diff -Nru openjdk-6-6b37-1.13.9/ChangeLog openjdk-6-6b38-1.13.10/ChangeLog --- openjdk-6-6b37-1.13.9/ChangeLog 2015-11-11 03:26:01.000000000 +0000 +++ openjdk-6-6b38-1.13.10/ChangeLog 2016-01-21 02:42:36.000000000 +0000 @@ -1,3 +1,45 @@ +2016-01-20 Andrew John Hughes + + * NEWS: Set release date to this Friday. + * configure.ac: Bump to 1.13.10. + +2016-01-20 Andrew John Hughes + + * Makefile.am: + (OPENJDK_DATE): Bump to b38 creation date; + 20th of January, 2016. + (OPENJDK_SHA256SUM): Update for b38 tarball. + +2016-01-19 Andrew John Hughes + + * patches/openjdk/p11cipher-4898461-support_ecb_and_cbc.patch, + * patches/openjdk/p11cipher-6867345-turkish_regional_options_cause_npe_in_algoid.patch: + Removed; added upstream in OpenJDK 6 b38. + * Makefile.am: + (ICEDTEA_PATCHES): Remove above patches. + * NEWS: Updated. + * patches/openjdk/6799141-split_out_versions.patch: + Fixed to apply against OPENJDK6-70. + +2015-11-26 Andrew John Hughes + + * Makefile.am: + (OPENJDK_VERSION): Bump to next release, b38. + +2016-01-19 Andrew John Hughes + + * Makefile.am: + (ICEDTEA_PATCHES): Add new patches. + * NEWS: Updated. + * patches/openjdk/7169111-pr2757-unreadable_menu_bar_with_ambiance_theme.patch, + * patches/openjdk/8140620-pr2711-find_default.sf2.patch: + New backports for issues to be fixed in 1.13.10. + +2015-11-17 Andrew John Hughes + + * NEWS: Add 1.13.10 section. + * configure.ac: Bump to 1.13.10pre. + 2015-11-11 Andrew John Hughes * NEWS: Update with changes added diff -Nru openjdk-6-6b37-1.13.9/configure openjdk-6-6b38-1.13.10/configure --- openjdk-6-6b37-1.13.9/configure 2016-02-01 20:26:37.000000000 +0000 +++ openjdk-6-6b38-1.13.10/configure 2016-02-01 20:26:43.000000000 +0000 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for icedtea6 1.13.9. +# Generated by GNU Autoconf 2.69 for icedtea6 1.13.10. # # Report bugs to . # @@ -580,8 +580,8 @@ # Identity of this package. PACKAGE_NAME='icedtea6' PACKAGE_TARNAME='icedtea6' -PACKAGE_VERSION='1.13.9' -PACKAGE_STRING='icedtea6 1.13.9' +PACKAGE_VERSION='1.13.10' +PACKAGE_STRING='icedtea6 1.13.10' PACKAGE_BUGREPORT='distro-pkg-dev@openjdk.java.net' PACKAGE_URL='' @@ -1675,7 +1675,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures icedtea6 1.13.9 to adapt to many kinds of systems. +\`configure' configures icedtea6 1.13.10 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1746,7 +1746,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of icedtea6 1.13.9:";; + short | recursive ) echo "Configuration of icedtea6 1.13.10:";; esac cat <<\_ACEOF @@ -1966,7 +1966,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -icedtea6 configure 1.13.9 +icedtea6 configure 1.13.10 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2535,7 +2535,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by icedtea6 $as_me 1.13.9, which was +It was created by icedtea6 $as_me 1.13.10, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3460,7 +3460,7 @@ # Define the identity of the package. PACKAGE='icedtea6' - VERSION='1.13.9' + VERSION='1.13.10' cat >>confdefs.h <<_ACEOF @@ -15986,7 +15986,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by icedtea6 $as_me 1.13.9, which was +This file was extended by icedtea6 $as_me 1.13.10, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -16043,7 +16043,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -icedtea6 config.status 1.13.9 +icedtea6 config.status 1.13.10 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -Nru openjdk-6-6b37-1.13.9/configure.ac openjdk-6-6b38-1.13.10/configure.ac --- openjdk-6-6b37-1.13.9/configure.ac 2016-02-01 20:26:37.000000000 +0000 +++ openjdk-6-6b38-1.13.10/configure.ac 2016-02-01 20:26:43.000000000 +0000 @@ -1,4 +1,4 @@ -AC_INIT([icedtea6],[1.13.9],[distro-pkg-dev@openjdk.java.net]) +AC_INIT([icedtea6],[1.13.10],[distro-pkg-dev@openjdk.java.net]) AC_CANONICAL_HOST AC_CANONICAL_TARGET AM_INIT_AUTOMAKE([1.9 tar-pax foreign]) diff -Nru openjdk-6-6b37-1.13.9/debian/changelog openjdk-6-6b38-1.13.10/debian/changelog --- openjdk-6-6b37-1.13.9/debian/changelog 2016-02-01 20:26:37.000000000 +0000 +++ openjdk-6-6b38-1.13.10/debian/changelog 2016-02-01 20:26:43.000000000 +0000 @@ -1,8 +1,33 @@ -openjdk-6 (6b37-1.13.9-1ubuntu0.14.04.1) trusty-security; urgency=medium +openjdk-6 (6b38-1.13.10-0ubuntu0.14.04.1) trusty-security; urgency=high * Backport to Ubuntu 14.04. - -- Tiago Stürmer Daitx Tue, 24 Nov 2015 14:43:10 +0000 + -- Tiago Stürmer Daitx Tue, 26 Jan 2016 13:21:11 +0000 + +openjdk-6 (6b38-1.13.10-0ubuntu0.15.10.1) wily-security; urgency=medium + + * IcedTea 1.13.10 release. + * Security fixes: + - S8059054, CVE-2016-0402: Better URL processing + - S8130710, CVE-2016-0448: Better attributes processing + - S8133962, CVE-2016-0466: More general limits + - S8137060: JMX memory management improvements + - S8139012: Better font substitutions + - S8139017, CVE-2016-0483: More stable image decoding + - S8140543, CVE-2016-0494: Arrange font actions + - S8143185: Cleanup for handling proxies + - S8143941, CVE-2015-8126, CVE-2015-8472: Update splashscreen displays + * Other fixes: + - S7169111, PR2757: Unreadable menu bar with Ambiance theme in GTK L&F + (LP: #932274) + * debian/rules: removed old @op@, @pkg_version@, and @pkg_sversion@ + * debian/control.in: replaced @op@ with =, @pkg_version@ with + ${binary:Version}, and @pkg_sversion@ by ${source:Version} + * debian/control.cacao-jre: same + * debian/control.jamvm-jre: same + * debian/control.zero-jre: same + + -- Tiago Stürmer Daitx Mon, 25 Jan 2016 02:40:51 +0000 openjdk-6 (6b37-1.13.9-1) experimental; urgency=medium diff -Nru openjdk-6-6b37-1.13.9/debian/control openjdk-6-6b38-1.13.10/debian/control --- openjdk-6-6b37-1.13.9/debian/control 2016-02-01 20:26:37.000000000 +0000 +++ openjdk-6-6b38-1.13.10/debian/control 2016-02-01 20:26:43.000000000 +0000 @@ -14,7 +14,7 @@ Architecture: any Multi-Arch: same Pre-Depends: ${dpkg:Depends} -Depends: openjdk-6-jre (>= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} +Depends: openjdk-6-jre (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} Recommends: libxt-dev Suggests: openjdk-6-demo, openjdk-6-source, visualvm Provides: java-sdk, java2-sdk, java5-sdk, java6-sdk, java-compiler @@ -30,7 +30,7 @@ Architecture: any Multi-Arch: same Pre-Depends: ${dpkg:Depends}, ${multiarch:Depends} -Depends: openjdk-6-jre-lib (>= ${source:Version}), ${jredefault:Depends}, ${cacert:Depends}, ${tzdata:Depends}, ${jcommon:Depends}, ${dlopenhl:Depends}, ${shlibs:Depends}, ${misc:Depends} +Depends: openjdk-6-jre-lib (= ${source:Version}), ${jredefault:Depends}, ${cacert:Depends}, ${tzdata:Depends}, ${jcommon:Depends}, ${dlopenhl:Depends}, ${shlibs:Depends}, ${misc:Depends} Recommends: ${dlopenjl:Recommends}, ${cacao:Recommends}, ${jamvm:Recommends} Suggests: libnss-mdns, sun-java6-fonts, ttf-dejavu-extra, fonts-ipafont-gothic, fonts-ipafont-mincho, ttf-wqy-microhei | ttf-wqy-zenhei, ttf-indic-fonts-core, ttf-telugu-fonts, ttf-oriya-fonts, ttf-kannada-fonts, ttf-bengali-fonts, Provides: java-runtime-headless, java2-runtime-headless, java5-runtime-headless, java6-runtime-headless, ${defaultvm:Provides}, ${jvm:Provides} @@ -47,7 +47,7 @@ Architecture: any Multi-Arch: same Pre-Depends: ${dpkg:Depends} -Depends: openjdk-6-jre-headless (>= ${binary:Version}), ${xandsound:Depends}, ${shlibs:Depends}, ${dlopenjre:Depends}, ${misc:Depends}, ${dep:bridge} +Depends: openjdk-6-jre-headless (= ${binary:Version}), ${xandsound:Depends}, ${shlibs:Depends}, ${dlopenjre:Depends}, ${misc:Depends}, ${dep:bridge} Recommends: ${dlopenjre:Recommends}, ttf-dejavu-extra, icedtea-netx Suggests: icedtea-plugin, ${pkg:pulseaudio} Conflicts: icedtea-gcjwebplugin (<< 1.0-1ubuntu4), openjdk-6-jre-lib (<< 6b17~pre3-1), openjdk-6-jre-headless (<< 6b17~pre3-1), openjdk-6-jdk (<< 6b17~pre3-1), openjdk-6-demo (<< 6b17~pre3-1), openjdk-6-source (<< 6b17~pre3-1), openjdk-6-doc (<< 6b17~pre3-1), openjdk-6-dbg (<< 6b17~pre3-1), openjdk-6-jre-zero (<< 6b17~pre3-1) @@ -68,6 +68,7 @@ Recommends: ${dlopen:Recommends} Conflicts: openjdk-6-jre-headless (<< 6b17~pre3-1), openjdk-6-jre (<< 6b17~pre3-1) Breaks: openjdk-6-jre-headless (<< 6b23~pre9-1~) +Built-Using: ${rhino:Source} Description: OpenJDK Java runtime (architecture independent libraries) OpenJDK Java runtime, using ${vm:Name}. . @@ -78,7 +79,7 @@ Architecture: any Priority: extra Pre-Depends: ${dpkg:Depends} -Depends: openjdk-6-jre (>= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} +Depends: openjdk-6-jre (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} Conflicts: openjdk-6-jre-headless (<< 6b17~pre3-1), openjdk-6-jre (<< 6b17~pre3-1) Description: Java runtime based on OpenJDK (demos and examples) OpenJDK Java runtime diff -Nru openjdk-6-6b37-1.13.9/debian/control.cacao-jre openjdk-6-6b38-1.13.10/debian/control.cacao-jre --- openjdk-6-6b37-1.13.9/debian/control.cacao-jre 2016-02-01 20:26:37.000000000 +0000 +++ openjdk-6-6b38-1.13.10/debian/control.cacao-jre 2016-02-01 20:26:43.000000000 +0000 @@ -4,7 +4,7 @@ Multi-Arch: same Priority: extra Pre-Depends: ${dpkg:Depends} -Depends: @basename@-jre-headless (= @pkg_version@), ${shlibs:Depends}, ${misc:Depends} +Depends: @basename@-jre-headless (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} Provides: icedtea6-jre-cacao Description: Alternative JVM for OpenJDK, using Cacao The package provides an alternative runtime using the Cacao VM and the diff -Nru openjdk-6-6b37-1.13.9/debian/control.in openjdk-6-6b38-1.13.10/debian/control.in --- openjdk-6-6b37-1.13.9/debian/control.in 2016-02-01 20:26:37.000000000 +0000 +++ openjdk-6-6b38-1.13.10/debian/control.in 2016-02-01 20:26:43.000000000 +0000 @@ -14,7 +14,7 @@ Architecture: any Multi-Arch: same Pre-Depends: ${dpkg:Depends} -Depends: @basename@-jre (@op@ @pkg_version@), ${shlibs:Depends}, ${misc:Depends} +Depends: @basename@-jre (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} Recommends: libxt-dev Suggests: @basename@-demo, @basename@-source, visualvm Provides: java-sdk, java2-sdk, java5-sdk, java6-sdk, java-compiler @@ -30,7 +30,7 @@ Architecture: any Multi-Arch: same Pre-Depends: ${dpkg:Depends}, ${multiarch:Depends} -Depends: @basename@-jre-lib (@op@ @pkg_sversion@), ${jredefault:Depends}, ${cacert:Depends}, ${tzdata:Depends}, ${jcommon:Depends}, ${dlopenhl:Depends}, ${shlibs:Depends}, ${misc:Depends} +Depends: @basename@-jre-lib (= ${source:Version}), ${jredefault:Depends}, ${cacert:Depends}, ${tzdata:Depends}, ${jcommon:Depends}, ${dlopenhl:Depends}, ${shlibs:Depends}, ${misc:Depends} Recommends: ${dlopenjl:Recommends}, ${cacao:Recommends}, ${jamvm:Recommends} Suggests: libnss-mdns, sun-java6-fonts, @core_fonts@, @cjk_fonts@ Provides: java-runtime-headless, java2-runtime-headless, java5-runtime-headless, java6-runtime-headless, ${defaultvm:Provides}, ${jvm:Provides} @@ -47,7 +47,7 @@ Architecture: any Multi-Arch: same Pre-Depends: ${dpkg:Depends} -Depends: @basename@-jre-headless (@op@ @pkg_version@), ${xandsound:Depends}, ${shlibs:Depends}, ${dlopenjre:Depends}, ${misc:Depends}, ${dep:bridge} +Depends: @basename@-jre-headless (= ${binary:Version}), ${xandsound:Depends}, ${shlibs:Depends}, ${dlopenjre:Depends}, ${misc:Depends}, ${dep:bridge} Recommends: ${dlopenjre:Recommends}, @core_fonts@, icedtea-netx Suggests: icedtea-plugin, ${pkg:pulseaudio} Conflicts: icedtea-gcjwebplugin (<< 1.0-1ubuntu4), @basename@-jre-lib (<< 6b17~pre3-1), @basename@-jre-headless (<< 6b17~pre3-1), @basename@-jdk (<< 6b17~pre3-1), @basename@-demo (<< 6b17~pre3-1), @basename@-source (<< 6b17~pre3-1), @basename@-doc (<< 6b17~pre3-1), @basename@-dbg (<< 6b17~pre3-1), @basename@-jre-zero (<< 6b17~pre3-1) @@ -79,7 +79,7 @@ Architecture: any Priority: extra Pre-Depends: ${dpkg:Depends} -Depends: @basename@-jre (@op@ @pkg_version@), ${shlibs:Depends}, ${misc:Depends} +Depends: @basename@-jre (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} Conflicts: @basename@-jre-headless (<< 6b17~pre3-1), @basename@-jre (<< 6b17~pre3-1) Description: Java runtime based on OpenJDK (demos and examples) OpenJDK Java runtime @@ -91,7 +91,7 @@ Architecture: all Priority: extra Pre-Depends: ${dpkg:Depends} -Depends: @basename@-jre (>= @pkg_sversion@), @basename@-jdk (>= @pkg_version@), ${misc:Depends} +Depends: @basename@-jre (>= ${source:Version}), @basename@-jdk (>= ${binary:Version}), ${misc:Depends} Conflicts: @basename@-jre-headless (<< 6b17~pre3-1), @basename@-jre (<< 6b17~pre3-1) Description: OpenJDK Development Kit (JDK) source files OpenJDK is a development environment for building applications, @@ -126,9 +126,9 @@ Priority: extra Section: debug Pre-Depends: ${dpkg:Depends} -Depends: @basename@-jre-headless (= @pkg_version@), ${misc:Depends} -Recommends: @basename@-jre (= @pkg_version@) -Suggests: @basename@-jdk (= @pkg_version@) +Depends: @basename@-jre-headless (= ${binary:Version}), ${misc:Depends} +Recommends: @basename@-jre (= ${binary:Version}) +Suggests: @basename@-jdk (= ${binary:Version}) Conflicts: @basename@-jre-headless (<< 6b17~pre3-1), @basename@-jre (<< 6b17~pre3-1) Description: Java runtime based on OpenJDK (debugging symbols) OpenJDK is a development environment for building applications, diff -Nru openjdk-6-6b37-1.13.9/debian/control.jamvm-jre openjdk-6-6b38-1.13.10/debian/control.jamvm-jre --- openjdk-6-6b37-1.13.9/debian/control.jamvm-jre 2016-02-01 20:26:37.000000000 +0000 +++ openjdk-6-6b38-1.13.10/debian/control.jamvm-jre 2016-02-01 20:26:43.000000000 +0000 @@ -4,7 +4,7 @@ Multi-Arch: same Priority: extra Pre-Depends: ${dpkg:Depends} -Depends: @basename@-jre-headless (= @pkg_version@), ${shlibs:Depends}, ${misc:Depends} +Depends: @basename@-jre-headless (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} Description: Alternative JVM for OpenJDK, using JamVM The package provides an alternative runtime using the JamVM. This is a somewhat faster alternative than the Zero port on architectures like armel, diff -Nru openjdk-6-6b37-1.13.9/debian/control.zero-jre openjdk-6-6b38-1.13.10/debian/control.zero-jre --- openjdk-6-6b37-1.13.9/debian/control.zero-jre 2016-02-01 20:26:37.000000000 +0000 +++ openjdk-6-6b38-1.13.10/debian/control.zero-jre 2016-02-01 20:26:43.000000000 +0000 @@ -4,7 +4,7 @@ Multi-Arch: same Priority: extra Pre-Depends: ${dpkg:Depends} -Depends: @basename@-jre-headless (= @pkg_version@), ${shlibs:Depends}, ${misc:Depends} +Depends: @basename@-jre-headless (= ${binary:Version}), ${shlibs:Depends}, ${misc:Depends} Provides: ${zerovm:Provides} Conflicts: @basename@-jre-headless (<< 6b17~pre3-1), @basename@-jre (<< 6b17~pre3-1) Description: Alternative JVM for OpenJDK, using Zero/Shark diff -Nru openjdk-6-6b37-1.13.9/debian/generate-debian-orig.sh openjdk-6-6b38-1.13.10/debian/generate-debian-orig.sh --- openjdk-6-6b37-1.13.9/debian/generate-debian-orig.sh 2016-02-01 20:26:37.000000000 +0000 +++ openjdk-6-6b38-1.13.10/debian/generate-debian-orig.sh 2016-02-01 20:26:43.000000000 +0000 @@ -1,15 +1,15 @@ -tarball=openjdk-6-src-b37-11_nov_2015.tar.xz -version=6b37-1.13.9 +tarball=openjdk-6-src-b38-20_jan_2016.tar.xz +version=6b38-1.13.10 hotspot=hotspot-hs20.tar.gz cacaotb=cacao-68fe50ac34ec.tar.gz jamvmtb=jamvm-2.0.0.tar.gz base=openjdk-6 pkgdir=$base-$version origtar=${base}_${version}.orig.tar.gz -tarballdir=6b37 +tarballdir=6b38 -icedtea_checkout=icedtea6-1.13.9 +icedtea_checkout=icedtea6-1.13.10 debian_checkout=openjdk6 if [ -d $pkgdir ]; then diff -Nru openjdk-6-6b37-1.13.9/debian/rules openjdk-6-6b38-1.13.10/debian/rules --- openjdk-6-6b37-1.13.9/debian/rules 2016-02-01 20:26:37.000000000 +0000 +++ openjdk-6-6b38-1.13.10/debian/rules 2016-02-01 20:26:43.000000000 +0000 @@ -188,8 +188,8 @@ $(error unknown bootstrap method for architecture $(DEB_HOST_ARCH)) endif -OPENJDK_VERSION = b37 -OPENJDK_SRC_ZIP = openjdk-6-src-$(OPENJDK_VERSION)-11_nov_2015.tar.xz +OPENJDK_VERSION = b38 +OPENJDK_SRC_ZIP = openjdk-6-src-$(OPENJDK_VERSION)-20_jan_2016.tar.xz # the version of the build dependency for non-bootstrap builds; only adjust if # the package is installable on all these architectures. req_openjdk_bd_ver = 6b27 @@ -963,9 +963,6 @@ -e 's/@jamvm_archs@/$(jamvm_archs)/g' \ -e 's/@hotspot_archs@/$(hotspot_archs)/g' \ -e 's/@altzero_archs@/$(altzero_archs)/g' \ - -e 's,@pkg_version@,$(if $(filter $(distrel),etch dapper edgy feisty gutsy),$${Source-Version},$${binary:Version}),g' \ - -e 's,@pkg_sversion@,$(if $(filter $(distrel),etch dapper edgy feisty gutsy),$${Source-Version},$${source:Version}),g' \ - -e 's/@op@/$(if $(filter Debian,$(distribution)),=,>=)/g' \ -e 's/@lib_arch@/$(p_lib_arch)/g' \ debian/control.in \ $(if $(cacao_archs), debian/control.cacao-jre) \ diff -Nru openjdk-6-6b37-1.13.9/hotspot/src/os/linux/vm/perfMemory_linux.cpp openjdk-6-6b38-1.13.10/hotspot/src/os/linux/vm/perfMemory_linux.cpp --- openjdk-6-6b37-1.13.9/hotspot/src/os/linux/vm/perfMemory_linux.cpp 2015-11-11 01:20:59.000000000 +0000 +++ openjdk-6-6b38-1.13.10/hotspot/src/os/linux/vm/perfMemory_linux.cpp 2016-01-20 01:47:46.000000000 +0000 @@ -216,9 +216,9 @@ // return false; } - // See if the uid of the directory matches the effective uid of the process. - // - if (statp->st_uid != geteuid()) { + // If user is not root then see if the uid of the directory matches the effective uid of the process. + uid_t euid = geteuid(); + if ((euid != 0) && (statp->st_uid != euid)) { // The directory was not created by this user, declare it insecure. // return false; diff -Nru openjdk-6-6b37-1.13.9/hotspot/src/os/solaris/vm/perfMemory_solaris.cpp openjdk-6-6b38-1.13.10/hotspot/src/os/solaris/vm/perfMemory_solaris.cpp --- openjdk-6-6b37-1.13.9/hotspot/src/os/solaris/vm/perfMemory_solaris.cpp 2015-11-11 01:20:59.000000000 +0000 +++ openjdk-6-6b38-1.13.10/hotspot/src/os/solaris/vm/perfMemory_solaris.cpp 2016-01-20 01:47:46.000000000 +0000 @@ -218,9 +218,9 @@ // return false; } - // See if the uid of the directory matches the effective uid of the process. - // - if (statp->st_uid != geteuid()) { + // If user is not root then see if the uid of the directory matches the effective uid of the process. + uid_t euid = geteuid(); + if ((euid != 0) && (statp->st_uid != euid)) { // The directory was not created by this user, declare it insecure. // return false; diff -Nru openjdk-6-6b37-1.13.9/jaxp/drop_included/jaxp_src/src/com/sun/org/apache/xerces/internal/impl/XML11DocumentScannerImpl.java openjdk-6-6b38-1.13.10/jaxp/drop_included/jaxp_src/src/com/sun/org/apache/xerces/internal/impl/XML11DocumentScannerImpl.java --- openjdk-6-6b37-1.13.9/jaxp/drop_included/jaxp_src/src/com/sun/org/apache/xerces/internal/impl/XML11DocumentScannerImpl.java 2015-11-11 01:20:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jaxp/drop_included/jaxp_src/src/com/sun/org/apache/xerces/internal/impl/XML11DocumentScannerImpl.java 2016-01-20 01:47:42.000000000 +0000 @@ -332,7 +332,7 @@ new Object[]{entityName}); } } - fEntityManager.startEntity(false, entityName, true); + fEntityManager.startEntity(true, entityName, true); } } } diff -Nru openjdk-6-6b37-1.13.9/jaxp/drop_included/jaxp_src/src/com/sun/org/apache/xerces/internal/impl/XML11EntityScanner.java openjdk-6-6b38-1.13.10/jaxp/drop_included/jaxp_src/src/com/sun/org/apache/xerces/internal/impl/XML11EntityScanner.java --- openjdk-6-6b37-1.13.9/jaxp/drop_included/jaxp_src/src/com/sun/org/apache/xerces/internal/impl/XML11EntityScanner.java 2015-11-11 01:20:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jaxp/drop_included/jaxp_src/src/com/sun/org/apache/xerces/internal/impl/XML11EntityScanner.java 2016-01-20 01:47:42.000000000 +0000 @@ -894,7 +894,7 @@ } int length = fCurrentEntity.position - offset; fCurrentEntity.columnNumber += length - newlines; - if (fCurrentEntity.reference) { + if (fCurrentEntity.isGE) { checkLimit(Limit.TOTAL_ENTITY_SIZE_LIMIT, fCurrentEntity, offset, length); } content.setValues(fCurrentEntity.ch, offset, length); @@ -1040,6 +1040,9 @@ } int length = fCurrentEntity.position - offset; fCurrentEntity.columnNumber += length - newlines; + if (fCurrentEntity.isGE) { + checkLimit(Limit.TOTAL_ENTITY_SIZE_LIMIT, fCurrentEntity, offset, length); + } content.setValues(fCurrentEntity.ch, offset, length); // return next character diff -Nru openjdk-6-6b37-1.13.9/jaxp/drop_included/jaxp_src/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java openjdk-6-6b38-1.13.10/jaxp/drop_included/jaxp_src/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java --- openjdk-6-6b37-1.13.9/jaxp/drop_included/jaxp_src/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java 2015-11-11 01:20:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jaxp/drop_included/jaxp_src/src/com/sun/org/apache/xerces/internal/impl/XMLEntityManager.java 2016-01-20 01:47:42.000000000 +0000 @@ -1116,7 +1116,7 @@ /** * Starts a named entity. * - * @param reference flag to indicate whether the entity is an Entity Reference. + * @param isGE flag to indicate whether the entity is a General Entity * @param entityName The name of the entity to start. * @param literal True if this entity is started within a literal * value. @@ -1124,7 +1124,7 @@ * @throws IOException Thrown on i/o error. * @throws XNIException Thrown by entity handler to signal an error. */ - public void startEntity(boolean reference, String entityName, boolean literal) + public void startEntity(boolean isGE, String entityName, boolean literal) throws IOException, XNIException { // was entity declared? @@ -1243,7 +1243,7 @@ } // start the entity - startEntity(reference, entityName, xmlInputSource, literal, external); + startEntity(isGE, entityName, xmlInputSource, literal, external); } // startEntity(String,boolean) @@ -1292,7 +1292,7 @@ * This method can be used to insert an application defined XML * entity stream into the parsing stream. * - * @param reference flag to indicate whether the entity is an Entity Reference. + * @param isGE flag to indicate whether the entity is a General Entity * @param name The name of the entity. * @param xmlInputSource The input source of the entity. * @param literal True if this entity is started within a @@ -1302,12 +1302,12 @@ * @throws IOException Thrown on i/o error. * @throws XNIException Thrown by entity handler to signal an error. */ - public void startEntity(boolean reference, String name, + public void startEntity(boolean isGE, String name, XMLInputSource xmlInputSource, boolean literal, boolean isExternal) throws IOException, XNIException { - String encoding = setupCurrentEntity(reference, name, xmlInputSource, literal, isExternal); + String encoding = setupCurrentEntity(isGE, name, xmlInputSource, literal, isExternal); //when entity expansion limit is set by the Application, we need to //check for the entity expansion limit set by the parser, if number of entity diff -Nru openjdk-6-6b37-1.13.9/jaxp/drop_included/jaxp_src/src/com/sun/org/apache/xerces/internal/impl/XMLEntityScanner.java openjdk-6-6b38-1.13.10/jaxp/drop_included/jaxp_src/src/com/sun/org/apache/xerces/internal/impl/XMLEntityScanner.java --- openjdk-6-6b37-1.13.9/jaxp/drop_included/jaxp_src/src/com/sun/org/apache/xerces/internal/impl/XMLEntityScanner.java 2015-11-11 01:20:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jaxp/drop_included/jaxp_src/src/com/sun/org/apache/xerces/internal/impl/XMLEntityScanner.java 2016-01-20 01:47:42.000000000 +0000 @@ -1001,7 +1001,7 @@ } int length = fCurrentEntity.position - offset; fCurrentEntity.columnNumber += length - newlines; - if (fCurrentEntity.reference) { + if (fCurrentEntity.isGE) { checkLimit(Limit.TOTAL_ENTITY_SIZE_LIMIT, fCurrentEntity, offset, length); } @@ -1177,6 +1177,9 @@ } int length = fCurrentEntity.position - offset; fCurrentEntity.columnNumber += length - newlines; + if (fCurrentEntity.isGE) { + checkLimit(Limit.TOTAL_ENTITY_SIZE_LIMIT, fCurrentEntity, offset, length); + } content.setValues(fCurrentEntity.ch, offset, length); // return next character diff -Nru openjdk-6-6b37-1.13.9/jaxp/drop_included/jaxp_src/src/com/sun/org/apache/xerces/internal/impl/XMLScanner.java openjdk-6-6b38-1.13.10/jaxp/drop_included/jaxp_src/src/com/sun/org/apache/xerces/internal/impl/XMLScanner.java --- openjdk-6-6b37-1.13.9/jaxp/drop_included/jaxp_src/src/com/sun/org/apache/xerces/internal/impl/XMLScanner.java 2015-11-11 01:20:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jaxp/drop_included/jaxp_src/src/com/sun/org/apache/xerces/internal/impl/XMLScanner.java 2016-01-20 01:47:42.000000000 +0000 @@ -963,7 +963,7 @@ new Object[]{entityName}); } } - fEntityManager.startEntity(false, entityName, true); + fEntityManager.startEntity(true, entityName, true); } } } diff -Nru openjdk-6-6b37-1.13.9/jaxp/drop_included/jaxp_src/src/com/sun/xml/internal/stream/Entity.java openjdk-6-6b38-1.13.10/jaxp/drop_included/jaxp_src/src/com/sun/xml/internal/stream/Entity.java --- openjdk-6-6b37-1.13.9/jaxp/drop_included/jaxp_src/src/com/sun/xml/internal/stream/Entity.java 2015-11-11 01:20:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jaxp/drop_included/jaxp_src/src/com/sun/xml/internal/stream/Entity.java 2016-01-20 01:47:42.000000000 +0000 @@ -344,8 +344,8 @@ // to know that prolog is read public boolean xmlDeclChunkRead = false; - // flag to indicate whether the Entity is an Entity Reference - public boolean reference = false; + // flag to indicate whether the Entity is a General Entity + public boolean isGE = false; /** returns the name of the current encoding * @return current encoding name @@ -391,11 +391,11 @@ // /** Constructs a scanned entity. */ - public ScannedEntity(boolean reference, String name, + public ScannedEntity(boolean isGE, String name, XMLResourceIdentifier entityLocation, InputStream stream, Reader reader, String encoding, boolean literal, boolean mayReadChunks, boolean isExternal) { - this.reference = reference; + this.isGE = isGE; this.name = name ; this.entityLocation = entityLocation; this.stream = stream; diff -Nru openjdk-6-6b37-1.13.9/jdk/make/common/shared/Platform.gmk openjdk-6-6b38-1.13.10/jdk/make/common/shared/Platform.gmk --- openjdk-6-6b37-1.13.9/jdk/make/common/shared/Platform.gmk 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/make/common/shared/Platform.gmk 2016-01-20 01:47:58.000000000 +0000 @@ -258,7 +258,7 @@ endif ifneq ($(ARCH), ia64) # ALSA 0.9.1 and above - REQUIRED_ALSA_VERSION = ^((0[.]9[.][1-9])|(1[.]0[.][0-9]))[0-9]* + REQUIRED_ALSA_VERSION = ^((0[.]9[.][1-9])|(1[.][0-9][.][0-9]))[0-9]* endif # How much RAM does this machine have: MB_OF_MEMORY := $(shell free -m | fgrep Mem: | sed -e 's@\ \ *@ @g' | cut -d' ' -f2) diff -Nru openjdk-6-6b37-1.13.9/jdk/make/sun/font/Makefile openjdk-6-6b38-1.13.10/jdk/make/sun/font/Makefile --- openjdk-6-6b37-1.13.9/jdk/make/sun/font/Makefile 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/make/sun/font/Makefile 2016-01-20 01:47:58.000000000 +0000 @@ -95,6 +95,15 @@ endif # PLATFORM +# Turn off aliasing with GCC for ExtensionSubtables.cpp +# Turn off strict overflow with GCC for IndicRearrangementProcessor.cpp +ifeq ($(PLATFORM), linux) + CXXFLAGS += $(CXXFLAGS_$(@F)) + CXXFLAGS_ExtensionSubtables.o = -fno-strict-aliasing + CXXFLAGS_IndicRearrangementProcessor.o := -fno-strict-overflow + CXXFLAGS_IndicRearrangementProcessor2.o := -fno-strict-overflow +endif + #In the non-OpenJDK mode we need to build T2K ifndef OPENJDK t2k: diff -Nru openjdk-6-6b37-1.13.9/jdk/make/sun/javazic/tzdata/asia openjdk-6-6b38-1.13.10/jdk/make/sun/javazic/tzdata/asia --- openjdk-6-6b37-1.13.9/jdk/make/sun/javazic/tzdata/asia 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/make/sun/javazic/tzdata/asia 2016-01-20 01:47:58.000000000 +0000 @@ -154,7 +154,8 @@ # Azerbaijan # From Rustam Aliyev of the Azerbaijan Internet Forum (2005-10-23): # According to the resolution of Cabinet of Ministers, 1997 -# Resolution available at: http://aif.az/docs/daylight_res.pdf +# From Paul Eggert (2015-09-17): It was Resolution No. 21 (1997-03-17). +# http://code.az/files/daylight_res.pdf # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S Rule Azer 1997 max - Mar lastSun 4:00 1:00 S Rule Azer 1997 max - Oct lastSun 5:00 0 - @@ -1740,11 +1741,12 @@ # the 8:30 time zone on August 15, one example: # http://www.bbc.com/news/world-asia-33815049 # -# From Paul Eggert (2015-08-07): -# No transition time is specified; assume 00:00. +# From Paul Eggert (2015-08-15): +# Bells rang out midnight (00:00) Friday as part of the celebrations. See: +# Talmadge E. North Korea celebrates new time zone, 'Pyongyang Time' +# http://news.yahoo.com/north-korea-celebrates-time-zone-pyongyang-time-164038128.html # There is no common English-language abbreviation for this time zone. -# Use %z rather than invent one. We can't assume %z works everywhere yet, -# so for now substitute its output manually. +# Use KST, as that's what we already use for 1954-1961 in ROK. # Zone NAME GMTOFF RULES FORMAT [UNTIL] Zone Asia/Seoul 8:27:52 - LMT 1908 Apr 1 @@ -1758,7 +1760,7 @@ 8:30 - KST 1912 Jan 1 9:00 - JCST 1937 Oct 1 9:00 - JST 1945 Aug 24 - 9:00 - KST 2015 Aug 15 + 9:00 - KST 2015 Aug 15 00:00 8:30 - KST ############################################################################### diff -Nru openjdk-6-6b37-1.13.9/jdk/make/sun/javazic/tzdata/australasia openjdk-6-6b38-1.13.10/jdk/make/sun/javazic/tzdata/australasia --- openjdk-6-6b37-1.13.9/jdk/make/sun/javazic/tzdata/australasia 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/make/sun/javazic/tzdata/australasia 2016-01-20 01:47:58.000000000 +0000 @@ -358,10 +358,17 @@ # DST will start Nov. 2 this year. # http://www.fiji.gov.fj/Media-Center/Press-Releases/DAYLIGHT-SAVING-STARTS-ON-SUNDAY,-NOVEMBER-2ND.aspx -# From Paul Eggert (2014-10-20): +# From a government order dated 2015-08-26 and published as Legal Notice No. 77 +# in the Government of Fiji Gazette Supplement No. 24 (2015-08-28), +# via Ken Rylander (2015-09-02): +# the daylight saving period is 1 hour in advance of the standard time +# commencing at 2.00 am on Sunday 1st November, 2015 and ending at +# 3.00 am on Sunday 17th January, 2016. + +# From Paul Eggert (2015-09-01): # For now, guess DST from 02:00 the first Sunday in November to -# 03:00 the first Sunday on or after January 18. Although ad hoc, it -# matches this year's plan and seems more likely to match future +# 03:00 the third Sunday in January. Although ad hoc, it matches +# transitions since late 2014 and seems more likely to match future # practice than guessing no DST. # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S @@ -374,7 +381,7 @@ Rule Fiji 2012 2013 - Jan Sun>=18 3:00 0 - Rule Fiji 2014 only - Jan Sun>=18 2:00 0 - Rule Fiji 2014 max - Nov Sun>=1 2:00 1:00 S -Rule Fiji 2015 max - Jan Sun>=18 3:00 0 - +Rule Fiji 2015 max - Jan Sun>=15 3:00 0 - # Zone NAME GMTOFF RULES FORMAT [UNTIL] Zone Pacific/Fiji 11:55:44 - LMT 1915 Oct 26 # Suva 12:00 Fiji FJ%sT # Fiji Time @@ -533,7 +540,10 @@ # Zone NAME GMTOFF RULES FORMAT [UNTIL] Zone Pacific/Norfolk 11:11:52 - LMT 1901 # Kingston 11:12 - NMT 1951 # Norfolk Mean Time - 11:30 - NFT # Norfolk Time + 11:30 - NFT 1974 Oct 27 02:00 # Norfolk T. + 11:30 1:00 NFST 1975 Mar 2 02:00 + 11:30 - NFT 2015 Oct 4 02:00 + 11:00 - NFT # Palau (Belau) # Zone NAME GMTOFF RULES FORMAT [UNTIL] @@ -1573,6 +1583,20 @@ # started DST on June 3. Possibly DST was observed other years # in Midway, but we have no record of it. +# Norfolk + +# From Alexander Krivenyshev (2015-09-23): +# Norfolk Island will change ... from +1130 to +1100: +# https://www.comlaw.gov.au/Details/F2015L01483/Explanatory%20Statement/Text +# ... at 12.30 am (by legal time in New South Wales) on 4 October 2015. +# http://www.norfolkisland.gov.nf/nia/MediaRelease/Media%20Release%20Norfolk%20Island%20Standard%20Time%20Change.pdf + +# From Paul Eggert (2015-09-23): +# Transitions before 2015 are from timeanddate.com, which consulted +# the Norfolk Island Museum and the Australian Bureau of Meteorology's +# Norfolk Island station, and found no record of Norfolk observing DST +# other than in 1974/5. See: +# http://www.timeanddate.com/time/australia/norfolk-island.html # Pitcairn diff -Nru openjdk-6-6b37-1.13.9/jdk/make/sun/javazic/tzdata/europe openjdk-6-6b38-1.13.10/jdk/make/sun/javazic/tzdata/europe --- openjdk-6-6b37-1.13.9/jdk/make/sun/javazic/tzdata/europe 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/make/sun/javazic/tzdata/europe 2016-01-20 01:47:58.000000000 +0000 @@ -3173,6 +3173,11 @@ # http://www.balkaneu.com/eventful-elections-turkey/ 2014-03-30. # I guess the best we can do is document the official time. +# From Fatih (2015-09-29): +# It's officially announced now by the Ministry of Energy. +# Turkey delays winter time to 8th of November 04:00 +# http://www.aa.com.tr/tr/turkiye/yaz-saati-uygulamasi-8-kasimda-sona-erecek/362217 + # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S Rule Turkey 1916 only - May 1 0:00 1:00 S Rule Turkey 1916 only - Oct 1 0:00 0 - @@ -3242,6 +3247,8 @@ 2:00 - EET 2011 Mar 28 1:00u 2:00 EU EE%sT 2014 Mar 30 1:00u 2:00 - EET 2014 Mar 31 1:00u + 2:00 EU EE%sT 2015 Oct 25 1:00u + 2:00 1:00 EEST 2015 Nov 8 1:00u 2:00 EU EE%sT Link Europe/Istanbul Asia/Istanbul # Istanbul is in both continents. diff -Nru openjdk-6-6b37-1.13.9/jdk/make/sun/javazic/tzdata/northamerica openjdk-6-6b38-1.13.10/jdk/make/sun/javazic/tzdata/northamerica --- openjdk-6-6b37-1.13.9/jdk/make/sun/javazic/tzdata/northamerica 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/make/sun/javazic/tzdata/northamerica 2016-01-20 01:47:58.000000000 +0000 @@ -1849,6 +1849,22 @@ # The transition dates (and times) are guesses. +# From Matt Johnson (2015-09-21): +# Fort Nelson, BC, Canada will cancel DST this year. So while previously they +# were aligned with America/Vancouver, they're now aligned with +# America/Dawson_Creek. +# http://www.northernrockies.ca/EN/meta/news/archives/2015/northern-rockies-time-change.html +# +# From Tim Parenti (2015-09-23): +# This requires a new zone for the Northern Rockies Regional Municipality, +# America/Fort_Nelson. The resolution of 2014-12-08 was reached following a +# 2014-11-15 poll with nearly 75% support. Effectively, the municipality has +# been on MST (-0700) like Dawson Creek since it advanced its clocks on +# 2015-03-08. +# +# From Paul Eggert (2015-09-23): +# Shanks says Fort Nelson did not observe DST in 1946, unlike Vancouver. + # Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S Rule Vanc 1918 only - Apr 14 2:00 1:00 D Rule Vanc 1918 only - Oct 27 2:00 0 S @@ -1867,6 +1883,12 @@ -8:00 Canada P%sT 1947 -8:00 Vanc P%sT 1972 Aug 30 2:00 -7:00 - MST +Zone America/Fort_Nelson -8:10:47 - LMT 1884 + -8:00 Vanc P%sT 1946 + -8:00 - PST 1947 + -8:00 Vanc P%sT 1987 + -8:00 Canada P%sT 2015 Mar 8 2:00 + -7:00 - MST Zone America/Creston -7:46:04 - LMT 1884 -7:00 - MST 1916 Oct 1 -8:00 - PST 1918 Jun 2 diff -Nru openjdk-6-6b37-1.13.9/jdk/make/sun/javazic/tzdata/VERSION openjdk-6-6b38-1.13.10/jdk/make/sun/javazic/tzdata/VERSION --- openjdk-6-6b37-1.13.9/jdk/make/sun/javazic/tzdata/VERSION 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/make/sun/javazic/tzdata/VERSION 2016-01-20 01:47:58.000000000 +0000 @@ -21,4 +21,4 @@ # or visit www.oracle.com if you need additional information or have any # questions. # -tzdata2015f +tzdata2015g diff -Nru openjdk-6-6b37-1.13.9/jdk/make/sun/javazic/tzdata/zone.tab openjdk-6-6b38-1.13.10/jdk/make/sun/javazic/tzdata/zone.tab --- openjdk-6-6b37-1.13.9/jdk/make/sun/javazic/tzdata/zone.tab 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/make/sun/javazic/tzdata/zone.tab 2016-01-20 01:47:58.000000000 +0000 @@ -152,6 +152,7 @@ CA +682059-1334300 America/Inuvik Mountain Time - west Northwest Territories CA +4906-11631 America/Creston Mountain Standard Time - Creston, British Columbia CA +5946-12014 America/Dawson_Creek Mountain Standard Time - Dawson Creek & Fort Saint John, British Columbia +CA +5848-12242 America/Fort_Nelson Mountain Standard Time - Fort Nelson, British Columbia CA +4916-12307 America/Vancouver Pacific Time - west British Columbia CA +6043-13503 America/Whitehorse Pacific Time - south Yukon CA +6404-13925 America/Dawson Pacific Time - north Yukon diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/com/sun/crypto/provider/TlsRsaPremasterSecretGenerator.java 2016-01-20 01:47:58.000000000 +0000 @@ -74,11 +74,14 @@ ("TlsRsaPremasterSecretGenerator must be initialized"); } - if (random == null) { - random = new SecureRandom(); + byte[] b = spec.getEncodedSecret(); + if (b == null) { + if (random == null) { + random = new SecureRandom(); + } + b = new byte[48]; + random.nextBytes(b); } - byte[] b = new byte[48]; - random.nextBytes(b); b[0] = (byte)spec.getMajorVersion(); b[1] = (byte)spec.getMinorVersion(); diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/java/net/URL.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/java/net/URL.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/java/net/URL.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/java/net/URL.java 2016-01-20 01:47:58.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1995, 2012, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1995, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,6 +27,10 @@ import java.io.IOException; import java.io.InputStream; +import java.io.InvalidObjectException; +import java.io.ObjectStreamException; +import java.io.ObjectStreamField; +import java.io.ObjectInputStream.GetField; import java.io.OutputStream; import java.security.AccessController; import java.security.PrivilegedAction; @@ -134,6 +138,7 @@ */ public final class URL implements java.io.Serializable { + static final String BUILTIN_HANDLERS_PREFIX = "sun.net.www.protocol"; static final long serialVersionUID = -7627629688361524110L; /** @@ -218,6 +223,8 @@ */ private int hashCode = -1; + private transient UrlDeserializedState tempState; + /** * Creates a URL object from the specified * protocol, host, port @@ -1237,6 +1244,31 @@ } /** + * @serialField protocol String + * + * @serialField host String + * + * @serialField port int + * + * @serialField authority String + * + * @serialField file String + * + * @serialField ref String + * + * @serialField hashCode int + * + */ + private static final ObjectStreamField[] serialPersistentFields = { + new ObjectStreamField("protocol", String.class), + new ObjectStreamField("host", String.class), + new ObjectStreamField("port", int.class), + new ObjectStreamField("authority", String.class), + new ObjectStreamField("file", String.class), + new ObjectStreamField("ref", String.class), + new ObjectStreamField("hashCode", int.class), }; + + /** * WriteObject is called to save the state of the URL to an * ObjectOutputStream. The handler is not saved since it is * specific to this system. @@ -1258,16 +1290,67 @@ * stream handler. */ private synchronized void readObject(java.io.ObjectInputStream s) - throws IOException, ClassNotFoundException - { - s.defaultReadObject(); // read the fields - if ((handler = getURLStreamHandler(protocol)) == null) { + throws IOException, ClassNotFoundException { + GetField gf = s.readFields(); + String protocol = (String)gf.get("protocol", null); + if (getURLStreamHandler(protocol) == null) { throw new IOException("unknown protocol: " + protocol); } + String host = (String)gf.get("host", null); + int port = gf.get("port", -1); + String authority = (String)gf.get("authority", null); + String file = (String)gf.get("file", null); + String ref = (String)gf.get("ref", null); + int hashCode = gf.get("hashCode", -1); + if (authority == null + && ((host != null && host.length() > 0) || port != -1)) { + if (host == null) + host = ""; + authority = (port == -1) ? host : host + ":" + port; + } + tempState = new UrlDeserializedState(protocol, host, port, authority, + file, ref, hashCode); + } + + /** + * Replaces the de-serialized object with an URL object. + * + * @return a newly created object from the deserialzed state. + * + * @throws ObjectStreamException if a new object replacing this + * object could not be created + */ + + private Object readResolve() throws ObjectStreamException { + + URLStreamHandler handler = null; + // already been checked in readObject + handler = getURLStreamHandler(tempState.getProtocol()); + + URL replacementURL = null; + if (isBuiltinStreamHandler(handler.getClass().getName())) { + replacementURL = fabricateNewURL(); + } else { + replacementURL = setDeserializedFields(handler); + } + return replacementURL; + } + + private URL setDeserializedFields(URLStreamHandler handler) { + URL replacementURL; + String userInfo = null; + String protocol = tempState.getProtocol(); + String host = tempState.getHost(); + int port = tempState.getPort(); + String authority = tempState.getAuthority(); + String file = tempState.getFile(); + String ref = tempState.getRef(); + int hashCode = tempState.getHashCode(); + // Construct authority part - if (authority == null && - ((host != null && host.length() > 0) || port != -1)) { + if (authority == null + && ((host != null && host.length() > 0) || port != -1)) { if (host == null) host = ""; authority = (port == -1) ? host : host + ":" + port; @@ -1286,8 +1369,8 @@ } // Construct path and query part - path = null; - query = null; + String path = null; + String query = null; if (file != null) { // Fix: only do this if hierarchical? int q = file.lastIndexOf('?'); @@ -1297,6 +1380,67 @@ } else path = file; } + + if (port == -1) { + port = 0; + } + // Set the object fields. + this.protocol = protocol; + this.host = host; + this.port = port; + this.file = file; + this.authority = authority; + this.ref = ref; + this.hashCode = hashCode; + this.handler = handler; + this.query = query; + this.path = path; + this.userInfo = userInfo; + replacementURL = this; + return replacementURL; + } + + private URL fabricateNewURL() + throws InvalidObjectException { + // create URL string from deserialized object + URL replacementURL = null; + String urlString = tempState.reconstituteUrlString(); + + try { + replacementURL = new URL(urlString); + } catch (MalformedURLException mEx) { + resetState(); + InvalidObjectException invoEx = new InvalidObjectException( + "Malformed URL: " + urlString); + invoEx.initCause(mEx); + throw invoEx; + } + replacementURL.setSerializedHashCode(tempState.getHashCode()); + resetState(); + return replacementURL; + } + + private boolean isBuiltinStreamHandler(String handlerClassName) { + return (handlerClassName.startsWith(BUILTIN_HANDLERS_PREFIX)); + } + + private void resetState() { + this.protocol = null; + this.host = null; + this.port = -1; + this.file = null; + this.authority = null; + this.ref = null; + this.hashCode = -1; + this.handler = null; + this.query = null; + this.path = null; + this.userInfo = null; + this.tempState = null; + } + + private void setSerializedHashCode(int hc) { + this.hashCode = hc; } } @@ -1328,3 +1472,82 @@ return ref; } } + +final class UrlDeserializedState { + private final String protocol; + private final String host; + private final int port; + private final String authority; + private final String file; + private final String ref; + private final int hashCode; + + public UrlDeserializedState(String protocol, + String host, int port, + String authority, String file, + String ref, int hashCode) { + this.protocol = protocol; + this.host = host; + this.port = port; + this.authority = authority; + this.file = file; + this.ref = ref; + this.hashCode = hashCode; + } + + String getProtocol() { + return protocol; + } + + String getHost() { + return host; + } + + String getAuthority () { + return authority; + } + + int getPort() { + return port; + } + + String getFile () { + return file; + } + + String getRef () { + return ref; + } + + int getHashCode () { + return hashCode; + } + + String reconstituteUrlString() { + + // pre-compute length of StringBuilder + int len = protocol.length() + 1; + if (authority != null && authority.length() > 0) + len += 2 + authority.length(); + if (file != null) { + len += file.length(); + } + if (ref != null) + len += 1 + ref.length(); + StringBuilder result = new StringBuilder(len); + result.append(protocol); + result.append(":"); + if (authority != null && authority.length() > 0) { + result.append("//"); + result.append(authority); + } + if (file != null) { + result.append(file); + } + if (ref != null) { + result.append("#"); + result.append(ref); + } + return result.toString(); + } +} diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/javax/management/remote/rmi/RMIConnectionImpl.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/javax/management/remote/rmi/RMIConnectionImpl.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/javax/management/remote/rmi/RMIConnectionImpl.java 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/javax/management/remote/rmi/RMIConnectionImpl.java 2016-01-20 01:47:58.000000000 +0000 @@ -381,7 +381,6 @@ "connectionId=" + connectionId +", className=" + className +", name=" + name - +", params=" + objects(values) +", signature=" + strings(signature)); return (ObjectInstance) @@ -446,7 +445,6 @@ +", className=" + className +", name=" + name +", loaderName=" + loaderName - +", params=" + objects(values) +", signature=" + strings(signature)); return (ObjectInstance) @@ -735,7 +733,7 @@ if (debug) logger.debug("setAttribute", "connectionId=" + connectionId +", name="+name - +", attribute="+attr); + +", attribute name="+attr.getName()); doPrivilegedOperation( SET_ATTRIBUTE, @@ -785,7 +783,7 @@ if (debug) logger.debug("setAttributes", "connectionId=" + connectionId +", name="+name - +", attributes="+attrlist); + +", attribute names="+RMIConnector.getAttributesNames(attrlist)); return (AttributeList) doPrivilegedOperation( @@ -839,7 +837,6 @@ "connectionId=" + connectionId +", name="+name +", operationName="+operationName - +", params="+objects(values) +", signature="+strings(signature)); return diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/javax/management/remote/rmi/RMIConnector.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/javax/management/remote/rmi/RMIConnector.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/javax/management/remote/rmi/RMIConnector.java 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/javax/management/remote/rmi/RMIConnector.java 2016-01-20 01:47:58.000000000 +0000 @@ -65,6 +65,7 @@ import java.util.Arrays; import java.util.Collections; import java.util.HashMap; +import java.util.Iterator; import java.util.Map; import java.util.Properties; import java.util.Set; @@ -704,9 +705,7 @@ if (logger.debugOn()) logger.debug("createMBean(String,ObjectName,Object[],String[])", "className=" + className + ", name=" - + name + ", params=" - + objects(params) + ", signature=" - + strings(signature)); + + name + ", signature=" + strings(signature)); final MarshalledObject sParams = new MarshalledObject(params); @@ -745,8 +744,7 @@ if (logger.debugOn()) logger.debug( "createMBean(String,ObjectName,ObjectName,Object[],String[])", "className=" + className + ", name=" + name + ", loaderName=" - + loaderName + ", params=" + objects(params) - + ", signature=" + strings(signature)); + + loaderName + ", signature=" + strings(signature)); final MarshalledObject sParams = new MarshalledObject(params); @@ -946,8 +944,8 @@ IOException { if (logger.debugOn()) logger.debug("setAttribute", - "name=" + name + ", attribute=" - + attribute); + "name=" + name + ", attribute name=" + + attribute.getName()); final MarshalledObject sAttribute = new MarshalledObject(attribute); @@ -969,9 +967,11 @@ ReflectionException, IOException { - if (logger.debugOn()) logger.debug("setAttributes", - "name=" + name + ", attributes=" - + attributes); + if (logger.debugOn()) { + logger.debug("setAttributes", + "name=" + name + ", attribute names=" + + getAttributesNames(attributes)); + } final MarshalledObject sAttributes = new MarshalledObject(attributes); @@ -1004,7 +1004,6 @@ if (logger.debugOn()) logger.debug("invoke", "name=" + name + ", operationName=" + operationName - + ", params=" + objects(params) + ", signature=" + strings(signature)); final MarshalledObject sParams = @@ -2570,4 +2569,18 @@ private static String strings(final String[] strs) { return objects(strs); } + + static String getAttributesNames(AttributeList attributes) { + StringBuilder builder = new StringBuilder("["); + if (attributes != null) { + Iterator i = attributes.asList().iterator(); + while (i.hasNext()) { + builder.append(i.next().getName()); + if (i.hasNext()) + builder.append(", "); + } + } + builder.append("]"); + return builder.toString(); + } } diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/management/MemoryImpl.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/management/MemoryImpl.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/management/MemoryImpl.java 2015-11-11 01:20:40.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/management/MemoryImpl.java 2016-01-20 01:47:58.000000000 +0000 @@ -123,17 +123,10 @@ "Memory usage exceeds collection usage threshold" }; - private MBeanNotificationInfo[] notifInfo = null; public MBeanNotificationInfo[] getNotificationInfo() { - synchronized (this) { - if (notifInfo == null) { - notifInfo = new MBeanNotificationInfo[1]; - notifInfo[0] = new MBeanNotificationInfo(notifTypes, - notifName, - "Memory Notification"); - } - } - return notifInfo; + return new MBeanNotificationInfo[] { + new MBeanNotificationInfo(notifTypes, notifName, "Memory Notification") + }; } private static String getNotifMsg(String notifType) { diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/reflect/annotation/AnnotationInvocationHandler.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/reflect/annotation/AnnotationInvocationHandler.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/reflect/annotation/AnnotationInvocationHandler.java 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/reflect/annotation/AnnotationInvocationHandler.java 2016-01-20 01:47:58.000000000 +0000 @@ -25,6 +25,7 @@ package sun.reflect.annotation; +import java.io.ObjectInputStream; import java.lang.annotation.*; import java.lang.reflect.*; import java.io.Serializable; @@ -423,35 +424,72 @@ private void readObject(java.io.ObjectInputStream s) throws java.io.IOException, ClassNotFoundException { - s.defaultReadObject(); + ObjectInputStream.GetField fields = s.readFields(); + + @SuppressWarnings("unchecked") + Class t = (Class)fields.get("type", null); + @SuppressWarnings("unchecked") + Map streamVals = (Map)fields.get("memberValues", null); // Check to make sure that types have not evolved incompatibly AnnotationType annotationType = null; try { - annotationType = AnnotationType.getInstance(type); + annotationType = AnnotationType.getInstance(t); } catch(IllegalArgumentException e) { // Class is no longer an annotation type; time to punch out throw new java.io.InvalidObjectException("Non-annotation type in annotation serial stream"); } Map> memberTypes = annotationType.memberTypes(); + // consistent with runtime Map type + Map mv = new LinkedHashMap(); // If there are annotation members without values, that // situation is handled by the invoke method. - for (Map.Entry memberValue : memberValues.entrySet()) { + for (Map.Entry memberValue : streamVals.entrySet()) { String name = memberValue.getKey(); + Object value = null; Class memberType = memberTypes.get(name); if (memberType != null) { // i.e. member still exists - Object value = memberValue.getValue(); + value = memberValue.getValue(); if (!(memberType.isInstance(value) || value instanceof ExceptionProxy)) { - memberValue.setValue( - new AnnotationTypeMismatchExceptionProxy( + value = new AnnotationTypeMismatchExceptionProxy( value.getClass() + "[" + value + "]").setMember( - annotationType.members().get(name))); + annotationType.members().get(name)); } } + mv.put(name, value); + } + + UnsafeAccessor.setType(this, t); + UnsafeAccessor.setMemberValues(this, mv); + } + + private static class UnsafeAccessor { + private static final sun.misc.Unsafe unsafe; + private static final long typeOffset; + private static final long memberValuesOffset; + static { + try { + unsafe = sun.misc.Unsafe.getUnsafe(); + typeOffset = unsafe.objectFieldOffset + (AnnotationInvocationHandler.class.getDeclaredField("type")); + memberValuesOffset = unsafe.objectFieldOffset + (AnnotationInvocationHandler.class.getDeclaredField("memberValues")); + } catch (Exception ex) { + throw new ExceptionInInitializerError(ex); + } + } + static void setType(AnnotationInvocationHandler o, + Class type) { + unsafe.putObject(o, typeOffset, type); + } + + static void setMemberValues(AnnotationInvocationHandler o, + Map memberValues) { + unsafe.putObject(o, memberValuesOffset, memberValues); } } } diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/internal/spec/TlsRsaPremasterSecretParameterSpec.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/internal/spec/TlsRsaPremasterSecretParameterSpec.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/internal/spec/TlsRsaPremasterSecretParameterSpec.java 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/internal/spec/TlsRsaPremasterSecretParameterSpec.java 2016-01-20 01:47:58.000000000 +0000 @@ -41,6 +41,8 @@ @Deprecated public class TlsRsaPremasterSecretParameterSpec implements AlgorithmParameterSpec { + private final byte[] encodedSecret; + /* * The TLS spec says that the version in the RSA premaster secret must * be the maximum version supported by the client (i.e. the version it @@ -87,6 +89,33 @@ this.clientVersion = checkVersion(clientVersion); this.serverVersion = checkVersion(serverVersion); + this.encodedSecret = null; + } + + /** + * Constructs a new TlsRsaPremasterSecretParameterSpec. + * + * @param clientVersion the version of the TLS protocol by which the + * client wishes to communicate during this session + * @param serverVersion the negotiated version of the TLS protocol which + * contains the lower of that suggested by the client in the client + * hello and the highest supported by the server. + * @param encodedSecret the encoded secret key + * + * @throws IllegalArgumentException if clientVersion or serverVersion are + * negative or larger than (2^16 - 1) or if encodedSecret is not + * exactly 48 bytes + */ + public TlsRsaPremasterSecretParameterSpec( + int clientVersion, int serverVersion, byte[] encodedSecret) { + + this.clientVersion = checkVersion(clientVersion); + this.serverVersion = checkVersion(serverVersion); + if (encodedSecret == null || encodedSecret.length != 48) { + throw new IllegalArgumentException( + "Encoded secret is not exactly 48 bytes"); + } + this.encodedSecret = encodedSecret.clone(); } /** @@ -145,4 +174,13 @@ } return version; } + + /** + * Returns the encoded secret. + * + * @return the encoded secret, may be null if no encoded secret. + */ + public byte[] getEncodedSecret() { + return encodedSecret == null ? null : encodedSecret.clone(); + } } diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/jca/JCAUtil.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/jca/JCAUtil.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/jca/JCAUtil.java 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/jca/JCAUtil.java 2016-01-20 01:47:58.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -41,12 +41,6 @@ // no instantiation } - // lock to use for synchronization - private static final Object LOCK = JCAUtil.class; - - // cached SecureRandom instance - private static volatile SecureRandom secureRandom; - // size of the temporary arrays we use. Should fit into the CPU's 1st // level cache and could be adjusted based on the platform private final static int ARRAY_SIZE = 4096; @@ -60,26 +54,19 @@ return Math.min(ARRAY_SIZE, totalSize); } + // cached SecureRandom instance + private static class CachedSecureRandomHolder { + public static SecureRandom instance = new SecureRandom(); + } + /** - * Get a SecureRandom instance. This method should me used by JDK + * Get a SecureRandom instance. This method should be used by JDK * internal code in favor of calling "new SecureRandom()". That needs to * iterate through the provider table to find the default SecureRandom * implementation, which is fairly inefficient. */ public static SecureRandom getSecureRandom() { - // we use double checked locking to minimize synchronization - // works because we use a volatile reference - SecureRandom r = secureRandom; - if (r == null) { - synchronized (LOCK) { - r = secureRandom; - if (r == null) { - r = new SecureRandom(); - secureRandom = r; - } - } - } - return r; + return CachedSecureRandomHolder.instance; } } diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/krb5/Credentials.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/krb5/Credentials.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/krb5/Credentials.java 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/krb5/Credentials.java 2016-01-20 01:47:58.000000000 +0000 @@ -35,6 +35,7 @@ import sun.security.krb5.internal.crypto.EType; import java.io.IOException; import java.util.Date; +import java.util.Locale; import java.net.InetAddress; /** @@ -288,7 +289,7 @@ // The default ticket cache on Windows is not a file. String os = java.security.AccessController.doPrivileged( new sun.security.action.GetPropertyAction("os.name")); - if (os.toUpperCase().startsWith("WINDOWS")) { + if (os.toUpperCase(Locale.ENGLISH).startsWith("WINDOWS")) { Credentials creds = acquireDefaultCreds(); if (creds == null) { if (DEBUG) { diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/pkcs/PKCS9Attribute.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/pkcs/PKCS9Attribute.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/pkcs/PKCS9Attribute.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/pkcs/PKCS9Attribute.java 2016-01-20 01:47:58.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2006, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,6 +28,7 @@ import java.io.IOException; import java.io.OutputStream; import java.security.cert.CertificateException; +import java.util.Locale; import java.util.Date; import java.util.Hashtable; import sun.security.x509.CertificateExtensions; @@ -742,7 +743,7 @@ * the name. */ public static ObjectIdentifier getOID(String name) { - return NAME_OID_TABLE.get(name.toLowerCase()); + return NAME_OID_TABLE.get(name.toLowerCase(Locale.ENGLISH)); } /** diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java 2016-01-20 01:47:58.000000000 +0000 @@ -22,10 +22,11 @@ * or visit www.oracle.com if you need additional information or have any * questions. */ - package sun.security.pkcs11; import java.nio.ByteBuffer; +import java.util.Arrays; +import java.util.Locale; import java.security.*; import java.security.spec.*; @@ -34,7 +35,7 @@ import javax.crypto.spec.*; import sun.nio.ch.DirectBuffer; - +import sun.security.jca.JCAUtil; import sun.security.pkcs11.wrapper.*; import static sun.security.pkcs11.wrapper.PKCS11Constants.*; @@ -43,8 +44,8 @@ * DES, DESede, AES, ARCFOUR, and Blowfish. * * This class is designed to support ECB and CBC with NoPadding and - * PKCS5Padding for both. However, currently only CBC/NoPadding (and - * ECB/NoPadding for stream ciphers) is functional. + * PKCS5Padding for both. It will use its own padding impl if the + * native mechanism does not support padding. * * Note that PKCS#11 current only supports ECB and CBC. There are no * provisions for other modes such as CFB, OFB, PCBC, or CTR mode. @@ -62,10 +63,56 @@ private final static int MODE_CBC = 4; // padding constant for NoPadding - private final static int PAD_NONE = 5; + private final static int PAD_NONE = 5; // padding constant for PKCS5Padding private final static int PAD_PKCS5 = 6; + private static interface Padding { + // ENC: format the specified buffer with padding bytes and return the + // actual padding length + int setPaddingBytes(byte[] paddingBuffer, int padLen); + + // DEC: return the length of trailing padding bytes given the specified + // padded data + int unpad(byte[] paddedData, int ofs, int len) + throws BadPaddingException; + } + + private static class PKCS5Padding implements Padding { + + private final int blockSize; + + PKCS5Padding(int blockSize) + throws NoSuchPaddingException { + if (blockSize == 0) { + throw new NoSuchPaddingException + ("PKCS#5 padding not supported with stream ciphers"); + } + this.blockSize = blockSize; + } + + public int setPaddingBytes(byte[] paddingBuffer, int padLen) { + Arrays.fill(paddingBuffer, 0, padLen, (byte) (padLen & 0x007f)); + return padLen; + } + + public int unpad(byte[] paddedData, int ofs, int len) + throws BadPaddingException { + byte padValue = paddedData[ofs + len - 1]; + if (padValue < 1 || padValue > blockSize) { + throw new BadPaddingException("Invalid pad value!"); + } + // sanity check padding bytes + int padStartIndex = ofs + len - padValue; + for (int i = padStartIndex; i < len; i++) { + if (paddedData[i] != padValue) { + throw new BadPaddingException("Invalid pad bytes!"); + } + } + return padValue; + } + } + // token instance private final Token token; @@ -99,64 +146,92 @@ // padding type, on of PAD_* above (PAD_NONE for stream ciphers) private int paddingType; + // when the padding is requested but unsupported by the native mechanism, + // we use the following to do padding and necessary data buffering. + // padding object which generate padding and unpad the decrypted data + private Padding paddingObj; + // buffer for holding back the block which contains padding bytes + private byte[] padBuffer; + private int padBufferLen; + // original IV, if in MODE_CBC private byte[] iv; - // total number of bytes processed - private int bytesProcessed; + // number of bytes buffered internally by the native mechanism and padBuffer + // if we do the padding + private int bytesBuffered; P11Cipher(Token token, String algorithm, long mechanism) - throws PKCS11Exception { + throws PKCS11Exception, NoSuchAlgorithmException { super(); this.token = token; this.algorithm = algorithm; this.mechanism = mechanism; - keyAlgorithm = algorithm.split("/")[0]; + + String algoParts[] = algorithm.split("/"); + keyAlgorithm = algoParts[0]; + if (keyAlgorithm.equals("AES")) { blockSize = 16; - blockMode = MODE_CBC; - // XXX change default to PKCS5Padding - paddingType = PAD_NONE; - } else if (keyAlgorithm.equals("RC4") || keyAlgorithm.equals("ARCFOUR")) { + } else if (keyAlgorithm.equals("RC4") || + keyAlgorithm.equals("ARCFOUR")) { blockSize = 0; - blockMode = MODE_ECB; - paddingType = PAD_NONE; } else { // DES, DESede, Blowfish blockSize = 8; - blockMode = MODE_CBC; - // XXX change default to PKCS5Padding - paddingType = PAD_NONE; + } + this.blockMode = + (algoParts.length > 1 ? parseMode(algoParts[1]) : MODE_ECB); + + String defPadding = (blockSize == 0 ? "NoPadding" : "PKCS5Padding"); + String paddingStr = + (algoParts.length > 2 ? algoParts[2] : defPadding); + try { + engineSetPadding(paddingStr); + } catch (NoSuchPaddingException nspe) { + // should not happen + throw new ProviderException(nspe); } } protected void engineSetMode(String mode) throws NoSuchAlgorithmException { - mode = mode.toUpperCase(); + // Disallow change of mode for now since currently it's explicitly + // defined in transformation strings + throw new NoSuchAlgorithmException("Unsupported mode " + mode); + } + + private int parseMode(String mode) throws NoSuchAlgorithmException { + mode = mode.toUpperCase(Locale.ENGLISH); + int result; if (mode.equals("ECB")) { - this.blockMode = MODE_ECB; + result = MODE_ECB; } else if (mode.equals("CBC")) { if (blockSize == 0) { throw new NoSuchAlgorithmException ("CBC mode not supported with stream ciphers"); } - this.blockMode = MODE_CBC; + result = MODE_CBC; } else { throw new NoSuchAlgorithmException("Unsupported mode " + mode); } + return result; } // see JCE spec protected void engineSetPadding(String padding) throws NoSuchPaddingException { - if (padding.equalsIgnoreCase("NoPadding")) { + paddingObj = null; + padBuffer = null; + padding = padding.toUpperCase(Locale.ENGLISH); + if (padding.equals("NOPADDING")) { paddingType = PAD_NONE; - } else if (padding.equalsIgnoreCase("PKCS5Padding")) { - if (blockSize == 0) { - throw new NoSuchPaddingException - ("PKCS#5 padding not supported with stream ciphers"); - } + } else if (padding.equals("PKCS5PADDING")) { paddingType = PAD_PKCS5; - // XXX PKCS#5 not yet implemented - throw new NoSuchPaddingException("pkcs5"); + if (mechanism != CKM_DES_CBC_PAD && mechanism != CKM_DES3_CBC_PAD && + mechanism != CKM_AES_CBC_PAD) { + // no native padding support; use our own padding impl + paddingObj = new PKCS5Padding(blockSize); + padBuffer = new byte[blockSize]; + } } else { throw new NoSuchPaddingException("Unsupported padding " + padding); } @@ -174,7 +249,7 @@ // see JCE spec protected byte[] engineGetIV() { - return (iv == null) ? null : (byte[])iv.clone(); + return (iv == null) ? null : (byte[]) iv.clone(); } // see JCE spec @@ -184,8 +259,9 @@ } IvParameterSpec ivSpec = new IvParameterSpec(iv); try { - AlgorithmParameters params = AlgorithmParameters.getInstance - (keyAlgorithm, P11Util.getSunJceProvider()); + AlgorithmParameters params = + AlgorithmParameters.getInstance(keyAlgorithm, + P11Util.getSunJceProvider()); params.init(ivSpec); return params; } catch (GeneralSecurityException e) { @@ -209,38 +285,38 @@ protected void engineInit(int opmode, Key key, AlgorithmParameterSpec params, SecureRandom random) throws InvalidKeyException, InvalidAlgorithmParameterException { - byte[] iv; + byte[] ivValue; if (params != null) { if (params instanceof IvParameterSpec == false) { throw new InvalidAlgorithmParameterException ("Only IvParameterSpec supported"); } - IvParameterSpec ivSpec = (IvParameterSpec)params; - iv = ivSpec.getIV(); + IvParameterSpec ivSpec = (IvParameterSpec) params; + ivValue = ivSpec.getIV(); } else { - iv = null; + ivValue = null; } - implInit(opmode, key, iv, random); + implInit(opmode, key, ivValue, random); } // see JCE spec protected void engineInit(int opmode, Key key, AlgorithmParameters params, SecureRandom random) throws InvalidKeyException, InvalidAlgorithmParameterException { - byte[] iv; + byte[] ivValue; if (params != null) { try { IvParameterSpec ivSpec = (IvParameterSpec) params.getParameterSpec(IvParameterSpec.class); - iv = ivSpec.getIV(); + ivValue = ivSpec.getIV(); } catch (InvalidParameterSpecException e) { throw new InvalidAlgorithmParameterException ("Could not decode IV", e); } } else { - iv = null; + ivValue = null; } - implInit(opmode, key, iv, random); + implInit(opmode, key, ivValue, random); } // actual init() implementation @@ -249,42 +325,42 @@ throws InvalidKeyException, InvalidAlgorithmParameterException { cancelOperation(); switch (opmode) { - case Cipher.ENCRYPT_MODE: - encrypt = true; - break; - case Cipher.DECRYPT_MODE: - encrypt = false; - break; - default: - throw new InvalidAlgorithmParameterException - ("Unsupported mode: " + opmode); + case Cipher.ENCRYPT_MODE: + encrypt = true; + break; + case Cipher.DECRYPT_MODE: + encrypt = false; + break; + default: + throw new InvalidAlgorithmParameterException + ("Unsupported mode: " + opmode); } if (blockMode == MODE_ECB) { // ECB or stream cipher if (iv != null) { if (blockSize == 0) { throw new InvalidAlgorithmParameterException - ("IV not used with stream ciphers"); + ("IV not used with stream ciphers"); } else { throw new InvalidAlgorithmParameterException - ("IV not used in ECB mode"); + ("IV not used in ECB mode"); } } } else { // MODE_CBC if (iv == null) { if (encrypt == false) { throw new InvalidAlgorithmParameterException - ("IV must be specified for decryption in CBC mode"); + ("IV must be specified for decryption in CBC mode"); } // generate random IV if (random == null) { - random = new SecureRandom(); + random = JCAUtil.getSecureRandom(); } iv = new byte[blockSize]; random.nextBytes(iv); } else { if (iv.length != blockSize) { throw new InvalidAlgorithmParameterException - ("IV length must match block size"); + ("IV length must match block size"); } } } @@ -330,63 +406,43 @@ session = token.getOpSession(); } if (encrypt) { - token.p11.C_EncryptInit - (session.id(), new CK_MECHANISM(mechanism, iv), p11Key.keyID); + token.p11.C_EncryptInit(session.id(), + new CK_MECHANISM(mechanism, iv), p11Key.keyID); } else { - token.p11.C_DecryptInit - (session.id(), new CK_MECHANISM(mechanism, iv), p11Key.keyID); + token.p11.C_DecryptInit(session.id(), + new CK_MECHANISM(mechanism, iv), p11Key.keyID); } - bytesProcessed = 0; + bytesBuffered = 0; + padBufferLen = 0; initialized = true; } - // XXX the calculations below assume the PKCS#11 implementation is smart. - // conceivably, not all implementations are and we may need to estimate - // more conservatively - - private int bytesBuffered(int totalLen) { - if (paddingType == PAD_NONE) { - // with NoPadding, buffer only the current unfinished block - return totalLen & (blockSize - 1); - } else { // PKCS5 - // with PKCS5Padding in decrypt mode, the buffer must never - // be empty. Buffer a full block instead of nothing. - int buffered = totalLen & (blockSize - 1); - if ((buffered == 0) && (encrypt == false)) { - buffered = blockSize; - } - return buffered; - } - } - // if update(inLen) is called, how big does the output buffer have to be? private int updateLength(int inLen) { if (inLen <= 0) { return 0; } - if (blockSize == 0) { - return inLen; - } else { - // bytes that need to be buffered now - int buffered = bytesBuffered(bytesProcessed); - // bytes that need to be buffered after this update - int newBuffered = bytesBuffered(bytesProcessed + inLen); - return inLen + buffered - newBuffered; + + int result = inLen + bytesBuffered; + if (blockSize != 0) { + // minus the number of bytes in the last incomplete block. + result -= (result & (blockSize - 1)); } + return result; } // if doFinal(inLen) is called, how big does the output buffer have to be? private int doFinalLength(int inLen) { - if (paddingType == PAD_NONE) { - return updateLength(inLen); - } if (inLen < 0) { return 0; } - int buffered = bytesBuffered(bytesProcessed); - int newProcessed = bytesProcessed + inLen; - int paddedProcessed = (newProcessed + blockSize) & ~(blockSize - 1); - return paddedProcessed - bytesProcessed + buffered; + + int result = inLen + bytesBuffered; + if (blockSize != 0 && encrypt && paddingType != PAD_NONE) { + // add the number of bytes to make the last block complete. + result += (blockSize - (result & (blockSize - 1))); + } + return result; } // see JCE spec @@ -396,6 +452,7 @@ int n = engineUpdate(in, inOfs, inLen, out, 0); return P11Util.convert(out, 0, n); } catch (ShortBufferException e) { + // convert since the output length is calculated by updateLength() throw new ProviderException(e); } } @@ -408,6 +465,7 @@ } // see JCE spec + @Override protected int engineUpdate(ByteBuffer inBuffer, ByteBuffer outBuffer) throws ShortBufferException { return implUpdate(inBuffer, outBuffer); @@ -421,14 +479,15 @@ int n = engineDoFinal(in, inOfs, inLen, out, 0); return P11Util.convert(out, 0, n); } catch (ShortBufferException e) { + // convert since the output length is calculated by doFinalLength() throw new ProviderException(e); } } // see JCE spec protected int engineDoFinal(byte[] in, int inOfs, int inLen, byte[] out, - int outOfs) throws ShortBufferException, IllegalBlockSizeException { - // BadPaddingException { + int outOfs) throws ShortBufferException, IllegalBlockSizeException, + BadPaddingException { int n = 0; if ((inLen != 0) && (in != null)) { n = engineUpdate(in, inOfs, inLen, out, outOfs); @@ -439,8 +498,10 @@ } // see JCE spec + @Override protected int engineDoFinal(ByteBuffer inBuffer, ByteBuffer outBuffer) - throws ShortBufferException, IllegalBlockSizeException, BadPaddingException { + throws ShortBufferException, IllegalBlockSizeException, + BadPaddingException { int n = engineUpdate(inBuffer, outBuffer); n += implDoFinal(outBuffer); return n; @@ -453,18 +514,55 @@ } try { ensureInitialized(); - int k; + int k = 0; if (encrypt) { - k = token.p11.C_EncryptUpdate - (session.id(), 0, in, inOfs, inLen, 0, out, outOfs, outLen); + k = token.p11.C_EncryptUpdate(session.id(), 0, in, inOfs, inLen, + 0, out, outOfs, outLen); } else { - k = token.p11.C_DecryptUpdate - (session.id(), 0, in, inOfs, inLen, 0, out, outOfs, outLen); + int newPadBufferLen = 0; + if (paddingObj != null) { + if (padBufferLen != 0) { + // NSS throws up when called with data not in multiple + // of blocks. Try to work around this by holding the + // extra data in padBuffer. + if (padBufferLen != padBuffer.length) { + int bufCapacity = padBuffer.length - padBufferLen; + if (inLen > bufCapacity) { + bufferInputBytes(in, inOfs, bufCapacity); + inOfs += bufCapacity; + inLen -= bufCapacity; + } else { + bufferInputBytes(in, inOfs, inLen); + return 0; + } + } + k = token.p11.C_DecryptUpdate(session.id(), + 0, padBuffer, 0, padBufferLen, + 0, out, outOfs, outLen); + padBufferLen = 0; + } + newPadBufferLen = inLen & (blockSize - 1); + if (newPadBufferLen == 0) { + newPadBufferLen = padBuffer.length; + } + inLen -= newPadBufferLen; + } + if (inLen > 0) { + k += token.p11.C_DecryptUpdate(session.id(), 0, in, inOfs, + inLen, 0, out, (outOfs + k), (outLen - k)); + } + // update 'padBuffer' if using our own padding impl. + if (paddingObj != null) { + bufferInputBytes(in, inOfs + inLen, newPadBufferLen); + } } - bytesProcessed += inLen; + bytesBuffered += (inLen - k); return k; } catch (PKCS11Exception e) { - // XXX throw correct exception + if (e.getErrorCode() == CKR_BUFFER_TOO_SMALL) { + throw (ShortBufferException) + (new ShortBufferException().initCause(e)); + } throw new ProviderException("update() failed", e); } } @@ -480,101 +578,167 @@ if (outLen < updateLength(inLen)) { throw new ShortBufferException(); } - boolean inPosChanged = false; + int origPos = inBuffer.position(); try { ensureInitialized(); long inAddr = 0; - int inOfs = inBuffer.position(); + int inOfs = 0; byte[] inArray = null; + if (inBuffer instanceof DirectBuffer) { - inAddr = ((DirectBuffer)inBuffer).address(); - } else { - if (inBuffer.hasArray()) { - inArray = inBuffer.array(); - inOfs += inBuffer.arrayOffset(); - } else { - inArray = new byte[inLen]; - inBuffer.get(inArray); - inOfs = 0; - inPosChanged = true; - } + inAddr = ((DirectBuffer) inBuffer).address(); + inOfs = origPos; + } else if (inBuffer.hasArray()) { + inArray = inBuffer.array(); + inOfs = (origPos + inBuffer.arrayOffset()); } long outAddr = 0; - int outOfs = outBuffer.position(); + int outOfs = 0; byte[] outArray = null; if (outBuffer instanceof DirectBuffer) { - outAddr = ((DirectBuffer)outBuffer).address(); + outAddr = ((DirectBuffer) outBuffer).address(); + outOfs = outBuffer.position(); } else { if (outBuffer.hasArray()) { outArray = outBuffer.array(); - outOfs += outBuffer.arrayOffset(); + outOfs = (outBuffer.position() + outBuffer.arrayOffset()); } else { outArray = new byte[outLen]; - outOfs = 0; } } - int k; + int k = 0; if (encrypt) { - k = token.p11.C_EncryptUpdate - (session.id(), inAddr, inArray, inOfs, inLen, - outAddr, outArray, outOfs, outLen); - } else { - k = token.p11.C_DecryptUpdate - (session.id(), inAddr, inArray, inOfs, inLen, - outAddr, outArray, outOfs, outLen); - } - bytesProcessed += inLen; - if (!inPosChanged) { - inBuffer.position(inBuffer.position() + inLen); + if (inAddr == 0 && inArray == null) { + inArray = new byte[inLen]; + inBuffer.get(inArray); + } else { + inBuffer.position(origPos + inLen); + } + k = token.p11.C_EncryptUpdate(session.id(), + inAddr, inArray, inOfs, inLen, + outAddr, outArray, outOfs, outLen); + } else { + int newPadBufferLen = 0; + if (paddingObj != null) { + if (padBufferLen != 0) { + // NSS throws up when called with data not in multiple + // of blocks. Try to work around this by holding the + // extra data in padBuffer. + if (padBufferLen != padBuffer.length) { + int bufCapacity = padBuffer.length - padBufferLen; + if (inLen > bufCapacity) { + bufferInputBytes(inBuffer, bufCapacity); + inOfs += bufCapacity; + inLen -= bufCapacity; + } else { + bufferInputBytes(inBuffer, inLen); + return 0; + } + } + k = token.p11.C_DecryptUpdate(session.id(), 0, + padBuffer, 0, padBufferLen, outAddr, outArray, + outOfs, outLen); + padBufferLen = 0; + } + newPadBufferLen = inLen & (blockSize - 1); + if (newPadBufferLen == 0) { + newPadBufferLen = padBuffer.length; + } + inLen -= newPadBufferLen; + } + if (inLen > 0) { + if (inAddr == 0 && inArray == null) { + inArray = new byte[inLen]; + inBuffer.get(inArray); + } else { + inBuffer.position(inBuffer.position() + inLen); + } + k += token.p11.C_DecryptUpdate(session.id(), inAddr, + inArray, inOfs, inLen, outAddr, outArray, + (outOfs + k), (outLen - k)); + } + // update 'padBuffer' if using our own padding impl. + if (paddingObj != null && newPadBufferLen != 0) { + bufferInputBytes(inBuffer, newPadBufferLen); + } } + bytesBuffered += (inLen - k); if (!(outBuffer instanceof DirectBuffer) && - !outBuffer.hasArray()) { + !outBuffer.hasArray()) { outBuffer.put(outArray, outOfs, k); } else { outBuffer.position(outBuffer.position() + k); } return k; } catch (PKCS11Exception e) { - // Un-read the bytes back to input buffer - if (inPosChanged) { - inBuffer.position(inBuffer.position() - inLen); + // Reset input buffer to its original position for + inBuffer.position(origPos); + if (e.getErrorCode() == CKR_BUFFER_TOO_SMALL) { + throw (ShortBufferException) + (new ShortBufferException().initCause(e)); } - // XXX throw correct exception throw new ProviderException("update() failed", e); } } private int implDoFinal(byte[] out, int outOfs, int outLen) - throws ShortBufferException, IllegalBlockSizeException { - if (outLen < doFinalLength(0)) { + throws ShortBufferException, IllegalBlockSizeException, + BadPaddingException { + int requiredOutLen = doFinalLength(0); + if (outLen < requiredOutLen) { throw new ShortBufferException(); } try { ensureInitialized(); + int k = 0; if (encrypt) { - return token.p11.C_EncryptFinal - (session.id(), 0, out, outOfs, outLen); + if (paddingObj != null) { + int actualPadLen = paddingObj.setPaddingBytes(padBuffer, + requiredOutLen - bytesBuffered); + k = token.p11.C_EncryptUpdate(session.id(), + 0, padBuffer, 0, actualPadLen, + 0, out, outOfs, outLen); + } + k += token.p11.C_EncryptFinal(session.id(), + 0, out, (outOfs + k), (outLen - k)); } else { - return token.p11.C_DecryptFinal - (session.id(), 0, out, outOfs, outLen); + if (paddingObj != null) { + if (padBufferLen != 0) { + k = token.p11.C_DecryptUpdate(session.id(), 0, + padBuffer, 0, padBufferLen, 0, padBuffer, 0, + padBuffer.length); + } + k += token.p11.C_DecryptFinal(session.id(), 0, padBuffer, k, + padBuffer.length - k); + int actualPadLen = paddingObj.unpad(padBuffer, 0, k); + k -= actualPadLen; + System.arraycopy(padBuffer, 0, out, outOfs, k); + } else { + k = token.p11.C_DecryptFinal(session.id(), 0, out, outOfs, + outLen); + } } + return k; } catch (PKCS11Exception e) { handleException(e); throw new ProviderException("doFinal() failed", e); } finally { initialized = false; - bytesProcessed = 0; + bytesBuffered = 0; + padBufferLen = 0; session = token.releaseSession(session); } } private int implDoFinal(ByteBuffer outBuffer) - throws ShortBufferException, IllegalBlockSizeException { + throws ShortBufferException, IllegalBlockSizeException, + BadPaddingException { int outLen = outBuffer.remaining(); - if (outLen < doFinalLength(0)) { + int requiredOutLen = doFinalLength(0); + if (outLen < requiredOutLen) { throw new ShortBufferException(); } @@ -582,30 +746,54 @@ ensureInitialized(); long outAddr = 0; - int outOfs = outBuffer.position(); byte[] outArray = null; + int outOfs = 0; if (outBuffer instanceof DirectBuffer) { - outAddr = ((DirectBuffer)outBuffer).address(); + outAddr = ((DirectBuffer) outBuffer).address(); + outOfs = outBuffer.position(); } else { if (outBuffer.hasArray()) { outArray = outBuffer.array(); - outOfs += outBuffer.arrayOffset(); + outOfs = outBuffer.position() + outBuffer.arrayOffset(); } else { outArray = new byte[outLen]; - outOfs = 0; } } - int k; + int k = 0; + if (encrypt) { - k = token.p11.C_EncryptFinal - (session.id(), outAddr, outArray, outOfs, outLen); + if (paddingObj != null) { + int actualPadLen = paddingObj.setPaddingBytes(padBuffer, + requiredOutLen - bytesBuffered); + k = token.p11.C_EncryptUpdate(session.id(), + 0, padBuffer, 0, actualPadLen, + outAddr, outArray, outOfs, outLen); + } + k += token.p11.C_EncryptFinal(session.id(), + outAddr, outArray, (outOfs + k), (outLen - k)); } else { - k = token.p11.C_DecryptFinal - (session.id(), outAddr, outArray, outOfs, outLen); + if (paddingObj != null) { + if (padBufferLen != 0) { + k = token.p11.C_DecryptUpdate(session.id(), + 0, padBuffer, 0, padBufferLen, + 0, padBuffer, 0, padBuffer.length); + padBufferLen = 0; + } + k += token.p11.C_DecryptFinal(session.id(), + 0, padBuffer, k, padBuffer.length - k); + int actualPadLen = paddingObj.unpad(padBuffer, 0, k); + k -= actualPadLen; + outArray = padBuffer; + outOfs = 0; + } else { + k = token.p11.C_DecryptFinal(session.id(), + outAddr, outArray, outOfs, outLen); + } } - if (!