From b24b03f9dbeb2c1e8b5cb0279659eee489bd9df4 Mon Sep 17 00:00:00 2001 From: Severin Gehwolf Date: Mon, 18 Sep 2023 09:06:41 +0000 Subject: [PATCH 01/13] 8314960: Add Certigna Root CA - 2 Reviewed-by: andrew Backport-of: a44f8b059847135ecd0618cb04abbb0d2be1d2d0 --- jdk/make/data/cacerts/certignarootca | 43 +++ .../certification/CertignaCA.java | 227 -------------- .../certification/CertignaRoots.java | 293 ++++++++++++++++++ .../security/lib/cacerts/VerifyCACerts.java | 8 +- 4 files changed, 341 insertions(+), 230 deletions(-) create mode 100644 jdk/make/data/cacerts/certignarootca delete mode 100644 jdk/test/security/infra/java/security/cert/CertPathValidator/certification/CertignaCA.java create mode 100644 jdk/test/security/infra/java/security/cert/CertPathValidator/certification/CertignaRoots.java diff --git a/jdk/make/data/cacerts/certignarootca b/jdk/make/data/cacerts/certignarootca new file mode 100644 index 0000000000..b79092d0cb --- /dev/null +++ b/jdk/make/data/cacerts/certignarootca @@ -0,0 +1,43 @@ +Owner: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR +Issuer: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR +Serial number: cae91b89f155030da3e6416dc4e3a6e1 +Valid from: Tue Oct 01 08:32:27 GMT 2013 until: Sat Oct 01 08:32:27 GMT 2033 +Signature algorithm name: SHA256withRSA +Subject Public Key Algorithm: 4096-bit RSA key +Version: 3 +-----BEGIN CERTIFICATE----- +MIIGWzCCBEOgAwIBAgIRAMrpG4nxVQMNo+ZBbcTjpuEwDQYJKoZIhvcNAQELBQAw +WjELMAkGA1UEBhMCRlIxEjAQBgNVBAoMCURoaW15b3RpczEcMBoGA1UECwwTMDAw +MiA0ODE0NjMwODEwMDAzNjEZMBcGA1UEAwwQQ2VydGlnbmEgUm9vdCBDQTAeFw0x +MzEwMDEwODMyMjdaFw0zMzEwMDEwODMyMjdaMFoxCzAJBgNVBAYTAkZSMRIwEAYD +VQQKDAlEaGlteW90aXMxHDAaBgNVBAsMEzAwMDIgNDgxNDYzMDgxMDAwMzYxGTAX +BgNVBAMMEENlcnRpZ25hIFJvb3QgQ0EwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAw +ggIKAoICAQDNGDllGlmx6mQWDoyUJJV8g9PFOSbcDO8WV43X2KyjQn+Cyu3NW9sO +ty3tRQgXstmzy9YXUnIo245Onoq2C/mehJpNdt4iKVzSs9IGPjA5qXSjklYcoW9M +CiBtnyN6tMbaLOQdLNyzKNAT8kxOAkmhVECe5uUFoC2EyP+YbNDrihqECB63aCPu +I9Vwzm1RaRDuoXrC0SIxwoKF0vJVdlB8JXrJhFwLrN1CTivngqIkicuQstDuI7pm +TLtipPlTWmR7fJj6o0ieD5Wupxj0auwuA0Wv8HT4Ks16XdG+RCYyKfHx9WzMfgIh +C59vpD++nVPiz32pLHxYGpfhPTc3GGYo0kDFUYqMwy3OU4gkWGQwFsWq4NYKpkDf +ePb1BHxpE4S80dGnBs8B92jAqFe7OmGtBIyT46388NtEbVncSVmurJqZNjBBe3Yz +IoejwpKGbvlw7q6Hh5UbxHq9MfPU0uWZ/75I7HX1eBYdpnDBfzwboZL7z8g81sWT +Co/1VTp2lc5ZmIoJlXcymoO6LAQ6l73UL77XbJuiyn1tJslV1c/DeVIICZkHJC1k +JWumIWmbat10TWuXekG9qxf5kBdIjzb5LdXF2+6qhUVB+s06RbFo5jZMm5BX7CO5 +hwjCxAnxl4YqKE3idMDaxIzb3+KhF1nOJFl0Mdp//TBt2dzhauH8XwIDAQABo4IB +GjCCARYwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYwHQYDVR0OBBYE +FBiHVuBud+4kNTxOc5of1uHieX4rMB8GA1UdIwQYMBaAFBiHVuBud+4kNTxOc5of +1uHieX4rMEQGA1UdIAQ9MDswOQYEVR0gADAxMC8GCCsGAQUFBwIBFiNodHRwczov +L3d3d3cuY2VydGlnbmEuZnIvYXV0b3JpdGVzLzBtBgNVHR8EZjBkMC+gLaArhilo +dHRwOi8vY3JsLmNlcnRpZ25hLmZyL2NlcnRpZ25hcm9vdGNhLmNybDAxoC+gLYYr +aHR0cDovL2NybC5kaGlteW90aXMuY29tL2NlcnRpZ25hcm9vdGNhLmNybDANBgkq +hkiG9w0BAQsFAAOCAgEAlLieT/DjlQgi581oQfccVdV8AOItOoldaDgvUSILSo3L +6btdPrtcPbEo/uRTVRPPoZAbAh1fZkYJMyjhDSSXcNMQH+pkV5a7XdrnxIxPTGRG +HVyH41neQtGbqH6mid2PHMkwgu07nM3A6RngatgCdTer9zQoKJHyBApPNeNgJgH6 +0BGM+RFq7q89w1DTj18zeTyGqHNFkIwgtnJzFyO+B2XleJINugHA64wcZr+shncB +lA2c5uk5jR+mUYyZDDl34bSb+hxnV29qao6pK0xXeXpXIs/NX2NGjVxZOob4Mkdi +o2cNGJHc+6Zr9UhhcyNZjgKnvETq9Emd8VRY+WCv2hikLyhF3HqgiIZd8zvn/yk1 +gPxkQ5Tm4xxvvq0OKmOZK8l+hfZx6AYDlf7ej0gcWtSS6Cvu5zHbugRqh5jnxV/v +faci9wHYTfmJ0A6aBVmknpjZbyvKcL5kwlWj9Omvw5Ip3IgWJJk8jSaYtlu3zM63 +Nwf9JtmYhST/WSMDmu2dnajkXjjO11INb9I/bbEFa0nOipFGc/T2L/Coc3cOZayh +jWZSaX5LaAzHHjcng6WMxwLkFM1JAbBzs/3GkDpv0mztO+7skb6iQ12LAEpmJURw +3kAP+HwV96LOPNdeE4yBFxgX0b3xdxA61GU5wSesVywlVP+i2k+KYTlerj1KjL0= +-----END CERTIFICATE----- diff --git a/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/CertignaCA.java b/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/CertignaCA.java deleted file mode 100644 index 5e05823337..0000000000 --- a/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/CertignaCA.java +++ /dev/null @@ -1,227 +0,0 @@ -/* - * Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License version 2 only, as - * published by the Free Software Foundation. - * - * This code is distributed in the hope that it will be useful, but WITHOUT - * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or - * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * version 2 for more details (a copy is included in the LICENSE file that - * accompanied this code). - * - * You should have received a copy of the GNU General Public License version - * 2 along with this work; if not, write to the Free Software Foundation, - * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. - * - * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA - * or visit www.oracle.com if you need additional information or have any - * questions. - */ - -/* - * @test - * @bug 8245654 - * @summary Interoperability tests with Certigna Root CA from Dhimyotis - * @build ValidatePathWithParams - * @run main/othervm -Djava.security.debug=certpath CertignaCA OCSP - * @run main/othervm -Djava.security.debug=certpath CertignaCA CRL - */ - -/* - * Obtain TLS test artifacts for Certigna Root CA from: - * - * Valid TLS Certificates: - * https://valid.servicesca.dhimyotis.com/ - * - * Revoked TLS Certificates: - * https://revoked.servicesca.dhimyotis.com/ - */ -public class CertignaCA { - - // Owner: CN=Certigna Services CA, OID.2.5.4.97=NTRFR-48146308100036, - // OU=0002 48146308100036, O=DHIMYOTIS, C=FR - // Issuer: CN=Certigna, O=Dhimyotis, C=FR - // Serial number: 6f82fa28acd6f784bb5b120ba87367ad - // Valid from: Wed Nov 25 03:33:52 PST 2015 until: Sat Nov 22 03:33:52 PST 2025 - private static final String INT = "-----BEGIN CERTIFICATE-----\n" + - "MIIGFjCCBP6gAwIBAgIQb4L6KKzW94S7WxILqHNnrTANBgkqhkiG9w0BAQsFADA0\n" + - "MQswCQYDVQQGEwJGUjESMBAGA1UECgwJRGhpbXlvdGlzMREwDwYDVQQDDAhDZXJ0\n" + - "aWduYTAeFw0xNTExMjUxMTMzNTJaFw0yNTExMjIxMTMzNTJaMH0xCzAJBgNVBAYT\n" + - "AkZSMRIwEAYDVQQKDAlESElNWU9USVMxHDAaBgNVBAsMEzAwMDIgNDgxNDYzMDgx\n" + - "MDAwMzYxHTAbBgNVBGEMFE5UUkZSLTQ4MTQ2MzA4MTAwMDM2MR0wGwYDVQQDDBRD\n" + - "ZXJ0aWduYSBTZXJ2aWNlcyBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC\n" + - "ggIBALPM+7LpWBz9wFcPaTc3xnB+5g0XrnptB0EPPfrR04vO52Ykm4ky1d4ZLd10\n" + - "tbM1fa1RqNSOVWWg93O4pL7zCFKlz6JV74ZZVhHpEAwzBwv2oPnxvVbxtSN67xsS\n" + - "Y66ahUYxjzs8+3FhmsiRxqwnTYvK2u70uglUvRisOKyTL/M6JnrC4y8tlmoz7OSa\n" + - "5BmBMVplJFQtvmON6N9aHLvYMz+EyJPCbXL6pELxeHjFT5QmIaRamsr2DOTaCjtB\n" + - "ZKI1Wnh3X7lnbjM8MESJiV2t7E9tIQNG0Z/HI3tO4aaUMum3KysY5sC8v3vi7rry\n" + - "GidgzHQhrtP0ZXWW5UH/k7umLS/P/XXWnCFpc2Lxa1uDGfc2im7xibRoPP+JNZsz\n" + - "N76euFlls6jyEXAiwnVr14tVVTewLK0OWs5SJHpEKp8PGMZRDj59EmMvokWwzL6Q\n" + - "zNZ6vVAp00oOm05sbspNY9+MFqGKKUsKvhFGEa4XmRNxDe6KswLcjPZB+NKHZ0QW\n" + - "Fd4ip5C5XmEK/8qIPjwVr9dah9+oiHGGO8Wx7gJAMF5DTmkvW7GhqCKj1LmHnabj\n" + - "zc8av6kxWVQZi/C7HCm9i/W4wio+JA2EAFLqNL3GPNbK9kau4yPhQt/c7zxzo0OH\n" + - "nlsV4THCG7oOCd3cfCiyfQcb3FBt6OSpaKRZxjCLBwP00r0fAgMBAAGjggHZMIIB\n" + - "1TASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU\n" + - "rOyGj0s3HLh/FxsZ0K7oTuM0XBIwZAYDVR0jBF0wW4AUGu3+QTmQtCRZvgHyUtVF\n" + - "9lo53BGhOKQ2MDQxCzAJBgNVBAYTAkZSMRIwEAYDVQQKDAlEaGlteW90aXMxETAP\n" + - "BgNVBAMMCENlcnRpZ25hggkA/tzjAQ/JSP8wSQYDVR0gBEIwQDA+BgoqgXoBgTEB\n" + - "AAECMDAwLgYIKwYBBQUHAgEWImh0dHBzOi8vd3d3LmNlcnRpZ25hLmZyL2F1dG9y\n" + - "aXRlcy8wfAYIKwYBBQUHAQEEcDBuMDQGCCsGAQUFBzAChihodHRwOi8vYXV0b3Jp\n" + - "dGUuY2VydGlnbmEuZnIvY2VydGlnbmEuZGVyMDYGCCsGAQUFBzAChipodHRwOi8v\n" + - "YXV0b3JpdGUuZGhpbXlvdGlzLmNvbS9jZXJ0aWduYS5kZXIwYQYDVR0fBFowWDAp\n" + - "oCegJYYjaHR0cDovL2NybC5jZXJ0aWduYS5mci9jZXJ0aWduYS5jcmwwK6ApoCeG\n" + - "JWh0dHA6Ly9jcmwuZGhpbXlvdGlzLmNvbS9jZXJ0aWduYS5jcmwwDQYJKoZIhvcN\n" + - "AQELBQADggEBAGLft7gIuGPZVfg0cTM+HT2xAZFPDb/2+siH06x+dH044zMKbBIN\n" + - "bRzhKipwB1A3MW8FQjveE9tyrfyuqZE/X+o2SlGcdNV44ybYkxo4f6kcLEavV/IW\n" + - "+oFEnojZlhpksYcxrvQoEyqkAwshe8IS2KtZHKVACrt+XSs0lwvy7ALGmHaF7A4b\n" + - "y6cZWItA7Lhj8XWp+8tBJDj7HocRbWtxzEODdBuyMgJzFrNjc+97J0vH/K0+3yjm\n" + - "kczpKshMA0tM+MF9XDMN/MuwrPmUWGO/fHiqHgUp8yqeWtl1n44ZxkkK1t9GRwhn\n" + - "DWLv73/xhTmdhWYQ/reo0GbgBoLiltKmIJQ=\n" + - "-----END CERTIFICATE-----"; - - // Owner: SERIALNUMBER=S230100953, CN=valid.servicesca.dhimyotis.com, - // OU=0002 48146308100036, O=DHIMYOTIS, L=VILLENEUVE D'ASCQ, C=FR - // Issuer: CN=Certigna Services CA, OID.2.5.4.97=NTRFR-48146308100036, - // OU=0002 48146308100036, O=DHIMYOTIS, C=FR - // Serial number: 2959798fe2e0e7b43810169ae938bc5f - // Valid from: Sun Mar 13 16:00:00 PDT 2022 until: Mon Mar 13 15:59:59 PDT 2023 - private static final String VALID = "-----BEGIN CERTIFICATE-----\n" + - "MIIIkzCCBnugAwIBAgIQKVl5j+Lg57Q4EBaa6Ti8XzANBgkqhkiG9w0BAQsFADB9\n" + - "MQswCQYDVQQGEwJGUjESMBAGA1UECgwJREhJTVlPVElTMRwwGgYDVQQLDBMwMDAy\n" + - "IDQ4MTQ2MzA4MTAwMDM2MR0wGwYDVQRhDBROVFJGUi00ODE0NjMwODEwMDAzNjEd\n" + - "MBsGA1UEAwwUQ2VydGlnbmEgU2VydmljZXMgQ0EwHhcNMjIwMzEzMjMwMDAwWhcN\n" + - "MjMwMzEzMjI1OTU5WjCBmTELMAkGA1UEBhMCRlIxGjAYBgNVBAcMEVZJTExFTkVV\n" + - "VkUgRCdBU0NRMRIwEAYDVQQKDAlESElNWU9USVMxHDAaBgNVBAsMEzAwMDIgNDgx\n" + - "NDYzMDgxMDAwMzYxJzAlBgNVBAMMHnZhbGlkLnNlcnZpY2VzY2EuZGhpbXlvdGlz\n" + - "LmNvbTETMBEGA1UEBRMKUzIzMDEwMDk1MzCCASIwDQYJKoZIhvcNAQEBBQADggEP\n" + - "ADCCAQoCggEBALpeGHbzRGnv1C0PdJS0nT+Cx98Pw8ctaw51m9Vlk2j8AFGZRu8r\n" + - "lX3noQYX0AIfcbk6KqPAreIvJQV0UgM5jxt3mIQF7iU+55MG4mWmSJgKDDq4b3ck\n" + - "WdBy0KpSBqLmB9sHyTNk9NilNu7VwG03HGIltWA2uQFJGC8CkxwAFpMCQ9RVYw2Z\n" + - "NkL/SsiPgrRLiCJZjesk1oAcLnLp7hbelfUB2Z71VmuDDlom7CsLvdN8eIG+Lj+V\n" + - "wkGmH6AbVGvbFniFDLCNDSJWCQ9AHeO+i0CM/wd2gBRSgm993p2YMxu5mVZjz/rp\n" + - "ELaCYjulvNZKvPIFoNe8qsxlXRWeqWaHuPsCAwEAAaOCA/AwggPsMIHkBggrBgEF\n" + - "BQcBAQSB1zCB1DA4BggrBgEFBQcwAoYsaHR0cDovL2F1dG9yaXRlLmRoaW15b3Rp\n" + - "cy5jb20vc2VydmljZXNjYS5kZXIwNgYIKwYBBQUHMAKGKmh0dHA6Ly9hdXRvcml0\n" + - "ZS5jZXJ0aWduYS5mci9zZXJ2aWNlc2NhLmRlcjAwBggrBgEFBQcwAYYkaHR0cDov\n" + - "L3NlcnZpY2VzY2Eub2NzcC5kaGlteW90aXMuY29tMC4GCCsGAQUFBzABhiJodHRw\n" + - "Oi8vc2VydmljZXNjYS5vY3NwLmNlcnRpZ25hLmZyMB8GA1UdIwQYMBaAFKzsho9L\n" + - "Nxy4fxcbGdCu6E7jNFwSMAkGA1UdEwQCMAAwYQYDVR0gBFowWDAIBgZngQwBAgIw\n" + - "TAYLKoF6AYExAgUBAQEwPTA7BggrBgEFBQcCARYvaHR0cHM6Ly93d3cuY2VydGln\n" + - "bmEuY29tL2F1dG9yaXRlLWNlcnRpZmljYXRpb24wZQYDVR0fBF4wXDAroCmgJ4Yl\n" + - "aHR0cDovL2NybC5jZXJ0aWduYS5mci9zZXJ2aWNlc2NhLmNybDAtoCugKYYnaHR0\n" + - "cDovL2NybC5kaGlteW90aXMuY29tL3NlcnZpY2VzY2EuY3JsMBMGA1UdJQQMMAoG\n" + - "CCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIFoDBIBgNVHREEQTA/gh12YWxpZC5zZXJ2\n" + - "aWNlc2NhLmNlcnRpZ25hLmNvbYIedmFsaWQuc2VydmljZXNjYS5kaGlteW90aXMu\n" + - "Y29tMB0GA1UdDgQWBBSGQwwMIdxiI7P+CFU/Z968XZaSGzCCAX0GCisGAQQB1nkC\n" + - "BAIEggFtBIIBaQFnAHUArfe++nz/EMiLnT2cHj4YarRnKV3PsQwkyoWGNOvcgooA\n" + - "AAF/h9eOGgAABAMARjBEAiBaneK2CTn9lH28CUnL2C2/WklUYkvygMiDrtCIUXfw\n" + - "gQIgJrGxwgGlsYzUdZyZY/oNWSLByO8/Jb5LXbNibdk5SnAAdwDoPtDaPvUGNTLn\n" + - "Vyi8iWvJA9PL0RFr7Otp4Xd9bQa9bgAAAX+H14/NAAAEAwBIMEYCIQCVtuV9p/Ug\n" + - "IhwVoMUjPp1KzGte/FmDaKPx432VjOpD+AIhANKWkDEuVnMzPH8sdJCL+eXoB0Q7\n" + - "0mpe5dHEiFJS8lTBAHUAs3N3B+GEUPhjhtYFqdwRCUp5LbFnDAuH3PADDnk2pZoA\n" + - "AAF/h9eTcQAABAMARjBEAiAjdYhnzPe9lJksk94ngl7PLDRi71tSRN7SslibEyv+\n" + - "XAIgLQ5NKQAaJnF8oA7WnHB8gyJ/8kqZi52d1WFgARDLR30wDQYJKoZIhvcNAQEL\n" + - "BQADggIBAJhLhW5Gh9yOPKsrMhABd7U5juc5ev97c6s7Az70Yr5/EtH6TlgC6a1N\n" + - "i0yzFOeXzAR8Svsq6HzqP9kMJkEFIrdWH8JZdEv871EjYetEzLLnO0m+dNEROJAh\n" + - "fcJ2w2LufPNaQ327tGY/DxDH9jdtgquReO01bPlJ0Yc5J3maz4XapeUm/kQ8dRzS\n" + - "0UBOxfUlEMpDatZzg7wugy7g9vOndW/VbtbN5Iioq2bjuykPJZfZUx4cCAmLUS7w\n" + - "bqPThQ54PnybiPXaF8cH1Gq0Rs/lGB1erzRXRXHgMy61mFY944r13oATnSdTy8Gm\n" + - "QoMsVp9w7WBRo8O4PR606Ke8Ufm9Kg2GJ1sHClf70FNFO/OSFlr3BLDG0vEMdgVW\n" + - "9QLu6UQXa9PhWMoo030k5fmUySzIUljXnstj3rgcD2HE1UrobTqyRHbbQ8JVWaF0\n" + - "PrPR4WDFI9dY0jixVQucKlX6FCqsyNrJF8GWDlZH+Cd8bk+MA9fKUuX/vmoOc2d+\n" + - "bvOCliME7YjAJkyclk6yiFIMnqyh+TD0d8WbjE94YC/293Xqb6WGkRhhsCX9RUrk\n" + - "I6QbS2uicCFGjRsPmjvMkDDxS00MShRl2K/KpsAx68Cv/Gcw3bv31obwNXTB2IBg\n" + - "gI0MfBHnjIp1nmNvCNmVIP52YrGQyC2JE7+GZUWTuwUVeDgBhiEZ\n" + - "-----END CERTIFICATE-----"; - - // Owner: SERIALNUMBER=S230120951, CN=revoked.servicesca.dhimyotis.com, - // OU=0002 48146308100036, O=DHIMYOTIS, L=VILLENEUVE D'ASCQ, C=FR - // Issuer: CN=Certigna Services CA, OID.2.5.4.97=NTRFR-48146308100036, - // OU=0002 48146308100036, O=DHIMYOTIS, C=FR - // Serial number: f88f2566b3dbf73763622db9b2bf9cc - // Valid from: Sun Mar 13 16:00:00 PDT 2022 until: Mon Mar 13 15:59:59 PDT 2023 - private static final String REVOKED = "-----BEGIN CERTIFICATE-----\n" + - "MIIImTCCBoGgAwIBAgIQD4jyVms9v3N2NiLbmyv5zDANBgkqhkiG9w0BAQsFADB9\n" + - "MQswCQYDVQQGEwJGUjESMBAGA1UECgwJREhJTVlPVElTMRwwGgYDVQQLDBMwMDAy\n" + - "IDQ4MTQ2MzA4MTAwMDM2MR0wGwYDVQRhDBROVFJGUi00ODE0NjMwODEwMDAzNjEd\n" + - "MBsGA1UEAwwUQ2VydGlnbmEgU2VydmljZXMgQ0EwHhcNMjIwMzEzMjMwMDAwWhcN\n" + - "MjMwMzEzMjI1OTU5WjCBmzELMAkGA1UEBhMCRlIxGjAYBgNVBAcMEVZJTExFTkVV\n" + - "VkUgRCdBU0NRMRIwEAYDVQQKDAlESElNWU9USVMxHDAaBgNVBAsMEzAwMDIgNDgx\n" + - "NDYzMDgxMDAwMzYxKTAnBgNVBAMMIHJldm9rZWQuc2VydmljZXNjYS5kaGlteW90\n" + - "aXMuY29tMRMwEQYDVQQFEwpTMjMwMTIwOTUxMIIBIjANBgkqhkiG9w0BAQEFAAOC\n" + - "AQ8AMIIBCgKCAQEAouvIzemKChCjYICW+TzRigLkqaTdMLnaPlGaXyCCoEUS6nkK\n" + - "QnrwTgebf1X9/mwSAuvTo3Ck7CVgE8AMqsPTluSjezCJuED/F3HYy2YsbIhnVK/i\n" + - "uSzKsDGVY3RlVNm2MA2viVTNBbOFhk4kefYqpDCmp3EGvIDOCb7Y5PTuKKQ79s97\n" + - "uDm+0WoBnOdwSuZMUg+hvINBgu2JQFwiWP0g/SxoK6Ci9SVokM3zR4KgECkMVArf\n" + - "cH0dN+5SYvByaGegQJy7TdKqDsf1lIHM19tUXcxOBNRgV3Rf7WMNIlERtLXjRfke\n" + - "IWXf8QtXRVIH/i/PoVTDo2qvQOMnZFY/Eb5dFQIDAQABo4ID9DCCA/AwgeQGCCsG\n" + - "AQUFBwEBBIHXMIHUMDgGCCsGAQUFBzAChixodHRwOi8vYXV0b3JpdGUuZGhpbXlv\n" + - "dGlzLmNvbS9zZXJ2aWNlc2NhLmRlcjA2BggrBgEFBQcwAoYqaHR0cDovL2F1dG9y\n" + - "aXRlLmNlcnRpZ25hLmZyL3NlcnZpY2VzY2EuZGVyMDAGCCsGAQUFBzABhiRodHRw\n" + - "Oi8vc2VydmljZXNjYS5vY3NwLmRoaW15b3Rpcy5jb20wLgYIKwYBBQUHMAGGImh0\n" + - "dHA6Ly9zZXJ2aWNlc2NhLm9jc3AuY2VydGlnbmEuZnIwHwYDVR0jBBgwFoAUrOyG\n" + - "j0s3HLh/FxsZ0K7oTuM0XBIwCQYDVR0TBAIwADBhBgNVHSAEWjBYMAgGBmeBDAEC\n" + - "AjBMBgsqgXoBgTECBQEBATA9MDsGCCsGAQUFBwIBFi9odHRwczovL3d3dy5jZXJ0\n" + - "aWduYS5jb20vYXV0b3JpdGUtY2VydGlmaWNhdGlvbjBlBgNVHR8EXjBcMCugKaAn\n" + - "hiVodHRwOi8vY3JsLmNlcnRpZ25hLmZyL3NlcnZpY2VzY2EuY3JsMC2gK6Aphido\n" + - "dHRwOi8vY3JsLmRoaW15b3Rpcy5jb20vc2VydmljZXNjYS5jcmwwEwYDVR0lBAww\n" + - "CgYIKwYBBQUHAwEwDgYDVR0PAQH/BAQDAgWgMEwGA1UdEQRFMEOCH3Jldm9rZWQu\n" + - "c2VydmljZXNjYS5jZXJ0aWduYS5jb22CIHJldm9rZWQuc2VydmljZXNjYS5kaGlt\n" + - "eW90aXMuY29tMB0GA1UdDgQWBBTGIed1eHBS8Z1H3PdMkItpjyjq2TCCAX0GCisG\n" + - "AQQB1nkCBAIEggFtBIIBaQFnAHcArfe++nz/EMiLnT2cHj4YarRnKV3PsQwkyoWG\n" + - "NOvcgooAAAF/h9g4MAAABAMASDBGAiEAp/1fQB730JrX9YGD3d1Uq7rTAL95tMKe\n" + - "G6kgUP1GEWoCIQCzi6feA3cImTH6tVZALNEmve/n8SVFAvD2AvX8ioCD9QB1AOg+\n" + - "0No+9QY1MudXKLyJa8kD08vREWvs62nhd31tBr1uAAABf4fYNHcAAAQDAEYwRAIg\n" + - "Dnd8oOV7/MuaiyR23qbdRVf1kBSsDxnLp1/vRdD0JTYCIAw7LuZalEVa/0KpuNHs\n" + - "NIdUJgV4Vioa2xkb9fdPIhtkAHUAs3N3B+GEUPhjhtYFqdwRCUp5LbFnDAuH3PAD\n" + - "Dnk2pZoAAAF/h9g7nwAABAMARjBEAiA80M1W3V3iKjm6Dwn+hKkmvGiuXZoM6o3f\n" + - "QJsZ2ZOx0QIgUiS3I83WzoCdD4qO9rlmDQhRD69CeVzCgLtkaTPz3JYwDQYJKoZI\n" + - "hvcNAQELBQADggIBADKub0gNyasTvURoYukQCllqDC+SvWA4TURBcmQMNjdVkreJ\n" + - "B3O91HZhTyhrCBJxybeIG89zuRI6rjTpHCQGFqtP7968NA3eUlxGGnAPpw6VbN47\n" + - "Ake+CRI9XnhxcKmTGm987DjtIBH42BedS59P1T56grZP5ysOog9Hz4eYo2ytbZqt\n" + - "P/DHggivymaaiIaBsqup8C7/XN3vVAa/yo1FeLJ48i1d0M9hjGBUFMajd8Y5+pE7\n" + - "p6Nb5mT1LXbetORYXMyG3MiJQPBAr1dLnRGnOZxc1Kxa1QwoAFQAFIXFpqfBwfHi\n" + - "NaSDdFS/wLbpe7UvtC8FWLq9sgITDEkPqDPCsbu8Vc7OxaMhBJ7HQGaAYMReGADG\n" + - "Elx9ffAc+dFR62zFnqMLouaEznZ7FVNmU3cYbrFVBvnGmoDRe0AKUoYv5DCiawUg\n" + - "qeQS69DgG7DOE5VIDaWX2Cevy81mz7O8EVQsyS15J/MUxzWfQpRaHUqkge6G9FSH\n" + - "hF/Nm48oWgpWop5aIF2O6bA/Bt1VvAWdypUPUr4gtpYIQoOQBzTFgBVWUeOTOImE\n" + - "avvpzSwGQfZkB7t5PcAQ+zYGxWq7fr30/qY3geePcXJCGWS6PXyj8lNn4CaJ2sMF\n" + - "GKxNJGD49/5uoxi3b3TzGUn/3eG2qP2RZoXZ6ZPLAo+moIy3XLwMoZm3Im8r\n" + - "-----END CERTIFICATE-----"; - - public static void main(String[] args) throws Exception { - - ValidatePathWithParams pathValidator; - String[] validChainToValidate; - String[] revChainToValidate; - - if (args.length >= 1 && "CRL".equalsIgnoreCase(args[0])) { - pathValidator = new ValidatePathWithParams(null); - pathValidator.enableCRLCheck(); - - validChainToValidate = new String[]{VALID, INT}; - revChainToValidate = new String[]{REVOKED, INT}; - } else { - // OCSP check by default - // int certificate doesn't specify OCSP responder - pathValidator = new ValidatePathWithParams(new String[]{INT}); - pathValidator.enableOCSPCheck(); - - validChainToValidate = new String[]{VALID}; - revChainToValidate = new String[]{REVOKED}; - } - - // Validate valid - pathValidator.validate(validChainToValidate, - ValidatePathWithParams.Status.GOOD, null, System.out); - - // Validate Revoked - pathValidator.validate(revChainToValidate, - ValidatePathWithParams.Status.REVOKED, - "Mon Mar 14 03:00:16 PDT 2022", System.out); - } -} - diff --git a/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/CertignaRoots.java b/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/CertignaRoots.java new file mode 100644 index 0000000000..92744eac3d --- /dev/null +++ b/jdk/test/security/infra/java/security/cert/CertPathValidator/certification/CertignaRoots.java @@ -0,0 +1,293 @@ +/* + * Copyright (c) 2023, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8245654 8314960 + * @summary Interoperability tests with Certigna Root CAs from Dhimyotis + * @build ValidatePathWithParams + * @run main/othervm -Djava.security.debug=certpath CertignaRoots OCSP + * @run main/othervm -Djava.security.debug=certpath CertignaRoots CRL + */ + +/* + * Obtain TLS test artifacts for Certigna Root CAs from: + * + * Valid TLS Certificates: + * https://valid.servicesca.dhimyotis.com/ + * + * Revoked TLS Certificates: + * https://revoked.servicesca.dhimyotis.com/ + */ +public class CertignaRoots { + + // Owner: CN=Certigna Services CA, OID.2.5.4.97=NTRFR-48146308100036, + // OU=0002 48146308100036, O=DHIMYOTIS, C=FR + // Issuer: CN=Certigna Root CA, OU=0002 48146308100036, O=Dhimyotis, C=FR + // Serial number: fd30cf04344fc38dd90c4e70753d0623 + // Valid from: Wed Nov 25 03:37:21 PST 2015 until: Fri Jun 03 04:37:21 PDT 2033 + private static final String INT_CERTIGNA_ROOT_CA = "-----BEGIN CERTIFICATE-----\n" + + "MIIHETCCBPmgAwIBAgIRAP0wzwQ0T8ON2QxOcHU9BiMwDQYJKoZIhvcNAQELBQAw\n" + + "WjELMAkGA1UEBhMCRlIxEjAQBgNVBAoMCURoaW15b3RpczEcMBoGA1UECwwTMDAw\n" + + "MiA0ODE0NjMwODEwMDAzNjEZMBcGA1UEAwwQQ2VydGlnbmEgUm9vdCBDQTAeFw0x\n" + + "NTExMjUxMTM3MjFaFw0zMzA2MDMxMTM3MjFaMH0xCzAJBgNVBAYTAkZSMRIwEAYD\n" + + "VQQKDAlESElNWU9USVMxHDAaBgNVBAsMEzAwMDIgNDgxNDYzMDgxMDAwMzYxHTAb\n" + + "BgNVBGEMFE5UUkZSLTQ4MTQ2MzA4MTAwMDM2MR0wGwYDVQQDDBRDZXJ0aWduYSBT\n" + + "ZXJ2aWNlcyBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALPM+7Lp\n" + + "WBz9wFcPaTc3xnB+5g0XrnptB0EPPfrR04vO52Ykm4ky1d4ZLd10tbM1fa1RqNSO\n" + + "VWWg93O4pL7zCFKlz6JV74ZZVhHpEAwzBwv2oPnxvVbxtSN67xsSY66ahUYxjzs8\n" + + "+3FhmsiRxqwnTYvK2u70uglUvRisOKyTL/M6JnrC4y8tlmoz7OSa5BmBMVplJFQt\n" + + "vmON6N9aHLvYMz+EyJPCbXL6pELxeHjFT5QmIaRamsr2DOTaCjtBZKI1Wnh3X7ln\n" + + "bjM8MESJiV2t7E9tIQNG0Z/HI3tO4aaUMum3KysY5sC8v3vi7rryGidgzHQhrtP0\n" + + "ZXWW5UH/k7umLS/P/XXWnCFpc2Lxa1uDGfc2im7xibRoPP+JNZszN76euFlls6jy\n" + + "EXAiwnVr14tVVTewLK0OWs5SJHpEKp8PGMZRDj59EmMvokWwzL6QzNZ6vVAp00oO\n" + + "m05sbspNY9+MFqGKKUsKvhFGEa4XmRNxDe6KswLcjPZB+NKHZ0QWFd4ip5C5XmEK\n" + + "/8qIPjwVr9dah9+oiHGGO8Wx7gJAMF5DTmkvW7GhqCKj1LmHnabjzc8av6kxWVQZ\n" + + "i/C7HCm9i/W4wio+JA2EAFLqNL3GPNbK9kau4yPhQt/c7zxzo0OHnlsV4THCG7oO\n" + + "Cd3cfCiyfQcb3FBt6OSpaKRZxjCLBwP00r0fAgMBAAGjggGtMIIBqTASBgNVHRMB\n" + + "Af8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUrOyGj0s3HLh/\n" + + "FxsZ0K7oTuM0XBIwHwYDVR0jBBgwFoAUGIdW4G537iQ1PE5zmh/W4eJ5fiswSQYD\n" + + "VR0gBEIwQDA+BgoqgXoBgTECAAEBMDAwLgYIKwYBBQUHAgEWImh0dHBzOi8vd3d3\n" + + "LmNlcnRpZ25hLmZyL2F1dG9yaXRlcy8wgYgGCCsGAQUFBwEBBHwwejA6BggrBgEF\n" + + "BQcwAoYuaHR0cDovL2F1dG9yaXRlLmNlcnRpZ25hLmZyL2NlcnRpZ25hcm9vdGNh\n" + + "LmRlcjA8BggrBgEFBQcwAoYwaHR0cDovL2F1dG9yaXRlLmRoaW15b3Rpcy5jb20v\n" + + "Y2VydGlnbmFyb290Y2EuZGVyMG0GA1UdHwRmMGQwL6AtoCuGKWh0dHA6Ly9jcmwu\n" + + "Y2VydGlnbmEuZnIvY2VydGlnbmFyb290Y2EuY3JsMDGgL6AthitodHRwOi8vY3Js\n" + + "LmRoaW15b3Rpcy5jb20vY2VydGlnbmFyb290Y2EuY3JsMA0GCSqGSIb3DQEBCwUA\n" + + "A4ICAQCI5QbprXJ93L+JWHYpUTinXAMSvXMx2dmNm4mIiJRAbGnBOoEYx7M61fbL\n" + + "L5EJIYZhw8jLmeYVFuMao5OJLwda+RMmVzE7lyTGsY64IDKdwogByNCqbKzrlhnU\n" + + "8myyMNB0BDs2jgwQe2Dj9v+MddeHr7sDqvs7R1tSS5hoASLtdQhO7oxUzr3m7M8q\n" + + "+lh4jszli+cjfiPUVS2ADFu4ccQIh4OsIX6SWdU+8R+c/fn0FV6ip4SAVbNyCToz\n" + + "0ZbZKO8YTJgORxRmvrop9dPyuLWjaRrZ0LMx4a3EM3sQDPDqmsG0lHtfFj2PiJvq\n" + + "4lEYA+gDiLKODI+3DJMqo559m3QSS52DsShomHX/Txd0lJoZwepCE6X4KkG9FHjV\n" + + "WXyLgYFwCOcn+hkLhdpblms0wtjeSPITGOioSkefzhleJnDgJ9X4M3svd0HLTpJi\n" + + "lC1DmDZgdrXWITVdOoCogr2LFKNiGd0tbpKG533eKpfBALlm+afc6j73p1KhJEAn\n" + + "AfydDZqBRqv6+HHYplNDn/K2I1CZdkwaGrx3HOR/voGUi1sUI+hYbsPAFu8ZxrhD\n" + + "9UiysmLCfEUhqkbojony+L2mKsoLqyd24emQzn7GgMa7emlWX2jQUTwrD4SliZ2u\n" + + "OetVaZX5RLyqJWs4Igo/xye0xtMQN8INJ4hSZvnMQ1qFtuSRcQ==\n" + + "-----END CERTIFICATE-----"; + + // Owner: CN=Certigna Services CA, OID.2.5.4.97=NTRFR-48146308100036, + // OU=0002 48146308100036, O=DHIMYOTIS, C=FR + // Issuer: CN=Certigna, O=Dhimyotis, C=FR + // Serial number: 6f82fa28acd6f784bb5b120ba87367ad + // Valid from: Wed Nov 25 03:33:52 PST 2015 until: Sat Nov 22 03:33:52 PST 2025 + private static final String INT_CERTIGNA = "-----BEGIN CERTIFICATE-----\n" + + "MIIGFjCCBP6gAwIBAgIQb4L6KKzW94S7WxILqHNnrTANBgkqhkiG9w0BAQsFADA0\n" + + "MQswCQYDVQQGEwJGUjESMBAGA1UECgwJRGhpbXlvdGlzMREwDwYDVQQDDAhDZXJ0\n" + + "aWduYTAeFw0xNTExMjUxMTMzNTJaFw0yNTExMjIxMTMzNTJaMH0xCzAJBgNVBAYT\n" + + "AkZSMRIwEAYDVQQKDAlESElNWU9USVMxHDAaBgNVBAsMEzAwMDIgNDgxNDYzMDgx\n" + + "MDAwMzYxHTAbBgNVBGEMFE5UUkZSLTQ4MTQ2MzA4MTAwMDM2MR0wGwYDVQQDDBRD\n" + + "ZXJ0aWduYSBTZXJ2aWNlcyBDQTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC\n" + + "ggIBALPM+7LpWBz9wFcPaTc3xnB+5g0XrnptB0EPPfrR04vO52Ykm4ky1d4ZLd10\n" + + "tbM1fa1RqNSOVWWg93O4pL7zCFKlz6JV74ZZVhHpEAwzBwv2oPnxvVbxtSN67xsS\n" + + "Y66ahUYxjzs8+3FhmsiRxqwnTYvK2u70uglUvRisOKyTL/M6JnrC4y8tlmoz7OSa\n" + + "5BmBMVplJFQtvmON6N9aHLvYMz+EyJPCbXL6pELxeHjFT5QmIaRamsr2DOTaCjtB\n" + + "ZKI1Wnh3X7lnbjM8MESJiV2t7E9tIQNG0Z/HI3tO4aaUMum3KysY5sC8v3vi7rry\n" + + "GidgzHQhrtP0ZXWW5UH/k7umLS/P/XXWnCFpc2Lxa1uDGfc2im7xibRoPP+JNZsz\n" + + "N76euFlls6jyEXAiwnVr14tVVTewLK0OWs5SJHpEKp8PGMZRDj59EmMvokWwzL6Q\n" + + "zNZ6vVAp00oOm05sbspNY9+MFqGKKUsKvhFGEa4XmRNxDe6KswLcjPZB+NKHZ0QW\n" + + "Fd4ip5C5XmEK/8qIPjwVr9dah9+oiHGGO8Wx7gJAMF5DTmkvW7GhqCKj1LmHnabj\n" + + "zc8av6kxWVQZi/C7HCm9i/W4wio+JA2EAFLqNL3GPNbK9kau4yPhQt/c7zxzo0OH\n" + + "nlsV4THCG7oOCd3cfCiyfQcb3FBt6OSpaKRZxjCLBwP00r0fAgMBAAGjggHZMIIB\n" + + "1TASBgNVHRMBAf8ECDAGAQH/AgEAMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQU\n" + + "rOyGj0s3HLh/FxsZ0K7oTuM0XBIwZAYDVR0jBF0wW4AUGu3+QTmQtCRZvgHyUtVF\n" + + "9lo53BGhOKQ2MDQxCzAJBgNVBAYTAkZSMRIwEAYDVQQKDAlEaGlteW90aXMxETAP\n" + + "BgNVBAMMCENlcnRpZ25hggkA/tzjAQ/JSP8wSQYDVR0gBEIwQDA+BgoqgXoBgTEB\n" + + "AAECMDAwLgYIKwYBBQUHAgEWImh0dHBzOi8vd3d3LmNlcnRpZ25hLmZyL2F1dG9y\n" + + "aXRlcy8wfAYIKwYBBQUHAQEEcDBuMDQGCCsGAQUFBzAChihodHRwOi8vYXV0b3Jp\n" + + "dGUuY2VydGlnbmEuZnIvY2VydGlnbmEuZGVyMDYGCCsGAQUFBzAChipodHRwOi8v\n" + + "YXV0b3JpdGUuZGhpbXlvdGlzLmNvbS9jZXJ0aWduYS5kZXIwYQYDVR0fBFowWDAp\n" + + "oCegJYYjaHR0cDovL2NybC5jZXJ0aWduYS5mci9jZXJ0aWduYS5jcmwwK6ApoCeG\n" + + "JWh0dHA6Ly9jcmwuZGhpbXlvdGlzLmNvbS9jZXJ0aWduYS5jcmwwDQYJKoZIhvcN\n" + + "AQELBQADggEBAGLft7gIuGPZVfg0cTM+HT2xAZFPDb/2+siH06x+dH044zMKbBIN\n" + + "bRzhKipwB1A3MW8FQjveE9tyrfyuqZE/X+o2SlGcdNV44ybYkxo4f6kcLEavV/IW\n" + + "+oFEnojZlhpksYcxrvQoEyqkAwshe8IS2KtZHKVACrt+XSs0lwvy7ALGmHaF7A4b\n" + + "y6cZWItA7Lhj8XWp+8tBJDj7HocRbWtxzEODdBuyMgJzFrNjc+97J0vH/K0+3yjm\n" + + "kczpKshMA0tM+MF9XDMN/MuwrPmUWGO/fHiqHgUp8yqeWtl1n44ZxkkK1t9GRwhn\n" + + "DWLv73/xhTmdhWYQ/reo0GbgBoLiltKmIJQ=\n" + + "-----END CERTIFICATE-----"; + + // Owner: SERIALNUMBER=S266241169, CN=valid.servicesca.dhimyotis.com, O=DHIMYOTIS, + // L=VILLENEUVE D'ASCQ, C=FR + // Issuer: CN=Certigna Services CA, OID.2.5.4.97=NTRFR-48146308100036, OU=0002 + // 48146308100036, O=DHIMYOTIS, C=FR + // Serial number: c641ef7b0340c21515d8c462e729dc0e + // Valid from: Thu Mar 09 15:00:00 PST 2023 until: Mon Mar 11 15:59:59 PDT 2024 + private static final String VALID = "-----BEGIN CERTIFICATE-----\n" + + "MIIIdzCCBl+gAwIBAgIRAMZB73sDQMIVFdjEYucp3A4wDQYJKoZIhvcNAQELBQAw\n" + + "fTELMAkGA1UEBhMCRlIxEjAQBgNVBAoMCURISU1ZT1RJUzEcMBoGA1UECwwTMDAw\n" + + "MiA0ODE0NjMwODEwMDAzNjEdMBsGA1UEYQwUTlRSRlItNDgxNDYzMDgxMDAwMzYx\n" + + "HTAbBgNVBAMMFENlcnRpZ25hIFNlcnZpY2VzIENBMB4XDTIzMDMwOTIzMDAwMFoX\n" + + "DTI0MDMxMTIyNTk1OVowezELMAkGA1UEBhMCRlIxGjAYBgNVBAcMEVZJTExFTkVV\n" + + "VkUgRCdBU0NRMRIwEAYDVQQKDAlESElNWU9USVMxJzAlBgNVBAMMHnZhbGlkLnNl\n" + + "cnZpY2VzY2EuZGhpbXlvdGlzLmNvbTETMBEGA1UEBRMKUzI2NjI0MTE2OTCCASIw\n" + + "DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJDrFpZWEeBJoMUuG37wEmJ7XVeX\n" + + "Jde1bgURpFbLwifRj2TVmMdtfg9hXHL7B7Mh/+I8/e7kJz8mlU9qUYKyH24oAitE\n" + + "myXYHAKTydqTseiM3mp92n4PM+DrgsdbT7bpmiirNM0/sqWFNyGUz7kP6Z5E3uuU\n" + + "HSlzX1LBBj8S0ORNZWvomQho11gjuZJRS72X4XTnSc0DESwnLp2irUfx7pflBNt0\n" + + "sLE8BhpNSSQd91naJVKtCtn0H7df+o4gGBt2ZceCLBwU0NwN8+KXz06KjP8298V4\n" + + "P3+eR2QxAw4QBIanRaG6Gd4AmpdIaT7TpiYHotjrJ/Pbx5C8/cmgxxlmtI0CAwEA\n" + + "AaOCA/IwggPuMIHkBggrBgEFBQcBAQSB1zCB1DA2BggrBgEFBQcwAoYqaHR0cDov\n" + + "L2F1dG9yaXRlLmNlcnRpZ25hLmZyL3NlcnZpY2VzY2EuZGVyMDgGCCsGAQUFBzAC\n" + + "hixodHRwOi8vYXV0b3JpdGUuZGhpbXlvdGlzLmNvbS9zZXJ2aWNlc2NhLmRlcjAu\n" + + "BggrBgEFBQcwAYYiaHR0cDovL3NlcnZpY2VzY2Eub2NzcC5jZXJ0aWduYS5mcjAw\n" + + "BggrBgEFBQcwAYYkaHR0cDovL3NlcnZpY2VzY2Eub2NzcC5kaGlteW90aXMuY29t\n" + + "MB8GA1UdIwQYMBaAFKzsho9LNxy4fxcbGdCu6E7jNFwSMAkGA1UdEwQCMAAwYQYD\n" + + "VR0gBFowWDAIBgZngQwBAgIwTAYLKoF6AYExAgUBAQEwPTA7BggrBgEFBQcCARYv\n" + + "aHR0cHM6Ly93d3cuY2VydGlnbmEuY29tL2F1dG9yaXRlLWNlcnRpZmljYXRpb24w\n" + + "ZQYDVR0fBF4wXDAtoCugKYYnaHR0cDovL2NybC5kaGlteW90aXMuY29tL3NlcnZp\n" + + "Y2VzY2EuY3JsMCugKaAnhiVodHRwOi8vY3JsLmNlcnRpZ25hLmZyL3NlcnZpY2Vz\n" + + "Y2EuY3JsMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA4GA1UdDwEB/wQEAwIFoDBIBgNV\n" + + "HREEQTA/gh12YWxpZC5zZXJ2aWNlc2NhLmNlcnRpZ25hLmNvbYIedmFsaWQuc2Vy\n" + + "dmljZXNjYS5kaGlteW90aXMuY29tMB0GA1UdDgQWBBSzyYZfPBt65RUDq98+e0AK\n" + + "U8pd/jCCAX8GCisGAQQB1nkCBAIEggFvBIIBawFpAHcA7s3QZNXbGs7FXLedtM0T\n" + + "ojKHRny87N7DUUhZRnEftZsAAAGGy1ZNXwAABAMASDBGAiEAyG838/RfBOpojEI/\n" + + "cx++f0tvuDbc/rVa0WNcd2f9HekCIQDVKV2wI3VkD3wNmO93m022H7kvKD1OBEhw\n" + + "Tn6+0ZLA6QB2AHb/iD8KtvuVUcJhzPWHujS0pM27KdxoQgqf5mdMWjp0AAABhstW\n" + + "TcYAAAQDAEcwRQIhAOuj/r5G1wHNgFOMg3jsr3uWmWzIIkTmwmp4hJqvsJzzAiBf\n" + + "nm/jZCUW8DFY+iC+O/+Hzsk/kVDkKIlBDd6rA3MzJgB2AFWB1MIWkDYBSuoLm1c8\n" + + "U/DA5Dh4cCUIFy+jqh0HE9MMAAABhstWTw4AAAQDAEcwRQIgRbCAqI1/nxc6P4de\n" + + "Fqg/zc1+ldMDWjeamWjhctciGsgCIQDHQ4OKj0AA7hQKFIe1SVp+00BxRefFGmq7\n" + + "ZJ+8q+pRqzANBgkqhkiG9w0BAQsFAAOCAgEAVkzCC9LIHU+iOi+GFeCtWxxa5Fsk\n" + + "5gXnDJmtbdoVe2TJvOhrb+VnNI7/Ak+csBv3vxNl3P3DXIbPryB98aelleX7pkfP\n" + + "PcKhFAlbwzbII2D3L0mjFLERtVwdnoEJXXKcHsb9hJResKipZ//daMPD8FthHvEE\n" + + "HmtOrR0lHLjhbi4ODq0e4xyygbxFXXl5CCjtBw0jBtZaMDQaC3eemK9LkOggLz3h\n" + + "qs/+VQ7RyKfcKCuGC5Wb4GJR+IDKH812hFsUWmXe26MPoyTrzLNq6tfQZHSuY5Hj\n" + + "K0ZwldEkUZ2Hd7PrRlhCiGdVCp/2kS2yefhUkvX7Z5K5wX6n+LylfzOTvWf6ZPwQ\n" + + "1jTI0Js8ig4eHF25GlqgOWrqbyF9j67kLs3f7/c5Kx3FlclJ7/vlL8zEcTmGU7rm\n" + + "ZFOhEMDT/UYkitqAOvrgT60oIm9YJ1XTAVTeDbW0FFAb2nFmeBOrw8N3jaCb+jpO\n" + + "ysBA/lDaGTiQhMlJK44vwgS+TjbeWHxvmAE5srKa7MWU8Mmku2vuX95lupJo4LmD\n" + + "zOsihH00hyhtHFUB1TGXuaf77kFsipE6iycyxpcrpJ1UAWiZrba6PAZ85TbYhEdY\n" + + "FDNm7F7CVPU67HV5gE2kDa3Jprd1SjwO095LsRptWhzxUByhee3JI0jljBTaKowy\n" + + "jPv8oekm7zqCLzY=\n" + + "-----END CERTIFICATE-----"; + + // Owner: SERIALNUMBER=S266251168, CN=revoked.servicesca.certigna.com, O=DHIMYOTIS, + // L=VILLENEUVE D'ASCQ, C=FR + // Issuer: CN=Certigna Services CA, OID.2.5.4.97=NTRFR-48146308100036, OU=0002 + // 48146308100036, O=DHIMYOTIS, C=FR + // Serial number: e863f752a23a735e3ccf958abf18565b + // Valid from: Thu Mar 09 15:00:00 PST 2023 until: Fri Mar 08 14:59:59 PST 2024 + private static final String REVOKED = "-----BEGIN CERTIFICATE-----\n" + + "MIIIezCCBmOgAwIBAgIRAOhj91KiOnNePM+Vir8YVlswDQYJKoZIhvcNAQELBQAw\n" + + "fTELMAkGA1UEBhMCRlIxEjAQBgNVBAoMCURISU1ZT1RJUzEcMBoGA1UECwwTMDAw\n" + + "MiA0ODE0NjMwODEwMDAzNjEdMBsGA1UEYQwUTlRSRlItNDgxNDYzMDgxMDAwMzYx\n" + + "HTAbBgNVBAMMFENlcnRpZ25hIFNlcnZpY2VzIENBMB4XDTIzMDMwOTIzMDAwMFoX\n" + + "DTI0MDMwODIyNTk1OVowfDELMAkGA1UEBhMCRlIxGjAYBgNVBAcMEVZJTExFTkVV\n" + + "VkUgRCdBU0NRMRIwEAYDVQQKDAlESElNWU9USVMxKDAmBgNVBAMMH3Jldm9rZWQu\n" + + "c2VydmljZXNjYS5jZXJ0aWduYS5jb20xEzARBgNVBAUTClMyNjYyNTExNjgwggEi\n" + + "MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCBqKNjMkHqJ9EQa3CjuZ6EYMz6\n" + + "mWODrEucRcJDihYMigaV1oRyquGlFQ82ootXaK5bU+EYSMmUwbRpdZ9G/oZUn2+K\n" + + "MKAFDI+MoZoFhQC+2w0AzJycCf/hShUVxcRREKRKdfzv+k5YHj3e8ic16tGlTFXT\n" + + "IF1x3y2Uru7mzZARsZJqnRqaqPPghT/QlBpcA04yLi3iSpgO++mRrJxTUoUHlDw/\n" + + "a1nhqnDgH2yKN7tSfwFTetnXat6/UVt0CJ/6dJF6oY8bGWO1YB03Xdq735eLdJE4\n" + + "t38pV/X8rf5Mc9ZQh8IGrjVW83M8mQmqaX5rbsOl0ZCA/q6RWxRFEF2SwK+dAgMB\n" + + "AAGjggP1MIID8TCB5AYIKwYBBQUHAQEEgdcwgdQwNgYIKwYBBQUHMAKGKmh0dHA6\n" + + "Ly9hdXRvcml0ZS5jZXJ0aWduYS5mci9zZXJ2aWNlc2NhLmRlcjA4BggrBgEFBQcw\n" + + "AoYsaHR0cDovL2F1dG9yaXRlLmRoaW15b3Rpcy5jb20vc2VydmljZXNjYS5kZXIw\n" + + "LgYIKwYBBQUHMAGGImh0dHA6Ly9zZXJ2aWNlc2NhLm9jc3AuY2VydGlnbmEuZnIw\n" + + "MAYIKwYBBQUHMAGGJGh0dHA6Ly9zZXJ2aWNlc2NhLm9jc3AuZGhpbXlvdGlzLmNv\n" + + "bTAfBgNVHSMEGDAWgBSs7IaPSzccuH8XGxnQruhO4zRcEjAJBgNVHRMEAjAAMGEG\n" + + "A1UdIARaMFgwCAYGZ4EMAQICMEwGCyqBegGBMQIFAQEBMD0wOwYIKwYBBQUHAgEW\n" + + "L2h0dHBzOi8vd3d3LmNlcnRpZ25hLmNvbS9hdXRvcml0ZS1jZXJ0aWZpY2F0aW9u\n" + + "MGUGA1UdHwReMFwwLaAroCmGJ2h0dHA6Ly9jcmwuZGhpbXlvdGlzLmNvbS9zZXJ2\n" + + "aWNlc2NhLmNybDAroCmgJ4YlaHR0cDovL2NybC5jZXJ0aWduYS5mci9zZXJ2aWNl\n" + + "c2NhLmNybDATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNVHQ8BAf8EBAMCBaAwTAYD\n" + + "VR0RBEUwQ4IgcmV2b2tlZC5zZXJ2aWNlc2NhLmRoaW15b3Rpcy5jb22CH3Jldm9r\n" + + "ZWQuc2VydmljZXNjYS5jZXJ0aWduYS5jb20wHQYDVR0OBBYEFEQsKyX8x8zVxVC2\n" + + "HEK7+bOBLoMkMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgDuzdBk1dsazsVc\n" + + "t520zROiModGfLzs3sNRSFlGcR+1mwAAAYbLTxPnAAAEAwBHMEUCIQD16IHX+8+4\n" + + "zWnxIME4rzCgQIA4m5OsEqP6ssgRG5iurwIgdBOGFGlF6+DGPSm5FKuk5ShAA8ZC\n" + + "AE+E27CKLkBTnfgAdgB2/4g/Crb7lVHCYcz1h7o0tKTNuyncaEIKn+ZnTFo6dAAA\n" + + "AYbLTxRMAAAEAwBHMEUCIDmW9elysDm3zAeIXsgJwmL33EoMTyVhA3ah2jkvMjzv\n" + + "AiEA6aIZXtwk2DnFt+GA6gLr4UgswUCuK4wxheDVwbpSw/4AdgA7U3d1Pi25gE6L\n" + + "MFsG/kA7Z9hPw/THvQANLXJv4frUFwAAAYbLTxXAAAAEAwBHMEUCIQDGuOg7koEE\n" + + "H9K4VkSHaDD9rAndys2BtswdspfRKUFR3QIgVZ7QUX3H56ECuI8wsAkSjBze4lBO\n" + + "RgfN2xh3l9xQOK0wDQYJKoZIhvcNAQELBQADggIBAFQTTtyQSoV4Zq3QYMnb0yEp\n" + + "u6Hwic/wpYN5L0km+zZoHWuf58vfj8Yg/sfKmftGSZHDdc3NfYSVBlT/0Hl4SDhi\n" + + "zHLLyapoX2GNhbg3esu0Y1fch8E16z2A/wAwrFvxI0XrjHpOyDp4CBDYqDADNPiL\n" + + "vlEkiwP6r7WHjUdWRb7W0t75uAkcajn46XKpFmaHHie5KBch+KDGsUionuH5ZW8Y\n" + + "klh2B34uLWcGZuIR7PeCO9+91mbn/bBNeabGC70qMStaB139lp9P2M+l2WpyREUK\n" + + "l7qHwTsrlMmNb8n44zGtY4wL9NSYWTdTfhcU0FAPdPcLlnjoQubJ1O0vPkzfVYns\n" + + "WQrslxoCBor6CL6AYMQz3jbzQ0soD3Reb11+uTngWGJZtx4DT09RFB3a+1rcYjiS\n" + + "ijCBB+Lqx0xfLQnfBv1A0wjNqUY+gyEe0SpXqB4edqy5uaqawRRKMuNSnb2BVz0/\n" + + "keo1Kif/GSak+JUBpJ8hkJWygtrWCETUNfoseQhqo3gism0EGxJ04tBp+DRvfbrz\n" + + "X4aBgALRro3jSIR1Ibp+e0fxePwShy715SF2H4SfjvplTAKq5bwztZtQUkPR6fJ7\n" + + "5xT0f762c1yytKP1rHFMvzl6k7QWvC6zb2FeG5UqXJw3wFxxWsCuAUu5SPFfXdno\n" + + "5lIHTTV5rpZBN+PzTZsz\n" + + "-----END CERTIFICATE-----"; + + public static void main(String[] args) throws Exception { + // OCSP check by default + boolean ocspEnabled = args.length < 1 || !"CRL".equalsIgnoreCase(args[0]); + + // CN=Certigna + new CertignaCAs().runTest(ocspEnabled, + VALID, + REVOKED, + INT_CERTIGNA); + + // CN=Certigna Root CA + new CertignaCAs().runTest(ocspEnabled, + VALID, + REVOKED, + INT_CERTIGNA_ROOT_CA); + } +} + +class CertignaCAs { + public void runTest(boolean ocspEnabled, + final String VALID, + final String REVOKED, + final String INT_CERT) throws Exception { + + ValidatePathWithParams pathValidator; + String[] validChainToValidate; + String[] revChainToValidate; + + if (!ocspEnabled) { + pathValidator = new ValidatePathWithParams(null); + pathValidator.enableCRLCheck(); + + validChainToValidate = new String[]{VALID, INT_CERT}; + revChainToValidate = new String[]{REVOKED, INT_CERT}; + } else { + // int certificate doesn't specify OCSP responder + pathValidator = new ValidatePathWithParams(new String[]{INT_CERT}); + pathValidator.enableOCSPCheck(); + + validChainToValidate = new String[]{VALID}; + revChainToValidate = new String[]{REVOKED}; + } + + // Validate valid + pathValidator.validate(validChainToValidate, + ValidatePathWithParams.Status.GOOD, null, System.out); + + // Validate Revoked + pathValidator.validate(revChainToValidate, + ValidatePathWithParams.Status.REVOKED, + "Fri Mar 10 03:39:51 PST 2023", System.out); + } +} diff --git a/jdk/test/sun/security/lib/cacerts/VerifyCACerts.java b/jdk/test/sun/security/lib/cacerts/VerifyCACerts.java index 9caf545b60..dd8918ebc0 100644 --- a/jdk/test/sun/security/lib/cacerts/VerifyCACerts.java +++ b/jdk/test/sun/security/lib/cacerts/VerifyCACerts.java @@ -28,7 +28,7 @@ * 8209452 8209506 8210432 8195793 8216577 8222089 8222133 8222137 8222136 * 8223499 8225392 8232019 8234245 8233223 8225068 8225069 8243321 8243320 * 8243559 8225072 8258630 8259312 8256421 8225081 8225082 8225083 8245654 - * 8305975 8304760 8307134 8295894 + * 8305975 8304760 8307134 8295894 8314960 * @summary Check root CA entries in cacerts file */ import java.io.ByteArrayInputStream; @@ -54,12 +54,12 @@ public class VerifyCACerts { + File.separator + "security" + File.separator + "cacerts"; // The numbers of certs now. - private static final int COUNT = 96; + private static final int COUNT = 97; // SHA-256 of cacerts, can be generated with // shasum -a 256 cacerts | sed -e 's/../&:/g' | tr '[:lower:]' '[:upper:]' | cut -c1-95 private static final String CHECKSUM - = "9B:AF:A2:BD:88:C9:74:05:7F:DD:F3:97:85:21:18:4A:52:F0:07:CC:46:FD:2B:90:BA:FB:57:09:18:3B:66:0F"; + = "88:72:92:56:FF:E5:A3:E4:39:98:6D:18:0B:BA:CC:0B:66:CB:1D:6D:52:CE:D7:C8:AD:63:B7:F1:5F:02:24:52"; // map of cert alias to SHA-256 fingerprint @SuppressWarnings("serial") private static final Map FINGERPRINT_MAP @@ -257,6 +257,8 @@ public class VerifyCACerts { "34:D8:A7:3E:E2:08:D9:BC:DB:0D:95:65:20:93:4B:4E:40:E6:94:82:59:6E:8B:6F:73:C8:42:6B:01:0A:6F:48"); put("gtsrootecccar4 [jdk]", "34:9D:FA:40:58:C5:E2:63:12:3B:39:8A:E7:95:57:3C:4E:13:13:C8:3F:E6:8F:93:55:6C:D5:E8:03:1B:3C:7D"); + put("certignarootca [jdk]", + "D4:8D:3D:23:EE:DB:50:A4:59:E5:51:97:60:1C:27:77:4B:9D:7B:18:C9:4D:5A:05:95:11:A1:02:50:B9:31:68"); } }; From 1d6f9bd1ea09eb7866cdd1462b24e2c8801f7513 Mon Sep 17 00:00:00 2001 From: Martin Balao Date: Tue, 19 Sep 2023 01:36:16 +0000 Subject: [PATCH 02/13] 8209115: adjust libsplashscreen linux ppc64le builds for easier libpng update Reviewed-by: andrew, phh Backport-of: e4fdd0391733756f5b898371a66b38869d625c77 --- jdk/make/lib/Awt2dLibraries.gmk | 6 ++++++ jdk/src/share/native/sun/awt/libpng/pngpriv.h | 3 --- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/jdk/make/lib/Awt2dLibraries.gmk b/jdk/make/lib/Awt2dLibraries.gmk index 9368a9d508..01e0369017 100644 --- a/jdk/make/lib/Awt2dLibraries.gmk +++ b/jdk/make/lib/Awt2dLibraries.gmk @@ -1159,6 +1159,12 @@ ifndef BUILD_HEADLESS_ONLY -DPNG_ARM_NEON_OPT=0 -DPNG_ARM_NEON_IMPLEMENTATION=0 \ $(foreach dir, $(LIBSPLASHSCREEN_DIRS), -I$(dir)) + ifeq ($(OPENJDK_TARGET_OS), linux) + ifeq ($(OPENJDK_TARGET_CPU_ARCH), ppc) + LIBSPLASHSCREEN_CFLAGS += -DPNG_POWERPC_VSX_OPT=0 + endif + endif + ifeq ($(OPENJDK_TARGET_OS), macosx) LIBSPLASHSCREEN_CFLAGS := -I$(JDK_TOPDIR)/src/macosx/native/sun/awt/splashscreen \ $(LIBSPLASHSCREEN_CFLAGS) diff --git a/jdk/src/share/native/sun/awt/libpng/pngpriv.h b/jdk/src/share/native/sun/awt/libpng/pngpriv.h index 5f70426030..73e1e9371a 100644 --- a/jdk/src/share/native/sun/awt/libpng/pngpriv.h +++ b/jdk/src/share/native/sun/awt/libpng/pngpriv.h @@ -293,13 +293,10 @@ # endif #endif /* PNG_MIPS_MSA_OPT > 0 */ -#ifdef PNG_POWERPC_VSX_API_SUPPORTED #if PNG_POWERPC_VSX_OPT > 0 # define PNG_FILTER_OPTIMIZATIONS png_init_filter_functions_vsx # define PNG_POWERPC_VSX_IMPLEMENTATION 1 #endif -#endif - /* Is this a build of a DLL where compilation of the object modules requires From dd6efb10c26453229dc262f8366af64bd97a9b7f Mon Sep 17 00:00:00 2001 From: Yuri Nesterenko Date: Thu, 5 Oct 2023 16:39:59 +0000 Subject: [PATCH 03/13] 8242330: Arrays should be cloned in several JAAS Callback classes Reviewed-by: andrew Backport-of: 8cd9241448f818b5e307d408ac4395b518791096 --- .../auth/callback/ChoiceCallback.java | 18 ++-- .../auth/callback/ConfirmationCallback.java | 25 +++-- .../security/auth/callback/Mutability.java | 96 +++++++++++++++++++ 3 files changed, 121 insertions(+), 18 deletions(-) create mode 100644 jdk/test/javax/security/auth/callback/Mutability.java diff --git a/jdk/src/share/classes/javax/security/auth/callback/ChoiceCallback.java b/jdk/src/share/classes/javax/security/auth/callback/ChoiceCallback.java index 215a8dd790..3887f0953d 100644 --- a/jdk/src/share/classes/javax/security/auth/callback/ChoiceCallback.java +++ b/jdk/src/share/classes/javax/security/auth/callback/ChoiceCallback.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -41,23 +41,23 @@ public class ChoiceCallback implements Callback, java.io.Serializable { * @serial * @since 1.4 */ - private String prompt; + private final String prompt; /** * @serial the list of choices * @since 1.4 */ - private String[] choices; + private final String[] choices; /** * @serial the choice to be used as the default choice * @since 1.4 */ - private int defaultChoice; + private final int defaultChoice; /** * @serial whether multiple selections are allowed from the list of * choices * @since 1.4 */ - private boolean multipleSelectionsAllowed; + private final boolean multipleSelectionsAllowed; /** * @serial the selected choices, represented as indexes into the * {@code choices} list. @@ -109,7 +109,7 @@ public class ChoiceCallback implements Callback, java.io.Serializable { } this.prompt = prompt; - this.choices = choices; + this.choices = choices.clone(); this.defaultChoice = defaultChoice; this.multipleSelectionsAllowed = multipleSelectionsAllowed; } @@ -133,7 +133,7 @@ public class ChoiceCallback implements Callback, java.io.Serializable { * @return the list of choices. */ public String[] getChoices() { - return choices; + return choices.clone(); } /** @@ -192,7 +192,7 @@ public class ChoiceCallback implements Callback, java.io.Serializable { public void setSelectedIndexes(int[] selections) { if (!multipleSelectionsAllowed) throw new UnsupportedOperationException(); - this.selections = selections; + this.selections = selections == null ? null : selections.clone(); } /** @@ -206,6 +206,6 @@ public class ChoiceCallback implements Callback, java.io.Serializable { * @see #setSelectedIndexes */ public int[] getSelectedIndexes() { - return selections; + return selections == null ? null : selections.clone(); } } diff --git a/jdk/src/share/classes/javax/security/auth/callback/ConfirmationCallback.java b/jdk/src/share/classes/javax/security/auth/callback/ConfirmationCallback.java index 2d85c463ca..005ff6333f 100644 --- a/jdk/src/share/classes/javax/security/auth/callback/ConfirmationCallback.java +++ b/jdk/src/share/classes/javax/security/auth/callback/ConfirmationCallback.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -120,31 +120,32 @@ public class ConfirmationCallback implements Callback, java.io.Serializable { /** ERROR message type. */ public static final int ERROR = 2; + /** * @serial * @since 1.4 */ - private String prompt; + private final String prompt; /** * @serial * @since 1.4 */ - private int messageType; + private final int messageType; /** * @serial * @since 1.4 */ - private int optionType = UNSPECIFIED_OPTION; + private final int optionType; /** * @serial * @since 1.4 */ - private int defaultOption; + private final int defaultOption; /** * @serial * @since 1.4 */ - private String[] options; + private final String[] options; /** * @serial * @since 1.4 @@ -206,8 +207,10 @@ public class ConfirmationCallback implements Callback, java.io.Serializable { break; } + this.prompt = null; this.messageType = messageType; this.optionType = optionType; + this.options = null; this.defaultOption = defaultOption; } @@ -255,8 +258,10 @@ public class ConfirmationCallback implements Callback, java.io.Serializable { throw new IllegalArgumentException(); } + this.prompt = null; this.messageType = messageType; - this.options = options; + this.optionType = UNSPECIFIED_OPTION; + this.options = options.clone(); this.defaultOption = defaultOption; } @@ -323,6 +328,7 @@ public class ConfirmationCallback implements Callback, java.io.Serializable { this.prompt = prompt; this.messageType = messageType; this.optionType = optionType; + this.options = null; this.defaultOption = defaultOption; } @@ -377,7 +383,8 @@ public class ConfirmationCallback implements Callback, java.io.Serializable { this.prompt = prompt; this.messageType = messageType; - this.options = options; + this.optionType = UNSPECIFIED_OPTION; + this.options = options.clone(); this.defaultOption = defaultOption; } @@ -437,7 +444,7 @@ public class ConfirmationCallback implements Callback, java.io.Serializable { * an {@code optionType} instead of {@code options}. */ public String[] getOptions() { - return options; + return options == null ? null : options.clone(); } /** diff --git a/jdk/test/javax/security/auth/callback/Mutability.java b/jdk/test/javax/security/auth/callback/Mutability.java new file mode 100644 index 0000000000..2c77a4e3ab --- /dev/null +++ b/jdk/test/javax/security/auth/callback/Mutability.java @@ -0,0 +1,96 @@ +/* + * Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8242330 + * @library /lib/testlibrary + * @summary Arrays should be cloned in several JAAS Callback classes + */ + +import javax.security.auth.callback.ChoiceCallback; +import javax.security.auth.callback.ConfirmationCallback; + +import static jdk.testlibrary.Asserts.assertEQ; + +public class Mutability { + public static void main(String[] args) { + + // #1. ConfirmationCallback.new(3) + String[] i11 = {"1", "2"}; + ConfirmationCallback c1 = new ConfirmationCallback( + ConfirmationCallback.INFORMATION, + i11, + 0); + + // Modify argument of constructor + i11[0] = "x"; + String[] o11 = c1.getOptions(); + assertEQ(o11[0], "1"); + // Modify output + o11[0] = "y"; + String[] o12 = c1.getOptions(); + assertEQ(o12[0], "1"); + + // #2. ConfirmationCallback.new(4) + String[] i21 = {"1", "2"}; + ConfirmationCallback c2 = new ConfirmationCallback( + "Hi", + ConfirmationCallback.INFORMATION, + i21, + 0); + + // Modify argument of constructor + i21[0] = "x"; + assertEQ(c2.getOptions()[0], "1"); + + // #3. ChoiceCallback.new + String[] i31 = {"1", "2"}; + ChoiceCallback c3 = new ChoiceCallback( + "Hi", + i31, + 0, + true); + + // Modify argument of constructor + i31[0] = "x"; + String[] o31 = c3.getChoices(); + assertEQ(o31[0], "1"); + // Modify output of getChoices + o31[0] = "y"; + String[] o32 = c3.getChoices(); + assertEQ(o32[0], "1"); + + int[] s31 = {0, 1}; + c3.setSelectedIndexes(s31); + + // Modify argument of setSelectedIndexes + s31[0] = 1; + int[] s32 = c3.getSelectedIndexes(); + assertEQ(s32[0], 0); + // Modify output of getSelectedIndexes + s32[1] = 0; + int[] s33 = c3.getSelectedIndexes(); + assertEQ(s33[1], 1); + } +} From 50d9af9b9371bedf971ee8c4c73283391f0ebb82 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ji=C5=99=C3=AD=20Van=C4=9Bk?= Date: Mon, 25 Sep 2023 14:05:03 +0000 Subject: [PATCH 04/13] 8283441: C2: segmentation fault in ciMethodBlocks::make_block_at(int) Reviewed-by: mbalao Backport-of: 947869609ce6b74d4d28f79724b823d8781adbed --- hotspot/src/share/vm/c1/c1_GraphBuilder.cpp | 12 ++++-- hotspot/src/share/vm/ci/ciMethodBlocks.cpp | 17 +++++--- .../src/share/vm/compiler/methodLiveness.cpp | 9 ++-- hotspot/test/compiler/parsing/Custom.jasm | 38 +++++++++++++++++ ...UnreachableBlockFallsThroughEndOfCode.java | 42 +++++++++++++++++++ 5 files changed, 106 insertions(+), 12 deletions(-) create mode 100644 hotspot/test/compiler/parsing/Custom.jasm create mode 100644 hotspot/test/compiler/parsing/UnreachableBlockFallsThroughEndOfCode.java diff --git a/hotspot/src/share/vm/c1/c1_GraphBuilder.cpp b/hotspot/src/share/vm/c1/c1_GraphBuilder.cpp index 5def6693b6..800535f97e 100644 --- a/hotspot/src/share/vm/c1/c1_GraphBuilder.cpp +++ b/hotspot/src/share/vm/c1/c1_GraphBuilder.cpp @@ -206,8 +206,10 @@ void BlockListBuilder::handle_exceptions(BlockBegin* current, int cur_bci) { } void BlockListBuilder::handle_jsr(BlockBegin* current, int sr_bci, int next_bci) { - // start a new block after jsr-bytecode and link this block into cfg - make_block_at(next_bci, current); + if (next_bci < method()->code_size()) { + // start a new block after jsr-bytecode and link this block into cfg + make_block_at(next_bci, current); + } // start a new block at the subroutine entry at mark it with special flag BlockBegin* sr_block = make_block_at(sr_bci, current); @@ -227,6 +229,8 @@ void BlockListBuilder::set_leaders() { // branch target and a modification of the successor lists. BitMap bci_block_start = method()->bci_block_start(); + int end_bci = method()->code_size(); + ciBytecodeStream s(method()); while (s.next() != ciBytecodeStream::EOBC()) { int cur_bci = s.cur_bci(); @@ -297,7 +301,9 @@ void BlockListBuilder::set_leaders() { case Bytecodes::_if_acmpne: // fall through case Bytecodes::_ifnull: // fall through case Bytecodes::_ifnonnull: - make_block_at(s.next_bci(), current); + if (s.next_bci() < end_bci) { + make_block_at(s.next_bci(), current); + } make_block_at(s.get_dest(), current); current = NULL; break; diff --git a/hotspot/src/share/vm/ci/ciMethodBlocks.cpp b/hotspot/src/share/vm/ci/ciMethodBlocks.cpp index 614e75dc3b..2285eb0a5b 100644 --- a/hotspot/src/share/vm/ci/ciMethodBlocks.cpp +++ b/hotspot/src/share/vm/ci/ciMethodBlocks.cpp @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, 2011, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2022, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -33,12 +33,13 @@ ciBlock *ciMethodBlocks::block_containing(int bci) { + assert(bci >= 0 && bci < _code_size, "valid bytecode range"); ciBlock *blk = _bci_to_block[bci]; return blk; } bool ciMethodBlocks::is_block_start(int bci) { - assert(bci >=0 && bci < _code_size, "valid bytecode range"); + assert(bci >= 0 && bci < _code_size, "valid bytecode range"); ciBlock *b = _bci_to_block[bci]; assert(b != NULL, "must have block for bytecode"); return b->start_bci() == bci; @@ -146,7 +147,9 @@ void ciMethodBlocks::do_analysis() { case Bytecodes::_ifnonnull : { cur_block->set_control_bci(bci); - ciBlock *fall_through = make_block_at(s.next_bci()); + if (s.next_bci() < limit_bci) { + ciBlock *fall_through = make_block_at(s.next_bci()); + } int dest_bci = s.get_dest(); ciBlock *dest = make_block_at(dest_bci); break; @@ -166,7 +169,9 @@ void ciMethodBlocks::do_analysis() { case Bytecodes::_jsr : { cur_block->set_control_bci(bci); - ciBlock *ret = make_block_at(s.next_bci()); + if (s.next_bci() < limit_bci) { + ciBlock *ret = make_block_at(s.next_bci()); + } int dest_bci = s.get_dest(); ciBlock *dest = make_block_at(dest_bci); break; @@ -224,7 +229,9 @@ void ciMethodBlocks::do_analysis() { case Bytecodes::_jsr_w : { cur_block->set_control_bci(bci); - ciBlock *ret = make_block_at(s.next_bci()); + if (s.next_bci() < limit_bci) { + ciBlock *ret = make_block_at(s.next_bci()); + } int dest_bci = s.get_far_dest(); ciBlock *dest = make_block_at(dest_bci); break; diff --git a/hotspot/src/share/vm/compiler/methodLiveness.cpp b/hotspot/src/share/vm/compiler/methodLiveness.cpp index eda1ab156b..7fb496dc96 100644 --- a/hotspot/src/share/vm/compiler/methodLiveness.cpp +++ b/hotspot/src/share/vm/compiler/methodLiveness.cpp @@ -268,10 +268,11 @@ void MethodLiveness::init_basic_blocks() { case Bytecodes::_ifnull: case Bytecodes::_ifnonnull: // Two way branch. Set predecessors at each destination. - dest = _block_map->at(bytes.next_bci()); - assert(dest != NULL, "must be a block immediately following this one."); - dest->add_normal_predecessor(current_block); - + if (bytes.next_bci() < method_len) { + dest = _block_map->at(bytes.next_bci()); + assert(dest != NULL, "must be a block immediately following this one."); + dest->add_normal_predecessor(current_block); + } dest = _block_map->at(bytes.get_dest()); assert(dest != NULL, "branch desination must start a block."); dest->add_normal_predecessor(current_block); diff --git a/hotspot/test/compiler/parsing/Custom.jasm b/hotspot/test/compiler/parsing/Custom.jasm new file mode 100644 index 0000000000..73a2b1ff91 --- /dev/null +++ b/hotspot/test/compiler/parsing/Custom.jasm @@ -0,0 +1,38 @@ +/* + * Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +package compiler/parsing; + +super public class Custom { + + public static Method test:"(I)V" stack 2 locals 1 { + return; +Loop: + // Unreachable block + iload_0; + bipush 100; + if_icmpge Loop; + // Falls through + } + +} diff --git a/hotspot/test/compiler/parsing/UnreachableBlockFallsThroughEndOfCode.java b/hotspot/test/compiler/parsing/UnreachableBlockFallsThroughEndOfCode.java new file mode 100644 index 0000000000..9dfb488d8c --- /dev/null +++ b/hotspot/test/compiler/parsing/UnreachableBlockFallsThroughEndOfCode.java @@ -0,0 +1,42 @@ +/* + * Copyright (c) 2022, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + * + */ + +/* + * @test UnreachableBlockFallsThroughEndOfCode.java + * @bug 8283441 + * @compile Custom.jasm UnreachableBlockFallsThroughEndOfCode.java + * @summary Compiling method that falls off the end of the code array + * @run main/othervm -XX:TieredStopAtLevel=1 -Xbatch compiler.parsing.UnreachableBlockFallsThroughEndOfCode + * @run main/othervm -XX:-TieredCompilation -Xbatch compiler.parsing.UnreachableBlockFallsThroughEndOfCode + */ + +package compiler.parsing; + +public class UnreachableBlockFallsThroughEndOfCode { + public static void main(String[] strArr) { + for (int i = 0; i < 20000; i++) { + Custom.test(i); + } + } +} From 9d59e5b0a94f65bb9a60f23fc472db3a7c0c81f7 Mon Sep 17 00:00:00 2001 From: Martin Balao Date: Tue, 19 Sep 2023 14:43:20 +0000 Subject: [PATCH 05/13] 8295685: Update Libpng to 1.6.38 Reviewed-by: andrew Backport-of: d183dc25f7360c3012726acf8c03874df6fc41a4 --- THIRD_PARTY_README | 68 ++++++++++++++++--- corba/THIRD_PARTY_README | 68 ++++++++++++++++--- hotspot/THIRD_PARTY_README | 68 ++++++++++++++++--- jaxp/THIRD_PARTY_README | 68 ++++++++++++++++--- jaxws/THIRD_PARTY_README | 68 ++++++++++++++++--- jdk/THIRD_PARTY_README | 68 ++++++++++++++++--- jdk/src/share/native/sun/awt/libpng/CHANGES | 10 ++- jdk/src/share/native/sun/awt/libpng/LICENSE | 4 +- jdk/src/share/native/sun/awt/libpng/README | 8 +-- jdk/src/share/native/sun/awt/libpng/png.c | 14 ++-- jdk/src/share/native/sun/awt/libpng/png.h | 26 +++---- jdk/src/share/native/sun/awt/libpng/pngconf.h | 8 +-- jdk/src/share/native/sun/awt/libpng/pngget.c | 14 ++-- .../share/native/sun/awt/libpng/pnglibconf.h | 4 +- jdk/src/share/native/sun/awt/libpng/pngpriv.h | 65 ++++++++---------- jdk/src/share/native/sun/awt/libpng/pngread.c | 3 - .../share/native/sun/awt/libpng/pngrtran.c | 2 +- .../share/native/sun/awt/libpng/pngrutil.c | 36 +++++----- jdk/src/share/native/sun/awt/libpng/pngset.c | 13 ++-- .../share/native/sun/awt/libpng/pngstruct.h | 12 +--- langtools/THIRD_PARTY_README | 68 ++++++++++++++++--- nashorn/THIRD_PARTY_README | 68 ++++++++++++++++--- 22 files changed, 583 insertions(+), 180 deletions(-) diff --git a/THIRD_PARTY_README b/THIRD_PARTY_README index 0dbfc173da..f71e8f9b49 100644 --- a/THIRD_PARTY_README +++ b/THIRD_PARTY_README @@ -1472,7 +1472,7 @@ included with JDK 8 and OpenJDK 8 source distributions. ------------------------------------------------------------------------------- -%% This notice is provided with respect to libpng 1.6.37, which may be +%% This notice is provided with respect to libpng 1.6.38, which may be included with JRE 8, JDK 8, and OpenJDK 8. --- begin of LICENSE --- @@ -1483,11 +1483,11 @@ COPYRIGHT NOTICE, DISCLAIMER, and LICENSE PNG Reference Library License version 2 --------------------------------------- - * Copyright (c) 1995-2019 The PNG Reference Library Authors. - * Copyright (c) 2018-2019 Cosmin Truta. - * Copyright (c) 2000-2002, 2004, 2006-2018 Glenn Randers-Pehrson. - * Copyright (c) 1996-1997 Andreas Dilger. - * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. +Copyright (c) 1995-2022 The PNG Reference Library Authors. +Copyright (c) 2018-2022 Cosmin Truta +Copyright (c) 1998-2018 Glenn Randers-Pehrson +Copyright (c) 1996-1997 Andreas Dilger +Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. The software is supplied "as is", without warranty of any kind, express or implied, including, without limitation, the warranties @@ -1614,10 +1614,10 @@ be appreciated. TRADEMARK: -The name "libpng" has not been registered by the Copyright owner +The name "libpng" has not been registered by the Copyright owners as a trademark in any jurisdiction. However, because libpng has been distributed and maintained world-wide, continually since 1995, -the Copyright owner claims "common-law trademark protection" in any +the Copyright owners claim "common-law trademark protection" in any jurisdiction where common-law trademark is recognized. OSI CERTIFICATION: @@ -1639,6 +1639,58 @@ Glenn Randers-Pehrson glennrp at users.sourceforge.net July 15, 2018 +AUTHORS File Information: + +PNG REFERENCE LIBRARY AUTHORS +============================= + +This is the list of PNG Reference Library ("libpng") Contributing +Authors, for copyright and licensing purposes. + + * Andreas Dilger + * Cosmin Truta + * Dave Martindale + * Eric S. Raymond + * Gilles Vollant + * Glenn Randers-Pehrson + * Greg Roelofs + * Guy Eric Schalnat + * James Yu + * John Bowler + * Kevin Bracey + * Magnus Holmgren + * Mandar Sahastrabuddhe + * Mans Rullgard + * Matt Sarett + * Mike Klein + * Pascal Massimino + * Paul Schmidt + * Qiang Zhou + * Sam Bushell + * Samuel Williams + * Simon-Pierre Cadieux + * Tim Wegner + * Tom Lane + * Tom Tanner + * Vadim Barkov + * Willem van Schaik + * Zhijie Liang + * Arm Holdings + - Richard Townsend + * Google Inc. + - Matt Sarett + - Mike Klein + - Dan Field + - Sami Boukortt + +The build projects, the build scripts, the test scripts, and other +files in the "ci", "projects", "scripts" and "tests" directories, have +other copyright owners, but are released under the libpng license. + +Some files in the "contrib" directory, and some tools-generated files +that are distributed with libpng, have other copyright owners, and are +released under other open source licenses. + --- end of LICENSE --- ------------------------------------------------------------------------------- diff --git a/corba/THIRD_PARTY_README b/corba/THIRD_PARTY_README index d19de8ae6c..ae4f4d796b 100644 --- a/corba/THIRD_PARTY_README +++ b/corba/THIRD_PARTY_README @@ -1472,7 +1472,7 @@ included with JDK 8 and OpenJDK 8 source distributions. ------------------------------------------------------------------------------- -%% This notice is provided with respect to libpng 1.6.37, which may be +%% This notice is provided with respect to libpng 1.6.38, which may be included with JRE 8, JDK 8, and OpenJDK 8. --- begin of LICENSE --- @@ -1483,11 +1483,11 @@ COPYRIGHT NOTICE, DISCLAIMER, and LICENSE PNG Reference Library License version 2 --------------------------------------- - * Copyright (c) 1995-2019 The PNG Reference Library Authors. - * Copyright (c) 2018-2019 Cosmin Truta. - * Copyright (c) 2000-2002, 2004, 2006-2018 Glenn Randers-Pehrson. - * Copyright (c) 1996-1997 Andreas Dilger. - * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. +Copyright (c) 1995-2022 The PNG Reference Library Authors. +Copyright (c) 2018-2022 Cosmin Truta +Copyright (c) 1998-2018 Glenn Randers-Pehrson +Copyright (c) 1996-1997 Andreas Dilger +Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. The software is supplied "as is", without warranty of any kind, express or implied, including, without limitation, the warranties @@ -1614,10 +1614,10 @@ be appreciated. TRADEMARK: -The name "libpng" has not been registered by the Copyright owner +The name "libpng" has not been registered by the Copyright owners as a trademark in any jurisdiction. However, because libpng has been distributed and maintained world-wide, continually since 1995, -the Copyright owner claims "common-law trademark protection" in any +the Copyright owners claim "common-law trademark protection" in any jurisdiction where common-law trademark is recognized. OSI CERTIFICATION: @@ -1639,6 +1639,58 @@ Glenn Randers-Pehrson glennrp at users.sourceforge.net July 15, 2018 +AUTHORS File Information: + +PNG REFERENCE LIBRARY AUTHORS +============================= + +This is the list of PNG Reference Library ("libpng") Contributing +Authors, for copyright and licensing purposes. + + * Andreas Dilger + * Cosmin Truta + * Dave Martindale + * Eric S. Raymond + * Gilles Vollant + * Glenn Randers-Pehrson + * Greg Roelofs + * Guy Eric Schalnat + * James Yu + * John Bowler + * Kevin Bracey + * Magnus Holmgren + * Mandar Sahastrabuddhe + * Mans Rullgard + * Matt Sarett + * Mike Klein + * Pascal Massimino + * Paul Schmidt + * Qiang Zhou + * Sam Bushell + * Samuel Williams + * Simon-Pierre Cadieux + * Tim Wegner + * Tom Lane + * Tom Tanner + * Vadim Barkov + * Willem van Schaik + * Zhijie Liang + * Arm Holdings + - Richard Townsend + * Google Inc. + - Matt Sarett + - Mike Klein + - Dan Field + - Sami Boukortt + +The build projects, the build scripts, the test scripts, and other +files in the "ci", "projects", "scripts" and "tests" directories, have +other copyright owners, but are released under the libpng license. + +Some files in the "contrib" directory, and some tools-generated files +that are distributed with libpng, have other copyright owners, and are +released under other open source licenses. + --- end of LICENSE --- ------------------------------------------------------------------------------- diff --git a/hotspot/THIRD_PARTY_README b/hotspot/THIRD_PARTY_README index d19de8ae6c..ae4f4d796b 100644 --- a/hotspot/THIRD_PARTY_README +++ b/hotspot/THIRD_PARTY_README @@ -1472,7 +1472,7 @@ included with JDK 8 and OpenJDK 8 source distributions. ------------------------------------------------------------------------------- -%% This notice is provided with respect to libpng 1.6.37, which may be +%% This notice is provided with respect to libpng 1.6.38, which may be included with JRE 8, JDK 8, and OpenJDK 8. --- begin of LICENSE --- @@ -1483,11 +1483,11 @@ COPYRIGHT NOTICE, DISCLAIMER, and LICENSE PNG Reference Library License version 2 --------------------------------------- - * Copyright (c) 1995-2019 The PNG Reference Library Authors. - * Copyright (c) 2018-2019 Cosmin Truta. - * Copyright (c) 2000-2002, 2004, 2006-2018 Glenn Randers-Pehrson. - * Copyright (c) 1996-1997 Andreas Dilger. - * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. +Copyright (c) 1995-2022 The PNG Reference Library Authors. +Copyright (c) 2018-2022 Cosmin Truta +Copyright (c) 1998-2018 Glenn Randers-Pehrson +Copyright (c) 1996-1997 Andreas Dilger +Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. The software is supplied "as is", without warranty of any kind, express or implied, including, without limitation, the warranties @@ -1614,10 +1614,10 @@ be appreciated. TRADEMARK: -The name "libpng" has not been registered by the Copyright owner +The name "libpng" has not been registered by the Copyright owners as a trademark in any jurisdiction. However, because libpng has been distributed and maintained world-wide, continually since 1995, -the Copyright owner claims "common-law trademark protection" in any +the Copyright owners claim "common-law trademark protection" in any jurisdiction where common-law trademark is recognized. OSI CERTIFICATION: @@ -1639,6 +1639,58 @@ Glenn Randers-Pehrson glennrp at users.sourceforge.net July 15, 2018 +AUTHORS File Information: + +PNG REFERENCE LIBRARY AUTHORS +============================= + +This is the list of PNG Reference Library ("libpng") Contributing +Authors, for copyright and licensing purposes. + + * Andreas Dilger + * Cosmin Truta + * Dave Martindale + * Eric S. Raymond + * Gilles Vollant + * Glenn Randers-Pehrson + * Greg Roelofs + * Guy Eric Schalnat + * James Yu + * John Bowler + * Kevin Bracey + * Magnus Holmgren + * Mandar Sahastrabuddhe + * Mans Rullgard + * Matt Sarett + * Mike Klein + * Pascal Massimino + * Paul Schmidt + * Qiang Zhou + * Sam Bushell + * Samuel Williams + * Simon-Pierre Cadieux + * Tim Wegner + * Tom Lane + * Tom Tanner + * Vadim Barkov + * Willem van Schaik + * Zhijie Liang + * Arm Holdings + - Richard Townsend + * Google Inc. + - Matt Sarett + - Mike Klein + - Dan Field + - Sami Boukortt + +The build projects, the build scripts, the test scripts, and other +files in the "ci", "projects", "scripts" and "tests" directories, have +other copyright owners, but are released under the libpng license. + +Some files in the "contrib" directory, and some tools-generated files +that are distributed with libpng, have other copyright owners, and are +released under other open source licenses. + --- end of LICENSE --- ------------------------------------------------------------------------------- diff --git a/jaxp/THIRD_PARTY_README b/jaxp/THIRD_PARTY_README index d19de8ae6c..ae4f4d796b 100644 --- a/jaxp/THIRD_PARTY_README +++ b/jaxp/THIRD_PARTY_README @@ -1472,7 +1472,7 @@ included with JDK 8 and OpenJDK 8 source distributions. ------------------------------------------------------------------------------- -%% This notice is provided with respect to libpng 1.6.37, which may be +%% This notice is provided with respect to libpng 1.6.38, which may be included with JRE 8, JDK 8, and OpenJDK 8. --- begin of LICENSE --- @@ -1483,11 +1483,11 @@ COPYRIGHT NOTICE, DISCLAIMER, and LICENSE PNG Reference Library License version 2 --------------------------------------- - * Copyright (c) 1995-2019 The PNG Reference Library Authors. - * Copyright (c) 2018-2019 Cosmin Truta. - * Copyright (c) 2000-2002, 2004, 2006-2018 Glenn Randers-Pehrson. - * Copyright (c) 1996-1997 Andreas Dilger. - * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. +Copyright (c) 1995-2022 The PNG Reference Library Authors. +Copyright (c) 2018-2022 Cosmin Truta +Copyright (c) 1998-2018 Glenn Randers-Pehrson +Copyright (c) 1996-1997 Andreas Dilger +Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. The software is supplied "as is", without warranty of any kind, express or implied, including, without limitation, the warranties @@ -1614,10 +1614,10 @@ be appreciated. TRADEMARK: -The name "libpng" has not been registered by the Copyright owner +The name "libpng" has not been registered by the Copyright owners as a trademark in any jurisdiction. However, because libpng has been distributed and maintained world-wide, continually since 1995, -the Copyright owner claims "common-law trademark protection" in any +the Copyright owners claim "common-law trademark protection" in any jurisdiction where common-law trademark is recognized. OSI CERTIFICATION: @@ -1639,6 +1639,58 @@ Glenn Randers-Pehrson glennrp at users.sourceforge.net July 15, 2018 +AUTHORS File Information: + +PNG REFERENCE LIBRARY AUTHORS +============================= + +This is the list of PNG Reference Library ("libpng") Contributing +Authors, for copyright and licensing purposes. + + * Andreas Dilger + * Cosmin Truta + * Dave Martindale + * Eric S. Raymond + * Gilles Vollant + * Glenn Randers-Pehrson + * Greg Roelofs + * Guy Eric Schalnat + * James Yu + * John Bowler + * Kevin Bracey + * Magnus Holmgren + * Mandar Sahastrabuddhe + * Mans Rullgard + * Matt Sarett + * Mike Klein + * Pascal Massimino + * Paul Schmidt + * Qiang Zhou + * Sam Bushell + * Samuel Williams + * Simon-Pierre Cadieux + * Tim Wegner + * Tom Lane + * Tom Tanner + * Vadim Barkov + * Willem van Schaik + * Zhijie Liang + * Arm Holdings + - Richard Townsend + * Google Inc. + - Matt Sarett + - Mike Klein + - Dan Field + - Sami Boukortt + +The build projects, the build scripts, the test scripts, and other +files in the "ci", "projects", "scripts" and "tests" directories, have +other copyright owners, but are released under the libpng license. + +Some files in the "contrib" directory, and some tools-generated files +that are distributed with libpng, have other copyright owners, and are +released under other open source licenses. + --- end of LICENSE --- ------------------------------------------------------------------------------- diff --git a/jaxws/THIRD_PARTY_README b/jaxws/THIRD_PARTY_README index d19de8ae6c..ae4f4d796b 100644 --- a/jaxws/THIRD_PARTY_README +++ b/jaxws/THIRD_PARTY_README @@ -1472,7 +1472,7 @@ included with JDK 8 and OpenJDK 8 source distributions. ------------------------------------------------------------------------------- -%% This notice is provided with respect to libpng 1.6.37, which may be +%% This notice is provided with respect to libpng 1.6.38, which may be included with JRE 8, JDK 8, and OpenJDK 8. --- begin of LICENSE --- @@ -1483,11 +1483,11 @@ COPYRIGHT NOTICE, DISCLAIMER, and LICENSE PNG Reference Library License version 2 --------------------------------------- - * Copyright (c) 1995-2019 The PNG Reference Library Authors. - * Copyright (c) 2018-2019 Cosmin Truta. - * Copyright (c) 2000-2002, 2004, 2006-2018 Glenn Randers-Pehrson. - * Copyright (c) 1996-1997 Andreas Dilger. - * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. +Copyright (c) 1995-2022 The PNG Reference Library Authors. +Copyright (c) 2018-2022 Cosmin Truta +Copyright (c) 1998-2018 Glenn Randers-Pehrson +Copyright (c) 1996-1997 Andreas Dilger +Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. The software is supplied "as is", without warranty of any kind, express or implied, including, without limitation, the warranties @@ -1614,10 +1614,10 @@ be appreciated. TRADEMARK: -The name "libpng" has not been registered by the Copyright owner +The name "libpng" has not been registered by the Copyright owners as a trademark in any jurisdiction. However, because libpng has been distributed and maintained world-wide, continually since 1995, -the Copyright owner claims "common-law trademark protection" in any +the Copyright owners claim "common-law trademark protection" in any jurisdiction where common-law trademark is recognized. OSI CERTIFICATION: @@ -1639,6 +1639,58 @@ Glenn Randers-Pehrson glennrp at users.sourceforge.net July 15, 2018 +AUTHORS File Information: + +PNG REFERENCE LIBRARY AUTHORS +============================= + +This is the list of PNG Reference Library ("libpng") Contributing +Authors, for copyright and licensing purposes. + + * Andreas Dilger + * Cosmin Truta + * Dave Martindale + * Eric S. Raymond + * Gilles Vollant + * Glenn Randers-Pehrson + * Greg Roelofs + * Guy Eric Schalnat + * James Yu + * John Bowler + * Kevin Bracey + * Magnus Holmgren + * Mandar Sahastrabuddhe + * Mans Rullgard + * Matt Sarett + * Mike Klein + * Pascal Massimino + * Paul Schmidt + * Qiang Zhou + * Sam Bushell + * Samuel Williams + * Simon-Pierre Cadieux + * Tim Wegner + * Tom Lane + * Tom Tanner + * Vadim Barkov + * Willem van Schaik + * Zhijie Liang + * Arm Holdings + - Richard Townsend + * Google Inc. + - Matt Sarett + - Mike Klein + - Dan Field + - Sami Boukortt + +The build projects, the build scripts, the test scripts, and other +files in the "ci", "projects", "scripts" and "tests" directories, have +other copyright owners, but are released under the libpng license. + +Some files in the "contrib" directory, and some tools-generated files +that are distributed with libpng, have other copyright owners, and are +released under other open source licenses. + --- end of LICENSE --- ------------------------------------------------------------------------------- diff --git a/jdk/THIRD_PARTY_README b/jdk/THIRD_PARTY_README index d19de8ae6c..ae4f4d796b 100644 --- a/jdk/THIRD_PARTY_README +++ b/jdk/THIRD_PARTY_README @@ -1472,7 +1472,7 @@ included with JDK 8 and OpenJDK 8 source distributions. ------------------------------------------------------------------------------- -%% This notice is provided with respect to libpng 1.6.37, which may be +%% This notice is provided with respect to libpng 1.6.38, which may be included with JRE 8, JDK 8, and OpenJDK 8. --- begin of LICENSE --- @@ -1483,11 +1483,11 @@ COPYRIGHT NOTICE, DISCLAIMER, and LICENSE PNG Reference Library License version 2 --------------------------------------- - * Copyright (c) 1995-2019 The PNG Reference Library Authors. - * Copyright (c) 2018-2019 Cosmin Truta. - * Copyright (c) 2000-2002, 2004, 2006-2018 Glenn Randers-Pehrson. - * Copyright (c) 1996-1997 Andreas Dilger. - * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. +Copyright (c) 1995-2022 The PNG Reference Library Authors. +Copyright (c) 2018-2022 Cosmin Truta +Copyright (c) 1998-2018 Glenn Randers-Pehrson +Copyright (c) 1996-1997 Andreas Dilger +Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. The software is supplied "as is", without warranty of any kind, express or implied, including, without limitation, the warranties @@ -1614,10 +1614,10 @@ be appreciated. TRADEMARK: -The name "libpng" has not been registered by the Copyright owner +The name "libpng" has not been registered by the Copyright owners as a trademark in any jurisdiction. However, because libpng has been distributed and maintained world-wide, continually since 1995, -the Copyright owner claims "common-law trademark protection" in any +the Copyright owners claim "common-law trademark protection" in any jurisdiction where common-law trademark is recognized. OSI CERTIFICATION: @@ -1639,6 +1639,58 @@ Glenn Randers-Pehrson glennrp at users.sourceforge.net July 15, 2018 +AUTHORS File Information: + +PNG REFERENCE LIBRARY AUTHORS +============================= + +This is the list of PNG Reference Library ("libpng") Contributing +Authors, for copyright and licensing purposes. + + * Andreas Dilger + * Cosmin Truta + * Dave Martindale + * Eric S. Raymond + * Gilles Vollant + * Glenn Randers-Pehrson + * Greg Roelofs + * Guy Eric Schalnat + * James Yu + * John Bowler + * Kevin Bracey + * Magnus Holmgren + * Mandar Sahastrabuddhe + * Mans Rullgard + * Matt Sarett + * Mike Klein + * Pascal Massimino + * Paul Schmidt + * Qiang Zhou + * Sam Bushell + * Samuel Williams + * Simon-Pierre Cadieux + * Tim Wegner + * Tom Lane + * Tom Tanner + * Vadim Barkov + * Willem van Schaik + * Zhijie Liang + * Arm Holdings + - Richard Townsend + * Google Inc. + - Matt Sarett + - Mike Klein + - Dan Field + - Sami Boukortt + +The build projects, the build scripts, the test scripts, and other +files in the "ci", "projects", "scripts" and "tests" directories, have +other copyright owners, but are released under the libpng license. + +Some files in the "contrib" directory, and some tools-generated files +that are distributed with libpng, have other copyright owners, and are +released under other open source licenses. + --- end of LICENSE --- ------------------------------------------------------------------------------- diff --git a/jdk/src/share/native/sun/awt/libpng/CHANGES b/jdk/src/share/native/sun/awt/libpng/CHANGES index f0b0a9342c..9a86869681 100644 --- a/jdk/src/share/native/sun/awt/libpng/CHANGES +++ b/jdk/src/share/native/sun/awt/libpng/CHANGES @@ -2295,7 +2295,7 @@ Version 1.4.0beta58 [May 14, 2009] Clarified usage of sig_bit versus sig_bit_p in example.c (Vincent Torri) Version 1.4.0beta59 [May 15, 2009] - Reformated sources in libpng style (3-space intentation, comment format) + Reformated sources in libpng style (3-space indentation, comment format) Fixed typo in libpng docs (PNG_FILTER_AVE should be PNG_FILTER_AVG) Added sections about the git repository and our coding style to the documentation @@ -3886,7 +3886,7 @@ Version 1.6.0beta06 [January 24, 2012] Version 1.6.0beta07 [January 28, 2012] Eliminated Intel icc/icl compiler warnings. The Intel (GCC derived) compiler issues slightly different warnings from those issued by the - current vesions of GCC. This eliminates those warnings by + current versions of GCC. This eliminates those warnings by adding/removing casts and small code rewrites. Updated configure.ac from autoupdate: added --enable-werror option. Also some layout regularization and removal of introduced tab characters @@ -6103,6 +6103,12 @@ Version 1.6.37 [April 14, 2019] Added makefiles for AddressSanitizer-enabled builds. Cleaned up various makefiles. +Version 1.6.38 [September 14, 2022] + Added configurations and scripts for continuous integration. + Fixed various errors in the handling of tRNS, hIST and eXIf. + Implemented many stability improvements across all platforms. + Updated the internal documentation. + Send comments/corrections/commendations to png-mng-implement at lists.sf.net. Subscription is required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement diff --git a/jdk/src/share/native/sun/awt/libpng/LICENSE b/jdk/src/share/native/sun/awt/libpng/LICENSE index e0c5b531cf..c8ad24eecf 100644 --- a/jdk/src/share/native/sun/awt/libpng/LICENSE +++ b/jdk/src/share/native/sun/awt/libpng/LICENSE @@ -4,8 +4,8 @@ COPYRIGHT NOTICE, DISCLAIMER, and LICENSE PNG Reference Library License version 2 --------------------------------------- - * Copyright (c) 1995-2019 The PNG Reference Library Authors. - * Copyright (c) 2018-2019 Cosmin Truta. + * Copyright (c) 1995-2022 The PNG Reference Library Authors. + * Copyright (c) 2018-2022 Cosmin Truta. * Copyright (c) 2000-2002, 2004, 2006-2018 Glenn Randers-Pehrson. * Copyright (c) 1996-1997 Andreas Dilger. * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. diff --git a/jdk/src/share/native/sun/awt/libpng/README b/jdk/src/share/native/sun/awt/libpng/README index cfc1f0e3dc..e6e72aa547 100644 --- a/jdk/src/share/native/sun/awt/libpng/README +++ b/jdk/src/share/native/sun/awt/libpng/README @@ -1,12 +1,12 @@ -README for libpng version 1.6.37 - April 14, 2019 -================================================= +README for libpng version 1.6.38 +================================ See the note about version numbers near the top of png.h. See INSTALL for instructions on how to install libpng. Libpng comes in several distribution formats. Get libpng-*.tar.gz or -libpng-*.tar.xz or if you want UNIX-style line endings in the text -files, or lpng*.7z or lpng*.zip if you want DOS-style line endings. +libpng-*.tar.xz if you want UNIX-style line endings in the text files, +or lpng*.7z or lpng*.zip if you want DOS-style line endings. Version 0.89 was the first official release of libpng. Don't let the fact that it's the first release fool you. The libpng library has been diff --git a/jdk/src/share/native/sun/awt/libpng/png.c b/jdk/src/share/native/sun/awt/libpng/png.c index 3740c3cd21..ba608f128a 100644 --- a/jdk/src/share/native/sun/awt/libpng/png.c +++ b/jdk/src/share/native/sun/awt/libpng/png.c @@ -29,7 +29,7 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * Copyright (c) 2018-2019 Cosmin Truta + * Copyright (c) 2018-2022 Cosmin Truta * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson * Copyright (c) 1996-1997 Andreas Dilger * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. @@ -42,7 +42,7 @@ #include "pngpriv.h" /* Generate a compiler error if there is an old png.h in the search path. */ -typedef png_libpng_version_1_6_37 Your_png_h_is_not_version_1_6_37; +typedef png_libpng_version_1_6_38 Your_png_h_is_not_version_1_6_38; #ifdef __GNUC__ /* The version tests may need to be added to, but the problem warning has @@ -748,7 +748,7 @@ png_init_io(png_structrp png_ptr, png_FILE_p fp) * * Where UNSIGNED_MAX is the appropriate maximum unsigned value, so when the * negative integral value is added the result will be an unsigned value - * correspnding to the 2's complement representation. + * corresponding to the 2's complement representation. */ void PNGAPI png_save_int_32(png_bytep buf, png_int_32 i) @@ -843,8 +843,8 @@ png_get_copyright(png_const_structrp png_ptr) return PNG_STRING_COPYRIGHT #else return PNG_STRING_NEWLINE \ - "libpng version 1.6.37" PNG_STRING_NEWLINE \ - "Copyright (c) 2018-2019 Cosmin Truta" PNG_STRING_NEWLINE \ + "libpng version 1.6.38" PNG_STRING_NEWLINE \ + "Copyright (c) 2018-2022 Cosmin Truta" PNG_STRING_NEWLINE \ "Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson" \ PNG_STRING_NEWLINE \ "Copyright (c) 1996-1997 Andreas Dilger" PNG_STRING_NEWLINE \ @@ -1871,12 +1871,12 @@ png_icc_profile_error(png_const_structrp png_ptr, png_colorspacerp colorspace, # ifdef PNG_WARNINGS_SUPPORTED else { - char number[PNG_NUMBER_BUFFER_SIZE]; /* +24 = 114*/ + char number[PNG_NUMBER_BUFFER_SIZE]; /* +24 = 114 */ pos = png_safecat(message, (sizeof message), pos, png_format_number(number, number+(sizeof number), PNG_NUMBER_FORMAT_x, value)); - pos = png_safecat(message, (sizeof message), pos, "h: "); /*+2 = 116*/ + pos = png_safecat(message, (sizeof message), pos, "h: "); /* +2 = 116 */ } # endif /* The 'reason' is an arbitrary message, allow +79 maximum 195 */ diff --git a/jdk/src/share/native/sun/awt/libpng/png.h b/jdk/src/share/native/sun/awt/libpng/png.h index e5e87d3b81..aeff31573c 100644 --- a/jdk/src/share/native/sun/awt/libpng/png.h +++ b/jdk/src/share/native/sun/awt/libpng/png.h @@ -29,9 +29,9 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * libpng version 1.6.37 - April 14, 2019 + * libpng version 1.6.38 - September 14, 2022 * - * Copyright (c) 2018-2019 Cosmin Truta + * Copyright (c) 2018-2022 Cosmin Truta * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson * Copyright (c) 1996-1997 Andreas Dilger * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. @@ -43,7 +43,7 @@ * libpng versions 0.89, June 1996, through 0.96, May 1997: Andreas Dilger * libpng versions 0.97, January 1998, through 1.6.35, July 2018: * Glenn Randers-Pehrson - * libpng versions 1.6.36, December 2018, through 1.6.37, April 2019: + * libpng versions 1.6.36, December 2018, through 1.6.38, September 2022: * Cosmin Truta * See also "Contributing Authors", below. */ @@ -55,8 +55,8 @@ * PNG Reference Library License version 2 * --------------------------------------- * - * * Copyright (c) 1995-2019 The PNG Reference Library Authors. - * * Copyright (c) 2018-2019 Cosmin Truta. + * * Copyright (c) 1995-2022 The PNG Reference Library Authors. + * * Copyright (c) 2018-2022 Cosmin Truta. * * Copyright (c) 2000-2002, 2004, 2006-2018 Glenn Randers-Pehrson. * * Copyright (c) 1996-1997 Andreas Dilger. * * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. @@ -267,7 +267,7 @@ * ... * 1.5.30 15 10530 15.so.15.30[.0] * ... - * 1.6.37 16 10637 16.so.16.37[.0] + * 1.6.38 16 10638 16.so.16.38[.0] * * Henceforth the source version will match the shared-library major and * minor numbers; the shared-library major version number will be used for @@ -306,8 +306,8 @@ */ /* Version information for png.h - this should match the version in png.c */ -#define PNG_LIBPNG_VER_STRING "1.6.37" -#define PNG_HEADER_VERSION_STRING " libpng version 1.6.37 - April 14, 2019\n" +#define PNG_LIBPNG_VER_STRING "1.6.38" +#define PNG_HEADER_VERSION_STRING " libpng version 1.6.38 - September 14, 2022\n" #define PNG_LIBPNG_VER_SONUM 16 #define PNG_LIBPNG_VER_DLLNUM 16 @@ -315,7 +315,7 @@ /* These should match the first 3 components of PNG_LIBPNG_VER_STRING: */ #define PNG_LIBPNG_VER_MAJOR 1 #define PNG_LIBPNG_VER_MINOR 6 -#define PNG_LIBPNG_VER_RELEASE 37 +#define PNG_LIBPNG_VER_RELEASE 38 /* This should be zero for a public release, or non-zero for a * development version. [Deprecated] @@ -346,7 +346,7 @@ * From version 1.0.1 it is: * XXYYZZ, where XX=major, YY=minor, ZZ=release */ -#define PNG_LIBPNG_VER 10637 /* 1.6.37 */ +#define PNG_LIBPNG_VER 10638 /* 1.6.38 */ /* Library configuration: these options cannot be changed after * the library has been built. @@ -456,7 +456,7 @@ extern "C" { /* This triggers a compiler error in png.c, if png.c and png.h * do not agree upon the version number. */ -typedef char* png_libpng_version_1_6_37; +typedef char* png_libpng_version_1_6_38; /* Basic control structions. Read libpng-manual.txt or libpng.3 for more info. * @@ -1474,7 +1474,7 @@ PNG_EXPORT(66, void, png_set_crc_action, (png_structrp png_ptr, int crit_action, * mainly useful for testing, as the defaults should work with most users. * Those users who are tight on memory or want faster performance at the * expense of compression can modify them. See the compression library - * header file (zlib.h) for an explination of the compression functions. + * header file (zlib.h) for an explanation of the compression functions. */ /* Set the filtering method(s) used by libpng. Currently, the only valid @@ -1529,7 +1529,7 @@ PNG_FIXED_EXPORT(209, void, png_set_filter_heuristics_fixed, * 0 - 9, corresponding directly to the zlib compression levels 0 - 9 * (0 - no compression, 9 - "maximal" compression). Note that tests have * shown that zlib compression levels 3-6 usually perform as well as level 9 - * for PNG images, and do considerably fewer caclulations. In the future, + * for PNG images, and do considerably fewer calculations. In the future, * these values may not correspond directly to the zlib compression levels. */ #ifdef PNG_WRITE_CUSTOMIZE_COMPRESSION_SUPPORTED diff --git a/jdk/src/share/native/sun/awt/libpng/pngconf.h b/jdk/src/share/native/sun/awt/libpng/pngconf.h index e6c993b857..e95fa34ad7 100644 --- a/jdk/src/share/native/sun/awt/libpng/pngconf.h +++ b/jdk/src/share/native/sun/awt/libpng/pngconf.h @@ -29,9 +29,9 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * libpng version 1.6.37 + * libpng version 1.6.38 * - * Copyright (c) 2018-2019 Cosmin Truta + * Copyright (c) 2018-2022 Cosmin Truta * Copyright (c) 1998-2002,2004,2006-2016,2018 Glenn Randers-Pehrson * Copyright (c) 1996-1997 Andreas Dilger * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. @@ -208,8 +208,8 @@ * compiler-specific macros to the values required to change the calling * conventions of the various functions. */ -#if defined(_Windows) || defined(_WINDOWS) || defined(WIN32) ||\ - defined(_WIN32) || defined(__WIN32__) || defined(__CYGWIN__) +#if defined(_WIN32) || defined(__WIN32__) || defined(__NT__) || \ + defined(__CYGWIN__) /* Windows system (DOS doesn't support DLLs). Includes builds under Cygwin or * MinGW on any architecture currently supported by Windows. Also includes * Watcom builds but these need special treatment because they are not diff --git a/jdk/src/share/native/sun/awt/libpng/pngget.c b/jdk/src/share/native/sun/awt/libpng/pngget.c index 4e5f6c962a..454d4e8227 100644 --- a/jdk/src/share/native/sun/awt/libpng/pngget.c +++ b/jdk/src/share/native/sun/awt/libpng/pngget.c @@ -1179,7 +1179,7 @@ png_get_unknown_chunks(png_const_structrp png_ptr, png_inforp info_ptr, #ifdef PNG_READ_RGB_TO_GRAY_SUPPORTED png_byte PNGAPI -png_get_rgb_to_gray_status (png_const_structrp png_ptr) +png_get_rgb_to_gray_status(png_const_structrp png_ptr) { return (png_byte)(png_ptr ? png_ptr->rgb_to_gray_status : 0); } @@ -1220,27 +1220,27 @@ png_get_compression_buffer_size(png_const_structrp png_ptr) /* These functions were added to libpng 1.2.6 and were enabled * by default in libpng-1.4.0 */ png_uint_32 PNGAPI -png_get_user_width_max (png_const_structrp png_ptr) +png_get_user_width_max(png_const_structrp png_ptr) { return (png_ptr ? png_ptr->user_width_max : 0); } png_uint_32 PNGAPI -png_get_user_height_max (png_const_structrp png_ptr) +png_get_user_height_max(png_const_structrp png_ptr) { return (png_ptr ? png_ptr->user_height_max : 0); } /* This function was added to libpng 1.4.0 */ png_uint_32 PNGAPI -png_get_chunk_cache_max (png_const_structrp png_ptr) +png_get_chunk_cache_max(png_const_structrp png_ptr) { return (png_ptr ? png_ptr->user_chunk_cache_max : 0); } /* This function was added to libpng 1.4.1 */ png_alloc_size_t PNGAPI -png_get_chunk_malloc_max (png_const_structrp png_ptr) +png_get_chunk_malloc_max(png_const_structrp png_ptr) { return (png_ptr ? png_ptr->user_chunk_malloc_max : 0); } @@ -1249,13 +1249,13 @@ png_get_chunk_malloc_max (png_const_structrp png_ptr) /* These functions were added to libpng 1.4.0 */ #ifdef PNG_IO_STATE_SUPPORTED png_uint_32 PNGAPI -png_get_io_state (png_const_structrp png_ptr) +png_get_io_state(png_const_structrp png_ptr) { return png_ptr->io_state; } png_uint_32 PNGAPI -png_get_io_chunk_type (png_const_structrp png_ptr) +png_get_io_chunk_type(png_const_structrp png_ptr) { return png_ptr->chunk_name; } diff --git a/jdk/src/share/native/sun/awt/libpng/pnglibconf.h b/jdk/src/share/native/sun/awt/libpng/pnglibconf.h index efe99f7840..b3dc39a45b 100644 --- a/jdk/src/share/native/sun/awt/libpng/pnglibconf.h +++ b/jdk/src/share/native/sun/awt/libpng/pnglibconf.h @@ -31,9 +31,9 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: */ -/* libpng version 1.6.37 */ +/* libpng version 1.6.38 */ -/* Copyright (c) 2018-2019 Cosmin Truta */ +/* Copyright (c) 2018-2022 Cosmin Truta */ /* Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson */ /* This code is released under the libpng license. */ diff --git a/jdk/src/share/native/sun/awt/libpng/pngpriv.h b/jdk/src/share/native/sun/awt/libpng/pngpriv.h index 73e1e9371a..ed44512ef2 100644 --- a/jdk/src/share/native/sun/awt/libpng/pngpriv.h +++ b/jdk/src/share/native/sun/awt/libpng/pngpriv.h @@ -29,7 +29,7 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * Copyright (c) 2018-2019 Cosmin Truta + * Copyright (c) 2018-2022 Cosmin Truta * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson * Copyright (c) 1996-1997 Andreas Dilger * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. @@ -202,7 +202,7 @@ # else /* !defined __ARM_NEON__ */ /* The 'intrinsics' code simply won't compile without this -mfpu=neon: */ -# if !defined(__aarch64__) +# if !defined(__aarch64__) && !defined(_M_ARM64) /* The assembler code currently does not work on ARM64 */ # define PNG_ARM_NEON_IMPLEMENTATION 2 # endif /* __aarch64__ */ @@ -213,6 +213,8 @@ /* Use the intrinsics code by default. */ # define PNG_ARM_NEON_IMPLEMENTATION 1 # endif +#else /* PNG_ARM_NEON_OPT == 0 */ +# define PNG_ARM_NEON_IMPLEMENTATION 0 #endif /* PNG_ARM_NEON_OPT > 0 */ #ifndef PNG_MIPS_MSA_OPT @@ -291,11 +293,15 @@ # ifndef PNG_MIPS_MSA_IMPLEMENTATION # define PNG_MIPS_MSA_IMPLEMENTATION 1 # endif +#else +# define PNG_MIPS_MSA_IMPLEMENTATION 0 #endif /* PNG_MIPS_MSA_OPT > 0 */ #if PNG_POWERPC_VSX_OPT > 0 # define PNG_FILTER_OPTIMIZATIONS png_init_filter_functions_vsx # define PNG_POWERPC_VSX_IMPLEMENTATION 1 +#else +# define PNG_POWERPC_VSX_IMPLEMENTATION 0 #endif @@ -520,16 +526,7 @@ static_cast(static_cast(value)) #else # define png_voidcast(type, value) (value) -# ifdef _WIN64 -# ifdef __GNUC__ - typedef unsigned long long png_ptruint; -# else - typedef unsigned __int64 png_ptruint; -# endif -# else - typedef unsigned long png_ptruint; -# endif -# define png_constcast(type, value) ((type)(png_ptruint)(const void*)(value)) +# define png_constcast(type, value) ((type)(void*)(const void*)(value)) # define png_aligncast(type, value) ((void*)(value)) # define png_aligncastconst(type, value) ((const void*)(value)) #endif /* __cplusplus */ @@ -571,9 +568,8 @@ # include #endif -#if defined(WIN32) || defined(_Windows) || defined(_WINDOWS) || \ - defined(_WIN32) || defined(__WIN32__) -# include /* defines _WINDOWS_ macro */ +#if defined(_WIN32) || defined(__WIN32__) || defined(__NT__) +# include #endif #endif /* PNG_VERSION_INFO_ONLY */ @@ -582,24 +578,20 @@ * functions that are passed far data must be model-independent. */ -/* Memory model/platform independent fns */ +/* Platform-independent functions */ #ifndef PNG_ABORT -# ifdef _WINDOWS_ -# define PNG_ABORT() ExitProcess(0) -# else -# define PNG_ABORT() abort() -# endif +# define PNG_ABORT() abort() #endif /* These macros may need to be architecture dependent. */ -#define PNG_ALIGN_NONE 0 /* do not use data alignment */ -#define PNG_ALIGN_ALWAYS 1 /* assume unaligned accesses are OK */ +#define PNG_ALIGN_NONE 0 /* do not use data alignment */ +#define PNG_ALIGN_ALWAYS 1 /* assume unaligned accesses are OK */ #ifdef offsetof -# define PNG_ALIGN_OFFSET 2 /* use offsetof to determine alignment */ +# define PNG_ALIGN_OFFSET 2 /* use offsetof to determine alignment */ #else # define PNG_ALIGN_OFFSET -1 /* prevent the use of this */ #endif -#define PNG_ALIGN_SIZE 3 /* use sizeof to determine alignment */ +#define PNG_ALIGN_SIZE 3 /* use sizeof to determine alignment */ #ifndef PNG_ALIGN_TYPE /* Default to using aligned access optimizations and requiring alignment to a @@ -613,26 +605,25 @@ /* This is used because in some compiler implementations non-aligned * structure members are supported, so the offsetof approach below fails. * Set PNG_ALIGN_SIZE=0 for compiler combinations where unaligned access - * is good for performance. Do not do this unless you have tested the result - * and understand it. + * is good for performance. Do not do this unless you have tested the + * result and understand it. */ -# define png_alignof(type) (sizeof (type)) +# define png_alignof(type) (sizeof(type)) #else # if PNG_ALIGN_TYPE == PNG_ALIGN_OFFSET -# define png_alignof(type) offsetof(struct{char c; type t;}, t) +# define png_alignof(type) offsetof(struct{char c; type t;}, t) # else -# if PNG_ALIGN_TYPE == PNG_ALIGN_ALWAYS -# define png_alignof(type) (1) -# endif - /* Else leave png_alignof undefined to prevent use thereof */ +# if PNG_ALIGN_TYPE == PNG_ALIGN_ALWAYS +# define png_alignof(type) 1 +# endif + /* Else leave png_alignof undefined to prevent use thereof */ # endif #endif -/* This implicitly assumes alignment is always to a power of 2. */ +/* This implicitly assumes alignment is always a multiple of 2. */ #ifdef png_alignof -# define png_isaligned(ptr, type)\ - (((type)((const char*)ptr-(const char*)0) & \ - (type)(png_alignof(type)-1)) == 0) +# define png_isaligned(ptr, type) \ + (((type)(size_t)((const void*)(ptr)) & (type)(png_alignof(type)-1)) == 0) #else # define png_isaligned(ptr, type) 0 #endif diff --git a/jdk/src/share/native/sun/awt/libpng/pngread.c b/jdk/src/share/native/sun/awt/libpng/pngread.c index b558c5716f..3631e60f36 100644 --- a/jdk/src/share/native/sun/awt/libpng/pngread.c +++ b/jdk/src/share/native/sun/awt/libpng/pngread.c @@ -3480,7 +3480,6 @@ png_image_read_background(png_voidp argument) for (pass = 0; pass < passes; ++pass) { - png_bytep row = png_voidcast(png_bytep, display->first_row); unsigned int startx, stepx, stepy; png_uint_32 y; @@ -3585,8 +3584,6 @@ png_image_read_background(png_voidp argument) inrow += 2; /* gray and alpha channel */ } - - row += display->row_bytes; } } } diff --git a/jdk/src/share/native/sun/awt/libpng/pngrtran.c b/jdk/src/share/native/sun/awt/libpng/pngrtran.c index efe7135553..843eb5fff2 100644 --- a/jdk/src/share/native/sun/awt/libpng/pngrtran.c +++ b/jdk/src/share/native/sun/awt/libpng/pngrtran.c @@ -49,7 +49,7 @@ #ifdef PNG_ARM_NEON_IMPLEMENTATION # if PNG_ARM_NEON_IMPLEMENTATION == 1 # define PNG_ARM_NEON_INTRINSICS_AVAILABLE -# if defined(_MSC_VER) && defined(_M_ARM64) +# if defined(_MSC_VER) && !defined(__clang__) && defined(_M_ARM64) # include # else # include diff --git a/jdk/src/share/native/sun/awt/libpng/pngrutil.c b/jdk/src/share/native/sun/awt/libpng/pngrutil.c index 5c6244116a..d41a6d09b2 100644 --- a/jdk/src/share/native/sun/awt/libpng/pngrutil.c +++ b/jdk/src/share/native/sun/awt/libpng/pngrutil.c @@ -29,7 +29,7 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * Copyright (c) 2018 Cosmin Truta + * Copyright (c) 2018-2022 Cosmin Truta * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson * Copyright (c) 1996-1997 Andreas Dilger * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. @@ -329,7 +329,6 @@ png_read_buffer(png_structrp png_ptr, png_alloc_size_t new_size, int warn) if (buffer != NULL && new_size > png_ptr->read_buffer_size) { - png_ptr->read_buffer = NULL; png_ptr->read_buffer = NULL; png_ptr->read_buffer_size = 0; png_free(png_ptr, buffer); @@ -2104,21 +2103,22 @@ png_handle_eXIf(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) png_byte buf[1]; png_crc_read(png_ptr, buf, 1); info_ptr->eXIf_buf[i] = buf[0]; - if (i == 1 && buf[0] != 'M' && buf[0] != 'I' - && info_ptr->eXIf_buf[0] != buf[0]) + if (i == 1) { - png_crc_finish(png_ptr, length); - png_chunk_benign_error(png_ptr, "incorrect byte-order specifier"); - png_free(png_ptr, info_ptr->eXIf_buf); - info_ptr->eXIf_buf = NULL; - return; + if ((buf[0] != 'M' && buf[0] != 'I') || + (info_ptr->eXIf_buf[0] != buf[0])) + { + png_crc_finish(png_ptr, length - 2); + png_chunk_benign_error(png_ptr, "incorrect byte-order specifier"); + png_free(png_ptr, info_ptr->eXIf_buf); + info_ptr->eXIf_buf = NULL; + return; + } } } - if (png_crc_finish(png_ptr, 0) != 0) - return; - - png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf); + if (png_crc_finish(png_ptr, 0) == 0) + png_set_eXIf_1(png_ptr, info_ptr, length, info_ptr->eXIf_buf); png_free(png_ptr, info_ptr->eXIf_buf); info_ptr->eXIf_buf = NULL; @@ -2154,8 +2154,9 @@ png_handle_hIST(png_structrp png_ptr, png_inforp info_ptr, png_uint_32 length) num = length / 2 ; - if (num != (unsigned int) png_ptr->num_palette || - num > (unsigned int) PNG_MAX_PALETTE_LENGTH) + if (length != num * 2 || + num != (unsigned int)png_ptr->num_palette || + num > (unsigned int)PNG_MAX_PALETTE_LENGTH) { png_crc_finish(png_ptr, length); png_chunk_benign_error(png_ptr, "invalid"); @@ -4649,14 +4650,13 @@ defined(PNG_USER_TRANSFORM_PTR_SUPPORTED) */ { png_bytep temp = png_ptr->big_row_buf + 32; - int extra = (int)((temp - (png_bytep)0) & 0x0f); + size_t extra = (size_t)temp & 0x0f; png_ptr->row_buf = temp - extra - 1/*filter byte*/; temp = png_ptr->big_prev_row + 32; - extra = (int)((temp - (png_bytep)0) & 0x0f); + extra = (size_t)temp & 0x0f; png_ptr->prev_row = temp - extra - 1/*filter byte*/; } - #else /* Use 31 bytes of padding before and 17 bytes after row_buf. */ png_ptr->row_buf = png_ptr->big_row_buf + 31; diff --git a/jdk/src/share/native/sun/awt/libpng/pngset.c b/jdk/src/share/native/sun/awt/libpng/pngset.c index 1b075795b6..ea7decaa06 100644 --- a/jdk/src/share/native/sun/awt/libpng/pngset.c +++ b/jdk/src/share/native/sun/awt/libpng/pngset.c @@ -29,7 +29,7 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * Copyright (c) 2018 Cosmin Truta + * Copyright (c) 2018-2022 Cosmin Truta * Copyright (c) 1998-2018 Glenn Randers-Pehrson * Copyright (c) 1996-1997 Andreas Dilger * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. @@ -1047,6 +1047,9 @@ png_set_tRNS(png_structrp png_ptr, png_inforp info_ptr, info_ptr->trans_alpha = png_voidcast(png_bytep, png_malloc(png_ptr, PNG_MAX_PALETTE_LENGTH)); memcpy(info_ptr->trans_alpha, trans_alpha, (size_t)num_trans); + + info_ptr->valid |= PNG_INFO_tRNS; + info_ptr->free_me |= PNG_FREE_TRNS; } png_ptr->trans_alpha = info_ptr->trans_alpha; } @@ -1354,7 +1357,7 @@ png_set_unknown_chunk_location(png_const_structrp png_ptr, png_inforp info_ptr, #ifdef PNG_MNG_FEATURES_SUPPORTED png_uint_32 PNGAPI -png_permit_mng_features (png_structrp png_ptr, png_uint_32 mng_features) +png_permit_mng_features(png_structrp png_ptr, png_uint_32 mng_features) { png_debug(1, "in png_permit_mng_features"); @@ -1661,7 +1664,7 @@ png_set_invalid(png_const_structrp png_ptr, png_inforp info_ptr, int mask) #ifdef PNG_SET_USER_LIMITS_SUPPORTED /* This function was added to libpng 1.2.6 */ void PNGAPI -png_set_user_limits (png_structrp png_ptr, png_uint_32 user_width_max, +png_set_user_limits(png_structrp png_ptr, png_uint_32 user_width_max, png_uint_32 user_height_max) { /* Images with dimensions larger than these limits will be @@ -1677,7 +1680,7 @@ png_set_user_limits (png_structrp png_ptr, png_uint_32 user_width_max, /* This function was added to libpng 1.4.0 */ void PNGAPI -png_set_chunk_cache_max (png_structrp png_ptr, png_uint_32 user_chunk_cache_max) +png_set_chunk_cache_max(png_structrp png_ptr, png_uint_32 user_chunk_cache_max) { if (png_ptr != NULL) png_ptr->user_chunk_cache_max = user_chunk_cache_max; @@ -1685,7 +1688,7 @@ png_set_chunk_cache_max (png_structrp png_ptr, png_uint_32 user_chunk_cache_max) /* This function was added to libpng 1.4.1 */ void PNGAPI -png_set_chunk_malloc_max (png_structrp png_ptr, +png_set_chunk_malloc_max(png_structrp png_ptr, png_alloc_size_t user_chunk_malloc_max) { if (png_ptr != NULL) diff --git a/jdk/src/share/native/sun/awt/libpng/pngstruct.h b/jdk/src/share/native/sun/awt/libpng/pngstruct.h index 1f53e0534a..f153bdec60 100644 --- a/jdk/src/share/native/sun/awt/libpng/pngstruct.h +++ b/jdk/src/share/native/sun/awt/libpng/pngstruct.h @@ -29,7 +29,7 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * Copyright (c) 2018-2019 Cosmin Truta + * Copyright (c) 2018-2022 Cosmin Truta * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson * Copyright (c) 1996-1997 Andreas Dilger * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. @@ -362,18 +362,8 @@ struct png_struct_def size_t current_buffer_size; /* amount of data now in current_buffer */ int process_mode; /* what push library is currently doing */ int cur_palette; /* current push library palette index */ - #endif /* PROGRESSIVE_READ */ -#if defined(__TURBOC__) && !defined(_Windows) && !defined(__FLAT__) -/* For the Borland special 64K segment handler */ - png_bytepp offset_table_ptr; - png_bytep offset_table; - png_uint_16 offset_table_number; - png_uint_16 offset_table_count; - png_uint_16 offset_table_count_free; -#endif - #ifdef PNG_READ_QUANTIZE_SUPPORTED png_bytep palette_lookup; /* lookup table for quantizing */ png_bytep quantize_index; /* index translation for palette files */ diff --git a/langtools/THIRD_PARTY_README b/langtools/THIRD_PARTY_README index d19de8ae6c..ae4f4d796b 100644 --- a/langtools/THIRD_PARTY_README +++ b/langtools/THIRD_PARTY_README @@ -1472,7 +1472,7 @@ included with JDK 8 and OpenJDK 8 source distributions. ------------------------------------------------------------------------------- -%% This notice is provided with respect to libpng 1.6.37, which may be +%% This notice is provided with respect to libpng 1.6.38, which may be included with JRE 8, JDK 8, and OpenJDK 8. --- begin of LICENSE --- @@ -1483,11 +1483,11 @@ COPYRIGHT NOTICE, DISCLAIMER, and LICENSE PNG Reference Library License version 2 --------------------------------------- - * Copyright (c) 1995-2019 The PNG Reference Library Authors. - * Copyright (c) 2018-2019 Cosmin Truta. - * Copyright (c) 2000-2002, 2004, 2006-2018 Glenn Randers-Pehrson. - * Copyright (c) 1996-1997 Andreas Dilger. - * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. +Copyright (c) 1995-2022 The PNG Reference Library Authors. +Copyright (c) 2018-2022 Cosmin Truta +Copyright (c) 1998-2018 Glenn Randers-Pehrson +Copyright (c) 1996-1997 Andreas Dilger +Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. The software is supplied "as is", without warranty of any kind, express or implied, including, without limitation, the warranties @@ -1614,10 +1614,10 @@ be appreciated. TRADEMARK: -The name "libpng" has not been registered by the Copyright owner +The name "libpng" has not been registered by the Copyright owners as a trademark in any jurisdiction. However, because libpng has been distributed and maintained world-wide, continually since 1995, -the Copyright owner claims "common-law trademark protection" in any +the Copyright owners claim "common-law trademark protection" in any jurisdiction where common-law trademark is recognized. OSI CERTIFICATION: @@ -1639,6 +1639,58 @@ Glenn Randers-Pehrson glennrp at users.sourceforge.net July 15, 2018 +AUTHORS File Information: + +PNG REFERENCE LIBRARY AUTHORS +============================= + +This is the list of PNG Reference Library ("libpng") Contributing +Authors, for copyright and licensing purposes. + + * Andreas Dilger + * Cosmin Truta + * Dave Martindale + * Eric S. Raymond + * Gilles Vollant + * Glenn Randers-Pehrson + * Greg Roelofs + * Guy Eric Schalnat + * James Yu + * John Bowler + * Kevin Bracey + * Magnus Holmgren + * Mandar Sahastrabuddhe + * Mans Rullgard + * Matt Sarett + * Mike Klein + * Pascal Massimino + * Paul Schmidt + * Qiang Zhou + * Sam Bushell + * Samuel Williams + * Simon-Pierre Cadieux + * Tim Wegner + * Tom Lane + * Tom Tanner + * Vadim Barkov + * Willem van Schaik + * Zhijie Liang + * Arm Holdings + - Richard Townsend + * Google Inc. + - Matt Sarett + - Mike Klein + - Dan Field + - Sami Boukortt + +The build projects, the build scripts, the test scripts, and other +files in the "ci", "projects", "scripts" and "tests" directories, have +other copyright owners, but are released under the libpng license. + +Some files in the "contrib" directory, and some tools-generated files +that are distributed with libpng, have other copyright owners, and are +released under other open source licenses. + --- end of LICENSE --- ------------------------------------------------------------------------------- diff --git a/nashorn/THIRD_PARTY_README b/nashorn/THIRD_PARTY_README index d19de8ae6c..ae4f4d796b 100644 --- a/nashorn/THIRD_PARTY_README +++ b/nashorn/THIRD_PARTY_README @@ -1472,7 +1472,7 @@ included with JDK 8 and OpenJDK 8 source distributions. ------------------------------------------------------------------------------- -%% This notice is provided with respect to libpng 1.6.37, which may be +%% This notice is provided with respect to libpng 1.6.38, which may be included with JRE 8, JDK 8, and OpenJDK 8. --- begin of LICENSE --- @@ -1483,11 +1483,11 @@ COPYRIGHT NOTICE, DISCLAIMER, and LICENSE PNG Reference Library License version 2 --------------------------------------- - * Copyright (c) 1995-2019 The PNG Reference Library Authors. - * Copyright (c) 2018-2019 Cosmin Truta. - * Copyright (c) 2000-2002, 2004, 2006-2018 Glenn Randers-Pehrson. - * Copyright (c) 1996-1997 Andreas Dilger. - * Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. +Copyright (c) 1995-2022 The PNG Reference Library Authors. +Copyright (c) 2018-2022 Cosmin Truta +Copyright (c) 1998-2018 Glenn Randers-Pehrson +Copyright (c) 1996-1997 Andreas Dilger +Copyright (c) 1995-1996 Guy Eric Schalnat, Group 42, Inc. The software is supplied "as is", without warranty of any kind, express or implied, including, without limitation, the warranties @@ -1614,10 +1614,10 @@ be appreciated. TRADEMARK: -The name "libpng" has not been registered by the Copyright owner +The name "libpng" has not been registered by the Copyright owners as a trademark in any jurisdiction. However, because libpng has been distributed and maintained world-wide, continually since 1995, -the Copyright owner claims "common-law trademark protection" in any +the Copyright owners claim "common-law trademark protection" in any jurisdiction where common-law trademark is recognized. OSI CERTIFICATION: @@ -1639,6 +1639,58 @@ Glenn Randers-Pehrson glennrp at users.sourceforge.net July 15, 2018 +AUTHORS File Information: + +PNG REFERENCE LIBRARY AUTHORS +============================= + +This is the list of PNG Reference Library ("libpng") Contributing +Authors, for copyright and licensing purposes. + + * Andreas Dilger + * Cosmin Truta + * Dave Martindale + * Eric S. Raymond + * Gilles Vollant + * Glenn Randers-Pehrson + * Greg Roelofs + * Guy Eric Schalnat + * James Yu + * John Bowler + * Kevin Bracey + * Magnus Holmgren + * Mandar Sahastrabuddhe + * Mans Rullgard + * Matt Sarett + * Mike Klein + * Pascal Massimino + * Paul Schmidt + * Qiang Zhou + * Sam Bushell + * Samuel Williams + * Simon-Pierre Cadieux + * Tim Wegner + * Tom Lane + * Tom Tanner + * Vadim Barkov + * Willem van Schaik + * Zhijie Liang + * Arm Holdings + - Richard Townsend + * Google Inc. + - Matt Sarett + - Mike Klein + - Dan Field + - Sami Boukortt + +The build projects, the build scripts, the test scripts, and other +files in the "ci", "projects", "scripts" and "tests" directories, have +other copyright owners, but are released under the libpng license. + +Some files in the "contrib" directory, and some tools-generated files +that are distributed with libpng, have other copyright owners, and are +released under other open source licenses. + --- end of LICENSE --- ------------------------------------------------------------------------------- From dc7013e0d9853cfe99307eb8d2fc4e5f76e14b4a Mon Sep 17 00:00:00 2001 From: Alexei Voitylov Date: Fri, 1 Sep 2023 21:51:00 +0000 Subject: [PATCH 06/13] 8297856: Improve handling of Bidi characters Reviewed-by: mbalao, andrew Backport-of: 244b89fc786894cb8cca742f91875ebb98b603ff --- jdk/src/share/classes/sun/text/bidi/BidiBase.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/jdk/src/share/classes/sun/text/bidi/BidiBase.java b/jdk/src/share/classes/sun/text/bidi/BidiBase.java index f13155d06d..6485bea94e 100644 --- a/jdk/src/share/classes/sun/text/bidi/BidiBase.java +++ b/jdk/src/share/classes/sun/text/bidi/BidiBase.java @@ -3391,7 +3391,7 @@ public class BidiBase { levelStart + " is out of range 0 to " + (objects.length-1)); } - if (0 > count || objects.length < (objectStart+count)) { + if (0 > count || objects.length - count < objectStart) { throw new IllegalArgumentException("Value count " + levelStart + " is out of range 0 to " + (objects.length - objectStart)); From 6930f190778e62c88ee0d7d382f61515031563e4 Mon Sep 17 00:00:00 2001 From: Dmitry Cherepanov Date: Thu, 14 Sep 2023 12:54:18 +0400 Subject: [PATCH 07/13] 8303384: Improved communication in CORBA Reviewed-by: mbalao, andrew --- .../corba/se/impl/orbutil/IORCheckImpl.java | 109 ++++++++++++++++++ .../corba/se/impl/orbutil/ORBConstants.java | 6 + .../corba/se/idl/toJavaPortable/Stub.java | 8 +- 3 files changed, 118 insertions(+), 5 deletions(-) create mode 100644 corba/src/share/classes/com/sun/corba/se/impl/orbutil/IORCheckImpl.java diff --git a/corba/src/share/classes/com/sun/corba/se/impl/orbutil/IORCheckImpl.java b/corba/src/share/classes/com/sun/corba/se/impl/orbutil/IORCheckImpl.java new file mode 100644 index 0000000000..9f44957e86 --- /dev/null +++ b/corba/src/share/classes/com/sun/corba/se/impl/orbutil/IORCheckImpl.java @@ -0,0 +1,109 @@ +/* + * Copyright (c) 2023, Azul Systems, Inc. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. Oracle designates this + * particular file as subject to the "Classpath" exception as provided + * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ +package com.sun.corba.se.impl.orbutil; + +import java.io.InvalidObjectException; +import java.security.AccessController; +import java.util.*; + +import sun.security.action.GetPropertyAction; + +public final class IORCheckImpl { + + private static final Set stubsToCheck; + + static { + boolean checkLocalStubs = + !getBooleanProperty(ORBConstants.DISABLE_IOR_CHECK_FOR_LOCAL_STUBS, + getBooleanProperty(ORBConstants.ALLOW_DESERIALIZE_OBJECT, false)); + + boolean checkRemoteStubs = + getBooleanProperty(ORBConstants.ENABLE_IOR_CHECK_FOR_REMOTE_STUBS, false); + + stubsToCheck = getStubsToCheck(checkLocalStubs, checkRemoteStubs); + } + + private static Set getStubsToCheck(boolean checkLocalStubs, boolean checkRemoteStubs) { + if (!checkLocalStubs && !checkRemoteStubs) { + return Collections.emptySet(); + } + List stubs = new ArrayList<>(); + if (checkLocalStubs) { + stubs.addAll(getLocalStubs()); + } + if (checkRemoteStubs) { + stubs.addAll(getRemoteStubs()); + } + return Collections.unmodifiableSet(new HashSet<>(stubs)); + } + + private static List getLocalStubs() { + String[] localStubs = { + "org.omg.DynamicAny._DynAnyFactoryStub", + "org.omg.DynamicAny._DynAnyStub", + "org.omg.DynamicAny._DynArrayStub", + "org.omg.DynamicAny._DynEnumStub", + "org.omg.DynamicAny._DynFixedStub", + "org.omg.DynamicAny._DynSequenceStub", + "org.omg.DynamicAny._DynStructStub", + "org.omg.DynamicAny._DynUnionStub", + "org.omg.DynamicAny._DynValueStub" + }; + return Arrays.asList(localStubs); + } + + private static List getRemoteStubs() { + String[] remoteStubs = { + "com.sun.corba.se.spi.activation._ActivatorStub", + "com.sun.corba.se.spi.activation._InitialNameServiceStub", + "com.sun.corba.se.spi.activation._LocatorStub", + "com.sun.corba.se.spi.activation._RepositoryStub", + "com.sun.corba.se.spi.activation._ServerManagerStub", + "com.sun.corba.se.spi.activation._ServerStub", + "org.omg.CosNaming._BindingIteratorStub", + "org.omg.CosNaming._NamingContextExtStub", + "org.omg.CosNaming._NamingContextStub", + "org.omg.PortableServer._ServantActivatorStub", + "org.omg.PortableServer._ServantLocatorStub" + }; + return Arrays.asList(remoteStubs); + } + + /* + * The str parameter is expected to start with "IOR:". + * Otherwise, the method throws the InvalidObjectException exception. + */ + public static void check(String str, String stubClassName) throws InvalidObjectException { + if (stubsToCheck.contains(stubClassName) && !str.startsWith(ORBConstants.STRINGIFY_PREFIX)) { + throw new InvalidObjectException("IOR: expected"); + } + } + + private static boolean getBooleanProperty(String property, boolean defaultValue) { + String value = AccessController.doPrivileged( + new GetPropertyAction(property, String.valueOf(defaultValue))); + return "true".equalsIgnoreCase(value); + } +} diff --git a/corba/src/share/classes/com/sun/corba/se/impl/orbutil/ORBConstants.java b/corba/src/share/classes/com/sun/corba/se/impl/orbutil/ORBConstants.java index a621d88aa4..9779e5c997 100644 --- a/corba/src/share/classes/com/sun/corba/se/impl/orbutil/ORBConstants.java +++ b/corba/src/share/classes/com/sun/corba/se/impl/orbutil/ORBConstants.java @@ -317,8 +317,14 @@ public class ORBConstants { public static final String DYNAMIC_STUB_FACTORY_FACTORY_CLASS = SUN_PREFIX + "ORBDynamicStubFactoryFactoryClass" ; + // This property is provided for backward compatibility reasons public static final String ALLOW_DESERIALIZE_OBJECT = SUN_PREFIX + "ORBAllowDeserializeObject" ; + // Disables the IOR check for the ORB constrained stubs + public static final String DISABLE_IOR_CHECK_FOR_LOCAL_STUBS = ORG_OMG_PREFIX + "DynamicAny.disableIORCheck" ; + // Enables the IOR check for the Remote CORBA services stubs + public static final String ENABLE_IOR_CHECK_FOR_REMOTE_STUBS = ORG_OMG_CORBA_PREFIX + "IDL.Stubs.enableIORCheck"; + // Constants for NameService properties ************************************ public static final int DEFAULT_INITIAL_PORT = 900; diff --git a/corba/src/share/classes/com/sun/tools/corba/se/idl/toJavaPortable/Stub.java b/corba/src/share/classes/com/sun/tools/corba/se/idl/toJavaPortable/Stub.java index 89c809672e..62d4261911 100644 --- a/corba/src/share/classes/com/sun/tools/corba/se/idl/toJavaPortable/Stub.java +++ b/corba/src/share/classes/com/sun/tools/corba/se/idl/toJavaPortable/Stub.java @@ -101,6 +101,7 @@ public class Stub implements AuxGen Util.mkdir (pkg); name = pkg + '/' + name; } + stubClassName = name.replace('/', '.'); stream = Util.getStream (name.replace ('/', File.separatorChar) + ".java", i); } // openStream @@ -342,11 +343,7 @@ public class Stub implements AuxGen stream.println (" private void readObject (java.io.ObjectInputStream s) throws java.io.IOException"); stream.println (" {"); stream.println (" String str = s.readUTF ();"); - if ("DynAnyFactory".equals (i.name ())) { - stream.println (" if (!str.startsWith(com.sun.corba.se.impl.orbutil.ORBConstants.STRINGIFY_PREFIX) &&"); - stream.println (" !Boolean.getBoolean(com.sun.corba.se.impl.orbutil.ORBConstants.ALLOW_DESERIALIZE_OBJECT))"); - stream.println (" throw new java.io.InvalidObjectException(\"IOR: expected\");"); - } + stream.println (" com.sun.corba.se.impl.orbutil.IORCheckImpl.check(str, \"" + stubClassName + "\");"); stream.println (" String[] args = null;"); stream.println (" java.util.Properties props = null;"); stream.println (" org.omg.CORBA.ORB orb = org.omg.CORBA.ORB.init (args, props);"); @@ -382,4 +379,5 @@ public class Stub implements AuxGen protected String classSuffix = ""; protected boolean localStub = false; private boolean isAbstract = false; + private String stubClassName = null; } // class Stub From 9b6da14435a1c39d9a64b872357467bc54cd1df2 Mon Sep 17 00:00:00 2001 From: Martin Balao Date: Tue, 26 Sep 2023 00:01:11 +0000 Subject: [PATCH 08/13] 8305815: Update Libpng to 1.6.39 Reviewed-by: phh, andrew Backport-of: c1f759e9d01d646eac69442452151b0467eab306 --- THIRD_PARTY_README | 5 +- corba/THIRD_PARTY_README | 5 +- hotspot/THIRD_PARTY_README | 5 +- jaxp/THIRD_PARTY_README | 5 +- jaxws/THIRD_PARTY_README | 5 +- jdk/THIRD_PARTY_README | 5 +- jdk/src/share/native/sun/awt/libpng/CHANGES | 12 ++ jdk/src/share/native/sun/awt/libpng/LICENSE | 2 +- jdk/src/share/native/sun/awt/libpng/README | 137 +++++++++--------- jdk/src/share/native/sun/awt/libpng/png.c | 6 +- jdk/src/share/native/sun/awt/libpng/png.h | 16 +- jdk/src/share/native/sun/awt/libpng/pngconf.h | 2 +- .../share/native/sun/awt/libpng/pnglibconf.h | 2 +- jdk/src/share/native/sun/awt/libpng/pngpriv.h | 2 +- .../share/native/sun/awt/libpng/pngrutil.c | 2 +- langtools/THIRD_PARTY_README | 5 +- nashorn/THIRD_PARTY_README | 5 +- 17 files changed, 121 insertions(+), 100 deletions(-) diff --git a/THIRD_PARTY_README b/THIRD_PARTY_README index f71e8f9b49..99a20eb52d 100644 --- a/THIRD_PARTY_README +++ b/THIRD_PARTY_README @@ -1472,7 +1472,7 @@ included with JDK 8 and OpenJDK 8 source distributions. ------------------------------------------------------------------------------- -%% This notice is provided with respect to libpng 1.6.38, which may be +%% This notice is provided with respect to libpng 1.6.39, which may be included with JRE 8, JDK 8, and OpenJDK 8. --- begin of LICENSE --- @@ -1678,9 +1678,10 @@ Authors, for copyright and licensing purposes. * Arm Holdings - Richard Townsend * Google Inc. + - Dan Field + - Leon Scroggins III - Matt Sarett - Mike Klein - - Dan Field - Sami Boukortt The build projects, the build scripts, the test scripts, and other diff --git a/corba/THIRD_PARTY_README b/corba/THIRD_PARTY_README index ae4f4d796b..f26a5f3ec5 100644 --- a/corba/THIRD_PARTY_README +++ b/corba/THIRD_PARTY_README @@ -1472,7 +1472,7 @@ included with JDK 8 and OpenJDK 8 source distributions. ------------------------------------------------------------------------------- -%% This notice is provided with respect to libpng 1.6.38, which may be +%% This notice is provided with respect to libpng 1.6.39, which may be included with JRE 8, JDK 8, and OpenJDK 8. --- begin of LICENSE --- @@ -1678,9 +1678,10 @@ Authors, for copyright and licensing purposes. * Arm Holdings - Richard Townsend * Google Inc. + - Dan Field + - Leon Scroggins III - Matt Sarett - Mike Klein - - Dan Field - Sami Boukortt The build projects, the build scripts, the test scripts, and other diff --git a/hotspot/THIRD_PARTY_README b/hotspot/THIRD_PARTY_README index ae4f4d796b..f26a5f3ec5 100644 --- a/hotspot/THIRD_PARTY_README +++ b/hotspot/THIRD_PARTY_README @@ -1472,7 +1472,7 @@ included with JDK 8 and OpenJDK 8 source distributions. ------------------------------------------------------------------------------- -%% This notice is provided with respect to libpng 1.6.38, which may be +%% This notice is provided with respect to libpng 1.6.39, which may be included with JRE 8, JDK 8, and OpenJDK 8. --- begin of LICENSE --- @@ -1678,9 +1678,10 @@ Authors, for copyright and licensing purposes. * Arm Holdings - Richard Townsend * Google Inc. + - Dan Field + - Leon Scroggins III - Matt Sarett - Mike Klein - - Dan Field - Sami Boukortt The build projects, the build scripts, the test scripts, and other diff --git a/jaxp/THIRD_PARTY_README b/jaxp/THIRD_PARTY_README index ae4f4d796b..f26a5f3ec5 100644 --- a/jaxp/THIRD_PARTY_README +++ b/jaxp/THIRD_PARTY_README @@ -1472,7 +1472,7 @@ included with JDK 8 and OpenJDK 8 source distributions. ------------------------------------------------------------------------------- -%% This notice is provided with respect to libpng 1.6.38, which may be +%% This notice is provided with respect to libpng 1.6.39, which may be included with JRE 8, JDK 8, and OpenJDK 8. --- begin of LICENSE --- @@ -1678,9 +1678,10 @@ Authors, for copyright and licensing purposes. * Arm Holdings - Richard Townsend * Google Inc. + - Dan Field + - Leon Scroggins III - Matt Sarett - Mike Klein - - Dan Field - Sami Boukortt The build projects, the build scripts, the test scripts, and other diff --git a/jaxws/THIRD_PARTY_README b/jaxws/THIRD_PARTY_README index ae4f4d796b..f26a5f3ec5 100644 --- a/jaxws/THIRD_PARTY_README +++ b/jaxws/THIRD_PARTY_README @@ -1472,7 +1472,7 @@ included with JDK 8 and OpenJDK 8 source distributions. ------------------------------------------------------------------------------- -%% This notice is provided with respect to libpng 1.6.38, which may be +%% This notice is provided with respect to libpng 1.6.39, which may be included with JRE 8, JDK 8, and OpenJDK 8. --- begin of LICENSE --- @@ -1678,9 +1678,10 @@ Authors, for copyright and licensing purposes. * Arm Holdings - Richard Townsend * Google Inc. + - Dan Field + - Leon Scroggins III - Matt Sarett - Mike Klein - - Dan Field - Sami Boukortt The build projects, the build scripts, the test scripts, and other diff --git a/jdk/THIRD_PARTY_README b/jdk/THIRD_PARTY_README index ae4f4d796b..f26a5f3ec5 100644 --- a/jdk/THIRD_PARTY_README +++ b/jdk/THIRD_PARTY_README @@ -1472,7 +1472,7 @@ included with JDK 8 and OpenJDK 8 source distributions. ------------------------------------------------------------------------------- -%% This notice is provided with respect to libpng 1.6.38, which may be +%% This notice is provided with respect to libpng 1.6.39, which may be included with JRE 8, JDK 8, and OpenJDK 8. --- begin of LICENSE --- @@ -1678,9 +1678,10 @@ Authors, for copyright and licensing purposes. * Arm Holdings - Richard Townsend * Google Inc. + - Dan Field + - Leon Scroggins III - Matt Sarett - Mike Klein - - Dan Field - Sami Boukortt The build projects, the build scripts, the test scripts, and other diff --git a/jdk/src/share/native/sun/awt/libpng/CHANGES b/jdk/src/share/native/sun/awt/libpng/CHANGES index 9a86869681..468e1119a1 100644 --- a/jdk/src/share/native/sun/awt/libpng/CHANGES +++ b/jdk/src/share/native/sun/awt/libpng/CHANGES @@ -6109,6 +6109,18 @@ Version 1.6.38 [September 14, 2022] Implemented many stability improvements across all platforms. Updated the internal documentation. +Version 1.6.39 [November 20, 2022] + Changed the error handler of oversized chunks (i.e. larger than + PNG_USER_CHUNK_MALLOC_MAX) from png_chunk_error to png_benign_error. + Fixed a buffer overflow error in contrib/tools/pngfix. + Fixed a memory leak (CVE-2019-6129) in contrib/tools/pngcp. + Disabled the ARM Neon optimizations by default in the CMake file, + following the default behavior of the configure script. + Allowed configure.ac to work with the trunk version of autoconf. + Removed the support for "install" targets from the legacy makefiles; + removed the obsolete makefile.cegcc. + Cleaned up the code and updated the internal documentation. + Send comments/corrections/commendations to png-mng-implement at lists.sf.net. Subscription is required; visit https://lists.sourceforge.net/lists/listinfo/png-mng-implement diff --git a/jdk/src/share/native/sun/awt/libpng/LICENSE b/jdk/src/share/native/sun/awt/libpng/LICENSE index c8ad24eecf..7ac90160ed 100644 --- a/jdk/src/share/native/sun/awt/libpng/LICENSE +++ b/jdk/src/share/native/sun/awt/libpng/LICENSE @@ -131,4 +131,4 @@ The Contributing Authors and Group 42, Inc. specifically permit, without fee, and encourage the use of this source code as a component to supporting the PNG file format in commercial products. If you use this source code in a product, acknowledgment is not required but would -be appreciated. +be appreciated. \ No newline at end of file diff --git a/jdk/src/share/native/sun/awt/libpng/README b/jdk/src/share/native/sun/awt/libpng/README index e6e72aa547..097a3c2184 100644 --- a/jdk/src/share/native/sun/awt/libpng/README +++ b/jdk/src/share/native/sun/awt/libpng/README @@ -1,4 +1,4 @@ -README for libpng version 1.6.38 +README for libpng version 1.6.39 ================================ See the note about version numbers near the top of png.h. @@ -106,73 +106,74 @@ subscribe). Files in this distribution: - ANNOUNCE => Announcement of this version, with recent changes - AUTHORS => List of contributing authors - CHANGES => Description of changes between libpng versions - KNOWNBUG => List of known bugs and deficiencies - LICENSE => License to use and redistribute libpng - README => This file - TODO => Things not implemented in the current library - TRADEMARK => Trademark information - example.c => Example code for using libpng functions - libpng.3 => manual page for libpng (includes libpng-manual.txt) - libpng-manual.txt => Description of libpng and its functions - libpngpf.3 => manual page for libpng's private functions - png.5 => manual page for the PNG format - png.c => Basic interface functions common to library - png.h => Library function and interface declarations (public) - pngpriv.h => Library function and interface declarations (private) - pngconf.h => System specific library configuration (public) - pngstruct.h => png_struct declaration (private) - pnginfo.h => png_info struct declaration (private) - pngdebug.h => debugging macros (private) - pngerror.c => Error/warning message I/O functions - pngget.c => Functions for retrieving info from struct - pngmem.c => Memory handling functions - pngbar.png => PNG logo, 88x31 - pngnow.png => PNG logo, 98x31 - pngpread.c => Progressive reading functions - pngread.c => Read data/helper high-level functions - pngrio.c => Lowest-level data read I/O functions - pngrtran.c => Read data transformation functions - pngrutil.c => Read data utility functions - pngset.c => Functions for storing data into the info_struct - pngtest.c => Library test program - pngtest.png => Library test sample image - pngtrans.c => Common data transformation functions - pngwio.c => Lowest-level write I/O functions - pngwrite.c => High-level write functions - pngwtran.c => Write data transformations - pngwutil.c => Write utility functions - arm => Contains optimized code for the ARM platform - powerpc => Contains optimized code for the PowerPC platform - contrib => Contributions - arm-neon => Optimized code for ARM-NEON platform - powerpc-vsx => Optimized code for POWERPC-VSX platform - examples => Example programs - gregbook => source code for PNG reading and writing, from - Greg Roelofs' "PNG: The Definitive Guide", - O'Reilly, 1999 - libtests => Test programs - mips-msa => Optimized code for MIPS-MSA platform - pngminim => Minimal decoder, encoder, and progressive decoder - programs demonstrating use of pngusr.dfa - pngminus => Simple pnm2png and png2pnm programs - pngsuite => Test images - testpngs - tools => Various tools - visupng => Contains a MSVC workspace for VisualPng - intel => Optimized code for INTEL-SSE2 platform - mips => Optimized code for MIPS platform - projects => Contains project files and workspaces for - building a DLL - owatcom => Contains a WATCOM project for building libpng - visualc71 => Contains a Microsoft Visual C++ (MSVC) - workspace for building libpng and zlib - vstudio => Contains a Microsoft Visual C++ (MSVC) - workspace for building libpng and zlib - scripts => Directory containing scripts for building libpng: - (see scripts/README.txt for the list of scripts) + ANNOUNCE => Announcement of this version, with recent changes + AUTHORS => List of contributing authors + CHANGES => Description of changes between libpng versions + INSTALL => Instructions to install libpng + LICENSE => License to use and redistribute libpng + README => This file + TODO => Things not implemented in the current library + TRADEMARK => Trademark information + example.c => Example code for using libpng functions + libpng.3 => Manual page for libpng (includes libpng-manual.txt) + libpng-manual.txt => Description of libpng and its functions + libpngpf.3 => Manual page for libpng's private functions (deprecated) + png.5 => Manual page for the PNG format + png.c => Basic interface functions common to library + png.h => Library function and interface declarations (public) + pngpriv.h => Library function and interface declarations (private) + pngconf.h => System specific library configuration (public) + pngstruct.h => png_struct declaration (private) + pnginfo.h => png_info struct declaration (private) + pngdebug.h => debugging macros (private) + pngerror.c => Error/warning message I/O functions + pngget.c => Functions for retrieving info from struct + pngmem.c => Memory handling functions + pngbar.png => PNG logo, 88x31 + pngnow.png => PNG logo, 98x31 + pngpread.c => Progressive reading functions + pngread.c => Read data/helper high-level functions + pngrio.c => Lowest-level data read I/O functions + pngrtran.c => Read data transformation functions + pngrutil.c => Read data utility functions + pngset.c => Functions for storing data into the info_struct + pngtest.c => Library test program + pngtest.png => Library test sample image + pngtrans.c => Common data transformation functions + pngwio.c => Lowest-level write I/O functions + pngwrite.c => High-level write functions + pngwtran.c => Write data transformations + pngwutil.c => Write utility functions + arm/ => Optimized code for the ARM platform + intel/ => Optimized code for the INTEL-SSE2 platform + mips/ => Optimized code for the MIPS platform + powerpc/ => Optimized code for the PowerPC platform + ci/ => Scripts for continuous integration + contrib/ => External contributions + arm-neon/ => Optimized code for the ARM-NEON platform + mips-msa/ => Optimized code for the MIPS-MSA platform + powerpc-vsx/ => Optimized code for the POWERPC-VSX platform + examples/ => Example programs + gregbook/ => Source code for PNG reading and writing, from + "PNG: The Definitive Guide" by Greg Roelofs, + O'Reilly, 1999 + libtests/ => Test programs + oss-fuzz/ => Files used by the OSS-Fuzz project for fuzz-testing + libpng + pngminim/ => Minimal decoder, encoder, and progressive decoder + programs demonstrating the use of pngusr.dfa + pngminus/ => Simple pnm2png and png2pnm programs + pngsuite/ => Test images + testpngs/ => Test images + tools/ => Various tools + visupng/ => VisualPng, a Windows viewer for PNG images + projects/ => Project files and workspaces for various IDEs + owatcom/ => OpenWatcom project + visualc71/ => Microsoft Visual C++ 7.1 workspace + vstudio/ => Microsoft Visual Studio workspace + scripts/ => Scripts and makefiles for building libpng + (see scripts/README.txt for the complete list) + tests/ => Test scripts Good luck, and happy coding! diff --git a/jdk/src/share/native/sun/awt/libpng/png.c b/jdk/src/share/native/sun/awt/libpng/png.c index ba608f128a..30181b6ff7 100644 --- a/jdk/src/share/native/sun/awt/libpng/png.c +++ b/jdk/src/share/native/sun/awt/libpng/png.c @@ -42,7 +42,7 @@ #include "pngpriv.h" /* Generate a compiler error if there is an old png.h in the search path. */ -typedef png_libpng_version_1_6_38 Your_png_h_is_not_version_1_6_38; +typedef png_libpng_version_1_6_39 Your_png_h_is_not_version_1_6_39; #ifdef __GNUC__ /* The version tests may need to be added to, but the problem warning has @@ -843,7 +843,7 @@ png_get_copyright(png_const_structrp png_ptr) return PNG_STRING_COPYRIGHT #else return PNG_STRING_NEWLINE \ - "libpng version 1.6.38" PNG_STRING_NEWLINE \ + "libpng version 1.6.39" PNG_STRING_NEWLINE \ "Copyright (c) 2018-2022 Cosmin Truta" PNG_STRING_NEWLINE \ "Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson" \ PNG_STRING_NEWLINE \ @@ -2738,7 +2738,7 @@ png_check_IHDR(png_const_structrp png_ptr, int /* PRIVATE */ png_check_fp_number(png_const_charp string, size_t size, int *statep, - png_size_tp whereami) + size_t *whereami) { int state = *statep; size_t i = *whereami; diff --git a/jdk/src/share/native/sun/awt/libpng/png.h b/jdk/src/share/native/sun/awt/libpng/png.h index aeff31573c..3d9fa03de6 100644 --- a/jdk/src/share/native/sun/awt/libpng/png.h +++ b/jdk/src/share/native/sun/awt/libpng/png.h @@ -29,7 +29,7 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * libpng version 1.6.38 - September 14, 2022 + * libpng version 1.6.39 - November 20, 2022 * * Copyright (c) 2018-2022 Cosmin Truta * Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson @@ -43,7 +43,7 @@ * libpng versions 0.89, June 1996, through 0.96, May 1997: Andreas Dilger * libpng versions 0.97, January 1998, through 1.6.35, July 2018: * Glenn Randers-Pehrson - * libpng versions 1.6.36, December 2018, through 1.6.38, September 2022: + * libpng versions 1.6.36, December 2018, through 1.6.39, November 2022: * Cosmin Truta * See also "Contributing Authors", below. */ @@ -267,7 +267,7 @@ * ... * 1.5.30 15 10530 15.so.15.30[.0] * ... - * 1.6.38 16 10638 16.so.16.38[.0] + * 1.6.39 16 10639 16.so.16.39[.0] * * Henceforth the source version will match the shared-library major and * minor numbers; the shared-library major version number will be used for @@ -306,8 +306,8 @@ */ /* Version information for png.h - this should match the version in png.c */ -#define PNG_LIBPNG_VER_STRING "1.6.38" -#define PNG_HEADER_VERSION_STRING " libpng version 1.6.38 - September 14, 2022\n" +#define PNG_LIBPNG_VER_STRING "1.6.39" +#define PNG_HEADER_VERSION_STRING " libpng version 1.6.39 - November 20, 2022\n" #define PNG_LIBPNG_VER_SONUM 16 #define PNG_LIBPNG_VER_DLLNUM 16 @@ -315,7 +315,7 @@ /* These should match the first 3 components of PNG_LIBPNG_VER_STRING: */ #define PNG_LIBPNG_VER_MAJOR 1 #define PNG_LIBPNG_VER_MINOR 6 -#define PNG_LIBPNG_VER_RELEASE 38 +#define PNG_LIBPNG_VER_RELEASE 39 /* This should be zero for a public release, or non-zero for a * development version. [Deprecated] @@ -346,7 +346,7 @@ * From version 1.0.1 it is: * XXYYZZ, where XX=major, YY=minor, ZZ=release */ -#define PNG_LIBPNG_VER 10638 /* 1.6.38 */ +#define PNG_LIBPNG_VER 10639 /* 1.6.39 */ /* Library configuration: these options cannot be changed after * the library has been built. @@ -456,7 +456,7 @@ extern "C" { /* This triggers a compiler error in png.c, if png.c and png.h * do not agree upon the version number. */ -typedef char* png_libpng_version_1_6_38; +typedef char* png_libpng_version_1_6_39; /* Basic control structions. Read libpng-manual.txt or libpng.3 for more info. * diff --git a/jdk/src/share/native/sun/awt/libpng/pngconf.h b/jdk/src/share/native/sun/awt/libpng/pngconf.h index e95fa34ad7..d11e9ac346 100644 --- a/jdk/src/share/native/sun/awt/libpng/pngconf.h +++ b/jdk/src/share/native/sun/awt/libpng/pngconf.h @@ -29,7 +29,7 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: * - * libpng version 1.6.38 + * libpng version 1.6.39 * * Copyright (c) 2018-2022 Cosmin Truta * Copyright (c) 1998-2002,2004,2006-2016,2018 Glenn Randers-Pehrson diff --git a/jdk/src/share/native/sun/awt/libpng/pnglibconf.h b/jdk/src/share/native/sun/awt/libpng/pnglibconf.h index b3dc39a45b..f6923c01e9 100644 --- a/jdk/src/share/native/sun/awt/libpng/pnglibconf.h +++ b/jdk/src/share/native/sun/awt/libpng/pnglibconf.h @@ -31,7 +31,7 @@ * However, the following notice accompanied the original version of this * file and, per its terms, should not be removed: */ -/* libpng version 1.6.38 */ +/* libpng version 1.6.39 */ /* Copyright (c) 2018-2022 Cosmin Truta */ /* Copyright (c) 1998-2002,2004,2006-2018 Glenn Randers-Pehrson */ diff --git a/jdk/src/share/native/sun/awt/libpng/pngpriv.h b/jdk/src/share/native/sun/awt/libpng/pngpriv.h index ed44512ef2..ec47329806 100644 --- a/jdk/src/share/native/sun/awt/libpng/pngpriv.h +++ b/jdk/src/share/native/sun/awt/libpng/pngpriv.h @@ -1974,7 +1974,7 @@ PNG_INTERNAL_FUNCTION(void,png_ascii_from_fixed,(png_const_structrp png_ptr, * the problem character.) This has not been tested within libpng. */ PNG_INTERNAL_FUNCTION(int,png_check_fp_number,(png_const_charp string, - size_t size, int *statep, png_size_tp whereami),PNG_EMPTY); + size_t size, int *statep, size_t *whereami),PNG_EMPTY); /* This is the same but it checks a complete string and returns true * only if it just contains a floating point number. As of 1.5.4 this diff --git a/jdk/src/share/native/sun/awt/libpng/pngrutil.c b/jdk/src/share/native/sun/awt/libpng/pngrutil.c index d41a6d09b2..524297c5a1 100644 --- a/jdk/src/share/native/sun/awt/libpng/pngrutil.c +++ b/jdk/src/share/native/sun/awt/libpng/pngrutil.c @@ -3214,7 +3214,7 @@ png_check_chunk_length(png_const_structrp png_ptr, png_uint_32 length) { png_debug2(0," length = %lu, limit = %lu", (unsigned long)length,(unsigned long)limit); - png_chunk_error(png_ptr, "chunk data is too large"); + png_benign_error(png_ptr, "chunk data is too large"); } } diff --git a/langtools/THIRD_PARTY_README b/langtools/THIRD_PARTY_README index ae4f4d796b..f26a5f3ec5 100644 --- a/langtools/THIRD_PARTY_README +++ b/langtools/THIRD_PARTY_README @@ -1472,7 +1472,7 @@ included with JDK 8 and OpenJDK 8 source distributions. ------------------------------------------------------------------------------- -%% This notice is provided with respect to libpng 1.6.38, which may be +%% This notice is provided with respect to libpng 1.6.39, which may be included with JRE 8, JDK 8, and OpenJDK 8. --- begin of LICENSE --- @@ -1678,9 +1678,10 @@ Authors, for copyright and licensing purposes. * Arm Holdings - Richard Townsend * Google Inc. + - Dan Field + - Leon Scroggins III - Matt Sarett - Mike Klein - - Dan Field - Sami Boukortt The build projects, the build scripts, the test scripts, and other diff --git a/nashorn/THIRD_PARTY_README b/nashorn/THIRD_PARTY_README index ae4f4d796b..f26a5f3ec5 100644 --- a/nashorn/THIRD_PARTY_README +++ b/nashorn/THIRD_PARTY_README @@ -1472,7 +1472,7 @@ included with JDK 8 and OpenJDK 8 source distributions. ------------------------------------------------------------------------------- -%% This notice is provided with respect to libpng 1.6.38, which may be +%% This notice is provided with respect to libpng 1.6.39, which may be included with JRE 8, JDK 8, and OpenJDK 8. --- begin of LICENSE --- @@ -1678,9 +1678,10 @@ Authors, for copyright and licensing purposes. * Arm Holdings - Richard Townsend * Google Inc. + - Dan Field + - Leon Scroggins III - Matt Sarett - Mike Klein - - Dan Field - Sami Boukortt The build projects, the build scripts, the test scripts, and other From 32ec85f1ee2c9d1cc5109d4c4678d2aadf6dbf09 Mon Sep 17 00:00:00 2001 From: Yuri Nesterenko Date: Wed, 6 Sep 2023 15:20:03 -0700 Subject: [PATCH 09/13] 8309966: Enhanced TLS connections Reviewed-by: mbalao, andrew Backport-of: d25ee81f56d67f2c51ba8b8c59f470c6f88ae47f --- .../security/cert/CertPathHelperImpl.java | 11 +- .../java/security/cert/X509CertSelector.java | 14 +- .../provider/certpath/CertPathHelper.java | 14 +- .../provider/certpath/ForwardBuilder.java | 65 ---------- .../provider/certpath/ForwardState.java | 50 -------- .../provider/certpath/SunCertPathBuilder.java | 121 +++++++++++++----- 6 files changed, 96 insertions(+), 179 deletions(-) diff --git a/jdk/src/share/classes/java/security/cert/CertPathHelperImpl.java b/jdk/src/share/classes/java/security/cert/CertPathHelperImpl.java index c56a5f1458..54cc8af3ac 100644 --- a/jdk/src/share/classes/java/security/cert/CertPathHelperImpl.java +++ b/jdk/src/share/classes/java/security/cert/CertPathHelperImpl.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,12 +25,10 @@ package java.security.cert; -import java.util.*; +import java.util.Date; import sun.security.provider.certpath.CertPathHelper; -import sun.security.x509.GeneralNameInterface; - /** * Helper class that allows the Sun CertPath provider to access * implementation dependent APIs in CertPath framework. @@ -55,11 +53,6 @@ class CertPathHelperImpl extends CertPathHelper { } } - protected void implSetPathToNames(X509CertSelector sel, - Set names) { - sel.setPathToNamesInternal(names); - } - protected void implSetDateAndTime(X509CRLSelector sel, Date date, long skew) { sel.setDateAndTime(date, skew); } diff --git a/jdk/src/share/classes/java/security/cert/X509CertSelector.java b/jdk/src/share/classes/java/security/cert/X509CertSelector.java index 905e45401e..74e4c5c2ac 100644 --- a/jdk/src/share/classes/java/security/cert/X509CertSelector.java +++ b/jdk/src/share/classes/java/security/cert/X509CertSelector.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -90,10 +90,6 @@ public class X509CertSelector implements CertSelector { private final static ObjectIdentifier ANY_EXTENDED_KEY_USAGE = ObjectIdentifier.newInternal(new int[] {2, 5, 29, 37, 0}); - static { - CertPathHelperImpl.initialize(); - } - private BigInteger serialNumber; private X500Principal issuer; private X500Principal subject; @@ -1177,14 +1173,6 @@ public class X509CertSelector implements CertSelector { } } - // called from CertPathHelper - void setPathToNamesInternal(Set names) { - // set names to non-null dummy value - // this breaks getPathToNames() - pathToNames = Collections.>emptySet(); - pathToGeneralNames = names; - } - /** * Adds a name to the pathToNames criterion. The {@code X509Certificate} * must not include name constraints that would prohibit building a diff --git a/jdk/src/share/classes/sun/security/provider/certpath/CertPathHelper.java b/jdk/src/share/classes/sun/security/provider/certpath/CertPathHelper.java index 7c02007422..ebc2200f0e 100644 --- a/jdk/src/share/classes/sun/security/provider/certpath/CertPathHelper.java +++ b/jdk/src/share/classes/sun/security/provider/certpath/CertPathHelper.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2002, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2002, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -26,14 +26,10 @@ package sun.security.provider.certpath; import java.util.Date; -import java.util.Set; import java.security.cert.TrustAnchor; -import java.security.cert.X509CertSelector; import java.security.cert.X509CRLSelector; -import sun.security.x509.GeneralNameInterface; - /** * Helper class that allows access to JDK specific known-public methods in the * java.security.cert package. It relies on a subclass in the @@ -55,18 +51,10 @@ public abstract class CertPathHelper { // empty } - protected abstract void implSetPathToNames(X509CertSelector sel, - Set names); - protected abstract void implSetDateAndTime(X509CRLSelector sel, Date date, long skew); protected abstract boolean implIsJdkCA(TrustAnchor anchor); - static void setPathToNames(X509CertSelector sel, - Set names) { - instance.implSetPathToNames(sel, names); - } - public static void setDateAndTime(X509CRLSelector sel, Date date, long skew) { instance.implSetDateAndTime(sel, date, skew); } diff --git a/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java b/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java index 2afb2f9a85..0035164734 100644 --- a/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java +++ b/jdk/src/share/classes/sun/security/provider/certpath/ForwardBuilder.java @@ -48,7 +48,6 @@ import sun.security.x509.AccessDescription; import sun.security.x509.AuthorityInfoAccessExtension; import sun.security.x509.AuthorityKeyIdentifierExtension; import static sun.security.x509.PKIXExtensions.*; -import sun.security.x509.SubjectAlternativeNameExtension; import sun.security.x509.X500Name; import sun.security.x509.X509CertImpl; @@ -258,14 +257,6 @@ class ForwardBuilder extends Builder { */ caSelector.setSubject(currentState.issuerDN); - /* - * Match on subjectNamesTraversed (both DNs and AltNames) - * (checks that current cert's name constraints permit it - * to certify all the DNs and AltNames that have been traversed) - */ - CertPathHelper.setPathToNames - (caSelector, currentState.subjectNamesTraversed); - /* * check the validity period */ @@ -704,19 +695,6 @@ class ForwardBuilder extends Builder { // Don't bother to verify untrusted certificate more. currState.untrustedChecker.check(cert, Collections.emptySet()); - /* - * Abort if we encounter the same certificate or a certificate with - * the same public key, subject DN, and subjectAltNames as a cert - * that is already in path. - */ - for (X509Certificate cpListCert : certPathList) { - if (repeated(cpListCert, cert)) { - throw new CertPathValidatorException( - "cert with repeated subject, public key, and " + - "subjectAltNames detected"); - } - } - /* check if trusted cert */ boolean isTrustedCert = trustedCerts.contains(cert); @@ -794,49 +772,6 @@ class ForwardBuilder extends Builder { } } - /** - * Return true if two certificates are equal or have the same subject, - * public key, and subject alternative names. - */ - private static boolean repeated( - X509Certificate currCert, X509Certificate nextCert) { - if (currCert.equals(nextCert)) { - return true; - } - return (currCert.getSubjectX500Principal().equals( - nextCert.getSubjectX500Principal()) && - currCert.getPublicKey().equals(nextCert.getPublicKey()) && - altNamesEqual(currCert, nextCert)); - } - - /** - * Return true if two certificates have the same subject alternative names. - */ - private static boolean altNamesEqual( - X509Certificate currCert, X509Certificate nextCert) { - X509CertImpl curr, next; - try { - curr = X509CertImpl.toImpl(currCert); - next = X509CertImpl.toImpl(nextCert); - } catch (CertificateException ce) { - return false; - } - - SubjectAlternativeNameExtension currAltNameExt = - curr.getSubjectAlternativeNameExtension(); - SubjectAlternativeNameExtension nextAltNameExt = - next.getSubjectAlternativeNameExtension(); - if (currAltNameExt != null) { - if (nextAltNameExt == null) { - return false; - } - return Arrays.equals(currAltNameExt.getExtensionValue(), - nextAltNameExt.getExtensionValue()); - } else { - return (nextAltNameExt == null); - } - } - /** * Verifies whether the input certificate completes the path. * First checks the cert against each trust anchor that was specified, diff --git a/jdk/src/share/classes/sun/security/provider/certpath/ForwardState.java b/jdk/src/share/classes/sun/security/provider/certpath/ForwardState.java index 9d7af9b169..9a5088babf 100644 --- a/jdk/src/share/classes/sun/security/provider/certpath/ForwardState.java +++ b/jdk/src/share/classes/sun/security/provider/certpath/ForwardState.java @@ -31,17 +31,11 @@ import java.security.cert.CertPathValidatorException; import java.security.cert.PKIXCertPathChecker; import java.security.cert.X509Certificate; import java.util.ArrayList; -import java.util.HashSet; import java.util.List; import java.util.ListIterator; import javax.security.auth.x500.X500Principal; import sun.security.util.Debug; -import sun.security.x509.SubjectAlternativeNameExtension; -import sun.security.x509.GeneralNames; -import sun.security.x509.GeneralName; -import sun.security.x509.GeneralNameInterface; -import sun.security.x509.X500Name; import sun.security.x509.X509CertImpl; /** @@ -61,9 +55,6 @@ class ForwardState implements State { /* The last cert in the path */ X509CertImpl cert; - /* The set of subjectDNs and subjectAltNames of all certs in the path */ - HashSet subjectNamesTraversed; - /* * The number of intermediate CA certs which have been traversed so * far in the path @@ -73,7 +64,6 @@ class ForwardState implements State { /* Flag indicating if state is initial (path is just starting) */ private boolean init = true; - /* the untrusted certificates checker */ UntrustedChecker untrustedChecker; @@ -104,8 +94,6 @@ class ForwardState implements State { sb.append("\n issuerDN of last cert: ").append(issuerDN); sb.append("\n traversedCACerts: ").append(traversedCACerts); sb.append("\n init: ").append(String.valueOf(init)); - sb.append("\n subjectNamesTraversed: \n").append - (subjectNamesTraversed); sb.append("\n selfIssued: ").append (String.valueOf(selfIssued)); sb.append("]\n"); @@ -120,7 +108,6 @@ class ForwardState implements State { public void initState(List certPathCheckers) throws CertPathValidatorException { - subjectNamesTraversed = new HashSet(); traversedCACerts = 0; /* @@ -170,32 +157,6 @@ class ForwardState implements State { } } - /* update subjectNamesTraversed only if this is the EE cert or if - this cert is not self-issued */ - if (init || !selfIssued) { - X500Principal subjName = cert.getSubjectX500Principal(); - subjectNamesTraversed.add(X500Name.asX500Name(subjName)); - - try { - SubjectAlternativeNameExtension subjAltNameExt - = icert.getSubjectAlternativeNameExtension(); - if (subjAltNameExt != null) { - GeneralNames gNames = subjAltNameExt.get( - SubjectAlternativeNameExtension.SUBJECT_NAME); - for (GeneralName gName : gNames.names()) { - subjectNamesTraversed.add(gName.getName()); - } - } - } catch (IOException e) { - if (debug != null) { - debug.println("ForwardState.updateState() unexpected " - + "exception"); - e.printStackTrace(); - } - throw new CertPathValidatorException(e); - } - } - init = false; } @@ -203,10 +164,6 @@ class ForwardState implements State { * Clone current state. The state is cloned as each cert is * added to the path. This is necessary if backtracking occurs, * and a prior state needs to be restored. - * - * Note that this is a SMART clone. Not all fields are fully copied, - * because some of them will - * not have their contents modified by subsequent calls to updateState. */ @Override @SuppressWarnings("unchecked") // Safe casts assuming clone() works correctly @@ -226,13 +183,6 @@ class ForwardState implements State { } } - /* - * Shallow copy traversed names. There is no need to - * deep copy contents, since the elements of the Set - * are never modified by subsequent calls to updateState(). - */ - clonedState.subjectNamesTraversed - = (HashSet)subjectNamesTraversed.clone(); return clonedState; } catch (CloneNotSupportedException e) { throw new InternalError(e.toString(), e); diff --git a/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java b/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java index fd4eb9543e..fd5a01a923 100644 --- a/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java +++ b/jdk/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java @@ -33,6 +33,7 @@ import java.security.cert.*; import java.security.cert.CertPathValidatorException.BasicReason; import java.security.cert.PKIXReason; import java.util.ArrayList; +import java.util.Arrays; import java.util.Collection; import java.util.Collections; import java.util.List; @@ -42,6 +43,7 @@ import javax.security.auth.x500.X500Principal; import sun.security.provider.certpath.PKIX.BuilderParams; import static sun.security.x509.PKIXExtensions.*; +import sun.security.x509.SubjectAlternativeNameExtension; import sun.security.x509.X509CertImpl; import sun.security.util.Debug; @@ -265,7 +267,7 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi { */ Collection certs = builder.getMatchingCerts(currentState, buildParams.certStores()); - List vertices = addVertices(certs, adjList); + List vertices = addVertices(certs, adjList, cpList); if (debug != null) { debug.println("SunCertPathBuilder.depthFirstSearchForward(): " + "certs.size=" + vertices.size()); @@ -325,33 +327,9 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi { * cert (which is signed by the trusted public key), but * don't add it yet to the cpList */ - if (builder.trustAnchor.getTrustedCert() == null) { - appendedCerts.add(0, cert); - } - - Set initExpPolSet = - Collections.singleton(PolicyChecker.ANY_POLICY); - - PolicyNodeImpl rootNode = new PolicyNodeImpl(null, - PolicyChecker.ANY_POLICY, null, false, initExpPolSet, false); - - List checkers = new ArrayList<>(); - PolicyChecker policyChecker - = new PolicyChecker(buildParams.initialPolicies(), - appendedCerts.size(), - buildParams.explicitPolicyRequired(), - buildParams.policyMappingInhibited(), - buildParams.anyPolicyInhibited(), - buildParams.policyQualifiersRejected(), - rootNode); - checkers.add(policyChecker); - - // add the algorithm checker - checkers.add(new AlgorithmChecker(builder.trustAnchor, - buildParams.timestamp(), buildParams.variant())); - PublicKey rootKey = cert.getPublicKey(); if (builder.trustAnchor.getTrustedCert() == null) { + appendedCerts.add(0, cert); rootKey = builder.trustAnchor.getCAPublicKey(); if (debug != null) debug.println( @@ -363,11 +341,35 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi { (cert.getSubjectX500Principal(), rootKey, null); // add the basic checker + List checkers = new ArrayList<>(); BasicChecker basicChecker = new BasicChecker(anchor, buildParams.date(), buildParams.sigProvider(), true); checkers.add(basicChecker); + Set initExpPolSet = + Collections.singleton(PolicyChecker.ANY_POLICY); + + PolicyNodeImpl rootNode = new PolicyNodeImpl(null, + PolicyChecker.ANY_POLICY, null, false, initExpPolSet, false); + + PolicyChecker policyChecker + = new PolicyChecker(buildParams.initialPolicies(), + appendedCerts.size(), + buildParams.explicitPolicyRequired(), + buildParams.policyMappingInhibited(), + buildParams.anyPolicyInhibited(), + buildParams.policyQualifiersRejected(), + rootNode); + checkers.add(policyChecker); + + // add the constraints checker + checkers.add(new ConstraintsChecker(appendedCerts.size())); + + // add the algorithm checker + checkers.add(new AlgorithmChecker(builder.trustAnchor, + buildParams.timestamp(), buildParams.variant())); + buildParams.setCertPath(cf.generateCertPath(appendedCerts)); @@ -563,18 +565,79 @@ public final class SunCertPathBuilder extends CertPathBuilderSpi { * adjacency list. */ private static List addVertices(Collection certs, - List> adjList) + List> adjList, + List cpList) { List l = adjList.get(adjList.size() - 1); for (X509Certificate cert : certs) { - Vertex v = new Vertex(cert); - l.add(v); + boolean repeated = false; + for (X509Certificate cpListCert : cpList) { + /* + * Ignore if we encounter the same certificate or a + * certificate with the same public key, subject DN, and + * subjectAltNames as a cert that is already in path. + */ + if (repeated(cpListCert, cert)) { + if (debug != null) { + debug.println("cert with repeated subject, " + + "public key, and subjectAltNames detected"); + } + repeated = true; + break; + } + } + if (!repeated) { + l.add(new Vertex(cert)); + } } return l; } + /** + * Return true if two certificates are equal or have the same subject, + * public key, and subject alternative names. + */ + private static boolean repeated( + X509Certificate currCert, X509Certificate nextCert) { + if (currCert.equals(nextCert)) { + return true; + } + return (currCert.getSubjectX500Principal().equals( + nextCert.getSubjectX500Principal()) && + currCert.getPublicKey().equals(nextCert.getPublicKey()) && + altNamesEqual(currCert, nextCert)); + } + + /** + * Return true if two certificates have the same subject alternative names. + */ + private static boolean altNamesEqual( + X509Certificate currCert, X509Certificate nextCert) { + X509CertImpl curr, next; + try { + curr = X509CertImpl.toImpl(currCert); + next = X509CertImpl.toImpl(nextCert); + } catch (CertificateException ce) { + return false; + } + + SubjectAlternativeNameExtension currAltNameExt = + curr.getSubjectAlternativeNameExtension(); + SubjectAlternativeNameExtension nextAltNameExt = + next.getSubjectAlternativeNameExtension(); + if (currAltNameExt != null) { + if (nextAltNameExt == null) { + return false; + } + return Arrays.equals(currAltNameExt.getExtensionValue(), + nextAltNameExt.getExtensionValue()); + } else { + return (nextAltNameExt == null); + } + } + /** * Returns true if trust anchor certificate matches specified * certificate constraints. From 33f3f1c76562c4a3073ce4d1fba60e93c7f56fac Mon Sep 17 00:00:00 2001 From: Yuri Nesterenko Date: Fri, 11 Aug 2023 14:30:49 +0300 Subject: [PATCH 10/13] 8284910: Buffer clean in PasswordCallback Reviewed-by: mbalao, andrew Backport-of: 89fd6d34f859d61d9cf5a1edf9419eee7c338390 --- .../auth/callback/PasswordCallback.java | 38 ++++++++++-- .../PasswordCallback/CheckCleanerBound.java | 61 +++++++++++++++++++ .../PasswordCallback/PasswordCleanup.java | 52 ++++++++++++++++ 3 files changed, 145 insertions(+), 6 deletions(-) create mode 100644 jdk/test/javax/security/auth/callback/PasswordCallback/CheckCleanerBound.java create mode 100644 jdk/test/javax/security/auth/callback/PasswordCallback/PasswordCleanup.java diff --git a/jdk/src/share/classes/javax/security/auth/callback/PasswordCallback.java b/jdk/src/share/classes/javax/security/auth/callback/PasswordCallback.java index 0e8fb7bd79..0578be39c4 100644 --- a/jdk/src/share/classes/javax/security/auth/callback/PasswordCallback.java +++ b/jdk/src/share/classes/javax/security/auth/callback/PasswordCallback.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2022, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package javax.security.auth.callback; +import java.util.Arrays; +import sun.misc.Cleaner; + /** *

