70bd0982aa6ed2603615df8a963f285b91872c87 |
|
10-Jan-2018 |
Tobias Thierer <tobiast@google.com> |
Track behavior change in default HostnameVerifier. The default HostnameVerifier now ignores any CommonName in the certificate provided by the server, even when no subjectAltName is present. Bug: 70278814 Test: CtsLibcoreTestCases (ran against an internal build with this CL cherrypicked) Change-Id: Ib6fa0c40d8903352e88d8812bf0c09ec1d8ef6be
|
04ba2ae5ace8d45cbce4139bec5889cf7191d15a |
|
09-Feb-2017 |
Kenny Root <kroot@google.com> |
Use the new X.509 cert generator API The previous API has been deprecated within Bouncycastle for a while. Switch to the newer one to avoid the deprecation warnings. Test: cts-tradefed run cts -m CtsLibcoreTestCases Change-Id: I24b1340185876f90730d362019f202431c94d4a2
|
2bdd86ec6cbafe421e5f4c24b6ec0f0fffe27f90 |
|
09-Feb-2017 |
Kenny Root <kroot@google.com> |
Reduce number of lint warnings When compiled against the SDK, junit.framework is noted as deprecated. Changing this to use JUnit4-style asserts doesn't break any users. Test: cts-tradefed run cts -m CtsLibcoreTestCases Change-Id: Ic480b16db8e0ef13b55e7f3c005c7d9c26da0114
|
a86c73bb4b81906c965a55de48e38dd4e44f49e6 |
|
18-Oct-2016 |
Kenny Root <kroot@google.com> |
SSLSocketTest: TLS client auth with opaque keys AndroidKeyStore can be used with TLS client auth, but we don't test anything similar with SSLSocketTest. Add a PrivateKey wrapper that allows us to closely simulate the conditions which trigger the special code in Conscrypt to do upcalls to Java to generate signatures with the client private key. Test: cts-tradefed run cts -m CtsLibcoreTestCases -a arm64-v8a Test: cts-tradefed run cts -m CtsLibcoreOkHttpTestCases -a arm64-v8a Bug: 31714503 Change-Id: I559db546ddd31f8efbe73fc70a91689ed6d7d7e5
|
a1d3063e3f0d9b8eb9b049bcaa0808f4ea6fba64 |
|
31-Oct-2016 |
Kenny Root <kroot@google.com> |
Make sure BouncyCastleProvider is initialized When running these tests against an Android system when we're not built as part of the system image (e.g., we have our own BouncyCastleProvider instance), then we need to make sure our instance of BouncyCastleProvider is initialized properly. The initialization happens in its constructor. In TestKeyStore the included version of BouncyCastleProvider does not need to be inserted as a security provider since it's only used to create X.509 certificates. However, BouncyCastle calls into itself for some things like OID -> key type conversion. This relies on all of its internal data structures being initialized properly. In particular there is a keyInfoConverters field that must be populated to work correctly. If keyInfoConverters is not populated, the generated certificate will have a null PublicKey since it can't figure out what type of key it is. Test: ran outside of CTS Test: cts-tradefed run cts -m CtsLibcoreTestCases -a arm64-v8a Bug: 31119038 Change-Id: I1bcc73a363cb9dac9e9decb9046d386d3394f1d9
|
540623638aef83a6346aa5567aba53905c40e214 |
|
14-Apr-2016 |
Kenny Root <kroot@google.com> |
TestKeyStore: use static DH parameters Generating a DH key can take a long time since safe primes need to be found. However, you can use a "known safe" prime which is fine as long as too many people don't try to start using it and make it valuable enough to solve the discrete log problem in this group. This makes tests using the TestKeyStore run in a predictable amount of time which reduces the amount of flaky tests. (cherry picked from commit b38c1d0379aae312f2a3edd5a0581850988afba1) Bug: 28131777 Change-Id: Ic3548c40e24436e354edd4ff106a6f0852a7cfd6
|
b38c1d0379aae312f2a3edd5a0581850988afba1 |
|
14-Apr-2016 |
Kenny Root <kroot@google.com> |
