2216155c3066236eb450f307983019f69a10303d |
|
19-Oct-2016 |
Kenny Root <kroot@google.com> |
Address various ErrorProne warnings Test: mmma -j32 libcore Test: cts-tradefed run cts -m CtsLibcoreTestCases -a arm64-v8a Change-Id: Ib42abe9c1a21b1d3cb103c769787c44fb7e793ae
|
8f2073552a3aa97ce95f8380f5cab1742d77de91 |
|
14-Sep-2016 |
Chad Brubaker <cbrubaker@google.com> |
Drop SSLv3 support The specific API version in the deprecation doc comments will be added later, for now listed as TBD. Bug: 30977793 Test: libcore/run-libcore-tests libcore/luni/src/test/java/libcore/javax/net/ssl/* Change-Id: I5ebe22421589415a9e9065715262e6860b251b2b
|
05aea14e16612262d4cefbc3cc8ec66a09abefbe |
|
29-Apr-2016 |
Kenny Root <kroot@google.com> |
SSLEngineTest: test multiple thread use Use SSLEngine with multiple threads to make sure there are no issues. (cherry picked from commit 58af60a00935641f4669afc358593456944644ec) Bug: 28473706 Change-Id: Ica180edff10d03fdf5e31621a901ad5575a762f3
|
58af60a00935641f4669afc358593456944644ec |
|
29-Apr-2016 |
Kenny Root <kroot@google.com> |
SSLEngineTest: test multiple thread use Use SSLEngine with multiple threads to make sure there are no issues. Bug: 28473706 Change-Id: Ica180edff10d03fdf5e31621a901ad5575a762f3
|
01b7734160977458d44d1fb179984fd91672f08d |
|
01-Feb-2016 |
Kenny Root <kroot@google.com> |
Add tests for SSL handshake session and endpoint verification Partial revert of commit 36214feb86a0963b23f34c8c63584252bd757e19. Change-Id: I731515bd180f1ea36abf4d8c1151a75254ad0c10
|
7c4f30cf50079df52bc4572688c7c9eed129a4bb |
|
07-Apr-2015 |
Sergio Giro <sgiro@google.com> |
libcore: change SSLEngineTest to close SSLEngine instances It was leaking resources allocated by SSLEngine's, pipes among others, thus causing subsequent tests to fail with "too many open files" errors. In OpenSSLEngineImpl, the resources are freed in the finalizer, so there's no guarantee that resources as pipes will ever be freed unless the engines are explicitly closed. Change-Id: Ide90808a64278486a19bcdfcba628f623c62afc9
|
2e47cbcfd5aad2a525af42cbc93a919b96e2c62a |
|
02-Dec-2014 |
Narayan Kamath <narayan@google.com> |
Add tests for issue 18554122. We assert that UNDERFLOW is returned on empty inputs both during and after a handshake. bug: 18554122 (cherry picked from commit 03365a863c7316325ff12bf88aa19dc33e34f19f) Change-Id: I41d7fbdbd0363aea84904b14a1e99116cebff0f5
|
03365a863c7316325ff12bf88aa19dc33e34f19f |
|
02-Dec-2014 |
Narayan Kamath <narayan@google.com> |
Add tests for issue 18554122. We assert that UNDERFLOW is returned on empty inputs both during and after a handshake. bug: 18554122 Change-Id: I17da7b213362aa8cd0ed4a2529935a3abad27802
|
782740701db73dd2dc4fef9df8cde270b0e631a4 |
|
18-Nov-2014 |
Alex Klyubin <klyubin@google.com> |
Fix SSLContextTest.test_SSLContext_defaultConfiguration failure This test was failing because it assumed that all SSLContext instances have the same set of TLS protocol versions enabled. The fix refactored SSLDefaultConfigurationAsserts class into SSLConfigurationAsserts class. The main difference is that the new class has wider scope: it can assert that (1) the default configuration of TLS/SSL primitives is as expected -- exactly what the old SSLDefaultConfigurationAsserts class offered, and (2) that TLS/SSL primitives are configured the same as a provided SSLContext. Assertions about the default configuration of primitives other than SSLContext are now implemented by asserting that these primitives are configured exactly like the default SSLContext. Change-Id: I52d6514768c4053054df2cf79e7182d8fd87bfe2
|
3b96a51f6446c8bc7d4ce7c23ad9164a4a4437ba |
|
03-Oct-2014 |
Kenny Root <kroot@google.com> |
Add support for TLS_FALLBACK_SCSV Bug: 17750026 (cherry picked from commit e6a6e935e98f426c7000b2bf4086f87101f4441c) Change-Id: Ia7f0714157b0dc36579122b27eb921a54f3a6818
|
6c9609af5f63a759bd50b5f6586f6f52502b4f93 |
|
07-Oct-2014 |
Neil Fuller <nfuller@google.com> |
