| a0ffe1ac1371d6a533a99ade3400d5a013d91cab |
|
23-Nov-2017 |
Raj Mamadgi <r.mamadgi@samsung.com> |
Fix for libcore.java.security.ProviderTest#test_Provider_getServices
Just like Android Key Store, creating Samsung Knox Keystore for
exception handling.
Change-Id: I04ebad92a1065afe8037674eed6d51c913ebbdf8
Signed-off-by: Raj Mamadgi <r.mamadgi@samsung.com>
|
| 9da28e1cd4cdce2e6ee2ece3b0fbd5f20e5e6eda |
|
03-Nov-2017 |
Adam Vartanian <flooey@google.com> |
Update tests for Conscrypt upstream merge.
For the most part, this is just adjusting tests to account for the fact
that "ChaCha20" now refers to the plain stream cipher instead of
ChaCha20+Poly1305.
Test: cts -m CtsLibcoreTestCases
Change-Id: I5976027811c58910952a186f3580a3f5e561407d
|
| 12442ce0398b6ca0917462d33709f15c68f7e095 |
|
16-Oct-2017 |
Adam Vartanian <flooey@google.com> |
Update tests for Conscrypt upstream merge.
Adds basic compliance tests for ChaCha20/Poly1305/NoPadding.
Adds test that AES/GCM/NoPadding can be initialized with GCM
AlgorithmParameters.
Adds reuse test for ChaCha20/Poly1305/NoPadding.
Updates StandardNames for new names.
Updates SSLSocketTest for changed Conscrypt implementation details.
Test: cts -m CtsLibcoreTestCases
Change-Id: I608e4bbcced678fdfac8b28d500f7fa8b4599319
|
| 87b15f87f9e01e8e8d8350aa3fc74a08599ad6e8 |
|
07-Mar-2017 |
Kenny Root <kroot@google.com> |
Remove DHE ciphers from defaults list
Since DHE does not allow negotiation of the group used, it is pretty
broken. ECDHE at least allows the negotiation of the group which allows
its security to be maintained with configuration changes in the client
or server.
This tracks a change in Conscrypt merged in
906cfad7e08fd339be06441ff42960743f95053c
Test: cts-tradefed run cts -m CtsLibcoreOkHttpTestCases -a arm64-v8a
Test: cts-tradefed run cts -m CtsLibcoreTestCases -a arm64-v8a
Test: make docs
Test: visual inspection of docs output in web browser
Change-Id: Ic90297bf6b1c82af192a887797238ad250e3d1ce
|
| 4a7d052f9ff1dede771be29acf8e855959b08a69 |
|
14-Feb-2017 |
Adam Vartanian <flooey@google.com> |
Conscrypt: Add PBEWithHmacSHAXXXAndAES_XXX cipher aliases.
Bug: 29631070
Test: cts run -m CtsLibcoreTestCases -t libcore.java.security.ProviderTest
Test: cts run -m CtsLibcoreTestCases -t libcore.javax.crypto.CipherTest
Change-Id: I9bd6ed1a17048748cc5006326720dbd6c2012d67
|
| 2bdd86ec6cbafe421e5f4c24b6ec0f0fffe27f90 |
|
09-Feb-2017 |
Kenny Root <kroot@google.com> |
Reduce number of lint warnings
When compiled against the SDK, junit.framework is noted as deprecated.
Changing this to use JUnit4-style asserts doesn't break any users.
Test: cts-tradefed run cts -m CtsLibcoreTestCases
Change-Id: Ic480b16db8e0ef13b55e7f3c005c7d9c26da0114
|
| 385c0d328cd6925efd4d2c985f412166e78ced3c |
|
08-Feb-2017 |
Adam Vartanian <flooey@google.com> |
Conscrypt: Add key-constrained versions of AES algorithms.
Bug: 29631070
Test: run cts -m CtsLibcoreTestCases
Change-Id: I7174ec7f6c598d46dce1935385c723b96907d9d1
|
| 61209f38be2e98277eca36a3039da34ee0c32a54 |
|
10-Feb-2017 |
Adam Vartanian <flooey@google.com> |
BouncyCastle: Enable EC AlgorithmParameters.
Bug: 29631070
Test: run cts -m CtsLibcoreTestCases
Change-Id: Iff5246f9053a8a1691038f5719145a541ebec5e2
|
| fe74e44f279e241d07b0b0eeae28bf3bd4cfc622 |
|
26-Jan-2017 |
Chad Brubaker <cbrubaker@google.com> |
Provide SSL SSLContext algorithm
SSL was rexposed in 3f3b9c8292773841760263f410b74ed0ab7aae6b as an alias
to TLS.
Bug: 34722987
Test: cts-tradefed run cts -m CtsLibcoreTestCases -t
libcore.java.security.ProviderTest
Change-Id: Icf784ca30ccec2c5546dc9af6e7a06ae8ffefd56
|
| 3f3b9c8292773841760263f410b74ed0ab7aae6b |
|
17-Jan-2017 |
Chad Brubaker <cbrubaker@google.com> |
Expose SSLContext.SSL as an alias for SSLContext.TLS
SSL was removed with SSLv3 however a lot of callers use
SSL instead of Default leading to breakage.
Test: libcore/run-libcore-tests
libcore/luni/src/test/java/libcore/javax/net/ssl/*
Bug:32584776
Bug:30977793
Change-Id: I7ce48488a28e2c62bb0c2a76261a11fbd5bb9da7
|
| aeec00f5c8ce2675107ac096765fb250521b903e |
|
11-Jan-2017 |
Robert Sloan <varomodt@google.com> |
Update Libcore's Elliptic Curves to the BoringSSL change:
https://boringssl-review.googlesource.com/#/c/10923/
Test: CtsLibcoreTestCases
Change-Id: Ie13bcce8b1557e55921366643efbf71b7b75314b
|
| f3203f2d212279300ebd7f4a43ae323580d77812 |
|
17-Oct-2016 |
Sergio Giro <sgiro@google.com> |
bouncycastle: add support for PKCS5S2 algorithm parameters
Java 8 allows to specify a PBE key using only the password (as opposed
to password + salt + iteration count) and generate the encryption key
later by specifying the rest of the parameters in an AlgorithmParameters
object.
Adding these AlgorithmParameters in BouncyCastle together with support
in ciphers.
Bug: 29631070
Test: run CtsLibcoreTestCases
Change-Id: If3f9cf04a12beaf7cade5197ecbf7ea0fcca72fe
|
| 61a39247fb8ae7183518607ca98c2296722762e7 |
|
05-Oct-2016 |
Sergio Giro <sgiro@google.com> |
external/bouncycastle: add algorithms for PbeWithHmacSha mac variants
Bug: 29631070
Test: run CtsLibcoreTestCases
Change-Id: I5fd344c1de7c687585bc65a582e468501ee9154d
|
| 2439c385217d3351f9f9692731168870778dee10 |
|
27-Sep-2016 |
Chad Brubaker <cbrubaker@google.com> |
SSLContext no longer provides SSL on Android
Bug: 31765123
Test: Run libcore.java.security.ProviderTest.test_Provider_getServices
Change-Id: I78acfd4955b8d753d86876e56cb5bcb482f6bbf9
|
| 8f2073552a3aa97ce95f8380f5cab1742d77de91 |
|
14-Sep-2016 |
Chad Brubaker <cbrubaker@google.com> |
Drop SSLv3 support
The specific API version in the deprecation doc comments will be added
later, for now listed as TBD.
Bug: 30977793
Test: libcore/run-libcore-tests libcore/luni/src/test/java/libcore/javax/net/ssl/*
Change-Id: I5ebe22421589415a9e9065715262e6860b251b2b
|
| 8a978725ca74a014e90ccf14d6ea9964691ad1e4 |
|
12-Sep-2016 |
Chad Brubaker <cbrubaker@google.com> |
Drop RC4 cipher suite support from TLS
The specific API version in the deprecation doc comments will be added
later, for now listed as TBD.
Bug: 30977793
Test: libcore/run-libcore-tests libcore/luni/src/test/java/libcore/javax/net/ssl/*
Change-Id: Ic72806ef23066b89722419d5f09fed7fa007a60b
|
| 5b48c9448ea2413aede3b6ab17d6708ed2bb93d2 |
|
08-Sep-2016 |
Kenny Root <kroot@google.com> |
Add test to make sure TLS elliptic curves list is sensible
We accidentally regressed Android's TLS client by taking a change to
BoringSSL that limited client support to secp256r1. Note that BoringSSL
still sets the default, but add this test to make sure that our usage of
BoringSSL API doesn't cause unintended regressions.
(cherry picked from commit c97ba7f9b6a7621a55b95a7d5fd00cdffd6f09d5 with
removal of "x25519")
Test: make -j32 build-art-host vogar && vogar --mode host --classpath out/host/common/obj/JAVA_LIBRARIES/core-tests-support-hostdex_intermediates/classes.jack --classpath out/host/common/obj/JAVA_LIBRARIES/core-tests-hostdex_intermediates/classes.jack libcore/luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java -- test_SSLSocket_ClientHello_supportedCurves
Bug: 31393711
Change-Id: I9ec9b46f7f504dc239ae6a0da042458ebfbe9c63
|
| c97ba7f9b6a7621a55b95a7d5fd00cdffd6f09d5 |
|
08-Sep-2016 |
Kenny Root <kroot@google.com> |
Add test to make sure TLS elliptic curves list is sensible
We accidentally regressed Android's TLS client by taking a change to
BoringSSL that limited client support to secp256r1. Note that BoringSSL
still sets the default, but add this test to make sure that our usage of
BoringSSL API doesn't cause unintended regressions.