(outBuffer instanceof DirectBuffer) && - !outBuffer.hasArray()) { + if ((!encrypt && paddingObj != null) || + (!(outBuffer instanceof DirectBuffer) && + !outBuffer.hasArray())) { outBuffer.put(outArray, outOfs, k); } else { outBuffer.position(outBuffer.position() + k); @@ -616,20 +804,21 @@ throw new ProviderException("doFinal() failed", e); } finally { initialized = false; - bytesProcessed = 0; + bytesBuffered = 0; session = token.releaseSession(session); } } private void handleException(PKCS11Exception e) - throws IllegalBlockSizeException { + throws ShortBufferException, IllegalBlockSizeException { long errorCode = e.getErrorCode(); - // XXX better check - if (errorCode == CKR_DATA_LEN_RANGE) { - throw (IllegalBlockSizeException)new - IllegalBlockSizeException(e.toString()).initCause(e); + if (errorCode == CKR_BUFFER_TOO_SMALL) { + throw (ShortBufferException) + (new ShortBufferException().initCause(e)); + } else if (errorCode == CKR_DATA_LEN_RANGE) { + throw (IllegalBlockSizeException) + (new IllegalBlockSizeException(e.toString()).initCause(e)); } - } // see JCE spec @@ -647,10 +836,22 @@ throw new UnsupportedOperationException("engineUnwrap()"); } + private final void bufferInputBytes(byte[] in, int inOfs, int len) { + System.arraycopy(in, inOfs, padBuffer, padBufferLen, len); + padBufferLen += len; + bytesBuffered += len; + } + + private final void bufferInputBytes(ByteBuffer inBuffer, int len) { + inBuffer.get(padBuffer, padBufferLen, len); + padBufferLen += len; + bytesBuffered += len; + } // see JCE spec + @Override protected int engineGetKeySize(Key key) throws InvalidKeyException { int n = P11SecretKeyFactory.convertKey - (token, key, keyAlgorithm).length(); + (token, key, keyAlgorithm).length(); return n; } } diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java 2016-01-20 01:47:58.000000000 +0000 @@ -29,6 +29,8 @@ import java.security.spec.AlgorithmParameterSpec; import java.security.spec.*; +import java.util.Locale; + import javax.crypto.*; import javax.crypto.spec.*; @@ -118,7 +120,7 @@ protected void engineSetPadding(String padding) throws NoSuchPaddingException { - String lowerPadding = padding.toLowerCase(); + String lowerPadding = padding.toLowerCase(Locale.ENGLISH); if (lowerPadding.equals("pkcs1Padding")) { // empty } else { @@ -433,49 +435,49 @@ algorithm.equals("TlsRsaPremasterSecret"); Exception failover = null; - SecureRandom secureRandom = random; - if (secureRandom == null && isTlsRsaPremasterSecret) { - secureRandom = new SecureRandom(); - } - // Should C_Unwrap be preferred for non-TLS RSA premaster secret? if (token.supportsRawSecretKeyImport()) { // XXX implement unwrap using C_Unwrap() for all keys implInit(Cipher.DECRYPT_MODE, p11Key); - if (wrappedKey.length > maxInputSize) { - throw new InvalidKeyException("Key is too long for unwrapping"); - } - - byte[] encoded = null; - implUpdate(wrappedKey, 0, wrappedKey.length); try { - encoded = doFinal(); - } catch (BadPaddingException e) { - if (isTlsRsaPremasterSecret) { - failover = e; - } else { + if (wrappedKey.length > maxInputSize) { + throw new InvalidKeyException("Key is too long for unwrapping"); + } + + byte[] encoded = null; + implUpdate(wrappedKey, 0, wrappedKey.length); + try { + encoded = doFinal(); + } catch (BadPaddingException e) { + if (isTlsRsaPremasterSecret) { + failover = e; + } else { + throw new InvalidKeyException("Unwrapping failed", e); + } + } catch (IllegalBlockSizeException e) { + // should not occur, handled with length check above throw new InvalidKeyException("Unwrapping failed", e); } - } catch (IllegalBlockSizeException e) { - // should not occur, handled with length check above - throw new InvalidKeyException("Unwrapping failed", e); - } - if (isTlsRsaPremasterSecret) { - if (!(spec instanceof TlsRsaPremasterSecretParameterSpec)) { - throw new IllegalStateException( - "No TlsRsaPremasterSecretParameterSpec specified"); + if (isTlsRsaPremasterSecret) { + if (!(spec instanceof TlsRsaPremasterSecretParameterSpec)) { + throw new IllegalStateException( + "No TlsRsaPremasterSecretParameterSpec specified"); + } + + // polish the TLS premaster secret + TlsRsaPremasterSecretParameterSpec psps = + (TlsRsaPremasterSecretParameterSpec)spec; + encoded = KeyUtil.checkTlsPreMasterSecretKey( + psps.getClientVersion(), psps.getServerVersion(), + random, encoded, (failover != null)); } - // polish the TLS premaster secret - TlsRsaPremasterSecretParameterSpec psps = - (TlsRsaPremasterSecretParameterSpec)spec; - encoded = KeyUtil.checkTlsPreMasterSecretKey( - psps.getClientVersion(), psps.getServerVersion(), - secureRandom, encoded, (failover != null)); + return ConstructKeys.constructKey(encoded, algorithm, type); + } finally { + // Restore original mode + implInit(Cipher.UNWRAP_MODE, p11Key); } - - return ConstructKeys.constructKey(encoded, algorithm, type); } else { Session s = null; SecretKey secretKey = null; @@ -503,20 +505,13 @@ } if (isTlsRsaPremasterSecret) { - byte[] replacer = new byte[48]; - if (failover == null) { - // Does smart compiler dispose this operation? - secureRandom.nextBytes(replacer); - } - TlsRsaPremasterSecretParameterSpec psps = (TlsRsaPremasterSecretParameterSpec)spec; - // Please use the tricky failover and replacer byte array - // as the parameters so that smart compiler won't dispose - // the unused variable . + // Please use the tricky failover as the parameter so that + // smart compiler won't dispose the unused variable. secretKey = polishPreMasterSecretKey(token, s, - failover, replacer, secretKey, + failover, secretKey, psps.getClientVersion(), psps.getServerVersion()); } @@ -535,29 +530,27 @@ private static SecretKey polishPreMasterSecretKey( Token token, Session session, - Exception failover, byte[] replacer, SecretKey secretKey, + Exception failover, SecretKey unwrappedKey, int clientVersion, int serverVersion) { - if (failover != null) { - CK_VERSION version = new CK_VERSION( - (clientVersion >>> 8) & 0xFF, clientVersion & 0xFF); - try { - CK_ATTRIBUTE[] attributes = token.getAttributes( - O_GENERATE, CKO_SECRET_KEY, - CKK_GENERIC_SECRET, new CK_ATTRIBUTE[0]); - long keyID = token.p11.C_GenerateKey(session.id(), - // new CK_MECHANISM(CKM_TLS_PRE_MASTER_KEY_GEN, version), - new CK_MECHANISM(CKM_SSL3_PRE_MASTER_KEY_GEN, version), - attributes); - return P11Key.secretKey(session, - keyID, "TlsRsaPremasterSecret", 48 << 3, attributes); - } catch (PKCS11Exception e) { - throw new ProviderException( - "Could not generate premaster secret", e); - } + SecretKey newKey; + CK_VERSION version = new CK_VERSION( + (clientVersion >>> 8) & 0xFF, clientVersion & 0xFF); + try { + CK_ATTRIBUTE[] attributes = token.getAttributes( + O_GENERATE, CKO_SECRET_KEY, + CKK_GENERIC_SECRET, new CK_ATTRIBUTE[0]); + long keyID = token.p11.C_GenerateKey(session.id(), + new CK_MECHANISM(CKM_SSL3_PRE_MASTER_KEY_GEN, version), + attributes); + newKey = P11Key.secretKey(session, + keyID, "TlsRsaPremasterSecret", 48 << 3, attributes); + } catch (PKCS11Exception e) { + throw new ProviderException( + "Could not generate premaster secret", e); } - return secretKey; + return (failover == null) ? unwrappedKey : newKey; } } diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2016-01-20 01:47:58.000000000 +0000 @@ -583,14 +583,26 @@ // XXX attributes for Ciphers (supported modes, padding) d(CIP, "ARCFOUR", P11Cipher, s("RC4"), m(CKM_RC4)); - // XXX only CBC/NoPadding for block ciphers d(CIP, "DES/CBC/NoPadding", P11Cipher, m(CKM_DES_CBC)); + d(CIP, "DES/CBC/PKCS5Padding", P11Cipher, + m(CKM_DES_CBC_PAD, CKM_DES_CBC)); + d(CIP, "DES/ECB", P11Cipher, s("DES"), + m(CKM_DES_ECB)); + d(CIP, "DESede/CBC/NoPadding", P11Cipher, m(CKM_DES3_CBC)); + d(CIP, "DESede/CBC/PKCS5Padding", P11Cipher, + m(CKM_DES3_CBC_PAD, CKM_DES3_CBC)); + d(CIP, "DESede/ECB", P11Cipher, s("DESede"), + m(CKM_DES3_ECB)); d(CIP, "AES/CBC/NoPadding", P11Cipher, m(CKM_AES_CBC)); - d(CIP, "Blowfish/CBC/NoPadding", P11Cipher, + d(CIP, "AES/CBC/PKCS5Padding", P11Cipher, + m(CKM_AES_CBC_PAD, CKM_AES_CBC)); + d(CIP, "AES/ECB", P11Cipher, s("AES"), + m(CKM_AES_ECB)); + d(CIP, "Blowfish/CBC", P11Cipher, m(CKM_BLOWFISH_CBC)); // XXX RSA_X_509, RSA_OAEP not yet supported diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/provider/certpath/DistributionPointFetcher.java 2016-01-20 01:47:58.000000000 +0000 @@ -319,6 +319,16 @@ debug.println("crl issuer does not equal cert issuer"); } return false; + } else { + // in case of self-issued indirect CRL issuer. + byte[] certAKID = certImpl.getExtensionValue( + PKIXExtensions.AuthorityKey_Id.toString()); + byte[] crlAKID = crlImpl.getExtensionValue( + PKIXExtensions.AuthorityKey_Id.toString()); + + if (!Arrays.equals(certAKID, crlAKID)) { + indirectCRL = true; + } } if (!indirectCRL && !signFlag) { diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java 2016-01-20 01:47:58.000000000 +0000 @@ -319,7 +319,9 @@ } // break out of loop if search is successful - break; + if (pathCompleted) { + break; + } } if (debug != null) { diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/provider/certpath/URICertStore.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/provider/certpath/URICertStore.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/provider/certpath/URICertStore.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/provider/certpath/URICertStore.java 2016-01-20 01:47:58.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2010 Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -50,6 +50,7 @@ import java.util.Collection; import java.util.Collections; import java.util.List; +import java.util.Locale; import sun.security.x509.AccessDescription; import sun.security.x509.GeneralNameInterface; import sun.security.x509.URIName; @@ -134,7 +135,7 @@ } this.uri = ((URICertStoreParameters) params).uri; // if ldap URI, use an LDAPCertStore to fetch certs and CRLs - if (uri.getScheme().toLowerCase().equals("ldap")) { + if (uri.getScheme().toLowerCase(Locale.ENGLISH).equals("ldap")) { ldap = true; ldapCertStore = LDAPCertStore.getInstance(LDAPCertStore.getParameters(uri)); diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/ssl/RSAClientKeyExchange.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/ssl/RSAClientKeyExchange.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/ssl/RSAClientKeyExchange.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/ssl/RSAClientKeyExchange.java 2016-01-20 01:47:58.000000000 +0000 @@ -111,15 +111,34 @@ } } + byte[] encoded = null; try { Cipher cipher = JsseJce.getCipher(JsseJce.CIPHER_RSA_PKCS1); - // Cannot generate key here, please don't use Cipher.UNWRAP_MODE! - cipher.init(Cipher.UNWRAP_MODE, privateKey, - new TlsRsaPremasterSecretParameterSpec( - maxVersion.v, currentVersion.v), - generator); - preMaster = (SecretKey)cipher.unwrap(encrypted, - "TlsRsaPremasterSecret", Cipher.SECRET_KEY); + boolean needFailover = !KeyUtil.isOracleJCEProvider( + cipher.getProvider().getName()); + if (needFailover) { + cipher.init(Cipher.DECRYPT_MODE, privateKey); + boolean failed = false; + try { + encoded = cipher.doFinal(encrypted); + } catch (BadPaddingException bpe) { + // Note: encoded == null + failed = true; + } + encoded = KeyUtil.checkTlsPreMasterSecretKey( + maxVersion.v, currentVersion.v, + generator, encoded, failed); + preMaster = generatePreMasterSecret( + maxVersion.v, currentVersion.v, + encoded, generator); + } else { + cipher.init(Cipher.UNWRAP_MODE, privateKey, + new TlsRsaPremasterSecretParameterSpec( + maxVersion.v, currentVersion.v), + generator); + preMaster = (SecretKey)cipher.unwrap(encrypted, + "TlsRsaPremasterSecret", Cipher.SECRET_KEY); + } } catch (InvalidKeyException ibk) { // the message is too big to process with RSA throw new SSLProtocolException( @@ -134,6 +153,41 @@ } } + // generate a premaster secret with the specified version number + @SuppressWarnings("deprecation") + private static SecretKey generatePreMasterSecret( + int clientVersion, int serverVersion, + byte[] encodedSecret, SecureRandom generator) { + + if (debug != null && Debug.isOn("handshake")) { + System.out.println("Generating a premaster secret"); + } + + try { + String s = ((clientVersion >= ProtocolVersion.TLS12.v) ? + "SunTls12RsaPremasterSecret" : "SunTlsRsaPremasterSecret"); + KeyGenerator kg = JsseJce.getKeyGenerator(s); + kg.init(new TlsRsaPremasterSecretParameterSpec( + clientVersion, serverVersion, encodedSecret), + generator); + return kg.generateKey(); + } catch (InvalidAlgorithmParameterException iae) { + // unlikely to happen, otherwise, must be a provider exception + if (debug != null && Debug.isOn("handshake")) { + System.out.println("RSA premaster secret generation error:"); + iae.printStackTrace(System.out); + } + throw new RuntimeException("Could not generate premaster secret", iae); + } catch (NoSuchAlgorithmException nsae) { + // unlikely to happen, otherwise, must be a provider exception + if (debug != null && Debug.isOn("handshake")) { + System.out.println("RSA premaster secret generation error:"); + nsae.printStackTrace(System.out); + } + throw new RuntimeException("Could not generate premaster secret", nsae); + } + } + @Override int messageType() { return ht_client_key_exchange; diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/util/Debug.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/util/Debug.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/util/Debug.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/util/Debug.java 2016-01-20 01:47:58.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2007, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -28,6 +28,7 @@ import java.math.BigInteger; import java.util.regex.Pattern; import java.util.regex.Matcher; +import java.util.Locale; /** * A utility class for debuging. @@ -262,7 +263,7 @@ source = left; // convert the rest to lower-case characters - target.append(source.toString().toLowerCase()); + target.append(source.toString().toLowerCase(Locale.ENGLISH)); return target.toString(); } diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/util/KeyUtil.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/util/KeyUtil.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/util/KeyUtil.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/util/KeyUtil.java 2016-01-20 01:47:58.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * */ @@ -22,6 +22,8 @@ import javax.crypto.spec.DHPublicKeySpec; import java.math.BigInteger; +import sun.security.jca.JCAUtil; + /** * A utility class to get key length, valiate keys, etc. */ @@ -125,8 +127,6 @@ /** * Returns whether the specified provider is Oracle provider or not. - *

- * Note that this method is only apply to SunJCE and SunPKCS11 at present. * * @param providerName * the provider name @@ -134,8 +134,11 @@ * {@code providerName} is Oracle provider */ public static final boolean isOracleJCEProvider(String providerName) { - return providerName != null && (providerName.equals("SunJCE") || - providerName.startsWith("SunPKCS11")); + return providerName != null && + (providerName.equals("SunJCE") || + providerName.equals("SunMSCAPI") || + providerName.equals("OracleUcrypto") || + providerName.startsWith("SunPKCS11")); } /** @@ -180,7 +183,7 @@ byte[] encoded, boolean isFailOver) { if (random == null) { - random = new SecureRandom(); + random = JCAUtil.getSecureRandom(); } byte[] replacer = new byte[48]; random.nextBytes(replacer); diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/validator/SimpleValidator.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/validator/SimpleValidator.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/validator/SimpleValidator.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/validator/SimpleValidator.java 2016-01-20 01:47:58.000000000 +0000 @@ -322,7 +322,7 @@ // if the certificate is self-issued, ignore the pathLenConstraint // checking. if (!X509CertImpl.isSelfIssued(cert)) { - if (maxPathLen <= 1) { // reserved one for end-entity certificate + if (maxPathLen <= 0) { throw new ValidatorException("Violated path length constraints", ValidatorException.T_CA_EXTENSIONS, cert); } diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/AlgorithmId.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/AlgorithmId.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/AlgorithmId.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/AlgorithmId.java 2016-01-20 01:47:58.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2006, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -541,9 +541,10 @@ for (Enumeration enum_ = provs[i].keys(); enum_.hasMoreElements(); ) { String alias = (String)enum_.nextElement(); + String upperCaseAlias = alias.toUpperCase(Locale.ENGLISH); int index; - if (alias.toUpperCase().startsWith("ALG.ALIAS") && - (index=alias.toUpperCase().indexOf("OID.", 0)) != -1) { + if (upperCaseAlias.startsWith("ALG.ALIAS") && + (index=upperCaseAlias.indexOf("OID.", 0)) != -1) { index += "OID.".length(); if (index == alias.length()) { // invalid alias entry @@ -553,19 +554,26 @@ oidTable = new HashMap(); } oidString = alias.substring(index); - String stdAlgName - = provs[i].getProperty(alias).toUpperCase(); - if (oidTable.get(stdAlgName) == null) { + String stdAlgName = provs[i].getProperty(alias); + if (stdAlgName != null) { + stdAlgName = stdAlgName.toUpperCase(Locale.ENGLISH); + } + if (stdAlgName != null && + oidTable.get(stdAlgName) == null) { oidTable.put(stdAlgName, new ObjectIdentifier(oidString)); } } } } + + if (oidTable == null) { + oidTable = Collections.emptyMap(); + } initOidTable = true; } - return oidTable.get(name.toUpperCase()); + return oidTable.get(name.toUpperCase(Locale.ENGLISH)); } private static ObjectIdentifier oid(int ... values) { diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/AVA.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/AVA.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/AVA.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/AVA.java 2016-01-20 01:47:58.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2006, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -1222,7 +1222,7 @@ (String keyword, int standard, Map extraKeywordMap) throws IOException { - keyword = keyword.toUpperCase(); + keyword = keyword.toUpperCase(Locale.ENGLISH); if (standard == AVA.RFC2253) { if (keyword.startsWith(" ") || keyword.endsWith(" ")) { throw new IOException("Invalid leading or trailing space " + diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/CRLDistributionPointsExtension.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/CRLDistributionPointsExtension.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/CRLDistributionPointsExtension.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/CRLDistributionPointsExtension.java 2016-01-20 01:47:58.000000000 +0000 @@ -29,6 +29,7 @@ import java.io.OutputStream; import java.util.*; +import java.util.Collections; import sun.security.util.DerOutputStream; import sun.security.util.DerValue; @@ -254,11 +255,12 @@ */ public void delete(String name) throws IOException { if (name.equalsIgnoreCase(POINTS)) { - distributionPoints = new ArrayList(); + distributionPoints = + Collections.emptyList(); } else { throw new IOException("Attribute name [" + name + - "] not recognized by " + - "CertAttrSet:" + extensionName + "."); + "] not recognized by " + + "CertAttrSet:" + extensionName + '.'); } encodeThis(); } diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/CRLNumberExtension.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/CRLNumberExtension.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/CRLNumberExtension.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/CRLNumberExtension.java 2016-01-20 01:47:58.000000000 +0000 @@ -157,11 +157,10 @@ */ public Object get(String name) throws IOException { if (name.equalsIgnoreCase(NUMBER)) { - if (crlNumber == null) return null; - else return crlNumber; + return crlNumber; } else { - throw new IOException("Attribute name not recognized by" - + " CertAttrSet:" + extensionName + "."); + throw new IOException("Attribute name not recognized by" + + " CertAttrSet:" + extensionName + '.'); } } diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/DNSName.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/DNSName.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/DNSName.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/DNSName.java 2016-01-20 01:47:58.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2000, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,6 +26,7 @@ package sun.security.x509; import java.io.IOException; +import java.util.Locale; import sun.security.util.*; @@ -198,8 +199,9 @@ else if (inputName.getType() != NAME_DNS) constraintType = NAME_DIFF_TYPE; else { - String inName = (((DNSName)inputName).getName()).toLowerCase(); - String thisName = name.toLowerCase(); + String inName = + (((DNSName)inputName).getName()).toLowerCase(Locale.ENGLISH); + String thisName = name.toLowerCase(Locale.ENGLISH); if (inName.equals(thisName)) constraintType = NAME_MATCH; else if (thisName.endsWith(inName)) { @@ -230,15 +232,15 @@ * @throws UnsupportedOperationException if not supported for this name type */ public int subtreeDepth() throws UnsupportedOperationException { - String subtree=name; - int i=1; + // subtree depth is always at least 1 + int sum = 1; - /* count dots */ - for (; subtree.lastIndexOf('.') >= 0; i++) { - subtree=subtree.substring(0,subtree.lastIndexOf('.')); + // count dots + for (int i = name.indexOf('.'); i >= 0; i = name.indexOf('.', i + 1)) { + ++sum; } - return i; + return sum; } } diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/EDIPartyName.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/EDIPartyName.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/EDIPartyName.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/EDIPartyName.java 2016-01-20 01:47:58.000000000 +0000 @@ -197,7 +197,7 @@ */ public int hashCode() { if (myhash == -1) { - myhash = 37 + party.hashCode(); + myhash = 37 + (party == null ? 1 : party.hashCode()); if (assigner != null) { myhash = 37 * myhash + assigner.hashCode(); } diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/GeneralSubtrees.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/GeneralSubtrees.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/GeneralSubtrees.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/GeneralSubtrees.java 2016-01-20 01:47:58.000000000 +0000 @@ -191,7 +191,7 @@ // the list: if any subsequent entry matches or widens entry n, // remove entry n. If any subsequent entries narrow entry n, remove // the subsequent entries. - for (int i = 0; i < size(); i++) { + for (int i = 0; i < (size() - 1); i++) { GeneralNameInterface current = getGeneralNameInterface(i); boolean remove1 = false; diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/IPAddressName.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/IPAddressName.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/IPAddressName.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/IPAddressName.java 2016-01-20 01:47:58.000000000 +0000 @@ -197,8 +197,10 @@ // append a mask corresponding to the num of prefix bits specified int prefixLen = Integer.parseInt(name.substring(slashNdx+1)); - if (prefixLen > 128) - throw new IOException("IPv6Address prefix is longer than 128"); + if (prefixLen < 0 || prefixLen > 128) { + throw new IOException("IPv6Address prefix length (" + + prefixLen + ") in out of valid range [0,128]"); + } // create new bit array initialized to zeros BitArray bitArray = new BitArray(MASKSIZE * 8); @@ -317,7 +319,8 @@ if (!(obj instanceof IPAddressName)) return false; - byte[] other = ((IPAddressName)obj).getBytes(); + IPAddressName otherName = (IPAddressName)obj; + byte[] other = otherName.address; if (other.length != address.length) return false; @@ -326,12 +329,10 @@ // Two subnet addresses // Mask each and compare masked values int maskLen = address.length/2; - byte[] maskedThis = new byte[maskLen]; - byte[] maskedOther = new byte[maskLen]; for (int i=0; i < maskLen; i++) { - maskedThis[i] = (byte)(address[i] & address[i+maskLen]); - maskedOther[i] = (byte)(other[i] & other[i+maskLen]); - if (maskedThis[i] != maskedOther[i]) { + byte maskedThis = (byte)(address[i] & address[i+maskLen]); + byte maskedOther = (byte)(other[i] & other[i+maskLen]); + if (maskedThis != maskedOther) { return false; } } @@ -400,7 +401,8 @@ else if (((IPAddressName)inputName).equals(this)) constraintType = NAME_MATCH; else { - byte[] otherAddress = ((IPAddressName)inputName).getBytes(); + IPAddressName otherName = (IPAddressName)inputName; + byte[] otherAddress = otherName.address; if (otherAddress.length == 4 && address.length == 4) // Two host addresses constraintType = NAME_SAME_TYPE; diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/IssuingDistributionPointExtension.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/IssuingDistributionPointExtension.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/IssuingDistributionPointExtension.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/IssuingDistributionPointExtension.java 2016-01-20 01:47:58.000000000 +0000 @@ -261,6 +261,7 @@ throw new IOException( "Attribute value should be of type ReasonFlags."); } + revocationReasons = (ReasonFlags)obj; } else if (name.equalsIgnoreCase(INDIRECT_CRL)) { if (!(obj instanceof Boolean)) { @@ -290,7 +291,6 @@ } hasOnlyAttributeCerts = ((Boolean)obj).booleanValue(); - } else { throw new IOException("Attribute name [" + name + "] not recognized by " + diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/KeyIdentifier.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/KeyIdentifier.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/KeyIdentifier.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/KeyIdentifier.java 2016-01-20 01:47:58.000000000 +0000 @@ -148,7 +148,7 @@ return true; if (!(other instanceof KeyIdentifier)) return false; - return java.util.Arrays.equals(octetString, - ((KeyIdentifier)other).getIdentifier()); + byte[] otherString = ((KeyIdentifier)other).octetString; + return java.util.Arrays.equals(octetString, otherString); } } diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/PolicyMappingsExtension.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/PolicyMappingsExtension.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/PolicyMappingsExtension.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/PolicyMappingsExtension.java 2016-01-20 01:47:58.000000000 +0000 @@ -104,7 +104,7 @@ public PolicyMappingsExtension() { extensionId = PKIXExtensions.KeyUsage_Id; critical = false; - maps = new ArrayList(); + maps = Collections.emptyList(); } /** diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/PrivateKeyUsageExtension.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/PrivateKeyUsageExtension.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/PrivateKeyUsageExtension.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/PrivateKeyUsageExtension.java 2016-01-20 01:47:58.000000000 +0000 @@ -206,16 +206,18 @@ */ public void valid(Date now) throws CertificateNotYetValidException, CertificateExpiredException { + if (now == null) + throw new NullPointerException(); /* * we use the internal Dates rather than the passed in Date * because someone could override the Date methods after() * and before() to do something entirely different. */ - if (notBefore.after(now)) { + if (notBefore != null && notBefore.after(now)) { throw new CertificateNotYetValidException("NotBefore: " + notBefore.toString()); } - if (notAfter.before(now)) { + if (notAfter != null && notAfter.before(now)) { throw new CertificateExpiredException("NotAfter: " + notAfter.toString()); } diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/RDN.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/RDN.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/RDN.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/RDN.java 2016-01-20 01:47:58.000000000 +0000 @@ -31,7 +31,12 @@ import java.security.PrivilegedExceptionAction; import java.security.AccessController; import java.security.Principal; -import java.util.*; +import java.util.ArrayList; +import java.util.Arrays; +import java.util.Collections; +import java.util.Comparator; +import java.util.List; +import java.util.Map; import sun.security.util.*; import sun.security.pkcs.PKCS9Attribute; @@ -448,31 +453,20 @@ assertion[0].toRFC2253String(oidMap); } - StringBuilder relname = new StringBuilder(); - if (!canonical) { - for (int i = 0; i < assertion.length; i++) { - if (i > 0) { - relname.append('+'); - } - relname.append(assertion[i].toRFC2253String(oidMap)); - } - } else { + AVA[] toOutput = assertion; + if (canonical) { // order the string type AVA's alphabetically, // followed by the oid type AVA's numerically - List avaList = new ArrayList(assertion.length); - for (int i = 0; i < assertion.length; i++) { - avaList.add(assertion[i]); - } - java.util.Collections.sort(avaList, AVAComparator.getInstance()); - - for (int i = 0; i < avaList.size(); i++) { - if (i > 0) { - relname.append('+'); - } - relname.append(avaList.get(i).toRFC2253CanonicalString()); - } + toOutput = assertion.clone(); + Arrays.sort(toOutput, AVAComparator.getInstance()); + } + StringBuilder sb = new StringBuilder(); + for (int a = 0; a < toOutput.length; ++a) { + if (a > 0) sb.append("+"); + sb.append(canonical ? toOutput[a].toRFC2253CanonicalString() + : toOutput[a].toRFC2253String(oidMap)); } - return relname.toString(); + return sb.toString(); } } diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/RFC822Name.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/RFC822Name.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/RFC822Name.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/RFC822Name.java 2016-01-20 01:47:58.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2000, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,6 +26,7 @@ package sun.security.x509; import java.io.IOException; +import java.util.Locale; import sun.security.util.*; @@ -187,8 +188,9 @@ constraintType = NAME_DIFF_TYPE; } else { //RFC2459 specifies that case is not significant in RFC822Names - String inName = (((RFC822Name)inputName).getName()).toLowerCase(); - String thisName = name.toLowerCase(); + String inName = + (((RFC822Name)inputName).getName()).toLowerCase(Locale.ENGLISH); + String thisName = name.toLowerCase(Locale.ENGLISH); if (inName.equals(thisName)) { constraintType = NAME_MATCH; } else if (thisName.endsWith(inName)) { diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/URIName.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/URIName.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/URIName.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/URIName.java 2016-01-20 01:47:58.000000000 +0000 @@ -167,7 +167,7 @@ String host = uri.getSchemeSpecificPart(); try { DNSName hostDNS; - if (host.charAt(0) == '.') { + if (host.startsWith(".")) { hostDNS = new DNSName(host.substring(1)); } else { hostDNS = new DNSName(host); diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/X500Name.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/X500Name.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/X500Name.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/X500Name.java 2016-01-20 01:47:58.000000000 +0000 @@ -347,6 +347,8 @@ for (int i = 0; i < names.length; i++) { list.addAll(names[i].avas()); } + list = Collections.unmodifiableList(list); + allAvaList = list; } return list; } @@ -365,9 +367,6 @@ */ public boolean isEmpty() { int n = names.length; - if (n == 0) { - return true; - } for (int i = 0; i < n; i++) { if (names[i].assertion.length != 0) { return false; diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/X509AttributeName.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/X509AttributeName.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/X509AttributeName.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/X509AttributeName.java 2016-01-20 01:47:58.000000000 +0000 @@ -47,7 +47,7 @@ */ public X509AttributeName(String name) { int i = name.indexOf(SEPARATOR); - if (i == (-1)) { + if (i < 0) { prefix = name; } else { prefix = name.substring(0, i); diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/X509CertImpl.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/X509CertImpl.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/X509CertImpl.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/X509CertImpl.java 2016-01-20 01:47:58.000000000 +0000 @@ -968,9 +968,7 @@ public byte[] getSignature() { if (signature == null) return null; - byte[] dup = new byte[signature.length]; - System.arraycopy(signature, 0, dup, 0, dup.length); - return dup; + return signature.clone(); } /** diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/X509CRLImpl.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/X509CRLImpl.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/security/x509/X509CRLImpl.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/security/x509/X509CRLImpl.java 2016-01-20 01:47:58.000000000 +0000 @@ -688,9 +688,7 @@ public byte[] getTBSCertList() throws CRLException { if (tbsCertList == null) throw new CRLException("Uninitialized CRL"); - byte[] dup = new byte[tbsCertList.length]; - System.arraycopy(tbsCertList, 0, dup, 0, dup.length); - return dup; + return tbsCertList.clone(); } /** @@ -701,9 +699,7 @@ public byte[] getSignature() { if (signature == null) return null; - byte[] dup = new byte[signature.length]; - System.arraycopy(signature, 0, dup, 0, dup.length); - return dup; + return signature.clone(); } /** diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/util/resources/TimeZoneNames_de.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/util/resources/TimeZoneNames_de.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/util/resources/TimeZoneNames_de.java 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/util/resources/TimeZoneNames_de.java 2016-01-20 01:47:58.000000000 +0000 @@ -352,6 +352,7 @@ {"America/Eirunepe", ACT}, {"America/El_Salvador", CST}, {"America/Ensenada", PST}, + {"America/Fort_Nelson", MST}, {"America/Fort_Wayne", EST}, {"America/Fortaleza", BRT}, {"America/Glace_Bay", AST}, diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/util/resources/TimeZoneNames_es.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/util/resources/TimeZoneNames_es.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/util/resources/TimeZoneNames_es.java 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/util/resources/TimeZoneNames_es.java 2016-01-20 01:47:58.000000000 +0000 @@ -352,6 +352,7 @@ {"America/Eirunepe", ACT}, {"America/El_Salvador", CST}, {"America/Ensenada", PST}, + {"America/Fort_Nelson", MST}, {"America/Fort_Wayne", EST}, {"America/Fortaleza", BRT}, {"America/Glace_Bay", AST}, diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/util/resources/TimeZoneNames_fr.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/util/resources/TimeZoneNames_fr.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/util/resources/TimeZoneNames_fr.java 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/util/resources/TimeZoneNames_fr.java 2016-01-20 01:47:58.000000000 +0000 @@ -352,6 +352,7 @@ {"America/Eirunepe", ACT}, {"America/El_Salvador", CST}, {"America/Ensenada", PST}, + {"America/Fort_Nelson", MST}, {"America/Fort_Wayne", EST}, {"America/Fortaleza", BRT}, {"America/Glace_Bay", AST}, diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/util/resources/TimeZoneNames_it.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/util/resources/TimeZoneNames_it.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/util/resources/TimeZoneNames_it.java 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/util/resources/TimeZoneNames_it.java 2016-01-20 01:47:58.000000000 +0000 @@ -352,6 +352,7 @@ {"America/Eirunepe", ACT}, {"America/El_Salvador", CST}, {"America/Ensenada", PST}, + {"America/Fort_Nelson", MST}, {"America/Fort_Wayne", EST}, {"America/Fortaleza", BRT}, {"America/Glace_Bay", AST}, diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/util/resources/TimeZoneNames_ja.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/util/resources/TimeZoneNames_ja.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/util/resources/TimeZoneNames_ja.java 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/util/resources/TimeZoneNames_ja.java 2016-01-20 01:47:58.000000000 +0000 @@ -352,6 +352,7 @@ {"America/Eirunepe", ACT}, {"America/El_Salvador", CST}, {"America/Ensenada", PST}, + {"America/Fort_Nelson", MST}, {"America/Fort_Wayne", EST}, {"America/Fortaleza", BRT}, {"America/Glace_Bay", AST}, diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/util/resources/TimeZoneNames.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/util/resources/TimeZoneNames.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/util/resources/TimeZoneNames.java 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/util/resources/TimeZoneNames.java 2016-01-20 01:47:58.000000000 +0000 @@ -352,6 +352,7 @@ {"America/Eirunepe", ACT}, {"America/El_Salvador", CST}, {"America/Ensenada", PST}, + {"America/Fort_Nelson", MST}, {"America/Fort_Wayne", EST}, {"America/Fortaleza", BRT}, {"America/Glace_Bay", AST}, diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/util/resources/TimeZoneNames_ko.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/util/resources/TimeZoneNames_ko.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/util/resources/TimeZoneNames_ko.java 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/util/resources/TimeZoneNames_ko.java 2016-01-20 01:47:58.000000000 +0000 @@ -352,6 +352,7 @@ {"America/Eirunepe", ACT}, {"America/El_Salvador", CST}, {"America/Ensenada", PST}, + {"America/Fort_Nelson", MST}, {"America/Fort_Wayne", EST}, {"America/Fortaleza", BRT}, {"America/Glace_Bay", AST}, diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/util/resources/TimeZoneNames_pt_BR.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/util/resources/TimeZoneNames_pt_BR.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/util/resources/TimeZoneNames_pt_BR.java 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/util/resources/TimeZoneNames_pt_BR.java 2016-01-20 01:47:58.000000000 +0000 @@ -352,6 +352,7 @@ {"America/Eirunepe", ACT}, {"America/El_Salvador", CST}, {"America/Ensenada", PST}, + {"America/Fort_Nelson", MST}, {"America/Fort_Wayne", EST}, {"America/Fortaleza", BRT}, {"America/Glace_Bay", AST}, diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/util/resources/TimeZoneNames_sv.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/util/resources/TimeZoneNames_sv.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/util/resources/TimeZoneNames_sv.java 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/util/resources/TimeZoneNames_sv.java 2016-01-20 01:47:58.000000000 +0000 @@ -352,6 +352,7 @@ {"America/Eirunepe", ACT}, {"America/El_Salvador", CST}, {"America/Ensenada", PST}, + {"America/Fort_Nelson", MST}, {"America/Fort_Wayne", EST}, {"America/Fortaleza", BRT}, {"America/Glace_Bay", AST}, diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/util/resources/TimeZoneNames_zh_CN.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/util/resources/TimeZoneNames_zh_CN.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/util/resources/TimeZoneNames_zh_CN.java 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/util/resources/TimeZoneNames_zh_CN.java 2016-01-20 01:47:58.000000000 +0000 @@ -352,6 +352,7 @@ {"America/Eirunepe", ACT}, {"America/El_Salvador", CST}, {"America/Ensenada", PST}, + {"America/Fort_Nelson", MST}, {"America/Fort_Wayne", EST}, {"America/Fortaleza", BRT}, {"America/Glace_Bay", AST}, diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/util/resources/TimeZoneNames_zh_TW.java openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/util/resources/TimeZoneNames_zh_TW.java --- openjdk-6-6b37-1.13.9/jdk/src/share/classes/sun/util/resources/TimeZoneNames_zh_TW.java 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/classes/sun/util/resources/TimeZoneNames_zh_TW.java 2016-01-20 01:47:58.000000000 +0000 @@ -352,6 +352,7 @@ {"America/Eirunepe", ACT}, {"America/El_Salvador", CST}, {"America/Ensenada", PST}, + {"America/Fort_Nelson", MST}, {"America/Fort_Wayne", EST}, {"America/Fortaleza", BRT}, {"America/Glace_Bay", AST}, diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/lib/security/java.security-linux openjdk-6-6b38-1.13.10/jdk/src/share/lib/security/java.security-linux --- openjdk-6-6b37-1.13.9/jdk/src/share/lib/security/java.security-linux 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/lib/security/java.security-linux 2016-01-20 01:47:58.000000000 +0000 @@ -423,7 +423,7 @@ # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048 # # -jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 +jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security # (SSL/TLS) processing diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/lib/security/java.security-solaris openjdk-6-6b38-1.13.10/jdk/src/share/lib/security/java.security-solaris --- openjdk-6-6b37-1.13.9/jdk/src/share/lib/security/java.security-solaris 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/lib/security/java.security-solaris 2016-01-20 01:47:58.000000000 +0000 @@ -383,7 +383,7 @@ # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048 # # -jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 +jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security # (SSL/TLS) processing diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/lib/security/java.security-windows openjdk-6-6b38-1.13.10/jdk/src/share/lib/security/java.security-windows --- openjdk-6-6b37-1.13.9/jdk/src/share/lib/security/java.security-windows 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/lib/security/java.security-windows 2016-01-20 01:47:58.000000000 +0000 @@ -400,7 +400,7 @@ # jdk.certpath.disabledAlgorithms=MD2, DSA, RSA keySize < 2048 # # -jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 +jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security # (SSL/TLS) processing diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/image/jpeg/jpegdecoder.c openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/image/jpeg/jpegdecoder.c --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/image/jpeg/jpegdecoder.c 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/image/jpeg/jpegdecoder.c 2016-01-20 01:47:58.000000000 +0000 @@ -174,6 +174,7 @@ int *ip; unsigned char *bp; } outbuf; + size_t outbufSize; jobject hOutputBuffer; }; @@ -227,6 +228,7 @@ } if (src->hOutputBuffer) { assert(src->outbuf.ip == 0); + src->outbufSize = (*env)->GetArrayLength(env, src->hOutputBuffer); src->outbuf.ip = (int *)(*env)->GetPrimitiveArrayCritical (env, src->hOutputBuffer, 0); if (src->outbuf.ip == 0) { @@ -671,8 +673,8 @@ cinfo.output_scanline - 1); } else { if (hasalpha) { - ip = jsrc.outbuf.ip + cinfo.image_width; - bp = jsrc.outbuf.bp + cinfo.image_width * 4; + ip = jsrc.outbuf.ip + jsrc.outbufSize; + bp = jsrc.outbuf.bp + jsrc.outbufSize * 4; while (ip > jsrc.outbuf.ip) { pixel = (*--bp) << 24; pixel |= (*--bp); @@ -681,8 +683,8 @@ *--ip = pixel; } } else { - ip = jsrc.outbuf.ip + cinfo.image_width; - bp = jsrc.outbuf.bp + cinfo.image_width * 3; + ip = jsrc.outbuf.ip + jsrc.outbufSize; + bp = jsrc.outbuf.bp + jsrc.outbufSize * 3; while (ip > jsrc.outbuf.ip) { pixel = (*--bp); pixel |= (*--bp) << 8; diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/CHANGES openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/CHANGES --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/CHANGES 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/CHANGES 2016-01-20 01:47:58.000000000 +0000 @@ -23,13 +23,17 @@ * questions. */ +#if 0 CHANGES - changes for libpng -Version 0.2 +version 0.1 [March 29, 1995] + initial work-in-progress release + +version 0.2 [April 1, 1995] added reader into png.h fixed small problems in stub file -Version 0.3 +version 0.3 [April 8, 1995] added pull reader split up pngwrite.c to several files added pnglib.txt @@ -38,9 +42,9 @@ fixed some bugs in writer interfaced with zlib 0.5 added K&R support - added check for 64 KB blocks for 16-bit machines + added check for 64 KB blocks for 16 bit machines -Version 0.4 +version 0.4 [April 26, 1995] cleaned up code and commented code simplified time handling into png_time created png_color_16 and png_color_8 to handle color needs @@ -51,28 +55,29 @@ cleaned up zTXt reader and writer (using zlib's Reset functions) split transformations into pngrtran.c and pngwtran.c -Version 0.5 +version 0.5 [April 30, 1995] interfaced with zlib 0.8 fixed many reading and writing bugs saved using 3 spaces instead of tabs -Version 0.6 +version 0.6 [May 1, 1995] + first beta release added png_large_malloc() and png_large_free() added png_size_t cleaned up some compiler warnings added png_start_read_image() -Version 0.7 +version 0.7 [June 24, 1995] cleaned up lots of bugs finished dithering and other stuff added test program changed name from pnglib to libpng -Version 0.71 [June, 1995] +version 0.71 [June 26, 1995] changed pngtest.png for zlib 0.93 fixed error in libpng.txt and example.c -Version 0.8 +version 0.8 [August 20, 1995] cleaned up some bugs added png_set_filler() split up pngstub.c into pngmem.c, pngio.c, and pngerror.c @@ -115,7 +120,7 @@ cleaned up documentation added callbacks for read/write and warning/error functions -Version 0.89 [July, 1996] +Version 0.89 [June 5, 1996] Added new initialization API to make libpng work better with shared libs we now have png_create_read_struct(), png_create_write_struct(), png_create_info_struct(), png_destroy_read_struct(), and @@ -142,6 +147,9 @@ New pngtest image also has interlacing and zTXt Updated documentation to reflect new API +Version 0.89c [June 17, 1996] + Bug fixes. + Version 0.90 [January, 1997] Made CRC errors/warnings on critical and ancillary chunks configurable libpng will use the zlib CRC routines by (compile-time) default @@ -182,7 +190,7 @@ Added new pCAL chunk read/write support Added experimental filter selection weighting (Greg Roelofs) Removed old png_set_rgbx() and png_set_xrgb() functions that have been - obsolete for about 2 years now (use png_set_filler() instead) + obsolete for about 2 years now (use png_set_filler() instead) Added macros to read 16- and 32-bit ints directly from buffer, to be used only on those systems that support it (namely PowerPC and 680x0) With some testing, this may become the default for MACOS/PPC systems. @@ -464,7 +472,7 @@ Version 1.0.3a [August 12, 1999] Added check for PNG_READ_INTERLACE_SUPPORTED in pngread.c; issue a warning - if an attempt is made to read an interlaced image when it's not supported. + if an attempt is made to read an interlaced image when it's not supported. Added check if png_ptr->trans is defined before freeing it in pngread.c Modified the Y2K statement to include versions back to version 0.71 Fixed a bug in the check for valid IHDR bit_depth/color_types in pngrutil.c @@ -472,7 +480,7 @@ Replaced leading blanks with tab characters in makefile.hux Changed "dworkin.wustl.edu" to "ccrc.wustl.edu" in various documents. Changed (float)red and (float)green to (double)red, (double)green - in png_set_rgb_to_gray() to avoid "promotion" problems in AIX. + in png_set_rgb_to_gray() to avoid "promotion" problems in AIX. Fixed a bug in pngconf.h that omitted when PNG_DEBUG==0 (K Bracey). Reformatted libpng.3 and libpngpf.3 with proper fonts (script by J. vanZandt). Updated documentation to refer to the PNG-1.2 specification. @@ -515,7 +523,7 @@ Added new png_expand functions to scripts/pngdef.pas and pngos2.def Added a demo read_user_transform_fn that examines the row filters in pngtest.c -Version 1.0.4 [September 24, 1999] +Version 1.0.4 [September 24, 1999, not distributed publicly] Define PNG_ALWAYS_EXTERN in pngconf.h if __STDC__ is defined Delete #define PNG_INTERNAL and include "png.h" from pngasmrd.h Made several minor corrections to pngtest.c @@ -542,6 +550,7 @@ Added a "png_check_version" function in png.c and pngtest.c that will generate a helpful compiler error if an old png.h is found in the search path. Changed type of png_user_transform_depth|channels from int to png_byte. + Added "Libpng is OSI Certified Open Source Software" statement to png.h Version 1.0.4d [October 6, 1999] Changed 0.45 to 0.45455 in png_set_sRGB() @@ -928,7 +937,7 @@ Version 1.0.8beta1 [July 8, 2000] Added png_free(png_ptr, key) two places in pngpread.c to stop memory leaks. Changed PNG_NO_STDIO to PNG_NO_CONSOLE_IO, several places in pngrutil.c and - pngwutil.c. + pngwutil.c. Changed PNG_EXPORT_VAR to use PNG_IMPEXP, in pngconf.h. Removed unused "#include " from png.c Added WindowsCE support. @@ -936,12 +945,12 @@ Version 1.0.8beta2 [July 10, 2000] Added project files to the wince directory and made further revisions - of pngtest.c, pngrio.c, and pngwio.c in support of WindowsCE. + of pngtest.c, pngrio.c, and pngwio.c in support of WindowsCE. Version 1.0.8beta3 [July 11, 2000] Only set the PNG_FLAG_FREE_TRNS or PNG_FREE_TRNS flag in png_handle_tRNS() - for indexed-color input files to avoid potential double-freeing trans array - under some unusual conditions; problem was introduced in version 1.0.6f. + for indexed-color input files to avoid potential double-freeing trans array + under some unusual conditions; problem was introduced in version 1.0.6f. Further revisions to pngtest.c and files in the wince subdirectory. Version 1.0.8beta4 [July 14, 2000] @@ -1113,16 +1122,16 @@ Version 1.2.0beta4 [June 23, 2001] Check for missing profile length field in iCCP chunk and free chunk_data - in case of truncated iCCP chunk. + in case of truncated iCCP chunk. Bumped shared-library number to 3 in makefile.sgi and makefile.sggcc Bumped dll-number from 2 to 3 in makefile.cygwin Revised contrib/gregbook/rpng*-x.c to avoid a memory leak and to exit cleanly - if user attempts to run it on an 8-bit display. + if user attempts to run it on an 8-bit display. Updated contrib/gregbook Use png_malloc instead of png_zalloc to allocate palette in pngset.c Updated makefile.ibmc Added some typecasts to eliminate gcc 3.0 warnings. Changed prototypes - of png_write_oFFS width and height from png_uint_32 to png_int_32. + of png_write_oFFS width and height from png_uint_32 to png_int_32. Updated example.c Revised prototypes for png_debug_malloc and png_debug_free in pngtest.c @@ -1130,9 +1139,9 @@ Revised contrib/gregbook Revised makefile.gcmmx Revised pnggccrd.c to conditionally compile some thread-unsafe code only - when PNG_THREAD_UNSAFE_OK is defined. + when PNG_THREAD_UNSAFE_OK is defined. Added tests to prevent pngwutil.c from writing a bKGD or tRNS chunk with - value exceeding 2^bit_depth-1 + value exceeding 2^bit_depth-1 Revised makefile.sgi and makefile.sggcc Replaced calls to fprintf(stderr,...) with png_warning() in pnggccrd.c Removed restriction that do_invert_mono only operate on 1-bit opaque files @@ -1473,8 +1482,9 @@ Use png_malloc instead of png_zalloc to allocate the pallete. Version 1.0.16rc1 and 1.2.6rc1 [August 4, 2004] - Fixed buffer overflow vulnerability in png_handle_tRNS() - Fixed integer arithmetic overflow vulnerability in png_read_png(). + Fixed buffer overflow vulnerability (CVE-2004-0597) in png_handle_tRNS(). + Fixed NULL dereference vulnerability (CVE-2004-0598) in png_handle_iCCP(). + Fixed integer overflow vulnerability (CVE-2004-0599) in png_read_png(). Fixed some harmless bugs in png_handle_sBIT, etc, that would cause duplicate chunk types to go undetected. Fixed some timestamps in the -config version @@ -1517,7 +1527,7 @@ Version 1.0.16rc5 and 1.2.6rc5 [August 10, 2004] Moved "PNG_HANDLE_CHUNK_*" macros out of PNG_ASSEMBLER_CODE_SUPPORTED - section of png.h where they were inadvertently placed in version rc3. + section of png.h where they were inadvertently placed in version rc3. Version 1.2.6 and 1.0.16 [August 15, 2004] Revised pngtest so memory allocation testing is only done when PNG_DEBUG==1. @@ -2126,7 +2136,7 @@ png_decompress_chunk(), and remove "chunkdata" from parameter list. Put a call to png_check_chunk_name() in png_read_chunk_header(). Revised png_check_chunk_name() to reject a name with a lowercase 3rd byte. - Removed two calls to png_check_chunk_name() occuring later in the process. + Removed two calls to png_check_chunk_name() occurring later in the process. Define PNG_NO_ERROR_NUMBERS by default in pngconf.h Version 1.4.0beta25 [July 30, 2008] @@ -2349,7 +2359,7 @@ Version 1.4.0beta64 [June 24, 2009] Eliminated PNG_LEGACY_SUPPORTED code. Moved the various unknown chunk macro definitions outside of the - PNG_READ|WRITE_ANCILLARY_CHUNK_SUPPORTED blocks. + PNG_READ|WRITE_ANCILLARY_CHUNK_SUPPORTED blocks. Version 1.4.0beta65 [June 26, 2009] Added a reference to the libpng license in each file. @@ -3771,8 +3781,9 @@ Version 1.5.7beta05 [November 25, 2011] Removed "zTXt" from warning in generic chunk decompression function. - Validate time settings passed to pngset() and png_convert_to_rfc1123() - (Frank Busse). + Validate time settings passed to png_set_tIME() and png_convert_to_rfc1123() + (Frank Busse). Note: This prevented CVE-2015-7981 from affecting + libpng-1.5.7 and later. Added MINGW support to CMakeLists.txt Reject invalid compression flag or method when reading the iTXt chunk. Backed out 'simplified' API changes. The API seems too complex and there @@ -3818,12 +3829,13 @@ (the other two required headers aren't used). Non-ANSI systems that don't have stddef.h or limits.h will have to provide an appropriate fake containing the relevant types and #defines. - The use of FAR/far has been eliminated and the definition of png_alloc_size_t - is now controlled by a flag so that 'small size_t' systems can select it - if necessary. Libpng 1.6 may not currently work on such systems -- it - seems likely that it will ask 'malloc' for more than 65535 bytes with any - image that has a sufficiently large row size (rather than simply failing - to read such images). + Dropped support for 16-bit platforms. The use of FAR/far has been eliminated + and the definition of png_alloc_size_t is now controlled by a flag so + that 'small size_t' systems can select it if necessary. Libpng 1.6 may + not currently work on such systems -- it seems likely that it will + ask 'malloc' for more than 65535 bytes with any image that has a + sufficiently large row size (rather than simply failing to read such + images). New tools directory containing tools used to generate libpng code. Fixed race conditions in parallel make builds. With higher degrees of parallelism during 'make' the use of the same temporary file names such @@ -4435,7 +4447,7 @@ Version 1.6.1beta03 [February 22, 2013] Fixed ALIGNED_MEMORY support. - Allow run-time ARM NEON checking to be disabled. A new configure option: + Added a new configure option: --enable-arm-neon=always will stop the run-time checks. New checks within arm/arm_init.c will cause the code not to be compiled unless __ARM_NEON__ is set. This should make it fail safe (if someone asks @@ -4454,10 +4466,10 @@ Version 1.6.1beta06 [March 4, 2013] Better documentation of unknown handling API interactions. Corrected Android builds and corrected libpng.vers with symbol - prefixing. This adds an API to set optimization options externally, + prefixing. It also makes those tests compile and link on Android. + Added an API png_set_option() to set optimization options externally, providing an alternative and general solution for the non-portable - run-time tests used by the ARM Neon code. It also makes those tests - compile and link on Android. + run-time tests used by the ARM Neon code, using the PNG_ARM_NEON option. The order of settings vs options in pnglibconf.h is reversed to allow settings to depend on options and options can now set (or override) the defaults for settings. @@ -4549,13 +4561,14 @@ Expanded manual paragraph about writing private chunks, particularly the need to call png_set_keep_unknown_chunks() when writing them. Avoid dereferencing NULL pointer possibly returned from - png_create_write_struct() (Andrew Church). + png_create_write_struct() (Andrew Church). Version 1.6.3beta05 [May 9, 2013] Calculate our own zlib windowBits when decoding rather than trusting the CMF bytes in the PNG datastream. Added an option to force maximum window size for inflating, which was - the behavior of libpng15 and earlier. + the behavior of libpng15 and earlier, via a new PNG_MAXIMUM_INFLATE_WINDOW + option for png_set_options(). Added png-fix-itxt and png-fix-too-far-back to the built programs and removed warnings from the source code and timepng that are revealed as a result. @@ -5138,17 +5151,326 @@ Version 1.6.16rc01 [December 21, 2014] Restored a test on width that was removed from png.c at libpng-1.6.9 - (Bug report by Alex Eubanks). + (Bug report by Alex Eubanks, CVE-2015-0973). Version 1.6.16rc02 [December 21, 2014] Undid the update to pngrutil.c in 1.6.16rc01. Version 1.6.16rc03 [December 21, 2014] - Fixed an overflow in png_combine_row with very wide interlaced images. + Fixed an overflow in png_combine_row() with very wide interlaced images + (Bug report and fix by John Bowler, CVE-2014-9495). Version 1.6.16 [December 22, 2014] No changes. +Version 1.6.17beta01 [January 29, 2015] + Removed duplicate PNG_SAFE_LIMITS_SUPPORTED handling from pngconf.h + Corrected the width limit calculation in png_check_IHDR(). + Removed user limits from pngfix. Also pass NULL pointers to + png_read_row to skip the unnecessary row de-interlace stuff. + Added testing of png_set_packing() to pngvalid.c + Regenerated configure scripts in the *.tar distributions with libtool-2.4.4 + Implement previously untested cases of libpng transforms in pngvalid.c + Fixed byte order in png_do_read_filler() with 16-bit input. Previously + the high and low bytes of the filler, from png_set_filler() or from + png_set_add_alpha(), were read in the wrong order. + Made the check for out-of-range values in png_set_tRNS() detect + values that are exactly 2^bit_depth, and work on 16-bit platforms. + Merged some parts of libpng-1.6.17beta01 and libpng-1.7.0beta47. + Added #ifndef __COVERITY__ where needed in png.c, pngrutil.c and + pngset.c to avoid warnings about dead code. + Added "& 0xff" to many instances of expressions that are typecast + to (png_byte), to avoid Coverity warnings. + +Version 1.6.17beta02 [February 7, 2015] + Work around one more Coverity-scan dead-code warning. + Do not build png_product2() when it is unused. + +Version 1.6.17beta03 [February 17, 2015] + Display user limits in the output from pngtest. + Eliminated the PNG_SAFE_LIMITS macro and restored the 1-million-column + and 1-million-row default limits in pnglibconf.dfa, that can be reset + by the user at build time or run time. This provides a more robust + defense against DOS and as-yet undiscovered overflows. + +Version 1.6.17beta04 [February 21, 2015] + Added PNG_WRITE_CUSTOMIZE_COMPRESSION_SUPPORTED macro, on by default. + Allow user to call png_get_IHDR() with NULL arguments (Reuben Hawkins). + Rebuilt configure scripts with automake-1.15 and libtool-2.4.6 + +Version 1.6.17beta05 [February 25, 2015] + Restored compiling of png_reciprocal2 with PNG_NO_16BIT. + +Version 1.6.17beta06 [February 27, 2015] + Moved png_set_filter() prototype into a PNG_WRITE_SUPPORTED block + of png.h. + Avoid runtime checks when converting integer to png_byte with + Visual Studio (Sergey Kosarevsky) + +Version 1.6.17rc01 [March 4, 2015] + No changes. + +Version 1.6.17rc02 [March 9, 2015] + Removed some comments that the configure script did not handle + properly from scripts/pnglibconf.dfa and pnglibconf.h.prebuilt. + Free the unknown_chunks structure even when it contains no data. + +Version 1.6.17rc03 [March 12, 2015] + Updated CMakeLists.txt to add OSX framework, change YES/NO to ON/OFF + for consistency, and remove some useless tests (Alexey Petruchik). + +Version 1.6.17rc04 [March 16, 2015] + Remove pnglibconf.h, pnglibconf.c, and pnglibconf.out instead of + pnglibconf.* in "make clean" (Cosmin). + Fix bug in calculation of maxbits, in png_write_sBIT, introduced + in libpng-1.6.17beta01 (John Bowler). + +Version 1.6.17rc05 [March 21, 2015] + Define PNG_FILTER_* and PNG_FILTER_VALUE_* in png.h even when WRITE + is not supported (John Bowler). This fixes an error introduced in + libpng-1.6.17beta06. + Reverted "& 0xff" additions of version 1.6.17beta01. Libpng passes + the Coverity scan without them. + +Version 1.6.17rc06 [March 23, 2015] + Remove pnglibconf.dfn and pnglibconf.pre with "make clean". + Reformatted some "&0xff" instances to "& 0xff". + Fixed simplified 8-bit-linear to sRGB alpha. The calculated alpha + value was wrong. It's not clear if this affected the final stored + value; in the obvious code path the upper and lower 8-bits of the + alpha value were identical and the alpha was truncated to 8-bits + rather than dividing by 257 (John Bowler). + +Version 1.6.17 [March 26, 2015] + No changes. + +Version 1.6.18beta01 [April 1, 2015] + Removed PNG_SET_CHUNK_[CACHE|MALLOC]_LIMIT_SUPPORTED macros. They + have been combined with PNG_SET_USER_LIMITS_SUPPORTED (resolves + bug report by Andrew Church). + Fixed rgb_to_gray checks and added tRNS checks to pngvalid.c. This + fixes some arithmetic errors that caused some tests to fail on + some 32-bit platforms (Bug reports by Peter Breitenlohner [i686] + and Petr Gajdos [i586]). + +Version 1.6.18beta02 [April 26, 2015] + Suppressed some warnings from the Borland C++ 5.5.1/5.82 compiler + (Bug report by Viktor Szakats). + +Version 1.6.18beta03 [May 6, 2015] + Replaced "unexpected" with an integer (0xabadca11) in pngset.c + where a long was expected, to avoid a compiler warning when PNG_DEBUG > 1. + Added contrib/examples/simpleover.c, to demonstrate how to handle + alpha compositing of multiple images, using the "simplified API" + and an example PNG generation tool, contrib/examples/genpng.c + (John Bowler). + +Version 1.6.18beta04 [May 20, 2015] + PNG_RELEASE_BUILD replaces tests where the code depended on the build base + type and can be defined on the command line, allowing testing in beta + builds (John Bowler). + Avoid Coverity issue 80858 (REVERSE NULL) in pngtest.c PNG_DEBUG builds. + Avoid a harmless potential integer overflow in png_XYZ_from_xy() (Bug + report from Christopher Ferris). + +Version 1.6.18beta05 [May 31, 2015] + Backport filter selection code from libpng-1.7.0beta51, to combine + sub_row, up_row, avg_row, and paeth_row into try_row and tst_row. + Changed png_voidcast(), etc., to voidcast(), etc., in contrib/tools/pngfix.c + to avoid confusion with the libpng private macros. + Fixed old cut&paste bug in the weighted filter selection code in + pngwutil.c, introduced in libpng-0.95, March 1997. + +Version 1.6.18beta06 [June 1, 2015] + Removed WRITE_WEIGHTED_FILTERED code, to save a few kbytes of the + compiled library size. It never worked properly and as far as we can + tell, no one uses it. The png_set_filter_heuristics() and + png_set_filter_heuristics_fixed() APIs are retained but deprecated + and do nothing. + +Version 1.6.18beta07 [June 6, 2015] + Removed non-working progressive reader 'skip' function. This + function has apparently never been used. It was implemented + to support back-door modification of png_struct in libpng-1.4.x + but (because it does nothing and cannot do anything) was apparently + never tested (John Bowler). + Fixed cexcept.h in which GCC 5 now reports that one of the auto + variables in the Try macro needs to be volatile to prevent value + being lost over the setjmp (John Bowler). + Fixed NO_WRITE_FILTER and -Wconversion build breaks (John Bowler). + Fix g++ build breaks (John Bowler). + Quieted some Coverity issues in pngfix.c, png-fix-itxt.c, pngvalid.c, + pngstest.c, and pngimage.c. Most seem harmless, but png-fix-itxt + would only work with iTXt chunks with length 255 or less. + Added #ifdef's to contrib/examples programs so people don't try + to compile them without the minimum required support enabled + (suggested by Flavio Medeiros). + +Version 1.6.18beta08 [June 30, 2015] + Eliminated the final two Coverity defects (insecure temporary file + handling in contrib/libtests/pngstest.c; possible overflow of + unsigned char in contrib/tools/png-fix-itxt.c). To use the "secure" + file handling, define PNG_USE_MKSTEMP, otherwise "tmpfile()" will + be used. + Removed some unused WEIGHTED_FILTER macros from png.h and pngstruct.h + +Version 1.6.18beta09 [July 5, 2015] + Removed some useless typecasts from contrib/tools/png-fix-itxt.c + Fixed a new signed-unsigned comparison in pngrtran.c (Max Stepin). + Replaced arbitrary use of 'extern' with #define PNG_LINKAGE_*. To + preserve API compatibility, the new defines all default to "extern" + (requested by Jan Nijtmans). + +Version 1.6.18rc01 [July 9, 2015] + Belatedly added Mans Rullgard and James Yu to the list of Contributing + Authors. + +Version 1.6.18rc02 [July 12, 2015] + Restored unused FILTER_HEURISTIC macros removed at libpng-1.6.18beta08 + to png.h to avoid compatibility warnings. + +Version 1.6.18rc03 [July 15, 2015] + Minor changes to the man page + +Version 1.6.18 [July 23, 2015] + No changes. + +Version 1.6.19beta01 [July 30, 2015] + Updated obsolete information about the simplified API macros in the + manual pages (Bug report by Arc Riley). + Avoid potentially dereferencing NULL info_ptr in png_info_init_3(). + Rearranged png.h to put the major sections in the same order as + in libpng17. + Eliminated unused PNG_COST_SHIFT, PNG_WEIGHT_SHIFT, PNG_COST_FACTOR, and + PNG_WEIGHT_FACTOR macros. + Suppressed some warnings from the Borland C++ 5.5.1/5.82 compiler + (Bug report by Viktor Szakats). Several warnings remain and are + unavoidable, where we test for overflow. + Fixed potential leak of png_pixels in contrib/pngminus/pnm2png.c + Fixed uninitialized variable in contrib/gregbook/rpng2-x.c + +Version 1.6.19beta02 [August 19, 2015] + Moved config.h.in~ from the "libpng_autotools_files" list to the + "libpng_autotools_extra" list in autogen.sh because it was causing a + false positive for missing files (bug report by Robert C. Seacord). + Removed unreachable "break" statements in png.c, pngread.c, and pngrtran.c + to suppress clang warnings (Bug report by Viktor Szakats). + Fixed some bad links in the man page. + Changed "n bit" to "n-bit" in comments. + Added signed/unsigned 16-bit safety net. This removes the dubious + 0x8000 flag definitions on 16-bit systems. They aren't supported + yet the defs *probably* work, however it seems much safer to do this + and be advised if anyone, contrary to advice, is building libpng 1.6 + on a 16-bit system. It also adds back various switch default clauses + for GCC; GCC errors out if they are not present (with an appropriately + high level of warnings). + Safely convert num_bytes to a png_byte in png_set_sig_bytes() (Robert + Seacord). + Fixed the recently reported 1's complement security issue by replacing + the value that is illegal in the PNG spec, in both signed and unsigned + values, with 0. Illegal unsigned values (anything greater than or equal + to 0x80000000) can still pass through, but since these are not illegal + in ANSI-C (unlike 0x80000000 in the signed case) the checking that + occurs later can catch them (John Bowler). + +Version 1.6.19beta03 [September 26, 2015] + Fixed png_save_int_32 when int is not 2's complement (John Bowler). + Updated libpng16 with all the recent test changes from libpng17, + including changes to pngvalid.c to ensure that the original, + distributed, version of contrib/visupng/cexcept.h can be used + (John Bowler). + pngvalid contains the correction to the use of SAVE/STORE_ + UNKNOWN_CHUNKS; a bug revealed by changes in libpng 1.7. More + tests contain the --strict option to detect warnings and the + pngvalid-standard test has been corrected so that it does not + turn on progressive-read. There is a separate test which does + that. (John Bowler) + Also made some signed/unsigned fixes. + Make pngstest error limits version specific. Splitting the machine + generated error structs out to a file allows the values to be updated + without changing pngstest.c itself. Since libpng 1.6 and 1.7 have + slightly different error limits this simplifies maintenance. The + makepngs.sh script has also been updated to more accurately reflect + current problems in libpng 1.7 (John Bowler). + Incorporated new test PNG files into make check. tests/pngstest-* + are changed so that the new test files are divided into 8 groups by + gamma and alpha channel. These tests have considerably better code + and pixel-value coverage than contrib/pngsuite; however,coverage is + still incomplete (John Bowler). + Removed the '--strict' in 1.6 because of the double-gamma-correction + warning, updated pngstest-errors.h for the errors detected with the + new contrib/testspngs PNG test files (John Bowler). + +Version 1.6.19beta04 [October 15, 2015] + Worked around rgb-to-gray issues in libpng 1.6. The previous + attempts to ignore the errors in the code aren't quite enough to + deal with the 'channel selection' encoding added to libpng 1.7; abort. + pngvalid.c is changed to drop this encoding in prior versions. + Fixed 'pow' macros in pngvalid.c. It is legal for 'pow' to be a + macro, therefore the argument list cannot contain preprocessing + directives. Make sure pow is a function where this happens. This is + a minimal safe fix, the issue only arises in non-performance-critical + code (bug report by Curtis Leach, fix by John Bowler). + Added sPLT support to pngtest.c + +Version 1.6.19rc01 [October 23, 2015] + No changes. + +Version 1.6.19rc02 [October 31, 2015] + Prevent setting or writing over-length PLTE chunk (Cosmin Truta). + Silently truncate over-length PLTE chunk while reading. + Libpng incorrectly calculated the output rowbytes when the application + decreased either the number of channels or the bit depth (or both) in + a user transform. This was safe; libpng overallocated buffer space + (potentially by quite a lot; up to 4 times the amount required) but, + from 1.5.4 on, resulted in a png_error (John Bowler). + +Version 1.6.19rc03 [November 3, 2015] + Fixed some inconsequential cut-and-paste typos in png_set_cHRM_XYZ_fixed(). + Clarified COPYRIGHT information to state explicitly that versions + are derived from previous versions. + Removed much of the long list of previous versions from png.h and + libpng.3. + +Version 1.6.19rc04 [November 5, 2015] + Fixed new bug with CRC error after reading an over-length palette + (bug report by Cosmin Truta) (CVE-2015-8126). + +Version 1.6.19 [November 12, 2015] + Cleaned up coding style in png_handle_PLTE(). + +Version 1.6.20beta01 [November 20, 2015] + Avoid potential pointer overflow/underflow in png_handle_sPLT() and + png_handle_pCAL() (Bug report by John Regehr). + +Version 1.6.20beta02 [November 23, 2015] + Fixed incorrect implementation of png_set_PLTE() that uses png_ptr + not info_ptr, that left png_set_PLTE() open to the CVE-2015-8126 + vulnerability. + +Version 1.6.20beta03 [November 24, 2015] + Backported tests from libpng-1.7.0beta69. + +Version 1.6.20rc01 [November 26, 2015] + Fixed an error in handling of bad zlib CMINFO field in pngfix, found by + American Fuzzy Lop, reported by Brian Carpenter. inflate() doesn't + immediately fault a bad CMINFO field; instead a 'too far back' error + happens later (at least some times). pngfix failed to limit CMINFO to + the allowed values but then assumed that window_bits was in range, + triggering an assert. The bug is mostly harmless; the PNG file cannot + be fixed. + +Version 1.6.20rc02 [November 29, 2015] + In libpng 1.6 zlib initialization was changed to use the window size + in the zlib stream, not a fixed value. This causes some invalid images, + where CINFO is too large, to display 'correctly' if the rest of the + data is valid. This provides a workaround for zlib versions where the + error arises (ones that support the API change to use the window size + in the stream). + +Version 1.6.20 [December 3, 2015] + No changes. + Send comments/corrections/commendations to png-mng-implement at lists.sf.net (subscription required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement @@ -5156,3 +5478,4 @@ or to glennrp at users.sourceforge.net Glenn R-P +#endif diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/LICENSE openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/LICENSE --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/LICENSE 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/LICENSE 2016-01-20 01:47:58.000000000 +0000 @@ -10,21 +10,18 @@ This code is released under the libpng license. -libpng versions 1.2.6, August 15, 2004, through 1.6.16, December 22, 2014, are -Copyright (c) 2004, 2006-2014 Glenn Randers-Pehrson, and are -distributed according to the same disclaimer and license as libpng-1.2.5 -with the following individual added to the list of Contributing Authors - - Cosmin Truta - -libpng versions 1.0.7, July 1, 2000, through 1.2.5 - October 3, 2002, are -Copyright (c) 2000-2002 Glenn Randers-Pehrson, and are -distributed according to the same disclaimer and license as libpng-1.0.6 -with the following individuals added to the list of Contributing Authors +libpng versions 1.0.7, July 1, 2000, through 1.6.20, December 3, 2015, are +Copyright (c) 2000-2002, 2004, 2006-2015 Glenn Randers-Pehrson, are +derived from libpng-1.0.6, and are distributed according to the same +disclaimer and license as libpng-1.0.6 with the following individuals +added to the list of Contributing Authors: Simon-Pierre Cadieux Eric S. Raymond + Mans Rullgard + Cosmin Truta Gilles Vollant + James Yu and with the following additions to the disclaimer: @@ -36,18 +33,20 @@ the user. libpng versions 0.97, January 1998, through 1.0.6, March 20, 2000, are -Copyright (c) 1998, 1999 Glenn Randers-Pehrson, and are -distributed according to the same disclaimer and license as libpng-0.96, -with the following individuals added to the list of Contributing Authors: +Copyright (c) 1998-2000 Glenn Randers-Pehrson, are derived from +libpng-0.96, and are distributed according to the same disclaimer and +license as libpng-0.96, with the following individuals added to the list +of Contributing Authors: Tom Lane Glenn Randers-Pehrson Willem van Schaik libpng versions 0.89, June 1996, through 0.96, May 1997, are -Copyright (c) 1996, 1997 Andreas Dilger -Distributed according to the same disclaimer and license as libpng-0.88, -with the following individuals added to the list of Contributing Authors: +Copyright (c) 1996-1997 Andreas Dilger, are derived from libpng-0.88, +and are distributed according to the same disclaimer and license as +libpng-0.88, with the following individuals added to the list of +Contributing Authors: John Bowler Kevin Bracey @@ -57,7 +56,7 @@ Tom Tanner libpng versions 0.5, May 1995, through 0.88, January 1996, are -Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc. +Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. For the purposes of this copyright and license, "Contributing Authors" is defined as the following set of individuals: @@ -80,13 +79,13 @@ source code, or portions hereof, for any purpose, without fee, subject to the following restrictions: -1. The origin of this source code must not be misrepresented. + 1. The origin of this source code must not be misrepresented. -2. Altered versions must be plainly marked as such and must not - be misrepresented as being the original source. + 2. Altered versions must be plainly marked as such and must not + be misrepresented as being the original source. -3. This Copyright notice may not be removed or altered from any - source or altered source distribution. + 3. This Copyright notice may not be removed or altered from any + source or altered source distribution. The Contributing Authors and Group 42, Inc. specifically permit, without fee, and encourage the use of this source code as a component to @@ -94,18 +93,20 @@ source code in a product, acknowledgment is not required but would be appreciated. +END OF COPYRIGHT NOTICE, DISCLAIMER, and LICENSE. A "png_get_copyright" function is available, for convenient use in "about" boxes and the like: - printf("%s",png_get_copyright(NULL)); + printf("%s", png_get_copyright(NULL)); Also, the PNG logo (in PNG format, of course) is supplied in the files "pngbar.png" and "pngbar.jpg (88x31) and "pngnow.png" (98x31). -Libpng is OSI Certified Open Source Software. OSI Certified Open Source is a -certification mark of the Open Source Initiative. +Libpng is OSI Certified Open Source Software. OSI Certified Open Source is +a certification mark of the Open Source Initiative. OSI has not addressed +the additional disclaimers inserted at version 1.0.7. Glenn Randers-Pehrson glennrp at users.sourceforge.net -December 22, 2014 +December 3, 2015 diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/png.c openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/png.c --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/png.c 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/png.c 2016-01-20 01:47:58.000000000 +0000 @@ -29,8 +29,8 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * Last changed in libpng 1.6.16 [December 22, 2014] - * Copyright (c) 1998-2014 Glenn Randers-Pehrson + * Last changed in libpng 1.6.19 [November 12, 2015] + * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -42,7 +42,7 @@ #include "pngpriv.h" /* Generate a compiler error if there is an old png.h in the search path. */ -typedef png_libpng_version_1_6_16 Your_png_h_is_not_version_1_6_16; +typedef png_libpng_version_1_6_20 Your_png_h_is_not_version_1_6_20; /* Tells libpng that we have already handled the first "num_bytes" bytes * of the PNG file signature. If the PNG data is embedded into another @@ -54,15 +54,20 @@ void PNGAPI png_set_sig_bytes(png_structrp png_ptr, int num_bytes) { + unsigned int nb = (unsigned int)num_bytes; + png_debug(1, "in png_set_sig_bytes"); if (png_ptr == NULL) return; - if (num_bytes > 8) + if (num_bytes < 0) + nb = 0; + + if (nb > 8) png_error(png_ptr, "Too many bytes for PNG signature"); - png_ptr->sig_bytes = (png_byte)(num_bytes < 0 ? 0 : num_bytes); + png_ptr->sig_bytes = (png_byte)nb; } /* Checks whether the supplied bytes match the PNG signature. We allow @@ -129,7 +134,7 @@ void /* PRIVATE */ png_reset_crc(png_structrp png_ptr) { - /* The cast is safe because the crc is a 32 bit value. */ + /* The cast is safe because the crc is a 32-bit value. */ png_ptr->crc = (png_uint_32)crc32(0, Z_NULL, 0); } @@ -157,7 +162,7 @@ } /* 'uLong' is defined in zlib.h as unsigned long; this means that on some - * systems it is a 64 bit value. crc32, however, returns 32 bits so the + * systems it is a 64-bit value. crc32, however, returns 32 bits so the * following cast is safe. 