Underlying security services instantiate and pass a * {@code PasswordCallback} to the {@code handle} @@ -40,18 +43,22 @@ public class PasswordCallback implements Callback, java.io.Serializable { * @serial * @since 1.4 */ - private String prompt; + private final String prompt; + /** * @serial * @since 1.4 */ - private boolean echoOn; + private final boolean echoOn; + /** * @serial * @since 1.4 */ private char[] inputPassword; + private transient Cleaner cleaner; + /** * Construct a {@code PasswordCallback} with a prompt * and a boolean specifying whether the password should be displayed @@ -112,7 +119,18 @@ public class PasswordCallback implements Callback, java.io.Serializable { * @see #getPassword */ public void setPassword(char[] password) { + // Cleanup the last buffered password copy. + if (cleaner != null) { + cleaner.clean(); + cleaner = null; + } + + // Set the retrieved password. this.inputPassword = (password == null ? null : password.clone()); + + if (this.inputPassword != null) { + cleaner = Cleaner.create(this, cleanerFor(inputPassword)); + } } /** @@ -134,9 +152,17 @@ public class PasswordCallback implements Callback, java.io.Serializable { * Clear the retrieved password. */ public void clearPassword() { - if (inputPassword != null) { - for (int i = 0; i < inputPassword.length; i++) - inputPassword[i] = ' '; + // Cleanup the last retrieved password copy. + if (cleaner != null) { + cleaner.clean(); + cleaner = null; } } + + private static Runnable cleanerFor(char[] password) { + return () -> { + Arrays.fill(password, ' '); + }; + } + } diff --git a/jdk/test/javax/security/auth/callback/PasswordCallback/CheckCleanerBound.java b/jdk/test/javax/security/auth/callback/PasswordCallback/CheckCleanerBound.java new file mode 100644 index 0000000000..cc995893f6 --- /dev/null +++ b/jdk/test/javax/security/auth/callback/PasswordCallback/CheckCleanerBound.java @@ -0,0 +1,61 @@ +/* + * Copyright (C) 2022 THL A29 Limited, a Tencent company. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8284910 + * @summary Check that the cleaner is not bound to the PasswordCallback object + */ + +import javax.security.auth.callback.PasswordCallback; +import java.util.WeakHashMap; + +public final class CheckCleanerBound { + private final static WeakHashMap weakHashMap = + new WeakHashMap<>(); + + public static void main(String[] args) throws Exception { + // Create an object + PasswordCallback passwordCallback = + new PasswordCallback("Password: ", false); + passwordCallback.setPassword("ThisIsAPassword".toCharArray()); + + weakHashMap.put(passwordCallback, null); + passwordCallback = null; + + // Check if the PasswordCallback object could be collected. + // Wait to trigger the cleanup. + for (int i = 0; i < 10 && weakHashMap.size() != 0; i++) { + System.gc(); + } + + // Check if the object has been collected. The collection will not + // happen if the cleaner implementation in PasswordCallback is bound + // to the PasswordCallback object. + if (weakHashMap.size() > 0) { + throw new RuntimeException( + "PasswordCallback object is not released"); + } + } +} + diff --git a/jdk/test/javax/security/auth/callback/PasswordCallback/PasswordCleanup.java b/jdk/test/javax/security/auth/callback/PasswordCallback/PasswordCleanup.java new file mode 100644 index 0000000000..ea8b1d1c14 --- /dev/null +++ b/jdk/test/javax/security/auth/callback/PasswordCallback/PasswordCleanup.java @@ -0,0 +1,52 @@ +/* + * Copyright (C) 2022 THL A29 Limited, a Tencent company. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as + * published by the Free Software Foundation. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * version 2 for more details (a copy is included in the LICENSE file that + * accompanied this code). + * + * You should have received a copy of the GNU General Public License version + * 2 along with this work; if not, write to the Free Software Foundation, + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. + * + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA + * or visit www.oracle.com if you need additional information or have any + * questions. + */ + +/* + * @test + * @bug 8284910 + * @summary Check that PasswordCallback.clearPassword() clears the password + */ + +import javax.security.auth.callback.PasswordCallback; +import java.util.Arrays; + +public final class PasswordCleanup { + public static void main(String[] args) throws Exception { + // Create an object + PasswordCallback passwordCallback = + new PasswordCallback("Password: ", false); + passwordCallback.setPassword("ThisIsAPassword".toCharArray()); + char[] originPassword = passwordCallback.getPassword(); + + // Use password clear method. + passwordCallback.clearPassword(); + + // Check that the password is cleared. + char[] clearedPassword = passwordCallback.getPassword(); + if (Arrays.equals(originPassword, clearedPassword)) { + throw new RuntimeException( + "PasswordCallback.clearPassword() does not clear passwords"); + } + } +} + From dee2d2de8e939a09f5abebc478b919fdb289748e Mon Sep 17 00:00:00 2001 From: Yuri Nesterenko Date: Mon, 25 Sep 2023 11:19:17 +0300 Subject: [PATCH 11/13] 8286503: Enhance security classes Reviewed-by: mbalao, andrew Backport-of: 7f5e120a631ffda3e6d5efc03bae572b21877b69 --- .../com/sun/crypto/provider/DESKey.java | 23 ++++++-- .../com/sun/crypto/provider/DESedeKey.java | 24 ++++++-- .../com/sun/crypto/provider/DHPrivateKey.java | 33 +++++++++-- .../com/sun/crypto/provider/DHPublicKey.java | 33 +++++++++-- .../com/sun/crypto/provider/PBEKey.java | 34 ++++++++--- .../sun/crypto/provider/PBKDF2KeyImpl.java | 40 ++++++++++--- .../provider/TlsMasterSecretGenerator.java | 26 +++++++-- .../com/sun/security/auth/LdapPrincipal.java | 31 +++++++++- .../sun/security/auth/NTDomainPrincipal.java | 29 ++++++++-- .../classes/com/sun/security/auth/NTSid.java | 38 ++++++++++-- .../sun/security/auth/NTUserPrincipal.java | 30 ++++++++-- .../auth/UnixNumericGroupPrincipal.java | 31 ++++++++-- .../auth/UnixNumericUserPrincipal.java | 29 ++++++++-- .../com/sun/security/auth/UnixPrincipal.java | 29 ++++++++-- .../com/sun/security/auth/UserPrincipal.java | 20 ++++++- .../classes/java/security/CodeSigner.java | 15 +++-- .../javax/crypto/spec/SecretKeySpec.java | 26 ++++++++- .../auth/callback/ChoiceCallback.java | 51 ++++++++++++++--- .../auth/callback/ConfirmationCallback.java | 46 ++++++++++----- .../auth/callback/PasswordCallback.java | 26 ++++++++- .../sun/security/ec/ECPrivateKeyImpl.java | 19 +++++- .../sun/security/ec/ECPublicKeyImpl.java | 21 ++++++- .../classes/sun/security/pkcs11/Token.java | 21 ++++++- .../security/provider/DSAPublicKeyImpl.java | 26 +++++++-- .../sun/security/provider/PolicyFile.java | 30 +++++++++- .../sun/security/provider/SecureRandom.java | 54 +++++++++++++++--- .../provider/certpath/X509CertPath.java | 22 +++++-- .../security/rsa/RSAPrivateCrtKeyImpl.java | 21 ++++++- .../sun/security/rsa/RSAPrivateKeyImpl.java | 28 +++++++-- .../sun/security/rsa/RSAPublicKeyImpl.java | 23 +++++++- .../sun/security/x509/X509CertImpl.java | 29 ++++++---- .../sun/security/mscapi/CPrivateKey.java | 23 +++++++- .../sun/security/mscapi/CPublicKey.java | 24 +++++++- jdk/test/java/security/KeyRep/RSA.pre.1.5.key | Bin 1803 -> 0 bytes jdk/test/java/security/KeyRep/SerialOld.java | 14 +++-- 35 files changed, 811 insertions(+), 158 deletions(-) delete mode 100644 jdk/test/java/security/KeyRep/RSA.pre.1.5.key diff --git a/jdk/src/share/classes/com/sun/crypto/provider/DESKey.java b/jdk/src/share/classes/com/sun/crypto/provider/DESKey.java index 90d4b83336..54eafe56c4 100644 --- a/jdk/src/share/classes/com/sun/crypto/provider/DESKey.java +++ b/jdk/src/share/classes/com/sun/crypto/provider/DESKey.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,8 @@ package com.sun.crypto.provider; +import java.io.IOException; +import java.io.InvalidObjectException; import java.security.MessageDigest; import java.security.KeyRep; import java.security.InvalidKeyException; @@ -40,7 +42,7 @@ import javax.crypto.spec.DESKeySpec; final class DESKey implements SecretKey { - static final long serialVersionUID = 7724971015953279128L; + private static final long serialVersionUID = 7724971015953279128L; private byte[] key; @@ -99,7 +101,7 @@ final class DESKey implements SecretKey { for (int i = 1; i < this.key.length; i++) { retval += this.key[i] * i; } - return(retval ^= "des".hashCode()); + return(retval ^ "des".hashCode()); } public boolean equals(Object obj) { @@ -120,14 +122,23 @@ final class DESKey implements SecretKey { } /** - * readObject is called to restore the state of this key from - * a stream. + * Restores the state of this object from the stream. + * + * @param s the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded */ private void readObject(java.io.ObjectInputStream s) - throws java.io.IOException, ClassNotFoundException + throws IOException, ClassNotFoundException { s.defaultReadObject(); + if ((key == null) || (key.length != DESKeySpec.DES_KEY_LEN)) { + throw new InvalidObjectException("Wrong key size"); + } key = key.clone(); + + DESKeyGenerator.setParityBit(key, 0); + } /** diff --git a/jdk/src/share/classes/com/sun/crypto/provider/DESedeKey.java b/jdk/src/share/classes/com/sun/crypto/provider/DESedeKey.java index 8f0251d048..3a6569f28a 100644 --- a/jdk/src/share/classes/com/sun/crypto/provider/DESedeKey.java +++ b/jdk/src/share/classes/com/sun/crypto/provider/DESedeKey.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,8 @@ package com.sun.crypto.provider; +import java.io.IOException; +import java.io.InvalidObjectException; import java.security.MessageDigest; import java.security.KeyRep; import java.security.InvalidKeyException; @@ -40,7 +42,7 @@ import javax.crypto.spec.DESedeKeySpec; final class DESedeKey implements SecretKey { - static final long serialVersionUID = 2463986565756745178L; + private static final long serialVersionUID = 2463986565756745178L; private byte[] key; @@ -99,7 +101,7 @@ final class DESedeKey implements SecretKey { for (int i = 1; i < this.key.length; i++) { retval += this.key[i] * i; } - return(retval ^= "desede".hashCode()); + return(retval ^ "desede".hashCode()); } public boolean equals(Object obj) { @@ -121,14 +123,24 @@ final class DESedeKey implements SecretKey { } /** - * readObject is called to restore the state of this key from - * a stream. + * Restores the state of this object from the stream. + * + * @param s the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded */ private void readObject(java.io.ObjectInputStream s) - throws java.io.IOException, ClassNotFoundException + throws IOException, ClassNotFoundException { s.defaultReadObject(); + if ((key == null) || (key.length != DESedeKeySpec.DES_EDE_KEY_LEN)) { + throw new InvalidObjectException("Wrong key size"); + } key = key.clone(); + + DESKeyGenerator.setParityBit(key, 0); + DESKeyGenerator.setParityBit(key, 8); + DESKeyGenerator.setParityBit(key, 16); } /** diff --git a/jdk/src/share/classes/com/sun/crypto/provider/DHPrivateKey.java b/jdk/src/share/classes/com/sun/crypto/provider/DHPrivateKey.java index c87cc1c5d6..e1ea506fdb 100644 --- a/jdk/src/share/classes/com/sun/crypto/provider/DHPrivateKey.java +++ b/jdk/src/share/classes/com/sun/crypto/provider/DHPrivateKey.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -40,15 +40,13 @@ import sun.security.util.*; * algorithm. * * @author Jan Luehe - * - * * @see DHPublicKey * @see java.security.KeyAgreement */ final class DHPrivateKey implements PrivateKey, javax.crypto.interfaces.DHPrivateKey, Serializable { - static final long serialVersionUID = 7565477590005668886L; + private static final long serialVersionUID = 7565477590005668886L; // only supported version of PKCS#8 PrivateKeyInfo private static final BigInteger PKCS8_VERSION = BigInteger.ZERO; @@ -63,10 +61,10 @@ javax.crypto.interfaces.DHPrivateKey, Serializable { private byte[] encodedKey; // the prime modulus - private BigInteger p; + private final BigInteger p; // the base generator - private BigInteger g; + private final BigInteger g; // the private-value length (optional) private int l; @@ -319,4 +317,27 @@ javax.crypto.interfaces.DHPrivateKey, Serializable { getFormat(), getEncoded()); } + + /** + * Restores the state of this object from the stream. + *