Test: make -j32 build-art-host vogar && vogar --mode host --classpath out/host/common/obj/JAVA_LIBRARIES/core-tests-support-hostdex_intermediates/classes.jack --classpath out/host/common/obj/JAVA_LIBRARIES/core-tests-hostdex_intermediates/classes.jack libcore/luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java -- test_SSLSocket_ClientHello_supportedCurves
Change-Id: I9ec9b46f7f504dc239ae6a0da042458ebfbe9c63
|
| 37b47128438ea911beea38228505084d334f951b |
|
21-Mar-2016 |
Kenny Root <kroot@google.com> |
Use canonical name for SHA1withECDSA
The Standard Names documentation that "ECDSA" should not be used due
to its ambiguity. This tracks the changes to Bouncycastle and Conscrypt.
(cherry picked from commit 313d8df320e37b92f711f547a856daa1b284b2b2)
Bug: 27753949
Change-Id: Id84049e6aa1a3ef131ba3ccea38a5a014db7809c
|
| 313d8df320e37b92f711f547a856daa1b284b2b2 |
|
21-Mar-2016 |
Kenny Root <kroot@google.com> |
Use canonical name for SHA1withECDSA
The Standard Names documentation that "ECDSA" should not be used due
to its ambiguity. This tracks the changes to Bouncycastle and Conscrypt.
Bug: 27753949
Change-Id: Id84049e6aa1a3ef131ba3ccea38a5a014db7809c
|
| 7ddc9546a7c6dbf3de8da070f3c5389c85bc1195 |
|
18-Mar-2016 |
Kenny Root <kroot@google.com> |
Prefer AES when hardware acceleration is available
ChaCha20-Poly1305 is more efficient in software, but many modern CPUs
have acceleration for AES which makes AES-GCM the more preferable choice
in terms of throughput and battery consumption (i.e., less CPU cycles
per byte).
(cherry picked from commit 7e8a826ee53af4b7a448fb339b446d13220145c4)
Bug: 26945889
Change-Id: I2b5fac1b8f1efec77fd8d847643d71902eb943e3
|
| 7e8a826ee53af4b7a448fb339b446d13220145c4 |
|
18-Mar-2016 |
Kenny Root <kroot@google.com> |
Prefer AES when hardware acceleration is available
ChaCha20-Poly1305 is more efficient in software, but many modern CPUs
have acceleration for AES which makes AES-GCM the more preferable choice
in terms of throughput and battery consumption (i.e., less CPU cycles
per byte).
Bug: 26945889
Change-Id: I2b5fac1b8f1efec77fd8d847643d71902eb943e3
|
| 9e8d892ecc42255ffc16a006fff9af3c1c1bf52c |
|
04-Mar-2016 |
Alex Klyubin <klyubin@google.com> |
Assert that RC4 TLS/SSL cipher suites are not used by default.
RC4 has been deprecated for a while. It's now time to no longer use it
by default. Mozilla Firefox and Chrome web browsers have already made
the leap.
This is a follow-up to 9a7b700a0f4d5bb1967b71e114b935b5b2ac7c12 which
asserts that TLS_RSA_WITH_RC4_128_SHA is disabled for the same
reasons.
Bug: 24898327
(cherry picked from commit 5fbb3ca9083c4799c5eb8b1d0837270898071379)
Change-Id: I713d65efe020dcef5de7ccfb37a1e828ee08c0a2
|
| 5fbb3ca9083c4799c5eb8b1d0837270898071379 |
|
04-Mar-2016 |
Alex Klyubin <klyubin@google.com> |
Assert that RC4 TLS/SSL cipher suites are not used by default.
RC4 has been deprecated for a while. It's now time to no longer use it
by default. Mozilla Firefox and Chrome web browsers have already made
the leap.
This is a follow-up to 9a7b700a0f4d5bb1967b71e114b935b5b2ac7c12 which
asserts that TLS_RSA_WITH_RC4_128_SHA is disabled for the same
reasons.
Bug: 24898327
Change-Id: Ieedb176e91ead0bb95c9a2a3af04c9547de06221
|
| 5a71ce031ebbcb5512cb4272349e271a625a33ec |
|
24-Feb-2016 |
Alex Klyubin <klyubin@google.com> |
Assert that RC4 TLS/SSL cipher suites are not used by default.
RC4 has been deprecated for a while. It's now time to no longer use it
by default. Mozilla Firefox and Chrome web browsers have already made
the leap.
Bug: 24898327
(cherry picked from commit 9a7b700a0f4d5bb1967b71e114b935b5b2ac7c12)
Change-Id: Ib8bba1a66a253b7e000f7be4e33cca997e84043d
|
| 9a7b700a0f4d5bb1967b71e114b935b5b2ac7c12 |
|
24-Feb-2016 |
Alex Klyubin <klyubin@google.com> |
Assert that RC4 TLS/SSL cipher suites are not used by default.
RC4 has been deprecated for a while. It's now time to no longer use it
by default. Mozilla Firefox and Chrome web browsers have already made
the leap.
Bug: 24898327
Change-Id: Ief3285f0abee0ddef547b13c50f0487dc1911e8d
|
| 18071abfad7b0525ae644d430e1df43c83d1aadf |
|
02-Feb-2016 |
Kenny Root <kroot@google.com> |
Add ChaCha20-Poly1305 as an enabled cipher suite
Change-Id: Idb809fe86688b21d25e1c44867659f5f02145543
|
| 793c9ce05eae979a7de9d164f6ec67f4501d022e |
|
05-Jan-2016 |
Kenny Root <kroot@google.com> |
Revert "Update tests for BoringSSL roll."
There is no way to indicate in the Java language that a TLS extension
should be used instead of the pseudo-ciphersuite for RFC 5746 operation.
Instead we should use the presence of the pseudo-ciphersuite in the
enabled list to enable the TLS extension.
Therefore we should revert the test expectation and allow the
TLS_EMPTY_RENEGOTIATION_INFO_SCSV pseudo-ciphersuite to be in enabled
list.
This reverts commit 5894fb79880aa4fb8fe42963234c2bba599ce1bb.
Bug: 24602368
|
| 25cd1880312d87adb33735b943ac9f184eb2ba7a |
|
21-Nov-2015 |
Alex Klyubin <klyubin@google.com> |
Assert that PSS AlgorithmParameters work as expected.
Bug: 25794302
Change-Id: I5aaf2e732299843b34e4c31f91dff5f505ff61ad
|
| 76cbd50fe694b58beb25b6f06776b722db31abc2 |
|
25-Sep-2015 |
Kenny Root <kroot@google.com> |
Revert "Revert "Update tests for BoringSSL roll.""
This reverts commit 1681d1ab216f42ec6f29d52d3dbb1760dad84d7f.
Underlying issue was fixed.
Change-Id: I387f28df03a4b6f79557557fa1483bc2ba45f6bb
|
| 1681d1ab216f42ec6f29d52d3dbb1760dad84d7f |
|
25-Sep-2015 |
Kenny Root <kroot@google.com> |
Revert "Update tests for BoringSSL roll."
This reverts commit 5894fb79880aa4fb8fe42963234c2bba599ce1bb.
The BoringSSL update broke some x86 builds.
Change-Id: I5e06700853a881778b99187d256bc87d773d46ab
|
| 5894fb79880aa4fb8fe42963234c2bba599ce1bb |
|
24-Sep-2015 |
Adam Langley <agl@google.com> |
Update tests for BoringSSL roll.
The renegotiation SCSV only needs to be sent with SSLv3. Sending it in
newer versions isn't needed because an extension does the same job.
This change updates the test expectations to match the behaviour of the
newer BoringSSL.
Change-Id: I213b778d921f6ba4364043bb582d16bd05966b2d
|
| 9ea5717a2568291bd49b531b733dafbc99d1d5bb |
|
06-Feb-2014 |
An Liu <an1.liu@sta.samsung.com> |
Skip TimaKeyStore in KeyStoreTest
TimaKeyStore is Samsung's TrustZone-based KeyStore
service provider. It should be skipped for KeyStore
test cases since Samsung has it's own test cases.
(cherry picked from commit f0cd15d29ea97346b7c2e870969907cd586b1b30)
Change-Id: I7c63dd1e037b0d8bed58593c2c9c883010106286
|
| 89c6ac92228530d7c8bd3563e6316754190a27ed |
|
17-Jun-2015 |
Alex Klyubin <klyubin@google.com> |
Add RSA-OAEP and RSA-PSS to StandardNames.
This fixes
libcore.java.security.ProviderTest#test_Provider_getServices which got
broken by Android Keystore Provider exposing RSA encryption with
RSA-OAEP padding scheme and RSA signatures with RSA-PSS padding scheme.
Bug: 21870225
Change-Id: I661a333579a29b5ede2b517e1a020d73122bfffc
|
| dfb72da0fbf93c04964db1908e99b10087f07a4c |
|
04-Jun-2015 |
Kenny Root <kroot@google.com> |
Update offered ciphers
Dropped support for non-ephemeral Diffie-Hellman cipher suites, anonymous
authentication, some DES cipher suites, and export cipher suites.
(cherry picked from commit 90b217a3543f119bb7aa20d7a0e55fd5343e9ce7)
Bug: 21522548
Change-Id: Ie2048d303890935969cc7c1ac7bc9d93705c7a90
|
| 90b217a3543f119bb7aa20d7a0e55fd5343e9ce7 |
|
04-Jun-2015 |
Kenny Root <kroot@google.com> |
Update offered ciphers
Dropped support for non-ephemeral Diffie-Hellman cipher suites, anonymous
authentication, some DES cipher suites, and export cipher suites.
Bug: 21522548
Change-Id: Ie2048d303890935969cc7c1ac7bc9d93705c7a90
|
| e31bd0c48b5aed701ac43ae9d1e0ff44daf77a2c |
|
18-May-2015 |
Kenny Root <kroot@google.com> |
No need to test "GCM" mode in regular Cipher test
Partially revert change from 6e0cdd08e2a671393b8a410690d28140a80d9387.
