Fix PKCS12 and BKS KeyStore as well as SSL renegotiation
Summary:
- Added KeyStoreTest and fixed PKCS and BKS keystores to be fully functional
- KeyStore and KeyStoreImpl improvements in libcore and bouncycastle for more RI-like behavior
- SSL Renegotiation fix for new implementation
Details:
external/bouncycastle
TwoFish added back for BKS KeyStore. Like RC2, it not supported as
a general cipher, but instead used internally for KeyStore
implementation.
src/main/java/org/bouncycastle/crypto/engines/TwofishEngine.java
bouncycastle.config
Added back PBEWITHSHAANDTWOFISH, PBEWITHSHAANDTWOFISH-CBC,
PBEWITHSHA1ANDRC2-CBC, PBEWITHHMACSHA, PBEWITHHMACSHA1 to support
PKCS12 and BKS KeyStore implementations (as determined by new
KeyStoreTest)
src/main/java/org/bouncycastle/jce/provider/BouncyCastleProvider.java
src/main/java/org/bouncycastle/jce/provider/JCEBlockCipher.java
src/main/java/org/bouncycastle/jce/provider/JCEMac.java
src/main/java/org/bouncycastle/jce/provider/JCESecretKeyFactory.java
Don't throw an error when deleting a non-existing KeyStore entry. The
RI documentation (and behavior) says it throws an error when it fails
to remove an entry, not when the entry does not exist.
src/main/java/org/bouncycastle/jce/provider/JDKKeyStore.java
src/main/java/org/bouncycastle/jce/provider/JDKPKCS12KeyStore.java
Try to make BC's PKCS KeyStore have a more RI-like getCreationDate behavior
src/main/java/org/bouncycastle/jce/provider/JDKPKCS12KeyStore.java
Make BC's PKCS KeyStore failfast on setting non-supported key,
instead of failing later on get.
src/main/java/org/bouncycastle/jce/provider/JDKPKCS12KeyStore.java
Make BC's PKCS KeyStore handle setting a PrivateKey with an emtpy chain.
src/main/java/org/bouncycastle/jce/provider/JDKPKCS12KeyStore.java
Add more general avoidance of NullPointerExceptions on null aliases
src/main/java/org/bouncycastle/jce/provider/JDKPKCS12KeyStore.java
Added notes about changes improvements
patches/README
Regenerated patch with above changes
patches/android.patch
libcore
KeyStore improvements based on KeyStoreTest
- Fix UnrecoverableKeyException to be a subclass of
UnrecoverableEntryException, which was keeping the new
KeyStoreTest from compiling.
luni/src/main/java/java/security/UnrecoverableKeyException.java
- Fix to not convert UnrecoverableKeyException to KeyStoreException,
which was only being done because of the UnrecoverableKeyException
superclass bug.
luni/src/main/java/java/security/KeyStoreSpi.java
- Harmony KeyStore was being overly aggresive about throwing on null
alias arguments in cases where the RI was happy to pass them to the
KeyStoreSpi.
luni/src/main/java/java/security/KeyStore.java
- New test after PKCS12 regresion. It enumerates and excercises
all methods on all available KeyStore
implementations. Unfortunately, the main varieties of KeyStores
made this a lot more complicated than I was originally
expecting. It does clarifiy the differences between the RI and
BC KeyStore implementations, especially for PKCS12, where in
some ways the RI is more feature complete (setting key via
byte[]), but in other ways BC goes beyond some RI limitations
(allowing storage of certificates).
luni/src/test/java/java/security/KeyStoreTest.java
TestKeyStore improvements while writing KeyStoreTest
- Renamed "keyStorePassword" working usages to clarify if it really
means the "storePassword" on the whole KeyStore, or if it is a
"keyPassword" on individual keys.
- Moved TestKeyStore from javax.net.ssl to java.security
luni/src/test/java/javax/net/ssl/SSLContextTest.java
luni/src/test/java/javax/net/ssl/SSLEngineTest.java
luni/src/test/java/javax/net/ssl/SSLSessionTest.java
luni/src/test/java/javax/net/ssl/SSLSocketTest.java
support/src/test/java/java/security/StandardNames.java
support/src/test/java/java/security/TestKeyStore.java
support/src/test/java/javax/net/ssl/TestKeyStore.java
support/src/test/java/javax/net/ssl/TestSSLContext.java
Fixing up SSL renegotiation support. Now that we are not trying to
prevent renegotiation, make sure it is working correctly.
- Remove SSL_VERIFY_CLIENT_ONCE to take the default behavior of
re-requesting client certificate on renegotiation.
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
- Updated comments to reflect renegotiation. Bug fix to not clear
out callback reference on handshake complete, since we need it for
renegotiation.
luni/src/main/native/NativeCrypto.cpp
Updated for PKCS12 KeyStore support
support/src/test/java/java/security/StandardNames.java
Added javadoc when writint KeyStoreTest
luni/src/test/java/java/security/ProviderTest.java
frameworks/base
Tracking changes to UnrecoverableKeyException superclass
api/8.xml
api/current.xml
Change-Id: I6349dbfc02896417595b52e364ade8000b567615
15 files changed