TestKeyStore: use static DH parameters Generating a DH key can take a long time since safe primes need to be found. However, you can use a "known safe" prime which is fine as long as too many people don't try to start using it and make it valuable enough to solve the discrete log problem in this group. This makes tests using the TestKeyStore run in a predictable amount of time which reduces the amount of flaky tests. Bug: 28131777 Change-Id: Ic3548c40e24436e354edd4ff106a6f0852a7cfd6
|
7abb54e68e213538f8df3357a8abce4a6e49b086 |
|
05-Apr-2016 |
Sergio Giro <sgiro@google.com> |
TestKeyStore: add the ability to set certificate serial numbers Change URLConnectionTest#testHttpsWithCustomTrustManager to check for specifically set serial numbers. As of 5a85130cc3ee3df65c3b263773e3649277b37317, the serial numbers were being generated randomly, and the test was looking for the value "1", so the test was broken. (cherry picked from commit a23e1a7d40a0a85f8eed3a94d6b5714f98180a4e) Bug: 27987415 Change-Id: I91d2726f362a6aab75edbb6b0d133c00ab774e73
|
a23e1a7d40a0a85f8eed3a94d6b5714f98180a4e |
|
05-Apr-2016 |
Sergio Giro <sgiro@google.com> |
TestKeyStore: add the ability to set certificate serial numbers Change URLConnectionTest#testHttpsWithCustomTrustManager to check for specifically set serial numbers. As of 5a85130cc3ee3df65c3b263773e3649277b37317, the serial numbers were being generated randomly, and the test was looking for the value "1", so the test was broken. Bug: 27987415 Change-Id: I1b6a8dbcb496808266f66ede9503027ab8693861
|
5a85130cc3ee3df65c3b263773e3649277b37317 |
|
30-Mar-2016 |
Kenny Root <kroot@google.com> |
Add OCSP helpers Add helper functions for later tests that test OCSP functionality. (cherry picked from commit 0435fdbd46bdbbec9c97932ebb86bffe8cb981b6) Bug: 27812109 Change-Id: If0f9190e30ea386b364fda4eaa3315ad647c461e
|
0435fdbd46bdbbec9c97932ebb86bffe8cb981b6 |
|
30-Mar-2016 |
Kenny Root <kroot@google.com> |
Add OCSP helpers Add helper functions for later tests that test OCSP functionality. Bug: 27812109 Change-Id: If0f9190e30ea386b364fda4eaa3315ad647c461e
|
5fe0dc42747e190d165e5b52b32318826a56fe0c |
|
08-Dec-2015 |
Kenny Root <kroot@google.com> |
Bump test key sizes to 1024 For maximum compatibility with all targets, bump the minimum key size up to 1024 bits. Also extract all the magic constants so they can be updated later on while conveying which key types they map to. Bug: 25753423 Change-Id: If58a9747d2f636e6ffd3616a4d4fffc2927607be
|
560a1e7a77290205382d02e003d6882ce202c076 |
|
08-Dec-2015 |
Kenny Root <kroot@google.com> |
Revert "Bump test key sizes to 1024" This reverts commit 68d97656b8b1802ef5ec47f978b5421412c62bfb. Uploaded wrong patchset. Change-Id: I0765605685de2a0910373a072ce69f6926647675
|
68d97656b8b1802ef5ec47f978b5421412c62bfb |
|
08-Dec-2015 |
Kenny Root <kroot@google.com> |
Bump test key sizes to 1024 For maximum compatibility with all targets, bump the minimum key size up to 1024 bits. Also extract all the magic constants so they can be updated later on while conveying which key types they map to. Bug: 25753423 Change-Id: Ie402e29e591fc646560a46ff1eea97f1d201a93c
|
a5caedeac65e6f1193fb51824af957c9f69c5191 |
|
10-Jun-2015 |
Sergio Giro <sgiro@google.com> |
libcore/support: change TestKeyStore to avoid using getLocalHost() Use constants instead. InetAddress.getLocalHost() causes trouble when there is incompatibility between netd and bionic (see c/147244). This is part of an effort to start running conscrypt/java.security tests in the buildbot. Change-Id: I97ccf0a09f11c68e1b1ae2c2da99c2269ad0fe90
|
258e3d158c9a876307d5111972f7e9f1ad87b076 |
|
12-Nov-2014 |
Kenny Root <kroot@google.com> |
TestKeyStore: more possibilities for KeyStore creation Needed for change I379de26bdae3de1d0fe867adc1d8b7d5443c8c7a in external/conscrypt Bug: 17972577 Change-Id: Iaeb36167d953533e23d610bf218488bd79b6430e
