Merge changes from topic "certblocklist" am: c251ff6d14 am: 6d618a826f

Original change: https://android-review.googlesource.com/c/platform/external/bouncycastle/+/1380341

Change-Id: Ic08d3886c839acdae8b3c87ed71ae46ea5f0cf5c
diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/CertBlacklist.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/CertBlocklist.java
similarity index 81%
rename from bcprov/src/main/java/org/bouncycastle/jce/provider/CertBlacklist.java
rename to bcprov/src/main/java/org/bouncycastle/jce/provider/CertBlocklist.java
index 1094b3b..48e5ba0 100644
--- a/bcprov/src/main/java/org/bouncycastle/jce/provider/CertBlacklist.java
+++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/CertBlocklist.java
@@ -33,27 +33,28 @@
 import org.bouncycastle.crypto.digests.AndroidDigestFactory;
 import org.bouncycastle.util.encoders.Hex;
 
-public class CertBlacklist {
-    private static final Logger logger = Logger.getLogger(CertBlacklist.class.getName());
+public class CertBlocklist {
+    private static final Logger logger = Logger.getLogger(CertBlocklist.class.getName());
 
     // public for testing
-    public final Set<BigInteger> serialBlacklist;
-    public final Set<byte[]> pubkeyBlacklist;
+    public final Set<BigInteger> serialBlocklist;
+    public final Set<byte[]> pubkeyBlocklist;
 
-    public CertBlacklist() {
+    public CertBlocklist() {
         String androidData = System.getenv("ANDROID_DATA");
-        String blacklistRoot = androidData + "/misc/keychain/";
-        String defaultPubkeyBlacklistPath = blacklistRoot + "pubkey_blacklist.txt";
-        String defaultSerialBlacklistPath = blacklistRoot + "serial_blacklist.txt";
+        String blocklistRoot = androidData + "/misc/keychain/";
+        // TODO(b/162575432): change these paths to use inclusive language
+        String defaultPubkeyBlocklistPath = blocklistRoot + "pubkey_blacklist.txt";
+        String defaultSerialBlocklistPath = blocklistRoot + "serial_blacklist.txt";
 
-        pubkeyBlacklist = readPublicKeyBlackList(defaultPubkeyBlacklistPath);
-        serialBlacklist = readSerialBlackList(defaultSerialBlacklistPath);
+        pubkeyBlocklist = readPublicKeyBlockList(defaultPubkeyBlocklistPath);
+        serialBlocklist = readSerialBlockList(defaultSerialBlocklistPath);
     }
 
     /** Test only interface, not for public use */
-    public CertBlacklist(String pubkeyBlacklistPath, String serialBlacklistPath) {
-        pubkeyBlacklist = readPublicKeyBlackList(pubkeyBlacklistPath);
-        serialBlacklist = readSerialBlackList(serialBlacklistPath);
+    public CertBlocklist(String pubkeyBlocklistPath, String serialBlocklistPath) {
+        pubkeyBlocklist = readPublicKeyBlockList(pubkeyBlocklistPath);
+        serialBlocklist = readSerialBlockList(serialBlocklistPath);
     }
 
     private static boolean isHex(String value) {
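Review bot: `System.getenv("ANDROID_DATA")` can return null, and the default constructor then builds the literal path "null/misc/keychain/...". Both reads end in the ignored FileNotFoundException in readBlocklist, so the instance silently carries only the built-in entries. A log line makes that state visible: `if (androidData == null) logger.log(Level.WARNING, "ANDROID_DATA is not set; using built-in blocklist only");`. The repackaged copy of this file has the same constructor.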
@@ -74,12 +75,12 @@
         return isHex(value);
     }
 
-    private static String readBlacklist(String path) {
+    private static String readBlocklist(String path) {
         try {
             return readFileAsString(path);
         } catch (FileNotFoundException ignored) {
         } catch (IOException e) {
-            logger.log(Level.WARNING, "Could not read blacklist", e);
+            logger.log(Level.WARNING, "Could not read blocklist", e);
         }
         return "";
     }
@@ -120,7 +121,7 @@
         }
     }
 
-    private static final Set<BigInteger> readSerialBlackList(String path) {
+    private static Set<BigInteger> readSerialBlockList(String path) {
 
         /* Start out with a base set of known bad values.
          *
@@ -147,13 +148,13 @@
         ));
 
         // attempt to augment it with values taken from gservices
-        String serialBlacklist = readBlacklist(path);
-        if (!serialBlacklist.equals("")) {
-            for(String value : serialBlacklist.split(",")) {
+        String serialBlocklist = readBlocklist(path);
+        if (!serialBlocklist.equals("")) {
+            for(String value : serialBlocklist.split(",")) {
                 try {
                     bl.add(new BigInteger(value, 16));
                 } catch (NumberFormatException e) {
-                    logger.log(Level.WARNING, "Tried to blacklist invalid serial number " + value, e);
+                    logger.log(Level.WARNING, "Tried to blocklist invalid serial number " + value, e);
                 }
             }
         }
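Review bot: Entries from the serial file reach `bl.add(new BigInteger(value, 16))` untrimmed, so an entry with surrounding whitespace or a trailing newline throws NumberFormatException, is logged, and is left out of the set. For a revocation list that fails open. The pubkey loop already calls `value.trim()`, and this loop should match it: `bl.add(new BigInteger(value.trim(), 16));`. readSerialBlockList starts and ends outside this hunk, and the repackaged copy has the same loop.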
@@ -162,7 +163,7 @@
         return Collections.unmodifiableSet(bl);
     }
 
-    private static final Set<byte[]> readPublicKeyBlackList(String path) {
+    private static Set<byte[]> readPublicKeyBlockList(String path) {
 
         // start out with a base set of known bad values
         Set<byte[]> bl = new HashSet<byte[]>(Arrays.asList(
@@ -197,14 +198,14 @@
         ));
 
         // attempt to augment it with values taken from gservices
-        String pubkeyBlacklist = readBlacklist(path);
-        if (!pubkeyBlacklist.equals("")) {
-            for (String value : pubkeyBlacklist.split(",")) {
+        String pubkeyBlocklist = readBlocklist(path);
+        if (!pubkeyBlocklist.equals("")) {
+            for (String value : pubkeyBlocklist.split(",")) {
                 value = value.trim();
                 if (isPubkeyHash(value)) {
                     bl.add(value.getBytes());
                 } else {
-                    logger.log(Level.WARNING, "Tried to blacklist invalid pubkey " + value);
+                    logger.log(Level.WARNING, "Tried to blocklist invalid pubkey " + value);
                 }
             }
         }
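Review bot: `bl.add(value.getBytes())` stores the entry in the platform default charset and in the letter case used in the file, while the lookup compares against `Hex.encode(out)`, which emits lower-case ASCII. If isPubkeyHash accepts upper-case hex digits (its body is outside the hunk), such an entry is added without a warning and can never match. Normalising on load avoids that: `bl.add(value.toLowerCase(Locale.ROOT).getBytes(StandardCharsets.US_ASCII));`, which needs two imports this hunk does not show. The repackaged copy has the same line.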
@@ -212,22 +213,22 @@
         return bl;
     }
 
-    public boolean isPublicKeyBlackListed(PublicKey publicKey) {
+    public boolean isPublicKeyBlockListed(PublicKey publicKey) {
         byte[] encoded = publicKey.getEncoded();
         Digest digest = AndroidDigestFactory.getSHA1();
         digest.update(encoded, 0, encoded.length);
         byte[] out = new byte[digest.getDigestSize()];
         digest.doFinal(out, 0);
-        for (byte[] blacklisted : pubkeyBlacklist) {
-            if (Arrays.equals(blacklisted, Hex.encode(out))) {
+        for (byte[] blocklisted : pubkeyBlocklist) {
+            if (Arrays.equals(blocklisted, Hex.encode(out))) {
                 return true;
             }
         }
         return false;
     }
 
-    public boolean isSerialNumberBlackListed(BigInteger serial) {
-        return serialBlacklist.contains(serial);
+    public boolean isSerialNumberBlockListed(BigInteger serial) {
+        return serialBlocklist.contains(serial);
     }
 
 }
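Review bot: `return bl;` at the top of this hunk hands back the mutable HashSet, and the class exposes it through the `public final Set<byte[]> pubkeyBlocklist` field. Any code holding a CertBlocklist can therefore add or remove entries after load. readSerialBlockList wraps its result, and the same here keeps the two lists consistent: `return Collections.unmodifiableSet(bl);`. readPublicKeyBlockList starts outside this hunk, and the repackaged copy has the same return.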
diff --git a/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java
index 1665952..5e1905e 100644
--- a/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java
+++ b/bcprov/src/main/java/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java
@@ -45,11 +45,11 @@
     public PKIXCertPathValidatorSpi()
     {
     }
-    // BEGIN Android-added: Avoid loading blacklist during class init
+    // BEGIN Android-added: Avoid loading blocklist during class init
     private static class NoPreloadHolder {
-        private final static CertBlacklist blacklist = new CertBlacklist();
+        private final static CertBlocklist blocklist = new CertBlocklist();
     }
-    // END Android-added: Avoid loading blacklist during class init
+    // END Android-added: Avoid loading blocklist during class init
 
     public CertPathValidatorResult engineValidate(
             CertPath certPath,
@@ -105,13 +105,13 @@
         {
             throw new CertPathValidatorException("Certification path is empty.", null, certPath, -1);
         }
-        // BEGIN Android-added: Support blacklisting known-bad certs
+        // BEGIN Android-added: Support blocklisting known-bad certs
         {
             X509Certificate cert = (X509Certificate) certs.get(0);
 
             if (cert != null) {
                 BigInteger serial = cert.getSerialNumber();
-                if (NoPreloadHolder.blacklist.isSerialNumberBlackListed(serial)) {
+                if (NoPreloadHolder.blocklist.isSerialNumberBlockListed(serial)) {
                     // emulate CRL exception message in RFC3280CertPathUtilities.checkCRLs
                     String message = "Certificate revocation of serial 0x" + serial.toString(16);
                     System.out.println(message);
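Review bot: `System.out.println(message)` reports the revocation hit on standard output from library validation code. The same call appears in the public-key check inside the validation loop further down, and in the repackaged copy. CertBlocklist already uses java.util.logging, so a logger call would record these events through the same channel, e.g. `logger.log(Level.WARNING, message);`. That assumes a `Logger` field is added to this class, since none is visible here. The Android-added block continues past the end of the hunk.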
@@ -120,7 +120,7 @@
                 }
             }
         }
-        // END Android-added: Support blacklisting known-bad certs
+        // END Android-added: Support blocklisting known-bad certs
 
         //
         // (b)
@@ -302,15 +302,15 @@
 
         for (index = certs.size() - 1; index >= 0; index--)
         {
-            // BEGIN Android-added: Support blacklisting known-bad certs
-            if (NoPreloadHolder.blacklist.isPublicKeyBlackListed(workingPublicKey)) {
+            // BEGIN Android-added: Support blocklisting known-bad certs
+            if (NoPreloadHolder.blocklist.isPublicKeyBlockListed(workingPublicKey)) {
                 // emulate CRL exception message in RFC3280CertPathUtilities.checkCRLs
                 String message = "Certificate revocation of public key " + workingPublicKey;
                 System.out.println(message);
                 AnnotatedException e = new AnnotatedException(message);
                 throw new CertPathValidatorException(e.getMessage(), e, certPath, index);
             }
-            // END Android-added: Support blacklisting known-bad certs
+            // END Android-added: Support blocklisting known-bad certs
             // try
             // {
             //
diff --git a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jce/provider/CertBlacklist.java b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jce/provider/CertBlocklist.java
similarity index 81%
rename from repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jce/provider/CertBlacklist.java
rename to repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jce/provider/CertBlocklist.java
index 3a3d53e..a7689e0 100644
--- a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jce/provider/CertBlacklist.java
+++ b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jce/provider/CertBlocklist.java
@@ -37,27 +37,28 @@
 /**
  * @hide This class is not part of the Android public SDK API
  */
-public class CertBlacklist {
-    private static final Logger logger = Logger.getLogger(CertBlacklist.class.getName());
+public class CertBlocklist {
+    private static final Logger logger = Logger.getLogger(CertBlocklist.class.getName());
 
     // public for testing
-    public final Set<BigInteger> serialBlacklist;
-    public final Set<byte[]> pubkeyBlacklist;
+    public final Set<BigInteger> serialBlocklist;
+    public final Set<byte[]> pubkeyBlocklist;
 
-    public CertBlacklist() {
+    public CertBlocklist() {
         String androidData = System.getenv("ANDROID_DATA");
-        String blacklistRoot = androidData + "/misc/keychain/";
-        String defaultPubkeyBlacklistPath = blacklistRoot + "pubkey_blacklist.txt";
-        String defaultSerialBlacklistPath = blacklistRoot + "serial_blacklist.txt";
+        String blocklistRoot = androidData + "/misc/keychain/";
+        // TODO(b/162575432): change these paths to use inclusive language
+        String defaultPubkeyBlocklistPath = blocklistRoot + "pubkey_blacklist.txt";
+        String defaultSerialBlocklistPath = blocklistRoot + "serial_blacklist.txt";
 
-        pubkeyBlacklist = readPublicKeyBlackList(defaultPubkeyBlacklistPath);
-        serialBlacklist = readSerialBlackList(defaultSerialBlacklistPath);
+        pubkeyBlocklist = readPublicKeyBlockList(defaultPubkeyBlocklistPath);
+        serialBlocklist = readSerialBlockList(defaultSerialBlocklistPath);
     }
 
     /** Test only interface, not for public use */
-    public CertBlacklist(String pubkeyBlacklistPath, String serialBlacklistPath) {
-        pubkeyBlacklist = readPublicKeyBlackList(pubkeyBlacklistPath);
-        serialBlacklist = readSerialBlackList(serialBlacklistPath);
+    public CertBlocklist(String pubkeyBlocklistPath, String serialBlocklistPath) {
+        pubkeyBlocklist = readPublicKeyBlockList(pubkeyBlocklistPath);
+        serialBlocklist = readSerialBlockList(serialBlocklistPath);
     }
 
     private static boolean isHex(String value) {
@@ -78,12 +79,12 @@
         return isHex(value);
     }
 
-    private static String readBlacklist(String path) {
+    private static String readBlocklist(String path) {
         try {
             return readFileAsString(path);
         } catch (FileNotFoundException ignored) {
         } catch (IOException e) {
-            logger.log(Level.WARNING, "Could not read blacklist", e);
+            logger.log(Level.WARNING, "Could not read blocklist", e);
         }
         return "";
     }
@@ -124,7 +125,7 @@
         }
     }
 
-    private static final Set<BigInteger> readSerialBlackList(String path) {
+    private static Set<BigInteger> readSerialBlockList(String path) {
 
         /* Start out with a base set of known bad values.
          *
@@ -151,13 +152,13 @@
         ));
 
         // attempt to augment it with values taken from gservices
-        String serialBlacklist = readBlacklist(path);
-        if (!serialBlacklist.equals("")) {
-            for(String value : serialBlacklist.split(",")) {
+        String serialBlocklist = readBlocklist(path);
+        if (!serialBlocklist.equals("")) {
+            for(String value : serialBlocklist.split(",")) {
                 try {
                     bl.add(new BigInteger(value, 16));
                 } catch (NumberFormatException e) {
-                    logger.log(Level.WARNING, "Tried to blacklist invalid serial number " + value, e);
+                    logger.log(Level.WARNING, "Tried to blocklist invalid serial number " + value, e);
                 }
             }
         }
@@ -166,7 +167,7 @@
         return Collections.unmodifiableSet(bl);
     }
 
-    private static final Set<byte[]> readPublicKeyBlackList(String path) {
+    private static Set<byte[]> readPublicKeyBlockList(String path) {
 
         // start out with a base set of known bad values
         Set<byte[]> bl = new HashSet<byte[]>(Arrays.asList(
@@ -201,14 +202,14 @@
         ));
 
         // attempt to augment it with values taken from gservices
-        String pubkeyBlacklist = readBlacklist(path);
-        if (!pubkeyBlacklist.equals("")) {
-            for (String value : pubkeyBlacklist.split(",")) {
+        String pubkeyBlocklist = readBlocklist(path);
+        if (!pubkeyBlocklist.equals("")) {
+            for (String value : pubkeyBlocklist.split(",")) {
                 value = value.trim();
                 if (isPubkeyHash(value)) {
                     bl.add(value.getBytes());
                 } else {
-                    logger.log(Level.WARNING, "Tried to blacklist invalid pubkey " + value);
+                    logger.log(Level.WARNING, "Tried to blocklist invalid pubkey " + value);
                 }
             }
         }
@@ -216,22 +217,22 @@
         return bl;
     }
 
-    public boolean isPublicKeyBlackListed(PublicKey publicKey) {
+    public boolean isPublicKeyBlockListed(PublicKey publicKey) {
         byte[] encoded = publicKey.getEncoded();
         Digest digest = AndroidDigestFactory.getSHA1();
         digest.update(encoded, 0, encoded.length);
         byte[] out = new byte[digest.getDigestSize()];
         digest.doFinal(out, 0);
-        for (byte[] blacklisted : pubkeyBlacklist) {
-            if (Arrays.equals(blacklisted, Hex.encode(out))) {
+        for (byte[] blocklisted : pubkeyBlocklist) {
+            if (Arrays.equals(blocklisted, Hex.encode(out))) {
                 return true;
             }
         }
         return false;
     }
 
-    public boolean isSerialNumberBlackListed(BigInteger serial) {
-        return serialBlacklist.contains(serial);
+    public boolean isSerialNumberBlockListed(BigInteger serial) {
+        return serialBlocklist.contains(serial);
     }
 
 }
diff --git a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java
index f9491f7..6fcc609 100644
--- a/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java
+++ b/repackaged/bcprov/src/main/java/com/android/org/bouncycastle/jce/provider/PKIXCertPathValidatorSpi.java
@@ -47,11 +47,11 @@
     public PKIXCertPathValidatorSpi()
     {
     }
-    // BEGIN Android-added: Avoid loading blacklist during class init
+    // BEGIN Android-added: Avoid loading blocklist during class init
     private static class NoPreloadHolder {
-        private final static CertBlacklist blacklist = new CertBlacklist();
+        private final static CertBlocklist blocklist = new CertBlocklist();
     }
-    // END Android-added: Avoid loading blacklist during class init
+    // END Android-added: Avoid loading blocklist during class init
 
     public CertPathValidatorResult engineValidate(
             CertPath certPath,
@@ -107,13 +107,13 @@
         {
             throw new CertPathValidatorException("Certification path is empty.", null, certPath, -1);
         }
-        // BEGIN Android-added: Support blacklisting known-bad certs
+        // BEGIN Android-added: Support blocklisting known-bad certs
         {
             X509Certificate cert = (X509Certificate) certs.get(0);
 
             if (cert != null) {
                 BigInteger serial = cert.getSerialNumber();
-                if (NoPreloadHolder.blacklist.isSerialNumberBlackListed(serial)) {
+                if (NoPreloadHolder.blocklist.isSerialNumberBlockListed(serial)) {
                     // emulate CRL exception message in RFC3280CertPathUtilities.checkCRLs
                     String message = "Certificate revocation of serial 0x" + serial.toString(16);
                     System.out.println(message);
@@ -122,7 +122,7 @@
                 }
             }
         }
-        // END Android-added: Support blacklisting known-bad certs
+        // END Android-added: Support blocklisting known-bad certs
 
         //
         // (b)
@@ -304,15 +304,15 @@
 
         for (index = certs.size() - 1; index >= 0; index--)
         {
-            // BEGIN Android-added: Support blacklisting known-bad certs
-            if (NoPreloadHolder.blacklist.isPublicKeyBlackListed(workingPublicKey)) {
+            // BEGIN Android-added: Support blocklisting known-bad certs
+            if (NoPreloadHolder.blocklist.isPublicKeyBlockListed(workingPublicKey)) {
                 // emulate CRL exception message in RFC3280CertPathUtilities.checkCRLs
                 String message = "Certificate revocation of public key " + workingPublicKey;
                 System.out.println(message);
                 AnnotatedException e = new AnnotatedException(message);
                 throw new CertPathValidatorException(e.getMessage(), e, certPath, index);
             }
-            // END Android-added: Support blacklisting known-bad certs
+            // END Android-added: Support blocklisting known-bad certs
             // try
             // {
             //