sun.security.util: refactoring in DisabledAlgorithmConstraints
Port from jdk8u60: the class DisabledAlgorithmConstraints has been
refactored by doing the following changes:
- the class now extends from the abstract class AbstractAlgorithmConstraints
- the method decompose has been moved to the class AlgorithmDecomposer
- the logic for checking an algorithm in the method permits has been moved to
checkAlgorithm in AbstractAlgorithmConstraints
- the method loadDisabledAlgorithmsMap was replaced by loadAlgorithmsMap
in AbstractAlgorithmConstraints, except for populating the field
keySizeConstraints, which now happens in getKeySizeConstraints.
The possible cause of this refactoring was to avoid repeating code
with respect to a newly introduced class LegacyAlgorithmConstraints,
which is not used in Android and was not ported.
This code is exercised by tests.security.cert.X509CertSelectorTest
Bug: 29631070
Test: run cts -m CtsLibcoreTestCases
Change-Id: Icb8413bdce86dd25f61560622e9ff51159fe8368
diff --git a/ojluni/src/main/java/sun/security/util/AbstractAlgorithmConstraints.java b/ojluni/src/main/java/sun/security/util/AbstractAlgorithmConstraints.java
new file mode 100644
index 0000000..4c3efd9
--- /dev/null
+++ b/ojluni/src/main/java/sun/security/util/AbstractAlgorithmConstraints.java
@@ -0,0 +1,119 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.util;
+
+import java.security.AccessController;
+import java.security.AlgorithmConstraints;
+import java.security.PrivilegedAction;
+import java.security.Security;
+import java.util.Map;
+import java.util.Set;
+
+/**
+ * The class contains common functionality for algorithm constraints classes.
+ */
+public abstract class AbstractAlgorithmConstraints
+ implements AlgorithmConstraints {
+
+ protected final AlgorithmDecomposer decomposer;
+
+ protected AbstractAlgorithmConstraints(AlgorithmDecomposer decomposer) {
+ this.decomposer = decomposer;
+ }
+
+ // Get algorithm constraints from the specified security property.
+ private static void loadAlgorithmsMap(Map<String, String[]> algorithmsMap,
+ String propertyName) {
+ String property = AccessController.doPrivileged(
+ (PrivilegedAction<String>) () -> Security.getProperty(
+ propertyName));
+
+ String[] algorithmsInProperty = null;
+ if (property != null && !property.isEmpty()) {
+ // remove double quote marks from beginning/end of the property
+ if (property.charAt(0) == '"'
+ && property.charAt(property.length() - 1) == '"') {
+ property = property.substring(1, property.length() - 1);
+ }
+ algorithmsInProperty = property.split(",");
+ for (int i = 0; i < algorithmsInProperty.length;
+ i++) {
+ algorithmsInProperty[i] = algorithmsInProperty[i].trim();
+ }
+ }
+
+ // map the disabled algorithms
+ if (algorithmsInProperty == null) {
+ algorithmsInProperty = new String[0];
+ }
+ algorithmsMap.put(propertyName, algorithmsInProperty);
+ }
+
+ static String[] getAlgorithms(Map<String, String[]> algorithmsMap,
+ String propertyName) {
+ synchronized (algorithmsMap) {
+ if (!algorithmsMap.containsKey(propertyName)) {
+ loadAlgorithmsMap(algorithmsMap, propertyName);
+ }
+
+ return algorithmsMap.get(propertyName);
+ }
+ }
+
+ static boolean checkAlgorithm(String[] algorithms, String algorithm,
+ AlgorithmDecomposer decomposer) {
+ if (algorithm == null || algorithm.length() == 0) {
+ throw new IllegalArgumentException("No algorithm name specified");
+ }
+
+ Set<String> elements = null;
+ for (String item : algorithms) {
+ if (item == null || item.isEmpty()) {
+ continue;
+ }
+
+ // check the full name
+ if (item.equalsIgnoreCase(algorithm)) {
+ return false;
+ }
+
+ // decompose the algorithm into sub-elements
+ if (elements == null) {
+ elements = decomposer.decompose(algorithm);
+ }
+
+ // check the items of the algorithm
+ for (String element : elements) {
+ if (item.equalsIgnoreCase(element)) {
+ return false;
+ }
+ }
+ }
+
+ return true;
+ }
+
+}
diff --git a/ojluni/src/main/java/sun/security/util/AlgorithmDecomposer.java b/ojluni/src/main/java/sun/security/util/AlgorithmDecomposer.java
new file mode 100644
index 0000000..394b846
--- /dev/null
+++ b/ojluni/src/main/java/sun/security/util/AlgorithmDecomposer.java
@@ -0,0 +1,130 @@
+/*
+ * Copyright (c) 2015, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+package sun.security.util;
+
+import java.util.HashSet;
+import java.util.Set;
+import java.util.regex.Pattern;
+
+/**
+ * The class decomposes standard algorithms into sub-elements.
