padding. Updated existing callers to specify 0 padding desired. Add testing of new padding functionality. luni/src/main/java/java/lang/Character.java luni/src/main/java/java/lang/Integer.java luni/src/main/java/java/lang/IntegralToString.java luni/src/test/java/libcore/java/lang/IntegralToStringTest.java Improved to throw Exceptions with proper causes luni/src/main/java/java/security/KeyStore.java luni/src/main/java/java/security/Policy.java luni/src/main/java/java/security/cert/CertificateFactory.java luni/src/main/java/javax/crypto/Cipher.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSignature.java Indentation fixes luni/src/main/java/java/security/SecureRandom.java Fix X509CRLSelector.getIssuerNames to clone result and added test to cover this. luni/src/main/java/java/security/cert/X509CRLSelector.java luni/src/test/java/libcore/java/security/cert/X509CRLSelectorTest.java Fixed bug where we created an X500Principal via a String representation instead of from its original encoded bytes. This led to a difficult to track down bug where CA 418595b9.0 where the NativeCode.X509_NAME_hash of a Harmony (but not BouncyCastle) X509Certificate would not hash to the expected value because the encoded form used an ASN.1 PrintableString instead of the UTF8String form found in the original certificate. luni/src/main/java/org/apache/harmony/security/x501/Name.java Add a new RootKeyStoreSpi and register it as the AndroidCAStore. This new read-only KeyStore implementation that looks for certificates in $ANDROID_ROOT/etc/security/cacerts/ directory, which is /system/etc/security/cacerts/ on devices. The files are stored in the directory based on the older md5 based OpenSSL X509_NAME_hash function (now referred to as X509_NAME_hash_old in OpenSSL 1.0) luni/src/main/java/org/apache/harmony/xnet/provider/jsse/RootKeyStoreSpi.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/JSSEProvider.java Added OpenSSL compatible X509_NAME_hash and X509_NAME_hash_old functions for producting an int hash value from an X500Principal. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java Changed TrustManagerFactoryImpl to use AndroidCAStore for its default KeyStore luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerFactoryImpl.java Changed TrustManagerImpl to be AndroidCAStore aware. If it detects an AndroidCAStore, it avoids generating the acceptedIssuers array at constructions, since doing so would force us to parse all certificates in the store and the value is only typically used by SSLServerSockets when requesting a client certifcate. Because we don't load all the trusted CAs into the IndexedPKIXParameters at startup in the case of AndroidCAStore, we now check for new CAs when examining the cert chain for unnecessary TrustAnchors and for a newly discovered issuer at the end of the chain before validation. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java Updated KeyStoreTest to cope with read only KeyStore. Update test_cacerts_bks (now renamed test_cacerts) to use the AndroidCAStore for validating system CA certificate validity. Register AndroidCAStore as an expected KeyStore type with StandardNames. luni/src/test/java/libcore/java/security/KeyStoreTest.java support/src/test/java/libcore/java/security/StandardNames.java Added test of X500Principal serialization while investigating Name encoding issue. However, the actual Name bug was found and verified by the new test_cacerts test. luni/src/test/java/libcore/javax/security/auth/x500/X500PrincipalTest.java vendor/google Change canonical format for checked in cacerts to have PEM certificate at the top, as required by Harmony's X.509 CertificateFactory. tools/cacerts/certimport.py Change-Id: If0c9de430f13babb07f96a1177897c536f3db08d
rovider/jsse/JSSEProvider.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSignature.java
rovider/jsse/RootKeyStoreSpi.java
rovider/jsse/TrustManagerFactoryImpl.java
rovider/jsse/TrustManagerImpl.java
|
3258b52429c7768ea91bda93c5a15257cdd390e5 |
18-Mar-2011 |
Brian Carlstrom <bdc@google.com> |
libcore key chain support Allow access to default IndexedPKIXParameters, similar to access to default TrustManager. Needed to allow framework to add/remove trusted CAs at runtime. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java Add test support for looking up a cert by an issuer for use in key chain tests. support/src/test/java/libcore/java/security/TestKeyStore.java Add test support SSLSocketFactory that sets desired client auth on each created socket. For use with MockWebServer for key chain testing. support/src/test/java/libcore/javax/net/ssl/TestSSLContext.java Change-Id: Iecdbd40c67f1673bda25a52b4e229156c805d564
rovider/jsse/SSLParametersImpl.java
rovider/jsse/TrustManagerImpl.java
|
5d3f5200f3511c9a7107bcc0a996c7afa1b39aaf |
01-Apr-2011 |
Elliott Hughes <enh@google.com> |
Don't cache the underlying Socket's underlying SocketImpl's underlying FileDescriptor in OpenSSLSocketImpl. (OpenSSLSocketImpl, of course, being a Socket, not a SocketImpl.) Bug: 4192414 git cherry-pick dc33f53f38600943c84146320c748e3c46fd2e7b Change-Id: I8f481e0fe217aac782ad9d9e9053681ad69e62ef
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
59e4744d27231f260271dbbca406e0cc39768116 |
24-Mar-2011 |
Elliott Hughes <enh@google.com> |
Add shutdown(2). Bug: 3107501 Change-Id: I30354c4cc6e86a4e7b0e3f84e95719539db1d297
rovider/jsse/SSLSocketImpl.java
|
32c2297a959b72abdb18743f0519e1d8b7c7ea88 |
17-Mar-2011 |
Elliott Hughes <enh@google.com> |
Remove bogus "super()" calls. I've left one in java.util.concurrent, since we have an upstream there. Change-Id: I60945e48a41433fc7eaef6086433ec4bf434097f
rovider/jsse/EndOfBufferException.java
rovider/jsse/EndOfSourceException.java
rovider/jsse/KeyManagerImpl.java
rovider/jsse/OpenSSLServerSocketFactoryImpl.java
rovider/jsse/OpenSSLServerSocketImpl.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/SSLEngineImpl.java
rovider/jsse/SSLServerSocketFactoryImpl.java
rovider/jsse/SSLServerSocketImpl.java
rovider/jsse/SSLSessionImpl.java
rovider/jsse/SSLSocketImpl.java
|
ff8234c90ecab9f1db368924bf92a5b16460f9b5 |
08-Mar-2011 |
Elliott Hughes <enh@google.com> |
Factor out our single-byte InputStream.read/OutputStream.write implementations. Change-Id: I00106a51a32ea84a39256d5629369170b892a039
rovider/jsse/SSLSocketImpl.java
rovider/jsse/SSLSocketOutputStream.java
|
608263018762d64a07276b7c8f58102455ccecc8 |
08-Mar-2011 |
Elliott Hughes <enh@google.com> |
Fix short writes in Socket OutputStreams. Also tidy some code and fix some comments. The OpenSSL OutputStream is already correct: it handles this in the native code. Bug: http://code.google.com/p/android/issues/detail?id=15304 Change-Id: I69645543ec01f1eecdae4418f86c3a1911c0f752
rovider/jsse/SSLSocketImpl.java
rovider/jsse/SSLSocketInputStream.java
rovider/jsse/SSLSocketOutputStream.java
|
eb8027492e81d5d3a0d1cd49494c59f9a03eeaa3 |
07-Mar-2011 |
Elliott Hughes <enh@google.com> |
Remove useless overrides of InputStream.read(byte[]) and OutputStream.write(byte[]). For the particular stream in the bug, the useless override assumes that the implementation of read(byte[], int, int) or write(byte[], int, int) doesn't do anything special. A dangerous and non-local assumption. (In the bug, we need to change the three-argument write.) Bug: http://code.google.com/p/android/issues/detail?id=15304 Change-Id: I915d4a2e20c98f8e7f5775b555ae77d496a535d0
rovider/jsse/SSLSocketInputStream.java
rovider/jsse/SSLSocketOutputStream.java
|
f5309a39506c967feda8766feeba7f7271a458cb |
25-Feb-2011 |
Elliott Hughes <enh@google.com> |
Fix more FindBugs warnings: RR_NOT_CHECKED. "This method ignores the return value of one of the variants of java.io.InputStream.read() which can return multiple bytes. If the return value is not checked, the caller will not be able to correctly handle the case where fewer bytes were read than the caller requested. This is a particularly insidious kind of bug, because in many programs, reads from input streams usually do read the full amount of data requested, causing the program to fail only sporadically." Change-Id: I7d7c62836f2037f0cbb4bb0708bd4f034a22a2fc
rovider/jsse/CertificateRequest.java
rovider/jsse/ClientHello.java
rovider/jsse/ClientKeyExchange.java
rovider/jsse/ServerHello.java
|
b16edf548fa6bb9cd93b238e7820bc92195e5e2f |
25-Feb-2011 |
Elliott Hughes <enh@google.com> |
Fix more FindBugs warnings: BC_EQUALS_METHOD_SHOULD_WORK_FOR_ALL_OBJECTS. "The equals(Object o) method shouldn't make any assumptions about the type of o. It should simply return false if o is not the same type as this." Change-Id: Ib16eb57e8876ec117634b4c9b069a4dccc61c657
rovider/jsse/AbstractSessionContext.java
rovider/jsse/ByteArray.java
rovider/jsse/ClientSessionContext.java
rovider/jsse/IndexedPKIXParameters.java
|
cfb6bd546b6a1443de313fb0abd17c2ad8c9f09f |
18-Feb-2011 |
Jesse Wilson <jessewilson@google.com> |
Merge "Remove low-hanging fruit from zygote heap." into dalvik-dev
|
21f21e9f56ab8c9abfd8728473533fcaafafeac0 |
18-Feb-2011 |
Jesse Wilson <jessewilson@google.com> |
Remove low-hanging fruit from zygote heap. Change-Id: If6b5e61089140e99babdebd5036b9c9f4ef0c1f3
rovider/jsse/IndexedPKIXParameters.java
|
6aa068b481cc4cca7765ce90fdf32f3eb2b5a77c |
18-Feb-2011 |
Elliott Hughes <enh@google.com> |
Fix various FindBugs warnings. Only the ChunkHandler and ZoneInfo ones were real bugs. The former is only called with one input value that doesn't exercise the bug, and the latter would cause us to think that a time zone that stopped using daylight time before 1970 was still using daylight time (which would defeat various optimizations, but should otherwise be harmless). The other stuff is trivia not worth individual changes. Change-Id: Ib0752560cd16edc6538d1fc2b234451a66d48171
rovider/jsse/SSLSocketInputStream.java
|
cd5770741b91e7957e893582cc7d6cd37c8ad568 |
17-Feb-2011 |
Elliott Hughes <enh@google.com> |
Fix NativeCrypto FindBugs warnings. Change-Id: I102367575b1257582bb20c659223e3f02650fda4
rovider/jsse/NativeCrypto.java
|
3a3511edad46420b4287017ac66fe4783cb804db |
11-Feb-2011 |
Jesse Wilson <jessewilson@google.com> |
Move tests from java.injected into libcore. Change-Id: Ia3fee27c8f8ca38120eea3fc2582d3e1b2504cea
rovider/jsse/ClientSessionContext.java
rovider/jsse/FileClientSessionCache.java
|
26ce8fbd8fe488cc969b08f64c56525662763dc4 |
08-Feb-2011 |
Jesse Wilson <jessewilson@google.com> |
resolved conflicts for merge of 6186821c to dalvik-dev Change-Id: Ic6f0172767d6feedb188d3a5e7488a67702ef8c4
|
6186821cb13f4ac7ff50950c813394367e021eae |
08-Feb-2011 |
Jesse Wilson <jessewilson@google.com> |
Move libcore.base classes to libcore.util and libcore.io. Change-Id: I2340a9dbad3561fa681a8ab47d4f406e72c913e3
rovider/jsse/ClientHello.java
rovider/jsse/ClientKeyExchange.java
rovider/jsse/DigitalSignature.java
rovider/jsse/KeyManagerFactoryImpl.java
rovider/jsse/Logger.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/SSLServerSocketFactoryImpl.java
rovider/jsse/SSLSessionImpl.java
rovider/jsse/SSLSocketFactoryImpl.java
rovider/jsse/TrustManagerFactoryImpl.java
|
efb32502d686b06ddf60828d9abe3d4e0577e5dc |
02-Feb-2011 |
Brian Carlstrom <bdc@google.com> |
am 4155a249: Performance improvements to NativeCrypto based MessageDigest API * commit '4155a2498a57fb09e92815f8993a70c216ddc5ec': Performance improvements to NativeCrypto based MessageDigest API
|
4155a2498a57fb09e92815f8993a70c216ddc5ec |
02-Feb-2011 |
Brian Carlstrom <bdc@google.com> |
Performance improvements to NativeCrypto based MessageDigest API NativeCrypto API improvements: - Move to using EVP_MD related native methods, some of which are derived from the EVP_MD_CTX versions with similar name. The new EVP_get_digestbyname allows one time lookup of the EVP_MD from the string name, avoiding doing it on every call to EVP_DigestInit. - EVP_MD_CTX_create is now removed, it is just done as part of EVP_DigestInit and EVP_VerifyInit to an extra JNI call. - EVP_DigestFinal now destroys the EVP_MD_CTX to avoid needing to make another call JNI call to EVP_MD_CTX_destroy. EVP_MD_CTX_destroy is kept for cases when EVP_DigestFinal is never called. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java In addition to the improved NativeCrypto API to allow better performance for callers, the implementations use of throwExceptionIfNecessary was made conditional based on the status code from various operations, which had a noticeable impact on performance compared to android.security.MessageDigest luni/src/main/native/NativeCrypto.cpp Updated MessageDigest.getInstance default implementation to use new NativeCrypto API. An EVP_MD instance is looked up at class load time for a specific digest type and then used to call NativeCrypto.EVP_DigestInit as needed, avoiding a lookup of EVP_MD for each new digest. The EVP_MD is also for a one-time lookup the digest output size in bytes, to avoid native calls for engineGetDigestLength. Finally, the creation of the EVP_MD_CTX is now lazy, only created when needed, avoiding unnecessarily create/free in reset cases such as engineDigest. See also external/bouncycastle's OpenSSLDigest implementation which had similar optimizations. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLMessageDigestJDK.java OpenSSLSignature also used EVP_MD_CTX_create, and its EVP_VerifyInit was changed similar to EVP_DigestInit to internally allocate the EVP_MD_CTX on the call to init. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSignature.java Fix test to work with arbitrary provider order luni/src/test/java/org/apache/harmony/security/tests/java/security/MessageDigest2Test.java Fix CloseGuard warnings luni/src/test/java/tests/security/MessageDigestTest.java Bug: 3392028 Change-Id: Idb266ebc0918ffd5550e0f457784256400cd2ff0
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLMessageDigestJDK.java
rovider/jsse/OpenSSLSignature.java
|
c0779d54195b5b81be9c29e1b46a18022758ef27 |
31-Jan-2011 |
Brian Carlstrom <bdc@google.com> |
am c906eaf2: am 7374d4fa: am 90ff8e2c: Remember intermediate CAs in TrustMangerImpl\'s IndexedPKIXParameters * commit 'c906eaf2617d6c8f9eb7a3578386845da390956c': Remember intermediate CAs in TrustMangerImpl's IndexedPKIXParameters
|
90ff8e2c017c4332686ff79ea9968a009a703b7e |
30-Jan-2011 |
Brian Carlstrom <bdc@google.com> |
Remember intermediate CAs in TrustMangerImpl's IndexedPKIXParameters Bug: 3404902 Change-Id: I4a3c35fd2981933c255e5d3a620675b9575083d4
rovider/jsse/IndexedPKIXParameters.java
rovider/jsse/TrustManagerImpl.java
|
4885c704f5dba084fc8abc80be390025810aa9ca |
25-Jan-2011 |
Brian Carlstrom <bdc@google.com> |
am e7291d0d: am c009a7d9: am 1c64b3ad: SSLSocket.close() should not throw an IOException if there is a problem sending a close notify * commit 'e7291d0d02c84ff650cd50297a348f61fe4978b6': SSLSocket.close() should not throw an IOException if there is a problem sending a close notify
|
1c64b3adb85345659ac60ad82216268acba18764 |
24-Jan-2011 |
Brian Carlstrom <bdc@google.com> |
SSLSocket.close() should not throw an IOException if there is a problem sending a close notify Bug: 3350645 Change-Id: I23844fc94a26175247538c95d8cddec90f368d64
rovider/jsse/OpenSSLSocketImpl.java
|
0de447809731c0b76654416d17bb0d8744dcf742 |
21-Jan-2011 |
Elliott Hughes <enh@google.com> |
Merge "Add an @hidden Byte.toHexString that does the right thing, and use it." into dalvik-dev
|
4b25199bc0b7a64a6feaa60e7d5d6b0474341234 |
21-Jan-2011 |
Elliott Hughes <enh@google.com> |
Add an @hidden Byte.toHexString that does the right thing, and use it. Turns out most callers don't actually give a toss about case anyway, since they're just for debugging output. Bug: 3371169 Change-Id: Ib8dc079be2dcbf6f2415ecb9b71d034ee71f68eb
rovider/jsse/HandshakeIODataStream.java
rovider/jsse/Logger.java
|
2932bab4ee385a107734e2a00010df3b89eda590 |
21-Jan-2011 |
Brian Carlstrom <bdc@google.com> |
am 42b5b3b2: am f8cff2f7: am 57537553: Defend against null directory list in FileClientSessionCache * commit '42b5b3b2f9d984a710388a7152bbbfabf48b9138': Defend against null directory list in FileClientSessionCache
|
57537553cb179690f40debdf1132f5ed02aa4ae3 |
20-Jan-2011 |
Brian Carlstrom <bdc@google.com> |
Defend against null directory list in FileClientSessionCache Bug: 3363561 Change-Id: Idc45f7ed85d4e2a78078f06f4d9bbf903efdac69
rovider/jsse/FileClientSessionCache.java
|
fb0ec0e650bf8be35acb0d47da0311a7c446aa33 |
14-Jan-2011 |
Elliott Hughes <enh@google.com> |
Remove useless android-changed comments. I've changed useful ones to regular comments or TODOs, as appropriate. I've left ones in code like java.util.concurrent where we really are tracking an upstream source, making the change markers useful. I've left a handful of others where I intend to actually investigate the implied TODOs before deciding how to resolve them. Change-Id: Iaf71059b818596351cf8ee5a3cf3c85586051fa6
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/KeyManagerImpl.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/SSLContextImpl.java
rovider/jsse/SSLInputStream.java
rovider/jsse/SSLParametersImpl.java
rovider/jsse/SSLSessionImpl.java
rovider/jsse/ServerHandshakeImpl.java
rovider/jsse/TrustManagerFactoryImpl.java
|
2feeee4119506ed1511942f80fc2f7eb431afab7 |
13-Jan-2011 |
Elliott Hughes <enh@google.com> |
Remove non-API uses of Vector. Change-Id: I27902950af0349619f4cb826d41db8926df0d34a
rovider/jsse/CertificateMessage.java
rovider/jsse/CertificateRequest.java
rovider/jsse/HandshakeProtocol.java
rovider/jsse/KeyManagerImpl.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/SSLSessionImpl.java
|
78e3320540c8bdcbefba5ae1222ee18f6679ab33 |
13-Jan-2011 |
Elliott Hughes <enh@google.com> |
