From 274ee0ec5b9df1afdfcb377fff3e289f0ae32351 Mon Sep 17 00:00:00 2001 From: Anthony Scarpino Date: Mon, 19 Oct 2015 17:35:18 -0700 Subject: [PATCH] 8133151: Preferred provider configuration for JCE Reviewed-by: valeriep --- jdk/make/gendata/Gendata-java.base.gmk | 2 +- .../makejavasecurity/MakeJavaSecurity.java | 16 +- .../security/AlgorithmParameterGenerator.java | 7 + .../java/security/AlgorithmParameters.java | 9 +- .../classes/java/security/KeyFactory.java | 9 +- .../java/security/KeyPairGenerator.java | 7 + .../share/classes/java/security/KeyStore.java | 7 + .../classes/java/security/MessageDigest.java | 7 + .../share/classes/java/security/Policy.java | 7 + .../classes/java/security/SecureRandom.java | 9 +- .../classes/java/security/Signature.java | 7 + .../java/security/cert/CertPathBuilder.java | 9 +- .../java/security/cert/CertPathValidator.java | 9 +- .../classes/java/security/cert/CertStore.java | 9 +- .../security/cert/CertificateFactory.java | 9 +- .../share/classes/javax/crypto/Cipher.java | 7 + .../javax/crypto/ExemptionMechanism.java | 9 +- .../classes/javax/crypto/KeyAgreement.java | 9 +- .../classes/javax/crypto/KeyGenerator.java | 9 +- .../share/classes/javax/crypto/Mac.java | 9 +- .../javax/crypto/SecretKeyFactory.java | 9 +- .../javax/net/ssl/KeyManagerFactory.java | 7 + .../classes/javax/net/ssl/SSLContext.java | 7 + .../javax/net/ssl/TrustManagerFactory.java | 7 + .../security/auth/login/Configuration.java | 7 + .../sun/security/jca/ProviderList.java | 212 +++++++++++++++++- .../share/conf/security/java.security | 25 +++ .../classes/javax/security/sasl/Sasl.java | 14 ++ .../javax/smartcardio/TerminalFactory.java | 9 +- .../xml/crypto/dsig/TransformService.java | 9 +- .../xml/crypto/dsig/XMLSignatureFactory.java | 9 +- .../crypto/dsig/keyinfo/KeyInfoFactory.java | 16 +- 32 files changed, 465 insertions(+), 32 deletions(-) 
diff --git a/jdk/make/gendata/Gendata-java.base.gmk b/jdk/make/gendata/Gendata-java.base.gmk index c0ee693f730..d94ec3404c0 100644 --- a/jdk/make/gendata/Gendata-java.base.gmk +++ b/jdk/make/gendata/Gendata-java.base.gmk @@ -70,7 +70,7 @@ $(GENDATA_JAVA_SECURITY): $(BUILD_TOOLS) $(GENDATA_JAVA_SECURITY_SRC) $(RESTRICT $(ECHO) "Generating java.security" $(MKDIR) -p $(@D) $(TOOL_MAKEJAVASECURITY) $(GENDATA_JAVA_SECURITY_SRC) $@ $(OPENJDK_TARGET_OS) \ - $(RESTRICTED_PKGS_SRC) || exit 1 + $(OPENJDK_TARGET_CPU_ARCH) $(RESTRICTED_PKGS_SRC) || exit 1 TARGETS += $(GENDATA_JAVA_SECURITY) diff --git a/jdk/make/src/classes/build/tools/makejavasecurity/MakeJavaSecurity.java b/jdk/make/src/classes/build/tools/makejavasecurity/MakeJavaSecurity.java index d5c6e14c7b1..46f8ce9af9d 100644 --- a/jdk/make/src/classes/build/tools/makejavasecurity/MakeJavaSecurity.java +++ b/jdk/make/src/classes/build/tools/makejavasecurity/MakeJavaSecurity.java @@ -50,19 +50,21 @@ public class MakeJavaSecurity { public static void main(String[] args) throws Exception { - if (args.length < 3) { + if (args.length < 4) { System.err.println("Usage: java MakeJavaSecurity " + "[input java.security file name] " + "[output java.security file name] " + "[openjdk target os] " + + "[openjdk target cpu architecture]" + "[more restricted packages file name?]"); - System.exit(1); + + System.exit(1); } // more restricted packages List extraLines; - if (args.length == 4) { - extraLines = Files.readAllLines(Paths.get(args[3])); + if (args.length == 5) { + extraLines = Files.readAllLines(Paths.get(args[4])); } else { extraLines = Collections.emptyList(); } 
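Review bot: Moving the optional restricted-packages file from `args[3]` to `args[4]` in `main` lets an old-style four-argument call pass the new `args.length < 4` check, with the file path taken as the CPU architecture and `extraLines` left empty, so the extra restricted packages would be dropped without any error. The `if (args.length == 5)` branch has the same silent fallback for six or more arguments; rejecting every count other than four or five (`if (args.length < 4 || args.length > 5)`) would turn both cases into a build failure. In the usage text, `"[openjdk target cpu architecture]"` lacks the trailing space the other literals carry, so it prints fused with the next item. `main` continues outside the hunk.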
@@ -96,7 +98,11 @@ public class MakeJavaSecurity { mode = 0; iter.remove(); } else if (line.startsWith("#ifdef ")) { - mode = line.endsWith(args[2])?1:2; + if (line.indexOf('-') > 0) { + mode = line.endsWith(args[2]+"-"+args[3]) ? 1 : 2; + } else { + mode = line.endsWith(args[2]) ? 1 : 2; + } iter.remove(); } else if (line.startsWith("#ifndef ")) { mode = line.endsWith(args[2])?2:1; diff --git a/jdk/src/java.base/share/classes/java/security/AlgorithmParameterGenerator.java b/jdk/src/java.base/share/classes/java/security/AlgorithmParameterGenerator.java index 5c03453d8fd..36b2a65cbfa 100644 --- a/jdk/src/java.base/share/classes/java/security/AlgorithmParameterGenerator.java +++ b/jdk/src/java.base/share/classes/java/security/AlgorithmParameterGenerator.java @@ -138,6 +138,13 @@ public class AlgorithmParameterGenerator { *
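Review bot: The `#ifndef` branch directly below the changed lines still compares only against `args[2]`, so an `#ifndef <os>-<arch>` line can never match: `line.endsWith(args[2])` is false for a line ending in an os-arch pair and the guarded block is always kept. If the new os-arch form is meant to work for both directives, the same split is needed there, e.g. `mode = line.endsWith(line.indexOf('-') > 0 ? args[2]+"-"+args[3] : args[2]) ? 2 : 1;`. `endsWith` is also a loose match, since one target name that is a suffix of another would match; comparing the token after the directive with `equals` would be stricter. The enclosing loop starts and ends outside the hunk.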

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the name of the algorithm this * parameter generator is associated with. * See the AlgorithmParameterGenerator section in the diff --git a/jdk/src/java.base/share/classes/java/security/KeyFactory.java b/jdk/src/java.base/share/classes/java/security/KeyFactory.java index 8e761ff41f7..76076cea2f2 100644 --- a/jdk/src/java.base/share/classes/java/security/KeyFactory.java +++ b/jdk/src/java.base/share/classes/java/security/KeyFactory.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -153,6 +153,13 @@ public class KeyFactory { *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the name of the requested key algorithm. * See the KeyFactory section in the diff --git a/jdk/src/java.base/share/classes/java/security/KeyPairGenerator.java b/jdk/src/java.base/share/classes/java/security/KeyPairGenerator.java index 277231b568d..246f140b435 100644 --- a/jdk/src/java.base/share/classes/java/security/KeyPairGenerator.java +++ b/jdk/src/java.base/share/classes/java/security/KeyPairGenerator.java @@ -195,6 +195,13 @@ public abstract class KeyPairGenerator extends KeyPairGeneratorSpi { *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the standard string name of the algorithm. * See the KeyPairGenerator section in the diff --git a/jdk/src/java.base/share/classes/java/security/KeyStore.java b/jdk/src/java.base/share/classes/java/security/KeyStore.java index 6ab121ea629..40df29cdd6c 100644 --- a/jdk/src/java.base/share/classes/java/security/KeyStore.java +++ b/jdk/src/java.base/share/classes/java/security/KeyStore.java @@ -841,6 +841,13 @@ public class KeyStore { *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param type the type of keystore. * See the KeyStore section in the diff --git a/jdk/src/java.base/share/classes/java/security/MessageDigest.java b/jdk/src/java.base/share/classes/java/security/MessageDigest.java index 5a58f0997d0..0892140c581 100644 --- a/jdk/src/java.base/share/classes/java/security/MessageDigest.java +++ b/jdk/src/java.base/share/classes/java/security/MessageDigest.java @@ -146,6 +146,13 @@ public abstract class MessageDigest extends MessageDigestSpi { *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the name of the algorithm requested. * See the MessageDigest section in the diff --git a/jdk/src/java.base/share/classes/java/security/Policy.java b/jdk/src/java.base/share/classes/java/security/Policy.java index 1351ed7db10..9d02d76f8d8 100644 --- a/jdk/src/java.base/share/classes/java/security/Policy.java +++ b/jdk/src/java.base/share/classes/java/security/Policy.java @@ -355,6 +355,13 @@ public abstract class Policy { *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param type the specified Policy type. See the Policy section in the * diff --git a/jdk/src/java.base/share/classes/java/security/SecureRandom.java b/jdk/src/java.base/share/classes/java/security/SecureRandom.java index feae08b90c9..2f8d734ac00 100644 --- a/jdk/src/java.base/share/classes/java/security/SecureRandom.java +++ b/jdk/src/java.base/share/classes/java/security/SecureRandom.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1996, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -268,6 +268,13 @@ public class SecureRandom extends java.util.Random { * This self-seeding will not occur if {@code setSeed} was * previously called. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the name of the RNG algorithm. * See the SecureRandom section in the diff --git a/jdk/src/java.base/share/classes/java/security/Signature.java b/jdk/src/java.base/share/classes/java/security/Signature.java index 75e318c8b94..73fb85c8566 100644 --- a/jdk/src/java.base/share/classes/java/security/Signature.java 
+++ b/jdk/src/java.base/share/classes/java/security/Signature.java @@ -203,6 +203,13 @@ public abstract class Signature extends SignatureSpi { *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the standard name of the algorithm requested. * See the Signature section in the diff --git a/jdk/src/java.base/share/classes/java/security/cert/CertPathBuilder.java b/jdk/src/java.base/share/classes/java/security/cert/CertPathBuilder.java index 307cbec4924..8cd1ec09d0c 100644 --- a/jdk/src/java.base/share/classes/java/security/cert/CertPathBuilder.java +++ b/jdk/src/java.base/share/classes/java/security/cert/CertPathBuilder.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -142,6 +142,13 @@ public class CertPathBuilder { *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the name of the requested {@code CertPathBuilder} * algorithm. See the CertPathBuilder section in the diff --git a/jdk/src/java.base/share/classes/java/security/cert/CertPathValidator.java b/jdk/src/java.base/share/classes/java/security/cert/CertPathValidator.java index 857fa2faa8c..3a22c37cb04 100644 --- a/jdk/src/java.base/share/classes/java/security/cert/CertPathValidator.java +++ b/jdk/src/java.base/share/classes/java/security/cert/CertPathValidator.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -143,6 +143,13 @@ public class CertPathValidator { *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the name of the requested {@code CertPathValidator} * algorithm. See the CertPathValidator section in the diff --git a/jdk/src/java.base/share/classes/java/security/cert/CertStore.java b/jdk/src/java.base/share/classes/java/security/cert/CertStore.java index 79835d8ba3b..cb281633929 100644 --- a/jdk/src/java.base/share/classes/java/security/cert/CertStore.java +++ b/jdk/src/java.base/share/classes/java/security/cert/CertStore.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -201,6 +201,13 @@ public class CertStore { * Note that the specified {@code CertStoreParameters} object is * cloned. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param type the name of the requested {@code CertStore} type. * See the CertStore section in the diff --git a/jdk/src/java.base/share/classes/java/security/cert/CertificateFactory.java b/jdk/src/java.base/share/classes/java/security/cert/CertificateFactory.java index f45866d1b74..735c2df21fc 100644 
--- a/jdk/src/java.base/share/classes/java/security/cert/CertificateFactory.java +++ b/jdk/src/java.base/share/classes/java/security/cert/CertificateFactory.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -163,6 +163,13 @@ public class CertificateFactory { *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param type the name of the requested certificate type. * See the CertificateFactory section in the diff --git a/jdk/src/java.base/share/classes/javax/crypto/Cipher.java b/jdk/src/java.base/share/classes/javax/crypto/Cipher.java index ed6f4e392bd..fde8cb491cf 100644 --- a/jdk/src/java.base/share/classes/javax/crypto/Cipher.java +++ b/jdk/src/java.base/share/classes/javax/crypto/Cipher.java @@ -478,6 +478,13 @@ public class Cipher { *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param transformation the name of the transformation, e.g., * DES/CBC/PKCS5Padding. * See the Cipher section in the Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the standard name of the requested exemption * mechanism. * See the ExemptionMechanism section in the diff --git a/jdk/src/java.base/share/classes/javax/crypto/KeyAgreement.java b/jdk/src/java.base/share/classes/javax/crypto/KeyAgreement.java index 98cfcdabc74..a2c951e0275 100644 --- a/jdk/src/java.base/share/classes/javax/crypto/KeyAgreement.java +++ b/jdk/src/java.base/share/classes/javax/crypto/KeyAgreement.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -150,6 +150,13 @@ public class KeyAgreement { *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the standard name of the requested key agreement * algorithm. * See the KeyAgreement section in the Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the standard name of the requested key algorithm. * See the KeyGenerator section in the diff --git a/jdk/src/java.base/share/classes/javax/crypto/Mac.java b/jdk/src/java.base/share/classes/javax/crypto/Mac.java index 9f85e7aecb2..2c5ba4b6aa2 100644 --- a/jdk/src/java.base/share/classes/javax/crypto/Mac.java +++ b/jdk/src/java.base/share/classes/javax/crypto/Mac.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -152,6 +152,13 @@ public class Mac implements Cloneable { *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the standard name of the requested MAC algorithm. * See the Mac section in the diff --git a/jdk/src/java.base/share/classes/javax/crypto/SecretKeyFactory.java b/jdk/src/java.base/share/classes/javax/crypto/SecretKeyFactory.java index 2be70598dd0..9dd815149b9 100644 --- a/jdk/src/java.base/share/classes/javax/crypto/SecretKeyFactory.java +++ b/jdk/src/java.base/share/classes/javax/crypto/SecretKeyFactory.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -137,6 +137,13 @@ public class SecretKeyFactory { *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the standard name of the requested secret-key * algorithm. * See the SecretKeyFactory section in the Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the standard name of the requested algorithm. * See the diff --git a/jdk/src/java.base/share/classes/javax/net/ssl/SSLContext.java b/jdk/src/java.base/share/classes/javax/net/ssl/SSLContext.java index df3af8b4602..1ed527569a6 100644 --- a/jdk/src/java.base/share/classes/javax/net/ssl/SSLContext.java +++ b/jdk/src/java.base/share/classes/javax/net/ssl/SSLContext.java @@ -136,6 +136,13 @@ public class SSLContext { *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param protocol the standard name of the requested protocol. * See the SSLContext section in the diff --git a/jdk/src/java.base/share/classes/javax/net/ssl/TrustManagerFactory.java b/jdk/src/java.base/share/classes/javax/net/ssl/TrustManagerFactory.java index 0567d99e9c3..4e9bdf2b7e0 100644 --- a/jdk/src/java.base/share/classes/javax/net/ssl/TrustManagerFactory.java +++ b/jdk/src/java.base/share/classes/javax/net/ssl/TrustManagerFactory.java @@ -130,6 +130,13 @@ public class TrustManagerFactory { *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the standard name of the requested trust management * algorithm. See the diff --git a/jdk/src/java.base/share/classes/javax/security/auth/login/Configuration.java b/jdk/src/java.base/share/classes/javax/security/auth/login/Configuration.java index c0b1865ee0b..b5a2a2cd107 100644 --- a/jdk/src/java.base/share/classes/javax/security/auth/login/Configuration.java +++ b/jdk/src/java.base/share/classes/javax/security/auth/login/Configuration.java @@ -311,6 +311,13 @@ public abstract class Configuration { *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param type the specified Configuration type. See the Configuration * section in the diff --git a/jdk/src/java.base/share/classes/sun/security/jca/ProviderList.java b/jdk/src/java.base/share/classes/sun/security/jca/ProviderList.java index f8dfed64e6f..9f9c86d99e2 100644 --- a/jdk/src/java.base/share/classes/sun/security/jca/ProviderList.java +++ b/jdk/src/java.base/share/classes/sun/security/jca/ProviderList.java @@ -27,8 +27,11 @@ package sun.security.jca; import java.util.*; -import java.security.*; +import java.security.AccessController; +import java.security.PrivilegedAction; +import java.security.Provider; import java.security.Provider.Service; +import java.security.Security; /** * List of Providers. Used to represent the provider preferences. @@ -65,6 +68,9 @@ public final class ProviderList { // constant for an ProviderList with no elements static final ProviderList EMPTY = new ProviderList(PC0, true); + // list of all jdk.security.provider.preferred entries + static private PreferredList preferredPropList = null; + // dummy provider object to use during initialization // used to avoid explicit null checks in various places private static final Provider EMPTY_PROVIDER = 
@@ -162,11 +168,10 @@ public final class ProviderList { */ private ProviderList() { List configList = new ArrayList<>(); - for (int i = 1; true; i++) { - String entry = Security.getProperty("security.provider." + i); - if (entry == null) { - break; - } + String entry; + int i = 1; + + while ((entry = Security.getProperty("security.provider." + i)) != null) { entry = entry.trim(); if (entry.length() == 0) { System.err.println("invalid entry for " + @@ -187,10 +192,36 @@ public final class ProviderList { if (configList.contains(config) == false) { configList.add(config); } + i++; } configs = configList.toArray(PC0); + + // Load config entries for use when getInstance is called + entry = Security.getProperty("jdk.security.provider.preferred"); + if (entry != null && (entry = entry.trim()).length() > 0) { + String[] entries = entry.split(","); + if (ProviderList.preferredPropList == null) { + ProviderList.preferredPropList = new PreferredList(); + } + + for (String e : entries) { + i = e.indexOf(':'); + if (i < 0) { + if (debug != null) { + debug.println("invalid preferred entry skipped. " + + "Missing colon delimiter \"" + e + "\""); + } + continue; + } + ProviderList.preferredPropList.add(new PreferredEntry( + e.substring(0, i).trim(), e.substring(i + 1).trim())); + } + } + if (debug != null) { debug.println("provider configuration: " + configList); + debug.println("config configuration: " + + ProviderList.preferredPropList); } } 
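Review bot: The constructor appends to the static `preferredPropList` each time it runs and never resets it, so if `ProviderList()` is invoked more than once (not visible in this hunk) the preferred entries are duplicated, and a concurrent `getService` call can read the plain `ArrayList` while it is still being filled. Parsing into a local `PreferredList` and assigning the static field once at the end avoids both. An entry without a colon is reported only when `debug` is enabled, and an entry whose algorithm or provider part is empty after `trim()` is accepted, so a mistyped preference silently changes which provider serves an algorithm; reporting it on `System.err`, as the `security.provider.N` loop does for its invalid entries, would make the misconfiguration visible. The debug label `"config configuration: "` would read more clearly as `"preferred provider configuration: "`.

```java
// … unchanged: security.provider.N loop and configs = configList.toArray(PC0) …
entry = Security.getProperty("jdk.security.provider.preferred");
if (entry != null && (entry = entry.trim()).length() > 0) {
    PreferredList parsed = new PreferredList();
    for (String e : entry.split(",")) {
        i = e.indexOf(':');
        String key = (i < 0) ? "" : e.substring(0, i).trim();
        String prov = (i < 0) ? "" : e.substring(i + 1).trim();
        if (key.isEmpty() || prov.isEmpty()) {
            System.err.println("invalid entry for " +
                "jdk.security.provider.preferred: \"" + e + "\"");
            continue;
        }
        parsed.add(new PreferredEntry(key, prov));
    }
    // publish the fully built list in one assignment
    ProviderList.preferredPropList = parsed;
}
// … unchanged: debug output …
```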
@@ -327,7 +358,22 @@ public final class ProviderList { * algorithm. */ public Service getService(String type, String name) { - for (int i = 0; i < configs.length; i++) { + ArrayList pList = null; + int i; + + // Preferred provider list + if (preferredPropList != null && + (pList = preferredPropList.getAll(type, name)) != null) { + for (i = 0; i < pList.size(); i++) { + Provider p = getProvider(pList.get(i).provider); + Service s = p.getService(type, name); + if (s != null) { + return s; + } + } + } + + for (i = 0; i < configs.length; i++) { Provider p = getProvider(i); Service s = p.getService(type, name); if (s != null) { @@ -394,7 +440,11 @@ public final class ProviderList { private List services; // index into config[] of the next provider we need to query - private int providerIndex; + private int providerIndex = 0; + + // Matching preferred provider list for this ServiceList + ArrayList preferredList = null; + private int preferredIndex = 0; ServiceList(String type, String algorithm) { this.type = type; @@ -421,6 +471,14 @@ public final class ProviderList { } private Service tryGet(int index) { + Provider p; + + // If preferred providers are configured, check for matches with + // the requested service. + if (preferredPropList != null && preferredList == null) { + preferredList = preferredPropList.getAll(this); + } + while (true) { if ((index == 0) && (firstService != null)) { return firstService; 
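Review bot: In `getService`, the result of `getProvider(pList.get(i).provider)` is dereferenced without a null check, although the `tryGet` change in this same patch treats a null from `getProvider(entry.provider)` as "No provider found with name". A preferred entry naming a provider that is not installed would therefore throw a NullPointerException from any lookup whose type and algorithm match it, instead of falling back to the ordered list; add `if (p == null) { continue; }` before `p.getService(type, name)`. The `!= null` test on `preferredPropList.getAll(type, name)` is redundant, because that method always returns a fresh list. In `ServiceList`, the new `preferredList` field is package-private while the neighbouring fields are `private`; `private ArrayList<PreferredEntry> preferredList` would match them.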
@@ -430,8 +488,27 @@ public final class ProviderList { if (providerIndex >= configs.length) { return null; } - // check all algorithms in this provider before moving on - Provider p = getProvider(providerIndex++); + + // If there were matches with a preferred provider, iterate + // through the list first before going through the + // ordered list (java.security.provider.#) + if (preferredList != null && + preferredIndex < preferredList.size()) { + PreferredEntry entry = preferredList.get(preferredIndex++); + // Look for the provider name in the PreferredEntry + p = getProvider(entry.provider); + if (p == null) { + if (debug != null) { + debug.println("No provider found with name: " + + entry.provider); + } + continue; + } + } else { + // check all algorithms in this provider before moving on + p = getProvider(providerIndex++); + } + if (type != null) { // simple lookup Service s = p.getService(type, algorithm); 
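Review bot: The new comment in `tryGet` calls the ordered list `java.security.provider.#`, but the property the constructor reads is `security.provider.<n>`; the comment should use that name so that readers search for the right key. Also worth confirming: the preferred branch never touches `providerIndex`, so a provider already served from the preferred list appears to be queried again when the loop reaches it in the ordered list, which could hand the same Service to a caller twice while it iterates for a fallback. Skipping providers that were already visited through `preferredList` would avoid that. `tryGet` starts and ends outside the hunk, so how the returned service is recorded is not visible here.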
@@ -502,4 +579,119 @@ public final class ProviderList { } } + // Provider list defined by jdk.security.provider.preferred entry + static final class PreferredList { + ArrayList list = new ArrayList(); + + /* + * Return a list of all preferred entries that match the passed + * ServiceList. + */ + ArrayList getAll(ServiceList s) { + if (s.ids == null) { + return getAll(s.type, s.algorithm); + + } + + ArrayList l = new ArrayList(); + for (ServiceId id : s.ids) { + implGetAll(l, id.type, id.algorithm); + } + + return l; + } + + /* + * Return a list of all preferred entries that match the passed + * type and algorithm. + */ + ArrayList getAll(String type, String algorithm) { + ArrayList l = new ArrayList(); + implGetAll(l, type, algorithm); + return l; + } + + /* + * Compare each preferred entry against the passed type and + * algorithm, putting any matches in the passed ArrayList. + */ + private void implGetAll(ArrayList l, String type, + String algorithm) { + PreferredEntry e; + + for (int i = 0; i < size(); i++) { + e = list.get(i); + if (e.match(type, algorithm)) { + l.add(e); + } + } + } + + public PreferredEntry get(int i) { + return list.get(i); + } + + public int size() { + return list.size(); + } + + public boolean add(PreferredEntry e) { + return list.add(e); + } + + public String toString() { + String s = ""; + for (PreferredEntry e: list) { + s += e.toString(); + } + return s; + } + } + + // Individual preferred property entry from jdk.security.provider.preferred + private class PreferredEntry { + String type = null; + String algorithm; + String provider; + + PreferredEntry(String t, String p) { + int i = t.indexOf('.'); + if (i > 0) { + type = t.substring(0, i); + algorithm = t.substring(i + 1); + } else { + algorithm = t; + } + + provider = p; + } + + boolean match(String t, String a) { + if (debug != null) { + debug.println("Config match: " + toString() + " == [" + t + + ", " + a + "]"); + } + + // Compare service type if configured + if (type != null && 
type.compareToIgnoreCase(t) != 0) { + return false; + } + + // Compare the algorithm string. + if (a.compareToIgnoreCase(algorithm) == 0) { + if (debug != null) { + debug.println("Config entry found: " + toString()); + } + return true; + } + + // No match + return false; + } + + public String toString() { + return "[" + type + ", " + algorithm + " : " + provider + "] "; + } + } + } diff --git a/jdk/src/java.base/share/conf/security/java.security b/jdk/src/java.base/share/conf/security/java.security index 4523ddcd226..6809cb4c952 100644 --- a/jdk/src/java.base/share/conf/security/java.security +++ b/jdk/src/java.base/share/conf/security/java.security @@ -90,6 +90,31 @@ security.provider.tbd=apple.security.AppleProvider security.provider.tbd=sun.security.pkcs11.SunPKCS11 #endif +# +# A list of preferred providers for specific algorithms. These providers will +# be searched for matching algorithms before the list of registered providers. +# Entries containing errors (parsing, etc) will be ignored. Use the +# -Djava.security.debug=jca property to debug these errors. +# +# The property is a comma-separated list of serviceType.algorithm:provider +# entries. The serviceType (example: "MessageDigest") is optional, and if +# not specified, the algorithm applies to all service types that support it. +# The algorithm is the standard algorithm name or transformation. +# Transformations can be specified in their full standard name +# (ex: AES/CBC/PKCS5Padding), or as partial matches (ex: AES, AES/CBC). +# The provider is the name of the provider. Any provider that does not +# also appear in the registered list will be ignored. +# +# Example: +# jdk.security.provider.preferred=AES/GCM/NoPadding:SunJCE, \ +# MessageDigest.SHA-256:SUN +#ifdef solaris-sparc +jdk.security.provider.preferred=AES:SunJCE, SHA-256:SUN, SHA-384:SUN, SHA-512:SUN +#endif +#ifdef solaris-x86 +jdk.security.provider.preferred=AES:SunJCE, RSA:SunRsaSign +#endif + # # Sun Provider SecureRandom seed source. 
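Review bot: The PreferredEntry constructor splits its key at the first `.` (`t.indexOf('.')`), so an entry written without a service type whose algorithm name itself contains a dot (an OID-style name, for instance) gets the text before the first dot stored as `type`, and `match()` then never succeeds for it. Nothing in the hunk reports this, so the configured preference is silently dropped and the default provider order applies. Whether the property parser, which is outside this hunk, rejects such entries is not visible here. If not, I would at least document the restriction on the class, e.g. `// An algorithm name containing '.' must be prefixed with its service type`, and log the parsed type and algorithm once when the entry is created. Separately, PreferredEntry appears to use only `debug` from the enclosing class, so it could probably be declared `private static final class`.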
diff --git a/jdk/src/java.security.sasl/share/classes/javax/security/sasl/Sasl.java b/jdk/src/java.security.sasl/share/classes/javax/security/sasl/Sasl.java index 66bdb7ef86a..aaeaae4c1ae 100644 --- a/jdk/src/java.security.sasl/share/classes/javax/security/sasl/Sasl.java +++ b/jdk/src/java.security.sasl/share/classes/javax/security/sasl/Sasl.java @@ -310,6 +310,13 @@ public class Sasl { * for information about how to install and configure security service * providers. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param mechanisms The non-null list of mechanism names to try. Each is the * IANA-registered name of a SASL mechanism. (e.g. "GSSAPI", "CRAM-MD5"). * @param authorizationId The possibly null protocol-dependent @@ -452,6 +459,13 @@ public class Sasl { * for information about how to install and configure security * service providers. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param mechanism The non-null mechanism name. It must be an * IANA-registered name of a SASL mechanism. (e.g. "GSSAPI", "CRAM-MD5"). * @param protocol The non-null string name of the protocol for which diff --git a/jdk/src/java.smartcardio/share/classes/javax/smartcardio/TerminalFactory.java b/jdk/src/java.smartcardio/share/classes/javax/smartcardio/TerminalFactory.java index b04d556b452..f83bc78f53e 100644 --- a/jdk/src/java.smartcardio/share/classes/javax/smartcardio/TerminalFactory.java 
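Review bot: The `@implNote` added to both Sasl methods says "for the specified algorithm", but the parameters documented just below it are `mechanisms` and `mechanism`, so the note does not name anything the caller actually passes. The same paragraph is pasted unchanged into TerminalFactory (parameter `type`) and the XML crypto factories (`mechanismType`). I would adapt the wording per class, e.g. `the preferred provider order for the specified mechanism` here. Also check that `{@link Security#getProviders()}` resolves in Sasl.java, since no existing reference to `Security` is visible in the surrounding context.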
+++ b/jdk/src/java.smartcardio/share/classes/javax/smartcardio/TerminalFactory.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -229,6 +229,13 @@ public final class TerminalFactory { * specified parameters Object. The type of parameters * needed may vary between different types of TerminalFactorys. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param type the type of the requested TerminalFactory * @param params the parameters to pass to the TerminalFactorySpi * implementation, or null if no parameters are needed diff --git a/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/TransformService.java b/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/TransformService.java index d7793da59cb..84212c45c90 100644 --- a/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/TransformService.java +++ b/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/TransformService.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -136,6 +136,13 @@ public abstract class TransformService implements Transform { *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param algorithm the URI of the algorithm * @param mechanismType the type of the XML processing mechanism and * representation diff --git a/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/XMLSignatureFactory.java b/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/XMLSignatureFactory.java index f776bf322b5..def0a5d013f 100644 --- a/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/XMLSignatureFactory.java +++ b/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/XMLSignatureFactory.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -173,6 +173,13 @@ public abstract class XMLSignatureFactory { *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param mechanismType the type of the XML processing mechanism and * representation. See the diff --git a/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/keyinfo/KeyInfoFactory.java b/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/keyinfo/KeyInfoFactory.java index a9465f79330..beaa1820e9e 100644 --- a/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/keyinfo/KeyInfoFactory.java +++ b/jdk/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/keyinfo/KeyInfoFactory.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2015, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -129,6 +129,13 @@ public abstract class KeyInfoFactory { *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @param mechanismType the type of the XML processing mechanism and * representation. See the @@ -263,6 +270,13 @@ public abstract class KeyInfoFactory { *

Note that the list of registered providers may be retrieved via * the {@link Security#getProviders() Security.getProviders()} method. * + * @implNote + * The JDK Reference Implementation additionally uses the + * {@code jdk.security.provider.preferred} property to determine + * the preferred provider order for the specified algorithm. This + * may be different than the order of providers returned by + * {@link Security#getProviders() Security.getProviders()}. + * * @return a new KeyInfoFactory * @throws NoSuchMechanismException if no Provider supports a * KeyInfoFactory implementation for the DOM mechanism