|
888373c54fd5f8fa0b1965238309db8187e3b381 |
|
08-May-2014 |
Kenny Root <kroot@google.com> |
KeyManagerFactoryTest: add all the possible key types This adds all the possible key types from the Standard Names document to the tests. Change-Id: Ifbca56371261c040c3cb9e0d80447e9cb73cad0f
|
70bf6bc3ad78ed9a0a7a5767381ad6c25debbd70 |
|
20-Mar-2014 |
Kenny Root <kroot@google.com> |
Add X509ExtendedTrustManager This adds the X509ExtendedTrustManager class and all its ancillary methods that allow it to be used. This allows the endpointVerificationAlgorithm setting to be enabled on SSLSocket to check that the cerificate given for the endpoint during the handshake matched the expected hostname. Since X509ExtendedTrustManager allows you to pass in an SSLSocket, there is a new call added to SSLSocket called getHandshakeSession which does not force the handshake to take place. Bug: 13103812 Change-Id: I18a18b4f457d1676c8dc9a2a7bf7c3c4646a0425
|
edeec21a9c9e97cad91dffd47d4f2f7185dffe07 |
|
19-Mar-2014 |
Alex Klyubin <klyubin@google.com> |
Support multiple KeyManagers in TestSSLContext and TestKeyStore. The two classes in some places assumed that only one KeyManager is necessary or that only the first provided KeyManager is important. Change-Id: I88629778911503ac7c233341d44612247d799d22
|
181e96d17e879a1f063530cf1c540c2c5097cb02 |
|
30-Oct-2013 |
William Luh <williamluh@google.com> |
Add a second intermediate test CA. (cherry picked from commit 1295a430f883ab592fd3bd4a7cf950241ad22fcd) Change-Id: I732e7727c0de572f637d4c436094fec7583baf14
|
1295a430f883ab592fd3bd4a7cf950241ad22fcd |
|
30-Oct-2013 |
William Luh <williamluh@google.com> |
Add a second intermediate test CA. Change-Id: I732e7727c0de572f637d4c436094fec7583baf14
|
422092deb4fcc5f3f8d4e9d36cb6294b4049fd43 |
|
14-Sep-2013 |
Kenny Root <kroot@google.com> |
Remove BC workaround in TestKeyStore At one point in time, BC had a bug where it couldn't work with other EC keys. This has since been fixed, so this workaround is no longer needed. Change-Id: I0fb3f4d207fb5093e3bd1e1256cc3e165ecae8b0
|
90d02cbdbac93f6fee46082e25c1c67f75108442 |
|
03-Jan-2013 |
Chris Palmer <palmer@google.com> |
Check the EE's eKU extension field, if present. BUG=https://code.google.com/p/chromium/issues/detail?id=167607 and https://b.corp.google.com/issue?id=7920492 (cherry picked from commit 0da1515c5fe4e97fc2d4d24a41ebd4c078fec4db) Change-Id: I4309d4a90a9d41390f41c748fa1442ed736e225f
|
0da1515c5fe4e97fc2d4d24a41ebd4c078fec4db |
|
03-Jan-2013 |
Chris Palmer <palmer@google.com> |
Check the EE's eKU extension field, if present. BUG=https://code.google.com/p/chromium/issues/detail?id=167607 and https://b.corp.google.com/issue?id=7920492 Change-Id: Ib917c3a4a8ea6a12f685c44056aa44aa414d45e6
|
ac4b39b3f93a28ba0375ac108155b752a79e4f5f |
|
31-Jan-2013 |
Brian Carlstrom <bdc@google.com> |
Tracking bouncycastle 1.48 upgrade Change-Id: I3c43882dda27b5596c6823f5f0711049803ac985
|
3e6dd45baa0d7f9b4fa06f4ade76e088b59cc7bf |
|
16-Mar-2012 |
Brian Carlstrom <bdc@google.com> |
Tracking openssl-1.0.1 Bug: 6168278 Change-Id: I240d2cbc91f616fd486efc5203e2221c9896d90f
|
547450702efd233213f953ba2213bb38803c34c3 |
|
09-Jun-2011 |
Jesse Wilson <jessewilson@google.com> |
Use the same host name in the SSL cert as in mockwebserver. MockWebServer had to revert to getLocalHost() since 'getLoopbackAddress() doesn't exist on Java 6 and MockWebServer wants to work on Java 6. Tested on host and device without problem. Change-Id: Ib083ec393d34b2378da579ffc7b6a71d599f9d22
|
003f7a4d100cd1527d94bac81a4a3c5a8216c6ee |
|
04-Jun-2011 |
Brian Carlstrom <bdc@google.com> |
Make test initialization lazy Bug: 4311645 Change-Id: I4280d7ddb2a78f0e33564f3b40cfeb5c671e134a
