| Commit message | Author | Age | Files | Lines |
| |
Cipher should check that the chosen CipherSpi actually supports
initialization with the given parameters. If not, it should return the
first exception that it ran into so that the developer can have an idea
of why the initialization failed. This is most likely due to unsupported
key or algorithm parameters.
Collapse some functions into one so it's easier to keep track of the
exception that should be thrown should all else fail. Also since we try
to initialize during the CipherSpi selection, there is no need to
initialize the returned CipherSpi again.
Also remove an instanceof check to be in line with other implementations
that just throw a ClassCastException since we now will try other
providers before falling back to throwing the unchecked exception. This
might actually provide better debug messages for a developer working on
a CipherSpi provider.
(cherry picked from commit f591462f7901011b2bce61c3cbbdc54840e5b4bc)
Bug: 22573249
Change-Id: Ieec97a8f00e9c0c3889520a3ec9f8bc4e514b35a
| |
before throwing InvalidKeyException
Also, return saved spi in getSpi instead of recomputing a new one
Bug: 22208820
(cherry picked from commit 8157603ccf1ff124c5bebc8755404a9a825f47d3)
Change-Id: I30a06ef7d9234769b5592a0c7d665c8afa2a8ff8
| | |
To make it easier to spot non-deprecated ciphers in the sea of
deprecated ciphers, try to visually distinguish it with CSS styling.
Bug: 21522548
Change-Id: I802024a3c33f0da394163c393ebd45a3d0bf75d0
| |
In java.security javax.crypto and java.security classes with
late binding, when guessing the provider and none of the
available ones supports the specified key
Bug: 18987633
(cherry pick from e38b83dd96281d178b01476b67d354655bf2de62)
Change-Id: I5931046e9044984baf724157138bf3a7c7ef5e90
| |
Dropped support for non-ephemeral Diffie-Hellman cipher suites, anonymous
authentication, some DES cipher suites, and export cipher suites.
Bug: 21522548
Change-Id: Ie2048d303890935969cc7c1ac7bc9d93705c7a90
| |
Since this is a number range, the appropriate punctuation is actually
en dash.
(cherry picked from commit 814e15db27ab930f59c8e6731b901a6c82b8e262)
Bug: 21522548
Change-Id: I99fe4c3a45b2df00671af4b6b82b21aa2c265820
| |
This reverts commit 050e672aaaaa8f8c57788e8d551f43c5fbffe339.
The users of public getSpi have been migrated to getCurrentSpi
introduced in 5d15925a79b8beddfafa8de2ede7fff360a386cb.
(cherry-picked from commit c52bf74f7e53b9f58bbeb29f4d248e7dba7d15ce)
Bug: 18088752
Change-Id: Ied72c8a62a49d9fba8b7bc2d3ef2e30da7daa6e4
| |
050e672aaaaa8f8c57788e8d551f43c5fbffe339 exposed the existing getSpi
method of Cipher, Signature, Mac, and KeyAgreement as hidden API.
Unfortunately, the getSpi method creates an SPI instance if one is
not yet set. This changes the state of the crypto operation and does
not lend itself well to being used for read-only querying of
the SPI from a crypto operation.
This CL addresses the issue by adding a getCurrentSpi hidden API to
these crypto operations. getCurrentSpi simply returns the current SPI
instance, if any, and does not modify the state of the crypto
operation.
A follow-up CL will revert 050e672aaaaa8f8c57788e8d551f43c5fbffe339
which will no longer be needed. This is not reverted here to avoid
breaking the build.
(cherry-picked from commit 5d15925a79b8beddfafa8de2ede7fff360a386cb)
Bug: 18088752
Change-Id: I8de4c121c9a395b3687b173d0bba4e1931ebf958
| |
Also, fix the package name of the corresponding test so that
vogar isn't confused.
bug: 19245702
Change-Id: I647f0c9ca4c81bb41d4b64088b60f37ebc671e84
| | |
This makes it possible for platform code to obtain the current SPI
implementation of Cipher, Signature, Mac, and KeyAgreement instances.
The current use case is to access additional information about these
crypto operations when they are backed by Android KeyStore.
NOTE: The getSpi API will not and cannot become public framework API.