Since the regular cipher test expects to be able to use all padding
types with every mode, testing GCM is not appropriate here. It is
still tested elsewhere in CipherTest.
(cherry picked from commit a174063b24e6f792fc58373439808842e1c0d657)
Bug: 21209499
Change-Id: Ie20ddab4112f350cce08114c913a89a659823823
|
| 75cad21abebdf292f7e8ca3ed8cc9f7929d5579b |
|
18-May-2015 |
Kenny Root <kroot@google.com> |
Track change from GCM -> AES/GCM/NoPadding
Update tests to track the change from GCM to AES/GCM/NoPadding
(cherry picked from commit 6e0cdd08e2a671393b8a410690d28140a80d9387)
Bug: 21209499
Change-Id: Ie8383cd2cd0bcb62a38c4c55cd86aa90ad834b2b
|
| a174063b24e6f792fc58373439808842e1c0d657 |
|
18-May-2015 |
Kenny Root <kroot@google.com> |
No need to test "GCM" mode in regular Cipher test
Partially revert change from 6e0cdd08e2a671393b8a410690d28140a80d9387.
Since the regular cipher test expects to be able to use all padding
types with every mode, testing GCM is not appropriate here. It is
still tested elsewhere in CipherTest.
Bug: 21209499
Change-Id: Ie20ddab4112f350cce08114c913a89a659823823
|
| 4d582b46ba554b77b83c384f1b064104358a9bc4 |
|
18-May-2015 |
Kenny Root <kroot@google.com> |
StandardNames: update expectations for RI
Change-Id: Ia61cce94c7746b064008fa74b5f48ae1ee701539
|
| 6e0cdd08e2a671393b8a410690d28140a80d9387 |
|
18-May-2015 |
Kenny Root <kroot@google.com> |
Track change from GCM -> AES/GCM/NoPadding
Update tests to track the change from GCM to AES/GCM/NoPadding
Bug: 21209499
Change-Id: Ie8383cd2cd0bcb62a38c4c55cd86aa90ad834b2b
|
| ef68d71f665164dc2b6341dfaaea2c41af8153b0 |
|
15-Apr-2015 |
Alex Klyubin <klyubin@google.com> |
Unbreak SecretKeyFactory-related ProviderTest.
The test was broken by AndroidKeyStore Provider adding support for
SecretKeyFactory for key algorithms AES, HmacSHA1, HmacSHA224,
HmacSHA256, HmacSHA384, and HmacSHA512.
Bug: 20250820
Change-Id: Iba2d8f269844e01913fbf82a744e83da8f951af1
|
| b475d1c3d8bf15b063f6e7d2a1138b973da25e91 |
|
18-Mar-2015 |
Brian Carlstrom <bdc@google.com> |
Fix misspelling of Kerberos
Change-Id: I6473665bc00fa45d8a3941657791334e97df7c85
|
| 782740701db73dd2dc4fef9df8cde270b0e631a4 |
|
18-Nov-2014 |
Alex Klyubin <klyubin@google.com> |
Fix SSLContextTest.test_SSLContext_defaultConfiguration failure
This test was failing because it assumed that all SSLContext
instances have the same set of TLS protocol versions enabled.
The fix refactored SSLDefaultConfigurationAsserts class into
SSLConfigurationAsserts class. The main difference is that the new
class has wider scope: it can assert that (1) the default
configuration of TLS/SSL primitives is as expected -- exactly what
the old SSLDefaultConfigurationAsserts class offered, and (2) that
TLS/SSL primitives are configured the same as a provided SSLContext.
Assertions about the default configuration of primitives other than
SSLContext are now implemented by asserting that these primitives are
configured exactly like the default SSLContext.
Change-Id: I52d6514768c4053054df2cf79e7182d8fd87bfe2
|
| fef7818155899c092e6741de049fb7601dfcaf73 |
|
13-Nov-2014 |
Alex Klyubin <klyubin@google.com> |
Adjust tests for removal of DSS TLS/SSL cipher suites.
This is in preparation for migration from OpenSSL to BoringSSL.
BoringSSL does not support DSS.
Bug: 17409664
Change-Id: I6b2ac5f7c7b9c41416650cdbdce2deed03372f49
|
| 8e810dd5a8e7f0ca6b293704b91911900df100a3 |
|
31-Oct-2014 |
Kenny Root <kroot@google.com> |
SSLSocket: track update to TLS defaults
SSLv3 is no longer in the default list.
Bug: 17136008
Change-Id: I4092e17f79c29d10d11ffe01d130d0d03cd2215f
|
| bda96e051a3634b75abec3c989dcf0a8fab009b3 |
|
30-Oct-2014 |
Kenny Root <kroot@google.com> |
SSLSocket: document current behavior with SSLContext
Currently Android does not pay attention to the algorithm choice, so use
this test as documentation of that.
Bug: 17136008
Change-Id: If8e516be48721bf65a98f22a9cdf02eded8f6375
|
| 3b96a51f6446c8bc7d4ce7c23ad9164a4a4437ba |
|
03-Oct-2014 |
Kenny Root <kroot@google.com> |
Add support for TLS_FALLBACK_SCSV
Bug: 17750026
(cherry picked from commit e6a6e935e98f426c7000b2bf4086f87101f4441c)
Change-Id: Ia7f0714157b0dc36579122b27eb921a54f3a6818
|
| 6c9609af5f63a759bd50b5f6586f6f52502b4f93 |
|
07-Oct-2014 |
Neil Fuller <nfuller@google.com> |
Add support for TLS_FALLBACK_SCSV
Backport of commits:
external/conscrypt: 8d7e23e117da591a8d48e6bcda9ed6f58ff1a375
libcore: e6a6e935e98f426c7000b2bf4086f87101f4441c
libcore: 957ec8b09833e1c2f2c21380e53c13c9962e6b3e
Plus additional changes to:
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
luni/src/test/java/libcore/java/net/URLConnectionTest.java
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/CipherSuiteTest.java
support/src/test/java/libcore/java/security/StandardNames.java
to account for KitKat differences.
Bug: 17750026
Change-Id: Ic6e9474275bc3ffec3b5c2d6df1f8d6ffe77bff8
|
| 865c83f8383f03d545217c35d9140a4627a74406 |
|
07-Oct-2014 |
Neil Fuller <nfuller@google.com> |
Add support for TLS_FALLBACK_SCSV
Backport of commits:
external/conscrypt: 8d7e23e117da591a8d48e6bcda9ed6f58ff1a375
libcore: e6a6e935e98f426c7000b2bf4086f87101f4441c
libcore: 957ec8b09833e1c2f2c21380e53c13c9962e6b3e
Plus additional changes to:
luni/src/main/java/libcore/net/http/HttpConnection.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
luni/src/test/java/libcore/java/net/URLConnectionTest.java
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/CipherSuiteTest.java
support/src/test/java/libcore/java/security/StandardNames.java
to account for JellyBean differences.
Bug: 17750026
Change-Id: I7b60b1260fa0b275631ce9987168c7b5fc7ca138
|
| e6a6e935e98f426c7000b2bf4086f87101f4441c |
|
03-Oct-2014 |
Kenny Root <kroot@google.com> |
Add support for TLS_FALLBACK_SCSV
Bug: 17750026
Change-Id: I8dec89ae59a6f745f63120b11b4f6dbe9b21a139
|
| c876cd0510be10a751e5679420bd35889c0b0af9 |
|
11-Jul-2014 |
Alex Klyubin <klyubin@google.com> |
TLS-PSK cipher suites enabled when PSKKeyManager is provided.
This documents and tests that TLS-PSK cipher suites are enabled
if a PSKKeyManager is provided to SSLContext during its
initialization.
Bug: 15073623
(cherry picked from commit b5730a183c0ef94946bb04222f6219f83adef8f5)
Change-Id: Idb84b985301b575f4989f2c2a673b64e4e4930ea
|
| b5730a183c0ef94946bb04222f6219f83adef8f5 |
|
11-Jul-2014 |
Alex Klyubin <klyubin@google.com> |
TLS-PSK cipher suites enabled when PSKKeyManager is provided.
This documents and tests that TLS-PSK cipher suites are enabled
if a PSKKeyManager is provided to SSLContext during its
initialization.
Bug: 15073623
Change-Id: I8e2bc3e7a1ea8a986e468973b6bad19dc6b7bc3c
|
| f14c0fd560a55e464ac56f190896545e1126522d |
|
04-Jun-2014 |
Alex Klyubin <klyubin@google.com> |
Assert the updated list of supported ECDHE-PSK cipher suites.
Bug: 15073623
Change-Id: I427c99f4c1c72690d95e5a3c63763631c41ddae2
|
| c9461f39290f815f560f2ec50e9ccde5ff4eb8f7 |
|
09-May-2014 |
Alex Klyubin <klyubin@google.com> |
Document and assert support for TLS-PSK cipher suites.
This CL updates the Javadoc of SSLSocket and SSLEngine to list the
now supported TLS-PSK cipher suites. It also adds tests to assert
that these cipher suites are actually supported by SSLSocket and
SSLEngine.
Bug: 15073623
Change-Id: I8e59264455f980f23a5e66099c27b5b4d932b9bb
|
| 2c8bbf4bb24657c4e71de66fd0e66ad6baad4cf5 |
|
23-May-2014 |
Alex Klyubin <klyubin@google.com> |
Simplify assertions about SSLEngine.
Now that the default SSLEngine implementation is backed by the same
OpenSSL stack as the default SSLSocket implementation, the sets of
supported/enabled cipher suites and protocols should remain the same
between SSLEngine and SSLSocket.
Change-Id: I1ed88f39b07950e5d8b6e2fc7d6482a034626de3
|
| 2e68348d984d81c73a41e8db39183c55cff8faf9 |
|
09-May-2014 |
DanielMo <DanielMo@fih-foxconn.com> |
Enlarge the minimum key size of RSA to enhance the security
We have modified OpenSSL source code such that size of RSA key should be at least 512 bits or more to support
higher quality key generation as lower key sizes are vulnerable to attack.