Most callers of toLowerCase/toUpperCase should pass Locale.US to avoid problems in Turkey. Some callers should be replaced with equalsIgnoreCase instead. The one exception is StreamTokenizer, where the RI uses the default locale, which is arguably the right thing to do. No-one cares because that's legacy API, but I've added a test anyway. I've left HttpCookie and GeneralName for my co-conspirators because the appropriate resolutions aren't as obvious there... Bug: 3325637 Change-Id: Ia37a1caaa91b11763ae43e61e445adb45c30f793
rovider/jsse/HandshakeIODataStream.java
rovider/jsse/KeyManagerImpl.java
rovider/jsse/Logger.java
|
0d4ce4227fa818288b8db762b640dfa21e3162f5 |
12-Jan-2011 |
Elliott Hughes <enh@google.com> |
Change all "final static"s to "static final". Just so we sound like native speakers. Change-Id: I4d98ec7519af8c1578609945ca9d480484b82874
rovider/jsse/HandshakeProtocol.java
|
ad41624e761bcf1af9c8008eb45187fc13983717 |
07-Jan-2011 |
Elliott Hughes <enh@google.com> |
Retire SecurityManager. This change removes all the code that was calling getSecurityManager, and removes all use of AccessController.doPrivileged. It also changes the implementation of AccessController so it doesn't actually do anything; it's only there for source-level compatibility. Bug: 2585285 Change-Id: I1f0295a4f12bce0316d8073011d8593fee116f71
rovider/jsse/DelegatedTask.java
rovider/jsse/JSSEProvider.java
rovider/jsse/KeyManagerFactoryImpl.java
rovider/jsse/Logger.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/SSLServerSocketImpl.java
rovider/jsse/SSLSessionImpl.java
rovider/jsse/TrustManagerFactoryImpl.java
|
54c8a07db3c2d1670c2867ba864d351cb30fecfa |
17-Dec-2010 |
Brian Carlstrom <bdc@google.com> |
resolved conflicts for merge of 5fc737eb to master Change-Id: Ifc2a4fd44cef525709a3b9dc0a502b1a0690c6fd
|
2915378e253f08e47fe5a9bfd026cd1ca7c6c351 |
16-Dec-2010 |
Brian Carlstrom <bdc@google.com> |
HttpsURLConnection retry should not invoke X509TrustManager and HostnameVerifier more than once Summary: In 2.3, HttpsURLConnection was change to retry TLS connections as SSL connections w/o compression to deal with servers that are TLS intolerant. However, if the handshake proceeded to the point of invoking the X509TrustManager, we should not retry. Similarly, if we should not invoke the HostnameVerifier repeatedly, and need to wait until the SSL handshake has completed. Tested with (includes two new tests for this issue): libcore/luni/src/test/java/libcore/javax/net/ssl/ libcore/luni/src/test/java/libcore/java/net/URLConnectionTest.java libcore/luni/src/test/java/org/apache/harmony/luni/tests/internal/net/www/protocol/https/HttpsURLConnectionTest.java Details: HttpConnection.setupSecureSocket has been broken into two pieces. setupSecureSocket now just does the SSL handshaking. verifySecureSocketHostname now does the verification. The old HttpConnection code was careful never to assign its sslSocket field until verification was complete. A new unverifiedSocket field is added to store the sslSocket before verification is completed by verifySecureSocketHostname. luni/src/main/java/org/apache/harmony/luni/internal/net/www/protocol/http/HttpConnection.java HttpsEngine.makeConnection now skips TLS intolerant retry if the reason for the makeSslConnection failure was a CertificateException, since that implies that we failed during certification validation after initial handshaking. We also prevent retrying hostname verification by moving it out of makeSslConnection and only doing it on new SSL connections, tracking the changes to HttpConnection.setupSecureSocket mentioned above. We also now skip the redundant call to setUpTransportIO in makeSslConnection on reused SSLSockets. luni/src/main/java/org/apache/harmony/luni/internal/net/www/protocol/https/HttpsURLConnectionImpl.java Instead of throwing away the underlying CertificateExceptions, set them as the cause of the SSLExceptions. This is what the RI does in the case of X509TrustManager failures and is now used by HttpsEngine.makeConnection. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java Added new testConnectViaHttpsToUntrustedServer which makes sure that connections are not retried on certificate verification failure. luni/src/test/java/libcore/java/net/URLConnectionTest.java Added new test_SSLSocket_untrustedServer that verifies that an SSLHandshakeException is thown containing a CertificateException is thrown on certificate verification problems. luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java Added second test CA and a new TestKeyStore.getClientCA2 test key store that does not trust the primary test key stores. This is useful for negative testing and is used in the above two new tests. support/src/test/java/libcore/java/security/TestKeyStore.java Issue: http://code.google.com/p/android/issues/detail?id=13178 Bug: 3292412 Change-Id: I37136bb65f04d2bceaf2f32f542d6432c8b76ad4
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/OpenSSLSocketImpl.java
|
a1603838fe9e865575c87982e32c6343740e464c |
11-Dec-2010 |
Elliott Hughes <enh@google.com> |
Lots more bounds-checking/exception-throwing consistency. Overflow-safe checks all round, plus better detail messages. This isn't quite everything, but it's a large chunk of the work. Most notably, this is all of io and nio. There are numerous changes of exception priority here, and the harmony tests noticed a subset of them in the nio code. I've modified our checked-out copy of the tests to accept any of the throwable exceptions. Change-Id: Id185f1228fb9a1d5fc9494e78375b5623fb0fe14
rovider/jsse/OpenSSLSocketImpl.java
|
b46dab348e2007bc08abaf7ecae34d89a2474e50 |
09-Dec-2010 |
Elliott Hughes <enh@google.com> |
Rewrite all backwards comparisons. Strictly, all the ones I could find. This is everything with 0 or null on the left-hand side. Note that this touches several incorrect bounds checks, which I haven't fixed: I'm going to come back and finish that independent cleanup separately. Change-Id: Ibdb054b53df9aace47c7d2a00ff19122190053e8
rovider/jsse/OpenSSLSocketImpl.java
|
8272b935bd238a37846ea76b8fcfe297abe1c7ee |
08-Dec-2010 |
Brian Carlstrom <bdc@google.com> |
KeyManager.choose* methods should tolerate null key types This regression was found by X509KeyManagerTest and now KeyManagerFactoryTest covers it as well. The underlying problem was introduced recently when KeyManagerImpl was updated to support key types with specific signature algorithms like EC_RSA and EC_EC. Change-Id: Ic99ab10e5ba07e990dc0e8a2d257c2167f2d33bb
rovider/jsse/KeyManagerImpl.java
|
ffeba5dd766602f6e2be9caa9081744348a53c04 |
01-Dec-2010 |
Brian Carlstrom <bdc@google.com> |
Add support for TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite "TLS_EMPTY_RENEGOTIATION_INFO_SCSV" is RFC 5746's renegotiation indication signaling cipher suite value. It is not a real cipher suite. It is just an indication in the default and supported cipher suite lists indicates that the implementation supports secure renegotiation. In the RI, its presence means that the SCSV is sent in the cipher suite list to indicate secure renegotiation support and its absence means to send an empty TLS renegotiation info extension instead. However, OpenSSL doesn't provide an API to give this level of control, instead always sending the SCSV and always including the empty renegotiation info if TLS is used (as opposed to SSL). So we simply allow TLS_EMPTY_RENEGOTIATION_INFO_SCSV to be passed for compatibility as to provide the hint that we support secure renegotiation. Change-Id: I0850bea47568edcfb1f7df99d4e8a747f938406d
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLServerSocketImpl.java
rovider/jsse/OpenSSLSocketImpl.java
|
4ae3fd787741bfe1b808f447dcb0785250024119 |
19-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
Elliptic Crypto support for OpenSSLSocketImpl Summary: - Enable Elliptic Crypto support for OpenSSL based SSLSocket instances - More RI compliant usage of key types, client auth types, and server auth types - Steps toward TLS_EMPTY_RENEGOTIATION_INFO_SCSV support, currently test updates Details: Elliptic Curve changes CipherSuite updates for EC - Adding KEY_EXCHANGE_EC* and corresponding CipherSuites Updated isAnonymous, getKeyType (now renamed getServerKeyType) to handle new EC cases. Added new getAuthType for use by checkServerTrusted callers. - Restructured code to handle two SUITES_BY_CODE_* arrays - Remove KEY_EXCHANGE_DH_* definitions which unused because the corresponding CipherSuites were previously disabled. - Changed AES CipherSuites definitions to use "_CBC" to match other definitions. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java openssl EC - NativeCrypto now registers TLS_EC_* cipher suites and has update default list - Improved auth type arguments to checkClientTrusted/checkServerTrusted - NativeCrypto support for emphemeral EC keys luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java luni/src/main/native/NativeCrypto.cpp non-openssl SSL/TLS cleanups - cleanup around code trying to cope with DiffieHellman vs DH since either should work. - changed client to use new CipherSuite.getAuthType shared with NativeCrypto implementation - changed server to use CipherSuite.getKeyType luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/HandshakeProtocol.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/KeyManagerImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java Consolidate CertificateRequestType code into CipherSuite so that its shared between java and openssl implementations. This includes the KEY_TYPE_ string constants, TLS_CT_* byte constants and the 'String keyType(byte)' (now renamed getClientKeyType) code that depends on them. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CertificateRequest.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java Tests Differentiate between supported list of cipher suites openssl-based SSLSocket and SSLEngine based, since the SSLEngine code does not support EC. luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java Added testing for expected default cipher suites. Before we just ensured the values were valid. luni/src/test/java/libcore/javax/net/ssl/SSLSocketFactoryTest.java support/src/test/java/libcore/java/security/StandardNames.java Updated to handle new EC cipher suites codes. Added test for new getClientKeyType. luni/src/test/java/org/apache/harmony/xnet/provider/jsse/CipherSuiteTest.java Better use of "standard names" particularly to correctly deal with the subtle differences between key types, client auth types, and server auth types. TestKeyManager and TestTrustManager now verify the values they are passed are acceptable. support/src/test/java/libcore/java/security/StandardNames.java support/src/test/java/libcore/javax/net/ssl/TestKeyManager.java support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java Changed to timeout after 30 seconds and to log to reveal both client and server issues. support/src/test/java/libcore/javax/net/ssl/TestSSLSocketPair.java Bug: 3058375 Change-Id: I14d1d0285d591c99cc211324f3595a5be682cab1
rovider/jsse/CertificateRequest.java
rovider/jsse/CipherSuite.java
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/HandshakeProtocol.java
rovider/jsse/KeyManagerImpl.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLServerSocketImpl.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/ServerHandshakeImpl.java
|
1a3dfbe49a3dcd7c855972dadccb9226468359d5 |
29-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
am 6c78b7b9: Toward EC TLS support * commit '6c78b7b94c232063ec559436b48b33751373ecf1': Toward EC TLS support
|
6c78b7b94c232063ec559436b48b33751373ecf1 |
19-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
Toward EC TLS support Summary: - javax.net.ssl tests are now working on the RI - KeyManager can now handle EC_EC and EC_RSA - OpenSSLSocketImpl.startHandshake now works if KeyManager contains EC certificates Details: Add CipherSuite.getKeyType to provide X509KeyManager key type strings, refactored from OpenSSLServerSocketImpl.checkEnabledCipherSuites. getKeyType is now also used in OpenSSLSocketImpl.startHandshake to avoid calling setCertificate for unnecessary key types. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java New CipherSuiteTest to cover new getKeyType as well as existing functionality luni/src/test/java/org/apache/harmony/xnet/provider/jsse/CipherSuiteTest.java Add support to KeyManager implementation for key types of the form EC_EC and EC_RSA. The first part implies the KeyPair algorithm (EC in these new key types) with a potentially different signature algorithm (EC vs RSA in these) luni/src/main/java/org/apache/harmony/xnet/provider/jsse/KeyManagerImpl.java Update NativeCrypto.keyType to support EC_EC and EC_RSA in addition to EC which was added earlier. Change from array of KEY_TYPES to named KEY_TYPE_* constants. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java Overhauled KeyManagerFactoryTest to cover EC, EC_EC, EC_RSA cases luni/src/test/java/libcore/javax/net/ssl/KeyManagerFactoryTest.java support/src/test/java/libcore/java/security/StandardNames.java Changed TestKeyStore.createKeyStore from always using BKS to now use JKS on the RI between BC EC Keys and RI X509 certificates. Because JKS requires a password, we now default "password" on the RI. support/src/test/java/libcore/java/security/TestKeyStore.java luni/src/test/java/libcore/javax/net/ssl/SSLContextTest.java support/src/test/java/libcore/java/security/StandardNames.java TestKeyStore.create now accepts key types like EC_RSA. Changed TestKeyStore.createKeys to allow a PrivateKeyEntry to be specified for signing to enable creation of EC_RSA test certificate. Added getRootCertificate/rootCertificate to allow lookup of PrivateKeyEntry for signing. Changed TestKeyStore.getPrivateKey to take explicit signature algorithm to retrieve EC_EC vs EC_RSA entries. support/src/test/java/libcore/java/security/TestKeyStore.java luni/src/test/java/libcore/java/security/KeyStoreTest.java luni/src/test/java/libcore/javax/net/ssl/KeyManagerFactoryTest.java luni/src/test/java/libcore/java/security/cert/PKIXParametersTest.java luni/src/test/java/libcore/javax/net/ssl/TrustManagerFactoryTest.java luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java support/src/test/java/libcore/java/security/StandardNames.java Added support for EC cipher suites on the RI. Also test with and without new TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite which is used to specify the new TLS secure renegotiation. luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java support/src/test/java/libcore/java/security/StandardNames.java New TestKeyManager and additional logging in TestTrustManager. Logging in both is disabled by default using DevNullPrintStream. support/src/test/java/libcore/javax/net/ssl/TestKeyManager.java support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java support/src/test/java/libcore/java/io/DevNullPrintStream.java Bug: 3058375 Change-Id: Ia5e2a00a025858e10d1076b900886994b481e05a
rovider/jsse/CipherSuite.java
rovider/jsse/KeyManagerImpl.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLServerSocketImpl.java
rovider/jsse/OpenSSLSocketImpl.java
|
9d615f25f7576314ec6473b143b13d00ce52e805 |
18-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
am 57f2cc03: Test updates for Elliptic Curve * commit '57f2cc03ff2cf5d2f6413c5410680b4908d7301d': Test updates for Elliptic Curve
|
57f2cc03ff2cf5d2f6413c5410680b4908d7301d |
05-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
Test updates for Elliptic Curve Updated with Elliptic Curve (EC) (and SunPKCS11-NSS) names for use by ProviderTest support/src/test/java/libcore/java/security/StandardNames.java Enhance test_KeyStore_cacerts_bks to verify PublicKey can be retreived. Before this the test would pass even though an ECPublicKey could not be accessed. With EC support in external/bouncycastle, this test now passes. luni/src/test/java/libcore/java/security/KeyStoreTest.java New SignatureTest to cover ECDSA, replaces the old one that required a subclass per tested algorithm. luni/src/test/java/libcore/java/security/SignatureTest.java support/src/test/java/tests/security/SignatureTest.java luni/src/test/java/tests/targets/security/SignatureTestMD5withRSA.java luni/src/test/java/tests/targets/security/SignatureTestNONEwithDSA.java luni/src/test/java/tests/targets/security/SignatureTestSHA1withDSA.java luni/src/test/java/tests/targets/security/SignatureTestSHA1withRSA.java luni/src/test/java/tests/targets/security/SignatureTestSHA256withRSA.java luni/src/test/java/tests/targets/security/SignatureTestSHA384withRSA.java luni/src/test/java/tests/targets/security/SignatureTestSHA512withRSA.java luni/src/test/java/tests/targets/security/AllTests.java Improve ProviderTest logging while debugging SunPKCS11-NSS provider issues. Added some exceptions for RI missing classes. luni/src/test/java/libcore/java/security/ProviderTest.java Changed style slightly to match KeyPairGeneratorTest, where +N is used to indicated when multiples of a increments of a certain amount are required for valid key sizes. luni/src/test/java/libcore/javax/crypto/KeyGeneratorTest.java Fix test CloseGuard issues luni/src/test/java/libcore/java/security/KeyStoreTest.java Fix readability luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java Bug: 3058375 Change-Id: I99cd93ad66372e8512d993168550cc1d471d3248
rovider/jsse/ServerHandshakeImpl.java
|
de8ebcab83d48d4edc28fced9d0a8382f1ef1436 |
16-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
am 8a720cce: TrustManager should include PrivateKeyEntry CAs, OpenSSLSocketImpl close fix, and debugging improvements * commit '8a720cceee7ce319d647738dfeda3f302879f370': TrustManager should include PrivateKeyEntry CAs, OpenSSLSocketImpl close fix, and debugging improvements
|
8a720cceee7ce319d647738dfeda3f302879f370 |
