- 21 Mar, 2014 1 commit
Alex Klyubin authored
This makes TLS/SSL primitives operate as expected when no X509TrustManager or X509KeyManager is provided. Instead of blowing up with KeyManagementException or NullPointerException (or similar) when X509TrustManager or X509KeyManager is not provided, this CL makes SSLContext.init accept such setup, and makes SSLSocket and SSLEngine reject certificate chains, select no private keys/aliases, and accept no certificate issuers.

Bug: 13563574
Change-Id: I8de58377a09025258357dd4da9f6cb1b6f2dab80
-
- 29 Apr, 2013 1 commit
Kenny Root authored
To help with shipping the JSSE with apps that want to bundle it, move it to a new package so that the tangles in other parts of the library can be untangled.

Change-Id: I810b6861388635301e28aee5b9b47b8e6b35b430
-
- 08 Mar, 2012 1 commit
Brian Carlstrom authored
Before, the code would squash exceptions into null values, then turn the values back into KeyManagementException. Now the code preserves the underlying exception as the cause of the KeyManagementException.

(cherry picked from commit b6d100ca03dd4c576c6735ce510cecc70d2e6617)

Change-Id: Ia833145839578760ed9b49c626e8d4ab86ceacbe
-
- 20 May, 2011 1 commit
Brian Carlstrom authored
Change-Id: Idaaa1952d1b6148c51b3da5d1771105e8bde8a03
-
- 17 May, 2011 1 commit
Brian Carlstrom authored
frameworks/base

Remove getCaCertificates and findIssuer from IKeyChainService, these are now done via libcore's TrustedCertificateStore (as part of the default TrustManager implementation)
  keystore/java/android/security/IKeyChainService.aidl

Simplify KeyChain API. Now that the CA certificates are visible through the default TrustManager, the KeyChain is solely focused on retrieving PrivateKeys and their associated certificates. The calling API for KeyChain is simplified to a single KeyChain.get() call that returns a KeyChainResult, removing the need for a KeyChain instance that needs to be closed.
  keystore/java/android/security/KeyChain.java
  keystore/java/android/security/KeyChainResult.java

master/libcore

Remove getDefaultIndexedPKIXParameters and getIndexedPKIXParameters which was used as part of the prototype of looking up CAs via the KeyChain but is obsoleted by the new default TrustManager implementation.
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java

packages/apps/KeyChain

Tracking simplified IKeyChainService, removing now unneeded implementation, updating tests.
  src/com/android/keychain/KeyChainService.java
  tests/src/com/android/keychain/tests/KeyChainServiceTest.java
  tests/src/com/android/keychain/tests/KeyChainTestActivity.java

Change-Id: I5c0df3b67248bb8014c85a5997098d5e70fbc505
-
- 06 Apr, 2011 1 commit
Brian Carlstrom authored
Allow access to default IndexedPKIXParameters, similar to access to default TrustManager. Needed to allow framework to add/remove trusted CAs at runtime.
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java

Add test support for looking up a cert by an issuer for use in key chain tests.
  support/src/test/java/libcore/java/security/TestKeyStore.java

Add test support SSLSocketFactory that sets desired client auth on each created socket. For use with MockWebServer for key chain testing.
  support/src/test/java/libcore/javax/net/ssl/TestSSLContext.java

Change-Id: Iecdbd40c67f1673bda25a52b4e229156c805d564
-
- 14 Jan, 2011 1 commit
Elliott Hughes authored
I've changed useful ones to regular comments or TODOs, as appropriate. I've left ones in code like java.util.concurrent where we really are tracking an upstream source, making the change markers useful. I've left a handful of others where I intend to actually investigate the implied TODOs before deciding how to resolve them.

Change-Id: Iaf71059b818596351cf8ee5a3cf3c85586051fa6
-
- 03 Nov, 2010 1 commit
Brian Carlstrom authored
Overhaul of TrustManagerImpl
  - PKIXParameters can now be final in TrustManagerImpl because we always immediately create an IndexedPKIXParameters instead of only doing it in SSLParametersImpl.createDefaultTrustManager.
  - Use new KeyStore constructor for IndexedPKIXParameters to remove duplicate logic for creating set of TrustAnchors from a KeyStore.
  - Improved checkTrusted/cleanupCertChain to remove special cases for directly trusting the end cert or pruning only self signed certs. To support b/2530852, we need to stop pruning the chain as soon as we find any trust anchor (using newly improved TrustManagerImpl.isTrustAnchor), which could be at the beginning, middle, or end. That means cleanupCertChain can return an empty chain if everything was trusted directly. (and we don't need to do extra checks on exception cases to see if the problem was just that the trust anchor was in the chain)
  - isDirectlyTrusted -> isTrustAnchor here as well, using new IndexedPKIXParameters.isTrustAnchor APIs
  - Fix incorrect assumption in getAcceptedIssuers that all TrustAnchor instances have non-null results for getTrustedCert.
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/TrustManagerImpl.java

Removed indexing in createDefaultTrustManager since we always index now
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java

Overhaul of IndexedPKIXParameters
  - Single map from subject X500Principal to TrustAnchors instead of two different X500Principal keyed maps to check
  - Removed map based on encoded cert. For b/2530852, we want to treat certs as equal if they have the same name and public key, not byte-for-byte equality, which can be done with the remaining map. Revamped isDirectlyTrusted into isTrustAnchor(cert) to perform this new name/key based comparison.
  - Added helper isTrustAnchor(cert, anchors) to reuse code in non-IndexedPKIXParameters case in TrustManagerImpl.
  - Added constructor from KeyStore
  - Moved anchor indexing code to index() from old constructor
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/IndexedPKIXParameters.java

TestKeyStore.getPrivateKey allowed some existing test simplification.
  luni/src/test/java/libcore/java/security/KeyStoreTest.java
  luni/src/test/java/org/apache/harmony/xnet/provider/jsse/NativeCryptoTest.java
  support/src/test/java/libcore/java/security/TestKeyStore.java

Added missing "fail()" before catching expected exceptions.
  luni/src/test/java/libcore/java/security/KeyStoreTest.java

Expanded KeyManagerFactoryTest to exercise ManagerFactoryParameters b/1628001
  luni/src/test/java/libcore/javax/net/ssl/KeyManagerFactoryTest.java

Added KeyStoreBuilderParametersTest because I thought I saw a bug in KeyStoreBuilderParameters, but this convinced me otherwise.
  luni/src/test/java/libcore/javax/net/ssl/KeyStoreBuilderParametersTest.java

New TrustManagerFactory test modeled on expanded KeyManagerFactoryTest. test_TrustManagerFactory_intermediate specifically is targeting the new functionality of b/2530852 to handle trust anchors within the chain.
  luni/src/test/java/libcore/javax/net/ssl/TrustManagerFactoryTest.java
  support/src/test/java/libcore/java/security/StandardNames.java

Some initial on tests for Elliptic Curve (b/3058375) after the RI started reporting it was supported. Removed old @KnownFailure tags. Skipped a test on the RI that it can't handle. Improved some assert messages.
  luni/src/test/java/libcore/javax/net/ssl/SSLEngineTest.java
  luni/src/test/java/libcore/javax/net/ssl/SSLSocketTest.java
  support/src/test/java/libcore/java/security/StandardNames.java
  support/src/test/java/libcore/java/security/TestKeyStore.java

Removed unneeded bytes->javax->bytes->java case of which can just go bytes->java directly.
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java

Removed super()
  luni/src/main/java/javax/net/ssl/KeyStoreBuilderParameters.java

Made Security.secprops final
  luni/src/main/java/java/security/Security.java

Pulled SamplingProfiler fix from dalvik-dev branch
git cherry-pick --no-commit f9dc3450e8f23cab91efc9df99bb860221ac3d6c
  dalvik/src/main/java/dalvik/system/SamplingProfiler.java

Bug: 2530852
Change-Id: I95e0c7ee6a2f66b6986b3a9da9583d1ae52f94dd
-
- 13 Oct, 2010 2 commits
Brian Carlstrom authored
Change-Id: Id5a042873acc0a8185567ca18ce009c06e54f38d
-
Brian Carlstrom authored
Make SSLParametersImpl's defaultKeyManager, defaultTrustManager, defaultSecureRandom, and defaultParameters all use the single check idiom for initialization. Move such initialization for defaultKeyManager and defaultTrustManager out of SSLParametersImpl constructor into static functions, replacing original getDefaultTrustManager simple accessor with code that performs lazy initialization.
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java

dirrect -> direct
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParametersImpl.java
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketImpl.java

hanshake -> handshake
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLRecordProtocol.java
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/HandshakeProtocol.java
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketImpl.java

Bug: 2954292
Change-Id: I19bae541613666903b57fccf3e8bfef65b74d6cf
-
- 14 Sep, 2010 1 commit
Brian Carlstrom authored
Rename internal SSLParameters to SSLParametersImpl to avoid collision with new javax.net.ssl.SSLParameters

Bug: 2672817
Change-Id: Iadf21b848eaf8850fce22721b9ba3739ab2e9fca
-
- 27 May, 2010 1 commit
Brian Carlstrom authored
Summary:
  - RI 6 support for javax.net.ssl
  - SSLEngine fixes based on new SSLEngineTest
  - fix Cipher.checkMode bug recently introduced in dalvik-dev

Details:

Fix Cipher.checkMode that was preventing most javax.net.ssl tests from working
  luni/src/main/java/javax/crypto/Cipher.java

RI 6 has introduced the concept of a "Default" SSLContext. This is accessed via SSLContext.getDefault() and also SSLContext.getInstance("Default"). Harmony had its own DefaultSSLContext but it was not created via an SSLContextSpi. It also was a single shared instance whereas the new RI6 Default SSLContext shares internal SSLSessionContext instances between different Default SSLContexts. Refactored the old code into an SSLContextImpl subclass that allows it to be created via SSLContext.getInstance. SSLContextImpl ensures that we only ever create one set of SSLSessionContext instances for the Default context.
  luni/src/main/java/javax/net/ssl/DefaultSSLContext.java
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/DefaultSSLContextImpl.java
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java

Added SSLContext.getDefault and SSLContext.setDefault
  luni/src/main/java/javax/net/ssl/SSLContext.java

Replace dependencies of old DefaultSSLContext with use of SSLContext.getDefault
  luni/src/main/java/javax/net/ssl/SSLServerSocketFactory.java
  luni/src/main/java/javax/net/ssl/SSLSocketFactory.java

Register "SSLContext.Default" as DefaultSSLContextImpl class for SSLContext.getInstance()
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/JSSEProvider.java

Added constant for new "Default" standard name and added it to SSL_CONTEXT_PROTOCOLS. New tests based on SSL_CONTEXT_PROTOCOLS made it clear that neither Android nor RI support SSLv2 so removed it from SSL_CONTEXT_PROTOCOLS and SSL_SOCKET_PROTOCOLS. Added constant for TLS as well which was previously scattered all over tests. Remove SSLv2Hello from SSL_SOCKET_PROTOCOLS for Android since with OpenSSL disabling SSLv2 means you can not use SSLv2Hello either.
  support/src/test/java/javax/net/ssl/StandardNames.java

Added tests for SSLContext.getDefault and SSLContext.setDefault. Changed existing tests to work on all protocols including new "Default".
  luni/src/test/java/javax/net/ssl/SSLContextTest.java

RI 6 has introduced the notion of SSLParameters which encapsulate the SSL handshake parameters of desired cipher suites, protocols, and client authentication requirements. The main new class SSLParameters is basically just a bag of fields with accessors and a couple simple constructors. The only things of note are that it clones all String arrays on input and output and the setters for the two boolean fields ensure that only one is true at a time.
  luni/src/main/java/javax/net/ssl/SSLParameters.java

Added SSLContext.getDefaultSSLParameters and SSLContext.getSupportedSSLParameters which simply delegate to the SSLContextSpi.
  luni/src/main/java/javax/net/ssl/SSLContext.java

Added abstract SSLContextSpi.engineGetDefaultSSLParameters and SSLContext.engineGetSupportedSSLParameters.
  luni/src/main/java/javax/net/ssl/SSLContextSpi.java

Added engineGetDefaultSSLParameters and engineGetSupportedSSLParameters implementation. The RI documents in SSLContextSpi that these are implemented by default by creating a socket via the SSLContext's SocketFactory and asking for the enabled/supported cipher suites and protocols respectively, so that is what is done. The doc mentions throwing UnsupportedOperationException if there is a problem, so we do that as well.
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java

Added {SSLEngine,SSLSocket}.{getSSLParameters,setSSLParameters} which are analogous.
  luni/src/main/java/javax/net/ssl/SSLEngine.java
  luni/src/main/java/javax/net/ssl/SSLSocket.java

Added SSLParametersTest
  luni/src/test/java/javax/net/ssl/SSLParametersTest.java
  luni/src/test/java/javax/net/ssl/AllTests.java

Added SSLContext.get{Default,Supported}SSLParameters tests
  luni/src/test/java/javax/net/ssl/SSLContextTest.java

Added SSLSocket.{getSSLParameters,setSSLParameters} tests and added some extra asserts to test_SSLSocketPair_create based on experience with test_SSLEnginePair_create.
  luni/src/test/java/javax/net/ssl/SSLSocketTest.java

Dummy implementation of new SSLContextSpi for test classes.
  support/src/test/java/org/apache/harmony/security/tests/support/MySSLContextSpi.java
  support/src/test/java/org/apache/harmony/xnet/tests/support/MySSLContextSpi.java

Other minor RI 6 API changes:

RI 6 removed Serializable from HandshakeCompletedEvent and SSLSessionBindingEvent
  luni/src/main/java/javax/net/ssl/HandshakeCompletedEvent.java
  luni/src/main/java/javax/net/ssl/SSLSessionBindingEvent.java

RI 6 added generic types to the KeyStoreBuilderParameters List constructor and accessor as well as to SSLSessionContext.getIds. Fixed tests to compile with generic types.
  luni/src/main/java/javax/net/ssl/KeyStoreBuilderParameters.java
  luni/src/main/java/javax/net/ssl/SSLSessionContext.java
  luni/src/test/java/tests/api/javax/net/ssl/KeyStoreBuilderParametersTest.java

SSLEngine improvements. Since I was changing SSLEngine, I wrote an SSLEngineTest based on my SSLSocketTest to do some simple sanity checking. It exposed a number of issues. I've fixed the small ones, marked the rest as known failures.

Renamed some TLS_ cipher suites to SSL_ to match JSSE standard names. These were all old suites no longer supported by RI or OpenSSL which is why they were missed in an earlier cleanup of this type in this class. Also fixed SSLEngine supported cipher suites list not to include SSL_NULL_WITH_NULL_NULL which is not a valid suite to negotiate.
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java

SSLEngine instances can have null host values, which caused a NullPointerException in the ClientSessionContext implementation.
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java

SSLEngine tests were failing because SSLParameters was throwing NullPointerException instead of IllegalArgument exception on null element values. Fixed null pointer message style while I was here.
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java

Fixed SSLEngine instances to default to server mode like RI
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java

Fixed KEY_TYPES based on SSLEngine implementation. Removed dead code NativeCrypto.getEnabledProtocols which was recently made obsolete. Cleaned up null exception messages to follow our convention.
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java

Added SSLEngineTest which parallels SSLSocketTest in its coverage. Similarly added TestSSLEnginePair which loosely parallels TestSSLSocketPair.
  luni/src/test/java/javax/net/ssl/SSLEngineTest.java
  luni/src/test/java/javax/net/ssl/AllTests.java
  support/src/test/java/javax/net/ssl/TestSSLEnginePair.java

SSLEngineTest better exposed the differences between SSLSocket and SSLEngine supported cipher suites. StandardNames now has a CIPHER_SUITES_SSLENGINE definition which denotes what is missing and what is extra and why in the SSLEngine implementation.
  support/src/test/java/javax/net/ssl/StandardNames.java

Created StandardNames.assert{Valid,Supported}{CipherSuites,Protocols} to factor out some test code that is also used by new tests.
  support/src/test/java/javax/net/ssl/StandardNames.java
  luni/src/test/java/javax/net/ssl/SSLSocketFactoryTest.java
  luni/src/test/java/javax/net/ssl/SSLSocketTest.java

Remove SSLSocketTest known failure and add new SSLEngineTest known failures
  expectations/knownfailures.txt

SSL_OP_NO_TICKET change was recently merged from master which required some fixes. For the moment, sslServerSocketSupportsSessionTickets always returns false.
  support/src/test/java/javax/net/ssl/TestSSLContext.java

Fixed flakey test_SSLSocket_HandshakeCompletedListener which had a race because the client thread looked in the server session context for a session by id potentially before the server thread had a chance to store its session. Made noticeable because of SSL_OP_NO_TICKET recently merged from master (before this code path was host only, not device)
  luni/src/test/java/javax/net/ssl/SSLSocketTest.java

Fix checkjni issue where we need to check for pending exception in OpenSSL callback. Possibly introduced by recent merge of SSL_OP_NO_TICKET from master.
  luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp

Expectation updates

Remove SSLSocketTest known failure and add new SSLEngineTest known failures
  expectations/knownfailures.txt

Tag test_SSLSocket_getSupportedCipherSuites_connect as large
  expectations/taggedtests.txt

Misc changes:

opening brace on wrong line
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java

Long line cleanup while debugging
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/HandshakeProtocol.java
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketFactoryImpl.java
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketFactoryImpl.java
  support/src/test/java/javax/net/ssl/TestKeyStore.java

Removed bogus import
  luni/src/test/java/javax/net/ssl/SSLSessionContextTest.java

Comment clarify while debugging
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java

Ctor -> Constructor in comment
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLEngineImpl.java

Fixed naming of SocketTest_Test_create to TestSocketPair_Create to match renamed classes
  luni/src/test/java/javax/net/ssl/SSLSocketTest.java

Change-Id: I99505e97d6047eeabe4a0b93202075a0b2d486ec
-
- 20 May, 2010 1 commit
Brian Carlstrom authored
Enable Diffie-Hellman cipher suites in NativeCrypto (and in StandardNames to match for testing). This means we now have the same default cipher suite list as RI 5.
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
  support/src/test/java/javax/net/ssl/StandardNames.java

Enabling DH made it obvious that the RI check for enabled cipher suites on SSLServerSocket.accept was not as stringent as first thought. Apparently they don't care if all enabled cipher suites have certificates/keys, just that at least one of them will work, even if it's anonymous. Factored out the logic to check this into checkEnabledCipherSuites for clarity along with the supporting checkForPrivateKey. Also only check if the socket is in server mode, since it's fine to have nothing configured for server acting as a client for handshake purposes.
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java

The real work to enable Diffie-Hellman was to use SSL_CTX_set_tmp_dh_callback to set a callback to get DH parameters. There are two ways to create the parameters. The first is to use DH_generate_parameters_ex which is very slow (minutes) and is recommended as an install time option. The second is to use DSA_generate_parameters_ex followed by DSA_dup_DH, which is faster for a single call, but must be done every time, so slower overall. We currently take the second approach to just have DH working.
  luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp

Changed ephemeral RSA keys to be stored per SSL in AppData, not in a static global.
  luni/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp

Fix LS_ to TLS_ typo in commented out constant. Removed easy to miss wrapping in array definition.
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java

Renamed CipherSuites defaultPretendant to defaultCipherSuites which led to renaming the CipherSuites constants to follow the coding style.
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/CipherSuite.java
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/DigitalSignature.java
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImpl.java
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerKeyExchange.java

Change-Id: Ia38de48cabb699b24fe6e341ba79f34e3da8b543
-
- 13 May, 2010 1 commit
Elliott Hughes authored
Gentlemen, you may now set your editors to "strip trailing whitespace"...

Change-Id: I85b2f6c80e5fbef1af6cab11789790b078c11b1b
-
- 10 May, 2010 1 commit
Brian Carlstrom authored
Moved initialization of SSLContextImpl clientSessionContext and serverSessionContext from engineInit time (in SSLParameters constructor) to constructor time, making them final. This is to fix javax.net.ssl.SSLContextTest which was failing because it tried to access this before init was called, which worked fine on the RI. The SSLParameters now simply takes the preallocated session contexts as arguments. SSLParameters.getDefault() now needs to create its own session contexts when an SSLContext is not used, which is how Harmony does it.
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java

Removed KnownFailure from SSLContextTest as it's 100% working.
  luni/src/test/java/javax/net/ssl/SSLContextTest.java

Changed persistentCache fields of ClientSessionContext and ServerSessionContext from final to private and added a public setter. This replaces passing the persistentCache implementation in via the constructor. For momentary backward compatibility with frameworks/base, the now deprecated 5 argument engineInit method now uses these setters for backward compatibility. The SSLParameters previously took these persistent caches as arguments in order to pass them to the session context constructors, but as SSLParameters no longer creates these, they are no longer relevant.
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java

While moving the call of the AbstractSessionContext constructor from SSLParameters to SSLContextImpl after removing the persistent cache arguments, I realized there was no longer any reason to take any arguments. I pushed the initialization of sslCtxNativePointer to the point of declaration.
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/AbstractSessionContext.java
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
  luni/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java

Change-Id: Ied2903a2f369bf4e521e702bf58f32f21cb97d17
-
- 04 May, 2010 2 commits
Peter Hallam authored
Merge xml except xmlpull and kxml into luni
-
Brian Carlstrom authored
Summary:
  - SSLSocket.startHandshake now generalized to handle both client and server handshaking as well as client/server role reversal
  - handshake_cutthrough.patch is properly integrated with support delayed handshake completion now integrated with delayed updates to session cache and callbacks to HandshakeCompletedListeners
  - Many fixes to SSLSession, which is the end product of the handshake
  - Generally more RI and SSLEngine compliant behavior.
  - More native code deletion through unification of client/server handshake, unification of client/server certificate chain verification, etc. More native code moved from various OpenSSL classes to cleaner NativeCrypto interfaces that more directly mirror the OpenSSL interfaces.

Details:

Delay SSL_new call until handshake time when we know for sure whether the OpenSSLSocket will be used in client or server mode and we can allocate the SSL_new from the appropriate client or server SSL_CTX used for session caching.

Now that no SSL is allocated for an OpenSSLServerSocketImpl, store enabledProtocols and enabledCipherSuites in instance String arrays. Use new NativeCrypto.checkEnabled* methods for argument validation. OpenSSLServerSocketImpl passes these enabled arrays to a new OpenSSLSocket constructor during accept(). Removed finalizer from OpenSSLServerSocketImpl since it no longer has any native storage and socket is already closed by PlainSocketImpl finalizer.
  x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
  x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java

OpenSSLSocket major overhaul to properly implement handshaking including switching client and server roles and session ID caching with handshake_cutthrough.patch.
  - now implements NativeCrypto.HandshakeCompletedListeners for properly timed callback when handshake_cutthrough.patch delays handshake completion until first SSLSocket.getInputStream() read.
  - similar enabledProtocols/enabledCipherSuites changes as OpenSSLServerSocketImpl since we need to store the state somewhere other than an openssl SSL struct until we are sure if we are doing a client or server handshake.
  - added handshake completed field so that startHandshake can tell if handshake was completed during SSL_do_handshake or will be completed later by a call to HandshakeCompletedCallback.handshakeCompleted.
  - removed nativegetsession as the equivalent value is now returned by SSL_do_handshake
  - removed nativecipherauthenticationmethod as the value is now passed to verifyCertificateChain
  - startHandshake is now a wrapper that forces a fully synchronous handshake
  - startHandshake(boolean) is the most changed method in this changelist, combining both the old startHandshake logic, but also the OpenSSLSocketImpl.accept code as well. Notable differences from the old code:
    * now responsible for SSL_new
    * single code path for client/server handshaking dealing with SSLSession caching
    * now handles server certificate requests previously in OpenSSLServerSocketImpl, since a client can request to act like a server and therefore need to be able to make such demands on its peer.
    * supports turning off handshake_cutthrough at a caller's request via explicit call to startHandshake()
    * certificate verification happens during an upcall from openssl during SSL_do_handshake to verifyCertificateChain for both client and server cases. previously there was not quite right upcall support on the server side and post-handshake checking on the client, which did not allow for a proper alert to be sent to the peer informing them of the issue, which the RI and SSLEngine code do.
    * Similarly, setEnableSessionCreation(false) did not send an alert to the peer as the RI and SSLEngine code in the client case. In the server case, nothing was previously done.
    * The use of local certificates was not determined from introspecting the SSL struct post-handshake. This is now partially implemented and will be completed in a later change.
  - SSLSocket.{shutdownInput,shutdownOutput} are now restored to the proper behavior of throwing UnsupportedOperationException.
  - Gutted OpenSSLSocketImpl finalizer. The comment explains in detail the trouble of having the finalizer do anything more than touch the instance's own state due to unpredictable order of finalization and the future possibility of parallel finalization.
  x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java

SSLSession fixes
  - Made OpenSSLSessionImpl.sessionContext non-final so it could be nulled by SSLSession.invalidate to match RI behavior.
  - As noted in AbstractSessionContext discussion, removed OpenSSLSessionImpl constructor that took SSLParameters, instead we take the possibly null localCertificates directly. OpenSSLSessionImpl.getLocalCertificates now simply returns the localCertificates member variable instead of incorrectly trying to query the KeyManager for certificates that may not have been used.
  - OpenSSLSessionImpl now caches its native ID to avoid numerous native calls but also now provides a resetId which will update the cache when a delayed handshake happens due to the handshake_cutthrough.patch
  - Fixed bug in getPeerPrincipal that it wasn't calling getPeerCertificates to initialize peerCertificates field.
  - freeImpl is now 'public static' in preparation for move to NativeCrypto.
  x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java

The old SSLSessionImpl class that is still used for representing the invalid session now returns isValid => false and getProtocol => "NONE" to match the RI.
  x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSessionImpl.java

NativeCrypto improvements
  - Adding NativeCrypto.SSL_{get,set,clear}_mode similar to NativeCrypto.SSL_{get,set,clear}_options along with SSL_MODE_HANDSHAKE_CUTTHROUGH constant which is used to explicitly disable/enable the Android handshake_cutthrough.patch behavior.
  - Added missing NativeCrypto.SSL_clear_options and used to properly implement NativeCrypto.setEnabledProtocols.
  - Added NativeCrypto.checkEnabledProtocols and NativeCrypto.checkEnabledCipherSuites helpers to implement exception compatibility with the RI. While some of this code is refactored from existing NativeCrypto code, it is now also used by OpenSSLServerSocketImpl and OpenSSLSocketImpl which maintain their own String[]s of what is enabled until startHandshake time. (see below)
  - Changed NativeCrypto.findSuite to use foreach style loop for clarity.
  - Moved OpenSSLServerSocketImpl nativesetclientauth and SSL_VERIFY_* constants to NativeCrypto.SSL_set_verify
  - Added NativeCrypto.SSL_set_session based on part of old OpenSSLSocketImpl.nativeconnect
  - Added NativeCrypto.SSL_set_session_creation_enabled to properly implement SSLSocket.setEnableSessionCreation(false) which uses new external/openssl/patches/jsse.patch functionality.
  - New NativeCrypto.SSL_do_handshake consolidates OpenSSLSocketImpl.{nativeconnect, nativeaccept} while properly implementing SSLSocket.setUseClientMode(false) for clients and SSLSocket.setUseClientMode(true) for servers.
  - New NativeCrypto.SSL_get_certificate is to determine if local certificate requested by peer. While functional, currently NativeCrypto.SSL_new always sets a value via SSL_use_certificate instead of relying on a callback set via SSL_CTX_set_client_cert_cb.
  - Changed NativeCrypto.CertificateChainVerifier.verifyCertificateChain to throw a checked CertificateException to match TrustManager.{checkServerTrusted, checkClientTrusted}. It also takes an authMethod to avoid the need to call the old OpenSSLSocketImpl.nativecipherauthenticationmethod.
  - Added NativeCrypto.HandshakeCompletedCallback which has its handshakeCompleted method called from OpenSSL when the now delayed handshake_cutthrough.patch handshake is completed so SSLSession caching can be delayed until a session ID is available and to provide a better time for HandshakeCompletedListeners to be notified.
  x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
  x-net/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp

Some other changes specific to the native side of the code
  - Added JNITRACE calls (enabled at compile time with JNI_TRACE) for future debugging.
  - throw SSLException subclass of IOException instead of IOException itself for better RI compatibility
  x-net/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
  - changed from old struct app_data to new class AppData at enh's request

Remove dubious usage of SSLParameters within AbstractSessionContext to pass through to OpenSSLSessionImpl constructor for use in calling getLocalCertificates for sessions created from a byte array with AbstractSessionContext.toSession. Our AbstractSessionContext.toBytes doesn't currently include the local certificates in its output, so it cannot be expected to have in toSession.
  x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/AbstractSessionContext.java
  x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
  x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java
  x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java

Test maintenance

openssl 1.0.0 adds support for RFC 4507 session tickets which remove the need for server side session state. These tests needed to be updated for this new behavior. If IS_RI is true, they still follow the old behavior.
  luni/src/test/java/javax/net/ssl/SSLSessionContextTest.java
  luni/src/test/java/javax/net/ssl/SSLSessionTest.java
  luni/src/test/java/javax/net/ssl/SSLSocketTest.java

Update KnownFailures and add specific comments at point of failure about what remains to be fixed.
  luni/src/test/java/javax/net/ssl/SSLSessionTest.java

Added tests to cover the use of standard cipher suite names. Historically Android has used OpenSSL string constants for cipher suite names, but JSSE actually specifies supported and expected names.
  luni/src/test/java/javax/net/ssl/SSLSocketFactoryTest.java
  luni/src/test/java/javax/net/ssl/SSLSocketTest.java

Create new support/src/test/java/javax/net/ssl with old Helper support code pulled from javax.net.ssl tests:
  SSLContextTest.Helper -> TestSSLContext
  SSLSocketTest.Helper -> TestSSLSocketPair
  SSLSessionTest.Helper -> TestSSLSessions
Also added new StandardNames here, which contains a collection of expected constants for test validation.
  luni/src/test/java/javax/net/ssl/SSLContextTest.java
  luni/src/test/java/javax/net/ssl/SSLSocketTest.java
  luni/src/test/java/javax/net/ssl/SSLSessionTest.java
  support/src/test/java/javax/net/ssl/TestSSLContext.java
  support/src/test/java/javax/net/ssl/TestSSLSocketPair.java
  support/src/test/java/javax/net/ssl/TestSSLSessions.java
  support/src/test/java/javax/net/ssl/StandardNames.java

Removed some now fixed KnownFailures and unneeded !IS_RI code. Marked some [Un]KnownFailures where exceptions are thrown and visible in the output but aren't correctly causing the test to fail. Fixed assertNonNull to assertTrue in test_SSLSocketTest_Test_create. Added stress_test_SSLSocketTest_Test_create to track down test flakiness, leading to rewrite of SSLSocket finalization.
  luni/src/test/java/javax/net/ssl/SSLSocketTest.java

Reenable javax.net.ssl.AllTests now that it does not hang
  luni/src/test/java/tests/AllTests.java

Improve error messages while debugging overflow problem. Added new assert when debugging new RFC 4507 behavior.
Removed KnownFailure annotation for now working test case. x-net/src/test/java/tests/api/javax/net/ssl/SSLSessionTest.java Client code changes Now that startHandshake implies synchronous vs Android's default async handshake, remove unneeded explict calls to SSLSocket.startHandshake luni/src/main/java/org/apache/harmony/luni/internal/net/www/protocol/http/HttpConnection.java Removed IBM 1.4.x codepath that involved startHandshake x-net/src/main/java/javax/net/ssl/DefaultHostnameVerifier.java Unrelated Remove unneed SSLSocket.setUseClientMode while removing unneeded SSLSocket.startHandshake luni/src/main/java/org/apache/harmony/luni/internal/net/www/protocol/http/HttpConnection.java Removed warnings due to now missing modules in classpath run-core-tests Change-Id: I6e149ae259b3feccdfb0673209c85cfeb60befc8
-
- 06 Apr, 2010 1 commit
-
-
Brian Carlstrom authored
Summary:

b/1758225: Revisit OpenSSL locking
Removed the locking originally put in to address b/1678800 which had been causing problems for the HeapWorker thread which was timing out waiting for the lock in the finalizers while other threads were connecting.

b/1678800: Reliability tool: Crash in libcrypto @ https://opac.ntu.ac.uk
Properly fixed the native crash by avoiding sharing SSL_SESSION objects between SSL_CTX objects

Testing:
  - adb shell run-core-tests --verbose tests.xnet.AllTests
  - adb shell run-core-tests --verbose javax.net.ssl.AllTests
  - Test app that reloads https://opac.ntu.ac.uk

Details:

Each AbstractSessionContext now has an associated SSL_CTX, referenced through the sslCtxNativePointer. SSL_CTX on the native side defines the scope of SSL_SESSION caching, and this brings the Java SSLSessionContext caching into alignment with the native code. OpenSSLSessionImpl now uses AbstractSessionContext instead of SSLSessionContext for access to the underlying SSL_CTX.
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/AbstractSessionContext.java
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java

Added AbstractSessionContext.putSession so OpenSSLSocketImpl/OpenSSLSessionImpl can directly assign to the current AbstractSessionContext (whether it be a ClientSessionContext or a ServerSessionContext) without casting.
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/AbstractSessionContext.java
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java

Cleaning up use of SSL_CTX and SSL instances in SSLSocket/SSLServerSocket implementation

The major change is that openssl SSL instances are allocated for the life of the matching Java object, replacing the SSL_CTX and the SSL objects that had previously been allocated only starting at handshake time. We should never have been sharing SSL_SESSION instances between SSL_CTX instances, which was the source of the native crashes dating back to cupcake which the OpenSSLSocket.class locking had been preventing.

  - NativeCrypto now has better defined and independent wrappers on openssl functionality. A follow-on checkin should move the remaining openssl JNI code here with the intent of being able to write an end-to-end test of the openssl code using NativeCrypto without the JSSE implementation classes. The following gives a list of the new native functions with a mapping to the old implementation code. The new code has a more functional style where SSL_CTX and SSL instances are passed and returned as arguments, not extracted from Java instances

        SSL_CTX_new               OpenSSLSocketImpl.nativeinit, OpenSSLServerSocketImpl.nativeinit, SSLParameters.nativeinitsslctx
        SSL_CTX_get_ciphers_list  OpenSSLSocketImpl.nativeGetEnabledCipherSuites
        SSL_CTX_free              OpenSSLSocketImpl.nativefree, OpenSSLServerSocketImpl.nativefree
        SSL_new                   OpenSSLSocketImpl.nativeinit, OpenSSLSocketImpl.init, OpenSSLServerSocketImpl.nativeinit, OpenSSLServerSocketImpl.init
        SSL_get_options           OpenSSLSocketImpl.nativesetenabledprotocols
        SSL_set_options           OpenSSLSocketImpl.nativesetenabledprotocols
        SSL_get_ciphers           OpenSSLSocketImpl.nativeGetEnabledCipherSuites
        SSL_set_cipher_list       OpenSSLSocketImpl.nativeSetEnabledCipherSuites
        SSL_free                  OpenSSLSocketImpl.nativefree, OpenSSLServerSocketImpl.nativefree

  - While the focus in NativeCrypto is on native code, it also contains some helpers/wrappers especially for code that doesn't depend on specific SSL_CTX, SSL instances or that needs to do massaging of data formats between Java and OpenSSL. Some of these had previously been duplicated in the client and server versions of the code. For example:

        getSupportedCipherSuites  OpenSSLSocketImpl.nativegetsupportedciphersuites, OpenSSLServerSocketImpl.nativegetsupportedciphersuites
        getSupportedProtocols     OpenSSLSocketImpl.getSupportedProtocols, OpenSSLServerSocketImpl.getSupportedProtocols
        getEnabledProtocols       OpenSSLSocketImpl.getEnabledProtocols, OpenSSLServerSocketImpl.getEnabledProtocols
        setEnabledProtocols       OpenSSLSocketImpl.setEnabledProtocols
        setEnabledCipherSuites    OpenSSLSocketImpl.setEnabledCipherSuites

  - Moved JNI initialization from OpenSSLSocketImpl to NativeCrypto which is the future home of all the openssl related native code.

        clinit                    OpenSSLSocketImpl.nativeinitstatic

  - NativeCrypto.CertificateChainVerifier is a new interface to decouple callbacks from openssl from a specific dependence on a OpenSSLSocketImpl.verify_callback method. Changed to return boolean instead of int.
  - Renamed OpenSSLSocketImpl.ssl to OpenSSLSocketImpl.sslNativePointer for consistency
  - Changed OpenSSLSocketImpl nativeconnect, nativegetsslsession, nativecipherauthenticationmethod, nativeaccept, nativeread, nativewrite, nativeinterrupt, nativeclose, nativefree to take arguments instead of inspect object state in preparation for moving to NativeCrypto
  - other notable NativeCrypto changes included
      * adding SSL_SESSION_get_peer_cert_chain, SSL_SESSION_get_version, and SSL_get_version (and get_ssl_version) which are "missing methods" in openssl
      * ssl_msg_callback_LOG callback and get_content_type for handshake debugging
      * removing jfieldID's for our classes now that we pass in values in arguments
      * changed aliveAndKicking to be volatile since we poll on it to communicate between threads
      * changed from C style declarations at beginning of block to C++ at first use on methods with major changes
      * stop freeing SSL instances on error, only SSL_clear it
      * improved session reuse logging when reproducing b/1678800
      * change verify_callback to return verifyCertificateChain result
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/NativeCrypto.java
    x-net/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketFactoryImpl.java

When we accept a server socket, we pass the existing SSL state instance from the server socket to the newly accepted socket via the constructor where it is copied with SSL_dup, instead of through both the constructor and later the accept method.
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java

Cleaned up nativesetclientauth from using SSL_CTX to SSL, passing ssl as argument in preparation for future movement to NativeCrypto.
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java

Removed ssl_op_no cache for rarely used enabled protocol methods so that code could more easily be shared in NativeCrypto between client and server.
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketImpl.java
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java

Changed public getId, getCreationTime, getPeerCertificates, getCipherSuite, getProtocol from being instance methods that looked at the OpenSSLSessionImpl object state to be static methods that take the native pointers as arguments in preparation for moving to NativeCrypto. Rename session -> sslSessionNativePointer for consistency. Inlined initializeNative, which wasn't really the native code.
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java

Removed lock on OpenSSLSocketImpl.class lock from around OpenSSLSocketImpl's use of nativeconnect, nativegetsslsession, and nativecipherauthenticationmethod as well as OpenSSLSessionImpl's use of freeImpl, fixing b/1758225: Revisit OpenSSL locking
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSessionImpl.java

Unrelated changes

Removed unused ssl_ctx, nativeinitsslctx, getSSLCTX
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLParameters.java

Fix bug in both putSession implementations where we cached sessions with zero length id. Also change indexById to pass in id in client implementation.
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientSessionContext.java
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/ServerSessionContext.java

Make sure we clone SSLParameters passed to the SSLSocketFactory and SSLServerSocketFactory so that mutating the client instance does not change the server instance and vice versa. Explicitly set setUseClientMode(false) on the server SSLParameters. These changes are to bring things more into alignment with the original harmony classes which properly support client/server role switching during handshaking.
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLServerSocketFactoryImpl.java

Make locks object fields final
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java

Moved updateInstanceCount(1) logic and sslParameters assignment to init method
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java

Changed getCachedClientSession to respect getUseClientMode
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java

Spelling of listensers to listeners in javadoc
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java

Spelling SSLInputStream to SSLOutputStream in comment
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java

Changed shutdownInput and shutdownOutput to call to the underlying socket
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java

Set sslNativePointer to 0 when freeing underlying SSL object
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java

Removed IOException logging in getSession, which is expected to simply return SSL_NULL_WITH_NULL_NULL when there are problems.
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImpl.java

Disabled "Using factory" message on successful creation of SocketFactory which was a bit noisy running tests. However, added logging in failure case including the related exception:
    x-net/src/main/java/javax/net/ssl/SSLSocketFactory.java

Disabled logging of OpenSSL session deallocation
    x-net/src/main/native/org_apache_harmony_xnet_provider_jsse_NativeCrypto.cpp

Register SSLContextImpl as a source of SSL and SSL3 SSLContexts, not just TLS and TLSv1.
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/JSSEProvider.java

Fix whitespace in comment
    x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/CertificateRequest.java

Change-Id: I99975ae22599c7df0d249fa013ae7ea7c9c08051
-
- 13 Nov, 2009 1 commit
-
-
Jean-Baptiste Queru authored
-
- 27 Aug, 2009 1 commit
-
-
Jesse Wilson authored
Notable changes - synchronization added where it was needed! - try/finally added to reliably tear down in DefaultSSLContext - ContextImpl deleted, it wasn't necessary - methods reordered to make statics first in the class - PrivilegedActions parameterized with <Void> - DigitalSignature now throws AssertionErrors in impossible states and throws AlertExceptions on invalid keys (rather than dumping a stacktrace) - ValueKeys added to SSLSessionImpl instead of TwoKeyMaps - SSLSessionImpl.clone() simplified to do a traditional clone Squashed commit of the following: commit 2d9e43d542ab7086af271bf52e847c582decbab1 Merge: 8b79eb4 a8dc377 Author: Jesse Wilson <jessewilson@google.com> Date: Tue Aug 25 15:25:21 2009 -0700 Merge branch 'x-net_802921' into x-net_dalvik Conflicts: libcore/x-net/.classpath libcore/x-net/.settings/org.eclipse.jdt.core.prefs libcore/x-net/build.xml libcore/x-net/src/main/java/javax/net/DefaultServerSocketFactory.java libcore/x-net/src/main/java/javax/net/DefaultSocketFactory.java libcore/x-net/src/main/java/javax/net/ServerSocketFactory.java libcore/x-net/src/main/java/javax/net/SocketFactory.java libcore/x-net/src/main/java/javax/net/ssl/CertPathTrustManagerParameters.java libcore/x-net/src/main/java/javax/net/ssl/DefaultHostnameVerifier.java libcore/x-net/src/main/java/javax/net/ssl/DefaultSSLContext.java libcore/x-net/src/main/java/javax/net/ssl/DefaultSSLSocketFactory.java libcore/x-net/src/main/java/javax/net/ssl/HandshakeCompletedEvent.java libcore/x-net/src/main/java/javax/net/ssl/HandshakeCompletedListener.java libcore/x-net/src/main/java/javax/net/ssl/HostnameVerifier.java libcore/x-net/src/main/java/javax/net/ssl/HttpsURLConnection.java libcore/x-net/src/main/java/javax/net/ssl/KeyManager.java libcore/x-net/src/main/java/javax/net/ssl/KeyManagerFactory.java libcore/x-net/src/main/java/javax/net/ssl/KeyManagerFactorySpi.java libcore/x-net/src/main/java/javax/net/ssl/KeyStoreBuilderParameters.java 
libcore/x-net/src/main/java/javax/net/ssl/ManagerFactoryParameters.java libcore/x-net/src/main/java/javax/net/ssl/SSLContext.java libcore/x-net/src/main/java/javax/net/ssl/SSLContextSpi.java libcore/x-net/src/main/java/javax/net/ssl/SSLEngine.java libcore/x-net/src/main/java/javax/net/ssl/SSLEngineResult.java libcore/x-net/src/main/java/javax/net/ssl/SSLException.java libcore/x-net/src/main/java/javax/net/ssl/SSLHandshakeException.java libcore/x-net/src/main/java/javax/net/ssl/SSLKeyException.java libcore/x-net/src/main/java/javax/net/ssl/SSLPeerUnverifiedException.java libcore/x-net/src/main/java/javax/net/ssl/SSLPermission.java libcore/x-net/src/main/java/javax/net/ssl/SSLProtocolException.java libcore/x-net/src/main/java/javax/net/ssl/SSLServerSocket.java libcore/x-net/src/main/java/javax/net/ssl/SSLServerSocketFactory.java libcore/x-net/src/main/java/javax/net/ssl/SSLSession.java libcore/x-net/src/main/java/javax/net/ssl/SSLSessionBindingEvent.java libcore/x-net/src/main/java/javax/net/ssl/SSLSessionBindingListener.java libcore/x-net/src/main/java/javax/net/ssl/SSLSessionContext.java libcore/x-net/src/main/java/javax/net/ssl/SSLSocket.java libcore/x-net/src/main/java/javax/net/ssl/SSLSocketFactory.java libcore/x-net/src/main/java/javax/net/ssl/TrustManager.java libcore/x-net/src/main/java/javax/net/ssl/TrustManagerFactory.java libcore/x-net/src/main/java/javax/net/ssl/TrustManagerFactorySpi.java libcore/x-net/src/main/java/javax/net/ssl/X509ExtendedKeyManager.java libcore/x-net/src/main/java/javax/net/ssl/X509KeyManager.java libcore/x-net/src/main/java/javax/net/ssl/X509TrustManager.java libcore/x-net/src/main/java/javax/net/ssl/package-info.java libcore/x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/ClientHandshakeImpl.java libcore/x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/HandshakeProtocol.java libcore/x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/JSSEProvider.java 
libcore/x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/KeyManagerImpl.java libcore/x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/OpenSSLSocketImplWrapper.java libcore/x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLContextImpl.java libcore/x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLServerSocketFactoryImpl.java libcore/x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLServerSocketImpl.java libcore/x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSessionContextImpl.java libcore/x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSessionImpl.java libcore/x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketFactoryImpl.java libcore/x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketImpl.java libcore/x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketInputStream.java libcore/x-net/src/main/java/org/apache/harmony/xnet/provider/jsse/SSLSocketOutputStream.java libcore/x-net/src/test/api/java/org/apache/harmony/xnet/tests/javax/net/ssl/CertPathTrustManagerParametersTest.java libcore/x-net/src/test/api/java/org/apache/harmony/xnet/tests/javax/net/ssl/HandshakeCompletedEventTest.java libcore/x-net/src/test/api/java/org/apache/harmony/xnet/tests/javax/net/ssl/HttpsURLConnectionTest.java libcore/x-net/src/test/api/java/org/apache/harmony/xnet/tests/javax/net/ssl/KeyStoreBuilderParametersTest.java libcore/x-net/src/test/api/java/org/apache/harmony/xnet/tests/javax/net/ssl/SSLContext1Test.java libcore/x-net/src/test/api/java/org/apache/harmony/xnet/tests/javax/net/ssl/SSLEngineTest.java libcore/x-net/src/test/api/java/org/apache/harmony/xnet/tests/javax/net/ssl/SSLPermissionTest.java libcore/x-net/src/test/api/java/org/apache/harmony/xnet/tests/javax/net/ssl/SSLServerSocketTest.java libcore/x-net/src/test/api/java/org/apache/harmony/xnet/tests/javax/net/ssl/SSLSocketTest.java 
libcore/x-net/src/test/api/java/org/apache/harmony/xnet/tests/javax/net/ssl/TrustManagerFactory1Test.java libcore/x-net/src/test/api/java/org/apache/harmony/xnet/tests/javax/net/ssl/serialization/HandshakeCompletedEventTest.java libcore/x-net/src/test/api/java/org/apache/harmony/xnet/tests/javax/net/ssl/serialization/SSLExceptionTest.java libcore/x-net/src/test/api/java/org/apache/harmony/xnet/tests/javax/net/ssl/serialization/SSLHandshakeExceptionTest.java libcore/x-net/src/test/api/java/org/apache/harmony/xnet/tests/javax/net/ssl/serialization/SSLKeyExceptionTest.java libcore/x-net/src/test/api/java/org/apache/harmony/xnet/tests/javax/net/ssl/serialization/SSLPeerUnverifiedExceptionTest.java libcore/x-net/src/test/api/java/org/apache/harmony/xnet/tests/javax/net/ssl/serialization/SSLProtocolExceptionTest.java libcore/x-net/src/test/api/java/org/apache/harmony/xnet/tests/javax/net/ssl/serialization/SSLSessionBindingEventTest.java libcore/x-net/src/test/impl/java.injected/javax/net/ServerSocketFactoryTest.java libcore/x-net/src/test/impl/java.injected/javax/net/SocketFactoryTest.java libcore/x-net/src/test/impl/java.injected/javax/net/ssl/DefaultSSLServerSocketFactoryTest.java libcore/x-net/src/test/impl/java.injected/javax/net/ssl/DefaultSSLSocketFactoryTest.java libcore/x-net/src/test/impl/java.injected/javax/net/ssl/HttpsURLConnection_ImplTest.java libcore/x-net/src/test/impl/java.injected/javax/net/ssl/SSLServerSocketFactoryTest.java libcore/x-net/src/test/impl/java.injected/javax/net/ssl/SSLSocketFactoryTest.java libcore/x-net/src/test/impl/java.injected/org/apache/harmony/xnet/provider/jsse/CipherSuiteTest.java libcore/x-net/src/test/impl/java.injected/org/apache/harmony/xnet/provider/jsse/DigitalSignatureTest.java libcore/x-net/src/test/impl/java.injected/org/apache/harmony/xnet/provider/jsse/HandshakeProtocolTest.java libcore/x-net/src/test/impl/java.injected/org/apache/harmony/xnet/provider/jsse/KeyManagerImplTest.java 
libcore/x-net/src/test/impl/java.injected/org/apache/harmony/xnet/provider/jsse/SSLEngineImplTest.java libcore/x-net/src/test/impl/java.injected/org/apache/harmony/xnet/provider/jsse/SSLServerSocketImplTest.java libcore/x-net/src/test/impl/java.injected/org/apache/harmony/xnet/provider/jsse/SSLSessionContextImplTest.java libcore/x-net/src/test/impl/java.injected/org/apache/harmony/xnet/provider/jsse/SSLSessionImplTest.java libcore/x-net/src/test/impl/java.injected/org/apache/harmony/xnet/provider/jsse/SSLSocketFactoriesTest.java libcore/x-net/src/test/impl/java.injected/org/apache/harmony/xnet/provider/jsse/SSLSocketFunctionalTest.java libcore/x-net/src/test/impl/java.injected/org/apache/harmony/xnet/provider/jsse/SSLSocketImplTest.java libcore/x-net/src/test/impl/java.injected/org/apache/harmony/xnet/provider/jsse/SSLStreamedInputTest.java libcore/x-net/src/test/impl/java.injected/org/apache/harmony/xnet/provider/jsse/ServerHandshakeImplTest.java libcore/x-net/src/test/impl/java.injected/org/apache/harmony/xnet/provider/jsse/TrustManagerImplTest.java libcore/x-net/src/test/impl/java/org/apache/harmony/xnet/tests/provider/jsse/DigitalSignatureTest.java libcore/x-net/src/test/impl/java/org/apache/harmony/xnet/tests/provider/jsse/KeyManagerFactoryImplTest.java libcore/x-net/src/test/impl/java/org/apache/harmony/xnet/tests/provider/jsse/ProtocolVersionTest.java libcore/x-net/src/test/impl/java/org/apache/harmony/xnet/tests/provider/jsse/TrustManagerFactoryImplTest.java libcore/x-net/src/test/java/javax/net/ssl/KeyManagerFactorySpiTests.java libcore/x-net/src/test/java/javax/net/ssl/MyKeyManagerFactorySpi.java libcore/x-net/src/test/java/javax/net/ssl/MySSLContextSpi.java libcore/x-net/src/test/java/javax/net/ssl/MyTrustManagerFactorySpi.java libcore/x-net/src/test/java/javax/net/ssl/SSLContextSpiTests.java libcore/x-net/src/test/java/javax/net/ssl/TrustManagerFactorySpiTests.java libcore/x-net/src/test/java/tests/api/javax/net/ssl/KeyManagerFactory1Test.java 
libcore/x-net/src/test/java/tests/api/javax/net/ssl/KeyManagerFactory2Test.java libcore/x-net/src/test/java/tests/api/javax/net/ssl/SSLContext2Test.java libcore/x-net/src/test/java/tests/api/javax/net/ssl/SSLSessionBindingEventTest.java libcore/x-net/src/test/java/tests/api/javax/net/ssl/TrustManagerFactory2Test.java libcore/x-net/src/test/support/common/java/org/apache/harmony/xnet/tests/support/MyKeyManagerFactorySpi.java libcore/x-net/src/test/support/common/java/org/apache/harmony/xnet/tests/support/MySSLContextSpi.java libcore/x-net/src/test/support/common/java/org/apache/harmony/xnet/tests/support/MyTrustManagerFactorySpi.java commit 8b79eb40a27f0b336d5516606d43162ecead09ca Author: Jesse Wilson <jessewilson@google.com> Date: Tue Aug 25 12:58:17 2009 -0700 x-net_dalvik commit a8dc3778cd2a1a5d6d0cfff6eec22e7bfbdb9c14 Author: Jesse Wilson <jessewilson@google.com> Date: Tue Aug 25 12:56:55 2009 -0700 x-net_802921 commit 07ca0ed8aa5927c909f880559c17d162c111608e Author: Jesse Wilson <jessewilson@google.com> Date: Tue Aug 25 12:56:07 2009 -0700 x-net_527399 commit 9b44ccfc38c2fc2a6cf2c3cc39a13cc5bce635ba Author: Jesse Wilson <jessewilson@google.com> Date: Tue Aug 25 11:14:01 2009 -0700 Small changes missed in the original submission of 22482.
-
- 26 Aug, 2009 1 commit
-
-
Bob Lee authored
Each time we start an SSL session, we have to find the trust anchor. This used to be an O(N) operation. If the trust anchor we're looking for was close to N, finding it could take a couple seconds. This change makes the operation O(1).
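
The commit message above does not say how the lookup was made O(1). The following is an added illustration, not the code from this commit: it assumes the anchors are hashed by subject name and that a candidate is accepted only if its public key verifies the signature. The class names, the 150 constructed anchors and the byte string standing in for a certificate's signed data are all assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Signature;
import java.security.cert.TrustAnchor;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.x500.X500Principal;

/** Added illustration: trust anchors indexed by subject name (all names and data are constructed). */
public class TrustAnchorIndexDemo {
    static final String SIG_ALG = "SHA256withECDSA";

    static byte[] sign(KeyPair kp, byte[] data) throws Exception {
        Signature s = Signature.getInstance(SIG_ALG);
        s.initSign(kp.getPrivate());
        s.update(data);
        return s.sign();
    }

    /** True if the signature over the data verifies under the anchor's public key. */
    static boolean signedBy(TrustAnchor anchor, byte[] data, byte[] sig) throws Exception {
        Signature v = Signature.getInstance(SIG_ALG);
        v.initVerify(anchor.getCAPublicKey());
        v.update(data);
        return v.verify(sig);
    }

    /** O(N) baseline: walk every anchor until both name and key match. */
    static TrustAnchor findLinear(List<TrustAnchor> all, X500Principal issuer,
                                  byte[] data, byte[] sig) throws Exception {
        for (TrustAnchor a : all) {
            if (a.getCA().equals(issuer) && signedBy(a, data, sig)) return a;
        }
        return null;
    }

    /** Hash index: one bucket per subject name; a bucket may hold several keys (key rollover). */
    static final class Index {
        private final Map<X500Principal, List<TrustAnchor>> bySubject = new HashMap<>();

        void add(TrustAnchor a) {
            bySubject.computeIfAbsent(a.getCA(), k -> new ArrayList<>()).add(a);
        }

        TrustAnchor find(X500Principal issuer, byte[] data, byte[] sig) throws Exception {
            List<TrustAnchor> bucket = bySubject.get(issuer);
            if (bucket == null) return null;          // unknown issuer name: reject
            for (TrustAnchor a : bucket) {
                if (signedBy(a, data, sig)) return a; // the name only selects candidates
            }
            return null;                              // name matched, no key verified: reject
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);

        List<TrustAnchor> all = new ArrayList<>();
        Index index = new Index();
        X500Principal lastName = null;
        for (int i = 0; i < 150; i++) {               // constructed anchor set
            lastName = new X500Principal("CN=Constructed Root " + i + ", O=Example");
            TrustAnchor a = new TrustAnchor(lastName, kpg.generateKeyPair().getPublic(), null);
            all.add(a);
            index.add(a);
        }
        // Same subject name, newer key: the bucket for lastName now holds two anchors.
        KeyPair rolled = kpg.generateKeyPair();
        TrustAnchor rolledAnchor = new TrustAnchor(lastName, rolled.getPublic(), null);
        all.add(rolledAnchor);
        index.add(rolledAnchor);

        byte[] data = "constructed to-be-signed bytes".getBytes(StandardCharsets.UTF_8);
        byte[] good = sign(rolled, data);
        byte[] forged = sign(kpg.generateKeyPair(), data); // key that is not in the store

        System.out.println("indexed lookup finds the rolled key: "
                + (index.find(lastName, data, good) == rolledAnchor));
        System.out.println("linear lookup agrees: "
                + (findLinear(all, lastName, data, good) == rolledAnchor));
        System.out.println("right name, untrusted key rejected: "
                + (index.find(lastName, data, forged) == null));
    }
}
```

The name lookup only narrows the candidates; the decision to trust still rests on the signature check against the anchor's key, so a peer that merely claims a trusted issuer name is rejected.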
-
- 21 Aug, 2009 1 commit
-
-
Bob Lee authored
-
- 04 Mar, 2009 2 commits
-
-
The Android Open Source Project authored
-
The Android Open Source Project authored
-
- 03 Mar, 2009 2 commits
-
-
The Android Open Source Project authored
-
The Android Open Source Project authored
-
- 18 Dec, 2008 1 commit
-
-
The Android Open Source Project authored
-
- 21 Oct, 2008 1 commit
-
-
The Android Open Source Project authored
-