+ */
+public class AlgorithmDecomposer {
+
+ private static final Pattern transPattern = Pattern.compile("/");
+ private static final Pattern pattern =
+ Pattern.compile("with|and", Pattern.CASE_INSENSITIVE);
+
+ /**
+ * Decompose the standard algorithm name into sub-elements.
+ * <p>
+ * For example, we need to decompose "SHA1WithRSA" into "SHA1" and "RSA"
+ * so that we can check the "SHA1" and "RSA" algorithm constraints
+ * separately.
+ * <p>
+ * Please override the method if need to support more name pattern.
+ */
+ public Set<String> decompose(String algorithm) {
+ if (algorithm == null || algorithm.length() == 0) {
+ return new HashSet<>();
+ }
+
+ // algorithm/mode/padding
+ String[] transTockens = transPattern.split(algorithm);
+
+ Set<String> elements = new HashSet<>();
+ for (String transTocken : transTockens) {
+ if (transTocken == null || transTocken.length() == 0) {
+ continue;
+ }
+
+ // PBEWith<digest>And<encryption>
+ // PBEWith<prf>And<encryption>
+ // OAEPWith<digest>And<mgf>Padding
+ // <digest>with<encryption>
+ // <digest>with<encryption>and<mgf>
+ String[] tokens = pattern.split(transTocken);
+
+ for (String token : tokens) {
+ if (token == null || token.length() == 0) {
+ continue;
+ }
+
+ elements.add(token);
+ }
+ }
+
+ // In Java standard algorithm name specification, for different
+ // purpose, the SHA-1 and SHA-2 algorithm names are different. For
+ // example, for MessageDigest, the standard name is "SHA-256", while
+ // for Signature, the digest algorithm component is "SHA256" for
+ // signature algorithm "SHA256withRSA". So we need to check both
+ // "SHA-256" and "SHA256" to make the right constraint checking.
+
+ // handle special name: SHA-1 and SHA1
+ if (elements.contains("SHA1") && !elements.contains("SHA-1")) {
+ elements.add("SHA-1");
+ }
+ if (elements.contains("SHA-1") && !elements.contains("SHA1")) {
+ elements.add("SHA1");
+ }
+
+ // handle special name: SHA-224 and SHA224
+ if (elements.contains("SHA224") && !elements.contains("SHA-224")) {
+ elements.add("SHA-224");
+ }
+ if (elements.contains("SHA-224") && !elements.contains("SHA224")) {
+ elements.add("SHA224");
+ }
+
+ // handle special name: SHA-256 and SHA256
+ if (elements.contains("SHA256") && !elements.contains("SHA-256")) {
+ elements.add("SHA-256");
+ }
+ if (elements.contains("SHA-256") && !elements.contains("SHA256")) {
+ elements.add("SHA256");
+ }
+
+ // handle special name: SHA-384 and SHA384
+ if (elements.contains("SHA384") && !elements.contains("SHA-384")) {
+ elements.add("SHA-384");
+ }
+ if (elements.contains("SHA-384") && !elements.contains("SHA384")) {
+ elements.add("SHA384");
+ }
+
+ // handle special name: SHA-512 and SHA512
+ if (elements.contains("SHA512") && !elements.contains("SHA-512")) {
+ elements.add("SHA-512");
+ }
+ if (elements.contains("SHA-512") && !elements.contains("SHA512")) {
+ elements.add("SHA512");
+ }
+
+ return elements;
+ }
+
+}
diff --git a/ojluni/src/main/java/sun/security/util/DisabledAlgorithmConstraints.java b/ojluni/src/main/java/sun/security/util/DisabledAlgorithmConstraints.java
index 2a85501..05da9ba 100644
--- a/ojluni/src/main/java/sun/security/util/DisabledAlgorithmConstraints.java
+++ b/ojluni/src/main/java/sun/security/util/DisabledAlgorithmConstraints.java
@@ -25,15 +25,9 @@
package sun.security.util;
-import java.security.AlgorithmConstraints;
import java.security.CryptoPrimitive;
import java.security.AlgorithmParameters;
-
import java.security.Key;
-import java.security.Security;
-import java.security.PrivilegedAction;
-import java.security.AccessController;
-
import java.util.Locale;
import java.util.Set;
import java.util.Collections;
@@ -49,7 +43,7 @@
* See the "jdk.certpath.disabledAlgorithms" specification in java.security
* for the syntax of the disabled algorithm string.