16-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
TrustManager should include PrivateKeyEntry CAs, OpenSSLSocketImpl close fix, and debugging improvements Revert to older behavior of creating TrustAnchors from both PrivateKeyEntry and TrustedCertificateEntry values from the KeyStore. Added tests to better ensure this slighlt different behavior from PKIXParameters. Also create the acceptedIssuers proactively since the real memory cost is the X509Certificates which are already found in the params. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java luni/src/test/java/libcore/javax/net/ssl/TrustManagerFactoryTest.java luni/src/test/java/libcore/java/security/cert/PKIXParametersTest.java Don't just free native state on issue with startHandshake, close the SSLSocket. While the former addressed a CloseGuard issue, the latter make sure that checkOpen throws SocketExceptions and we don't leak a NullPointerException from NativeCrypto. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java Debugging improvements including minor refinements to recently added NativeCrypto logging, more verbose TestKeyStore.dump output, and a new TestTrustManager proxy class for logging X509TrustManager behavior. luni/src/main/native/NativeCrypto.cpp support/src/test/java/libcore/java/security/TestKeyStore.java support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java Change-Id: I317e1ca34d8e20c77e5cb9c5a5a58cb4ae98d829
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/TrustManagerImpl.java
|
693eacca9fa67ad79d1b35dbaad61c5ac1ac457c |
10-Nov-2010 |
Elliott Hughes <enh@google.com> |
Stop allocating empty arrays. Bug: 3166662 Change-Id: I151de373b2bf53786d19824336fa434c02b0b0e8
rovider/jsse/ClientHello.java
rovider/jsse/ClientKeyExchange.java
rovider/jsse/DigitalSignature.java
rovider/jsse/KeyManagerFactoryImpl.java
rovider/jsse/Logger.java
rovider/jsse/NativeCrypto.java
rovider/jsse/SSLServerSocketFactoryImpl.java
rovider/jsse/SSLSessionImpl.java
rovider/jsse/SSLSocketFactoryImpl.java
rovider/jsse/TrustManagerFactoryImpl.java
|
41ea5dcbab2b53238434831d2365fa65d6e911ff |
08-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
Make OpenSSLSocketFactory and SSLSocketFactory fields final Bug: 2954292 Change-Id: I4cad068d4da39a9c55ca25fad698f3ea136f2e24
rovider/jsse/OpenSSLSocketFactoryImpl.java
rovider/jsse/SSLSocketFactoryImpl.java
|
9a356d010cadf3bb3d5cf4b5502010751f602fa1 |
08-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
TrustManagerImpl.cleanupCertChain should not modify original the original chain The original frameworks/base code this was based on unconditionally copied the chain before cleaning it which I missed on initial refactoring. The code lazily makes the copy only it actually needs to modify the chain. Change-Id: I29bea6f8064d338bd625ab8ed7a89f5d96a75dfd
rovider/jsse/TrustManagerImpl.java
|
b4bb9aba620d8a363fb3617b25839093caf39cf4 |
03-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
resolved conflicts for merge of a5c608e5 to dalvik-dev Change-Id: I0319c132ec8f42782475906da267439938308e77
|
a5c608e59f9d574ea4bc65e9dff44aae2f34fd26 |
01-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
TrustManager improvements Overhaul of TrustManagerImpl - PKIXParameters can now be final in TrustManagerImpl because we always immediately create an IndexedPKIXParameters instead of only doing it in SSLParametersImpl.createDefaultTrustManager. - Use new KeyStore constructor for IndexedPKIXParameters to remove duplicate logic for creating set of TrustAnchors from a KeyStore. - Improved checkTrusted/cleanupCertChain to remove special cases for directly trusting the end cert or pruning only self signed certs. To support b/2530852, we need to stop prune the chain as soon as we find any trust anchor (using newly improved TrustManagerImpl.isTrustAnchor), which could be at the beginning, middle, or end. That means cleanupCertChain can return an empty chain if everything was trusted directly. (and we don't need to do extra checks on exception cases to see if the problem was just that the trust anchor was in the chain) - isDirectlyTrusted -> isTrustAnchor here as well, using new IndexedPKIXParameters.isTrustAnchor APIs - Fix incorrect assumption in getAcceptedIssuers that all TrustAnchor instances have non-null results for getTrustedCert. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java Removed indexing in createDefaultTrustManager since we always index now luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java Overhaul of IndexedPKIXParameters - Single map from subject X500Principal to TrustAnchors instead of two different X500Principal keyed maps to check - Removed map based on encoded cert. For b/2530852, we want to treat certs as equal if they have the same name and public key, not byte-for-byte equality, which can be done with the remaining map. Revamped isDirectlyTrusted into isTrustAnchor(cert) to perform this new name/key based comparison. - Added helper isTrustAnchor(cert, anchors) to reuse code in non-IndexedPKIXParameters case in TrustManagerImpl. - Added constructor from KeyStore - Moved anchor indexing code to index() from old constructor luni/src/main/java/org/apache/harmony/xnet/provider/jsse/IndexedPKIXParameters.java TestKeyStore.getPrivateKey allowed some existing test simplification. luni/src/test/java/libcore/java/security/KeyStoreTest.java luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java support/src/test/java/libcore/java/security/TestKeyStore.java Added missing "fail()" before catching expected exceptions. luni/src/test/java/libcore/java/security/KeyStoreTest.java Expanded KeyManagerFactoryTest to excercise ManagerFactoryParameters b/1628001 luni/src/test/java/libcore/javax/net/ssl/KeyManagerFactoryTest.java Added KeyStoreBuilderParametersTest because I thought I saw a bug in KeyStoreBuilderParameters, but this convinced me otherwise. luni/src/test/java/libcore/javax/net/ssl/KeyStoreBuilderParametersTest.java New TrustManagerFactory test modeled on expanded KeyManagerFactoryTest. test_TrustManagerFactory_intermediate specifically is targeting the new functionality of b/2530852 to handling trust anchors within the chain. luni/src/test/java/libcore/javax/net/ssl/TrustManagerFactoryTest.java support/src/test/java/libcore/java/security/StandardNames.java Some initial on tests for Elliptic Curve (b/3058375) after the RI started reporting it was supported. Removed old @KnownFailure tags. Skipped a test on the RI that it can't handle. Improved some assert messages. luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java support/src/test/java/libcore/java/security/StandardNames.java support/src/test/java/libcore/java/security/TestKeyStore.java Removed unneeded bytes->javax->bytes->java case of which can just go bytes->java directly. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java Removed super() luni/src/main/java/javax/net/ssl/KeyStoreBuilderParameters.java Made Security.secprops final luni/src/main/java/java/security/Security.java Pulled SamplingProfiler fix from dalvik-dev branch git cherry-pick --no-commit f9dc3450e8f23cab91efc9df99bb860221ac3d6c dalvik/src/main/java/dalvik/system/SamplingProfiler.java Bug: 2530852 Change-Id: I95e0c7ee6a2f66b6986b3a9da9583d1ae52f94dd
rovider/jsse/IndexedPKIXParameters.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/SSLParametersImpl.java
rovider/jsse/TrustManagerImpl.java
|
aa37a8aa3af5a638cdf4e67f9273fb8118a11dee |
01-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
Avoid races between OpenSSLSocketImpl I/O and close() The previous change: commit 5f2e6872311240319509aed64d9f58cd5b64719b Author: Brian Carlstrom <bdc@google.com> Date: Mon Aug 23 14:06:51 2010 -0700 SSLSocket.read should throw SocketException not NullPointerException added checkOpen() to throw SocketException instead of NullPointerException, but there was still a race between read/write on one thread and close on another that could allow a NullPointerException to escape. This change moves checkOpen() calls to be protected by the existing writeLock/readLock/handshakeLock synchronzied blocks to avoid this case. byte buffer error checking for read/write is also moved into the to lock region to preserve compatability as measured by the test: libcore.javax.net.ssl.SSLSocketTest#test_SSLSocket_close Bug: 3153162
rovider/jsse/OpenSSLSocketImpl.java
|
bc40740e2e9e982908696ec666cc19c77663d0b2 |
01-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
am 12e7cb01: Avoid races between OpenSSLSocketImpl I/O and close() * commit '12e7cb011c48b228cdeb2b799fff54d7fbfc6d85': Avoid races between OpenSSLSocketImpl I/O and close()
|
12e7cb011c48b228cdeb2b799fff54d7fbfc6d85 |
01-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
Avoid races between OpenSSLSocketImpl I/O and close() The previous change: commit 5f2e6872311240319509aed64d9f58cd5b64719b Author: Brian Carlstrom <bdc@google.com> Date: Mon Aug 23 14:06:51 2010 -0700 SSLSocket.read should throw SocketException not NullPointerException added checkOpen() to throw SocketException instead of NullPointerException, but there was still a race between read/write on one thread and close on another that could allow a NullPointerException to escape. This change moves checkOpen() calls to be protected by the existing writeLock/readLock/handshakeLock synchronzied blocks to avoid this case. byte buffer error checking for read/write is also moved into the to lock region to preserve compatability as measured by the test: libcore.javax.net.ssl.SSLSocketTest#test_SSLSocket_close Bug: 3153162 Change-Id: I16299f09dc91871407e88eb718073d21a816f683
rovider/jsse/OpenSSLSocketImpl.java
|
d29fddcf333997fc2d7429d531e4d934dc705c88 |
27-Oct-2010 |
Jesse Wilson <jessewilson@google.com> |
Flip 'abstract public' to 'public abstract'. Change-Id: Ice9b81c63cea4a3c08f697a28180c161a13e640e
rovider/jsse/AbstractSessionContext.java
|
5d1dfcb5e1e9a0a93a36d7d42a0270af408ef4b3 |
22-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
am 57f2ec9d: Merge "Move improved cert chain handling from CertificateChainValidator to TrustManagerImpl"
|
9ff0e556917fd66ea30224ac89f6dea7958eda1f |
20-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
Move improved cert chain handling from CertificateChainValidator to TrustManagerImpl Bug: 2658463 Change-Id: I014ebfee1f6e2f46b7a842b5bbf6549bf484f3c0
rovider/jsse/TrustManagerImpl.java
|
1d95ed8cdeeb023281dc855aa26a444aeccd1c11 |
15-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
am 49a52427: am 7e39eff6: am ed72e08a: Change SSLParametersImpl.getDefaultTrustManager to not throw checked exceptions Merge commit '49a52427c960328491105cbb08d6c3167ed34d97' into dalvik-dev * commit '49a52427c960328491105cbb08d6c3167ed34d97': Change SSLParametersImpl.getDefaultTrustManager to not throw checked exceptions
|
7f43cc3f91d9322ef85137fb25986d67f838856f |
15-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
am f97a046b: am 0dc94964: am d6e53e42: SSLParameters.getDefaultTrustManager() should lazily initialize its value Merge commit 'f97a046bfb36b5bfee49fd527d4de7cb21b211e2' into dalvik-dev * commit 'f97a046bfb36b5bfee49fd527d4de7cb21b211e2': SSLParameters.getDefaultTrustManager() should lazily initialize its value
|
49a52427c960328491105cbb08d6c3167ed34d97 |
15-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
am 7e39eff6: am ed72e08a: Change SSLParametersImpl.getDefaultTrustManager to not throw checked exceptions Merge commit '7e39eff6d4fea3af79d9fff32e620ee86ba700b4' * commit '7e39eff6d4fea3af79d9fff32e620ee86ba700b4': Change SSLParametersImpl.getDefaultTrustManager to not throw checked exceptions
|
f97a046bfb36b5bfee49fd527d4de7cb21b211e2 |
15-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
am 0dc94964: am d6e53e42: SSLParameters.getDefaultTrustManager() should lazily initialize its value Merge commit '0dc949645456739af3cbb8e3bc6221798abb00c5' * commit '0dc949645456739af3cbb8e3bc6221798abb00c5': SSLParameters.getDefaultTrustManager() should lazily initialize its value
|
ed72e08ad6ee16694681c8c2317f97de6d9f4323 |
13-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
Change SSLParametersImpl.getDefaultTrustManager to not throw checked exceptions Change-Id: Id5a042873acc0a8185567ca18ce009c06e54f38d
rovider/jsse/SSLParametersImpl.java
|
d6e53e42867824f97c9fb9c427cc188897ea9315 |
13-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
SSLParameters.getDefaultTrustManager() should lazily initialize its value Make SSLParametersImpl's defaultKeyManager, defaultTrustManager, defaultSecureRandom, and defaultParameters all use the single check idiom for initialization. Move such initialization for defaultKeyManager and defaultTrustManager out of SSLParametersImpl constructor into static functions, replacing original getDefaultTrustManager simple accessor with code that performs lazy initialization. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java dirrect -> direct luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketImpl.java hanshake -> handshake luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLRecordProtocol.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/HandshakeProtocol.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketImpl.java Bug: 2954292 Change-Id: I19bae541613666903b57fccf3e8bfef65b74d6cf
rovider/jsse/HandshakeProtocol.java
rovider/jsse/SSLParametersImpl.java
rovider/jsse/SSLRecordProtocol.java
rovider/jsse/SSLSocketImpl.java
|
12f2d8e2760b78c673b7a187b9062b3938a03147 |
12-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
Revised CloseGuard usage pattern - CloseGuard.get() instants are now "unopened" - In constructor cases, guard.open("...") is now at the end - In metod cases, guard.open("...") is now after resource acquisition - guard null pointer checks in finalizers in case constructor threw exception Bug: 2645458 Change-Id: Ieb874a8c33b347768a9fa7437b3dd16f3d56d886
rovider/jsse/OpenSSLSocketImpl.java
|
cdce865a463ec17f35c4cc1a6f71813c78e3a566 |
06-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
resolved conflicts for merge of 33cb9824 to dalvik-dev Change-Id: I36508876ffcda358379a0955f107c8706e6130e2
|
33cb9824c6950db2b6c76d7fddec9fb471316b42 |
06-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
Remove OpenSSLSocketImpl.instanceCount Its use in ActivityThread is being replaced with Debug.countInstancesOfClass(OpenSSLSocketImpl.class) Bug: 3015791 Change-Id: I26ece579f8e0fce62f17f398055b16aceaaf1b08
rovider/jsse/OpenSSLSocketImpl.java
|
f7aab022dcbfcd8f27b409ab92b4bca4a84d0b8a |
30-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
CloseGuard: finalizers for closeable objects should log complaints Introducing CloseGuard which warns when resources are implictly cleaned up by finalizers when an explicit termination method, to use the Effective Java "Issue 7: Avoid finalizers" terminology, should have been used by the caller. libcore classes that can use CloseGuard now do so. Bug: 3041575 Change-Id: I4a4e3554addaf3075c823feb0a0ff0ad1c1f6196
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/TrustManagerFactoryImpl.java
|
a7a70410e26802f3ab480b08a1ab499338cb6f7e |
03-Oct-2010 |
Jesse Wilson <jessewilson@google.com> |
Use IoUtils.closeQuietly where possible. Change-Id: I354c1e00b7068108032d09c0a1c38e29f6283fb0
rovider/jsse/FileClientSessionCache.java
|
82281cde1eaec8f299cc7d4f383f716cf9e6fe71 |
02-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
am dc825fef: am 9583c700: am cd68630d: Merge "SSL* AppData should not hold onto JNI global references" into gingerbread Merge commit 'dc825fef1519d4a65abf374e31d985cb2faf9d4a' into dalvik-dev * commit 'dc825fef1519d4a65abf374e31d985cb2faf9d4a': SSL* AppData should not hold onto JNI global references
|
dc825fef1519d4a65abf374e31d985cb2faf9d4a |
02-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
am 9583c700: am cd68630d: Merge "SSL* AppData should not hold onto JNI global references" into gingerbread Merge commit '9583c70042da95219941b430d51a9994334e49f0' * commit '9583c70042da95219941b430d51a9994334e49f0': SSL* AppData should not hold onto JNI global references
|
80b486724ca19b3c1c3c36334d06856330362f83 |
01-Oct-2010 |
Jesse Wilson <jessewilson@google.com> |
Simplify skip() to use skipByReading or the superclass where possible. Several classes were overriding InputStream.skip() but not doing anything better than the base class. These were deleted. Others were allocating skip buffers which was correct, but duplicated code with our Streams utility class. The CipherInputStream class had a skip method that always skipped 0 bytes. This has been fixed and tested. Change-Id: Ic96c600e111c11cf7364b4e0a721791d7e3c2ae1
rovider/jsse/SSLInputStream.java
rovider/jsse/SSLSocketInputStream.java
|
df9c090e85c4d052cdd17b5f981819be86a56737 |
01-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