Bug: 18088752
Change-Id: If575726d288eebc73ffa3209c316fad071a087fd
| | |
Change-Id: I7a5c8095e98f1449fb4efc98061c488fd0b573e2
| | |
Change-Id: I77605ad05ac5e9dfac07f40a2280221f9c641c65
| |
If a Provider is specified in a call to Signature#getInstance,
Cipher#getInstance, KeyAgreement#getInstance, or Mac#getInstance,
it should return that provider no matter if the properties on that
provider say it should support it.
Bug: 19730263
Change-Id: I56045e4cb470a0e1aa0e108a443e04043467c475
| |
Now that Android 5.1 (API Level 22) is out, Javadocs can mention that
DSS TLS/SSL cipher suites were removed after API Level 22. See
fef7818155899c092e6741de049fb7601dfcaf73.
Bug: 17409664
Change-Id: Ibd9da7d3056358492f25695f4949e460f1c98d48
| |
Cipher.update(byte[], int, int inputLen) is supposed to return null
when inputLen is zero. This CL makes it so. Prior to this CL, this
method returned an empty byte array.
Bug: 19100173
Change-Id: I5698f11f76a17dd8fc2509be5d8ec9369a888eaf
| |
Prior to this change, okhttp's OkHostnameVerifier was used by default
for HttpsURLConnection instances unless changed via
HttpsURLConnection.setDefaultHostnameVerifier. However,
HttpsURLConnection.getDefaultHostnameVerifier by default returned a
different HostnameVerifier -- DefaultHostnameVerifier from libcore.
This CL fixes this discrepancy by getting rid of libcore's
DefaultHostnameVerifier and making
HttpsURLConnection.getDefaultHostnameVerifier return okhttp's
OkHostnameVerifier by default.
Bug: 18481199
Change-Id: I2ba83251f6b76b0c6c7fdccb73a10965c60e1ebe
| |
This repurposes tests for DefaultHostnameVerifier class to test the
platform-default HostnameVerifier (as provided by
HttpsURLConnection.getDefaultHostnameVerifier()). This is to ensure
that its contract remains stable and tested, regardless of which
implementation is used by default.
Bug: 18481199
Change-Id: Iaaf2f2274f8412eca2544d1e62c2523028914e07
| |
This is in preparation for migration from OpenSSL to BoringSSL.
BoringSSL does not support DSS.
Bug: 17409664
Change-Id: I6b2ac5f7c7b9c41416650cdbdce2deed03372f49
| |
This removes the workaround for TLS/SSL server certificate presented
by android.clients.google.com without Server Name Indication (SNI)
not matching android.clients.google.com
(8576f309825e23add080f2a50345ec1884939c39). This type of
service/provider-specific workaround does not belong into the core
library. Applications relying on this workaround will now need to use
SNI or a custom HostnameVerifier.
Bug: 5426333
Change-Id: I4e9b887358eefc73d3cd6a7f6f9a6aacebbfa12e
| | |
web site"
* commit '5309a0c2567efb1f349171906c023f3f02846280':
autoclose all <a name> tags so they don't disappear on web site
| | |
<a> tags with the name attribute---used to create a page anchor---must be
closed immediately and not contain any text because, in order to make the
appropriate content visible below the site's "sticky header" when the anchor
is followed, CSS is used to hide the <a name> element and position it
up higher by an offset equal to the height of the sticky header.
So, do not place text inside an <a> tag with the name attribute.
(cherry-pick of 936306df62d7d44a806fbeb789c6432e7c325981.)
Change-Id: Icae1b1f0716aa02d003f921b8e430ad3c99f26d0
| | | |
* commit 'e6a6e935e98f426c7000b2bf4086f87101f4441c':
Add support for TLS_FALLBACK_SCSV
| | | |
Bug: 17750026
Change-Id: I8dec89ae59a6f745f63120b11b4f6dbe9b21a139
| | | |
* commit '3a025d3db9334bab5e1e80da7c69a5f69cdd2f84':
Enable hostname verification for absolute hostnames.
| | | | |
This makes the DefaultHostnameVerifier (the platform default
HostnameVerifier) match relative hostname patterns from CN and DNS
SubjectAltNames fields of TLS/SSL server certificates against
absolute hostnames. Absolute hostname patterns will still never match
relative hostnames because it is not known to what absolute name a
relative name was resolved by DNS.