*/
-public class DisabledAlgorithmConstraints implements AlgorithmConstraints {
+public class DisabledAlgorithmConstraints extends AbstractAlgorithmConstraints {
// the known security property, jdk.certpath.disabledAlgorithms
public final static String PROPERTY_CERTPATH_DISABLED_ALGS =
@@ -59,13 +53,13 @@
public final static String PROPERTY_TLS_DISABLED_ALGS =
"jdk.tls.disabledAlgorithms";
- private static Map<String, String[]> disabledAlgorithmsMap =
- Collections.synchronizedMap(new HashMap<String, String[]>());
- private static Map<String, KeySizeConstraints> keySizeConstraintsMap =
- Collections.synchronizedMap(new HashMap<String, KeySizeConstraints>());
+ private final static Map<String, String[]> disabledAlgorithmsMap =
+ new HashMap<>();
+ private final static Map<String, KeySizeConstraints> keySizeConstraintsMap =
+ new HashMap<>();
- private String[] disabledAlgorithms;
- private KeySizeConstraints keySizeConstraints;
+ private final String[] disabledAlgorithms;
+ private final KeySizeConstraints keySizeConstraints;
/**
* Initialize algorithm constraints with the specified security property.
@@ -74,54 +68,26 @@
* algorithm constraints
*/
public DisabledAlgorithmConstraints(String propertyName) {
- synchronized (disabledAlgorithmsMap) {
- if(!disabledAlgorithmsMap.containsKey(propertyName)) {
- loadDisabledAlgorithmsMap(propertyName);
- }
+ this(propertyName, new AlgorithmDecomposer());
+ }
- disabledAlgorithms = disabledAlgorithmsMap.get(propertyName);
- keySizeConstraints = keySizeConstraintsMap.get(propertyName);
- }
+ public DisabledAlgorithmConstraints(String propertyName,
+ AlgorithmDecomposer decomposer) {
+ super(decomposer);
+ disabledAlgorithms = getAlgorithms(disabledAlgorithmsMap, propertyName);
+ keySizeConstraints = getKeySizeConstraints(disabledAlgorithms,
+ propertyName);
}
@Override
final public boolean permits(Set<CryptoPrimitive> primitives,
String algorithm, AlgorithmParameters parameters) {
-
- if (algorithm == null || algorithm.length() == 0) {
- throw new IllegalArgumentException("No algorithm name specified");
- }
-
if (primitives == null || primitives.isEmpty()) {
throw new IllegalArgumentException(
"No cryptographic primitive specified");
}
- Set<String> elements = null;
- for (String disabled : disabledAlgorithms) {
- if (disabled == null || disabled.isEmpty()) {
- continue;
- }
-
- // check the full name
- if (disabled.equalsIgnoreCase(algorithm)) {
- return false;
- }
-
- // decompose the algorithm into sub-elements
- if (elements == null) {
- elements = decomposes(algorithm);
- }
-
- // check the items of the algorithm
- for (String element : elements) {
- if (disabled.equalsIgnoreCase(element)) {
- return false;
- }
- }
- }
-
- return true;
+ return checkAlgorithm(disabledAlgorithms, algorithm, decomposer);
}
@Override
@@ -140,98 +106,6 @@
return checkConstraints(primitives, algorithm, key, parameters);
}
- /**
- * Decompose the standard algorithm name into sub-elements.
- * <p>
- * For example, we need to decompose "SHA1WithRSA" into "SHA1" and "RSA"
- * so that we can check the "SHA1" and "RSA" algorithm constraints
- * separately.
- * <p>
- * Please override the method if need to support more name pattern.
- */
- protected Set<String> decomposes(String algorithm) {
- if (algorithm == null || algorithm.length() == 0) {
- return new HashSet<String>();
- }
-
- // algorithm/mode/padding
- Pattern transPattern = Pattern.compile("/");
- String[] transTockens = transPattern.split(algorithm);
-
- Set<String> elements = new HashSet<String>();
- for (String transTocken : transTockens) {
- if (transTocken == null || transTocken.length() == 0) {
- continue;
- }
-
- // PBEWith<digest>And<encryption>
- // PBEWith<prf>And<encryption>
- // OAEPWith<digest>And<mgf>Padding
- // <digest>with<encryption>
- // <digest>with<encryption>and<mgf>
- Pattern pattern =
- Pattern.compile("with|and", Pattern.CASE_INSENSITIVE);
- String[] tokens = pattern.split(transTocken);
-
- for (String token : tokens) {
- if (token == null || token.length() == 0) {
- continue;
- }
-
- elements.add(token);
- }
- }
-
- // In Java standard algorithm name specification, for different
- // purpose, the SHA-1 and SHA-2 algorithm names are different. For
- // example, for MessageDigest, the standard name is "SHA-256", while
- // for Signature, the digest algorithm component is "SHA256" for
- // signature algorithm "SHA256withRSA". So we need to check both
- // "SHA-256" and "SHA256" to make the right constraint checking.