+ * JDK 1.5+ objects use KeyReps instead. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if ((key == null) || (key.length == 0)) { + throw new InvalidObjectException("key not deserializable"); + } + this.key = key.clone(); + if ((encodedKey == null) || (encodedKey.length == 0)) { + throw new InvalidObjectException( + "encoded key not deserializable"); + } + this.encodedKey = encodedKey.clone(); + } } diff --git a/jdk/src/share/classes/com/sun/crypto/provider/DHPublicKey.java b/jdk/src/share/classes/com/sun/crypto/provider/DHPublicKey.java index 7293c94576..4e7d0f03ca 100644 --- a/jdk/src/share/classes/com/sun/crypto/provider/DHPublicKey.java +++ b/jdk/src/share/classes/com/sun/crypto/provider/DHPublicKey.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -40,15 +40,13 @@ import sun.security.util.*; * A public key in X.509 format for the Diffie-Hellman key agreement algorithm. * * @author Jan Luehe - * - * * @see DHPrivateKey * @see java.security.KeyAgreement */ final class DHPublicKey implements PublicKey, javax.crypto.interfaces.DHPublicKey, Serializable { - static final long serialVersionUID = 7647557958927458271L; + private static final long serialVersionUID = 7647557958927458271L; // the public key private BigInteger y; @@ -60,10 +58,10 @@ javax.crypto.interfaces.DHPublicKey, Serializable { private byte[] encodedKey; // the prime modulus - private BigInteger p; + private final BigInteger p; // the base generator - private BigInteger g; + private final BigInteger g; // the private-value length (optional) private int l; @@ -320,4 +318,27 @@ javax.crypto.interfaces.DHPublicKey, Serializable { getFormat(), getEncoded()); } + + /** + * Restores the state of this object from the stream. + *

