Skip to content

/ mobile

Permalink
Browse files

8231139: Improved keystore support 

Reviewed-by: mullan, ahgross
  • Loading branch information
@wangweij
wangweij committed Oct 9, 2019
1 parent af20c6b commit f3815c85a1134f832075b29cdecb7a440e9e45a2
61 src/java.base/share/classes/com/sun/crypto/provider/JceKeyStore.java
View file
@@ -26,6 +26,7 @@
package com.sun.crypto.provider;

import sun.security.util.Debug;
import sun.security.util.IOUtils;

import java.io.*;
import java.util.*;
@@ -73,7 +74,7 @@
private static final class PrivateKeyEntry {
Date date; // the creation date of this entry
byte[] protectedKey;
Certificate chain[];
Certificate[] chain;
};

// Secret key
@@ -742,51 +743,36 @@ public void engineLoad(InputStream stream, char[] password)
entry.date = new Date(dis.readLong());

// read the private key
try {
entry.protectedKey = new byte[dis.readInt()];
} catch (OutOfMemoryError e) {
throw new IOException("Keysize too big");
}
dis.readFully(entry.protectedKey);
entry.protectedKey = IOUtils.readExactlyNBytes(dis, dis.readInt());

// read the certificate chain
int numOfCerts = dis.readInt();
try {
if (numOfCerts > 0) {
entry.chain = new Certificate[numOfCerts];
}
} catch (OutOfMemoryError e) {
throw new IOException("Too many certificates in "
+ "chain");
}
List<Certificate> tmpCerts = new ArrayList<>();
for (int j = 0; j < numOfCerts; j++) {
if (xVersion == 2) {
// read the certificate type, and instantiate a
// certificate factory of that type (reuse
// existing factory if possible)
String certType = dis.readUTF();
if (cfs.containsKey(certType)) {
// reuse certificate factory
// reuse certificate factory
cf = cfs.get(certType);
} else {
// create new certificate factory
// create new certificate factory
cf = CertificateFactory.getInstance(
certType);
// store the certificate factory so we can
// reuse it later
// store the certificate factory so we can
// reuse it later
cfs.put(certType, cf);
}
}
// instantiate the certificate
try {
encoded = new byte[dis.readInt()];
} catch (OutOfMemoryError e) {
throw new IOException("Certificate too big");
}
dis.readFully(encoded);
encoded = IOUtils.readExactlyNBytes(dis, dis.readInt());
bais = new ByteArrayInputStream(encoded);
entry.chain[j] = cf.generateCertificate(bais);
tmpCerts.add(cf.generateCertificate(bais));
}
entry.chain = tmpCerts.toArray(
new Certificate[numOfCerts]);

// Add the entry to the list
entries.put(alias, entry);
@@ -818,12 +804,7 @@ public void engineLoad(InputStream stream, char[] password)
cfs.put(certType, cf);
}
}
try {
encoded = new byte[dis.readInt()];
} catch (OutOfMemoryError e) {
throw new IOException("Certificate too big");
}
dis.readFully(encoded);
encoded = IOUtils.readExactlyNBytes(dis, dis.readInt());
bais = new ByteArrayInputStream(encoded);
entry.cert = cf.generateCertificate(bais);