Add support for TLS_FALLBACK_SCSV Backport of commits: external/conscrypt: 8d7e23e117da591a8d48e6bcda9ed6f58ff1a375 libcore: e6a6e935e98f426c7000b2bf4086f87101f4441c libcore: 957ec8b09833e1c2f2c21380e53c13c9962e6b3e Plus additional changes to: luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java luni/src/test/java/libcore/java/net/URLConnectionTest.java luni/src/test/java/org/apache/harmony/xnet/provider/jsse/CipherSuiteTest.java support/src/test/java/libcore/java/security/StandardNames.java to account for KitKat differences. Bug: 17750026 Change-Id: Ic6e9474275bc3ffec3b5c2d6df1f8d6ffe77bff8
|
865c83f8383f03d545217c35d9140a4627a74406 |
|
07-Oct-2014 |
Neil Fuller <nfuller@google.com> |
Add support for TLS_FALLBACK_SCSV Backport of commits: external/conscrypt: 8d7e23e117da591a8d48e6bcda9ed6f58ff1a375 libcore: e6a6e935e98f426c7000b2bf4086f87101f4441c libcore: 957ec8b09833e1c2f2c21380e53c13c9962e6b3e Plus additional changes to: luni/src/main/java/libcore/net/http/HttpConnection.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java luni/src/test/java/libcore/java/net/URLConnectionTest.java luni/src/test/java/org/apache/harmony/xnet/provider/jsse/CipherSuiteTest.java support/src/test/java/libcore/java/security/StandardNames.java to account for JellyBean differences. Bug: 17750026 Change-Id: I7b60b1260fa0b275631ce9987168c7b5fc7ca138
|
e6a6e935e98f426c7000b2bf4086f87101f4441c |
|
03-Oct-2014 |
Kenny Root <kroot@google.com> |
Add support for TLS_FALLBACK_SCSV Bug: 17750026 Change-Id: I8dec89ae59a6f745f63120b11b4f6dbe9b21a139
|
36214feb86a0963b23f34c8c63584252bd757e19 |
|
17-Jun-2014 |
Brian Carlstrom <bdc@google.com> |
Remove Change-Id: I143d0b26b116e75892223e74b6c22b6c8db05466
|
8d290a506a4a1cd1f86716719ee10586700468f4 |
|
17-Jun-2014 |
Brian Carlstrom <bdc@google.com> |
Remove (cherry picked from commit 36214feb86a0963b23f34c8c63584252bd757e19) Change-Id: I96d5109c01e39255b9970f7a515ddd3575a50e56
|
ee109f62e99f43bcf8b78c857af430be9cf02985 |
|
19-Jun-2014 |
Alex Klyubin <klyubin@google.com> |
Assert that setEnabledProtocols/CipherSuites copy their inputs. SSLSocket, SSLServerSocket, and SSLEngine offer setEnabledProtocols and setEnabledCipherSuites methods which take an array of protocols or cipher suites as input. If these methods store references to the input arrays, then the internal state (lists of enabled protocols and cipher suites) of SSLSocket, SSLServerSocket, and SSLEngine could be modified without going through the setter methods of these classes. Correct implementations of these methods should store copies of the input arrays. Bug: 15753142 Change-Id: Ia5248050d81320ed1da99892278bd60872605f52
|
c9461f39290f815f560f2ec50e9ccde5ff4eb8f7 |
|
09-May-2014 |
Alex Klyubin <klyubin@google.com> |
Document and assert support for TLS-PSK cipher suites. This CL updates the Javadoc of SSLSocket and SSLEngine to list the now supported TLS-PSK cipher suites. It also adds tests to assert that these cipher suites are actually supported by SSLSocket and SSLEngine. Bug: 15073623 Change-Id: I8e59264455f980f23a5e66099c27b5b4d932b9bb
|
a368cef707903c2adc7868ba48a95ccdac5f7625 |
|
22-Apr-2014 |
Kenny Root <kroot@google.com> |
Fix SSLEngineTest for RI The assymmetry between client and server with create sessions seems strange. It seems like a bug in the RI, so make sure Android does the right thing. Change-Id: I7b7ab501bd1963757b7f067c6ace8230a19a3e53
|
727df1258e3b8386afea4778626c9ab16ef467d6 |
|
09-Apr-2014 |
Kenny Root <kroot@google.com> |
Update SSLEngineTest for OpenSSL Our new OpenSSL-based SSLEngine supports all the new stuff and no longer fails tests. Change-Id: I7db8e5134ca36ebd963c7081cd7ba79d91b3e5e2
|
3ad1704dc8e4653f4ceaeb5d8315ddb28318a1bb |
|
02-Apr-2014 |
Kenny Root <kroot@google.com> |
Update SSLEngineTest for RI The RI now supports TLSv1.2 with SSLEngine, so update all the expectations for their tests. It also appears to disable "weak" algorithms when you select TLSv1.2. Change-Id: I564283bb4945d3b71bee0f89c93c6dd6e238b4f8
