8253866: Security Libs Terminology Refresh

Reviewed-by: mdoerr Backport-of: 8554fe6
openjdk · Sep 28, 2021 · 9121f555c54be40cb9c99af4296bded6bed3d2a3 · 9121f55 · openjdk-notifier · Sep 28, 2021
1 parent d3a8a9e
commit 9121f555c54be40cb9c99af4296bded6bed3d2a3
Showing 15 changed files with 72 additions and 70 deletions.
diff --git a/make/ToolsJdk.gmk b/make/ToolsJdk.gmk
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2011, 2020, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2011, 2021, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -73,9 +73,9 @@ TOOL_HASHER = $(JAVA_SMALL) -cp $(BUILDTOOLS_OUTPUTDIR)/jdk_tools_classes \
 TOOL_TZDB = $(JAVA_SMALL) -cp $(BUILDTOOLS_OUTPUTDIR)/jdk_tools_classes \
     build.tools.tzdb.TzdbZoneRulesCompiler
 
-TOOL_BLACKLISTED_CERTS = $(JAVA_SMALL) -cp $(BUILDTOOLS_OUTPUTDIR)/jdk_tools_classes \
+TOOL_BLOCKED_CERTS = $(JAVA_SMALL) -cp $(BUILDTOOLS_OUTPUTDIR)/jdk_tools_classes \
     --add-exports java.base/sun.security.util=ALL-UNNAMED \
-    build.tools.blacklistedcertsconverter.BlacklistedCertsConverter
+    build.tools.blockedcertsconverter.BlockedCertsConverter
 
 TOOL_MAKEJAVASECURITY = $(JAVA_SMALL) -cp $(BUILDTOOLS_OUTPUTDIR)/jdk_tools_classes \
     build.tools.makejavasecurity.MakeJavaSecurity

diff --git a/...istedcertsconverter/blacklisted.certs.pem → ...a/blockedcertsconverter/blocked.certs.pem b/...istedcertsconverter/blacklisted.certs.pem → ...a/blockedcertsconverter/blocked.certs.pem
@@ -1,4 +1,4 @@
-#! java BlacklistedCertsConverter SHA-256
+#! java BlockedCertsConverter SHA-256
 
 # The line above must be the first line of this file. Do not
 # remove it.

diff --git a/make/gendata/Gendata-java.base.gmk b/make/gendata/Gendata-java.base.gmk
@@ -32,7 +32,7 @@ include GendataBreakIterator.gmk
 
 include GendataTZDB.gmk
 
-include GendataBlacklistedCerts.gmk
+include GendataBlockedCerts.gmk
 
 include GendataCryptoPolicy.gmk
 

diff --git a/make/gendata/GendataBlacklistedCerts.gmk → make/gendata/GendataBlockedCerts.gmk b/make/gendata/GendataBlacklistedCerts.gmk → make/gendata/GendataBlockedCerts.gmk
@@ -1,5 +1,5 @@
 #
-# Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2014, 2021, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -23,14 +23,14 @@
 # questions.
 #
 
-$(eval $(call IncludeCustomExtension, gendata/GendataBlacklistedCerts.gmk))
+$(eval $(call IncludeCustomExtension, gendata/GendataBlockedCerts.gmk))
 
-GENDATA_BLACKLISTED_CERTS_SRC += $(TOPDIR)/make/data/blacklistedcertsconverter/blacklisted.certs.pem
-GENDATA_BLACKLISTED_CERTS := $(SUPPORT_OUTPUTDIR)/modules_libs/$(MODULE)/security/blacklisted.certs
+GENDATA_BLOCKED_CERTS_SRC += $(TOPDIR)/make/data/blockedcertsconverter/blocked.certs.pem
+GENDATA_BLOCKED_CERTS := $(SUPPORT_OUTPUTDIR)/modules_libs/$(MODULE)/security/blocked.certs
 
-$(GENDATA_BLACKLISTED_CERTS): $(BUILD_TOOLS_JDK) $(GENDATA_BLACKLISTED_CERTS_SRC)
-	$(call LogInfo, Generating blacklisted certs)
+$(GENDATA_BLOCKED_CERTS): $(BUILD_TOOLS_JDK) $(GENDATA_BLOCKED_CERTS_SRC)
+	$(call LogInfo, Generating blocked certs)
 	$(call MakeDir, $(@D))
-	($(CAT) $(GENDATA_BLACKLISTED_CERTS_SRC) | $(TOOL_BLACKLISTED_CERTS) > $@) || exit 1
+	($(CAT) $(GENDATA_BLOCKED_CERTS_SRC) | $(TOOL_BLOCKED_CERTS) > $@) || exit 1
 