SSL* AppData should not hold onto JNI global references Summary: NativeCrypto.SSL_do_handshake stored JNI global references in its AppData instance for use in upcalls from OpenSSL that invoke Java callbacks. However, one of the references was to the SSLHandshakeCallbacks which in the common case of OpenSSLSocketImpl is the OpenSSLSocketImpl instance itself. This meant that if code dropped the OpenSSLSocketImpl without closing (such as Apache HTTP Client), the instances would never be collected, and perhaps more importantly, file descriptors would not be closed. The fix is to pass in the objects required during a callback in all downcalls to SSL_* methods that could result in a callback and clear them on return. The existing code already did this for the JNIEnv*, so that code was expanded to handle setting the jobjects as well. Details: In the native code used to extract the FileDescriptor object from a Socket on the call to NativeCrypto.SSL_do_handshake. However, since we need this for every read and write operations, we now do this in Java to avoid the repeated overhead. NativeCrypto.SSL_do_handshake now takes a FileDescriptor, which it extracted from the Socket the convenience function using NativeCrypto.getFileDescriptor(Socket) luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java In addition to tracking changes to pass FileDescriptor and SSLHandshakeCallbacks, removed final uses of getFieldId since the code no longer needs to extract FileDescriptors itself luni/src/main/native/NativeCrypto.cpp The Socket field used to be non-null in the wrapper case and null in the non-wrapper case. To simplify things a bit, "socket == this" in the non-wrapper case. The socket field is now also final and joined by a final FileDescriptor field. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java Updated NativeCryptoTest to track FileDescriptor and SSLHandshakeCallbacks by expanding the Hooks.afterHandshake to provide them. Also changed to add a 5 second timeout to many test cases. luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java Bug: 2989218 Change-Id: Iccef92b59475f3c1929e990893579493ece9d442
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
63fcdd7e833df417cfbd60961a5167ce637f3071 |
29-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
resolved conflicts for merge of 53e83038 to master Conflicts: luni/src/main/java/java/io/FileInputStream.java luni/src/main/java/java/io/FileOutputStream.java luni/src/main/java/javax/crypto/ExemptionMechanism.java luni/src/main/java/org/apache/harmony/luni/net/PlainDatagramSocketImpl.java luni/src/main/java/org/apache/harmony/luni/net/PlainSocketImpl.java Change-Id: I0dd5da8e8cb1819cb90440c462ba307dffde8ed7
|
e2f58c9501eac730d048199906dc41fe8e4cd6e9 |
29-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
Scrub missing calls to super.finalize() Bug: 3024226 Change-Id: I6642cb9d4929ba72244529efe4ebdfa595ae4fa7
rovider/jsse/AbstractSessionContext.java
rovider/jsse/OpenSSLMessageDigestJDK.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/OpenSSLSignature.java
rovider/jsse/OpenSSLSocketImpl.java
|
d4b134ec6762fa9e85f97d2174497df5e6af8566 |
26-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
am 873c0bfb: am a1b18854: Merge "Fix OpenSSLSessionImpl.getValueNames regression" into gingerbread Merge commit '873c0bfbf627fa15dd44463f9a664b6f83c74594' * commit '873c0bfbf627fa15dd44463f9a664b6f83c74594': Fix OpenSSLSessionImpl.getValueNames regression
|
4071cf16af7a9a7234856d3ff1837df0da168c6c |
25-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
Fix OpenSSLSessionImpl.getValueNames regression In e32b21f14d52bac429a9c54fe031f9e92c911d64, the code was converted to use Objects.equals. However, because of a typo, an autoboxed Boolean was passed instead of an AccessControlContext. I reviewed the rest of the original change to make sure there were no other instances of this regression. Also cleaned up the SSLSessionTest (fixing two broken tests test_getLocalPrincipal and test_getPeerPrincipal) and fixed a whitespace issue in AccessControlContext. Change-Id: Icaee8a0c2f5f527bea7a80037fe3f99c509d9f42
rovider/jsse/OpenSSLSessionImpl.java
|
b55a9297dd1645c4924ac1afa77cbb3010191b1c |
25-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
am 51e0ec67: am e9baa585: Merge "OpenSSLSocketImpl should not call NativeCrypto.SSL_set_client_CA_list with an empty array" into gingerbread Merge commit '51e0ec67ca5e78ffd907506c780f5dfd340e9f59' * commit '51e0ec67ca5e78ffd907506c780f5dfd340e9f59': OpenSSLSocketImpl should not call NativeCrypto.SSL_set_client_CA_list with an empty array
|
0150f73ac180714cae49782e674ecb68fde12326 |
25-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
OpenSSLSocketImpl should not call NativeCrypto.SSL_set_client_CA_list with an empty array Bug: 3034616 Change-Id: Ib39ebfa737910f0ebce5ac2ad87715579bd7aa3d
rovider/jsse/OpenSSLSocketImpl.java
|
2550478eb3ff8283ebac6ba2a683fd7bbb23e3ee |
22-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
am 7452795a: am f8f14c30: am 1be19cf6: Tracking external/bouncycastle OpenSSLDigest Merge commit '7452795a3d40cac126b21f85316b36b035950371' into dalvik-dev * commit '7452795a3d40cac126b21f85316b36b035950371': Tracking external/bouncycastle OpenSSLDigest
|
1be19cf6a06834e97608dffd87c30d604b02196a |
22-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
Tracking external/bouncycastle OpenSSLDigest Making OpenSSLMessageDigestJDK final to match OpenSSLDigest version Fixing WITH_JNI_TRACE used for debugging OpenSSLDigest Bug: 3024499 Change-Id: I919749348e531d074a25e16ab13315cede4f88e5
rovider/jsse/OpenSSLMessageDigestJDK.java
|
c18fe70cc844546c7e1e34b501c185d784d7f863 |
20-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
am 7806efe8: am 862e1168: am 03fef47f: Merge "SSLSocket should respect timeout of a wrapped Socket" into gingerbread Merge commit '7806efe820ff848e99eecef68a6df4049b9eb3c5' into dalvik-dev * commit '7806efe820ff848e99eecef68a6df4049b9eb3c5': SSLSocket should respect timeout of a wrapped Socket
|
8b5d96adf89ade9a35b94032e5762e5f602c24a0 |
20-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
am fcc7302e: am 748ccde6: am dad46534: Merge "Use BufferedInputStream when reading cacerts.bks" into gingerbread Merge commit 'fcc7302ea9bbfd553188d369459428b2e8f39fb2' into dalvik-dev * commit 'fcc7302ea9bbfd553188d369459428b2e8f39fb2': Use BufferedInputStream when reading cacerts.bks
|
03fef47fc07bfc4cb2a7a154c9961cd96d910e0e |
20-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
Merge "SSLSocket should respect timeout of a wrapped Socket" into gingerbread
|
a4a95792af235d4bf3256eab3208f74fae8ec262 |
19-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
SSLSocket should respect timeout of a wrapped Socket Change to using getSoTimeout in OpenSSLSocketImpl instead of directly using the timeout field. This means the proper timeout will be used for instances of the OpenSSLSocketImplWrapper subclass, which is used when an SSLSocket is wrapped around an existing connected non-SSL Socket. The code still maintains the local timeout field, now renamed timeoutMilliseconds, which is now accesed via OpenSSLSocketImpl.getSoTimeout. Doing so prevents a getsockopt syscall that otherwise would be necessary if the super.getSoTimeout() was used. Added two unit tests for testing timeouts with SSLSockets wrapped around Socket. One is simply for getters/setters. The second makes sure the timeout is functioning when set on the underlying socket. Bug: 2973305 Change-Id: Idac52853f5d777fae5060a840eefbfe85d448e4c
rovider/jsse/OpenSSLSocketImpl.java
|
d75cf432ba5c084e39ff7a24c388ca5c1c151db7 |
19-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
Use BufferedInputStream when reading cacerts.bks Change-Id: Ibc20bdcadb5c3bc4bcebfeb96b10c42d9c05e7c8
rovider/jsse/TrustManagerFactoryImpl.java
|
fe20355288377b2d80ce5eb3aaaa548b0af04c8e |
17-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
am e3babe52: am 69a153da: am 760b683e: Restore OpenSSLMessageDigestJDK.digest reset behavior Merge commit 'e3babe523df804f88d2371645c2c7e1731411ac2' into dalvik-dev * commit 'e3babe523df804f88d2371645c2c7e1731411ac2': Restore OpenSSLMessageDigestJDK.digest reset behavior
|
760b683ed34f2e62fc4ab1d483988bee515af03e |
17-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
Restore OpenSSLMessageDigestJDK.digest reset behavior SSLEngine tests started failing due to the recent incorrect change to OpenSSLMessageDigestJDK.digest() that removed the reset of MessageDigest state on call to digest(). The problem was not that the digest was resetting, but that it was resetting to use a SHA-0 algorithm. See recent change c38b8476e7e4bd4b091d9f0e8fe8b2b972e7bc81. Change-Id: I40ef4e18a1b546eac5a487cb8a808d4897b301b0
rovider/jsse/OpenSSLMessageDigestJDK.java
|
65f89458ba2929e1e806b7463c1e36e94f75e506 |
17-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
am dc1c4756: am 156f071f: am a3a93d45: Merge "OpenSSLMessageDigestJDK.reset should not change from SHA-1 to SHA-0" into gingerbread Merge commit 'dc1c475681e06d3f9bdd9cd4aab31145ba20c542' into dalvik-dev * commit 'dc1c475681e06d3f9bdd9cd4aab31145ba20c542': OpenSSLMessageDigestJDK.reset should not change from SHA-1 to SHA-0
|
f8fd3aced841e19bf3552fe81289297302a4f3a5 |
17-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
am e6b59c28: am 9e8d51c7: am a3de55dd: Implement OpenSSLMessageDigestJDK.clone and fix OpenSSLMessageDigestJDK.digest Merge commit 'e6b59c287ed3007d76167dd9741dc683f440ed2d' into dalvik-dev * commit 'e6b59c287ed3007d76167dd9741dc683f440ed2d': Implement OpenSSLMessageDigestJDK.clone and fix OpenSSLMessageDigestJDK.digest
|
c38b8476e7e4bd4b091d9f0e8fe8b2b972e7bc81 |
17-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
OpenSSLMessageDigestJDK.reset should not change from SHA-1 to SHA-0 For SHA-1, the OpenSSLMessageDigestJDK constructor was called with the algorithm name "SHA-1", which it passed to the superclass constructor for use as the algorithm field. However, MessageDigest.getInstance would then override this value with the its own algorithm argument. In the case of getInstance("SHA"), this mean the constructor would set the value to "SHA-1" (from the OpenSSLMessageDigestJDK.SHA1 subclass constructor) which would then be overridden by getInstance to "SHA". Because the OpenSSLMessageDigestJDK would then initialize using "SHA-1", the MessageDigest worked in the common case. However, when it was MessageDigest.reset(), it called getAlgorithm() which returned "SHA", which was then passed to OpenSSL as "sha" which interpretted this as "SHA-0". The fix is to change to pass both a standard name (e.g "SHA-1") as well as openssl name expliclty (e.g. "sha1"), removing the somewhat hacky code that tried to algorithmically transform from the standard names to the openssl ones. The same fix needs to be made to OpenSSLDigest. We also are removing SHA-0 from openssl since it is unneeded and would have cause an clear error if it had been absent. Change-Id: Iaa8f5b93a572fb043fa4f2618070ebb5054f82b1
rovider/jsse/OpenSSLMessageDigestJDK.java
|
a3de55ddf81f95c7c0fc1b8767ccb1ecfa251c83 |
16-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
Implement OpenSSLMessageDigestJDK.clone and fix OpenSSLMessageDigestJDK.digest DigestInputStream2Test.test_onZ was failing because OpenSSLMessageDigestJDK did not implement Clonable - Implementing Clonable required a new NativeCrypto.EVP_MD_CTX_copy method - While adding NativeCrypto.EVP_MD_CTX_copy, noticed other methods were not properly named in NativeCrypto.EVP_MD_CTX_* convention. - Converted rest of NativeCrypto.cpp to JNI_TRACE logging while debugging DigestOutputStreamTest.test_onZ was failing because OpenSSLMessageDigestJDK.digest did an engineReset - Removing the engineReset revealed that digest() could not be called repeatedly on an OpenSSLMessageDigestJDK. Problem was that EVP_DigestFinal can only be called once per digest. - Changed engineDigest implementation to use new EVP_MD_CTX_copy to create a temp EVP_MD_CTX which can be used to retreive the digest and then discarded. Bug: 2997405 Change-Id: Ie97c22be245911300d2e729e451a9c4afdb27937
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLMessageDigestJDK.java
rovider/jsse/OpenSSLSignature.java
|
6cab4071580a4b216d943b337af118533c65e495 |
15-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
resolved conflicts for merge of 4b60175b to dalvik-dev Change-Id: I63d0c5949be0984dcd7939205463eefabde8af05
|
bb986f53228cc355f60ea933fda216842bb1df73 |
15-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
am 1ca26549: am 912db46c: am 6812a2e8: Rename internal SSLParameters to SSLParametersImpl to avoid collision with new javax.net.ssl.SSLParameters Merge commit '1ca26549fbe0f4bc171ba7bf8ab0a86ae591c618' into dalvik-dev * commit '1ca26549fbe0f4bc171ba7bf8ab0a86ae591c618': Rename internal SSLParameters to SSLParametersImpl to avoid collision with new javax.net.ssl.SSLParameters
|
ca88b4c628937cd6afc9476773cc334d6d32de8c |
15-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
am 99eec0d3: am 9b6ed9bf: am 2b6188df: Merge "Remove SSLContextImpl.engineInit(..) that takes persistent cache arguments" into gingerbread Merge commit '99eec0d31a89366c9c765db845a022fa6cf7cf42' into dalvik-dev * commit '99eec0d31a89366c9c765db845a022fa6cf7cf42': Remove SSLContextImpl.engineInit(..) that takes persistent cache arguments
|
df349b3eaf4d1fa0643ab722173bc3bf20a266f5 |
14-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
Fix HttpsURLConnectionTest failures Focusing on HttpsURLConnectionTest.test_doOutput found a number of unrelated issues, all of which are addressed by this change: - {HttpURLConnection,HttpsURLConnection}.connect not ignored on subsequent calls - OpenSSLSessionImpl.{getPeerCertificates,getPeerCertificateChain} did not include client certificate - OpenSSLSocketImpl.getSession did not skip handshake when SSLSession was already available - Fix 3 test issues in HttpsURLConnectionTest - Fix 2 test issues in NativeCryptoTest Details: HttpsURLConnectionTest tests (such as test_doOutput) that tried to call URLConnection.connect() at the end of the test were raising exception. The RI URLConnection.connect documentation says calls on connected URLConnections should be ignored. Use "connected" instead of "connection != null" as reason to ignore "connect" luni/src/main/java/org/apache/harmony/luni/internal/net/www/protocol/http/HttpURLConnectionImpl.java luni/src/main/java/org/apache/harmony/luni/internal/net/www/protocol/https/HttpsURLConnectionImpl.java Converted one caller of getPeerCertificateChain to getPeerCertificates which is the new fast path. Track OpenSSLSessionImpl change to take "java" vs "javax" certificates. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/AbstractSessionContext.java Move SSL_SESSION_get_peer_cert_chain to be SSL_get_peer_cert_chain (similar to SSL_get_certificate). The problem was that SSL_SESSION_get_peer_cert_chain used SSL_get_peer_cert_chain which in the server case did not include the client cert itself, which required a call to SSL_get_peer_certificate, which needed the SSL instance pointer. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java luni/src/main/native/NativeCrypto.cpp Improved NativeCrypto_SSL_set_verify tracing luni/src/main/native/NativeCrypto.cpp As a side effect of the move to NativeCrypto.SSL_get_peer_certificate, it no longer made sense to lazily create the peer certificate chain since the SSLSession should not depend on a particular SSL instance. The peer chain is now passed in as part of the constructor and the peerCertifcates in the OpenSSLSession can be final (also made localCertificates final). Since peerCertifcates is the newew (java not javax) API and more commonly used, it is what is created from the native code, and peerCertificateChain is not derived from peerCertifcates instead of vice versa. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java Factored out code to used to create local certificate chain to from array of DER byte arrays into createCertChain so it can be reused to create peer certificate chain. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java Fix OpenSSLSocketImpl.getSession to check for existing sslSession to and skip handshake, which was causing an exception if the connection had already been closed. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java Fix test issues: Removed PrintStream wrapper of System.out which was causing vogar to lose output. Added null check in closeSocket, which can happen in timeout case. Removed use of InputStream.available which in OpenSSLSocket case returned 0, causing test to fail incorrectly. luni/src/test/java/org/apache/harmony/luni/tests/internal/net/www/protocol/https/HttpsURLConnectionTest.java Updating to track change to SSL_get_peer_cert_chain. Also fixed some other unrelated test failures caused by IOException on shutdown and false start (aka SSL_MODE_HANDSHAKE_CUTTHROUGH) causing clientCallback.handshakeCompleted to be false. luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java Bug: b/2981767 Change-Id: Id083beb6496558296c2f74f51ab0970e158b23a9
rovider/jsse/AbstractSessionContext.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/OpenSSLSocketImpl.java
|
6812a2e8bb43d9a875633a9ba255d9882c63e327 |
14-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
Rename internal SSLParameters to SSLParametersImpl to avoid collision with new javax.net.ssl.SSLParameters Bug: 2672817 Change-Id: Iadf21b848eaf8850fce22721b9ba3739ab2e9fca
rovider/jsse/HandshakeProtocol.java
rovider/jsse/OpenSSLServerSocketFactoryImpl.java
rovider/jsse/OpenSSLServerSocketImpl.java
rovider/jsse/OpenSSLSocketFactoryImpl.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/OpenSSLSocketImplWrapper.java
rovider/jsse/SSLContextImpl.java
rovider/jsse/SSLEngineImpl.java
rovider/jsse/SSLParameters.java
rovider/jsse/SSLParametersImpl.java
rovider/jsse/SSLServerSocketFactoryImpl.java
rovider/jsse/SSLServerSocketImpl.java
rovider/jsse/SSLSocketFactoryImpl.java
rovider/jsse/SSLSocketImpl.java
rovider/jsse/SSLSocketWrapper.java
|
ca99759b4f2aac2f796b430b74a8d3caff9d484a |
14-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
Remove SSLContextImpl.engineInit(..) that takes persistent cache arguments Bug: 2672817 Change-Id: I201815857e4452498c746139b8d64b7721bc22cc
rovider/jsse/SSLContextImpl.java
|
d41c277b12ce7b63bf93cfad48d5280c8d036712 |
09-Sep-2010 |
Brad Fitzpatrick <bradfitz@android.com> |
am e00dd470: am f9efa849: am 5900e554: Use BlockGuard for OpenSSL sockets. Merge commit 'e00dd4703c3b7e895059ba7cc7399dda0cba2580' into dalvik-dev * commit 'e00dd4703c3b7e895059ba7cc7399dda0cba2580': Use BlockGuard for OpenSSL sockets.