+ * JDK 1.5+ objects use KeyReps instead. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if ((key == null) || (key.length == 0)) { + throw new InvalidObjectException("key not deserializable"); + } + this.key = key.clone(); + if ((encodedKey == null) || (encodedKey.length == 0)) { + throw new InvalidObjectException( + "encoded key not deserializable"); + } + this.encodedKey = encodedKey.clone(); + } } diff --git a/jdk/src/share/classes/com/sun/crypto/provider/PBEKey.java b/jdk/src/share/classes/com/sun/crypto/provider/PBEKey.java index 7fb66e5597..69c9d00e58 100644 --- a/jdk/src/share/classes/com/sun/crypto/provider/PBEKey.java +++ b/jdk/src/share/classes/com/sun/crypto/provider/PBEKey.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1997, 2018, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,8 @@ package com.sun.crypto.provider; +import java.io.IOException; +import java.io.InvalidObjectException; import java.security.MessageDigest; import java.security.KeyRep; import java.security.spec.InvalidKeySpecException; @@ -41,11 +43,11 @@ import javax.crypto.spec.PBEKeySpec; */ final class PBEKey implements SecretKey { - static final long serialVersionUID = -2234768909660948176L; + private static final long serialVersionUID = -2234768909660948176L; private byte[] key; - private String type; + private final String type; /** * Creates a PBE key from a given PBE key specification. @@ -94,7 +96,7 @@ final class PBEKey implements SecretKey { for (int i = 1; i < this.key.length; i++) { retval += this.key[i] * i; } - return(retval ^= getAlgorithm().toLowerCase(Locale.ENGLISH).hashCode()); + return(retval ^ getAlgorithm().toLowerCase(Locale.ENGLISH).hashCode()); } public boolean equals(Object obj) { @@ -128,14 +130,32 @@ final class PBEKey implements SecretKey { } /** - * readObject is called to restore the state of this key from - * a stream. + * Restores the state of this object from the stream. + * + * @param s the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded */ private void readObject(java.io.ObjectInputStream s) - throws java.io.IOException, ClassNotFoundException + throws IOException, ClassNotFoundException { s.defaultReadObject(); + if (key == null) { + throw new InvalidObjectException( + "PBEKey couldn't be deserialized"); + } key = key.clone(); + + // Accept "\0" to signify "zero-length password with no terminator". + if (!(key.length == 1 && key[0] == 0)) { + for (int i = 0; i < key.length; i++) { + if ((key[i] < '\u0020') || (key[i] > '\u007E')) { + throw new InvalidObjectException( + "PBEKey had non-ASCII chars"); + } + } + } + } diff --git a/jdk/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java b/jdk/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java index 506cc731be..a039c2e77a 100644 --- a/jdk/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java +++ b/jdk/src/share/classes/com/sun/crypto/provider/PBKDF2KeyImpl.java @@ -25,7 +25,7 @@ package com.sun.crypto.provider; -import java.io.ObjectStreamException; +import java.io.*; import java.nio.ByteBuffer; import java.nio.CharBuffer; import java.nio.charset.Charset; @@ -52,14 +52,14 @@ import javax.crypto.spec.PBEKeySpec; */ final class PBKDF2KeyImpl implements javax.crypto.interfaces.PBEKey { - static final long serialVersionUID = -2234868909660948157L; + private static final long serialVersionUID = -2234868909660948157L; private char[] passwd; - private byte[] salt; - private int iterCount; + private final byte[] salt; + private final int iterCount; private byte[] key; - private Mac prf; + private final Mac prf; private static byte[] getPasswordBytes(char[] passwd) { Charset utf8 = Charset.forName("UTF-8"); @@ -131,12 +131,13 @@ final class PBKDF2KeyImpl implements javax.crypto.interfaces.PBEKey { int intR = keyLength - (intL - 1)*hlen; // residue byte[] ui = new byte[hlen]; byte[] ti = new byte[hlen]; + String algName = prf.getAlgorithm(); // SecretKeySpec cannot be used, since password can be empty here. SecretKey macKey = new SecretKey() { private static final long serialVersionUID = 7874493593505141603L; @Override public String getAlgorithm() { - return prf.getAlgorithm(); + return algName; } @Override public String getFormat() { @@ -149,18 +150,26 @@ final class PBKDF2KeyImpl implements javax.crypto.interfaces.PBEKey { @Override public int hashCode() { return Arrays.hashCode(password) * 41 + - prf.getAlgorithm().toLowerCase(Locale.ENGLISH).hashCode(); + algName.toLowerCase(Locale.ENGLISH).hashCode(); } @Override public boolean equals(Object obj) { if (this == obj) return true; if (this.getClass() != obj.getClass()) return false; SecretKey sk = (SecretKey)obj; - return prf.getAlgorithm().equalsIgnoreCase( + return algName.equalsIgnoreCase( sk.getAlgorithm()) && MessageDigest.isEqual(password, sk.getEncoded()); } + // This derived key can't be deserialized. + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + throw new InvalidObjectException( + "PBKDF2KeyImpl SecretKeys are not " + + "directly deserializable"); + } }; + prf.init(macKey); byte[] ibytes = new byte[4]; @@ -282,4 +291,19 @@ final class PBKDF2KeyImpl implements javax.crypto.interfaces.PBEKey { super.finalize(); } } + + /** + * Restores the state of this object from the stream. + *