-TARGETS += $(GENDATA_BLACKLISTED_CERTS)
+TARGETS += $(GENDATA_BLOCKED_CERTS)
diff --git a/...sconverter/BlacklistedCertsConverter.java → ...certsconverter/BlockedCertsConverter.java b/...sconverter/BlacklistedCertsConverter.java → ...certsconverter/BlockedCertsConverter.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,7 +23,7 @@
  * questions.
  */
 
-package build.tools.blacklistedcertsconverter;
+package build.tools.blockedcertsconverter;
 
 import java.io.IOException;
 import java.math.BigInteger;
@@ -45,15 +45,15 @@
 import sun.security.util.DerValue;
 
 /**
- * Converts blacklisted.certs.pem from System.in to blacklisted.certs in
+ * Converts blocked.certs.pem from System.in to blocked.certs in
  * System.out. The input must start with a #! line including the fingerprint
  * algorithm. The output is sorted and unique.
  */
-public class BlacklistedCertsConverter {
+public class BlockedCertsConverter {
 
     public static void main(String[] args) throws Exception {
 
-        byte[] pattern = "#! java BlacklistedCertsConverter ".getBytes();
+        byte[] pattern = "#! java BlockedCertsConverter ".getBytes();
         String mdAlg = "";
 
         for (int i=0; ; i++) {

diff --git a/make/scripts/compare.sh b/make/scripts/compare.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright (c) 2012, 2020, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2012, 2021, Oracle and/or its affiliates. All rights reserved.
 # DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 #
 # This code is free software; you can redistribute it and/or modify it
@@ -1044,7 +1044,7 @@ compare_all_execs() {
             -o -name '*.zip' -o -name '*.jimage' -o -name '*.java' -o -name '*.mf' \
             -o -name '*.jpg' -o -name '*.wsdl' -o -name '*.js' -o -name '*.sh' \
             -o -name '*.bat' -o -name '*LICENSE' -o -name '*.d' -o -name '*store' \
-            -o -name 'blacklist' -o -name '*certs' -o -name '*.ttf' \
+            -o -name 'blocked' -o -name '*certs' -o -name '*.ttf' \
             -o -name '*.jfc' -o -name '*.dat'  -o -name 'release' -o -name '*.dir'\
             -o -name '*.sym' -o -name '*.idl' -o -name '*.h' -o -name '*.access' \
             -o -name '*.template' -o -name '*.policy' -o -name '*.security' \

diff --git a/src/java.base/share/classes/com/sun/crypto/provider/JceKeyStore.java b/src/java.base/share/classes/com/sun/crypto/provider/JceKeyStore.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -549,7 +549,7 @@ public void engineStore(OutputStream stream, char[] password)
              *     }
              *
              * ended by a keyed SHA1 hash (bytes only) of
-             *     { password + whitener + preceding body }
+             *     { password + extra data + preceding body }
              */
 
             // password is mandatory when storing
@@ -895,7 +895,7 @@ public void engineLoad(InputStream stream, char[] password)
 
     /**
      * To guard against tampering with the keystore, we append a keyed
-     * hash with a bit of whitener.
+     * hash with a bit of extra data.
      */
     private MessageDigest getPreKeyedHash(char[] password)
     throws NoSuchAlgorithmException, UnsupportedEncodingException {

diff --git a/src/java.base/share/classes/java/util/jar/JarVerifier.java b/src/java.base/share/classes/java/util/jar/JarVerifier.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -93,7 +93,7 @@ class JarVerifier {
     /** makes code source singleton instances unique to us */
     private Object csdomain = new Object();
 
-    /** collect -DIGEST-MANIFEST values for blacklist */
+    /** collect -DIGEST-MANIFEST values for deny list */
     private List<Object> manifestDigests;
 
     public JarVerifier(String name, byte rawBytes[]) {

diff --git a/src/java.base/share/classes/sun/security/provider/JavaKeyStore.java b/src/java.base/share/classes/sun/security/provider/JavaKeyStore.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -536,7 +536,7 @@ public void engineStore(OutputStream stream, char[] password)
              *     }
              *
              * ended by a keyed SHA1 hash (bytes only) of
-             *     { password + whitener + preceding body }
+             *     { password + extra data + preceding body }
              */
 
             // password is mandatory when storing
@@ -802,7 +802,7 @@ public void engineLoad(InputStream stream, char[] password)
 