'uInt' may be no more than 16 bits, so it is * necessary to perform a loop here. */ @@ -168,8 +173,10 @@ do { uInt safe_length = (uInt)length; +#ifndef __COVERITY__ if (safe_length == 0) safe_length = (uInt)-1; /* evil, but safe */ +#endif crc = crc32(crc, ptr, safe_length); @@ -269,15 +276,15 @@ create_struct.user_height_max = PNG_USER_HEIGHT_MAX; # ifdef PNG_USER_CHUNK_CACHE_MAX - /* Added at libpng-1.2.43 and 1.4.0 */ - create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX; + /* Added at libpng-1.2.43 and 1.4.0 */ + create_struct.user_chunk_cache_max = PNG_USER_CHUNK_CACHE_MAX; # endif # ifdef PNG_USER_CHUNK_MALLOC_MAX - /* Added at libpng-1.2.43 and 1.4.1, required only for read but exists - * in png_struct regardless. - */ - create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX; + /* Added at libpng-1.2.43 and 1.4.1, required only for read but exists + * in png_struct regardless. + */ + create_struct.user_chunk_malloc_max = PNG_USER_CHUNK_MALLOC_MAX; # endif # endif @@ -301,7 +308,9 @@ # ifdef PNG_SETJMP_SUPPORTED if (!setjmp(create_jmp_buf)) +# endif { +# ifdef PNG_SETJMP_SUPPORTED /* Temporarily fake out the longjmp information until we have * successfully completed this function. This only works if we have * setjmp() support compiled in, but it is safe - this stuff should @@ -310,8 +319,6 @@ create_struct.jmp_buf_ptr = &create_jmp_buf; create_struct.jmp_buf_size = 0; /*stack allocation*/ create_struct.longjmp_fn = longjmp; -# else - { # endif /* Call the general version checker (shared with read and write code): */ @@ -330,10 +337,10 @@ create_struct.zstream.opaque = png_ptr; # ifdef PNG_SETJMP_SUPPORTED - /* Eliminate the local error handling: */ - create_struct.jmp_buf_ptr = NULL; - create_struct.jmp_buf_size = 0; - create_struct.longjmp_fn = 0; + /* Eliminate the local error handling: */ + create_struct.jmp_buf_ptr = NULL; + create_struct.jmp_buf_size = 0; + create_struct.longjmp_fn = 0; # endif *png_ptr = create_struct; @@ -439,6 +446,8 @@ free(info_ptr); info_ptr = png_voidcast(png_inforp, png_malloc_base(NULL, (sizeof *info_ptr))); + if (info_ptr == NULL) + return; *ptr_ptr = info_ptr; } @@ -504,9 +513,10 @@ /* Free any tRNS entry */ if (((mask & PNG_FREE_TRNS) & info_ptr->free_me) != 0) { + info_ptr->valid &= ~PNG_INFO_tRNS; png_free(png_ptr, info_ptr->trans_alpha); info_ptr->trans_alpha = NULL; - info_ptr->valid &= ~PNG_INFO_tRNS; + info_ptr->num_trans = 0; } #endif @@ -572,20 +582,17 @@ else { - if (info_ptr->splt_palettes_num != 0) - { - int i; - - for (i = 0; i < info_ptr->splt_palettes_num; i++) - { - png_free(png_ptr, info_ptr->splt_palettes[i].name); - png_free(png_ptr, info_ptr->splt_palettes[i].entries); - } + int i; - png_free(png_ptr, info_ptr->splt_palettes); - info_ptr->splt_palettes = NULL; - info_ptr->splt_palettes_num = 0; + for (i = 0; i < info_ptr->splt_palettes_num; i++) + { + png_free(png_ptr, info_ptr->splt_palettes[i].name); + png_free(png_ptr, info_ptr->splt_palettes[i].entries); } + + png_free(png_ptr, info_ptr->splt_palettes); + info_ptr->splt_palettes = NULL; + info_ptr->splt_palettes_num = 0; info_ptr->valid &= ~PNG_INFO_sPLT; } } @@ -605,15 +612,12 @@ { int i; - if (info_ptr->unknown_chunks_num != 0) - { - for (i = 0; i < info_ptr->unknown_chunks_num; i++) - png_free(png_ptr, info_ptr->unknown_chunks[i].data); + for (i = 0; i < info_ptr->unknown_chunks_num; i++) + png_free(png_ptr, info_ptr->unknown_chunks[i].data); - png_free(png_ptr, info_ptr->unknown_chunks); - info_ptr->unknown_chunks = NULL; - info_ptr->unknown_chunks_num = 0; - } + png_free(png_ptr, info_ptr->unknown_chunks); + info_ptr->unknown_chunks = NULL; + info_ptr->unknown_chunks_num = 0; } } #endif @@ -694,22 +698,23 @@ } # endif -#ifdef PNG_SAVE_INT_32_SUPPORTED -/* The png_save_int_32 function assumes integers are stored in two's - * complement format. If this isn't the case, then this routine needs to - * be modified to write data in two's complement format. Note that, - * the following works correctly even if png_int_32 has more than 32 bits - * (compare the more complex code required on read for sign extension.) +# ifdef PNG_SAVE_INT_32_SUPPORTED +/* PNG signed integers are saved in 32-bit 2's complement format. ANSI C-90 + * defines a cast of a signed integer to an unsigned integer either to preserve + * the value, if it is positive, or to calculate: + * + * (UNSIGNED_MAX+1) + integer + * + * Where UNSIGNED_MAX is the appropriate maximum unsigned value, so when the + * negative integral value is added the result will be an unsigned value + * correspnding to the 2's complement representation. */ void PNGAPI png_save_int_32(png_bytep buf, png_int_32 i) { - buf[0] = (png_byte)((i >> 24) & 0xff); - buf[1] = (png_byte)((i >> 16) & 0xff); - buf[2] = (png_byte)((i >> 8) & 0xff); - buf[3] = (png_byte)(i & 0xff); + png_save_uint_32(buf, i); } -#endif +# endif # ifdef PNG_TIME_RFC1123_SUPPORTED /* Convert the supplied time into an RFC 1123 string suitable for use in @@ -753,6 +758,7 @@ APPEND(':'); APPEND_NUMBER(PNG_NUMBER_FORMAT_02u, (unsigned)ptime->second); APPEND_STRING(" +0000"); /* This reliably terminates the buffer */ + PNG_UNUSED (pos) # undef APPEND # undef APPEND_NUMBER @@ -762,7 +768,7 @@ return 1; } -# if PNG_LIBPNG_VER < 10700 +# if PNG_LIBPNG_VER < 10700 /* To do: remove the following from libpng-1.7 */ /* Original API that uses a private buffer in png_struct. * Deprecated because it causes png_struct to carry a spurious temporary @@ -783,7 +789,7 @@ return NULL; } -# endif +# endif /* LIBPNG_VER < 10700 */ # endif /* TIME_RFC1123 */ #endif /* READ || WRITE */ @@ -797,14 +803,14 @@ #else # ifdef __STDC__ return PNG_STRING_NEWLINE \ - "libpng version 1.6.16 - December 22, 2014" PNG_STRING_NEWLINE \ - "Copyright (c) 1998-2014 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \ - "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \ - "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \ - PNG_STRING_NEWLINE; + "libpng version 1.6.20 - December 3, 2015" PNG_STRING_NEWLINE \ + "Copyright (c) 1998-2015 Glenn Randers-Pehrson" PNG_STRING_NEWLINE \ + "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \ + "Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc." \ + PNG_STRING_NEWLINE; # else - return "libpng version 1.6.16 - December 22, 2014\ - Copyright (c) 1998-2014 Glenn Randers-Pehrson\ + return "libpng version 1.6.20 - December 3, 2015\ + Copyright (c) 1998-2015 Glenn Randers-Pehrson\ Copyright (c) 1996-1997 Andreas Dilger\ Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc."; # endif @@ -842,9 +848,9 @@ #ifdef __STDC__ return PNG_HEADER_VERSION_STRING # ifndef PNG_READ_SUPPORTED - " (NO READ SUPPORT)" + " (NO READ SUPPORT)" # endif - PNG_STRING_NEWLINE; + PNG_STRING_NEWLINE; #else return PNG_HEADER_VERSION_STRING; #endif @@ -900,9 +906,9 @@ for (i = 0, v = 0; i < num_palette; i++, v += color_inc) { - palette[i].red = (png_byte)v; - palette[i].green = (png_byte)v; - palette[i].blue = (png_byte)v; + palette[i].red = (png_byte)(v & 0xff); + palette[i].green = (png_byte)(v & 0xff); + palette[i].blue = (png_byte)(v & 0xff); } } #endif @@ -975,8 +981,6 @@ return((png_uint_32)PNG_LIBPNG_VER); } - - #if defined(PNG_READ_SUPPORTED) || defined(PNG_WRITE_SUPPORTED) /* Ensure that png_ptr->zstream.msg holds some appropriate error message string. * If it doesn't 'ret' is used to set it to something appropriate, even in cases @@ -1119,10 +1123,10 @@ errmsg = "gamma value out of range"; # ifdef PNG_READ_gAMA_SUPPORTED - /* Allow the application to set the gamma value more than once */ - else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 && - (colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != 0) - errmsg = "duplicate"; + /* Allow the application to set the gamma value more than once */ + else if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0 && + (colorspace->flags & PNG_COLORSPACE_FROM_gAMA) != 0) + errmsg = "duplicate"; # endif /* Do nothing if the colorspace is already invalid */ @@ -1163,31 +1167,31 @@ PNG_INFO_iCCP); # ifdef PNG_COLORSPACE_SUPPORTED - /* Clean up the iCCP profile now if it won't be used. */ - png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -1/*not used*/); + /* Clean up the iCCP profile now if it won't be used. */ + png_free_data(png_ptr, info_ptr, PNG_FREE_ICCP, -1/*not used*/); # else - PNG_UNUSED(png_ptr) + PNG_UNUSED(png_ptr) # endif } else { # ifdef PNG_COLORSPACE_SUPPORTED - /* Leave the INFO_iCCP flag set if the pngset.c code has already set - * it; this allows a PNG to contain a profile which matches sRGB and - * yet still have that profile retrievable by the application. - */ - if ((info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB) != 0) - info_ptr->valid |= PNG_INFO_sRGB; + /* Leave the INFO_iCCP flag set if the pngset.c code has already set + * it; this allows a PNG to contain a profile which matches sRGB and + * yet still have that profile retrievable by the application. + */ + if ((info_ptr->colorspace.flags & PNG_COLORSPACE_MATCHES_sRGB) != 0) + info_ptr->valid |= PNG_INFO_sRGB; - else - info_ptr->valid &= ~PNG_INFO_sRGB; + else + info_ptr->valid &= ~PNG_INFO_sRGB; - if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0) - info_ptr->valid |= PNG_INFO_cHRM; + if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_ENDPOINTS) != 0) + info_ptr->valid |= PNG_INFO_cHRM; - else - info_ptr->valid &= ~PNG_INFO_cHRM; + else + info_ptr->valid &= ~PNG_INFO_cHRM; # endif if ((info_ptr->colorspace.flags & PNG_COLORSPACE_HAVE_GAMMA) != 0) @@ -1209,7 +1213,7 @@ png_colorspace_sync_info(png_ptr, info_ptr); } #endif -#endif +#endif /* GAMMA */ #ifdef PNG_COLORSPACE_SUPPORTED /* Added at libpng-1.5.5 to support read and write of true CIEXYZ values for @@ -1268,16 +1272,17 @@ /* Check xy and, implicitly, z. Note that wide gamut color spaces typically * have end points with 0 tristimulus values (these are impossible end - * points, but they are used to cover the possible colors.) + * points, but they are used to cover the possible colors). We check + * xy->whitey against 5, not 0, to avoid a possible integer overflow. */ - if (xy->redx < 0 || xy->redx > PNG_FP_1) return 1; - if (xy->redy < 0 || xy->redy > PNG_FP_1-xy->redx) return 1; + if (xy->redx < 0 || xy->redx > PNG_FP_1) return 1; + if (xy->redy < 0 || xy->redy > PNG_FP_1-xy->redx) return 1; if (xy->greenx < 0 || xy->greenx > PNG_FP_1) return 1; if (xy->greeny < 0 || xy->greeny > PNG_FP_1-xy->greenx) return 1; - if (xy->bluex < 0 || xy->bluex > PNG_FP_1) return 1; - if (xy->bluey < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1; + if (xy->bluex < 0 || xy->bluex > PNG_FP_1) return 1; + if (xy->bluey < 0 || xy->bluey > PNG_FP_1-xy->bluex) return 1; if (xy->whitex < 0 || xy->whitex > PNG_FP_1) return 1; - if (xy->whitey < 0 || xy->whitey > PNG_FP_1-xy->whitex) return 1; + if (xy->whitey < 5 || xy->whitey > PNG_FP_1-xy->whitex) return 1; /* The reverse calculation is more difficult because the original tristimulus * value had 9 independent values (red,green,blue)x(X,Y,Z) however only 8 @@ -1735,7 +1740,6 @@ */ colorspace->flags |= PNG_COLORSPACE_INVALID; png_error(png_ptr, "internal error checking chromaticities"); - break; } return 0; /* failed */ @@ -1763,7 +1767,6 @@ default: colorspace->flags |= PNG_COLORSPACE_INVALID; png_error(png_ptr, "internal error checking chromaticities"); - break; } return 0; /* failed */ @@ -2089,8 +2092,8 @@ temp = png_get_uint_32(profile+12); /* profile/device class */ switch (temp) { - case 0x73636E72: /* 'scnr' */ - case 0x6D6E7472: /* 'mntr' */ + case 0x73636e72: /* 'scnr' */ + case 0x6d6e7472: /* 'mntr' */ case 0x70727472: /* 'prtr' */ case 0x73706163: /* 'spac' */ /* All supported */ @@ -2101,7 +2104,7 @@ return png_icc_profile_error(png_ptr, colorspace, name, temp, "invalid embedded Abstract ICC profile"); - case 0x6C696E6B: /* 'link' */ + case 0x6c696e6b: /* 'link' */ /* DeviceLink profiles cannot be interpreted in a non-device specific * fashion, if an app uses the AToB0Tag in the profile the results are * undefined unless the result is sent to the intended device, @@ -2111,7 +2114,7 @@ return png_icc_profile_error(png_ptr, colorspace, name, temp, "unexpected DeviceLink ICC profile class"); - case 0x6E6D636C: /* 'nmcl' */ + case 0x6e6d636c: /* 'nmcl' */ /* A NamedColor profile is also device specific, however it doesn't * contain an AToB0 tag that is open to misinterpretation. Almost * certainly it will fail the tests below. @@ -2137,8 +2140,8 @@ temp = png_get_uint_32(profile+20); switch (temp) { - case 0x58595A20: /* 'XYZ ' */ - case 0x4C616220: /* 'Lab ' */ + case 0x58595a20: /* 'XYZ ' */ + case 0x4c616220: /* 'Lab ' */ break; default: @@ -2194,7 +2197,8 @@ return 1; /* success, maybe with warnings */ } -#if defined(PNG_sRGB_SUPPORTED) && PNG_sRGB_PROFILE_CHECKS >= 0 +#ifdef PNG_sRGB_SUPPORTED +#if PNG_sRGB_PROFILE_CHECKS >= 0 /* Information about the known ICC sRGB profiles */ static const struct { @@ -2307,8 +2311,8 @@ } /* Length *and* intent must match */ - if (length == png_sRGB_checks[i].length && - intent == png_sRGB_checks[i].intent) + if (length == (png_uint_32) png_sRGB_checks[i].length && + intent == (png_uint_32) png_sRGB_checks[i].intent) { /* Now calculate the adler32 if not done already. */ if (adler == 0) @@ -2352,8 +2356,8 @@ */ else if (png_sRGB_checks[i].have_md5 == 0) { - png_chunk_report(png_ptr, "out-of-date sRGB profile with" - " no signature", + png_chunk_report(png_ptr, + "out-of-date sRGB profile with no signature", PNG_CHUNK_WARNING); } @@ -2366,8 +2370,8 @@ * way. This probably indicates a data error or uninformed hacking. * Fall through to "no match". */ - png_chunk_report(png_ptr, "Not recognizing known sRGB profile that" - " has been edited", + png_chunk_report(png_ptr, + "Not recognizing known sRGB profile that has been edited", PNG_CHUNK_WARNING); break; # endif @@ -2377,9 +2381,8 @@ return 0; /* no match */ } -#endif +#endif /* PNG_sRGB_PROFILE_CHECKS >= 0 */ -#ifdef PNG_sRGB_SUPPORTED void /* PRIVATE */ png_icc_set_sRGB(png_const_structrp png_ptr, png_colorspacerp colorspace, png_const_bytep profile, uLong adler) @@ -2393,7 +2396,7 @@ (void)png_colorspace_set_sRGB(png_ptr, colorspace, (int)/*already checked*/png_get_uint_32(profile+64)); } -#endif /* READ_sRGB */ +#endif /* sRGB */ int /* PRIVATE */ png_colorspace_set_ICC(png_const_structrp png_ptr, png_colorspacerp colorspace, @@ -2485,7 +2488,7 @@ png_error(png_ptr, "internal error handling cHRM->XYZ"); } } -#endif +#endif /* READ_RGB_TO_GRAY */ #endif /* COLORSPACE */ @@ -2514,18 +2517,19 @@ png_warning(png_ptr, "Image width is zero in IHDR"); error = 1; } - else if (width > PNG_UINT_31_MAX) + + if (width > PNG_UINT_31_MAX) { png_warning(png_ptr, "Invalid image width in IHDR"); error = 1; } - else if (png_gt(width, - (PNG_SIZE_MAX >> 3) /* 8-byte RGBA pixels */ - - 48 /* big_row_buf hack */ - - 1 /* filter byte */ - - 7*8 /* rounding width to multiple of 8 pix */ - - 8)) /* extra max_pixel_depth pad */ + if (png_gt(((width + 7) & (~7)), + ((PNG_SIZE_MAX + - 48 /* big_row_buf hack */ + - 1) /* filter byte */ + / 8) /* 8-byte RGBA pixels */ + - 1)) /* extra max_pixel_depth pad */ { /* The size of the row must be within the limits of this architecture. * Because the read code can perform arbitrary transformations the @@ -2541,17 +2545,15 @@ png_warning(png_ptr, "Image width is too large for this architecture"); error = 1; } - else + +#ifdef PNG_SET_USER_LIMITS_SUPPORTED + if (width > png_ptr->user_width_max) +#else + if (width > PNG_USER_WIDTH_MAX) +#endif { -# ifdef PNG_SET_USER_LIMITS_SUPPORTED - if (width > png_ptr->user_width_max) -# else - if (width > PNG_USER_WIDTH_MAX) -# endif - { - png_warning(png_ptr, "Image width exceeds user limit in IHDR"); - error = 1; - } + png_warning(png_ptr, "Image width exceeds user limit in IHDR"); + error = 1; } if (height == 0) @@ -2559,22 +2561,21 @@ png_warning(png_ptr, "Image height is zero in IHDR"); error = 1; } - else if (height > PNG_UINT_31_MAX) + + if (height > PNG_UINT_31_MAX) { png_warning(png_ptr, "Invalid image height in IHDR"); error = 1; } - else + +#ifdef PNG_SET_USER_LIMITS_SUPPORTED + if (height > png_ptr->user_height_max) +#else + if (height > PNG_USER_HEIGHT_MAX) +#endif { -# ifdef PNG_SET_USER_LIMITS_SUPPORTED - if (height > png_ptr->user_height_max) -# else - if (height > PNG_USER_HEIGHT_MAX) -# endif - { - png_warning(png_ptr, "Image height exceeds user limit in IHDR"); - error = 1; - } + png_warning(png_ptr, "Image height exceeds user limit in IHDR"); + error = 1; } /* Check other values */ @@ -2613,7 +2614,7 @@ error = 1; } -# ifdef PNG_MNG_FEATURES_SUPPORTED +#ifdef PNG_MNG_FEATURES_SUPPORTED /* Accept filter_method 64 (intrapixel differencing) only if * 1. Libpng was compiled with PNG_MNG_FEATURES_SUPPORTED and * 2. Libpng did not read a PNG signature (this filter_method is only @@ -2646,13 +2647,13 @@ } } -# else +#else if (filter_type != PNG_FILTER_TYPE_BASE) { png_warning(png_ptr, "Unknown filter method in IHDR"); error = 1; } -# endif +#endif if (error == 1) png_error(png_ptr, "Invalid IHDR data"); @@ -2878,7 +2879,7 @@ if (fp >= DBL_MIN && fp <= DBL_MAX) { - int exp_b10; /* A base 10 exponent */ + int exp_b10; /* A base 10 exponent */ double base; /* 10^exp_b10 */ /* First extract a base 10 exponent of the number, @@ -2926,7 +2927,7 @@ */ { - int czero, clead, cdigits; + unsigned int czero, clead, cdigits; char exponent[10]; /* Allow up to two leading zeros - this will not lengthen @@ -2956,7 +2957,7 @@ * of the loop don't break the number into parts so * that the final digit is rounded. */ - if (cdigits+czero-clead+1 < (int)precision) + if (cdigits+czero+1 < precision+clead) fp = modf(fp, &d); else @@ -3062,14 +3063,14 @@ *ascii++ = (char)(48 + (int)d), ++cdigits; } } - while (cdigits+czero-clead < (int)precision && fp > DBL_MIN); + while (cdigits+czero < precision+clead && fp > DBL_MIN); /* The total output count (max) is now 4+precision */ /* Check for an exponent, if we don't need one we are * done and just need to terminate the string. At * this point exp_b10==(-1) is effectively if flag - it got - * to '-1' because of the decrement after outputing + * to '-1' because of the decrement after outputting * the decimal point above (the exponent required is * *not* -1!) */ @@ -3077,7 +3078,7 @@ { /* The following only happens if we didn't output the * leading zeros above for negative exponent, so this - * doest add to the digit requirement. Note that the + * doesn't add to the digit requirement. Note that the * two zeros here can only be output if the two leading * zeros were *not* output, so this doesn't increase * the output count. @@ -3130,7 +3131,7 @@ /* Need another size check here for the exponent digits, so * this need not be considered above. */ - if ((int)size > cdigits) + if (size > cdigits) { while (cdigits > 0) *ascii++ = exponent[--cdigits]; @@ -3178,7 +3179,7 @@ /* Avoid overflow here on the minimum integer. */ if (fp < 0) - *ascii++ = 45, --size, num = -fp; + *ascii++ = 45, num = -fp; else num = fp; @@ -3234,7 +3235,7 @@ png_error(png_ptr, "ASCII conversion buffer too small"); } # endif /* FIXED_POINT */ -#endif /* READ_SCAL */ +#endif /* SCAL */ #if defined(PNG_FLOATING_POINT_SUPPORTED) && \ !defined(PNG_FIXED_POINT_MACRO_SUPPORTED) && \ @@ -3252,7 +3253,7 @@ png_fixed_error(png_ptr, text); # ifndef PNG_ERROR_TEXT_SUPPORTED - PNG_UNUSED(text) + PNG_UNUSED(text) # endif return (png_fixed_point)r; @@ -3433,29 +3434,29 @@ #endif #ifdef PNG_READ_GAMMA_SUPPORTED -#if defined(PNG_16BIT_SUPPORTED) || !defined(PNG_FLOATING_ARITHMETIC_SUPPORTED) +#ifdef PNG_16BIT_SUPPORTED /* A local convenience routine. */ static png_fixed_point png_product2(png_fixed_point a, png_fixed_point b) { /* The required result is 1/a * 1/b; the following preserves accuracy. */ -# ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED +#ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED double r = a * 1E-5; r *= b; r = floor(r+.5); if (r <= 2147483647. && r >= -2147483648.) return (png_fixed_point)r; -# else +#else png_fixed_point res; if (png_muldiv(&res, a, b, 100000) != 0) return res; -# endif +#endif return 0; /* overflow */ } -#endif /* 16BIT || !FLOATING_ARITHMETIC */ +#endif /* 16BIT */ /* The inverse of the above. */ png_fixed_point @@ -3463,12 +3464,15 @@ { /* The required result is 1/a * 1/b; the following preserves accuracy. */ #ifdef PNG_FLOATING_ARITHMETIC_SUPPORTED - double r = 1E15/a; - r /= b; - r = floor(r+.5); + if (a != 0 && b != 0) + { + double r = 1E15/a; + r /= b; + r = floor(r+.5); - if (r <= 2147483647. && r >= -2147483648.) - return (png_fixed_point)r; + if (r <= 2147483647. && r >= -2147483648.) + return (png_fixed_point)r; + } #else /* This may overflow because the range of png_fixed_point isn't symmetric, * but this API is only used for the product of file and screen gamma so it @@ -3706,7 +3710,7 @@ if (x > 0 && x <= 0xfffff) /* Else overflow or zero (underflow) */ { /* Obtain a 4-bit approximation */ - png_uint_32 e = png_32bit_exp[(x >> 12) & 0xf]; + png_uint_32 e = png_32bit_exp[(x >> 12) & 0x0f]; /* Incorporate the low 12 bits - these decrease the returned value by * multiplying by a number less than 1 if the bit is set. The multiplier @@ -3759,7 +3763,7 @@ * step. */ x -= x >> 8; - return (png_byte)((x + 0x7fffffU) >> 24); + return (png_byte)(((x + 0x7fffffU) >> 24) & 0xff); } #ifdef PNG_16BIT_SUPPORTED @@ -3820,7 +3824,7 @@ # endif } - return (png_byte)value; + return (png_byte)(value & 0xff); } #ifdef PNG_16BIT_SUPPORTED @@ -4042,7 +4046,7 @@ else for (i=0; i<256; ++i) - table[i] = (png_byte)i; + table[i] = (png_byte)(i & 0xff); } /* Used from png_read_destroy and below to release the memory used by the gamma @@ -4182,7 +4186,8 @@ * */ if (sig_bit > 0 && sig_bit < 16U) - shift = (png_byte)(16U - sig_bit); /* shift == insignificant bits */ + /* shift == insignificant bits */ + shift = (png_byte)((16U - sig_bit) & 0xff); else shift = 0; /* keep all 16 bits */ @@ -4251,7 +4256,7 @@ int setting = (2 + (onoff != 0)) << option; int current = png_ptr->options; - png_ptr->options = (png_byte)((current & ~mask) | setting); + png_ptr->options = (png_byte)(((current & ~mask) | setting) & 0xff); return (current & mask) >> option; } @@ -4267,7 +4272,7 @@ * contrib/tools/makesRGB.c. The actual sRGB transfer curve defined in the * specification (see the article at http://en.wikipedia.org/wiki/SRGB) * is used, not the gamma=1/2.2 approximation use elsewhere in libpng. - * The sRGB to linear table is exact (to the nearest 16 bit linear fraction). + * The sRGB to linear table is exact (to the nearest 16-bit linear fraction). * The inverse (linear to sRGB) table has accuracies as follows: * * For all possible (255*65535+1) input values: diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngconf.h openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngconf.h --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngconf.h 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngconf.h 2016-01-20 01:47:58.000000000 +0000 @@ -29,9 +29,9 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * libpng version 1.6.16,December 22, 2014 + * libpng version 1.6.20, December 3, 2015 * - * Copyright (c) 1998-2014 Glenn Randers-Pehrson + * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -39,9 +39,7 @@ * For conditions of distribution and use, see the disclaimer * and license in png.h * - */ - -/* Any machine specific code is near the front of this file, so if you + * Any machine specific code is near the front of this file, so if you * are configuring libpng for a machine, you may want to read the section * starting here down to where it starts to typedef png_color, png_text, * and png_info. @@ -50,26 +48,6 @@ #ifndef PNGCONF_H #define PNGCONF_H -/* To do: Do all of this in scripts/pnglibconf.dfa */ -#ifdef PNG_SAFE_LIMITS_SUPPORTED -# ifdef PNG_USER_WIDTH_MAX -# undef PNG_USER_WIDTH_MAX -# define PNG_USER_WIDTH_MAX 1000000L -# endif -# ifdef PNG_USER_HEIGHT_MAX -# undef PNG_USER_HEIGHT_MAX -# define PNG_USER_HEIGHT_MAX 1000000L -# endif -# ifdef PNG_USER_CHUNK_MALLOC_MAX -# undef PNG_USER_CHUNK_MALLOC_MAX -# define PNG_USER_CHUNK_MALLOC_MAX 4000000L -# endif -# ifdef PNG_USER_CHUNK_CACHE_MAX -# undef PNG_USER_CHUNK_CACHE_MAX -# define PNG_USER_CHUNK_CACHE_MAX 128 -# endif -#endif - #ifndef PNG_BUILDING_SYMBOL_TABLE /* else includes may cause problems */ /* From libpng 1.6.0 libpng requires an ANSI X3.159-1989 ("ISOC90") compliant C @@ -113,7 +91,7 @@ */ #define PNG_CONST const /* backward compatibility only */ -/* This controls optimization of the reading of 16 and 32 bit values +/* This controls optimization of the reading of 16-bit and 32-bit values * from PNG files. It can be set on a per-app-file basis - it * just changes whether a macro is used when the function is called. * The library builder sets the default; if read functions are not @@ -345,11 +323,11 @@ * table entries, so we discard it here. See the .dfn files in the * scripts directory. */ -#ifndef PNG_EXPORTA -# define PNG_EXPORTA(ordinal, type, name, args, attributes)\ - PNG_FUNCTION(PNG_EXPORT_TYPE(type),(PNGAPI name),PNGARG(args), \ - extern attributes) +#ifndef PNG_EXPORTA +# define PNG_EXPORTA(ordinal, type, name, args, attributes) \ + PNG_FUNCTION(PNG_EXPORT_TYPE(type), (PNGAPI name), PNGARG(args), \ + PNG_LINKAGE_API attributes) #endif /* ANSI-C (C90) does not permit a macro to be invoked with an empty argument, @@ -357,7 +335,7 @@ */ #define PNG_EMPTY /*empty list*/ -#define PNG_EXPORT(ordinal, type, name, args)\ +#define PNG_EXPORT(ordinal, type, name, args) \ PNG_EXPORTA(ordinal, type, name, args, PNG_EMPTY) /* Use PNG_REMOVED to comment out a removed interface. */ @@ -530,7 +508,7 @@ #if CHAR_BIT == 8 && UCHAR_MAX == 255 typedef unsigned char png_byte; #else -# error "libpng requires 8 bit bytes" +# error "libpng requires 8-bit bytes" #endif #if INT_MIN == -32768 && INT_MAX == 32767 @@ -538,7 +516,7 @@ #elif SHRT_MIN == -32768 && SHRT_MAX == 32767 typedef short png_int_16; #else -# error "libpng requires a signed 16 bit type" +# error "libpng requires a signed 16-bit type" #endif #if UINT_MAX == 65535 @@ -546,7 +524,7 @@ #elif USHRT_MAX == 65535 typedef unsigned short png_uint_16; #else -# error "libpng requires an unsigned 16 bit type" +# error "libpng requires an unsigned 16-bit type" #endif #if INT_MIN < -2147483646 && INT_MAX > 2147483646 @@ -554,7 +532,7 @@ #elif LONG_MIN < -2147483646 && LONG_MAX > 2147483646 typedef long int png_int_32; #else -# error "libpng requires a signed 32 bit (or more) type" +# error "libpng requires a signed 32-bit (or more) type" #endif #if UINT_MAX > 4294967294 @@ -562,7 +540,7 @@ #elif ULONG_MAX > 4294967294 typedef unsigned long int png_uint_32; #else -# error "libpng requires an unsigned 32 bit (or more) type" +# error "libpng requires an unsigned 32-bit (or more) type" #endif /* Prior to 1.6.0 it was possible to disable the use of size_t, 1.6.0, however, diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngdebug.h openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngdebug.h --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngdebug.h 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngdebug.h 2016-01-20 01:47:58.000000000 +0000 @@ -29,12 +29,11 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * + * Last changed in libpng 1.6.8 [December 19, 2013] * Copyright (c) 1998-2013 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * - * Last changed in libpng 1.6.8 [December 19, 2013] - * * This code is released under the libpng license. * For conditions of distribution and use, see the disclaimer * and license in png.h diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngget.c openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngget.c --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngget.c 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngget.c 2016-01-20 01:47:58.000000000 +0000 @@ -29,8 +29,8 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * Last changed in libpng 1.6.15 [November 20, 2014] - * Copyright (c) 1998-2014 Glenn Randers-Pehrson + * Last changed in libpng 1.6.17 [March 26, 2015] + * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -827,14 +827,20 @@ { png_debug1(1, "in %s retrieval function", "IHDR"); - if (png_ptr == NULL || info_ptr == NULL || width == NULL || - height == NULL || bit_depth == NULL || color_type == NULL) + if (png_ptr == NULL || info_ptr == NULL) return (0); - *width = info_ptr->width; - *height = info_ptr->height; - *bit_depth = info_ptr->bit_depth; - *color_type = info_ptr->color_type; + if (width != NULL) + *width = info_ptr->width; + + if (height != NULL) + *height = info_ptr->height; + + if (bit_depth != NULL) + *bit_depth = info_ptr->bit_depth; + + if (color_type != NULL) + *color_type = info_ptr->color_type; if (compression_type != NULL) *compression_type = info_ptr->compression_type; @@ -1163,21 +1169,21 @@ if (png_ptr == NULL) return 0; -# ifdef PNG_WRITE_SUPPORTED +#ifdef PNG_WRITE_SUPPORTED if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0) -# endif +#endif { -# ifdef PNG_SEQUENTIAL_READ_SUPPORTED +#ifdef PNG_SEQUENTIAL_READ_SUPPORTED return png_ptr->IDAT_read_size; -# else +#else return PNG_IDAT_READ_SIZE; -# endif +#endif } -# ifdef PNG_WRITE_SUPPORTED +#ifdef PNG_WRITE_SUPPORTED else return png_ptr->zbuffer_size; -# endif +#endif } #ifdef PNG_SET_USER_LIMITS_SUPPORTED diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/png.h openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/png.h --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/png.h 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/png.h 2016-01-20 01:47:58.000000000 +0000 @@ -29,8 +29,9 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * libpng version 1.6.16, December 22, 2014 - * Copyright (c) 1998-2014 Glenn Randers-Pehrson + * libpng version 1.6.20, December 3, 2015 + * + * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -38,229 +39,10 @@ * * Authors and maintainers: * libpng versions 0.71, May 1995, through 0.88, January 1996: Guy Schalnat - * libpng versions 0.89c, June 1996, through 0.96, May 1997: Andreas Dilger - * libpng versions 0.97, January 1998, through 1.6.16, December 22, 2014: Glenn + * libpng versions 0.89, June 1996, through 0.96, May 1997: Andreas Dilger + * libpng versions 0.97, January 1998, through 1.6.20, December 3, 2015: + * Glenn Randers-Pehrson. * See also "Contributing Authors", below. - * - * Note about libpng version numbers: - * - * Due to various miscommunications, unforeseen code incompatibilities - * and occasional factors outside the authors' control, version numbering - * on the library has not always been consistent and straightforward. - * The following table summarizes matters since version 0.89c, which was - * the first widely used release: - * - * source png.h png.h shared-lib - * version string int version - * ------- ------ ----- ---------- - * 0.89c "1.0 beta 3" 0.89 89 1.0.89 - * 0.90 "1.0 beta 4" 0.90 90 0.90 [should have been 2.0.90] - * 0.95 "1.0 beta 5" 0.95 95 0.95 [should have been 2.0.95] - * 0.96 "1.0 beta 6" 0.96 96 0.96 [should have been 2.0.96] - * 0.97b "1.00.97 beta 7" 1.00.97 97 1.0.1 [should have been 2.0.97] - * 0.97c 0.97 97 2.0.97 - * 0.98 0.98 98 2.0.98 - * 0.99 0.99 98 2.0.99 - * 0.99a-m 0.99 99 2.0.99 - * 1.00 1.00 100 2.1.0 [100 should be 10000] - * 1.0.0 (from here on, the 100 2.1.0 [100 should be 10000] - * 1.0.1 png.h string is 10001 2.1.0 - * 1.0.1a-e identical to the 10002 from here on, the shared library - * 1.0.2 source version) 10002 is 2.V where V is the source code - * 1.0.2a-b 10003 version, except as noted. - * 1.0.3 10003 - * 1.0.3a-d 10004 - * 1.0.4 10004 - * 1.0.4a-f 10005 - * 1.0.5 (+ 2 patches) 10005 - * 1.0.5a-d 10006 - * 1.0.5e-r 10100 (not source compatible) - * 1.0.5s-v 10006 (not binary compatible) - * 1.0.6 (+ 3 patches) 10006 (still binary incompatible) - * 1.0.6d-f 10007 (still binary incompatible) - * 1.0.6g 10007 - * 1.0.6h 10007 10.6h (testing xy.z so-numbering) - * 1.0.6i 10007 10.6i - * 1.0.6j 10007 2.1.0.6j (incompatible with 1.0.0) - * 1.0.7beta11-14 DLLNUM 10007 2.1.0.7beta11-14 (binary compatible) - * 1.0.7beta15-18 1 10007 2.1.0.7beta15-18 (binary compatible) - * 1.0.7rc1-2 1 10007 2.1.0.7rc1-2 (binary compatible) - * 1.0.7 1 10007 (still compatible) - * 1.0.8beta1-4 1 10008 2.1.0.8beta1-4 - * 1.0.8rc1 1 10008 2.1.0.8rc1 - * 1.0.8 1 10008 2.1.0.8 - * 1.0.9beta1-6 1 10009 2.1.0.9beta1-6 - * 1.0.9rc1 1 10009 2.1.0.9rc1 - * 1.0.9beta7-10 1 10009 2.1.0.9beta7-10 - * 1.0.9rc2 1 10009 2.1.0.9rc2 - * 1.0.9 1 10009 2.1.0.9 - * 1.0.10beta1 1 10010 2.1.0.10beta1 - * 1.0.10rc1 1 10010 2.1.0.10rc1 - * 1.0.10 1 10010 2.1.0.10 - * 1.0.11beta1-3 1 10011 2.1.0.11beta1-3 - * 1.0.11rc1 1 10011 2.1.0.11rc1 - * 1.0.11 1 10011 2.1.0.11 - * 1.0.12beta1-2 2 10012 2.1.0.12beta1-2 - * 1.0.12rc1 2 10012 2.1.0.12rc1 - * 1.0.12 2 10012 2.1.0.12 - * 1.1.0a-f - 10100 2.1.1.0a-f (branch abandoned) - * 1.2.0beta1-2 2 10200 2.1.2.0beta1-2 - * 1.2.0beta3-5 3 10200 3.1.2.0beta3-5 - * 1.2.0rc1 3 10200 3.1.2.0rc1 - * 1.2.0 3 10200 3.1.2.0 - * 1.2.1beta1-4 3 10201 3.1.2.1beta1-4 - * 1.2.1rc1-2 3 10201 3.1.2.1rc1-2 - * 1.2.1 3 10201 3.1.2.1 - * 1.2.2beta1-6 12 10202 12.so.0.1.2.2beta1-6 - * 1.0.13beta1 10 10013 10.so.0.1.0.13beta1 - * 1.0.13rc1 10 10013 10.so.0.1.0.13rc1 - * 1.2.2rc1 12 10202 12.so.0.1.2.2rc1 - * 1.0.13 10 10013 10.so.0.1.0.13 - * 1.2.2 12 10202 12.so.0.1.2.2 - * 1.2.3rc1-6 12 10203 12.so.0.1.2.3rc1-6 - * 1.2.3 12 10203 12.so.0.1.2.3 - * 1.2.4beta1-3 13 10204 12.so.0.1.2.4beta1-3 - * 1.0.14rc1 13 10014 10.so.0.1.0.14rc1 - * 1.2.4rc1 13 10204 12.so.0.1.2.4rc1 - * 1.0.14 10 10014 10.so.0.1.0.14 - * 1.2.4 13 10204 12.so.0.1.2.4 - * 1.2.5beta1-2 13 10205 12.so.0.1.2.5beta1-2 - * 1.0.15rc1-3 10 10015 10.so.0.1.0.15rc1-3 - * 1.2.5rc1-3 13 10205 12.so.0.1.2.5rc1-3 - * 1.0.15 10 10015 10.so.0.1.0.15 - * 1.2.5 13 10205 12.so.0.1.2.5 - * 1.2.6beta1-4 13 10206 12.so.0.1.2.6beta1-4 - * 1.0.16 10 10016 10.so.0.1.0.16 - * 1.2.6 13 10206 12.so.0.1.2.6 - * 1.2.7beta1-2 13 10207 12.so.0.1.2.7beta1-2 - * 1.0.17rc1 10 10017 12.so.0.1.0.17rc1 - * 1.2.7rc1 13 10207 12.so.0.1.2.7rc1 - * 1.0.17 10 10017 12.so.0.1.0.17 - * 1.2.7 13 10207 12.so.0.1.2.7 - * 1.2.8beta1-5 13 10208 12.so.0.1.2.8beta1-5 - * 1.0.18rc1-5 10 10018 12.so.0.1.0.18rc1-5 - * 1.2.8rc1-5 13 10208 12.so.0.1.2.8rc1-5 - * 1.0.18 10 10018 12.so.0.1.0.18 - * 1.2.8 13 10208 12.so.0.1.2.8 - * 1.2.9beta1-3 13 10209 12.so.0.1.2.9beta1-3 - * 1.2.9beta4-11 13 10209 12.so.0.9[.0] - * 1.2.9rc1 13 10209 12.so.0.9[.0] - * 1.2.9 13 10209 12.so.0.9[.0] - * 1.2.10beta1-7 13 10210 12.so.0.10[.0] - * 1.2.10rc1-2 13 10210 12.so.0.10[.0] - * 1.2.10 13 10210 12.so.0.10[.0] - * 1.4.0beta1-5 14 10400 14.so.0.0[.0] - * 1.2.11beta1-4 13 10211 12.so.0.11[.0] - * 1.4.0beta7-8 14 10400 14.so.0.0[.0] - * 1.2.11 13 10211 12.so.0.11[.0] - * 1.2.12 13 10212 12.so.0.12[.0] - * 1.4.0beta9-14 14 10400 14.so.0.0[.0] - * 1.2.13 13 10213 12.so.0.13[.0] - * 1.4.0beta15-36 14 10400 14.so.0.0[.0] - * 1.4.0beta37-87 14 10400 14.so.14.0[.0] - * 1.4.0rc01 14 10400 14.so.14.0[.0] - * 1.4.0beta88-109 14 10400 14.so.14.0[.0] - * 1.4.0rc02-08 14 10400 14.so.14.0[.0] - * 1.4.0 14 10400 14.so.14.0[.0] - * 1.4.1beta01-03 14 10401 14.so.14.1[.0] - * 1.4.1rc01 14 10401 14.so.14.1[.0] - * 1.4.1beta04-12 14 10401 14.so.14.1[.0] - * 1.4.1 14 10401 14.so.14.1[.0] - * 1.4.2 14 10402 14.so.14.2[.0] - * 1.4.3 14 10403 14.so.14.3[.0] - * 1.4.4 14 10404 14.so.14.4[.0] - * 1.5.0beta01-58 15 10500 15.so.15.0[.0] - * 1.5.0rc01-07 15 10500 15.so.15.0[.0] - * 1.5.0 15 10500 15.so.15.0[.0] - * 1.5.1beta01-11 15 10501 15.so.15.1[.0] - * 1.5.1rc01-02 15 10501 15.so.15.1[.0] - * 1.5.1 15 10501 15.so.15.1[.0] - * 1.5.2beta01-03 15 10502 15.so.15.2[.0] - * 1.5.2rc01-03 15 10502 15.so.15.2[.0] - * 1.5.2 15 10502 15.so.15.2[.0] - * 1.5.3beta01-10 15 10503 15.so.15.3[.0] - * 1.5.3rc01-02 15 10503 15.so.15.3[.0] - * 1.5.3beta11 15 10503 15.so.15.3[.0] - * 1.5.3 [omitted] - * 1.5.4beta01-08 15 10504 15.so.15.4[.0] - * 1.5.4rc01 15 10504 15.so.15.4[.0] - * 1.5.4 15 10504 15.so.15.4[.0] - * 1.5.5beta01-08 15 10505 15.so.15.5[.0] - * 1.5.5rc01 15 10505 15.so.15.5[.0] - * 1.5.5 15 10505 15.so.15.5[.0] - * 1.5.6beta01-07 15 10506 15.so.15.6[.0] - * 1.5.6rc01-03 15 10506 15.so.15.6[.0] - * 1.5.6 15 10506 15.so.15.6[.0] - * 1.5.7beta01-05 15 10507 15.so.15.7[.0] - * 1.5.7rc01-03 15 10507 15.so.15.7[.0] - * 1.5.7 15 10507 15.so.15.7[.0] - * 1.6.0beta01-40 16 10600 16.so.16.0[.0] - * 1.6.0rc01-08 16 10600 16.so.16.0[.0] - * 1.6.0 16 10600 16.so.16.0[.0] - * 1.6.1beta01-09 16 10601 16.so.16.1[.0] - * 1.6.1rc01 16 10601 16.so.16.1[.0] - * 1.6.1 16 10601 16.so.16.1[.0] - * 1.6.2beta01 16 10602 16.so.16.2[.0] - * 1.6.2rc01-06 16 10602 16.so.16.2[.0] - * 1.6.2 16 10602 16.so.16.2[.0] - * 1.6.3beta01-11 16 10603 16.so.16.3[.0] - * 1.6.3rc01 16 10603 16.so.16.3[.0] - * 1.6.3 16 10603 16.so.16.3[.0] - * 1.6.4beta01-02 16 10604 16.so.16.4[.0] - * 1.6.4rc01 16 10604 16.so.16.4[.0] - * 1.6.4 16 10604 16.so.16.4[.0] - * 1.6.5 16 10605 16.so.16.5[.0] - * 1.6.6 16 10606 16.so.16.6[.0] - * 1.6.7beta01-04 16 10607 16.so.16.7[.0] - * 1.6.7rc01-03 16 10607 16.so.16.7[.0] - * 1.6.7 16 10607 16.so.16.7[.0] - * 1.6.8beta01-02 16 10608 16.so.16.8[.0] - * 1.6.8rc01-02 16 10608 16.so.16.8[.0] - * 1.6.8 16 10608 16.so.16.8[.0] - * 1.6.9beta01-04 16 10609 16.so.16.9[.0] - * 1.6.9rc01-02 16 10609 16.so.16.9[.0] - * 1.6.9 16 10609 16.so.16.9[.0] - * 1.6.10beta01-03 16 10610 16.so.16.10[.0] - * 1.6.10rc01-03 16 10610 16.so.16.10[.0] - * 1.6.10 16 10610 16.so.16.10[.0] - * 1.6.11beta01-06 16 10611 16.so.16.11[.0] - * 1.6.11rc01-02 16 10611 16.so.16.11[.0] - * 1.6.11 16 10611 16.so.16.11[.0] - * 1.6.12rc01-03 16 10612 16.so.16.12[.0] - * 1.6.12 16 10612 16.so.16.12[.0] - * 1.6.13beta01-04 16 10613 16.so.16.13[.0] - * 1.6.13rc01-02 16 10613 16.so.16.13[.0] - * 1.6.13 16 10613 16.so.16.13[.0] - * 1.6.14beta01-07 16 10614 16.so.16.14[.0] - * 1.6.14rc01-02 16 10614 16.so.16.14[.0] - * 1.6.14 16 10614 16.so.16.14[.0] - * 1.6.15beta01-08 16 10615 16.so.16.15[.0] - * 1.6.15rc01-03 16 10615 16.so.16.15[.0] - * 1.6.15 16 10615 16.so.16.15[.0] - * 1.6.16beta01-03 16 10616 16.so.16.16[.0] - * 1.6.16rc01-02 16 10616 16.so.16.16[.0] - * 1.6.16 16 10616 16.so.16.16[.0] - * - * Henceforth the source version will match the shared-library major - * and minor numbers; the shared-library major version number will be - * used for changes in backward compatibility, as it is intended. The - * PNG_LIBPNG_VER macro, which is not used within libpng but is available - * for applications, is an unsigned integer of the form xyyzz corresponding - * to the source version x.y.z (leading zeros in y and z). Beta versions - * were given the previous public release number plus a letter, until - * version 1.0.6j; from then on they were given the upcoming public - * release number plus "betaNN" or "rcNN". - * - * Binary incompatibility exists only when applications make direct access - * to the info_ptr or png_ptr members through png.h, and the compiled - * application is loaded with a different version of the library. - * - * DLLNUM will change each time there are forward or backward changes - * in binary compatibility (e.g., when a new feature is added). - * - * See libpng-manual.txt or libpng.3 for more information. The PNG - * specification is available as a W3C Recommendation and as an ISO - * Specification, = 0x8000 /* else this might break */ #define PNG_INFO_IDAT 0x8000 /* ESR, 1.0.6 */ +#endif /* This is used for the transformation routines, as some of them * change these values for the row. It also should enable using @@ -1017,7 +883,9 @@ #define PNG_TRANSFORM_GRAY_TO_RGB 0x2000 /* read only */ /* Added to libpng-1.5.4 */ #define PNG_TRANSFORM_EXPAND_16 0x4000 /* read only */ +#if INT_MAX >= 0x8000 /* else this might break */ #define PNG_TRANSFORM_SCALE_16 0x8000 /* read only */ +#endif /* Flags for MNG supported features */ #define PNG_FLAG_MNG_EMPTY_PLTE 0x01 @@ -1034,7 +902,7 @@ png_alloc_size_t)); typedef PNG_CALLBACK(void, *png_free_ptr, (png_structp, png_voidp)); -/* Section 3: exported functions +/* Section 4: exported functions * Here are the function definitions most commonly used. This is not * the place to find out how to use libpng. See libpng-manual.txt for the * full explanation, see example.c for the summary. This just provides @@ -1407,13 +1275,13 @@ #endif #if defined(PNG_READ_FILLER_SUPPORTED) || defined(PNG_WRITE_FILLER_SUPPORTED) -/* Add a filler byte to 8-bit Gray or 24-bit RGB images. */ +/* Add a filler byte to 8-bit or 16-bit Gray or 24-bit or 48-bit RGB images. */ PNG_EXPORT(39, void, png_set_filler, (png_structrp png_ptr, png_uint_32 filler, int flags)); /* The values of the PNG_FILLER_ defines should NOT be changed */ # define PNG_FILLER_BEFORE 0 # define PNG_FILLER_AFTER 1 -/* Add an alpha byte to 8-bit Gray or 24-bit RGB images. */ +/* Add an alpha byte to 8-bit or 16-bit Gray or 24-bit or 48-bit RGB images. */ PNG_EXPORT(40, void, png_set_add_alpha, (png_structrp png_ptr, png_uint_32 filler, int flags)); #endif /* READ_FILLER || WRITE_FILLER */ @@ -1606,6 +1474,7 @@ #define PNG_CRC_QUIET_USE 4 /* quiet/use data quiet/use data */ #define PNG_CRC_NO_CHANGE 5 /* use current value use current value */ +#ifdef PNG_WRITE_SUPPORTED /* These functions give the user control over the scan-line filtering in * libpng and the compression methods used by zlib. These functions are * mainly useful for testing, as the defaults should work with most users. @@ -1619,6 +1488,7 @@ */ PNG_EXPORT(67, void, png_set_filter, (png_structrp png_ptr, int method, int filters)); +#endif /* WRITE */ /* Flags for png_set_filter() to say which filters to use. The flags * are chosen so that they don't conflict with real filter types @@ -1644,35 +1514,8 @@ #define PNG_FILTER_VALUE_PAETH 4 #define PNG_FILTER_VALUE_LAST 5 -#ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED /* EXPERIMENTAL */ -/* The "heuristic_method" is given by one of the PNG_FILTER_HEURISTIC_ - * defines, either the default (minimum-sum-of-absolute-differences), or - * the experimental method (weighted-minimum-sum-of-absolute-differences). - * - * Weights are factors >= 1.0, indicating how important it is to keep the - * filter type consistent between rows. Larger numbers mean the current - * filter is that many times as likely to be the same as the "num_weights" - * previous filters. This is cumulative for each previous row with a weight. - * There needs to be "num_weights" values in "filter_weights", or it can be - * NULL if the weights aren't being specified. Weights have no influence on - * the selection of the first row filter. Well chosen weights can (in theory) - * improve the compression for a given image. - * - * Costs are factors >= 1.0 indicating the relative decoding costs of a - * filter type. Higher costs indicate more decoding expense, and are - * therefore less likely to be selected over a filter with lower computational - * costs. There needs to be a value in "filter_costs" for each valid filter - * type (given by PNG_FILTER_VALUE_LAST), or it can be NULL if you aren't - * setting the costs. Costs try to improve the speed of decompression without - * unduly increasing the compressed image size. - * - * A negative weight or cost indicates the default value is to be used, and - * values in the range [0.0, 1.0) indicate the value is to remain unchanged. - * The default values for both weights and costs are currently 1.0, but may - * change if good general weighting/cost heuristics can be found. If both - * the weights and costs are set to 1.0, this degenerates the WEIGHTED method - * to the UNWEIGHTED method, but with added encoding time/computation. - */ +#ifdef PNG_WRITE_SUPPORTED +#ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED /* DEPRECATED */ PNG_FP_EXPORT(68, void, png_set_filter_heuristics, (png_structrp png_ptr, int heuristic_method, int num_weights, png_const_doublep filter_weights, png_const_doublep filter_costs)) @@ -1682,15 +1525,12 @@ png_const_fixed_point_p filter_costs)) #endif /* WRITE_WEIGHTED_FILTER */ -/* Heuristic used for row filter selection. These defines should NOT be - * changed. - */ +/* The following are no longer used and will be removed from libpng-1.7: */ #define PNG_FILTER_HEURISTIC_DEFAULT 0 /* Currently "UNWEIGHTED" */ #define PNG_FILTER_HEURISTIC_UNWEIGHTED 1 /* Used by libpng < 0.95 */ #define PNG_FILTER_HEURISTIC_WEIGHTED 2 /* Experimental feature */ #define PNG_FILTER_HEURISTIC_LAST 3 /* Not a valid value */ -#ifdef PNG_WRITE_SUPPORTED /* Set the library compression level. Currently, valid values range from * 0 - 9, corresponding directly to the zlib compression levels 0 - 9 * (0 - no compression, 9 - "maximal" compression). Note that tests have @@ -1698,6 +1538,7 @@ * for PNG images, and do considerably fewer caclulations. In the future, * these values may not correspond directly to the zlib compression levels. */ +#ifdef PNG_WRITE_CUSTOMIZE_COMPRESSION_SUPPORTED PNG_EXPORT(69, void, png_set_compression_level, (png_structrp png_ptr, int level)); @@ -1715,7 +1556,7 @@ PNG_EXPORT(73, void, png_set_compression_method, (png_structrp png_ptr, int method)); -#endif +#endif /* WRITE_CUSTOMIZE_COMPRESSION */ #ifdef PNG_WRITE_CUSTOMIZE_ZTXT_COMPRESSION_SUPPORTED /* Also set zlib parameters for compressing non-IDAT chunks */ @@ -1737,6 +1578,7 @@ PNG_EXPORT(226, void, png_set_text_compression_method, (png_structrp png_ptr, int method)); #endif /* WRITE_CUSTOMIZE_ZTXT_COMPRESSION */ +#endif /* WRITE */ /* These next functions are called for input/output, memory, and error * handling. They are in the file pngrio.c, pngwio.c, and pngerror.c, @@ -1847,7 +1689,7 @@ * * The integer return from the callback function is interpreted thus: * - * negative: An error occured, png_chunk_error will be called. + * negative: An error occurred; png_chunk_error will be called. * zero: The chunk was not handled, the chunk will be saved. A critical * chunk will cause an error at this point unless it is to be saved. * positive: The chunk was handled, libpng will ignore/discard it. @@ -2692,26 +2534,28 @@ * (png_uint_16)(alpha) \ + (png_uint_16)(bg)*(png_uint_16)(255 \ - (png_uint_16)(alpha)) + 128); \ - (composite) = (png_byte)((temp + (temp >> 8)) >> 8); } + (composite) = (png_byte)(((temp + (temp >> 8)) >> 8) & 0xff); } # define png_composite_16(composite, fg, alpha, bg) \ { png_uint_32 temp = (png_uint_32)((png_uint_32)(fg) \ * (png_uint_32)(alpha) \ + (png_uint_32)(bg)*(65535 \ - (png_uint_32)(alpha)) + 32768); \ - (composite) = (png_uint_16)((temp + (temp >> 16)) >> 16); } + (composite) = (png_uint_16)(0xffff & ((temp + (temp >> 16)) >> 16)); } #else /* Standard method using integer division */ -# define png_composite(composite, fg, alpha, bg) \ - (composite) = (png_byte)(((png_uint_16)(fg) * (png_uint_16)(alpha) + \ - (png_uint_16)(bg) * (png_uint_16)(255 - (png_uint_16)(alpha)) + \ - 127) / 255) +# define png_composite(composite, fg, alpha, bg) \ + (composite) = \ + (png_byte)(0xff & (((png_uint_16)(fg) * (png_uint_16)(alpha) + \ + (png_uint_16)(bg) * (png_uint_16)(255 - (png_uint_16)(alpha)) + \ + 127) / 255)) # define png_composite_16(composite, fg, alpha, bg) \ - (composite) = (png_uint_16)(((png_uint_32)(fg) * (png_uint_32)(alpha) + \ - (png_uint_32)(bg)*(png_uint_32)(65535 - (png_uint_32)(alpha)) + \ - 32767) / 65535) + (composite) = \ + (png_uint_16)(0xffff & (((png_uint_32)(fg) * (png_uint_32)(alpha) + \ + (png_uint_32)(bg)*(png_uint_32)(65535 - (png_uint_32)(alpha)) + \ + 32767) / 65535)) #endif /* READ_COMPOSITE_NODIV */ #ifdef PNG_READ_INT_FUNCTIONS_SUPPORTED @@ -2762,7 +2606,7 @@ # define PNG_get_int_32(buf) \ ((png_int_32)((*(buf) & 0x80) \ - ? -((png_int_32)((png_get_uint_32(buf) ^ 0xffffffffL) + 1)) \ + ? -((png_int_32)(((png_get_uint_32(buf)^0xffffffffU)+1U)&0x7fffffffU)) \ : (png_int_32)png_get_uint_32(buf))) /* If PNG_PREFIX is defined the same thing as below happens in pnglibconf.h, @@ -2782,10 +2626,17 @@ # endif #endif -#if defined(PNG_SIMPLIFIED_READ_SUPPORTED) || \ - defined(PNG_SIMPLIFIED_WRITE_SUPPORTED) +#ifdef PNG_CHECK_FOR_INVALID_INDEX_SUPPORTED +PNG_EXPORT(242, void, png_set_check_for_invalid_index, + (png_structrp png_ptr, int allowed)); +# ifdef PNG_GET_PALETTE_MAX_SUPPORTED +PNG_EXPORT(243, int, png_get_palette_max, (png_const_structp png_ptr, + png_const_infop info_ptr)); +# endif +#endif /* CHECK_FOR_INVALID_INDEX */ + /******************************************************************************* - * SIMPLIFIED API + * Section 5: SIMPLIFIED API ******************************************************************************* * * Please read the documentation in libpng-manual.txt (TODO: write said @@ -2801,8 +2652,9 @@ * * To read a PNG file using the simplified API: * - * 1) Declare a 'png_image' structure (see below) on the stack and set the - * version field to PNG_IMAGE_VERSION. + * 1) Declare a 'png_image' structure (see below) on the stack, set the + * version field to PNG_IMAGE_VERSION and the 'opaque' pointer to NULL + * (this is REQUIRED, your program may crash if you don't do it.) * 2) Call the appropriate png_image_begin_read... function. * 3) Set the png_image 'format' member to the required sample format. * 4) Allocate a buffer for the image and, if required, the color-map. @@ -2829,6 +2681,9 @@ * when it is being read or defines the in-memory format of an image that you * need to write: */ +#if defined(PNG_SIMPLIFIED_READ_SUPPORTED) || \ + defined(PNG_SIMPLIFIED_WRITE_SUPPORTED) + #define PNG_IMAGE_VERSION 1 typedef struct png_control *png_controlp; @@ -2928,7 +2783,7 @@ * called to read or write the color-map and set the format correctly for the * image data. Do not set the PNG_FORMAT_FLAG_COLORMAP bit directly! * - * NOTE: libpng can be built with particular features disabled, if you see + * NOTE: libpng can be built with particular features disabled. If you see * compiler errors because the definition of one of the following flags has been * compiled out it is because libpng does not have the required support. It is * possible, however, for the libpng configuration to enable the format on just @@ -2940,7 +2795,7 @@ */ #define PNG_FORMAT_FLAG_ALPHA 0x01U /* format with an alpha channel */ #define PNG_FORMAT_FLAG_COLOR 0x02U /* color format: otherwise grayscale */ -#define PNG_FORMAT_FLAG_LINEAR 0x04U /* 2 byte channels else 1 byte */ +#define PNG_FORMAT_FLAG_LINEAR 0x04U /* 2-byte channels else 1-byte */ #define PNG_FORMAT_FLAG_COLORMAP 0x08U /* image data is color-mapped */ #ifdef PNG_FORMAT_BGR_SUPPORTED @@ -3227,9 +3082,11 @@ * * With all APIs row_stride is handled as in the read APIs - it is the spacing * from one row to the next in component sized units (1 or 2 bytes) and if - * negative indicates a bottom-up row layout in the buffer. + * negative indicates a bottom-up row layout in the buffer. If row_stride is zero, + * libpng will calculate it for you from the image width and number of channels. * - * Note that the write API does not support interlacing or sub-8-bit pixels. + * Note that the write API does not support interlacing, sub-8-bit pixels, indexed + * PNG (color_type 3) or most ancillary chunks. */ #endif /* STDIO */ #endif /* SIMPLIFIED_WRITE */ @@ -3238,17 +3095,8 @@ ******************************************************************************/ #endif /* SIMPLIFIED_{READ|WRITE} */ -#ifdef PNG_CHECK_FOR_INVALID_INDEX_SUPPORTED -PNG_EXPORT(242, void, png_set_check_for_invalid_index, - (png_structrp png_ptr, int allowed)); -# ifdef PNG_GET_PALETTE_MAX_SUPPORTED -PNG_EXPORT(243, int, png_get_palette_max, (png_const_structp png_ptr, - png_const_infop info_ptr)); -# endif -#endif /* CHECK_FOR_INVALID_INDEX */ - /******************************************************************************* - * IMPLEMENTATION OPTIONS + * Section 6: IMPLEMENTATION OPTIONS ******************************************************************************* * * Support for arbitrary implementation-specific optimizations. The API allows diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pnginfo.h openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pnginfo.h --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pnginfo.h 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pnginfo.h 2016-01-20 01:47:58.000000000 +0000 @@ -29,12 +29,11 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * + * Last changed in libpng 1.6.1 [March 28, 2013] * Copyright (c) 1998-2013 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * - * Last changed in libpng 1.6.1 [March 28, 2013] - * * This code is released under the libpng license. * For conditions of distribution and use, see the disclaimer * and license in png.h diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pnglibconf.h openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pnglibconf.h --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pnglibconf.h 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pnglibconf.h 2016-01-20 01:47:58.000000000 +0000 @@ -34,7 +34,7 @@ * file and, per its terms, should not be removed: */ -/* libpng version 1.6.16,December 22, 2014 */ +/* libpng version 1.6.20, December 3, 2015 */ /* Copyright (c) 1998-2014 Glenn Randers-Pehrson */ @@ -129,13 +129,10 @@ #define PNG_READ_tIME_SUPPORTED #define PNG_READ_tRNS_SUPPORTED #define PNG_READ_zTXt_SUPPORTED -/*#undef PNG_SAFE_LIMITS_SUPPORTED*/ /*#undef PNG_SAVE_INT_32_SUPPORTED*/ #define PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED #define PNG_SEQUENTIAL_READ_SUPPORTED #define PNG_SETJMP_SUPPORTED -#define PNG_SET_CHUNK_CACHE_LIMIT_SUPPORTED -#define PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED #define PNG_SET_OPTION_SUPPORTED #define PNG_SET_UNKNOWN_CHUNKS_SUPPORTED #define PNG_SET_USER_LIMITS_SUPPORTED @@ -161,6 +158,7 @@ /*#undef PNG_WRITE_BGR_SUPPORTED*/ /*#undef PNG_WRITE_CHECK_FOR_INVALID_INDEX_SUPPORTED*/ /*#undef PNG_WRITE_COMPRESSED_TEXT_SUPPORTED*/ +/*#undef PNG_WRITE_CUSTOMIZE_COMPRESSION_SUPPORTED*/ /*#undef PNG_WRITE_CUSTOMIZE_ZTXT_COMPRESSION_SUPPORTED*/ /*#undef PNG_WRITE_FILLER_SUPPORTED*/ /*#undef PNG_WRITE_FILTER_SUPPORTED*/ @@ -219,11 +217,14 @@ /* end of options */ /* settings */ #define PNG_API_RULE 0 -#define PNG_COST_SHIFT 3 #define PNG_DEFAULT_READ_MACROS 1 #define PNG_GAMMA_THRESHOLD_FIXED 5000 #define PNG_IDAT_READ_SIZE PNG_ZBUF_SIZE #define PNG_INFLATE_BUF_SIZE 1024 +#define PNG_LINKAGE_API extern +#define PNG_LINKAGE_CALLBACK extern +#define PNG_LINKAGE_DATA extern +#define PNG_LINKAGE_FUNCTION extern #define PNG_MAX_GAMMA_8 11 #define PNG_QUANTIZE_BLUE_BITS 5 #define PNG_QUANTIZE_GREEN_BITS 5 @@ -234,7 +235,6 @@ #define PNG_USER_CHUNK_MALLOC_MAX 0 #define PNG_USER_HEIGHT_MAX 1000000 #define PNG_USER_WIDTH_MAX 1000000 -#define PNG_WEIGHT_SHIFT 8 #define PNG_ZBUF_SIZE 8192 #define PNG_ZLIB_VERNUM 0 #define PNG_Z_DEFAULT_COMPRESSION (-1) diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngmem.c openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngmem.c --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngmem.c 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngmem.c 2016-01-20 01:47:58.000000000 +0000 @@ -69,7 +69,7 @@ } /* Allocate memory. For reasonable files, size should never exceed - * 64K. However, zlib may allocate more then 64K if you don't tell + * 64K. However, zlib may allocate more than 64K if you don't tell * it not to. See zconf.h and png.h for more information. zlib does * need to allocate exactly 64K, so whatever you call here must * have the ability to do that. @@ -105,6 +105,9 @@ PNG_UNUSED(png_ptr) #endif + /* Some compilers complain that this is always true. However, it + * can be false when integer overflow happens. + */ if (size > 0 && size <= PNG_SIZE_MAX # ifdef PNG_MAX_MALLOC_64K && size <= 65536U diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngpread.c openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngpread.c --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngpread.c 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngpread.c 2016-01-20 01:47:58.000000000 +0000 @@ -29,8 +29,8 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * Last changed in libpng 1.6.15 [November 20, 2014] - * Copyright (c) 1998-2014 Glenn Randers-Pehrson + * Last changed in libpng 1.6.18 [July 23, 2015] + * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -47,7 +47,6 @@ #define PNG_READ_SIG_MODE 0 #define PNG_READ_CHUNK_MODE 1 #define PNG_READ_IDAT_MODE 2 -#define PNG_SKIP_MODE 3 #define PNG_READ_tEXt_MODE 4 #define PNG_READ_zTXt_MODE 5 #define PNG_READ_DONE_MODE 6 @@ -106,32 +105,14 @@ png_uint_32 PNGAPI png_process_data_skip(png_structrp png_ptr) { - png_uint_32 remaining = 0; - - if (png_ptr != NULL && png_ptr->process_mode == PNG_SKIP_MODE && - png_ptr->skip_length > 0) - { - /* At the end of png_process_data the buffer size must be 0 (see the loop - * above) so we can detect a broken call here: - */ - if (png_ptr->buffer_size != 0) - png_error(png_ptr, - "png_process_data_skip called inside png_process_data"); - - /* If is impossible for there to be a saved buffer at this point - - * otherwise we could not be in SKIP mode. This will also happen if - * png_process_skip is called inside png_process_data (but only very - * rarely.) - */ - if (png_ptr->save_buffer_size != 0) - png_error(png_ptr, "png_process_data_skip called with saved data"); - - remaining = png_ptr->skip_length; - png_ptr->skip_length = 0; - png_ptr->process_mode = PNG_READ_CHUNK_MODE; - } - - return remaining; + /* TODO: Deprecate and remove this API. + * Somewhere the implementation of this seems to have been lost, + * or abandoned. It was only to support some internal back-door access + * to png_struct) in libpng-1.4.x. + */ + png_app_warning(png_ptr, +"png_process_data_skip is not implemented in any current version of libpng"); + return 0; } /* What we do with the incoming data depends on what we were previously @@ -163,12 +144,6 @@ break; } - case PNG_SKIP_MODE: - { - png_push_crc_finish(png_ptr); - break; - } - default: { png_ptr->buffer_size = 0; @@ -187,7 +162,7 @@ png_push_read_sig(png_structrp png_ptr, png_inforp info_ptr) { png_size_t num_checked = png_ptr->sig_bytes, /* SAFE, does not exceed 8 */ - num_to_check = 8 - num_checked; + num_to_check = 8 - num_checked; if (png_ptr->buffer_size < num_to_check) { @@ -467,69 +442,6 @@ png_ptr->mode &= ~PNG_HAVE_CHUNK_HEADER; } -void /* PRIVATE */ -png_push_crc_skip(png_structrp png_ptr, png_uint_32 skip) -{ - png_ptr->process_mode = PNG_SKIP_MODE; - png_ptr->skip_length = skip; -} - -void /* PRIVATE */ -png_push_crc_finish(png_structrp png_ptr) -{ - if (png_ptr->skip_length != 0 && png_ptr->save_buffer_size != 0) - { - png_size_t save_size = png_ptr->save_buffer_size; - png_uint_32 skip_length = png_ptr->skip_length; - - /* We want the smaller of 'skip_length' and 'save_buffer_size', but - * they are of different types and we don't know which variable has the - * fewest bits. Carefully select the smaller and cast it to the type of - * the larger - this cannot overflow. Do not cast in the following test - * - it will break on either 16 or 64 bit platforms. - */ - if (skip_length < save_size) - save_size = (png_size_t)skip_length; - - else - skip_length = (png_uint_32)save_size; - - png_calculate_crc(png_ptr, png_ptr->save_buffer_ptr, save_size); - - png_ptr->skip_length -= skip_length; - png_ptr->buffer_size -= save_size; - png_ptr->save_buffer_size -= save_size; - png_ptr->save_buffer_ptr += save_size; - } - if (png_ptr->skip_length != 0 && png_ptr->current_buffer_size != 0) - { - png_size_t save_size = png_ptr->current_buffer_size; - png_uint_32 skip_length = png_ptr->skip_length; - - /* We want the smaller of 'skip_length' and 'current_buffer_size', here, - * the same problem exists as above and the same solution. - */ - if (skip_length < save_size) - save_size = (png_size_t)skip_length; - - else - skip_length = (png_uint_32)save_size; - - png_calculate_crc(png_ptr, png_ptr->current_buffer_ptr, save_size); - - png_ptr->skip_length -= skip_length; - png_ptr->buffer_size -= save_size; - png_ptr->current_buffer_size -= save_size; - png_ptr->current_buffer_ptr += save_size; - } - if (png_ptr->skip_length == 0) - { - PNG_PUSH_SAVE_BUFFER_IF_LT(4) - png_crc_finish(png_ptr, 0); - png_ptr->process_mode = PNG_READ_CHUNK_MODE; - } -} - void PNGCBAPI png_push_fill_buffer(png_structp png_ptr, png_bytep buffer, png_size_t length) { @@ -612,13 +524,11 @@ if (png_ptr->save_buffer == NULL) { png_free(png_ptr, old_buffer); - old_buffer = NULL; png_error(png_ptr, "Insufficient memory for save_buffer"); } memcpy(png_ptr->save_buffer, old_buffer, png_ptr->save_buffer_size); png_free(png_ptr, old_buffer); - old_buffer = NULL; png_ptr->save_buffer_max = new_max; } if (png_ptr->current_buffer_size) @@ -681,7 +591,7 @@ * are of different types and we don't know which variable has the fewest * bits. Carefully select the smaller and cast it to the type of the * larger - this cannot overflow. Do not cast in the following test - it - * will break on either 16 or 64 bit platforms. + * will break on either 16-bit or 64-bit platforms. */ if (idat_size < save_size) save_size = (png_size_t)idat_size; @@ -724,6 +634,7 @@ png_ptr->current_buffer_size -= save_size; png_ptr->current_buffer_ptr += save_size; } + if (png_ptr->idat_size == 0) { PNG_PUSH_SAVE_BUFFER_IF_LT(4) @@ -754,7 +665,7 @@ * or the stream marked as finished. */ while (png_ptr->zstream.avail_in > 0 && - !(png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED)) + (png_ptr->flags & PNG_FLAG_ZSTREAM_ENDED) == 0) { int ret; @@ -779,7 +690,7 @@ * change the current behavior (see comments in inflate.c * for why this doesn't happen at present with zlib 1.2.5). */ - ret = inflate(&png_ptr->zstream, Z_SYNC_FLUSH); + ret = PNG_INFLATE(png_ptr, Z_SYNC_FLUSH); /* Check for any failure before proceeding. */ if (ret != Z_OK && ret != Z_STREAM_END) @@ -1064,6 +975,7 @@ } } else +#endif { png_push_have_row(png_ptr, png_ptr->row_buf + 1); png_read_push_finish_row(png_ptr); @@ -1073,6 +985,7 @@ void /* PRIVATE */ png_read_push_finish_row(png_structrp png_ptr) { +#ifdef PNG_READ_INTERLACING_SUPPORTED /* Arrays to facilitate easy interlacing - use pass (0 - 6) as index */ /* Start of interlace block */ @@ -1097,6 +1010,7 @@ if (png_ptr->row_number < png_ptr->num_rows) return; +#ifdef PNG_READ_INTERLACING_SUPPORTED if (png_ptr->interlaced != 0) { png_ptr->row_number = 0; @@ -1131,6 +1045,7 @@ } while (png_ptr->iwidth == 0 || png_ptr->num_rows == 0); } +#endif /* READ_INTERLACING */ } void /* PRIVATE */ @@ -1155,6 +1070,7 @@ (int)png_ptr->pass); } +#ifdef PNG_READ_INTERLACING_SUPPORTED void PNGAPI png_progressive_combine_row(png_const_structrp png_ptr, png_bytep old_row, png_const_bytep new_row) @@ -1169,6 +1085,7 @@ if (new_row != NULL) png_combine_row(png_ptr, old_row, 1/*blocky display*/); } +#endif /* READ_INTERLACING */ void PNGAPI png_set_progressive_read_fn(png_structrp png_ptr, png_voidp progressive_ptr, diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngpriv.h openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngpriv.h --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngpriv.h 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngpriv.h 2016-01-20 01:47:58.000000000 +0000 @@ -29,13 +29,11 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * For conditions of distribution and use, see copyright notice in png.h - * Copyright (c) 1998-2014 Glenn Randers-Pehrson + * Last changed in libpng 1.6.18 [July 23, 2015] + * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * - * Last changed in libpng 1.6.10 [March 6, 1014]] - * * This code is released under the libpng license. * For conditions of distribution and use, see the disclaimer * and license in png.h @@ -148,8 +146,12 @@ * to compile with an appropriate #error if ALIGNED_MEMORY has been turned * off. * - * Note that gcc-4.9 defines __ARM_NEON instead of __ARM_NEON__, so we - * check both variants. + * Note that gcc-4.9 defines __ARM_NEON instead of the deprecated + * __ARM_NEON__, so we check both variants. + * + * To disable ARM_NEON optimizations entirely, and skip compiling the + * associated assembler code, pass --enable-arm-neon=no to configure + * or put -DPNG_ARM_NEON_OPT=0 in CPPFLAGS. */ # if (defined(__ARM_NEON__) || defined(__ARM_NEON)) && \ defined(PNG_ALIGNED_MEMORY_SUPPORTED) @@ -278,17 +280,18 @@ * always be used to declare an extern data or function object in this file. */ #ifndef PNG_INTERNAL_DATA -# define PNG_INTERNAL_DATA(type, name, array) extern type name array +# define PNG_INTERNAL_DATA(type, name, array) PNG_LINKAGE_DATA type name array #endif #ifndef PNG_INTERNAL_FUNCTION # define PNG_INTERNAL_FUNCTION(type, name, args, attributes)\ - extern PNG_FUNCTION(type, name, args, PNG_EMPTY attributes) + PNG_LINKAGE_FUNCTION PNG_FUNCTION(type, name, args, PNG_EMPTY attributes) #endif #ifndef PNG_INTERNAL_CALLBACK # define PNG_INTERNAL_CALLBACK(type, name, args, attributes)\ - extern PNG_FUNCTION(type, (PNGCBAPI name), args, PNG_EMPTY attributes) + PNG_LINKAGE_CALLBACK PNG_FUNCTION(type, (PNGCBAPI name), args,\ + PNG_EMPTY attributes) #endif /* If floating or fixed point APIs are disabled they may still be compiled @@ -326,48 +329,27 @@ # define PNG_DLL_EXPORT #endif -/* SECURITY and SAFETY: - * - * By default libpng is built without any internal limits on image size, - * individual heap (png_malloc) allocations or the total amount of memory used. - * If PNG_SAFE_LIMITS_SUPPORTED is defined, however, the limits below are used - * (unless individually overridden). These limits are believed to be fairly - * safe, but builders of secure systems should verify the values against the - * real system capabilities. - */ -#ifdef PNG_SAFE_LIMITS_SUPPORTED - /* 'safe' limits */ -# ifndef PNG_USER_WIDTH_MAX -# define PNG_USER_WIDTH_MAX 1000000 -# endif -# ifndef PNG_USER_HEIGHT_MAX -# define PNG_USER_HEIGHT_MAX 1000000 -# endif -# ifndef PNG_USER_CHUNK_CACHE_MAX -# define PNG_USER_CHUNK_CACHE_MAX 128 -# endif -# ifndef PNG_USER_CHUNK_MALLOC_MAX -# define PNG_USER_CHUNK_MALLOC_MAX 8000000 -# endif -#else - /* values for no limits */ -# ifndef PNG_USER_WIDTH_MAX -# define PNG_USER_WIDTH_MAX 0x7fffffff -# endif -# ifndef PNG_USER_HEIGHT_MAX -# define PNG_USER_HEIGHT_MAX 0x7fffffff -# endif -# ifndef PNG_USER_CHUNK_CACHE_MAX -# define PNG_USER_CHUNK_CACHE_MAX 0 -# endif -# ifndef PNG_USER_CHUNK_MALLOC_MAX -# define PNG_USER_CHUNK_MALLOC_MAX 0 -# endif +/* This is a global switch to set the compilation for an installed system + * (a release build). It can be set for testing debug builds to ensure that + * they will compile when the build type is switched to RC or STABLE, the + * default is just to use PNG_LIBPNG_BUILD_BASE_TYPE. Set this in CPPFLAGS + * with either: + * + * -DPNG_RELEASE_BUILD Turns on the release compile path + * -DPNG_RELEASE_BUILD=0 Turns it off + * or in your pngusr.h with + * #define PNG_RELEASE_BUILD=1 Turns on the release compile path + * #define PNG_RELEASE_BUILD=0 Turns it off + */ +#ifndef PNG_RELEASE_BUILD +# define PNG_RELEASE_BUILD (PNG_LIBPNG_BUILD_BASE_TYPE >= PNG_LIBPNG_BUILD_RC) #endif -/* Moved to pngpriv.h at libpng-1.5.0 */ -/* NOTE: some of these may have been used in external applications as - * these definitions were exposed in pngconf.h prior to 1.5. +/* SECURITY and SAFETY: + * + * libpng is built with support for internal limits on image dimensions and + * memory usage. These are documented in scripts/pnglibconf.dfa of the + * source and recorded in the machine generated header file pnglibconf.h. */ /* If you are running on a machine where you cannot allocate more @@ -610,21 +592,17 @@ #define PNG_RGB_TO_GRAY_WARN 0x400000 #define PNG_RGB_TO_GRAY 0x600000 /* two bits, RGB_TO_GRAY_ERR|WARN */ #define PNG_ENCODE_ALPHA 0x800000 /* Added to libpng-1.5.4 */ -#define PNG_ADD_ALPHA 0x1000000 /* Added to libpng-1.2.7 */ -#define PNG_EXPAND_tRNS 0x2000000 /* Added to libpng-1.2.9 */ -#define PNG_SCALE_16_TO_8 0x4000000 /* Added to libpng-1.5.4 */ - /* 0x8000000 unused */ - /* 0x10000000 unused */ - /* 0x20000000 unused */ - /* 0x40000000 unused */ +#define PNG_ADD_ALPHA 0x1000000 /* Added to libpng-1.2.7 */ +#define PNG_EXPAND_tRNS 0x2000000 /* Added to libpng-1.2.9 */ +#define PNG_SCALE_16_TO_8 0x4000000 /* Added to libpng-1.5.4 */ + /* 0x8000000 unused */ + /* 0x10000000 unused */ + /* 0x20000000 unused */ + /* 0x40000000 unused */ /* Flags for png_create_struct */ #define PNG_STRUCT_PNG 0x0001 #define PNG_STRUCT_INFO 0x0002 -/* Scaling factor for filter heuristic weighting calculations */ -#define PNG_WEIGHT_FACTOR (1<<(PNG_WEIGHT_SHIFT)) -#define PNG_COST_FACTOR (1<<(PNG_COST_SHIFT)) - /* Flags for the png_ptr->flags rather than declaring a byte for each one */ #define PNG_FLAG_ZLIB_CUSTOM_STRATEGY 0x0001 #define PNG_FLAG_ZSTREAM_INITIALIZED 0x0002 /* Added to libpng-1.6.0 */ @@ -715,7 +693,7 @@ /* The fixed point conversion performs range checking and evaluates * its argument multiple times, so must be used with care. The * range checking uses the PNG specification values for a signed - * 32 bit fixed point value except that the values are deliberately + * 32-bit fixed point value except that the values are deliberately * rounded-to-zero to an integral value - 21474 (21474.83 is roughly * (2^31-1) * 100000). 's' is a string that describes the value being * converted. @@ -808,15 +786,17 @@ * macro will fail on top-bit-set values because of the sign extension. */ #define PNG_CHUNK_FROM_STRING(s)\ - PNG_U32(0xff&(s)[0], 0xff&(s)[1], 0xff&(s)[2], 0xff&(s)[3]) + PNG_U32(0xff & (s)[0], 0xff & (s)[1], 0xff & (s)[2], 0xff & (s)[3]) /* This uses (char), not (png_byte) to avoid warnings on systems where (char) is * signed and the argument is a (char[]) This macro will fail miserably on * systems where (char) is more than 8 bits. */ #define PNG_STRING_FROM_CHUNK(s,c)\ - (void)(((char*)(s))[0]=(char)((c)>>24), ((char*)(s))[1]=(char)((c)>>16),\ - ((char*)(s))[2]=(char)((c)>>8), ((char*)(s))[3]=(char)((c))) + (void)(((char*)(s))[0]=(char)(((c)>>24) & 0xff), \ + ((char*)(s))[1]=(char)(((c)>>16) & 0xff),\ + ((char*)(s))[2]=(char)(((c)>>8) & 0xff), \ + ((char*)(s))[3]=(char)((c & 0xff))) /* Do the same but terminate with a null character. */ #define PNG_CSTRING_FROM_CHUNK(s,c)\ @@ -860,7 +840,7 @@ */ #endif -/* This is used for 16 bit gamma tables -- only the top level pointers are +/* This is used for 16-bit gamma tables -- only the top level pointers are * const; this could be changed: */ typedef const png_uint_16p * png_const_uint_16pp; @@ -878,8 +858,9 @@ PNG_INTERNAL_DATA(const png_uint_16, png_sRGB_base, [512]); PNG_INTERNAL_DATA(const png_byte, png_sRGB_delta, [512]); -#define PNG_sRGB_FROM_LINEAR(linear) ((png_byte)((png_sRGB_base[(linear)>>15] +\ - ((((linear)&0x7fff)*png_sRGB_delta[(linear)>>15])>>12)) >> 8)) +#define PNG_sRGB_FROM_LINEAR(linear) \ + ((png_byte)(0xff & ((png_sRGB_base[(linear)>>15] \ + + ((((linear) & 0x7fff)*png_sRGB_delta[(linear)>>15])>>12)) >> 8))) /* Given a value 'linear' in the range 0..255*65535 calculate the 8-bit sRGB * encoded value with maximum error 0.646365. Note that the input is not a * 16-bit value; it has been multiplied by 255! */ @@ -1262,6 +1243,14 @@ /* Initialize the row buffers, etc. */ PNG_INTERNAL_FUNCTION(void,png_read_start_row,(png_structrp png_ptr),PNG_EMPTY); +#if PNG_ZLIB_VERNUM >= 0x1240 +PNG_INTERNAL_FUNCTION(int,png_zlib_inflate,(png_structrp png_ptr, int flush), + PNG_EMPTY); +# define PNG_INFLATE(pp, flush) png_zlib_inflate(pp, flush) +#else /* Zlib < 1.2.4 */ +# define PNG_INFLATE(pp, flush) inflate(&(pp)->zstream, flush) +#endif /* Zlib < 1.2.4 */ + #ifdef PNG_READ_TRANSFORMS_SUPPORTED /* Optional call to update the users info structure */ PNG_INTERNAL_FUNCTION(void,png_read_transform_info,(png_structrp png_ptr, @@ -1436,10 +1425,6 @@ PNG_INTERNAL_FUNCTION(void,png_push_read_sig,(png_structrp png_ptr, png_inforp info_ptr),PNG_EMPTY); PNG_INTERNAL_FUNCTION(void,png_push_check_crc,(png_structrp png_ptr),PNG_EMPTY); -PNG_INTERNAL_FUNCTION(void,png_push_crc_skip,(png_structrp png_ptr, - png_uint_32 length),PNG_EMPTY); -PNG_INTERNAL_FUNCTION(void,png_push_crc_finish,(png_structrp png_ptr), - PNG_EMPTY); PNG_INTERNAL_FUNCTION(void,png_push_save_buffer,(png_structrp png_ptr), PNG_EMPTY); PNG_INTERNAL_FUNCTION(void,png_push_restore_buffer,(png_structrp png_ptr, diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngread.c openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngread.c --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngread.c 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngread.c 2016-01-20 01:47:58.000000000 +0000 @@ -29,8 +29,8 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * Last changed in libpng 1.6.15 [November 20, 2014] - * Copyright (c) 1998-2014 Glenn Randers-Pehrson + * Last changed in libpng 1.6.17 [March 26, 2015] + * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -91,7 +91,7 @@ /* In stable builds only warn if an application error can be completely * handled. */ -# if PNG_LIBPNG_BUILD_BASE_TYPE >= PNG_LIBPNG_BUILD_RC +# if PNG_RELEASE_BUILD png_ptr->flags |= PNG_FLAG_APP_WARNINGS_WARN; # endif # endif @@ -842,8 +842,7 @@ /* Zero length IDATs are legal after the last IDAT has been * read, but not after other chunks have been read. */ - if ((length > 0) || - (png_ptr->mode & PNG_HAVE_CHUNK_AFTER_IDAT) != 0) + if ((length > 0) || (png_ptr->mode & PNG_HAVE_CHUNK_AFTER_IDAT) != 0) png_benign_error(png_ptr, "Too many IDATs found"); png_crc_finish(png_ptr, length); @@ -1072,9 +1071,9 @@ /* Tell libpng to strip 16-bit/color files down to 8 bits per color. */ if ((transforms & PNG_TRANSFORM_SCALE_16) != 0) - /* Added at libpng-1.5.4. "strip_16" produces the same result that it - * did in earlier versions, while "scale_16" is now more accurate. - */ + /* Added at libpng-1.5.4. "strip_16" produces the same result that it + * did in earlier versions, while "scale_16" is now more accurate. + */ #ifdef PNG_READ_SCALE_16_TO_8_SUPPORTED png_set_scale_16(png_ptr); #else @@ -1238,7 +1237,7 @@ for (iptr = 0; iptr < info_ptr->height; iptr++) info_ptr->row_pointers[iptr] = png_voidcast(png_bytep, - png_malloc(png_ptr, info_ptr->rowbytes)); + png_malloc(png_ptr, info_ptr->rowbytes)); } png_read_image(png_ptr, info_ptr->row_pointers); @@ -1712,10 +1711,11 @@ value *= 257; break; +#ifdef __GNUC__ default: png_error(display->image->opaque->png_ptr, "unexpected encoding (internal error)"); - break; +#endif } return value; @@ -1852,6 +1852,7 @@ y = (y + 128) >> 8; y *= 255; y = PNG_sRGB_FROM_LINEAR((y + 64) >> 7); + alpha = PNG_DIV257(alpha); encoding = P_sRGB; } @@ -2314,8 +2315,14 @@ output_processing = PNG_CMAP_NONE; break; } - +#ifdef __COVERITY__ + /* Coverity claims that output_encoding cannot be 2 (P_LINEAR) + * here. + */ + back_alpha = 255; +#else back_alpha = output_encoding == P_LINEAR ? 65535 : 255; +#endif } /* output_processing means that the libpng-processed row will be @@ -2440,7 +2447,14 @@ */ background_index = i; png_create_colormap_entry(display, i++, back_r, back_g, back_b, - output_encoding == P_LINEAR ? 65535U : 255U, output_encoding); +#ifdef __COVERITY__ + /* Coverity claims that output_encoding cannot be 2 (P_LINEAR) + * here. + */ 255U, +#else + output_encoding == P_LINEAR ? 65535U : 255U, +#endif + output_encoding); /* For non-opaque input composite on the sRGB background - this * requires inverting the encoding for each component. The input @@ -2852,7 +2866,6 @@ default: png_error(png_ptr, "invalid PNG color type"); /*NOT REACHED*/ - break; } /* Now deal with the output processing */ @@ -2862,10 +2875,6 @@ switch (data_encoding) { - default: - png_error(png_ptr, "bad data option (internal error)"); - break; - case P_sRGB: /* Change to 8-bit sRGB */ png_set_alpha_mode_fixed(png_ptr, PNG_ALPHA_PNG, PNG_GAMMA_sRGB); @@ -2875,6 +2884,11 @@ if (png_ptr->bit_depth > 8) png_set_scale_16(png_ptr); break; + +#ifdef __GNUC__ + default: + png_error(png_ptr, "bad data option (internal error)"); +#endif } if (cmap_entries > 256 || cmap_entries > image->colormap_entries) @@ -3274,7 +3288,7 @@ png_uint_32 width = image->width; ptrdiff_t step_row = display->row_bytes; unsigned int channels = - (image->format & PNG_FORMAT_FLAG_COLOR) != 0 ? 3 : 1; + (image->format & PNG_FORMAT_FLAG_COLOR) != 0 ? 3 : 1; int pass; for (pass = 0; pass < passes; ++pass) @@ -3425,10 +3439,6 @@ */ switch (info_ptr->bit_depth) { - default: - png_error(png_ptr, "unexpected bit depth"); - break; - case 8: /* 8-bit sRGB gray values with an alpha channel; the alpha channel is * to be removed by composing on a background: either the row if @@ -3646,6 +3656,11 @@ } } break; + +#ifdef __GNUC__ + default: + png_error(png_ptr, "unexpected bit depth"); +#endif } return 1; diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngrio.c openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngrio.c --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngrio.c 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngrio.c 2016-01-20 01:47:58.000000000 +0000 @@ -29,8 +29,8 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * Last changed in libpng 1.6.15 [November 20, 2014] - * Copyright (c) 1998-2014 Glenn Randers-Pehrson + * Last changed in libpng 1.6.17 [March 26, 2015] + * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -54,7 +54,7 @@ * reads from a file pointer. Note that this routine sometimes gets called * with very small lengths, so you should implement some kind of simple * buffering if you are using unbuffered reads. This should never be asked - * to read more then 64K on a 16 bit machine. + * to read more than 64K on a 16-bit machine. */ void /* PRIVATE */ png_read_data(png_structrp png_ptr, png_bytep data, png_size_t length) diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngrtran.c openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngrtran.c --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngrtran.c 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngrtran.c 2016-01-20 01:47:58.000000000 +0000 @@ -29,8 +29,8 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * Last changed in libpng 1.6.15 [November 20, 2014] - * Copyright (c) 1998-2014 Glenn Randers-Pehrson + * Last changed in libpng 1.6.19 [November 12, 2015] + * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -422,7 +422,7 @@ /* Dither file to 8-bit. Supply a palette, the current number * of elements in the palette, the maximum number of elements * allowed, and a histogram if possible. If the current number - * of colors is greater then the maximum number, the palette will be + * of colors is greater than the maximum number, the palette will be * modified to fit in the maximum number. "full_quantize" indicates * whether we need a quantizing cube set up for RGB images, or if we * simply are reducing the number of colors in a paletted image. @@ -1004,7 +1004,6 @@ default: png_error(png_ptr, "invalid error action to rgb_to_gray"); - break; } if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) @@ -2025,7 +2024,7 @@ # endif # else - /* No 16 bit support: force chopping 16-bit input down to 8, in this case + /* No 16-bit support: force chopping 16-bit input down to 8, in this case * the app program can chose if both APIs are available by setting the * correct scaling to use. */ @@ -2126,10 +2125,10 @@ defined(PNG_READ_USER_TRANSFORM_SUPPORTED) if ((png_ptr->transformations & PNG_USER_TRANSFORM) != 0) { - if (info_ptr->bit_depth < png_ptr->user_transform_depth) + if (png_ptr->user_transform_depth != 0) info_ptr->bit_depth = png_ptr->user_transform_depth; - if (info_ptr->channels < png_ptr->user_transform_channels) + if (png_ptr->user_transform_channels != 0) info_ptr->channels = png_ptr->user_transform_channels; } #endif @@ -2385,7 +2384,7 @@ if (++channel >= channels) channel = 0; *bp++ = (png_byte)(value >> 8); - *bp++ = (png_byte)(value & 0xff); + *bp++ = (png_byte)value; } break; } @@ -2410,8 +2409,8 @@ while (sp < ep) { - /* The input is an array of 16 bit components, these must be scaled to - * 8 bits each. For a 16 bit value V the required value (from the PNG + /* The input is an array of 16-bit components, these must be scaled to + * 8 bits each. For a 16-bit value V the required value (from the PNG * specification) is: * * (V * 255) / 65535 @@ -2432,7 +2431,7 @@ * * The approximate differs from the exact answer only when (vlo-vhi) is * 128; it then gives a correction of +1 when the exact correction is - * 0. This gives 128 errors. The exact answer (correct for all 16 bit + * 0. This gives 128 errors. The exact answer (correct for all 16-bit * input values) is: * * error = (vlo-vhi+128)*65535 >> 24; @@ -2690,9 +2689,9 @@ png_uint_32 row_width = row_info->width; #ifdef PNG_READ_16BIT_SUPPORTED - png_byte hi_filler = (png_byte)((filler>>8) & 0xff); + png_byte hi_filler = (png_byte)(filler>>8); #endif - png_byte lo_filler = (png_byte)(filler & 0xff); + png_byte lo_filler = (png_byte)filler; png_debug(1, "in png_do_read_filler"); @@ -2743,13 +2742,13 @@ png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 1; i < row_width; i++) { - *(--dp) = hi_filler; *(--dp) = lo_filler; + *(--dp) = hi_filler; *(--dp) = *(--sp); *(--dp) = *(--sp); } - *(--dp) = hi_filler; *(--dp) = lo_filler; + *(--dp) = hi_filler; row_info->channels = 2; row_info->pixel_depth = 32; row_info->rowbytes = row_width * 4; @@ -2764,8 +2763,8 @@ { *(--dp) = *(--sp); *(--dp) = *(--sp); - *(--dp) = hi_filler; *(--dp) = lo_filler; + *(--dp) = hi_filler; } row_info->channels = 2; row_info->pixel_depth = 32; @@ -2824,8 +2823,8 @@ png_bytep dp = sp + (png_size_t)row_width * 2; for (i = 1; i < row_width; i++) { - *(--dp) = hi_filler; *(--dp) = lo_filler; + *(--dp) = hi_filler; *(--dp) = *(--sp); *(--dp) = *(--sp); *(--dp) = *(--sp); @@ -2833,8 +2832,8 @@ *(--dp) = *(--sp); *(--dp) = *(--sp); } - *(--dp) = hi_filler; *(--dp) = lo_filler; + *(--dp) = hi_filler; row_info->channels = 4; row_info->pixel_depth = 64; row_info->rowbytes = row_width * 8; @@ -2853,8 +2852,8 @@ *(--dp) = *(--sp); *(--dp) = *(--sp); *(--dp) = *(--sp); - *(--dp) = hi_filler; *(--dp) = lo_filler; + *(--dp) = hi_filler; } row_info->channels = 4; @@ -3115,10 +3114,11 @@ for (i = 0; i < row_width; i++) { png_uint_16 red, green, blue, w; + png_byte hi,lo; - red = (png_uint_16)(((*(sp)) << 8) | *(sp + 1)); sp += 2; - green = (png_uint_16)(((*(sp)) << 8) | *(sp + 1)); sp += 2; - blue = (png_uint_16)(((*(sp)) << 8) | *(sp + 1)); sp += 2; + hi=*(sp)++; lo=*(sp)++; red = (png_uint_16)((hi << 8) | (lo)); + hi=*(sp)++; lo=*(sp)++; green = (png_uint_16)((hi << 8) | (lo)); + hi=*(sp)++; lo=*(sp)++; blue = (png_uint_16)((hi << 8) | (lo)); if (red == green && red == blue) { @@ -3132,16 +3132,16 @@ else { - png_uint_16 red_1 = png_ptr->gamma_16_to_1[(red&0xff) + png_uint_16 red_1 = png_ptr->gamma_16_to_1[(red & 0xff) >> png_ptr->gamma_shift][red>>8]; png_uint_16 green_1 = - png_ptr->gamma_16_to_1[(green&0xff) >> + png_ptr->gamma_16_to_1[(green & 0xff) >> png_ptr->gamma_shift][green>>8]; - png_uint_16 blue_1 = png_ptr->gamma_16_to_1[(blue&0xff) + png_uint_16 blue_1 = png_ptr->gamma_16_to_1[(blue & 0xff) >> png_ptr->gamma_shift][blue>>8]; png_uint_16 gray16 = (png_uint_16)((rc*red_1 + gc*green_1 + bc*blue_1 + 16384)>>15); - w = png_ptr->gamma_16_from_1[(gray16&0xff) >> + w = png_ptr->gamma_16_from_1[(gray16 & 0xff) >> png_ptr->gamma_shift][gray16 >> 8]; rgb_error |= 1; } @@ -3166,17 +3166,18 @@ for (i = 0; i < row_width; i++) { png_uint_16 red, green, blue, gray16; + png_byte hi,lo; - red = (png_uint_16)(((*(sp)) << 8) | *(sp + 1)); sp += 2; - green = (png_uint_16)(((*(sp)) << 8) | *(sp + 1)); sp += 2; - blue = (png_uint_16)(((*(sp)) << 8) | *(sp + 1)); sp += 2; + hi=*(sp)++; lo=*(sp)++; red = (png_uint_16)((hi << 8) | (lo)); + hi=*(sp)++; lo=*(sp)++; green = (png_uint_16)((hi << 8) | (lo)); + hi=*(sp)++; lo=*(sp)++; blue = (png_uint_16)((hi << 8) | (lo)); if (red != green || red != blue) rgb_error |= 1; - /* From 1.5.5 in the 16 bit case do the accurate conversion even + /* From 1.5.5 in the 16-bit case do the accurate conversion even * in the 'fast' case - this is because this is where the code - * ends up when handling linear 16 bit data. + * ends up when handling linear 16-bit data. */ gray16 = (png_uint_16)((rc*red + gc*green + bc*blue + 16384) >> 15); @@ -3341,7 +3342,7 @@ if ((png_uint_16)((*sp >> shift) & 0x0f) == png_ptr->trans_color.gray) { - unsigned int tmp = *sp & (0xf0f >> (4 - shift)); + unsigned int tmp = *sp & (0x0f0f >> (4 - shift)); tmp |= png_ptr->background.gray << shift; *sp = (png_byte)(tmp & 0xff); } @@ -3351,7 +3352,7 @@ unsigned int p = (*sp >> shift) & 0x0f; unsigned int g = (gamma_table[p | (p << 4)] >> 4) & 0x0f; - unsigned int tmp = *sp & (0xf0f >> (4 - shift)); + unsigned int tmp = *sp & (0x0f0f >> (4 - shift)); tmp |= g << shift; *sp = (png_byte)(tmp & 0xff); } @@ -3377,7 +3378,7 @@ if ((png_uint_16)((*sp >> shift) & 0x0f) == png_ptr->trans_color.gray) { - unsigned int tmp = *sp & (0xf0f >> (4 - shift)); + unsigned int tmp = *sp & (0x0f0f >> (4 - shift)); tmp |= png_ptr->background.gray << shift; *sp = (png_byte)(tmp & 0xff); } @@ -3695,7 +3696,8 @@ if (optimize != 0) w = v; else - w = gamma_16_from_1[(v&0xff) >> gamma_shift][v >> 8]; + w = gamma_16_from_1[(v & 0xff) >> + gamma_shift][v >> 8]; *sp = (png_byte)((w >> 8) & 0xff); *(sp + 1) = (png_byte)(w & 0xff); } @@ -3859,7 +3861,7 @@ v = gamma_16_to_1[*(sp + 1) >> gamma_shift][*sp]; png_composite_16(w, v, a, png_ptr->background_1.red); if (optimize == 0) - w = gamma_16_from_1[((w&0xff) >> gamma_shift)][w >> + w = gamma_16_from_1[((w & 0xff) >> gamma_shift)][w >> 8]; *sp = (png_byte)((w >> 8) & 0xff); *(sp + 1) = (png_byte)(w & 0xff); @@ -3867,7 +3869,7 @@ v = gamma_16_to_1[*(sp + 3) >> gamma_shift][*(sp + 2)]; png_composite_16(w, v, a, png_ptr->background_1.green); if (optimize == 0) - w = gamma_16_from_1[((w&0xff) >> gamma_shift)][w >> + w = gamma_16_from_1[((w & 0xff) >> gamma_shift)][w >> 8]; *(sp + 2) = (png_byte)((w >> 8) & 0xff); @@ -3876,7 +3878,7 @@ v = gamma_16_to_1[*(sp + 5) >> gamma_shift][*(sp + 4)]; png_composite_16(w, v, a, png_ptr->background_1.blue); if (optimize == 0) - w = gamma_16_from_1[((w&0xff) >> gamma_shift)][w >> + w = gamma_16_from_1[((w & 0xff) >> gamma_shift)][w >> 8]; *(sp + 4) = (png_byte)((w >> 8) & 0xff); @@ -4485,7 +4487,7 @@ for (i = 0; i < row_width; i++) { - if (*sp == gray) + if ((*sp & 0xffU) == gray) *dp-- = 0; else @@ -4503,7 +4505,8 @@ dp = row + (row_info->rowbytes << 1) - 1; for (i = 0; i < row_width; i++) { - if (*(sp - 1) == gray_high && *(sp) == gray_low) + if ((*(sp - 1) & 0xffU) == gray_high && + (*(sp) & 0xffU) == gray_low) { *dp-- = 0; *dp-- = 0; @@ -4865,7 +4868,7 @@ /* Because PNG_COMPOSE does the gamma transform if there is something to * do (if there is an alpha channel or transparency.) */ - !