|
1b3c5388d0fffde4392007eb1b0be011a5dfae82 |
|
12-May-2011 |
Brian Carlstrom <bdc@google.com> |
Make CertInstaller installed CA certs trusted by applications via default TrustManager (2 of 6) frameworks/base Adding IKeyChainService APIs for CertInstaller and Settings use keystore/java/android/security/IKeyChainService.aidl libcore Improve exceptions to include more information luni/src/main/java/javax/security/auth/x500/X500Principal.java Move guts of RootKeyStoreSpi to TrustedCertificateStore, leaving only KeyStoreSpi methods. Added support for adding user CAs in a separate directory for system. Added support for removing system CAs by placing a copy in a sytem directory luni/src/main/java/org/apache/harmony/xnet/provider/jsse/RootKeyStoreSpi.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustedCertificateStore.java Formerly static methods on RootKeyStoreSpi are now instance methods on TrustedCertificateStore luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java Added test for NativeCrypto.X509_NAME_hash_old and X509_NAME_hash to make sure the implementing algorithms doe not change since TrustedCertificateStore depend on X509_NAME_hash_old (OpenSSL changed the algorithm from MD5 to SHA1 when moving from 0.9.8 to 1.0.0) luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java Extensive test of new TrustedCertificateStore behavior luni/src/test/java/org/apache/harmony/xnet/provider/jsse/TrustedCertificateStoreTest.java TestKeyStore improvements - Refactored TestKeyStore to provide simpler createCA method (and internal createCertificate) - Cleaned up to remove use of BouncyCastle specific X509Principal in the TestKeyStore API when the public X500Principal would do. - Cleaned up TestKeyStore support methods to not throw Exception to remove need for static blocks for catch clauses in tests. support/src/test/java/libcore/java/security/TestKeyStore.java luni/src/test/java/libcore/java/security/KeyStoreTest.java luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java Added private PKIXParameters contructor for use by IndexedPKIXParameters to avoid wart of having to lookup and pass a TrustAnchor to satisfy the super-class sanity check. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/IndexedPKIXParameters.java luni/src/main/java/java/security/cert/PKIXParameters.java packages/apps/CertInstaller Change CertInstaller to call IKeyChainService.installCertificate for CA certs to pass them to the KeyChainServiceTest which will make them available to all apps through the TrustedCertificateStore. Change PKCS12 extraction to use AsyncTask. src/com/android/certinstaller/CertInstaller.java Added installCaCertsToKeyChain and hasCaCerts accessor for use by CertInstaller. Use hasUserCertificate() internally. Cleanup coding style. src/com/android/certinstaller/CredentialHelper.java packages/apps/KeyChain Added MANAGE_ACCOUNTS so that IKeyChainService.reset implementation can remove KeyChain accounts. AndroidManifest.xml Implement new IKeyChainService methods: - Added IKeyChainService.installCaCertificate to install certs provided by CertInstaller using the TrustedCertificateStore. - Added IKeyChainService.reset to allow Settings to remove the KeyChain accounts so that any app granted access to keystore credentials are revoked when the keystore is reset. src/com/android/keychain/KeyChainService.java packages/apps/Settings Changed com.android.credentials.RESET credential reset action to also call IKeyChainService.reset to remove any installed user CAs and remove KeyChain accounts to have AccountManager revoke credential granted to private keys removed during the RESET. src/com/android/settings/CredentialStorage.java Added toast text value for failure case res/values/strings.xml system/core Have init create world readable /data/misc/keychain to allow apps to access user added CA certificates installed by the CertInstaller. rootdir/init.rc Change-Id: Ief57672eea38b3eece23b14c94dedb9ea4713744