     /**
      * To guard against tampering with the keystore, we append a keyed
-     * hash with a bit of whitener.
+     * hash with a bit of extra data.
      */
     private MessageDigest getPreKeyedHash(char[] password)
         throws NoSuchAlgorithmException, UnsupportedEncodingException

diff --git a/src/java.base/share/classes/sun/security/util/UntrustedCertificates.java b/src/java.base/share/classes/sun/security/util/UntrustedCertificates.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2012, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -55,12 +55,12 @@ public final class UntrustedCertificates {
             @Override
             public Void run() {
                 File f = new File(StaticProperty.javaHome(),
-                        "lib/security/blacklisted.certs");
+                        "lib/security/blocked.certs");
                 try (FileInputStream fin = new FileInputStream(f)) {
                     props.load(fin);
                 } catch (IOException fnfe) {
                     if (debug != null) {
-                        debug.println("Error parsing blacklisted.certs");
+                        debug.println("Error parsing blocked.certs");
                     }
                 }
                 return null;

diff --git a/src/java.base/share/conf/security/java.security b/src/java.base/share/conf/security/java.security
@@ -450,21 +450,22 @@ networkaddress.cache.negative.ttl=10
 # Policy for failed Kerberos KDC lookups:
 #
 # When a KDC is unavailable (network error, service failure, etc), it is
-# put inside a blacklist and accessed less often for future requests. The
+# put inside a secondary list and accessed less often for future requests. The
 # value (case-insensitive) for this policy can be:
 #
 # tryLast
-#    KDCs in the blacklist are always tried after those not on the list.
+#    KDCs in the secondary list are always tried after those not on the list.
 #
 # tryLess[:max_retries,timeout]
-#    KDCs in the blacklist are still tried by their order in the configuration,
-#    but with smaller max_retries and timeout values. max_retries and timeout
-#    are optional numerical parameters (default 1 and 5000, which means once
-#    and 5 seconds). Please notes that if any of the values defined here is
-#    more than what is defined in krb5.conf, it will be ignored.
-#
-# Whenever a KDC is detected as available, it is removed from the blacklist.
-# The blacklist is reset when krb5.conf is reloaded. You can add
+#    KDCs in the secondary list are still tried by their order in the
+#    configuration, but with smaller max_retries and timeout values.
+#    max_retries and timeout are optional numerical parameters (default 1 and
+#    5000, which means once and 5 seconds). Please note that if any of the
+#    values defined here are more than what is defined in krb5.conf, it will be
+#    ignored.
+#
+# Whenever a KDC is detected as available, it is removed from the secondary
+# list. The secondary list is reset when krb5.conf is reloaded. You can add
 # refreshKrb5Config=true to a JAAS configuration file so that krb5.conf is
 # reloaded whenever a JAAS authentication is attempted.
 #

diff --git a/src/java.security.jgss/share/classes/sun/security/krb5/Config.java b/src/java.security.jgss/share/classes/sun/security/krb5/Config.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -1332,7 +1332,7 @@ private static String checkRealm(String mapRealm) {
     /**
      * Locate KDC using DNS
      *
-     * @param realm the realm for which the master KDC is desired
+     * @param realm the realm for which the primary KDC is desired
      * @return the KDC
      */
     private String getKDCFromDNS(String realm) throws KrbException {

diff --git a/src/java.security.jgss/share/classes/sun/security/krb5/KdcComm.java b/src/java.security.jgss/share/classes/sun/security/krb5/KdcComm.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -492,12 +492,12 @@ private static int parsePositiveIntString(String intString) {
 
     /**
      * Maintains a KDC accessible list. Unavailable KDCs are put into a
-     * blacklist, when a KDC in the blacklist is available, it's removed
-     * from there. No insertion order in the blacklist.
+     * secondary KDC list. When a KDC in the secondary list is available,
+     * it is removed from there. No insertion order in the secondary KDC list.
      *
-     * There are two methods to deal with KDCs in the blacklist. 1. Only try
-     * them when there's no KDC not on the blacklist. 2. Still try them, but
-     * with lesser number of retries and smaller timeout value.
+     * There are two methods to deal with KDCs in the secondary KDC list.
+     * 1. Only try them when they are the only known KDCs.
+     * 2. Still try them, but with fewer retries and a smaller timeout value.
      */
     static class KdcAccessibility {
         // Known bad KDCs

diff --git a/test/jdk/sun/security/krb5/auto/BogusKDC.java b/test/jdk/sun/security/krb5/auto/BogusKDC.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -34,8 +34,8 @@
 /*
  * @test
  * @bug 4515853 8075297 8194486
- * @summary Checks that Kerberos client tries slave KDC
- *          if master KDC is not responding
+ * @summary Checks that Kerberos client tries replica KDC
+ *          if primary KDC is not responding
  * @library /test/lib
  * @run main jdk.test.lib.FileInstaller TestHosts TestHosts
  * @run main/othervm -Djdk.net.hosts.file=TestHosts BogusKDC
@@ -80,8 +80,8 @@ public static void main(String[] args) throws LoginException, IOException {
         CallbackHandler handler = new Helper.UserPasswordHandler(
                 USER, USER_PASSWORD);
 