|
5900e5546059f05d5e58e5732e4d08d83b8b7574 |
09-Sep-2010 |
Brad Fitzpatrick <bradfitz@android.com> |
Use BlockGuard for OpenSSL sockets. StrictMode wasn't catching network usage via SSL. Bug: 2976407 Change-Id: I31fe09861e3aca7b26724b94af88687fb6b9442b
rovider/jsse/OpenSSLSocketImpl.java
|
6670318007799f403594f0760382b8c23f7dda0f |
02-Sep-2010 |
Jesse Wilson <jessewilson@google.com> |
Make fields final where possible. See http://b/issue?id=2099637 Change-Id: I2a237d876c7acbe629e69d5c31d05737908f4606
rovider/jsse/ProtocolVersion.java
rovider/jsse/SSLRecordProtocol.java
|
ae43834bd7046b4758d086bd8264a556b99ac5ea |
01-Sep-2010 |
Jesse Wilson <jessewilson@google.com> |
Merge "Fix classes that implement equals() but not hashCode()." into dalvik-dev
|
01e1686574d5e2722a75175fbae696381bd150c0 |
01-Sep-2010 |
Jesse Wilson <jessewilson@google.com> |
Fixing a dead store in Finished. See bug 2099918. Change-Id: I12f0a53bc5aeacea3ba97820dcd6525e1bf23405
rovider/jsse/Finished.java
|
5d34c74a617a477b215d62646aae04fe321e9795 |
01-Sep-2010 |
Jesse Wilson <jessewilson@google.com> |
Fix classes that implement equals() but not hashCode(). See http://b/2099681 Change-Id: If358af98ccca44c544942b837c25e00e6553e916
rovider/jsse/CipherSuite.java
rovider/jsse/ProtocolVersion.java
|
5f2e6872311240319509aed64d9f58cd5b64719b |
23-Aug-2010 |
Brian Carlstrom <bdc@google.com> |
SSLSocket.read should throw SocketException not NullPointerException OpenSSLSocketImpl now uses checkOpen similar to Socket's checkOpenAndCreate to ensure that SocketExceptions are thrown if certain operations are tried after the socket is closed. Also added *_setUseClientMode_afterHandshake tests for SSLSocket and SSLEngine. We properly through IllegalArgument exception in this case, but it wasn't covered by the tests previously. Bug: 2918499 Change-Id: I393ad39bed40a33725d2c0f3f08b9d0b0d3ff85f
rovider/jsse/OpenSSLSocketImpl.java
|
bc9563c38b92da7fc2a02fd02fafcc7f43a725ae |
17-Aug-2010 |
Brian Carlstrom <bdc@google.com> |
am bfc0713b: am 12e10c1c: b/2914872: fix concurrent initialization problem with peer certificate chain fields Merge commit 'bfc0713bb26ec11c2000ba64439b3abdcb72a0bf' into dalvik-dev * commit 'bfc0713bb26ec11c2000ba64439b3abdcb72a0bf': b/2914872: fix concurrent initialization problem with peer certificate chain fields
|
12e10c1c6f9324693b1dad96ab57fada2b771f11 |
17-Aug-2010 |
Brian Carlstrom <bdc@google.com> |
b/2914872: fix concurrent initialization problem with peer certificate chain fields Change-Id: Ib76dd826c8f3616d4a3aed608aef432a1b99f3d6
rovider/jsse/OpenSSLSessionImpl.java
|
7365de1056414750d0a7d1fdd26025fd247f0d04 |
12-Aug-2010 |
Jesse Wilson <jessewilson@google.com> |
Sorting imports. Change-Id: I8347bc625480a1c37a1ed9976193ddfedeb00bbc
rovider/jsse/AlertProtocol.java
rovider/jsse/CertificateMessage.java
rovider/jsse/CertificateRequest.java
rovider/jsse/CertificateVerify.java
rovider/jsse/CipherSuite.java
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/ClientKeyExchange.java
rovider/jsse/ConnectionState.java
rovider/jsse/ConnectionStateTLS.java
rovider/jsse/DelegatedTask.java
rovider/jsse/DigitalSignature.java
rovider/jsse/FileClientSessionCache.java
rovider/jsse/Finished.java
rovider/jsse/HandshakeIODataStream.java
rovider/jsse/HelloRequest.java
rovider/jsse/IndexedPKIXParameters.java
rovider/jsse/KeyManagerFactoryImpl.java
rovider/jsse/KeyManagerImpl.java
rovider/jsse/Message.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSignature.java
rovider/jsse/OpenSSLSocketFactoryImpl.java
rovider/jsse/PRF.java
rovider/jsse/SSLBufferedInput.java
rovider/jsse/SSLEngineAppData.java
rovider/jsse/SSLEngineImpl.java
rovider/jsse/SSLRecordProtocol.java
rovider/jsse/SSLServerSocketFactoryImpl.java
rovider/jsse/SSLServerSocketImpl.java
rovider/jsse/SSLSessionImpl.java
rovider/jsse/SSLSocketFactoryImpl.java
rovider/jsse/SSLSocketImpl.java
rovider/jsse/SSLSocketInputStream.java
rovider/jsse/ServerHandshakeImpl.java
rovider/jsse/ServerHello.java
rovider/jsse/ServerHelloDone.java
rovider/jsse/ServerKeyExchange.java
rovider/jsse/TrustManagerFactoryImpl.java
|
4559b1d37edcb5d7f1da086cf2e3290388d74f46 |
23-Jul-2010 |
Brian Carlstrom <bdc@google.com> |
Support for TLS Extensions enabled SSLSockets with fallback to vanila SSL See also b/1569612 Summary: - OpenSSlSocket support for SNI, session tickets, compression - URLConnection mimics Chrome behavior of trying connection with these enabled, falling back to SSL w/o encryption on failure Details: libcore URLConnection https retry Change HttpConnection.getSecureSocket to enable non-standard features on first connection attempt. On second attempt, we back off to SSLv3 from TLSv1, mimicking Chrome's behavior. luni/src/main/java/org/apache/harmony/luni/internal/net/www/protocol/http/HttpConnection.java Change HttpsEngine.connect to implement SSL reconnect luni/src/main/java/org/apache/harmony/luni/internal/net/www/protocol/https/HttpsURLConnectionImpl.java OpenSSL SSLSocket implementation OpenSSLSocketImpl and OpenSSLServerSocketImpl now have an array of enabled compression methods interface and implementation to parallel that of procotols and ciphersuites. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java OpenSSLSessionImpl now has a cache of the native compressionMethod. Also replaced "gives" javadoc working with "returns". luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java OpenSSLSocketImpl session caching now needs to skip cached sessions with mismatched compression requirements. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java OpenSSLSocketImpl.startHandshake now uses NativeCrypto to support our non-standard extensions. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java NativeCrypto changes - Added declaration of SSL options for tickets and compression. - Added general "compression methods" interface paralleling "cipher suites" and "protocols" interfaces. - Added SSL_set_tlsext_host_name to set SNI (Server Name Indication) value - Added SSL_get_servername to read SNI (Server Name Indication) value - Added SSL_SESSION_compress_meth read negotiated compression method - SSL_new makes sure to default compression to off for compatibility luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java luni/src/main/native/NativeCrypto.cpp Testing Added URLConnectionTest.testConnectViaHttpsWithSSLFallback to make sure we properly retry an https connection if the server terminates unexpectedly. Fixed up URLConnectionTest.testHttpsWithCustomTrustManager with new expected certificate chain. Fixed a few mistaken TestSSLContext.serverContext uses to clientContext luni/src/test/java/java/net/URLConnectionTest.java Added test_SSL_set_tlsext_host_name, test_SSL_get_servername, test_SSL_SESSION_compress_meth. Added a number of missing fail() calls in expected exception cases which caught one test with mistaken expectations. Removed some unnecessary scopes. Fixed some badly scoped catch blocks. luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java Changed MockWebServer to support a new MockResponse propery of disconnectAtStart, which immediately terminates the connection support/src/test/java/tests/http/MockResponse.java support/src/test/java/tests/http/MockWebServer.java external/openssl Restore -ZLIB to OpenSSL build. Note that NativeCrypto.SSL_new disables compression by for default SSLSocket for compatibility. android-config.mk Force clean build with new CFLAGS CleanSpec.mk Change-Id: Iba6268f9096f2be43f0d30de151dd3fd0aea4a81
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLServerSocketImpl.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/OpenSSLSocketImpl.java
|
6882e31b7ce2d04ebbc91c7a55d7840e8fdce8a5 |
20-Jul-2010 |
Brian Carlstrom <bdc@google.com> |
Bring SSLSocketImpl and SSLEngine in line with OpenSSLSocketImpl's cipher suites Wrote an interoperability test between our OpenSSL and SSLEngine based SSLSocket implementations. Used it to flush out problems between the implementations, which mostly were in the non-native implementation. Filling out the SSLEngine (and therefore non-native SSLSocket) support led to the list of supported and default cipher suites now being the same as out OpenSSL SSLSocket. Most of the work was making the the NULL, RC4, and AES ciphers work with SSLEngine as well as some minor bug fixes in related code. Summary: - changing test_SSLSocket_getSupportedCipherSuites_connect to try all combinations of our two SSLContext/SSLSocket implementations - fixed SSLEngine with *_WITH_NULL_* CipherSuites to use javax.crypto.NullCipher - added *_AES_* cipher suites to SSLEngine (and therefore Java SSLSocketImpl) - remove *_DH_* cipher suites which are not supported by the RI or our OpenSSL implementation - fixed Java SSLSocket to not handshake on accept so will pass the basic SSLSocketTest - added new KeyManagerFactoryTest while testing "DH_" cipher suite key types This change depends on restoring bouncycastle's RC4 implementation (separate CL in external/bouncycastle) Details: Fixed SSLEngine with *_WITH_NULL_* CipherSuites by use javax.crypto.NullCipher expectations/knownfailures.txt luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ConnectionStateSSLv3.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ConnectionStateTLS.java Previously I had changed the string name of CipherSuites from "TLS_..." to "SSL_..." where appropriate to match the RI. Since I was doing maintenance on overall list, I renamed the CODE_TLS_... and TLS_... static fields as well to match. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSessionImpl.java Removed IDEA and RC2 CipherSuites to make it clear they are not supported. While technically this happened as a side effect of the assignment "supported = false" if the CipherSuite failed to load, we truly intend not to support these. Also removed SSH_DH_* suites which don't work with DSA keys and aren't supported by the RI or our OpenSSL implementation. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java Old connection state code assumed that if a cipher was blocked, the block size was 8 bytes. This is not true for the 16 byte AES ciphers. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ConnectionState.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ConnectionStateSSLv3.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ConnectionStateTLS.java No wonder our OpenSSL implementation incorrect did a startHandshake when accepting the socket... it got it from the Java implementation. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLServerSocketImpl.java Test for KeyManagerFactory (and KeyManager). TestKeyStore now creates KeyManagers and TrustManagers from the keystore as a convenience for KeyManagerFactoryTest (instead of having the code in the TestSSLContext where we didn't keep a pointer to the created values). luni/src/test/java/javax/net/ssl/KeyManagerFactoryTest.java support/src/test/java/java/security/StandardNames.java support/src/test/java/java/security/TestKeyStore.java support/src/test/java/javax/net/ssl/TestSSLContext.java Remove CIPHER_SUITES_SSLENGINE now that its the same as CIPHER_SUITES luni/src/test/java/javax/net/ssl/SSLEngineTest.java support/src/test/java/java/security/StandardNames.java test_SSLSocket_getSupportedCipherSuites_connect now does interoperability testing not just between the default SSLContext's SSLSockets but between the four combinations of our two SSLContext. It also now sends some test data bi-directionally between the client and server. luni/src/test/java/javax/net/ssl/SSLSocketTest.java Changed TestSSLContext.create to allow a different Provider for the client and server SSLContexts. luni/src/test/java/javax/net/ssl/SSLEngineTest.java luni/src/test/java/javax/net/ssl/SSLSocketTest.java support/src/test/java/javax/net/ssl/TestSSLContext.java RC4 is now available in bouncycastle for the non-OpenSSL SSLContext to use for parity with the OpenSSL implementation. support/src/test/java/java/security/StandardNames.java Changed TestSSLSocketPair to use Futures like NativeCryptoTest so its easier to choose between client and server errors while debuging. support/src/test/java/javax/net/ssl/TestSSLSocketPair.java Removed bogus import luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java Change-Id: I080c0343a3f86f27b7c191a7b80b585b9ca52d93
rovider/jsse/CipherSuite.java
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/ConnectionState.java
rovider/jsse/ConnectionStateSSLv3.java
rovider/jsse/ConnectionStateTLS.java
rovider/jsse/SSLServerSocketImpl.java
rovider/jsse/SSLSessionImpl.java
rovider/jsse/ServerHandshakeImpl.java
|
ef628d1464e57552403ad43366e153c1ef50b926 |
19-Jul-2010 |
Brian Carlstrom <bdc@google.com> |
New NativeCryptoTest, NativeCrypto.{SSL_set_client_CA_list, SSL_renegotiate}, fixes for other minor bugs exposed by test Summary: - New NativeCryptoTest covering NativeCrypto SSL APIs - Added SSL_set_client_CA_list for server to specify acceptable client cert issues - Added SSL_renegotiate for renegoiation testing - Removed unneeded d2i_SSL_SESSION argument - Added OpenSSLSocketImpl read/write bounds checking - Added NULL checks on AppData to avoid native crashes on use of SSL before handshake Details: Corrected NativeCrypto thrown exceptions based on NativeCryptoTest. Of note, we now throw NullPointerException instead of SSLException for simple null issues in NativeCrypto.cpp luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java luni/src/main/native/NativeCrypto.cpp Created NativeCrypto.{encodeCertificates,encodeIssuerX509Principals} to factor out some code out of OpenSSLSocketImpl that any user of NativeCrypto.{SSL_use_certificate, SSL_set_client_CA_list} would find useful. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java Added SSL_set_client_CA_list to allow server to provide list of issuers acceptable for client certifcates. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java luni/src/main/native/NativeCrypto.cpp Added SSL_renegotiate to allow unit testing of SSL renegoiation. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java luni/src/main/native/NativeCrypto.cpp Removed d2i_SSL_SESSION size argument since it should be same as length of other argument luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java luni/src/main/native/NativeCrypto.cpp Added bounds checking to getInputStream.read(byte[], ...) and getOutputStream().write(byte[], ...) luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java Added NULL checks on AppData to avoid native crashes. luni/src/main/native/NativeCrypto.cpp New test of NativeCrypto SSL APIs luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java Change-Id: I2fb7a40761e66320f73b02880e6e43def9594497
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/OpenSSLSocketImpl.java
|
e3a187163504f00c98bd75cbd8bcbdde123ae2cd |
14-Jul-2010 |
Brian Carlstrom <bdc@google.com> |
Fix PKCS12 and BKS KeyStore as well as SSL renegotiation Summary: - Added KeyStoreTest and fixed PKCS and BKS keystores to be fully functional - KeyStore and KeyStoreImpl improvements in libcore and bouncycastle for more RI-like behavior - SSL Renegotiation fix for new implementation Details: external/bouncycastle TwoFish added back for BKS KeyStore. Like RC2, it not supported as a general cipher, but instead used internally for KeyStore implementation. src/main/java/org/bouncycastle/crypto/engines/TwofishEngine.java bouncycastle.config Added back PBEWITHSHAANDTWOFISH, PBEWITHSHAANDTWOFISH-CBC, PBEWITHSHA1ANDRC2-CBC, PBEWITHHMACSHA, PBEWITHHMACSHA1 to support PKCS12 and BKS KeyStore implementations (as determined by new KeyStoreTest) src/main/java/org/bouncycastle/jce/provider/BouncyCastleProvider.java src/main/java/org/bouncycastle/jce/provider/JCEBlockCipher.java src/main/java/org/bouncycastle/jce/provider/JCEMac.java src/main/java/org/bouncycastle/jce/provider/JCESecretKeyFactory.java Don't throw an error when deleting a non-existing KeyStore entry. The RI documentation (and behavior) says it throws an error when it fails to remove an entry, not when the entry does not exist. src/main/java/org/bouncycastle/jce/provider/JDKKeyStore.java src/main/java/org/bouncycastle/jce/provider/JDKPKCS12KeyStore.java Try to make BC's PKCS KeyStore have a more RI-like getCreationDate behavior src/main/java/org/bouncycastle/jce/provider/JDKPKCS12KeyStore.java Make BC's PKCS KeyStore failfast on setting non-supported key, instead of failing later on get. src/main/java/org/bouncycastle/jce/provider/JDKPKCS12KeyStore.java Make BC's PKCS KeyStore handle setting a PrivateKey with an emtpy chain. src/main/java/org/bouncycastle/jce/provider/JDKPKCS12KeyStore.java Add more general avoidance of NullPointerExceptions on null aliases src/main/java/org/bouncycastle/jce/provider/JDKPKCS12KeyStore.java Added notes about changes improvements patches/README Regenerated patch with above changes patches/android.patch libcore KeyStore improvements based on KeyStoreTest - Fix UnrecoverableKeyException to be a subclass of UnrecoverableEntryException, which was keeping the new KeyStoreTest from compiling. luni/src/main/java/java/security/UnrecoverableKeyException.java - Fix to not convert UnrecoverableKeyException to KeyStoreException, which was only being done because of the UnrecoverableKeyException superclass bug. luni/src/main/java/java/security/KeyStoreSpi.java - Harmony KeyStore was being overly aggresive about throwing on null alias arguments in cases where the RI was happy to pass them to the KeyStoreSpi. luni/src/main/java/java/security/KeyStore.java - New test after PKCS12 regresion. It enumerates and excercises all methods on all available KeyStore implementations. Unfortunately, the main varieties of KeyStores made this a lot more complicated than I was originally expecting. It does clarifiy the differences between the RI and BC KeyStore implementations, especially for PKCS12, where in some ways the RI is more feature complete (setting key via byte[]), but in other ways BC goes beyond some RI limitations (allowing storage of certificates). luni/src/test/java/java/security/KeyStoreTest.java TestKeyStore improvements while writing KeyStoreTest - Renamed "keyStorePassword" working usages to clarify if it really means the "storePassword" on the whole KeyStore, or if it is a "keyPassword" on individual keys. - Moved TestKeyStore from javax.net.ssl to java.security luni/src/test/java/javax/net/ssl/SSLContextTest.java luni/src/test/java/javax/net/ssl/SSLEngineTest.java luni/src/test/java/javax/net/ssl/SSLSessionTest.java luni/src/test/java/javax/net/ssl/SSLSocketTest.java support/src/test/java/java/security/StandardNames.java support/src/test/java/java/security/TestKeyStore.java support/src/test/java/javax/net/ssl/TestKeyStore.java support/src/test/java/javax/net/ssl/TestSSLContext.java Fixing up SSL renegotiation support. Now that we are not trying to prevent renegotiation, make sure it is working correctly. - Remove SSL_VERIFY_CLIENT_ONCE to take the default behavior of re-requesting client certificate on renegotiation. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java - Updated comments to reflect renegotiation. Bug fix to not clear out callback reference on handshake complete, since we need it for renegotiation. luni/src/main/native/NativeCrypto.cpp Updated for PKCS12 KeyStore support support/src/test/java/java/security/StandardNames.java Added javadoc when writint KeyStoreTest luni/src/test/java/java/security/ProviderTest.java frameworks/base Tracking changes to UnrecoverableKeyException superclass api/8.xml api/current.xml Change-Id: I6349dbfc02896417595b52e364ade8000b567615