-
- // handle special name: SHA-1 and SHA1
- if (elements.contains("SHA1") && !elements.contains("SHA-1")) {
- elements.add("SHA-1");
- }
- if (elements.contains("SHA-1") && !elements.contains("SHA1")) {
- elements.add("SHA1");
- }
-
- // handle special name: SHA-224 and SHA224
- if (elements.contains("SHA224") && !elements.contains("SHA-224")) {
- elements.add("SHA-224");
- }
- if (elements.contains("SHA-224") && !elements.contains("SHA224")) {
- elements.add("SHA224");
- }
-
- // handle special name: SHA-256 and SHA256
- if (elements.contains("SHA256") && !elements.contains("SHA-256")) {
- elements.add("SHA-256");
- }
- if (elements.contains("SHA-256") && !elements.contains("SHA256")) {
- elements.add("SHA256");
- }
-
- // handle special name: SHA-384 and SHA384
- if (elements.contains("SHA384") && !elements.contains("SHA-384")) {
- elements.add("SHA-384");
- }
- if (elements.contains("SHA-384") && !elements.contains("SHA384")) {
- elements.add("SHA384");
- }
-
- // handle special name: SHA-512 and SHA512
- if (elements.contains("SHA512") && !elements.contains("SHA-512")) {
- elements.add("SHA-512");
- }
- if (elements.contains("SHA-512") && !elements.contains("SHA512")) {
- elements.add("SHA512");
- }
-
- return elements;
- }
-
// Check algorithm constraints
private boolean checkConstraints(Set<CryptoPrimitive> primitives,
String algorithm, Key key, AlgorithmParameters parameters) {
@@ -261,43 +135,18 @@
return true;
}
- // Get disabled algorithm constraints from the specified security property.
- private static void loadDisabledAlgorithmsMap(
- final String propertyName) {
-
- String property = AccessController.doPrivileged(
- new PrivilegedAction<String>() {
- public String run() {
- return Security.getProperty(propertyName);
- }
- });
-
- String[] algorithmsInProperty = null;
-
- if (property != null && !property.isEmpty()) {
-
- // remove double quote marks from beginning/end of the property
- if (property.charAt(0) == '"' &&
- property.charAt(property.length() - 1) == '"') {
- property = property.substring(1, property.length() - 1);
+ private static KeySizeConstraints getKeySizeConstraints(
+ String[] disabledAlgorithms, String propertyName) {
+ synchronized (keySizeConstraintsMap) {
+ if(!keySizeConstraintsMap.containsKey(propertyName)) {
+ // map the key constraints
+ KeySizeConstraints keySizeConstraints =
+ new KeySizeConstraints(disabledAlgorithms);
+ keySizeConstraintsMap.put(propertyName, keySizeConstraints);
}
- algorithmsInProperty = property.split(",");
- for (int i = 0; i < algorithmsInProperty.length; i++) {
- algorithmsInProperty[i] = algorithmsInProperty[i].trim();
- }
+ return keySizeConstraintsMap.get(propertyName);
}
-
- // map the disabled algorithms
- if (algorithmsInProperty == null) {
- algorithmsInProperty = new String[0];
- }
- disabledAlgorithmsMap.put(propertyName, algorithmsInProperty);
-
- // map the key constraints
- KeySizeConstraints keySizeConstraints =
- new KeySizeConstraints(algorithmsInProperty);
- keySizeConstraintsMap.put(propertyName, keySizeConstraints);
}
/**
diff --git a/openjdk_java_files.mk b/openjdk_java_files.mk
index 1108120..47227ac 100644
--- a/openjdk_java_files.mk
+++ b/openjdk_java_files.mk
@@ -1473,6 +1473,8 @@
ojluni/src/main/java/sun/security/provider/certpath/X509CertificatePair.java \
ojluni/src/main/java/sun/security/provider/X509Factory.java \
ojluni/src/main/java/sun/security/timestamp/TimestampToken.java \
+ ojluni/src/main/java/sun/security/util/AbstractAlgorithmConstraints.java \
+ ojluni/src/main/java/sun/security/util/AlgorithmDecomposer.java \
ojluni/src/main/java/sun/security/util/BitArray.java \
ojluni/src/main/java/sun/security/util/ByteArrayLexOrder.java \
ojluni/src/main/java/sun/security/util/ByteArrayTagOrder.java \