|
70bf6bc3ad78ed9a0a7a5767381ad6c25debbd70 |
|
20-Mar-2014 |
Kenny Root <kroot@google.com> |
Add X509ExtendedTrustManager This adds the X509ExtendedTrustManager class and all its ancillary methods that allow it to be used. This allows the endpointVerificationAlgorithm setting to be enabled on SSLSocket to check that the cerificate given for the endpoint during the handshake matched the expected hostname. Since X509ExtendedTrustManager allows you to pass in an SSLSocket, there is a new call added to SSLSocket called getHandshakeSession which does not force the handshake to take place. Bug: 13103812 Change-Id: I18a18b4f457d1676c8dc9a2a7bf7c3c4646a0425
|
edeec21a9c9e97cad91dffd47d4f2f7185dffe07 |
|
19-Mar-2014 |
Alex Klyubin <klyubin@google.com> |
Support multiple KeyManagers in TestSSLContext and TestKeyStore. The two classes in some places assumed that only one KeyManager is necessary or that only the first provided KeyManager is important. Change-Id: I88629778911503ac7c233341d44612247d799d22
|
358552b505a8985ec9ed3691d0a6d590b60d620f |
|
25-Nov-2013 |
Alex Klyubin <klyubin@google.com> |
Assert that getEnabledCipherSuites/Protocols is affected by setters. Change-Id: I806cfd4fd7f8be39c9bfcce956f6c2804e917c26
|
0669a8cf8b08b2d66a7ff758e5e3dbd456855495 |
|
14-Nov-2013 |
Alex Klyubin <klyubin@google.com> |
SSLEngine: Test that server params are verified This CL adds tests that check that SSLEngine's handshake fails if the signature of server params in ServerKeyExchange does not verify. Bug: 11631299 Change-Id: I16dfa9c07a4f094adc17aadd6fb3fe9eac88103b
|
f605c6822da13b32cd3643415a707882b62a3e91 |
|
06-Nov-2013 |
Alex Klyubin <klyubin@google.com> |
Higher-level default configuration asserts for TLS/SSL primitives. This adds SSLDefaultConfigurationAsserts class that offers higher-level checks for each TLS/SSL primitive. The goals are: * check not only the cipher suites and protocols configured but also the configuration of child primitives (e.g, configuration of SSLSockets returned by SSLSocketFactory, or configuration of SSLSocketFactory returned by SSLContext). * hide the upcoming target API level dependent configuration checks from test classes. Bug: 11220570 Change-Id: Iec1476a1b2d132c984413754129adfcb671885fb
|
d6d1778aeeb36f6295309230131bfaefe1c54005 |
|
06-Nov-2013 |
Kenny Root <kroot@google.com> |
SSLEngine: use 1/n-1 record splitting for servers Bug: 11463939 Change-Id: Id0cc6c87e94bb9852c3199d8fad3892a0464703b
|
c118df9e19edaa61ec3f61c4c8b73268642818f7 |
|
04-Nov-2013 |
Kenny Root <kroot@google.com> |
SSLEngineTest: add asserts for sending app data Add to the SSLEngineTest to make sure App Data is sent correctly over the wire. This also implements checking for BEAST mitigation. Bug: 11463939 Change-Id: If25e6c6c6782d0d367069edcebabdd0bd42820c8
|
f13911b39126ffae49737dadc74332b3a84e0d19 |
|
04-Nov-2013 |
Alex Klyubin <klyubin@google.com> |
Exact asserts for TLS/SSL protocols used by default. Previously, assertions about the list of protocols used by default by TLS/SSL primitives were checking that all of the protocols are supported, but were not checking that the list was exactly as expected. This CL adjusts the assertions to check that all of the expected protocols are listed and that no other protocols are listed. Three assert methods are added, corresponding to the three concentually different lists: client-side (e.g., SSLSocket), server-side (SSLServerSocket), and SSLEngine which currently does not switch lists based on whether it's in client or server mode. Bug: 11220570 Change-Id: Ib6b56c2372d76f94f254481aa01d29d2d03a085f
|
632b6f770974fe4811e2e55dcba54f63b556e305 |
|
01-Nov-2013 |
Alex Klyubin <klyubin@google.com> |
Exact check for cipher suites used by SSLEngine by default. The previous assertion was only checking that all the default cipher suites are supported by SSLEngine. Bug: 11220570 Change-Id: I7c57c11e69fac7a532f890d242ac1ee4d1c64262
|