|
3258b52429c7768ea91bda93c5a15257cdd390e5 |
|
18-Mar-2011 |
Brian Carlstrom <bdc@google.com> |
libcore key chain support Allow access to default IndexedPKIXParameters, similar to access to default TrustManager. Needed to allow framework to add/remove trusted CAs at runtime. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java Add test support for looking up a cert by an issuer for use in key chain tests. support/src/test/java/libcore/java/security/TestKeyStore.java Add test support SSLSocketFactory that sets desired client auth on each created socket. For use with MockWebServer for key chain testing. support/src/test/java/libcore/javax/net/ssl/TestSSLContext.java Change-Id: Iecdbd40c67f1673bda25a52b4e229156c805d564
|
8ee594cf5c35b5039aaca67e1f4b84c533046305 |
|
23-Mar-2011 |
Tsu Chiang Chuang <tsu@google.com> |
Fix cts-tf tests by using InetAddress.getLoopbackAddress(). Change-Id: Iced1b64b74e664cbf75006adc2be9cfe1c9ba0e9
|
6ed93fa8be996378e766d3fd2586b51c6fe656b1 |
|
02-Feb-2011 |
Jesse Wilson <jessewilson@google.com> |
Don't parse or format IP addresses in cert code. We used to include a full IP address parser and formatter. The formatter handled one interesting case: a 2x length byte[] containing both an IP route and mask. Although our code supported parsing and formatting these, they do not occur in practice. The Java APIs don't support NameConstraints, which is the only part of the spec that uses them. Change-Id: I7a4b22b40a37d6f26ec09fc5188ec1ba43e4d249 http://b/3385492
|
101547d4a82ba21031dc7cb62018720dbd493758 |
|
01-Feb-2011 |
Jesse Wilson <jessewilson@google.com> |
Refactoring to add a builder for TestKeyStore. Change-Id: I346aea42a27042512f4ed97690f1e0ca1755257c
|
0ac85ead96f1ba7d35f3acadd154de4ef0a8fd87 |
|
25-Jan-2011 |
Brian Carlstrom <bdc@google.com> |
Tracking jarjar of org.bouncycastle to com.android.org.bouncycastle Bug: 3086427 Change-Id: I026f80bfa5e963a8e988ecd6f91c9732a4afc70c
|
0d5c7588179fb373da70ce04362be5ce74a98eb4 |
|
24-Jan-2011 |
Brian Carlstrom <bdc@google.com> |
Cipher.init incorrectly implements RFC 3280 key usage validation Issue: http://code.google.com/p/android/issues/detail?id=12955 Bug: 3381582 Change-Id: Ida63c1356634c8e287ce5b0234418a656dffedf0
|
2915378e253f08e47fe5a9bfd026cd1ca7c6c351 |
|
16-Dec-2010 |
Brian Carlstrom <bdc@google.com> |
HttpsURLConnection retry should not invoke X509TrustManager and HostnameVerifier more than once Summary: In 2.3, HttpsURLConnection was change to retry TLS connections as SSL connections w/o compression to deal with servers that are TLS intolerant. However, if the handshake proceeded to the point of invoking the X509TrustManager, we should not retry. Similarly, if we should not invoke the HostnameVerifier repeatedly, and need to wait until the SSL handshake has completed. Tested with (includes two new tests for this issue): libcore/luni/src/test/java/libcore/javax/net/ssl/ libcore/luni/src/test/java/libcore/java/net/URLConnectionTest.java libcore/luni/src/test/java/org/apache/harmony/luni/tests/internal/net/www/protocol/https/HttpsURLConnectionTest.java Details: HttpConnection.setupSecureSocket has been broken into two pieces. setupSecureSocket now just does the SSL handshaking. verifySecureSocketHostname now does the verification. The old HttpConnection code was careful never to assign its sslSocket field until verification was complete. A new unverifiedSocket field is added to store the sslSocket before verification is completed by verifySecureSocketHostname. luni/src/main/java/org/apache/harmony/luni/internal/net/www/protocol/http/HttpConnection.java