+ * Deserialization of this class is not supported. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + throw new InvalidObjectException( + "PBKDF2KeyImpl keys are not directly deserializable"); + } } diff --git a/jdk/src/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java b/jdk/src/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java index 9a6308f344..ac6cc2ecf8 100644 --- a/jdk/src/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java +++ b/jdk/src/share/classes/com/sun/crypto/provider/TlsMasterSecretGenerator.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2017, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package com.sun.crypto.provider; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.security.*; import java.security.spec.AlgorithmParameterSpec; @@ -59,11 +62,11 @@ public final class TlsMasterSecretGenerator extends KeyGeneratorSpi { protected void engineInit(AlgorithmParameterSpec params, SecureRandom random) throws InvalidAlgorithmParameterException { - if (params instanceof TlsMasterSecretParameterSpec == false) { + if (!(params instanceof TlsMasterSecretParameterSpec)) { throw new InvalidAlgorithmParameterException(MSG); } this.spec = (TlsMasterSecretParameterSpec)params; - if ("RAW".equals(spec.getPremasterSecret().getFormat()) == false) { + if (!"RAW".equals(spec.getPremasterSecret().getFormat())) { throw new InvalidAlgorithmParameterException( "Key format must be RAW"); } @@ -182,6 +185,21 @@ public final class TlsMasterSecretGenerator extends KeyGeneratorSpi { return key.clone(); } - } + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if ((key == null) || (key.length == 0)) { + throw new InvalidObjectException("TlsMasterSecretKey is null"); + } + key = key.clone(); + } + } } diff --git a/jdk/src/share/classes/com/sun/security/auth/LdapPrincipal.java b/jdk/src/share/classes/com/sun/security/auth/LdapPrincipal.java index 6a324eeacc..7d1380feba 100644 --- a/jdk/src/share/classes/com/sun/security/auth/LdapPrincipal.java +++ b/jdk/src/share/classes/com/sun/security/auth/LdapPrincipal.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2006, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package com.sun.security.auth; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.security.Principal; import javax.naming.InvalidNameException; import javax.naming.ldap.LdapName; @@ -136,4 +139,30 @@ public final class LdapPrincipal implements Principal, java.io.Serializable { private LdapName getLdapName(String name) throws InvalidNameException { return new LdapName(name); } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if ((name == null) || (nameString == null)) { + throw new InvalidObjectException( + "null name/nameString is illegal"); + } + try { + if (!name.equals(getLdapName(nameString))) { + throw new InvalidObjectException("Inconsistent names"); + } + } catch (InvalidNameException e) { + InvalidObjectException nse = new InvalidObjectException( + "Invalid Name"); + nse.initCause(e); + throw nse; + } + } } diff --git a/jdk/src/share/classes/com/sun/security/auth/NTDomainPrincipal.java b/jdk/src/share/classes/com/sun/security/auth/NTDomainPrincipal.java index eb7730cd5a..c1e8361d65 100644 --- a/jdk/src/share/classes/com/sun/security/auth/NTDomainPrincipal.java +++ b/jdk/src/share/classes/com/sun/security/auth/NTDomainPrincipal.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package com.sun.security.auth; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.security.Principal; /** @@ -131,9 +134,7 @@ public class NTDomainPrincipal implements Principal, java.io.Serializable { return false; NTDomainPrincipal that = (NTDomainPrincipal)o; - if (name.equals(that.getName())) - return true; - return false; + return name.equals(that.getName()); } /** @@ -146,4 +147,24 @@ public class NTDomainPrincipal implements Principal, java.io.Serializable { public int hashCode() { return this.getName().hashCode(); } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if (name == null) { + java.text.MessageFormat form = new java.text.MessageFormat + (sun.security.util.ResourcesMgr.getString + ("invalid.null.input.value", + "sun.security.util.AuthResources")); + Object[] source = {"name"}; + throw new InvalidObjectException(form.format(source)); + } + } } diff --git a/jdk/src/share/classes/com/sun/security/auth/NTSid.java b/jdk/src/share/classes/com/sun/security/auth/NTSid.java index 28b40b9302..d5e063a714 100644 --- a/jdk/src/share/classes/com/sun/security/auth/NTSid.java +++ b/jdk/src/share/classes/com/sun/security/auth/NTSid.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package com.sun.security.auth; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.security.Principal; /** @@ -85,7 +88,7 @@ public class NTSid implements Principal, java.io.Serializable { ("Invalid.NTSid.value", "sun.security.util.AuthResources")); } - sid = new String(stringSid); + sid = stringSid; } /** @@ -140,10 +143,7 @@ public class NTSid implements Principal, java.io.Serializable { return false; NTSid that = (NTSid)o; - if (sid.equals(that.sid)) { - return true; - } - return false; + return sid.equals(that.sid); } /** @@ -156,4 +156,30 @@ public class NTSid implements Principal, java.io.Serializable { public int hashCode() { return sid.hashCode(); } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if (sid == null) { + java.text.MessageFormat form = new java.text.MessageFormat + (sun.security.util.ResourcesMgr.getString + ("invalid.null.input.value", + "sun.security.util.AuthResources")); + Object[] source = {"stringSid"}; + throw new InvalidObjectException(form.format(source)); + } + if (sid.length() == 0) { + throw new InvalidObjectException + (sun.security.util.ResourcesMgr.getString + ("Invalid.NTSid.value", + "sun.security.util.AuthResources")); + } + } } diff --git a/jdk/src/share/classes/com/sun/security/auth/NTUserPrincipal.java b/jdk/src/share/classes/com/sun/security/auth/NTUserPrincipal.java index 91be069aa1..78015fa860 100644 --- a/jdk/src/share/classes/com/sun/security/auth/NTUserPrincipal.java +++ b/jdk/src/share/classes/com/sun/security/auth/NTUserPrincipal.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package com.sun.security.auth; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.security.Principal; /** @@ -125,9 +128,7 @@ public class NTUserPrincipal implements Principal, java.io.Serializable { return false; NTUserPrincipal that = (NTUserPrincipal)o; - if (name.equals(that.getName())) - return true; - return false; + return name.equals(that.getName()); } /** @@ -140,4 +141,25 @@ public class NTUserPrincipal implements Principal, java.io.Serializable { public int hashCode() { return this.getName().hashCode(); } + + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if (name == null) { + java.text.MessageFormat form = new java.text.MessageFormat + (sun.security.util.ResourcesMgr.getString + ("invalid.null.input.value", + "sun.security.util.AuthResources")); + Object[] source = {"name"}; + throw new InvalidObjectException(form.format(source)); + } + } } diff --git a/jdk/src/share/classes/com/sun/security/auth/UnixNumericGroupPrincipal.java b/jdk/src/share/classes/com/sun/security/auth/UnixNumericGroupPrincipal.java index db5775ab32..046d75f23d 100644 --- a/jdk/src/share/classes/com/sun/security/auth/UnixNumericGroupPrincipal.java +++ b/jdk/src/share/classes/com/sun/security/auth/UnixNumericGroupPrincipal.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package com.sun.security.auth; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.security.Principal; /** @@ -201,10 +204,8 @@ public class UnixNumericGroupPrincipal implements return false; UnixNumericGroupPrincipal that = (UnixNumericGroupPrincipal)o; - if (this.getName().equals(that.getName()) && - this.isPrimaryGroup() == that.isPrimaryGroup()) - return true; - return false; + return this.getName().equals(that.getName()) && + this.isPrimaryGroup() == that.isPrimaryGroup(); } /** @@ -217,4 +218,24 @@ public class UnixNumericGroupPrincipal implements public int hashCode() { return toString().hashCode(); } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if (name == null) { + java.text.MessageFormat form = new java.text.MessageFormat + (sun.security.util.ResourcesMgr.getString + ("invalid.null.input.value", + "sun.security.util.AuthResources")); + Object[] source = {"name"}; + throw new InvalidObjectException(form.format(source)); + } + } } diff --git a/jdk/src/share/classes/com/sun/security/auth/UnixNumericUserPrincipal.java b/jdk/src/share/classes/com/sun/security/auth/UnixNumericUserPrincipal.java index c6dfd7eaf1..b8a8633d3c 100644 --- a/jdk/src/share/classes/com/sun/security/auth/UnixNumericUserPrincipal.java +++ b/jdk/src/share/classes/com/sun/security/auth/UnixNumericUserPrincipal.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package com.sun.security.auth; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.security.Principal; /** @@ -161,9 +164,7 @@ public class UnixNumericUserPrincipal implements return false; UnixNumericUserPrincipal that = (UnixNumericUserPrincipal)o; - if (this.getName().equals(that.getName())) - return true; - return false; + return this.getName().equals(that.getName()); } /** @@ -176,4 +177,24 @@ public class UnixNumericUserPrincipal implements public int hashCode() { return name.hashCode(); } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if (name == null) { + java.text.MessageFormat form = new java.text.MessageFormat + (sun.security.util.ResourcesMgr.getString + ("invalid.null.input.value", + "sun.security.util.AuthResources")); + Object[] source = {"name"}; + throw new InvalidObjectException(form.format(source)); + } + } } diff --git a/jdk/src/share/classes/com/sun/security/auth/UnixPrincipal.java b/jdk/src/share/classes/com/sun/security/auth/UnixPrincipal.java index 4aefaf9b7f..de7af16db0 100644 --- a/jdk/src/share/classes/com/sun/security/auth/UnixPrincipal.java +++ b/jdk/src/share/classes/com/sun/security/auth/UnixPrincipal.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package com.sun.security.auth; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.security.Principal; /** @@ -126,9 +129,7 @@ public class UnixPrincipal implements Principal, java.io.Serializable { return false; UnixPrincipal that = (UnixPrincipal)o; - if (this.getName().equals(that.getName())) - return true; - return false; + return this.getName().equals(that.getName()); } /** @@ -141,4 +142,24 @@ public class UnixPrincipal implements Principal, java.io.Serializable { public int hashCode() { return name.hashCode(); } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if (name == null) { + java.text.MessageFormat form = new java.text.MessageFormat + (sun.security.util.ResourcesMgr.getString + ("invalid.null.input.value", + "sun.security.util.AuthResources")); + Object[] source = {"name"}; + throw new InvalidObjectException(form.format(source)); + } + } } diff --git a/jdk/src/share/classes/com/sun/security/auth/UserPrincipal.java b/jdk/src/share/classes/com/sun/security/auth/UserPrincipal.java index f4e7555ab1..2d39ca5621 100644 --- a/jdk/src/share/classes/com/sun/security/auth/UserPrincipal.java +++ b/jdk/src/share/classes/com/sun/security/auth/UserPrincipal.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2005, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package com.sun.security.auth; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.security.Principal; /** @@ -110,4 +113,19 @@ public final class UserPrincipal implements Principal, java.io.Serializable { public String toString() { return name; } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if (name == null) { + throw new InvalidObjectException("null name is illegal"); + } + } } diff --git a/jdk/src/share/classes/java/security/CodeSigner.java b/jdk/src/share/classes/java/security/CodeSigner.java index 37c12b153b..6724040875 100644 --- a/jdk/src/share/classes/java/security/CodeSigner.java +++ b/jdk/src/share/classes/java/security/CodeSigner.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -156,9 +156,9 @@ public final class CodeSigner implements Serializable { public String toString() { StringBuffer sb = new StringBuffer(); sb.append("("); - sb.append("Signer: " + signerCertPath.getCertificates().get(0)); + sb.append("Signer: ").append(signerCertPath.getCertificates().get(0)); if (timestamp != null) { - sb.append("timestamp: " + timestamp); + sb.append("timestamp: ").append(timestamp); } sb.append(")"); return sb.toString(); @@ -166,8 +166,11 @@ public final class CodeSigner implements Serializable { // Explicitly reset hash code value to -1 private void readObject(ObjectInputStream ois) - throws IOException, ClassNotFoundException { - ois.defaultReadObject(); - myhash = -1; + throws IOException, ClassNotFoundException { + ois.defaultReadObject(); + if (signerCertPath == null) { + throw new InvalidObjectException("signerCertPath is null"); + } + myhash = -1; } } diff --git a/jdk/src/share/classes/javax/crypto/spec/SecretKeySpec.java b/jdk/src/share/classes/javax/crypto/spec/SecretKeySpec.java index c97e4a5348..b97bc68cca 100644 --- a/jdk/src/share/classes/javax/crypto/spec/SecretKeySpec.java +++ b/jdk/src/share/classes/javax/crypto/spec/SecretKeySpec.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1998, 2015, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1998, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package javax.crypto.spec; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.security.MessageDigest; import java.security.spec.KeySpec; import java.util.Locale; @@ -234,4 +237,25 @@ public class SecretKeySpec implements KeySpec, SecretKey { return MessageDigest.isEqual(this.key, thatKey); } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + + if (key == null || algorithm == null) { + throw new InvalidObjectException("Missing argument"); + } + + this.key = key.clone(); + if (key.length == 0) { + throw new InvalidObjectException("Invalid key length"); + } + } } diff --git a/jdk/src/share/classes/javax/security/auth/callback/ChoiceCallback.java b/jdk/src/share/classes/javax/security/auth/callback/ChoiceCallback.java index 3887f0953d..4310e25dd7 100644 --- a/jdk/src/share/classes/javax/security/auth/callback/ChoiceCallback.java +++ b/jdk/src/share/classes/javax/security/auth/callback/ChoiceCallback.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,10 @@ package javax.security.auth.callback; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; + /** *