Thus we need to increase the size to 512 to avoid CTS failures, please refer to it also.
https://code.google.com/p/android/issues/detail?id=66394
Change-Id: I95d734033227ed1497a5bc0fd0010f62b12c01c5
Signed-off-by: DanielMo <DanielMo@fih-foxconn.com>
|
| 727df1258e3b8386afea4778626c9ab16ef467d6 |
|
09-Apr-2014 |
Kenny Root <kroot@google.com> |
Update SSLEngineTest for OpenSSL
Our new OpenSSL-based SSLEngine supports all the new stuff and no longer
fails tests.
Change-Id: I7db8e5134ca36ebd963c7081cd7ba79d91b3e5e2
|
| 3ad1704dc8e4653f4ceaeb5d8315ddb28318a1bb |
|
02-Apr-2014 |
Kenny Root <kroot@google.com> |
Update SSLEngineTest for RI
The RI now supports TLSv1.2 with SSLEngine, so update all the
expectations for their tests. It also appears to disable "weak"
algorithms when you select TLSv1.2.
Change-Id: I564283bb4945d3b71bee0f89c93c6dd6e238b4f8
|
| 3c9ab07dd9001226b88f6bd1fca6690a3b7f4e3a |
|
21-Mar-2014 |
Kenny Root <kroot@google.com> |
StandardNames: only remove DH_* for RI
The RI doesn't use DH_RSA and DH_DSA, but we do. Only remove them when
the RI is running the tests.
Change-Id: Id496a60e64ea51b105b7548e219e9340608f4672
|
| a05be72f30c4ec9dc687582c651dc968fb89f444 |
|
20-Mar-2014 |
Kenny Root <kroot@google.com> |
StandardNames: update RI expectations
Change-Id: Ia20902cc63d5e3ef1ac4cfc7a0b651368e845867
|
| f0cd15d29ea97346b7c2e870969907cd586b1b30 |
|
06-Feb-2014 |
An Liu <an1.liu@sta.samsung.com> |
Skip TimaKeyStore in KeyStoreTest
TimaKeyStore is Samsung's TrustZone-based KeyStore
service provider. It should be skipped for KeyStore
test cases since Samsung has it's own test cases.
|
| 9f48b7f4185c06c3f4a1f95bda68a9cbe59b2c61 |
|
01-Feb-2014 |
Alex Klyubin <klyubin@google.com> |
Assert PKCS#7 padding supported for AES and 3DES.
This tests that PKCS#7 padding for all Cipher transformations which
currently support PKCS#5 padding.
PKCS#5 padding is a special case of PKCS#7 padding. PKCS#5 padding
is defined specifically for 64 bit long blocks. However, lots of code
assumes that PKCS#5 for other block sizes works exactly like PKCS#7,
and thus uses PKCS#5 padding where PKCS#7 should actually be used
(e.g., with AES). Thus, we assert the assumption that PKCS#7 padding
works exactly like PKCS#5 padding.
Change-Id: I0ca8a952c67bc7aff172e22bd730378d41438067
|
| 71fa3ffedf35aff964eb2545e9af5fecfb8fe8ce |
|
18-Dec-2013 |
Alex Klyubin <klyubin@google.com> |
Disable MD5 cipher suites in SSLSocket and SSLEngine.
Although HMAC-MD5 is not yet broken, the foundations are shaky --
see http://tools.ietf.org/html/rfc6151.
Scans show that disabling these TLS/SSL cipher suites currently
causes handshake issues with 0.4% of the ecosystem.
Bug: 11220570
Change-Id: I1970d2ecbdf3c0d26e45d439047b1d3884ade2ec
|
| 1169c54ed01bb6146bda80fdc665b4bce9d4b65f |
|
19-Dec-2013 |
Alex Klyubin <klyubin@google.com> |
Actually prefer Forward Secrecy cipher suites.
The documentation for the list of TLS/SSL cipher suites used by
default states that cipher suites offering Forward Secrecy are
preferred. This CL adjusts the list to conform: FS cipher suites
that use RC4_128 bulk encryption algorithm were not preferred
over non-FS cipher suites that use AES.
Bug: 11220570
Change-Id: Ic9019306898600086920874474764186b710c3ef
|
| 69f9b8db2a43d355430af36cc85d5ce945ed0869 |
|
18-Dec-2013 |
Alex Klyubin <klyubin@google.com> |
Assert static key ECDH disallowed in default cipher suites.
This is a follow-up to 5b15ad6b3d508a97d1cd23667afaee8c55072718 which
removed static key ECDH cipher suites from the default list, but
where the list of permitted key exchanges wasn't updated.
Bug: 11220570
Change-Id: I319e21bf4475ddb9e6262b41dda99f5e33b1816f
|
| 9a61ef3365ba5e33c65eec42fc80c7e47bc09958 |
|
18-Dec-2013 |
Alex Klyubin <klyubin@google.com> |
Disable 3DES cipher suites in SSLSocket.
The effective key length for 3DES_EDE bulk encryption algorithm
is only 112 bits. We're now aiming for 128 and higher.
Scans show that removing these cipher suites from the default list
causes handshake issues only with 0.15% of the ecosystem.
Bug: 11220570
Change-Id: Ie01ebe8134d08a36b276295b804540157963be8f
|
| 5b15ad6b3d508a97d1cd23667afaee8c55072718 |
|
18-Dec-2013 |
Alex Klyubin <klyubin@google.com> |
Disable static server key ECDH cipher suites in SSLSocket.
These cipher suites use a static key for ECDH on the server side.
When client certificates are used, a static key is also used on the
client side, leading to the same premaster secret for all connections
between a particular client and server. Also, these cipher suites do
not provide forward secrecy.
Scans show that removing these cipher suites from the default list
does not affect connectivity to servers and is thus safe.
Bug: 11220570
Change-Id: If34f4a3888ed9972c39d171656a85c61dfa98ea1
|
| 0f0e96af6a1e9e6ed88e2b310c8650d0021cfd47 |
|
17-Dec-2013 |
Alex Klyubin <klyubin@google.com> |
Enable AES-GCM cipher suites by default in SSLSocket.
AES-GCM is preferred to AES-CBC whose MAC-pad-then-encrypt approach
has issues (e.g., Lucky 13 attack).
Bug: 11220570
Change-Id: Ib007bc89ccf08358ed3f093f630350fa859e7c35
|
| 9e73d3f497461c5bd788bcfb7882e78c016e5876 |
|
17-Dec-2013 |
Alex Klyubin <klyubin@google.com> |
Enable support for TLSv1.2 cipher suites in SSLSocket.
This adds support for AES-GCM and AES-CBC with MACs based on SHA256
and SHA384.
Bug: 11220570
Change-Id: I56e7e25c5cd65a4c7662da6d4bbe5720f427e677
|
| 53360555a747056b8e599c3e3fb06532e7e30f61 |
|
26-Nov-2013 |
Alex Klyubin <klyubin@google.com> |
Enable TLSv1.1 and TLSv1.2 by default for SSLSocket.
TLSv1.1 and TLSv1.2 offer built-in protection against BEAST attack
and support for GCM cipher suites.
This change causes TLS/SSL handshake failures with a small fraction
of servers, load balancers and TLS/SSL accelerators with broken
TLS/SSL implementations.
Scans demonstrate that the number is around 0.6%. Breaking
connectivity (using platform default settings) to a tiny minority of
the ecosystem is acceptable because this inconvenience is outweighed
by the added safety for the overwheling majority of the ecosystem.
App developers affected by this issue should consider asking such
servers to be fixed or explicitly disabling TLSv1.1 and TLSv1.2 in
their apps.
Bug: 11220570
Change-Id: Ice9e8ce550401ba5e3385fd369c40f01c06ac7fd
|
| 0e5952d5638069e38218abf9136de8c4d3b60d95 |
|
13-Dec-2013 |
Kenny Root <kroot@google.com> |
CipherTest: add support for GCM cipher
Change-Id: I4b5a5123977a1df152f097e2c7ed86cf7dbcfe9e
|
| b4675a53abbbb55acad213485636cf6a0d8b5bf6 |
|
12-Dec-2013 |
Alex Klyubin <klyubin@google.com> |
Javadoc the default configuration of SSLEngine.
The Javadoc of javax.net.ssl.SSLEngine now lists the protocols and
cipher suites supported and enabled by default.
Bug: 11220570
Change-Id: I6e365d58bfe2ddf60bae9dc7ccd0a33249e9e125
|
| 50ef556fd74a411bebdf0e33df75d7be1df1ed81 |
|
10-Dec-2013 |
Alex Klyubin <klyubin@google.com> |
Javadoc the default configuration of SSLSocket.
The Javadoc of javax.net.ssl.SSLSocket now lists the protocols and
cipher suites supported and enabled by default.
Bug: 11220570
Change-Id: I3b6a96a86618370a55abf3307cbaadd1a1587066
|
| 76900faa07771f1143671a3c8703d542b3ca9c21 |
|
08-Nov-2013 |
Alex Klyubin <klyubin@google.com> |
Deprioritize HMAC-MD5 in default TLS/SSL cipher suites.
Although HMAC-MD5 is not yet broken, the foundations are now much
more shaky that those of HMAC-SHA.
See http://tools.ietf.org/html/rfc6151.
Bug: 11220570
Change-Id: I2a2fe4d427650081637efc14fd7c427a33cbea7e
|
| 4892adf2af0d4c842aace8d8f8f8a8189425ac23 |
|
07-Nov-2013 |
Alex Klyubin <klyubin@google.com> |
Prefer Forward Secrecy TLS/SSL cipher suites by default.
This modifies the list of TLS/SSL cipher suites used by default to
prefer those offering Forward Secrecy (FS) -- ECDHE and DHE.