HttpsEngine.makeConnection now skips TLS intolerant retry if the reason for the makeSslConnection failure was a CertificateException, since that implies that we failed during certification validation after initial handshaking. We also prevent retrying hostname verification by moving it out of makeSslConnection and only doing it on new SSL connections, tracking the changes to HttpConnection.setupSecureSocket mentioned above. We also now skip the redundant call to setUpTransportIO in makeSslConnection on reused SSLSockets. luni/src/main/java/org/apache/harmony/luni/internal/net/www/protocol/https/HttpsURLConnectionImpl.java Instead of throwing away the underlying CertificateExceptions, set them as the cause of the SSLExceptions. This is what the RI does in the case of X509TrustManager failures and is now used by HttpsEngine.makeConnection. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java Added new testConnectViaHttpsToUntrustedServer which makes sure that connections are not retried on certificate verification failure. luni/src/test/java/libcore/java/net/URLConnectionTest.java Added new test_SSLSocket_untrustedServer that verifies that an SSLHandshakeException is thown containing a CertificateException is thrown on certificate verification problems. luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java Added second test CA and a new TestKeyStore.getClientCA2 test key store that does not trust the primary test key stores. This is useful for negative testing and is used in the above two new tests. support/src/test/java/libcore/java/security/TestKeyStore.java Issue: http://code.google.com/p/android/issues/detail?id=13178 Bug: 3292412 Change-Id: I37136bb65f04d2bceaf2f32f542d6432c8b76ad4
|
6c78b7b94c232063ec559436b48b33751373ecf1 |
|
19-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
Toward EC TLS support Summary: - javax.net.ssl tests are now working on the RI - KeyManager can now handle EC_EC and EC_RSA - OpenSSLSocketImpl.startHandshake now works if KeyManager contains EC certificates Details: Add CipherSuite.getKeyType to provide X509KeyManager key type strings, refactored from OpenSSLServerSocketImpl.checkEnabledCipherSuites. getKeyType is now also used in OpenSSLSocketImpl.startHandshake to avoid calling setCertificate for unnecessary key types. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java New CipherSuiteTest to cover new getKeyType as well as existing functionality luni/src/test/java/org/apache/harmony/xnet/provider/jsse/CipherSuiteTest.java Add support to KeyManager implementation for key types of the form EC_EC and EC_RSA. The first part implies the KeyPair algorithm (EC in these new key types) with a potentially different signature algorithm (EC vs RSA in these) luni/src/main/java/org/apache/harmony/xnet/provider/jsse/KeyManagerImpl.java Update NativeCrypto.keyType to support EC_EC and EC_RSA in addition to EC which was added earlier. Change from array of KEY_TYPES to named KEY_TYPE_* constants. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java Overhauled KeyManagerFactoryTest to cover EC, EC_EC, EC_RSA cases luni/src/test/java/libcore/javax/net/ssl/KeyManagerFactoryTest.java support/src/test/java/libcore/java/security/StandardNames.java Changed TestKeyStore.createKeyStore from always using BKS to now use JKS on the RI between BC EC Keys and RI X509 certificates. Because JKS requires a password, we now default "password" on the RI. support/src/test/java/libcore/java/security/TestKeyStore.java luni/src/test/java/libcore/javax/net/ssl/SSLContextTest.java support/src/test/java/libcore/java/security/StandardNames.java TestKeyStore.create now accepts key types like EC_RSA. Changed TestKeyStore.createKeys to allow