((png_ptr->transformations & PNG_COMPOSE) && + !((png_ptr->transformations & PNG_COMPOSE) != 0 && ((png_ptr->num_trans != 0) || (png_ptr->color_type & PNG_COLOR_MASK_ALPHA) != 0)) && #endif diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngrutil.c openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngrutil.c --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngrutil.c 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngrutil.c 2016-01-20 01:47:58.000000000 +0000 @@ -29,8 +29,8 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * Last changed in libpng 1.6.15 [November 20, 2014] - * Copyright (c) 1998-2014 Glenn Randers-Pehrson + * Last changed in libpng 1.6.20 [December 3, 2015] + * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -117,7 +117,13 @@ return uval; uval = (uval ^ 0xffffffff) + 1; /* 2's complement: -x = ~x+1 */ - return -(png_int_32)uval; + if ((uval & 0x80000000) == 0) /* no overflow */ + return -(png_int_32)uval; + /* The following has to be safe; this function only gets called on PNG data + * and if we get here that data is invalid. 0 is the most safe value and + * if not then an attacker would surely just generate a PNG with 0 instead. + */ + return 0; } /* Grab an unsigned 16-bit integer from a buffer in big-endian format. */ @@ -126,7 +132,7 @@ { /* ANSI-C requires an int value to accomodate at least 16 bits so this * works and allows the compiler not to worry about possible narrowing - * on 32 bit systems. (Pre-ANSI systems did not make integers smaller + * on 32-bit systems. (Pre-ANSI systems did not make integers smaller * than 16 bits either.) */ unsigned int val = @@ -369,7 +375,7 @@ * are minimal. */ (void)png_safecat(msg, (sizeof msg), 4, " using zstream"); -#if PNG_LIBPNG_BUILD_BASE_TYPE >= PNG_LIBPNG_BUILD_RC +#if PNG_RELEASE_BUILD png_chunk_warning(png_ptr, msg); png_ptr->zowner = 0; #else @@ -399,10 +405,16 @@ if (((png_ptr->options >> PNG_MAXIMUM_INFLATE_WINDOW) & 3) == PNG_OPTION_ON) + { window_bits = 15; + png_ptr->zstream_start = 0; /* fixed window size */ + } else + { window_bits = 0; + png_ptr->zstream_start = 1; + } # else # define window_bits 0 # endif @@ -451,6 +463,31 @@ #endif } +#if PNG_ZLIB_VERNUM >= 0x1240 +/* Handle the start of the inflate stream if we called inflateInit2(strm,0); + * in this case some zlib versions skip validation of the CINFO field and, in + * certain circumstances, libpng may end up displaying an invalid image, in + * contrast to implementations that call zlib in the normal way (e.g. libpng + * 1.5). + */ +int /* PRIVATE */ +png_zlib_inflate(png_structrp png_ptr, int flush) +{ + if (png_ptr->zstream_start && png_ptr->zstream.avail_in > 0) + { + if ((*png_ptr->zstream.next_in >> 4) > 7) + { + png_ptr->zstream.msg = "invalid window size (libpng)"; + return Z_DATA_ERROR; + } + + png_ptr->zstream_start = 0; + } + + return inflate(&png_ptr->zstream, flush); +} +#endif /* Zlib >= 1.2.4 */ + #ifdef PNG_READ_COMPRESSED_TEXT_SUPPORTED /* png_inflate now returns zlib error codes including Z_OK and Z_STREAM_END to * allow the caller to do multiple calls if required. If the 'finish' flag is @@ -544,7 +581,7 @@ * the previous chunk of input data. Tell zlib if we have reached the * end of the output buffer. */ - ret = inflate(&png_ptr->zstream, avail_out > 0 ? Z_NO_FLUSH : + ret = PNG_INFLATE(png_ptr, avail_out > 0 ? Z_NO_FLUSH : (finish ? Z_FINISH : Z_SYNC_FLUSH)); } while (ret == Z_OK); @@ -603,7 +640,7 @@ */ png_alloc_size_t limit = PNG_SIZE_MAX; -# ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED +# ifdef PNG_SET_USER_LIMITS_SUPPORTED if (png_ptr->user_chunk_malloc_max > 0 && png_ptr->user_chunk_malloc_max < limit) limit = png_ptr->user_chunk_malloc_max; @@ -698,7 +735,6 @@ * success) */ png_free(png_ptr, text); - text = NULL; /* This really is very benign, but it's still an error because * the extra space may otherwise be used as a Trojan Horse. @@ -794,7 +830,7 @@ * the available output is produced; this allows reading of truncated * streams. */ - ret = inflate(&png_ptr->zstream, + ret = PNG_INFLATE(png_ptr, *chunk_bytes > 0 ? Z_NO_FLUSH : (finish ? Z_FINISH : Z_SYNC_FLUSH)); } while (ret == Z_OK && (*out_size > 0 || png_ptr->zstream.avail_out > 0)); @@ -895,7 +931,7 @@ png_handle_PLTE(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) { png_color palette[PNG_MAX_PALETTE_LENGTH]; - int num, i; + int max_palette_length, num, i; #ifdef PNG_POINTER_INDEXING_SUPPORTED png_colorp pal_ptr; #endif @@ -956,6 +992,19 @@ /* The cast is safe because 'length' is less than 3*PNG_MAX_PALETTE_LENGTH */ num = (int)length / 3; + /* If the palette has 256 or fewer entries but is too large for the bit + * depth, we don't issue an error, to preserve the behavior of previous + * libpng versions. We silently truncate the unused extra palette entries + * here. + */ + if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) + max_palette_length = (1 << png_ptr->bit_depth); + else + max_palette_length = PNG_MAX_PALETTE_LENGTH; + + if (num > max_palette_length) + num = max_palette_length; + #ifdef PNG_POINTER_INDEXING_SUPPORTED for (i = 0, pal_ptr = palette; i < num; i++, pal_ptr++) { @@ -988,7 +1037,7 @@ if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) #endif { - png_crc_finish(png_ptr, 0); + png_crc_finish(png_ptr, (int) length - num * 3); } #ifndef PNG_READ_OPT_PLTE_SUPPORTED @@ -1175,11 +1224,13 @@ return; for (i=0; i sample_depth) { png_chunk_benign_error(png_ptr, "invalid"); return; } + } if ((png_ptr->color_type & PNG_COLOR_MASK_COLOR) != 0) { @@ -1490,10 +1541,10 @@ finished = 1; # ifdef PNG_sRGB_SUPPORTED - /* Check for a match against sRGB */ - png_icc_set_sRGB(png_ptr, - &png_ptr->colorspace, profile, - png_ptr->zstream.adler); + /* Check for a match against sRGB */ + png_icc_set_sRGB(png_ptr, + &png_ptr->colorspace, profile, + png_ptr->zstream.adler); # endif /* Steal the profile for info_ptr. */ @@ -1543,8 +1594,10 @@ else if (size > 0) errmsg = "truncated"; +#ifndef __COVERITY__ else errmsg = png_ptr->zstream.msg; +#endif } /* else png_icc_check_tag_table output an error */ @@ -1676,7 +1729,7 @@ ++entry_start; /* A sample depth should follow the separator, and we should be on it */ - if (entry_start > buffer + length - 2) + if (length < 2U || entry_start > buffer + (length - 2U)) { png_warning(png_ptr, "malformed sPLT chunk"); return; @@ -1701,8 +1754,8 @@ if (dl > max_dl) { - png_warning(png_ptr, "sPLT chunk too long"); - return; + png_warning(png_ptr, "sPLT chunk too long"); + return; } new_palette.nentries = (png_int_32)(data_length / entry_size); @@ -1712,8 +1765,8 @@ if (new_palette.entries == NULL) { - png_warning(png_ptr, "sPLT chunk requires too much memory"); - return; + png_warning(png_ptr, "sPLT chunk requires too much memory"); + return; } #ifdef PNG_POINTER_INDEXING_SUPPORTED @@ -1843,7 +1896,8 @@ return; } - if (length > png_ptr->num_palette || length > PNG_MAX_PALETTE_LENGTH || + if (length > (unsigned int) png_ptr->num_palette || + length > (unsigned int) PNG_MAX_PALETTE_LENGTH || length == 0) { png_crc_finish(png_ptr, length); @@ -2006,7 +2060,8 @@ num = length / 2 ; - if (num != png_ptr->num_palette || num > PNG_MAX_PALETTE_LENGTH) + if (num != (unsigned int) png_ptr->num_palette || + num > (unsigned int) PNG_MAX_PALETTE_LENGTH) { png_crc_finish(png_ptr, length); png_chunk_benign_error(png_ptr, "invalid"); @@ -2178,7 +2233,7 @@ /* We need to have at least 12 bytes after the purpose string * in order to get the parameter information. */ - if (endptr <= buf + 12) + if (endptr - buf <= 12) { png_chunk_benign_error(png_ptr, "invalid"); return; @@ -2741,14 +2796,14 @@ png_ptr->unknown_chunk.data = NULL; } -# ifdef PNG_SET_CHUNK_MALLOC_LIMIT_SUPPORTED - if (png_ptr->user_chunk_malloc_max > 0 && - png_ptr->user_chunk_malloc_max < limit) - limit = png_ptr->user_chunk_malloc_max; +# ifdef PNG_SET_USER_LIMITS_SUPPORTED + if (png_ptr->user_chunk_malloc_max > 0 && + png_ptr->user_chunk_malloc_max < limit) + limit = png_ptr->user_chunk_malloc_max; # elif PNG_USER_CHUNK_MALLOC_MAX > 0 - if (PNG_USER_CHUNK_MALLOC_MAX < limit) - limit = PNG_USER_CHUNK_MALLOC_MAX; + if (PNG_USER_CHUNK_MALLOC_MAX < limit) + limit = PNG_USER_CHUNK_MALLOC_MAX; # endif if (length <= limit) @@ -2811,7 +2866,7 @@ */ # ifndef PNG_HANDLE_AS_UNKNOWN_SUPPORTED # ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED - keep = png_chunk_unknown_handling(png_ptr, png_ptr->chunk_name); + keep = png_chunk_unknown_handling(png_ptr, png_ptr->chunk_name); # endif # endif @@ -2820,153 +2875,153 @@ * PNG_READ_UNKNOWN_CHUNKS_SUPPORTED) */ # ifdef PNG_READ_USER_CHUNKS_SUPPORTED - /* The user callback takes precedence over the chunk keep value, but the - * keep value is still required to validate a save of a critical chunk. - */ - if (png_ptr->read_user_chunk_fn != NULL) + /* The user callback takes precedence over the chunk keep value, but the + * keep value is still required to validate a save of a critical chunk. + */ + if (png_ptr->read_user_chunk_fn != NULL) + { + if (png_cache_unknown_chunk(png_ptr, length) != 0) { - if (png_cache_unknown_chunk(png_ptr, length) != 0) + /* Callback to user unknown chunk handler */ + int ret = (*(png_ptr->read_user_chunk_fn))(png_ptr, + &png_ptr->unknown_chunk); + + /* ret is: + * negative: An error occurred; png_chunk_error will be called. + * zero: The chunk was not handled, the chunk will be discarded + * unless png_set_keep_unknown_chunks has been used to set + * a 'keep' behavior for this particular chunk, in which + * case that will be used. A critical chunk will cause an + * error at this point unless it is to be saved. + * positive: The chunk was handled, libpng will ignore/discard it. + */ + if (ret < 0) + png_chunk_error(png_ptr, "error in user chunk"); + + else if (ret == 0) { - /* Callback to user unknown chunk handler */ - int ret = (*(png_ptr->read_user_chunk_fn))(png_ptr, - &png_ptr->unknown_chunk); - - /* ret is: - * negative: An error occured, png_chunk_error will be called. - * zero: The chunk was not handled, the chunk will be discarded - * unless png_set_keep_unknown_chunks has been used to set - * a 'keep' behavior for this particular chunk, in which - * case that will be used. A critical chunk will cause an - * error at this point unless it is to be saved. - * positive: The chunk was handled, libpng will ignore/discard it. + /* If the keep value is 'default' or 'never' override it, but + * still error out on critical chunks unless the keep value is + * 'always' While this is weird it is the behavior in 1.4.12. + * A possible improvement would be to obey the value set for the + * chunk, but this would be an API change that would probably + * damage some applications. + * + * The png_app_warning below catches the case that matters, where + * the application has not set specific save or ignore for this + * chunk or global save or ignore. */ - if (ret < 0) - png_chunk_error(png_ptr, "error in user chunk"); - - else if (ret == 0) + if (keep < PNG_HANDLE_CHUNK_IF_SAFE) { - /* If the keep value is 'default' or 'never' override it, but - * still error out on critical chunks unless the keep value is - * 'always' While this is weird it is the behavior in 1.4.12. - * A possible improvement would be to obey the value set for the - * chunk, but this would be an API change that would probably - * damage some applications. - * - * The png_app_warning below catches the case that matters, where - * the application has not set specific save or ignore for this - * chunk or global save or ignore. - */ - if (keep < PNG_HANDLE_CHUNK_IF_SAFE) +# ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED + if (png_ptr->unknown_default < PNG_HANDLE_CHUNK_IF_SAFE) { -# ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED - if (png_ptr->unknown_default < PNG_HANDLE_CHUNK_IF_SAFE) - { - png_chunk_warning(png_ptr, "Saving unknown chunk:"); - png_app_warning(png_ptr, - "forcing save of an unhandled chunk;" - " please call png_set_keep_unknown_chunks"); - /* with keep = PNG_HANDLE_CHUNK_IF_SAFE */ - } -# endif - keep = PNG_HANDLE_CHUNK_IF_SAFE; + png_chunk_warning(png_ptr, "Saving unknown chunk:"); + png_app_warning(png_ptr, + "forcing save of an unhandled chunk;" + " please call png_set_keep_unknown_chunks"); + /* with keep = PNG_HANDLE_CHUNK_IF_SAFE */ } - } - - else /* chunk was handled */ - { - handled = 1; - /* Critical chunks can be safely discarded at this point. */ - keep = PNG_HANDLE_CHUNK_NEVER; +# endif + keep = PNG_HANDLE_CHUNK_IF_SAFE; } } - else - keep = PNG_HANDLE_CHUNK_NEVER; /* insufficient memory */ + else /* chunk was handled */ + { + handled = 1; + /* Critical chunks can be safely discarded at this point. */ + keep = PNG_HANDLE_CHUNK_NEVER; + } } else - /* Use the SAVE_UNKNOWN_CHUNKS code or skip the chunk */ + keep = PNG_HANDLE_CHUNK_NEVER; /* insufficient memory */ + } + + else + /* Use the SAVE_UNKNOWN_CHUNKS code or skip the chunk */ # endif /* READ_USER_CHUNKS */ # ifdef PNG_SAVE_UNKNOWN_CHUNKS_SUPPORTED - { - /* keep is currently just the per-chunk setting, if there was no - * setting change it to the global default now (not that this may - * still be AS_DEFAULT) then obtain the cache of the chunk if required, - * if not simply skip the chunk. - */ - if (keep == PNG_HANDLE_CHUNK_AS_DEFAULT) - keep = png_ptr->unknown_default; - - if (keep == PNG_HANDLE_CHUNK_ALWAYS || - (keep == PNG_HANDLE_CHUNK_IF_SAFE && - PNG_CHUNK_ANCILLARY(png_ptr->chunk_name))) - { - if (png_cache_unknown_chunk(png_ptr, length) == 0) - keep = PNG_HANDLE_CHUNK_NEVER; - } + { + /* keep is currently just the per-chunk setting, if there was no + * setting change it to the global default now (not that this may + * still be AS_DEFAULT) then obtain the cache of the chunk if required, + * if not simply skip the chunk. + */ + if (keep == PNG_HANDLE_CHUNK_AS_DEFAULT) + keep = png_ptr->unknown_default; - else - png_crc_finish(png_ptr, length); + if (keep == PNG_HANDLE_CHUNK_ALWAYS || + (keep == PNG_HANDLE_CHUNK_IF_SAFE && + PNG_CHUNK_ANCILLARY(png_ptr->chunk_name))) + { + if (png_cache_unknown_chunk(png_ptr, length) == 0) + keep = PNG_HANDLE_CHUNK_NEVER; } + + else + png_crc_finish(png_ptr, length); + } # else # ifndef PNG_READ_USER_CHUNKS_SUPPORTED # error no method to support READ_UNKNOWN_CHUNKS # endif - { - /* If here there is no read callback pointer set and no support is - * compiled in to just save the unknown chunks, so simply skip this - * chunk. If 'keep' is something other than AS_DEFAULT or NEVER then - * the app has erroneously asked for unknown chunk saving when there - * is no support. - */ - if (keep > PNG_HANDLE_CHUNK_NEVER) - png_app_error(png_ptr, "no unknown chunk support available"); + { + /* If here there is no read callback pointer set and no support is + * compiled in to just save the unknown chunks, so simply skip this + * chunk. If 'keep' is something other than AS_DEFAULT or NEVER then + * the app has erroneously asked for unknown chunk saving when there + * is no support. + */ + if (keep > PNG_HANDLE_CHUNK_NEVER) + png_app_error(png_ptr, "no unknown chunk support available"); - png_crc_finish(png_ptr, length); - } + png_crc_finish(png_ptr, length); + } # endif # ifdef PNG_STORE_UNKNOWN_CHUNKS_SUPPORTED - /* Now store the chunk in the chunk list if appropriate, and if the limits - * permit it. - */ - if (keep == PNG_HANDLE_CHUNK_ALWAYS || - (keep == PNG_HANDLE_CHUNK_IF_SAFE && - PNG_CHUNK_ANCILLARY(png_ptr->chunk_name))) - { + /* Now store the chunk in the chunk list if appropriate, and if the limits + * permit it. + */ + if (keep == PNG_HANDLE_CHUNK_ALWAYS || + (keep == PNG_HANDLE_CHUNK_IF_SAFE && + PNG_CHUNK_ANCILLARY(png_ptr->chunk_name))) + { # ifdef PNG_USER_LIMITS_SUPPORTED - switch (png_ptr->user_chunk_cache_max) - { - case 2: - png_ptr->user_chunk_cache_max = 1; - png_chunk_benign_error(png_ptr, "no space in chunk cache"); - /* FALL THROUGH */ - case 1: - /* NOTE: prior to 1.6.0 this case resulted in an unknown critical - * chunk being skipped, now there will be a hard error below. - */ - break; + switch (png_ptr->user_chunk_cache_max) + { + case 2: + png_ptr->user_chunk_cache_max = 1; + png_chunk_benign_error(png_ptr, "no space in chunk cache"); + /* FALL THROUGH */ + case 1: + /* NOTE: prior to 1.6.0 this case resulted in an unknown critical + * chunk being skipped, now there will be a hard error below. + */ + break; - default: /* not at limit */ - --(png_ptr->user_chunk_cache_max); - /* FALL THROUGH */ - case 0: /* no limit */ -# endif /* USER_LIMITS */ - /* Here when the limit isn't reached or when limits are compiled - * out; store the chunk. - */ - png_set_unknown_chunks(png_ptr, info_ptr, - &png_ptr->unknown_chunk, 1); - handled = 1; -# ifdef PNG_USER_LIMITS_SUPPORTED - break; - } -# endif + default: /* not at limit */ + --(png_ptr->user_chunk_cache_max); + /* FALL THROUGH */ + case 0: /* no limit */ +# endif /* USER_LIMITS */ + /* Here when the limit isn't reached or when limits are compiled + * out; store the chunk. + */ + png_set_unknown_chunks(png_ptr, info_ptr, + &png_ptr->unknown_chunk, 1); + handled = 1; +# ifdef PNG_USER_LIMITS_SUPPORTED + break; } +# endif + } # else /* no store support: the chunk must be handled by the user callback */ - PNG_UNUSED(info_ptr) + PNG_UNUSED(info_ptr) # endif /* Regardless of the error handling below the cached data (if any) can be @@ -3068,13 +3123,13 @@ end_ptr = dp + PNG_ROWBYTES(pixel_depth, row_width) - 1; end_byte = *end_ptr; # ifdef PNG_READ_PACKSWAP_SUPPORTED - if ((png_ptr->transformations & PNG_PACKSWAP) != 0) - /* little-endian byte */ - end_mask = 0xff << end_mask; + if ((png_ptr->transformations & PNG_PACKSWAP) != 0) + /* little-endian byte */ + end_mask = 0xff << end_mask; - else /* big-endian byte */ + else /* big-endian byte */ # endif - end_mask = 0xff >> end_mask; + end_mask = 0xff >> end_mask; /* end_mask is now the bits to *keep* from the destination row */ } @@ -3232,12 +3287,12 @@ png_uint_32 mask; # ifdef PNG_READ_PACKSWAP_SUPPORTED - if ((png_ptr->transformations & PNG_PACKSWAP) != 0) - mask = MASK(pass, pixel_depth, display, 0); + if ((png_ptr->transformations & PNG_PACKSWAP) != 0) + mask = MASK(pass, pixel_depth, display, 0); - else + else # endif - mask = MASK(pass, pixel_depth, display, 1); + mask = MASK(pass, pixel_depth, display, 1); for (;;) { @@ -3838,15 +3893,15 @@ p = b - c; pc = a - c; -# ifdef PNG_USE_ABS - pa = abs(p); - pb = abs(pc); - pc = abs(p + pc); -# else - pa = p < 0 ? -p : p; - pb = pc < 0 ? -pc : pc; - pc = (p + pc) < 0 ? -(p + pc) : p + pc; -# endif +#ifdef PNG_USE_ABS + pa = abs(p); + pb = abs(pc); + pc = abs(p + pc); +#else + pa = p < 0 ? -p : p; + pb = pc < 0 ? -pc : pc; + pc = (p + pc) < 0 ? -(p + pc) : p + pc; +#endif /* Find the best predictor, the least of pa, pb, pc favoring the earlier * ones in the case of a tie. @@ -3893,15 +3948,15 @@ p = b - c; pc = a - c; -# ifdef PNG_USE_ABS - pa = abs(p); - pb = abs(pc); - pc = abs(p + pc); -# else - pa = p < 0 ? -p : p; - pb = pc < 0 ? -pc : pc; - pc = (p + pc) < 0 ? -(p + pc) : p + pc; -# endif +#ifdef PNG_USE_ABS + pa = abs(p); + pb = abs(pc); + pc = abs(p + pc); +#else + pa = p < 0 ? -p : p; + pb = pc < 0 ? -pc : pc; + pc = (p + pc) < 0 ? -(p + pc) : p + pc; +#endif if (pb < pa) pa = pb, a = b; if (pc < pa) a = c; @@ -4043,7 +4098,7 @@ * * TODO: deal more elegantly with truncated IDAT lists. */ - ret = inflate(&png_ptr->zstream, Z_NO_FLUSH); + ret = PNG_INFLATE(png_ptr, Z_NO_FLUSH); /* Take the unconsumed output back. */ if (output != NULL) @@ -4306,18 +4361,18 @@ #ifdef PNG_READ_EXPAND_16_SUPPORTED if ((png_ptr->transformations & PNG_EXPAND_16) != 0) { -# ifdef PNG_READ_EXPAND_SUPPORTED - /* In fact it is an error if it isn't supported, but checking is - * the safe way. - */ - if ((png_ptr->transformations & PNG_EXPAND) != 0) - { - if (png_ptr->bit_depth < 16) - max_pixel_depth *= 2; - } - else -# endif - png_ptr->transformations &= ~PNG_EXPAND_16; +# ifdef PNG_READ_EXPAND_SUPPORTED + /* In fact it is an error if it isn't supported, but checking is + * the safe way. + */ + if ((png_ptr->transformations & PNG_EXPAND) != 0) + { + if (png_ptr->bit_depth < 16) + max_pixel_depth *= 2; + } + else +# endif + png_ptr->transformations &= ~PNG_EXPAND_16; } #endif diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngset.c openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngset.c --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngset.c 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngset.c 2016-01-20 01:47:58.000000000 +0000 @@ -29,8 +29,8 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * Last changed in libpng 1.6.15 [November 20, 2014] - * Copyright (c) 1998-2014 Glenn Randers-Pehrson + * Last changed in libpng 1.6.19 [November 12, 2015] + * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -151,12 +151,12 @@ png_fixed(png_ptr, red_X, "cHRM Red X"), png_fixed(png_ptr, red_Y, "cHRM Red Y"), png_fixed(png_ptr, red_Z, "cHRM Red Z"), - png_fixed(png_ptr, green_X, "cHRM Red X"), - png_fixed(png_ptr, green_Y, "cHRM Red Y"), - png_fixed(png_ptr, green_Z, "cHRM Red Z"), - png_fixed(png_ptr, blue_X, "cHRM Red X"), - png_fixed(png_ptr, blue_Y, "cHRM Red Y"), - png_fixed(png_ptr, blue_Z, "cHRM Red Z")); + png_fixed(png_ptr, green_X, "cHRM Green X"), + png_fixed(png_ptr, green_Y, "cHRM Green Y"), + png_fixed(png_ptr, green_Z, "cHRM Green Z"), + png_fixed(png_ptr, blue_X, "cHRM Blue X"), + png_fixed(png_ptr, blue_Y, "cHRM Blue Y"), + png_fixed(png_ptr, blue_Z, "cHRM Blue Z")); } # endif /* FLOATING_POINT */ @@ -218,6 +218,7 @@ if (info_ptr->hist == NULL) { png_warning(png_ptr, "Insufficient memory for hIST chunk data"); + return; } @@ -299,7 +300,7 @@ png_debug1(1, "in %s storage function", "pCAL"); if (png_ptr == NULL || info_ptr == NULL || purpose == NULL || units == NULL - || (nparams > 0 && params == NULL)) + || (nparams > 0 && params == NULL)) return; length = strlen(purpose) + 1; @@ -329,6 +330,7 @@ if (info_ptr->pcal_purpose == NULL) { png_warning(png_ptr, "Insufficient memory for pCAL purpose"); + return; } @@ -350,6 +352,7 @@ if (info_ptr->pcal_units == NULL) { png_warning(png_ptr, "Insufficient memory for pCAL units"); + return; } @@ -361,6 +364,7 @@ if (info_ptr->pcal_params == NULL) { png_warning(png_ptr, "Insufficient memory for pCAL params"); + return; } @@ -377,6 +381,7 @@ if (info_ptr->pcal_params[i] == NULL) { png_warning(png_ptr, "Insufficient memory for pCAL parameter"); + return; } @@ -426,6 +431,7 @@ if (info_ptr->scal_s_width == NULL) { png_warning(png_ptr, "Memory allocation failed while processing sCAL"); + return; } @@ -444,6 +450,7 @@ info_ptr->scal_s_width = NULL; png_warning(png_ptr, "Memory allocation failed while processing sCAL"); + return; } @@ -534,12 +541,17 @@ png_const_colorp palette, int num_palette) { + png_uint_32 max_palette_length; + png_debug1(1, "in %s storage function", "PLTE"); if (png_ptr == NULL || info_ptr == NULL) return; - if (num_palette < 0 || num_palette > PNG_MAX_PALETTE_LENGTH) + max_palette_length = (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? + (1 << info_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; + + if (num_palette < 0 || num_palette > (int) max_palette_length) { if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) png_error(png_ptr, "Invalid palette length"); @@ -547,6 +559,7 @@ else { png_warning(png_ptr, "Invalid palette length"); + return; } } @@ -559,7 +572,6 @@ )) { png_error(png_ptr, "Invalid palette"); - return; } /* It may not actually be necessary to set png_ptr->palette here; @@ -572,8 +584,8 @@ png_free_data(png_ptr, info_ptr, PNG_FREE_PLTE, 0); /* Changed in libpng-1.2.1 to allocate PNG_MAX_PALETTE_LENGTH instead - * of num_palette entries, in case of an invalid PNG file that has - * too-large sample values. + * of num_palette entries, in case of an invalid PNG file or incorrect + * call to png_set_PLTE() with too-large sample values. */ png_ptr->palette = png_voidcast(png_colorp, png_calloc(png_ptr, PNG_MAX_PALETTE_LENGTH * (sizeof (png_color)))); @@ -683,6 +695,7 @@ if (new_iccp_name == NULL) { png_benign_error(png_ptr, "Insufficient memory to process iCCP chunk"); + return; } @@ -693,9 +706,9 @@ if (new_iccp_profile == NULL) { png_free(png_ptr, new_iccp_name); - new_iccp_name = NULL; png_benign_error(png_ptr, "Insufficient memory to process iCCP profile"); + return; } @@ -729,7 +742,7 @@ { int i; - png_debug1(1, "in %lx storage function", png_ptr == NULL ? "unexpected" : + png_debug1(1, "in %lx storage function", png_ptr == NULL ? 0xabadca11U : (unsigned long)png_ptr->chunk_name); if (png_ptr == NULL || info_ptr == NULL || num_text <= 0 || text_ptr == NULL) @@ -771,6 +784,7 @@ { png_chunk_report(png_ptr, "too many text chunks", PNG_CHUNK_WRITE_ERROR); + return 1; } @@ -826,7 +840,7 @@ else lang_key_len = 0; } -# else /* PNG_iTXt_SUPPORTED */ +# else /* iTXt */ { png_chunk_report(png_ptr, "iTXt chunk not supported", PNG_CHUNK_WRITE_ERROR); @@ -859,6 +873,7 @@ { png_chunk_report(png_ptr, "text chunk: out of memory", PNG_CHUNK_WRITE_ERROR); + return 1; } @@ -932,6 +947,7 @@ mod_time->second > 60) { png_warning(png_ptr, "Ignoring invalid time value"); + return; } @@ -948,6 +964,7 @@ png_debug1(1, "in %s storage function", "tRNS"); if (png_ptr == NULL || info_ptr == NULL) + return; if (trans_alpha != NULL) @@ -973,16 +990,21 @@ if (trans_color != NULL) { - int sample_max = (1 << info_ptr->bit_depth); +#ifdef PNG_WARNINGS_SUPPORTED + if (info_ptr->bit_depth < 16) + { + int sample_max = (1 << info_ptr->bit_depth) - 1; - if ((info_ptr->color_type == PNG_COLOR_TYPE_GRAY && - trans_color->gray > sample_max) || - (info_ptr->color_type == PNG_COLOR_TYPE_RGB && - (trans_color->red > sample_max || - trans_color->green > sample_max || - trans_color->blue > sample_max))) - png_warning(png_ptr, - "tRNS chunk has out-of-range samples for bit_depth"); + if ((info_ptr->color_type == PNG_COLOR_TYPE_GRAY && + trans_color->gray > sample_max) || + (info_ptr->color_type == PNG_COLOR_TYPE_RGB && + (trans_color->red > sample_max || + trans_color->green > sample_max || + trans_color->blue > sample_max))) + png_warning(png_ptr, + "tRNS chunk has out-of-range samples for bit_depth"); + } +#endif info_ptr->trans_color = *trans_color; @@ -1029,6 +1051,7 @@ { /* Out of memory or too many chunks */ png_chunk_report(png_ptr, "too many sPLT chunks", PNG_CHUNK_WRITE_ERROR); + return; } @@ -1144,7 +1167,7 @@ png_unknown_chunkp np; if (png_ptr == NULL || info_ptr == NULL || num_unknowns <= 0 || - unknowns == NULL) + unknowns == NULL) return; /* Check for the failure cases where support has been disabled at compile @@ -1158,6 +1181,7 @@ if ((png_ptr->mode & PNG_IS_READ_STRUCT) != 0) { png_app_error(png_ptr, "no unknown chunk support on read"); + return; } # endif @@ -1166,6 +1190,7 @@ if ((png_ptr->mode & PNG_IS_READ_STRUCT) == 0) { png_app_error(png_ptr, "no unknown chunk support on write"); + return; } # endif @@ -1183,6 +1208,7 @@ { png_chunk_report(png_ptr, "too many unknown chunks", PNG_CHUNK_WRITE_ERROR); + return; } @@ -1260,8 +1286,7 @@ check_location(png_ptr, location); } } -#endif - +#endif /* STORE_UNKNOWN_CHUNKS */ #ifdef PNG_MNG_FEATURES_SUPPORTED png_uint_32 PNGAPI @@ -1292,6 +1317,7 @@ if (memcmp(list, add, 4) == 0) { list[4] = (png_byte)keep; + return count; } } @@ -1319,6 +1345,7 @@ if (keep < 0 || keep >= PNG_HANDLE_CHUNK_LAST) { png_app_error(png_ptr, "png_set_keep_unknown_chunks: invalid keep"); + return; } @@ -1368,6 +1395,7 @@ * which can be switched off. */ png_app_error(png_ptr, "png_set_keep_unknown_chunks: no chunk list"); + return; } @@ -1383,6 +1411,7 @@ if (num_chunks + old_num_chunks > UINT_MAX/5) { png_app_error(png_ptr, "png_set_keep_unknown_chunks: too many chunks"); + return; } @@ -1520,23 +1549,30 @@ { png_warning(png_ptr, "Compression buffer size cannot be changed because it is in use"); + return; } +#ifndef __COVERITY__ + /* Some compilers complain that this is always false. However, it + * can be true when integer overflow happens. + */ if (size > ZLIB_IO_MAX) { png_warning(png_ptr, "Compression buffer size limited to system maximum"); size = ZLIB_IO_MAX; /* must fit */ } +#endif - else if (size < 6) + if (size < 6) { /* Deflate will potentially go into an infinite loop on a SYNC_FLUSH * if this is permitted. */ png_warning(png_ptr, "Compression buffer size cannot be reduced below 6"); + return; } @@ -1565,7 +1601,7 @@ { /* Images with dimensions larger than these limits will be * rejected by png_set_IHDR(). To accept any PNG datastream - * regardless of dimensions, set both limits to 0x7ffffffL. + * regardless of dimensions, set both limits to 0x7fffffff. */ if (png_ptr == NULL) return; @@ -1578,8 +1614,8 @@ void PNGAPI png_set_chunk_cache_max (png_structrp png_ptr, png_uint_32 user_chunk_cache_max) { - if (png_ptr != NULL) - png_ptr->user_chunk_cache_max = user_chunk_cache_max; + if (png_ptr != NULL) + png_ptr->user_chunk_cache_max = user_chunk_cache_max; } /* This function was added to libpng 1.4.1 */ diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngstruct.h openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngstruct.h --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngstruct.h 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngstruct.h 2016-01-20 01:47:58.000000000 +0000 @@ -29,12 +29,11 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * Copyright (c) 1998-2013 Glenn Randers-Pehrson + * Last changed in libpng 1.6.18 [July 23, 2015] + * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * - * Last changed in libpng 1.6.1 [March 28, 2013] - * * This code is released under the libpng license. * For conditions of distribution and use, see the disclaimer * and license in png.h @@ -129,7 +128,7 @@ #endif /* COLORSPACE */ #if defined(PNG_COLORSPACE_SUPPORTED) || defined(PNG_GAMMA_SUPPORTED) -/* A colorspace is all the above plus, potentially, profile information, +/* A colorspace is all the above plus, potentially, profile information; * however at present libpng does not use the profile internally so it is only * stored in the png_info struct (if iCCP is supported.) The rendering intent * is retained here and is checked. @@ -248,16 +247,18 @@ png_uint_32 row_number; /* current row in interlace pass */ png_uint_32 chunk_name; /* PNG_CHUNK() id of current chunk */ png_bytep prev_row; /* buffer to save previous (unfiltered) row. - * This is a pointer into big_prev_row + * While reading this is a pointer into + * big_prev_row; while writing it is separately + * allocated if needed. */ png_bytep row_buf; /* buffer to save current (unfiltered) row. - * This is a pointer into big_row_buf + * While reading, this is a pointer into + * big_row_buf; while writing it is separately + * allocated. */ -#ifdef PNG_WRITE_SUPPORTED - png_bytep sub_row; /* buffer to save "sub" row when filtering */ - png_bytep up_row; /* buffer to save "up" row when filtering */ - png_bytep avg_row; /* buffer to save "avg" row when filtering */ - png_bytep paeth_row; /* buffer to save "Paeth" row when filtering */ +#ifdef PNG_WRITE_FILTER_SUPPORTED + png_bytep try_row; /* buffer to save trial row when filtering */ + png_bytep tst_row; /* buffer to save best trial row when filtering */ #endif png_size_t info_rowbytes; /* Added in 1.5.4: cache of updated row bytes */ @@ -290,6 +291,9 @@ /* pixel depth used for the row buffers */ png_byte transformed_pixel_depth; /* pixel depth after read/write transforms */ +#if PNG_ZLIB_VERNUM >= 0x1240 + png_byte zstream_start; /* at start of an input zlib stream */ +#endif /* Zlib >= 1.2.4 */ #if defined(PNG_READ_FILLER_SUPPORTED) || defined(PNG_WRITE_FILLER_SUPPORTED) png_uint_16 filler; /* filler bytes for pixel expansion */ #endif @@ -375,17 +379,7 @@ png_bytep quantize_index; /* index translation for palette files */ #endif -#ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED - png_byte heuristic_method; /* heuristic for row filter selection */ - png_byte num_prev_filters; /* number of weights for previous rows */ - png_bytep prev_filters; /* filter type(s) of previous row(s) */ - png_uint_16p filter_weights; /* weight(s) for previous line(s) */ - png_uint_16p inv_filter_weights; /* 1/weight(s) for previous line(s) */ - png_uint_16p filter_costs; /* relative filter calculation cost */ - png_uint_16p inv_filter_costs; /* 1/relative filter calculation cost */ -#endif - - /* Options */ +/* Options */ #ifdef PNG_SET_OPTION_SUPPORTED png_byte options; /* On/off state (up to 4 options) */ #endif diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngtest.c openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngtest.c --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngtest.c 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngtest.c 2016-01-20 01:47:58.000000000 +0000 @@ -29,8 +29,8 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * Last changed in libpng 1.6.15 [November 20, 2014] - * Copyright (c) 1998-2014 Glenn Randers-Pehrson + * Last changed in libpng 1.5.25 [December 3, 2015] + * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -89,10 +89,11 @@ defined PNG_READ_sBIT_SUPPORTED &&\ defined PNG_READ_sCAL_SUPPORTED &&\ defined PNG_READ_sRGB_SUPPORTED &&\ + defined PNG_READ_sPLT_SUPPORTED &&\ defined PNG_READ_tEXt_SUPPORTED &&\ defined PNG_READ_tIME_SUPPORTED &&\ defined PNG_READ_zTXt_SUPPORTED &&\ - defined PNG_WRITE_INTERLACING_SUPPORTED + (defined PNG_WRITE_INTERLACING_SUPPORTED || PNG_LIBPNG_VER >= 10700) #ifdef PNG_ZLIB_HEADER # include PNG_ZLIB_HEADER /* defined by pnglibconf.h from 1.7 */ @@ -129,6 +130,10 @@ # define SINGLE_ROWBUF_ALLOC /* Makes buffer overruns easier to nail */ #endif +#ifndef PNG_UNUSED +# define PNG_UNUSED(param) (void)param; +#endif + /* Turn on CPU timing #define PNGTEST_TIMING */ @@ -146,6 +151,22 @@ #define PNG_tIME_STRING_LENGTH 29 static int tIME_chunk_present = 0; static char tIME_string[PNG_tIME_STRING_LENGTH] = "tIME chunk is not present"; + +#if PNG_LIBPNG_VER < 10619 +#define png_convert_to_rfc1123_buffer(ts, t) tIME_to_str(read_ptr, ts, t) + +static int +tIME_to_str(png_structp png_ptr, png_charp ts, png_const_timep t) +{ + png_const_charp str = png_convert_to_rfc1123(png_ptr, t); + + if (str == NULL) + return 0; + + strcpy(ts, str); + return 1; +} +#endif /* older libpng */ #endif static int verbose = 0; @@ -213,16 +234,14 @@ #ifdef PNG_READ_USER_TRANSFORM_SUPPORTED -/* Example of using user transform callback (we don't transform anything, - * but merely examine the row filters. We set this to 256 rather than - * 5 in case illegal filter values are present.) +/* Example of using a user transform callback (doesn't do anything at present). */ -static png_uint_32 filters_used[256]; static void PNGCBAPI -count_filters(png_structp png_ptr, png_row_infop row_info, png_bytep data) +read_user_callback(png_structp png_ptr, png_row_infop row_info, png_bytep data) { - if (png_ptr != NULL && row_info != NULL) - ++filters_used[*(data - 1)]; + PNG_UNUSED(png_ptr) + PNG_UNUSED(row_info) + PNG_UNUSED(data) } #endif @@ -497,7 +516,7 @@ #if defined(PNG_USER_MEM_SUPPORTED) && PNG_DEBUG /* Allocate memory. For reasonable files, size should never exceed - * 64K. However, zlib may allocate more then 64K if you don't tell + * 64K. However, zlib may allocate more than 64K if you don't tell * it not to. See zconf.h and png.h for more information. zlib does * need to allocate exactly 64K, so whatever you call here must * have the ability to do that. @@ -593,6 +612,7 @@ } /* Unlink the element from the list. */ + if (pinformation != NULL) { memory_infop *ppinfo = &pinformation; @@ -609,8 +629,7 @@ /* We must free the list element too, but first kill the memory that is to be freed. */ memset(ptr, 0x55, pinfo->size); - if (pinfo != NULL) - free(pinfo); + free(pinfo); pinfo = NULL; break; } @@ -820,7 +839,7 @@ */ #ifdef PNG_TEXT_SUPPORTED static void -pngtest_check_text_support(png_const_structp png_ptr, png_textp text_ptr, +pngtest_check_text_support(png_structp png_ptr, png_textp text_ptr, int num_text) { while (num_text > 0) @@ -833,6 +852,8 @@ case PNG_TEXT_COMPRESSION_zTXt: # ifndef PNG_WRITE_zTXt_SUPPORTED ++unsupported_chunks; + /* In libpng 1.7 this now does an app-error, so stop it: */ + text_ptr[num_text].compression = PNG_TEXT_COMPRESSION_NONE; # endif break; @@ -840,6 +861,7 @@ case PNG_ITXT_COMPRESSION_zTXt: # ifndef PNG_WRITE_iTXt_SUPPORTED ++unsupported_chunks; + text_ptr[num_text].compression = PNG_TEXT_COMPRESSION_NONE; # endif break; @@ -866,16 +888,19 @@ png_structp write_ptr; png_infop write_info_ptr; png_infop write_end_info_ptr; +#ifdef PNG_WRITE_FILTER_SUPPORTED int interlace_preserved = 1; -#else +#endif /* WRITE_FILTER */ +#else /* !WRITE */ png_structp write_ptr = NULL; png_infop write_info_ptr = NULL; png_infop write_end_info_ptr = NULL; -#endif +#endif /* !WRITE */ png_bytep row_buf; png_uint_32 y; png_uint_32 width, height; - int num_pass = 1, pass; + volatile int num_passes; + int pass; int bit_depth, color_type; row_buf = NULL; @@ -1028,14 +1053,7 @@ } #ifdef PNG_READ_USER_TRANSFORM_SUPPORTED - { - int i; - - for (i = 0; i<256; i++) - filters_used[i] = 0; - - png_set_read_user_transform_fn(read_ptr, count_filters); - } + png_set_read_user_transform_fn(read_ptr, read_user_callback); #endif #ifdef PNG_WRITE_USER_TRANSFORM_SUPPORTED zero_samples = 0; @@ -1082,27 +1100,27 @@ { png_set_IHDR(write_ptr, write_info_ptr, width, height, bit_depth, color_type, interlace_type, compression_type, filter_type); -#ifndef PNG_READ_INTERLACING_SUPPORTED - /* num_pass will not be set below, set it here if the image is - * interlaced: what happens is that write interlacing is *not* turned - * on an the partial interlaced rows are written directly. + /* num_passes may not be available below if interlace support is not + * provided by libpng for both read and write. */ switch (interlace_type) { case PNG_INTERLACE_NONE: - num_pass = 1; + num_passes = 1; break; case PNG_INTERLACE_ADAM7: - num_pass = 7; - break; + num_passes = 7; + break; default: - png_error(read_ptr, "invalid interlace type"); - /*NOT REACHED*/ + png_error(read_ptr, "invalid interlace type"); + /*NOT REACHED*/ } -#endif } + + else + png_error(read_ptr, "png_get_IHDR failed"); } #ifdef PNG_FIXED_POINT_SUPPORTED #ifdef PNG_cHRM_SUPPORTED @@ -1273,6 +1291,19 @@ #endif #endif #endif + +#ifdef PNG_sPLT_SUPPORTED + { + png_sPLT_tp entries; + + int num_entries = (int) png_get_sPLT(read_ptr, read_info_ptr, &entries); + if (num_entries) + { + png_set_sPLT(write_ptr, write_info_ptr, entries, num_entries); + } + } +#endif + #ifdef PNG_TEXT_SUPPORTED { png_textp text_ptr; @@ -1394,21 +1425,49 @@ #endif /* SINGLE_ROWBUF_ALLOC */ pngtest_debug("Writing row data"); -#ifdef PNG_READ_INTERLACING_SUPPORTED - num_pass = png_set_interlace_handling(read_ptr); - if (png_set_interlace_handling(write_ptr) != num_pass) - png_error(write_ptr, "png_set_interlace_handling: inconsistent num_pass"); -#endif +#if defined(PNG_READ_INTERLACING_SUPPORTED) &&\ + defined(PNG_WRITE_INTERLACING_SUPPORTED) + /* Both must be defined for libpng to be able to handle the interlace, + * otherwise it gets handled below by simply reading and writing the passes + * directly. + */ + if (png_set_interlace_handling(read_ptr) != num_passes) + png_error(write_ptr, + "png_set_interlace_handling(read): wrong pass count "); + if (png_set_interlace_handling(write_ptr) != num_passes) + png_error(write_ptr, + "png_set_interlace_handling(write): wrong pass count "); +#else /* png_set_interlace_handling not called on either read or write */ +# define calc_pass_height +#endif /* not using libpng interlace handling */ #ifdef PNGTEST_TIMING t_stop = (float)clock(); t_misc += (t_stop - t_start); t_start = t_stop; #endif - for (pass = 0; pass < num_pass; pass++) + for (pass = 0; pass < num_passes; pass++) { +# ifdef calc_pass_height + png_uint_32 pass_height; + + if (num_passes == 7) /* interlaced */ + { + if (PNG_PASS_COLS(width, pass) > 0) + pass_height = PNG_PASS_ROWS(height, pass); + + else + pass_height = 0; + } + + else /* not interlaced */ + pass_height = height; +# else +# define pass_height height +# endif + pngtest_debug1("Writing row data for pass %d", pass); - for (y = 0; y < height; y++) + for (y = 0; y < pass_height; y++) { #ifndef SINGLE_ROWBUF_ALLOC pngtest_debug2("Allocating row buffer (pass %d, y = %u)...", pass, y); @@ -1598,7 +1657,7 @@ } # ifdef PNG_WRITE_SUPPORTED - /* If there we no write support nothing was written! */ + /* If there is no write support nothing was written! */ else if (unsupported_chunks > 0) { fprintf(STDERR, "\n %s: unsupported chunks (%d)%s", @@ -1629,7 +1688,8 @@ return (1); } -#ifdef PNG_WRITE_SUPPORTED /* else nothing was written */ +#if defined (PNG_WRITE_SUPPORTED) /* else nothing was written */ &&\ + defined (PNG_WRITE_FILTER_SUPPORTED) if (interlace_preserved != 0) /* else the files will be changed */ { for (;;) @@ -1706,7 +1766,7 @@ } } } -#endif /* WRITE */ +#endif /* WRITE && WRITE_FILTER */ FCLOSE(fpin); FCLOSE(fpout); @@ -1729,6 +1789,8 @@ int multiple = 0; int ierror = 0; + png_structp dummy_ptr; + fprintf(STDERR, "\n Testing libpng version %s\n", PNG_LIBPNG_VER_STRING); fprintf(STDERR, " with zlib version %s\n", ZLIB_VERSION); fprintf(STDERR, "%s", png_get_copyright(NULL)); @@ -1843,26 +1905,17 @@ kerror = test_one_file(argv[i], outname); if (kerror == 0) { -#ifdef PNG_READ_USER_TRANSFORM_SUPPORTED - int k; -#endif #ifdef PNG_WRITE_USER_TRANSFORM_SUPPORTED fprintf(STDERR, "\n PASS (%lu zero samples)\n", (unsigned long)zero_samples); #else fprintf(STDERR, " PASS\n"); #endif -#ifdef PNG_READ_USER_TRANSFORM_SUPPORTED - for (k = 0; k<256; k++) - if (filters_used[k] != 0) - fprintf(STDERR, " Filter %d was used %lu times\n", - k, (unsigned long)filters_used[k]); -#endif #ifdef PNG_TIME_RFC1123_SUPPORTED - if (tIME_chunk_present != 0) - fprintf(STDERR, " tIME = %s\n", tIME_string); + if (tIME_chunk_present != 0) + fprintf(STDERR, " tIME = %s\n", tIME_string); - tIME_chunk_present = 0; + tIME_chunk_present = 0; #endif /* TIME_RFC1123 */ } @@ -1934,21 +1987,12 @@ { if (verbose == 1 || i == 2) { -#ifdef PNG_READ_USER_TRANSFORM_SUPPORTED - int k; -#endif #ifdef PNG_WRITE_USER_TRANSFORM_SUPPORTED fprintf(STDERR, "\n PASS (%lu zero samples)\n", (unsigned long)zero_samples); #else fprintf(STDERR, " PASS\n"); #endif -#ifdef PNG_READ_USER_TRANSFORM_SUPPORTED - for (k = 0; k<256; k++) - if (filters_used[k] != 0) - fprintf(STDERR, " Filter %d was used %lu times\n", - k, (unsigned long)filters_used[k]); -#endif #ifdef PNG_TIME_RFC1123_SUPPORTED if (tIME_chunk_present != 0) fprintf(STDERR, " tIME = %s\n", tIME_string); @@ -2022,6 +2066,24 @@ else fprintf(STDERR, " libpng FAILS test\n"); + dummy_ptr = png_create_read_struct(PNG_LIBPNG_VER_STRING, NULL, NULL, NULL); + fprintf(STDERR, " Default limits:\n"); + fprintf(STDERR, " width_max = %lu\n", + (unsigned long) png_get_user_width_max(dummy_ptr)); + fprintf(STDERR, " height_max = %lu\n", + (unsigned long) png_get_user_height_max(dummy_ptr)); + if (png_get_chunk_cache_max(dummy_ptr) == 0) + fprintf(STDERR, " cache_max = unlimited\n"); + else + fprintf(STDERR, " cache_max = %lu\n", + (unsigned long) png_get_chunk_cache_max(dummy_ptr)); + if (png_get_chunk_malloc_max(dummy_ptr) == 0) + fprintf(STDERR, " malloc_max = unlimited\n"); + else + fprintf(STDERR, " malloc_max = %lu\n", + (unsigned long) png_get_chunk_malloc_max(dummy_ptr)); + png_destroy_read_struct(&dummy_ptr, NULL, NULL); + return (int)(ierror != 0); } #else @@ -2036,4 +2098,4 @@ #endif /* Generate a compiler error if there is an old png.h in the search path. */ -typedef png_libpng_version_1_6_16 Your_png_h_is_not_version_1_6_16; +typedef png_libpng_version_1_6_20 Your_png_h_is_not_version_1_6_20; diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngtrans.c openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngtrans.c --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngtrans.c 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngtrans.c 2016-01-20 01:47:58.000000000 +0000 @@ -29,8 +29,8 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * Last changed in libpng 1.6.15 [November 20, 2014] - * Copyright (c) 1998-2014 Glenn Randers-Pehrson + * Last changed in libpng 1.6.18 [July 23, 2015] + * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -58,7 +58,7 @@ #endif #if defined(PNG_READ_SWAP_SUPPORTED) || defined(PNG_WRITE_SWAP_SUPPORTED) -/* Turn on 16 bit byte swapping */ +/* Turn on 16-bit byte swapping */ void PNGAPI png_set_swap(png_structrp png_ptr) { @@ -341,7 +341,7 @@ #ifdef PNG_16BIT_SUPPORTED #if defined(PNG_READ_SWAP_SUPPORTED) || defined(PNG_WRITE_SWAP_SUPPORTED) -/* Swaps byte order on 16 bit depth images */ +/* Swaps byte order on 16-bit depth images */ void /* PRIVATE */ png_do_swap(png_row_infop row_info, png_bytep row) { @@ -732,7 +732,7 @@ */ for (; rp > png_ptr->row_buf; rp--) { - if (*rp >> padding != 0) + if ((*rp >> padding) != 0) png_ptr->num_palette_max = 1; padding = 0; } diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngwio.c openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngwio.c --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngwio.c 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngwio.c 2016-01-20 01:47:58.000000000 +0000 @@ -54,7 +54,7 @@ * writes to a file pointer. Note that this routine sometimes gets called * with very small lengths, so you should implement some kind of simple * buffering if you are using unbuffered writes. This should never be asked - * to write more than 64K on a 16 bit machine. + * to write more than 64K on a 16-bit machine. */ void /* PRIVATE */ diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngwrite.c openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngwrite.c --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngwrite.c 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngwrite.c 2016-01-20 01:47:58.000000000 +0000 @@ -29,8 +29,8 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * Last changed in libpng 1.6.15 [November 20, 2014] - * Copyright (c) 1998-2014 Glenn Randers-Pehrson + * Last changed in libpng 1.6.19 [November 12, 2015] + * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -118,43 +118,44 @@ if ((png_ptr->mode & PNG_WROTE_INFO_BEFORE_PLTE) == 0) { - /* Write PNG signature */ - png_write_sig(png_ptr); + /* Write PNG signature */ + png_write_sig(png_ptr); #ifdef PNG_MNG_FEATURES_SUPPORTED - if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0 && \ - png_ptr->mng_features_permitted != 0) - { - png_warning(png_ptr, "MNG features are not allowed in a PNG datastream"); - png_ptr->mng_features_permitted = 0; - } + if ((png_ptr->mode & PNG_HAVE_PNG_SIGNATURE) != 0 && \ + png_ptr->mng_features_permitted != 0) + { + png_warning(png_ptr, + "MNG features are not allowed in a PNG datastream"); + png_ptr->mng_features_permitted = 0; + } #endif - /* Write IHDR information. */ - png_write_IHDR(png_ptr, info_ptr->width, info_ptr->height, - info_ptr->bit_depth, info_ptr->color_type, info_ptr->compression_type, - info_ptr->filter_type, + /* Write IHDR information. */ + png_write_IHDR(png_ptr, info_ptr->width, info_ptr->height, + info_ptr->bit_depth, info_ptr->color_type, info_ptr->compression_type, + info_ptr->filter_type, #ifdef PNG_WRITE_INTERLACING_SUPPORTED - info_ptr->interlace_type + info_ptr->interlace_type #else - 0 + 0 #endif - ); + ); - /* The rest of these check to see if the valid field has the appropriate - * flag set, and if it does, writes the chunk. - * - * 1.6.0: COLORSPACE support controls the writing of these chunks too, and - * the chunks will be written if the WRITE routine is there and information - * is available in the COLORSPACE. (See png_colorspace_sync_info in png.c - * for where the valid flags get set.) - * - * Under certain circumstances the colorspace can be invalidated without - * syncing the info_struct 'valid' flags; this happens if libpng detects and - * error and calls png_error while the color space is being set, yet the - * application continues writing the PNG. So check the 'invalid' flag here - * too. - */ + /* The rest of these check to see if the valid field has the appropriate + * flag set, and if it does, writes the chunk. + * + * 1.6.0: COLORSPACE support controls the writing of these chunks too, and + * the chunks will be written if the WRITE routine is there and + * information * is available in the COLORSPACE. (See + * png_colorspace_sync_info in png.c for where the valid flags get set.) + * + * Under certain circumstances the colorspace can be invalidated without + * syncing the info_struct 'valid' flags; this happens if libpng detects + * an error and calls png_error while the color space is being set, yet + * the application continues writing the PNG. So check the 'invalid' + * flag here too. + */ #ifdef PNG_GAMMA_SUPPORTED # ifdef PNG_WRITE_gAMA_SUPPORTED if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) == 0 && @@ -165,50 +166,50 @@ #endif #ifdef PNG_COLORSPACE_SUPPORTED - /* Write only one of sRGB or an ICC profile. If a profile was supplied - * and it matches one of the known sRGB ones issue a warning. - */ + /* Write only one of sRGB or an ICC profile. If a profile was supplied + * and it matches one of the known sRGB ones issue a warning. + */ # ifdef PNG_WRITE_iCCP_SUPPORTED - if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) == 0 && - (info_ptr->valid & PNG_INFO_iCCP) != 0) - { -# ifdef PNG_WRITE_sRGB_SUPPORTED - if ((info_ptr->valid & PNG_INFO_sRGB) != 0) - png_app_warning(png_ptr, - "profile matches sRGB but writing iCCP instead"); -# endif + if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) == 0 && + (info_ptr->valid & PNG_INFO_iCCP) != 0) + { +# ifdef PNG_WRITE_sRGB_SUPPORTED + if ((info_ptr->valid & PNG_INFO_sRGB) != 0) + png_app_warning(png_ptr, + "profile matches sRGB but writing iCCP instead"); +# endif - png_write_iCCP(png_ptr, info_ptr->iccp_name, - info_ptr->iccp_profile); - } + png_write_iCCP(png_ptr, info_ptr->iccp_name, + info_ptr->iccp_profile); + } # ifdef PNG_WRITE_sRGB_SUPPORTED else # endif # endif # ifdef PNG_WRITE_sRGB_SUPPORTED - if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) == 0 && - (info_ptr->valid & PNG_INFO_sRGB) != 0) - png_write_sRGB(png_ptr, info_ptr->colorspace.rendering_intent); + if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) == 0 && + (info_ptr->valid & PNG_INFO_sRGB) != 0) + png_write_sRGB(png_ptr, info_ptr->colorspace.rendering_intent); # endif /* WRITE_sRGB */ #endif /* COLORSPACE */ #ifdef PNG_WRITE_sBIT_SUPPORTED - if ((info_ptr->valid & PNG_INFO_sBIT) != 0) - png_write_sBIT(png_ptr, &(info_ptr->sig_bit), info_ptr->color_type); + if ((info_ptr->valid & PNG_INFO_sBIT) != 0) + png_write_sBIT(png_ptr, &(info_ptr->sig_bit), info_ptr->color_type); #endif #ifdef PNG_COLORSPACE_SUPPORTED # ifdef PNG_WRITE_cHRM_SUPPORTED - if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) == 0 && - (info_ptr->colorspace.flags & PNG_COLORSPACE_FROM_cHRM) != 0 && - (info_ptr->valid & PNG_INFO_cHRM) != 0) - png_write_cHRM_fixed(png_ptr, &info_ptr->colorspace.end_points_xy); + if ((info_ptr->colorspace.flags & PNG_COLORSPACE_INVALID) == 0 && + (info_ptr->colorspace.flags & PNG_COLORSPACE_FROM_cHRM) != 0 && + (info_ptr->valid & PNG_INFO_cHRM) != 0) + png_write_cHRM_fixed(png_ptr, &info_ptr->colorspace.end_points_xy); # endif #endif #ifdef PNG_WRITE_UNKNOWN_CHUNKS_SUPPORTED - write_unknown_chunks(png_ptr, info_ptr, PNG_HAVE_IHDR); + write_unknown_chunks(png_ptr, info_ptr, PNG_HAVE_IHDR); #endif png_ptr->mode |= PNG_WROTE_INFO_BEFORE_PLTE; @@ -233,7 +234,7 @@ png_write_PLTE(png_ptr, info_ptr->palette, (png_uint_32)info_ptr->num_palette); - else if ((info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) !=0) + else if (info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) png_error(png_ptr, "Valid palette required for paletted images"); #ifdef PNG_WRITE_tRNS_SUPPORTED @@ -244,8 +245,13 @@ if ((png_ptr->transformations & PNG_INVERT_ALPHA) != 0 && info_ptr->color_type == PNG_COLOR_TYPE_PALETTE) { - int j; - for (j = 0; j<(int)info_ptr->num_trans; j++) + int j, jend; + + jend = info_ptr->num_trans; + if (jend > PNG_MAX_PALETTE_LENGTH) + jend = PNG_MAX_PALETTE_LENGTH; + + for (j = 0; jtrans_alpha[j] = (png_byte)(255 - info_ptr->trans_alpha[j]); } @@ -566,7 +572,7 @@ /* App warnings are warnings in release (or release candidate) builds but * are errors during development. */ -#if PNG_LIBPNG_BUILD_BASE_TYPE >= PNG_LIBPNG_BUILD_RC +#if PNG_RELEASE_BUILD png_ptr->flags |= PNG_FLAG_APP_WARNINGS_WARN; #endif @@ -666,8 +672,8 @@ for (i = 0, rp = row; i < row_width; i++, rp += bytes_per_pixel) { - *(rp) = (png_byte)((*rp - *(rp + 1)) & 0xff); - *(rp + 2) = (png_byte)((*(rp + 2) - *(rp + 1)) & 0xff); + *(rp) = (png_byte)(*rp - *(rp + 1)); + *(rp + 2) = (png_byte)(*(rp + 2) - *(rp + 1)); } } @@ -693,10 +699,10 @@ png_uint_32 s2 = (*(rp + 4) << 8) | *(rp + 5); png_uint_32 red = (png_uint_32)((s0 - s1) & 0xffffL); png_uint_32 blue = (png_uint_32)((s2 - s1) & 0xffffL); - *(rp ) = (png_byte)((red >> 8) & 0xff); - *(rp + 1) = (png_byte)(red & 0xff); - *(rp + 4) = (png_byte)((blue >> 8) & 0xff); - *(rp + 5) = (png_byte)(blue & 0xff); + *(rp ) = (png_byte)(red >> 8); + *(rp + 1) = (png_byte)red; + *(rp + 4) = (png_byte)(blue >> 8); + *(rp + 5) = (png_byte)blue; } } #endif /* WRITE_16BIT */ @@ -877,7 +883,7 @@ * which is also the output depth. */ if (row_info.pixel_depth != png_ptr->pixel_depth || - row_info.pixel_depth != png_ptr->transformed_pixel_depth) + row_info.pixel_depth != png_ptr->transformed_pixel_depth) png_error(png_ptr, "internal write transform logic error"); #ifdef PNG_MNG_FEATURES_SUPPORTED @@ -945,10 +951,6 @@ } #endif /* WRITE_FLUSH */ -#ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED -static void png_reset_filter_heuristics(png_structrp png_ptr);/* forward decl */ -#endif - /* Free any memory used in png_ptr struct without freeing the struct itself. */ static void png_write_destroy(png_structrp png_ptr) @@ -965,24 +967,11 @@ png_ptr->row_buf = NULL; #ifdef PNG_WRITE_FILTER_SUPPORTED png_free(png_ptr, png_ptr->prev_row); - png_free(png_ptr, png_ptr->sub_row); - png_free(png_ptr, png_ptr->up_row); - png_free(png_ptr, png_ptr->avg_row); - png_free(png_ptr, png_ptr->paeth_row); + png_free(png_ptr, png_ptr->try_row); + png_free(png_ptr, png_ptr->tst_row); png_ptr->prev_row = NULL; - png_ptr->sub_row = NULL; - png_ptr->up_row = NULL; - png_ptr->avg_row = NULL; - png_ptr->paeth_row = NULL; -#endif - -#ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED - /* Use this to save a little code space, it doesn't free the filter_costs */ - png_reset_filter_heuristics(png_ptr); - png_free(png_ptr, png_ptr->filter_costs); - png_free(png_ptr, png_ptr->inv_filter_costs); - png_ptr->filter_costs = NULL; - png_ptr->inv_filter_costs = NULL; + png_ptr->try_row = NULL; + png_ptr->tst_row = NULL; #endif #ifdef PNG_SET_UNKNOWN_CHUNKS_SUPPORTED @@ -1072,211 +1061,85 @@ #endif /* WRITE_FILTER */ } +#ifdef PNG_WRITE_FILTER_SUPPORTED /* If we have allocated the row_buf, this means we have already started * with the image and we should have allocated all of the filter buffers * that have been selected. If prev_row isn't already allocated, then * it is too late to start using the filters that need it, since we * will be missing the data in the previous row. If an application * wants to start and stop using particular filters during compression, - * it should start out with all of the filters, and then add and - * remove them after the start of compression. + * it should start out with all of the filters, and then remove them + * or add them back after the start of compression. + * + * NOTE: this is a nasty constraint on the code, because it means that the + * prev_row buffer must be maintained even if there are currently no + * 'prev_row' requiring filters active. */ if (png_ptr->row_buf != NULL) { -#ifdef PNG_WRITE_FILTER_SUPPORTED - if ((png_ptr->do_filter & PNG_FILTER_SUB) != 0 && - png_ptr->sub_row == NULL) - { - png_ptr->sub_row = (png_bytep)png_malloc(png_ptr, - (png_ptr->rowbytes + 1)); - png_ptr->sub_row[0] = PNG_FILTER_VALUE_SUB; - } + int num_filters; + png_alloc_size_t buf_size; - if ((png_ptr->do_filter & PNG_FILTER_UP) != 0 && - png_ptr->up_row == NULL) - { - if (png_ptr->prev_row == NULL) - { - png_warning(png_ptr, "Can't add Up filter after starting"); - png_ptr->do_filter = (png_byte)(png_ptr->do_filter & - ~PNG_FILTER_UP); - } - - else - { - png_ptr->up_row = (png_bytep)png_malloc(png_ptr, - (png_ptr->rowbytes + 1)); - png_ptr->up_row[0] = PNG_FILTER_VALUE_UP; - } - } - - if ((png_ptr->do_filter & PNG_FILTER_AVG) != 0 && - png_ptr->avg_row == NULL) - { - if (png_ptr->prev_row == NULL) - { - png_warning(png_ptr, "Can't add Average filter after starting"); - png_ptr->do_filter = (png_byte)(png_ptr->do_filter & - ~PNG_FILTER_AVG); - } + /* Repeat the checks in png_write_start_row; 1 pixel high or wide + * images cannot benefit from certain filters. If this isn't done here + * the check below will fire on 1 pixel high images. + */ + if (png_ptr->height == 1) + filters &= ~(PNG_FILTER_UP|PNG_FILTER_AVG|PNG_FILTER_PAETH); - else - { - png_ptr->avg_row = (png_bytep)png_malloc(png_ptr, - (png_ptr->rowbytes + 1)); - png_ptr->avg_row[0] = PNG_FILTER_VALUE_AVG; - } - } + if (png_ptr->width == 1) + filters &= ~(PNG_FILTER_SUB|PNG_FILTER_AVG|PNG_FILTER_PAETH); - if ((png_ptr->do_filter & PNG_FILTER_PAETH) != 0 && - png_ptr->paeth_row == NULL) + if ((filters & (PNG_FILTER_UP|PNG_FILTER_AVG|PNG_FILTER_PAETH)) != 0 + && png_ptr->prev_row == NULL) { - if (png_ptr->prev_row == NULL) - { - png_warning(png_ptr, "Can't add Paeth filter after starting"); - png_ptr->do_filter &= (png_byte)(~PNG_FILTER_PAETH); - } - - else - { - png_ptr->paeth_row = (png_bytep)png_malloc(png_ptr, - (png_ptr->rowbytes + 1)); - png_ptr->paeth_row[0] = PNG_FILTER_VALUE_PAETH; - } + /* This is the error case, however it is benign - the previous row + * is not available so the filter can't be used. Just warn here. + */ + png_app_warning(png_ptr, + "png_set_filter: UP/AVG/PAETH cannot be added after start"); + filters &= ~(PNG_FILTER_UP|PNG_FILTER_AVG|PNG_FILTER_PAETH); } - if (png_ptr->do_filter == PNG_NO_FILTERS) -#endif /* WRITE_FILTER */ - png_ptr->do_filter = PNG_FILTER_NONE; - } - } - else - png_error(png_ptr, "Unknown custom filter method"); -} + num_filters = 0; -/* This allows us to influence the way in which libpng chooses the "best" - * filter for the current scanline. While the "minimum-sum-of-absolute- - * differences metric is relatively fast and effective, there is some - * question as to whether it can be improved upon by trying to keep the - * filtered data going to zlib more consistent, hopefully resulting in - * better compression. - */ -#ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED /* GRR 970116 */ -/* Convenience reset API. */ -static void -png_reset_filter_heuristics(png_structrp png_ptr) -{ - /* Clear out any old values in the 'weights' - this must be done because if - * the app calls set_filter_heuristics multiple times with different - * 'num_weights' values we would otherwise potentially have wrong sized - * arrays. - */ - png_ptr->num_prev_filters = 0; - png_ptr->heuristic_method = PNG_FILTER_HEURISTIC_UNWEIGHTED; - if (png_ptr->prev_filters != NULL) - { - png_bytep old = png_ptr->prev_filters; - png_ptr->prev_filters = NULL; - png_free(png_ptr, old); - } - if (png_ptr->filter_weights != NULL) - { - png_uint_16p old = png_ptr->filter_weights; - png_ptr->filter_weights = NULL; - png_free(png_ptr, old); - } + if (filters & PNG_FILTER_SUB) + num_filters++; - if (png_ptr->inv_filter_weights != NULL) - { - png_uint_16p old = png_ptr->inv_filter_weights; - png_ptr->inv_filter_weights = NULL; - png_free(png_ptr, old); - } + if (filters & PNG_FILTER_UP) + num_filters++; - /* Leave the filter_costs - this array is fixed size. */ -} - -static int -png_init_filter_heuristics(png_structrp png_ptr, int heuristic_method, - int num_weights) -{ - if (png_ptr == NULL) - return 0; + if (filters & PNG_FILTER_AVG) + num_filters++; - /* Clear out the arrays */ - png_reset_filter_heuristics(png_ptr); + if (filters & PNG_FILTER_PAETH) + num_filters++; - /* Check arguments; the 'reset' function makes the correct settings for the - * unweighted case, but we must handle the weight case by initializing the - * arrays for the caller. - */ - if (heuristic_method == PNG_FILTER_HEURISTIC_WEIGHTED) - { - int i; - - if (num_weights > 0) - { - png_ptr->prev_filters = (png_bytep)png_malloc(png_ptr, - (png_uint_32)((sizeof (png_byte)) * num_weights)); - - /* To make sure that the weighting starts out fairly */ - for (i = 0; i < num_weights; i++) - { - png_ptr->prev_filters[i] = 255; - } - - png_ptr->filter_weights = (png_uint_16p)png_malloc(png_ptr, - (png_uint_32)((sizeof (png_uint_16)) * num_weights)); + /* Allocate needed row buffers if they have not already been + * allocated. + */ + buf_size = PNG_ROWBYTES(png_ptr->usr_channels * png_ptr->usr_bit_depth, + png_ptr->width) + 1; - png_ptr->inv_filter_weights = (png_uint_16p)png_malloc(png_ptr, - (png_uint_32)((sizeof (png_uint_16)) * num_weights)); + if (png_ptr->try_row == NULL) + png_ptr->try_row = png_voidcast(png_bytep, + png_malloc(png_ptr, buf_size)); - for (i = 0; i < num_weights; i++) + if (num_filters > 1) { - png_ptr->inv_filter_weights[i] = - png_ptr->filter_weights[i] = PNG_WEIGHT_FACTOR; + if (png_ptr->tst_row == NULL) + png_ptr->tst_row = png_voidcast(png_bytep, + png_malloc(png_ptr, buf_size)); } - - /* Safe to set this now */ - png_ptr->num_prev_filters = (png_byte)num_weights; } - - /* If, in the future, there are other filter methods, this would - * need to be based on png_ptr->filter. - */ - if (png_ptr->filter_costs == NULL) - { - png_ptr->filter_costs = (png_uint_16p)png_malloc(png_ptr, - (png_uint_32)((sizeof (png_uint_16)) * PNG_FILTER_VALUE_LAST)); - - png_ptr->inv_filter_costs = (png_uint_16p)png_malloc(png_ptr, - (png_uint_32)((sizeof (png_uint_16)) * PNG_FILTER_VALUE_LAST)); - } - - for (i = 0; i < PNG_FILTER_VALUE_LAST; i++) - { - png_ptr->inv_filter_costs[i] = - png_ptr->filter_costs[i] = PNG_COST_FACTOR; - } - - /* All the arrays are inited, safe to set this: */ - png_ptr->heuristic_method = PNG_FILTER_HEURISTIC_WEIGHTED; - - /* Return the 'ok' code. */ - return 1; - } - else if (heuristic_method == PNG_FILTER_HEURISTIC_DEFAULT || - heuristic_method == PNG_FILTER_HEURISTIC_UNWEIGHTED) - { - return 1; + png_ptr->do_filter = (png_byte)filters; +#endif } else - { - png_warning(png_ptr, "Unknown filter heuristic method"); - return 0; - } + png_error(png_ptr, "Unknown custom filter method"); } +#ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED /* DEPRECATED */ /* Provide floating and fixed point APIs */ #ifdef PNG_FLOATING_POINT_SUPPORTED void PNGAPI @@ -1284,52 +1147,11 @@ int num_weights, png_const_doublep filter_weights, png_const_doublep filter_costs) { - png_debug(1, "in png_set_filter_heuristics"); - - /* The internal API allocates all the arrays and ensures that the elements of - * those arrays are set to the default value. - */ - if (png_init_filter_heuristics(png_ptr, heuristic_method, num_weights) == 0) - return; - - /* If using the weighted method copy in the weights. */ - if (heuristic_method == PNG_FILTER_HEURISTIC_WEIGHTED) - { - int i; - for (i = 0; i < num_weights; i++) - { - if (filter_weights[i] <= 0.0) - { - png_ptr->inv_filter_weights[i] = - png_ptr->filter_weights[i] = PNG_WEIGHT_FACTOR; - } - - else - { - png_ptr->inv_filter_weights[i] = - (png_uint_16)(PNG_WEIGHT_FACTOR*filter_weights[i]+.5); - - png_ptr->filter_weights[i] = - (png_uint_16)(PNG_WEIGHT_FACTOR/filter_weights[i]+.5); - } - } - - /* Here is where we set the relative costs of the different filters. We - * should take the desired compression level into account when setting - * the costs, so that Paeth, for instance, has a high relative cost at low - * compression levels, while it has a lower relative cost at higher - * compression settings. The filter types are in order of increasing - * relative cost, so it would be possible to do this with an algorithm. - */ - for (i = 0; i < PNG_FILTER_VALUE_LAST; i++) if (filter_costs[i] >= 1.0) - { - png_ptr->inv_filter_costs[i] = - (png_uint_16)(PNG_COST_FACTOR / filter_costs[i] + .5); - - png_ptr->filter_costs[i] = - (png_uint_16)(PNG_COST_FACTOR * filter_costs[i] + .5); - } - } + PNG_UNUSED(png_ptr) + PNG_UNUSED(heuristic_method) + PNG_UNUSED(num_weights) + PNG_UNUSED(filter_weights) + PNG_UNUSED(filter_costs) } #endif /* FLOATING_POINT */ @@ -1339,67 +1161,16 @@ int num_weights, png_const_fixed_point_p filter_weights, png_const_fixed_point_p filter_costs) { - png_debug(1, "in png_set_filter_heuristics_fixed"); - - /* The internal API allocates all the arrays and ensures that the elements of - * those arrays are set to the default value. - */ - if (png_init_filter_heuristics(png_ptr, heuristic_method, num_weights) == 0) - return; - - /* If using the weighted method copy in the weights. */ - if (heuristic_method == PNG_FILTER_HEURISTIC_WEIGHTED) - { - int i; - for (i = 0; i < num_weights; i++) - { - if (filter_weights[i] <= 0) - { - png_ptr->inv_filter_weights[i] = - png_ptr->filter_weights[i] = PNG_WEIGHT_FACTOR; - } - - else - { - png_ptr->inv_filter_weights[i] = (png_uint_16) - ((PNG_WEIGHT_FACTOR*filter_weights[i]+PNG_FP_HALF)/PNG_FP_1); - - png_ptr->filter_weights[i] = (png_uint_16)((PNG_WEIGHT_FACTOR* - PNG_FP_1+(filter_weights[i]/2))/filter_weights[i]); - } - } - - /* Here is where we set the relative costs of the different filters. We - * should take the desired compression level into account when setting - * the costs, so that Paeth, for instance, has a high relative cost at low - * compression levels, while it has a lower relative cost at higher - * compression settings. The filter types are in order of increasing - * relative cost, so it would be possible to do this with an algorithm. - */ - for (i = 0; i < PNG_FILTER_VALUE_LAST; i++) - if (filter_costs[i] >= PNG_FP_1) - { - png_uint_32 tmp; - - /* Use a 32 bit unsigned temporary here because otherwise the - * intermediate value will be a 32 bit *signed* integer (ANSI rules) - * and this will get the wrong answer on division. - */ - tmp = PNG_COST_FACTOR*PNG_FP_1 + (filter_costs[i]/2); - tmp /= filter_costs[i]; - - png_ptr->inv_filter_costs[i] = (png_uint_16)tmp; - - tmp = PNG_COST_FACTOR * filter_costs[i] + PNG_FP_HALF; - tmp /= PNG_FP_1; - - png_ptr->filter_costs[i] = (png_uint_16)tmp; - } - } + PNG_UNUSED(png_ptr) + PNG_UNUSED(heuristic_method) + PNG_UNUSED(num_weights) + PNG_UNUSED(filter_weights) + PNG_UNUSED(filter_costs) } #endif /* FIXED_POINT */ #endif /* WRITE_WEIGHTED_FILTER */ +#ifdef PNG_WRITE_CUSTOMIZE_COMPRESSION_SUPPORTED void PNGAPI png_set_compression_level(png_structrp png_ptr, int level) { @@ -1445,8 +1216,8 @@ if (png_ptr == NULL) return; - /* Prior to 1.6.0 this would warn but then set the window_bits value, this - * meant that negative window bits values could be selected which would cause + /* Prior to 1.6.0 this would warn but then set the window_bits value. This + * meant that negative window bits values could be selected that would cause * libpng to write a non-standard PNG file with raw deflate or gzip * compressed IDAT or ancillary chunks. Such files can be read and there is * no warning on read, so this seems like a very bad idea. @@ -1482,6 +1253,7 @@ png_ptr->zlib_method = method; } +#endif /* WRITE_CUSTOMIZE_COMPRESSION */ /* The following were added to libpng-1.5.4 */ #ifdef PNG_WRITE_CUSTOMIZE_ZTXT_COMPRESSION_SUPPORTED @@ -1642,14 +1414,14 @@ * alpha channel. */ if ((transforms & (PNG_TRANSFORM_STRIP_FILLER_AFTER| - PNG_TRANSFORM_STRIP_FILLER_BEFORE)) != 0) + PNG_TRANSFORM_STRIP_FILLER_BEFORE)) != 0) { #ifdef PNG_WRITE_FILLER_SUPPORTED if ((transforms & PNG_TRANSFORM_STRIP_FILLER_AFTER) != 0) { if ((transforms & PNG_TRANSFORM_STRIP_FILLER_BEFORE) != 0) png_app_error(png_ptr, - "PNG_TRANSFORM_STRIP_FILLER: BEFORE+AFTER not supported"); + "PNG_TRANSFORM_STRIP_FILLER: BEFORE+AFTER not supported"); /* Continue if ignored - this is the pre-1.6.10 behavior */ png_set_filler(png_ptr, 0, PNG_FILLER_AFTER); @@ -1678,7 +1450,7 @@ png_app_error(png_ptr, "PNG_TRANSFORM_SWAP_ENDIAN not supported"); #endif - /* Swap bits of 1, 2, 4 bit packed pixel formats */ + /* Swap bits of 1-bit, 2-bit, 4-bit packed pixel formats */ if ((transforms & PNG_TRANSFORM_PACKSWAP) != 0) #ifdef PNG_WRITE_PACKSWAP_SUPPORTED png_set_packswap(png_ptr); @@ -1708,13 +1480,13 @@ #ifdef PNG_SIMPLIFIED_WRITE_SUPPORTED -#ifdef PNG_STDIO_SUPPORTED /* currently required for png_image_write_* */ +# ifdef PNG_STDIO_SUPPORTED /* currently required for png_image_write_* */ /* Initialize the write structure - general purpose utility. */ static int png_image_write_init(png_imagep image) { png_structp png_ptr = png_create_write_struct(PNG_LIBPNG_VER_STRING, image, - png_safe_error, png_safe_warning); + png_safe_error, png_safe_warning); if (png_ptr != NULL) { @@ -1723,7 +1495,7 @@ if (info_ptr != NULL) { png_controlp control = png_voidcast(png_controlp, - png_malloc_warn(png_ptr, (sizeof *control))); + png_malloc_warn(png_ptr, (sizeof *control))); if (control != NULL) { @@ -1770,12 +1542,12 @@ png_write_image_16bit(png_voidp argument) { png_image_write_control *display = png_voidcast(png_image_write_control*, - argument); + argument); png_imagep image = display->image; png_structrp png_ptr = image->opaque->png_ptr; png_const_uint_16p input_row = png_voidcast(png_const_uint_16p, - display->first_row); + display->first_row); png_uint_16p output_row = png_voidcast(png_uint_16p, display->local_row); png_uint_16p row_end; const int channels = (image->format & PNG_FORMAT_FLAG_COLOR) != 0 ? 3 : 1; @@ -1784,17 +1556,18 @@ if ((image->format & PNG_FORMAT_FLAG_ALPHA) != 0) { -# ifdef PNG_SIMPLIFIED_WRITE_AFIRST_SUPPORTED - if ((image->format & PNG_FORMAT_FLAG_AFIRST) != 0) - { - aindex = -1; - ++input_row; /* To point to the first component */ - ++output_row; - } - +# ifdef PNG_SIMPLIFIED_WRITE_AFIRST_SUPPORTED + if ((image->format & PNG_FORMAT_FLAG_AFIRST) != 0) + { + aindex = -1; + ++input_row; /* To point to the first component */ + ++output_row; + } else -# endif + aindex = channels; +# else aindex = channels; +# endif } else @@ -1876,7 +1649,7 @@ * calculation can be done to 15 bits of accuracy; however, the output needs to * be scaled in the range 0..255*65535, so include that scaling here. */ -#define UNP_RECIPROCAL(alpha) ((((0xffff*0xff)<<7)+(alpha>>1))/alpha) +# define UNP_RECIPROCAL(alpha) ((((0xffff*0xff)<<7)+(alpha>>1))/alpha) static png_byte png_unpremultiply(png_uint_32 component, png_uint_32 alpha, @@ -1927,12 +1700,12 @@ png_write_image_8bit(png_voidp argument) { png_image_write_control *display = png_voidcast(png_image_write_control*, - argument); + argument); png_imagep image = display->image; png_structrp png_ptr = image->opaque->png_ptr; png_const_uint_16p input_row = png_voidcast(png_const_uint_16p, - display->first_row); + display->first_row); png_bytep output_row = png_voidcast(png_bytep, display->local_row); png_uint_32 y = image->height; const int channels = (image->format & PNG_FORMAT_FLAG_COLOR) != 0 ? 3 : 1; @@ -1942,17 +1715,17 @@ png_bytep row_end; int aindex; -# ifdef PNG_SIMPLIFIED_WRITE_AFIRST_SUPPORTED - if ((image->format & PNG_FORMAT_FLAG_AFIRST) != 0) - { - aindex = -1; - ++input_row; /* To point to the first component */ - ++output_row; - } +# ifdef PNG_SIMPLIFIED_WRITE_AFIRST_SUPPORTED + if ((image->format & PNG_FORMAT_FLAG_AFIRST) != 0) + { + aindex = -1; + ++input_row; /* To point to the first component */ + ++output_row; + } - else -# endif - aindex = channels; + else +# endif + aindex = channels; /* Use row_end in place of a loop counter: */ row_end = output_row + image->width * (channels+1); @@ -1986,7 +1759,7 @@ } /* while out_ptr < row_end */ png_write_row(png_ptr, png_voidcast(png_const_bytep, - display->local_row)); + display->local_row)); input_row += display->row_bytes/(sizeof (png_uint_16)); } /* while y */ } @@ -2025,25 +1798,25 @@ const png_imagep image = display->image; const void *cmap = display->colormap; const int entries = image->colormap_entries > 256 ? 256 : - (int)image->colormap_entries; + (int)image->colormap_entries; /* NOTE: the caller must check for cmap != NULL and entries != 0 */ const png_uint_32 format = image->format; const int channels = PNG_IMAGE_SAMPLE_CHANNELS(format); -# if defined(PNG_FORMAT_BGR_SUPPORTED) &&\ +# if defined(PNG_FORMAT_BGR_SUPPORTED) &&\ defined(PNG_SIMPLIFIED_WRITE_AFIRST_SUPPORTED) const int afirst = (format & PNG_FORMAT_FLAG_AFIRST) != 0 && - (format & PNG_FORMAT_FLAG_ALPHA) != 0; -# else + (format & PNG_FORMAT_FLAG_ALPHA) != 0; +# else # define afirst 0 -# endif +# endif -# ifdef PNG_FORMAT_BGR_SUPPORTED +# ifdef PNG_FORMAT_BGR_SUPPORTED const int bgr = (format & PNG_FORMAT_FLAG_BGR) != 0 ? 