For example, if hostname is "www.android.com." and server certificate
is for "www.android.com", hostname verification will now pass.
Whereas, if hostname is "www.android.com" and server certificate is
for "www.android.com.", hostname verification will still fail.
All of this is needed because server certificates do not normally
contain absolute hostnames or hostname patterns. At the same time,
connections via absolute hostnames should be supported and even
preferred in most cases, to avoid DNS search suffixes being added.
Bug: 17482685
Change-Id: I3f2006fa1110004b18ce627675334d2a54805c7a
|/| | |
* commit '76d38635d9eb6b03251913a993f038da1a3759bc':
Reject wildcard certs for single-label domain names.
| | |
Rejecting wildcard certs for two- (e.g., *.com) or three-label (e.g.,
*.co.uk) domain name patterns requires having a frequently updated
Prefix Suffix List.
Bug: 17552202
Change-Id: Iecd1dc8e22a51f4d779821094c5f55b310171a74
| | | |
Don't bother to reload the default SocketFactory if the requested
classname didn't change since the last time.
Also make the warning when classloading fails more terse. Most of the
time the ClassLoader is wrong, so giving them a hint via
ClassLoader#toString is sufficient.
Bug: 16468683
Change-Id: I36844e942ccadda993c9f5a1523b2a66280903f3
| | | |
Apps still depend on this because the platform cannot guarantee that
SNI is used.
Bug: 5426333
Bug: 16635883
Change-Id: I4fd2090c681e814d7caeb1f94aa3604bc2ddd77c
| | | | |
lmp-dev
* commit '98701d71d629b425cb03423708130b384bc88bbe':
Add a way to get all values of an attribute of DN.
| | | | | |
This is needed to switch Apache HTTP hostname verification from its
own Distinguished Name (DN) parsing code to this library's
DistinguishedNameParser.
Bug: 16510257
Change-Id: Iedd27cec162167dad11a4fe477d4eaa3eba004b7
|/| | | |
* commit 'fa7f9bad0ae25224a366828c538bd1f0c179b56b':
SSLSocketFactory: don't reload the default if class name is same
| | | |
Don't bother to reload the default SocketFactory if the requested
classname didn't change since the last time.
Also make the warning when classloading fails more terse. Most of the
time the ClassLoader is wrong, so giving them a hint via
ClassLoader#toString is sufficient.
(cherry picked from commit 3885890273828ed02caa5de671341faca81a4e89)
Bug: 16468683
Change-Id: I36844e942ccadda993c9f5a1523b2a66280903f3
| | | |
This documents and tests that TLS-PSK cipher suites are enabled
if a PSKKeyManager is provided to SSLContext during its
initialization.
Bug: 15073623
(cherry picked from commit b5730a183c0ef94946bb04222f6219f83adef8f5)
Change-Id: Idb84b985301b575f4989f2c2a673b64e4e4930ea
| | | |
Please do not merge.
Change-Id: I11aabb0a603a77d86697b600fe4379817076af7f
| | | |
Please do not merge.
Change-Id: Iae444b6b2840916ef9a4d0962a55a74f650bd5a5
| | | |
Change-Id: I143d0b26b116e75892223e74b6c22b6c8db05466
| | | | |
* commit 'e8a958066d95a4e15a9834e8b9067d106efd9b53':
@hide.
| | | | |
Change-Id: Ieacf34a7b850910e70ae54f738608509e2c39e2e
| | | | | |
for TLS-PSK cipher suites."
* commit 'c0a8f479a47de31427211ea7952b3b92c0c650c2':
Document and assert support for TLS-PSK cipher suites.
| | | | | | |
reflect recent changes."
* commit 'a8a3743a541db271b25e25f179e105a48397c129':
Update SSLEngine Javadoc to reflect recent changes.
| | | | | | |
javadoc."
* commit '8efbeb67cec988289eb1eb2dd5a46154b3ef3a52':
Fix a sorting bug in SSLSocket javadoc.
| | | | | | |
Change-Id: Iac7db4586372a9b912e5c94fb2ab88c6bf305c35