Bug: 11220570
Change-Id: I20f635d11e937d64de4f4e2fea34e1c5ea7a67ac
|
| 3cb3d30b0237493c1fc1947eaee0266c64583221 |
|
07-Nov-2013 |
Alex Klyubin <klyubin@google.com> |
Deprioritize RC4-based TLS/SSL cipher suites.
Now that BEAST and Lucky13 mitigations are enabled, it is prudent to
prefer AES CBC cipher suites over RC4 ones
(see http://www.isg.rhul.ac.uk/tls/).
Bug: 11220570
Change-Id: I52b9724700fd8eaeebbadcfa518a96823a1410b8
|
| f13911b39126ffae49737dadc74332b3a84e0d19 |
|
04-Nov-2013 |
Alex Klyubin <klyubin@google.com> |
Exact asserts for TLS/SSL protocols used by default.
Previously, assertions about the list of protocols used by default by
TLS/SSL primitives were checking that all of the protocols are
supported, but were not checking that the list was exactly as
expected. This CL adjusts the assertions to check that all of the
expected protocols are listed and that no other protocols are listed.
Three assert methods are added, corresponding to the three
concentually different lists: client-side (e.g., SSLSocket),
server-side (SSLServerSocket), and SSLEngine which currently does not
switch lists based on whether it's in client or server mode.
Bug: 11220570
Change-Id: Ib6b56c2372d76f94f254481aa01d29d2d03a085f
|
| 632b6f770974fe4811e2e55dcba54f63b556e305 |
|
01-Nov-2013 |
Alex Klyubin <klyubin@google.com> |
Exact check for cipher suites used by SSLEngine by default.
The previous assertion was only checking that all the default cipher
suites are supported by SSLEngine.
Bug: 11220570
Change-Id: I7c57c11e69fac7a532f890d242ac1ee4d1c64262
|
| 2cd541f61919798b5b050c210f61db450ad8b013 |
|
30-Oct-2013 |
Alex Klyubin <klyubin@google.com> |
Refactor TLS/SSL cipher suite and protocol assertions.
This hides expected lists of cipher suites and protocols from the
users of assertion methods to:
* enable targetSdkVersion-dependent behavior, and
* centralize the definition of expected behavior in StandardNames.
Bug: 11220570
Change-Id: I8b43196b24f02e10010223aa6738a9ce0df24333
|
| c1caa0507a6de77b3cf3f6b739596e7fe08e98dc |
|
23-Oct-2013 |
Alex Klyubin <klyubin@google.com> |
Do not use short-keyed TLS/SSL cipher suites by default.
This removes TLS/SSL cipher suites with bulk cipher secret keys
shorter than 80 bits from the list of cipher suites used by default.
Bug: 11220570
Change-Id: I04e30f6d634801b36018fecc8f2b257fc6b7adfc
|
| 9d72aaddcedda0eb4519f84805d2212fcc25ebaf |
|
26-Sep-2013 |
Kenny Root <kroot@google.com> |
Conscrypt: add SHA-224 with tests
SHA-224 has made a comeback in the latest StandardNames documentation.
This change adds tests for SHA-224 and also Conscrypt providers for
things we have code paths to support.
Change-Id: I8c200082ff76ee4ae38b6efaa16e6741b33b7f5b
|
| b274574b7e2681f4411852af9857b4540bf75841 |
|
02-Aug-2013 |
Elliott Hughes <enh@google.com> |
If libcore wants ASCII casing, it needs to ask for it like everyone else.
http://elliotth.blogspot.com/2012/01/beware-convenience-methods.html
Bug: https://code.google.com/p/android/issues/detail?id=58359
Change-Id: I597b2ac940f17b5b2bc176e390dc4b63fe0a4e72
|
| 3f410d3b2d68c77a2a84629b47c29226c235f57d |
|
29-Apr-2013 |
William Luh <williamluh@google.com> |
PBKDF2 tests to exercise new, correct PBE implementation.
Bug: 8312059
Change-Id: I614a43a0022393cb16250f4991a7156b05b0860c
|
| df622e97f428295cbb19c8bd04433d8febb6d8b3 |
|
24-May-2013 |
Brian Carlstrom <bdc@google.com> |
CipherTest fixes
Bug: 9095447
Change-Id: Ieba76865c4da4260949391389611dfd09bc5e326
|
| e9e7f036545d04e441e2aa8bcae4ba1024c86e97 |
|
24-May-2013 |
Brian Carlstrom <bdc@google.com> |
CipherTest fixes
Bug: 9095447
(cherry picked from commit 1eba66d802f4edfaa3ca599f196e282bc110eff9)
Change-Id: I6709eebcbede0ba617462bf49dd858f98246555f
|
| 1eba66d802f4edfaa3ca599f196e282bc110eff9 |
|
24-May-2013 |
Brian Carlstrom <bdc@google.com> |
CipherTest fixes
Bug: 9095447
Change-Id: Ieba76865c4da4260949391389611dfd09bc5e326
|
| 32d4f90cbb829fce348ff1767d0c05168a5e3e30 |
|
19-Apr-2013 |
Kenny Root <kroot@google.com> |
Rename AndroidKeyStoreProvider -> AndroidKeyStore
Bug: 8657552
Change-Id: I2659f1b67bb0fc298a187938d560fd57d3ceb214
|
| 0b0c73781fbb1e5a43e6c0b363064010ac43f5bf |
|
16-Apr-2013 |
Kenny Root <kroot@google.com> |
Rename AndroidKeyStore in tests to match impl
The KeyPairGenerator was renamed in frameworks/base, but it is tested
during CTS so the StandardNames in libcore needs to be updated to know
about this change as well so tests that use StandardNames don't have
erroneous returns.
Bug: 8626181
Change-Id: I079eb650d2dbe7baa204ff8d110a5389132e32a4
|
| eef7e9357c272a9154f007e8bee2a09eed66d101 |
|
01-Nov-2012 |
Brian Carlstrom <bdc@google.com> |
Test to verify BC Signature algorithms by OID
Bug: 7453821
Change-Id: I69408d0bb4063e34441ed1d7632fd1ccac39965b
|
| c934a095e1f863f00bf6f7c0b37fbd05ebeaaff5 |
|
29-Oct-2012 |
Brian Carlstrom <bdc@google.com> |
Prefer PKIX algorithm name for TrustManagerFactory and KeyManagerFactory
Change-Id: I3da5bdf6739c6aee5ec0174e93cd6c06d6dfeeb3
|
| 72e44404c32a98e7675a6e7cfbf856adb499a434 |
|
09-Oct-2012 |
Brian Carlstrom <bdc@google.com> |
Change OpenSSLCipherRSA.{engineGetBlockSize,engineGetOutputSize} to return result based on key size
Includes cherry-pick of 847f22adbd0e829b84491d7202dcbed5bf67a98c
Bug: 7192453
Change-Id: Ib5fa1e313d942d2c1034e8e7831af285ad24d71d
|
| bff099b1b39940301bc7dd4be52dbe303c5e6fdf |
|
10-Oct-2012 |
Kenny Root <kroot@google.com> |
Add stronger digest support to JarVerifier
Adds support for SHA-256, SHA-384, and SHA-512.
Bug: http://code.google.com/p/android/issues/detail?id=38321
Change-Id: I9bf3f9cb2fa53b9f980e6c1cffcba81aa289a762
|
| 5818245f0d132dc7fffd81d099ea7adb60be15f1 |
|
04-Oct-2012 |
Kenny Root <kroot@google.com> |
OpenSSLCipher: add Ciphers to StandardNames
Change-Id: Ib990dd170d4c94ceea065748aceeb3bb4a297438
|
| 847f22adbd0e829b84491d7202dcbed5bf67a98c |
|
28-Sep-2012 |
Kenny Root <kroot@google.com> |
Add more CipherTest tests
Change-Id: I29f55e41335021945029e410d4e51e2c8f564285
|
| fe8b870db2b374e21c69c2ff0050e6a34e0d8d94 |
|
05-Sep-2012 |
Brian Carlstrom <bdc@google.com> |
Tracking upgrade to bouncycastle 1.47
Change-Id: Ie1f2ae92638e81ccd7e4ec2459199e6eecdac75f
|
| 0a156e0126e8015f2791e9a7dd48bbdaeae0c335 |
|
12-Sep-2012 |
Brian Carlstrom <bdc@google.com> |
Add OpenSSLProvider support for Cipher.RSA/None/PKCS1Padding
Summary:
- Add OpenSSLProvider support for Cipher.RSA/None/PKCS1Padding
Added NativeCrypto.RSA_private_decrypt and NativeCrypto.RSA_public_encrypt
- Changed OpenSSLSignatureRawRSA to use new Cipher.RSA/None/PKCS1Padding
Removed now obsoleted NativeCrypto APIs for
RSA_padding_add_PKCS1_type_1 and RSA_padding_check_PKCS1_type_1
- added wrap/unwrap support OpenSSLCipherRSA
Needed for SSLEngine (and fallback SSLSocket implementation)
which are now picking up the new Cipher.RSA/None/PKCS1Padding
- expanded CipherTest to sanity test all algorithms and PKCS1 padding
Change-Id: I03566cc86ffce07d44d5e0094fa82c9c24587c26
|
| a8ae31b76c5615bf025b29e96dcadf900164efed |
|
29-Aug-2012 |
Kenny Root <kroot@google.com> |
Add Android KeyStore provider to StandardNames
Change-Id: Ic4bbcf5be005a74f5263e40f406f8c741e5d8d5e
|
| 62fc526d80608925cad24c3d6d91657f63a56fcf |
|
16-Aug-2012 |
Kenny Root <kroot@google.com> |
Add new Android-only algos to StandardNames
The ProviderTest fails if we don't add these to StandardNames.