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
059dbc04218144f985b20a228bbe98139d400d0c |
08-Jul-2010 |
Brian Carlstrom <bdc@google.com> |
Improved client certificate and certificate chain support Summary: - openssl: add openssl support for specifying per key certificate chains - libcore: properly implement client certificate request call back - libcore: properly implement sending certificate chain - libcore: properly implement retreiving local certificate chain - libcore: added an SSLContext for non-OpenSSL SSLSocket creation Details: external/openssl Improve patch generate support by applying all other patches to baseline to remove cross polluting other patch changes into target patch. Move cleanup of ./Configure output to import script from openssl.config. import_openssl.sh openssl.config Adding SSL_use_certificate_chain and SSL_get_certificate_chain to continue to finish most of remaining JSSE issues. include/openssl/ssl.h ssl/s3_both.c ssl/ssl.h ssl/ssl_locl.h ssl/ssl_rsa.c Updated patch (and list of input files to patch) patches/jsse.patch openssl.config libcore Restoring SSLContextImpl as provider of non-OpenSSL SSLSocketImpl instances for interoperability testing. OpenSSLContextImpl is the new subclass that provides OpenSSLSocketImpl. JSSEProvider provides the old style SSLContexts, OpenSSLProvider provides the OpenSSL SSLContext, which includes the "default" context. Changed to register SSLContexts without aliases to match the RI. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/JSSEProvider.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLProvider.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/DefaultSSLContextImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLContextImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java Native interface updates to support OpenSSLSocketImpl improvements - KEY_TYPES now expanded based on what we are being provided by OpenSSL. keyType function now maps key type values received from clientCertificateRequested callback. - Removed remaining uses of string PEM encoding, now using ASN1 DER consistently Includes SSL_SESSION_get_peer_cert_chain, verifyCertificateChain - Fixed clientCertificateRequested to properly include all key types supported by server, not just the one from the cipher suite. We also now properly include the list of supported CAs to help the client select a certificate to use. - Fixed NativeCrypto.SSL_use_certificate implementation to use new SSL_use_certificate_chain function from openssl to pass chain to OpenSSL. - Added error handling of all uses of sk_*_push which can fail due to out of memory - Fixed compile warning due to missing JNI_TRACE argument luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java luni/src/main/native/NativeCrypto.cpp luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java Pass this into chooseServerAlias call as well in significantly revamped choseClientAlias luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java Minor code cleanup while reviewing diff between checkClientTrusted and checkServerTrusted luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java Improvements to SSL test support to go along with client certificate and certificate chain changes. TestSSLContext now has separate contexts for the client and server (as well as seperate key stores information). TestKeyStore now is more realistic by default, creating a CA, intermediate CA, and separate client and server certificates, as well as a client keystore that simply contains the CA and no certificates. support/src/test/java/javax/net/ssl/TestKeyStore.java support/src/test/java/javax/net/ssl/TestSSLContext.java Tests tracking API changes. Tests involving cert chains now now updated to use TestKeyStore.assertChainLength to avoid hardwiring expected chain length in tests. These tests also now use TestSSLContext.assertClientCertificateChain to validate that the chain is properly constructed and trusted by a trust manager. luni/src/test/java/java/net/URLConnectionTest.java luni/src/test/java/javax/net/ssl/SSLContextTest.java luni/src/test/java/javax/net/ssl/SSLEngineTest.java luni/src/test/java/javax/net/ssl/SSLSessionContextTest.java luni/src/test/java/javax/net/ssl/SSLSessionTest.java luni/src/test/java/javax/net/ssl/SSLSocketTest.java support/src/test/java/java/security/StandardNames.java support/src/test/java/javax/net/ssl/TestSSLEnginePair.java support/src/test/java/javax/net/ssl/TestSSLSocketPair.java frameworks/base Tracking change of SSLContextImpl to OpenSSLContextImpl core/java/android/net/SSLCertificateSocketFactory.java core/java/android/net/http/HttpsConnection.java tests/CoreTests/android/core/SSLPerformanceTest.java tests/CoreTests/android/core/SSLSocketTest.java Tracking changes to TestSSLContext core/tests/coretests/src/android/net/http/HttpsThroughHttpProxyTest.java Change-Id: Ie35ebce89966dfce62c316f7fe7252bf06935680
rovider/jsse/DefaultSSLContextImpl.java
rovider/jsse/JSSEProvider.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLContextImpl.java
rovider/jsse/OpenSSLProvider.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/SSLContextImpl.java
rovider/jsse/TrustManagerImpl.java
|
ccbe3404e0691dab506d017550658e8e5974c83e |
10-Jul-2010 |
Elliott Hughes <enh@google.com> |
Use 'dst' (or an even more appropriate name where possible) rather than 'dest'. (The ArrayIndexOutOfBoundsException for System.arraycopy already talks about 'dst' and 'dstPos'.) Change-Id: Iba9415dd4a9ec3b457938ea4469b4a0024bab6e4
rovider/jsse/HandshakeIODataStream.java
|
b7eec62f6db198a76b67d7915b03e59189c6df4f |
02-Jul-2010 |
Brian Carlstrom <bdc@google.com> |
TestKeyStore only use RSA by default & fixing SSLEngine client auth with DSA client and RSA server Summary: Goal here was to just make most tests faster by only having TestKeyStore create RSA keys by default. However, when I did that SSLEngineTest#test_SSLEngine_clientAuth started working, so I ended up investigating a much deeper issue with DSA client authentication against an RSA SSLEngine server. Details: Changed the TestKeyStore.get singleton to only contain RSA keys. TestKeyStore.create now requires the caller enumerate what keys they want if they need more than that or an alternative. support/src/test/java/javax/net/ssl/TestKeyStore.java Changed test_SSLSocket_getSupportedCipherSuites_connect to explicitly request RSA and DSA keys since it needs both to try connecting all possible cipher suites. luni/src/test/java/javax/net/ssl/SSLSocketTest.java Fixing SSLEngine client authentication when server uses RSA but client uses DSA Fixed java.net.ssl.SSLEngineTest#test_SSLEngine_clientAuth expectations/knownfailures.txt Added CiperSuite.authType field which contains the algorithm name such as RSA, DSA, DH, that the client will use to authenticate the server. Like the cipherName, hmacName, and hashName, this is logically derivable from the the CiperSuite.KEY_EXCHANGE_*, but we remember it to avoid repeatedly doing large cascading "if" tests to determine which key algorithm should be used for each case. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java Fixed a number of client certificate authentication bugs in SSLEngine - Changed ClientHandshakeImpl's in the SSL/Tls Certificate message code to mirror ServerHandshakeImpl's implementation to properly use chooseEngineClientAlias in the SSLEngine case. - Changed to use the client certifcates key algorithm for computing the signature for the SSL/TLS CertificateVerify message. Previously we used the cipher suites negoitated key exchange method, but if the client may select a certificate with a different algorithm if the server provides a CA for another algorithm. - Also changed to use CipherSuite.isAnonymous in two places rather than the inlined equivalent. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java Fixed client authentication to use the client's certificate (not the server's) to do verify the CertificateVerify message signature. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java Fixed bug in DigitalSignature which did not Signature.update in verifySignature, so it could never have properly authenticated DSA signatures. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/DigitalSignature.java Added CertificateMessage getAuthType convenience luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CertificateMessage.java Made CertificateRequest certificate_authorities final, found we were double allocating it luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CertificateRequest.java Cleaning up imports of HandshakeProtocol while working on its subclasses. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/HandshakeProtocol.java Cleaned up while looking at X509KeyManager implementations while debugging. support/src/test/java/org/apache/harmony/xnet/tests/support/X509KeyManagerImpl.java Change-Id: I74b98754c11000cbfea416f1571c380c9c67abf3
rovider/jsse/CertificateMessage.java
rovider/jsse/CertificateRequest.java
rovider/jsse/CipherSuite.java
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/DigitalSignature.java
rovider/jsse/HandshakeProtocol.java
rovider/jsse/ServerHandshakeImpl.java
|
7329fa972d9c20777444e5e1b13169d700de6567 |
29-Jun-2010 |
Brian Carlstrom <bdc@google.com> |
Fixes to support new dalvik.googlecode.com benchmarks The following new benchmarks where tested with the below changes: - DigestBenchmark - MessageDigestBenchmark - SSLSocketBenchmark - SignatureBenchmark Fix package name of OpenSSLProvider luni/src/main/java/java/security/security.properties Restore Java (vs OpenSSL) SSLSocket wrappers on SSLEngine for benchmarking luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLServerSocketFactoryImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLServerSocketImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketFactoryImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketInputStream.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketOutputStream.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketWrapper.java Restore HandshakeProtocol.socketOwner code for SSLSocket to function luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/HandshakeProtocol.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java Remove unneeded OpenSSLMessageDigestJDK.getInstance since these are registered via OpenSSLProvider and SHA224 which is not part of the RI. We had already removed the BouncyCastle version of this. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLMessageDigestJDK.java luni/src/test/java/tests/targets/security/AllTests.java luni/src/test/java/tests/targets/security/MessageDigestTestSHA224.java luni/src/test/java/tests/targets/security/SignatureTestSHA224withRSA.java Change-Id: I7daae7f0d9f50acad6df9157eac1b0133af83062
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/HandshakeProtocol.java
rovider/jsse/OpenSSLMessageDigestJDK.java
rovider/jsse/SSLServerSocketFactoryImpl.java
rovider/jsse/SSLServerSocketImpl.java
rovider/jsse/SSLSocketFactoryImpl.java
rovider/jsse/SSLSocketImpl.java
rovider/jsse/SSLSocketInputStream.java
rovider/jsse/SSLSocketOutputStream.java
rovider/jsse/SSLSocketWrapper.java
rovider/jsse/ServerHandshakeImpl.java
|
12cd1f00c2fa1a7f37bf644cecdf7588bdc0b0a9 |
23-Jun-2010 |
Brian Carlstrom <bdc@google.com> |
Remove libcore's dependency on bouncycastle external/bouncycastle - Change to be the primary build for bouncycastle sources (as opposed to part of libcore) - Moved OpenSSLMessageDigest from libcore to OpenSSLDigest It uses NativeCrypto API from core, but implements a bouncycastle specific interface - restored registration of bouncycastle MessageDigests for SHA-1, SHA-256, MD5 OpenSSLProvider versions take precedence, but explicit provider of "BC" allows choice - enabled native versions of SHA-384 and SHA-512 - pruned MD4 implementation frameworks/base - frameworks and CoreTests modules now depend on bouncycastle - update preloades classes for NativeBN package change - moved CryptoTest to libcore libcore - core now builds without bouncycastle sources - core-tests, core-tests-support, core-tests-supportlib now depend on bouncycastle - removed libcore/openssl directory, moving NativeBN to java/math - minor cleanup of Provider, Security, Services style while working on ProviderTest - added new OpenSSLProvider registered as first provider to have priority over the others to ensure our native implementations are used - moved BouncyCastle to have priority as a provider over Harmony - JarVerifier and JarUtils now implicitly use OpenSSLMessageDigest - Cleanedup OpenSSLSignature, implementation needs to be finished to move to OpenSSLProvider - To avoid using PEMWriter from BouncyCastle, NativeCrypto now takes binary encoded certs and keys This is more efficient as well avoiding the base64 decode/encode of the binary data - removed SHA-224 to match the RI packages/apps/CertInstaller - CertificateInstaller module now depends on bouncycastle this is the only app to depend on bouncycastle system/core - updated BOOTCLASSPATH Change-Id: I6205366b12baec4331b4a76e2c85d8324bf64b2c
rovider/jsse/AbstractSessionContext.java
rovider/jsse/JSSEProvider.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLMessageDigest.java
rovider/jsse/OpenSSLProvider.java
rovider/jsse/OpenSSLSignature.java
rovider/jsse/OpenSSLSocketFactoryImpl.java
rovider/jsse/OpenSSLSocketImpl.java
|
06fb2e026572e4f67ac80c927d30e9be787bbe6e |
22-Jun-2010 |
Brian Carlstrom <bdc@google.com> |
Move IndexedPKIXParameters from external/bouncycastle to libcore to avoid cyclic build dependency Change-Id: I65292321560c9f4551dc79fc7c6795f093638bbf
rovider/jsse/IndexedPKIXParameters.java
rovider/jsse/TrustManagerImpl.java
|
e32b21f14d52bac429a9c54fe031f9e92c911d64 |
18-Jun-2010 |
Jesse Wilson <jessewilson@google.com> |
Implementing ZoneInfo.hasSameRules(). Moving TimeZoneTest to OldTimeZoneTest and removing test methods that are duplicated between libcore and Harmony. Also adding Objects.equals() to make implementing this easy, and removing redundant time zone tests. I did a few searches to find candidate code that could take advantage of this new utility method and adopted it there. Change-Id: I133298f1b36d755bd35c1ad0dc0ab366fd164270
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/SSLSessionImpl.java
|
79f07cc86be9abc27d0da7df3245ba4bab809ae6 |
12-Jun-2010 |
Elliott Hughes <enh@google.com> |
Improve MessageDigest documentation. As explained in the bug, I don't think we can/should fix this potential native crash, but we can and should improve the documentation to explain how you're _supposed_ to use MessageDigest. Bug: http://code.google.com/p/android/issues/detail?id=8709 Change-Id: I1cbab5995e5673d5386e21270ac52b6f90b9f421
rovider/jsse/OpenSSLMessageDigest.java
rovider/jsse/OpenSSLMessageDigestJDK.java
|
018b67accb28954d35f3cd697be3428e9b45b7d8 |
28-May-2010 |
Jesse Wilson <jessewilson@google.com> |
Further small fixes to increase API compatibility with RI v6. Highlights: code was moved from SSLContextImpl to its superclass. took X500Principal code from Harmony Tested with Harmony's tests.api.javax.security.auth.x500.X500PrincipalTest. Change-Id: I89b46d4b47e692a5461916cca972e05de95f3280
rovider/jsse/SSLContextImpl.java
|
2be0ae9c8abc05d1c94c8bb170503ee2feae1866 |
27-May-2010 |
Brian Carlstrom <bdc@google.com> |
Add missing package on ambiguous class name and cast on ambiguous type Change-Id: I470c929f67ecaffa91d5a67c87f1ed5358cfd84c
rovider/jsse/SSLContextImpl.java
|
0c131a2ca38465b7d1df4eaee63ac73ce4d5986d |
21-May-2010 |
Brian Carlstrom <bdc@google.com> |