-        // create a krb5 config with non-existing host for master KDC,
-        // and wrong port for slave KDC
+        // create a krb5 config with non-existing host for primary KDC,
+        // and wrong port for replica KDC
         try (PrintWriter w = new PrintWriter(new FileWriter(KRB5_CONF))) {
             w.write(String.format(KRB5_CONF_TEMPLATE,
                     KDC.NOT_EXISTING_HOST, WRONG_KDC_PORT));
@@ -96,8 +96,8 @@ public static void main(String[] args) throws LoginException, IOException {
             System.out.println("Expected login failure: " + le);
         }
 
-        // create a krb5 config with non-existing host for master KDC,
-        // but correct port for slave KDC
+        // create a krb5 config with non-existing host for primary KDC,
+        // but correct port for replica KDC
         try (PrintWriter w = new PrintWriter(new FileWriter(KRB5_CONF))) {
             w.write(String.format(KRB5_CONF_TEMPLATE,
                     KDC.NOT_EXISTING_HOST, kdc.getPort()));

diff --git a/...n/security/lib/CheckBlacklistedCerts.java → ...k/sun/security/lib/CheckBlockedCerts.java b/...n/security/lib/CheckBlacklistedCerts.java → ...k/sun/security/lib/CheckBlockedCerts.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2021, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -35,7 +35,7 @@
 import java.security.cert.*;
 import java.util.*;
 
-public class CheckBlacklistedCerts {
+public class CheckBlockedCerts {
     public static void main(String[] args) throws Exception {
 
         String home = System.getProperty("java.home");
@@ -57,29 +57,30 @@ public static void main(String[] args) throws Exception {
         }
 
         // All certs in the pem files
-        Set<Certificate> blacklisted = new HashSet<>();
+        Set<Certificate> blocked = new HashSet<>();
 
         // Assumes the full src is available
-        File blacklist = new File(System.getProperty("test.src"),
-                "../../../../../make/data/blacklistedcertsconverter/blacklisted.certs.pem");
+        File blockedCertsFile = new File(System.getProperty("test.src"),
+                "../../../../../make/data/blockedcertsconverter/blocked.certs.pem");
 
         CertificateFactory cf = CertificateFactory.getInstance("X.509");
-        try (FileInputStream fis = new FileInputStream(blacklist)) {
+        try (FileInputStream fis = new FileInputStream(blockedCertsFile)) {
             Collection<? extends Certificate> certs
                     = cf.generateCertificates(fis);
             System.out.println(certs.size());
             for (Certificate c: certs) {
-                blacklisted.add(c);
+                blocked.add(c);
                 X509Certificate cert = ((X509Certificate)c);
                 if (!UntrustedCertificates.isUntrusted(cert)) {
-                    System.out.println(cert.getSubjectDN() + " is trusted");
+                    System.out.println(cert.getSubjectX500Principal() +
+                            " is trusted");
                     failed = true;
                 }
             }
         }
 
-        // Check the blacklisted.certs file itself
-        file = new File(home, "lib/security/blacklisted.certs");
+        // Check the blocked.certs file itself
+        file = new File(home, "lib/security/blocked.certs");
         System.out.print("Check for " + file + ": ");
         try (BufferedReader reader = new BufferedReader(
                 new InputStreamReader(new FileInputStream(file)))) {
@@ -100,11 +101,11 @@ public static void main(String[] args) throws Exception {
                 failed = true;
             }
             // There are two unique fingerprints for each RSA certificate
-            if (ccount != blacklisted.size() * 2
-                    && !blacklisted.isEmpty()) {
-                System.out.println("Wrong blacklisted.certs size: "
+            if (ccount != blocked.size() * 2
+                    && !blocked.isEmpty()) {
+                System.out.println("Wrong blocked.certs size: "
                         + ccount + " fingerprints, "
-                        + blacklisted.size() + " certs");
+                        + blocked.size() + " certs");
                 failed = true;
             }
         }