a PrivateKeyEntry to be specified for signing to enable creation of EC_RSA test certificate. Added getRootCertificate/rootCertificate to allow lookup of PrivateKeyEntry for signing. Changed TestKeyStore.getPrivateKey to take explicit signature algorithm to retrieve EC_EC vs EC_RSA entries. support/src/test/java/libcore/java/security/TestKeyStore.java luni/src/test/java/libcore/java/security/KeyStoreTest.java luni/src/test/java/libcore/javax/net/ssl/KeyManagerFactoryTest.java luni/src/test/java/libcore/java/security/cert/PKIXParametersTest.java luni/src/test/java/libcore/javax/net/ssl/TrustManagerFactoryTest.java luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java support/src/test/java/libcore/java/security/StandardNames.java Added support for EC cipher suites on the RI. Also test with and without new TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite which is used to specify the new TLS secure renegotiation. luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java support/src/test/java/libcore/java/security/StandardNames.java New TestKeyManager and additional logging in TestTrustManager. Logging in both is disabled by default using DevNullPrintStream. support/src/test/java/libcore/javax/net/ssl/TestKeyManager.java support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java support/src/test/java/libcore/java/io/DevNullPrintStream.java Bug: 3058375 Change-Id: Ia5e2a00a025858e10d1076b900886994b481e05a
|
8a720cceee7ce319d647738dfeda3f302879f370 |
|
16-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
TrustManager should include PrivateKeyEntry CAs, OpenSSLSocketImpl close fix, and debugging improvements Revert to older behavior of creating TrustAnchors from both PrivateKeyEntry and TrustedCertificateEntry values from the KeyStore. Added tests to better ensure this slighlt different behavior from PKIXParameters. Also create the acceptedIssuers proactively since the real memory cost is the X509Certificates which are already found in the params. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java luni/src/test/java/libcore/javax/net/ssl/TrustManagerFactoryTest.java luni/src/test/java/libcore/java/security/cert/PKIXParametersTest.java Don't just free native state on issue with startHandshake, close the SSLSocket. While the former addressed a CloseGuard issue, the latter make sure that checkOpen throws SocketExceptions and we don't leak a NullPointerException from NativeCrypto. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java Debugging improvements including minor refinements to recently added NativeCrypto logging, more verbose TestKeyStore.dump output, and a new TestTrustManager proxy class for logging X509TrustManager behavior. luni/src/main/native/NativeCrypto.cpp support/src/test/java/libcore/java/security/TestKeyStore.java support/src/test/java/libcore/javax/net/ssl/TestTrustManager.java Change-Id: I317e1ca34d8e20c77e5cb9c5a5a58cb4ae98d829
|
a5c608e59f9d574ea4bc65e9dff44aae2f34fd26 |
|
01-Nov-2010 |
Brian Carlstrom <bdc@google.com> |
TrustManager improvements Overhaul of TrustManagerImpl - PKIXParameters can now be final in TrustManagerImpl because we always immediately create an IndexedPKIXParameters instead of only doing it in SSLParametersImpl.createDefaultTrustManager. - Use new KeyStore constructor for IndexedPKIXParameters to remove duplicate logic for creating set of TrustAnchors from a KeyStore. - Improved checkTrusted/cleanupCertChain to remove special cases for directly trusting the end cert or pruning only self signed certs. To support b/2530852, we need to stop prune the chain as soon as we find any trust anchor (using newly improved TrustManagerImpl.isTrustAnchor), which could be at the beginning, middle, or end. That means cleanupCertChain can return an empty chain if everything was trusted directly. (and we don't need to do extra checks on exception cases to see if the problem was just that the trust anchor was in the chain) - isDirectlyTrusted -> isTrustAnchor here as well, using new IndexedPKIXParameters.isTrustAnchor APIs - Fix incorrect assumption in getAcceptedIssuers that all TrustAnchor instances have non-null results for getTrustedCert. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java Removed indexing in createDefaultTrustManager since we always index now luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java Overhaul of IndexedPKIXParameters - Single map from subject X500Principal to TrustAnchors instead of two different X500Principal keyed maps to check - Removed map based on encoded cert. For b/2530852, we want to treat certs as equal if they have the same name and public key, not byte-for-byte equality, which can be done with the remaining map. Revamped isDirectlyTrusted into isTrustAnchor(cert) to perform this new name/key based comparison. - Added helper isTrustAnchor(cert, anchors) to reuse code in non-IndexedPKIXParameters case in TrustManagerImpl. - Added constructor from KeyStore - Moved anchor indexing code to index() from old constructor luni/src/main/java/org/apache/harmony/xnet/provider/jsse/IndexedPKIXParameters.java TestKeyStore.getPrivateKey allowed some existing test simplification. luni/src/test/java/libcore/java/security/KeyStoreTest.java luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java support/src/test/java/libcore/java/security/TestKeyStore.java Added missing "fail()" before catching expected exceptions. luni/src/test/java/libcore/java/security/KeyStoreTest.java Expanded KeyManagerFactoryTest to excercise ManagerFactoryParameters b/1628001 luni/src/test/java/libcore/javax/net/ssl/KeyManagerFactoryTest.java Added KeyStoreBuilderParametersTest because I thought I saw a bug in KeyStoreBuilderParameters, but this convinced me otherwise. luni/src/test/java/libcore/javax/net/ssl/KeyStoreBuilderParametersTest.java New TrustManagerFactory test modeled on expanded KeyManagerFactoryTest. test_TrustManagerFactory_intermediate specifically is targeting the new functionality of b/2530852 to handling trust anchors within the chain. luni/src/test/java/libcore/javax/net/ssl/TrustManagerFactoryTest.java support/src/test/java/libcore/java/security/StandardNames.java Some initial on tests for Elliptic Curve (b/3058375) after the RI started reporting it was supported. Removed old @KnownFailure tags. Skipped a test on the RI that it can't handle. Improved some assert messages. luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java support/src/test/java/libcore/java/security/StandardNames.java support/src/test/java/libcore/java/security/TestKeyStore.java Removed unneeded bytes->javax->bytes->java case of which can just go bytes->java directly. luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java Removed super() luni/src/main/java/javax/net/ssl/KeyStoreBuilderParameters.java Made Security.secprops final luni/src/main/java/java/security/Security.java Pulled SamplingProfiler fix from dalvik-dev branch git cherry-pick --no-commit f9dc3450e8f23cab91efc9df99bb860221ac3d6c dalvik/src/main/java/dalvik/system/SamplingProfiler.java Bug: 2530852 Change-Id: I95e0c7ee6a2f66b6986b3a9da9583d1ae52f94dd
|
4557728efb66c455a52b7669a8eefef7a9e54854 |
|
11-Aug-2010 |
Jesse Wilson <jessewilson@google.com> |
Moving tests to be under the libcore.* package. This is indended to make it easier to run on VMs that restrict the packages from which application classes can be loaded. For example, on the RI you need to use the bootclasspath to load these tests. Change-Id: I52193f35c5fcca18b5a3e1d280505b1e29b388af
|