2 : 0; -# else +# else # define bgr 0 -# endif +# endif int i, num_trans; png_color palette[256]; @@ -2068,11 +1841,11 @@ if (channels >= 3) /* RGB */ { palette[i].blue = (png_byte)PNG_sRGB_FROM_LINEAR(255 * - entry[(2 ^ bgr)]); + entry[(2 ^ bgr)]); palette[i].green = (png_byte)PNG_sRGB_FROM_LINEAR(255 * - entry[1]); + entry[1]); palette[i].red = (png_byte)PNG_sRGB_FROM_LINEAR(255 * - entry[bgr]); + entry[bgr]); } else /* Gray */ @@ -2148,12 +1921,12 @@ } } -# ifdef afirst +# ifdef afirst # undef afirst -# endif -# ifdef bgr +# endif +# ifdef bgr # undef bgr -# endif +# endif png_set_PLTE(image->opaque->png_ptr, image->opaque->info_ptr, palette, entries); @@ -2181,10 +1954,10 @@ int alpha = !colormap && (format & PNG_FORMAT_FLAG_ALPHA); int write_16bit = linear && !colormap && (display->convert_to_8bit == 0); -# ifdef PNG_BENIGN_ERRORS_SUPPORTED +# ifdef PNG_BENIGN_ERRORS_SUPPORTED /* Make sure we error out on any bad situation */ png_set_benign_errors(png_ptr, 0/*error*/); -# endif +# endif /* Default the 'row_stride' parameter if required. */ if (display->row_stride == 0) @@ -2253,7 +2026,7 @@ /* Now set up the data transformations (*after* the header is written), * remove the handled transformations from the 'format' flags for checking. * - * First check for a little endian system if writing 16 bit files. + * First check for a little endian system if writing 16-bit files. */ if (write_16bit != 0) { @@ -2263,23 +2036,23 @@ png_set_swap(png_ptr); } -# ifdef PNG_SIMPLIFIED_WRITE_BGR_SUPPORTED +# ifdef PNG_SIMPLIFIED_WRITE_BGR_SUPPORTED if ((format & PNG_FORMAT_FLAG_BGR) != 0) { if (colormap == 0 && (format & PNG_FORMAT_FLAG_COLOR) != 0) png_set_bgr(png_ptr); format &= ~PNG_FORMAT_FLAG_BGR; } -# endif +# endif -# ifdef PNG_SIMPLIFIED_WRITE_AFIRST_SUPPORTED +# ifdef PNG_SIMPLIFIED_WRITE_AFIRST_SUPPORTED if ((format & PNG_FORMAT_FLAG_AFIRST) != 0) { if (colormap == 0 && (format & PNG_FORMAT_FLAG_ALPHA) != 0) png_set_swap_alpha(png_ptr); format &= ~PNG_FORMAT_FLAG_AFIRST; } -# endif +# endif /* If there are 16 or fewer color-map entries we wrote a lower bit depth * above, but the application data is still byte packed. @@ -2315,7 +2088,9 @@ * it about 50 times. The speed-up in pngstest was about 10-20% of the * total (user) time on a heavily loaded system. */ +# ifdef PNG_WRITE_CUSTOMIZE_COMPRESSION_SUPPORTED png_set_compression_level(png_ptr, 3); +# endif } /* Check for the cases that currently require a pre-transform on the row @@ -2478,6 +2253,6 @@ else return 0; } -#endif /* STDIO */ +# endif /* STDIO */ #endif /* SIMPLIFIED_WRITE */ #endif /* WRITE */ diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngwtran.c openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngwtran.c --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngwtran.c 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngwtran.c 2016-01-20 01:47:58.000000000 +0000 @@ -29,8 +29,8 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * Last changed in libpng 1.6.15 [November 20, 2014] - * Copyright (c) 1998-2014 Glenn Randers-Pehrson + * Last changed in libpng 1.6.18 [July 23, 2015] + * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -99,7 +99,8 @@ case 2: { png_bytep sp, dp; - int shift, v; + unsigned int shift; + int v; png_uint_32 i; png_uint_32 row_width = row_info->width; @@ -138,7 +139,8 @@ case 4: { png_bytep sp, dp; - int shift, v; + unsigned int shift; + int v; png_uint_32 i; png_uint_32 row_width = row_info->width; @@ -450,7 +452,7 @@ *(dp++) = *(sp++); */ sp+=3; dp = sp; - *(dp++) = (png_byte)(255 - *(sp++)); + *dp = (png_byte)(255 - *(sp++)); } } @@ -474,7 +476,7 @@ */ sp+=6; dp = sp; *(dp++) = (png_byte)(255 - *(sp++)); - *(dp++) = (png_byte)(255 - *(sp++)); + *dp = (png_byte)(255 - *(sp++)); } } #endif /* WRITE_16BIT */ @@ -512,7 +514,7 @@ */ sp+=2; dp = sp; *(dp++) = (png_byte)(255 - *(sp++)); - *(dp++) = (png_byte)(255 - *(sp++)); + *dp = (png_byte)(255 - *(sp++)); } } #endif /* WRITE_16BIT */ diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngwutil.c openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngwutil.c --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/pngwutil.c 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/pngwutil.c 2016-01-20 01:47:58.000000000 +0000 @@ -29,8 +29,8 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * Last changed in libpng 1.6.15 [November 20, 2014] - * Copyright (c) 1998-2014 Glenn Randers-Pehrson + * Last changed in libpng 1.6.19 [November 12, 2015] + * Copyright (c) 1998-2015 Glenn Randers-Pehrson * (Version 0.96 Copyright (c) 1996, 1997 Andreas Dilger) * (Version 0.88 Copyright (c) 1995, 1996 Guy Eric Schalnat, Group 42, Inc.) * @@ -51,10 +51,10 @@ void PNGAPI png_save_uint_32(png_bytep buf, png_uint_32 i) { - buf[0] = (png_byte)((i >> 24) & 0xff); - buf[1] = (png_byte)((i >> 16) & 0xff); - buf[2] = (png_byte)((i >> 8) & 0xff); - buf[3] = (png_byte)(i & 0xff); + buf[0] = (png_byte)(i >> 24); + buf[1] = (png_byte)(i >> 16); + buf[2] = (png_byte)(i >> 8); + buf[3] = (png_byte)(i ); } /* Place a 16-bit number into a buffer in PNG byte order. @@ -64,8 +64,8 @@ void PNGAPI png_save_uint_16(png_bytep buf, unsigned int i) { - buf[0] = (png_byte)((i >> 8) & 0xff); - buf[1] = (png_byte)(i & 0xff); + buf[0] = (png_byte)(i >> 8); + buf[1] = (png_byte)(i ); } #endif @@ -207,7 +207,7 @@ if (png_ptr == NULL) return; - /* On 64 bit architectures 'length' may not fit in a png_uint_32. */ + /* On 64-bit architectures 'length' may not fit in a png_uint_32. */ if (length > PNG_UINT_31_MAX) png_error(png_ptr, "length exceeds PNG maximum"); @@ -336,7 +336,7 @@ */ (void)png_safecat(msg, (sizeof msg), 10, " using zstream"); #endif -#if PNG_LIBPNG_BUILD_BASE_TYPE >= PNG_LIBPNG_BUILD_RC +#if PNG_RELEASE_BUILD png_warning(png_ptr, msg); /* Attempt sane error recovery */ @@ -723,7 +723,7 @@ while (*key && key_len < 79) { - png_byte ch = (png_byte)(0xff & *key++); + png_byte ch = (png_byte)*key++; if ((ch > 32 && ch <= 126) || (ch >= 161 /*&& ch <= 255*/)) *new_key++ = ch, ++key_len, space = 0; @@ -899,7 +899,7 @@ interlace_type=PNG_INTERLACE_NONE; #endif - /* Save the relevent information */ + /* Save the relevant information */ png_ptr->bit_depth = (png_byte)bit_depth; png_ptr->color_type = (png_byte)color_type; png_ptr->interlaced = (png_byte)interlace_type; @@ -950,17 +950,20 @@ png_write_PLTE(png_structrp png_ptr, png_const_colorp palette, png_uint_32 num_pal) { - png_uint_32 i; + png_uint_32 max_palette_length, i; png_const_colorp pal_ptr; png_byte buf[3]; png_debug(1, "in png_write_PLTE"); + max_palette_length = (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) ? + (1 << png_ptr->bit_depth) : PNG_MAX_PALETTE_LENGTH; + if (( #ifdef PNG_MNG_FEATURES_SUPPORTED (png_ptr->mng_features_permitted & PNG_FLAG_MNG_EMPTY_PLTE) == 0 && #endif - num_pal == 0) || num_pal > 256) + num_pal == 0) || num_pal > max_palette_length) { if (png_ptr->color_type == PNG_COLOR_TYPE_PALETTE) { @@ -1472,7 +1475,7 @@ else if (color_type == PNG_COLOR_TYPE_GRAY) { - /* One 16 bit value */ + /* One 16-bit value */ if (tran->gray >= (1 << png_ptr->bit_depth)) { png_app_warning(png_ptr, @@ -1487,7 +1490,7 @@ else if (color_type == PNG_COLOR_TYPE_RGB) { - /* Three 16 bit values */ + /* Three 16-bit values */ png_save_uint_16(buf, tran->red); png_save_uint_16(buf + 2, tran->green); png_save_uint_16(buf + 4, tran->blue); @@ -1793,7 +1796,7 @@ png_write_compressed_data_out(png_ptr, &comp); else - png_write_chunk_data(png_ptr, (png_const_bytep)text, comp.input_len); + png_write_chunk_data(png_ptr, (png_const_bytep)text, comp.output_len); png_write_chunk_end(png_ptr); } @@ -1989,6 +1992,10 @@ png_alloc_size_t buf_size; int usr_pixel_depth; +#ifdef PNG_WRITE_FILTER_SUPPORTED + png_byte filters; +#endif + png_debug(1, "in png_write_start_row"); usr_pixel_depth = png_ptr->usr_channels * png_ptr->usr_bit_depth; @@ -1999,50 +2006,54 @@ png_ptr->maximum_pixel_depth = (png_byte)usr_pixel_depth; /* Set up row buffer */ - png_ptr->row_buf = (png_bytep)png_malloc(png_ptr, buf_size); + png_ptr->row_buf = png_voidcast(png_bytep, png_malloc(png_ptr, buf_size)); png_ptr->row_buf[0] = PNG_FILTER_VALUE_NONE; #ifdef PNG_WRITE_FILTER_SUPPORTED - /* Set up filtering buffer, if using this filter */ - if (png_ptr->do_filter & PNG_FILTER_SUB) - { - png_ptr->sub_row = (png_bytep)png_malloc(png_ptr, png_ptr->rowbytes + 1); + filters = png_ptr->do_filter; - png_ptr->sub_row[0] = PNG_FILTER_VALUE_SUB; - } + if (png_ptr->height == 1) + filters &= 0xff & ~(PNG_FILTER_UP|PNG_FILTER_AVG|PNG_FILTER_PAETH); + + if (png_ptr->width == 1) + filters &= 0xff & ~(PNG_FILTER_SUB|PNG_FILTER_AVG|PNG_FILTER_PAETH); + + if (filters == 0) + filters = PNG_FILTER_NONE; - /* We only need to keep the previous row if we are using one of these. */ - if ((png_ptr->do_filter & - (PNG_FILTER_AVG | PNG_FILTER_UP | PNG_FILTER_PAETH)) != 0) + png_ptr->do_filter = filters; + + if (((filters & (PNG_FILTER_SUB | PNG_FILTER_UP | PNG_FILTER_AVG | + PNG_FILTER_PAETH)) != 0) && png_ptr->try_row == NULL) { - /* Set up previous row buffer */ - png_ptr->prev_row = (png_bytep)png_calloc(png_ptr, buf_size); + int num_filters = 0; - if ((png_ptr->do_filter & PNG_FILTER_UP) != 0) - { - png_ptr->up_row = (png_bytep)png_malloc(png_ptr, - png_ptr->rowbytes + 1); + png_ptr->try_row = png_voidcast(png_bytep, png_malloc(png_ptr, buf_size)); - png_ptr->up_row[0] = PNG_FILTER_VALUE_UP; - } + if (filters & PNG_FILTER_SUB) + num_filters++; - if ((png_ptr->do_filter & PNG_FILTER_AVG) != 0) - { - png_ptr->avg_row = (png_bytep)png_malloc(png_ptr, - png_ptr->rowbytes + 1); + if (filters & PNG_FILTER_UP) + num_filters++; - png_ptr->avg_row[0] = PNG_FILTER_VALUE_AVG; - } + if (filters & PNG_FILTER_AVG) + num_filters++; - if ((png_ptr->do_filter & PNG_FILTER_PAETH) != 0) - { - png_ptr->paeth_row = (png_bytep)png_malloc(png_ptr, - png_ptr->rowbytes + 1); + if (filters & PNG_FILTER_PAETH) + num_filters++; - png_ptr->paeth_row[0] = PNG_FILTER_VALUE_PAETH; - } + if (num_filters > 1) + png_ptr->tst_row = png_voidcast(png_bytep, png_malloc(png_ptr, + buf_size)); } + + /* We only need to keep the previous row if we are using one of the following + * filters. + */ + if ((filters & (PNG_FILTER_AVG | PNG_FILTER_UP | PNG_FILTER_PAETH)) != 0) + png_ptr->prev_row = png_voidcast(png_bytep, + png_calloc(png_ptr, buf_size)); #endif /* WRITE_FILTER */ #ifdef PNG_WRITE_INTERLACING_SUPPORTED @@ -2188,7 +2199,7 @@ { png_bytep sp; png_bytep dp; - int shift; + unsigned int shift; int d; int value; png_uint_32 i; @@ -2226,7 +2237,7 @@ { png_bytep sp; png_bytep dp; - int shift; + unsigned int shift; int d; int value; png_uint_32 i; @@ -2263,7 +2274,7 @@ { png_bytep sp; png_bytep dp; - int shift; + unsigned int shift; int d; int value; png_uint_32 i; @@ -2338,50 +2349,181 @@ } #endif + /* This filters the row, chooses which filter to use, if it has not already * been specified by the application, and then writes the row out with the * chosen filter. */ -static void +static void /* PRIVATE */ png_write_filtered_row(png_structrp png_ptr, png_bytep filtered_row, png_size_t row_bytes); -#define PNG_MAXSUM (((png_uint_32)(-1)) >> 1) -#define PNG_HISHIFT 10 -#define PNG_LOMASK ((png_uint_32)0xffffL) -#define PNG_HIMASK ((png_uint_32)(~PNG_LOMASK >> PNG_HISHIFT)) +#ifdef PNG_WRITE_FILTER_SUPPORTED +static png_size_t /* PRIVATE */ +png_setup_sub_row(png_structrp png_ptr, const png_uint_32 bpp, + const png_size_t row_bytes, const png_size_t lmins) +{ + png_bytep rp, dp, lp; + png_size_t i; + png_size_t sum = 0; + int v; + + png_ptr->try_row[0] = PNG_FILTER_VALUE_SUB; + + for (i = 0, rp = png_ptr->row_buf + 1, dp = png_ptr->try_row + 1; i < bpp; + i++, rp++, dp++) + { + v = *dp = *rp; + sum += (v < 128) ? v : 256 - v; + } + + for (lp = png_ptr->row_buf + 1; i < row_bytes; + i++, rp++, lp++, dp++) + { + v = *dp = (png_byte)(((int)*rp - (int)*lp) & 0xff); + sum += (v < 128) ? v : 256 - v; + + if (sum > lmins) /* We are already worse, don't continue. */ + break; + } + + return (sum); +} + +static png_size_t /* PRIVATE */ +png_setup_up_row(png_structrp png_ptr, const png_size_t row_bytes, + const png_size_t lmins) +{ + png_bytep rp, dp, pp; + png_size_t i; + png_size_t sum = 0; + int v; + + png_ptr->try_row[0] = PNG_FILTER_VALUE_UP; + + for (i = 0, rp = png_ptr->row_buf + 1, dp = png_ptr->try_row + 1, + pp = png_ptr->prev_row + 1; i < row_bytes; + i++, rp++, pp++, dp++) + { + v = *dp = (png_byte)(((int)*rp - (int)*pp) & 0xff); + sum += (v < 128) ? v : 256 - v; + + if (sum > lmins) /* We are already worse, don't continue. */ + break; + } + + return (sum); +} + +static png_size_t /* PRIVATE */ +png_setup_avg_row(png_structrp png_ptr, const png_uint_32 bpp, + const png_size_t row_bytes, const png_size_t lmins) +{ + png_bytep rp, dp, pp, lp; + png_uint_32 i; + png_size_t sum = 0; + int v; + + png_ptr->try_row[0] = PNG_FILTER_VALUE_AVG; + + for (i = 0, rp = png_ptr->row_buf + 1, dp = png_ptr->try_row + 1, + pp = png_ptr->prev_row + 1; i < bpp; i++) + { + v = *dp++ = (png_byte)(((int)*rp++ - ((int)*pp++ / 2)) & 0xff); + + sum += (v < 128) ? v : 256 - v; + } + + for (lp = png_ptr->row_buf + 1; i < row_bytes; i++) + { + v = *dp++ = (png_byte)(((int)*rp++ - (((int)*pp++ + (int)*lp++) / 2)) + & 0xff); + + sum += (v < 128) ? v : 256 - v; + + if (sum > lmins) /* We are already worse, don't continue. */ + break; + } + + return (sum); +} + +static png_size_t /* PRIVATE */ +png_setup_paeth_row(png_structrp png_ptr, const png_uint_32 bpp, + const png_size_t row_bytes, const png_size_t lmins) +{ + png_bytep rp, dp, pp, cp, lp; + png_size_t i; + png_size_t sum = 0; + int v; + + png_ptr->try_row[0] = PNG_FILTER_VALUE_PAETH; + + for (i = 0, rp = png_ptr->row_buf + 1, dp = png_ptr->try_row + 1, + pp = png_ptr->prev_row + 1; i < bpp; i++) + { + v = *dp++ = (png_byte)(((int)*rp++ - (int)*pp++) & 0xff); + + sum += (v < 128) ? v : 256 - v; + } + + for (lp = png_ptr->row_buf + 1, cp = png_ptr->prev_row + 1; i < row_bytes; + i++) + { + int a, b, c, pa, pb, pc, p; + + b = *pp++; + c = *cp++; + a = *lp++; + + p = b - c; + pc = a - c; + +#ifdef PNG_USE_ABS + pa = abs(p); + pb = abs(pc); + pc = abs(p + pc); +#else + pa = p < 0 ? -p : p; + pb = pc < 0 ? -pc : pc; + pc = (p + pc) < 0 ? -(p + pc) : p + pc; +#endif + + p = (pa <= pb && pa <=pc) ? a : (pb <= pc) ? b : c; + + v = *dp++ = (png_byte)(((int)*rp++ - p) & 0xff); + + sum += (v < 128) ? v : 256 - v; + + if (sum > lmins) /* We are already worse, don't continue. */ + break; + } + + return (sum); +} +#endif /* WRITE_FILTER */ + void /* PRIVATE */ png_write_find_filter(png_structrp png_ptr, png_row_infop row_info) { - png_bytep best_row; -#ifdef PNG_WRITE_FILTER_SUPPORTED - png_bytep prev_row, row_buf; - png_uint_32 mins, bpp; +#ifndef PNG_WRITE_FILTER_SUPPORTED + png_write_filtered_row(png_ptr, png_ptr->row_buf, row_info->rowbytes+1); +#else png_byte filter_to_do = png_ptr->do_filter; + png_bytep row_buf; + png_bytep best_row; + png_uint_32 bpp; + png_size_t mins; png_size_t row_bytes = row_info->rowbytes; -#ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED - int num_p_filters = png_ptr->num_prev_filters; -#endif png_debug(1, "in png_write_find_filter"); -#ifndef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED - if (png_ptr->row_number == 0 && filter_to_do == PNG_ALL_FILTERS) - { - /* These will never be selected so we need not test them. */ - filter_to_do &= ~(PNG_FILTER_UP | PNG_FILTER_PAETH); - } -#endif - /* Find out how many bytes offset each pixel is */ bpp = (row_info->pixel_depth + 7) >> 3; - prev_row = png_ptr->prev_row; -#endif - best_row = png_ptr->row_buf; -#ifdef PNG_WRITE_FILTER_SUPPORTED - row_buf = best_row; - mins = PNG_MAXSUM; + row_buf = png_ptr->row_buf; + mins = PNG_SIZE_MAX - 256/* so we can detect potential overflow of the + running sum */; /* The prediction method we use is to find which method provides the * smallest value when summing the absolute values of the distances @@ -2411,57 +2553,37 @@ /* We don't need to test the 'no filter' case if this is the only filter * that has been chosen, as it doesn't actually do anything to the data. */ + best_row = png_ptr->row_buf; + + if ((filter_to_do & PNG_FILTER_NONE) != 0 && filter_to_do != PNG_FILTER_NONE) { png_bytep rp; - png_uint_32 sum = 0; + png_size_t sum = 0; png_size_t i; int v; - for (i = 0, rp = row_buf + 1; i < row_bytes; i++, rp++) + if (PNG_SIZE_MAX/128 <= row_bytes) { - v = *rp; - sum += (v < 128) ? v : 256 - v; - } + for (i = 0, rp = row_buf + 1; i < row_bytes; i++, rp++) + { + /* Check for overflow */ + if (sum > PNG_SIZE_MAX/128 - 256) + break; -#ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED - if (png_ptr->heuristic_method == PNG_FILTER_HEURISTIC_WEIGHTED) + v = *rp; + sum += (v < 128) ? v : 256 - v; + } + } + else /* Overflow is not possible */ { - png_uint_32 sumhi, sumlo; - int j; - sumlo = sum & PNG_LOMASK; - sumhi = (sum >> PNG_HISHIFT) & PNG_HIMASK; /* Gives us some footroom */ - - /* Reduce the sum if we match any of the previous rows */ - for (j = 0; j < num_p_filters; j++) + for (i = 0, rp = row_buf + 1; i < row_bytes; i++, rp++) { - if (png_ptr->prev_filters[j] == PNG_FILTER_VALUE_NONE) - { - sumlo = (sumlo * png_ptr->filter_weights[j]) >> - PNG_WEIGHT_SHIFT; - - sumhi = (sumhi * png_ptr->filter_weights[j]) >> - PNG_WEIGHT_SHIFT; - } + v = *rp; + sum += (v < 128) ? v : 256 - v; } - - /* Factor in the cost of this filter (this is here for completeness, - * but it makes no sense to have a "cost" for the NONE filter, as - * it has the minimum possible computational cost - none). - */ - sumlo = (sumlo * png_ptr->filter_costs[PNG_FILTER_VALUE_NONE]) >> - PNG_COST_SHIFT; - - sumhi = (sumhi * png_ptr->filter_costs[PNG_FILTER_VALUE_NONE]) >> - PNG_COST_SHIFT; - - if (sumhi > PNG_HIMASK) - sum = PNG_MAXSUM; - - else - sum = (sumhi << PNG_HISHIFT) + sumlo; } -#endif + mins = sum; } @@ -2469,553 +2591,109 @@ if (filter_to_do == PNG_FILTER_SUB) /* It's the only filter so no testing is needed */ { - png_bytep rp, lp, dp; - png_size_t i; - - for (i = 0, rp = row_buf + 1, dp = png_ptr->sub_row + 1; i < bpp; - i++, rp++, dp++) - { - *dp = *rp; - } - - for (lp = row_buf + 1; i < row_bytes; - i++, rp++, lp++, dp++) - { - *dp = (png_byte)(((int)*rp - (int)*lp) & 0xff); - } - - best_row = png_ptr->sub_row; + (void) png_setup_sub_row(png_ptr, bpp, row_bytes, mins); + best_row = png_ptr->try_row; } else if ((filter_to_do & PNG_FILTER_SUB) != 0) { - png_bytep rp, dp, lp; - png_uint_32 sum = 0, lmins = mins; - png_size_t i; - int v; + png_size_t sum; + png_size_t lmins = mins; -#ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED - /* We temporarily increase the "minimum sum" by the factor we - * would reduce the sum of this filter, so that we can do the - * early exit comparison without scaling the sum each time. - */ - if (png_ptr->heuristic_method == PNG_FILTER_HEURISTIC_WEIGHTED) - { - int j; - png_uint_32 lmhi, lmlo; - lmlo = lmins & PNG_LOMASK; - lmhi = (lmins >> PNG_HISHIFT) & PNG_HIMASK; - - for (j = 0; j < num_p_filters; j++) - { - if (png_ptr->prev_filters[j] == PNG_FILTER_VALUE_SUB) - { - lmlo = (lmlo * png_ptr->inv_filter_weights[j]) >> - PNG_WEIGHT_SHIFT; - - lmhi = (lmhi * png_ptr->inv_filter_weights[j]) >> - PNG_WEIGHT_SHIFT; - } - } - - lmlo = (lmlo * png_ptr->inv_filter_costs[PNG_FILTER_VALUE_SUB]) >> - PNG_COST_SHIFT; - - lmhi = (lmhi * png_ptr->inv_filter_costs[PNG_FILTER_VALUE_SUB]) >> - PNG_COST_SHIFT; - - if (lmhi > PNG_HIMASK) - lmins = PNG_MAXSUM; - - else - lmins = (lmhi << PNG_HISHIFT) + lmlo; - } -#endif - - for (i = 0, rp = row_buf + 1, dp = png_ptr->sub_row + 1; i < bpp; - i++, rp++, dp++) - { - v = *dp = *rp; - - sum += (v < 128) ? v : 256 - v; - } - - for (lp = row_buf + 1; i < row_bytes; - i++, rp++, lp++, dp++) - { - v = *dp = (png_byte)(((int)*rp - (int)*lp) & 0xff); - - sum += (v < 128) ? v : 256 - v; - - if (sum > lmins) /* We are already worse, don't continue. */ - break; - } - -#ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED - if (png_ptr->heuristic_method == PNG_FILTER_HEURISTIC_WEIGHTED) - { - int j; - png_uint_32 sumhi, sumlo; - sumlo = sum & PNG_LOMASK; - sumhi = (sum >> PNG_HISHIFT) & PNG_HIMASK; - - for (j = 0; j < num_p_filters; j++) - { - if (png_ptr->prev_filters[j] == PNG_FILTER_VALUE_SUB) - { - sumlo = (sumlo * png_ptr->inv_filter_weights[j]) >> - PNG_WEIGHT_SHIFT; - - sumhi = (sumhi * png_ptr->inv_filter_weights[j]) >> - PNG_WEIGHT_SHIFT; - } - } - - sumlo = (sumlo * png_ptr->inv_filter_costs[PNG_FILTER_VALUE_SUB]) >> - PNG_COST_SHIFT; - - sumhi = (sumhi * png_ptr->inv_filter_costs[PNG_FILTER_VALUE_SUB]) >> - PNG_COST_SHIFT; - - if (sumhi > PNG_HIMASK) - sum = PNG_MAXSUM; - - else - sum = (sumhi << PNG_HISHIFT) + sumlo; - } -#endif + sum = png_setup_sub_row(png_ptr, bpp, row_bytes, lmins); if (sum < mins) { mins = sum; - best_row = png_ptr->sub_row; + best_row = png_ptr->try_row; + if (png_ptr->tst_row != NULL) + { + png_ptr->try_row = png_ptr->tst_row; + png_ptr->tst_row = best_row; + } } } /* Up filter */ if (filter_to_do == PNG_FILTER_UP) { - png_bytep rp, dp, pp; - png_size_t i; - - for (i = 0, rp = row_buf + 1, dp = png_ptr->up_row + 1, - pp = prev_row + 1; i < row_bytes; - i++, rp++, pp++, dp++) - { - *dp = (png_byte)(((int)*rp - (int)*pp) & 0xff); - } - - best_row = png_ptr->up_row; + (void) png_setup_up_row(png_ptr, row_bytes, mins); + best_row = png_ptr->try_row; } else if ((filter_to_do & PNG_FILTER_UP) != 0) { - png_bytep rp, dp, pp; - png_uint_32 sum = 0, lmins = mins; - png_size_t i; - int v; - - -#ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED - if (png_ptr->heuristic_method == PNG_FILTER_HEURISTIC_WEIGHTED) - { - int j; - png_uint_32 lmhi, lmlo; - lmlo = lmins & PNG_LOMASK; - lmhi = (lmins >> PNG_HISHIFT) & PNG_HIMASK; - - for (j = 0; j < num_p_filters; j++) - { - if (png_ptr->prev_filters[j] == PNG_FILTER_VALUE_UP) - { - lmlo = (lmlo * png_ptr->inv_filter_weights[j]) >> - PNG_WEIGHT_SHIFT; - - lmhi = (lmhi * png_ptr->inv_filter_weights[j]) >> - PNG_WEIGHT_SHIFT; - } - } - - lmlo = (lmlo * png_ptr->inv_filter_costs[PNG_FILTER_VALUE_UP]) >> - PNG_COST_SHIFT; - - lmhi = (lmhi * png_ptr->inv_filter_costs[PNG_FILTER_VALUE_UP]) >> - PNG_COST_SHIFT; - - if (lmhi > PNG_HIMASK) - lmins = PNG_MAXSUM; - - else - lmins = (lmhi << PNG_HISHIFT) + lmlo; - } -#endif - - for (i = 0, rp = row_buf + 1, dp = png_ptr->up_row + 1, - pp = prev_row + 1; i < row_bytes; i++) - { - v = *dp++ = (png_byte)(((int)*rp++ - (int)*pp++) & 0xff); + png_size_t sum; + png_size_t lmins = mins; - sum += (v < 128) ? v : 256 - v; - - if (sum > lmins) /* We are already worse, don't continue. */ - break; - } - -#ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED - if (png_ptr->heuristic_method == PNG_FILTER_HEURISTIC_WEIGHTED) - { - int j; - png_uint_32 sumhi, sumlo; - sumlo = sum & PNG_LOMASK; - sumhi = (sum >> PNG_HISHIFT) & PNG_HIMASK; - - for (j = 0; j < num_p_filters; j++) - { - if (png_ptr->prev_filters[j] == PNG_FILTER_VALUE_UP) - { - sumlo = (sumlo * png_ptr->filter_weights[j]) >> - PNG_WEIGHT_SHIFT; - - sumhi = (sumhi * png_ptr->filter_weights[j]) >> - PNG_WEIGHT_SHIFT; - } - } - - sumlo = (sumlo * png_ptr->filter_costs[PNG_FILTER_VALUE_UP]) >> - PNG_COST_SHIFT; - - sumhi = (sumhi * png_ptr->filter_costs[PNG_FILTER_VALUE_UP]) >> - PNG_COST_SHIFT; - - if (sumhi > PNG_HIMASK) - sum = PNG_MAXSUM; - - else - sum = (sumhi << PNG_HISHIFT) + sumlo; - } -#endif + sum = png_setup_up_row(png_ptr, row_bytes, lmins); if (sum < mins) { mins = sum; - best_row = png_ptr->up_row; + best_row = png_ptr->try_row; + if (png_ptr->tst_row != NULL) + { + png_ptr->try_row = png_ptr->tst_row; + png_ptr->tst_row = best_row; + } } } /* Avg filter */ if (filter_to_do == PNG_FILTER_AVG) { - png_bytep rp, dp, pp, lp; - png_uint_32 i; - - for (i = 0, rp = row_buf + 1, dp = png_ptr->avg_row + 1, - pp = prev_row + 1; i < bpp; i++) - { - *dp++ = (png_byte)(((int)*rp++ - ((int)*pp++ / 2)) & 0xff); - } - - for (lp = row_buf + 1; i < row_bytes; i++) - { - *dp++ = (png_byte)(((int)*rp++ - (((int)*pp++ + (int)*lp++) / 2)) - & 0xff); - } - best_row = png_ptr->avg_row; + (void) png_setup_avg_row(png_ptr, bpp, row_bytes, mins); + best_row = png_ptr->try_row; } else if ((filter_to_do & PNG_FILTER_AVG) != 0) { - png_bytep rp, dp, pp, lp; - png_uint_32 sum = 0, lmins = mins; - png_size_t i; - int v; - -#ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED - if (png_ptr->heuristic_method == PNG_FILTER_HEURISTIC_WEIGHTED) - { - int j; - png_uint_32 lmhi, lmlo; - lmlo = lmins & PNG_LOMASK; - lmhi = (lmins >> PNG_HISHIFT) & PNG_HIMASK; - - for (j = 0; j < num_p_filters; j++) - { - if (png_ptr->prev_filters[j] == PNG_FILTER_VALUE_AVG) - { - lmlo = (lmlo * png_ptr->inv_filter_weights[j]) >> - PNG_WEIGHT_SHIFT; - - lmhi = (lmhi * png_ptr->inv_filter_weights[j]) >> - PNG_WEIGHT_SHIFT; - } - } - - lmlo = (lmlo * png_ptr->inv_filter_costs[PNG_FILTER_VALUE_AVG]) >> - PNG_COST_SHIFT; - - lmhi = (lmhi * png_ptr->inv_filter_costs[PNG_FILTER_VALUE_AVG]) >> - PNG_COST_SHIFT; - - if (lmhi > PNG_HIMASK) - lmins = PNG_MAXSUM; - - else - lmins = (lmhi << PNG_HISHIFT) + lmlo; - } -#endif - - for (i = 0, rp = row_buf + 1, dp = png_ptr->avg_row + 1, - pp = prev_row + 1; i < bpp; i++) - { - v = *dp++ = (png_byte)(((int)*rp++ - ((int)*pp++ / 2)) & 0xff); - - sum += (v < 128) ? v : 256 - v; - } - - for (lp = row_buf + 1; i < row_bytes; i++) - { - v = *dp++ = - (png_byte)(((int)*rp++ - (((int)*pp++ + (int)*lp++) / 2)) & 0xff); - - sum += (v < 128) ? v : 256 - v; - - if (sum > lmins) /* We are already worse, don't continue. */ - break; - } - -#ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED - if (png_ptr->heuristic_method == PNG_FILTER_HEURISTIC_WEIGHTED) - { - int j; - png_uint_32 sumhi, sumlo; - sumlo = sum & PNG_LOMASK; - sumhi = (sum >> PNG_HISHIFT) & PNG_HIMASK; - - for (j = 0; j < num_p_filters; j++) - { - if (png_ptr->prev_filters[j] == PNG_FILTER_VALUE_NONE) - { - sumlo = (sumlo * png_ptr->filter_weights[j]) >> - PNG_WEIGHT_SHIFT; - - sumhi = (sumhi * png_ptr->filter_weights[j]) >> - PNG_WEIGHT_SHIFT; - } - } - - sumlo = (sumlo * png_ptr->filter_costs[PNG_FILTER_VALUE_AVG]) >> - PNG_COST_SHIFT; + png_size_t sum; + png_size_t lmins = mins; - sumhi = (sumhi * png_ptr->filter_costs[PNG_FILTER_VALUE_AVG]) >> - PNG_COST_SHIFT; - - if (sumhi > PNG_HIMASK) - sum = PNG_MAXSUM; - - else - sum = (sumhi << PNG_HISHIFT) + sumlo; - } -#endif + sum= png_setup_avg_row(png_ptr, bpp, row_bytes, lmins); if (sum < mins) { mins = sum; - best_row = png_ptr->avg_row; + best_row = png_ptr->try_row; + if (png_ptr->tst_row != NULL) + { + png_ptr->try_row = png_ptr->tst_row; + png_ptr->tst_row = best_row; + } } } /* Paeth filter */ if ((filter_to_do == PNG_FILTER_PAETH) != 0) { - png_bytep rp, dp, pp, cp, lp; - png_size_t i; - - for (i = 0, rp = row_buf + 1, dp = png_ptr->paeth_row + 1, - pp = prev_row + 1; i < bpp; i++) - { - *dp++ = (png_byte)(((int)*rp++ - (int)*pp++) & 0xff); - } - - for (lp = row_buf + 1, cp = prev_row + 1; i < row_bytes; i++) - { - int a, b, c, pa, pb, pc, p; - - b = *pp++; - c = *cp++; - a = *lp++; - - p = b - c; - pc = a - c; - -#ifdef PNG_USE_ABS - pa = abs(p); - pb = abs(pc); - pc = abs(p + pc); -#else - pa = p < 0 ? -p : p; - pb = pc < 0 ? -pc : pc; - pc = (p + pc) < 0 ? -(p + pc) : p + pc; -#endif - - p = (pa <= pb && pa <=pc) ? a : (pb <= pc) ? b : c; - - *dp++ = (png_byte)(((int)*rp++ - p) & 0xff); - } - best_row = png_ptr->paeth_row; + (void) png_setup_paeth_row(png_ptr, bpp, row_bytes, mins); + best_row = png_ptr->try_row; } else if ((filter_to_do & PNG_FILTER_PAETH) != 0) { - png_bytep rp, dp, pp, cp, lp; - png_uint_32 sum = 0, lmins = mins; - png_size_t i; - int v; - -#ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED - if (png_ptr->heuristic_method == PNG_FILTER_HEURISTIC_WEIGHTED) - { - int j; - png_uint_32 lmhi, lmlo; - lmlo = lmins & PNG_LOMASK; - lmhi = (lmins >> PNG_HISHIFT) & PNG_HIMASK; - - for (j = 0; j < num_p_filters; j++) - { - if (png_ptr->prev_filters[j] == PNG_FILTER_VALUE_PAETH) - { - lmlo = (lmlo * png_ptr->inv_filter_weights[j]) >> - PNG_WEIGHT_SHIFT; - - lmhi = (lmhi * png_ptr->inv_filter_weights[j]) >> - PNG_WEIGHT_SHIFT; - } - } + png_size_t sum; + png_size_t lmins = mins; - lmlo = (lmlo * png_ptr->inv_filter_costs[PNG_FILTER_VALUE_PAETH]) >> - PNG_COST_SHIFT; - - lmhi = (lmhi * png_ptr->inv_filter_costs[PNG_FILTER_VALUE_PAETH]) >> - PNG_COST_SHIFT; - - if (lmhi > PNG_HIMASK) - lmins = PNG_MAXSUM; - - else - lmins = (lmhi << PNG_HISHIFT) + lmlo; - } -#endif - - for (i = 0, rp = row_buf + 1, dp = png_ptr->paeth_row + 1, - pp = prev_row + 1; i < bpp; i++) - { - v = *dp++ = (png_byte)(((int)*rp++ - (int)*pp++) & 0xff); - - sum += (v < 128) ? v : 256 - v; - } + sum = png_setup_paeth_row(png_ptr, bpp, row_bytes, lmins); - for (lp = row_buf + 1, cp = prev_row + 1; i < row_bytes; i++) - { - int a, b, c, pa, pb, pc, p; - - b = *pp++; - c = *cp++; - a = *lp++; - -#ifndef PNG_SLOW_PAETH - p = b - c; - pc = a - c; -#ifdef PNG_USE_ABS - pa = abs(p); - pb = abs(pc); - pc = abs(p + pc); -#else - pa = p < 0 ? -p : p; - pb = pc < 0 ? -pc : pc; - pc = (p + pc) < 0 ? -(p + pc) : p + pc; -#endif - p = (pa <= pb && pa <=pc) ? a : (pb <= pc) ? b : c; -#else /* SLOW_PAETH */ - p = a + b - c; - pa = abs(p - a); - pb = abs(p - b); - pc = abs(p - c); - - if (pa <= pb && pa <= pc) - p = a; - - else if (pb <= pc) - p = b; - - else - p = c; -#endif /* SLOW_PAETH */ - - v = *dp++ = (png_byte)(((int)*rp++ - p) & 0xff); - - sum += (v < 128) ? v : 256 - v; - - if (sum > lmins) /* We are already worse, don't continue. */ - break; - } - -#ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED - if (png_ptr->heuristic_method == PNG_FILTER_HEURISTIC_WEIGHTED) + if (sum < mins) { - int j; - png_uint_32 sumhi, sumlo; - sumlo = sum & PNG_LOMASK; - sumhi = (sum >> PNG_HISHIFT) & PNG_HIMASK; - - for (j = 0; j < num_p_filters; j++) + best_row = png_ptr->try_row; + if (png_ptr->tst_row != NULL) { - if (png_ptr->prev_filters[j] == PNG_FILTER_VALUE_PAETH) - { - sumlo = (sumlo * png_ptr->filter_weights[j]) >> - PNG_WEIGHT_SHIFT; - - sumhi = (sumhi * png_ptr->filter_weights[j]) >> - PNG_WEIGHT_SHIFT; - } + png_ptr->try_row = png_ptr->tst_row; + png_ptr->tst_row = best_row; } - - sumlo = (sumlo * png_ptr->filter_costs[PNG_FILTER_VALUE_PAETH]) >> - PNG_COST_SHIFT; - - sumhi = (sumhi * png_ptr->filter_costs[PNG_FILTER_VALUE_PAETH]) >> - PNG_COST_SHIFT; - - if (sumhi > PNG_HIMASK) - sum = PNG_MAXSUM; - - else - sum = (sumhi << PNG_HISHIFT) + sumlo; - } -#endif - - if (sum < mins) - { - best_row = png_ptr->paeth_row; } } -#endif /* WRITE_FILTER */ /* Do the actual writing of the filtered row data from the chosen filter. */ png_write_filtered_row(png_ptr, best_row, row_info->rowbytes+1); -#ifdef PNG_WRITE_FILTER_SUPPORTED -#ifdef PNG_WRITE_WEIGHTED_FILTER_SUPPORTED - /* Save the type of filter we picked this time for future calculations */ - if (png_ptr->num_prev_filters > 0) - { - int j; - - for (j = 1; j < num_p_filters; j++) - { - png_ptr->prev_filters[j] = png_ptr->prev_filters[j - 1]; - } - - png_ptr->prev_filters[j] = best_row[0]; - } -#endif #endif /* WRITE_FILTER */ } @@ -3031,6 +2709,7 @@ png_compress_IDAT(png_ptr, filtered_row, full_row_length, Z_NO_FLUSH); +#ifdef PNG_WRITE_FILTER_SUPPORTED /* Swap the current and previous rows */ if (png_ptr->prev_row != NULL) { @@ -3040,6 +2719,7 @@ png_ptr->prev_row = png_ptr->row_buf; png_ptr->row_buf = tptr; } +#endif /* WRITE_FILTER */ /* Finish row - updates counters and flushes zlib if last row */ png_write_finish_row(png_ptr); diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/README openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/README --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/libpng/README 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/libpng/README 2016-01-20 01:47:58.000000000 +0000 @@ -1,4 +1,4 @@ -README for libpng version 1.6.16 - December 22, 2014 (shared library 16.0) +README for libpng version 1.6.20 - December 3, 2015 (shared library 16.0) See the note about version numbers near the top of png.h See INSTALL for instructions on how to install libpng. @@ -134,7 +134,7 @@ to others, if necessary. Please do not send suggestions on how to change PNG. We have -been discussing PNG for nineteen years now, and it is official and +been discussing PNG for twenty years now, and it is official and finished. If you have suggestions for libpng, however, I'll gladly listen. Even if your suggestion is not used immediately, it may be used later. diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/splashscreen/splashscreen_png.c openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/splashscreen/splashscreen_png.c --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/awt/splashscreen/splashscreen_png.c 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/awt/splashscreen/splashscreen_png.c 2016-01-20 01:47:58.000000000 +0000 @@ -98,6 +98,7 @@ if (png_get_gAMA(png_ptr, info_ptr, &gamma)) png_set_gamma(png_ptr, 2.2, gamma); + png_set_interlace_handling(png_ptr); png_read_update_info(png_ptr, info_ptr); rowbytes = png_get_rowbytes(png_ptr, info_ptr); diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/font/layout/ContextualSubstSubtables.cpp openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/font/layout/ContextualSubstSubtables.cpp --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/font/layout/ContextualSubstSubtables.cpp 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/font/layout/ContextualSubstSubtables.cpp 2016-01-20 01:47:58.000000000 +0000 @@ -243,14 +243,14 @@ le_uint16 srSetCount = SWAPW(subRuleSetCount); if (coverageIndex < srSetCount) { - LEReferenceToArrayOf subRuleSetTableOffsetArrayRef(base, success, - &subRuleSetTableOffsetArray[coverageIndex], 1); + LEReferenceToArrayOf + subRuleSetTableOffsetArrayRef(base, success, subRuleSetTableOffsetArray, srSetCount); if (LE_FAILURE(success)) { return 0; } Offset subRuleSetTableOffset = SWAPW(subRuleSetTableOffsetArray[coverageIndex]); - LEReferenceTo - subRuleSetTable(base, success, (const SubRuleSetTable *) ((char *) this + subRuleSetTableOffset)); + LEReferenceTo subRuleSetTable(base, success, subRuleSetTableOffset); + if (LE_FAILURE(success)) { return 0; } le_uint16 subRuleCount = SWAPW(subRuleSetTable->subRuleCount); le_int32 position = glyphIterator->getCurrStreamPosition(); @@ -264,6 +264,7 @@ SWAPW(subRuleSetTable->subRuleTableOffsetArray[subRule]); LEReferenceTo subRuleTable(subRuleSetTable, success, subRuleTableOffset); + if (LE_FAILURE(success)) { return 0; } le_uint16 matchCount = SWAPW(subRuleTable->glyphCount) - 1; le_uint16 substCount = SWAPW(subRuleTable->substCount); LEReferenceToArrayOf inputGlyphArray(base, success, subRuleTable->inputGlyphArray, matchCount+2); @@ -304,8 +305,8 @@ } if (coverageIndex >= 0) { - LEReferenceTo classDefinitionTable(base, success, - (const ClassDefinitionTable *) ((char *) this + SWAPW(classDefTableOffset))); + LEReferenceTo classDefinitionTable(base, success, SWAPW(classDefTableOffset)); + if (LE_FAILURE(success)) { return 0; } le_uint16 scSetCount = SWAPW(subClassSetCount); le_int32 setClass = classDefinitionTable->getGlyphClass(classDefinitionTable, glyphIterator->getCurrGlyphID(), @@ -313,44 +314,45 @@ if (setClass < scSetCount) { LEReferenceToArrayOf - subClassSetTableOffsetArrayRef(base, success, subClassSetTableOffsetArray, setClass); + subClassSetTableOffsetArrayRef(base, success, subClassSetTableOffsetArray, scSetCount); if (LE_FAILURE(success)) { return 0; } if (subClassSetTableOffsetArray[setClass] != 0) { - Offset subClassSetTableOffset = SWAPW(subClassSetTableOffsetArray[setClass]); - LEReferenceTo - subClassSetTable(base, success, (const SubClassSetTable *) ((char *) this + subClassSetTableOffset)); - le_uint16 subClassRuleCount = SWAPW(subClassSetTable->subClassRuleCount); - le_int32 position = glyphIterator->getCurrStreamPosition(); + Offset subClassSetTableOffset = SWAPW(subClassSetTableOffsetArray[setClass]); + LEReferenceTo subClassSetTable(base, success, subClassSetTableOffset); + if (LE_FAILURE(success)) { return 0; } + le_uint16 subClassRuleCount = SWAPW(subClassSetTable->subClassRuleCount); + le_int32 position = glyphIterator->getCurrStreamPosition(); LEReferenceToArrayOf subClassRuleTableOffsetArrayRef(base, success, subClassSetTable->subClassRuleTableOffsetArray, subClassRuleCount); if (LE_FAILURE(success)) { return 0; } - for (le_uint16 scRule = 0; scRule < subClassRuleCount; scRule += 1) { - Offset subClassRuleTableOffset = - SWAPW(subClassSetTable->subClassRuleTableOffsetArray[scRule]); - LEReferenceTo - subClassRuleTable(subClassSetTable, success, subClassRuleTableOffset); - le_uint16 matchCount = SWAPW(subClassRuleTable->glyphCount) - 1; - le_uint16 substCount = SWAPW(subClassRuleTable->substCount); - - LEReferenceToArrayOf classArray(base, success, subClassRuleTable->classArray, matchCount+1); + for (le_uint16 scRule = 0; scRule < subClassRuleCount; scRule += 1) { + Offset subClassRuleTableOffset = + SWAPW(subClassSetTable->subClassRuleTableOffsetArray[scRule]); + LEReferenceTo + subClassRuleTable(subClassSetTable, success, subClassRuleTableOffset); + if (LE_FAILURE(success)) { return 0; } + le_uint16 matchCount = SWAPW(subClassRuleTable->glyphCount) - 1; + le_uint16 substCount = SWAPW(subClassRuleTable->substCount); + + LEReferenceToArrayOf classArray(base, success, subClassRuleTable->classArray, matchCount+1); + + if (LE_FAILURE(success)) { return 0; } + if (matchGlyphClasses(classArray, matchCount, glyphIterator, classDefinitionTable, success)) { + LEReferenceToArrayOf + substLookupRecordArray(base, success, (const SubstitutionLookupRecord *) &subClassRuleTable->classArray[matchCount], substCount); - if (LE_FAILURE(success)) { return 0; } - if (matchGlyphClasses(classArray, matchCount, glyphIterator, classDefinitionTable, success)) { - LEReferenceToArrayOf - substLookupRecordArray(base, success, (const SubstitutionLookupRecord *) &subClassRuleTable->classArray[matchCount], substCount); + applySubstitutionLookups(lookupProcessor, substLookupRecordArray, substCount, glyphIterator, fontInstance, position, success); - applySubstitutionLookups(lookupProcessor, substLookupRecordArray, substCount, glyphIterator, fontInstance, position, success); + return matchCount + 1; + } - return matchCount + 1; + glyphIterator->setCurrStreamPosition(position); } - - glyphIterator->setCurrStreamPosition(position); } } - } // XXX If we get here, the table is mal-formed... } @@ -463,13 +465,13 @@ if (coverageIndex < srSetCount) { LEReferenceToArrayOf - chainSubRuleSetTableOffsetArrayRef(base, success, chainSubRuleSetTableOffsetArray, coverageIndex); + chainSubRuleSetTableOffsetArrayRef(base, success, chainSubRuleSetTableOffsetArray, srSetCount); if (LE_FAILURE(success)) { return 0; } Offset chainSubRuleSetTableOffset = SWAPW(chainSubRuleSetTableOffsetArray[coverageIndex]); - LEReferenceTo - chainSubRuleSetTable(base, success, (const ChainSubRuleSetTable *) ((char *) this + chainSubRuleSetTableOffset)); + LEReferenceTo chainSubRuleSetTable(base, success, chainSubRuleSetTableOffset); + if (LE_FAILURE(success)) { return 0; } le_uint16 chainSubRuleCount = SWAPW(chainSubRuleSetTable->chainSubRuleCount); le_int32 position = glyphIterator->getCurrStreamPosition(); GlyphIterator tempIterator(*glyphIterator, emptyFeatureList); @@ -550,17 +552,17 @@ if (coverageIndex >= 0) { LEReferenceTo - backtrackClassDefinitionTable(base, success, (const ClassDefinitionTable *) ((char *) this + SWAPW(backtrackClassDefTableOffset))); + backtrackClassDefinitionTable(base, success, SWAPW(backtrackClassDefTableOffset)); LEReferenceTo - inputClassDefinitionTable(base, success, (const ClassDefinitionTable *) ((char *) this + SWAPW(inputClassDefTableOffset))); + inputClassDefinitionTable(base, success, SWAPW(inputClassDefTableOffset)); LEReferenceTo - lookaheadClassDefinitionTable(base, success, (const ClassDefinitionTable *) ((char *) this + SWAPW(lookaheadClassDefTableOffset))); + lookaheadClassDefinitionTable(base, success, SWAPW(lookaheadClassDefTableOffset)); le_uint16 scSetCount = SWAPW(chainSubClassSetCount); le_int32 setClass = inputClassDefinitionTable->getGlyphClass(inputClassDefinitionTable, glyphIterator->getCurrGlyphID(), success); LEReferenceToArrayOf - chainSubClassSetTableOffsetArrayRef(base, success, chainSubClassSetTableOffsetArray, setClass); + chainSubClassSetTableOffsetArrayRef(base, success, chainSubClassSetTableOffsetArray, scSetCount); if (LE_FAILURE(success)) { return 0; } @@ -568,7 +570,8 @@ if (setClass < scSetCount && chainSubClassSetTableOffsetArray[setClass] != 0) { Offset chainSubClassSetTableOffset = SWAPW(chainSubClassSetTableOffsetArray[setClass]); LEReferenceTo - chainSubClassSetTable(base, success, (const ChainSubClassSetTable *) ((char *) this + chainSubClassSetTableOffset)); + chainSubClassSetTable(base, success, chainSubClassSetTableOffset); + if (LE_FAILURE(success)) { return 0; } le_uint16 chainSubClassRuleCount = SWAPW(chainSubClassSetTable->chainSubClassRuleCount); le_int32 position = glyphIterator->getCurrStreamPosition(); GlyphIterator tempIterator(*glyphIterator, emptyFeatureList); @@ -582,6 +585,7 @@ SWAPW(chainSubClassSetTable->chainSubClassRuleTableOffsetArray[scRule]); LEReferenceTo chainSubClassRuleTable(chainSubClassSetTable, success, chainSubClassRuleTableOffset); + if (LE_FAILURE(success)) { return 0; } le_uint16 backtrackGlyphCount = SWAPW(chainSubClassRuleTable->backtrackGlyphCount); LEReferenceToArrayOf backtrackClassArray(base, success, chainSubClassRuleTable->backtrackClassArray, backtrackGlyphCount); if( LE_FAILURE(success) ) { return 0; } diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/font/layout/CursiveAttachmentSubtables.cpp openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/font/layout/CursiveAttachmentSubtables.cpp --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/font/layout/CursiveAttachmentSubtables.cpp 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/font/layout/CursiveAttachmentSubtables.cpp 2016-01-20 01:47:58.000000000 +0000 @@ -46,7 +46,7 @@ le_uint16 eeCount = SWAPW(entryExitCount); LEReferenceToArrayOf - entryExitRecordsArrayRef(base, success, entryExitRecords, coverageIndex); + entryExitRecordsArrayRef(base, success, entryExitRecords, eeCount); if (coverageIndex < 0 || coverageIndex >= eeCount || LE_FAILURE(success)) { glyphIterator->setCursiveGlyph(); diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/font/layout/Features.cpp openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/font/layout/Features.cpp --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/font/layout/Features.cpp 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/font/layout/Features.cpp 2016-01-20 01:47:58.000000000 +0000 @@ -41,11 +41,12 @@ LEReferenceTo FeatureListTable::getFeatureTable(const LETableReference &base, le_uint16 featureIndex, LETag *featureTag, LEErrorCode &success) const { LEReferenceToArrayOf - featureRecordArrayRef(base, success, featureRecordArray, featureIndex+1); + featureRecordArrayRef(base, success, featureRecordArray, SWAPW(featureCount)); - if (featureIndex >= SWAPW(featureCount) || LE_FAILURE(success)) { - return LEReferenceTo(); - } + if (featureIndex >= SWAPW(featureCount) || LE_FAILURE(success)) { + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; + return LEReferenceTo(); + } Offset featureTableOffset = featureRecordArray[featureIndex].featureTableOffset; diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/font/layout/IndicRearrangementProcessor.cpp openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/font/layout/IndicRearrangementProcessor.cpp --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/font/layout/IndicRearrangementProcessor.cpp 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/font/layout/IndicRearrangementProcessor.cpp 2016-01-20 01:47:58.000000000 +0000 @@ -76,11 +76,11 @@ } if (flags & irfMarkFirst) { - firstGlyph = (le_uint32)currGlyph; + firstGlyph = currGlyph; } if (flags & irfMarkLast) { - lastGlyph = (le_uint32)currGlyph; + lastGlyph = currGlyph; } doRearrangementAction(glyphStorage, (IndicRearrangementVerb) (flags & irfVerbMask), success); @@ -118,7 +118,7 @@ if (firstGlyph == lastGlyph) break; if (firstGlyph + 1 < firstGlyph) { success = LE_INDEX_OUT_OF_BOUNDS_ERROR; - break; + break; } a = glyphStorage[firstGlyph]; ia = glyphStorage.getCharIndex(firstGlyph, success); diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/font/layout/IndicRearrangementProcessor.h openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/font/layout/IndicRearrangementProcessor.h --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/font/layout/IndicRearrangementProcessor.h 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/font/layout/IndicRearrangementProcessor.h 2016-01-20 01:47:58.000000000 +0000 @@ -76,8 +76,8 @@ static UClassID getStaticClassID(); protected: - le_uint32 firstGlyph; - le_uint32 lastGlyph; + le_int32 firstGlyph; + le_int32 lastGlyph; LEReferenceTo indicRearrangementSubtableHeader; LEReferenceToArrayOf entryTable; diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/font/layout/Lookups.cpp openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/font/layout/Lookups.cpp --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/font/layout/Lookups.cpp 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/font/layout/Lookups.cpp 2016-01-20 01:47:58.000000000 +0000 @@ -42,6 +42,7 @@ LEReferenceToArrayOf lookupTableOffsetArrayRef(base, success, (const Offset*)&lookupTableOffsetArray, SWAPW(lookupCount)); if(LE_FAILURE(success) || lookupTableIndex>lookupTableOffsetArrayRef.getCount()) { + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; return LEReferenceTo(); } else { return LEReferenceTo(base, success, SWAPW(lookupTableOffsetArrayRef.getObject(lookupTableIndex, success))); @@ -53,6 +54,7 @@ LEReferenceToArrayOf subTableOffsetArrayRef(base, success, (const Offset*)&subTableOffsetArray, SWAPW(subTableCount)); if(LE_FAILURE(success) || subtableIndex>subTableOffsetArrayRef.getCount()) { + success = LE_INDEX_OUT_OF_BOUNDS_ERROR; return LEReferenceTo(); } else { return LEReferenceTo(base, success, SWAPW(subTableOffsetArrayRef.getObject(subtableIndex, success))); diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/font/layout/MarkToBasePosnSubtables.cpp openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/font/layout/MarkToBasePosnSubtables.cpp --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/font/layout/MarkToBasePosnSubtables.cpp 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/font/layout/MarkToBasePosnSubtables.cpp 2016-01-20 01:47:58.000000000 +0000 @@ -93,7 +93,7 @@ } LEReferenceTo baseRecord(base, success, &baseArray->baseRecordArray[baseCoverage * mcCount]); if( LE_FAILURE(success) ) { return 0; } - LEReferenceToArrayOf baseAnchorTableOffsetArray(base, success, &(baseRecord->baseAnchorTableOffsetArray[0]), markClass+1); + LEReferenceToArrayOf baseAnchorTableOffsetArray(base, success, &(baseRecord->baseAnchorTableOffsetArray[0]), mcCount); if( LE_FAILURE(success) ) { return 0; } Offset anchorTableOffset = SWAPW(baseRecord->baseAnchorTableOffsetArray[markClass]); diff -Nru openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/font/layout/MarkToLigaturePosnSubtables.cpp openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/font/layout/MarkToLigaturePosnSubtables.cpp --- openjdk-6-6b37-1.13.9/jdk/src/share/native/sun/font/layout/MarkToLigaturePosnSubtables.cpp 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/share/native/sun/font/layout/MarkToLigaturePosnSubtables.cpp 2016-01-20 01:47:58.000000000 +0000 @@ -83,6 +83,7 @@ LEGlyphID ligatureGlyph = findLigatureGlyph(&ligatureIterator); le_int32 ligatureCoverage = getBaseCoverage(base, (LEGlyphID) ligatureGlyph, success); LEReferenceTo ligatureArray(base, success, SWAPW(baseArrayOffset)); + if (LE_FAILURE(success)) { return 0; } le_uint16 ligatureCount = SWAPW(ligatureArray->ligatureCount); if (ligatureCoverage < 0 || ligatureCoverage >= ligatureCount) { @@ -95,6 +96,7 @@ le_int32 markPosition = glyphIterator->getCurrStreamPosition(); Offset ligatureAttachOffset = SWAPW(ligatureArray->ligatureAttachTableOffsetArray[ligatureCoverage]); LEReferenceTo ligatureAttachTable(ligatureArray, success, ligatureAttachOffset); + if (LE_FAILURE(success)) { return 0; } le_int32 componentCount = SWAPW(ligatureAttachTable->componentCount); le_int32 component = ligatureIterator.getMarkComponent(markPosition); @@ -104,10 +106,12 @@ } LEReferenceTo componentRecord(base, success, &ligatureAttachTable->componentRecordArray[component * mcCount]); - LEReferenceToArrayOf ligatureAnchorTableOffsetArray(base, success, &(componentRecord->ligatureAnchorTableOffsetArray[0]), markClass+1); + if (LE_FAILURE(success)) { return 0; } + LEReferenceToArrayOf ligatureAnchorTableOffsetArray(base, success, &(componentRecord->ligatureAnchorTableOffsetArray[0]), mcCount); if( LE_FAILURE(success) ) { return 0; } Offset anchorTableOffset = SWAPW(componentRecord->ligatureAnchorTableOffsetArray[markClass]); LEReferenceTo anchorTable(ligatureAttachTable, success, anchorTableOffset); + if (LE_FAILURE(success)) { return 0; } LEPoint ligatureAnchor, markAdvance, pixels; anchorTable->getAnchor(anchorTable, ligatureGlyph, fontInstance, ligatureAnchor, success); diff -Nru openjdk-6-6b37-1.13.9/jdk/src/windows/classes/sun/security/krb5/internal/tools/Ktab.java openjdk-6-6b38-1.13.10/jdk/src/windows/classes/sun/security/krb5/internal/tools/Ktab.java --- openjdk-6-6b37-1.13.9/jdk/src/windows/classes/sun/security/krb5/internal/tools/Ktab.java 2015-11-11 01:20:41.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/src/windows/classes/sun/security/krb5/internal/tools/Ktab.java 2016-01-20 01:47:58.000000000 +0000 @@ -157,29 +157,28 @@ boolean argAlreadyAppeared = false; for (int i = 0; i < args.length; i++) { if (args[i].startsWith("-")) { - switch (args[i].toLowerCase(Locale.US)) { - + String argLower = args[i].toLowerCase(Locale.US); // Commands - case "-l": // list + if ("-l".equals(argLower)) { // list action = 'l'; - break; - case "-a": // add a new entry to keytab. + } + else if ("-a".equals(argLower)) { // add a new entry to keytab. action = 'a'; if (++i >= args.length || args[i].startsWith("-")) { error("A principal name must be specified after -a"); } principal = args[i]; - break; - case "-d": // delete entries + } + else if ("-d".equals(argLower)) { // delete entries action = 'd'; if (++i >= args.length || args[i].startsWith("-")) { error("A principal name must be specified after -d"); } principal = args[i]; - break; + } // Options - case "-e": + else if ("-e".equals(argLower)) { if (action == 'l') { // list etypes showEType = true; } else if (action == 'd') { // delete etypes @@ -197,8 +196,8 @@ } else { error(args[i] + " is not valid after -" + action); } - break; - case "-n": // kvno for -a + } + else if ("-n".equals(argLower)) { // kvno for -a if (++i >= args.length || args[i].startsWith("-")) { error("A KVNO must be specified after -n"); } @@ -210,8 +209,8 @@ } catch (NumberFormatException nfe) { error(args[i] + " is not a valid KVNO"); } - break; - case "-k": // specify keytab to use + } + else if ("-k".equals(argLower)) { // specify keytab to use if (++i >= args.length || args[i].startsWith("-")) { error("A keytab name must be specified after -k"); } @@ -221,20 +220,19 @@ } else { name = args[i]; } - break; - case "-t": // list timestamps + } + else if ("-t".equals(argLower)) { // list timestamps showTime = true; - break; - case "-f": // force delete, no prompt + } + else if ("-f".equals(argLower)) { // force delete, no prompt forced = true; - break; - case "-append": // -a, new keys append to file + } + else if ("-append".equals(argLower)) { // -a, new keys append to file append = true; - break; - default: + } + else { printHelp(); - break; - } + } } else { // optional standalone arguments if (argAlreadyAppeared) { error("Useless extra argument " + args[i]); @@ -242,10 +240,10 @@ if (action == 'a') { password = args[i].toCharArray(); } else if (action == 'd') { - switch (args[i]) { - case "all": vDel = -1; break; - case "old": vDel = -2; break; - default: { + String ar = args[i]; + if ("all".equals(ar)) { vDel = -1; } + else if ("old".equals(ar)) { vDel = -2; } + else { try { vDel = Integer.parseInt(args[i]); if (vDel < 0) { @@ -255,7 +253,6 @@ error(args[i] + " is not a valid KVNO"); } } - } } else { error("Useless extra argument " + args[i]); } diff -Nru openjdk-6-6b37-1.13.9/jdk/test/java/nio/channels/ServerSocketChannel/AdaptServerSocket.java openjdk-6-6b38-1.13.10/jdk/test/java/nio/channels/ServerSocketChannel/AdaptServerSocket.java --- openjdk-6-6b37-1.13.9/jdk/test/java/nio/channels/ServerSocketChannel/AdaptServerSocket.java 2015-11-11 01:20:43.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/java/nio/channels/ServerSocketChannel/AdaptServerSocket.java 2016-01-20 01:47:58.000000000 +0000 @@ -123,7 +123,7 @@ public static void main(String[] args) throws Exception { test(0, 0, false); - test(50, 500, false); + test(50, 5000, false); test(500, 50, true); } diff -Nru openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathBuilder/selfIssued/DisableRevocation.java openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathBuilder/selfIssued/DisableRevocation.java --- openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathBuilder/selfIssued/DisableRevocation.java 1970-01-01 00:00:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathBuilder/selfIssued/DisableRevocation.java 2016-01-20 01:47:58.000000000 +0000 @@ -0,0 +1,270 @@ +/* + * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +// +// Security properties, once set, cannot revert to unset. To avoid +// conflicts with tests running in the same VM isolate this test by +// running it in otherVM mode. +// + +/** + * @test + * @bug 6852744 + * @summary PIT b61: PKI test suite fails because self signed certificates + * are being rejected + * @run main/othervm DisableRevocation subca + * @run main/othervm DisableRevocation subci + * @run main/othervm DisableRevocation alice + * @author Xuelei Fan + */ + +import java.io.*; +import java.net.SocketException; +import java.util.*; +import java.security.Security; +import java.security.cert.*; +import java.security.cert.CertPathValidatorException.BasicReason; +import sun.security.util.DerInputStream; + +/** + * A test case helps to ensure that a certification path building process is + * able to identify a self-issued certificate from its issuer when disable + * revocation checking. + */ +public final class DisableRevocation { + + // the trust anchor + static String selfSignedCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMThaFw0zMDA2MDgxMzMyMTha\n" + + "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + + "AQUAA4GNADCBiQKBgQDInJhXi0655bPXAVkz1n5I6fAcZejzPnOPuwq3hU3OxFw8\n" + + "81Uf6o9oKI1h4w4XAD8u1cUNOgiX+wPwojronlp68bIfO6FVhNf287pLtLhNJo+7\n" + + "m6Qxw3ymFvEKy+PVj20CHSggdKHxUa4MBZBmHMFNBuxfYmjwzn+yTMmCCXOvSwID\n" + + "AQABo4GJMIGGMB0GA1UdDgQWBBSQ52Dpau+gtL+Kc31dusYnKj16ZTBHBgNVHSME\n" + + "QDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" + + "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw\n" + + "DQYJKoZIhvcNAQEEBQADgYEAjBt6ea65HCqbGsS2rs/HhlGusYXtThRVC5vwXSey\n" + + "ZFYwSgukuq1KDzckqZFu1meNImEwdZjwxdN0e2p/nVREPC42rZliSj6V1ThayKXj\n" + + "DWEZW1U5aR8T+3NYfDrdKcJGx4Hzfz0qKz1j4ssV1M9ptJxYYv4y2Da+592IN1S9\n" + + "v/E=\n" + + "-----END CERTIFICATE-----"; + + // the sub-ca + static String subCaCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjRaFw0yOTAzMTUxMzMyMjRa\n" + + "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + + "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPFv24SK78VI0gWlyIrq/X\n" + + "srl1431K5hJJxMYZtaQunyPmrYg3oI9KvKFykxnR0N4XDPaIi75p9dXGppVu80BA\n" + + "+csvIPBwlBQoNmKDQWTziDOqfK4tE+IMuL/Y7pxnH6CDMY7VGpvatty2zcmH+m/v\n" + + "E/n+HPyeELJQT2rT/3T+7wIDAQABo4GJMIGGMB0GA1UdDgQWBBRidC8Dt3dBzYES\n" + + "KpR2tR560sZ0+zBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw\n" + + "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" + + "AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAMeMKqrMr5d3eTQsv\n" + + "MYOD15Dl3THQGLAa4ad5Eyq5/1eUeEOpztzCgDfi0iPD8YCubIEVasBTSqTiGXqb\n" + + "RpGuPHOwwfWvHrTeHSludiFBAUiKj7aEV+oQa0FBn4U4TT8HA62HQ93FhzTDI3jP\n" + + "iil34GktVl6gfMKGzUEW/Dh8OM4=\n" + + "-----END CERTIFICATE-----"; + + // a delegated CRL issuer, it's a self-issued certificate of trust anchor + static String topCrlIssuerCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICPjCCAaegAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjNaFw0yOTAzMTUxMzMyMjNa\n" + + "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + + "AQUAA4GNADCBiQKBgQC99u93trf+WmpfiqunJy/P31ej1l4rESxft2JSGNjKuLFN\n" + + "/BO3SAugGJSkCARAwXjB0c8eeXhXWhVVWdNpbKepRJTxrjDfnFIavLgtUvmFwn/3\n" + + "hPXe+RQeA8+AJ99Y+o+10kY8JAZLa2j93C2FdmwOjUbo8aIz85yhbiV1tEDjLwID\n" + + "AQABo4GJMIGGMB0GA1UdDgQWBBSyFyA3XWLbdL6W6hksmBn7RKsQmDBHBgNVHSME\n" + + "QDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" + + "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw\n" + + "DQYJKoZIhvcNAQEEBQADgYEAHTm8aRTeakgCfEBCgSWK9wvMW1c18ANGMm8OFDBk\n" + + "xabVy9BT0MVFHlaneh89oIxTZN0FMTpg21GZMAvIzhEt7DGdO7HLsW7JniN7/OZ0\n" + + "rACmpK5frmZrLS03zUm8c+rTbazNfYLoZVG3/mDZbKIi+4y8IGnFcgLVsHsYoBNP\n" + + "G0c=\n" + + "-----END CERTIFICATE-----"; + + // a delegated CRL issuer, it's a self-issued certificate of sub-ca + static String subCrlIssuerCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICUDCCAbmgAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjdaFw0yOTAzMTUxMzMyMjda\n" + + "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + + "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+8AcLJtGAVUWvv3ifcyQw\n" + + "OGqwzcPrBw/XCs6vTMlcdtFzcH1M+Z3/QHN9+5VT1gqeTIZ+b8g9005Og3XKy/HX\n" + + "obXZeLv20VZsr+jm52ySghEYOVCTJ9OyFOAp5adp6nf0cA66Feh3LsmVhpTEcDOG\n" + + "GnyntQm0DBYxRoOT/GBlvQIDAQABo4GJMIGGMB0GA1UdDgQWBBSRWhMuZLQoHSDN\n" + + "xhxr+vdDmfAY8jBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw\n" + + "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" + + "AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAMIDZLdOLFiPyS1bh\n" + + "Ch4eUYHT+K1WG93skbga3kVYg3GSe+gctwkKwKK13bwfi8zc7wwz6MtmQwEYhppc\n" + + "pKKKEwi5QirBCP54rihLCvRQaj6ZqUJ6VP+zPAqHYMDbzlBbHtVF/1lQUP30I6SV\n" + + "Fu987DvLmZ2GuQA9FKJsnlD9pbU=\n" + + "-----END CERTIFICATE-----"; + + // the target EE certificate + static String targetCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA2MjgxMzMy\n" + + "MzBaFw0yOTAzMTUxMzMyMzBaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" + + "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" + + "9w0BAQEFAAOBjQAwgYkCgYEA7wnsvR4XEOfVznf40l8ClLod+7L0y2/+smVV+GM/\n" + + "T1/QF/stajAJxXNy08gK00WKZ6ruTHhR9vh/Z6+EQM2RZDCpU0A7LPa3kLE/XTmS\n" + + "1MLDu8ntkdlpURpvhdDWem+rl2HU5oZgzV8Jkcov9vXuSjqEDfr45FlPuV40T8+7\n" + + "cxsCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSBwsAhi6Z1kriOs3ty\n" + + "uSIujv9a3DAfBgNVHSMEGDAWgBRidC8Dt3dBzYESKpR2tR560sZ0+zANBgkqhkiG\n" + + "9w0BAQQFAAOBgQDEiBqd5AMy2SQopFaS3dYkzj8MHlwtbCSoNVYkOfDnewcatrbk\n" + + "yFcp6FX++PMdOQFHWvvnDdkCUAzZQp8kCkF9tGLVLBtOK7XxQ1us1LZym7kOPzsd\n" + + "G93Dcf0U1JRO77juc61Br5paAy8Bok18Y/MeG7uKgB2MAEJYKhGKbCrfMw==\n" + + "-----END CERTIFICATE-----"; + + private static Set generateTrustAnchors() + throws CertificateException { + // generate certificate from cert string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is = + new ByteArrayInputStream(selfSignedCertStr.getBytes()); + Certificate selfSignedCert = cf.generateCertificate(is); + + // generate a trust anchor + TrustAnchor anchor = + new TrustAnchor((X509Certificate)selfSignedCert, null); + + return Collections.singleton(anchor); + } + + private static CertStore generateCertificateStore() throws Exception { + Collection entries = new HashSet(); + + // generate certificate from certificate string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is; + + is = new ByteArrayInputStream(targetCertStr.getBytes()); + Certificate cert = cf.generateCertificate(is); + entries.add(cert); + + is = new ByteArrayInputStream(subCaCertStr.getBytes()); + cert = cf.generateCertificate(is); + entries.add(cert); + + is = new ByteArrayInputStream(selfSignedCertStr.getBytes()); + cert = cf.generateCertificate(is); + entries.add(cert); + + is = new ByteArrayInputStream(topCrlIssuerCertStr.getBytes()); + cert = cf.generateCertificate(is); + entries.add(cert); + + is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes()); + cert = cf.generateCertificate(is); + entries.add(cert); + + return CertStore.getInstance("Collection", + new CollectionCertStoreParameters(entries)); + } + + private static X509CertSelector generateSelector(String name) + throws Exception { + X509CertSelector selector = new X509CertSelector(); + + // generate certificate from certificate string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + ByteArrayInputStream is = null; + if (name.equals("subca")) { + is = new ByteArrayInputStream(subCaCertStr.getBytes()); + } else if (name.equals("subci")) { + is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes()); + } else { + is = new ByteArrayInputStream(targetCertStr.getBytes()); + } + + X509Certificate target = (X509Certificate)cf.generateCertificate(is); + byte[] extVal = target.getExtensionValue("2.5.29.14"); + if (extVal != null) { + DerInputStream in = new DerInputStream(extVal); + byte[] subjectKID = in.getOctetString(); + selector.setSubjectKeyIdentifier(subjectKID); + } else { + // unlikely to happen. + throw new Exception("unexpected certificate: no SKID extension"); + } + + return selector; + } + + private static boolean match(String name, Certificate cert) + throws Exception { + X509CertSelector selector = new X509CertSelector(); + + // generate certificate from certificate string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + ByteArrayInputStream is = null; + if (name.equals("subca")) { + is = new ByteArrayInputStream(subCaCertStr.getBytes()); + } else if (name.equals("subci")) { + is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes()); + } else { + is = new ByteArrayInputStream(targetCertStr.getBytes()); + } + X509Certificate target = (X509Certificate)cf.generateCertificate(is); + + return target.equals(cert); + } + + + public static void main(String[] args) throws Exception { + // MD5 is used in this test case, don't disable MD5 algorithm. + Security.setProperty( + "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); + + CertPathBuilder builder = CertPathBuilder.getInstance("PKIX"); + + X509CertSelector selector = generateSelector(args[0]); + + Set anchors = generateTrustAnchors(); + CertStore certs = generateCertificateStore(); + + + PKIXBuilderParameters params = + new PKIXBuilderParameters(anchors, selector); + params.addCertStore(certs); + params.setRevocationEnabled(false); + params.setDate(new Date(109, 7, 1)); // 2009-07-01 + Security.setProperty("ocsp.enable", "false"); + System.setProperty("com.sun.security.enableCRLDP", "false"); + + PKIXCertPathBuilderResult result = + (PKIXCertPathBuilderResult)builder.build(params); + + if (!match(args[0], result.getCertPath().getCertificates().get(0))) { + throw new Exception("unexpected certificate"); + } + } +} diff -Nru openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathBuilder/selfIssued/generate.sh openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathBuilder/selfIssued/generate.sh --- openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathBuilder/selfIssued/generate.sh 1970-01-01 00:00:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathBuilder/selfIssued/generate.sh 2016-01-20 01:47:58.000000000 +0000 @@ -0,0 +1,221 @@ +# +# Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved. +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +# +# This code is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 2 only, as +# published by the Free Software Foundation. Oracle designates this +# particular file as subject to the "Classpath" exception as provided +# by Oracle in the LICENSE file that accompanied this code. +# +# This code is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# version 2 for more details (a copy is included in the LICENSE file that +# accompanied this code). +# +# You should have received a copy of the GNU General Public License version +# 2 along with this work; if not, write to the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA +# or visit www.oracle.com if you need additional information or have any +# questions. +# + +#!/bin/ksh +# +# needs ksh to run the script. + +# generate a self-signed root certificate +if [ ! -f root/root_cert.pem ]; then + if [ ! -d root ]; then + mkdir root + fi + + openssl req -x509 -newkey rsa:1024 -keyout root/root_key.pem \ + -out root/root_cert.pem -subj "/C=US/O=Example" \ + -config openssl.cnf -reqexts cert_issuer -days 7650 \ + -passin pass:passphrase -passout pass:passphrase +fi + +# generate a sele-issued root crl issuer certificate +if [ ! -f root/top_crlissuer_cert.pem ]; then + if [ ! -d root ]; then + mkdir root + fi + + openssl req -newkey rsa:1024 -keyout root/top_crlissuer_key.pem \ + -out root/top_crlissuer_req.pem -subj "/C=US/O=Example" -days 7650 \ + -passin pass:passphrase -passout pass:passphrase + + openssl x509 -req -in root/top_crlissuer_req.pem -extfile openssl.cnf \ + -extensions crl_issuer -CA root/root_cert.pem \ + -CAkey root/root_key.pem -out root/top_crlissuer_cert.pem \ + -CAcreateserial -CAserial root/root_cert.srl -days 7200 \ + -passin pass:passphrase +fi + +# generate subca cert issuer and crl iuuser certificates +if [ ! -f subca/subca_cert.pem ]; then + if [ ! -d subca ]; then + mkdir subca + fi + + openssl req -newkey rsa:1024 -keyout subca/subca_key.pem \ + -out subca/subca_req.pem -subj "/C=US/O=Example/OU=Class-1" \ + -days 7650 -passin pass:passphrase -passout pass:passphrase + + openssl x509 -req -in subca/subca_req.pem -extfile openssl.cnf \ + -extensions cert_issuer -CA root/root_cert.pem \ + -CAkey root/root_key.pem -out subca/subca_cert.pem -CAcreateserial \ + -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase + + openssl req -newkey rsa:1024 -keyout subca/subca_crlissuer_key.pem \ + -out subca/subca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-1" \ + -days 7650 -passin pass:passphrase -passout pass:passphrase + + openssl x509 -req -in subca/subca_crlissuer_req.pem -extfile openssl.cnf \ + -extensions crl_issuer -CA root/root_cert.pem \ + -CAkey root/root_key.pem -out subca/subca_crlissuer_cert.pem \ + -CAcreateserial -CAserial root/root_cert.srl -days 7200 \ + -passin pass:passphrase +fi + +# generate dumca cert issuer and crl iuuser certificates +if [ ! -f dumca/dumca_cert.pem ]; then + if [ ! -d sumca ]; then + mkdir dumca + fi + + openssl req -newkey rsa:1024 -keyout dumca/dumca_key.pem \ + -out dumca/dumca_req.pem -subj "/C=US/O=Example/OU=Class-D" \ + -days 7650 -passin pass:passphrase -passout pass:passphrase + + openssl x509 -req -in dumca/dumca_req.pem -extfile openssl.cnf \ + -extensions cert_issuer -CA root/root_cert.pem \ + -CAkey root/root_key.pem -out dumca/dumca_cert.pem \ + -CAcreateserial -CAserial root/root_cert.srl -days 7200 \ + -passin pass:passphrase + + openssl req -newkey rsa:1024 -keyout dumca/dumca_crlissuer_key.pem \ + -out dumca/dumca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-D" \ + -days 7650 -passin pass:passphrase -passout pass:passphrase + + openssl x509 -req -in dumca/dumca_crlissuer_req.pem \ + -extfile openssl.cnf -extensions crl_issuer -CA root/root_cert.pem \ + -CAkey root/root_key.pem -out dumca/dumca_crlissuer_cert.pem \ + -CAcreateserial -CAserial root/root_cert.srl -days 7200 \ + -passin pass:passphrase +fi + +# generate certifiacte for Alice +if [ ! -f subca/alice/alice_cert.pem ]; then + if [ ! -d subca/alice ]; then + mkdir -p subca/alice + fi + + openssl req -newkey rsa:1024 -keyout subca/alice/alice_key.pem \ + -out subca/alice/alice_req.pem \ + -subj "/C=US/O=Example/OU=Class-1/CN=Alice" -days 7650 \ + -passin pass:passphrase -passout pass:passphrase + + openssl x509 -req -in subca/alice/alice_req.pem \ + -extfile openssl.cnf -extensions ee_of_subca \ + -CA subca/subca_cert.pem -CAkey subca/subca_key.pem \ + -out subca/alice/alice_cert.pem -CAcreateserial \ + -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase +fi + +# generate certifiacte for Bob +if [ ! -f subca/bob/bob_cert.pem ]; then + if [ ! -d subca/bob ]; then + mkdir -p subca/bob + fi + + openssl req -newkey rsa:1024 -keyout subca/bob/bob_key.pem \ + -out subca/bob/bob_req.pem \ + -subj "/C=US/O=Example/OU=Class-1/CN=Bob" -days 7650 \ + -passin pass:passphrase -passout pass:passphrase + + openssl x509 -req -in subca/bob/bob_req.pem \ + -extfile openssl.cnf -extensions ee_of_subca \ + -CA subca/subca_cert.pem -CAkey subca/subca_key.pem \ + -out subca/bob/bob_cert.pem -CAcreateserial \ + -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase +fi + +# generate certifiacte for Susan +if [ ! -f subca/susan/susan_cert.pem ]; then + if [ ! -d subca/susan ]; then + mkdir -p subca/susan + fi + + openssl req -newkey rsa:1024 -keyout subca/susan/susan_key.pem \ + -out subca/susan/susan_req.pem \ + -subj "/C=US/O=Example/OU=Class-1/CN=Susan" -days 7650 \ + -passin pass:passphrase -passout pass:passphrase + + openssl x509 -req -in subca/susan/susan_req.pem -extfile openssl.cnf \ + -extensions ee_of_subca -CA subca/subca_cert.pem \ + -CAkey subca/subca_key.pem -out subca/susan/susan_cert.pem \ + -CAcreateserial -CAserial subca/subca_cert.srl -days 7200 \ + -passin pass:passphrase +fi + + +# generate the top CRL +if [ ! -f root/top_crl.pem ]; then + if [ ! -d root ]; then + mkdir root + fi + + if [ ! -f root/index.txt ]; then + touch root/index.txt + echo 00 > root/crlnumber + fi + + openssl ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 \ + -crl_reason superseded -keyfile root/top_crlissuer_key.pem \ + -cert root/top_crlissuer_cert.pem -out root/top_crl.pem \ + -passin pass:passphrase +fi + +# revoke dumca +openssl ca -revoke dumca/dumca_cert.pem -config openssl.cnf \ + -name ca_top -crl_reason superseded \ + -keyfile root/top_crlissuer_key.pem -cert root/top_crlissuer_cert.pem \ + -passin pass:passphrase + +openssl ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 \ + -crl_reason superseded -keyfile root/top_crlissuer_key.pem \ + -cert root/top_crlissuer_cert.pem -out root/top_crl.pem \ + -passin pass:passphrase + +# revoke for subca +if [ ! -f subca/subca_crl.pem ]; then + if [ ! -d subca ]; then + mkdir subca + fi + + if [ ! -f subca/index.txt ]; then + touch subca/index.txt + echo 00 > subca/crlnumber + fi + + openssl ca -gencrl -config openssl.cnf -name ca_subca -crldays 7000 \ + -crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \ + -cert subca/subca_crlissuer_cert.pem -out subca/subca_crl.pem \ + -passin pass:passphrase +fi + +# revoke susan +openssl ca -revoke subca/susan/susan_cert.pem -config openssl.cnf \ + -name ca_subca -crl_reason superseded \ + -keyfile subca/subca_crlissuer_key.pem \ + -cert subca/subca_crlissuer_cert.pem -passin pass:passphrase + +openssl ca -gencrl -config openssl.cnf -name ca_subca -crldays 7000 \ + -crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \ + -cert subca/subca_crlissuer_cert.pem -out subca/subca_crl.pem \ + -passin pass:passphrase diff -Nru openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathBuilder/selfIssued/KeyUsageMatters.java openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathBuilder/selfIssued/KeyUsageMatters.java --- openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathBuilder/selfIssued/KeyUsageMatters.java 1970-01-01 00:00:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathBuilder/selfIssued/KeyUsageMatters.java 2016-01-20 01:47:58.000000000 +0000 @@ -0,0 +1,313 @@ +/* + * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +// +// Security properties, once set, cannot revert to unset. To avoid +// conflicts with tests running in the same VM isolate this test by +// running it in otherVM mode. +// + +/** + * @test + * @bug 6852744 + * @summary PIT b61: PKI test suite fails because self signed certificates + * are being rejected + * @run main/othervm KeyUsageMatters subca + * @run main/othervm KeyUsageMatters subci + * @run main/othervm KeyUsageMatters alice + * @author Xuelei Fan + */ + +import java.io.*; +import java.net.SocketException; +import java.util.*; +import java.security.Security; +import java.security.cert.