diff options
author | Kenny Root <kroot@google.com> | 2014-05-05 10:28:58 -0700 |
---|---|---|
committer | Kenny Root <kroot@google.com> | 2014-11-05 13:50:08 -0800 |
commit | 2a64eecc02ffb5b991fb5c367eab777b1325eef8 (patch) | |
tree | 334e57a2781022c00b443e8660d242513cd99111 | |
parent | dac964172756e29cbcfc8636a4722967decbea55 (diff) | |
download | bouncycastle-2a64eecc02ffb5b991fb5c367eab777b1325eef8.tar.gz |
Avoid things that cause CertBlacklist to be preinitializedandroid-5.1.1_r5android-5.1.1_r28android-5.1.1_r22android-5.1.1_r17android-5.1.1_r12lollipop-mr1-wfc-releaselollipop-mr1-dev
Move the CertBlacklist instance to a NoPreloadHolder, then move the
System.getenv call in CertBlacklist to a constructor so it's not called
during class initialization.
(cherry picked from commit 7a21b9a68f2c90bdde986a98a55816d0cf3ea73e)
Bug: 18013422
Change-Id: I39d0f43f948dec243d2d7cb79726d0642638b77a
3 files changed, 29 insertions, 25 deletions
diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/CertBlacklist.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/CertBlacklist.java index 39ba0ff9..c62966d5 100644 --- a/bcprov/src/main/java/org/bouncycastle/jce/provider/CertBlacklist.java +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/CertBlacklist.java @@ -34,12 +34,6 @@ import org.bouncycastle.crypto.digests.AndroidDigestFactory; import org.bouncycastle.util.encoders.Hex; public class CertBlacklist { - - private static final String ANDROID_DATA = System.getenv("ANDROID_DATA"); - private static final String BLACKLIST_ROOT = ANDROID_DATA + "/misc/keychain/"; - public static final String DEFAULT_PUBKEY_BLACKLIST_PATH = BLACKLIST_ROOT + "pubkey_blacklist.txt"; - public static final String DEFAULT_SERIAL_BLACKLIST_PATH = BLACKLIST_ROOT + "serial_blacklist.txt"; - private static final Logger logger = Logger.getLogger(CertBlacklist.class.getName()); // public for testing @@ -47,13 +41,19 @@ public class CertBlacklist { public final Set<byte[]> pubkeyBlacklist; public CertBlacklist() { - this(DEFAULT_PUBKEY_BLACKLIST_PATH, DEFAULT_SERIAL_BLACKLIST_PATH); + String androidData = System.getenv("ANDROID_DATA"); + String blacklistRoot = androidData + "/misc/keychain/"; + String defaultPubkeyBlacklistPath = blacklistRoot + "pubkey_blacklist.txt"; + String defaultSerialBlacklistPath = blacklistRoot + "serial_blacklist.txt"; + + pubkeyBlacklist = readPublicKeyBlackList(defaultPubkeyBlacklistPath); + serialBlacklist = readSerialBlackList(defaultSerialBlacklistPath); } /** Test only interface, not for public use */ public CertBlacklist(String pubkeyBlacklistPath, String serialBlacklistPath) { - serialBlacklist = readSerialBlackList(serialBlacklistPath); pubkeyBlacklist = readPublicKeyBlackList(pubkeyBlacklistPath); + serialBlacklist = readSerialBlackList(serialBlacklistPath); } private static boolean isHex(String value) { diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java index af764f30..d8efa6a6 100644 --- a/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java +++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java @@ -37,7 +37,9 @@ public class PKIXCertPathValidatorSpi extends CertPathValidatorSpi { // BEGIN android-added - private final static CertBlacklist blacklist = new CertBlacklist(); + private static class NoPreloadHolder { + private final static CertBlacklist blacklist = new CertBlacklist(); + } // END android-added public CertPathValidatorResult engineValidate( @@ -87,7 +89,7 @@ public class PKIXCertPathValidatorSpi if (cert != null) { BigInteger serial = cert.getSerialNumber(); - if (blacklist.isSerialNumberBlackListed(serial)) { + if (NoPreloadHolder.blacklist.isSerialNumberBlackListed(serial)) { // emulate CRL exception message in RFC3280CertPathUtilities.checkCRLs String message = "Certificate revocation of serial 0x" + serial.toString(16); System.out.println(message); @@ -274,7 +276,7 @@ public class PKIXCertPathValidatorSpi for (index = certs.size() - 1; index >= 0; index--) { // BEGIN android-added - if (blacklist.isPublicKeyBlackListed(workingPublicKey)) { + if (NoPreloadHolder.blacklist.isPublicKeyBlackListed(workingPublicKey)) { // emulate CRL exception message in RFC3280CertPathUtilities.checkCRLs String message = "Certificate revocation of public key " + workingPublicKey; System.out.println(message); diff --git a/patches/bcprov.patch b/patches/bcprov.patch index 0880f971..a22ef4d6 100644 --- a/patches/bcprov.patch +++ b/patches/bcprov.patch @@ -7085,12 +7085,6 @@ diff -Naur bcprov-jdk15on-150.orig/org/bouncycastle/jce/provider/CertBlacklist.j +import org.bouncycastle.util.encoders.Hex; + +public class CertBlacklist { -+ -+ private static final String ANDROID_DATA = System.getenv("ANDROID_DATA"); -+ private static final String BLACKLIST_ROOT = ANDROID_DATA + "/misc/keychain/"; -+ public static final String DEFAULT_PUBKEY_BLACKLIST_PATH = BLACKLIST_ROOT + "pubkey_blacklist.txt"; -+ public static final String DEFAULT_SERIAL_BLACKLIST_PATH = BLACKLIST_ROOT + "serial_blacklist.txt"; -+ + private static final Logger logger = Logger.getLogger(CertBlacklist.class.getName()); + + // public for testing @@ -7098,13 +7092,19 @@ diff -Naur bcprov-jdk15on-150.orig/org/bouncycastle/jce/provider/CertBlacklist.j + public final Set<byte[]> pubkeyBlacklist; + + public CertBlacklist() { -+ this(DEFAULT_PUBKEY_BLACKLIST_PATH, DEFAULT_SERIAL_BLACKLIST_PATH); ++ String androidData = System.getenv("ANDROID_DATA"); ++ String blacklistRoot = androidData + "/misc/keychain/"; ++ String defaultPubkeyBlacklistPath = blacklistRoot + "pubkey_blacklist.txt"; ++ String defaultSerialBlacklistPath = blacklistRoot + "serial_blacklist.txt"; ++ ++ pubkeyBlacklist = readPublicKeyBlackList(defaultPubkeyBlacklistPath); ++ serialBlacklist = readSerialBlackList(defaultSerialBlacklistPath); + } + + /** Test only interface, not for public use */ + public CertBlacklist(String pubkeyBlacklistPath, String serialBlacklistPath) { -+ serialBlacklist = readSerialBlackList(serialBlacklistPath); + pubkeyBlacklist = readPublicKeyBlackList(pubkeyBlacklistPath); ++ serialBlacklist = readSerialBlackList(serialBlacklistPath); + } + + private static boolean isHex(String value) { @@ -8179,17 +8179,19 @@ diff -Naur bcprov-jdk15on-150.orig/org/bouncycastle/jce/provider/PKIXCertPathVal import java.security.InvalidAlgorithmParameterException; import java.security.PublicKey; import java.security.cert.CertPath; -@@ -33,6 +36,9 @@ +@@ -33,6 +36,11 @@ public class PKIXCertPathValidatorSpi extends CertPathValidatorSpi { + // BEGIN android-added -+ private final static CertBlacklist blacklist = new CertBlacklist(); ++ private static class NoPreloadHolder { ++ private final static CertBlacklist blacklist = new CertBlacklist(); ++ } + // END android-added public CertPathValidatorResult engineValidate( CertPath certPath, -@@ -75,6 +81,22 @@ +@@ -75,6 +83,22 @@ { throw new CertPathValidatorException("Certification path is empty.", null, certPath, 0); } @@ -8199,7 +8201,7 @@ diff -Naur bcprov-jdk15on-150.orig/org/bouncycastle/jce/provider/PKIXCertPathVal + + if (cert != null) { + BigInteger serial = cert.getSerialNumber(); -+ if (blacklist.isSerialNumberBlackListed(serial)) { ++ if (NoPreloadHolder.blacklist.isSerialNumberBlackListed(serial)) { + // emulate CRL exception message in RFC3280CertPathUtilities.checkCRLs + String message = "Certificate revocation of serial 0x" + serial.toString(16); + System.out.println(message); @@ -8212,12 +8214,12 @@ diff -Naur bcprov-jdk15on-150.orig/org/bouncycastle/jce/provider/PKIXCertPathVal // // (b) -@@ -251,6 +273,15 @@ +@@ -251,6 +275,15 @@ for (index = certs.size() - 1; index >= 0; index--) { + // BEGIN android-added -+ if (blacklist.isPublicKeyBlackListed(workingPublicKey)) { ++ if (NoPreloadHolder.blacklist.isPublicKeyBlackListed(workingPublicKey)) { + // emulate CRL exception message in RFC3280CertPathUtilities.checkCRLs + String message = "Certificate revocation of public key " + workingPublicKey; + System.out.println(message); |