From 8167fa4c808ecd4a1795f48eaebe91ed1155a49c Mon Sep 17 00:00:00 2001
From: Weijun Wang
Date: Wed, 9 Jul 2014 16:34:31 +0800
Subject: [PATCH] 8047765: Generate blacklist.certs in build

Reviewed-by: dholmes, alanb
---
 jdk/make/CopyFiles.gmk | 19 -----
 jdk/make/GenerateData.gmk | 3 +
 jdk/make/Tools.gmk | 3 +
 .../blacklisted.certs.pem | 6 ++
 jdk/make/gendata/GendataBlacklistedCerts.gmk | 36 +++++++++
 .../BlacklistedCertsConverter.java | 80 ++++++++++++-------
 jdk/src/share/lib/security/blacklisted.certs | 19 -----
 7 files changed, 99 insertions(+), 67 deletions(-)
 rename jdk/{src/share/lib/security => make/data/blacklistedcertsconverter}/blacklisted.certs.pem (99%)
 create mode 100644 jdk/make/gendata/GendataBlacklistedCerts.gmk
 rename jdk/{src/share/lib/security => make/src/classes/build/tools/blacklistedcertsconverter}/BlacklistedCertsConverter.java (56%)
 delete mode 100644 jdk/src/share/lib/security/blacklisted.certs

diff --git a/jdk/make/CopyFiles.gmk b/jdk/make/CopyFiles.gmk
index 396f2534317..acab2541256 100644
--- a/jdk/make/CopyFiles.gmk
+++ b/jdk/make/CopyFiles.gmk
@@ -407,16 +407,11 @@ COPY_FILES += $(CACERTS_DST)
 ##########################################################################################
-BLACKLISTED_CERTS_SRC := $(JDK_TOPDIR)/src/share/lib/security/blacklisted.certs
-BLACKLISTED_CERTS_DST := $(JDK_OUTPUTDIR)/lib/security/blacklisted.certs
-
 ifndef OPENJDK
 BLACKLIST_SRC := $(JDK_TOPDIR)/src/closed/share/lib/security/blacklist
 BLACKLIST_DST := $(JDK_OUTPUTDIR)/lib/security/blacklist
- BLACKLISTED_CERTS_SRC += $(wildcard $(JDK_TOPDIR)/src/closed/share/lib/security/blacklisted.certs)
-
 TRUSTEDLIBS_SRC := $(JDK_TOPDIR)/src/closed/share/lib/security/trusted.libraries
 TRUSTEDLIBS_DST := $(JDK_OUTPUTDIR)/lib/security/trusted.libraries
@@ -432,20 +427,6 @@ ifndef OPENJDK
 endif
-$(BLACKLISTED_CERTS_DST): $(BLACKLISTED_CERTS_SRC)
- $(MKDIR) -p $(@D)
- $(CAT) $^ | $(SED) '/^$$/d' | $(SORT) | $(UNIQ) > $@.tmp
- $(GREP) -i Algorithm $@.tmp > $@
- if [ `$(SED) -n -e "$$=" $@` != 1 ]; then \
- $(ECHO) "Different algorithms defined in $^"; \
- $(RM) $@ $@.tmp; \
- false; \
- fi
- $(GREP) -iv Algorithm $@.tmp >> $@
- $(RM) $@.tmp
-
-COPY_FILES += $(BLACKLISTED_CERTS_DST)
-
 ##########################################################################################
 ifndef OPENJDK
diff --git a/jdk/make/GenerateData.gmk b/jdk/make/GenerateData.gmk
index 437dd0b1d38..8228f917800 100644
--- a/jdk/make/GenerateData.gmk
+++ b/jdk/make/GenerateData.gmk
@@ -50,6 +50,9 @@ GENDATA += $(GENDATA_TZDB)
 include gendata/GendataHtml32dtd.gmk
 GENDATA += $(GENDATA_HTML32DTD)
+include gendata/GendataBlacklistedCerts.gmk
+GENDATA += $(GENDATA_BLACKLISTED_CERTS)
+
 ##########################################################################################
 GENDATA_UNINAME := $(JDK_OUTPUTDIR)/classes/java/lang/uniName.dat
diff --git a/jdk/make/Tools.gmk b/jdk/make/Tools.gmk
index d223f4afa62..0f781909490 100644
--- a/jdk/make/Tools.gmk
+++ b/jdk/make/Tools.gmk
@@ -87,6 +87,9 @@ TOOL_HASHER = $(JAVA_SMALL) -cp $(JDK_OUTPUTDIR)/btclasses \
 TOOL_TZDB = $(JAVA_SMALL) -cp $(JDK_OUTPUTDIR)/btclasses \
 build.tools.tzdb.TzdbZoneRulesCompiler
+TOOL_BLACKLISTED_CERTS = $(JAVA_SMALL) -cp $(JDK_OUTPUTDIR)/btclasses \
+ build.tools.blacklistedcertsconverter.BlacklistedCertsConverter
+
 # TODO: There are references to the jdwpgen.jar in jdk/make/netbeans/jdwpgen/build.xml
 # and nbproject/project.properties in the same dir. Needs to be looked at.
diff --git a/jdk/src/share/lib/security/blacklisted.certs.pem b/jdk/make/data/blacklistedcertsconverter/blacklisted.certs.pem
similarity index 99%
rename from jdk/src/share/lib/security/blacklisted.certs.pem
rename to jdk/make/data/blacklistedcertsconverter/blacklisted.certs.pem
index f44a6985352..db1c077ccb0 100644
--- a/jdk/src/share/lib/security/blacklisted.certs.pem
+++ b/jdk/make/data/blacklistedcertsconverter/blacklisted.certs.pem
@@ -1,3 +1,9 @@
+#! java BlacklistedCertsConverter SHA-256
+
+# The line above must be the first line of the blacklisted.certs.pem
+# file inside src/share/lib/security/. It will be ignored if added in
+# src/closed/share/lib/security/blacklisted.certs.pem.
+
 // Subject: CN=Digisign Server ID (Enrich),
 // OU=457608-K,
 // O=Digicert Sdn. Bhd.,
diff --git a/jdk/make/gendata/GendataBlacklistedCerts.gmk b/jdk/make/gendata/GendataBlacklistedCerts.gmk
new file mode 100644
index 00000000000..ab62ca69ef9
--- /dev/null
+++ b/jdk/make/gendata/GendataBlacklistedCerts.gmk
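Review bot: The comment added under the `#!` line still names `src/share/lib/security/` and `src/closed/share/lib/security/blacklisted.certs.pem`, but this very commit moves the file to `make/data/blacklistedcertsconverter/` and GendataBlacklistedCerts.gmk reads the closed copy from `make/closed/data/blacklistedcertsconverter/`, so the header documents paths that no longer exist. Suggested wording: `# The line above must be the first line of the blacklisted.certs.pem` / `# file inside make/data/blacklistedcertsconverter/. It will be ignored if added in` / `# make/closed/data/blacklistedcertsconverter/blacklisted.certs.pem.`. The "ignored" claim presumably holds only because the open file is listed first in GENDATA_BLACKLISTED_CERTS_SRC and the converter reads the algorithm from the head of the concatenated stream; stating that ordering dependency in the comment would spare the next editor a surprise.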
@@ -0,0 +1,36 @@
+#
+# Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation. Oracle designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Oracle in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+GENDATA_BLACKLISTED_CERTS_SRC := $(JDK_TOPDIR)/make/data/blacklistedcertsconverter/blacklisted.certs.pem
+GENDATA_BLACKLISTED_CERTS := $(JDK_OUTPUTDIR)/lib/security/blacklisted.certs
+
+ifndef OPENJDK
+ GENDATA_BLACKLISTED_CERTS_SRC += $(wildcard $(JDK_TOPDIR)/make/closed/data/blacklistedcertsconverter/blacklisted.certs.pem)
+endif
+
+$(GENDATA_BLACKLISTED_CERTS): $(BUILD_TOOLS) $(GENDATA_BLACKLISTED_CERTS_SRC)
+ $(ECHO) "Generating blacklisted certs"
+ $(MKDIR) -p $(@D)
+ ($(CAT) $(GENDATA_BLACKLISTED_CERTS_SRC) | $(TOOL_BLACKLISTED_CERTS) > $@) || exit 1
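Review bot: The last recipe line redirects the converter's output straight into `$@`, so when the tool throws after the shell has already created the file (bad `#!` header, unparsable PEM, unknown digest name), an empty or truncated blacklisted.certs is left behind with a fresh timestamp and the next build treats it as up to date; `|| exit 1` only fails the current run. Removing the partial target on failure keeps an empty blacklist from reaching the image: `($(CAT) $(GENDATA_BLACKLISTED_CERTS_SRC) | $(TOOL_BLACKLISTED_CERTS) > $@) || ($(RM) $@; exit 1)`, or write to `$@.tmp` and rename only on success, or declare `.DELETE_ON_ERROR:` once in this file. The `exit 1` is also redundant, since the non-zero status of the parenthesised pipeline already fails the recipe. Worth a comment above the rule: the removed CopyFiles.gmk recipe rejected inputs whose Algorithm lines disagreed, whereas the converter appears to take the algorithm only from the first line of the concatenated stream, so a closed file declaring a different digest is no longer cross-checked.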
diff --git a/jdk/src/share/lib/security/BlacklistedCertsConverter.java b/jdk/make/src/classes/build/tools/blacklistedcertsconverter/BlacklistedCertsConverter.java
similarity index 56%
rename from jdk/src/share/lib/security/BlacklistedCertsConverter.java
rename to jdk/make/src/classes/build/tools/blacklistedcertsconverter/BlacklistedCertsConverter.java
index 65a88f00a2e..9f8ce873c57 100644
--- a/jdk/src/share/lib/security/BlacklistedCertsConverter.java
+++ b/jdk/make/src/classes/build/tools/blacklistedcertsconverter/BlacklistedCertsConverter.java
@@ -21,37 +21,65 @@
 * questions.
 */
+package build.tools.blacklistedcertsconverter;
+
 import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
 import java.security.cert.Certificate;
-import java.security.cert.CertificateEncodingException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.util.Collection;
+import java.util.Set;
+import java.util.TreeSet;
+
 /**
- * This is the tool to convert blacklisted.certs.pem to blacklisted.certs.
- * Every time a new blacklisted certs is added, please append the PEM format
- * to the end of blacklisted.certs.pem (with proper comments) and then use
- * this tool to generate an updated blacklisted.certs. Make sure to include
- * changes to both in a changeset.
+ * Converts blacklisted.certs.pem from System.in to blacklisted.certs in
+ * System.out. The input must start with a #! line including the fingerprint
+ * algorithm. The output is sorted and unique.
 */
 public class BlacklistedCertsConverter {
+
 public static void main(String[] args) throws Exception {
- if (args.length == 0) {
- System.out.println("Usage: java BlacklistedCertsConverter SHA-256" +
- " < blacklisted.certs.pem > blacklisted.certs");
- System.exit(1);
+
+ byte[] pattern = "#! java BlacklistedCertsConverter ".getBytes();
+ String mdAlg = "";
+
+ for (int i=0; ; i++) {
+ int n = System.in.read();
+ if (n < 0) {
+ throw new Exception("Unexpected EOF");
+ }
+ if (i < pattern.length) {
+ if (n != pattern[i]) {
+ throw new Exception("The first line must start with \"" +
+ new String(pattern) + "\"");
+ }
+ } else if (i < pattern.length + 100) {
+ if (n < 32) {
+ break;
+ } else {
+ mdAlg = mdAlg + String.format("%c", n);
+ }
+ }
+ }
 }
- String mdAlg = args[0];
+
+ mdAlg = mdAlg.trim();
+ System.out.println("Algorithm=" + mdAlg);
+
 CertificateFactory cf = CertificateFactory.getInstance("X.509");
 Collection certs = cf.generateCertificates(System.in);
- System.out.println("Algorithm=" + mdAlg);
+
+ // Output sorted so that it's easy to locate an entry.
+ Set fingerprints = new TreeSet<>();
 for (Certificate cert: certs) {
- System.out.println(
+ fingerprints.add(
 getCertificateFingerPrint(mdAlg, (X509Certificate)cert));
 }
+
+ for (String s: fingerprints) {
+ System.out.println(s);
+ }
 }
 /**
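Review bot: In the header loop in main, once `i` reaches `pattern.length + 100` without a control character having been read, neither branch executes, so the loop silently consumes the rest of the stream and fails with "Unexpected EOF" instead of reporting the over-long first line; an explicit `} else { throw new Exception("First line too long"); }` after the `else if` branch gives the right diagnostic. `Collection certs` and `Set fingerprints = new TreeSet<>()` are raw types; `Collection<? extends Certificate> certs` and `Set<String> fingerprints` remove the unchecked warnings at no cost. Accumulating `mdAlg` with `String.format("%c", n)` per byte works, but a `StringBuilder` with `append((char) n)` is the idiomatic form. Because this output is the shipped blacklist, an input that parses to zero certificates currently yields a file holding only the Algorithm line; a guard such as `if (certs.isEmpty()) throw new Exception("No certificates found");` would turn that silent outcome into a build failure.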
@@ -69,21 +97,15 @@ public class BlacklistedCertsConverter {
 /**
 * Gets the requested finger print of the certificate.
 */
- private static String getCertificateFingerPrint(String mdAlg,
- X509Certificate cert) {
- String fingerPrint = "";
- try {
- byte[] encCertInfo = cert.getEncoded();
- MessageDigest md = MessageDigest.getInstance(mdAlg);
- byte[] digest = md.digest(encCertInfo);
- StringBuffer buf = new StringBuffer();
- for (int i = 0; i < digest.length; i++) {
- byte2hex(digest[i], buf);
- }
- fingerPrint = buf.toString();
- } catch (NoSuchAlgorithmException | CertificateEncodingException e) {
- // ignored
+ private static String getCertificateFingerPrint(
+ String mdAlg, X509Certificate cert) throws Exception {
+ byte[] encCertInfo = cert.getEncoded();
+ MessageDigest md = MessageDigest.getInstance(mdAlg);
+ byte[] digest = md.digest(encCertInfo);
+ StringBuffer buf = new StringBuffer();
+ for (int i = 0; i < digest.length; i++) {
+ byte2hex(digest[i], buf);
 }
- return fingerPrint;
+ return buf.toString();
 }
 }
diff --git a/jdk/src/share/lib/security/blacklisted.certs b/jdk/src/share/lib/security/blacklisted.certs
deleted file mode 100644
index cb1e4d59e38..00000000000
--- a/jdk/src/share/lib/security/blacklisted.certs
+++ /dev/null
@@ -1,19 +0,0 @@
-Algorithm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
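Review bot: getCertificateFingerPrint now declares `throws Exception`, but the javadoc directly above the signature still says only that it gets the fingerprint; add `@throws Exception if the digest algorithm is unknown or the certificate cannot be encoded` so readers see that the former swallow-and-return-empty behaviour is gone and a bad entry now fails the build. `StringBuffer buf = new StringBuffer();` is a local, single-threaded buffer, so `StringBuilder buf = new StringBuilder();` is the cheaper idiom; byte2hex is defined outside this hunk and its parameter type would need to follow.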