*; +import java.security.cert.CertPathValidatorException.BasicReason; +import sun.security.util.DerInputStream; + +/** + * KeyUsage extension plays a important rule during looking for the issuer + * of a certificate or CRL. A certificate issuer should have the keyCertSign + * bit set, and a CRL issuer should have the cRLSign bit set. + * + * Sometime, a delegated CRL issuer would also have the keyCertSign bit set, + * as would be troublesome to find the proper CRL issuer during certificate + * path build if the delegated CRL issuer is a self-issued certificate, for + * it is hard to identify it from its issuer by the "issuer" field only. + * + * The fix of 6852744 should addresses above issue, and allow a delegated CRL + * issuer to have keyCertSign bit set. + * + * In the test case, the delegated CRL issuers have cRLSign bit set only, and + * the CAs have the keyCertSign bit set only, it is expected to work before + * and after the bug fix of 6852744. + */ +public final class KeyUsageMatters { + + // the trust anchor + static String selfSignedCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" + + "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + + "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" + + "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" + + "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" + + "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" + + "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" + + "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" + + "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" + + "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" + + "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" + + "Vjw=\n" + + "-----END CERTIFICATE-----"; + + // the sub-ca + static String subCaCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" + + "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + + "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj\n" + + "8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG\n" + + "Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8\n" + + "P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr\n" + + "IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" + + "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" + + "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj\n" + + "UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF\n" + + "hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ\n" + + "7cXP6VDeZMG6oRQ4hbOcixoFPXo=\n" + + "-----END CERTIFICATE-----"; + + // a delegated CRL issuer, it's a self-issued certificate of trust anchor + static String topCrlIssuerCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" + + "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + + "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" + + "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" + + "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" + + "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" + + "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" + + "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" + + "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" + + "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" + + "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" + + "-----END CERTIFICATE-----"; + + // a delegated CRL issuer, it's a self-issued certificate of sub-ca + static String subCrlIssuerCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICPTCCAaagAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" + + "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + + "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWUtDQx2MB/7arDiquMJyd\n" + + "LWwSg6p8sg5z6wKrC1v47MT4DBhFX+0RUgTMUdQgYpgxGpczn+6y4zfV76064S0N\n" + + "4L/IQ+SunTW1w4yRGjB+xkyyJmWAqijG1nr+Dgkv5nxPI+9Er5lHcoVWVMEcvvRm\n" + + "6jIBQdldVlSgv+VgUnFm5wIDAQABo3cwdTAdBgNVHQ4EFgQUkV3Qqtk7gIot9n60\n" + + "jX6dloxrfMEwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x\n" + + "CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN\n" + + "BgkqhkiG9w0BAQQFAAOBgQADu4GM8EdmIKhC7FRvk5jF90zfvZ38wbXBzCjKI4jX\n" + + "QJrhne1bfyeNNm5c1w+VKidT+XzBzBGH7ZqYzoZmzRIfcbLKX2brEBKiukeeAyL3\n" + + "bctQtbp19tX+uu2dQberD188AAysKTkHcJUV+rRsTwVJ9vcYKxoRxKk8DhH7ZS3M\n" + + "rg==\n" + + "-----END CERTIFICATE-----"; + + // the target EE certificate + static String targetCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0\n" + + "MzZaFw0yOTAxMTIwMjI0MzZaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" + + "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" + + "9w0BAQEFAAOBjQAwgYkCgYEAvYSaU3oiE4Pxp/aUIXwMqOwSiWkZ+O3aTu13hRtK\n" + + "ZyR+Wtj63IuvaigAC4uC+zBypF93ThjwCzVR2qKDQaQzV8CLleO96gStt7Y+i3G2\n" + + "V3IUGgrVCqeK7N6nNYu0wW84sibcPqG/TIy0UoaQMqgB21xtRF+1DUVlFh4Z89X/\n" + + "pskCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSynMEdcal/e9TmvlNE\n" + + "4suXGA4+hjAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG\n" + + "9w0BAQQFAAOBgQB/jru7E/+piSmUwByw5qbZsoQZVcgR97pd2TErNJpJMAX2oIHR\n" + + "wJH6w4NuYs27+fEAX7wK4whc6EUH/w1SI6o28F2rG6HqYQPPZ2E2WqwbBQL9nYE3\n" + + "Vfzu/G9axTUQXFbf90h80UErA+mZVxqc2xtymLuH0YEaMZImtRZ2MXHfXg==\n" + + "-----END CERTIFICATE-----"; + + // CRL issued by the delegated CRL issuer, topCrlIssuerCertStr + static String topCrlStr = + "-----BEGIN X509 CRL-----\n" + + "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" + + "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" + + "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" + + "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" + + "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" + + "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" + + "-----END X509 CRL-----"; + + // CRL issued by the delegated CRL issuer, subCrlIssuerCertStr + static String subCrlStr = + "-----BEGIN X509 CRL-----\n" + + "MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" + + "ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNDI3MDIzODA0WhcNMjgw\n" + + "NjI2MDIzODA0WjAiMCACAQQXDTA5MDQyNzAyMzgwMVowDDAKBgNVHRUEAwoBBKAO\n" + + "MAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEEBQADgYEAeS+POqYEIHIIJcsLxuUr\n" + + "aJFzQ/ujH0QmnyMNEL3Uavyq4VQuAahF+w6aTPb5UBzms0uX8NAvD2vNoUJvmJOX\n" + + "nGKuq4Q1DFj82E7/9d25nXdWGOmFvFCRVO+St2Xe5n8CJuZNBiz388FDSIOiFSCa\n" + + "ARGr6Qu68MYGtLMC6ZqP3u0=\n" + + "-----END X509 CRL-----"; + + private static Set generateTrustAnchors() + throws CertificateException { + // generate certificate from cert string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is = + new ByteArrayInputStream(selfSignedCertStr.getBytes()); + Certificate selfSignedCert = cf.generateCertificate(is); + + // generate a trust anchor + TrustAnchor anchor = + new TrustAnchor((X509Certificate)selfSignedCert, null); + + return Collections.singleton(anchor); + } + + private static CertStore generateCertificateStore() throws Exception { + Collection entries = new HashSet(); + + // generate certificate from certificate string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is; + + is = new ByteArrayInputStream(targetCertStr.getBytes()); + Certificate cert = cf.generateCertificate(is); + entries.add(cert); + + is = new ByteArrayInputStream(subCaCertStr.getBytes()); + cert = cf.generateCertificate(is); + entries.add(cert); + + is = new ByteArrayInputStream(selfSignedCertStr.getBytes()); + cert = cf.generateCertificate(is); + entries.add(cert); + + is = new ByteArrayInputStream(topCrlIssuerCertStr.getBytes()); + cert = cf.generateCertificate(is); + entries.add(cert); + + is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes()); + cert = cf.generateCertificate(is); + entries.add(cert); + + // generate CRL from CRL string + is = new ByteArrayInputStream(topCrlStr.getBytes()); + Collection mixes = cf.generateCRLs(is); + entries.addAll(mixes); + + is = new ByteArrayInputStream(subCrlStr.getBytes()); + mixes = cf.generateCRLs(is); + entries.addAll(mixes); + + return CertStore.getInstance("Collection", + new CollectionCertStoreParameters(entries)); + } + + private static X509CertSelector generateSelector(String name) + throws Exception { + X509CertSelector selector = new X509CertSelector(); + + // generate certificate from certificate string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + ByteArrayInputStream is = null; + if (name.equals("subca")) { + is = new ByteArrayInputStream(subCaCertStr.getBytes()); + } else if (name.equals("subci")) { + is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes()); + } else { + is = new ByteArrayInputStream(targetCertStr.getBytes()); + } + + X509Certificate target = (X509Certificate)cf.generateCertificate(is); + byte[] extVal = target.getExtensionValue("2.5.29.14"); + if (extVal != null) { + DerInputStream in = new DerInputStream(extVal); + byte[] subjectKID = in.getOctetString(); + selector.setSubjectKeyIdentifier(subjectKID); + } else { + // unlikely to happen. + throw new Exception("unexpected certificate: no SKID extension"); + } + + return selector; + } + + private static boolean match(String name, Certificate cert) + throws Exception { + X509CertSelector selector = new X509CertSelector(); + + // generate certificate from certificate string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + ByteArrayInputStream is = null; + if (name.equals("subca")) { + is = new ByteArrayInputStream(subCaCertStr.getBytes()); + } else if (name.equals("subci")) { + is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes()); + } else { + is = new ByteArrayInputStream(targetCertStr.getBytes()); + } + X509Certificate target = (X509Certificate)cf.generateCertificate(is); + + return target.equals(cert); + } + + + public static void main(String[] args) throws Exception { + // MD5 is used in this test case, don't disable MD5 algorithm. + Security.setProperty( + "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); + + CertPathBuilder builder = CertPathBuilder.getInstance("PKIX"); + + X509CertSelector selector = generateSelector(args[0]); + + Set anchors = generateTrustAnchors(); + CertStore certs = generateCertificateStore(); + + + PKIXBuilderParameters params = + new PKIXBuilderParameters(anchors, selector); + params.addCertStore(certs); + params.setRevocationEnabled(true); + params.setDate(new Date(109, 5, 1)); // 2009-05-01 + Security.setProperty("ocsp.enable", "false"); + System.setProperty("com.sun.security.enableCRLDP", "true"); + + PKIXCertPathBuilderResult result = + (PKIXCertPathBuilderResult)builder.build(params); + + if (!match(args[0], result.getCertPath().getCertificates().get(0))) { + throw new Exception("unexpected certificate"); + } + } +} diff -Nru openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathBuilder/selfIssued/openssl.cnf openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathBuilder/selfIssued/openssl.cnf --- openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathBuilder/selfIssued/openssl.cnf 1970-01-01 00:00:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathBuilder/selfIssued/openssl.cnf 2016-01-20 01:47:58.000000000 +0000 @@ -0,0 +1,205 @@ +# +# Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved. +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +# +# This code is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 2 only, as +# published by the Free Software Foundation. Oracle designates this +# particular file as subject to the "Classpath" exception as provided +# by Oracle in the LICENSE file that accompanied this code. +# +# This code is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# version 2 for more details (a copy is included in the LICENSE file that +# accompanied this code). +# +# You should have received a copy of the GNU General Public License version +# 2 along with this work; if not, write to the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA +# or visit www.oracle.com if you need additional information or have any +# questions. +# + +# +# OpenSSL configuration file. +# + +HOME = . +RANDFILE = $ENV::HOME/.rnd + +[ ca ] +default_ca = CA_default + +[ CA_default ] +dir = ./top +certs = $dir/certs +crl_dir = $dir/crl +database = $dir/index.txt +unique_subject = no +new_certs_dir = $dir/newcerts +certificate = $dir/cacert.pem +serial = $dir/serial +crlnumber = $dir/crlnumber +crl = $dir/crl.pem +private_key = $dir/private/cakey.pem +RANDFILE = $dir/private/.rand +x509_extensions = v3_ca + +name_opt = ca_default +cert_opt = ca_default + +default_days = 7650 +default_crl_days = 30 +default_md = sha1 +preserve = no + +policy = policy_anything + +[ ca_top ] +dir = ./root +certs = $dir/certs +crl_dir = $dir/crl +database = $dir/index.txt +unique_subject = no +new_certs_dir = $dir/newcerts +certificate = $dir/cacert.pem +serial = $dir/serial +crlnumber = $dir/crlnumber +crl = $dir/crl.pem +private_key = $dir/private/cakey.pem +RANDFILE = $dir/private/.rand + +x509_extensions = v3_ca + +name_opt = ca_default +cert_opt = ca_default + +default_days = 7650 +default_crl_days = 30 +default_md = sha1 +preserve = no + +policy = policy_anything + +[ ca_subca ] +dir = ./subca +certs = $dir/certs +crl_dir = $dir/crl +database = $dir/index.txt +unique_subject = no +new_certs_dir = $dir/newcerts + +certificate = $dir/cacert.pem +serial = $dir/serial +crlnumber = $dir/crlnumber +crl = $dir/crl.pem +private_key = $dir/private/cakey.pem +RANDFILE = $dir/private/.rand + +x509_extensions = usr_cert + +name_opt = ca_default +cert_opt = ca_default + +default_days = 7650 +default_crl_days = 30 +default_md = sha1 +preserve = no + +policy = policy_anything + +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +default_bits = 1024 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca + +string_mask = nombstr + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = NO +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = A-State + +localityName = Locality Name (eg, city) + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Internet Widgits Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) + +commonName = Common Name (eg, YOUR name) +commonName_max = 64 + +emailAddress = Email Address +emailAddress_max = 64 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 +unstructuredName = An optional company name + +[ usr_cert ] +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer + +[ v3_req ] +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +subjectAltName = email:example@openjdk.net, RID:1.2.3.4:true + +[ v3_ca ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = critical,CA:true +keyUsage = keyCertSign, cRLSign + +[ cert_issuer ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = critical,CA:true +keyUsage = keyCertSign, cRLSign + +[ crl_issuer ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = critical,CA:true +keyUsage = keyCertSign, cRLSign + + +[ crl_ext ] +authorityKeyIdentifier = keyid:always,issuer:always + +[ ee_of_subca ] +keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement + +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer diff -Nru openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathBuilder/selfIssued/README openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathBuilder/selfIssued/README --- openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathBuilder/selfIssued/README 1970-01-01 00:00:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathBuilder/selfIssued/README 2016-01-20 01:47:58.000000000 +0000 @@ -0,0 +1,382 @@ +/* + * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + + Certificates and CRLs + +The certificates and CRLs used by KeyUsageMatters.java are copied from +test/java/security/cert/CertPathValidator/indirectCRL. + +Here lists the local generated certificates and CRLs used in the test cases. + +The generate.sh depends on openssl, and it should be run under ksh. The +script will create many directories and files, please run it in a +directory outside of JDK workspace. + +1. root certifiate and key +-----BEGIN CERTIFICATE----- +MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMThaFw0zMDA2MDgxMzMyMTha +MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB +AQUAA4GNADCBiQKBgQDInJhXi0655bPXAVkz1n5I6fAcZejzPnOPuwq3hU3OxFw8 +81Uf6o9oKI1h4w4XAD8u1cUNOgiX+wPwojronlp68bIfO6FVhNf287pLtLhNJo+7 +m6Qxw3ymFvEKy+PVj20CHSggdKHxUa4MBZBmHMFNBuxfYmjwzn+yTMmCCXOvSwID +AQABo4GJMIGGMB0GA1UdDgQWBBSQ52Dpau+gtL+Kc31dusYnKj16ZTBHBgNVHSME +QDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEwHzELMAkGA1UEBhMCVVMxEDAO +BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw +DQYJKoZIhvcNAQEEBQADgYEAjBt6ea65HCqbGsS2rs/HhlGusYXtThRVC5vwXSey +ZFYwSgukuq1KDzckqZFu1meNImEwdZjwxdN0e2p/nVREPC42rZliSj6V1ThayKXj +DWEZW1U5aR8T+3NYfDrdKcJGx4Hzfz0qKz1j4ssV1M9ptJxYYv4y2Da+592IN1S9 +v/E= +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,46F13CECA9B38323 + +AVNWPH7jiPyJVq9KfL3IlGVCwD41KVapg12yJR2t/WWlLaKr19/0oWNvimcrd040 +txFKvcFO9TFLxmaco33+actCoL0K/XbrCBICThZLybzcFTuYFMum8eqL61avQgBe +Kt4CCjcupWLzKWkKTMV/bP6nPnPUSB9U8QeGwutjJYnLDi0TuYx8YSqZo/36vM98 +r3OvtcSA5XEN4guxxHusZJnhbclVb/Z1WtLVb4v2d5yBtPM2p3R0hK17L4Dnusjl +n56z6Z0AIYmfAggM/Fpge2uT3D/5n//l1lZRNoSvsX5UZipKswZKLpvx7IJ+AqgA +UO9lcmNLGnIXME3IS3smd83wPi7nxH3NCYWHbGAKLm6mkFMs5LOhofUMOBS3Rxmm +2RjCGtuzDxBPKveo9/Y80B//6sEce2gdi7fCKgWwtR4VFuJd0hWODD6CarK3edHH +rUG62Kt2aqiI/y/NLEbfHCHbyM37c9/OzS5Zy695dDl22r5EirVFsVgejQR1JGtP +ANdc6kkkJW+s6GiqimShssMTp1x0L8twT/+wEa38LafiaPKk4OweleBuyz7k2FxA +Rr2u9IOvGU3eKAeH8HSFWvaNE9S2lYFPiWWZ6O/LzVvnb847+gungQ7SPRzOkt4k +L4PtHIoKmLWFr5tzML1Q8wiaKcTWMb5LZbRbo+2XYGoIpilxkBBuhX7cMJFwOHEf +YJJRixBI97doPsnIQ3GkA8xY+INzQ4LWNQbnEtS7L7t26NA9tDlg4ILU/UfMoQIp +Ol4EZY1U7gD8BeMwo2vX3x/WA+a7R2N95klBFNqn9jSkm6a5yoeCZw== +-----END RSA PRIVATE KEY----- + + +2. root crl issuer and key +-----BEGIN CERTIFICATE----- +MIICPjCCAaegAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjNaFw0yOTAzMTUxMzMyMjNa +MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB +AQUAA4GNADCBiQKBgQC99u93trf+WmpfiqunJy/P31ej1l4rESxft2JSGNjKuLFN +/BO3SAugGJSkCARAwXjB0c8eeXhXWhVVWdNpbKepRJTxrjDfnFIavLgtUvmFwn/3 +hPXe+RQeA8+AJ99Y+o+10kY8JAZLa2j93C2FdmwOjUbo8aIz85yhbiV1tEDjLwID +AQABo4GJMIGGMB0GA1UdDgQWBBSyFyA3XWLbdL6W6hksmBn7RKsQmDBHBgNVHSME +QDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEwHzELMAkGA1UEBhMCVVMxEDAO +BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw +DQYJKoZIhvcNAQEEBQADgYEAHTm8aRTeakgCfEBCgSWK9wvMW1c18ANGMm8OFDBk +xabVy9BT0MVFHlaneh89oIxTZN0FMTpg21GZMAvIzhEt7DGdO7HLsW7JniN7/OZ0 +rACmpK5frmZrLS03zUm8c+rTbazNfYLoZVG3/mDZbKIi+4y8IGnFcgLVsHsYoBNP +G0c= +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,3881A5676C1AD5E5 + +KgaAtGlIQXVnsoifcd1oTi4hS1J+InHISFcZepI1h1hrU9KVAJAlwD1GIeM2qAkG +P1ABsA0TE0yRJpd3qHih2IPtD42osfc3HmNTw17nh4Trd3ESilrs4w/rrH8e6bR5 +WlqG0OKsw8x57t44m9yX94+pP3tdPaJwnFk5M7pDCO44IZskmy10S0NHBn7wMwM/ +mqlZ15mK6YZTwOuLzpdSDJqYPLiv77KpfeiqSN++ISXoNhIcNYHRVyErAS/DcBlx +mbrmBaGexhuagQYqVikEDIvg8kBDWD92EjOFbz94Z6eTvliauJ/+E1/Ffefe2cN5 +LaVwuUsiyW9GjarWwBJDFrXesTikklshC9V35j/ACHVdh5CuO8FGfVijIwlbZ14N +xKWJdSlZlJgEjkwUlWfi1KmrFrob+yK20fGMWr3oY1rTKWZdYkrqnnKEYcMQV/TH +XNY77D5idJ3FLtvJyziqIFuohdatQsu6xFP5UEOeUi6OhptJDjjS+zDhiBlL4cqA +klThzvuycxjZT+5xno0f8GEnZkQNcC6xxPoP6vstNMKLz1rI1CVUSXZBHc5nfMaF +m75rrLbvf6F2NLUspaNXnW8TUMHxcu8nNCnM4/u6hkqebQo/N8X1/v1HImsewwWO +P5uJwqmqfuRz0vZyMKAk3FzQIfrjJouxDfkNV2YHM9VP/grPlDgzmgiN0+6bCbn+ +RW2K8kvkSFZehQ1Ygdst9KYH3NEcEYVYY9pH1N1xRNAylcIDJNwrFwf9vfwjt9/q +AVsyDxUBT/KVCcqr15LNNq9HmmcP6IZZMRjdyf2BR+/cobxxDRZq1Q== +-----END RSA PRIVATE KEY----- + + +3. root CRL issued by root crl issuer. +-----BEGIN X509 CRL----- +MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE +ChMHRXhhbXBsZRcNMDkwNjI4MTMzMjM4WhcNMjgwODI3MTMzMjM4WjAiMCACAQUX +DTA5MDYyODEzMzIzN1owDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQEwDQYJ +KoZIhvcNAQEEBQADgYEAVUIeu2x7ZwsliafoCBOg+u8Q4S/VFfTe/SQnRyTM3/V1 +v+Vn5Acc7eo8Rh4AHcnFFbLNk38n6lllov/CaVR0IPZ6hnrNHVa7VYkNlRAwV2aN +GUUhkMMOLVLnN25UOrN9J637SHmRE6pB+TRMaEQ73V7UNlWxuSMK4KofWen0A34= +-----END X509 CRL----- + + +4. subca certificate and key +-----BEGIN CERTIFICATE----- +MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjRaFw0yOTAzMTUxMzMyMjRa +MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz +cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPFv24SK78VI0gWlyIrq/X +srl1431K5hJJxMYZtaQunyPmrYg3oI9KvKFykxnR0N4XDPaIi75p9dXGppVu80BA ++csvIPBwlBQoNmKDQWTziDOqfK4tE+IMuL/Y7pxnH6CDMY7VGpvatty2zcmH+m/v +E/n+HPyeELJQT2rT/3T+7wIDAQABo4GJMIGGMB0GA1UdDgQWBBRidC8Dt3dBzYES +KpR2tR560sZ0+zBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw +HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw +AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAMeMKqrMr5d3eTQsv +MYOD15Dl3THQGLAa4ad5Eyq5/1eUeEOpztzCgDfi0iPD8YCubIEVasBTSqTiGXqb +RpGuPHOwwfWvHrTeHSludiFBAUiKj7aEV+oQa0FBn4U4TT8HA62HQ93FhzTDI3jP +iil34GktVl6gfMKGzUEW/Dh8OM4= +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,35408AD3018F0049 + +4t6WfpFNqpOr47Wc/OAt8+KZK0+WX7d3nlJn47W+QN7AkPfBlLBpcQJkImhP4/eh +aJyk8fPOdUhT/4rgc5ORuKk4d9boD36KK5Iz/+/oNBxzuld6TybVb+Hvw41cIZTW +CtkvADQpR8XWbPre+3ZH2eAKoTeWX0xR7pYg1JsFk9vxee6U82iqsAYRdUOdot8D +9zdDbbeaLWs78UbZkxFtuXREuyNVX880Q17t8qszJL2KmmtMQpUvxTlW04Ope1Ug +uIuOxeannzpKRD+37fj+oacM3GRqVFOP47/NVaziOexDBn4b5nlW6OMro6t0qiHt +1GLJcw1oLXoFe8ycexfzYWUiHymSz5Vh3wIflsQY+Ik6dopL+fpk2cVD0bncKJlf +Ie9PvL04RwannRjgtPl9X05tzcgeyznp2Ix1/rsriZQQpdPTLGA6w6kUhQeK6TwT +eX7pXn3iLTGK+VoHRfbxBQR2Fvq1nRJbvsmJFhPOcJU5CYSaDPGGdA6NorbdVgbc +14DlkhzojhEpZ7DaUeFNUXUMlQOR5UUTZB+wL3zQoY/FzHci3JD1Gj4NlbC9mMEg +ncWZcpZWOnP2kHSz2o/UOxQM80gerukI7NOr020iJ+ZZRb/gyAAzLPnD+mCZ7/e2 +JJ3x6yHOtVA6WzZiQH1d9/bm79rtcWaRH83X/idG1lHuKXQJFAaw5f7Z2n2/yuF1 +9pZf7el1M7UoBf74oc68klAl46f4inroy8anAtc/qjSTXUYQrNvKZsWU9AZVS7oH +iEuYMVW4KiZh3SHsIg5TZdMbdVYtZpcTsl/Kh6XuY0o0Xsi+rTK5AA== +-----END RSA PRIVATE KEY----- + + +5. crl issuer of subca, the certificate and key +-----BEGIN CERTIFICATE----- +MIICUDCCAbmgAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjdaFw0yOTAzMTUxMzMyMjda +MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz +cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+8AcLJtGAVUWvv3ifcyQw +OGqwzcPrBw/XCs6vTMlcdtFzcH1M+Z3/QHN9+5VT1gqeTIZ+b8g9005Og3XKy/HX +obXZeLv20VZsr+jm52ySghEYOVCTJ9OyFOAp5adp6nf0cA66Feh3LsmVhpTEcDOG +GnyntQm0DBYxRoOT/GBlvQIDAQABo4GJMIGGMB0GA1UdDgQWBBSRWhMuZLQoHSDN +xhxr+vdDmfAY8jBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw +HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw +AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAMIDZLdOLFiPyS1bh +Ch4eUYHT+K1WG93skbga3kVYg3GSe+gctwkKwKK13bwfi8zc7wwz6MtmQwEYhppc +pKKKEwi5QirBCP54rihLCvRQaj6ZqUJ6VP+zPAqHYMDbzlBbHtVF/1lQUP30I6SV +Fu987DvLmZ2GuQA9FKJsnlD9pbU= +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,4CD10EAA24AF8C25 + +6pTRc9jsn6CJ2EMYhuGX3aWrDThhacnqdtsKIqUzX8Ga7Jz9kq6HseTRlqPkzBfb +rCl+eVIkgugrPbf93375mP/ozY8LkEgD9TRAL1uXqha2N6TRLC2ozQJQSoIc441e +UZ9XkB6tPGRfPNvi1xE0WTP7bjOUkvkPU9wM9QFuBW6B7mRf3tG2nqkFiTpY6nz8 +5X5+h9jafcCvMwYhfJm0JFTGWmX4WJWubs8QeYndvIriDDw2zpVNcno45sClSQCb +YVekMLgGlKPmNGub5iRfXsozykE3jbMnXRokxrvzk20jjo0XYPVGfCRe9IhJh8Ud +iCG/kPaJspbUkUlKXfvIOdp2pnoDFZI5hbfc75YrFYJ8x8dwRYBUl6yRtBkw5Yo/ +VQDuNq3d7YpxiGxVTwFox6HQ5+rs6jwSGzOilgOCxPSs41fYcdAlogNqLzjvhn+e +0GU1XTVyMJbO0Ae6Sgm4PmxU7QM2bdzESuZWbYRFbH2ywwmoR8SahB3ICBhuIA/l +lsCrBbq+jL/K2IL1VXBKuaKBN1ShKUPZD/ABWNv4uENNg2AFq1XQ6kvTU8Glfhd9 +tyK8YnJ0ViY4VLGhdf0s2eEPmbfxOv0HCW0sz/57eASoQSTJTdVApYopWHBOwaNq +8qQUEPDMTKaPNqCjA2m/NwGrLPHhU0d5dHmp+9gTbCTmWy4sVenhBPbOy6wvFpNA +F+35tJVaZQOOurm/KC2dLOYkKyAvqnB7D2q4zducpWkiyCweg7uYL14Mo5JQmGuq +2DwfRiMxdqqoqHFKEOxsoAMrKSwJlYojUknfz/LEaqxtMePQtNwhjw== +-----END RSA PRIVATE KEY----- + + +6. CLR issued by subca CRL issuer +-----BEGIN X509 CRL----- +MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE +ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNjI4MTMzMjQzWhcNMjgw +ODI3MTMzMjQzWjAiMCACAQQXDTA5MDYyODEzMzIzOFowDDAKBgNVHRUEAwoBBKAO +MAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEEBQADgYEACQZEf6ydb3fKTMPJ8DBO +oo630MsrT3P0x0AC4+aQOueCBaGpNqW/H379uZxXAad7yr+aXUBwaeBMYVKUbwOe +5TrN5QWPe2eCkU+MSQvh1SHASDDMH4jhWFMRdO3aPMDKKPlO/Q3s0G72eD7Zo5dr +N9AvUXxGxU4DruoJuFPcrCI= +-----END X509 CRL----- + + +7. dumca certificate and key +-----BEGIN CERTIFICATE----- +MIICUDCCAbmgAwIBAgIBBTANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjhaFw0yOTAzMTUxMzMyMjha +MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz +cy1EMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDeWn+ulgls9+dK3KzzfC1b +a9RMSf+gjv/Olw5386Vw6pJOVngR11RytWJoLiKbjYPyGhP1cms2FoUKuAEO31gD +3AoUCa+nXgaMLiDtmdC5ATqVv3Oap5aNgAqq0mxMxOylKgcUhfuH2icEnfBtHzEe +ST11S69zQr5GGfa/XslbDQIDAQABo4GJMIGGMB0GA1UdDgQWBBRCmXIsp4G3iP7Z +Qv4gS19W8W/cLzBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw +HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw +AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAkRiLpJesXyNQ34ZP +Oc4d0gvCl4pyNHx5gsV0yHtxP7oYoIa7Bw4setplQ9Y2YcH5xuXK84xvAby9csWp +cod1QOkFzZfb9qj10PXfD8bMoLOyrZfr5nsNAl2scvOtnM1TFL/ll5/S2PVcPthx +Z5t128UNQYMu93OmVjZANL5L6Jw= +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,11485599004D2482 + +R+TgUoQo1Ksqpnwh1B1x3u7jxd1qJsfG5st7WJaeJzSY3v+ZnmTS4O008eKgw6Z1 +eGJevsNW8Z8ButjChzlesCm+90jpKpOqA6MlvzeknAxtGdEfe8rUEytfNOorjJTy +1Mu9T8Tlk6tmmmXNTDX1lQytYaHA4e4VVEbYGNceMNcPonT1Y0SyebJwtfd4XKkG +Ty40kMnb+qrFr1ZxVRG+LWKDR/bS0S2K2zY6Ha45d8yoYZlgLZ7yVAlrp0T0PF4B +UWvSyNK9VOBLrvqXSofK5gNGkR/C63x8FU2V25ISicBQBXLNo9OgIsbrryHF330T +2TxhnOpFU1AwgTSfp4Fy/Htkvgo7/jmFRa3r4xelTdEUKvRrwaZeMjg0fT+24529 +8o8MMOF0YWNtIDNUVRFg9/DgAsD/LoXbOGc/E2ryJdq1D4N914s4m/D5Sox27iu4 +3op/dt+WMoA0g/YbjhWn2cAfWcH9P8p8/n/FUO8APmGI3aHbtOhJQ8qwxcalp6kO +fICWsW4ygWtdpnyJWzAY0Udtsl8mglTppGTl59OYZmlDQTLhJ1hWiXLeNKj0pGPz +bAJ5jGQN8zXAk83j019rI5WveAdWp+w1XRGvmPxLL3heojHrkutuYLQ0LOcFwNvg +OqmPvZneRBoy6Yshp0XyYy+qioxDm+Vd/NV1/aCWgQXJA3vFqUg3AURLFHHTh+7h +fa3DDCLtdg/wJkRtOWjFhq0hgx5sb9zVv8HCuMERbZJbWwDOfSrHJwXj4KaTHVqY +OWfBE9vzeAxRpdpe69SZWYg3tyu7uSf6a5Rp55iMI3kjuQMCanvsNA== +-----END RSA PRIVATE KEY----- + + +8. crl issuer for dumca, the certificate and key +-----BEGIN CERTIFICATE----- +MIICUDCCAbmgAwIBAgIBBjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjlaFw0yOTAzMTUxMzMyMjla +MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz +cy1EMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDF7NjUUWji4pPmFg3qx4HB +kjtInwe7i2lPjRUN0ZwTcWob2RaD1+fhc7seeNmnypjERTa9TXF5cs2PgSHWNISC +QbQpbobOUcSsV/6Lr0kvrHJuVowcX13VsApGSJavVs2oJqUiFGNpnch8yR/pMHJf +hsd/Go+nUXMOl2xN31DMFQIDAQABo4GJMIGGMB0GA1UdDgQWBBS1XVE2CYKHgO7t +1koYVTu2w7xgNTBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw +HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw +AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAHYraYtdetZFOiTUR +dhvUi556el1WT25O8pF21YAzRI7KI4yzl6deD29DtcIPiBc8H1A4U6OhwXSQsqTd +taOHHdZxnU+m078mb231OPVvo48uZwpnX35g/qItW+Nb/dIEb08537oQKoGgL0hV +sKZPWod70JBkJabDuUirorhlk4A= +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,1E0E5983F90A10E0 + +KdPTRmJjeKXFTgdVIgP0eu+m0evwVD2QFMkT3pPI9HELRxtkgIQzjK8F0KIHK9vi +Ur0CMgJkX0zs2v7HIG7jvfQ2fREidRTk1g3xCjHXVbpwjWN2dbo+mR0J2zzxNILy +mSs13PlDPdV81Vkn1WkMY0lhdrEpR6senQ4KIiMJTMsWZabG3lyFM6d7ag7CDVC+ +jnsUFg2XW5dYP/kb09p14+CdiQwruNVeVEWhWPG1pAjl7hXCEM5ssz9fNk6Gyh2X +OXB2mMysqTkt+qB+OIqLKj3NTUs2ovVQZnaCaynsnMYTcIEFmv3lC0gJHYAZtBXf +IkySb+VaB7wmk1CI1+texDU8+B2sq7wmqX0SLY7dMwkbxP1kydn9U5i4Gqmdxpw5 +4+jn7dB6oKfVFlXIZTZzhmN44cIdai48qVmse1BRDxUdfmlgd9C2W1mw4N60BXbt +DeNr8ua5UtcUOXBGJk6VEJapDU/dnnANhVR4R48Y9t+g1qlhwHB4zbSrAIJ5Rsbg +6pvdt7BQmFXtm4flZbf21Lr8awWkNFdc/k/3uXA6xemgsFNxPZXlpXO26KpIP+nz +lt9Q82WxIkzE+BvO+qd5wMqQ/GC/ztO8GJeGdRIo6un7KkNKs2AZDoCELo2lO53B +EBWHeABtJpB1Fw3lW3iJn0A6YbYzK1omztoNMkesBIi0QI5L/e0tq4Mp+LUjLm+Y +ywdrofTiYTu8R7mgS1b5q3eFtwUR9MZuKJGvhsBcSfS41vH2hDezYHg8vW55UIE3 +h7EhOUnTkHY43OKZnmXHwh3pTEmHv1TfMpeaktiU/w0= +-----END RSA PRIVATE KEY----- + +9. end entity certificate issued by subca, Alice +-----BEGIN CERTIFICATE----- +MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA2MjgxMzMy +MzBaFw0yOTAzMTUxMzMyMzBaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt +cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG +9w0BAQEFAAOBjQAwgYkCgYEA7wnsvR4XEOfVznf40l8ClLod+7L0y2/+smVV+GM/ +T1/QF/stajAJxXNy08gK00WKZ6ruTHhR9vh/Z6+EQM2RZDCpU0A7LPa3kLE/XTmS +1MLDu8ntkdlpURpvhdDWem+rl2HU5oZgzV8Jkcov9vXuSjqEDfr45FlPuV40T8+7 +cxsCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSBwsAhi6Z1kriOs3ty +uSIujv9a3DAfBgNVHSMEGDAWgBRidC8Dt3dBzYESKpR2tR560sZ0+zANBgkqhkiG +9w0BAQQFAAOBgQDEiBqd5AMy2SQopFaS3dYkzj8MHlwtbCSoNVYkOfDnewcatrbk +yFcp6FX++PMdOQFHWvvnDdkCUAzZQp8kCkF9tGLVLBtOK7XxQ1us1LZym7kOPzsd +G93Dcf0U1JRO77juc61Br5paAy8Bok18Y/MeG7uKgB2MAEJYKhGKbCrfMw== +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,9E29E1901B338431 + +796Bj4/MwwHdy6+yZQcq3pS12EZPlEm7qsCCTl787y+DYEnnj+9W4WX4+1zWsUGV +1+39oe/KOUfi5O9ytMuKiroIrklmkskWHDoW6sr4VcDprnLYL+75AhTfgpOtY+gK +q+++N7P2o9V6YF7PiGxaBqGy/3bt0nTu0sjctfzbo4g0PniiId9sus2Y+iRHKebJ +r9V0b0jB8USuIsZ+4IQJFZ+/zeKuqqqPM/4v5VKNUahER8oykhRd4L9UactnVH5t +dsfowtHmOmKE6ObJX3m+HgJMvauMMf7zJVdqJquU2vy0bUk9ufCrA7t5ws7JDRzd +SG5gt7EVQzd5x/yXsQdKbDew5mXsYPB8vz4moTgj4YJU+m6k0t1PH00pz7LUrDHl +E8ZAmXIKLEBIih1AWkdASR/YZsfB3URIC8mLyDSZJN5iEVJxl/JWm6pbJlP3Xn3J +fraVEXP6uerf29CNhizq520AfGdsSqga6atdx6PXBVm67V0TZ+zmBMUQJrWmJUUC +NFGAac+M58lYX9uwsrO9x/x6GSZvhQQu1kfD1m8DHN3IV5m3uHxsEvhmuHaqFEMJ +uH336HbqWYENXwZfDHZvOU1o2FejsLZ7QmFjB72iAxhVNQt53pCXed2gF/bERGSn +qi0PsYtjyzfEUefqlVRSWVulbQfGwkvl8dX9s6BxmOG1q0BzlDu+cQLYXPS+XOww +H8GgkGp6XTd04qT/qCm8gcuxAvdkYkj2zgAIKaqeJ53S3Ua9lrIKnA3L3btiEG5F +JTYutSdRqB4liukkB1TciiDVSmOisszjrMHhRRYPfgeLfnRFdX9U9g== +-----END RSA PRIVATE KEY----- + +10. end entity certificate issued by subca, Bob +-----BEGIN CERTIFICATE----- +MIICNTCCAZ6gAwIBAgIBAzANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA2MjgxMzMy +MzVaFw0yOTAzMTUxMzMyMzVaMD8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt +cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQwwCgYDVQQDEwNCb2IwgZ8wDQYJKoZIhvcN +AQEBBQADgY0AMIGJAoGBALLrxd3DpXuH7yiAoyi/Rc1F7WsyyeNE1Ra2ymHpcee/ +3sbldekcgPl6lGQF/JJ5ARBbfeDtaf6ZtAK3j6aXqxVFxDKKu86r96v74gWJB7Vv +CHcUPvmE/EGESq3VNFI998DbmvqICLC97nFLUIrKWDH1rRFZjjkmouln40UxQXvV +AgMBAAGjTzBNMAsGA1UdDwQEAwID6DAdBgNVHQ4EFgQUTXz1J2viNSKvRHIRVhD6 +cJE4lgYwHwYDVR0jBBgwFoAUYnQvA7d3Qc2BEiqUdrUeetLGdPswDQYJKoZIhvcN +AQEEBQADgYEApsKyLf4FbXb26KsQrxgFn/w0d/7ck4cE8a6oXQqi5OLheNSWfD3S +fgD1dR28mGmhBiyOkdLmrhA1+6BuEr4FsuyLgrFnEqKL0ZhVhiqvwKLGqvasWxfU +Edaw4WXvRcfRWXfgjtwB6PSj/3nqGKSGRPif/OFIjO6UqHwEM7JEWO4= +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,4A820975D251613F + +GseD8MIztC0oYMxwpxeBO4/YPs9ZFFjgncXXcy+1oYZdlEsrS1xw87unjeHigL8m +QPIn8Guv3DiOsBdvweuMAgPPaA1zlophPClbGZMk7BB3T2acEfjBQH1DZz7kd7Bf +OmI2DrqcEg1yDi7l7YutBuTQPiy3nj3d7pbScuFd5YVMu6yH0YpS7JsPvviabFk2 +eYVlkaiejtQwV+4rUb7sH/0iyqX2uqvnpnGAwVzGp+tfSOl71SByz240nOODBRgY +3Uvxkrw6XhCBAayJE0t7rkPMEe1KgZaGO2IU2jsJJbyHVjvNPSugdbsT28prZHN1 +5M1J1NSOssq/kAq6S3f9sC5j7OzP7oUlx8uMUUSaz09/Ttq22tUoqmTue2IqqxAt +lDaeR8duHP5VV1wWnDsW/XaVYlBFQ4eFPJcXqmWsNAkDQVJp327GrcT6ngevP8fD +BcIxyX6J0rETPruAE+1+PAGjqy+C+oB0ssyZvKcjzdajHcNxSlRpCuOO2ekDvNPO +h+mVukNpHCEBsh3jYmk3z9i7VPLCM0BI+vheJ1TbM+homWP6bXyTQxtLfaKzXZJH +jRJ+zGTMBNJoPVKkou03uXFpT6hdWr9nYwbMT6G9hmC0If3wEl8nRjDKbmyMS29B +p3im1kPxVJA0DjhghC+7tACy42ffw6KZPALwaVDKHGeitrQBc3xTGfrjOGQOTTcm +hZ8icYCY0cjl5KQ2kq2GpXa2zQMujNV/Oj7D4sE0xcASMRXl3tst77R/j0eowx1M +niCTRphxx4iTPkieIbjWWeFTpVmSzUBrm4hSw3tiRapVWf6Zo3aAIg== +-----END RSA PRIVATE KEY----- + +11. end entity certificate issued by subca, Susan +-----BEGIN CERTIFICATE----- +MIICNzCCAaCgAwIBAgIBBDANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA2MjgxMzMy +MzZaFw0yOTAzMTUxMzMyMzZaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt +cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVTdXNhbjCBnzANBgkqhkiG +9w0BAQEFAAOBjQAwgYkCgYEAr2u6mdjqAVtfcgPze+9OUFZu3pi+HqoNBoygm2gq +qRAe+FVNSUeNAMQesQBo/eB0F1Iv/BjnYJ/7pYMLaf90MLoYr0Q5vNKYlBdcyUee +Jn1WmfN2Qk+UoUaiM4HAKHNJnZk13vWpZW54mcW1q09oj0oMjAZtaZsqpY6CtW6/ ++J8CAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBQVK9naug5W9pQlBqD2 +fVaCXooa1TAfBgNVHSMEGDAWgBRidC8Dt3dBzYESKpR2tR560sZ0+zANBgkqhkiG +9w0BAQQFAAOBgQDKYoM8EbP78ucjtsdvw4ywyo21hhSeP9PmRnNz/U3F9sQATmn+ +QBl6sBsrmbML2yrhkM1ctZTVUVp0S72fAbLgVjNk86p/CF+a2tmi0+lJh1aR7zQi +opt+68Nec2/52kgWi64ruF7YITmGHBxS/RDooFbscZbdrPgcow/Jw+5HnQ== +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,9025CDB2AB43B0DE + +q4hvYnqkhDSDCsbXfxtMjPvzT38ql5wscOsGwDM/xMANSyPk9h/aqAxvB8G+8v6E +63x9Q5jRi2YY6z2sOpvu0utu7Xn6KA/H1YrpYFURTEjBbK2Qd41vPQ/NYcIO3nQd +PR2Qm3kpNumBSZomyNfJk9oegGxfw+P0af2GIb6YqmTDot+LLCLwpqxrGyQQ1LYp +zc4A9D/b19Y0eD+TU9S2KEYszvfUo7RBxRFSZ6QN1rT2SEa7IJN9wb6TvgeB2lRB +Ds90tmLtkbuwLTZre+aqbM8mU40+RI9GHh+mPw0Qz55Kw2CUe+PnGsLQnOTm7p/I +mLiPTNMJKvwaR18Z88IE9UwL0zE/ND7vZfrhqTn9bHRnzHU4NtBCBsS8zloI+rXZ +EIWKMDyzMH3wpbNYq/AemSvvUz1wGOxit5TjG2QwwCNt8hPLl0Es6Q5aWdAPPrLM +EfX/6gL7bLTHNyLPz/U32o0H4hz5J7FQ7SuYUPLI3ybiPC2qL11jbtrZMesAYEAX +mvRnqO+6dPEpwGmKz8kUj2mC8X8FPKCCiy4kbc8NjLTMao+/vOgD+wBuIePaC3yE +vpuZrsUSFZWRJ824sDMmmZFoi2DKsp1zqCV1kXozaPGigaOxtkdp890nBcGkPijQ +8F+jCGwSFda6UfuJHCQ/eJB+8LQUWa8u1TeJ9zo98oD2OBfQ5maZU0Vfv1EXvwbp +pz2R6HXFaPrQDeGO0xVzD453AbY/fZCGnhIwrEYvPAbwpIKde397MP66gYFMNFhA +IaMimFnBv7IHL08Ka0KtqbVhLpEKWFpZ6LsOnyispeB4KF0md+lpGg== +-----END RSA PRIVATE KEY----- diff -Nru openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathBuilder/selfIssued/StatusLoopDependency.java openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathBuilder/selfIssued/StatusLoopDependency.java --- openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathBuilder/selfIssued/StatusLoopDependency.java 1970-01-01 00:00:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathBuilder/selfIssued/StatusLoopDependency.java 2016-01-20 01:47:58.000000000 +0000 @@ -0,0 +1,319 @@ +/* + * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +// +// Security properties, once set, cannot revert to unset. To avoid +// conflicts with tests running in the same VM isolate this test by +// running it in otherVM mode. +// + +/** + * @test + * @bug 6852744 + * @summary PIT b61: PKI test suite fails because self signed certificates + * are being rejected + * @run main/othervm StatusLoopDependency subca + * @run main/othervm StatusLoopDependency subci + * @run main/othervm StatusLoopDependency alice + * @author Xuelei Fan + */ + +import java.io.*; +import java.net.SocketException; +import java.util.*; +import java.security.Security; +import java.security.cert.*; +import java.security.cert.CertPathValidatorException.BasicReason; +import sun.security.util.DerInputStream; + +/** + * KeyUsage extension plays a important rule during looking for the issuer + * of a certificate or CRL. A certificate issuer should have the keyCertSign + * bit set, and a CRL issuer should have the cRLSign bit set. + * + * Sometime, a delegated CRL issuer would also have the keyCertSign bit set, + * as would be troublesome to find the proper CRL issuer during certificate + * path build if the delegated CRL issuer is a self-issued certificate, for + * it is hard to identify it from its issuer by the "issuer" field only. + * + * In the test case, the delegated CRL issuers have keyCertSign bit set, and + * the CAs have the cRLSign bit set also. If we cannot identify the delegated + * CRL issuer from its issuer, there is a potential loop to find the correct + * CRL. + * + * And when revocation enabled, needs to check the status of the delegated + * CRL issuers. If the delegated CRL issuer issues itself status, there is + * a potential loop to verify the CRL and check the status of delegated CRL + * issuer. + * + * The fix of 6852744 should addresses above issues. + */ +public final class StatusLoopDependency { + + // the trust anchor + static String selfSignedCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMThaFw0zMDA2MDgxMzMyMTha\n" + + "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + + "AQUAA4GNADCBiQKBgQDInJhXi0655bPXAVkz1n5I6fAcZejzPnOPuwq3hU3OxFw8\n" + + "81Uf6o9oKI1h4w4XAD8u1cUNOgiX+wPwojronlp68bIfO6FVhNf287pLtLhNJo+7\n" + + "m6Qxw3ymFvEKy+PVj20CHSggdKHxUa4MBZBmHMFNBuxfYmjwzn+yTMmCCXOvSwID\n" + + "AQABo4GJMIGGMB0GA1UdDgQWBBSQ52Dpau+gtL+Kc31dusYnKj16ZTBHBgNVHSME\n" + + "QDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" + + "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw\n" + + "DQYJKoZIhvcNAQEEBQADgYEAjBt6ea65HCqbGsS2rs/HhlGusYXtThRVC5vwXSey\n" + + "ZFYwSgukuq1KDzckqZFu1meNImEwdZjwxdN0e2p/nVREPC42rZliSj6V1ThayKXj\n" + + "DWEZW1U5aR8T+3NYfDrdKcJGx4Hzfz0qKz1j4ssV1M9ptJxYYv4y2Da+592IN1S9\n" + + "v/E=\n" + + "-----END CERTIFICATE-----"; + + // the sub-ca + static String subCaCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjRaFw0yOTAzMTUxMzMyMjRa\n" + + "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + + "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDPFv24SK78VI0gWlyIrq/X\n" + + "srl1431K5hJJxMYZtaQunyPmrYg3oI9KvKFykxnR0N4XDPaIi75p9dXGppVu80BA\n" + + "+csvIPBwlBQoNmKDQWTziDOqfK4tE+IMuL/Y7pxnH6CDMY7VGpvatty2zcmH+m/v\n" + + "E/n+HPyeELJQT2rT/3T+7wIDAQABo4GJMIGGMB0GA1UdDgQWBBRidC8Dt3dBzYES\n" + + "KpR2tR560sZ0+zBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw\n" + + "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" + + "AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAMeMKqrMr5d3eTQsv\n" + + "MYOD15Dl3THQGLAa4ad5Eyq5/1eUeEOpztzCgDfi0iPD8YCubIEVasBTSqTiGXqb\n" + + "RpGuPHOwwfWvHrTeHSludiFBAUiKj7aEV+oQa0FBn4U4TT8HA62HQ93FhzTDI3jP\n" + + "iil34GktVl6gfMKGzUEW/Dh8OM4=\n" + + "-----END CERTIFICATE-----"; + + // a delegated CRL issuer, it's a self-issued certificate of trust anchor + static String topCrlIssuerCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICPjCCAaegAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjNaFw0yOTAzMTUxMzMyMjNa\n" + + "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + + "AQUAA4GNADCBiQKBgQC99u93trf+WmpfiqunJy/P31ej1l4rESxft2JSGNjKuLFN\n" + + "/BO3SAugGJSkCARAwXjB0c8eeXhXWhVVWdNpbKepRJTxrjDfnFIavLgtUvmFwn/3\n" + + "hPXe+RQeA8+AJ99Y+o+10kY8JAZLa2j93C2FdmwOjUbo8aIz85yhbiV1tEDjLwID\n" + + "AQABo4GJMIGGMB0GA1UdDgQWBBSyFyA3XWLbdL6W6hksmBn7RKsQmDBHBgNVHSME\n" + + "QDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" + + "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYw\n" + + "DQYJKoZIhvcNAQEEBQADgYEAHTm8aRTeakgCfEBCgSWK9wvMW1c18ANGMm8OFDBk\n" + + "xabVy9BT0MVFHlaneh89oIxTZN0FMTpg21GZMAvIzhEt7DGdO7HLsW7JniN7/OZ0\n" + + "rACmpK5frmZrLS03zUm8c+rTbazNfYLoZVG3/mDZbKIi+4y8IGnFcgLVsHsYoBNP\n" + + "G0c=\n" + + "-----END CERTIFICATE-----"; + + // a delegated CRL issuer, it's a self-issued certificate of sub-ca + static String subCrlIssuerCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICUDCCAbmgAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA2MjgxMzMyMjdaFw0yOTAzMTUxMzMyMjda\n" + + "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + + "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+8AcLJtGAVUWvv3ifcyQw\n" + + "OGqwzcPrBw/XCs6vTMlcdtFzcH1M+Z3/QHN9+5VT1gqeTIZ+b8g9005Og3XKy/HX\n" + + "obXZeLv20VZsr+jm52ySghEYOVCTJ9OyFOAp5adp6nf0cA66Feh3LsmVhpTEcDOG\n" + + "GnyntQm0DBYxRoOT/GBlvQIDAQABo4GJMIGGMB0GA1UdDgQWBBSRWhMuZLQoHSDN\n" + + "xhxr+vdDmfAY8jBHBgNVHSMEQDA+gBSQ52Dpau+gtL+Kc31dusYnKj16ZaEjpCEw\n" + + "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" + + "AwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEEBQADgYEAMIDZLdOLFiPyS1bh\n" + + "Ch4eUYHT+K1WG93skbga3kVYg3GSe+gctwkKwKK13bwfi8zc7wwz6MtmQwEYhppc\n" + + "pKKKEwi5QirBCP54rihLCvRQaj6ZqUJ6VP+zPAqHYMDbzlBbHtVF/1lQUP30I6SV\n" + + "Fu987DvLmZ2GuQA9FKJsnlD9pbU=\n" + + "-----END CERTIFICATE-----"; + + // the target EE certificate + static String targetCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA2MjgxMzMy\n" + + "MzBaFw0yOTAzMTUxMzMyMzBaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" + + "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" + + "9w0BAQEFAAOBjQAwgYkCgYEA7wnsvR4XEOfVznf40l8ClLod+7L0y2/+smVV+GM/\n" + + "T1/QF/stajAJxXNy08gK00WKZ6ruTHhR9vh/Z6+EQM2RZDCpU0A7LPa3kLE/XTmS\n" + + "1MLDu8ntkdlpURpvhdDWem+rl2HU5oZgzV8Jkcov9vXuSjqEDfr45FlPuV40T8+7\n" + + "cxsCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSBwsAhi6Z1kriOs3ty\n" + + "uSIujv9a3DAfBgNVHSMEGDAWgBRidC8Dt3dBzYESKpR2tR560sZ0+zANBgkqhkiG\n" + + "9w0BAQQFAAOBgQDEiBqd5AMy2SQopFaS3dYkzj8MHlwtbCSoNVYkOfDnewcatrbk\n" + + "yFcp6FX++PMdOQFHWvvnDdkCUAzZQp8kCkF9tGLVLBtOK7XxQ1us1LZym7kOPzsd\n" + + "G93Dcf0U1JRO77juc61Br5paAy8Bok18Y/MeG7uKgB2MAEJYKhGKbCrfMw==\n" + + "-----END CERTIFICATE-----"; + + // CRL issued by the delegated CRL issuer, topCrlIssuerCertStr + static String topCrlStr = + "-----BEGIN X509 CRL-----\n" + + "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" + + "ChMHRXhhbXBsZRcNMDkwNjI4MTMzMjM4WhcNMjgwODI3MTMzMjM4WjAiMCACAQUX\n" + + "DTA5MDYyODEzMzIzN1owDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQEwDQYJ\n" + + "KoZIhvcNAQEEBQADgYEAVUIeu2x7ZwsliafoCBOg+u8Q4S/VFfTe/SQnRyTM3/V1\n" + + "v+Vn5Acc7eo8Rh4AHcnFFbLNk38n6lllov/CaVR0IPZ6hnrNHVa7VYkNlRAwV2aN\n" + + "GUUhkMMOLVLnN25UOrN9J637SHmRE6pB+TRMaEQ73V7UNlWxuSMK4KofWen0A34=\n" + + "-----END X509 CRL-----"; + + // CRL issued by the delegated CRL issuer, subCrlIssuerCertStr + static String subCrlStr = + "-----BEGIN X509 CRL-----\n" + + "MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" + + "ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNjI4MTMzMjQzWhcNMjgw\n" + + "ODI3MTMzMjQzWjAiMCACAQQXDTA5MDYyODEzMzIzOFowDDAKBgNVHRUEAwoBBKAO\n" + + "MAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEEBQADgYEACQZEf6ydb3fKTMPJ8DBO\n" + + "oo630MsrT3P0x0AC4+aQOueCBaGpNqW/H379uZxXAad7yr+aXUBwaeBMYVKUbwOe\n" + + "5TrN5QWPe2eCkU+MSQvh1SHASDDMH4jhWFMRdO3aPMDKKPlO/Q3s0G72eD7Zo5dr\n" + + "N9AvUXxGxU4DruoJuFPcrCI=\n" + + "-----END X509 CRL-----"; + + private static Set generateTrustAnchors() + throws CertificateException { + // generate certificate from cert string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is = + new ByteArrayInputStream(selfSignedCertStr.getBytes()); + Certificate selfSignedCert = cf.generateCertificate(is); + + // generate a trust anchor + TrustAnchor anchor = + new TrustAnchor((X509Certificate)selfSignedCert, null); + + return Collections.singleton(anchor); + } + + private static CertStore generateCertificateStore() throws Exception { + Collection entries = new HashSet(); + + // generate certificate from certificate string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is; + + is = new ByteArrayInputStream(targetCertStr.getBytes()); + Certificate cert = cf.generateCertificate(is); + entries.add(cert); + + is = new ByteArrayInputStream(subCaCertStr.getBytes()); + cert = cf.generateCertificate(is); + entries.add(cert); + + is = new ByteArrayInputStream(selfSignedCertStr.getBytes()); + cert = cf.generateCertificate(is); + entries.add(cert); + + is = new ByteArrayInputStream(topCrlIssuerCertStr.getBytes()); + cert = cf.generateCertificate(is); + entries.add(cert); + + is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes()); + cert = cf.generateCertificate(is); + entries.add(cert); + + // generate CRL from CRL string + is = new ByteArrayInputStream(topCrlStr.getBytes()); + Collection mixes = cf.generateCRLs(is); + entries.addAll(mixes); + + is = new ByteArrayInputStream(subCrlStr.getBytes()); + mixes = cf.generateCRLs(is); + entries.addAll(mixes); + + return CertStore.getInstance("Collection", + new CollectionCertStoreParameters(entries)); + } + + private static X509CertSelector generateSelector(String name) + throws Exception { + X509CertSelector selector = new X509CertSelector(); + + // generate certificate from certificate string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + ByteArrayInputStream is = null; + if (name.equals("subca")) { + is = new ByteArrayInputStream(subCaCertStr.getBytes()); + } else if (name.equals("subci")) { + is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes()); + } else { + is = new ByteArrayInputStream(targetCertStr.getBytes()); + } + + X509Certificate target = (X509Certificate)cf.generateCertificate(is); + byte[] extVal = target.getExtensionValue("2.5.29.14"); + if (extVal != null) { + DerInputStream in = new DerInputStream(extVal); + byte[] subjectKID = in.getOctetString(); + selector.setSubjectKeyIdentifier(subjectKID); + } else { + // unlikely to happen. + throw new Exception("unexpected certificate: no SKID extension"); + } + + return selector; + } + + private static boolean match(String name, Certificate cert) + throws Exception { + X509CertSelector selector = new X509CertSelector(); + + // generate certificate from certificate string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + ByteArrayInputStream is = null; + if (name.equals("subca")) { + is = new ByteArrayInputStream(subCaCertStr.getBytes()); + } else if (name.equals("subci")) { + is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes()); + } else { + is = new ByteArrayInputStream(targetCertStr.getBytes()); + } + X509Certificate target = (X509Certificate)cf.generateCertificate(is); + + return target.equals(cert); + } + + + public static void main(String[] args) throws Exception { + // MD5 is used in this test case, don't disable MD5 algorithm. + Security.setProperty( + "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); + + CertPathBuilder builder = CertPathBuilder.getInstance("PKIX"); + + X509CertSelector selector = generateSelector(args[0]); + + Set anchors = generateTrustAnchors(); + CertStore certs = generateCertificateStore(); + + + PKIXBuilderParameters params = + new PKIXBuilderParameters(anchors, selector); + params.addCertStore(certs); + params.setRevocationEnabled(true); + params.setDate(new Date(109, 7, 1)); // 2009-07-01 + Security.setProperty("ocsp.enable", "false"); + System.setProperty("com.sun.security.enableCRLDP", "true"); + + PKIXCertPathBuilderResult result = + (PKIXCertPathBuilderResult)builder.build(params); + + if (!match(args[0], result.getCertPath().getCertificates().get(0))) { + throw new Exception("unexpected certificate"); + } + } +} diff -Nru openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevel.java openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevel.java --- openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevel.java 1970-01-01 00:00:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevel.java 2016-01-20 01:47:58.000000000 +0000 @@ -0,0 +1,204 @@ +/* + * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +// +// Security properties, once set, cannot revert to unset. To avoid +// conflicts with tests running in the same VM isolate this test by +// running it in otherVM mode. +// + +/** + * @test + * + * @bug 6720721 + * @summary CRL check with circular depency support needed + * @run main/othervm CircularCRLOneLevel + * @author Xuelei Fan + */ + +import java.io.*; +import java.net.SocketException; +import java.util.*; +import java.security.Security; +import java.security.cert.*; +import java.security.cert.CertPathValidatorException.BasicReason; + +public class CircularCRLOneLevel { + + static String selfSignedCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" + + "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + + "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" + + "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" + + "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" + + "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" + + "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" + + "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" + + "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" + + "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" + + "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" + + "Vjw=\n" + + "-----END CERTIFICATE-----"; + + static String subCaCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" + + "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + + "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj\n" + + "8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG\n" + + "Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8\n" + + "P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr\n" + + "IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" + + "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" + + "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj\n" + + "UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF\n" + + "hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ\n" + + "7cXP6VDeZMG6oRQ4hbOcixoFPXo=\n" + + "-----END CERTIFICATE-----"; + + static String targetCertStr = subCaCertStr; + + static String crlIssuerCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" + + "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + + "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" + + "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" + + "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" + + "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" + + "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" + + "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" + + "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" + + "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" + + "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" + + "-----END CERTIFICATE-----"; + + static String crlStr = + "-----BEGIN X509 CRL-----\n" + + "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" + + "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" + + "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" + + "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" + + "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" + + "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" + + "-----END X509 CRL-----"; + + private static CertPath generateCertificatePath() + throws CertificateException { + // generate certificate from cert strings + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is; + + is = new ByteArrayInputStream(targetCertStr.getBytes()); + Certificate targetCert = cf.generateCertificate(is); + + is = new ByteArrayInputStream(selfSignedCertStr.getBytes()); + Certificate selfSignedCert = cf.generateCertificate(is); + + // generate certification path + List list = Arrays.asList(new Certificate[] { + targetCert, selfSignedCert}); + + return cf.generateCertPath(list); + } + + private static Set generateTrustAnchors() + throws CertificateException { + // generate certificate from cert string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is = + new ByteArrayInputStream(selfSignedCertStr.getBytes()); + Certificate selfSignedCert = cf.generateCertificate(is); + + // generate a trust anchor + TrustAnchor anchor = + new TrustAnchor((X509Certificate)selfSignedCert, null); + + return Collections.singleton(anchor); + } + + private static CertStore generateCertificateStore() throws Exception { + // generate CRL from CRL string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is = + new ByteArrayInputStream(crlStr.getBytes()); + + // generate a cert store + Collection crls = cf.generateCRLs(is); + + is = new ByteArrayInputStream(crlIssuerCertStr.getBytes()); + Collection certs = cf.generateCertificates(is); + + Collection entries = new HashSet(); + entries.addAll(crls); + entries.addAll(certs); + + return CertStore.getInstance("Collection", + new CollectionCertStoreParameters(entries)); + } + + public static void main(String args[]) throws Exception { + // MD5 is used in this test case, don't disable MD5 algorithm. + Security.setProperty( + "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); + + CertPath path = generateCertificatePath(); + Set anchors = generateTrustAnchors(); + CertStore crls = generateCertificateStore(); + + PKIXParameters params = new PKIXParameters(anchors); + + // add the CRL store + params.addCertStore(crls); + + // Activate certificate revocation checking + params.setRevocationEnabled(true); + + // set the validation time + params.setDate(new Date(109, 5, 1)); // 2009-05-01 + + // disable OCSP checker + Security.setProperty("ocsp.enable", "false"); + + // enable CRL checker + System.setProperty("com.sun.security.enableCRLDP", "true"); + + CertPathValidator validator = CertPathValidator.getInstance("PKIX"); + + try { + validator.validate(path, params); + } catch (CertPathValidatorException cpve) { + if (cpve.getReason() != BasicReason.REVOKED) { + throw new Exception( + "unexpect exception, should be a REVOKED CPVE", cpve); + } + } + } +} diff -Nru openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevelRevoked.java openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevelRevoked.java --- openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevelRevoked.java 1970-01-01 00:00:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLOneLevelRevoked.java 2016-01-20 01:47:58.000000000 +0000 @@ -0,0 +1,207 @@ +/* + * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +// +// Security properties, once set, cannot revert to unset. To avoid +// conflicts with tests running in the same VM isolate this test by +// running it in otherVM mode. +// + +/** + * @test + * + * @bug 6720721 + * @summary CRL check with circular depency support needed + * @run main/othervm CircularCRLOneLevelRevoked + * @author Xuelei Fan + */ + +import java.io.*; +import java.net.SocketException; +import java.util.*; +import java.security.Security; +import java.security.cert.*; +import java.security.cert.CertPathValidatorException.BasicReason; + +public class CircularCRLOneLevelRevoked { + + static String selfSignedCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" + + "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + + "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" + + "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" + + "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" + + "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" + + "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" + + "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" + + "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" + + "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" + + "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" + + "Vjw=\n" + + "-----END CERTIFICATE-----"; + + static String dumCaCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICUDCCAbmgAwIBAgIBBTANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzVaFw0yOTAxMTIwMjI0MzVa\n" + + "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + + "cy1EMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAwfZ3wIYzdCkiFIKjrUKc\n" + + "0B32HaRkUeVJthadinLmoAVruCi3GRkLZUIPXDD9b7dFBbdeT1+8qDHV5wu/ES8W\n" + + "bgfirO8ng8h2hRuJbZgtfljNnVc3fptjxo7x73aP++w2oIcmjzVwaV08sgahoaY4\n" + + "f249t4EXbvjJQ8kuj1I8qQIDAQABo4GJMIGGMB0GA1UdDgQWBBR3fwdjpP4WiuyL\n" + + "/MDVrXUORrarXDBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" + + "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" + + "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAp/2sXI/XLtXu+X05\n" + + "EISyBPQqdE3kgN3dmXOuoK9J7Io8jhgetdbr9S1WTSGBonaXZgc52FNsaaDU+VIp\n" + + "TGTYU5SFloUyOu/e095eAf9Q867pAPcE5zArfKpXEBLbJwhLFwrsKPk/WZM7Yaxs\n" + + "mihnXyZWWTA1sPZlVJu7/abJ2v0=\n" + + "-----END CERTIFICATE-----"; + + // a revoked certificate + static String targetCertStr = dumCaCertStr; + + static String crlIssuerCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" + + "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + + "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" + + "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" + + "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" + + "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" + + "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" + + "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" + + "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" + + "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" + + "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" + + "-----END CERTIFICATE-----"; + + static String crlStr = + "-----BEGIN X509 CRL-----\n" + + "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" + + "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" + + "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" + + "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" + + "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" + + "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" + + "-----END X509 CRL-----"; + + private static CertPath generateCertificatePath() + throws CertificateException { + // generate certificate from cert strings + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is; + + is = new ByteArrayInputStream(targetCertStr.getBytes()); + Certificate targetCert = cf.generateCertificate(is); + + is = new ByteArrayInputStream(selfSignedCertStr.getBytes()); + Certificate selfSignedCert = cf.generateCertificate(is); + + // generate certification path + List list = Arrays.asList(new Certificate[] { + targetCert, selfSignedCert}); + + return cf.generateCertPath(list); + } + + private static Set generateTrustAnchors() + throws CertificateException { + // generate certificate from cert string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is = + new ByteArrayInputStream(selfSignedCertStr.getBytes()); + Certificate selfSignedCert = cf.generateCertificate(is); + + // generate a trust anchor + TrustAnchor anchor = + new TrustAnchor((X509Certificate)selfSignedCert, null); + + return Collections.singleton(anchor); + } + + private static CertStore generateCertificateStore() throws Exception { + // generate CRL from CRL string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is = + new ByteArrayInputStream(crlStr.getBytes()); + + // generate a cert store + Collection crls = cf.generateCRLs(is); + + is = new ByteArrayInputStream(crlIssuerCertStr.getBytes()); + Collection certs = cf.generateCertificates(is); + + Collection entries = new HashSet(); + entries.addAll(crls); + entries.addAll(certs); + + return CertStore.getInstance("Collection", + new CollectionCertStoreParameters(entries)); + } + + public static void main(String args[]) throws Exception { + // MD5 is used in this test case, don't disable MD5 algorithm. + Security.setProperty( + "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); + + CertPath path = generateCertificatePath(); + Set anchors = generateTrustAnchors(); + CertStore crls = generateCertificateStore(); + + PKIXParameters params = new PKIXParameters(anchors); + + // add the CRL store + params.addCertStore(crls); + + // Activate certificate revocation checking + params.setRevocationEnabled(true); + + // set the validation time + params.setDate(new Date(109, 5, 1)); // 2009-05-01 + + // disable OCSP checker + Security.setProperty("ocsp.enable", "false"); + + // enable CRL checker + System.setProperty("com.sun.security.enableCRLDP", "true"); + + CertPathValidator validator = CertPathValidator.getInstance("PKIX"); + + try { + validator.validate(path, params); + throw new Exception("unexpected status, should be REVOKED"); + } catch (CertPathValidatorException cpve) { + if (cpve.getReason() != BasicReason.REVOKED) { + throw new Exception( + "unexpected exception, should be a REVOKED CPVE", cpve); + } + } + + } +} diff -Nru openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevel.java openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevel.java --- openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevel.java 1970-01-01 00:00:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevel.java 2016-01-20 01:47:58.000000000 +0000 @@ -0,0 +1,256 @@ +/* + * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +// +// Security properties, once set, cannot revert to unset. To avoid +// conflicts with tests running in the same VM isolate this test by +// running it in otherVM mode. +// + +/** + * @test + * + * @bug 6720721 + * @summary CRL check with circular depency support needed + * @run main/othervm CircularCRLTwoLevel + * @author Xuelei Fan + */ + +import java.io.*; +import java.net.SocketException; +import java.util.*; +import java.security.Security; +import java.security.cert.*; +import java.security.cert.CertPathValidatorException.BasicReason; + +public class CircularCRLTwoLevel { + + static String selfSignedCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" + + "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + + "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" + + "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" + + "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" + + "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" + + "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" + + "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" + + "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" + + "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" + + "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" + + "Vjw=\n" + + "-----END CERTIFICATE-----"; + + static String subCaCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" + + "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + + "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj\n" + + "8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG\n" + + "Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8\n" + + "P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr\n" + + "IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" + + "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" + + "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj\n" + + "UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF\n" + + "hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ\n" + + "7cXP6VDeZMG6oRQ4hbOcixoFPXo=\n" + + "-----END CERTIFICATE-----"; + + static String targetCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0\n" + + "MzZaFw0yOTAxMTIwMjI0MzZaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" + + "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" + + "9w0BAQEFAAOBjQAwgYkCgYEAvYSaU3oiE4Pxp/aUIXwMqOwSiWkZ+O3aTu13hRtK\n" + + "ZyR+Wtj63IuvaigAC4uC+zBypF93ThjwCzVR2qKDQaQzV8CLleO96gStt7Y+i3G2\n" + + "V3IUGgrVCqeK7N6nNYu0wW84sibcPqG/TIy0UoaQMqgB21xtRF+1DUVlFh4Z89X/\n" + + "pskCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSynMEdcal/e9TmvlNE\n" + + "4suXGA4+hjAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG\n" + + "9w0BAQQFAAOBgQB/jru7E/+piSmUwByw5qbZsoQZVcgR97pd2TErNJpJMAX2oIHR\n" + + "wJH6w4NuYs27+fEAX7wK4whc6EUH/w1SI6o28F2rG6HqYQPPZ2E2WqwbBQL9nYE3\n" + + "Vfzu/G9axTUQXFbf90h80UErA+mZVxqc2xtymLuH0YEaMZImtRZ2MXHfXg==\n" + + "-----END CERTIFICATE-----"; + + static String topCrlIssuerCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" + + "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + + "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" + + "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" + + "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" + + "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" + + "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" + + "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" + + "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" + + "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" + + "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" + + "-----END CERTIFICATE-----"; + + static String subCrlIssuerCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICPTCCAaagAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" + + "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + + "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWUtDQx2MB/7arDiquMJyd\n" + + "LWwSg6p8sg5z6wKrC1v47MT4DBhFX+0RUgTMUdQgYpgxGpczn+6y4zfV76064S0N\n" + + "4L/IQ+SunTW1w4yRGjB+xkyyJmWAqijG1nr+Dgkv5nxPI+9Er5lHcoVWVMEcvvRm\n" + + "6jIBQdldVlSgv+VgUnFm5wIDAQABo3cwdTAdBgNVHQ4EFgQUkV3Qqtk7gIot9n60\n" + + "jX6dloxrfMEwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x\n" + + "CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN\n" + + "BgkqhkiG9w0BAQQFAAOBgQADu4GM8EdmIKhC7FRvk5jF90zfvZ38wbXBzCjKI4jX\n" + + "QJrhne1bfyeNNm5c1w+VKidT+XzBzBGH7ZqYzoZmzRIfcbLKX2brEBKiukeeAyL3\n" + + "bctQtbp19tX+uu2dQberD188AAysKTkHcJUV+rRsTwVJ9vcYKxoRxKk8DhH7ZS3M\n" + + "rg==\n" + + "-----END CERTIFICATE-----"; + + static String topCrlStr = + "-----BEGIN X509 CRL-----\n" + + "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" + + "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" + + "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" + + "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" + + "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" + + "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" + + "-----END X509 CRL-----"; + + static String subCrlStr = + "-----BEGIN X509 CRL-----\n" + + "MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" + + "ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNDI3MDIzODA0WhcNMjgw\n" + + "NjI2MDIzODA0WjAiMCACAQQXDTA5MDQyNzAyMzgwMVowDDAKBgNVHRUEAwoBBKAO\n" + + "MAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEEBQADgYEAeS+POqYEIHIIJcsLxuUr\n" + + "aJFzQ/ujH0QmnyMNEL3Uavyq4VQuAahF+w6aTPb5UBzms0uX8NAvD2vNoUJvmJOX\n" + + "nGKuq4Q1DFj82E7/9d25nXdWGOmFvFCRVO+St2Xe5n8CJuZNBiz388FDSIOiFSCa\n" + + "ARGr6Qu68MYGtLMC6ZqP3u0=\n" + + "-----END X509 CRL-----"; + + private static CertPath generateCertificatePath() + throws CertificateException { + // generate certificate from cert strings + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is; + + is = new ByteArrayInputStream(targetCertStr.getBytes()); + Certificate targetCert = cf.generateCertificate(is); + + is = new ByteArrayInputStream(subCaCertStr.getBytes()); + Certificate subCaCert = cf.generateCertificate(is); + + is = new ByteArrayInputStream(selfSignedCertStr.getBytes()); + Certificate selfSignedCert = cf.generateCertificate(is); + + // generate certification path + List list = Arrays.asList(new Certificate[] { + targetCert, subCaCert, selfSignedCert}); + + return cf.generateCertPath(list); + } + + private static Set generateTrustAnchors() + throws CertificateException { + // generate certificate from cert string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is = + new ByteArrayInputStream(selfSignedCertStr.getBytes()); + Certificate selfSignedCert = cf.generateCertificate(is); + + // generate a trust anchor + TrustAnchor anchor = + new TrustAnchor((X509Certificate)selfSignedCert, null); + + return Collections.singleton(anchor); + } + + private static CertStore generateCertificateStore() throws Exception { + Collection entries = new HashSet(); + + // generate CRL from CRL string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is = + new ByteArrayInputStream(topCrlStr.getBytes()); + Collection mixes = cf.generateCRLs(is); + entries.addAll(mixes); + + is = new ByteArrayInputStream(subCrlStr.getBytes()); + mixes = cf.generateCRLs(is); + entries.addAll(mixes); + + // intermediate certs + is = new ByteArrayInputStream(topCrlIssuerCertStr.getBytes()); + mixes = cf.generateCertificates(is); + entries.addAll(mixes); + + is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes()); + mixes = cf.generateCertificates(is); + entries.addAll(mixes); + + return CertStore.getInstance("Collection", + new CollectionCertStoreParameters(entries)); + } + + public static void main(String args[]) throws Exception { + // MD5 is used in this test case, don't disable MD5 algorithm. + Security.setProperty( + "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); + + CertPath path = generateCertificatePath(); + Set anchors = generateTrustAnchors(); + CertStore crls = generateCertificateStore(); + + PKIXParameters params = new PKIXParameters(anchors); + + // add the CRL store + params.addCertStore(crls); + + // Activate certificate revocation checking + params.setRevocationEnabled(true); + + // set the validation time + params.setDate(new Date(109, 5, 1)); // 2009-05-01 + + // disable OCSP checker + Security.setProperty("ocsp.enable", "false"); + + // enable CRL checker + System.setProperty("com.sun.security.enableCRLDP", "true"); + + CertPathValidator validator = CertPathValidator.getInstance("PKIX"); + + try { + validator.validate(path, params); + } catch (CertPathValidatorException cpve) { + if (cpve.getReason() != BasicReason.REVOKED) { + throw new Exception( + "unexpect exception, should be a REVOKED CPVE", cpve); + } + } + } +} diff -Nru openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevelRevoked.java openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevelRevoked.java --- openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevelRevoked.java 1970-01-01 00:00:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathValidator/indirectCRL/CircularCRLTwoLevelRevoked.java 2016-01-20 01:47:58.000000000 +0000 @@ -0,0 +1,258 @@ +/* + * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +// +// Security properties, once set, cannot revert to unset. To avoid +// conflicts with tests running in the same VM isolate this test by +// running it in otherVM mode. +// + +/** + * @test + * + * @bug 6720721 + * @summary CRL check with circular depency support needed + * @run main/othervm CircularCRLTwoLevelRevoked + * @author Xuelei Fan + */ + +import java.io.*; +import java.net.SocketException; +import java.util.*; +import java.security.Security; +import java.security.cert.*; +import java.security.cert.CertPathValidatorException.BasicReason; + +public class CircularCRLTwoLevelRevoked { + + static String selfSignedCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa\n" + + "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + + "AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ\n" + + "Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n\n" + + "jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID\n" + + "AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME\n" + + "QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" + + "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" + + "DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0\n" + + "484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye\n" + + "iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz\n" + + "Vjw=\n" + + "-----END CERTIFICATE-----"; + + static String subCaCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" + + "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + + "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj\n" + + "8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG\n" + + "Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8\n" + + "P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr\n" + + "IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw\n" + + "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" + + "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj\n" + + "UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF\n" + + "hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ\n" + + "7cXP6VDeZMG6oRQ4hbOcixoFPXo=\n" + + "-----END CERTIFICATE-----"; + + // a revoked certificate + static String targetCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICNzCCAaCgAwIBAgIBBDANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0\n" + + "MzhaFw0yOTAxMTIwMjI0MzhaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" + + "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVTdXNhbjCBnzANBgkqhkiG\n" + + "9w0BAQEFAAOBjQAwgYkCgYEAyPKlfep+EIIUOpZF3xtYUhAx79qEqe2RPRcH2YeR\n" + + "1ogM8+AZMdcXoiuDl4CFLzQwRv1DSKUZAPdPbROLVDsUn+IGvgn2jnE7ZQEUtQQJ\n" + + "+rorcasE7bo5MBPuno/0oQRi/4MZn6lX3qB13ZUHAvZH96oCF6C3Ro19LAwav1Lo\n" + + "FRcCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBTCUH1tqQk96Pocr8Is\n" + + "tDKMoIRQljAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG\n" + + "9w0BAQQFAAOBgQB3YXuTA+QfaImQ2aN/e27Nv5a/FMml6y6t0+pzt5hUYG2W0C2f\n" + + "5Hdmf3whNCA7zE5RVDQP0iuGBPgjvrABuN98Vimv2eTV+N5aYTak0Aav/OuR5Lpi\n" + + "tYhXMMg5gSmT+JDARba4CX+Ap1oAaNe9Mtv8L6FWdvBqfzzifDHWavdIWA==\n" + + "-----END CERTIFICATE-----"; + + static String topCrlIssuerCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa\n" + + "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + + "AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC\n" + + "SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ\n" + + "atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID\n" + + "AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw\n" + + "PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" + + "VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY\n" + + "eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP\n" + + "FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck\n" + + "uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q==\n" + + "-----END CERTIFICATE-----"; + + static String subCrlIssuerCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICPTCCAaagAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa\n" + + "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + + "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWUtDQx2MB/7arDiquMJyd\n" + + "LWwSg6p8sg5z6wKrC1v47MT4DBhFX+0RUgTMUdQgYpgxGpczn+6y4zfV76064S0N\n" + + "4L/IQ+SunTW1w4yRGjB+xkyyJmWAqijG1nr+Dgkv5nxPI+9Er5lHcoVWVMEcvvRm\n" + + "6jIBQdldVlSgv+VgUnFm5wIDAQABo3cwdTAdBgNVHQ4EFgQUkV3Qqtk7gIot9n60\n" + + "jX6dloxrfMEwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x\n" + + "CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN\n" + + "BgkqhkiG9w0BAQQFAAOBgQADu4GM8EdmIKhC7FRvk5jF90zfvZ38wbXBzCjKI4jX\n" + + "QJrhne1bfyeNNm5c1w+VKidT+XzBzBGH7ZqYzoZmzRIfcbLKX2brEBKiukeeAyL3\n" + + "bctQtbp19tX+uu2dQberD188AAysKTkHcJUV+rRsTwVJ9vcYKxoRxKk8DhH7ZS3M\n" + + "rg==\n" + + "-----END CERTIFICATE-----"; + + static String topCrlStr = + "-----BEGIN X509 CRL-----\n" + + "MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" + + "ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX\n" + + "DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ\n" + + "KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY\n" + + "CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg\n" + + "oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54=\n" + + "-----END X509 CRL-----"; + + static String subCrlStr = + "-----BEGIN X509 CRL-----\n" + + "MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE\n" + + "ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNDI3MDIzODA0WhcNMjgw\n" + + "NjI2MDIzODA0WjAiMCACAQQXDTA5MDQyNzAyMzgwMVowDDAKBgNVHRUEAwoBBKAO\n" + + "MAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEEBQADgYEAeS+POqYEIHIIJcsLxuUr\n" + + "aJFzQ/ujH0QmnyMNEL3Uavyq4VQuAahF+w6aTPb5UBzms0uX8NAvD2vNoUJvmJOX\n" + + "nGKuq4Q1DFj82E7/9d25nXdWGOmFvFCRVO+St2Xe5n8CJuZNBiz388FDSIOiFSCa\n" + + "ARGr6Qu68MYGtLMC6ZqP3u0=\n" + + "-----END X509 CRL-----"; + + private static CertPath generateCertificatePath() + throws CertificateException { + // generate certificate from cert strings + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is; + + is = new ByteArrayInputStream(targetCertStr.getBytes()); + Certificate targetCert = cf.generateCertificate(is); + + is = new ByteArrayInputStream(subCaCertStr.getBytes()); + Certificate subCaCert = cf.generateCertificate(is); + + is = new ByteArrayInputStream(selfSignedCertStr.getBytes()); + Certificate selfSignedCert = cf.generateCertificate(is); + + // generate certification path + List list = Arrays.asList(new Certificate[] { + targetCert, subCaCert, selfSignedCert}); + + return cf.generateCertPath(list); + } + + private static Set generateTrustAnchors() + throws CertificateException { + // generate certificate from cert string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is = + new ByteArrayInputStream(selfSignedCertStr.getBytes()); + Certificate selfSignedCert = cf.generateCertificate(is); + + // generate a trust anchor + TrustAnchor anchor = + new TrustAnchor((X509Certificate)selfSignedCert, null); + + return Collections.singleton(anchor); + } + + private static CertStore generateCertificateStore() throws Exception { + Collection entries = new HashSet(); + + // generate CRL from CRL string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + ByteArrayInputStream is = + new ByteArrayInputStream(topCrlStr.getBytes()); + Collection mixes = cf.generateCRLs(is); + entries.addAll(mixes); + + is = new ByteArrayInputStream(subCrlStr.getBytes()); + mixes = cf.generateCRLs(is); + entries.addAll(mixes); + + // intermediate certs + is = new ByteArrayInputStream(topCrlIssuerCertStr.getBytes()); + mixes = cf.generateCertificates(is); + entries.addAll(mixes); + + is = new ByteArrayInputStream(subCrlIssuerCertStr.getBytes()); + mixes = cf.generateCertificates(is); + entries.addAll(mixes); + + return CertStore.getInstance("Collection", + new CollectionCertStoreParameters(entries)); + } + + public static void main(String args[]) throws Exception { + // MD5 is used in this test case, don't disable MD5 algorithm. + Security.setProperty( + "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); + + CertPath path = generateCertificatePath(); + Set anchors = generateTrustAnchors(); + CertStore crls = generateCertificateStore(); + + PKIXParameters params = new PKIXParameters(anchors); + + // add the CRL store + params.addCertStore(crls); + + // Activate certificate revocation checking + params.setRevocationEnabled(true); + + // set the validation time + params.setDate(new Date(109, 5, 1)); // 2009-05-01 + + // disable OCSP checker + Security.setProperty("ocsp.enable", "false"); + + // enable CRL checker + System.setProperty("com.sun.security.enableCRLDP", "true"); + + CertPathValidator validator = CertPathValidator.getInstance("PKIX"); + + try { + validator.validate(path, params); + throw new Exception("unexpected status, should be REVOKED"); + } catch (CertPathValidatorException cpve) { + if (cpve.getReason() != BasicReason.REVOKED) { + throw new Exception( + "unexpect exception, should be a REVOKED CPVE", cpve); + } + } + } +} diff -Nru openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathValidator/indirectCRL/generate.sh openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathValidator/indirectCRL/generate.sh --- openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathValidator/indirectCRL/generate.sh 1970-01-01 00:00:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathValidator/indirectCRL/generate.sh 2016-01-20 01:47:58.000000000 +0000 @@ -0,0 +1,221 @@ +# +# Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved. +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +# +# This code is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 2 only, as +# published by the Free Software Foundation. Oracle designates this +# particular file as subject to the "Classpath" exception as provided +# by Oracle in the LICENSE file that accompanied this code. +# +# This code is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# version 2 for more details (a copy is included in the LICENSE file that +# accompanied this code). +# +# You should have received a copy of the GNU General Public License version +# 2 along with this work; if not, write to the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA +# or visit www.oracle.com if you need additional information or have any +# questions. +# + +#!/bin/ksh +# +# needs ksh to run the script. + +# generate a self-signed root certificate +if [ ! -f root/root_cert.pem ]; then + if [ ! -d root ]; then + mkdir root + fi + + openssl req -x509 -newkey rsa:1024 -keyout root/root_key.pem \ + -out root/root_cert.pem -subj "/C=US/O=Example" \ + -config openssl.cnf -reqexts cert_issuer -days 7650 \ + -passin pass:passphrase -passout pass:passphrase +fi + +# generate a sele-issued root crl issuer certificate +if [ ! -f root/top_crlissuer_cert.pem ]; then + if [ ! -d root ]; then + mkdir root + fi + + openssl req -newkey rsa:1024 -keyout root/top_crlissuer_key.pem \ + -out root/top_crlissuer_req.pem -subj "/C=US/O=Example" -days 7650 \ + -passin pass:passphrase -passout pass:passphrase + + openssl x509 -req -in root/top_crlissuer_req.pem -extfile openssl.cnf \ + -extensions crl_issuer -CA root/root_cert.pem \ + -CAkey root/root_key.pem -out root/top_crlissuer_cert.pem \ + -CAcreateserial -CAserial root/root_cert.srl -days 7200 \ + -passin pass:passphrase +fi + +# generate subca cert issuer and crl iuuser certificates +if [ ! -f subca/subca_cert.pem ]; then + if [ ! -d subca ]; then + mkdir subca + fi + + openssl req -newkey rsa:1024 -keyout subca/subca_key.pem \ + -out subca/subca_req.pem -subj "/C=US/O=Example/OU=Class-1" \ + -days 7650 -passin pass:passphrase -passout pass:passphrase + + openssl x509 -req -in subca/subca_req.pem -extfile openssl.cnf \ + -extensions cert_issuer -CA root/root_cert.pem \ + -CAkey root/root_key.pem -out subca/subca_cert.pem -CAcreateserial \ + -CAserial root/root_cert.srl -days 7200 -passin pass:passphrase + + openssl req -newkey rsa:1024 -keyout subca/subca_crlissuer_key.pem \ + -out subca/subca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-1" \ + -days 7650 -passin pass:passphrase -passout pass:passphrase + + openssl x509 -req -in subca/subca_crlissuer_req.pem -extfile openssl.cnf \ + -extensions crl_issuer -CA root/root_cert.pem \ + -CAkey root/root_key.pem -out subca/subca_crlissuer_cert.pem \ + -CAcreateserial -CAserial root/root_cert.srl -days 7200 \ + -passin pass:passphrase +fi + +# generate dumca cert issuer and crl iuuser certificates +if [ ! -f dumca/dumca_cert.pem ]; then + if [ ! -d sumca ]; then + mkdir dumca + fi + + openssl req -newkey rsa:1024 -keyout dumca/dumca_key.pem \ + -out dumca/dumca_req.pem -subj "/C=US/O=Example/OU=Class-D" \ + -days 7650 -passin pass:passphrase -passout pass:passphrase + + openssl x509 -req -in dumca/dumca_req.pem -extfile openssl.cnf \ + -extensions cert_issuer -CA root/root_cert.pem \ + -CAkey root/root_key.pem -out dumca/dumca_cert.pem \ + -CAcreateserial -CAserial root/root_cert.srl -days 7200 \ + -passin pass:passphrase + + openssl req -newkey rsa:1024 -keyout dumca/dumca_crlissuer_key.pem \ + -out dumca/dumca_crlissuer_req.pem -subj "/C=US/O=Example/OU=Class-D" \ + -days 7650 -passin pass:passphrase -passout pass:passphrase + + openssl x509 -req -in dumca/dumca_crlissuer_req.pem \ + -extfile openssl.cnf -extensions crl_issuer -CA root/root_cert.pem \ + -CAkey root/root_key.pem -out dumca/dumca_crlissuer_cert.pem \ + -CAcreateserial -CAserial root/root_cert.srl -days 7200 \ + -passin pass:passphrase +fi + +# generate certifiacte for Alice +if [ ! -f subca/alice/alice_cert.pem ]; then + if [ ! -d subca/alice ]; then + mkdir -p subca/alice + fi + + openssl req -newkey rsa:1024 -keyout subca/alice/alice_key.pem \ + -out subca/alice/alice_req.pem \ + -subj "/C=US/O=Example/OU=Class-1/CN=Alice" -days 7650 \ + -passin pass:passphrase -passout pass:passphrase + + openssl x509 -req -in subca/alice/alice_req.pem \ + -extfile openssl.cnf -extensions ee_of_subca \ + -CA subca/subca_cert.pem -CAkey subca/subca_key.pem \ + -out subca/alice/alice_cert.pem -CAcreateserial \ + -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase +fi + +# generate certifiacte for Bob +if [ ! -f subca/bob/bob_cert.pem ]; then + if [ ! -d subca/bob ]; then + mkdir -p subca/bob + fi + + openssl req -newkey rsa:1024 -keyout subca/bob/bob_key.pem \ + -out subca/bob/bob_req.pem \ + -subj "/C=US/O=Example/OU=Class-1/CN=Bob" -days 7650 \ + -passin pass:passphrase -passout pass:passphrase + + openssl x509 -req -in subca/bob/bob_req.pem \ + -extfile openssl.cnf -extensions ee_of_subca \ + -CA subca/subca_cert.pem -CAkey subca/subca_key.pem \ + -out subca/bob/bob_cert.pem -CAcreateserial \ + -CAserial subca/subca_cert.srl -days 7200 -passin pass:passphrase +fi + +# generate certifiacte for Susan +if [ ! -f subca/susan/susan_cert.pem ]; then + if [ ! -d subca/susan ]; then + mkdir -p subca/susan + fi + + openssl req -newkey rsa:1024 -keyout subca/susan/susan_key.pem \ + -out subca/susan/susan_req.pem \ + -subj "/C=US/O=Example/OU=Class-1/CN=Susan" -days 7650 \ + -passin pass:passphrase -passout pass:passphrase + + openssl x509 -req -in subca/susan/susan_req.pem -extfile openssl.cnf \ + -extensions ee_of_subca -CA subca/subca_cert.pem \ + -CAkey subca/subca_key.pem -out subca/susan/susan_cert.pem \ + -CAcreateserial -CAserial subca/subca_cert.srl -days 7200 \ + -passin pass:passphrase +fi + + +# generate the top CRL +if [ ! -f root/top_crl.pem ]; then + if [ ! -d root ]; then + mkdir root + fi + + if [ ! -f root/index.txt ]; then + touch root/index.txt + echo 00 > root/crlnumber + fi + + openssl ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 \ + -crl_reason superseded -keyfile root/top_crlissuer_key.pem \ + -cert root/top_crlissuer_cert.pem -out root/top_crl.pem \ + -passin pass:passphrase +fi + +# revoke dumca +openssl ca -revoke dumca/dumca_cert.pem -config openssl.cnf \ + -name ca_top -crl_reason superseded \ + -keyfile root/top_crlissuer_key.pem -cert root/top_crlissuer_cert.pem \ + -passin pass:passphrase + +openssl ca -gencrl -config openssl.cnf -name ca_top -crldays 7000 \ + -crl_reason superseded -keyfile root/top_crlissuer_key.pem \ + -cert root/top_crlissuer_cert.pem -out root/top_crl.pem \ + -passin pass:passphrase + +# revoke for subca +if [ ! -f subca/subca_crl.pem ]; then + if [ ! -d subca ]; then + mkdir subca + fi + + if [ ! -f subca/index.txt ]; then + touch subca/index.txt + echo 00 > subca/crlnumber + fi + + openssl ca -gencrl -config openssl.cnf -name ca_subca -crldays 7000 \ + -crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \ + -cert subca/subca_crlissuer_cert.pem -out subca/subca_crl.pem \ + -passin pass:passphrase +fi + +# revoke susan +openssl ca -revoke subca/susan/susan_cert.pem -config openssl.cnf \ + -name ca_subca -crl_reason superseded \ + -keyfile subca/subca_crlissuer_key.pem \ + -cert subca/subca_crlissuer_cert.pem -passin pass:passphrase + +openssl ca -gencrl -config openssl.cnf -name ca_subca -crldays 7000 \ + -crl_reason superseded -keyfile subca/subca_crlissuer_key.pem \ + -cert subca/subca_crlissuer_cert.pem -out subca/subca_crl.pem \ + -passin pass:passphrase diff -Nru openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathValidator/indirectCRL/openssl.cnf openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathValidator/indirectCRL/openssl.cnf --- openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathValidator/indirectCRL/openssl.cnf 1970-01-01 00:00:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathValidator/indirectCRL/openssl.cnf 2016-01-20 01:47:58.000000000 +0000 @@ -0,0 +1,206 @@ +# +# Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved. +# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +# +# This code is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License version 2 only, as +# published by the Free Software Foundation. Oracle designates this +# particular file as subject to the "Classpath" exception as provided +# by Oracle in the LICENSE file that accompanied this code. +# +# This code is distributed in the hope that it will be useful, but WITHOUT +# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +# version 2 for more details (a copy is included in the LICENSE file that +# accompanied this code). +# +# You should have received a copy of the GNU General Public License version +# 2 along with this work; if not, write to the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. +# +# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA +# or visit www.oracle.com if you need additional information or have any +# questions. +# + +# +# OpenSSL configuration file. +# + +HOME = . +RANDFILE = $ENV::HOME/.rnd + +[ ca ] +default_ca = CA_default + +[ CA_default ] +dir = ./top +certs = $dir/certs +crl_dir = $dir/crl +database = $dir/index.txt +unique_subject = no +new_certs_dir = $dir/newcerts +certificate = $dir/cacert.pem +serial = $dir/serial +crlnumber = $dir/crlnumber +crl = $dir/crl.pem +private_key = $dir/private/cakey.pem +RANDFILE = $dir/private/.rand +x509_extensions = v3_ca + +name_opt = ca_default +cert_opt = ca_default + +default_days = 7650 +default_crl_days = 30 +default_md = sha1 +preserve = no + +policy = policy_anything + +[ ca_top ] +dir = ./root +certs = $dir/certs +crl_dir = $dir/crl +database = $dir/index.txt +unique_subject = no +new_certs_dir = $dir/newcerts +certificate = $dir/cacert.pem +serial = $dir/serial +crlnumber = $dir/crlnumber +crl = $dir/crl.pem +private_key = $dir/private/cakey.pem +RANDFILE = $dir/private/.rand + +x509_extensions = v3_ca + +name_opt = ca_default +cert_opt = ca_default + +default_days = 7650 +default_crl_days = 30 +default_md = sha1 +preserve = no + +policy = policy_anything + +[ ca_subca ] +dir = ./subca +certs = $dir/certs +crl_dir = $dir/crl +database = $dir/index.txt +unique_subject = no +new_certs_dir = $dir/newcerts + +certificate = $dir/cacert.pem +serial = $dir/serial +crlnumber = $dir/crlnumber +crl = $dir/crl.pem +private_key = $dir/private/cakey.pem +RANDFILE = $dir/private/.rand + +x509_extensions = usr_cert + +name_opt = ca_default +cert_opt = ca_default + +default_days = 7650 +default_crl_days = 30 +default_md = sha1 +preserve = no + +policy = policy_anything + +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ policy_anything ] +countryName = optional +stateOrProvinceName = optional +localityName = optional +organizationName = optional +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + +[ req ] +default_bits = 1024 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name +attributes = req_attributes +x509_extensions = v3_ca + +string_mask = nombstr + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = NO +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = A-State + +localityName = Locality Name (eg, city) + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = Internet Widgits Pty Ltd + +organizationalUnitName = Organizational Unit Name (eg, section) + +commonName = Common Name (eg, YOUR name) +commonName_max = 64 + +emailAddress = Email Address +emailAddress_max = 64 + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 +unstructuredName = An optional company name + + +[ usr_cert ] +keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer + +[ v3_req ] +basicConstraints = CA:FALSE +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +subjectAltName = email:example@openjdk.net, RID:1.2.3.4:true + +[ v3_ca ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = critical,CA:true +keyUsage = keyCertSign + +[ cert_issuer ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +basicConstraints = critical,CA:true +keyUsage = keyCertSign + + +[ crl_issuer ] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +keyUsage = cRLSign + + +[ crl_ext ] +authorityKeyIdentifier = keyid:always,issuer:always + +[ ee_of_subca ] +keyUsage = nonRepudiation, digitalSignature, keyEncipherment, keyAgreement + +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer diff -Nru openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathValidator/indirectCRL/README openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathValidator/indirectCRL/README --- openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathValidator/indirectCRL/README 1970-01-01 00:00:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathValidator/indirectCRL/README 2016-01-20 01:47:58.000000000 +0000 @@ -0,0 +1,373 @@ +/* + * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + + Certificates and CRLs + +Here lists the Certificates and CRLs, which was generated by generate.sh, +used in the test cases. + +The generate.sh depends on openssl, and it should be run under ksh. The +script will create many directories and files, please run it in a +directory outside of JDK workspace. + +1. root certifiate and key +-----BEGIN CERTIFICATE----- +MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzJaFw0zMDA0MDcwMjI0MzJa +MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB +AQUAA4GNADCBiQKBgQC4OTag24sTxL2tXTNuvpmUEtdxrYAZoFsslFQ60T+WD9wQ +Jeiw87FSPsR2vxRuv0j8DNm2a4h7LNNIFcLurfNldbz5pvgZ7VqdbbUMPE9qP85n +jgDl4woyRTSUeRI4A7O0CO6NpES21dtbdhroWQrEkHxpnrDPxsxrz5gf2m3gqwID +AQABo4GJMIGGMB0GA1UdDgQWBBSCJd0hpl5PdAD9IZS+Hzng4lXLGzBHBgNVHSME +QDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEwHzELMAkGA1UEBhMCVVMxEDAO +BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw +DQYJKoZIhvcNAQEEBQADgYEAluy6HIjWcq009lTLmhp+Np6dxU78pInBK8RZkza0 +484qGaxFGD3UGyZkI5uWmsH2XuMbuox5khfIq6781gmkPBHXBIEtJN8eLusOHEye +iE8h7WI+N3qa6Pj56WionMrioqC/3X+b06o147bbhx8U0vkYv/HyPaITOFfMXTdz +Vjw= +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,407A749DF8F6338E + +4ukHU4tkRAh2w17NEjPTICMbVtoS24bNk11Ywd7OzLV0aXnes2nSAV0KnXqnPTP8 +0VdoMVpp7r/jdaJvd3oL7MF5WcURzcOx2rirg+HeD5lHv0Blrh1FADcI1CQNsi8b +WZHVuCc1+feOKxixPB8Fge5lKeeU554iTTk5XjOxAKO6GFn8FInj7b3+Zse4A/1E +AOSKVSIWbx71owQyzjrYfoGE/oJVaSRraUbJL4xKcSUYdK+7Qp6h/HI1Cne2DZKu +UmApdQnZbxa8hjuLqOiQFu6TVpzJh2UOqu1PEmjJgEM4DQQ9C8AgHdkVYitcLjiI +b90H7JFl3EekMbjKEX/w2Z6y4RzFC9oGpJL/QpKvlq6sY7htPd1MK2UbWVE7/yq/ +holkrvySI1S7BFqKEdIY8Oe0tCNlmELdmL1+yVnQT0LnAX/bkzLNDw1n5J4WpLSX +JdsgAXmw1hTh24tnT1E6IUd8HM4QyVrvsqCuEHTSMix1u6QCLvdlw4P6yA39ruiY +xbBIcb5PHic0UrcdElRCzXLtW6tRe/98ET7WDEJOLudSUOSG3CKwrEX/kekBqJ11 +pAO34wLW5gsPwk2AQ1fAaNwHtGBlvKXnmbyuNitytA3/oSENSXnDHD2tIe1Jtep6 +yrfB9IqYEhINRi9BRR4rCkUwkBSRi4bRI7AzRP8pImG+iCDN6sT7T/mUmTTgFVLX +NxPSGxbLxbidxnBU0B2JA3PfXqtt7J2Q5n0t3R3SC3iUxURGOvvccA3TcIWd4H75 +yQZNzvSIfTG3RhIM0as8/Ahad8hsdE/MqgW50yhzyjNF/UkvFLV8mw== +-----END RSA PRIVATE KEY----- + +2. root crl issuer and key +-----BEGIN CERTIFICATE----- +MIICKzCCAZSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzNaFw0yOTAxMTIwMjI0MzNa +MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB +AQUAA4GNADCBiQKBgQDMJeBMBybHykI/YpwUJ4O9euqDSLb1kpWpceBS8TVqvgBC +SgUJWtFZL0i6bdvF6mMdlbuBkGzhXqHiVAi96/zRLbUC9F8SMEJ6MuD+YhQ0ZFTQ +atKy8zf8O9XzztelLJ26Gqb7QPV133WY3haAqHtCXOhEKkCN16NOYNC37DTaJwID +AQABo3cwdTAdBgNVHQ4EFgQULXSWzXzUOIpOJpzbSCpW42IJUugwRwYDVR0jBEAw +PoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD +VQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjANBgkqhkiG9w0BAQQFAAOBgQAY +eMnf5AHSNlyUlzXk8o2S0h4gCuvKX6C3kFfKuZcWvFAbx4yQOWLS2s15/nzR4+AP +FGX3lgJjROyAh7fGedTQK+NFWwkM2ag1g3hXktnlnT1qHohi0w31nVBJxXEDO/Ck +uJTpJGt8XxxbFaw5v7cHy7XuTAeU/sekvjEiNHW00Q== +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,96FBBE554515B5A4 + +cDfhsWvWCNruFN+9gSWSEz8kffFrqnvp9sxQx2/EwBrC8HNdQQqQqhkcb5moALz0 +KxAFQMmUG476v1zRv4ZRIpmT9gYhuqSpqKVQLRzFhe9wUDsCOcNCSfqK4I4blt+R +gqRF+o97iNun+T2QXvku6B72CgQhJQHrEifoSTSGYpKGIVnhBmBPgadKn864zrv0 +ZvwjjRtgyC6/QTfKcXTW+8TIa8Bg/821ZJ0FcNsJs+2tQnki/KubRBIo7rGXGcxO +f5PtO8BTjsw6G9TMuHKPlozOgGBgkQzf3gNXOLhdjwSDJUlTLLx5ugal+q0VVK7a +Np8rK1SLrbC9ReI/VGD8BBW8qHRYhJny2JQ0ub8rXIptILNxH4d8r5ye3NaoskVN +S4i5Jr5bgr0ijZ6kdECDiAoUo6UtTX1O9nbZA2AyJLch8gfNs+WeJLDmG9JPGVsW +moGPGev1ykTc11Hn8K6S0errWD778B+k0ODLWg3EP8E1GFgdChTdMz2fT+YNrvQ/ +0iJATduzl4BN9eVB2qnadDAXfWm9kwkaX915ePKU1RpEnU3WygSnze8MfWshVJTn +2F/meijLWgqrb4fmyd6KoDeqP5a+ByAPAiw/oAtemWSDviDc6VpXcXCL8dYoIBOV +ehg/3Z/DmjfVFHdl5PWQfHiuVbIJbr/soQiTvDsjypYDi/aiY729ils2IxmzIQR8 +iLhOtBr6yd9qfqQ0761cYrdW5HlsTHOyZFctKxIf98ybzp+bJlskH8ifA1kgNLs3 +18T2gS+SkKqITi6TmD4Fkob+UtXPyzsb/8g7cNSv82k= +-----END RSA PRIVATE KEY----- + +3. root CRL issued by root crl issuer. +-----BEGIN X509 CRL----- +MIIBGzCBhQIBATANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQMA4GA1UE +ChMHRXhhbXBsZRcNMDkwNDI3MDIzODA0WhcNMjgwNjI2MDIzODA0WjAiMCACAQUX +DTA5MDQyNzAyMzgwMFowDDAKBgNVHRUEAwoBBKAOMAwwCgYDVR0UBAMCAQIwDQYJ +KoZIhvcNAQEEBQADgYEAoarfzXEtw3ZDi4f9U8eSvRIipHSyxOrJC7HR/hM5VhmY +CErChny6x9lBVg9s57tfD/P9PSzBLusCcHwHMAbMOEcTltVVKUWZnnbumpywlYyg +oKLrE9+yCOkYUOpiRlz43/3vkEL5hjIKMcDSZnPKBZi1h16Yj2hPe9GMibNip54= +-----END X509 CRL----- + +4. subca certificate and key +-----BEGIN CERTIFICATE----- +MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa +MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz +cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCiAJnAQW2ad3ZMKUhSJVZj +8pBqxTcHSTwAVguQkDglsN/OIwUpvR5Jgp3lpRWUEt6idEp0FZzORpvtjt3pr5MG +Eg2CDptekC5BSPS+fIAIKlncB3HwOiFFhH6b3wTydDCdEd2fvsi4QMOSVrIYMeA8 +P/mCz6kRhfUQPE0CMmOUewIDAQABo4GJMIGGMB0GA1UdDgQWBBT0/nNP8WpyxmYr +IBp4tN8y08jw2jBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw +HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw +AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAS9PzI6B39R/U9fRj +UExzN1FXNP5awnAPtiv34kSCL6n6MryqkfG+8aaAOdZsSjmTylNFaF7cW/Xp1VBF +hq0bg/SbEAbK7+UwL8GSC3crhULHLbh+1iFdVTEwxCw5YmB8ji3BaZ/WKW/PkjCZ +7cXP6VDeZMG6oRQ4hbOcixoFPXo= +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,AB196C2474B93EE0 + +8S3B4hsTW2OI6CA7bgoou4nt8VQckaRKvC6v+J/gHhnjd9aWnv3wKHhZsQl42+dY +HB8DImLTU02gnf3tEGJrTIyrIGrrAjwvio8yzxVqOnNuB6CamlCYx6Td7L09+Wlp +8qV1dj+czHhkoH/r0oRHU8NKQMphLQ0kcq3n+hM1UcSzdPxStyIBSRn34dKkuA+t +UjKfxbaPMN0dABPesN5emyAUYvVu4qSgDaw4pkqJKk/3+DL6lP3Ih93vTnyx7KU5 +UexoA9apTDGQuiNbhoKJwOlrG2E7Y57eVOW52b7QPHH8miNCJ5UJALBymPkBc76s +D1ioMSdPWfy5C70Hh219oWync3UTToL/Jh1jc0ir5XI5l9lFz/IEA9uhxg137ixB +Gj1f2S+eSgnQ3SADVrA5wwX88nrjDufrFpH7ofq947IbI9F6iTMOSqR1uIy0SryW +jhB6t/fB0alZceqn8dLAFMV2WvVCGsWx53zcGg09q29FkjpLJpZiI6Bc6EYdk+nn +aeGbHLxwKf/vLcD0Oyx4FiJS1vMAEex41eblcwqjiU6vql9LbIFX4hVjGoQ/cL0U +bjEZjWlNPAvbBVAlStEXOyZzrrDJUags5gqhdv6VKvzQouwH3+Ivbx7UiSTpJ3If +A9txNSVsqc5MTy4hA30RSdMwoP4lK2PrHvivNnZi/kD7Knxn9OuEVBL3KXTmYduQ +kDmJzsKWOPvXHEgAZkfXIPKYNT2Z5LuS3yPSlGUcInImBawOkqgs5NJvUTrkbDMk +uSrOUFUBdBczU4I5oD1vs9yNhLtaK0S6w3gfiHNpIfg4FIFbdqmnAA== +-----END RSA PRIVATE KEY----- + +5. crl issuer of subca, the certificate and key +-----BEGIN CERTIFICATE----- +MIICPTCCAaagAwIBAgIBBDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzRaFw0yOTAxMTIwMjI0MzRa +MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz +cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWUtDQx2MB/7arDiquMJyd +LWwSg6p8sg5z6wKrC1v47MT4DBhFX+0RUgTMUdQgYpgxGpczn+6y4zfV76064S0N +4L/IQ+SunTW1w4yRGjB+xkyyJmWAqijG1nr+Dgkv5nxPI+9Er5lHcoVWVMEcvvRm +6jIBQdldVlSgv+VgUnFm5wIDAQABo3cwdTAdBgNVHQ4EFgQUkV3Qqtk7gIot9n60 +jX6dloxrfMEwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x +CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN +BgkqhkiG9w0BAQQFAAOBgQADu4GM8EdmIKhC7FRvk5jF90zfvZ38wbXBzCjKI4jX +QJrhne1bfyeNNm5c1w+VKidT+XzBzBGH7ZqYzoZmzRIfcbLKX2brEBKiukeeAyL3 +bctQtbp19tX+uu2dQberD188AAysKTkHcJUV+rRsTwVJ9vcYKxoRxKk8DhH7ZS3M +rg== +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,8C523D20E1687EC3 + +KdLa0JlKnRDBf/bwtpvmcerBOzJNPidRoIrqDt8fZ5r4WyUWhmBzkNgmBu6KFFPQ +4IKK4GW7Oo/D7x1w4hIyDt+JaMSdWWgSyvlIWZ6gSDEsqhzMHQpFNxDet8oD3B6H +CMdfXuQ7VHWcYhjX078FNxSRqTQvKR1eAv3AdnXAkuH6Z8V/if1dlQ/yFteSKzCZ +Y468leZR14Fl0J8au8LOHxZ6tUBvVXUTo0/FutsfOs9BfLTLkKvLS2pEjMdwnfvS +4utV/keK7edAXALfnclAshjYShxgwcyAWszJs9M16k/jqAGdDLAfluoZaznfZ1sc +KhAyIKYRo1XivjmTQxvQRwdG+X/w8CYUzawybt8TtXyLyu4cRdEHsEDyjJ5eG9ap ++ZDP+djWmrjUPKN5Ahc+Fjtsi6i8PcVFnYTnMAwfjiBd4iU+zJEhne0YUB4QRZee +5jdLC8OUfqU0tByj7kDxn6shU2F3r7gIjPqx9DEWGWSf5XDlfk880GGIR67cNEqo +lMLP/9/KUEeCwgrvqKdoD/O7qbNlmX7JyGcl/eU2Zsq5P5xkLWenuRHwpJlmV19m +2Ovg2gK24okl7FiUgP3vNAzDznqHfyoyoR4noKPwtRANOI3otJxokMFGlgzQAXZB +4Eg6M+VLuTxoV14tsSqtkBGNFOUE06n3G5CKuXbh3gXQs0gc8BvzuRMawVSHC144 +UJM3X73aqSM42lwO2pBjMfxyPdFNkxf3lDuyfMOhGlpDwsny4N4EAOS5ctKNl3Ua +oP0BiqyKSuzreg1Ouwq1XxxnWec6XqlHm9482I/vautunqLYQDcfQQ== +-----END RSA PRIVATE KEY----- + +6. CLR issued by subca CRL issuer +-----BEGIN X509 CRL----- +MIIBLTCBlwIBATANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQMA4GA1UE +ChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMRcNMDkwNDI3MDIzODA0WhcNMjgw +NjI2MDIzODA0WjAiMCACAQQXDTA5MDQyNzAyMzgwMVowDDAKBgNVHRUEAwoBBKAO +MAwwCgYDVR0UBAMCAQIwDQYJKoZIhvcNAQEEBQADgYEAeS+POqYEIHIIJcsLxuUr +aJFzQ/ujH0QmnyMNEL3Uavyq4VQuAahF+w6aTPb5UBzms0uX8NAvD2vNoUJvmJOX +nGKuq4Q1DFj82E7/9d25nXdWGOmFvFCRVO+St2Xe5n8CJuZNBiz388FDSIOiFSCa +ARGr6Qu68MYGtLMC6ZqP3u0= +-----END X509 CRL----- + +7. dumca certificate and key +-----BEGIN CERTIFICATE----- +MIICUDCCAbmgAwIBAgIBBTANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzVaFw0yOTAxMTIwMjI0MzVa +MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz +cy1EMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAwfZ3wIYzdCkiFIKjrUKc +0B32HaRkUeVJthadinLmoAVruCi3GRkLZUIPXDD9b7dFBbdeT1+8qDHV5wu/ES8W +bgfirO8ng8h2hRuJbZgtfljNnVc3fptjxo7x73aP++w2oIcmjzVwaV08sgahoaY4 +f249t4EXbvjJQ8kuj1I8qQIDAQABo4GJMIGGMB0GA1UdDgQWBBR3fwdjpP4WiuyL +/MDVrXUORrarXDBHBgNVHSMEQDA+gBSCJd0hpl5PdAD9IZS+Hzng4lXLG6EjpCEw +HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw +AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAp/2sXI/XLtXu+X05 +EISyBPQqdE3kgN3dmXOuoK9J7Io8jhgetdbr9S1WTSGBonaXZgc52FNsaaDU+VIp +TGTYU5SFloUyOu/e095eAf9Q867pAPcE5zArfKpXEBLbJwhLFwrsKPk/WZM7Yaxs +mihnXyZWWTA1sPZlVJu7/abJ2v0= +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,8CE4AB01D39EC5B3 + +KUkwAyP6ba59QAdDbaXGLmtxtrAilKjFVB+2eawq2Arpumu4cl1joeLtMANF9f1f +afG5FDATYke6C0FMD/bfF4VkUcVUq+Daw8uS5LkDTYjRqrxE4nCLBhxDJdNiIhUi +VNuTMITqcpOOU77nUu2O5LW9Z40F6H9x86SeHOeY0IrmhlFVgHuxr81jdrd8OLYK +7DkKPUa5F331fAkknOQIYnhmCXeHtlTv8ozU5bfBc6TePAL6Y1jn7Hv7EB9C2yYU +6qejxzKBgxWWWuYU21K0gayPmq8gAKyfi21xSxFR+a9GxRlf+K/x07i7w7oT6QLh +Qft76I+UER2jYYeQm3sxEeLBq9nDb2HfSjOnLjh3J2c5Tp9B2dmLxPk2hHim4cUn +nyE8lGDwt/+t6lM8GWfAPn92r2/YOQWr+MXcwE7hi8NZp4cjRR+UqXc0p4+3rKzQ +IuD5CGgtx78sxMrAxfwvkedmYpjf9L8nGWdbivOI25mNKSXhEjMNzv+lC6nLQE7o +6LLA3voN+SiVh7wu45FMJHsz1JOjUjwYXS931GsHyd/sy9q7wUkzokKc1WHML2vl +NglC/4w3NOuEYm5ZDlu6QYQh2uIg/pHPO3am2NTjffjFV0uXEZGd0Qw3gPv9gPNv +iMRa+6vQfl97xOYOtep4yp5L7XatoLMrVmboykdrojUuAQSiZgfwIR/f/NPbVvHp +q3/fadE2hLpkkSJjPm5ensFXoLn14QTdVpKl3mjnAa0rb8q5edz4d8r644NHaYH0 +nxToTdZpSH7uGAuOMZwvUaKT//hojKBj6hjlDuVJWs/kwRHbWJEd4A== +-----END RSA PRIVATE KEY----- + +8. crl issuer for dumca, the certificate and key +-----BEGIN CERTIFICATE----- +MIICPTCCAaagAwIBAgIBBjANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTAeFw0wOTA0MjcwMjI0MzVaFw0yOTAxMTIwMjI0MzVa +MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz +cy1EMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCcDDBVR9IPJq6ND9z3Wpsv +s0VfJief2QW6U7fNYAnpD4eXNXdwWtZvybMI12crUp31AWzjIaffsBzlFjBO3vKn +edJ+Om2nhqPPT31nDIWIx1VdS7jL+XoFpo8QgzJQpX0rDZNhaTbQcgnuRhzOZ+x2 +AzxxQf7aMI6YQ5xklO1ftQIDAQABo3cwdTAdBgNVHQ4EFgQUYqt5Hbekj/p4UkfY +sP4Ma5HdTpkwRwYDVR0jBEAwPoAUgiXdIaZeT3QA/SGUvh854OJVyxuhI6QhMB8x +CzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMAsGA1UdDwQEAwIBAjAN +BgkqhkiG9w0BAQQFAAOBgQAMBqjEfALPFj+asQfTjSqXZimybm5WCYJcv92WAaFm +2aJe08jUKCwCVo29CFMMgVG5X0UhEP+ude9RyonYNrMg84hFrQdZSto4Co5yfCGi +SMaa91gkN8/W4VKFjDoooOQ/9o6i22OC7av6+r+qhGMsop5mqRMumAM+C00dy1m6 +5g== +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,FE34D030ADCF25E5 + +V+hWLshb8wbqv8MqBFVZUBK3T995hc6xxWt9wn1aFVcvoxSmWQ20/9LdYDFNhf5j +3grRdy6sBmQY1Ch73Q1N8egl0FlqqttBY62ulpVQFCYcYhCSMJKSDJyw5pYlQjd4 +LpVXhqsTCB1KdeOVkdB45Ljg7wy+idWfo6U0pAPjhnbPysZWuPrIGVIrVfDMz1tw +ohuh/NOsF8r2w/U3zBaGKoeW/TGkxXBCKhMU78fve5ytEwv9Gp5m1O5yHJDqNC1M +gtAQvvXifeLaCRfOpQtCHGuoR0fhdOnQPJQ/4Nre/dRG8zDVa3FKvWjMPbse4cxJ +OljgVyd7UWrnUvnlNufI3T069b6aAfk16eLz9RAJZNZfpXflboRcaHW9VmjU8m7Y +ir353hxKQk+P+lU2Ysmu7hx/QKmfG8aKI+r7tXnm1J0dmbeOZE69i4lhvXNvx1N2 +kPNKXsQ3kMKdJNVg5TQrUaqa7GtdQlg3Nr+FpaZ5aZJhTNFejQZrTV9bnQHob0q2 +1KCveDPOy2qtRY/mK+BnlNwGx1Ti87iGHv0Om8tXI53G0UkJs3LMI5JPcmHXVC1c +skU6nAxhdNPSDN7EBMF80xte99qQTTtDbYQbIqMtd8lCP4HaYhTtlBeaROuntEjx +3XDXVIHKHxSsrrKn/dE8Ls7tv1j0XxarzGekhQWZ6xbxxursiMstZUfDeQR7SlwC +a3Lem76iGo2BqZd6wbv0i45P2hVQ8DuNhmOphC7DTFQmudOnFJKHPp8pmca+LGfV +dgFmct3vSnWjnTvRDktFblfYa0r0QZDSKZt7TiI4QjR5iqP8WEziKA== +-----END RSA PRIVATE KEY----- + +9. end entity certificate issued by subca, Alice +-----BEGIN CERTIFICATE----- +MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0 +MzZaFw0yOTAxMTIwMjI0MzZaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt +cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG +9w0BAQEFAAOBjQAwgYkCgYEAvYSaU3oiE4Pxp/aUIXwMqOwSiWkZ+O3aTu13hRtK +ZyR+Wtj63IuvaigAC4uC+zBypF93ThjwCzVR2qKDQaQzV8CLleO96gStt7Y+i3G2 +V3IUGgrVCqeK7N6nNYu0wW84sibcPqG/TIy0UoaQMqgB21xtRF+1DUVlFh4Z89X/ +pskCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBSynMEdcal/e9TmvlNE +4suXGA4+hjAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG +9w0BAQQFAAOBgQB/jru7E/+piSmUwByw5qbZsoQZVcgR97pd2TErNJpJMAX2oIHR +wJH6w4NuYs27+fEAX7wK4whc6EUH/w1SI6o28F2rG6HqYQPPZ2E2WqwbBQL9nYE3 +Vfzu/G9axTUQXFbf90h80UErA+mZVxqc2xtymLuH0YEaMZImtRZ2MXHfXg== +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,3616B3F098ED6707 + +uXoAPYIUINSr8Cc67K1XdLPO/toBasXYJAYYodq+qMsqYVhjgUgzJWYBwayav04Y +tPgID3f4olLMQP77h5nHLArQCdgI3ZmKDZ6tYR7c2YglTqO1h4pzptv3Csc6lsnr +zYS43Wg5YK8lAVxAbaDqG/xRiJhEG6+Xqno/lyDSUcDjcsyULWCf1mUZUR66fpnO +Kcvmec3RFS6PPpYKJ/3Hl6Px5TsnSMEgb8OIrLik4Tj08XhdBEZxTJcyA1JPeAUP +PH9hm+TWb3E+kDywpItMlTFIhS6b41JGo6Rq6HwVYquCoE4NO32vovd57u5R20yy +3mfzc0udAYDD8drnzp2XPridqy47m/zFpVgfYU+irH3uW/n1QSB0w3fdCRXNEl6c +5dAAwwIR1Pn+RAVUvZ7sQ/qReSOHg85uH7FjY9+m4d4vtf8aV410pyDbaNnevvfK +fTiwmopWujL9sJoZZYP04QZ1f+8aGA41dWS837d9e2F/9BtI5zlymEhLs8UFHziJ +Cw41xnOHHaoxtDFSvSmc2G6o0jfwJ0AZf8toyB5kj+rd5iu2Z1Kmk8vd4bK5SCwT +dZRLri75Hyns7fLMXuzOrJXLaYkLp7gk2YaN368M7mj2Z7yLBV0CoVopS2tfRVJn +fzaxyrkzmZKPKq+m8+UjnlwRW7yR+2RYlFNP3/KemB2i+nXd35f1QCZqb20Lmbbx +jDc1CxESY1wzY5oqUGXeFapbM4YKhQQ5BK90AjVfss1ymBT5vhSjoJSIW2yeklcI +F/WuQ/CrBlmODbiM2LsQMTSoYcAIOUaRcVh/7kvlOlQ= +-----END RSA PRIVATE KEY----- + +10. end entity certificate issued by subca, Bob +-----BEGIN CERTIFICATE----- +MIICNTCCAZ6gAwIBAgIBAzANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0 +MzdaFw0yOTAxMTIwMjI0MzdaMD8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt +cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQwwCgYDVQQDEwNCb2IwgZ8wDQYJKoZIhvcN +AQEBBQADgY0AMIGJAoGBANHxsJI6N5CawwUWJ63i2bvgdHzrsKUeBs7CXEIovPll ++utfqwJGGkkiW9FVxQ2NQfMoHKdSrbLQaZ4I6U75yh40ZiSgSCELzlW8JC48kX7u +txYJzszjT6lATW+mRdMoO0guxAS4NcldoFHZ0nLkAvhRRpZgdS+wdc0LODxeplqT +AgMBAAGjTzBNMAsGA1UdDwQEAwID6DAdBgNVHQ4EFgQU2yqQyfYTig4K30lCbEsR +rSrhM6UwHwYDVR0jBBgwFoAU9P5zT/FqcsZmKyAaeLTfMtPI8NowDQYJKoZIhvcN +AQEEBQADgYEAn6j1wY0G5dieYdwUBAJuh6zP1Cu+J12NgdetHAaN6Q3tP339ToCi +C2NQYvFSwOZ7CKf2ofQq5qWA4EFd7PNxpYaVjhhxzkeQRuv/r/sA3rH+01MPx5ob +N1wXY5QmBOuHJIKroNH60u9GzOIGIANZuYWsluw4spWRpvOdqudJWlg= +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,3DD8B45BA8A57B72 + +cC15d0phhzxu+Y3FMLu22WejN0JEVGCD0Qbwz73+ahVCqivd7aaipXfnuyuIJW12 +ZHKR0ixZUwezRqqM0/D4vKyFR9giJ14A5Tk7RFzimm0JqdJYRXrmVEp+QdVYbJFC +5ncmU/KCAJcHwewixbjo5pkrWNDpIWeIqI8F6rvY1MLSMCCwYfr+1SP5U6AB3+1T +yySvWwK+TIAgVMNjhDKlJ78BxQ3C/AMw5grAU0t2jmuuuXJPML72mQ95ZBgcJsRF +S0walZGZlK+p9S/b4EVzO+oaR1icazH1WJTyuzKOOurlFjFk3tmsnhNuWQTkNjgV +wKODHLA8E8tBajYAYmkQX+uQOmol9LXSOrQFrxvHF3dWC5giOtPYeh9ibEFx+RMu +2EmkF/9VFxzh+kK9KL2qplm4K3HoL/v9g/LlKowjQlr7LoJRCRDOmESCUWX0JPPB +nD01HvyRjgpUAeKtxR3hjH3CrUM1rdLAJaFi1RzgjvXeXhX5stD3X6UCWFbeBBh1 +yic4RIGYWjqE7RJRd/Q+/11rCkONg9stYcpe1PL5fJWSC8Sixo6XQTQDbxOJBQbr +gCoUFfCcN8nOYdSe2wWrE/l7r/mRFYbwlErlpomSaxye5yzXhombnZ2k4jNKylEp +TMsvFtVXFyoLWFqhtrv/Sg+0zDox1HMx+qzePYsz9+/rrS7ej6b5c8r6yqmg7nHn +XM4REA46bWcAVjkLNpNZU4i0iURrkjuK0uVFYfnFIxrvGLys8dzH+xAfAHcP0zZ3 +/K54gAGk4ZVVXOt8JKOVxAOj2+8f0Gbf28leRx/VOJlEZBpU6UVg4g== +-----END RSA PRIVATE KEY----- + +10. end entity certificate issued by subca, Susan +-----BEGIN CERTIFICATE----- +MIICNzCCAaCgAwIBAgIBBDANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ +MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0wOTA0MjcwMjI0 +MzhaFw0yOTAxMTIwMjI0MzhaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt +cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVTdXNhbjCBnzANBgkqhkiG +9w0BAQEFAAOBjQAwgYkCgYEAyPKlfep+EIIUOpZF3xtYUhAx79qEqe2RPRcH2YeR +1ogM8+AZMdcXoiuDl4CFLzQwRv1DSKUZAPdPbROLVDsUn+IGvgn2jnE7ZQEUtQQJ ++rorcasE7bo5MBPuno/0oQRi/4MZn6lX3qB13ZUHAvZH96oCF6C3Ro19LAwav1Lo +FRcCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBTCUH1tqQk96Pocr8Is +tDKMoIRQljAfBgNVHSMEGDAWgBT0/nNP8WpyxmYrIBp4tN8y08jw2jANBgkqhkiG +9w0BAQQFAAOBgQB3YXuTA+QfaImQ2aN/e27Nv5a/FMml6y6t0+pzt5hUYG2W0C2f +5Hdmf3whNCA7zE5RVDQP0iuGBPgjvrABuN98Vimv2eTV+N5aYTak0Aav/OuR5Lpi +tYhXMMg5gSmT+JDARba4CX+Ap1oAaNe9Mtv8L6FWdvBqfzzifDHWavdIWA== +-----END CERTIFICATE----- + +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,A03CB9ABBA747E7A + +YhChWe6DOA1Ck5BAjWrHmPkHcS9x5pDw81p31gSf7SE9MCwfsvAIq9jZ7xol3cIJ +5dhbXtBaJIRghke11McQ6zM2DE+9izCO4itedw94i95jSzgpEHTk6gwp9MuomSsm +ytrqIhwEtVC8PaQmywqshKWnpDn3tZESwySNZjUjzHhyzn2Vuyrb0WaHmw3uk33O +7muGNkmn/1yP1qRyJ3YSGcMNpk2zvJDZS5CfJH9sb00+LL4PTKg4dymw4Vjk7b5f +P5JGLbFCBbQ73CwSNLsQGV4qGz7AnRhsmPmNughshOoLKSEAxUsRHE67qyl+Flx0 +KZEGeKZUJD9fzgMMdNoYk0Pg9zxzM1oNewxsFk2tTrtMfGq+XFokWKfJoQWguStY +BJWETGrSbXiDMIE93gX40C2zlT06ziOYfFCXeVRcBarolonTrOXt3RZzsQpY4lTz +AAGrb2I9ZByL59ujfniTqljtBpuCKAm+jS0ofcGlQQ0MawtSOeSbQkFKHcKpcK0V +cKMFL3sEzeJf+1LCt7Xnt4gaoXtTpVoWVWFZkghDSmIAHzKaWHAHn5PcUjwAAZHb +47IRq+pe1WLc+tb61+E2jkhFC06QOSxmWSV3CHfMZTxkXX7B7RCiqs+tVH5Vlj/C +ZhkSfmANUVPW1H0KXsDq6lzrEnvaZXZIzTLvj+OsLcG1anXdwPn0NPikfRU0GTvA +fCzg7ZWlexJgl5I48X7AzpHpTPGAHGeNpYjzGWbxmC0KREcAM0yD15uFVac/ZIVI +TO0icmSiRoshC70zo9/u2hUP1e4+s1vl0laq0WjGfFORE1JZ1Cs2Dg== +-----END RSA PRIVATE KEY----- + diff -Nru openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathValidator/OCSP/AIACheck.java openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathValidator/OCSP/AIACheck.java --- openjdk-6-6b37-1.13.9/jdk/test/java/security/cert/CertPathValidator/OCSP/AIACheck.java 2015-11-11 01:20:43.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/java/security/cert/CertPathValidator/OCSP/AIACheck.java 2016-01-20 01:47:58.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2004, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -21,12 +21,19 @@ * questions. */ +// +// Security properties, once set, cannot revert to unset. To avoid +// conflicts with tests running in the same VM isolate this test by +// running it in otherVM mode. +// + /** * @test * @bug 5072953 * @summary Verify that the URL for an OCSP responder can be extracted from a * certificate's AuthorityInfoAccess extension when OCSP certifiate * validation has been enabled. + * @run main/othervm AIACheck */ import java.io.*; @@ -51,6 +58,10 @@ } public static void main(String args[]) throws Exception { + // MD5 is used in this test case, don't disable MD5 algorithm. + Security.setProperty( + "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); + X509Certificate aiaCert = loadCertificate("AIACert.pem"); X509Certificate rootCert = loadCertificate("RootCert.pem"); diff -Nru openjdk-6-6b37-1.13.9/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphers.java openjdk-6-6b38-1.13.10/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphers.java --- openjdk-6-6b37-1.13.9/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphers.java 1970-01-01 00:00:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphers.java 2016-01-20 01:47:58.000000000 +0000 @@ -0,0 +1,272 @@ +/* + * Copyright (c) 2008, 2011, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/** + * @test %I% %E% + * @bug 4898461 + * @summary basic test for symmetric ciphers with padding + * @author Valerie Peng + * @library .. + */ +import java.io.*; +import java.nio.*; +import java.util.*; + +import java.security.*; +import java.security.spec.AlgorithmParameterSpec; + +import javax.crypto.*; +import javax.crypto.spec.IvParameterSpec; + +public class TestSymmCiphers extends PKCS11Test { + + private static class CI { // class for holding Cipher Information + + String transformation; + String keyAlgo; + int dataSize; + + CI(String transformation, String keyAlgo, int dataSize) { + this.transformation = transformation; + this.keyAlgo = keyAlgo; + this.dataSize = dataSize; + } + } + private static final CI[] TEST_LIST = { + new CI("ARCFOUR", "ARCFOUR", 400), + new CI("RC4", "RC4", 401), + new CI("DES/CBC/NoPadding", "DES", 400), + new CI("DESede/CBC/NoPadding", "DESede", 160), + new CI("AES/CBC/NoPadding", "AES", 4800), + new CI("Blowfish/CBC/NoPadding", "Blowfish", 24), + new CI("DES/cbc/PKCS5Padding", "DES", 6401), + new CI("DESede/CBC/PKCS5Padding", "DESede", 402), + new CI("AES/CBC/PKCS5Padding", "AES", 30), + new CI("Blowfish/CBC/PKCS5Padding", "Blowfish", 19), + new CI("DES/ECB/NoPadding", "DES", 400), + new CI("DESede/ECB/NoPadding", "DESede", 160), + new CI("AES/ECB/NoPadding", "AES", 4800), + new CI("DES/ECB/PKCS5Padding", "DES", 32), + new CI("DES/ECB/PKCS5Padding", "DES", 6400), + new CI("DESede/ECB/PKCS5Padding", "DESede", 400), + new CI("AES/ECB/PKCS5Padding", "AES", 64), + new CI("DES", "DES", 6400), + new CI("DESede", "DESede", 408), + new CI("AES", "AES", 128) + }; + private static StringBuffer debugBuf = new StringBuffer(); + + public void main(Provider p) throws Exception { + // NSS reports CKR_DEVICE_ERROR when the data passed to + // its EncryptUpdate/DecryptUpdate is not multiple of blocks + int firstBlkSize = 16; + boolean status = true; + Random random = new Random(); + try { + for (int i = 0; i < TEST_LIST.length; i++) { + CI currTest = TEST_LIST[i]; + System.out.println("===" + currTest.transformation + "==="); + try { + KeyGenerator kg = + KeyGenerator.getInstance(currTest.keyAlgo, p); + SecretKey key = kg.generateKey(); + Cipher c1 = Cipher.getInstance(currTest.transformation, p); + Cipher c2 = Cipher.getInstance(currTest.transformation, + "SunJCE"); + + byte[] plainTxt = new byte[currTest.dataSize]; + random.nextBytes(plainTxt); + System.out.println("Testing inLen = " + plainTxt.length); + + c2.init(Cipher.ENCRYPT_MODE, key); + AlgorithmParameters params = c2.getParameters(); + byte[] answer = c2.doFinal(plainTxt); + System.out.println("Encryption tests: START"); + test(c1, Cipher.ENCRYPT_MODE, key, params, firstBlkSize, + plainTxt, answer); + System.out.println("Encryption tests: DONE"); + c2.init(Cipher.DECRYPT_MODE, key, params); + byte[] answer2 = c2.doFinal(answer); + System.out.println("Decryption tests: START"); + test(c1, Cipher.DECRYPT_MODE, key, params, firstBlkSize, + answer, answer2); + System.out.println("Decryption tests: DONE"); + } catch (NoSuchAlgorithmException nsae) { + System.out.println("Skipping unsupported algorithm: " + + nsae); + } + } + } catch (Exception ex) { + // print out debug info when exception is encountered + if (debugBuf != null) { + System.out.println(debugBuf.toString()); + debugBuf = new StringBuffer(); + } + throw ex; + } + } + + private static void test(Cipher cipher, int mode, SecretKey key, + AlgorithmParameters params, int firstBlkSize, + byte[] in, byte[] answer) throws Exception { + // test setup + long startTime, endTime; + cipher.init(mode, key, params); + int outLen = cipher.getOutputSize(in.length); + //debugOut("Estimated output size = " + outLen + "\n"); + + // test data preparation + ByteBuffer inBuf = ByteBuffer.allocate(in.length); + inBuf.put(in); + inBuf.position(0); + ByteBuffer inDirectBuf = ByteBuffer.allocateDirect(in.length); + inDirectBuf.put(in); + inDirectBuf.position(0); + ByteBuffer outBuf = ByteBuffer.allocate(outLen); + ByteBuffer outDirectBuf = ByteBuffer.allocateDirect(outLen); + + // test#1: byte[] in + byte[] out + //debugOut("Test#1:\n"); + + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + + startTime = System.nanoTime(); + byte[] temp = cipher.update(in, 0, firstBlkSize); + if (temp != null && temp.length > 0) { + baos.write(temp, 0, temp.length); + } + temp = cipher.doFinal(in, firstBlkSize, in.length - firstBlkSize); + if (temp != null && temp.length > 0) { + baos.write(temp, 0, temp.length); + } + byte[] testOut1 = baos.toByteArray(); + endTime = System.nanoTime(); + perfOut("stream InBuf + stream OutBuf: " + + (endTime - startTime)); + match(testOut1, answer); + + // test#2: Non-direct Buffer in + non-direct Buffer out + //debugOut("Test#2:\n"); + //debugOut("inputBuf: " + inBuf + "\n"); + //debugOut("outputBuf: " + outBuf + "\n"); + + startTime = System.nanoTime(); + cipher.update(inBuf, outBuf); + cipher.doFinal(inBuf, outBuf); + endTime = System.nanoTime(); + perfOut("non-direct InBuf + non-direct OutBuf: " + + (endTime - startTime)); + match(outBuf, answer); + + // test#3: Direct Buffer in + direc Buffer out + //debugOut("Test#3:\n"); + //debugOut("(pre) inputBuf: " + inDirectBuf + "\n"); + //debugOut("(pre) outputBuf: " + outDirectBuf + "\n"); + + startTime = System.nanoTime(); + cipher.update(inDirectBuf, outDirectBuf); + cipher.doFinal(inDirectBuf, outDirectBuf); + endTime = System.nanoTime(); + perfOut("direct InBuf + direct OutBuf: " + + (endTime - startTime)); + + //debugOut("(post) inputBuf: " + inDirectBuf + "\n"); + //debugOut("(post) outputBuf: " + outDirectBuf + "\n"); + match(outDirectBuf, answer); + + // test#4: Direct Buffer in + non-direct Buffer out + //debugOut("Test#4:\n"); + inDirectBuf.position(0); + outBuf.position(0); + //debugOut("inputBuf: " + inDirectBuf + "\n"); + //debugOut("outputBuf: " + outBuf + "\n"); + + startTime = System.nanoTime(); + cipher.update(inDirectBuf, outBuf); + cipher.doFinal(inDirectBuf, outBuf); + endTime = System.nanoTime(); + perfOut("direct InBuf + non-direct OutBuf: " + + (endTime - startTime)); + match(outBuf, answer); + + // test#5: Non-direct Buffer in + direct Buffer out + //debugOut("Test#5:\n"); + inBuf.position(0); + outDirectBuf.position(0); + + //debugOut("(pre) inputBuf: " + inBuf + "\n"); + //debugOut("(pre) outputBuf: " + outDirectBuf + "\n"); + + startTime = System.nanoTime(); + cipher.update(inBuf, outDirectBuf); + cipher.doFinal(inBuf, outDirectBuf); + endTime = System.nanoTime(); + perfOut("non-direct InBuf + direct OutBuf: " + + (endTime - startTime)); + + //debugOut("(post) inputBuf: " + inBuf + "\n"); + //debugOut("(post) outputBuf: " + outDirectBuf + "\n"); + match(outDirectBuf, answer); + + debugBuf = null; + } + + private static void perfOut(String msg) { + if (debugBuf != null) { + debugBuf.append("PERF>" + msg); + } + } + + private static void debugOut(String msg) { + if (debugBuf != null) { + debugBuf.append(msg); + } + } + + private static void match(byte[] b1, byte[] b2) throws Exception { + if (b1.length != b2.length) { + debugOut("got len : " + b1.length + "\n"); + debugOut("expect len: " + b2.length + "\n"); + throw new Exception("mismatch - different length! got: " + b1.length + ", expect: " + b2.length + "\n"); + } else { + for (int i = 0; i < b1.length; i++) { + if (b1[i] != b2[i]) { + debugOut("got : " + toString(b1) + "\n"); + debugOut("expect: " + toString(b2) + "\n"); + throw new Exception("mismatch"); + } + } + } + } + + private static void match(ByteBuffer bb, byte[] answer) throws Exception { + byte[] bbTemp = new byte[bb.position()]; + bb.position(0); + bb.get(bbTemp, 0, bbTemp.length); + match(bbTemp, answer); + } + + public static void main(String[] args) throws Exception { + main(new TestSymmCiphers()); + } +} diff -Nru openjdk-6-6b37-1.13.9/jdk/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java openjdk-6-6b38-1.13.10/jdk/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java --- openjdk-6-6b37-1.13.9/jdk/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java 2015-11-11 01:20:42.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/sun/security/pkcs11/sslecc/ClientJSSEServerJSSE.java 2016-01-20 01:47:58.000000000 +0000 @@ -47,6 +47,10 @@ } public void main(Provider p) throws Exception { + // MD5 is used in this test case, don't disable MD5 algorithm. + Security.setProperty( + "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); + if (p.getService("KeyFactory", "EC") == null) { System.out.println("Provider does not support EC, skipping"); return; diff -Nru openjdk-6-6b37-1.13.9/jdk/test/sun/security/provider/certpath/DisabledAlgorithms/CPBuilderWithMD5.java openjdk-6-6b38-1.13.10/jdk/test/sun/security/provider/certpath/DisabledAlgorithms/CPBuilderWithMD5.java --- openjdk-6-6b37-1.13.9/jdk/test/sun/security/provider/certpath/DisabledAlgorithms/CPBuilderWithMD5.java 1970-01-01 00:00:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/sun/security/provider/certpath/DisabledAlgorithms/CPBuilderWithMD5.java 2016-01-20 01:47:58.000000000 +0000 @@ -0,0 +1,449 @@ +/* + * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +// This test case relies on static security property, no way to re-use +// security property in samevm/agentvm mode. + +/** + * @test + * + * @bug 8141287 + * @summary Add MD5 to jdk.certpath.disabledAlgorithms security property + * + * @run main/othervm CPBuilderWithMD5 trustAnchor_SHA1withRSA_1024 0 true + * @run main/othervm CPBuilderWithMD5 trustAnchor_SHA1withRSA_512 0 true + * @run main/othervm CPBuilderWithMD5 intermediate_SHA1withRSA_1024_1024 1 true + * @run main/othervm CPBuilderWithMD5 intermediate_SHA1withRSA_1024_512 1 false + * @run main/othervm CPBuilderWithMD5 intermediate_SHA1withRSA_512_1024 1 false + * @run main/othervm CPBuilderWithMD5 intermediate_SHA1withRSA_512_512 1 false + * @run main/othervm CPBuilderWithMD5 intermediate_MD5withRSA_1024_1024 1 false + * @run main/othervm CPBuilderWithMD5 intermediate_MD5withRSA_1024_512 1 false + * @run main/othervm CPBuilderWithMD5 endentiry_SHA1withRSA_1024_1024 2 true + * @run main/othervm CPBuilderWithMD5 endentiry_SHA1withRSA_1024_512 2 false + * @run main/othervm CPBuilderWithMD5 endentiry_SHA1withRSA_512_1024 2 false + * @run main/othervm CPBuilderWithMD5 endentiry_SHA1withRSA_512_512 2 false + * @run main/othervm CPBuilderWithMD5 endentiry_MD5withRSA_1024_1024 2 false + * @run main/othervm CPBuilderWithMD5 endentiry_MD5withRSA_1024_512 2 false + * + * @author Xuelei Fan + */ + +/* + * The generate.sh was designed to generate MD2 signed certificates. The + * certificates used in this test are generated by an updated generate.sh that + * replacing MD2 with MD5 algorithm. + */ +import java.io.*; +import java.net.SocketException; +import java.util.*; +import java.security.Security; +import java.security.cert.*; +import sun.security.util.DerInputStream; + +public class CPBuilderWithMD5 { + + // SHA1withRSA 1024 + static String trustAnchor_SHA1withRSA_1024 = + "-----BEGIN CERTIFICATE-----\n" + + "MIICPjCCAaegAwIBAgIBADANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0xMzEyMjgxMTA4NTFaFw0zNDEyMDgxMTA4NTFa\n" + + "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMIGfMA0GCSqGSIb3DQEB\n" + + "AQUAA4GNADCBiQKBgQDn3JSHACqi/bcohVy7eFqDs3L5ehnXmF9Jrg4rMRUeNrxA\n" + + "61F8bJ9JXx4j8WyqmT0TtokgXuqGxbsXRQVVw4AdXLF2PwCs/y+Y+AwU59uDHA3J\n" + + "AMk4VvjV9MB2Ea6YzuLnbbj/TNrfxB6LZ7KBvh0fYGt2T40yMvOvilU/f6e3zQID\n" + + "AQABo4GJMIGGMB0GA1UdDgQWBBSIxINDFVm8GpUz3v+BbWNmDEKP7TBHBgNVHSME\n" + + "QDA+gBSIxINDFVm8GpUz3v+BbWNmDEKP7aEjpCEwHzELMAkGA1UEBhMCVVMxEDAO\n" + + "BgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAgQw\n" + + "DQYJKoZIhvcNAQEFBQADgYEAt0mYDXTpInrGvEOylIL2gx65A/bpdz9iDQsSs5sZ\n" + + "r3m0v9zJnzR8lRqN4GbaD1vrFdkUrIoObcvXjXitnf5QqDzmc9BbIYj83Ft8QSUj\n" + + "jCMy04EGT/7ATss4SiFEu6sJpmOBjsgH6wYuobR27wl/01XOu2CXUo3OOjgAoPBs\n" + + "QoQ=\n" + + "-----END CERTIFICATE-----"; + + // SHA1withRSA 512 + static String trustAnchor_SHA1withRSA_512 = + "-----BEGIN CERTIFICATE-----\n" + + "MIIBuTCCAWOgAwIBAgIBADANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0xMzEyMjgxMTA4NTFaFw0zNDEyMDgxMTA4NTFa\n" + + "MB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMFwwDQYJKoZIhvcNAQEB\n" + + "BQADSwAwSAJBANLqQkOpH7rBTo/a2ccYjJxvNib/Lxm6UXO1uAd/0AUzPWzJsOpB\n" + + "u2zyD26UYc0GNyXCkWMZ44FrtSQ8VI146j8CAwEAAaOBiTCBhjAdBgNVHQ4EFgQU\n" + + "5PVLxBY//smN31jHb/MAmCEz5NIwRwYDVR0jBEAwPoAU5PVLxBY//smN31jHb/MA\n" + + "mCEz5NKhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlggEAMA8G\n" + + "A1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMA0GCSqGSIb3DQEBBQUAA0EAzF9E\n" + + "dXYPLqziCRY45IHCUtxaLjLQmwsjEu91TV4xyuuozGEumcqH7m6Hg6Ohnd1FGfsN\n" + + "X+vt1tdaDIu9+OzGjQ==\n" + + "-----END CERTIFICATE-----"; + + // SHA1withRSA 1024 signed with RSA 1024 + static String intermediate_SHA1withRSA_1024_1024 = + "-----BEGIN CERTIFICATE-----\n" + + "MIICUDCCAbmgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0xMzEyMjgxMTA5MDlaFw0zMzA5MTQxMTA5MDla\n" + + "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + + "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/m9wdJT0HR+exquh2Q2Yq\n" + + "XvL9HtEsCabCikd0Vjuoi3sZJ/5SBbbHTvh7z7enW0NEpLHQee0ry5FW8mLxDtrR\n" + + "38NjE9W7zutucBG5WztwGuvcts13aEw+vH+EwhokJW9PXz9Do+y4PTJo3vdsk7Zs\n" + + "bGVY9+YjvlgEaozWXZ1JhQIDAQABo4GJMIGGMB0GA1UdDgQWBBQIsaDZL94kLug/\n" + + "A1N4EkNOA4z47DBHBgNVHSMEQDA+gBSIxINDFVm8GpUz3v+BbWNmDEKP7aEjpCEw\n" + + "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" + + "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEFBQADgYEA0673aIUF2k20jkpR\n" + + "4USN9UkbfX57Uazhl4n765EeAiteWnTzKztISeH1GTrCw7bSl1r07aaflsnbKOHC\n" + + "RrL2RxbxNwQARvuuCxr664vXnsGrt86xA5F2iNF22uDM/5HA5sIfBmEk5xXSLrgH\n" + + "I7jOaYqAA1b8C+4DU2Z5ZgO4LOA=\n" + + "-----END CERTIFICATE-----"; + + // SHA1withRSA 1024 signed with RSA 512 + static String intermediate_SHA1withRSA_1024_512 = + "-----BEGIN CERTIFICATE-----\n" + + "MIICDzCCAbmgAwIBAgIBBDANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0xMzEyMjgxMTA5MDlaFw0zMzA5MTQxMTA5MDla\n" + + "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + + "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/m9wdJT0HR+exquh2Q2Yq\n" + + "XvL9HtEsCabCikd0Vjuoi3sZJ/5SBbbHTvh7z7enW0NEpLHQee0ry5FW8mLxDtrR\n" + + "38NjE9W7zutucBG5WztwGuvcts13aEw+vH+EwhokJW9PXz9Do+y4PTJo3vdsk7Zs\n" + + "bGVY9+YjvlgEaozWXZ1JhQIDAQABo4GJMIGGMB0GA1UdDgQWBBQIsaDZL94kLug/\n" + + "A1N4EkNOA4z47DBHBgNVHSMEQDA+gBTk9UvEFj/+yY3fWMdv8wCYITPk0qEjpCEw\n" + + "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" + + "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEFBQADQQAihshnF7RWZ13tUGsH\n" + + "iM4i8HmBjw2+pwW/cs0E8BcycYEy3beWMcL1Np2yfOa/7K5ZvGPhe/piwzTel+Kt\n" + + "5VLm\n" + + "-----END CERTIFICATE-----"; + + // SHA1withRSA 512 signed with RSA 1024 + static String intermediate_SHA1withRSA_512_1024 = + "-----BEGIN CERTIFICATE-----\n" + + "MIICDDCCAXWgAwIBAgIBBTANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0xMzEyMjgxMTA5MDlaFw0zMzA5MTQxMTA5MDla\n" + + "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + + "cy0xMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAK4h/iW3wt+ugR5ObWiFSl394UU/\n" + + "lWNm+N6UAgsBRhSzZz/Iof7xZTQI+usNXzOrTnU3+uZsMgokpjkrko1osxUCAwEA\n" + + "AaOBiTCBhjAdBgNVHQ4EFgQU88OD48Osuh7lJiLnhfMhrySqW8QwRwYDVR0jBEAw\n" + + "PoAUiMSDQxVZvBqVM97/gW1jZgxCj+2hI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" + + "VQQKEwdFeGFtcGxlggEAMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMA0G\n" + + "CSqGSIb3DQEBBQUAA4GBAAHN8XUTT6asa1MvpfqAvKTH6tNrMOmzoFsUamPxSrUB\n" + + "tnBv/fa/E9+1QvQwl3g6luVXBkQf2/nVD0195IdkEuD/C6psuGKerXmiaRMv5Wcs\n" + + "B+8bTzhNxMzHKPZDJ8Tf/RD3XpPvtxw0T+I5xud68FH/WDhJtu7TiXPAhs7srtHt\n" + + "-----END CERTIFICATE-----"; + + // SHA1withRSA 512 signed with RSA 512 + static String intermediate_SHA1withRSA_512_512 = + "-----BEGIN CERTIFICATE-----\n" + + "MIIByzCCAXWgAwIBAgIBBjANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0xMzEyMjgxMTA5MDlaFw0zMzA5MTQxMTA5MDla\n" + + "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + + "cy0xMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAK4h/iW3wt+ugR5ObWiFSl394UU/\n" + + "lWNm+N6UAgsBRhSzZz/Iof7xZTQI+usNXzOrTnU3+uZsMgokpjkrko1osxUCAwEA\n" + + "AaOBiTCBhjAdBgNVHQ4EFgQU88OD48Osuh7lJiLnhfMhrySqW8QwRwYDVR0jBEAw\n" + + "PoAU5PVLxBY//smN31jHb/MAmCEz5NKhI6QhMB8xCzAJBgNVBAYTAlVTMRAwDgYD\n" + + "VQQKEwdFeGFtcGxlggEAMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgIEMA0G\n" + + "CSqGSIb3DQEBBQUAA0EASLN+1/pfo+9ty5EaYkoPu4QeYGr+5wmXyDceiaED/Lok\n" + + "RdV0ZH0qwD4kiarlJssNOgMCk+2EzgvXcIhEMDa5hA==\n" + + "-----END CERTIFICATE-----"; + + // MD5withRSA 1024 signed with RSA 1024 + static String intermediate_MD5withRSA_1024_1024 = + "-----BEGIN CERTIFICATE-----\n" + + "MIICUDCCAbmgAwIBAgIBBzANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0xMzEyMjgxMTA5MDlaFw0zMzA5MTQxMTA5MDla\n" + + "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + + "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/m9wdJT0HR+exquh2Q2Yq\n" + + "XvL9HtEsCabCikd0Vjuoi3sZJ/5SBbbHTvh7z7enW0NEpLHQee0ry5FW8mLxDtrR\n" + + "38NjE9W7zutucBG5WztwGuvcts13aEw+vH+EwhokJW9PXz9Do+y4PTJo3vdsk7Zs\n" + + "bGVY9+YjvlgEaozWXZ1JhQIDAQABo4GJMIGGMB0GA1UdDgQWBBQIsaDZL94kLug/\n" + + "A1N4EkNOA4z47DBHBgNVHSMEQDA+gBSIxINDFVm8GpUz3v+BbWNmDEKP7aEjpCEw\n" + + "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" + + "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADgYEAerx2je3FBVn2eoPs\n" + + "nTzLKILezqCTCO7mXWiyBidRhh4RGdM8JggMN5SRmuwRurxfYFgPfqmAenWtEFqO\n" + + "xZrTXQUvIrrEgpzqkfppFnkCh4kDsX4roD5Nho3J4MTBQkqE0r676Yq6Rp6cywCq\n" + + "CHQQztRGY7n/ZYRNJ3uzvuoT1tk=\n" + + "-----END CERTIFICATE-----"; + + // MD5withRSA 1024 signed with RSA 512 + static String intermediate_MD5withRSA_1024_512 = + "-----BEGIN CERTIFICATE-----\n" + + "MIICDzCCAbmgAwIBAgIBCDANBgkqhkiG9w0BAQQFADAfMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTAeFw0xMzEyMjgxMTA5MTBaFw0zMzA5MTQxMTA5MTBa\n" + + "MDExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFtcGxlMRAwDgYDVQQLEwdDbGFz\n" + + "cy0xMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC/m9wdJT0HR+exquh2Q2Yq\n" + + "XvL9HtEsCabCikd0Vjuoi3sZJ/5SBbbHTvh7z7enW0NEpLHQee0ry5FW8mLxDtrR\n" + + "38NjE9W7zutucBG5WztwGuvcts13aEw+vH+EwhokJW9PXz9Do+y4PTJo3vdsk7Zs\n" + + "bGVY9+YjvlgEaozWXZ1JhQIDAQABo4GJMIGGMB0GA1UdDgQWBBQIsaDZL94kLug/\n" + + "A1N4EkNOA4z47DBHBgNVHSMEQDA+gBTk9UvEFj/+yY3fWMdv8wCYITPk0qEjpCEw\n" + + "HzELMAkGA1UEBhMCVVMxEDAOBgNVBAoTB0V4YW1wbGWCAQAwDwYDVR0TAQH/BAUw\n" + + "AwEB/zALBgNVHQ8EBAMCAgQwDQYJKoZIhvcNAQEEBQADQQA3XGQPNin8cDIsJ4vx\n" + + "tTxUO6XVJoWOdTsjwzlMrPmLvjJNZeXLtQe3pQu0vjgyUpQ59VYLW3qKN/LF3UH0\n" + + "Ep7V\n" + + "-----END CERTIFICATE-----"; + + // SHA1withRSA 1024 signed with RSA 1024 + static String endentiry_SHA1withRSA_1024_1024 = + "-----BEGIN CERTIFICATE-----\n" + + "MIICNzCCAaCgAwIBAgIBAjANBgkqhkiG9w0BAQUFADAxMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0xMzEyMjgxMTA5\n" + + "MTJaFw0zMzA5MTQxMTA5MTJaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" + + "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" + + "9w0BAQEFAAOBjQAwgYkCgYEAvktJqK4/SvQrTyGgV8tM6zP/K5xQP1pFRipRKS8i\n" + + "2yaXdlW4jQBZWVXdfEsm8YwGwtXFKIlleALmgJcLldPwNm0qaKixL4mRJVMm4bXM\n" + + "UXCfmr+Im1SpA4Yum4VFCfIJ1kkeQkXqc57sCSfS+rFnC+1kSNa9wj+Mc4+5FR4k\n" + + "zqUCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBRDzLh/sWyTsdq1KKnG\n" + + "8e7JW1tPUDAfBgNVHSMEGDAWgBQIsaDZL94kLug/A1N4EkNOA4z47DANBgkqhkiG\n" + + "9w0BAQUFAAOBgQB2RkWHOaL4WTOGoeTS4J4o9FW+4UXihbocdI/64rMExERjDkE/\n" + + "Jh31TEmatnP1gPrF1AfmqQPubqVSbRtCHrZF+Ilk6L6YeyRNzKvsLiMUtgrLYLas\n" + + "Vop0DFZxR02xHgaJdoJkcWBjNadb9zG7eZtt8OOOJ4lRwg02aLTy+WDqPA==\n" + + "-----END CERTIFICATE-----"; + + // SHA1withRSA 1024 signed with RSA 512 + static String endentiry_SHA1withRSA_1024_512 = + "-----BEGIN CERTIFICATE-----\n" + + "MIIB9jCCAaCgAwIBAgIBAzANBgkqhkiG9w0BAQUFADAxMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0xMzEyMjgxMTA5\n" + + "MTJaFw0zMzA5MTQxMTA5MTJaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" + + "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" + + "9w0BAQEFAAOBjQAwgYkCgYEAvktJqK4/SvQrTyGgV8tM6zP/K5xQP1pFRipRKS8i\n" + + "2yaXdlW4jQBZWVXdfEsm8YwGwtXFKIlleALmgJcLldPwNm0qaKixL4mRJVMm4bXM\n" + + "UXCfmr+Im1SpA4Yum4VFCfIJ1kkeQkXqc57sCSfS+rFnC+1kSNa9wj+Mc4+5FR4k\n" + + "zqUCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBRDzLh/sWyTsdq1KKnG\n" + + "8e7JW1tPUDAfBgNVHSMEGDAWgBTzw4Pjw6y6HuUmIueF8yGvJKpbxDANBgkqhkiG\n" + + "9w0BAQUFAANBAIapvjECUm4YD4O99G0v2SM17cKQzjZtSWkScS7FSk4sxS+dP3hM\n" + + "Qb2UpoRl6CGynhOVVy2G/VJN8BEqOfywj8k=\n" + + "-----END CERTIFICATE-----"; + + // SHA1withRSA 512 signed with RSA 1024 + static String endentiry_SHA1withRSA_512_1024 = + "-----BEGIN CERTIFICATE-----\n" + + "MIIB8zCCAVygAwIBAgIBBDANBgkqhkiG9w0BAQUFADAxMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0xMzEyMjgxMTA5\n" + + "MTJaFw0zMzA5MTQxMTA5MTJaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" + + "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTBcMA0GCSqGSIb3\n" + + "DQEBAQUAA0sAMEgCQQCngiNTE+qngHcfj2jUpdc82gCw+TFRjR7oMSdp7b/3NwpD\n" + + "E+11z9WspoXTDzvbKcGUH9svFl691NyY0ZUmf+4RAgMBAAGjTzBNMAsGA1UdDwQE\n" + + "AwID6DAdBgNVHQ4EFgQUK+oVsFTQbz08evgQZ5Sd82c2y4UwHwYDVR0jBBgwFoAU\n" + + "CLGg2S/eJC7oPwNTeBJDTgOM+OwwDQYJKoZIhvcNAQEFBQADgYEAMd/8XnjRz5jK\n" + + "nbss9DDQQC2mUuCbV/tGdke7eQ1DtBVZLBU6wDgisGr52sUXmyZIPmSVKpQqwCG5\n" + + "8cY5uQhaNwPtPmMMKXzX32zN9NhVkiDNceL+zHs3vdjD1i/QiUTST+NKfLYVb6dF\n" + + "YMG65lxe3gMVxMweiHSZSukmk1k3gUA=\n" + + "-----END CERTIFICATE-----"; + + // SHA1withRSA 512 signed with RSA 512 + static String endentiry_SHA1withRSA_512_512 = + "-----BEGIN CERTIFICATE-----\n" + + "MIIBsjCCAVygAwIBAgIBBTANBgkqhkiG9w0BAQUFADAxMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0xMzEyMjgxMTA5\n" + + "MTJaFw0zMzA5MTQxMTA5MTJaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" + + "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTBcMA0GCSqGSIb3\n" + + "DQEBAQUAA0sAMEgCQQCngiNTE+qngHcfj2jUpdc82gCw+TFRjR7oMSdp7b/3NwpD\n" + + "E+11z9WspoXTDzvbKcGUH9svFl691NyY0ZUmf+4RAgMBAAGjTzBNMAsGA1UdDwQE\n" + + "AwID6DAdBgNVHQ4EFgQUK+oVsFTQbz08evgQZ5Sd82c2y4UwHwYDVR0jBBgwFoAU\n" + + "88OD48Osuh7lJiLnhfMhrySqW8QwDQYJKoZIhvcNAQEFBQADQQB4xFWtC6ijDBIe\n" + + "/Gkf3B9+ycmP52pTPNiPwMS6u1a5vTRXMn5xRDexWfxJKJVZ2s9UR1jheZvWgPC8\n" + + "VUWO8bbG\n" + + "-----END CERTIFICATE-----"; + + // MD5withRSA 1024 signed with RSA 1024 + static String endentiry_MD5withRSA_1024_1024 = + "-----BEGIN CERTIFICATE-----\n" + + "MIICNzCCAaCgAwIBAgIBBjANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0xMzEyMjgxMTA5\n" + + "MTJaFw0zMzA5MTQxMTA5MTJaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" + + "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" + + "9w0BAQEFAAOBjQAwgYkCgYEAvktJqK4/SvQrTyGgV8tM6zP/K5xQP1pFRipRKS8i\n" + + "2yaXdlW4jQBZWVXdfEsm8YwGwtXFKIlleALmgJcLldPwNm0qaKixL4mRJVMm4bXM\n" + + "UXCfmr+Im1SpA4Yum4VFCfIJ1kkeQkXqc57sCSfS+rFnC+1kSNa9wj+Mc4+5FR4k\n" + + "zqUCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBRDzLh/sWyTsdq1KKnG\n" + + "8e7JW1tPUDAfBgNVHSMEGDAWgBQIsaDZL94kLug/A1N4EkNOA4z47DANBgkqhkiG\n" + + "9w0BAQQFAAOBgQBCVn9/JQxsRTaKIKSrgB+KtEreat+33k3SXuJICuRxcmvjOXIx\n" + + "wSdq+mRCA+DpIPSNtgnDAUyipnyxRxpdmRRUHuRYpkALq4a5QtTJK0Y/CEMfsd2J\n" + + "Yd2zKcfynDLW6LVeNdtjlY7fTemJnbA/WImNhwyW55V9vbnk3J04EZN8jw==\n" + + "-----END CERTIFICATE-----"; + + // MD5withRSA 1024 signed with RSA 512 + static String endentiry_MD5withRSA_1024_512 = + "-----BEGIN CERTIFICATE-----\n" + + "MIIB9jCCAaCgAwIBAgIBBzANBgkqhkiG9w0BAQQFADAxMQswCQYDVQQGEwJVUzEQ\n" + + "MA4GA1UEChMHRXhhbXBsZTEQMA4GA1UECxMHQ2xhc3MtMTAeFw0xMzEyMjgxMTA5\n" + + "MTNaFw0zMzA5MTQxMTA5MTNaMEExCzAJBgNVBAYTAlVTMRAwDgYDVQQKEwdFeGFt\n" + + "cGxlMRAwDgYDVQQLEwdDbGFzcy0xMQ4wDAYDVQQDEwVBbGljZTCBnzANBgkqhkiG\n" + + "9w0BAQEFAAOBjQAwgYkCgYEAvktJqK4/SvQrTyGgV8tM6zP/K5xQP1pFRipRKS8i\n" + + "2yaXdlW4jQBZWVXdfEsm8YwGwtXFKIlleALmgJcLldPwNm0qaKixL4mRJVMm4bXM\n" + + "UXCfmr+Im1SpA4Yum4VFCfIJ1kkeQkXqc57sCSfS+rFnC+1kSNa9wj+Mc4+5FR4k\n" + + "zqUCAwEAAaNPME0wCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBRDzLh/sWyTsdq1KKnG\n" + + "8e7JW1tPUDAfBgNVHSMEGDAWgBTzw4Pjw6y6HuUmIueF8yGvJKpbxDANBgkqhkiG\n" + + "9w0BAQQFAANBAAbZwmkqb6sfiiIxuLnj6PjhJsXGfvPomkkbLu5CapAMhen/p6ZG\n" + + "6vh69TbIsBR9UHu7qDyTl5Xax7bmYeW+sDQ=\n" + + "-----END CERTIFICATE-----"; + + static HashMap certmap = new HashMap(); + static { + certmap.put("trustAnchor_SHA1withRSA_1024", + trustAnchor_SHA1withRSA_1024); + certmap.put("trustAnchor_SHA1withRSA_512", + trustAnchor_SHA1withRSA_512); + certmap.put("intermediate_SHA1withRSA_1024_1024", + intermediate_SHA1withRSA_1024_1024); + certmap.put("intermediate_SHA1withRSA_1024_512", + intermediate_SHA1withRSA_1024_512); + certmap.put("intermediate_SHA1withRSA_512_1024", + intermediate_SHA1withRSA_512_1024); + certmap.put("intermediate_SHA1withRSA_512_512", + intermediate_SHA1withRSA_512_512); + certmap.put("intermediate_MD5withRSA_1024_1024", + intermediate_MD5withRSA_1024_1024); + certmap.put("intermediate_MD5withRSA_1024_512", + intermediate_MD5withRSA_1024_512); + certmap.put("endentiry_SHA1withRSA_1024_1024", + endentiry_SHA1withRSA_1024_1024); + certmap.put("endentiry_SHA1withRSA_1024_512", + endentiry_SHA1withRSA_1024_512); + certmap.put("endentiry_SHA1withRSA_512_1024", + endentiry_SHA1withRSA_512_1024); + certmap.put("endentiry_SHA1withRSA_512_512", + endentiry_SHA1withRSA_512_512); + certmap.put("endentiry_MD5withRSA_1024_1024", + endentiry_MD5withRSA_1024_1024); + certmap.put("endentiry_MD5withRSA_1024_512", + endentiry_MD5withRSA_1024_512); + } + + private static Set generateTrustAnchors() + throws CertificateException { + // generate certificate from cert string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + HashSet anchors = new HashSet(); + + ByteArrayInputStream is = + new ByteArrayInputStream(trustAnchor_SHA1withRSA_1024.getBytes()); + Certificate cert = cf.generateCertificate(is); + TrustAnchor anchor = new TrustAnchor((X509Certificate)cert, null); + anchors.add(anchor); + + is = new ByteArrayInputStream(trustAnchor_SHA1withRSA_512.getBytes()); + cert = cf.generateCertificate(is); + anchor = new TrustAnchor((X509Certificate)cert, null); + anchors.add(anchor); + + return anchors; + } + + private static CertStore generateCertificateStore() throws Exception { + Collection entries = new HashSet(); + + // generate certificate from certificate string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + for (String key : certmap.keySet()) { + String certStr = certmap.get(key); + ByteArrayInputStream is = + new ByteArrayInputStream(certStr.getBytes());; + Certificate cert = cf.generateCertificate(is); + entries.add(cert); + } + + return CertStore.getInstance("Collection", + new CollectionCertStoreParameters(entries)); + } + + private static X509CertSelector generateSelector(String name) + throws Exception { + X509CertSelector selector = new X509CertSelector(); + + String certStr = certmap.get(name); + if (certStr == null) { + return null; + } + + // generate certificate from certificate string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + ByteArrayInputStream is = new ByteArrayInputStream(certStr.getBytes()); + X509Certificate target = (X509Certificate)cf.generateCertificate(is); + + selector.setCertificate(target); + + return selector; + } + + private static boolean match(String name, Certificate cert) + throws Exception { + X509CertSelector selector = new X509CertSelector(); + + String certStr = certmap.get(name); + if (certStr == null) { + return false; + } + + // generate certificate from certificate string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + ByteArrayInputStream is = new ByteArrayInputStream(certStr.getBytes()); + X509Certificate target = (X509Certificate)cf.generateCertificate(is); + + return target.equals(cert); + } + + public static void main(String args[]) throws Exception { + CertPathBuilder builder = CertPathBuilder.getInstance("PKIX"); + + X509CertSelector selector = generateSelector(args[0]); + if (selector == null) { + // no target certificate, ignore it + return; + } + + Set anchors = generateTrustAnchors(); + CertStore certs = generateCertificateStore(); + + PKIXBuilderParameters params = + new PKIXBuilderParameters(anchors, selector); + params.addCertStore(certs); + params.setRevocationEnabled(false); + params.setDate(new Date(114, 9, 1)); // 2014-09-01 + + boolean success = Boolean.valueOf(args[2]); + try { + PKIXCertPathBuilderResult result = + (PKIXCertPathBuilderResult)builder.build(params); + if (!success) { + throw new Exception("expected algorithm disabled exception"); + } + + int length = Integer.parseInt(args[1]); + List path = + result.getCertPath().getCertificates(); + if (length != path.size()) { + throw new Exception("unexpected certification path length"); + } + + if (!path.isEmpty()) { // the target is not a trust anchor + if (!match(args[0], path.get(0))) { + throw new Exception("unexpected certificate"); + } + } + } catch (CertPathBuilderException cpbe) { + if (success) { + throw new Exception("unexpected exception", cpbe); + } else { + System.out.println("Get the expected exception " + cpbe); + } + } + } + +} diff -Nru openjdk-6-6b37-1.13.9/jdk/test/sun/security/provider/certpath/ReverseBuilder/ReverseBuild.java openjdk-6-6b38-1.13.10/jdk/test/sun/security/provider/certpath/ReverseBuilder/ReverseBuild.java --- openjdk-6-6b37-1.13.9/jdk/test/sun/security/provider/certpath/ReverseBuilder/ReverseBuild.java 1970-01-01 00:00:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/sun/security/provider/certpath/ReverseBuilder/ReverseBuild.java 2016-01-20 01:47:58.000000000 +0000 @@ -0,0 +1,349 @@ +/* + * Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 7167988 + * @summary PKIX CertPathBuilder in reverse mode doesn't work if more than + * one trust anchor is specified + * @run main/othervm ReverseBuild + */ +import java.io.*; +import java.util.*; +import java.security.cert.*; + +import sun.security.provider.certpath.SunCertPathBuilderParameters; + +public class ReverseBuild { + // Certificate information: + // Issuer: C=US, ST=Some-State, L=Some-City, O=Some-Org + // Validity + // Not Before: Dec 8 02:43:36 2008 GMT + // Not After : Aug 25 02:43:36 2028 GMT + // Subject: C=US, ST=Some-State, L=Some-City, O=Some-Org + // X509v3 Subject Key Identifier: + // FA:B9:51:BF:4C:E7:D9:86:98:33:F9:E7:CB:1E:F1:33:49:F7:A8:14 + // X509v3 Authority Key Identifier: + // keyid:FA:B9:51:BF:4C:E7:D9:86:98:33:F9:E7:CB:1E:F1:33:49:F7:A8:14 + // DirName:/C=US/ST=Some-State/L=Some-City/O=Some-Org + // serial:00 + static String NoiceTrusedCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICrDCCAhWgAwIBAgIBADANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzET\n" + + "MBEGA1UECBMKU29tZS1TdGF0ZTESMBAGA1UEBxMJU29tZS1DaXR5MREwDwYDVQQK\n" + + "EwhTb21lLU9yZzAeFw0wODEyMDgwMjQzMzZaFw0yODA4MjUwMjQzMzZaMEkxCzAJ\n" + + "BgNVBAYTAlVTMRMwEQYDVQQIEwpTb21lLVN0YXRlMRIwEAYDVQQHEwlTb21lLUNp\n" + + "dHkxETAPBgNVBAoTCFNvbWUtT3JnMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB\n" + + "gQDLxDggB76Ip5OwoUNRLdeOha9U3a2ieyNbz5kTU5lFfe5tui2/461uPZ8a+QOX\n" + + "4BdVrhEmV94BKY4FPyH35zboLjfXSKxT1mAOx1Bt9sWF94umxZE1cjyU7vEX8HHj\n" + + "7BvOyk5AQrBt7moO1uWtPA/JuoJPePiJl4kqlRJM2Akq6QIDAQABo4GjMIGgMB0G\n" + + "A1UdDgQWBBT6uVG/TOfZhpgz+efLHvEzSfeoFDBxBgNVHSMEajBogBT6uVG/TOfZ\n" + + "hpgz+efLHvEzSfeoFKFNpEswSTELMAkGA1UEBhMCVVMxEzARBgNVBAgTClNvbWUt\n" + + "U3RhdGUxEjAQBgNVBAcTCVNvbWUtQ2l0eTERMA8GA1UEChMIU29tZS1PcmeCAQAw\n" + + "DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQBcIm534U123Hz+rtyYO5uA\n" + + "ofd81G6FnTfEAV8Kw9fGyyEbQZclBv34A9JsFKeMvU4OFIaixD7nLZ/NZ+IWbhmZ\n" + + "LovmJXyCkOufea73pNiZ+f/4/ScZaIlM/PRycQSqbFNd4j9Wott+08qxHPLpsf3P\n" + + "6Mvf0r1PNTY2hwTJLJmKtg==\n" + + "-----END CERTIFICATE-----"; + + // Certificate information: + // Issuer: C=US, O=Java, OU=SunJSSE Test Serivce + // Validity + // Not Before: Aug 19 01:52:19 2011 GMT + // Not After : Jul 29 01:52:19 2032 GMT + // Subject: C=US, O=Java, OU=SunJSSE Test Serivce + + // X509v3 Subject Key Identifier: + // B9:7C:D5:D9:DF:A7:4C:03:AE:FD:0E:27:5B:31:95:6C:C7:F3:75:E1 + // X509v3 Authority Key Identifier: + // keyid:B9:7C:D5:D9:DF:A7:4C:03:AE:FD:0E:27:5B:31:95:6C:C7:F3:75:E1 + // DirName:/C=US/O=Java/OU=SunJSSE Test Serivce + // serial:00 + static String NoiceTrusedCertStr_2nd = + "-----BEGIN CERTIFICATE-----\n" + + "MIICkjCCAfugAwIBAgIBADANBgkqhkiG9w0BAQQFADA7MQswCQYDVQQGEwJVUzEN\n" + + "MAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwHhcN\n" + + "MTEwODE5MDE1MjE5WhcNMzIwNzI5MDE1MjE5WjA7MQswCQYDVQQGEwJVUzENMAsG\n" + + "A1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwgZ8wDQYJ\n" + + "KoZIhvcNAQEBBQADgY0AMIGJAoGBAM8orG08DtF98TMSscjGsidd1ZoN4jiDpi8U\n" + + "ICz+9dMm1qM1d7O2T+KH3/mxyox7Rc2ZVSCaUD0a3CkhPMnlAx8V4u0H+E9sqso6\n" + + "iDW3JpOyzMExvZiRgRG/3nvp55RMIUV4vEHOZ1QbhuqG4ebN0Vz2DkRft7+flthf\n" + + "vDld6f5JAgMBAAGjgaUwgaIwHQYDVR0OBBYEFLl81dnfp0wDrv0OJ1sxlWzH83Xh\n" + + "MGMGA1UdIwRcMFqAFLl81dnfp0wDrv0OJ1sxlWzH83XhoT+kPTA7MQswCQYDVQQG\n" + + "EwJVUzENMAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2\n" + + "Y2WCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEE\n" + + "BQADgYEALlgaH1gWtoBZ84EW8Hu6YtGLQ/L9zIFmHonUPZwn3Pr//icR9Sqhc3/l\n" + + "pVTxOINuFHLRz4BBtEylzRIOPzK3tg8XwuLb1zd0db90x3KBCiAL6E6cklGEPwLe\n" + + "XYMHDn9eDsaq861Tzn6ZwzMgw04zotPMoZN0mVd/3Qca8UJFucE=\n" + + "-----END CERTIFICATE-----"; + + + // Certificate information: + // Issuer: C=US, O=Java, OU=SunJSSE Test Serivce + // Validity + // Not Before: May 5 02:40:50 2012 GMT + // Not After : Apr 15 02:40:50 2033 GMT + // Subject: C=US, O=Java, OU=SunJSSE Test Serivce + // X509v3 Subject Key Identifier: + // DD:4E:8D:2A:11:C0:83:03:F0:AC:EB:A2:BF:F9:F2:7D:C8:69:1F:9B + // X509v3 Authority Key Identifier: + // keyid:DD:4E:8D:2A:11:C0:83:03:F0:AC:EB:A2:BF:F9:F2:7D:C8:69:1F:9B + // DirName:/C=US/O=Java/OU=SunJSSE Test Serivce + // serial:00 + static String trustedCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICkjCCAfugAwIBAgIBADANBgkqhkiG9w0BAQIFADA7MQswCQYDVQQGEwJVUzEN\n" + + "MAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwHhcN\n" + + "MTIwNTA1MDI0MDUwWhcNMzMwNDE1MDI0MDUwWjA7MQswCQYDVQQGEwJVUzENMAsG\n" + + "A1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwgZ8wDQYJ\n" + + "KoZIhvcNAQEBBQADgY0AMIGJAoGBANtiq0AIJK+iVRwFrqcD7fYXTCbMYC5Qz/k6\n" + + "AXBy7/1rI8wDhEJLE3m/+NSqiJwZcmdq2dNh/1fJFrwvzuURbc9+paOBWeHbN+Sc\n" + + "x3huw91oPZme385VpoK3G13rSE114S/rF4DM9mz4EStFhSHXATjtdbskNOAYGLTV\n" + + "x8uEy9GbAgMBAAGjgaUwgaIwHQYDVR0OBBYEFN1OjSoRwIMD8Kzror/58n3IaR+b\n" + + "MGMGA1UdIwRcMFqAFN1OjSoRwIMD8Kzror/58n3IaR+boT+kPTA7MQswCQYDVQQG\n" + + "EwJVUzENMAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2\n" + + "Y2WCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEC\n" + + "BQADgYEAjjkJesQrkbr36N40egybaIxw7RcqT6iy5fkAGS1JYlBDk8uSCK1o6bCH\n" + + "ls5EpYcGeEoabSS73WRdkO1lgeyWDduO4ef8cCCSpmpT6/YdZG0QS1PtcREeVig+\n" + + "Zr25jNemS4ADHX0aaXP4kiV/G80cR7nX5t5XCUm4bYdbwM07NgI=\n" + + "-----END CERTIFICATE-----"; + static String trustedPrivateKey = // Private key in the format of PKCS#8 + "MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBANtiq0AIJK+iVRwF\n" + + "rqcD7fYXTCbMYC5Qz/k6AXBy7/1rI8wDhEJLE3m/+NSqiJwZcmdq2dNh/1fJFrwv\n" + + "zuURbc9+paOBWeHbN+Scx3huw91oPZme385VpoK3G13rSE114S/rF4DM9mz4EStF\n" + + "hSHXATjtdbskNOAYGLTVx8uEy9GbAgMBAAECgYEA2VjHkIiA0ABjkX+PqKeb+VLb\n" + + "fxS7tSca5C8zfdRhLxAWRui0/3ihst0eCJNrBDuxvAOACovsDWyLuaUjtI2v2ysz\n" + + "vz6SPyGy82PhQOFzyKQuQ814N6EpothpiZzF0yFchfKIGhUsdY89UrGs9nM7m6NT\n" + + "rztYvgIu4avg2VPR2AECQQD+pFAqipR2BplQRIuuRSZfHRxvoEyDjT1xnHJsC6WP\n" + + "I5hCLghL91MhQGWbP4EJMKYQOTRVukWlcp2Kycpf+P5hAkEA3I43gmVUAPEdyZdY\n" + + "fatW7OaLlbbYJb6qEtpCZ1Rwe/BIvm6H6E3qSi/lpz7Ia7WDulpbF6BawHH3pRFq\n" + + "CUY5ewJBAP3pUDqrRpBN0jB0uSeDslhjSciQ+dqvSpZv3rSYBHUvlBJhnkpJiy37\n" + + "7ZUZhIxqYxyIPgRBolLwb+FFh7OdL+ECQCtldDic9WVmC+VheRDpCKZ+SlK/8lGi\n" + + "7VXeShiIvcU1JysJFoa35fSI7hf1O3wt7+hX5PqGG7Un94EsJwACKEcCQQC1TWt6\n" + + "ArKH6tRxKjOxFtqfs8fgEVYUaOr3j1jF4KBUuX2mtQtddZe3VfJ2wPsuKMMxmhkB\n" + + "e7xWWZnJsErt2e+E"; + + // Certificate information: + // Issuer: C=US, O=Java, OU=SunJSSE Test Serivce + // Validity + // Not Before: May 5 02:40:53 2012 GMT + // Not After : Jan 21 02:40:53 2032 GMT + // Subject: C=US, O=Java, OU=SunJSSE Test Serivce, CN=casigner + // X509v3 Subject Key Identifier: + // 13:07:E0:11:07:DB:EB:33:23:87:31:D0:DB:7E:16:56:BE:11:90:0A + // X509v3 Authority Key Identifier: + // keyid:DD:4E:8D:2A:11:C0:83:03:F0:AC:EB:A2:BF:F9:F2:7D:C8:69:1F:9B + // DirName:/C=US/O=Java/OU=SunJSSE Test Serivce + // serial:00 + static String caSignerStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICqDCCAhGgAwIBAgIBAjANBgkqhkiG9w0BAQQFADA7MQswCQYDVQQGEwJVUzEN\n" + + "MAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwHhcN\n" + + "MTIwNTA1MDI0MDUzWhcNMzIwMTIxMDI0MDUzWjBOMQswCQYDVQQGEwJVUzENMAsG\n" + + "A1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UxETAPBgNV\n" + + "BAMTCGNhc2lnbmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+x8+o7oM0\n" + + "ct/LZmZLXBL4CQ8jrULD5P7NtEW0hg/zxBFZfBHf+44Oo2eMPYZj+7xaREOH5BmV\n" + + "KRYlzRtONAaC5Ng4Mrm5UKNPcMIIUjUOvm7vWM4oSTMSfoEcSX+vp99uUAkw3w7Z\n" + + "+frYDm1M4At/j0b+lLij71GFN2L8drpgPQIDAQABo4GoMIGlMB0GA1UdDgQWBBQT\n" + + "B+ARB9vrMyOHMdDbfhZWvhGQCjBjBgNVHSMEXDBagBTdTo0qEcCDA/Cs66K/+fJ9\n" + + "yGkfm6E/pD0wOzELMAkGA1UEBhMCVVMxDTALBgNVBAoTBEphdmExHTAbBgNVBAsT\n" + + "FFN1bkpTU0UgVGVzdCBTZXJpdmNlggEAMBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYD\n" + + "VR0PBAQDAgEGMA0GCSqGSIb3DQEBBAUAA4GBAI+LXA/UCPkTANablUkt80JNPWsl\n" + + "pS4XLNgPxWaN0bkRDs5oI4ooWAz1rwpeJ/nfetOvWlpmrVjSeovBFja5Hl+dUHTf\n" + + "VfuyzkxXbhuNiJIpo1mVBpNsjwu9YRxuwX6UA2LTUQpgvtVJEE012x3zRvxBCbu2\n" + + "Y/v1R5fZ4c+hXDfC\n" + + "-----END CERTIFICATE-----"; + static String caSignerPrivateKey = // Private key in the format of PKCS#8 + "MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAL7Hz6jugzRy38tm\n" + + "ZktcEvgJDyOtQsPk/s20RbSGD/PEEVl8Ed/7jg6jZ4w9hmP7vFpEQ4fkGZUpFiXN\n" + + "G040BoLk2DgyublQo09wwghSNQ6+bu9YzihJMxJ+gRxJf6+n325QCTDfDtn5+tgO\n" + + "bUzgC3+PRv6UuKPvUYU3Yvx2umA9AgMBAAECgYBYvu30cW8LONyt62Zua9hPFTe7\n" + + "qt9B7QYyfkdmoG5PQMepTrOp84SzfoOukvgvDm0huFuJnSvhXQl2cCDhkgXskvFj\n" + + "Hh7KBCFViVXokGdq5YoS0/KYMyQV0TZfJUvILBl51uc4/siQ2tClC/N4sa+1JhgW\n" + + "a6dFGfRjiUKSSlmMwQJBAPWpIz3Q/c+DYMvoQr5OD8EaYwYIevlTdXb97RnJJh2b\n" + + "UnhB9jrqesJiHYVzPmP0ukyPOXOwlp2T5Am4Kw0LFOkCQQDGz150NoHOp28Mvyc4\n" + + "CTqz/zYzUhy2eCJESl196uyP4N65Y01VYQ3JDww4DlsXiU17tVSbgA9TCcfTYOzy\n" + + "vyw1AkARUky+1hafZCcWGZljK8PmnMKwsTZikCTvL/Zg5BMA8Wu+OQBwpQnk3OAy\n" + + "Aa87gw0DyvGFG8Vy9POWT9sRP1/JAkBqP0hrMvYMSs6+MSn0eHo2151PsAJIQcuO\n" + + "U2/Da1khSzu8N6WMi2GiobgV/RYRbf9KrY2ZzMZjykZQYOxAjopBAkEAghCu38cN\n" + + "aOsW6ueo24uzsWI1FTdE+qWNVEi3RSP120xXBCyhaBjIq4WVSlJK9K2aBaJpit3j\n" + + "iQ5tl6zrLlxQhg=="; + + // Certificate information: + // Issuer: C=US, O=Java, OU=SunJSSE Test Serivce, CN=casigner + // Validity + // Not Before: May 5 02:40:57 2012 GMT + // Not After : Jan 21 02:40:57 2032 GMT + // Subject: C=US, O=Java, OU=SunJSSE Test Serivce, CN=certissuer + // X509v3 Subject Key Identifier: + // 39:0E:C6:33:B1:50:BC:73:07:31:E5:D8:04:F7:BB:97:55:CF:9B:C8 + // X509v3 Authority Key Identifier: + // keyid:13:07:E0:11:07:DB:EB:33:23:87:31:D0:DB:7E:16:56:BE:11:90:0A + // DirName:/C=US/O=Java/OU=SunJSSE Test Serivce + // serial:02 + static String certIssuerStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICvjCCAiegAwIBAgIBAzANBgkqhkiG9w0BAQQFADBOMQswCQYDVQQGEwJVUzEN\n" + + "MAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UxETAP\n" + + "BgNVBAMTCGNhc2lnbmVyMB4XDTEyMDUwNTAyNDA1N1oXDTMyMDEyMTAyNDA1N1ow\n" + + "UDELMAkGA1UEBhMCVVMxDTALBgNVBAoTBEphdmExHTAbBgNVBAsTFFN1bkpTU0Ug\n" + + "VGVzdCBTZXJpdmNlMRMwEQYDVQQDEwpjZXJ0aXNzdWVyMIGfMA0GCSqGSIb3DQEB\n" + + "AQUAA4GNADCBiQKBgQCyz55zinU6kNL/LeiTNiBI0QWYmDG0YTotuC4D75liBNqs\n" + + "7Mmladsh2mTtQUAwmuGaGzaZV25a+cUax0DXZoyBwdbTI09u1bUYsZcaUUKbPoCC\n" + + "HH26e4jLFL4olW13Sv4ZAd57tIYevMw+Fp5f4fLPFGegCJTFlv2Qjpmic/cuvQID\n" + + "AQABo4GpMIGmMB0GA1UdDgQWBBQ5DsYzsVC8cwcx5dgE97uXVc+byDBjBgNVHSME\n" + + "XDBagBQTB+ARB9vrMyOHMdDbfhZWvhGQCqE/pD0wOzELMAkGA1UEBhMCVVMxDTAL\n" + + "BgNVBAoTBEphdmExHTAbBgNVBAsTFFN1bkpTU0UgVGVzdCBTZXJpdmNlggECMBMG\n" + + "A1UdEwEB/wQJMAcBAf8CAgQAMAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQQFAAOB\n" + + "gQCQTagenCdClT98C+oTJGJrw/dUBD9K3tE6ZJKPMc/2bUia8G5ei1C0eXj4mWG2\n" + + "lu9umR6C90/A6qB050QB2h50qtqxSrkpu+ym1yypauZpg7U3nUY9wZWJNI1vqrQZ\n" + + "pqUMRcXY3iQIVKx+Qj+4/Za1wwFQzpEoGmqRW31V1SdMEw==\n" + + "-----END CERTIFICATE-----"; + static String certIssuerPrivateKey = // Private key in the format of PKCS#8 + "MIICeQIBADANBgkqhkiG9w0BAQEFAASCAmMwggJfAgEAAoGBALLPnnOKdTqQ0v8t\n" + + "6JM2IEjRBZiYMbRhOi24LgPvmWIE2qzsyaVp2yHaZO1BQDCa4ZobNplXblr5xRrH\n" + + "QNdmjIHB1tMjT27VtRixlxpRQps+gIIcfbp7iMsUviiVbXdK/hkB3nu0hh68zD4W\n" + + "nl/h8s8UZ6AIlMWW/ZCOmaJz9y69AgMBAAECgYEAjtew2tgm4gxDojqIauF4VPM1\n" + + "pzsdqd1p3pAdomNLgrQiBLZ8N7oiph6TNb1EjA+OXc+ThFgF/oM9ZDD8qZZwcvjN\n" + + "qDZlpTkFs2TaGcyEZfUaMB45NHVs6Nn+pSkagSNwwy3xeyAct7sQEzGNTDlEwVv5\n" + + "7V9LQutQtBd6xT48KzkCQQDpNRfv2OFNG/6GtzJoO68oJhpnpl2MsYNi4ntRkre/\n" + + "6uXpiCYaDskcrPMRwOOs0m7mxG+Ev+uKnLnSoEMm1GCbAkEAxEmDtiD0Psb8Z9BL\n" + + "ZRb83Jqho3xe2MCAh3xUfz9b/Mhae9dZ44o4OCgQZuwvW1mczF0NtpgZl93BmYa2\n" + + "hTwHhwJBAKHrEj6ep/fA6x0gD2idoATRR94VfbiU+7NpqtO9ecVP0+gsdr/66hn1\n" + + "3yLBeZLh3MxvMTrLgkAQh1i9m0JXjOcCQQClLXAHHegrw+u3uNMZeKTFR+Lp3sk6\n" + + "AZSnbvr0Me9I45kxSeG81x3ENALJecvIRbrrRws5MvmmkNhQR8rkh8WVAkEAk6b+\n" + + "aVtmBgUaTS5+FFlHGHJY9HFrfT1a1C/dwyMuqlmbC3YsBmZaMOlKli5TXNybLff8\n" + + "5KMeGEpXMzgC7AscGA=="; + + // Certificate information: + // Issuer: C=US, O=Java, OU=SunJSSE Test Serivce, CN=certissuer + // Validity + // Not Before: May 5 02:41:01 2012 GMT + // Not After : Jan 21 02:41:01 2032 GMT + // Subject: C=US, O=Java, OU=SunJSSE Test Serivce, CN=localhost + // X509v3 Subject Key Identifier: + // AD:C0:2C:4C:E4:C2:2E:A1:BB:5D:92:BE:66:E0:4E:E0:0D:2F:11:EF + // X509v3 Authority Key Identifier: + // keyid:39:0E:C6:33:B1:50:BC:73:07:31:E5:D8:04:F7:BB:97:55:CF:9B:C8 + static String targetCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICjTCCAfagAwIBAgIBBDANBgkqhkiG9w0BAQQFADBQMQswCQYDVQQGEwJVUzEN\n" + + "MAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UxEzAR\n" + + "BgNVBAMTCmNlcnRpc3N1ZXIwHhcNMTIwNTA1MDI0MTAxWhcNMzIwMTIxMDI0MTAx\n" + + "WjBPMQswCQYDVQQGEwJVUzENMAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNT\n" + + "RSBUZXN0IFNlcml2Y2UxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0B\n" + + "AQEFAAOBjQAwgYkCgYEAvwaUd7wmBSKqycEstYLWD26vkU08DM39EtaT8wL9HnQ0\n" + + "fgPblwBFI4zdLa2cuYXRZcFUb04N8nrkcpR0D6kkE+AlFAoRWrrZF80B7JTbtEK4\n" + + "1PIeurihXvUT+4MpzGLOojIihMfvM4ufelblD56SInso4WFHm7t4qCln88J1gjkC\n" + + "AwEAAaN4MHYwCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBStwCxM5MIuobtdkr5m4E7g\n" + + "DS8R7zAfBgNVHSMEGDAWgBQ5DsYzsVC8cwcx5dgE97uXVc+byDAnBgNVHSUEIDAe\n" + + "BggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDMA0GCSqGSIb3DQEBBAUAA4GB\n" + + "AGfwcfdvEG/nSCiAn2MGbYHp34mgF3OA1SJLWUW0LvWJhwm2cn4AXlSoyvbwrkaB\n" + + "IDDCwhJvvc0vUyL2kTx7sqVaFTq3mDs+ktlB/FfH0Pb+i8FE+g+7T42Iw/j0qxHL\n" + + "YmgbrjBQf5WYN1AvBE/rrPt9aOtS3UsqtVGW574b0shW\n" + + "-----END CERTIFICATE-----"; + static String targetPrivateKey = // Private key in the format of PKCS#8 + "MIICdAIBADANBgkqhkiG9w0BAQEFAASCAl4wggJaAgEAAoGBAL8GlHe8JgUiqsnB\n" + + "LLWC1g9ur5FNPAzN/RLWk/MC/R50NH4D25cARSOM3S2tnLmF0WXBVG9ODfJ65HKU\n" + + "dA+pJBPgJRQKEVq62RfNAeyU27RCuNTyHrq4oV71E/uDKcxizqIyIoTH7zOLn3pW\n" + + "5Q+ekiJ7KOFhR5u7eKgpZ/PCdYI5AgMBAAECf3CscOYvFD3zNMnMJ5LomVqA7w3F\n" + + "gKYM2jlCWAH+wU41PMEXhW6Lujw92jgXL1o+lERwxFzirVdZJWZwKgUSvzP1G0h3\n" + + "fkucq1/UWnToK+8NSXNM/yS8hXbBgSEoJo5f7LKcIi1Ev6doBVofMxs+njzyWKbM\n" + + "Nb7rOLHadghoon0CQQDgQzbzzSN8Dc1YmmylhI5v+0sQRHH0DL7D24k4Weh4vInG\n" + + "EAbt4x8M7ZKEo8/dv0s4hbmNmAnJl93/RRxIyEqLAkEA2g87DiswSQam2pZ8GlrO\n" + + "+w4Qg9mH8uxx8ou2rl0XlHzH1XiTNbkjfY0EZoL7L31BHFk9n11Fb2P85g6ws+Hy\n" + + "ywJAM/xgyLNM/nzUlS128geAXUULaYH0SHaL4isJ7B4rXZGW/mrIsGxtzjlkNYsj\n" + + "rGujrD6TfNc5rZmexIXowJZtcQJBAIww+pCzZ4mrgx5JXWQ8OZHiiu+ZrPOa2+9J\n" + + "r5sOMpi+WGN/73S8oHqZbNjTINZ5OqEVJq8MchWZPQBTNXuQql0CQHEjUzzkCQa3\n" + + "j6JTa2KAdqyvLOx0XF9zcc1gA069uNQI2gPUHS8V215z57f/gMGnDNhVfLs/vMKz\n" + + "sFkVZ3zg7As="; + + + public static void main(String args[]) throws Exception { + // MD5 is used in this test case, don't disable MD5 algorithm. + java.security.Security.setProperty( + "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); + + // generate certificate from cert string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + // create a set of trust anchors + LinkedHashSet trustAnchors = new LinkedHashSet<>(); + + ByteArrayInputStream is = + new ByteArrayInputStream(NoiceTrusedCertStr.getBytes()); + Certificate trustedCert = cf.generateCertificate(is); + is.close(); + TrustAnchor anchor = + new TrustAnchor((X509Certificate)trustedCert, null); + trustAnchors.add(anchor); + + is = new ByteArrayInputStream(trustedCertStr.getBytes()); + trustedCert = cf.generateCertificate(is); + is.close(); + anchor = new TrustAnchor((X509Certificate)trustedCert, null); + trustAnchors.add(anchor); + + is = new ByteArrayInputStream(NoiceTrusedCertStr_2nd.getBytes()); + trustedCert = cf.generateCertificate(is); + is.close(); + anchor = new TrustAnchor((X509Certificate)trustedCert, null); + trustAnchors.add(anchor); + + // create a list of certificates + List chainList = new ArrayList<>(); + + is = new ByteArrayInputStream(targetCertStr.getBytes()); + Certificate cert = cf.generateCertificate(is); + is.close(); + chainList.add(cert); + + is = new ByteArrayInputStream(certIssuerStr.getBytes()); + cert = cf.generateCertificate(is); + is.close(); + chainList.add(cert); + + is = new ByteArrayInputStream(caSignerStr.getBytes()); + cert = cf.generateCertificate(is); + is.close(); + chainList.add(cert); + + // create a certificate selector + X509CertSelector xcs = new X509CertSelector(); + X509Certificate eeCert = (X509Certificate)chainList.get(0); + xcs.setSubject(eeCert.getSubjectX500Principal()); + + // reverse build + SunCertPathBuilderParameters params = + new SunCertPathBuilderParameters(trustAnchors, xcs); + params.setBuildForward(false); + params.setRevocationEnabled(false); + + CollectionCertStoreParameters ccsp = + new CollectionCertStoreParameters(chainList); + params.addCertStore(CertStore.getInstance("Collection", ccsp)); + + CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX"); + CertPathBuilderResult res = cpb.build(params); + } +} diff -Nru openjdk-6-6b37-1.13.9/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509KeyManager/PreferredKey.java openjdk-6-6b38-1.13.10/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509KeyManager/PreferredKey.java --- openjdk-6-6b37-1.13.9/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509KeyManager/PreferredKey.java 2015-11-11 01:20:43.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509KeyManager/PreferredKey.java 2016-01-20 01:47:58.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -21,11 +21,18 @@ * questions. */ +// +// Security properties, once set, cannot revert to unset. To avoid +// conflicts with tests running in the same VM isolate this test by +// running it in otherVM mode. +// + /* * @test * @bug 6302644 * @summary X509KeyManager implementation for NewSunX509 doesn't return most * preferable key + * @run main/othervm PreferredKey */ import java.io.*; import java.net.*; @@ -49,6 +56,10 @@ public static void main(String[] args) throws Exception { + // MD5 is used in this test case, don't disable MD5 algorithm. + Security.setProperty( + "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); + KeyStore ks; KeyManagerFactory kmf; X509KeyManager km; diff -Nru openjdk-6-6b37-1.13.9/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/BasicConstraints.java openjdk-6-6b38-1.13.10/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/BasicConstraints.java --- openjdk-6-6b37-1.13.9/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/BasicConstraints.java 1970-01-01 00:00:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/BasicConstraints.java 2016-01-20 01:47:58.000000000 +0000 @@ -0,0 +1,562 @@ +/* + * Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +// +// SunJSSE does not support dynamic system properties, no way to re-use +// system properties in samevm/agentvm mode. +// + +/* + * @test + * @bug 7166570 + * @summary JSSE certificate validation has started to fail for + * certificate chains + * @run main/othervm BasicConstraints PKIX + * @run main/othervm BasicConstraints SunX509 + */ + +import java.net.*; +import java.util.*; +import java.io.*; +import javax.net.ssl.*; +import java.security.Security; +import java.security.KeyStore; +import java.security.KeyFactory; +import java.security.cert.*; +import java.security.spec.*; +import java.security.interfaces.*; +import java.math.BigInteger; + +import sun.misc.BASE64Decoder; + +public class BasicConstraints { + + /* + * ============================================================= + * Set the various variables needed for the tests, then + * specify what tests to run on each side. + */ + + /* + * Should we run the client or server in a separate thread? + * Both sides can throw exceptions, but do you have a preference + * as to which side should be the main thread. + */ + static boolean separateServerThread = true; + + /* + * Where do we find the keystores? + */ + // Certificate information: + // Issuer: C=US, O=Java, OU=SunJSSE Test Serivce + // Validity + // Not Before: May 5 02:40:50 2012 GMT + // Not After : Apr 15 02:40:50 2033 GMT + // Subject: C=US, O=Java, OU=SunJSSE Test Serivce + // X509v3 Subject Key Identifier: + // DD:4E:8D:2A:11:C0:83:03:F0:AC:EB:A2:BF:F9:F2:7D:C8:69:1F:9B + // X509v3 Authority Key Identifier: + // keyid:DD:4E:8D:2A:11:C0:83:03:F0:AC:EB:A2:BF:F9:F2:7D:C8:69:1F:9B + // DirName:/C=US/O=Java/OU=SunJSSE Test Serivce + // serial:00 + static String trusedCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICkjCCAfugAwIBAgIBADANBgkqhkiG9w0BAQIFADA7MQswCQYDVQQGEwJVUzEN\n" + + "MAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwHhcN\n" + + "MTIwNTA1MDI0MDUwWhcNMzMwNDE1MDI0MDUwWjA7MQswCQYDVQQGEwJVUzENMAsG\n" + + "A1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwgZ8wDQYJ\n" + + "KoZIhvcNAQEBBQADgY0AMIGJAoGBANtiq0AIJK+iVRwFrqcD7fYXTCbMYC5Qz/k6\n" + + "AXBy7/1rI8wDhEJLE3m/+NSqiJwZcmdq2dNh/1fJFrwvzuURbc9+paOBWeHbN+Sc\n" + + "x3huw91oPZme385VpoK3G13rSE114S/rF4DM9mz4EStFhSHXATjtdbskNOAYGLTV\n" + + "x8uEy9GbAgMBAAGjgaUwgaIwHQYDVR0OBBYEFN1OjSoRwIMD8Kzror/58n3IaR+b\n" + + "MGMGA1UdIwRcMFqAFN1OjSoRwIMD8Kzror/58n3IaR+boT+kPTA7MQswCQYDVQQG\n" + + "EwJVUzENMAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2\n" + + "Y2WCAQAwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEC\n" + + "BQADgYEAjjkJesQrkbr36N40egybaIxw7RcqT6iy5fkAGS1JYlBDk8uSCK1o6bCH\n" + + "ls5EpYcGeEoabSS73WRdkO1lgeyWDduO4ef8cCCSpmpT6/YdZG0QS1PtcREeVig+\n" + + "Zr25jNemS4ADHX0aaXP4kiV/G80cR7nX5t5XCUm4bYdbwM07NgI=\n" + + "-----END CERTIFICATE-----"; + static String trustedPrivateKey = // Private key in the format of PKCS#8 + "MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBANtiq0AIJK+iVRwF\n" + + "rqcD7fYXTCbMYC5Qz/k6AXBy7/1rI8wDhEJLE3m/+NSqiJwZcmdq2dNh/1fJFrwv\n" + + "zuURbc9+paOBWeHbN+Scx3huw91oPZme385VpoK3G13rSE114S/rF4DM9mz4EStF\n" + + "hSHXATjtdbskNOAYGLTVx8uEy9GbAgMBAAECgYEA2VjHkIiA0ABjkX+PqKeb+VLb\n" + + "fxS7tSca5C8zfdRhLxAWRui0/3ihst0eCJNrBDuxvAOACovsDWyLuaUjtI2v2ysz\n" + + "vz6SPyGy82PhQOFzyKQuQ814N6EpothpiZzF0yFchfKIGhUsdY89UrGs9nM7m6NT\n" + + "rztYvgIu4avg2VPR2AECQQD+pFAqipR2BplQRIuuRSZfHRxvoEyDjT1xnHJsC6WP\n" + + "I5hCLghL91MhQGWbP4EJMKYQOTRVukWlcp2Kycpf+P5hAkEA3I43gmVUAPEdyZdY\n" + + "fatW7OaLlbbYJb6qEtpCZ1Rwe/BIvm6H6E3qSi/lpz7Ia7WDulpbF6BawHH3pRFq\n" + + "CUY5ewJBAP3pUDqrRpBN0jB0uSeDslhjSciQ+dqvSpZv3rSYBHUvlBJhnkpJiy37\n" + + "7ZUZhIxqYxyIPgRBolLwb+FFh7OdL+ECQCtldDic9WVmC+VheRDpCKZ+SlK/8lGi\n" + + "7VXeShiIvcU1JysJFoa35fSI7hf1O3wt7+hX5PqGG7Un94EsJwACKEcCQQC1TWt6\n" + + "ArKH6tRxKjOxFtqfs8fgEVYUaOr3j1jF4KBUuX2mtQtddZe3VfJ2wPsuKMMxmhkB\n" + + "e7xWWZnJsErt2e+E"; + + // Certificate information: + // Issuer: C=US, O=Java, OU=SunJSSE Test Serivce + // Validity + // Not Before: May 5 02:40:53 2012 GMT + // Not After : Jan 21 02:40:53 2032 GMT + // Subject: C=US, O=Java, OU=SunJSSE Test Serivce, CN=casigner + // X509v3 Subject Key Identifier: + // 13:07:E0:11:07:DB:EB:33:23:87:31:D0:DB:7E:16:56:BE:11:90:0A + // X509v3 Authority Key Identifier: + // keyid:DD:4E:8D:2A:11:C0:83:03:F0:AC:EB:A2:BF:F9:F2:7D:C8:69:1F:9B + // DirName:/C=US/O=Java/OU=SunJSSE Test Serivce + // serial:00 + static String caSignerStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICqDCCAhGgAwIBAgIBAjANBgkqhkiG9w0BAQQFADA7MQswCQYDVQQGEwJVUzEN\n" + + "MAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UwHhcN\n" + + "MTIwNTA1MDI0MDUzWhcNMzIwMTIxMDI0MDUzWjBOMQswCQYDVQQGEwJVUzENMAsG\n" + + "A1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UxETAPBgNV\n" + + "BAMTCGNhc2lnbmVyMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC+x8+o7oM0\n" + + "ct/LZmZLXBL4CQ8jrULD5P7NtEW0hg/zxBFZfBHf+44Oo2eMPYZj+7xaREOH5BmV\n" + + "KRYlzRtONAaC5Ng4Mrm5UKNPcMIIUjUOvm7vWM4oSTMSfoEcSX+vp99uUAkw3w7Z\n" + + "+frYDm1M4At/j0b+lLij71GFN2L8drpgPQIDAQABo4GoMIGlMB0GA1UdDgQWBBQT\n" + + "B+ARB9vrMyOHMdDbfhZWvhGQCjBjBgNVHSMEXDBagBTdTo0qEcCDA/Cs66K/+fJ9\n" + + "yGkfm6E/pD0wOzELMAkGA1UEBhMCVVMxDTALBgNVBAoTBEphdmExHTAbBgNVBAsT\n" + + "FFN1bkpTU0UgVGVzdCBTZXJpdmNlggEAMBIGA1UdEwEB/wQIMAYBAf8CAQEwCwYD\n" + + "VR0PBAQDAgEGMA0GCSqGSIb3DQEBBAUAA4GBAI+LXA/UCPkTANablUkt80JNPWsl\n" + + "pS4XLNgPxWaN0bkRDs5oI4ooWAz1rwpeJ/nfetOvWlpmrVjSeovBFja5Hl+dUHTf\n" + + "VfuyzkxXbhuNiJIpo1mVBpNsjwu9YRxuwX6UA2LTUQpgvtVJEE012x3zRvxBCbu2\n" + + "Y/v1R5fZ4c+hXDfC\n" + + "-----END CERTIFICATE-----"; + static String caSignerPrivateKey = // Private key in the format of PKCS#8 + "MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAL7Hz6jugzRy38tm\n" + + "ZktcEvgJDyOtQsPk/s20RbSGD/PEEVl8Ed/7jg6jZ4w9hmP7vFpEQ4fkGZUpFiXN\n" + + "G040BoLk2DgyublQo09wwghSNQ6+bu9YzihJMxJ+gRxJf6+n325QCTDfDtn5+tgO\n" + + "bUzgC3+PRv6UuKPvUYU3Yvx2umA9AgMBAAECgYBYvu30cW8LONyt62Zua9hPFTe7\n" + + "qt9B7QYyfkdmoG5PQMepTrOp84SzfoOukvgvDm0huFuJnSvhXQl2cCDhkgXskvFj\n" + + "Hh7KBCFViVXokGdq5YoS0/KYMyQV0TZfJUvILBl51uc4/siQ2tClC/N4sa+1JhgW\n" + + "a6dFGfRjiUKSSlmMwQJBAPWpIz3Q/c+DYMvoQr5OD8EaYwYIevlTdXb97RnJJh2b\n" + + "UnhB9jrqesJiHYVzPmP0ukyPOXOwlp2T5Am4Kw0LFOkCQQDGz150NoHOp28Mvyc4\n" + + "CTqz/zYzUhy2eCJESl196uyP4N65Y01VYQ3JDww4DlsXiU17tVSbgA9TCcfTYOzy\n" + + "vyw1AkARUky+1hafZCcWGZljK8PmnMKwsTZikCTvL/Zg5BMA8Wu+OQBwpQnk3OAy\n" + + "Aa87gw0DyvGFG8Vy9POWT9sRP1/JAkBqP0hrMvYMSs6+MSn0eHo2151PsAJIQcuO\n" + + "U2/Da1khSzu8N6WMi2GiobgV/RYRbf9KrY2ZzMZjykZQYOxAjopBAkEAghCu38cN\n" + + "aOsW6ueo24uzsWI1FTdE+qWNVEi3RSP120xXBCyhaBjIq4WVSlJK9K2aBaJpit3j\n" + + "iQ5tl6zrLlxQhg=="; + + // Certificate information: + // Issuer: C=US, O=Java, OU=SunJSSE Test Serivce, CN=casigner + // Validity + // Not Before: May 5 02:40:57 2012 GMT + // Not After : Jan 21 02:40:57 2032 GMT + // Subject: C=US, O=Java, OU=SunJSSE Test Serivce, CN=certissuer + // X509v3 Subject Key Identifier: + // 39:0E:C6:33:B1:50:BC:73:07:31:E5:D8:04:F7:BB:97:55:CF:9B:C8 + // X509v3 Authority Key Identifier: + // keyid:13:07:E0:11:07:DB:EB:33:23:87:31:D0:DB:7E:16:56:BE:11:90:0A + // DirName:/C=US/O=Java/OU=SunJSSE Test Serivce + // serial:02 + static String certIssuerStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICvjCCAiegAwIBAgIBAzANBgkqhkiG9w0BAQQFADBOMQswCQYDVQQGEwJVUzEN\n" + + "MAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UxETAP\n" + + "BgNVBAMTCGNhc2lnbmVyMB4XDTEyMDUwNTAyNDA1N1oXDTMyMDEyMTAyNDA1N1ow\n" + + "UDELMAkGA1UEBhMCVVMxDTALBgNVBAoTBEphdmExHTAbBgNVBAsTFFN1bkpTU0Ug\n" + + "VGVzdCBTZXJpdmNlMRMwEQYDVQQDEwpjZXJ0aXNzdWVyMIGfMA0GCSqGSIb3DQEB\n" + + "AQUAA4GNADCBiQKBgQCyz55zinU6kNL/LeiTNiBI0QWYmDG0YTotuC4D75liBNqs\n" + + "7Mmladsh2mTtQUAwmuGaGzaZV25a+cUax0DXZoyBwdbTI09u1bUYsZcaUUKbPoCC\n" + + "HH26e4jLFL4olW13Sv4ZAd57tIYevMw+Fp5f4fLPFGegCJTFlv2Qjpmic/cuvQID\n" + + "AQABo4GpMIGmMB0GA1UdDgQWBBQ5DsYzsVC8cwcx5dgE97uXVc+byDBjBgNVHSME\n" + + "XDBagBQTB+ARB9vrMyOHMdDbfhZWvhGQCqE/pD0wOzELMAkGA1UEBhMCVVMxDTAL\n" + + "BgNVBAoTBEphdmExHTAbBgNVBAsTFFN1bkpTU0UgVGVzdCBTZXJpdmNlggECMBMG\n" + + "A1UdEwEB/wQJMAcBAf8CAgQAMAsGA1UdDwQEAwIBBjANBgkqhkiG9w0BAQQFAAOB\n" + + "gQCQTagenCdClT98C+oTJGJrw/dUBD9K3tE6ZJKPMc/2bUia8G5ei1C0eXj4mWG2\n" + + "lu9umR6C90/A6qB050QB2h50qtqxSrkpu+ym1yypauZpg7U3nUY9wZWJNI1vqrQZ\n" + + "pqUMRcXY3iQIVKx+Qj+4/Za1wwFQzpEoGmqRW31V1SdMEw==\n" + + "-----END CERTIFICATE-----"; + static String certIssuerPrivateKey = // Private key in the format of PKCS#8 + "MIICeQIBADANBgkqhkiG9w0BAQEFAASCAmMwggJfAgEAAoGBALLPnnOKdTqQ0v8t\n" + + "6JM2IEjRBZiYMbRhOi24LgPvmWIE2qzsyaVp2yHaZO1BQDCa4ZobNplXblr5xRrH\n" + + "QNdmjIHB1tMjT27VtRixlxpRQps+gIIcfbp7iMsUviiVbXdK/hkB3nu0hh68zD4W\n" + + "nl/h8s8UZ6AIlMWW/ZCOmaJz9y69AgMBAAECgYEAjtew2tgm4gxDojqIauF4VPM1\n" + + "pzsdqd1p3pAdomNLgrQiBLZ8N7oiph6TNb1EjA+OXc+ThFgF/oM9ZDD8qZZwcvjN\n" + + "qDZlpTkFs2TaGcyEZfUaMB45NHVs6Nn+pSkagSNwwy3xeyAct7sQEzGNTDlEwVv5\n" + + "7V9LQutQtBd6xT48KzkCQQDpNRfv2OFNG/6GtzJoO68oJhpnpl2MsYNi4ntRkre/\n" + + "6uXpiCYaDskcrPMRwOOs0m7mxG+Ev+uKnLnSoEMm1GCbAkEAxEmDtiD0Psb8Z9BL\n" + + "ZRb83Jqho3xe2MCAh3xUfz9b/Mhae9dZ44o4OCgQZuwvW1mczF0NtpgZl93BmYa2\n" + + "hTwHhwJBAKHrEj6ep/fA6x0gD2idoATRR94VfbiU+7NpqtO9ecVP0+gsdr/66hn1\n" + + "3yLBeZLh3MxvMTrLgkAQh1i9m0JXjOcCQQClLXAHHegrw+u3uNMZeKTFR+Lp3sk6\n" + + "AZSnbvr0Me9I45kxSeG81x3ENALJecvIRbrrRws5MvmmkNhQR8rkh8WVAkEAk6b+\n" + + "aVtmBgUaTS5+FFlHGHJY9HFrfT1a1C/dwyMuqlmbC3YsBmZaMOlKli5TXNybLff8\n" + + "5KMeGEpXMzgC7AscGA=="; + + // Certificate information: + // Issuer: C=US, O=Java, OU=SunJSSE Test Serivce, CN=certissuer + // Validity + // Not Before: May 5 02:41:01 2012 GMT + // Not After : Jan 21 02:41:01 2032 GMT + // Subject: C=US, O=Java, OU=SunJSSE Test Serivce, CN=localhost + // X509v3 Subject Key Identifier: + // AD:C0:2C:4C:E4:C2:2E:A1:BB:5D:92:BE:66:E0:4E:E0:0D:2F:11:EF + // X509v3 Authority Key Identifier: + // keyid:39:0E:C6:33:B1:50:BC:73:07:31:E5:D8:04:F7:BB:97:55:CF:9B:C8 + static String serverCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICjTCCAfagAwIBAgIBBDANBgkqhkiG9w0BAQQFADBQMQswCQYDVQQGEwJVUzEN\n" + + "MAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UxEzAR\n" + + "BgNVBAMTCmNlcnRpc3N1ZXIwHhcNMTIwNTA1MDI0MTAxWhcNMzIwMTIxMDI0MTAx\n" + + "WjBPMQswCQYDVQQGEwJVUzENMAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNT\n" + + "RSBUZXN0IFNlcml2Y2UxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0B\n" + + "AQEFAAOBjQAwgYkCgYEAvwaUd7wmBSKqycEstYLWD26vkU08DM39EtaT8wL9HnQ0\n" + + "fgPblwBFI4zdLa2cuYXRZcFUb04N8nrkcpR0D6kkE+AlFAoRWrrZF80B7JTbtEK4\n" + + "1PIeurihXvUT+4MpzGLOojIihMfvM4ufelblD56SInso4WFHm7t4qCln88J1gjkC\n" + + "AwEAAaN4MHYwCwYDVR0PBAQDAgPoMB0GA1UdDgQWBBStwCxM5MIuobtdkr5m4E7g\n" + + "DS8R7zAfBgNVHSMEGDAWgBQ5DsYzsVC8cwcx5dgE97uXVc+byDAnBgNVHSUEIDAe\n" + + "BggrBgEFBQcDAQYIKwYBBQUHAwIGCCsGAQUFBwMDMA0GCSqGSIb3DQEBBAUAA4GB\n" + + "AGfwcfdvEG/nSCiAn2MGbYHp34mgF3OA1SJLWUW0LvWJhwm2cn4AXlSoyvbwrkaB\n" + + "IDDCwhJvvc0vUyL2kTx7sqVaFTq3mDs+ktlB/FfH0Pb+i8FE+g+7T42Iw/j0qxHL\n" + + "YmgbrjBQf5WYN1AvBE/rrPt9aOtS3UsqtVGW574b0shW\n" + + "-----END CERTIFICATE-----"; + static String serverPrivateKey = // Private key in the format of PKCS#8 + "MIICdAIBADANBgkqhkiG9w0BAQEFAASCAl4wggJaAgEAAoGBAL8GlHe8JgUiqsnB\n" + + "LLWC1g9ur5FNPAzN/RLWk/MC/R50NH4D25cARSOM3S2tnLmF0WXBVG9ODfJ65HKU\n" + + "dA+pJBPgJRQKEVq62RfNAeyU27RCuNTyHrq4oV71E/uDKcxizqIyIoTH7zOLn3pW\n" + + "5Q+ekiJ7KOFhR5u7eKgpZ/PCdYI5AgMBAAECf3CscOYvFD3zNMnMJ5LomVqA7w3F\n" + + "gKYM2jlCWAH+wU41PMEXhW6Lujw92jgXL1o+lERwxFzirVdZJWZwKgUSvzP1G0h3\n" + + "fkucq1/UWnToK+8NSXNM/yS8hXbBgSEoJo5f7LKcIi1Ev6doBVofMxs+njzyWKbM\n" + + "Nb7rOLHadghoon0CQQDgQzbzzSN8Dc1YmmylhI5v+0sQRHH0DL7D24k4Weh4vInG\n" + + "EAbt4x8M7ZKEo8/dv0s4hbmNmAnJl93/RRxIyEqLAkEA2g87DiswSQam2pZ8GlrO\n" + + "+w4Qg9mH8uxx8ou2rl0XlHzH1XiTNbkjfY0EZoL7L31BHFk9n11Fb2P85g6ws+Hy\n" + + "ywJAM/xgyLNM/nzUlS128geAXUULaYH0SHaL4isJ7B4rXZGW/mrIsGxtzjlkNYsj\n" + + "rGujrD6TfNc5rZmexIXowJZtcQJBAIww+pCzZ4mrgx5JXWQ8OZHiiu+ZrPOa2+9J\n" + + "r5sOMpi+WGN/73S8oHqZbNjTINZ5OqEVJq8MchWZPQBTNXuQql0CQHEjUzzkCQa3\n" + + "j6JTa2KAdqyvLOx0XF9zcc1gA069uNQI2gPUHS8V215z57f/gMGnDNhVfLs/vMKz\n" + + "sFkVZ3zg7As="; + + // Certificate information: + // Issuer: C=US, O=Java, OU=SunJSSE Test Serivce, CN=certissuer + // Validity + // Not Before: May 5 02:41:02 2012 GMT + // Not After : Jan 21 02:41:02 2032 GMT + // Subject: C=US, O=Java, OU=SunJSSE Test Serivce, CN=InterOp Tester + // X509v3 Subject Key Identifier: + // 57:7D:E2:33:33:60:DF:DD:5E:ED:81:3F:EB:F2:1B:59:7F:50:9C:99 + // X509v3 Authority Key Identifier: + // keyid:39:0E:C6:33:B1:50:BC:73:07:31:E5:D8:04:F7:BB:97:55:CF:9B:C8 + static String clientCertStr = + "-----BEGIN CERTIFICATE-----\n" + + "MIICaTCCAdKgAwIBAgIBBTANBgkqhkiG9w0BAQQFADBQMQswCQYDVQQGEwJVUzEN\n" + + "MAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNTRSBUZXN0IFNlcml2Y2UxEzAR\n" + + "BgNVBAMTCmNlcnRpc3N1ZXIwHhcNMTIwNTA1MDI0MTAyWhcNMzIwMTIxMDI0MTAy\n" + + "WjBUMQswCQYDVQQGEwJVUzENMAsGA1UEChMESmF2YTEdMBsGA1UECxMUU3VuSlNT\n" + + "RSBUZXN0IFNlcml2Y2UxFzAVBgNVBAMTDkludGVyT3AgVGVzdGVyMIGfMA0GCSqG\n" + + "SIb3DQEBAQUAA4GNADCBiQKBgQC1pA71nDg1KhhnHjRdi/eVDUa7uFZAtN8R9huu\n" + + "pTwFoyqSX8lDMz8jDawOMmaI9dVZLjTh3hnf4KBEqQOearFVz45yBOjlgPLBuI4F\n" + + "D/ORhgmDaIu2NK+c1yj6YQlyiO0DPwh55GtPLVG3iuEpejU7gQyaMuTaddoXrO7s\n" + + "xwzanQIDAQABo08wTTALBgNVHQ8EBAMCA+gwHQYDVR0OBBYEFFd94jMzYN/dXu2B\n" + + "P+vyG1l/UJyZMB8GA1UdIwQYMBaAFDkOxjOxULxzBzHl2AT3u5dVz5vIMA0GCSqG\n" + + "SIb3DQEBBAUAA4GBAHTgB5W7wnl7Jnb4wNQcb6JdR8FRHIdslcRfnReFfZBHZZux\n" + + "ChpA1lf62KIzYohKoxQXXMul86vnVSHnXq5xctHEmxCBnALEnoAcCOv6wfWqEA7g\n" + + "2rX+ydmu+0ArbqKhSOypZ7K3ame0UOJJ6HDxdsgBYJuotmSou4KKq9e8GF+d\n" + + "-----END CERTIFICATE-----"; + static String clientPrivateKey = // Private key in the format of PKCS#8 + "MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBALWkDvWcODUqGGce\n" + + "NF2L95UNRru4VkC03xH2G66lPAWjKpJfyUMzPyMNrA4yZoj11VkuNOHeGd/goESp\n" + + "A55qsVXPjnIE6OWA8sG4jgUP85GGCYNoi7Y0r5zXKPphCXKI7QM/CHnka08tUbeK\n" + + "4Sl6NTuBDJoy5Np12hes7uzHDNqdAgMBAAECgYEAjLwygwapXjfhdHQoqpp6F9iT\n" + + "h3sKCVSaybXgOO75lHyZzZO9wv1/288KEm3mmBOxXEm6245UievnAYvaq/GKt93O\n" + + "pj2zRefBzZjGbz0v84fmna/MN6zUUYX1PcVRMKWLx9HKKmQihzwoXdBX0o9PPXdi\n" + + "LfzujNa/q8/mpI5PmEECQQDZwLSaL7OReWZTY4NoQuNzwhx5IKJUOtCFQfmHKZSW\n" + + "wtXntZf+E5W9tGaDY5wjpq5cilKDAHdEAlFWxDe1PoE1AkEA1YuTBpctOLBfquFn\n" + + "Y/S3lzGVlnIHDk3dj4bFglkoJ2bCdlwRNUyBSjAjBDcbYhper8S7GlEN5SiEdz9I\n" + + "3OjIyQJBAKEPMgYhZjYhjxf6sQV7A/VpC9pj0u1uGzGVXNUmYisorUKXRHa/UbBh\n" + + "MLnaAXE1Jh54iRMwUwbQmA0PUQ0T0EkCQQCcr6/umwhkWw2nHYK2Vf5LoudGn15M\n" + + "AZg7UsEjVnXfC0hOfllmCT+ohs96rVCbWAv33lsHAUg3x9YChV3aMbf5AkAj1kuV\n" + + "jUTgFKjediyQC6uof7YdLn+gQGiXK1XE0GBN4WMkzcLiS0jC+MFTgKfFnFdh9K0y\n" + + "fswYKdTA/o8RKaa5"; + + static char passphrase[] = "passphrase".toCharArray(); + + /* + * Is the server ready to serve? + */ + volatile static boolean serverReady = false; + + /* + * Turn on SSL debugging? + */ + static boolean debug = false; + + /* + * Define the server side of the test. + * + * If the server prematurely exits, serverReady will be set to true + * to avoid infinite hangs. + */ + void doServerSide() throws Exception { + SSLContext context = getSSLContext(true); + SSLServerSocketFactory sslssf = context.getServerSocketFactory(); + + SSLServerSocket sslServerSocket = + (SSLServerSocket)sslssf.createServerSocket(serverPort); + serverPort = sslServerSocket.getLocalPort(); + SSLSocket sslSocket = null; + try { + /* + * Signal Client, we're ready for his connect. + */ + serverReady = true; + + sslSocket = (SSLSocket) sslServerSocket.accept(); + sslSocket.setNeedClientAuth(true); + + InputStream sslIS = sslSocket.getInputStream(); + OutputStream sslOS = sslSocket.getOutputStream(); + + sslIS.read(); + sslOS.write(85); + sslOS.flush(); + } finally { + if (sslSocket != null) { + sslSocket.close(); + } + sslServerSocket.close(); + } + } + + /* + * Define the client side of the test. + * + * If the server prematurely exits, serverReady will be set to true + * to avoid infinite hangs. + */ + void doClientSide() throws Exception { + /* + * Wait for server to get started. + */ + while (!serverReady) { + Thread.sleep(50); + } + + SSLContext context = getSSLContext(false); + SSLSocketFactory sslsf = context.getSocketFactory(); + + SSLSocket sslSocket = + (SSLSocket)sslsf.createSocket("localhost", serverPort); + try { + InputStream sslIS = sslSocket.getInputStream(); + OutputStream sslOS = sslSocket.getOutputStream(); + + sslOS.write(280); + sslOS.flush(); + sslIS.read(); + } finally { + sslSocket.close(); + } + } + + // get the ssl context + private static SSLContext getSSLContext(boolean isServer) throws Exception { + + // generate certificate from cert string + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + + // create a key store + KeyStore ks = KeyStore.getInstance("JKS"); + ks.load(null, null); + + // import the trused cert + ByteArrayInputStream is = + new ByteArrayInputStream(trusedCertStr.getBytes()); + Certificate trusedCert = cf.generateCertificate(is); + is.close(); + + ks.setCertificateEntry("SunJSSE Test Serivce", trusedCert); + + // import the certificate chain and key + Certificate[] chain = new Certificate[3]; + + is = new ByteArrayInputStream(caSignerStr.getBytes()); + Certificate caSignerCert = cf.generateCertificate(is); + is.close(); + chain[2] = caSignerCert; + + is = new ByteArrayInputStream(certIssuerStr.getBytes()); + Certificate certIssuerCert = cf.generateCertificate(is); + is.close(); + chain[1] = certIssuerCert; + + PKCS8EncodedKeySpec priKeySpec = null; + if (isServer) { + priKeySpec = new PKCS8EncodedKeySpec( + new BASE64Decoder().decodeBuffer(serverPrivateKey)); + is = new ByteArrayInputStream(serverCertStr.getBytes()); + } else { + priKeySpec = new PKCS8EncodedKeySpec( + new BASE64Decoder().decodeBuffer(clientPrivateKey)); + is = new ByteArrayInputStream(clientCertStr.getBytes()); + } + KeyFactory kf = KeyFactory.getInstance("RSA"); + RSAPrivateKey priKey = (RSAPrivateKey)kf.generatePrivate(priKeySpec); + Certificate keyCert = cf.generateCertificate(is); + is.close(); + chain[0] = keyCert; + + ks.setKeyEntry("End Entity", priKey, passphrase, chain); + + // check the certification path + PKIXParameters paras = new PKIXParameters(ks); + paras.setRevocationEnabled(false); + CertPath path = cf.generateCertPath(Arrays.asList(chain)); + CertPathValidator cv = CertPathValidator.getInstance("PKIX"); + cv.validate(path, paras); + + // create SSL context + TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmAlgorithm); + tmf.init(ks); + + SSLContext ctx = SSLContext.getInstance("TLS"); + KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509"); + kmf.init(ks, passphrase); + + ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); + ks = null; + + return ctx; + } + + private static String tmAlgorithm; // trust manager + + private static void parseArguments(String[] args) { + tmAlgorithm = args[0]; + } + + /* + * ============================================================= + * The remainder is just support stuff + */ + + // use any free port by default + volatile int serverPort = 0; + + volatile Exception serverException = null; + volatile Exception clientException = null; + + public static void main(String args[]) throws Exception { + // MD5 is used in this test case, don't disable MD5 algorithm. + Security.setProperty( + "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); + + if (debug) + System.setProperty("javax.net.debug", "all"); + + + /* + * Get the customized arguments. + */ + parseArguments(args); + + /* + * Start the tests. + */ + new BasicConstraints(); + } + + Thread clientThread = null; + Thread serverThread = null; + /* + * Primary constructor, used to drive remainder of the test. + * + * Fork off the other side, then do your work. + */ + BasicConstraints() throws Exception { + if (separateServerThread) { + startServer(true); + startClient(false); + } else { + startClient(true); + startServer(false); + } + + /* + * Wait for other side to close down. + */ + if (separateServerThread) { + serverThread.join(); + } else { + clientThread.join(); + } + + /* + * When we get here, the test is pretty much over. + * + * If the main thread excepted, that propagates back + * immediately. If the other thread threw an exception, we + * should report back. + */ + if (serverException != null) + throw serverException; + if (clientException != null) + throw clientException; + } + + void startServer(boolean newThread) throws Exception { + if (newThread) { + serverThread = new Thread() { + public void run() { + try { + doServerSide(); + } catch (Exception e) { + /* + * Our server thread just died. + * + * Release the client, if not active already... + */ + System.err.println("Server died..."); + serverReady = true; + serverException = e; + } + } + }; + serverThread.start(); + } else { + doServerSide(); + } + } + + void startClient(boolean newThread) throws Exception { + if (newThread) { + clientThread = new Thread() { + public void run() { + try { + doClientSide(); + } catch (Exception e) { + /* + * Our client thread just died. + */ + System.err.println("Client died..."); + clientException = e; + } + } + }; + clientThread.start(); + } else { + doClientSide(); + } + } + +} diff -Nru openjdk-6-6b37-1.13.9/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/SelfIssuedCert.java openjdk-6-6b38-1.13.10/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/SelfIssuedCert.java --- openjdk-6-6b37-1.13.9/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/SelfIssuedCert.java 2015-11-11 01:20:43.