Underlying security services instantiate and pass a * {@code ChoiceCallback} to the {@code handle} @@ -46,7 +50,7 @@ public class ChoiceCallback implements Callback, java.io.Serializable { * @serial the list of choices * @since 1.4 */ - private final String[] choices; + private String[] choices; /** * @serial the choice to be used as the default choice * @since 1.4 @@ -103,15 +107,15 @@ public class ChoiceCallback implements Callback, java.io.Serializable { defaultChoice < 0 || defaultChoice >= choices.length) throw new IllegalArgumentException(); + this.prompt = prompt; + this.defaultChoice = defaultChoice; + this.multipleSelectionsAllowed = multipleSelectionsAllowed; + + this.choices = choices.clone(); for (int i = 0; i < choices.length; i++) { if (choices[i] == null || choices[i].length() == 0) throw new IllegalArgumentException(); } - - this.prompt = prompt; - this.choices = choices.clone(); - this.defaultChoice = defaultChoice; - this.multipleSelectionsAllowed = multipleSelectionsAllowed; } /** @@ -208,4 +212,37 @@ public class ChoiceCallback implements Callback, java.io.Serializable { public int[] getSelectedIndexes() { return selections == null ? null : selections.clone(); } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + + if ((prompt == null) || prompt.isEmpty() || + (choices == null) || (choices.length == 0) || + (defaultChoice < 0) || (defaultChoice >= choices.length)) { + throw new InvalidObjectException( + "Missing/invalid prompt/choices"); + } + + choices = choices.clone(); + for (int i = 0; i < choices.length; i++) { + if ((choices[i] == null) || choices[i].isEmpty()) + throw new InvalidObjectException("Null/empty choices"); + } + + if (selections != null) { + selections = selections.clone(); + if (!multipleSelectionsAllowed && (selections.length != 1)) { + throw new InvalidObjectException( + "Multiple selections not allowed"); + } + } + } } diff --git a/jdk/src/share/classes/javax/security/auth/callback/ConfirmationCallback.java b/jdk/src/share/classes/javax/security/auth/callback/ConfirmationCallback.java index 005ff6333f..f6149e45c5 100644 --- a/jdk/src/share/classes/javax/security/auth/callback/ConfirmationCallback.java +++ b/jdk/src/share/classes/javax/security/auth/callback/ConfirmationCallback.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2020, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package javax.security.auth.callback; +import java.io.IOException; +import java.io.ObjectInputStream; + /** *