@@ -882,18 +863,14 @@ public void engineLoad(InputStream stream, char[] password)
* with
*/
if (password != null) {
byte computed[], actual[];
computed = md.digest();
actual = new byte[computed.length];
dis.readFully(actual);
for (int i = 0; i < computed.length; i++) {
if (computed[i] != actual[i]) {
throw new IOException(
byte[] computed = md.digest();
byte[] actual = IOUtils.readExactlyNBytes(dis, computed.length);
if (!MessageDigest.isEqual(computed, actual)) {
throw new IOException(
"Keystore was tampered with, or "
+ "password was incorrect",
new UnrecoverableKeyException(
"Password verification failed"));
}
new UnrecoverableKeyException(
"Password verification failed"));
}
}
} finally {
2 src/java.base/share/classes/java/security/CodeSource.java
View file
@@ -598,7 +598,7 @@ private void readObject(java.io.ObjectInputStream ois)
cfs.put(certType, cf);
}
// parse the certificate
byte[] encoded = IOUtils.readNBytes(ois, ois.readInt());
byte[] encoded = IOUtils.readExactlyNBytes(ois, ois.readInt());
ByteArrayInputStream bais = new ByteArrayInputStream(encoded);
try {
certList.add(cf.generateCertificate(bais));
2 src/java.base/share/classes/java/security/UnresolvedPermission.java
View file
@@ -594,7 +594,7 @@ private void readObject(java.io.ObjectInputStream ois)
cfs.put(certType, cf);
}
// parse the certificate
byte[] encoded = IOUtils.readNBytes(ois, ois.readInt());
byte[] encoded = IOUtils.readExactlyNBytes(ois, ois.readInt());
ByteArrayInputStream bais = new ByteArrayInputStream(encoded);
try {
certList.add(cf.generateCertificate(bais));
2 src/java.base/share/classes/java/security/cert/CertificateRevokedException.java
View file
@@ -244,7 +244,7 @@ private void readObject(ObjectInputStream ois)
for (int i = 0; i < size; i++) {
String oid = (String) ois.readObject();
boolean critical = ois.readBoolean();
byte[] extVal = IOUtils.readNBytes(ois, ois.readInt());
byte[] extVal = IOUtils.readExactlyNBytes(ois, ois.readInt());
Extension ext = sun.security.x509.Extension.newExtension
(new ObjectIdentifier(oid), critical, extVal);
extensions.put(oid, ext);
19 src/java.base/share/classes/sun/security/provider/JavaKeyStore.java
View file
@@ -697,7 +697,7 @@ public void engineLoad(InputStream stream, char[] password)

// Read the private key
entry.protectedPrivKey =
IOUtils.readFully(dis, dis.readInt(), true);
IOUtils.readExactlyNBytes(dis, dis.readInt());

// Read the certificate chain
int numOfCerts = dis.readInt();
@@ -722,7 +722,7 @@ public void engineLoad(InputStream stream, char[] password)
}
}
// instantiate the certificate
encoded = IOUtils.readFully(dis, dis.readInt(), true);
encoded = IOUtils.readExactlyNBytes(dis, dis.readInt());
bais = new ByteArrayInputStream(encoded);
certs.add(cf.generateCertificate(bais));
bais.close();
@@ -761,7 +761,7 @@ public void engineLoad(InputStream stream, char[] password)
cfs.put(certType, cf);
}
}
encoded = IOUtils.readFully(dis, dis.readInt(), true);
encoded = IOUtils.readExactlyNBytes(dis, dis.readInt());
bais = new ByteArrayInputStream(encoded);
entry.cert = cf.generateCertificate(bais);
bais.close();
@@ -787,16 +787,13 @@ public void engineLoad(InputStream stream, char[] password)
*/
if (password != null) {
byte[] computed = md.digest();
byte[] actual = new byte[computed.length];
dis.readFully(actual);
for (int i = 0; i < computed.length; i++) {
if (computed[i] != actual[i]) {
Throwable t = new UnrecoverableKeyException
byte[] actual = IOUtils.readExactlyNBytes(dis, computed.length);
if (!MessageDigest.isEqual(computed, actual)) {
Throwable t = new UnrecoverableKeyException
("Password verification failed");
throw (IOException)new IOException
throw (IOException) new IOException
("Keystore was tampered with, or "
+ "password was incorrect").initCause(t);
}
+ "password was incorrect").initCause(t);
}
}
}
2 src/java.base/share/classes/sun/security/util/DerValue.java
View file
@@ -395,7 +395,7 @@ private DerInputStream init(boolean fullyBuffered, InputStream in,
if (fullyBuffered && in.available() != length)
throw new IOException("extra data given to DerValue constructor");

byte[] bytes = IOUtils.readFully(in, length, true);
byte[] bytes = IOUtils.readExactlyNBytes(in, length);

buffer = new DerInputBuffer(bytes, allowBER);
return new DerInputStream(buffer);
70 src/java.base/share/classes/sun/security/util/IOUtils.java
View file
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2009, 2017, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2009, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -32,68 +32,34 @@
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;