Change the name of Signature.RAWRSA to "NONEwithRSA" so it matches the
convention in existing algorithms.
Change-Id: Id126eca46ee3b9f9d19aee596c1babd489693c7a
|
| ec9557af2760d73e6e53a2be6b025acb258e9017 |
|
02-Aug-2012 |
Brian Carlstrom <bdc@google.com> |
Remove SSLContext TLSv1.1 and TLSv1.2 from expected list for RI
Change-Id: Ie506337882a878df77073c0c8117dfdc8d33b670
|
| 3e6dd45baa0d7f9b4fa06f4ade76e088b59cc7bf |
|
16-Mar-2012 |
Brian Carlstrom <bdc@google.com> |
Tracking openssl-1.0.1
Bug: 6168278
Change-Id: I240d2cbc91f616fd486efc5203e2221c9896d90f
|
| aba5e8c281fb9c6be23229246473fa0b433dd997 |
|
25-May-2011 |
Brian Carlstrom <bdc@google.com> |
OpenSSLSocketImpl should tolerate X509KeyManager returning null values
While this started out as the small fix in
OpenSSLSocketImpl.setCertificate and the corresponding test
test_SSLSocket_clientAuth_bogusAlias, the need to test the behavior of
the X509KeyManager returning null on the RI led to test maintenance to
get libcore.javax.net.ssl tests working on RI 7 thanks to a test
dependency that was added on the new InetAddress.getLoopbackAddress().
Change-Id: I3d8ed1ce453cc3a0b53e23e39c02e6a71413649c
|
| 347b2a604114602da9bc4ae040278f74d11c2f51 |
|
26-Apr-2011 |
Brian Carlstrom <bdc@google.com> |
Avoid loading all CA certs into Zygote memory, lazily load instead (2 of 3)
Previously the CA certs stored in the BKS KeyStore at
/system/etc/security/cacerts.bks was loaded in the Zygote. As the the
number of CAs are started to increase, this is causing more and more
memory to be used for rarely used CAs. The new AndroidCAStore KeyStore
implementation reads the CAs as needed out of individual PEM
certificate files. The files can be efficiently found because they are
named based on a hash CA's subject name, similar to OpenSSL.
Bug: 1109242
Details:
build
Removing old cacerts.bks from GRANDFATHERED_ALL_PREBUILT and
adding new cacerts directory to core PRODUCT_PACKAGES
core/legacy_prebuilts.mk
target/product/core.mk
libcore
cacerts build changes. Move cacerts prebuilt logic to new
CaCerts.mk from NativeCode.mk where it didn't make sense. Updated
Android.mk's dalvik-host target to install new cacerts files.
Android.mk
CaCerts.mk
NativeCode.mk
Remove old cacerts.bks and add remove certimport.sh script used to
generate it. Preserved the useful comments from certimport.sh in
the new README.cacerts
luni/src/main/files/cacerts.bks
luni/src/main/files/certimport.sh
luni/src/main/files/README.cacerts
Recanonicalize cacerts files using updated vendor/google/tools/cacerts/certimport.py
(See below discussion of certimport.py changes for details)
luni/src/main/files/cacerts/00673b5b.0
luni/src/main/files/cacerts/03e16f6c.0
luni/src/main/files/cacerts/08aef7bb.0
luni/src/main/files/cacerts/0d188d89.0
luni/src/main/files/cacerts/10531352.0
luni/src/main/files/cacerts/111e6273.0
luni/src/main/files/cacerts/1155c94b.0
luni/src/main/files/cacerts/119afc2e.0
luni/src/main/files/cacerts/11a09b38.0
luni/src/main/files/cacerts/12d55845.0
luni/src/main/files/cacerts/17b51fe6.0
luni/src/main/files/cacerts/1920cacb.0
luni/src/main/files/cacerts/1dac3003.0
luni/src/main/files/cacerts/1dbdda5b.0
luni/src/main/files/cacerts/1dcd6f4c.0
luni/src/main/files/cacerts/1df5ec47.0
luni/src/main/files/cacerts/1e8e7201.0
luni/src/main/files/cacerts/1eb37bdf.0
luni/src/main/files/cacerts/219d9499.0
luni/src/main/files/cacerts/23f4c490.0
luni/src/main/files/cacerts/27af790d.0
luni/src/main/files/cacerts/2afc57aa.0
luni/src/main/files/cacerts/2e8714cb.0
luni/src/main/files/cacerts/2fa87019.0
luni/src/main/files/cacerts/2fb1850a.0
luni/src/main/files/cacerts/33815e15.0
luni/src/main/files/cacerts/343eb6cb.0
luni/src/main/files/cacerts/399e7759.0
luni/src/main/files/cacerts/3a3b02ce.0
luni/src/main/files/cacerts/3ad48a91.0
luni/src/main/files/cacerts/3c58f906.0
luni/src/main/files/cacerts/3c860d51.0
luni/src/main/files/cacerts/3d441de8.0
luni/src/main/files/cacerts/3e7271e8.0
luni/src/main/files/cacerts/418595b9.0
luni/src/main/files/cacerts/455f1b52.0
luni/src/main/files/cacerts/46b2fd3b.0
luni/src/main/files/cacerts/48478734.0
luni/src/main/files/cacerts/4d654d1d.0
luni/src/main/files/cacerts/4e18c148.0
luni/src/main/files/cacerts/4fbd6bfa.0
luni/src/main/files/cacerts/5021a0a2.0
luni/src/main/files/cacerts/5046c355.0
luni/src/main/files/cacerts/524d9b43.0
luni/src/main/files/cacerts/56b8a0b6.0
luni/src/main/files/cacerts/57692373.0
luni/src/main/files/cacerts/58a44af1.0
luni/src/main/files/cacerts/594f1775.0
luni/src/main/files/cacerts/5a3f0ff8.0
luni/src/main/files/cacerts/5a5372fc.0
luni/src/main/files/cacerts/5cf9d536.0
luni/src/main/files/cacerts/5e4e69e7.0
luni/src/main/files/cacerts/60afe812.0
luni/src/main/files/cacerts/635ccfd5.0
luni/src/main/files/cacerts/67495436.0
luni/src/main/files/cacerts/69105f4f.0
luni/src/main/files/cacerts/6adf0799.0
luni/src/main/files/cacerts/6e8bf996.0
luni/src/main/files/cacerts/6fcc125d.0
luni/src/main/files/cacerts/72f369af.0
luni/src/main/files/cacerts/72fa7371.0
luni/src/main/files/cacerts/74c26bd0.0
luni/src/main/files/cacerts/75680d2e.0
luni/src/main/files/cacerts/7651b327.0
luni/src/main/files/cacerts/76579174.0
luni/src/main/files/cacerts/7999be0d.0
luni/src/main/files/cacerts/7a481e66.0
luni/src/main/files/cacerts/7a819ef2.0
luni/src/main/files/cacerts/7d3cd826.0
luni/src/main/files/cacerts/7d453d8f.0
luni/src/main/files/cacerts/81b9768f.0
luni/src/main/files/cacerts/8470719d.0
luni/src/main/files/cacerts/84cba82f.0
luni/src/main/files/cacerts/85cde254.0
luni/src/main/files/cacerts/86212b19.0
luni/src/main/files/cacerts/87753b0d.0
luni/src/main/files/cacerts/882de061.0
luni/src/main/files/cacerts/895cad1a.0
luni/src/main/files/cacerts/89c02a45.0
luni/src/main/files/cacerts/8f7b96c4.0
luni/src/main/files/cacerts/9339512a.0
luni/src/main/files/cacerts/9685a493.0
luni/src/main/files/cacerts/9772ca32.0
luni/src/main/files/cacerts/9d6523ce.0
luni/src/main/files/cacerts/9dbefe7b.0
luni/src/main/files/cacerts/9f533518.0
luni/src/main/files/cacerts/a0bc6fbb.0
luni/src/main/files/cacerts/a15b3b6b.0
luni/src/main/files/cacerts/a3896b44.0
luni/src/main/files/cacerts/a7605362.0
luni/src/main/files/cacerts/a7d2cf64.0
luni/src/main/files/cacerts/ab5346f4.0
luni/src/main/files/cacerts/add67345.0
luni/src/main/files/cacerts/b0f3e76e.0
luni/src/main/files/cacerts/bc3f2570.0
luni/src/main/files/cacerts/bcdd5959.0
luni/src/main/files/cacerts/bda4cc84.0
luni/src/main/files/cacerts/bdacca6f.0
luni/src/main/files/cacerts/bf64f35b.0
luni/src/main/files/cacerts/c0cafbd2.0
luni/src/main/files/cacerts/c215bc69.0
luni/src/main/files/cacerts/c33a80d4.0
luni/src/main/files/cacerts/c527e4ab.0
luni/src/main/files/cacerts/c7e2a638.0
luni/src/main/files/cacerts/c8763593.0
luni/src/main/files/cacerts/ccc52f49.0
luni/src/main/files/cacerts/cdaebb72.0
luni/src/main/files/cacerts/cf701eeb.0
luni/src/main/files/cacerts/d16a5865.0
luni/src/main/files/cacerts/d537fba6.0
luni/src/main/files/cacerts/d64f06f3.0
luni/src/main/files/cacerts/d777342d.0
luni/src/main/files/cacerts/d8274e24.0
luni/src/main/files/cacerts/dbc54cab.0
luni/src/main/files/cacerts/ddc328ff.0
luni/src/main/files/cacerts/e48193cf.0
luni/src/main/files/cacerts/e60bf0c0.0
luni/src/main/files/cacerts/e775ed2d.0
luni/src/main/files/cacerts/e7b8d656.0
luni/src/main/files/cacerts/e8651083.0
luni/src/main/files/cacerts/ea169617.0
luni/src/main/files/cacerts/eb375c3e.0
luni/src/main/files/cacerts/ed049835.0
luni/src/main/files/cacerts/ed524cf5.0
luni/src/main/files/cacerts/ee7cd6fb.0
luni/src/main/files/cacerts/f4996e82.0
luni/src/main/files/cacerts/f58a60fe.0
luni/src/main/files/cacerts/f61bff45.0
luni/src/main/files/cacerts/f80cc7f6.0
luni/src/main/files/cacerts/fac084d7.0
luni/src/main/files/cacerts/facacbc6.0
luni/src/main/files/cacerts/fde84897.0
luni/src/main/files/cacerts/ff783690.0
Change IntegralToString.intToHexString to take width argument to
allow for leading zero padding. Updated existing callers to
specify 0 padding desired. Add testing of new padding
functionality.