Underlying security services instantiate and pass a * {@code ConfirmationCallback} to the {@code handle} @@ -145,7 +148,7 @@ public class ConfirmationCallback implements Callback, java.io.Serializable { * @serial * @since 1.4 */ - private final String[] options; + private String[] options; /** * @serial * @since 1.4 @@ -253,16 +256,16 @@ public class ConfirmationCallback implements Callback, java.io.Serializable { defaultOption < 0 || defaultOption >= options.length) throw new IllegalArgumentException(); + this.prompt = null; + this.messageType = messageType; + this.optionType = UNSPECIFIED_OPTION; + this.defaultOption = defaultOption; + + this.options = options.clone(); for (int i = 0; i < options.length; i++) { if (options[i] == null || options[i].length() == 0) throw new IllegalArgumentException(); } - - this.prompt = null; - this.messageType = messageType; - this.optionType = UNSPECIFIED_OPTION; - this.options = options.clone(); - this.defaultOption = defaultOption; } /** @@ -376,16 +379,16 @@ public class ConfirmationCallback implements Callback, java.io.Serializable { defaultOption < 0 || defaultOption >= options.length) throw new IllegalArgumentException(); + this.prompt = prompt; + this.messageType = messageType; + this.optionType = UNSPECIFIED_OPTION; + this.defaultOption = defaultOption; + + this.options = options.clone(); for (int i = 0; i < options.length; i++) { if (options[i] == null || options[i].length() == 0) throw new IllegalArgumentException(); } - - this.prompt = prompt; - this.messageType = messageType; - this.optionType = UNSPECIFIED_OPTION; - this.options = options.clone(); - this.defaultOption = defaultOption; } /** @@ -505,4 +508,19 @@ public class ConfirmationCallback implements Callback, java.io.Serializable { public int getSelectedIndex() { return selection; } + + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + if (options != null) { + options = options.clone(); + } + } } diff --git a/jdk/src/share/classes/javax/security/auth/callback/PasswordCallback.java b/jdk/src/share/classes/javax/security/auth/callback/PasswordCallback.java index 0578be39c4..6333804d86 100644 --- a/jdk/src/share/classes/javax/security/auth/callback/PasswordCallback.java +++ b/jdk/src/share/classes/javax/security/auth/callback/PasswordCallback.java @@ -1,5 +1,5 @@ /* - * Copyright (c) 1999, 2022, Oracle and/or its affiliates. All rights reserved. + * Copyright (c) 1999, 2023, Oracle and/or its affiliates. All rights reserved. * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. * * This code is free software; you can redistribute it and/or modify it @@ -25,6 +25,9 @@ package javax.security.auth.callback; +import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.util.Arrays; import sun.misc.Cleaner; @@ -165,4 +168,25 @@ public class PasswordCallback implements Callback, java.io.Serializable { }; } + /** + * Restores the state of this object from the stream. + * + * @param stream the {@code ObjectInputStream} from which data is read + * @throws IOException if an I/O error occurs + * @throws ClassNotFoundException if a serialized class cannot be loaded + */ + private void readObject(ObjectInputStream stream) + throws IOException, ClassNotFoundException { + stream.defaultReadObject(); + + if (prompt == null || prompt.isEmpty()) { + throw new InvalidObjectException("Missing prompt"); + } + + if (inputPassword != null) { + inputPassword = inputPassword.clone(); + cleaner = Cleaner.create(this, cleanerFor(inputPassword)); + } + } + } diff --git a/jdk/src/share/classes/sun/security/ec/ECPrivateKeyImpl.java b/jdk/src/share/classes/sun/security/ec/ECPrivateKeyImpl.java index e423850cc3..3f5bda39b8 100644 --- a/jdk/src/share/classes/sun/security/ec/ECPrivateKeyImpl.java +++ b/jdk/src/share/classes/sun/security/ec/ECPrivateKeyImpl.java @@ -26,6 +26,8 @@ package sun.security.ec; import java.io.IOException; +import java.io.InvalidObjectException; +import java.io.ObjectInputStream; import java.math.BigInteger; import java.security.*; @@ -43,7 +45,7 @@ import sun.security.pkcs.PKCS8Key; /** * Key implementation for EC private keys. - * + *

