svn commit: r1866702 - in /axis/axis1/java/trunk: axis-rt-core/src/main/java/org/apache/axis/components/net/JSSESocketFactory.java pom.xml
Author: robertlazarski Date: Mon Sep 9 17:44:23 2019 New Revision: 1866702 URL: http://svn.apache.org/viewvc?rev=1866702&view=rev Log: Apply patch for AXIS-2905, remove animal sniffer API check plugin from the pom.xml because patch requires JDK classes marked with 'Since 1.5' and internal the internal Apache build on Travis runs JDK 8 Modified: axis/axis1/java/trunk/axis-rt-core/src/main/java/org/apache/axis/components/net/JSSESocketFactory.java axis/axis1/java/trunk/pom.xml Modified: axis/axis1/java/trunk/axis-rt-core/src/main/java/org/apache/axis/components/net/JSSESocketFactory.java URL: http://svn.apache.org/viewvc/axis/axis1/java/trunk/axis-rt-core/src/main/java/org/apache/axis/components/net/JSSESocketFactory.java?rev=1866702&r1=1866701&r2=1866702&view=diff ==
--- axis/axis1/java/trunk/axis-rt-core/src/main/java/org/apache/axis/components/net/JSSESocketFactory.java (original)
+++ axis/axis1/java/trunk/axis-rt-core/src/main/java/org/apache/axis/components/net/JSSESocketFactory.java Mon Sep 9 17:44:23 2019
@@ -15,12 +15,6 @@
 */
 package org.apache.axis.components.net;
-import org.apache.axis.utils.Messages;
-import org.apache.axis.utils.XMLUtils;
-import org.apache.axis.utils.StringUtils;
-
-import javax.net.ssl.SSLSocket;
-import javax.net.ssl.SSLSocketFactory;
 import java.io.BufferedWriter;
 import java.io.IOException;
 import java.io.InputStream;
@@ -28,7 +22,33 @@ import java.io.OutputStream;
 import java.io.OutputStreamWriter;
 import java.io.PrintWriter;
 import java.net.Socket;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateParsingException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
 import java.util.Hashtable;
+import java.util.Iterator;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Locale;
+import java.util.regex.Pattern;
+
+import javax.naming.InvalidNameException;
+import javax.naming.NamingException;
+import javax.naming.directory.Attribute;
+import javax.naming.directory.Attributes;
+import javax.naming.ldap.LdapName;
+import javax.naming.ldap.Rdn;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.SSLSocketFactory;
+
+import org.apache.axis.utils.Messages;
+import org.apache.axis.utils.StringUtils;
+import org.apache.axis.utils.XMLUtils;
 /**
@@ -41,6 +61,10 @@ import java.util.Hashtable;
 */
 public class JSSESocketFactory extends DefaultSocketFactory implements SecureSocketFactory {
+// This is a a sorted list, if you insert new elements do it orderdered.
+private final static String[] BAD_COUNTRY_2LDS =
+{"ac", "co", "com", "ed", "edu", "go", "gouv", "gov", "info",
+"lg", "ne", "net", "or", "org"};
 /** Field sslFactory */
 protected SSLSocketFactory sslFactory = null;
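Review bot: The comment above `BAD_COUNTRY_2LDS` says the array must stay sorted but not why, and the lookup that depends on it is outside this hunk. Since `java.util.Arrays` is imported in the same commit, the array is presumably searched with `Arrays.binarySearch`, where an out-of-order entry is silently missed rather than rejected; in a hostname verifier that means a check which quietly stops applying. I would spell that out, e.g. `// Must stay in ascending String order: looked up by binary search (TODO confirm); an unsorted entry is silently never matched.`, and fix the typos ("a a", "orderdered"). The comment could also say that this fixed handful of second-level labels is an approximation and not a complete public-suffix list.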
@@ -187,6 +211,279 @@ public class JSSESocketFactory extends D
 if (log.isDebugEnabled()) {
 log.debug(Messages.getMessage("createdSSL00"));
 }
+verifyHostName(host, (SSLSocket) sslSocket);
 return sslSocket;
 }
+/**
+ * Verifies that the given hostname in certicifate is the hostname we are trying to connect to.
+ * This resolves CVE-2012-5784 and CVE-2014-3596
+ * @param host
+ * @param ssl
+ * @throws IOException
+ */
+
+ private static void verifyHostName(String host, SSLSocket ssl)
+ throws IOException {
+ if (host == null) {
+ throw new IllegalArgumentException("host to verify was null");
+ }
+
+ SSLSession session = ssl.getSession();
+ if (session == null) {
+// In our experience this only happens under IBM 1.4.x when
+// spurious (unrelated) certificates show up in the server's chain.
+// Hopefully this will unearth the real problem:
+ InputStream in = ssl.getInputStream();
+ in.available();
+/*
+ If you're looking at the 2 lines of code above because you're
+ running into a problem, you probably have two options:
+
+#1. Clean up the certificate chain that your server
+ is presenting (e.g. edit "/etc/apache2/server.crt" or
+ wherever it is your server's certificate chain is
+ defined).
+
+ OR
+
+#2. Upgrade to an IBM 1.5.x or greater JVM, or switch to a
+ non-IBM JVM.
+ */
+
+// If ssl.getInputStream().available() didn't cause an exception,
+// maybe at least now the session is available?
+ session
svn commit: r1866705 - /axis/axis1/java/trunk/axis-rt-core/src/main/java/org/apache/axis/utils/bytecode/ClassReader.java
Author: robertlazarski Date: Mon Sep 9 18:38:03 2019 New Revision: 1866705 URL: http://svn.apache.org/viewvc?rev=1866705&view=rev Log: Apply patch for AXIS-2929, JDK 8,9,10,11 support Modified: axis/axis1/java/trunk/axis-rt-core/src/main/java/org/apache/axis/utils/bytecode/ClassReader.java Modified: axis/axis1/java/trunk/axis-rt-core/src/main/java/org/apache/axis/utils/bytecode/ClassReader.java URL: http://svn.apache.org/viewvc/axis/axis1/java/trunk/axis-rt-core/src/main/java/org/apache/axis/utils/bytecode/ClassReader.java?rev=1866705&r1=1866704&r2=1866705&view=diff ==
--- axis/axis1/java/trunk/axis-rt-core/src/main/java/org/apache/axis/utils/bytecode/ClassReader.java (original)
+++ axis/axis1/java/trunk/axis-rt-core/src/main/java/org/apache/axis/utils/bytecode/ClassReader.java Mon Sep 9 18:38:03 2019
@@ -59,6 +59,16 @@ public class ClassReader extends ByteArr
 private static final int CONSTANT_Double = 6;
 private static final int CONSTANT_NameAndType = 12;
 private static final int CONSTANT_Utf8 = 1;
+
+/*java 8 9 10 11 new tokens https://docs.oracle.com/javase/specs/jvms/se11/html/jvms-4.html*/
+private static final int CONSTANT_MethodHandle = 15;
+private static final int CONSTANT_MethodType = 16;
+private static final int CONSTANT_Dynamic = 17;
+private static final int CONSTANT_InvokeDynamic= 18;
+private static final int CONSTANT_Module = 19;
+private static final int CONSTANT_Package = 20;
+/*end of ava 8 9 10 11 new tokens*/
+
 /**
 * the constant pool. constant pool indices in the class file
 * directly index into this array. The value stored in this array
@@ -347,11 +357,30 @@ public class ClassReader extends ByteArr
 int len = readShort();
 skipFully(len);
 break;
+case CONSTANT_MethodHandle:
+
+read(); // reference kind
+readShort(); // reference index
+break;
+
+case CONSTANT_MethodType:
+
+readShort(); // descriptor index
+break;
+
+case CONSTANT_Dynamic:
+readShort(); // bootstrap method attr index
+readShort(); // name and type index
+break;
+case CONSTANT_InvokeDynamic:
+
+readShort(); // bootstrap method attr index
+readShort(); // name and type index
+break;
 default: // corrupt class file
-throw new IllegalStateException(
-Messages.getMessage("unexpectedBytes00"));
+throw new IllegalStateException("Error looking for paramter names in bytecode: unexpected bytes in file, tag:"+c);
 }
 }
 }
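Review bot: `CONSTANT_Module` (19) and `CONSTANT_Package` (20) are declared in this commit's first hunk but get no `case` here, so a constant pool carrying either tag still falls through to `default` and is reported as a corrupt class file. In the JVMS chapter that the constants comment links to, both entries are a tag followed by a single u2 name index, so `case CONSTANT_Module: case CONSTANT_Package: readShort(); break;` ahead of `default` would skip them correctly. Those tags should only occur in a module-info class, so this presumably matters only if such a file ever reaches the reader. The same gap is in the axis2 trunk (r1866709) and 1_7 branch (r1866711) copies of this hunk. The switch and its enclosing method start outside the hunk.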
svn commit: r1866709 - /axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/description/java2wsdl/bytecode/ClassReader.java
Author: robertlazarski Date: Mon Sep 9 20:37:11 2019 New Revision: 1866709 URL: http://svn.apache.org/viewvc?rev=1866709&view=rev Log: Apply patch for AXIS2-5935, JDK 8,9,10,11 support Modified: axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/description/java2wsdl/bytecode/ClassReader.java Modified: axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/description/java2wsdl/bytecode/ClassReader.java URL: http://svn.apache.org/viewvc/axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/description/java2wsdl/bytecode/ClassReader.java?rev=1866709&r1=1866708&r2=1866709&view=diff ==
--- axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/description/java2wsdl/bytecode/ClassReader.java (original)
+++ axis/axis2/java/core/trunk/modules/kernel/src/org/apache/axis2/description/java2wsdl/bytecode/ClassReader.java Mon Sep 9 20:37:11 2019
@@ -59,6 +59,18 @@ public class ClassReader extends ByteArr
 private static final int CONSTANT_Double = 6;
 private static final int CONSTANT_NameAndType = 12;
 private static final int CONSTANT_Utf8 = 1;
+
+ /*java 8 9 10 11 new tokens https://docs.oracle.com/javase/specs/jvms/se11/html/jvms-4.html*/
+ private static final int CONSTANT_MethodHandle = 15;
+private static final int CONSTANT_MethodType = 16;
+ private static final int CONSTANT_Dynamic = 17;
+private static final int CONSTANT_InvokeDynamic= 18;
+ private static final int CONSTANT_Module = 19;
+ private static final int CONSTANT_Package = 20;
+ /*end of ava 8 9 10 11 new tokens*/
+
+
+
 /**
 * the constant pool. constant pool indices in the class file
 * directly index into this array. The value stored in this array
@@ -349,9 +361,31 @@ public class ClassReader extends ByteArr
 skipFully(len);
 break;
+case CONSTANT_MethodHandle:
+
+read(); // reference kind
+readShort(); // reference index
+break;
+
+case CONSTANT_MethodType:
+
+readShort(); // descriptor index
+break;
+
+ case CONSTANT_Dynamic:
+ readShort(); // bootstrap method attr index
+readShort(); // name and type index
+break;
+
+case CONSTANT_InvokeDynamic:
+
+readShort(); // bootstrap method attr index
+readShort(); // name and type index
+break;
+
 default: // corrupt class file
-throw new IllegalStateException("Error looking for paramter names in bytecode: unexpected bytes in file");
+throw new IllegalStateException("Error looking for paramter names in bytecode: unexpected bytes in file, tag:"+c);
 }
 }
 }
svn commit: r1866711 - /axis/axis2/java/core/branches/1_7/modules/kernel/src/org/apache/axis2/description/java2wsdl/bytecode/ClassReader.java
Author: robertlazarski Date: Mon Sep 9 20:52:14 2019 New Revision: 1866711 URL: http://svn.apache.org/viewvc?rev=1866711&view=rev Log: Apply patch for AXIS-5935 to 1_7 branch, for JDK 8,9,10,11 support Modified: axis/axis2/java/core/branches/1_7/modules/kernel/src/org/apache/axis2/description/java2wsdl/bytecode/ClassReader.java Modified: axis/axis2/java/core/branches/1_7/modules/kernel/src/org/apache/axis2/description/java2wsdl/bytecode/ClassReader.java URL: http://svn.apache.org/viewvc/axis/axis2/java/core/branches/1_7/modules/kernel/src/org/apache/axis2/description/java2wsdl/bytecode/ClassReader.java?rev=1866711&r1=1866710&r2=1866711&view=diff ==
--- axis/axis2/java/core/branches/1_7/modules/kernel/src/org/apache/axis2/description/java2wsdl/bytecode/ClassReader.java (original)
+++ axis/axis2/java/core/branches/1_7/modules/kernel/src/org/apache/axis2/description/java2wsdl/bytecode/ClassReader.java Mon Sep 9 20:52:14 2019
@@ -59,6 +59,18 @@ public class ClassReader extends ByteArr
 private static final int CONSTANT_Double = 6;
 private static final int CONSTANT_NameAndType = 12;
 private static final int CONSTANT_Utf8 = 1;
+
+ /*java 8 9 10 11 new tokens https://docs.oracle.com/javase/specs/jvms/se11/html/jvms-4.html*/
+ private static final int CONSTANT_MethodHandle = 15;
+private static final int CONSTANT_MethodType = 16;
+ private static final int CONSTANT_Dynamic = 17;
+private static final int CONSTANT_InvokeDynamic= 18;
+ private static final int CONSTANT_Module = 19;
+ private static final int CONSTANT_Package = 20;
+ /*end of ava 8 9 10 11 new tokens*/
+
+
+
 /**
 * the constant pool. constant pool indices in the class file
 * directly index into this array. The value stored in this array
@@ -348,10 +360,29 @@ public class ClassReader extends ByteArr
 int len = readShort();
 skipFully(len);
 break;
+case CONSTANT_MethodHandle:
+
+read(); // reference kind
+readShort(); // reference index
+break;
+
+case CONSTANT_MethodType:
+
+readShort(); // descriptor index
+break;
+ case CONSTANT_Dynamic:
+ readShort(); // bootstrap method attr index
+readShort(); // name and type index
+break;
+case CONSTANT_InvokeDynamic:
+
+readShort(); // bootstrap method attr index
+readShort(); // name and type index
+break;
 default: // corrupt class file
-throw new IllegalStateException("Error looking for paramter names in bytecode: unexpected bytes in file");
+throw new IllegalStateException("Error looking for paramter names in bytecode: unexpected bytes in file, tag:"+c);
 }
 }
 }