RI 6 support for javax.net.ssl Summary: - RI 6 support for javax.net.ssl - SSLEngine fixes based on new SSLEngineTest - fix Cipher.checkMode bug recently introduced in dalvik-dev Details: Fix Cipher.checkMode that was preventing most javax.net.ssl tests from working luni/src/main/java/javax/crypto/Cipher.java RI 6 has introduced the concept of a "Default" SSLContext. This is accessed via SSLContext.getDefault() and also SSLContext.getInstance("Default"). Harmony had its own DefaultSSLContext but it was not created via an SSLContextSpi. It also was a single shared instance whereas the new RI6 Default SSLContext shares internal SSLSessionContext instances between different Default SSLContexts. Refactored the old code into an SSLContextImpl subclass that allows it to be created via SSLContext.getInstance. SSLContextImpl ensures that we only ever create one set of SSLSessionContext instances for the Default context. luni/src/main/java/javax/net/ssl/DefaultSSLContext.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/DefaultSSLContextImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java Added SSLContext.getDefault and SSLContext.setDefault luni/src/main/java/javax/net/ssl/SSLContext.java Replace dependencies of old DefaultSSLContext with use of SSLContext.getDefault luni/src/main/java/javax/net/ssl/SSLServerSocketFactory.java luni/src/main/java/javax/net/ssl/SSLSocketFactory.java Register "SSLContext.Default" as DefaultSSLContextImpl class for SSLContext.getInstance() luni/src/main/java/org/apache/harmony/xnet/provider/jsse/JSSEProvider.java Added constant for new "Default" standard name and added it to SSL_CONTEXT_PROTOCOLS. New tests based on SSL_CONTEXT_PROTOCOLS made it clear that neither Android or RI support SSLv2 so removed it from SSL_CONTEXT_PROTOCOLS and SSL_SOCKET_PROTOCOLS. Added constant for TLS as well which was previously scattered all over tests. Remove SSLv2Hello from SSL_SOCKET_PROTOCOLS for Android since with OpenSSL disablign SSLv2 means you can not use SSLv2Hello either. support/src/test/java/javax/net/ssl/StandardNames.java Added tests for SSLContext.getDefault and SSLContext.setDefault. Changed existing tests to work on all protocols including new "Default". luni/src/test/java/javax/net/ssl/SSLContextTest.java RI 6 has introduced the notion of SSLParameters which encapsulate SSL the handshake parameters of desired cipher suites, protocols, and client authentication requirements. The main new class SSLParameters is basically just a bag of fields with accessors and a couple simple constructors. The only things of note are that it clones all String arrays on input and output and the setters for the two boolean fields ensure that only one is true at a time. luni/src/main/java/javax/net/ssl/SSLParameters.java Added SSLContext.getDefaultSSLParameters and SSLContext.getSupportedSSLParameters which simply delegate to the SSLContextSpi. luni/src/main/java/javax/net/ssl/SSLContext.java Added abstract SSLContextSpi.engineGetDefaultSSLParameters and SSLContext.engineGetSupportedSSLParameters. luni/src/main/java/javax/net/ssl/SSLContextSpi.java Added engineGetDefaultSSLParameters and engineGetSupportedSSLParameters implementation. The RI documents in SSLContextSpi that these are implemented by default by creating a socket via the SSLContext's SocketFactory and asking for the enabled/supported cipher suites and protocols respectively, so that is what is done. The doc mentions throwing UnsupportedOperationException if there is a problem, so we do that as well. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java Added {SSLEngine,SSLSocket}.{getSSLParameters,setSSLParameters} which are analogous. luni/src/main/java/javax/net/ssl/SSLEngine.java luni/src/main/java/javax/net/ssl/SSLSocket.java Added SSLParametersTest luni/src/test/java/javax/net/ssl/SSLParametersTest.java luni/src/test/java/javax/net/ssl/AllTests.java Added SSLContext.get{Default,Supported}SSLParameters tests luni/src/test/java/javax/net/ssl/SSLContextTest.java Added SSLSocket.{getSSLParameters,setSSLParameters} tests and added some extra asserts to test_SSLSocketPair_create based on experience with test_SSLEnginePair_create. luni/src/test/java/javax/net/ssl/SSLSocketTest.java Dummy implementation of new SSLContextSpi for test classes. support/src/test/java/org/apache/harmony/security/tests/support/MySSLContextSpi.java support/src/test/java/org/apache/harmony/xnet/tests/support/MySSLContextSpi.java Other minor RI 6 API changes: RI 6 removed Serializable from HandshakeCompletedEvent and SSLSessionBindingEvent luni/src/main/java/javax/net/ssl/HandshakeCompletedEvent.java luni/src/main/java/javax/net/ssl/SSLSessionBindingEvent.java RI 6 added generic types to the KeyStoreBuilderParameters List constructor and accessor as well as to SSLSessionContext.getIds. Fixed tests to compile with generic types. luni/src/main/java/javax/net/ssl/KeyStoreBuilderParameters.java luni/src/main/java/javax/net/ssl/SSLSessionContext.java luni/src/test/java/tests/api/javax/net/ssl/KeyStoreBuilderParametersTest.java SSLEngine improvements. Since I was changing SSLEngine, I wrote an SSLEngineTest based on my SSLSocketTest to do some simply sanity checking. It expose a number of issues. I've fixed the small ones, marked the rest as known failures. Renamed some TLS_ cipher suites to SSL_ to match JSSE standard names. These were all old suites no longer supported by RI or OpenSSL which is why they were missed in an earlier cleanup of this type in this class. Also fixed SSLEngine supported cipher suites list not to include SSL_NULL_WITH_NULL_NULL which is not a valid suite to negotiate. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java SSLEngine instances can have null host values, which caused a NullPointerException in the ClientSessionContext implementation. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java SSLEngine tests were failing because SSLParameters was throwing NullPointerException instead of IllegalArgument exception on null element values. Fixed null pointer message style while I was here. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java Fixed SSLEngine instances to default to server mode like RI luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java Fixed KEY_TYPES based on SSLEngine implementation. Removed dead code NativeCrypto.getEnabledProtocols which was recently made obsolete. Cleaned up null exception messages to follow our convention. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java Added SSLEngineTest which parallels SSLSocketTest in its coverage. Similarly added TestSSLEnginePair which loosely parallels TestSSLSocketPair. luni/src/test/java/javax/net/ssl/SSLEngineTest.java luni/src/test/java/javax/net/ssl/AllTests.java support/src/test/java/javax/net/ssl/TestSSLEnginePair.java SSLEngineTest betters exposed the differences between SSLSocket and SSLEngine supported cipher suites. StandardNames now has an CIPHER_SUITES_SSLENGINE definition which denotes what is missing and what is extra and why in the SSLEngine implementation. support/src/test/java/javax/net/ssl/StandardNames.java Created StandardNames.assert{Valid,Supported}{CipherSuites,Protocols} to factor out some code test code that is also used by new tests. support/src/test/java/javax/net/ssl/StandardNames.java luni/src/test/java/javax/net/ssl/SSLSocketFactoryTest.java luni/src/test/java/javax/net/ssl/SSLSocketTest.java Remove SSLSocketTest known failure and add new SSLEngineTest known failures expectations/knownfailures.txt SSL_OP_NO_TICKET change was recently merged from master which required some fixes. For the moment, sslServerSocketSupportsSessionTickets always returns false. support/src/test/java/javax/net/ssl/TestSSLContext.java Fixed flakey test_SSLSocket_HandshakeCompletedListener which had a race because the client thread look in the server session context for an session by id potentially before the server thread had a chance to store its session. Made noticable because of SSL_OP_NO_TICKET recently merged from master (before this code path was host only, not device) luni/src/test/java/javax/net/ssl/SSLSocketTest.java Fix checkjni issue where we need to check for pending exception in OpenSSL callback. Possibly introduced by recent merge of SSL_OP_NO_TICKET from master. luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp Expectation updates Remove SSLSocketTest known failure and add new SSLEngineTest known failures expectations/knownfailures.txt Tag test_SSLSocket_getSupportedCipherSuites_connect as large expectations/taggedtests.txt Misc changes: opening brace on wrong line luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java Long line cleanup while debugging luni/src/main/java/org/apache/harmony/xnet/provider/jsse/HandshakeProtocol.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketFactoryImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketFactoryImpl.java support/src/test/java/javax/net/ssl/TestKeyStore.java Removed bogus import luni/src/test/java/javax/net/ssl/SSLSessionContextTest.java Comment clarify while debugging luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java Ctor -> Constructor in comment luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLEngineImpl.java Fixed naming of SocketTest_Test_create to TestSocketPair_Create to match renamed classes luni/src/test/java/javax/net/ssl/SSLSocketTest.java Change-Id: I99505e97d6047eeabe4a0b93202075a0b2d486ec
rovider/jsse/CipherSuite.java
rovider/jsse/ClientSessionContext.java
rovider/jsse/DefaultSSLContextImpl.java
rovider/jsse/HandshakeProtocol.java
rovider/jsse/JSSEProvider.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLServerSocketFactoryImpl.java
rovider/jsse/OpenSSLSocketFactoryImpl.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/SSLContextImpl.java
rovider/jsse/SSLEngineImpl.java
rovider/jsse/SSLParameters.java
rovider/jsse/ServerSessionContext.java
|
aacf6f9741dea0f12fbff5e7696e53f251177280 |
20-May-2010 |
Brian Carlstrom <bdc@google.com> |
Enable Diffie-Hellman cipher suites Enable Diffie-Hellman cipher suites in NativeCrypto (and in StandardNames to match for testing). This means we now have the same default cipher suite list as RI 5. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java support/src/test/java/javax/net/ssl/StandardNames.java Enabling DH made it obvious that the RI check for enable cipher suites on SSLServerSocket.accept was not as stringent as first thought. Apparently they don't care if all enabled cipher suites have certificates/keys, just that at least one of them will work, even if its anonymous. Factored out the logic to check this into checkEnabledCipherSuites for clarity along with the supporting checkForPrivateKey. Also only check if the socket is in server mode, since its fine to have nothing configured for server acting as a client for handshake purposes. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java The real work to enable Diffie-Hellman was to use SSL_CTX_set_tmp_dh_callback to set a callback to get DH parameters. There are two ways to create the parameters. The first is to use DH_generate_parameters_ex which is very slow (minutes) as is recommended as install time option. The second is to use DSA_generate_parameters_ex followed by DSA_dup_DH, which is faster for a single call, but must be done every time, so slower overall. We currently take the second approach to just have DH working. luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp Changed ephemeral RSA keys to be stored per SSL in AppData, not in a static global. luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp Fix LS_ to TLS_ typo in commented out constant. Removed easy to miss wrapping in array definition. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java Renamed CipherSuites defaultPretendant to defaultCipherSuites which led to renaming the CipherSuites constants to follow the coding style. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/DigitalSignature.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerKeyExchange.java Change-Id: Ia38de48cabb699b24fe6e341ba79f34e3da8b543
rovider/jsse/CipherSuite.java
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/DigitalSignature.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLServerSocketImpl.java
rovider/jsse/SSLParameters.java
rovider/jsse/ServerHandshakeImpl.java
rovider/jsse/ServerKeyExchange.java
|
8f78381c9c7a64f7c703913d702f2a8895207877 |
19-May-2010 |
Brian Carlstrom <bdc@google.com> |
SSLServerSocket accept should make sure enabled cipher suites have supporting private keys Make CipherSuite static fields final (noticed because I tried to use some in a switch statement). Also renamed "cuites*" to "suites*" and fixed UNKNOUN to UNKNOWN luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java SSLServerSocket now matches the RI behavior of throwing an SSLException for missing keys for non-anonymous cipher suites. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java Fixed one KnownFailure luni/src/test/java/javax/net/ssl/SSLSocketTest.java Change-Id: I1ccbf93cfc5aa5951b1f33881446d93c380b6e68
rovider/jsse/CipherSuite.java
rovider/jsse/OpenSSLServerSocketImpl.java
|
a653cca054f36de92bbef8498be3f0f01d9d6119 |
18-May-2010 |
Brian Carlstrom <bdc@google.com> |
SSLSocketFactory.connect(Socket...) should allow port of -1 SSLSession.getPeerPort is supposed to return -1 when the port is undefined so now we initialize it to that value. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java Avoid creating InetAddress to store the OpenSSLSessionImplWrapper host and port arguments since it was causing an exception on an port value of -1 and was just used to go back to the original host and port when creating the SSLSession, which is allowed to return a port value of -1. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java Remove last of KnownFailures for SSLSocketFactory luni/src/test/java/javax/net/ssl/SSLSocketFactoryTest.java Update classpath for newly seperated out junit jars run-core-tests Change-Id: I646a8f23c3d6ae01f1dd38e40bc9c32d436e6254
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/OpenSSLSocketImpl.java
|
6df6339ecd4662d351c622a59533cbbe9f275ffd |
18-May-2010 |
Brian Carlstrom <bdc@google.com> |
Client certificates should only be set on request from server Client certificates should only be set into the SSL* when requested by the server so that after the handshake is completed the client can inspect its SSLSession to see what certificate if any was requested. Previously the value was always non-null even if the server didn't request the certificate. - Created RAND_seed and RAND_load_file out of the NativeCrypto.SSL_new - NativeCrypto.SSL_new now simply performs SSL_new and does not deal with certificates, private keys, or random seeds. - Removed helper version of NativeCrypto.SSL_new Moved code to OpenSSLSocketImpl.setCertificate - Created SSL_use_certificate, SSL_use_PrivateKey, SSL_check_private_key from SSL_new. These are used not just on server handshake but also via clientCertificateRequested callback. - Merged CertificateChainVerifier and HandshakeCompletedCallback into new SSLHandshakeCallbacks while adding new clientCertificateRequested callback from OpenSSL C code to Java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp In addition to supporting NativeCrypto.java changes, also changed to_SSL_CTX and to_SSL_SESSION to allow null checking and throwing NullPointerException. Changed these and to_SSL to log exception on JNITrace, taking these logs out of individual functions. There were a lot of null checks missing previously, mostly in to_SSL_SESSION cases. luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp All KnownFailures now fixed. luni/src/test/java/javax/net/ssl/SSLSessionTest.java Three more KnownFailures now fixed. luni/src/test/java/javax/net/ssl/SSLSocketTest.java Change-Id: Iddcd5512e8395d947d3b894f03e3a059e63afe8a
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
fd487fbac3547360ea81d96edea9827fad080f86 |
18-May-2010 |
Brian Carlstrom <bdc@google.com> |
Change Harmony CipherSuite to use JSSE names Change text names of Harmony CipherSuite's (used by SSLEngine and some places with OpenSSL code) to match JSSE names. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java Added StandardName constant for SSL_NULL_WITH_NULL_NULL support/src/test/java/javax/net/ssl/StandardNames.java Marked test as working with above fix, changed to use newly defined constant. luni/src/test/java/javax/net/ssl/SSLSessionTest.java Change-Id: Id48d2adcbbff71306296f1fdf8ff970c618fdcc6
rovider/jsse/CipherSuite.java
|
204cab3c22b4d75c866c95e2d2eec42e14cbd924 |
18-May-2010 |
Brian Carlstrom <bdc@google.com> |
Supported cipher suites improvements Added new test_SSLSocket_getSupportedCipherSuites_connect to make sure all cipher suites we claim work actually do. It clearly exposed that although a large number of cipher suites are supported by libssl.so, they are not properly wired up into the OpenSSL JSSE implementation. In particular Elliptic Curve has been disabled in our version Bouncy Castle does not work. In addition Diffie-Hellman does not work because we need to further integration work with OpenSSL via SSL_set_tmp_dh_callback or SSL_set_tmp_dh. Finally, SSL_RSA_EXPORT_WITH_RC4_40_MD5 doesn't work but that is being left as KnownFailure for more immediate cleanup based on ServerHandshakeImpl's handling of KeyExchange_RSA_EXPORT as part of having OpenSSL call us back for certificates dynamically. luni/src/test/java/javax/net/ssl/SSLSocketTest.java Refactored TestSSLContext.createKeyStore to create TestKeyStore which now factors out TestSSLContext.createKeys from the old createKeyStore method, which allows createKeys to be called multiple times for different key algorithms (for example DSA in addition to RSA). Also added a reusable singleton instance to cut down on test execution time. support/src/test/java/javax/net/ssl/TestKeyStore.java Removed publicAlias/privateAlias from TestSSLContext since we now include both RSA and DSA key pairs in they KeyStore by default. Added TestSSLContext.assertCertificateInKeyStore methods to help tests the previously used the alias fields fields. TestSSLContext.create API changed as well since the alias names are no longer required. TestSSLContext.createClient now needs to iterate over all server certificates when setting up its TrustManager instead of just grabbing one by alias name. support/src/test/java/javax/net/ssl/TestSSLContext.java luni/src/test/java/javax/net/ssl/SSLContextTest.java luni/src/test/java/javax/net/ssl/SSLSessionTest.java luni/src/test/java/javax/net/ssl/SSLSocketTest.java TestSSLSocketPair.connect now allows optional inclusion of server cipher suite list. support/src/test/java/javax/net/ssl/TestSSLSocketPair.java luni/src/test/java/javax/net/ssl/SSLSessionContextTest.java Turning off Elliptic Curve and Diffie-Hellman which are not currently working. Updating test expectations to match. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java support/src/test/java/javax/net/ssl/StandardNames.java Turn on registration of ECDSA and DSA since this part is currently functional (and excercised by TestKeyStore.create()) luni/src/main/java/org/bouncycastle/x509/X509Util.java Improve logging by including SSL pointer in error messages, which makes it easier to relate these errors to JNI_TRACE messages. luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp Change-Id: I014d001a6a21a46c360678a346d3a3c8232f4d53
rovider/jsse/NativeCrypto.java
|
d7119eb12622a4187553e68a32aafa61999d7162 |
15-May-2010 |
Elliott Hughes <enh@google.com> |
Merge "Fix getInetAddress/getPort/getLocalAddress/getLocalPort." into dalvik-dev
|
8cc54e9f098c4f299d2b88bb2b9110ce44354ed7 |
14-May-2010 |
Elliott Hughes <enh@google.com> |
