Posted to commits@river.apache.org by pe...@apache.org on 2012/01/24 00:29:11 UTC

svn commit: r1235063 - in /river/jtsk/skunk/peterConcurrentPolicy: bouncy-castle/ qa/ qa/jtreg/certs/ qa/jtreg/net/jini/jeri/tcp/localHostExposure/ qa/jtreg/net/jini/jeri/transport/multihomed/ qa/jtreg/net/jini/security/Security/implicitGrants/ qa/jtre...

Author: peter_firmstone
Date: Mon Jan 23 23:29:10 2012
New Revision: 1235063

URL: http://svn.apache.org/viewvc?rev=1235063&view=rev
Log:
River-404

Commenced writing a Bouncy Castle self-signed certificate generator to replace DSTC JCSI.

Made changes to some policy files to support constructing ConcurrentPolicyFile (which requires a getPolicy permission, because ConcurrentPolicyFile uses doPrivileged calls to read policy files and System properties; user code could otherwise use it to gain policy information).

Added:
    river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/
    river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bcmail-jdk16-146.jar   (with props)
    river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bcpg-jdk16-146.jar   (with props)
    river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bcprov-jdk16-146.jar   (with props)
    river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bctest-jdk16-146.jar   (with props)
    river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bctsp-jdk16-146.jar   (with props)
Modified:
    river/jtsk/skunk/peterConcurrentPolicy/qa/build.xml
    river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/certs/   (props changed)
    river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/certs/CA.java
    river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/jeri/tcp/localHostExposure/TestNameService.java
    river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/jeri/transport/multihomed/TestNameService.java
    river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/Security/implicitGrants/Test.java
    river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/Security/implicitGrants/policy
    river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/basePolicyNotFound/policy
    river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/domainCaching/policy
    river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/dynamicBasePolicy/Test.java
    river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/dynamicBasePolicy/policy
    river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/nullCases/policy
    river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/principalGrants/policy
    river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/selfGrants/policy.0
    river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/basePolicyNotFound/policy
    river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/basicGrants/policy.0
    river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/nullCases/policy
    river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/umbrellaGrants/policy
    river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/porter/policy
    river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/GrantPermission.java
    river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/DynamicPolicyProvider.java
    river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/url/httpmd/Handler.java
    river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/ConcurrentPolicyFile.java
    river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java

Added: river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bcmail-jdk16-146.jar
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bcmail-jdk16-146.jar?rev=1235063&view=auto
==============================================================================
Binary file - no diff available.

Propchange: river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bcmail-jdk16-146.jar
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Added: river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bcpg-jdk16-146.jar
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bcpg-jdk16-146.jar?rev=1235063&view=auto
==============================================================================
Binary file - no diff available.

Propchange: river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bcpg-jdk16-146.jar
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Added: river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bcprov-jdk16-146.jar
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bcprov-jdk16-146.jar?rev=1235063&view=auto
==============================================================================
Binary file - no diff available.

Propchange: river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bcprov-jdk16-146.jar
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Added: river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bctest-jdk16-146.jar
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bctest-jdk16-146.jar?rev=1235063&view=auto
==============================================================================
Binary file - no diff available.

Propchange: river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bctest-jdk16-146.jar
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Added: river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bctsp-jdk16-146.jar
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bctsp-jdk16-146.jar?rev=1235063&view=auto
==============================================================================
Binary file - no diff available.

Propchange: river/jtsk/skunk/peterConcurrentPolicy/bouncy-castle/bctsp-jdk16-146.jar
------------------------------------------------------------------------------
    svn:mime-type = application/octet-stream

Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/build.xml
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/build.xml?rev=1235063&r1=1235062&r2=1235063&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/build.xml (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/build.xml Mon Jan 23 23:29:10 2012
@@ -58,7 +58,7 @@
     <property name="jtreg.home" location="${env.JT_HOME}" />
     <!-- probably should rename the environment variable, to enable using the correct -->
     <!-- jdk version for the jtreg tests which depend on jdk1.5 -->
-    <property name="jdk1.5.home" location="/usr/jdk/jdk1.5.0_15"/>
+    <property name="jdk1.5.home" location="/usr/jdk/jdk1.6.0_30"/>
     <property name="jtlib.tmp" location="${jtreg.dir}/JTlib-tmp"/>
 
     <!-- classpath for use by ClassDep in this build -->
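
Review bot: The property is still named `jdk1.5.home`, and the comment above it still says the jtreg tests depend on jdk1.5, but the value now points at `/usr/jdk/jdk1.6.0_30`. Rename the property (it is also passed as `jdk="${jdk1.5.home}"` to the jtreg task) and update the comment, and take the location from the environment, as that comment already hints, instead of hard-coding a machine-specific path.
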
@@ -214,9 +214,10 @@
                 reportdir="${jtreg.dir}/JTreport" workdir="${jtreg.dir}/JTwork"
                 jdk="${jdk1.5.home}">
             <arg value="-cpa:${jtlib.tmp}/jsk-policy.jar${path.separator}${jtlib.tmp}/jsk-lib.jar${path.separator}${jtlib.tmp}/jsk-platform.jar${path.separator}${jtlib.tmp}/jsk-resources.jar${path.separator}${jtlib.tmp}/phoenix-init.jar${path.separator}${jtlib.tmp}/tools.jar"/>
-            <arg value="-timeout:2"/>
+            <arg value="-timeout:4"/>
             <!--<arg value="-Djsk.home=${river.home}"/>-->
             <arg value="-Djtlib.tmp=${jtlib.tmp}"/>
+            <arg value="-Dscratch.dir=${jtreg.dir}/JTwork/scratch"/>
             <!--<arg value="-status:fail"/>-->
             <!--<arg value="-Djava.security.debug=access,failure"/>-->
             <!--<arg value="-Dsun.security.krb5.debug=true"/>-->
@@ -224,7 +225,9 @@
             <!--<arg value="net/jini/jeri/kerberos/UnitTests/runTestPerformance.sh" />-->
             <!--<arg value="-Bug:6307813"/>-->
             <!--<arg value="net/jini/security/policy/DynamicPolicyProvider/dynamicBasePolicy/Test.java"/>-->
+            <!--<arg value="net/jini/security/Security/implicitGrants/Test.java"/>-->
             <!--<arg value="net/jini/security/GrantPermission/implies/Test.java" />-->
+            <arg value="net/jini/url/httpmd/TestEqual.java"/>
         </jtreg>
         <move todir="${river.lib.dir}">
             <filelist dir="${jtreg.dir}/JTlib-tmp">
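
Review bot: The uncommented `<arg value="net/jini/url/httpmd/TestEqual.java"/>` at the end of the jtreg task reads like a leftover from a local run, since every neighbouring test-path arg is commented out. If no other test path is passed to the task, this narrows the jtreg run to that single test; comment it out like the others or move the selection into a property so the committed build still runs the full suite.
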

Propchange: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/certs/
------------------------------------------------------------------------------
--- svn:ignore (added)
+++ svn:ignore Mon Jan 23 23:29:10 2012
@@ -0,0 +1,19 @@
+OID.java
+PBEKeyImpl.java
+ConsoleKeyTool.java
+PKCS12KeyDerivation.java
+NetscapeCertType.java
+CertGenerator.java
+PKCS5KeyDerivation.java
+PBEKeyDerivation.java
+ConsoleCATool.java
+ContentInfo.java
+ToolException.java
+ConfigException.java
+BasicConstraints.java
+SubjectKeyIdentifier.java
+PKCS8EncryptedPrivateKey.java
+AlgorithmId.java
+RevokedCertificate.java
+Config.java
+UTCTime.java

Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/certs/CA.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/certs/CA.java?rev=1235063&r1=1235062&r2=1235063&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/certs/CA.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/certs/CA.java Mon Jan 23 23:29:10 2012
@@ -15,9 +15,38 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-import com.dstc.security.pki.ConsoleCATool;
-import com.dstc.security.provider.DSTC;
+//import com.dstc.security.pki.ConsoleCATool;
+//import com.dstc.security.provider.DSTC;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.math.BigInteger;
+import java.security.InvalidKeyException;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.PrivateKey;
+import java.security.PublicKey;
+import java.security.SecureRandom;
 import java.security.Security;
+import java.security.SignatureException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.util.Date;
+import java.util.Properties;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import javax.security.auth.x500.X500Principal;
+import org.bouncycastle.cert.X509CertificateHolder;
+import org.bouncycastle.cert.X509v1CertificateBuilder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509v1CertificateBuilder;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.OperatorCreationException;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
 
 /**
  * Run the DSTC Certificate Authority console after installing the provider.
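
Review bot: The class Javadoc kept as context still says "Run the DSTC Certificate Authority console after installing the provider", which no longer describes what `main` does; update it to describe the Bouncy Castle self-signed generator. The two DSTC imports should be deleted rather than commented out (version control keeps the history), and `java.util.logging.Level` and `java.util.logging.Logger` are imported but not used anywhere in the new `main`.
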
@@ -26,7 +55,87 @@ import java.security.Security;
  */
 public class CA {
     public static void main(String[] args) {
-	Security.insertProviderAt(new DSTC(), 1);
-	com.dstc.security.pki.ConsoleCATool.main(args);
+	//Security.insertProviderAt(new DSTC(), 1);
+	//com.dstc.security.pki.ConsoleCATool.main(args);
+        String configFile = System.getProperty("jcsi.ca.conf", "${user.home}${/}.jcsi${/}ca.properties");
+        Properties p = new Properties();
+        File conf = new File(configFile);
+        try {
+            InputStream in = new FileInputStream(conf);
+            p.load(in);
+        } catch (IOException ex) {
+            ex.printStackTrace(System.err);
+        }
+        Security.insertProviderAt(new BouncyCastleProvider(), 1);
+        KeyPairGenerator keyGen = null;
+        String algorithm = p.getProperty("jcsi.ca.keyAlg", "RSA");
+        int keyLen = Integer.parseInt(p.getProperty("jcsi.ca.keyLength", "256"));
+        try {
+            keyGen = KeyPairGenerator.getInstance(algorithm, "BC");
+        } catch (NoSuchAlgorithmException ex) {
+            ex.printStackTrace(System.err);
+        } catch (NoSuchProviderException ex) {
+            ex.printStackTrace(System.err);
+        }
+        SecureRandom random = new SecureRandom();
+        keyGen.initialize(keyLen, random);
+        KeyPair keys = keyGen.generateKeyPair();
+        PublicKey publicKey = keys.getPublic();
+        PrivateKey privKey = keys.getPrivate(); // The key used to sign our Certificate.
+        
+        String issuerDN = p.getProperty("jcsi.ca.issuerDN");
+        int validDays 
+          = Integer.parseInt(p.getProperty("jcsi.ca.validityPeriod"));
+        String signerAlgorithm = p.getProperty("jcsi.ca.sigAlg", "SHA1withRSA");
+        
+        //
+        ContentSigner sigGen = null;
+        try {
+            sigGen = new JcaContentSignerBuilder(signerAlgorithm).setProvider("BC").build(privKey);
+        } catch (OperatorCreationException ex) {
+            ex.printStackTrace(System.err);
+        }
+
+        X500Principal issuer = new X500Principal(issuerDN);
+        
+        X500Principal subject = issuer; // Self signed.
+        long time = System.currentTimeMillis();
+        BigInteger serial = BigInteger.valueOf(time);
+        Date notBefore = new Date(time - 50000);
+        Date notAfter = new Date(time + validDays* 86400000);
+        X509v1CertificateBuilder certBuilder = 
+            new JcaX509v1CertificateBuilder(
+                issuer, 
+                serial, 
+                notBefore, 
+                notAfter, 
+                subject, 
+                publicKey);
+        
+        X509CertificateHolder certHolder = certBuilder.build(sigGen);
+        JcaX509CertificateConverter converter = new JcaX509CertificateConverter();
+        Certificate cert = null;
+        try {
+            cert = converter.getCertificate(certHolder);
+        } catch (CertificateException ex) {
+            ex.printStackTrace(System.err);
+        }
+        try {
+            cert.verify(publicKey);
+            // TODO: write private key and certificate to files.
+        } catch (CertificateException ex) {
+            ex.printStackTrace(System.err);
+        } catch (NoSuchAlgorithmException ex) {
+            ex.printStackTrace(System.err);
+        } catch (InvalidKeyException ex) {
+            ex.printStackTrace(System.err);
+        } catch (NoSuchProviderException ex) {
+            ex.printStackTrace(System.err);
+        } catch (SignatureException ex) {
+            ex.printStackTrace(System.err);
+        }
+        
     }
+    
+    
 }
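
Review bot: The fallback values in `main` produce an unusable CA key: `jcsi.ca.keyLength` defaults to "256", and a 256-bit RSA modulus is trivially factorable and too short to carry a PKCS#1 v1.5 SHA-1 signature block, while `jcsi.ca.sigAlg` defaults to SHA1withRSA. Default to at least 2048 bits and a SHA-256 based signature. Further down, `validDays* 86400000` is evaluated in `int` arithmetic and overflows from 25 days upward, so `notAfter` can land before `notBefore`; write `86400000L`. The catch blocks only print a stack trace and continue, so a failure in `KeyPairGenerator.getInstance` leaves `keyGen` null and the next statement throws NullPointerException, and a missing config file surfaces as a NumberFormatException from the `jcsi.ca.validityPeriod` lookup; fail fast with a clear message instead. The `FileInputStream` is never closed, and the `${user.home}${/}` default handed to `System.getProperty` is returned as a literal string, not expanded.
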

Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/jeri/tcp/localHostExposure/TestNameService.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/jeri/tcp/localHostExposure/TestNameService.java?rev=1235063&r1=1235062&r2=1235063&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/jeri/tcp/localHostExposure/TestNameService.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/jeri/tcp/localHostExposure/TestNameService.java Mon Jan 23 23:29:10 2012
@@ -15,6 +15,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
+import java.net.InetAddress;
 import java.net.UnknownHostException;
 import sun.net.spi.nameservice.NameService;
 
@@ -28,8 +29,19 @@ public class TestNameService implements 
 	    return lastNameLookup;
 	}
     }
+    
+    /* Java 6 version */
+    public InetAddress [] lookupAllHostAddr(String host) throws UnknownHostException{
+        byte [][] allHostAdd = lookAllHostAddr(host);
+        int l = allHostAdd.length;
+        InetAddress [] result = new InetAddress[l];
+        for (int i = 0; i<l; i++){
+            result[i] = InetAddress.getByAddress(allHostAdd[i]);
+        }
+        return result;
+    }
 
-    public byte[][] lookupAllHostAddr(String host)
+    private byte[][] lookAllHostAddr(String host)
 	throws UnknownHostException
     {
 	// System.err.println("FORWARD: " + host);
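
Review bot: The new public `lookupAllHostAddr` and the renamed private `lookAllHostAddr` differ by two letters, which is easy to misread and to call by mistake; give the byte-array helper a clearly different name and carry over the "Java 5 version of provider, renamed and privatised" comment that the multihomed copy has. `InetAddress.getByAddress(allHostAdd[i])` also discards the host name that was looked up; the two-argument `InetAddress.getByAddress(host, addr)` keeps it, if the tests ever inspect the returned name.
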

Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/jeri/transport/multihomed/TestNameService.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/jeri/transport/multihomed/TestNameService.java?rev=1235063&r1=1235062&r2=1235063&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/jeri/transport/multihomed/TestNameService.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/jeri/transport/multihomed/TestNameService.java Mon Jan 23 23:29:10 2012
@@ -58,8 +58,20 @@ public class TestNameService implements 
 	    // do nothing
 	}
     }
+    
+    /* Java 6 version */
+    public InetAddress [] lookupAllHostAddr(String host) throws UnknownHostException{
+        byte [][] allHostAdd = lookAllHostAddr(host);
+        int l = allHostAdd.length;
+        InetAddress [] result = new InetAddress[l];
+        for (int i = 0; i<l; i++){
+            result[i] = InetAddress.getByAddress(allHostAdd[i]);
+        }
+        return result;
+    }
 
-    public byte[][] lookupAllHostAddr(String host)
+    /* Java 5 version of provider, renamed and privatised */
+    private byte[][] lookAllHostAddr(String host)
 	throws UnknownHostException
     {
 	// System.err.println("FORWARD: " + host);
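
Review bot: This wrapper is a verbatim copy of the one added to localHostExposure/TestNameService.java, but no `import java.net.InetAddress;` hunk appears for this file; check that the import is already present so the class compiles. Consider moving the conversion loop into one shared test helper so the two name services cannot drift apart.
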

Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/Security/implicitGrants/Test.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/Security/implicitGrants/Test.java?rev=1235063&r1=1235062&r2=1235063&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/Security/implicitGrants/Test.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/Security/implicitGrants/Test.java Mon Jan 23 23:29:10 2012
@@ -49,6 +49,10 @@ public class Test {
 	    TestLibrary.installClassInCodebase("Foo", "cb2")});
 	cl1 = Class.forName("Foo", true, ldr1);
 	cl2 = Class.forName("Foo", true, ldr2);
+        ProtectionDomain pd2 = cl2.getProtectionDomain();
+	if (policy.implies(pd2, pA)) throw new Error();
+	if (policy.implies(pd2, pB)) throw new Error();
+	if (policy.implies(pd2, pC)) throw new Error();
 
 	ClassLoader ldr3 = new URLClassLoader(new URL[]{
 	    TestLibrary.installClassInCodebase("Setup", "cb3")});
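
Review bot: The three added `policy.implies(pd2, ...)` checks each throw a bare `new Error()`, so a failure can only be told apart by line number; add a message naming the permission and the stage (before the cb3 Setup class is loaded). The `ProtectionDomain pd2` line is indented with spaces while the lines around it use tabs.
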
@@ -62,13 +66,10 @@ public class Test {
 	{
 	    throw new Error();
 	}
-	ProtectionDomain pd2 = cl2.getProtectionDomain();
-	if (policy.implies(pd2, pA) ||
-	    policy.implies(pd2, pB) ||
-	    policy.implies(pd2, pC))
-	{
-	    throw new Error();
-	}
+	//ProtectionDomain pd2 = cl2.getProtectionDomain();
+	if (policy.implies(pd2, pA)) throw new Error();
+	if (policy.implies(pd2, pB)) throw new Error();
+	if (policy.implies(pd2, pC)) throw new Error();
 
 	final Principal prX = new StringPrincipal("X"),
 			prY = new StringPrincipal("Y"),
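
Review bot: `//ProtectionDomain pd2 = cl2.getProtectionDomain();` is left behind as a commented-out line now that the declaration has moved to the earlier hunk; delete it. The three checks here are textually identical to the ones added before the Setup class is loaded, so give the thrown Errors messages that distinguish the two stages.
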

Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/Security/implicitGrants/policy
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/Security/implicitGrants/policy?rev=1235063&r1=1235062&r2=1235063&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/Security/implicitGrants/policy (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/Security/implicitGrants/policy Mon Jan 23 23:29:10 2012
@@ -25,10 +25,11 @@ grant {
     permission java.lang.RuntimePermission "setSecurityManager";
     permission java.security.SecurityPermission "getProperty.*";
     permission java.security.SecurityPermission "setPolicy";
+    permission java.security.SecurityPermission "getPolicy";
     permission java.util.PropertyPermission "*", "read";
     permission javax.security.auth.AuthPermission "doAs";
 };
 
-grant codeBase "file:.${/}cb3${/}" {
+grant codeBase "file:${scratch.dir}${/}cb3${/}*" {
     permission java.security.AllPermission;
 };
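
Review bot: `getPolicy` is added to the unconditional `grant { }` block, so every codebase this test loads receives it, although the commit log describes the permission as the guard that stops user code from reading policy information through ConcurrentPolicyFile. If the harness allows it, scope the grant to the test's own codebase so the untrusted test codebases do not inherit it. The cb3 grant now depends on `${scratch.dir}`, which is only set by the `-Dscratch.dir` arg added in build.xml, so running the test outside that Ant target leaves the codeBase unexpanded; the trailing `*` also widens the match from class files in the directory to JAR files there as well.
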

Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/basePolicyNotFound/policy
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/basePolicyNotFound/policy?rev=1235063&r1=1235062&r2=1235063&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/basePolicyNotFound/policy (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/basePolicyNotFound/policy Mon Jan 23 23:29:10 2012
@@ -15,4 +15,5 @@ grant {
     permission java.lang.RuntimePermission "setSecurityManager";
     permission java.security.SecurityPermission "getProperty.*";
     permission java.security.SecurityPermission "setProperty.*";
+    permission java.security.SecurityPermission "getPolicy";
 };

Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/domainCaching/policy
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/domainCaching/policy?rev=1235063&r1=1235062&r2=1235063&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/domainCaching/policy (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/domainCaching/policy Mon Jan 23 23:29:10 2012
@@ -14,6 +14,7 @@ grant {
     permission java.lang.RuntimePermission "accessClassInPackage.*";
     permission java.util.PropertyPermission "*", "read";
     permission java.security.SecurityPermission "getProperty.*";
+    permission java.security.SecurityPermission "getPolicy";
     permission java.io.FilePermission ".", "read,write,delete";
     permission java.io.FilePermission ".${/}-", "read,write,delete";
     permission java.io.FilePermission "${test.classes}", "read,write,delete";

Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/dynamicBasePolicy/Test.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/dynamicBasePolicy/Test.java?rev=1235063&r1=1235062&r2=1235063&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/dynamicBasePolicy/Test.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/dynamicBasePolicy/Test.java Mon Jan 23 23:29:10 2012
@@ -50,9 +50,9 @@ public class Test {
 	}
 
 	p = new RuntimePermission("C");
+        if (policy1.implies(pd, p)) throw new Error();
 	policy2.grant(cl, null, new Permission[]{ p });
-	if (policy1.implies(pd, p) || !policy2.implies(pd, p)) {
-	    throw new Error();
-	}
+	if (policy1.implies(pd, p)) throw new Error();
+        if (!policy2.implies(pd, p)) throw new Error();
     }
 }
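
Review bot: The new pre-grant assertion covers only `policy1`; to show that `policy2.grant` is what makes the permission appear, also assert `!policy2.implies(pd, p)` before the grant. The split checks throw a bare `new Error()` with no message, and the added lines mix space and tab indentation with the surrounding code.
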

Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/dynamicBasePolicy/policy
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/dynamicBasePolicy/policy?rev=1235063&r1=1235062&r2=1235063&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/dynamicBasePolicy/policy (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/dynamicBasePolicy/policy Mon Jan 23 23:29:10 2012
@@ -16,4 +16,5 @@ grant {
     permission java.lang.RuntimePermission "accessClassInPackage.*";
     permission java.lang.RuntimePermission "getProtectionDomain";
     permission java.security.SecurityPermission "getProperty.*";
+    permission java.security.SecurityPermission "getPolicy";
 };

Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/nullCases/policy
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/nullCases/policy?rev=1235063&r1=1235062&r2=1235063&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/nullCases/policy (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/nullCases/policy Mon Jan 23 23:29:10 2012
@@ -13,4 +13,5 @@ grant {
     permission java.lang.RuntimePermission "accessClassInPackage.*";
     permission java.lang.RuntimePermission "setSecurityManager";
     permission java.security.SecurityPermission "getProperty.*";
+    permission java.security.SecurityPermission "getPolicy";
 };

Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/principalGrants/policy
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/principalGrants/policy?rev=1235063&r1=1235062&r2=1235063&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/principalGrants/policy (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/principalGrants/policy Mon Jan 23 23:29:10 2012
@@ -23,4 +23,5 @@ grant {
     permission java.lang.RuntimePermission "setSecurityManager";
     permission java.util.PropertyPermission "*", "read";
     permission java.security.SecurityPermission "getProperty.*";
+    permission java.security.SecurityPermission "getPolicy";
 };

Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/selfGrants/policy.0
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/selfGrants/policy.0?rev=1235063&r1=1235062&r2=1235063&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/selfGrants/policy.0 (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/DynamicPolicyProvider/selfGrants/policy.0 Mon Jan 23 23:29:10 2012
@@ -20,4 +20,5 @@ grant {
     permission java.util.PropertyPermission "test.src", "read";
     permission java.security.SecurityPermission "getProperty.*";
     permission java.security.SecurityPermission "setPolicy";
+    permission java.security.SecurityPermission "getPolicy";
 };

Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/basePolicyNotFound/policy
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/basePolicyNotFound/policy?rev=1235063&r1=1235062&r2=1235063&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/basePolicyNotFound/policy (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/basePolicyNotFound/policy Mon Jan 23 23:29:10 2012
@@ -15,4 +15,5 @@ grant {
     permission java.lang.RuntimePermission "setSecurityManager";
     permission java.security.SecurityPermission "getProperty.*";
     permission java.security.SecurityPermission "setProperty.*";
+    permission java.security.SecurityPermission "getPolicy";
 };

Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/basicGrants/policy.0
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/basicGrants/policy.0?rev=1235063&r1=1235062&r2=1235063&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/basicGrants/policy.0 (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/basicGrants/policy.0 Mon Jan 23 23:29:10 2012
@@ -17,6 +17,7 @@ grant {
         "java.security.policy", "read,write";
     permission java.util.PropertyPermission "test.src", "read";
     permission java.security.SecurityPermission "getProperty.*";
+    permission java.security.SecurityPermission "getPolicy";
 };
 
 grant codeBase "file:/foo/*" {

Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/nullCases/policy
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/nullCases/policy?rev=1235063&r1=1235062&r2=1235063&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/nullCases/policy (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/nullCases/policy Mon Jan 23 23:29:10 2012
@@ -13,4 +13,5 @@ grant {
     permission java.lang.RuntimePermission "accessClassInPackage.*";
     permission java.lang.RuntimePermission "setSecurityManager";
     permission java.security.SecurityPermission "getProperty.*";
+    permission java.security.SecurityPermission "getPolicy";
 };

Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/umbrellaGrants/policy
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/umbrellaGrants/policy?rev=1235063&r1=1235062&r2=1235063&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/umbrellaGrants/policy (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/policy/PolicyFileProvider/umbrellaGrants/policy Mon Jan 23 23:29:10 2012
@@ -1,7 +1,7 @@
 /* @summary Test PolicyFileProvider expansion of UmbrellaGrantPermissions
  */
 
-grant codeBase "file:${java.home}/lib/ext/*" {
+grant codeBase "file:${{java.ext.dirs}}/*" {
     permission java.security.AllPermission;
 };
 
@@ -13,6 +13,7 @@ grant {
     permission java.lang.RuntimePermission "accessClassInPackage.*";
     permission java.lang.RuntimePermission "setSecurityManager";
     permission java.security.SecurityPermission "getProperty.*";
+    permission java.security.SecurityPermission "getPolicy";
 };
 
 grant codeBase "file:/foo.jar" {

Modified: river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/porter/policy
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/porter/policy?rev=1235063&r1=1235062&r2=1235063&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/porter/policy (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/qa/jtreg/net/jini/security/porter/policy Mon Jan 23 23:29:10 2012
@@ -1,5 +1,5 @@
-grant codeBase "file:${java.home}/lib/ext/*" {
-	permission java.security.AllPermission;
+grant codeBase "file:${{java.ext.dirs}}/*" {
+    permission java.security.AllPermission;
 };
 
 grant codeBase "file:${jtlib.tmp}/*" {
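
Review bot: the `AllPermission` grant on the first line now follows whatever `java.ext.dirs` resolves to at run time rather than the fixed `${java.home}/lib/ext`, so the set of fully trusted directories depends on how the test JVM is launched. `java.ext.dirs` can name several directories, and the `${{...}}` form is a different expansion from the plain `${...}` property substitution used in the `${jtlib.tmp}` grant below it, so please confirm that the policy parser under test expands it per directory and that no directory on that path is writable by the code being tested. The tab-to-spaces change on the `permission` line is unrelated and could go in a separate cleanup.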

Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/GrantPermission.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/GrantPermission.java?rev=1235063&r1=1235062&r2=1235063&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/GrantPermission.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/GrantPermission.java Mon Jan 23 23:29:10 2012
@@ -765,9 +765,9 @@ public final class GrantPermission exten
 	private static final ObjectStreamField[] serialPersistentFields = {
 	    new ObjectStreamField("perms", List.class, true)
 	};
-
-	private Collection<Permission> perms = 
-                new TreeSet<Permission>(new PermissionComparator());
+        
+        // Serial form.
+	private List<Permission> perms = new ArrayList<Permission>();
 	private Implier implier = new Implier();
 
 	public synchronized void add(Permission p) {
@@ -778,10 +778,11 @@ public final class GrantPermission exten
 		throw new SecurityException(
 		    "can't add to read-only PermissionCollection");
 	    }
-	    if (!perms.contains(p)){
-		perms.add(p);
-		implier.add((GrantPermission) p);
-	    }
+            // No longer rely on TreeSet to ensure correctness, just don't
+            // add twice, in other words check must be external.
+            perms.add(p);
+            implier.add((GrantPermission) p);
+	    
 	}
 	
 	public synchronized Enumeration<Permission> elements() {
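
Review bot: with the `contains` check removed from `add`, a permission added twice is now stored twice in `perms` and passed twice to `implier.add`, and the new comment's requirement that the "check must be external" is not enforced anywhere in this hunk. Since the previous hunk marks this list as the serial form, duplicates would also be carried into the serialized collection. Either keep a duplicate check here or state the caller contract in the method's javadoc, and say what replaces the ordering that `PermissionComparator` used to impose.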

Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/DynamicPolicyProvider.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/DynamicPolicyProvider.java?rev=1235063&r1=1235062&r2=1235063&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/DynamicPolicyProvider.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/security/policy/DynamicPolicyProvider.java Mon Jan 23 23:29:10 2012
@@ -174,6 +174,14 @@ public class DynamicPolicyProvider exten
             "net.jini.security.policy.DynamicPolicyProvider.revocation";
     private static final Logger logger = Logger.getLogger("net.jini.security.policy");
     
+    private static final ProtectionDomain policyDomain = 
+            AccessController.doPrivileged(new PrivilegedAction<ProtectionDomain>(){
+            
+            public ProtectionDomain run() {
+                return DynamicPolicyProvider.class.getProtectionDomain();
+            }
+        });
+    
     /* 
      * Copy referent before use.
      * 
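
Review bot: `policyDomain` is now taken from `DynamicPolicyProvider.class` instead of `getClass()`, which changes behaviour for subclasses: the class is public and not final, and a subclass loaded from a different code source used to have its own domain stored here, whereas now only the domain of this class is. That affects the `domain == policyDomain` shortcut in `implies` and the `basePolicy.getPermissions(policyDomain)` call in both constructors. If the narrowing is intended, say so in a comment on the field; a short note on why the lookup needs `doPrivileged` (the permission check in `getProtectionDomain`) would help too.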
@@ -205,7 +213,7 @@ public class DynamicPolicyProvider exten
     private final Permission implementsPermissionGrant;
     private final Guard protectionDomainPermission;
     
-    private final ProtectionDomain policyDomain;
+    
     private final PermissionCollection policyPermissions;
     
     /**
@@ -281,7 +289,6 @@ public class DynamicPolicyProvider exten
         basePolicyIsRemote = basePolicy instanceof RemotePolicy ?true: false;
         basePolicyIsConcurrent = basePolicy instanceof ConcurrentPolicy 
                 ? ((ConcurrentPolicy) basePolicy).isConcurrent() : false;
-        policyDomain = getClass().getProtectionDomain();
         policyPermissions = basePolicy.getPermissions(policyDomain);
         policyPermissions.setReadOnly();
     }
@@ -320,7 +327,6 @@ public class DynamicPolicyProvider exten
         basePolicyIsRemote = basePolicy instanceof RemotePolicy ?true: false;
         basePolicyIsConcurrent = basePolicy instanceof ConcurrentPolicy 
                 ? ((ConcurrentPolicy) basePolicy).isConcurrent() : false;
-        policyDomain = getClass().getProtectionDomain();
         policyPermissions = basePolicy.getPermissions(policyDomain);
         policyPermissions.setReadOnly();
     }
@@ -530,7 +536,6 @@ Put the policy providers and all referen
     public boolean implies(ProtectionDomain domain, Permission permission) {
         if (domain == policyDomain) return policyPermissions.implies(permission);
         if (basePolicyIsDynamic || basePolicyIsRemote){
-            // Total delegation revoke supported only by underlying policy.
             if (basePolicy.implies(domain, permission)) return true;
         }
 	if (permission == null) throw new NullPointerException("permission not allowed to be null");
@@ -671,32 +676,31 @@ Put the policy providers and all referen
         return true;
     }
 
-    public void grant(Class cl, Principal[] principals, Permission[] permissions) {
+    public void grant(final Class cl, Principal[] principals, Permission[] permissions) {
         if (principals == null){ principals = new Principal[0];}
         checkNullElements(principals);
         // This has to be after checkNullElements principals or we fail the NullCases test.
         if (permissions == null || permissions.length == 0) {return;}
         checkNullElements(permissions);
-        if ( basePolicyIsDynamic ){
-            /* Delegate, otherwise, if base policy is an instance of this class, we
-             * may have multi combinations of permissions that together should
-             * be true but become separated as this implementation will not
-             * return any dynamically granted permissions via getPermissions(
-             * because doing so would mean loosing revoke ability.
-             */
-            DynamicPolicy dp = (DynamicPolicy) basePolicy;
-            dp.grant(cl, principals, permissions);
-            return;
-        }
+        // Not delgated to base policy.
         SecurityManager sm = System.getSecurityManager();
         if (sm != null){
             sm.checkPermission(new GrantPermission(permissions));
         }
-        PermissionGrantBuilder pgb = PermissionGrantBuilder.newBuilder();
-        PermissionGrant pe = pgb.clazz(cl).principals(principals)
-                .permissions(permissions)
-                .context(PermissionGrantBuilder.CLASSLOADER)
-                .build();
+        final PermissionGrantBuilder pgb = PermissionGrantBuilder.newBuilder();
+        pgb.principals(principals)
+            .permissions(permissions)
+            .context(PermissionGrantBuilder.CLASSLOADER);
+        AccessController.doPrivileged(
+            new PrivilegedAction(){
+            
+                public Object run() {
+                    pgb.clazz(cl);
+                    return null;
+                }
+                 
+            });
+        PermissionGrant pe = pgb.build();
 	dynamicPolicyGrants.add(pe);
 	if (loggable){
 	    logger.log(Level.FINEST, "Granting: {0}", pe.toString());
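
Review bot: the block that delegated to the base policy is deleted together with the comment explaining why it existed (permissions split across two dynamic policies that should be implied together), and the replacement comment, "Not delgated to base policy.", has a typo and does not say why that concern no longer applies. Please record the reason, since `getGrants` and `revoke` lose their delegation in the same commit and the three must stay consistent. In the new `doPrivileged` call, use `PrivilegedAction<Void>` rather than the raw type and note which permission `pgb.clazz(cl)` needs; the call is placed after the `GrantPermission` check, so a caller still cannot reach it without that permission when a security manager is installed.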
@@ -705,9 +709,6 @@ Put the policy providers and all referen
     
     // documentation inherited from DynamicPolicy.getGrants
     public Permission[] getGrants(Class cl, Principal[] principals) {
-	if (basePolicyIsDynamic){
-	    return ((DynamicPolicy)basePolicy).getGrants(cl, principals);
-	}
         ClassLoader loader = null;
         if( cl != null ) {
             loader = cl.getClassLoader();
@@ -732,10 +733,6 @@ Put the policy providers and all referen
 
     public Permission[] revoke(Class cl, Principal[] principals) {
 	revokePermission.checkGuard(null);
-        if (basePolicyIsDynamic && revokeable){
-            RevocablePolicy bp = (RevocablePolicy) basePolicy;
-            return bp.revoke(cl, principals);
-        }
         ClassLoader loader = null;
         if( cl != null ) {
             loader = cl.getClassLoader();

Modified: river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/url/httpmd/Handler.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/url/httpmd/Handler.java?rev=1235063&r1=1235062&r2=1235063&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/url/httpmd/Handler.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/net/jini/url/httpmd/Handler.java Mon Jan 23 23:29:10 2012
@@ -226,6 +226,29 @@ public class Handler extends URLStreamHa
 	    }
 	}
     }
+    
+    /**
+     * The default superclass implementation performs dns lookup to determine
+     * if hosts are equal, this allows two URL's with different hashCode's
+     * to be equal, breaking the hashCode equals contract.
+     * 
+     * It also causes a test failure in the jtreg test suite.
+     * 
+     * 
+     * *** Start test: Mon Jan 23 08:11:26 EST 2012
+     * [jtreg] Test 9: TestEqual: httpmd://foo:88/bar/baz;p1=v1;md5=abcd?q#r, httpmd://alpha:88/bar/baz;p1=v1;md5=abcd?q#r
+     * [jtreg] FAIL: Should be: false
+     * [jtreg]       Result: true
+     * 
+     * URL.implies(URL url) is better suited to perform this function, why
+     * it was originally implemented in equals is unknown.
+     */
+    protected boolean hostsEqual(URL u1, URL u2) {
+	if (u1.getHost() != null && u2.getHost() != null) 
+            return u1.getHost().equalsIgnoreCase(u2.getHost());
+	 else
+            return u1.getHost() == null && u2.getHost() == null;
+    }
 
     /**
      * Compares two HTTPMD URLs to see if they refer to the same file. Performs
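
Review bot: the javadoc on `hostsEqual` carries a pasted jtreg log and an open question about history, and it refers to `URL.implies(URL url)`, which is not a method of `java.net.URL`; if `CodeSource.implies` is meant, name it. Move the test output to the commit message and keep the javadoc to the contract: hosts are compared as case-insensitive strings with no DNS lookup, so a host name and its IP address no longer compare equal. The method also calls `getHost()` twice per URL and uses an unbraced `if`/`else`; reading each host into a local once would make the null handling easier to follow.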
@@ -317,15 +340,15 @@ public class Handler extends URLStreamHa
 	}
 
         /* Generate the host part */
-	InetAddress addr = getHostAddress(u);
-	if (addr != null) {
-	    h += addr.hashCode();
-	} else {
+//	InetAddress addr = getHostAddress(u);
+//	if (addr != null) {
+//	    h += addr.hashCode();
+//	} else {
             String host = u.getHost();
             if (host != null) {
 	        h += host.toLowerCase().hashCode();
 	    }
-        }
+//        }
 
 	/*
 	 * Generate the path part, ignoring case in the message digest and
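
Review bot: the host part of the hash uses `host.toLowerCase()`, which depends on the default locale, while the new `hostsEqual` uses `equalsIgnoreCase`, which does not; under a locale such as Turkish, two hosts that differ only in the case of `I` compare equal but hash differently, which is the contract violation this change sets out to remove. Use `toLowerCase(Locale.ENGLISH)` (or another fixed locale) here. The `InetAddress` lookup should be deleted rather than commented out, and the surviving block re-indented.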

Modified: river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/ConcurrentPolicyFile.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/ConcurrentPolicyFile.java?rev=1235063&r1=1235062&r2=1235063&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/ConcurrentPolicyFile.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/ConcurrentPolicyFile.java Mon Jan 23 23:29:10 2012
@@ -36,6 +36,7 @@ import java.security.Permission;
 import java.security.PermissionCollection;
 import java.security.Permissions;
 import java.security.Policy;
+import java.security.PrivilegedAction;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
 import java.security.ProtectionDomain;
@@ -182,7 +183,13 @@ public class ConcurrentPolicyFile extend
     
     private static final Guard guard = new SecurityPermission("getPolicy");
     
-    private final ProtectionDomain myDomain;
+    private static final ProtectionDomain myDomain = 
+        AccessController.doPrivileged(new PrivilegedAction<ProtectionDomain>(){
+            
+            public ProtectionDomain run() {
+                return ConcurrentPolicyFile.class.getProtectionDomain();
+            }
+        });
     
     private final Comparator<Permission> comparator;
     
@@ -205,7 +212,6 @@ public class ConcurrentPolicyFile extend
     protected ConcurrentPolicyFile(PolicyParser dpr, Comparator<Permission> comp) throws PolicyInitializationException {
         guard.checkGuard(null);
         parser = dpr;
-        myDomain = this.getClass().getProtectionDomain();
         comparator = comp;
         /*
          * The bootstrap policy makes implies decisions until this constructor

Modified: river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java
URL: http://svn.apache.org/viewvc/river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java?rev=1235063&r1=1235062&r2=1235063&view=diff
==============================================================================
--- river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java (original)
+++ river/jtsk/skunk/peterConcurrentPolicy/src/org/apache/river/api/security/URIGrant.java Mon Jan 23 23:29:10 2012
@@ -356,8 +356,7 @@ class URIGrant extends CertificateGrant 
             // compatbility with URL.getFile
             String thisFile = grant.getPath();
             String thatFile = implied.getPath();
-            if (thatFile == null) return false;
-
+            if (thatFile == null || thisFile == null) return false;
             if (thisFile.endsWith("/-")) { //javadoc:3.6."/-" //$NON-NLS-1$
                 if (!thatFile.startsWith(thisFile.substring(0, thisFile
                         .length() - 2))) {
@@ -384,7 +383,7 @@ class URIGrant extends CertificateGrant 
                     }
                 }
             }
-
+            
             //javadoc:3.7
             // A URL Anchor is a URI Fragment.
             if (grant.getFragment() != null) {



Re: svn commit: r1235063 - in /river/jtsk/skunk/peterConcurrentPolicy: bouncy-castle/ qa/ qa/jtreg/certs/ qa/jtreg/net/jini/jeri/tcp/localHostExposure/ qa/jtreg/net/jini/jeri/transport/multihomed/ qa/jtreg/net/jini/security/Security/implicitGrants/ qa/jtre...

Posted by Peter Firmstone <ji...@zeus.net.au>.
Simon IJskes - QCG wrote:
> On 24-01-12 00:29, peter_firmstone@apache.org wrote:
>>
>> Commenced writing a bouncy castle self signed certificate generator 
>> to replace DSTC JCSI.
>>
>
> You know you can generate self signed certificates with the java jdk 
> keytool?
>
> Gr. Sim
>
Hmm, it uses keytool, but doesn't use keytool to generate the keys and 
certificate.  The private key is encrypted and password protected before 
writing to file.  I just figured it was best to replicate it blindly 
without asking why.

Cheers,

Peter.

Re: svn commit: r1235063 - in /river/jtsk/skunk/peterConcurrentPolicy: bouncy-castle/ qa/ qa/jtreg/certs/ qa/jtreg/net/jini/jeri/tcp/localHostExposure/ qa/jtreg/net/jini/jeri/transport/multihomed/ qa/jtreg/net/jini/security/Security/implicitGrants/ qa/jtre...

Posted by Peter Firmstone <ji...@zeus.net.au>.
Simon IJskes - QCG wrote:
> On 24-01-12 00:29, peter_firmstone@apache.org wrote:
>>
>> Commenced writing a bouncy castle self signed certificate generator 
>> to replace DSTC JCSI.
>>
>
> You know you can generate self signed certificates with the java jdk 
> keytool?
>
> Gr. Sim
>
The tool used to generate two test Certificate Authorities and used 
these to sign user certificates that were generated separately by 
keytool.  The CertificateAuthorities certs are self signed, but the user 
certs aren't.  Keytool generates the certificate requests, and the CA 
tool used to generate the certificate chains, then keytool was used to 
import these certificate chains into the users trust stores.

Cheers,

Peter.

Re: svn commit: r1235063 - in /river/jtsk/skunk/peterConcurrentPolicy: bouncy-castle/ qa/ qa/jtreg/certs/ qa/jtreg/net/jini/jeri/tcp/localHostExposure/ qa/jtreg/net/jini/jeri/transport/multihomed/ qa/jtreg/net/jini/security/Security/implicitGrants/ qa/jtre...

Posted by Peter Firmstone <ji...@zeus.net.au>.
Simon IJskes - QCG wrote:
> On 24-01-12 00:29, peter_firmstone@apache.org wrote:
>>
>> Commenced writing a bouncy castle self signed certificate generator 
>> to replace DSTC JCSI.
>>
>
> You know you can generate self signed certificates with the java jdk 
> keytool?
>
> Gr. Sim
>
I'm not sure if I've got the order correct, although make reported 
errors. I'm going to run the jtreg tests again anyway and see what breaks.

Cheers,

Peter.

bash-3.00$ make compile
/usr/jdk/jdk1.6.0_30/bin/javac \
  -d . \
  -classpath .:../../../bouncy-castle/bcprov-jdk16-146.jar:../../../bouncy-castle/bcmail-jdk16-146.jar \
  *.java
bash-3.00$ ./run-ca.sh ./test-ca1.properties
bash-3.00$ ls keys
old            test-ca1.cert  test-ca1.key
bash-3.00$ ./run-ca.sh ./test-ca2.properties
bash-3.00$ ls
CA.class             keys                 keystest-ca1.key     Makefile             run-ca.sh            test-ca2.properties
CA.java              keystest-ca1.cert    keystores            password             test-ca1.properties
bash-3.00$ rm keyst
keystest-ca1.cert  keystest-ca1.key   keystores/
bash-3.00$ rm keystest-ca1.*
bash-3.00$ ls
CA.class             keys                 Makefile             run-ca.sh            test-ca2.properties
CA.java              keystores            password             test-ca1.properties
bash-3.00$ ls keys
old            test-ca1.cert  test-ca1.key   test-ca2.cert  test-ca2.key
bash-3.00$ ls keystores
test-ca.truststore    test-user1A.keystore  test-user1D.keystore  test-user2B.keystore  test-user2E.keystore
test-ca1.truststore   test-user1B.keystore  test-user1E.keystore  test-user2C.keystore  users.truststore
test-ca2.truststore   test-user1C.keystore  test-user2A.keystore  test-user2D.keystore
bash-3.00$ ls
CA.class             keys                 Makefile             run-ca.sh            test-ca2.properties
CA.java              keystores            password             test-ca1.properties
bash-3.00$ mv keystores keystores.old
bash-3.00$ mkdir keystores
bash-3.00$ ls keystores.old/
test-ca.truststore    test-user1A.keystore  test-user1D.keystore  test-user2B.keystore  test-user2E.keystore
test-ca1.truststore   test-user1B.keystore  test-user1E.keystore  test-user2C.keystore  users.truststore
test-ca2.truststore   test-user1C.keystore  test-user2A.keystore  test-user2D.keystore
bash-3.00$ ls keystores.old/users.truststore
keystores.old/users.truststore
bash-3.00$ ant create
Buildfile: build.xml does not exist!
Build failed
bash-3.00$ make create
rm -f keystores/*.*store
rm -rf requests
mkdir requests
for c in 1 2; do \
    for u in A B C D E; do \
        echo Creating Test User $c$u; \
        /usr/jdk/jdk1.6.0_30/bin/keytool -storepass keypass -keypass keypass -validity 3650 \
            -genkey \
            -keystore keystores/test-user$c$u.keystore \
            -alias test-user$c$u \
            -dname "CN=Test User $c$u, OU=Jini Group, O=Sun Microsystems Inc, L=Burlington, ST=MA, C=US"; \
        /usr/jdk/jdk1.6.0_30/bin/keytool -storepass keypass -keypass keypass -validity 3650 \
            -certreq \
            -keystore keystores/test-user$c$u.keystore \
            -alias test-user$c$u \
            -file requests/test-user$c$u.request; \
    done; \
done
Creating Test User 1A
Creating Test User 1B
Creating Test User 1C
Creating Test User 1D
Creating Test User 1E
Creating Test User 2A
Creating Test User 2B
Creating Test User 2C
Creating Test User 2D
Creating Test User 2E
bash-3.00$ make create_users_truststore
rm -f keystores/users.truststore
for c in 1 2; do \
    for u in A B C D E; do \
        /usr/jdk/jdk1.6.0_30/bin/keytool -storepass keypass -keypass keypass -validity 3650 \
            -export \
            -keystore keystores/test-user$c$u.keystore \
            -alias test-user$c$u -file /tmp/tmp.cert; \
        /usr/jdk/jdk1.6.0_30/bin/keytool -storepass keypass -keypass keypass -validity 3650 \
            -import \
            -keystore keystores/users.truststore \
            -alias test-user$c$u -noprompt -file /tmp/tmp.cert; \
    done; \
done
Certificate stored in file </tmp/tmp.cert>
Certificate was added to keystore
Certificate stored in file </tmp/tmp.cert>
Certificate was added to keystore
Certificate stored in file </tmp/tmp.cert>
Certificate was added to keystore
Certificate stored in file </tmp/tmp.cert>
Certificate was added to keystore
Certificate stored in file </tmp/tmp.cert>
Certificate was added to keystore
Certificate stored in file </tmp/tmp.cert>
Certificate was added to keystore
Certificate stored in file </tmp/tmp.cert>
Certificate was added to keystore
Certificate stored in file </tmp/tmp.cert>
Certificate was added to keystore
Certificate stored in file </tmp/tmp.cert>
Certificate was added to keystore
Certificate stored in file </tmp/tmp.cert>
Certificate was added to keystore
rm -f /tmp/tmp.cert
bash-3.00$ make import
for c in 1 2; do \
    /usr/jdk/jdk1.6.0_30/bin/keytool -storepass keypass -keypass keypass -validity 3650 \
        -import \
        -noprompt \
        -keystore keystores/test-ca$c.truststore \
        -alias test-ca$c \
        -file keys/test-ca$c.cert; \
    /usr/jdk/jdk1.6.0_30/bin/keytool -storepass keypass -keypass keypass -validity 3650 \
        -import \
        -noprompt \
        -keystore keystores/test-ca.truststore \
        -alias test-ca$c \
        -file keys/test-ca$c.cert; \
    for u in A B C D E; do \
        /usr/jdk/jdk1.6.0_30/bin/keytool -storepass keypass -keypass keypass -validity 3650 \
            -import \
            -noprompt \
            -keystore keystores/test-user$c$u.keystore \
            -alias test-user$c$u \
            -file requests/test-user$c$u.chain; \
    done; \
done
Certificate was added to keystore
Certificate was added to keystore
keytool error: java.io.FileNotFoundException: requests/test-user1A.chain (No such file or directory)
*** Error code 1
make: Fatal error: Command failed for target `import'
bash-3.00$ ls requests/
test-user1A.request  test-user1C.request  test-user1E.request  test-user2B.request  test-user2D.request
test-user1B.request  test-user1D.request  test-user2A.request  test-user2C.request  test-user2E.request
bash-3.00$


Re: svn commit: r1235063 - in /river/jtsk/skunk/peterConcurrentPolicy: bouncy-castle/ qa/ qa/jtreg/certs/ qa/jtreg/net/jini/jeri/tcp/localHostExposure/ qa/jtreg/net/jini/jeri/transport/multihomed/ qa/jtreg/net/jini/security/Security/implicitGrants/ qa/jtre...

Posted by Simon IJskes - QCG <si...@qcg.nl>.
On 24-01-12 00:29, peter_firmstone@apache.org wrote:
>
> Commenced writing a bouncy castle self signed certificate generator to replace DSTC JCSI.
>

You know you can generate self signed certificates with the java jdk 
keytool?

Gr. Sim

-- 
QCG, Software for SMEs, 071-5890970, http://www.qcg.nl
Quality Consultancy Group b.v., Leiderdorp, Chamber of Commerce The Hague: 28088397