public class IOUtils {

/**
* Read up to {@code length} of bytes from {@code in}
* until EOF is detected.
* Read exactly {@code length} of bytes from {@code in}.
*
* <p> Note that this method is safe to be called with unknown large
* {@code length} argument. The memory used is proportional to the
* actual bytes available. An exception is thrown if there are not
* enough bytes in the stream.
*
* @param is input stream, must not be null
* @param length number of bytes to read
* @param readAll if true, an EOFException will be thrown if not enough
* bytes are read.
* @return bytes read
* @throws IOException Any IO error or a premature EOF is detected
* @throws EOFException if there are not enough bytes in the stream
* @throws IOException if an I/O error occurs or {@code length} is negative
* @throws OutOfMemoryError if an array of the required size cannot be
* allocated.
*/
public static byte[] readFully(InputStream is, int length, boolean readAll)
public static byte[] readExactlyNBytes(InputStream is, int length)
throws IOException {
if (length < 0) {
throw new IOException("Invalid length");
}
byte[] output = {};
int pos = 0;
while (pos < length) {
int bytesToRead;
if (pos >= output.length) { // Only expand when there's no room
bytesToRead = Math.min(length - pos, output.length + 1024);
if (output.length < pos + bytesToRead) {
output = Arrays.copyOf(output, pos + bytesToRead);
}
} else {
bytesToRead = output.length - pos;
}
int cc = is.read(output, pos, bytesToRead);
if (cc < 0) {
if (readAll) {
throw new EOFException("Detect premature EOF");
} else {
if (output.length != pos) {
output = Arrays.copyOf(output, pos);
}
break;
}
}
pos += cc;
}
return output;
}

/**
* Read {@code length} of bytes from {@code in}. An exception is
* thrown if there are not enough bytes in the stream.
*
* @param is input stream, must not be null
* @param length number of bytes to read, must not be negative
* @return bytes read
* @throws IOException if any IO error or a premature EOF is detected, or
* if {@code length} is negative since this length is usually also
* read from {@code is}.
*/
public static byte[] readNBytes(InputStream is, int length) throws IOException {
if (length < 0) {
throw new IOException("length cannot be negative: " + length);
}
return readFully(is, length, true);
byte[] data = is.readNBytes(length);
if (data.length < length) {
throw new EOFException();
}
return data;
}
}
4 src/java.security.jgss/share/classes/sun/security/krb5/internal/NetClient.java
View file
@@ -1,5 +1,5 @@
/*
* Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
* Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -102,7 +102,7 @@ public void send(byte[] data) throws IOException {
}

try {
return IOUtils.readFully(in, len, true);
return IOUtils.readExactlyNBytes(in, len);
} catch (IOException ioe) {
if (Krb5.DEBUG) {
System.out.println(
8 ...java.security.jgss/share/classes/sun/security/krb5/internal/ccache/CCacheInputStream.java
View file
@@ -128,7 +128,7 @@ public PrincipalName readPrincipal(int version) throws IOException, RealmExcepti
length--;
for (int i = 0; i <= length; i++) {
namelength = readLength4();
byte[] bytes = IOUtils.readFully(this, namelength, true);
byte[] bytes = IOUtils.readExactlyNBytes(this, namelength);
result.add(new String(bytes));
}
if (result.isEmpty()) {
@@ -186,7 +186,7 @@ EncryptionKey readKey(int version) throws IOException {
if (version == KRB5_FCC_FVNO_3)
read(2); /* keytype recorded twice in fvno 3 */
keyLen = readLength4();
byte[] bytes = IOUtils.readFully(this, keyLen, true);
byte[] bytes = IOUtils.readExactlyNBytes(this, keyLen);
return new EncryptionKey(bytes, keyType, version);
}

@@ -239,7 +239,7 @@ boolean readskey() throws IOException {
for (int i = 0; i < num; i++) {
adtype = read(2);
adlength = readLength4();
data = IOUtils.readFully(this, adlength, true);
data = IOUtils.readExactlyNBytes(this, adlength);
auData.add(new AuthorizationDataEntry(adtype, data));
}
return auData.toArray(new AuthorizationDataEntry[auData.size()]);
@@ -253,7 +253,7 @@ boolean readskey() throws IOException {
if (length == 0) {
return null;
} else {
return IOUtils.readFully(this, length, true);
return IOUtils.readExactlyNBytes(this, length);
}
}

0 comments on commit f3815c8

Please sign in to comment.