Fix getInetAddress/getPort/getLocalAddress/getLocalPort. Responsibility is split between Socket, SocketImpl, PlainSocketImpl, SocketChannel, SocketChannelImpl, and SocketChannelImpl.SocketAdapter, and we need to keep them synchronized. Our hands are somewhat tied by the fact that the RI exposed way too much. I think, now I understand the relationships a bit better, that we can probably rewrite this cluster of classes to be simpler, but I don't want to bite off more than I can chew right now, and this does fix the known problems. This patch also makes us more compatible with the RI by making getLocalAddress after the socket has been closed return the address we used. By strange coincidence, harmony addressed this at the same time I was looking at it (see http://svn.apache.org/viewvc?rev=944119&view=rev) but I feel they're going in the wrong direction and making the relationships even more complicated. I have run their new tests in addition to my own, though. Bug: 1952042 Bug: http://code.google.com/p/android/issues/detail?id=1933 Bug: http://code.google.com/p/android/issues/detail?id=3123 Change-Id: Icb7793fb5d868e0d1f1b8b3d5da88c32fb973744
rovider/jsse/OpenSSLSocketImplWrapper.java
|
9acacc36bafda869c6e9cc63786cdddd995ca96a |
14-May-2010 |
Brian Carlstrom <bdc@google.com> |
Use JSSE cipher suite names and restore JSSE SSLSessionContext semantics Summary: - Switch to using JSSE cipher suite names - SSLSessionContext implementation cleanup - Updated tests Details: Switch to using JSSE cipher suite names - We maintain backward compatability for enabling cipher suites using OpenSSL names for old code that did so without checking for the presence of the names in the supported list. - We now have a well defined list of the supported cipher suites which are sorted in priority order as specified in JSSE documentation so that callers doing: s.setEnabledCipherSuites(s.getSupportedCipherSuites()) will get something reasonable. - We now have a default cipher suite list that is chose to match RI behavior and priority, not based on OpenSSLs default and priorities. Details: - Added NativeCrypto OPENSSL_TO_STANDARD and STANDARD_TO_OPENSSL mapping between naming conventions. STANDARD_TO_OPENSSL is a LinkedHashMap so enumerating it gives the proper order for SUPPORTED_CIPHER_SUITES. - SSL_get_ciphers and SSL_set_cipher_list are removed, we now use our own SSL_set_cipher_lists (defined seperately in external/openssl/patches/jsse.patch) to set the set and order of cipher suites. SSL_CTX_get_ciphers is also removed because we no longer rely on the OpenSSL for the default cipher suites behavior. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp Add cipherSuite and protocol field caches for native values, mapping the cipherSuite to a JSSE name from the OpenSSL name returned by SSL_SESSION_cipher. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java Fixed a long standing bug where we reused sessions found in the client host/port cache even if the old protocol and cipher suite where no longer compatible with what was specified by setEnabledCipherSuites and setProtocols. Also fixed a recently introduced bug where lastAccessedTime was being set on a cached session even if it was not reused, found by fixed the above. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java Move most of SSLSessionContext implementation from subclasses to AbstractSessionContext. This was primarily to align the implementations of how different sessions id for the same host and port were handled for RI compatability. client subclasses now focuses on handling its host/port based cache and both deal with their own persistent cache details. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/AbstractSessionContext.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java Tests Added some variants of assertSSLSessionContextSize to simplify tests code. Broke test_SSLSessionContext_setSessionCacheSize_oneConnect out of test_SSLSessionContext_setSessionCacheSize_dynamic. Renamed test_SSLSessionContext_setSessionCacheSize_basic to test_SSLSessionContext_setSessionCacheSize_noConnect to match name of _oneConnect. _dynamic was cleaned up a bit as getting it working was the only goal of this change list. Fixed to filter SSL_RSA_EXPORT_ ciphers since our test certificate key length is too long for those. Lower test requirement to 3 unique cipher suites. luni/src/test/java/javax/net/ssl/SSLSessionContextTest.java Added checks that cipher suites and protocols have standard names. luni/src/test/java/javax/net/ssl/SSLSessionTest.java Removing known failures related to cipher suite naming. Fixed bug of using assertNotNull instead of assertTrue. Added extra size/length check which would have found the assertNotNull/assertTrue issue. luni/src/test/java/javax/net/ssl/SSLSocketFactoryTest.java luni/src/test/java/javax/net/ssl/SSLSocketTest.java Fixing test the explicitly worked around broken cipher suite naming. luni/src/test/java/tests/api/javax/net/ssl/SSLSessionTest.java Updated standard cipher suites to RI 6 list, which also now specifies ordering, which we now align with. support/src/test/java/javax/net/ssl/StandardNames.java Unrelated Remove more now obsolete jars from the test classpath run-core-tests Change-Id: I45c274a9327c9a1aeeccb39ecaf5a3fbe2903c8f
rovider/jsse/AbstractSessionContext.java
rovider/jsse/ClientSessionContext.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/ServerSessionContext.java
|
f33eae7e84eb6d3b0f4e86b59605bb3de73009f3 |
13-May-2010 |
Elliott Hughes <enh@google.com> |
Remove all trailing whitespace from the dalvik team-maintained parts of libcore. Gentlemen, you may now set your editors to "strip trailing whitespace"... Change-Id: I85b2f6c80e5fbef1af6cab11789790b078c11b1b
rovider/jsse/AlertException.java
rovider/jsse/Appendable.java
rovider/jsse/CertificateMessage.java
rovider/jsse/CertificateRequest.java
rovider/jsse/CertificateVerify.java
rovider/jsse/CipherSuite.java
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/ClientHello.java
rovider/jsse/ClientKeyExchange.java
rovider/jsse/ClientSessionContext.java
rovider/jsse/ConnectionStateSSLv3.java
rovider/jsse/ConnectionStateTLS.java
rovider/jsse/DHParameters.java
rovider/jsse/DelegatedTask.java
rovider/jsse/DigitalSignature.java
rovider/jsse/FileClientSessionCache.java
rovider/jsse/Finished.java
rovider/jsse/Handshake.java
rovider/jsse/HandshakeIODataStream.java
rovider/jsse/HandshakeProtocol.java
rovider/jsse/HelloRequest.java
rovider/jsse/JSSEProvider.java
rovider/jsse/KeyManagerImpl.java
rovider/jsse/Logger.java
rovider/jsse/Message.java
rovider/jsse/OpenSSLMessageDigest.java
rovider/jsse/OpenSSLMessageDigestJDK.java
rovider/jsse/OpenSSLSignature.java
rovider/jsse/PRF.java
rovider/jsse/ProtocolVersion.java
rovider/jsse/SSLBufferedInput.java
rovider/jsse/SSLContextImpl.java
rovider/jsse/SSLEngineAppData.java
rovider/jsse/SSLEngineImpl.java
rovider/jsse/SSLParameters.java
rovider/jsse/SSLRecordProtocol.java
rovider/jsse/SSLSessionImpl.java
rovider/jsse/SSLv3Constants.java
rovider/jsse/ServerHandshakeImpl.java
rovider/jsse/ServerHello.java
rovider/jsse/ServerHelloDone.java
rovider/jsse/ServerKeyExchange.java
rovider/jsse/TrustManagerFactoryImpl.java
|
a7ae90de24809b266bb5efdc9033a3261e31f521 |
11-May-2010 |
Brian Carlstrom <bdc@google.com> |
SSLSession and SSLSessionContext timeout improvements Fix getIds Enumeration to filter invalid sessions. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/AbstractSessionContext.java Implement SSLSessionContext.setSessionTimeout to remove newly invalid sessions as specified by the RI documentation. getSession interfaces now filters invalid sessions from results. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java Added OpenSSLSocketImpl.creationTime instance field cache to avoid repeated native calls since this is now used for all isValid tests. Fixed broken isValid implementation: - compared seconds to milliseconds - direction of comparison backwards - used last accessed time instead creation time as clarified in RI 7 documentation. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java Unrelated Replace java.io.* java.util.* imports with properly expanded versions: luni/src/main/java/org/apache/harmony/xnet/provider/jsse/AbstractSessionContext.java Change-Id: Ib02218df414f014f1d260f7acc067e5647fb700b
rovider/jsse/AbstractSessionContext.java
rovider/jsse/ClientSessionContext.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/ServerSessionContext.java
|
0af0a7959d838c48e6b4e8dc9ac188ff6bbb6a87 |
11-May-2010 |
Brian Carlstrom <bdc@google.com> |
SSLSessionContexts should throw NullPointerException on getSession(null) Add an explicit null check to ensure failure on a null argument to getSession to match the RI luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java Remove KnownFailures resolved by above fix as well as clarifiying SSL session cache expections on Android vs the RI. The KnownFailures were also hiding some latent issues to do SSL session tickets, so fixed those up as well. luni/src/test/java/javax/net/ssl/SSLSessionContextTest.java Added constants for expected SSL session cache behavior for RI vs Android support/src/test/java/javax/net/ssl/TestSSLContext.java Change-Id: Ic6285192cf76c0a5c3fa45a24eaa504ed0babff5
rovider/jsse/ClientSessionContext.java
rovider/jsse/ServerSessionContext.java
|
f365a1c9cec94071b7a3161d7bdcb3f61d28f912 |
10-May-2010 |
Brian Carlstrom <bdc@google.com> |
SSLContext.getClientSessionContext and getServerSessionContext should work before SSLContext.init Moved initialization of SSLContextImpl clientSessionContext and serverSessionContext from engineInit time (in SSLParameters constructor) to constructor time, making them final. This is to fix javax.net.ssl.SSLContextTest which was failing because it tried to access this before init was called, which worked fine on the RI. The SSLParameters now simply takes the preallocated session contexts as arguments. SSLParameters.getDefault() now needs to create its own session contexts when an SSLContext is not used, which is how Harmony does it. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java Removed KnownFailure from SSLContextTest as its 100% working. luni/src/test/java/javax/net/ssl/SSLContextTest.java Changed persistentCache fields of ClientSessionContext and ServerSessionContext from final to private and added a public setter. This replaces passing the persistentCache implementation in via the constructor. For momentarily backward compatibility with frameworks/base, the now deprecated 5 argument engineInit method now uses these setters for backward compatability. The SSLParameters previously took these persistent caches as arguments in order to pass them to the session context contructors, but as SSLParameters no longer creates these, they are no longer relevant. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java While moving the call of the AbstractSessionContext constructor from SSLParameters to SSLContextImpl after removing the persistent cache arguments, I realized there was no longer any reason to take any arguments. I pushed the initization of sslCtxNativePointer to the point of declaration. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/AbstractSessionContext.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java Change-Id: Ied2903a2f369bf4e521e702bf58f32f21cb97d17
rovider/jsse/AbstractSessionContext.java
rovider/jsse/ClientSessionContext.java
rovider/jsse/SSLContextImpl.java
rovider/jsse/SSLParameters.java
rovider/jsse/ServerSessionContext.java
|
3e24c53ecc31b840e51869c295785d5a2f8b31eb |
06-May-2010 |
Brian Carlstrom <bdc@google.com> |
Moving OpenSSLSocketImpl native code to NativeCrypto (and other clearnup) Summary: - Finished consolidating OpenSSL native code into NativeCrypto - fixing local vs global ref bug with AppData Added new ScopedGlobalRef as part of this fix - fixed many historical memory leaks identified during code review - fixed lack of error checking on allcoation with OpenSSL *_new routines - Added to_SSL_CTX and to_SSL_SESSION to match to_SSL (renamed from getSslPointer) - Replaced most uses of GetByteArrayElements with ScopedByteArray (including cases where we we using ReleaseByteArrayElements(..,...,0) instead of JNI_ABORT) - Replaced uses of GetStringUTFChars with ScopedUtfChars Details: Finished consolidating OpenSSL native code into NativeCrypto OpenSSLSocketImpl NativeCrypto --------------------------------------- nativeread SSL_read_byte nativeread SSL_read nativewrite SSL_write_byte nativewrite SSL_write nativeinterrupt SSL_interrupt nativeclose SSL_shutdown nativeverifysignature verifysignature Also removed dead code that was wrapping SSL_get1_session luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp Fixed NativeCrypto_SSL_write and NativeCrypto_d2i_SSL_SESSION to use JNI_ABORT on release to avoid copy back of unchanged data (via ScopedByteArray). luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp While running the usual tests: adb shell run-core-tests tests.xnet.AllTests javax.net.ssl.AllTests there was an abort from the JNI checking because in the recent handshaking change, local refs were kept in AppData and then reused in later calls. Added new ScopedGlobalRef to handle the book keeping of this. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java include/ScopedGlobalRef.h Fixed various leaks on old error paths spotted by reviewer. luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp Tracking move of verifySignature, a non-SSL bit of code that was lurking in OpenSSLSocketImpl luni/src/main/java/org/apache/harmony/security/provider/cert/X509CertImpl.java Change-Id: If1e409782bc99dc684039cfe3f53f8244e29346e
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSocketImpl.java
|
f002bdddce924e2145a4a2b60592b7a40f4112f6 |
05-May-2010 |
Brian Carlstrom <bdc@google.com> |
Moving OpenSSLSessionImpl native code to NativeCrypto OpenSSLSessionImpl NativeCrypto ------------------------------------------------------- getId SSL_SESSION_session_id getPeerCertificatesImpl SSL_SESSION_get_peer_cert_chain getCreationTime SSL_SESSION_get_time getProtocol SSL_SESSION_get_version getCipherSuite SSL_SESSION_cipher freeImpl SSL_SESSION_free getEncoded i2d_SSL_SESSION initializeNativeImpl d2i_SSL_SESSION Change-Id: I4538df52280266711986a577b14868af3ea0ed62
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/OpenSSLSocketImpl.java
|
e688a4123f165ed2905878e312b074b8c825d119 |
05-May-2010 |
Brian Carlstrom <bdc@google.com> |
Addressing post-submit comments regarding OpenSSL handhake changes Following up on feedback from earlier change https://android-git.corp.google.com/g/50435 Added new test_SSLSocket_startHandshake_noClientCertificate to make sure handshaking works when no client certificates are present after issues raised by hwu during code review. luni/src/test/java/javax/net/ssl/SSLSocketTest.java Improve TestSSLContext.create* options - added javadoc comments to help distinguish different versions - fixed bug of not passing in keyStorePassword in create() - added new createClient(server) method to create a TestSSLContext that trusts the provided server TestSSLContext's certificate for use by test_SSLSocket_startHandshake_noClientCertificate - made createKeyStore optionally create a more minimal keystore if aliases are not present support/src/test/java/javax/net/ssl/TestSSLContext.java Fixed argument names in SSL_*_mode methods names as pointed out by hwu luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java Added comment to explain purpose of OpenSSLSessionImpl.resetId. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java Two changes to OpenSocketImpl - Added logging on runtime exception catch around HandshakeCompletedListener execution to closely mirror RI behavior. - Cleaned up peerCertificate check to not just be on the client path. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java Addressed enh's comments about using clearEnv and when to delete AppData luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp Change-Id: I34f54e3e41a5d53d81fdc22aa34ca4de4ee9826f
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/OpenSSLSocketImpl.java
|
6b811c5daec1b28e6f63b57f98a032236f2c3cf7 |
03-May-2010 |
Peter Hallam <peterhal@google.com> |
Merge awt-kernel, icu, luni-kernel, prefs, security-kernel, x-net into luni Merge xml except xmlpull and kxml into luni
rovider/jsse/AbstractSessionContext.java
rovider/jsse/AlertException.java
rovider/jsse/AlertProtocol.java
rovider/jsse/Appendable.java
rovider/jsse/CertificateMessage.java
rovider/jsse/CertificateRequest.java
rovider/jsse/CertificateVerify.java
rovider/jsse/CipherSuite.java
rovider/jsse/ClientHandshakeImpl.java
rovider/jsse/ClientHello.java
rovider/jsse/ClientKeyExchange.java
rovider/jsse/ClientSessionContext.java
rovider/jsse/ConnectionState.java
rovider/jsse/ConnectionStateSSLv3.java
rovider/jsse/ConnectionStateTLS.java
rovider/jsse/ContentType.java
rovider/jsse/DHParameters.java
rovider/jsse/DataStream.java
rovider/jsse/DelegatedTask.java
rovider/jsse/DigitalSignature.java
rovider/jsse/EndOfBufferException.java
rovider/jsse/EndOfSourceException.java
rovider/jsse/FileClientSessionCache.java
rovider/jsse/Finished.java
rovider/jsse/Handshake.java
rovider/jsse/HandshakeIODataStream.java
rovider/jsse/HandshakeProtocol.java
rovider/jsse/HelloRequest.java
rovider/jsse/JSSEProvider.java
rovider/jsse/KeyManagerFactoryImpl.java
rovider/jsse/KeyManagerImpl.java
rovider/jsse/Logger.java
rovider/jsse/Message.java
rovider/jsse/NativeCrypto.java
rovider/jsse/OpenSSLMessageDigest.java
rovider/jsse/OpenSSLMessageDigestJDK.java
rovider/jsse/OpenSSLServerSocketFactoryImpl.java
rovider/jsse/OpenSSLServerSocketImpl.java
rovider/jsse/OpenSSLSessionImpl.java
rovider/jsse/OpenSSLSignature.java
rovider/jsse/OpenSSLSocketFactoryImpl.java
rovider/jsse/OpenSSLSocketImpl.java
rovider/jsse/OpenSSLSocketImplWrapper.java
rovider/jsse/PRF.java
rovider/jsse/ProtocolVersion.java
rovider/jsse/SSLBufferedInput.java
rovider/jsse/SSLClientSessionCache.java
rovider/jsse/SSLContextImpl.java
rovider/jsse/SSLEngineAppData.java
rovider/jsse/SSLEngineDataStream.java
rovider/jsse/SSLEngineImpl.java
rovider/jsse/SSLInputStream.java
rovider/jsse/SSLParameters.java
rovider/jsse/SSLRecordProtocol.java
rovider/jsse/SSLServerSessionCache.java
rovider/jsse/SSLSessionImpl.java
rovider/jsse/SSLStreamedInput.java
rovider/jsse/SSLv3Constants.java
rovider/jsse/ServerHandshakeImpl.java
rovider/jsse/ServerHello.java
rovider/jsse/ServerHelloDone.java
rovider/jsse/ServerKeyExchange.java
rovider/jsse/ServerSessionContext.java
rovider/jsse/TrustManagerFactoryImpl.java
rovider/jsse/TrustManagerImpl.java
|