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/SelfIssuedCert.java 2016-01-20 01:47:58.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2009, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -34,6 +34,7 @@ import java.util.*; import java.io.*; import javax.net.ssl.*; +import java.security.Security; import java.security.KeyStore; import java.security.KeyFactory; import java.security.cert.Certificate; @@ -299,6 +300,10 @@ volatile Exception clientException = null; public static void main(String args[]) throws Exception { + // MD5 is used in this test case, don't disable MD5 algorithm. + Security.setProperty( + "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); + if (debug) System.setProperty("javax.net.debug", "all"); diff -Nru openjdk-6-6b37-1.13.9/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/CriticalSubjectAltName.java openjdk-6-6b38-1.13.10/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/CriticalSubjectAltName.java --- openjdk-6-6b37-1.13.9/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/CriticalSubjectAltName.java 2015-11-11 01:20:43.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/sun/security/ssl/com/sun/net/ssl/internal/www/protocol/https/HttpsURLConnection/CriticalSubjectAltName.java 2016-01-20 01:47:58.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2001, 2010, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2001, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -27,7 +27,9 @@ * @summary Presence of a critical subjectAltName causes JSSE's SunX509 to * fail trusted checks * @author Xuelei Fan - * + */ + +/* * This test depends on binary keystore, crisubn.jks and trusted.jks. Because * JAVA keytool cannot generate X509 certificate with SubjectAltName extension, * the certificates are generated with openssl toolkits and then imported into @@ -42,6 +44,7 @@ import java.io.*; import java.net.*; import javax.net.ssl.*; +import java.security.Security; import java.security.cert.Certificate; public class CriticalSubjectAltName implements HostnameVerifier { @@ -149,6 +152,10 @@ volatile Exception clientException = null; public static void main(String[] args) throws Exception { + // MD5 is used in this test case, don't disable MD5 algorithm. + Security.setProperty( + "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); + String keyFilename = System.getProperty("test.src", "./") + "/" + pathToStores + "/" + keyStoreFile; diff -Nru openjdk-6-6b37-1.13.9/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/EmptyCertificateAuthorities.java openjdk-6-6b38-1.13.10/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/EmptyCertificateAuthorities.java --- openjdk-6-6b37-1.13.9/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/EmptyCertificateAuthorities.java 2015-11-11 01:20:43.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/sun/security/ssl/javax/net/ssl/TLSv11/EmptyCertificateAuthorities.java 2016-01-20 01:47:58.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -225,6 +225,10 @@ volatile Exception clientException = null; public static void main(String[] args) throws Exception { + // MD5 is used in this test case, don't disable MD5 algorithm. + Security.setProperty( + "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); + String keyFilename = System.getProperty("test.src", ".") + "/" + pathToStores + "/" + keyStoreFile; diff -Nru openjdk-6-6b37-1.13.9/jdk/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/DNSIdentities.java openjdk-6-6b38-1.13.10/jdk/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/DNSIdentities.java --- openjdk-6-6b37-1.13.9/jdk/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/DNSIdentities.java 2015-11-11 01:20:43.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/DNSIdentities.java 2016-01-20 01:47:58.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -31,6 +31,7 @@ import java.util.*; import java.io.*; import javax.net.ssl.*; +import java.security.Security; import java.security.KeyStore; import java.security.KeyFactory; import java.security.cert.Certificate; @@ -734,6 +735,10 @@ volatile Exception clientException = null; public static void main(String args[]) throws Exception { + // MD5 is used in this test case, don't disable MD5 algorithm. + Security.setProperty( + "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); + if (debug) System.setProperty("javax.net.debug", "all"); diff -Nru openjdk-6-6b37-1.13.9/jdk/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/Identities.java openjdk-6-6b38-1.13.10/jdk/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/Identities.java --- openjdk-6-6b37-1.13.9/jdk/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/Identities.java 2015-11-11 01:20:43.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/Identities.java 2016-01-20 01:47:58.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -31,6 +31,7 @@ import java.util.*; import java.io.*; import javax.net.ssl.*; +import java.security.Security; import java.security.KeyStore; import java.security.KeyFactory; import java.security.cert.Certificate; @@ -734,6 +735,10 @@ volatile Exception clientException = null; public static void main(String args[]) throws Exception { + // MD5 is used in this test case, don't disable MD5 algorithm. + Security.setProperty( + "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); + if (debug) System.setProperty("javax.net.debug", "all"); diff -Nru openjdk-6-6b37-1.13.9/jdk/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/IPAddressIPIdentities.java openjdk-6-6b38-1.13.10/jdk/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/IPAddressIPIdentities.java --- openjdk-6-6b37-1.13.9/jdk/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/IPAddressIPIdentities.java 2015-11-11 01:20:43.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/IPAddressIPIdentities.java 2016-01-20 01:47:58.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -31,6 +31,7 @@ import java.util.*; import java.io.*; import javax.net.ssl.*; +import java.security.Security; import java.security.KeyStore; import java.security.KeyFactory; import java.security.cert.Certificate; @@ -735,6 +736,10 @@ volatile Exception clientException = null; public static void main(String args[]) throws Exception { + // MD5 is used in this test case, don't disable MD5 algorithm. + Security.setProperty( + "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); + if (debug) System.setProperty("javax.net.debug", "all"); diff -Nru openjdk-6-6b37-1.13.9/jdk/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/IPIdentities.java openjdk-6-6b38-1.13.10/jdk/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/IPIdentities.java --- openjdk-6-6b37-1.13.9/jdk/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/IPIdentities.java 2015-11-11 01:20:43.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/sun/security/ssl/sun/net/www/protocol/https/HttpsURLConnection/IPIdentities.java 2016-01-20 01:47:58.000000000 +0000 @@ -1,5 +1,5 @@ /* - * Copyright (c) 2010, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2010, 2014, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -31,6 +31,7 @@ import java.util.*; import java.io.*; import javax.net.ssl.*; +import java.security.Security; import java.security.KeyStore; import java.security.KeyFactory; import java.security.cert.Certificate; @@ -735,6 +736,10 @@ volatile Exception clientException = null; public static void main(String args[]) throws Exception { + // MD5 is used in this test case, don't disable MD5 algorithm. + Security.setProperty( + "jdk.certpath.disabledAlgorithms", "MD2, RSA keySize < 1024"); + if (debug) System.setProperty("javax.net.debug", "all"); diff -Nru openjdk-6-6b37-1.13.9/jdk/test/sun/security/x509/AlgorithmId/TurkishRegion.java openjdk-6-6b38-1.13.10/jdk/test/sun/security/x509/AlgorithmId/TurkishRegion.java --- openjdk-6-6b37-1.13.9/jdk/test/sun/security/x509/AlgorithmId/TurkishRegion.java 1970-01-01 00:00:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/jdk/test/sun/security/x509/AlgorithmId/TurkishRegion.java 2016-01-20 01:47:58.000000000 +0000 @@ -0,0 +1,40 @@ +/* + * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 6867345 + * @summary Turkish regional options cause NPE in + * sun.security.x509.AlgorithmId.algOID + * @run main/othervm -Duser.language=tr -Duser.region=TR TurkishRegion + * @author Xuelei Fan + */ + +import sun.security.x509.*; + +public class TurkishRegion { + + public static void main(String[] args) throws Exception { + AlgorithmId algId = AlgorithmId.get("PBEWITHMD5ANDDES"); + } +} diff -Nru openjdk-6-6b37-1.13.9/langtools/src/share/classes/com/sun/tools/javadoc/ClassDocImpl.java openjdk-6-6b38-1.13.10/langtools/src/share/classes/com/sun/tools/javadoc/ClassDocImpl.java --- openjdk-6-6b37-1.13.9/langtools/src/share/classes/com/sun/tools/javadoc/ClassDocImpl.java 2015-11-11 01:20:13.000000000 +0000 +++ openjdk-6-6b38-1.13.10/langtools/src/share/classes/com/sun/tools/javadoc/ClassDocImpl.java 2016-01-20 01:47:44.000000000 +0000 @@ -120,12 +120,14 @@ * Returns the flags of a ClassSymbol in terms of javac's flags */ static long getFlags(ClassSymbol clazz) { - while (true) { - try { - return clazz.flags(); - } catch (CompletionFailure ex) { - // quietly ignore completion failures - } + try { + return clazz.flags(); + } catch (CompletionFailure ex) { + /* Quietly ignore completion failures and try again - the type + * for which the CompletionFailure was thrown shouldn't be completed + * again by the completer that threw the CompletionFailure. + */ + return getFlags(clazz); } } diff -Nru openjdk-6-6b37-1.13.9/langtools/src/share/classes/com/sun/tools/javadoc/MethodDocImpl.java openjdk-6-6b38-1.13.10/langtools/src/share/classes/com/sun/tools/javadoc/MethodDocImpl.java --- openjdk-6-6b37-1.13.9/langtools/src/share/classes/com/sun/tools/javadoc/MethodDocImpl.java 2015-11-11 01:20:13.000000000 +0000 +++ openjdk-6-6b38-1.13.10/langtools/src/share/classes/com/sun/tools/javadoc/MethodDocImpl.java 2016-01-20 01:47:44.000000000 +0000 @@ -128,7 +128,7 @@ t.tag == TypeTags.CLASS; t = env.types.supertype(t)) { ClassSymbol c = (ClassSymbol)t.tsym; - for (Scope.Entry e = c.members().lookup(sym.name); e.scope != null; e = e.next()) { + for (Scope.Entry e = membersOf(c).lookup(sym.name); e.scope != null; e = e.next()) { if (sym.overrides(e.sym, origin, env.types, true)) { return TypeMaker.getType(env, t); } @@ -160,7 +160,7 @@ t.tag == TypeTags.CLASS; t = env.types.supertype(t)) { ClassSymbol c = (ClassSymbol)t.tsym; - for (Scope.Entry e = c.members().lookup(sym.name); e.scope != null; e = e.next()) { + for (Scope.Entry e = membersOf(c).lookup(sym.name); e.scope != null; e = e.next()) { if (sym.overrides(e.sym, origin, env.types, true)) { return env.getMethodDoc((MethodSymbol)e.sym); } @@ -169,6 +169,19 @@ return null; } + /**Retrieve members of c, ignoring any CompletionFailures that occur. */ + private Scope membersOf(ClassSymbol c) { + try { + return c.members(); + } catch (CompletionFailure cf) { + /* Quietly ignore completion failures and try again - the type + * for which the CompletionFailure was thrown shouldn't be completed + * again by the completer that threw the CompletionFailure. + */ + return membersOf(c); + } + } + /** * Tests whether this method overrides another. * The overridden method may be one declared in a superclass or diff -Nru openjdk-6-6b37-1.13.9/langtools/src/share/classes/com/sun/tools/javadoc/TypeMaker.java openjdk-6-6b38-1.13.10/langtools/src/share/classes/com/sun/tools/javadoc/TypeMaker.java --- openjdk-6-6b37-1.13.9/langtools/src/share/classes/com/sun/tools/javadoc/TypeMaker.java 2015-11-11 01:20:13.000000000 +0000 +++ openjdk-6-6b38-1.13.10/langtools/src/share/classes/com/sun/tools/javadoc/TypeMaker.java 2016-01-20 01:47:44.000000000 +0000 @@ -31,6 +31,7 @@ import com.sun.tools.javac.code.Symbol; import com.sun.tools.javac.code.Symbol.ClassSymbol; +import com.sun.tools.javac.code.Symbol.CompletionFailure; import com.sun.tools.javac.code.Type; import com.sun.tools.javac.code.Type.ClassType; import com.sun.tools.javac.code.Type.TypeVar; @@ -47,11 +48,24 @@ return getType(env, t, true); } + public static com.sun.javadoc.Type getType(DocEnv env, Type t, + boolean errToClassDoc) { + try { + return getTypeImpl(env, t, errToClassDoc); + } catch (CompletionFailure cf) { + /* Quietly ignore completion failures and try again - the type + * for which the CompletionFailure was thrown shouldn't be completed + * again by the completer that threw the CompletionFailure. + */ + return getType(env, t, errToClassDoc); + } + } + /** * @param errToClassDoc if true, ERROR type results in a ClassDoc; * false preserves legacy behavior */ - public static com.sun.javadoc.Type getType(DocEnv env, Type t, + private static com.sun.javadoc.Type getTypeImpl(DocEnv env, Type t, boolean errToClassDoc) { if (env.legacyDoclet) { t = env.types.erasure(t); diff -Nru openjdk-6-6b37-1.13.9/Makefile.am openjdk-6-6b38-1.13.10/Makefile.am --- openjdk-6-6b37-1.13.9/Makefile.am 2016-02-01 20:26:37.000000000 +0000 +++ openjdk-6-6b38-1.13.10/Makefile.am 2016-02-01 20:26:43.000000000 +0000 @@ -1,8 +1,8 @@ # Dependencies -OPENJDK_DATE = 11_nov_2015 -OPENJDK_SHA256SUM = 462ac2c28f6dbfb4a18eb46efca232b907d6027f7618715cbc4de5dd73b89e8d -OPENJDK_VERSION = b37 +OPENJDK_DATE = 20_jan_2016 +OPENJDK_SHA256SUM = ff88dbcbda6c3c7d80b7cbd28065a455cdb009de9874fcf9ff9ca8205d38a257 +OPENJDK_VERSION = b38 OPENJDK_URL = https://java.net/downloads/openjdk6/ CACAO_VERSION = 68fe50ac34ec @@ -463,11 +463,9 @@ patches/remove-gcm-test.patch \ patches/skip_wrap_mode.patch \ patches/remove_multicatch_in_testrsa.patch \ - patches/openjdk/p11cipher-4898461-support_ecb_and_cbc.patch \ patches/openjdk/p11cipher-6682411-fix_indexoutofboundsexception.patch \ patches/openjdk/p11cipher-6682417-fix_decrypted_data_not_multiple_of_blocks.patch \ patches/openjdk/p11cipher-6812738-native_cleanup.patch \ - patches/openjdk/p11cipher-6867345-turkish_regional_options_cause_npe_in_algoid.patch \ patches/openjdk/p11cipher-6687725-throw_illegalblocksizeexception.patch \ patches/openjdk/p11cipher-6924489-ckr_operation_not_initialized.patch \ patches/openjdk/p11cipher-6604496-support_ckm_aes_ctr.patch \ @@ -639,7 +637,9 @@ patches/openjdk/6763122-no_zipfile_ctor_exception.patch \ patches/openjdk/6599383-pr363-large_zip_files.patch \ patches/openjdk/6929479-pr363-disable_mmap_zip.patch \ - patches/pr2513-layoutengine_reset.patch + patches/pr2513-layoutengine_reset.patch \ + patches/openjdk/7169111-pr2757-unreadable_menu_bar_with_ambiance_theme.patch \ + patches/openjdk/8140620-pr2711-find_default.sf2.patch if WITH_RHINO ICEDTEA_PATCHES += \ diff -Nru openjdk-6-6b37-1.13.9/Makefile.in openjdk-6-6b38-1.13.10/Makefile.in --- openjdk-6-6b37-1.13.9/Makefile.in 2016-02-01 20:26:37.000000000 +0000 +++ openjdk-6-6b38-1.13.10/Makefile.in 2016-02-01 20:26:43.000000000 +0000 @@ -558,9 +558,9 @@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ -OPENJDK_DATE = 11_nov_2015 -OPENJDK_SHA256SUM = 462ac2c28f6dbfb4a18eb46efca232b907d6027f7618715cbc4de5dd73b89e8d -OPENJDK_VERSION = b37 +OPENJDK_DATE = 20_jan_2016 +OPENJDK_SHA256SUM = ff88dbcbda6c3c7d80b7cbd28065a455cdb009de9874fcf9ff9ca8205d38a257 +OPENJDK_VERSION = b38 OPENJDK_URL = https://java.net/downloads/openjdk6/ CACAO_VERSION = 68fe50ac34ec CACAO_SHA256SUM = b8230f20d7022f9230bbfea13b2f3f179b2f42db40138ac6d32c82fc418ffc3a @@ -837,11 +837,9 @@ patches/generalise_crypto_tests.patch \ patches/remove-gcm-test.patch patches/skip_wrap_mode.patch \ patches/remove_multicatch_in_testrsa.patch \ - patches/openjdk/p11cipher-4898461-support_ecb_and_cbc.patch \ patches/openjdk/p11cipher-6682411-fix_indexoutofboundsexception.patch \ patches/openjdk/p11cipher-6682417-fix_decrypted_data_not_multiple_of_blocks.patch \ patches/openjdk/p11cipher-6812738-native_cleanup.patch \ - patches/openjdk/p11cipher-6867345-turkish_regional_options_cause_npe_in_algoid.patch \ patches/openjdk/p11cipher-6687725-throw_illegalblocksizeexception.patch \ patches/openjdk/p11cipher-6924489-ckr_operation_not_initialized.patch \ patches/openjdk/p11cipher-6604496-support_ckm_aes_ctr.patch \ @@ -1005,12 +1003,14 @@ patches/openjdk/6763122-no_zipfile_ctor_exception.patch \ patches/openjdk/6599383-pr363-large_zip_files.patch \ patches/openjdk/6929479-pr363-disable_mmap_zip.patch \ - patches/pr2513-layoutengine_reset.patch $(am__append_21) \ - $(am__append_22) $(am__append_23) $(am__append_24) \ - $(am__append_25) $(am__append_26) $(am__append_27) \ - $(am__append_28) $(am__append_29) $(am__append_30) \ - $(am__append_31) $(am__append_32) $(am__append_33) \ - $(DISTRIBUTION_PATCHES) + patches/pr2513-layoutengine_reset.patch \ + patches/openjdk/7169111-pr2757-unreadable_menu_bar_with_ambiance_theme.patch \ + patches/openjdk/8140620-pr2711-find_default.sf2.patch \ + $(am__append_21) $(am__append_22) $(am__append_23) \ + $(am__append_24) $(am__append_25) $(am__append_26) \ + $(am__append_27) $(am__append_28) $(am__append_29) \ + $(am__append_30) $(am__append_31) $(am__append_32) \ + $(am__append_33) $(DISTRIBUTION_PATCHES) @ENABLE_NSS_FALSE@NSS_PATCHES = patches/nss-not-enabled-config.patch @ENABLE_NSS_TRUE@NSS_PATCHES = patches/nss-config.patch diff -Nru openjdk-6-6b37-1.13.9/NEWS openjdk-6-6b38-1.13.10/NEWS --- openjdk-6-6b37-1.13.9/NEWS 2015-11-11 03:26:01.000000000 +0000 +++ openjdk-6-6b38-1.13.10/NEWS 2016-01-21 02:42:36.000000000 +0000 @@ -12,6 +12,43 @@ CVE-XXXX-YYYY: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release 1.13.10 (2016-01-22): + +* Security fixes + - S8059054, CVE-2016-0402: Better URL processing + - S8130710, CVE-2016-0448: Better attributes processing + - S8133962, CVE-2016-0466: More general limits + - S8137060: JMX memory management improvements + - S8139012: Better font substitutions + - S8139017, CVE-2016-0483: More stable image decoding + - S8140543, CVE-2016-0494: Arrange font actions + - S8143185: Cleanup for handling proxies + - S8143941, CVE-2015-8126, CVE-2015-8472: Update splashscreen displays +* Import of OpenJDK6 b38 + - OJ69: Windows build broken after b37 changes + - OJ70: Allow versions of ALSA >= 1.1.0 + - S6720721: CRL check with circular depency support needed + - S6852744: PIT b61: PKI test suite fails because self signed certificates are being rejected [Tests only] + - S7166570: JSSE certificate validation has started to fail for certificate chains + - S7167988: PKIX CertPathBuilder in reverse mode doesn't work if more than one trust anchor is specified + - S7171223: Building ExtensionSubtables.cpp should use -fno-strict-aliasing + - S8068761: [TEST_BUG] java/nio/channels/ServerSocketChannel/AdaptServerSocket.java failed with SocketTimeoutException + - S8074068: Cleanup in src/share/classes/sun/security/x509/ + - S8075773: jps running as root fails after the fix of JDK-8050807 + - S8081297: SSL Problem with Tomcat + - S8134605: Partial rework of the fix for 8081297 + - S8135307: CompletionFailure thrown when calling FieldDoc.type, if the field's type is missing + - S8138716: (tz) Support tzdata2015g + - S8141213: [Parfait]Potentially blocking function GetArrayLength called in JNI critical region at line 239 of jdk/src/share/native/sun/awt/image/jpeg/jpegdecoder.c in function GET_ARRAYS + - S8141287: Add MD5 to jdk.certpath.disabledAlgorithms - Take 2 + - S8142928: [TEST_BUG] sun/security/provider/certpath/ReverseBuilder/ReverseBuild.java 8u71 failure + - S8144955: Wrong changes were pushed with 8143942 + - S8145551: Test failed with Crash for Improved font lookups + - S8147466: Add -fno-strict-overflow to IndicRearrangementProcessor{,2}.cpp +* Backports + - S7169111, PR2757: Unreadable menu bar with Ambiance theme in GTK L&F + - S8140620, PR2711: Find and load default.sf2 as the default soundbank on Linux + New in release 1.13.9 (2015-11-13): * Security fixes Binary files /tmp/tmpjP2EbG/aaFIolX7DS/openjdk-6-6b37-1.13.9/openjdk-6-src-b37-11_nov_2015.tar.xz and /tmp/tmpjP2EbG/KYTO8hEWpo/openjdk-6-6b38-1.13.10/openjdk-6-src-b37-11_nov_2015.tar.xz differ Binary files /tmp/tmpjP2EbG/aaFIolX7DS/openjdk-6-6b37-1.13.9/openjdk-6-src-b38-20_jan_2016.tar.xz and /tmp/tmpjP2EbG/KYTO8hEWpo/openjdk-6-6b38-1.13.10/openjdk-6-src-b38-20_jan_2016.tar.xz differ diff -Nru openjdk-6-6b37-1.13.9/patches/openjdk/6799141-split_out_versions.patch openjdk-6-6b38-1.13.10/patches/openjdk/6799141-split_out_versions.patch --- openjdk-6-6b37-1.13.9/patches/openjdk/6799141-split_out_versions.patch 2015-11-11 03:26:01.000000000 +0000 +++ openjdk-6-6b38-1.13.10/patches/openjdk/6799141-split_out_versions.patch 2016-01-21 02:42:37.000000000 +0000 @@ -447,7 +447,7 @@ - endif - ifneq ($(ARCH), ia64) - # ALSA 0.9.1 and above -- REQUIRED_ALSA_VERSION = ^((0[.]9[.][1-9])|(1[.]0[.][0-9]))[0-9]* +- REQUIRED_ALSA_VERSION = ^((0[.]9[.][1-9])|(1[.][0-9][.][0-9]))[0-9]* - endif # How much RAM does this machine have: MB_OF_MEMORY := $(shell free -m | fgrep Mem: | sed -e 's@\ \ *@ @g' | cut -d' ' -f2) diff -Nru openjdk-6-6b37-1.13.9/patches/openjdk/7169111-pr2757-unreadable_menu_bar_with_ambiance_theme.patch openjdk-6-6b38-1.13.10/patches/openjdk/7169111-pr2757-unreadable_menu_bar_with_ambiance_theme.patch --- openjdk-6-6b37-1.13.9/patches/openjdk/7169111-pr2757-unreadable_menu_bar_with_ambiance_theme.patch 1970-01-01 00:00:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/patches/openjdk/7169111-pr2757-unreadable_menu_bar_with_ambiance_theme.patch 2016-01-21 02:42:37.000000000 +0000 @@ -0,0 +1,54 @@ +# HG changeset patch +# User rupashka +# Date 1342090033 -14400 +# Thu Jul 12 14:47:13 2012 +0400 +# Node ID 05c69338ee73c1e454aa632ced5cbc057420b404 +# Parent 0039f5c7fb512e1ec2e22bceb69ee324426a684f +7169111, PR2757: Unreadable menu bar with Ambiance theme in GTK L&F +Reviewed-by: kizune + +diff -r 0039f5c7fb51 -r 05c69338ee73 src/share/classes/com/sun/java/swing/plaf/gtk/GTKLookAndFeel.java +--- openjdk/jdk/src/share/classes/com/sun/java/swing/plaf/gtk/GTKLookAndFeel.java Wed Jul 11 16:19:41 2012 -0700 ++++ openjdk/jdk/src/share/classes/com/sun/java/swing/plaf/gtk/GTKLookAndFeel.java Thu Jul 12 14:47:13 2012 +0400 +@@ -796,9 +796,10 @@ + "Menu.margin", zeroInsets, + "Menu.cancelMode", "hideMenuTree", + "Menu.alignAcceleratorText", Boolean.FALSE, ++ "Menu.useMenuBarForTopLevelMenus", Boolean.TRUE, + + +- "MenuBar.windowBindings", new Object[] { ++ "MenuBar.windowBindings", new Object[] { + "F10", "takeFocus" }, + "MenuBar.font", new FontLazyValue(Region.MENU_BAR), + +diff -r 0039f5c7fb51 -r 05c69338ee73 src/share/classes/com/sun/java/swing/plaf/gtk/GTKStyleFactory.java +--- openjdk/jdk/src/share/classes/com/sun/java/swing/plaf/gtk/GTKStyleFactory.java Wed Jul 11 16:19:41 2012 -0700 ++++ openjdk/jdk/src/share/classes/com/sun/java/swing/plaf/gtk/GTKStyleFactory.java Thu Jul 12 14:47:13 2012 +0400 +@@ -92,7 +92,13 @@ + boolean defaultCapable = btn.isDefaultCapable(); + key = new ComplexKey(wt, toolButton, defaultCapable); + } ++ } else if (id == Region.MENU) { ++ if (c instanceof JMenu && ((JMenu) c).isTopLevelMenu() && ++ UIManager.getBoolean("Menu.useMenuBarForTopLevelMenus")) { ++ wt = WidgetType.MENU_BAR; ++ } + } ++ + if (key == null) { + // Otherwise, just use the WidgetType as the key. + key = wt; +diff -r 0039f5c7fb51 -r 05c69338ee73 src/share/classes/javax/swing/plaf/synth/SynthMenuUI.java +--- openjdk/jdk/src/share/classes/javax/swing/plaf/synth/SynthMenuUI.java Wed Jul 11 16:19:41 2012 -0700 ++++ openjdk/jdk/src/share/classes/javax/swing/plaf/synth/SynthMenuUI.java Thu Jul 12 14:47:13 2012 +0400 +@@ -299,7 +299,8 @@ + */ + @Override + public void propertyChange(PropertyChangeEvent e) { +- if (SynthLookAndFeel.shouldUpdateStyle(e)) { ++ if (SynthLookAndFeel.shouldUpdateStyle(e) || ++ (e.getPropertyName().equals("ancestor") && UIManager.getBoolean("Menu.useMenuBarForTopLevelMenus"))) { + updateStyle((JMenu)e.getSource()); + } + } diff -Nru openjdk-6-6b37-1.13.9/patches/openjdk/8140620-pr2711-find_default.sf2.patch openjdk-6-6b38-1.13.10/patches/openjdk/8140620-pr2711-find_default.sf2.patch --- openjdk-6-6b37-1.13.9/patches/openjdk/8140620-pr2711-find_default.sf2.patch 1970-01-01 00:00:00.000000000 +0000 +++ openjdk-6-6b38-1.13.10/patches/openjdk/8140620-pr2711-find_default.sf2.patch 2016-01-21 02:42:37.000000000 +0000 @@ -0,0 +1,53 @@ +# HG changeset patch +# User omajid +# Date 1445973555 14400 +# Tue Oct 27 15:19:15 2015 -0400 +# Node ID 79e4644bd40482ec3ae557f086137e2869b3f50a +# Parent 09c2cc84d4517af288f26607a39ff0515a05e771 +8140620, PR2711: Find and load default.sf2 as the default soundbank on Linux +Reviewed-by: serb + +diff -r 09c2cc84d451 -r 79e4644bd404 src/share/classes/com/sun/media/sound/SoftSynthesizer.java +--- openjdk/jdk/src/share/classes/com/sun/media/sound/SoftSynthesizer.java Fri Nov 13 05:11:53 2015 +0000 ++++ openjdk/jdk/src/share/classes/com/sun/media/sound/SoftSynthesizer.java Tue Oct 27 15:19:15 2015 -0400 +@@ -668,6 +668,40 @@ + actions.add(new PrivilegedAction() { + public InputStream run() { + if (System.getProperties().getProperty("os.name") ++ .startsWith("Linux")) { ++ ++ File[] systemSoundFontsDir = new File[] { ++ /* Arch, Fedora, Mageia */ ++ new File("/usr/share/soundfonts/"), ++ new File("/usr/local/share/soundfonts/"), ++ /* Debian, Gentoo, OpenSUSE, Ubuntu */ ++ new File("/usr/share/sounds/sf2/"), ++ new File("/usr/local/share/sounds/sf2/"), ++ }; ++ ++ /* ++ * Look for a default.sf2 ++ */ ++ for (File systemSoundFontDir : systemSoundFontsDir) { ++ if (systemSoundFontDir.exists()) { ++ File defaultSoundFont = new File(systemSoundFontDir, "default.sf2"); ++ if (defaultSoundFont.exists()) { ++ try { ++ return new FileInputStream(defaultSoundFont); ++ } catch (IOException e) { ++ // continue with lookup ++ } ++ } ++ } ++ } ++ } ++ return null; ++ } ++ }); ++ ++ actions.add(new PrivilegedAction() { ++ public InputStream run() { ++ if (System.getProperties().getProperty("os.name") + .startsWith("Windows")) { + File gm_dls = new File(System.getenv("SystemRoot") + + "\\system32\\drivers\\gm.dls"); diff -Nru openjdk-6-6b37-1.13.9/patches/openjdk/p11cipher-4898461-support_ecb_and_cbc.patch openjdk-6-6b38-1.13.10/patches/openjdk/p11cipher-4898461-support_ecb_and_cbc.patch --- openjdk-6-6b37-1.13.9/patches/openjdk/p11cipher-4898461-support_ecb_and_cbc.patch 2015-11-11 03:26:01.000000000 +0000 +++ openjdk-6-6b38-1.13.10/patches/openjdk/p11cipher-4898461-support_ecb_and_cbc.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,1169 +0,0 @@ -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java 2012-10-23 18:00:58.332289584 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java 2012-10-23 18:10:13.013034333 +0100 -@@ -22,10 +22,10 @@ - * or visit www.oracle.com if you need additional information or have any - * questions. - */ -- - package sun.security.pkcs11; - - import java.nio.ByteBuffer; -+import java.util.Arrays; - - import java.security.*; - import java.security.spec.*; -@@ -34,7 +34,6 @@ - import javax.crypto.spec.*; - - import sun.nio.ch.DirectBuffer; -- - import sun.security.pkcs11.wrapper.*; - import static sun.security.pkcs11.wrapper.PKCS11Constants.*; - -@@ -43,8 +42,8 @@ - * DES, DESede, AES, ARCFOUR, and Blowfish. - * - * This class is designed to support ECB and CBC with NoPadding and -- * PKCS5Padding for both. However, currently only CBC/NoPadding (and -- * ECB/NoPadding for stream ciphers) is functional. -+ * PKCS5Padding for both. It will use its own padding impl if the -+ * native mechanism does not support padding. - * - * Note that PKCS#11 current only supports ECB and CBC. There are no - * provisions for other modes such as CFB, OFB, PCBC, or CTR mode. -@@ -62,10 +61,56 @@ - private final static int MODE_CBC = 4; - - // padding constant for NoPadding -- private final static int PAD_NONE = 5; -+ private final static int PAD_NONE = 5; - // padding constant for PKCS5Padding - private final static int PAD_PKCS5 = 6; - -+ private static interface Padding { -+ // ENC: format the specified buffer with padding bytes and return the -+ // actual padding length -+ int setPaddingBytes(byte[] paddingBuffer, int padLen); -+ -+ // DEC: return the length of trailing padding bytes given the specified -+ // padded data -+ int unpad(byte[] paddedData, int ofs, int len) -+ throws BadPaddingException; -+ } -+ -+ private static class PKCS5Padding implements Padding { -+ -+ private final int blockSize; -+ -+ PKCS5Padding(int blockSize) -+ throws NoSuchPaddingException { -+ if (blockSize == 0) { -+ throw new NoSuchPaddingException -+ ("PKCS#5 padding not supported with stream ciphers"); -+ } -+ this.blockSize = blockSize; -+ } -+ -+ public int setPaddingBytes(byte[] paddingBuffer, int padLen) { -+ Arrays.fill(paddingBuffer, 0, padLen, (byte) (padLen & 0x007f)); -+ return padLen; -+ } -+ -+ public int unpad(byte[] paddedData, int ofs, int len) -+ throws BadPaddingException { -+ byte padValue = paddedData[ofs + len - 1]; -+ if (padValue < 1 || padValue > blockSize) { -+ throw new BadPaddingException("Invalid pad value!"); -+ } -+ // sanity check padding bytes -+ int padStartIndex = ofs + len - padValue; -+ for (int i = padStartIndex; i < len; i++) { -+ if (paddedData[i] != padValue) { -+ throw new BadPaddingException("Invalid pad bytes!"); -+ } -+ } -+ return padValue; -+ } -+ } -+ - // token instance - private final Token token; - -@@ -99,64 +144,92 @@ - // padding type, on of PAD_* above (PAD_NONE for stream ciphers) - private int paddingType; - -+ // when the padding is requested but unsupported by the native mechanism, -+ // we use the following to do padding and necessary data buffering. -+ // padding object which generate padding and unpad the decrypted data -+ private Padding paddingObj; -+ // buffer for holding back the block which contains padding bytes -+ private byte[] padBuffer; -+ private int padBufferLen; -+ - // original IV, if in MODE_CBC - private byte[] iv; - -- // total number of bytes processed -- private int bytesProcessed; -+ // number of bytes buffered internally by the native mechanism and padBuffer -+ // if we do the padding -+ private int bytesBuffered; - - P11Cipher(Token token, String algorithm, long mechanism) -- throws PKCS11Exception { -+ throws PKCS11Exception, NoSuchAlgorithmException { - super(); - this.token = token; - this.algorithm = algorithm; - this.mechanism = mechanism; -- keyAlgorithm = algorithm.split("/")[0]; -+ -+ String algoParts[] = algorithm.split("/"); -+ keyAlgorithm = algoParts[0]; -+ - if (keyAlgorithm.equals("AES")) { - blockSize = 16; -- blockMode = MODE_CBC; -- // XXX change default to PKCS5Padding -- paddingType = PAD_NONE; -- } else if (keyAlgorithm.equals("RC4") || keyAlgorithm.equals("ARCFOUR")) { -+ } else if (keyAlgorithm.equals("RC4") || -+ keyAlgorithm.equals("ARCFOUR")) { - blockSize = 0; -- blockMode = MODE_ECB; -- paddingType = PAD_NONE; - } else { // DES, DESede, Blowfish - blockSize = 8; -- blockMode = MODE_CBC; -- // XXX change default to PKCS5Padding -- paddingType = PAD_NONE; -+ } -+ this.blockMode = -+ (algoParts.length > 1 ? parseMode(algoParts[1]) : MODE_ECB); -+ -+ String defPadding = (blockSize == 0 ? "NoPadding" : "PKCS5Padding"); -+ String paddingStr = -+ (algoParts.length > 2 ? algoParts[2] : defPadding); -+ try { -+ engineSetPadding(paddingStr); -+ } catch (NoSuchPaddingException nspe) { -+ // should not happen -+ throw new ProviderException(nspe); - } - } - - protected void engineSetMode(String mode) throws NoSuchAlgorithmException { -+ // Disallow change of mode for now since currently it's explicitly -+ // defined in transformation strings -+ throw new NoSuchAlgorithmException("Unsupported mode " + mode); -+ } -+ -+ private int parseMode(String mode) throws NoSuchAlgorithmException { - mode = mode.toUpperCase(); -+ int result; - if (mode.equals("ECB")) { -- this.blockMode = MODE_ECB; -+ result = MODE_ECB; - } else if (mode.equals("CBC")) { - if (blockSize == 0) { - throw new NoSuchAlgorithmException - ("CBC mode not supported with stream ciphers"); - } -- this.blockMode = MODE_CBC; -+ result = MODE_CBC; - } else { - throw new NoSuchAlgorithmException("Unsupported mode " + mode); - } -+ return result; - } - - // see JCE spec - protected void engineSetPadding(String padding) - throws NoSuchPaddingException { -- if (padding.equalsIgnoreCase("NoPadding")) { -+ paddingObj = null; -+ padBuffer = null; -+ padding = padding.toUpperCase(); -+ if (padding.equals("NOPADDING")) { - paddingType = PAD_NONE; -- } else if (padding.equalsIgnoreCase("PKCS5Padding")) { -- if (blockSize == 0) { -- throw new NoSuchPaddingException -- ("PKCS#5 padding not supported with stream ciphers"); -- } -+ } else if (padding.equals("PKCS5PADDING")) { - paddingType = PAD_PKCS5; -- // XXX PKCS#5 not yet implemented -- throw new NoSuchPaddingException("pkcs5"); -+ if (mechanism != CKM_DES_CBC_PAD && mechanism != CKM_DES3_CBC_PAD && -+ mechanism != CKM_AES_CBC_PAD) { -+ // no native padding support; use our own padding impl -+ paddingObj = new PKCS5Padding(blockSize); -+ padBuffer = new byte[blockSize]; -+ } - } else { - throw new NoSuchPaddingException("Unsupported padding " + padding); - } -@@ -174,7 +247,7 @@ - - // see JCE spec - protected byte[] engineGetIV() { -- return (iv == null) ? null : (byte[])iv.clone(); -+ return (iv == null) ? null : (byte[]) iv.clone(); - } - - // see JCE spec -@@ -184,8 +257,9 @@ - } - IvParameterSpec ivSpec = new IvParameterSpec(iv); - try { -- AlgorithmParameters params = AlgorithmParameters.getInstance -- (keyAlgorithm, P11Util.getSunJceProvider()); -+ AlgorithmParameters params = -+ AlgorithmParameters.getInstance(keyAlgorithm, -+ P11Util.getSunJceProvider()); - params.init(ivSpec); - return params; - } catch (GeneralSecurityException e) { -@@ -209,38 +283,38 @@ - protected void engineInit(int opmode, Key key, - AlgorithmParameterSpec params, SecureRandom random) - throws InvalidKeyException, InvalidAlgorithmParameterException { -- byte[] iv; -+ byte[] ivValue; - if (params != null) { - if (params instanceof IvParameterSpec == false) { - throw new InvalidAlgorithmParameterException - ("Only IvParameterSpec supported"); - } -- IvParameterSpec ivSpec = (IvParameterSpec)params; -- iv = ivSpec.getIV(); -+ IvParameterSpec ivSpec = (IvParameterSpec) params; -+ ivValue = ivSpec.getIV(); - } else { -- iv = null; -+ ivValue = null; - } -- implInit(opmode, key, iv, random); -+ implInit(opmode, key, ivValue, random); - } - - // see JCE spec - protected void engineInit(int opmode, Key key, AlgorithmParameters params, - SecureRandom random) - throws InvalidKeyException, InvalidAlgorithmParameterException { -- byte[] iv; -+ byte[] ivValue; - if (params != null) { - try { - IvParameterSpec ivSpec = (IvParameterSpec) - params.getParameterSpec(IvParameterSpec.class); -- iv = ivSpec.getIV(); -+ ivValue = ivSpec.getIV(); - } catch (InvalidParameterSpecException e) { - throw new InvalidAlgorithmParameterException - ("Could not decode IV", e); - } - } else { -- iv = null; -+ ivValue = null; - } -- implInit(opmode, key, iv, random); -+ implInit(opmode, key, ivValue, random); - } - - // actual init() implementation -@@ -249,31 +323,31 @@ - throws InvalidKeyException, InvalidAlgorithmParameterException { - cancelOperation(); - switch (opmode) { -- case Cipher.ENCRYPT_MODE: -- encrypt = true; -- break; -- case Cipher.DECRYPT_MODE: -- encrypt = false; -- break; -- default: -- throw new InvalidAlgorithmParameterException -- ("Unsupported mode: " + opmode); -+ case Cipher.ENCRYPT_MODE: -+ encrypt = true; -+ break; -+ case Cipher.DECRYPT_MODE: -+ encrypt = false; -+ break; -+ default: -+ throw new InvalidAlgorithmParameterException -+ ("Unsupported mode: " + opmode); - } - if (blockMode == MODE_ECB) { // ECB or stream cipher - if (iv != null) { - if (blockSize == 0) { - throw new InvalidAlgorithmParameterException -- ("IV not used with stream ciphers"); -+ ("IV not used with stream ciphers"); - } else { - throw new InvalidAlgorithmParameterException -- ("IV not used in ECB mode"); -+ ("IV not used in ECB mode"); - } - } - } else { // MODE_CBC - if (iv == null) { - if (encrypt == false) { - throw new InvalidAlgorithmParameterException -- ("IV must be specified for decryption in CBC mode"); -+ ("IV must be specified for decryption in CBC mode"); - } - // generate random IV - if (random == null) { -@@ -284,7 +358,7 @@ - } else { - if (iv.length != blockSize) { - throw new InvalidAlgorithmParameterException -- ("IV length must match block size"); -+ ("IV length must match block size"); - } - } - } -@@ -330,63 +404,43 @@ - session = token.getOpSession(); - } - if (encrypt) { -- token.p11.C_EncryptInit -- (session.id(), new CK_MECHANISM(mechanism, iv), p11Key.keyID); -+ token.p11.C_EncryptInit(session.id(), -+ new CK_MECHANISM(mechanism, iv), p11Key.keyID); - } else { -- token.p11.C_DecryptInit -- (session.id(), new CK_MECHANISM(mechanism, iv), p11Key.keyID); -+ token.p11.C_DecryptInit(session.id(), -+ new CK_MECHANISM(mechanism, iv), p11Key.keyID); - } -- bytesProcessed = 0; -+ bytesBuffered = 0; -+ padBufferLen = 0; - initialized = true; - } - -- // XXX the calculations below assume the PKCS#11 implementation is smart. -- // conceivably, not all implementations are and we may need to estimate -- // more conservatively -- -- private int bytesBuffered(int totalLen) { -- if (paddingType == PAD_NONE) { -- // with NoPadding, buffer only the current unfinished block -- return totalLen & (blockSize - 1); -- } else { // PKCS5 -- // with PKCS5Padding in decrypt mode, the buffer must never -- // be empty. Buffer a full block instead of nothing. -- int buffered = totalLen & (blockSize - 1); -- if ((buffered == 0) && (encrypt == false)) { -- buffered = blockSize; -- } -- return buffered; -- } -- } -- - // if update(inLen) is called, how big does the output buffer have to be? - private int updateLength(int inLen) { - if (inLen <= 0) { - return 0; - } -- if (blockSize == 0) { -- return inLen; -- } else { -- // bytes that need to be buffered now -- int buffered = bytesBuffered(bytesProcessed); -- // bytes that need to be buffered after this update -- int newBuffered = bytesBuffered(bytesProcessed + inLen); -- return inLen + buffered - newBuffered; -+ -+ int result = inLen + bytesBuffered; -+ if (blockSize != 0) { -+ // minus the number of bytes in the last incomplete block. -+ result -= (result & (blockSize - 1)); - } -+ return result; - } - - // if doFinal(inLen) is called, how big does the output buffer have to be? - private int doFinalLength(int inLen) { -- if (paddingType == PAD_NONE) { -- return updateLength(inLen); -- } - if (inLen < 0) { - return 0; - } -- int buffered = bytesBuffered(bytesProcessed); -- int newProcessed = bytesProcessed + inLen; -- int paddedProcessed = (newProcessed + blockSize) & ~(blockSize - 1); -- return paddedProcessed - bytesProcessed + buffered; -+ -+ int result = inLen + bytesBuffered; -+ if (blockSize != 0 && encrypt && paddingType != PAD_NONE) { -+ // add the number of bytes to make the last block complete. -+ result += (blockSize - (result & (blockSize - 1))); -+ } -+ return result; - } - - // see JCE spec -@@ -396,6 +450,7 @@ - int n = engineUpdate(in, inOfs, inLen, out, 0); - return P11Util.convert(out, 0, n); - } catch (ShortBufferException e) { -+ // convert since the output length is calculated by updateLength() - throw new ProviderException(e); - } - } -@@ -408,6 +463,7 @@ - } - - // see JCE spec -+ @Override - protected int engineUpdate(ByteBuffer inBuffer, ByteBuffer outBuffer) - throws ShortBufferException { - return implUpdate(inBuffer, outBuffer); -@@ -421,14 +477,15 @@ - int n = engineDoFinal(in, inOfs, inLen, out, 0); - return P11Util.convert(out, 0, n); - } catch (ShortBufferException e) { -+ // convert since the output length is calculated by doFinalLength() - throw new ProviderException(e); - } - } - - // see JCE spec - protected int engineDoFinal(byte[] in, int inOfs, int inLen, byte[] out, -- int outOfs) throws ShortBufferException, IllegalBlockSizeException { -- // BadPaddingException { -+ int outOfs) throws ShortBufferException, IllegalBlockSizeException, -+ BadPaddingException { - int n = 0; - if ((inLen != 0) && (in != null)) { - n = engineUpdate(in, inOfs, inLen, out, outOfs); -@@ -439,8 +496,10 @@ - } - - // see JCE spec -+ @Override - protected int engineDoFinal(ByteBuffer inBuffer, ByteBuffer outBuffer) -- throws ShortBufferException, IllegalBlockSizeException, BadPaddingException { -+ throws ShortBufferException, IllegalBlockSizeException, -+ BadPaddingException { - int n = engineUpdate(inBuffer, outBuffer); - n += implDoFinal(outBuffer); - return n; -@@ -453,18 +512,55 @@ - } - try { - ensureInitialized(); -- int k; -+ int k = 0; - if (encrypt) { -- k = token.p11.C_EncryptUpdate -- (session.id(), 0, in, inOfs, inLen, 0, out, outOfs, outLen); -+ k = token.p11.C_EncryptUpdate(session.id(), 0, in, inOfs, inLen, -+ 0, out, outOfs, outLen); - } else { -- k = token.p11.C_DecryptUpdate -- (session.id(), 0, in, inOfs, inLen, 0, out, outOfs, outLen); -+ int newPadBufferLen = 0; -+ if (paddingObj != null) { -+ if (padBufferLen != 0) { -+ // NSS throws up when called with data not in multiple -+ // of blocks. Try to work around this by holding the -+ // extra data in padBuffer. -+ if (padBufferLen != padBuffer.length) { -+ int bufCapacity = padBuffer.length - padBufferLen; -+ if (inLen > bufCapacity) { -+ bufferInputBytes(in, inOfs, bufCapacity); -+ inOfs += bufCapacity; -+ inLen -= bufCapacity; -+ } else { -+ bufferInputBytes(in, inOfs, inLen); -+ return 0; -+ } -+ } -+ k = token.p11.C_DecryptUpdate(session.id(), -+ 0, padBuffer, 0, padBufferLen, -+ 0, out, outOfs, outLen); -+ padBufferLen = 0; -+ } -+ newPadBufferLen = inLen & (blockSize - 1); -+ if (newPadBufferLen == 0) { -+ newPadBufferLen = padBuffer.length; -+ } -+ inLen -= newPadBufferLen; -+ } -+ if (inLen > 0) { -+ k += token.p11.C_DecryptUpdate(session.id(), 0, in, inOfs, -+ inLen, 0, out, (outOfs + k), (outLen - k)); -+ } -+ // update 'padBuffer' if using our own padding impl. -+ if (paddingObj != null) { -+ bufferInputBytes(in, inOfs + inLen, newPadBufferLen); -+ } - } -- bytesProcessed += inLen; -+ bytesBuffered += (inLen - k); - return k; - } catch (PKCS11Exception e) { -- // XXX throw correct exception -+ if (e.getErrorCode() == CKR_BUFFER_TOO_SMALL) { -+ throw (ShortBufferException) -+ (new ShortBufferException().initCause(e)); -+ } - throw new ProviderException("update() failed", e); - } - } -@@ -480,101 +576,167 @@ - if (outLen < updateLength(inLen)) { - throw new ShortBufferException(); - } -- boolean inPosChanged = false; -+ int origPos = inBuffer.position(); - try { - ensureInitialized(); - - long inAddr = 0; -- int inOfs = inBuffer.position(); -+ int inOfs = 0; - byte[] inArray = null; -+ - if (inBuffer instanceof DirectBuffer) { -- inAddr = ((DirectBuffer)inBuffer).address(); -- } else { -- if (inBuffer.hasArray()) { -- inArray = inBuffer.array(); -- inOfs += inBuffer.arrayOffset(); -- } else { -- inArray = new byte[inLen]; -- inBuffer.get(inArray); -- inOfs = 0; -- inPosChanged = true; -- } -+ inAddr = ((DirectBuffer) inBuffer).address(); -+ inOfs = origPos; -+ } else if (inBuffer.hasArray()) { -+ inArray = inBuffer.array(); -+ inOfs = (origPos + inBuffer.arrayOffset()); - } - - long outAddr = 0; -- int outOfs = outBuffer.position(); -+ int outOfs = 0; - byte[] outArray = null; - if (outBuffer instanceof DirectBuffer) { -- outAddr = ((DirectBuffer)outBuffer).address(); -+ outAddr = ((DirectBuffer) outBuffer).address(); -+ outOfs = outBuffer.position(); - } else { - if (outBuffer.hasArray()) { - outArray = outBuffer.array(); -- outOfs += outBuffer.arrayOffset(); -+ outOfs = (outBuffer.position() + outBuffer.arrayOffset()); - } else { - outArray = new byte[outLen]; -- outOfs = 0; - } - } - -- int k; -+ int k = 0; - if (encrypt) { -- k = token.p11.C_EncryptUpdate -- (session.id(), inAddr, inArray, inOfs, inLen, -- outAddr, outArray, outOfs, outLen); -- } else { -- k = token.p11.C_DecryptUpdate -- (session.id(), inAddr, inArray, inOfs, inLen, -- outAddr, outArray, outOfs, outLen); -- } -- bytesProcessed += inLen; -- if (!inPosChanged) { -- inBuffer.position(inBuffer.position() + inLen); -+ if (inAddr == 0 && inArray == null) { -+ inArray = new byte[inLen]; -+ inBuffer.get(inArray); -+ } else { -+ inBuffer.position(origPos + inLen); -+ } -+ k = token.p11.C_EncryptUpdate(session.id(), -+ inAddr, inArray, inOfs, inLen, -+ outAddr, outArray, outOfs, outLen); -+ } else { -+ int newPadBufferLen = 0; -+ if (paddingObj != null) { -+ if (padBufferLen != 0) { -+ // NSS throws up when called with data not in multiple -+ // of blocks. Try to work around this by holding the -+ // extra data in padBuffer. -+ if (padBufferLen != padBuffer.length) { -+ int bufCapacity = padBuffer.length - padBufferLen; -+ if (inLen > bufCapacity) { -+ bufferInputBytes(inBuffer, bufCapacity); -+ inOfs += bufCapacity; -+ inLen -= bufCapacity; -+ } else { -+ bufferInputBytes(inBuffer, inLen); -+ return 0; -+ } -+ } -+ k = token.p11.C_DecryptUpdate(session.id(), 0, -+ padBuffer, 0, padBufferLen, outAddr, outArray, -+ outOfs, outLen); -+ padBufferLen = 0; -+ } -+ newPadBufferLen = inLen & (blockSize - 1); -+ if (newPadBufferLen == 0) { -+ newPadBufferLen = padBuffer.length; -+ } -+ inLen -= newPadBufferLen; -+ } -+ if (inLen > 0) { -+ if (inAddr == 0 && inArray == null) { -+ inArray = new byte[inLen]; -+ inBuffer.get(inArray); -+ } else { -+ inBuffer.position(inBuffer.position() + inLen); -+ } -+ k += token.p11.C_DecryptUpdate(session.id(), inAddr, -+ inArray, inOfs, inLen, outAddr, outArray, -+ (outOfs + k), (outLen - k)); -+ } -+ // update 'padBuffer' if using our own padding impl. -+ if (paddingObj != null && newPadBufferLen != 0) { -+ bufferInputBytes(inBuffer, newPadBufferLen); -+ } - } -+ bytesBuffered += (inLen - k); - if (!(outBuffer instanceof DirectBuffer) && -- !outBuffer.hasArray()) { -+ !outBuffer.hasArray()) { - outBuffer.put(outArray, outOfs, k); - } else { - outBuffer.position(outBuffer.position() + k); - } - return k; - } catch (PKCS11Exception e) { -- // Un-read the bytes back to input buffer -- if (inPosChanged) { -- inBuffer.position(inBuffer.position() - inLen); -+ // Reset input buffer to its original position for -+ inBuffer.position(origPos); -+ if (e.getErrorCode() == CKR_BUFFER_TOO_SMALL) { -+ throw (ShortBufferException) -+ (new ShortBufferException().initCause(e)); - } -- // XXX throw correct exception - throw new ProviderException("update() failed", e); - } - } - - private int implDoFinal(byte[] out, int outOfs, int outLen) -- throws ShortBufferException, IllegalBlockSizeException { -- if (outLen < doFinalLength(0)) { -+ throws ShortBufferException, IllegalBlockSizeException, -+ BadPaddingException { -+ int requiredOutLen = doFinalLength(0); -+ if (outLen < requiredOutLen) { - throw new ShortBufferException(); - } - try { - ensureInitialized(); -+ int k = 0; - if (encrypt) { -- return token.p11.C_EncryptFinal -- (session.id(), 0, out, outOfs, outLen); -+ if (paddingObj != null) { -+ int actualPadLen = paddingObj.setPaddingBytes(padBuffer, -+ requiredOutLen - bytesBuffered); -+ k = token.p11.C_EncryptUpdate(session.id(), -+ 0, padBuffer, 0, actualPadLen, -+ 0, out, outOfs, outLen); -+ } -+ k += token.p11.C_EncryptFinal(session.id(), -+ 0, out, (outOfs + k), (outLen - k)); - } else { -- return token.p11.C_DecryptFinal -- (session.id(), 0, out, outOfs, outLen); -+ if (paddingObj != null) { -+ if (padBufferLen != 0) { -+ k = token.p11.C_DecryptUpdate(session.id(), 0, -+ padBuffer, 0, padBufferLen, 0, padBuffer, 0, -+ padBuffer.length); -+ } -+ k += token.p11.C_DecryptFinal(session.id(), 0, padBuffer, k, -+ padBuffer.length - k); -+ int actualPadLen = paddingObj.unpad(padBuffer, 0, k); -+ k -= actualPadLen; -+ System.arraycopy(padBuffer, 0, out, outOfs, k); -+ } else { -+ k = token.p11.C_DecryptFinal(session.id(), 0, out, outOfs, -+ outLen); -+ } - } -+ return k; - } catch (PKCS11Exception e) { - handleException(e); - throw new ProviderException("doFinal() failed", e); - } finally { - initialized = false; -- bytesProcessed = 0; -+ bytesBuffered = 0; -+ padBufferLen = 0; - session = token.releaseSession(session); - } - } - - private int implDoFinal(ByteBuffer outBuffer) -- throws ShortBufferException, IllegalBlockSizeException { -+ throws ShortBufferException, IllegalBlockSizeException, -+ BadPaddingException { - int outLen = outBuffer.remaining(); -- if (outLen < doFinalLength(0)) { -+ int requiredOutLen = doFinalLength(0); -+ if (outLen < requiredOutLen) { - throw new ShortBufferException(); - } - -@@ -582,30 +744,54 @@ - ensureInitialized(); - - long outAddr = 0; -- int outOfs = outBuffer.position(); - byte[] outArray = null; -+ int outOfs = 0; - if (outBuffer instanceof DirectBuffer) { -- outAddr = ((DirectBuffer)outBuffer).address(); -+ outAddr = ((DirectBuffer) outBuffer).address(); -+ outOfs = outBuffer.position(); - } else { - if (outBuffer.hasArray()) { - outArray = outBuffer.array(); -- outOfs += outBuffer.arrayOffset(); -+ outOfs = outBuffer.position() + outBuffer.arrayOffset(); - } else { - outArray = new byte[outLen]; -- outOfs = 0; - } - } - -- int k; -+ int k = 0; -+ - if (encrypt) { -- k = token.p11.C_EncryptFinal -- (session.id(), outAddr, outArray, outOfs, outLen); -+ if (paddingObj != null) { -+ int actualPadLen = paddingObj.setPaddingBytes(padBuffer, -+ requiredOutLen - bytesBuffered); -+ k = token.p11.C_EncryptUpdate(session.id(), -+ 0, padBuffer, 0, actualPadLen, -+ outAddr, outArray, outOfs, outLen); -+ } -+ k += token.p11.C_EncryptFinal(session.id(), -+ outAddr, outArray, (outOfs + k), (outLen - k)); - } else { -- k = token.p11.C_DecryptFinal -- (session.id(), outAddr, outArray, outOfs, outLen); -+ if (paddingObj != null) { -+ if (padBufferLen != 0) { -+ k = token.p11.C_DecryptUpdate(session.id(), -+ 0, padBuffer, 0, padBufferLen, -+ 0, padBuffer, 0, padBuffer.length); -+ padBufferLen = 0; -+ } -+ k += token.p11.C_DecryptFinal(session.id(), -+ 0, padBuffer, k, padBuffer.length - k); -+ int actualPadLen = paddingObj.unpad(padBuffer, 0, k); -+ k -= actualPadLen; -+ outArray = padBuffer; -+ outOfs = 0; -+ } else { -+ k = token.p11.C_DecryptFinal(session.id(), -+ outAddr, outArray, outOfs, outLen); -+ } - } -- if (!(outBuffer instanceof DirectBuffer) && -- !outBuffer.hasArray()) { -+ if ((!encrypt && paddingObj != null) || -+ (!(outBuffer instanceof DirectBuffer) && -+ !outBuffer.hasArray())) { - outBuffer.put(outArray, outOfs, k); - } else { - outBuffer.position(outBuffer.position() + k); -@@ -616,20 +802,21 @@ - throw new ProviderException("doFinal() failed", e); - } finally { - initialized = false; -- bytesProcessed = 0; -+ bytesBuffered = 0; - session = token.releaseSession(session); - } - } - - private void handleException(PKCS11Exception e) -- throws IllegalBlockSizeException { -+ throws ShortBufferException, IllegalBlockSizeException { - long errorCode = e.getErrorCode(); -- // XXX better check -- if (errorCode == CKR_DATA_LEN_RANGE) { -- throw (IllegalBlockSizeException)new -- IllegalBlockSizeException(e.toString()).initCause(e); -+ if (errorCode == CKR_BUFFER_TOO_SMALL) { -+ throw (ShortBufferException) -+ (new ShortBufferException().initCause(e)); -+ } else if (errorCode == CKR_DATA_LEN_RANGE) { -+ throw (IllegalBlockSizeException) -+ (new IllegalBlockSizeException(e.toString()).initCause(e)); - } -- - } - - // see JCE spec -@@ -648,9 +835,22 @@ - } - - // see JCE spec -+ @Override - protected int engineGetKeySize(Key key) throws InvalidKeyException { - int n = P11SecretKeyFactory.convertKey - (token, key, keyAlgorithm).length(); - return n; - } -+ -+ private final void bufferInputBytes(byte[] in, int inOfs, int len) { -+ System.arraycopy(in, inOfs, padBuffer, padBufferLen, len); -+ padBufferLen += len; -+ bytesBuffered += len; -+ } -+ -+ private final void bufferInputBytes(ByteBuffer inBuffer, int len) { -+ inBuffer.get(padBuffer, padBufferLen, len); -+ padBufferLen += len; -+ bytesBuffered += len; -+ } - } -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2012-09-21 20:03:48.000000000 +0100 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java 2012-10-23 18:09:25.964291180 +0100 -@@ -601,14 +601,26 @@ - // XXX attributes for Ciphers (supported modes, padding) - d(CIP, "ARCFOUR", P11Cipher, s("RC4"), - m(CKM_RC4)); -- // XXX only CBC/NoPadding for block ciphers - d(CIP, "DES/CBC/NoPadding", P11Cipher, - m(CKM_DES_CBC)); -+ d(CIP, "DES/CBC/PKCS5Padding", P11Cipher, -+ m(CKM_DES_CBC_PAD, CKM_DES_CBC)); -+ d(CIP, "DES/ECB", P11Cipher, s("DES"), -+ m(CKM_DES_ECB)); -+ - d(CIP, "DESede/CBC/NoPadding", P11Cipher, - m(CKM_DES3_CBC)); -+ d(CIP, "DESede/CBC/PKCS5Padding", P11Cipher, -+ m(CKM_DES3_CBC_PAD, CKM_DES3_CBC)); -+ d(CIP, "DESede/ECB", P11Cipher, s("DESede"), -+ m(CKM_DES3_ECB)); - d(CIP, "AES/CBC/NoPadding", P11Cipher, - m(CKM_AES_CBC)); -- d(CIP, "Blowfish/CBC/NoPadding", P11Cipher, -+ d(CIP, "AES/CBC/PKCS5Padding", P11Cipher, -+ m(CKM_AES_CBC_PAD, CKM_AES_CBC)); -+ d(CIP, "AES/ECB", P11Cipher, s("AES"), -+ m(CKM_AES_ECB)); -+ d(CIP, "Blowfish/CBC", P11Cipher, - m(CKM_BLOWFISH_CBC)); - - // XXX RSA_X_509, RSA_OAEP not yet supported -diff -Nru openjdk.orig/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphers.java openjdk/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphers.java ---- openjdk.orig/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphers.java 1970-01-01 01:00:00.000000000 +0100 -+++ openjdk/jdk/test/sun/security/pkcs11/Cipher/TestSymmCiphers.java 2012-10-23 18:09:25.976291370 +0100 -@@ -0,0 +1,282 @@ -+/* -+ * Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modi -+fy it -+ * under the terms of the GNU General Public License version 2 onl -+y, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, bu -+t WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABIL -+ITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public L -+icense -+ * version 2 for more details (a copy is included in the LICENSE f -+ile that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public Licen -+se version -+ * 2 along with this work; if not, write to the Free Software Foun -+dation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Sun Microsystems, Inc., 4150 Network Circle, San -+ta Clara, -+ * CA 95054 USA or visit www.sun.com if you need additional inform -+ation or -+ * have any questions. -+ */ -+ -+/** -+ * @test %I% %E% -+ * @bug 4898461 -+ * @summary basic test for symmetric ciphers with padding -+ * @author Valerie Peng -+ * @library .. -+ */ -+import java.io.*; -+import java.nio.*; -+import java.util.*; -+ -+import java.security.*; -+import java.security.spec.AlgorithmParameterSpec; -+ -+import javax.crypto.*; -+import javax.crypto.spec.IvParameterSpec; -+ -+public class TestSymmCiphers extends PKCS11Test { -+ -+ private static class CI { // class for holding Cipher Information -+ -+ String transformation; -+ String keyAlgo; -+ int dataSize; -+ -+ CI(String transformation, String keyAlgo, int dataSize) { -+ this.transformation = transformation; -+ this.keyAlgo = keyAlgo; -+ this.dataSize = dataSize; -+ } -+ } -+ private static final CI[] TEST_LIST = { -+ new CI("ARCFOUR", "ARCFOUR", 400), -+ new CI("RC4", "RC4", 401), -+ new CI("DES/CBC/NoPadding", "DES", 400), -+ new CI("DESede/CBC/NoPadding", "DESede", 160), -+ new CI("AES/CBC/NoPadding", "AES", 4800), -+ new CI("Blowfish/CBC/NoPadding", "Blowfish", 24), -+ new CI("DES/cbc/PKCS5Padding", "DES", 6401), -+ new CI("DESede/CBC/PKCS5Padding", "DESede", 402), -+ new CI("AES/CBC/PKCS5Padding", "AES", 30), -+ new CI("Blowfish/CBC/PKCS5Padding", "Blowfish", 19), -+ new CI("DES/ECB/NoPadding", "DES", 400), -+ new CI("DESede/ECB/NoPadding", "DESede", 160), -+ new CI("AES/ECB/NoPadding", "AES", 4800), -+ new CI("DES/ECB/PKCS5Padding", "DES", 32), -+ new CI("DES/ECB/PKCS5Padding", "DES", 6400), -+ new CI("DESede/ECB/PKCS5Padding", "DESede", 400), -+ new CI("AES/ECB/PKCS5Padding", "AES", 64), -+ new CI("DES", "DES", 6400), -+ new CI("DESede", "DESede", 408), -+ new CI("AES", "AES", 128) -+ }; -+ private static StringBuffer debugBuf = new StringBuffer(); -+ -+ public void main(Provider p) throws Exception { -+ // NSS reports CKR_DEVICE_ERROR when the data passed to -+ // its EncryptUpdate/DecryptUpdate is not multiple of blocks -+ int firstBlkSize = 16; -+ boolean status = true; -+ Random random = new Random(); -+ try { -+ for (int i = 0; i < TEST_LIST.length; i++) { -+ CI currTest = TEST_LIST[i]; -+ System.out.println("===" + currTest.transformation + "==="); -+ try { -+ KeyGenerator kg = -+ KeyGenerator.getInstance(currTest.keyAlgo, p); -+ SecretKey key = kg.generateKey(); -+ Cipher c1 = Cipher.getInstance(currTest.transformation, p); -+ Cipher c2 = Cipher.getInstance(currTest.transformation, -+ "SunJCE"); -+ -+ byte[] plainTxt = new byte[currTest.dataSize]; -+ random.nextBytes(plainTxt); -+ System.out.println("Testing inLen = " + plainTxt.length); -+ -+ c2.init(Cipher.ENCRYPT_MODE, key); -+ AlgorithmParameters params = c2.getParameters(); -+ byte[] answer = c2.doFinal(plainTxt); -+ System.out.println("Encryption tests: START"); -+ test(c1, Cipher.ENCRYPT_MODE, key, params, firstBlkSize, -+ plainTxt, answer); -+ System.out.println("Encryption tests: DONE"); -+ c2.init(Cipher.DECRYPT_MODE, key, params); -+ byte[] answer2 = c2.doFinal(answer); -+ System.out.println("Decryption tests: START"); -+ test(c1, Cipher.DECRYPT_MODE, key, params, firstBlkSize, -+ answer, answer2); -+ System.out.println("Decryption tests: DONE"); -+ } catch (NoSuchAlgorithmException nsae) { -+ System.out.println("Skipping unsupported algorithm: " + -+ nsae); -+ } -+ } -+ } catch (Exception ex) { -+ // print out debug info when exception is encountered -+ if (debugBuf != null) { -+ System.out.println(debugBuf.toString()); -+ debugBuf = new StringBuffer(); -+ } -+ throw ex; -+ } -+ } -+ -+ private static void test(Cipher cipher, int mode, SecretKey key, -+ AlgorithmParameters params, int firstBlkSize, -+ byte[] in, byte[] answer) throws Exception { -+ // test setup -+ long startTime, endTime; -+ cipher.init(mode, key, params); -+ int outLen = cipher.getOutputSize(in.length); -+ //debugOut("Estimated output size = " + outLen + "\n"); -+ -+ // test data preparation -+ ByteBuffer inBuf = ByteBuffer.allocate(in.length); -+ inBuf.put(in); -+ inBuf.position(0); -+ ByteBuffer inDirectBuf = ByteBuffer.allocateDirect(in.length); -+ inDirectBuf.put(in); -+ inDirectBuf.position(0); -+ ByteBuffer outBuf = ByteBuffer.allocate(outLen); -+ ByteBuffer outDirectBuf = ByteBuffer.allocateDirect(outLen); -+ -+ // test#1: byte[] in + byte[] out -+ //debugOut("Test#1:\n"); -+ -+ ByteArrayOutputStream baos = new ByteArrayOutputStream(); -+ -+ startTime = System.nanoTime(); -+ byte[] temp = cipher.update(in, 0, firstBlkSize); -+ if (temp != null && temp.length > 0) { -+ baos.write(temp, 0, temp.length); -+ } -+ temp = cipher.doFinal(in, firstBlkSize, in.length - firstBlkSize); -+ if (temp != null && temp.length > 0) { -+ baos.write(temp, 0, temp.length); -+ } -+ byte[] testOut1 = baos.toByteArray(); -+ endTime = System.nanoTime(); -+ perfOut("stream InBuf + stream OutBuf: " + -+ (endTime - startTime)); -+ match(testOut1, answer); -+ -+ // test#2: Non-direct Buffer in + non-direct Buffer out -+ //debugOut("Test#2:\n"); -+ //debugOut("inputBuf: " + inBuf + "\n"); -+ //debugOut("outputBuf: " + outBuf + "\n"); -+ -+ startTime = System.nanoTime(); -+ cipher.update(inBuf, outBuf); -+ cipher.doFinal(inBuf, outBuf); -+ endTime = System.nanoTime(); -+ perfOut("non-direct InBuf + non-direct OutBuf: " + -+ (endTime - startTime)); -+ match(outBuf, answer); -+ -+ // test#3: Direct Buffer in + direc Buffer out -+ //debugOut("Test#3:\n"); -+ //debugOut("(pre) inputBuf: " + inDirectBuf + "\n"); -+ //debugOut("(pre) outputBuf: " + outDirectBuf + "\n"); -+ -+ startTime = System.nanoTime(); -+ cipher.update(inDirectBuf, outDirectBuf); -+ cipher.doFinal(inDirectBuf, outDirectBuf); -+ endTime = System.nanoTime(); -+ perfOut("direct InBuf + direct OutBuf: " + -+ (endTime - startTime)); -+ -+ //debugOut("(post) inputBuf: " + inDirectBuf + "\n"); -+ //debugOut("(post) outputBuf: " + outDirectBuf + "\n"); -+ match(outDirectBuf, answer); -+ -+ // test#4: Direct Buffer in + non-direct Buffer out -+ //debugOut("Test#4:\n"); -+ inDirectBuf.position(0); -+ outBuf.position(0); -+ //debugOut("inputBuf: " + inDirectBuf + "\n"); -+ //debugOut("outputBuf: " + outBuf + "\n"); -+ -+ startTime = System.nanoTime(); -+ cipher.update(inDirectBuf, outBuf); -+ cipher.doFinal(inDirectBuf, outBuf); -+ endTime = System.nanoTime(); -+ perfOut("direct InBuf + non-direct OutBuf: " + -+ (endTime - startTime)); -+ match(outBuf, answer); -+ -+ // test#5: Non-direct Buffer in + direct Buffer out -+ //debugOut("Test#5:\n"); -+ inBuf.position(0); -+ outDirectBuf.position(0); -+ -+ //debugOut("(pre) inputBuf: " + inBuf + "\n"); -+ //debugOut("(pre) outputBuf: " + outDirectBuf + "\n"); -+ -+ startTime = System.nanoTime(); -+ cipher.update(inBuf, outDirectBuf); -+ cipher.doFinal(inBuf, outDirectBuf); -+ endTime = System.nanoTime(); -+ perfOut("non-direct InBuf + direct OutBuf: " + -+ (endTime - startTime)); -+ -+ //debugOut("(post) inputBuf: " + inBuf + "\n"); -+ //debugOut("(post) outputBuf: " + outDirectBuf + "\n"); -+ match(outDirectBuf, answer); -+ -+ debugBuf = null; -+ } -+ -+ private static void perfOut(String msg) { -+ if (debugBuf != null) { -+ debugBuf.append("PERF>" + msg); -+ } -+ } -+ -+ private static void debugOut(String msg) { -+ if (debugBuf != null) { -+ debugBuf.append(msg); -+ } -+ } -+ -+ private static void match(byte[] b1, byte[] b2) throws Exception { -+ if (b1.length != b2.length) { -+ debugOut("got len : " + b1.length + "\n"); -+ debugOut("expect len: " + b2.length + "\n"); -+ throw new Exception("mismatch - different length! got: " + b1.length + ", expect: " + b2.length + "\n"); -+ } else { -+ for (int i = 0; i < b1.length; i++) { -+ if (b1[i] != b2[i]) { -+ debugOut("got : " + toString(b1) + "\n"); -+ debugOut("expect: " + toString(b2) + "\n"); -+ throw new Exception("mismatch"); -+ } -+ } -+ } -+ } -+ -+ private static void match(ByteBuffer bb, byte[] answer) throws Exception { -+ byte[] bbTemp = new byte[bb.position()]; -+ bb.position(0); -+ bb.get(bbTemp, 0, bbTemp.length); -+ match(bbTemp, answer); -+ } -+ -+ public static void main(String[] args) throws Exception { -+ main(new TestSymmCiphers()); -+ } -+} diff -Nru openjdk-6-6b37-1.13.9/patches/openjdk/p11cipher-6867345-turkish_regional_options_cause_npe_in_algoid.patch openjdk-6-6b38-1.13.10/patches/openjdk/p11cipher-6867345-turkish_regional_options_cause_npe_in_algoid.patch --- openjdk-6-6b37-1.13.9/patches/openjdk/p11cipher-6867345-turkish_regional_options_cause_npe_in_algoid.patch 2015-11-11 03:26:01.000000000 +0000 +++ openjdk-6-6b38-1.13.10/patches/openjdk/p11cipher-6867345-turkish_regional_options_cause_npe_in_algoid.patch 1970-01-01 00:00:00.000000000 +0000 @@ -1,328 +0,0 @@ -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/krb5/Credentials.java openjdk/jdk/src/share/classes/sun/security/krb5/Credentials.java ---- openjdk.orig/jdk/src/share/classes/sun/security/krb5/Credentials.java 2015-10-26 18:40:10.645524086 +0000 -+++ openjdk/jdk/src/share/classes/sun/security/krb5/Credentials.java 2015-10-27 01:13:22.017703153 +0000 -@@ -35,6 +35,7 @@ - import sun.security.krb5.internal.crypto.EType; - import java.io.IOException; - import java.util.Date; -+import java.util.Locale; - import java.net.InetAddress; - - /** -@@ -268,7 +269,7 @@ - // The default ticket cache on Windows is not a file. - String os = java.security.AccessController.doPrivileged( - new sun.security.action.GetPropertyAction("os.name")); -- if (os.toUpperCase().startsWith("WINDOWS")) { -+ if (os.toUpperCase(Locale.ENGLISH).startsWith("WINDOWS")) { - Credentials creds = acquireDefaultCreds(); - if (creds == null) { - if (DEBUG) { -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs/PKCS9Attribute.java openjdk/jdk/src/share/classes/sun/security/pkcs/PKCS9Attribute.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs/PKCS9Attribute.java 2015-10-26 18:40:10.741522482 +0000 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs/PKCS9Attribute.java 2015-10-27 01:13:09.697910241 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1997, 2006, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -28,6 +28,7 @@ - import java.io.IOException; - import java.io.OutputStream; - import java.security.cert.CertificateException; -+import java.util.Locale; - import java.util.Date; - import java.util.Hashtable; - import sun.security.x509.CertificateExtensions; -@@ -742,7 +743,7 @@ - * the name. - */ - public static ObjectIdentifier getOID(String name) { -- return NAME_OID_TABLE.get(name.toLowerCase()); -+ return NAME_OID_TABLE.get(name.toLowerCase(Locale.ENGLISH)); - } - - /** -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java 2015-10-27 00:25:34.802092132 +0000 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Cipher.java 2015-10-27 01:13:09.701910173 +0000 -@@ -26,6 +26,7 @@ - - import java.nio.ByteBuffer; - import java.util.Arrays; -+import java.util.Locale; - - import java.security.*; - import java.security.spec.*; -@@ -201,7 +202,7 @@ - } - - private int parseMode(String mode) throws NoSuchAlgorithmException { -- mode = mode.toUpperCase(); -+ mode = mode.toUpperCase(Locale.ENGLISH); - int result; - if (mode.equals("ECB")) { - result = MODE_ECB; -@@ -222,7 +223,7 @@ - throws NoSuchPaddingException { - paddingObj = null; - padBuffer = null; -- padding = padding.toUpperCase(); -+ padding = padding.toUpperCase(Locale.ENGLISH); - if (padding.equals("NOPADDING")) { - paddingType = PAD_NONE; - } else if (padding.equals("PKCS5PADDING")) { -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java openjdk/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java ---- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java 2015-10-27 00:25:35.530079682 +0000 -+++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11RSACipher.java 2015-10-27 01:13:09.701910173 +0000 -@@ -29,6 +29,8 @@ - import java.security.spec.AlgorithmParameterSpec; - import java.security.spec.*; - -+import java.util.Locale; -+ - import javax.crypto.*; - import javax.crypto.spec.*; - -@@ -118,7 +120,7 @@ - - protected void engineSetPadding(String padding) - throws NoSuchPaddingException { -- String lowerPadding = padding.toLowerCase(); -+ String lowerPadding = padding.toLowerCase(Locale.ENGLISH); - if (lowerPadding.equals("pkcs1Padding")) { - // empty - } else { -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/provider/certpath/URICertStore.java openjdk/jdk/src/share/classes/sun/security/provider/certpath/URICertStore.java ---- openjdk.orig/jdk/src/share/classes/sun/security/provider/certpath/URICertStore.java 2015-10-26 18:40:10.833520945 +0000 -+++ openjdk/jdk/src/share/classes/sun/security/provider/certpath/URICertStore.java 2015-10-27 01:13:09.701910173 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2006, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2006, 2010 Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -50,6 +50,7 @@ - import java.util.Collection; - import java.util.Collections; - import java.util.List; -+import java.util.Locale; - import sun.security.x509.AccessDescription; - import sun.security.x509.GeneralNameInterface; - import sun.security.x509.URIName; -@@ -134,7 +135,7 @@ - } - this.uri = ((URICertStoreParameters) params).uri; - // if ldap URI, use an LDAPCertStore to fetch certs and CRLs -- if (uri.getScheme().toLowerCase().equals("ldap")) { -+ if (uri.getScheme().toLowerCase(Locale.ENGLISH).equals("ldap")) { - ldap = true; - ldapCertStore = - LDAPCertStore.getInstance(LDAPCertStore.getParameters(uri)); -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/util/Debug.java openjdk/jdk/src/share/classes/sun/security/util/Debug.java ---- openjdk.orig/jdk/src/share/classes/sun/security/util/Debug.java 2015-10-26 18:40:10.933519274 +0000 -+++ openjdk/jdk/src/share/classes/sun/security/util/Debug.java 2015-10-27 01:13:09.701910173 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1998, 2007, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1998, 2010, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -28,6 +28,7 @@ - import java.math.BigInteger; - import java.util.regex.Pattern; - import java.util.regex.Matcher; -+import java.util.Locale; - - /** - * A utility class for debuging. -@@ -262,7 +263,7 @@ - source = left; - - // convert the rest to lower-case characters -- target.append(source.toString().toLowerCase()); -+ target.append(source.toString().toLowerCase(Locale.ENGLISH)); - - return target.toString(); - } -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/x509/AlgorithmId.java openjdk/jdk/src/share/classes/sun/security/x509/AlgorithmId.java ---- openjdk.orig/jdk/src/share/classes/sun/security/x509/AlgorithmId.java 2015-10-26 18:40:10.973518606 +0000 -+++ openjdk/jdk/src/share/classes/sun/security/x509/AlgorithmId.java 2015-10-27 01:13:09.701910173 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1996, 2006, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -541,9 +541,10 @@ - for (Enumeration enum_ = provs[i].keys(); - enum_.hasMoreElements(); ) { - String alias = (String)enum_.nextElement(); -+ String upperCaseAlias = alias.toUpperCase(Locale.ENGLISH); - int index; -- if (alias.toUpperCase().startsWith("ALG.ALIAS") && -- (index=alias.toUpperCase().indexOf("OID.", 0)) != -1) { -+ if (upperCaseAlias.startsWith("ALG.ALIAS") && -+ (index=upperCaseAlias.indexOf("OID.", 0)) != -1) { - index += "OID.".length(); - if (index == alias.length()) { - // invalid alias entry -@@ -553,19 +554,26 @@ - oidTable = new HashMap(); - } - oidString = alias.substring(index); -- String stdAlgName -- = provs[i].getProperty(alias).toUpperCase(); -- if (oidTable.get(stdAlgName) == null) { -+ String stdAlgName = provs[i].getProperty(alias); -+ if (stdAlgName != null) { -+ stdAlgName = stdAlgName.toUpperCase(Locale.ENGLISH); -+ } -+ if (stdAlgName != null && -+ oidTable.get(stdAlgName) == null) { - oidTable.put(stdAlgName, - new ObjectIdentifier(oidString)); - } - } - } - } -+ -+ if (oidTable == null) { -+ oidTable = new HashMap(1); -+ } - initOidTable = true; - } - -- return oidTable.get(name.toUpperCase()); -+ return oidTable.get(name.toUpperCase(Locale.ENGLISH)); - } - - private static ObjectIdentifier oid(int ... values) { -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/x509/AVA.java openjdk/jdk/src/share/classes/sun/security/x509/AVA.java ---- openjdk.orig/jdk/src/share/classes/sun/security/x509/AVA.java 2015-10-26 18:40:10.973518606 +0000 -+++ openjdk/jdk/src/share/classes/sun/security/x509/AVA.java 2015-10-27 01:13:09.701910173 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1996, 2006, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1996, 2010, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -1222,7 +1222,7 @@ - (String keyword, int standard, Map extraKeywordMap) - throws IOException { - -- keyword = keyword.toUpperCase(); -+ keyword = keyword.toUpperCase(Locale.ENGLISH); - if (standard == AVA.RFC2253) { - if (keyword.startsWith(" ") || keyword.endsWith(" ")) { - throw new IOException("Invalid leading or trailing space " + -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/x509/DNSName.java openjdk/jdk/src/share/classes/sun/security/x509/DNSName.java ---- openjdk.orig/jdk/src/share/classes/sun/security/x509/DNSName.java 2015-10-26 18:40:10.985518405 +0000 -+++ openjdk/jdk/src/share/classes/sun/security/x509/DNSName.java 2015-10-27 01:13:09.701910173 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1997, 2000, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -26,6 +26,7 @@ - package sun.security.x509; - - import java.io.IOException; -+import java.util.Locale; - - import sun.security.util.*; - -@@ -198,8 +199,9 @@ - else if (inputName.getType() != NAME_DNS) - constraintType = NAME_DIFF_TYPE; - else { -- String inName = (((DNSName)inputName).getName()).toLowerCase(); -- String thisName = name.toLowerCase(); -+ String inName = -+ (((DNSName)inputName).getName()).toLowerCase(Locale.ENGLISH); -+ String thisName = name.toLowerCase(Locale.ENGLISH); - if (inName.equals(thisName)) - constraintType = NAME_MATCH; - else if (thisName.endsWith(inName)) { -diff -Nru openjdk.orig/jdk/src/share/classes/sun/security/x509/RFC822Name.java openjdk/jdk/src/share/classes/sun/security/x509/RFC822Name.java ---- openjdk.orig/jdk/src/share/classes/sun/security/x509/RFC822Name.java 2015-10-26 18:40:11.001518138 +0000 -+++ openjdk/jdk/src/share/classes/sun/security/x509/RFC822Name.java 2015-10-27 01:13:09.701910173 +0000 -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 1997, 2000, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 1997, 2010, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -26,6 +26,7 @@ - package sun.security.x509; - - import java.io.IOException; -+import java.util.Locale; - - import sun.security.util.*; - -@@ -187,8 +188,9 @@ - constraintType = NAME_DIFF_TYPE; - } else { - //RFC2459 specifies that case is not significant in RFC822Names -- String inName = (((RFC822Name)inputName).getName()).toLowerCase(); -- String thisName = name.toLowerCase(); -+ String inName = -+ (((RFC822Name)inputName).getName()).toLowerCase(Locale.ENGLISH); -+ String thisName = name.toLowerCase(Locale.ENGLISH); - if (inName.equals(thisName)) { - constraintType = NAME_MATCH; - } else if (thisName.endsWith(inName)) { -diff -Nru openjdk.orig/jdk/test/sun/security/x509/AlgorithmId/TurkishRegion.java openjdk/jdk/test/sun/security/x509/AlgorithmId/TurkishRegion.java ---- openjdk.orig/jdk/test/sun/security/x509/AlgorithmId/TurkishRegion.java 1970-01-01 01:00:00.000000000 +0100 -+++ openjdk/jdk/test/sun/security/x509/AlgorithmId/TurkishRegion.java 2015-10-27 01:13:09.701910173 +0000 -@@ -0,0 +1,40 @@ -+/* -+ * Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+/* -+ * @test -+ * @bug 6867345 -+ * @summary Turkish regional options cause NPE in -+ * sun.security.x509.AlgorithmId.algOID -+ * @run main/othervm -Duser.language=tr -Duser.region=TR TurkishRegion -+ * @author Xuelei Fan -+ */ -+ -+import sun.security.x509.*; -+ -+public class TurkishRegion { -+ -+ public static void main(String[] args) throws Exception { -+ AlgorithmId algId = AlgorithmId.get("PBEWITHMD5ANDDES"); -+ } -+}