luni/src/main/java/java/lang/Character.java
luni/src/main/java/java/lang/Integer.java
luni/src/main/java/java/lang/IntegralToString.java
luni/src/test/java/libcore/java/lang/IntegralToStringTest.java
Improved to throw Exceptions with proper causes
luni/src/main/java/java/security/KeyStore.java
luni/src/main/java/java/security/Policy.java
luni/src/main/java/java/security/cert/CertificateFactory.java
luni/src/main/java/javax/crypto/Cipher.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSignature.java
Indentation fixes
luni/src/main/java/java/security/SecureRandom.java
Fix X509CRLSelector.getIssuerNames to clone result and added test to cover this.
luni/src/main/java/java/security/cert/X509CRLSelector.java
luni/src/test/java/libcore/java/security/cert/X509CRLSelectorTest.java
Fixed bug where we created an X500Principal via a String
representation instead of from its original encoded bytes. This
led to a difficult to track down bug where CA 418595b9.0 where the
NativeCode.X509_NAME_hash of a Harmony (but not BouncyCastle)
X509Certificate would not hash to the expected value because the
encoded form used an ASN.1 PrintableString instead of the
UTF8String form found in the original certificate.
luni/src/main/java/org/apache/harmony/security/x501/Name.java
Add a new RootKeyStoreSpi and register it as the
AndroidCAStore. This new read-only KeyStore implementation that
looks for certificates in $ANDROID_ROOT/etc/security/cacerts/
directory, which is /system/etc/security/cacerts/ on devices. The
files are stored in the directory based on the older md5 based
OpenSSL X509_NAME_hash function (now referred to as
X509_NAME_hash_old in OpenSSL 1.0)
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/RootKeyStoreSpi.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/JSSEProvider.java
Added OpenSSL compatible X509_NAME_hash and X509_NAME_hash_old
functions for producting an int hash value from an X500Principal.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
Changed TrustManagerFactoryImpl to use AndroidCAStore for its default KeyStore
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerFactoryImpl.java
Changed TrustManagerImpl to be AndroidCAStore aware. If it detects
an AndroidCAStore, it avoids generating the acceptedIssuers array
at constructions, since doing so would force us to parse all
certificates in the store and the value is only typically used by
SSLServerSockets when requesting a client certifcate. Because we
don't load all the trusted CAs into the IndexedPKIXParameters at
startup in the case of AndroidCAStore, we now check for new CAs
when examining the cert chain for unnecessary TrustAnchors and for
a newly discovered issuer at the end of the chain before
validation.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
Updated KeyStoreTest to cope with read only KeyStore. Update
test_cacerts_bks (now renamed test_cacerts) to use the
AndroidCAStore for validating system CA certificate
validity. Register AndroidCAStore as an expected KeyStore type
with StandardNames.
luni/src/test/java/libcore/java/security/KeyStoreTest.java
support/src/test/java/libcore/java/security/StandardNames.java
Added test of X500Principal serialization while investigating Name
encoding issue. However, the actual Name bug was found and
verified by the new test_cacerts test.
luni/src/test/java/libcore/javax/security/auth/x500/X500PrincipalTest.java
vendor/google
Change canonical format for checked in cacerts to have PEM
certificate at the top, as required by Harmony's X.509
CertificateFactory.
tools/cacerts/certimport.py
Change-Id: If0c9de430f13babb07f96a1177897c536f3db08d
|
| 839b99a3725f9af66ca9ea1bac2a3f3c784717c4 |
|
13-Apr-2011 |
Brian Carlstrom <bdc@google.com> |
Updating StandardNames for bouncycastle 1.46 upgrade
Change-Id: I26a9ff274fd86c4645e44123f6761621045228b5
|
| 8bc378b1cec65bc06766a14a9cc575fec931b418 |
|
24-Feb-2011 |
Jesse Wilson <jessewilson@google.com> |
Don't generate large DH keys when small ones will do.
This dramatically improves the runtime of these tests from a few
minutes to a few seconds.
Also update known failures to cover the new reasons why these
tests are failing.
Change-Id: I82b738f3f1fb24a08d334fa960153692a0c9144f
http://b/3474446
|
| ffeba5dd766602f6e2be9caa9081744348a53c04 |
|
01-Dec-2010 |
Brian Carlstrom <bdc@google.com> |
Add support for TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite
"TLS_EMPTY_RENEGOTIATION_INFO_SCSV" is RFC 5746's renegotiation
indication signaling cipher suite value. It is not a real cipher
suite. It is just an indication in the default and supported cipher
suite lists indicates that the implementation supports secure
renegotiation.
In the RI, its presence means that the SCSV is sent in the cipher
suite list to indicate secure renegotiation support and its absence
means to send an empty TLS renegotiation info extension instead.
However, OpenSSL doesn't provide an API to give this level of control,
instead always sending the SCSV and always including the empty
renegotiation info if TLS is used (as opposed to SSL). So we simply
allow TLS_EMPTY_RENEGOTIATION_INFO_SCSV to be passed for compatibility
as to provide the hint that we support secure renegotiation.
Change-Id: I0850bea47568edcfb1f7df99d4e8a747f938406d
|
| 4ae3fd787741bfe1b808f447dcb0785250024119 |
|
19-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
Elliptic Crypto support for OpenSSLSocketImpl
Summary:
- Enable Elliptic Crypto support for OpenSSL based SSLSocket instances
- More RI compliant usage of key types, client auth types, and server auth types
- Steps toward TLS_EMPTY_RENEGOTIATION_INFO_SCSV support, currently test updates
Details:
Elliptic Curve changes
CipherSuite updates for EC
- Adding KEY_EXCHANGE_EC* and corresponding CipherSuites Updated
isAnonymous, getKeyType (now renamed getServerKeyType) to handle
new EC cases. Added new getAuthType for use by
checkServerTrusted callers.
- Restructured code to handle two SUITES_BY_CODE_* arrays
- Remove KEY_EXCHANGE_DH_* definitions which unused because the
corresponding CipherSuites were previously disabled.
- Changed AES CipherSuites definitions to use "_CBC" to match other definitions.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
openssl EC
- NativeCrypto now registers TLS_EC_* cipher suites and has update default list
- Improved auth type arguments to checkClientTrusted/checkServerTrusted
- NativeCrypto support for emphemeral EC keys
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
luni/src/main/native/NativeCrypto.cpp
non-openssl SSL/TLS cleanups
- cleanup around code trying to cope with DiffieHellman vs DH since either should work.
- changed client to use new CipherSuite.getAuthType shared with NativeCrypto implementation
- changed server to use CipherSuite.getKeyType
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/HandshakeProtocol.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/KeyManagerImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java
Consolidate CertificateRequestType code into CipherSuite so that its
shared between java and openssl implementations. This includes the
KEY_TYPE_ string constants, TLS_CT_* byte constants and the 'String
keyType(byte)' (now renamed getClientKeyType) code that depends on them.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CertificateRequest.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java
Tests
Differentiate between supported list of cipher suites openssl-based
SSLSocket and SSLEngine based, since the SSLEngine code does not support EC.
luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java
luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java
Added testing for expected default cipher suites. Before we just ensured the values were valid.
luni/src/test/java/libcore/javax/net/ssl/SSLSocketFactoryTest.java
support/src/test/java/libcore/java/security/StandardNames.java
Updated to handle new EC cipher suites codes. Added test for new getClientKeyType.
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/CipherSuiteTest.java
Better use of "standard names" particularly to correctly deal with
the subtle differences between key types, client auth types, and
server auth types. TestKeyManager and TestTrustManager now verify
the values they are passed are acceptable.
support/src/test/java/libcore/java/security/StandardNames.java
support/src/test/java/libcore/javax/net/ssl/TestKeyManager.java
support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java
Changed to timeout after 30 seconds and to log to reveal both client and server issues.
support/src/test/java/libcore/javax/net/ssl/TestSSLSocketPair.java
Bug: 3058375
Change-Id: I14d1d0285d591c99cc211324f3595a5be682cab1
|
| 6c78b7b94c232063ec559436b48b33751373ecf1 |
|
19-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
Toward EC TLS support
Summary:
- javax.net.ssl tests are now working on the RI
- KeyManager can now handle EC_EC and EC_RSA
- OpenSSLSocketImpl.startHandshake now works if KeyManager contains EC certificates
Details:
Add CipherSuite.getKeyType to provide X509KeyManager key type strings,
refactored from OpenSSLServerSocketImpl.checkEnabledCipherSuites.
getKeyType is now also used in OpenSSLSocketImpl.startHandshake to
avoid calling setCertificate for unnecessary key types.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
New CipherSuiteTest to cover new getKeyType as well as existing functionality
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/CipherSuiteTest.java
Add support to KeyManager implementation for key types of the form
EC_EC and EC_RSA. The first part implies the KeyPair algorithm (EC in
these new key types) with a potentially different signature algorithm
(EC vs RSA in these)
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/KeyManagerImpl.java
Update NativeCrypto.keyType to support EC_EC and EC_RSA in addition to
EC which was added earlier. Change from array of KEY_TYPES to named
KEY_TYPE_* constants.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
Overhauled KeyManagerFactoryTest to cover EC, EC_EC, EC_RSA cases
luni/src/test/java/libcore/javax/net/ssl/KeyManagerFactoryTest.java
support/src/test/java/libcore/java/security/StandardNames.java
Changed TestKeyStore.createKeyStore from always using BKS to now use
JKS on the RI between BC EC Keys and RI X509 certificates. Because JKS
requires a password, we now default "password" on the RI.