24320dbdb41ad39806e00ddca7909462ee18bfc3 |
|
31-Oct-2013 |
Alex Klyubin <klyubin@google.com> |
Use SSLEngine-specific cipher suite and protocol asserts. SSLEngine implementations are currently assumed to support a subset of TLS/SSL protocols and cipher suites supported by SSLSocket/SSLServerSocket. SSLEngineTest should therefore use SSLEngine-specific assertions about cipher suites and protocols. Change-Id: I4c0359fb50cfe45df56c4b09f76f9a8583c712b4
|
2cd541f61919798b5b050c210f61db450ad8b013 |
|
30-Oct-2013 |
Alex Klyubin <klyubin@google.com> |
Refactor TLS/SSL cipher suite and protocol assertions. This hides expected lists of cipher suites and protocols from the users of assertion methods to: * enable targetSdkVersion-dependent behavior, and * centralize the definition of expected behavior in StandardNames. Bug: 11220570 Change-Id: I8b43196b24f02e10010223aa6738a9ce0df24333
|
7c935d4e4ca990334200cf5eb4fbcfac718c6b45 |
|
04-Jun-2012 |
gcollins <gcollins@antennasoftware.com> |
CertificateRequest should handle case where certificate is requested but none is available. Android SSL client was not handling a CertificateRequest where there was no cert to send. It had a problem because it was assuming that if the CertificateMessage response is not null, it means there is a cert included, which is not true (if it has no cert to send an empty CertificateMessage is sent to the server). So I updated the CertificateVerify creation check to also check whether the CertificateMessage contained any certs (ClientHandshakeImpl.java). In testing I found that the same error was in the server code so I made the same change there (ServerHandshakeImpl.java). I added two test cases to SSLEngineTest - one to directly test the scenario (test_SSLEngine_clientAuthWantedNoClientCert) and one to just double-check that the server would not allow the connection if setNeedClientAuth (test_SSLEngine_clientAuthNeededNoClientCert). Bug: http://code.google.com/p/android/issues/detail?id=31903 Change-Id: Ideb57d6ccbcdd54ca24dc3063e60aba2653c8414
|
3e6dd45baa0d7f9b4fa06f4ade76e088b59cc7bf |
|
16-Mar-2012 |
Brian Carlstrom <bdc@google.com> |
Tracking openssl-1.0.1 Bug: 6168278 Change-Id: I240d2cbc91f616fd486efc5203e2221c9896d90f
|
aba5e8c281fb9c6be23229246473fa0b433dd997 |
|
25-May-2011 |
Brian Carlstrom <bdc@google.com> |
OpenSSLSocketImpl should tolerate X509KeyManager returning null values While this started out as the small fix in OpenSSLSocketImpl.setCertificate and the corresponding test test_SSLSocket_clientAuth_bogusAlias, the need to test the behavior of the X509KeyManager returning null on the RI led to test maintenance to get libcore.javax.net.ssl tests working on RI 7 thanks to a test dependency that was added on the new InetAddress.getLoopbackAddress(). Change-Id: I3d8ed1ce453cc3a0b53e23e39c02e6a71413649c
|
101547d4a82ba21031dc7cb62018720dbd493758 |
|
01-Feb-2011 |
Jesse Wilson <jessewilson@google.com> |
Refactoring to add a builder for TestKeyStore. Change-Id: I346aea42a27042512f4ed97690f1e0ca1755257c
|
0d5c7588179fb373da70ce04362be5ce74a98eb4 |
|
24-Jan-2011 |
Brian Carlstrom <bdc@google.com> |
Cipher.init incorrectly implements RFC 3280 key usage validation Issue: http://code.google.com/p/android/issues/detail?id=12955 Bug: 3381582 Change-Id: Ida63c1356634c8e287ce5b0234418a656dffedf0
|
4ae3fd787741bfe1b808f447dcb0785250024119 |
|
19-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