* ASN.1 syntax for EC private keys from SEC 1 v1.5 (draft): * * 

@@ -213,4 +215,19 @@ public final class ECPrivateKeyImpl extends PKCS8Key implements ECPrivateKey {
             throw new InvalidKeyException("Invalid EC private key", e);
         }
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "ECPrivateKeyImpl keys are not directly deserializable");
+    }
 }
diff --git a/jdk/src/share/classes/sun/security/ec/ECPublicKeyImpl.java b/jdk/src/share/classes/sun/security/ec/ECPublicKeyImpl.java
index f17d52c46b..6da122fe62 100644
--- a/jdk/src/share/classes/sun/security/ec/ECPublicKeyImpl.java
+++ b/jdk/src/share/classes/sun/security/ec/ECPublicKeyImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2006, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,6 +27,8 @@ package sun.security.ec;
 
 import java.io.IOException;
 
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.security.*;
 import java.security.interfaces.*;
 import java.security.spec.*;
@@ -122,10 +124,25 @@ public final class ECPublicKeyImpl extends X509Key implements ECPublicKey {
             + "\n  parameters: " + params;
     }
 
-    protected Object writeReplace() throws java.io.ObjectStreamException {
+    private Object writeReplace() throws java.io.ObjectStreamException {
         return new KeyRep(KeyRep.Type.PUBLIC,
                         getAlgorithm(),
                         getFormat(),
                         getEncoded());
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "ECPublicKeyImpl keys are not directly deserializable");
+    }
 }
diff --git a/jdk/src/share/classes/sun/security/pkcs11/Token.java b/jdk/src/share/classes/sun/security/pkcs11/Token.java
index 39d301ae7b..f9db262b0a 100644
--- a/jdk/src/share/classes/sun/security/pkcs11/Token.java
+++ b/jdk/src/share/classes/sun/security/pkcs11/Token.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -416,11 +416,26 @@ class Token implements Serializable {
 
     private Object writeReplace() throws ObjectStreamException {
         if (isValid() == false) {
-            throw new NotSerializableException("Token has been removed");
+            throw new InvalidObjectException("Token has been removed");
         }
         return new TokenRep(this);
     }
 
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "Tokens are not directly deserializable");
+    }
+
     // serialized representation of a token
     // tokens can only be de-serialized within the same VM invocation
     // and if the token has not been removed in the meantime
@@ -443,7 +458,7 @@ class Token implements Serializable {
                     }
                 }
             }
-            throw new NotSerializableException("Could not find token");
+            throw new InvalidObjectException("Could not find token");
         }
     }
 
diff --git a/jdk/src/share/classes/sun/security/provider/DSAPublicKeyImpl.java b/jdk/src/share/classes/sun/security/provider/DSAPublicKeyImpl.java
index 7ccc1c0239..a97a901f87 100644
--- a/jdk/src/share/classes/sun/security/provider/DSAPublicKeyImpl.java
+++ b/jdk/src/share/classes/sun/security/provider/DSAPublicKeyImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,17 +25,20 @@
 
 package sun.security.provider;
 
+import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.math.BigInteger;
 import java.security.KeyRep;
 import java.security.InvalidKeyException;
 
 /**
  * An X.509 public key for the Digital Signature Algorithm.
- *
+ * 

  * The difference between DSAPublicKeyImpl and DSAPublicKey is that
  * DSAPublicKeyImpl calls writeReplace with KeyRep, and DSAPublicKey
  * calls writeObject.
- *
+ * 

  * See the comments in DSAKeyFactory, 4532506, and 6232513.
  *
  */
@@ -70,10 +73,25 @@ public final class DSAPublicKeyImpl extends DSAPublicKey {
         super(encoded);
     }
 
-    protected Object writeReplace() throws java.io.ObjectStreamException {
+    private Object writeReplace() throws java.io.ObjectStreamException {
         return new KeyRep(KeyRep.Type.PUBLIC,
                         getAlgorithm(),
                         getFormat(),
                         getEncoded());
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "DSAPublicKeyImpl keys are not directly deserializable");
+    }
 }
diff --git a/jdk/src/share/classes/sun/security/provider/PolicyFile.java b/jdk/src/share/classes/sun/security/provider/PolicyFile.java
index 097451da74..a980277883 100644
--- a/jdk/src/share/classes/sun/security/provider/PolicyFile.java
+++ b/jdk/src/share/classes/sun/security/provider/PolicyFile.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2022, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -2214,8 +2214,17 @@ public class PolicyFile extends java.security.Policy {
                 this.actions.equals(that.actions)))
                 return false;
 
-            if (this.certs.length != that.certs.length)
+            if ((this.certs == null) && (that.certs == null)) {
+                return true;
+            }
+
+            if ((this.certs == null) || (that.certs == null)) {
                 return false;
+            }
+
+            if (this.certs.length != that.certs.length) {
+                return false;
+            }
 
             int i,j;
             boolean match;
@@ -2285,7 +2294,7 @@ public class PolicyFile extends java.security.Policy {
         }
 
         public Certificate[] getCerts() {
-            return certs;
+            return (certs == null ? null : certs.clone());
         }
 
         /**
@@ -2298,6 +2307,21 @@ public class PolicyFile extends java.security.Policy {
         @Override public String toString() {
             return "(SelfPermission " + type + " " + name + " " + actions + ")";
         }
+
+        /**
+         * Restores the state of this object from the stream.
+         *
+         * @param  stream the {@code ObjectInputStream} from which data is read
+         * @throws IOException if an I/O error occurs
+         * @throws ClassNotFoundException if a serialized class cannot be loaded
+         */
+        private void readObject(ObjectInputStream stream)
+                throws IOException, ClassNotFoundException {
+            stream.defaultReadObject();
+            if (certs != null) {
+                this.certs = certs.clone();
+            }
+        }
     }
 
     /**
diff --git a/jdk/src/share/classes/sun/security/provider/SecureRandom.java b/jdk/src/share/classes/sun/security/provider/SecureRandom.java
index 4f7d7c3aad..5ffc81b16f 100644
--- a/jdk/src/share/classes/sun/security/provider/SecureRandom.java
+++ b/jdk/src/share/classes/sun/security/provider/SecureRandom.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1998, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1998, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,7 @@
 package sun.security.provider;
 
 import java.io.IOException;
+import java.io.InvalidObjectException;
 import java.security.MessageDigest;
 import java.security.SecureRandomSpi;
 import java.security.NoSuchAlgorithmException;
@@ -186,7 +187,7 @@ implements java.io.Serializable {
     /**
      * This static object will be seeded by SeedGenerator, and used
      * to seed future instances of SHA1PRNG SecureRandoms.
-     *
+     * 

      * Bloch, Effective Java Second Edition: Item 71
      */
     private static class SeederHolder {
@@ -261,17 +262,23 @@ implements java.io.Serializable {
     }
 
     /*
-     * readObject is called to restore the state of the random object from
-     * a stream.  We have to create a new instance of MessageDigest, because
+     * This method is called to restore the state of the random object from
+     * a stream.
+     * 

+     * We have to create a new instance of {@code MessageDigest}, because
      * it is not included in the stream (it is marked "transient").
-     *
-     * Note that the engineNextBytes() method invoked on the restored random
-     * object will yield the exact same (random) bytes as the original.
+     * 

+     * Note that the {@code engineNextBytes()} method invoked on the restored
+     * random object will yield the exact same (random) bytes as the original.
      * If you do not want this behaviour, you should re-seed the restored
-     * random object, using engineSetSeed().
+     * random object, using {@code engineSetSeed()}.
+     *
+     * @param  s the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
      */
     private void readObject(java.io.ObjectInputStream s)
-        throws IOException, ClassNotFoundException {
+            throws IOException, ClassNotFoundException {
 
         s.defaultReadObject ();
 
@@ -290,5 +297,34 @@ implements java.io.Serializable {
                     "internal error: SHA-1 not available.", exc);
             }
         }
+
+        // Various consistency checks
+        if ((remainder == null) && (remCount > 0)) {
+            throw new InvalidObjectException(
+                    "Remainder indicated, but no data available");
+        }
+
+        // Not yet allocated state
+        if (state == null) {
+            if (remainder == null) {
+                return;
+            } else {
+                throw new InvalidObjectException(
+                        "Inconsistent buffer allocations");
+            }
+        }
+
+        // Sanity check on sizes/pointer
+        if ((state.length != DIGEST_SIZE) ||
+                ((remainder != null) && (remainder.length != DIGEST_SIZE)) ||
+                (remCount < 0 ) || (remCount >= DIGEST_SIZE)) {
+            throw new InvalidObjectException(
+                    "Inconsistent buffer sizes/state");
+        }
+
+        state = state.clone();
+        if (remainder != null) {
+            remainder = remainder.clone();
+        }
     }
 }
diff --git a/jdk/src/share/classes/sun/security/provider/certpath/X509CertPath.java b/jdk/src/share/classes/sun/security/provider/certpath/X509CertPath.java
index f738b5f5fe..79cde0d72f 100644
--- a/jdk/src/share/classes/sun/security/provider/certpath/X509CertPath.java
+++ b/jdk/src/share/classes/sun/security/provider/certpath/X509CertPath.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,10 +25,7 @@
 
 package sun.security.provider.certpath;
 
-import java.io.ByteArrayInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
+import java.io.*;
 import java.security.cert.CertificateEncodingException;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateException;
@@ -394,4 +391,19 @@ public class X509CertPath extends CertPath {
     public List getCertificates() {
         return certs;
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "X509CertPaths are not directly deserializable");
+    }
 }
diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
index b3c1fae967..4cb407e250 100644
--- a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
+++ b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,8 @@
 package sun.security.rsa;
 
 import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.math.BigInteger;
 
 import java.security.*;
@@ -43,7 +45,7 @@ import static sun.security.rsa.RSAUtil.KeyType;
  * RSA private key implementation for "RSA", "RSASSA-PSS" algorithms in CRT form.
  * For non-CRT private keys, see RSAPrivateKeyImpl. We need separate classes
  * to ensure correct behavior in instanceof checks, etc.
- *
+ * 

  * Note: RSA keys must be at least 512 bits long
  *
  * @see RSAPrivateKeyImpl
@@ -291,4 +293,19 @@ public final class RSAPrivateCrtKeyImpl
             throw new InvalidKeyException("Invalid RSA private key", e);
         }
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "RSAPrivateCrtKeyImpl keys are not directly deserializable");
+    }
 }
diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPrivateKeyImpl.java b/jdk/src/share/classes/sun/security/rsa/RSAPrivateKeyImpl.java
index df5abc1bfd..b443caf91f 100644
--- a/jdk/src/share/classes/sun/security/rsa/RSAPrivateKeyImpl.java
+++ b/jdk/src/share/classes/sun/security/rsa/RSAPrivateKeyImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,8 @@
 package sun.security.rsa;
 
 import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.math.BigInteger;
 
 import java.security.*;
@@ -38,10 +40,11 @@ import sun.security.pkcs.PKCS8Key;
 
 /**
  * RSA private key implementation for "RSA", "RSASSA-PSS" algorithms in non-CRT
- * form (modulus, private exponent only). For CRT private keys, see
- * RSAPrivateCrtKeyImpl. We need separate classes to ensure correct behavior
- * in instanceof checks, etc.
- *
+ * form (modulus, private exponent only).
+ * 

+ * For CRT private keys, see RSAPrivateCrtKeyImpl. We need separate classes
+ * to ensure correct behavior in instanceof checks, etc.
+ * 

  * Note: RSA keys must be at least 512 bits long
  *
  * @see RSAPrivateCrtKeyImpl
@@ -127,4 +130,19 @@ public final class RSAPrivateKeyImpl extends PKCS8Key implements RSAPrivateKey {
                + " bits" + "\n  params: " + keyParams + "\n  modulus: " + n
                + "\n  private exponent: " + d;
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "RSAPrivateKeyImpl keys are not directly deserializable");
+    }
 }
diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPublicKeyImpl.java b/jdk/src/share/classes/sun/security/rsa/RSAPublicKeyImpl.java
index ebd035e06a..279fc19ede 100644
--- a/jdk/src/share/classes/sun/security/rsa/RSAPublicKeyImpl.java
+++ b/jdk/src/share/classes/sun/security/rsa/RSAPublicKeyImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -26,6 +26,8 @@
 package sun.security.rsa;
 
 import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.math.BigInteger;
 
 import java.security.*;
@@ -40,7 +42,7 @@ import static sun.security.rsa.RSAUtil.KeyType;
 
 /**
  * RSA public key implementation for "RSA", "RSASSA-PSS" algorithms.
- *
+ * 

  * Note: RSA keys must be at least 512 bits long
  *
  * @see RSAPrivateCrtKeyImpl
@@ -198,10 +200,25 @@ public final class RSAPublicKeyImpl extends X509Key implements RSAPublicKey {
                + "\n  public exponent: " + e;
     }
 
-    protected Object writeReplace() throws java.io.ObjectStreamException {
+    private Object writeReplace() throws java.io.ObjectStreamException {
         return new KeyRep(KeyRep.Type.PUBLIC,
                         getAlgorithm(),
                         getFormat(),
                         getEncoded());
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "RSAPublicKeyImpl keys are not directly deserializable");
+    }
 }
diff --git a/jdk/src/share/classes/sun/security/x509/X509CertImpl.java b/jdk/src/share/classes/sun/security/x509/X509CertImpl.java
index 012bb8cf82..818ae1e261 100644
--- a/jdk/src/share/classes/sun/security/x509/X509CertImpl.java
+++ b/jdk/src/share/classes/sun/security/x509/X509CertImpl.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,13 +25,7 @@
 
 package sun.security.x509;
 
-import java.io.BufferedReader;
-import java.io.BufferedInputStream;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.io.InputStream;
-import java.io.InputStreamReader;
-import java.io.OutputStream;
+import java.io.*;
 import java.math.BigInteger;
 import java.security.*;
 import java.security.spec.AlgorithmParameterSpec;
@@ -679,7 +673,7 @@ public class X509CertImpl extends X509Certificate implements DerEncoder {
 
     /**
      * Return the requested attribute from the certificate.
-     *
+     * 

      * Note that the X509CertInfo is not cloned for performance reasons.
      * Callers must ensure that they do not modify it. All other
      * attributes are cloned.
@@ -1597,7 +1591,7 @@ public class X509CertImpl extends X509Certificate implements DerEncoder {
         for (GeneralName gname : names.names()) {
             GeneralNameInterface name = gname.getName();
             List nameEntry = new ArrayList<>(2);
-            nameEntry.add(Integer.valueOf(name.getType()));
+            nameEntry.add(name.getType());
             switch (name.getType()) {
             case GeneralNameInterface.NAME_RFC822:
                 nameEntry.add(((RFC822Name) name).getName());
@@ -2019,4 +2013,19 @@ public class X509CertImpl extends X509Certificate implements DerEncoder {
         buf.append(hexChars[high]);
         buf.append(hexChars[low]);
     }
+
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "X509CertImpls are not directly deserializable");
+    }
 }
diff --git a/jdk/src/windows/classes/sun/security/mscapi/CPrivateKey.java b/jdk/src/windows/classes/sun/security/mscapi/CPrivateKey.java
index 60fb4fb672..cea2f93ed5 100644
--- a/jdk/src/windows/classes/sun/security/mscapi/CPrivateKey.java
+++ b/jdk/src/windows/classes/sun/security/mscapi/CPrivateKey.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,9 @@
 
 package sun.security.mscapi;
 
+import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.security.PrivateKey;
 
 /**
@@ -74,6 +77,22 @@ class CPrivateKey extends CKey implements PrivateKey {
     // This class is not serializable
     private void writeObject(java.io.ObjectOutputStream out)
             throws java.io.IOException {
-        throw new java.io.NotSerializableException();
+        throw new java.io.InvalidObjectException(
+                "CPrivateKeys are not serializable");
+    }
+
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "CPrivateKeys are not deserializable");
     }
 }
diff --git a/jdk/src/windows/classes/sun/security/mscapi/CPublicKey.java b/jdk/src/windows/classes/sun/security/mscapi/CPublicKey.java
index 8a81c5dc32..93c11c8d56 100644
--- a/jdk/src/windows/classes/sun/security/mscapi/CPublicKey.java
+++ b/jdk/src/windows/classes/sun/security/mscapi/CPublicKey.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2020, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2023, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,9 @@
 
 package sun.security.mscapi;
 
+import java.io.IOException;
+import java.io.InvalidObjectException;
+import java.io.ObjectInputStream;
 import java.math.BigInteger;
 import java.security.AlgorithmParameters;
 import java.security.KeyException;
@@ -108,7 +111,7 @@ public abstract class CPublicKey extends CKey implements PublicKey {
 
         public String toString() {
             StringBuffer sb = new StringBuffer();
-            sb.append(algorithm + "PublicKey [size=").append(keyLength)
+            sb.append(algorithm).append("PublicKey [size=").append(keyLength)
                     .append("]\n  ECPoint: ").append(getW())
                     .append("\n  params: ").append(getParams());
             return sb.toString();
@@ -127,7 +130,7 @@ public abstract class CPublicKey extends CKey implements PublicKey {
 
         public String toString() {
             StringBuffer sb = new StringBuffer();
-            sb.append(algorithm + "PublicKey [size=").append(keyLength)
+            sb.append(algorithm).append("PublicKey [size=").append(keyLength)
                     .append(" bits, type=");
             if (handles.hCryptKey != 0) {
                 sb.append(getKeyType(handles.hCryptKey))
@@ -221,6 +224,21 @@ public abstract class CPublicKey extends CKey implements PublicKey {
                         getEncoded());
     }
 
+    /**
+     * Restores the state of this object from the stream.
+     * 

+     * Deserialization of this object is not supported.
+     *
+     * @param  stream the {@code ObjectInputStream} from which data is read
+     * @throws IOException if an I/O error occurs
+     * @throws ClassNotFoundException if a serialized class cannot be loaded
+     */
+    private void readObject(ObjectInputStream stream)
+            throws IOException, ClassNotFoundException {
+        throw new InvalidObjectException(
+                "CPublicKeys are not deserializable");
+    }
+
     // Returns the CAPI or CNG representation of the key.
     native byte[] getPublicKeyBlob(long hCryptProv, long hCryptKey)
             throws KeyException;
diff --git a/jdk/test/java/security/KeyRep/RSA.pre.1.5.key b/jdk/test/java/security/KeyRep/RSA.pre.1.5.key
deleted file mode 100644
index 0c15a06c9cd1422eeb75657122a85db1111a1485..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1803
zcmZ4UmVvdnh(REy#I0-cTtjYPQX=x=4Vi1#a6H7Amoifus^GZ_FQ;UGs
zGo}x?&x^Zy-moU9WY8S*=Lr)lZoBf_KY1%pc
z^DSY`F;m?Ocug7l4qg1^75AoV`PY8`@CULxJy$8%|Ls^akx7x^tJHI$TV2WAFBM|u
zS}d27tgt$HOtH}0Ejilwl8LwHbfA*u^Ed4JJ@-Nm%X_cCDgS=ld6Blw_nZJvlb-*w
z$0dwQGl5F_zuB4W-?(e8wSV@uh?(m9H-FAv_~S!=Fnd`eN6nA<^-Kz00a34Ry;zu7
zl(Zl>=ZGl7O|t=QFY^sw#b)ln-SJ?~Tg{WX*K6_=H;
zzhn5@>Bjd~Zmj?&GZAp|1|=0eL{jPbGhcqC^>0~b1~yLyj-<>I=ls&V5>EzBAk!x`
zFTEtglR-Ewv#7YlFF&s;wJ6`IvLw~7G}n`XCnvu=wYVfWwZthCsDZ6GGd-^~H=2Pn
zH!(dgv!pZyoRT5u?t5(!@-R
zB?^SnDN%+HN~S~^LMS^BWeB0{07~nMD1{fSNQD)EQBC2DNxBEy>IQme?hZMMa5~sAVHaKL<+LSRQ8(gH|Rodovh#P^&bo09h#rB7^~H
C((W$+

diff --git a/jdk/test/java/security/KeyRep/SerialOld.java b/jdk/test/java/security/KeyRep/SerialOld.java
index 3732609872..a3792e1e8c 100644
--- a/jdk/test/java/security/KeyRep/SerialOld.java
+++ b/jdk/test/java/security/KeyRep/SerialOld.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2022, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -23,14 +23,13 @@
 
 /*
  * @test 1.1, 03/08/13
- * @bug 4532506
+ * @bug 4532506 8301126
  * @summary Serializing KeyPair on one VM (Sun),
  *      and Deserializing on another (IBM) fails
  * @run main/othervm/policy=SerialOld.policy SerialOld
  */
 
 import java.io.*;
-import java.security.*;
 
 public class SerialOld {
     public static void main(String[] args) throws Exception {
@@ -40,10 +39,15 @@ public class SerialOld {
         deserializeTigerKey("DSA");
         deserializeTigerKey("RSA");
 
-        // verify pre-tiger keys still deserialize in our VM
+        // verify pre-tiger keys still deserialize in our VM.
+
+        // There used to be a RSA test here, but the serialized file contained
+        // classes introduced in JDK 5.0 (sun.security.rsa.RSA*).  The older
+        // RSA keys from JDK 1.4.2 were of class JSA_* which were removed when
+        // sun.security.rsa was introduced.  (See JDK-8301126 for more
+        // details.)  The test/data has been removed.
 
         deserializeKey("DSA");
-        deserializeKey("RSA");
         deserializeKey("DH");
         deserializeKey("AES");
         deserializeKey("Blowfish");

From 47a816eab013aa94237887d401bdbe32073c0afa Mon Sep 17 00:00:00 2001
From: Volker Simonis 
Date: Fri, 1 Sep 2023 14:43:16 +0000
Subject: [PATCH 12/13] 8315135: Memory leak in the native implementation of
 Pack200.Unpacker.unpack()

Reviewed-by: andrew
Backport-of: b77c161e7509aa3b09ebf3e6b2b1490c0667bbdc
---
 .../sun/java/util/jar/pack/NativeUnpack.java  |  2 +-
 .../sun/java/util/jar/pack/UnpackerImpl.java  |  5 ++
 .../native/com/sun/java/util/jar/pack/jni.cpp |  5 +-
 jdk/test/tools/pack200/UnpackMalformed.java   | 55 +++++++++++++++++++
 4 files changed, 65 insertions(+), 2 deletions(-)
 create mode 100644 jdk/test/tools/pack200/UnpackMalformed.java

diff --git a/jdk/src/share/classes/com/sun/java/util/jar/pack/NativeUnpack.java b/jdk/src/share/classes/com/sun/java/util/jar/pack/NativeUnpack.java
index 52864dfb02..a04b440525 100644
--- a/jdk/src/share/classes/com/sun/java/util/jar/pack/NativeUnpack.java
+++ b/jdk/src/share/classes/com/sun/java/util/jar/pack/NativeUnpack.java
@@ -60,7 +60,7 @@ class NativeUnpack {
 
     // Resets the engine and frees all resources.
     // Returns total number of bytes consumed by the engine.
-    private synchronized native long finish();
+    synchronized native long finish();
 
     // Setting state in the unpacker.
     protected  synchronized native boolean setOption(String opt, String value);
diff --git a/jdk/src/share/classes/com/sun/java/util/jar/pack/UnpackerImpl.java b/jdk/src/share/classes/com/sun/java/util/jar/pack/UnpackerImpl.java
index 7bc6281fd9..b5028f9d95 100644
--- a/jdk/src/share/classes/com/sun/java/util/jar/pack/UnpackerImpl.java
+++ b/jdk/src/share/classes/com/sun/java/util/jar/pack/UnpackerImpl.java
@@ -139,6 +139,11 @@ public class UnpackerImpl extends TLGlobals implements Pack200.Unpacker {
                 } catch (UnsatisfiedLinkError | NoClassDefFoundError ex) {
                     // failover to java implementation
                     (new DoUnpack()).run(in0, out);
+                } finally {
+                    if (_nunp != null) {
+                       // Free up native memory and JNI handles to prevent leaks
+                       ((NativeUnpack) _nunp).finish();
+                    }
                 }
                 in0.close();
                 Utils.markJarFile(out);
diff --git a/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp b/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
index e9109cbec9..5fbc7261fb 100644
--- a/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
+++ b/jdk/src/share/native/com/sun/java/util/jar/pack/jni.cpp
@@ -309,9 +309,12 @@ Java_com_sun_java_util_jar_pack_NativeUnpack_getUnusedInput(JNIEnv *env, jobject
 
 JNIEXPORT jlong JNICALL
 Java_com_sun_java_util_jar_pack_NativeUnpack_finish(JNIEnv *env, jobject pObj) {
-  unpacker* uPtr = get_unpacker(env, pObj, false);
+  // There's no need to create a new unpacker here if we don't already have one
+  // just to immediatly free it afterwards.
+  unpacker* uPtr = get_unpacker(env, pObj, /* noCreate= */ true);
   CHECK_EXCEPTION_RETURN_VALUE(uPtr, NULL);
   size_t consumed = uPtr->input_consumed();
+  // free_unpacker() will set the unpacker field on 'pObj' to null
   free_unpacker(env, pObj, uPtr);
   return consumed;
 }
diff --git a/jdk/test/tools/pack200/UnpackMalformed.java b/jdk/test/tools/pack200/UnpackMalformed.java
new file mode 100644
index 0000000000..70a84acdf2
--- /dev/null
+++ b/jdk/test/tools/pack200/UnpackMalformed.java
@@ -0,0 +1,55 @@
+/*
+ * Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ *
+ */
+
+/*
+ * @test
+ * @bug 8315135
+ * @run main/othervm/timeout=300 -Dcom.sun.java.util.jar.pack.disable.native=false -Xmx8m UnpackMalformed
+ */
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+import java.util.jar.JarOutputStream;
+import java.util.jar.Pack200;
+
+@SuppressWarnings("removal")
+public class UnpackMalformed {
+    public static void main(String[] args) {
+        try {
+            ByteArrayInputStream in = new ByteArrayInputStream("foobar".getBytes());
+            for (int i=0; i < 1_000; i++) {
+                try {
+                    JarOutputStream out = new JarOutputStream(new ByteArrayOutputStream());
+                    Pack200.Unpacker unpacker = Pack200.newUnpacker();
+                    unpacker.unpack(in, out);
+                } catch (IOException e) {
+                }
+            }
+        } catch (OutOfMemoryError e) {
+            System.out.println(e);
+            throw e;
+        }
+    }
+}

From 9499e54ebbab17b0f5e48be27c0c7f90806a3c40 Mon Sep 17 00:00:00 2001
From: Yuri Nesterenko 
Date: Thu, 28 Sep 2023 11:56:25 +0300
Subject: [PATCH 13/13] 8317040: Exclude cleaner test failing on older releases

Reviewed-by: mbalao, andrew, clanger
---
 jdk/test/ProblemList.txt | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/jdk/test/ProblemList.txt b/jdk/test/ProblemList.txt
index 48c100b0c3..48e818ec23 100644
--- a/jdk/test/ProblemList.txt
+++ b/jdk/test/ProblemList.txt
@@ -324,6 +324,8 @@ security/infra/java/security/cert/CertPathValidator/certification/ActalisCA.java
 
 sun/security/mscapi/SignedObjectChain.java                      8176183 windows-all
 
+javax/security/auth/callback/PasswordCallback/CheckCleanerBound.java 8285785,8286045,8287596 generic-all
+
 ############################################################################
 
 # jdk_sound