support/src/test/java/libcore/java/security/TestKeyStore.java
luni/src/test/java/libcore/javax/net/ssl/SSLContextTest.java
support/src/test/java/libcore/java/security/StandardNames.java
TestKeyStore.create now accepts key types like EC_RSA. Changed
TestKeyStore.createKeys to allow a PrivateKeyEntry to be specified for
signing to enable creation of EC_RSA test certificate. Added
getRootCertificate/rootCertificate to allow lookup of PrivateKeyEntry
for signing. Changed TestKeyStore.getPrivateKey to take explicit
signature algorithm to retrieve EC_EC vs EC_RSA entries.
support/src/test/java/libcore/java/security/TestKeyStore.java
luni/src/test/java/libcore/java/security/KeyStoreTest.java
luni/src/test/java/libcore/javax/net/ssl/KeyManagerFactoryTest.java
luni/src/test/java/libcore/java/security/cert/PKIXParametersTest.java
luni/src/test/java/libcore/javax/net/ssl/TrustManagerFactoryTest.java
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
support/src/test/java/libcore/java/security/StandardNames.java
Added support for EC cipher suites on the RI. Also test with and
without new TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite which is
used to specify the new TLS secure renegotiation.
luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java
luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java
support/src/test/java/libcore/java/security/StandardNames.java
New TestKeyManager and additional logging in TestTrustManager. Logging
in both is disabled by default using DevNullPrintStream.
support/src/test/java/libcore/javax/net/ssl/TestKeyManager.java
support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java
support/src/test/java/libcore/java/io/DevNullPrintStream.java
Bug: 3058375
Change-Id: Ia5e2a00a025858e10d1076b900886994b481e05a
|
| 57f2cc03ff2cf5d2f6413c5410680b4908d7301d |
|
05-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
Test updates for Elliptic Curve
Updated with Elliptic Curve (EC) (and SunPKCS11-NSS) names for use by ProviderTest
support/src/test/java/libcore/java/security/StandardNames.java
Enhance test_KeyStore_cacerts_bks to verify PublicKey can be
retreived. Before this the test would pass even though an
ECPublicKey could not be accessed. With EC support in
external/bouncycastle, this test now passes.
luni/src/test/java/libcore/java/security/KeyStoreTest.java
New SignatureTest to cover ECDSA, replaces the old one that
required a subclass per tested algorithm.
luni/src/test/java/libcore/java/security/SignatureTest.java
support/src/test/java/tests/security/SignatureTest.java
luni/src/test/java/tests/targets/security/SignatureTestMD5withRSA.java
luni/src/test/java/tests/targets/security/SignatureTestNONEwithDSA.java
luni/src/test/java/tests/targets/security/SignatureTestSHA1withDSA.java
luni/src/test/java/tests/targets/security/SignatureTestSHA1withRSA.java
luni/src/test/java/tests/targets/security/SignatureTestSHA256withRSA.java
luni/src/test/java/tests/targets/security/SignatureTestSHA384withRSA.java
luni/src/test/java/tests/targets/security/SignatureTestSHA512withRSA.java
luni/src/test/java/tests/targets/security/AllTests.java
Improve ProviderTest logging while debugging SunPKCS11-NSS
provider issues. Added some exceptions for RI missing classes.
luni/src/test/java/libcore/java/security/ProviderTest.java
Changed style slightly to match KeyPairGeneratorTest, where +N is
used to indicated when multiples of a increments of a certain
amount are required for valid key sizes.
luni/src/test/java/libcore/javax/crypto/KeyGeneratorTest.java
Fix test CloseGuard issues
luni/src/test/java/libcore/java/security/KeyStoreTest.java
Fix readability
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java
Bug: 3058375
Change-Id: I99cd93ad66372e8512d993168550cc1d471d3248
|
| a5c608e59f9d574ea4bc65e9dff44aae2f34fd26 |
|
01-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
TrustManager improvements
Overhaul of TrustManagerImpl
- PKIXParameters can now be final in TrustManagerImpl because we
always immediately create an IndexedPKIXParameters instead of only
doing it in SSLParametersImpl.createDefaultTrustManager.
- Use new KeyStore constructor for IndexedPKIXParameters to remove
duplicate logic for creating set of TrustAnchors from a KeyStore.
- Improved checkTrusted/cleanupCertChain to remove special cases for
directly trusting the end cert or pruning only self signed certs. To
support b/2530852, we need to stop prune the chain as soon as we
find any trust anchor (using newly improved
TrustManagerImpl.isTrustAnchor), which could be at the beginning,
middle, or end. That means cleanupCertChain can return an empty
chain if everything was trusted directly. (and we don't need to do
extra checks on exception cases to see if the problem was just that
the trust anchor was in the chain)
- isDirectlyTrusted -> isTrustAnchor here as well, using new
IndexedPKIXParameters.isTrustAnchor APIs
- Fix incorrect assumption in getAcceptedIssuers that all TrustAnchor
instances have non-null results for getTrustedCert.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java
Removed indexing in createDefaultTrustManager since we always index now
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java
Overhaul of IndexedPKIXParameters
- Single map from subject X500Principal to TrustAnchors
instead of two different X500Principal keyed maps to check
- Removed map based on encoded cert. For b/2530852, we want to treat
certs as equal if they have the same name and public key, not
byte-for-byte equality, which can be done with the remaining map.
Revamped isDirectlyTrusted into isTrustAnchor(cert) to perform this
new name/key based comparison.
- Added helper isTrustAnchor(cert, anchors) to reuse code in
non-IndexedPKIXParameters case in TrustManagerImpl.
- Added constructor from KeyStore
- Moved anchor indexing code to index() from old constructor
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/IndexedPKIXParameters.java
TestKeyStore.getPrivateKey allowed some existing test simplification.
luni/src/test/java/libcore/java/security/KeyStoreTest.java
luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
support/src/test/java/libcore/java/security/TestKeyStore.java
Added missing "fail()" before catching expected exceptions.
luni/src/test/java/libcore/java/security/KeyStoreTest.java
Expanded KeyManagerFactoryTest to excercise ManagerFactoryParameters b/1628001
luni/src/test/java/libcore/javax/net/ssl/KeyManagerFactoryTest.java
Added KeyStoreBuilderParametersTest because I thought I saw a bug in
KeyStoreBuilderParameters, but this convinced me otherwise.
luni/src/test/java/libcore/javax/net/ssl/KeyStoreBuilderParametersTest.java
New TrustManagerFactory test modeled on expanded KeyManagerFactoryTest.
test_TrustManagerFactory_intermediate specifically is targeting the
new functionality of b/2530852 to handling trust anchors within the
chain.
luni/src/test/java/libcore/javax/net/ssl/TrustManagerFactoryTest.java
support/src/test/java/libcore/java/security/StandardNames.java
Some initial on tests for Elliptic Curve (b/3058375) after the RI
started reporting it was supported. Removed old @KnownFailure
tags. Skipped a test on the RI that it can't handle. Improved some
assert messages.
luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java
luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java
support/src/test/java/libcore/java/security/StandardNames.java
support/src/test/java/libcore/java/security/TestKeyStore.java
Removed unneeded bytes->javax->bytes->java case of which can just go bytes->java directly.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
Removed super()
luni/src/main/java/javax/net/ssl/KeyStoreBuilderParameters.java
Made Security.secprops final
luni/src/main/java/java/security/Security.java
Pulled SamplingProfiler fix from dalvik-dev branch
git cherry-pick --no-commit f9dc3450e8f23cab91efc9df99bb860221ac3d6c
dalvik/src/main/java/dalvik/system/SamplingProfiler.java
Bug: 2530852
Change-Id: I95e0c7ee6a2f66b6986b3a9da9583d1ae52f94dd
|
| 915789995fc136049c13c8b0354e2f7009b653e4 |
|
04-Oct-2010 |
Brian Carlstrom <bdc@google.com> |
Test updates for new SecretKeyFactory.PBKDF2WithHmacSHA1 support
Bug: 3059950
Change-Id: I24546cb9e38b17ea615e36de3606ec6d373df594
|
| a2e75c78d67795d28e86704192222c3fd8829154 |
|
19-Sep-2010 |
Brian Carlstrom <bdc@google.com> |
Update supported cipher suites list
Update list of cipher suites supported by the current RI
Change-Id: Ifa2a799bd3ca40b4979fa44f5423d744e90af35c
|
| 48dfb27f884ddc5ada89c5b613d11a986f50513a |
|
24-Aug-2010 |
Brian Carlstrom <bdc@google.com> |
Restore PBE Ciphers and SecreyKeyFactories if underlying algorithm is supported for better PKCS12 support
This restores the Password Based Encryption (PBE) algorithms when we
were including the underlying algorithms used (3DES, AES, DES, MD5,
RC2, SHA1, SHA256)
Specficially we leave out PBE definitions that include algorithms such
as MD2, RIPEMD, Tiger that are not in our BouncyCastle jar.
Bug: 2942581
Change-Id: Ibef31aad56fc24b4db82a43a69153553660af65d
|
| 4557728efb66c455a52b7669a8eefef7a9e54854 |
|
11-Aug-2010 |
Jesse Wilson <jessewilson@google.com> |
Moving tests to be under the libcore.* package.
This is indended to make it easier to run on VMs that restrict the packages
from which application classes can be loaded. For example, on the RI you need
to use the bootclasspath to load these tests.
Change-Id: I52193f35c5fcca18b5a3e1d280505b1e29b388af
|