Elliptic Crypto support for OpenSSLSocketImpl Summary: - Enable Elliptic Crypto support for OpenSSL based SSLSocket instances - More RI compliant usage of key types, client auth types, and server auth types - Steps toward TLS_EMPTY_RENEGOTIATION_INFO_SCSV support, currently test updates Details: Elliptic Curve changes CipherSuite updates for EC - Adding KEY_EXCHANGE_EC* and corresponding CipherSuites Updated isAnonymous, getKeyType (now renamed getServerKeyType) to handle new EC cases. Added new getAuthType for use by checkServerTrusted callers. - Restructured code to handle two SUITES_BY_CODE_* arrays - Remove KEY_EXCHANGE_DH_* definitions which unused because the corresponding CipherSuites were previously disabled. - Changed AES CipherSuites definitions to use "_CBC" to match other definitions. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java openssl EC - NativeCrypto now registers TLS_EC_* cipher suites and has update default list - Improved auth type arguments to checkClientTrusted/checkServerTrusted - NativeCrypto support for emphemeral EC keys luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java luni/src/main/native/NativeCrypto.cpp non-openssl SSL/TLS cleanups - cleanup around code trying to cope with DiffieHellman vs DH since either should work. - changed client to use new CipherSuite.getAuthType shared with NativeCrypto implementation - changed server to use CipherSuite.getKeyType luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/HandshakeProtocol.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/KeyManagerImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java Consolidate CertificateRequestType code into CipherSuite so that its shared between java and openssl implementations. This includes the KEY_TYPE_ string constants, TLS_CT_* byte constants and the 'String keyType(byte)' (now renamed getClientKeyType) code that depends on them. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CertificateRequest.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java Tests Differentiate between supported list of cipher suites openssl-based SSLSocket and SSLEngine based, since the SSLEngine code does not support EC. luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java Added testing for expected default cipher suites. Before we just ensured the values were valid. luni/src/test/java/libcore/javax/net/ssl/SSLSocketFactoryTest.java support/src/test/java/libcore/java/security/StandardNames.java Updated to handle new EC cipher suites codes. Added test for new getClientKeyType. luni/src/test/java/org/apache/harmony/xnet/provider/jsse/CipherSuiteTest.java Better use of "standard names" particularly to correctly deal with the subtle differences between key types, client auth types, and server auth types. TestKeyManager and TestTrustManager now verify the values they are passed are acceptable. support/src/test/java/libcore/java/security/StandardNames.java support/src/test/java/libcore/javax/net/ssl/TestKeyManager.java support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java Changed to timeout after 30 seconds and to log to reveal both client and server issues. support/src/test/java/libcore/javax/net/ssl/TestSSLSocketPair.java Bug: 3058375 Change-Id: I14d1d0285d591c99cc211324f3595a5be682cab1
|
6c78b7b94c232063ec559436b48b33751373ecf1 |
|
19-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
Toward EC TLS support Summary: - javax.net.ssl tests are now working on the RI - KeyManager can now handle EC_EC and EC_RSA - OpenSSLSocketImpl.startHandshake now works if KeyManager contains EC certificates Details: Add CipherSuite.getKeyType to provide X509KeyManager key type strings, refactored from OpenSSLServerSocketImpl.checkEnabledCipherSuites. getKeyType is now also used in OpenSSLSocketImpl.startHandshake to avoid calling setCertificate for unnecessary key types. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java New CipherSuiteTest to cover new getKeyType as well as existing functionality luni/src/test/java/org/apache/harmony/xnet/provider/jsse/CipherSuiteTest.java Add support to KeyManager implementation for key types of the form EC_EC and EC_RSA. The first part implies the KeyPair algorithm (EC in these new key types) with a potentially different signature algorithm (EC vs RSA in these) luni/src/main/java/org/apache/harmony/xnet/provider/jsse/KeyManagerImpl.java Update NativeCrypto.keyType to support EC_EC and EC_RSA in addition to EC which was added earlier. Change from array of KEY_TYPES to named KEY_TYPE_* constants. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java Overhauled KeyManagerFactoryTest to cover EC, EC_EC, EC_RSA cases luni/src/test/java/libcore/javax/net/ssl/KeyManagerFactoryTest.java support/src/test/java/libcore/java/security/StandardNames.java Changed TestKeyStore.createKeyStore from always using BKS to now use JKS on the RI between BC EC Keys and RI X509 certificates. Because JKS requires a password, we now default "password" on the RI. support/src/test/java/libcore/java/security/TestKeyStore.java luni/src/test/java/libcore/javax/net/ssl/SSLContextTest.java support/src/test/java/libcore/java/security/StandardNames.java TestKeyStore.create now accepts key types like EC_RSA. Changed TestKeyStore.createKeys to allow a PrivateKeyEntry to be specified for signing to enable creation of EC_RSA test certificate. Added getRootCertificate/rootCertificate to allow lookup of PrivateKeyEntry for signing. Changed TestKeyStore.getPrivateKey to take explicit signature algorithm to retrieve EC_EC vs EC_RSA entries. support/src/test/java/libcore/java/security/TestKeyStore.java luni/src/test/java/libcore/java/security/KeyStoreTest.java luni/src/test/java/libcore/javax/net/ssl/KeyManagerFactoryTest.java luni/src/test/java/libcore/java/security/cert/PKIXParametersTest.java luni/src/test/java/libcore/javax/net/ssl/TrustManagerFactoryTest.java luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java support/src/test/java/libcore/java/security/StandardNames.java Added support for EC cipher suites on the RI. Also test with and without new TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite which is used to specify the new TLS secure renegotiation. luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java support/src/test/java/libcore/java/security/StandardNames.java New TestKeyManager and additional logging in TestTrustManager. Logging in both is disabled by default using DevNullPrintStream. support/src/test/java/libcore/javax/net/ssl/TestKeyManager.java support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java support/src/test/java/libcore/java/io/DevNullPrintStream.java Bug: 3058375 Change-Id: Ia5e2a00a025858e10d1076b900886994b481e05a
|
a5c608e59f9d574ea4bc65e9dff44aae2f34fd26 |
|
01-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
TrustManager improvements Overhaul of TrustManagerImpl - PKIXParameters can now be final in TrustManagerImpl because we always immediately create an IndexedPKIXParameters instead of only doing it in SSLParametersImpl.createDefaultTrustManager. - Use new KeyStore constructor for IndexedPKIXParameters to remove duplicate logic for creating set of TrustAnchors from a KeyStore. - Improved checkTrusted/cleanupCertChain to remove special cases for directly trusting the end cert or pruning only self signed certs. To support b/2530852, we need to stop prune the chain as soon as we find any trust anchor (using newly improved TrustManagerImpl.isTrustAnchor), which could be at the beginning, middle, or end. That means cleanupCertChain can return an empty chain if everything was trusted directly. (and we don't need to do extra checks on exception cases to see if the problem was just that the trust anchor was in the chain) - isDirectlyTrusted -> isTrustAnchor here as well, using new IndexedPKIXParameters.isTrustAnchor APIs - Fix incorrect assumption in getAcceptedIssuers that all TrustAnchor instances have non-null results for getTrustedCert. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java Removed indexing in createDefaultTrustManager since we always index now luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java Overhaul of IndexedPKIXParameters - Single map from subject X500Principal to TrustAnchors instead of two different X500Principal keyed maps to check - Removed map based on encoded cert. For b/2530852, we want to treat certs as equal if they have the same name and public key, not byte-for-byte equality, which can be done with the remaining map. Revamped isDirectlyTrusted into isTrustAnchor(cert) to perform this new name/key based comparison. - Added helper isTrustAnchor(cert, anchors) to reuse code in non-IndexedPKIXParameters case in TrustManagerImpl. - Added constructor from KeyStore - Moved anchor indexing code to index() from old constructor luni/src/main/java/org/apache/harmony/xnet/provider/jsse/IndexedPKIXParameters.java TestKeyStore.getPrivateKey allowed some existing test simplification. luni/src/test/java/libcore/java/security/KeyStoreTest.java luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java support/src/test/java/libcore/java/security/TestKeyStore.java Added missing "fail()" before catching expected exceptions. luni/src/test/java/libcore/java/security/KeyStoreTest.java Expanded KeyManagerFactoryTest to excercise ManagerFactoryParameters b/1628001 luni/src/test/java/libcore/javax/net/ssl/KeyManagerFactoryTest.java Added KeyStoreBuilderParametersTest because I thought I saw a bug in KeyStoreBuilderParameters, but this convinced me otherwise. luni/src/test/java/libcore/javax/net/ssl/KeyStoreBuilderParametersTest.java New TrustManagerFactory test modeled on expanded KeyManagerFactoryTest. test_TrustManagerFactory_intermediate specifically is targeting the new functionality of b/2530852 to handling trust anchors within the chain. luni/src/test/java/libcore/javax/net/ssl/TrustManagerFactoryTest.java support/src/test/java/libcore/java/security/StandardNames.java Some initial on tests for Elliptic Curve (b/3058375) after the RI started reporting it was supported. Removed old @KnownFailure tags. Skipped a test on the RI that it can't handle. Improved some assert messages. luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java support/src/test/java/libcore/java/security/StandardNames.java support/src/test/java/libcore/java/security/TestKeyStore.java Removed unneeded bytes->javax->bytes->java case of which can just go bytes->java directly. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java Removed super() luni/src/main/java/javax/net/ssl/KeyStoreBuilderParameters.java Made Security.secprops final luni/src/main/java/java/security/Security.java Pulled SamplingProfiler fix from dalvik-dev branch git cherry-pick --no-commit f9dc3450e8f23cab91efc9df99bb860221ac3d6c dalvik/src/main/java/dalvik/system/SamplingProfiler.java Bug: 2530852 Change-Id: I95e0c7ee6a2f66b6986b3a9da9583d1ae52f94dd
|
f7aab022dcbfcd8f27b409ab92b4bca4a84d0b8a |
|
30-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
CloseGuard: finalizers for closeable objects should log complaints Introducing CloseGuard which warns when resources are implictly cleaned up by finalizers when an explicit termination method, to use the Effective Java "Issue 7: Avoid finalizers" terminology, should have been used by the caller. libcore classes that can use CloseGuard now do so. Bug: 3041575 Change-Id: I4a4e3554addaf3075c823feb0a0ff0ad1c1f6196
|
5f2e6872311240319509aed64d9f58cd5b64719b |
|
23-Aug-2010 |
Brian Carlstrom <bdc@google.com> |
SSLSocket.read should throw SocketException not NullPointerException OpenSSLSocketImpl now uses checkOpen similar to Socket's checkOpenAndCreate to ensure that SocketExceptions are thrown if certain operations are tried after the socket is closed. Also added *_setUseClientMode_afterHandshake tests for SSLSocket and SSLEngine. We properly through IllegalArgument exception in this case, but it wasn't covered by the tests previously. Bug: 2918499 Change-Id: I393ad39bed40a33725d2c0f3f08b9d0b0d3ff85f
|
4557728efb66c455a52b7669a8eefef7a9e54854 |
|
11-Aug-2010 |
Jesse Wilson <jessewilson@google.com> |
Moving tests to be under the libcore.* package. This is indended to make it easier to run on VMs that restrict the packages from which application classes can be loaded. For example, on the RI you need to use the bootclasspath to load these tests. Change-Id: I52193f35c5fcca18b5a3e1d280505b1e29b388af
|