GitLab

Since mContext should not participate in the serialization process,
hide it with the transient qualifier. This will prevent the field from
initialization during the unserialization of this class. Then of course
the instance will be in a valid state.

(cherry picked from commit 8d57b9db)

Bug: 21437603
Change-Id: Ie9453c16d11820a91caff92c3f7b326d12f8a8f4

To avoid conflicts in the language spec and how Conscrypt does native
calls, we need to wrap all native references in a Java object reference.
Calling NativeCrypto's static native methods with a raw pointer doesn't
guarantee that the calling object won't be finalized during the method
running.

This pass fixes EVP_PKEY references, but more passes are needed.

Bug: 16656908
Change-Id: I5925da40cb37cd328b3a126404944f771732a43e

Bug: 14648280
Change-Id: I7bbf76e0d383d34fc5e5a49a8d45384e47f43f3a

We only need to catch BadPaddingException right now. Let the other
non-RuntimeException exceptions pass.

(cherry picked from commit 7c3263f1)

Bug: 13746671
Change-Id: I5b6878250d428b1ee953092967b7418003ee9216

If we have a chain of BIO, we want to free the entire chain. Otherwise,
we might accidentally leave references sitting around. This shouldn't
matter for our current use-case, but might help in the future.

Change-Id: I586937629e1e4f2e80b5feefe2f49a85e8a31d31

Java BigInteger is in two's complement, so it needs conversion for
negative numbers. We were mishandling it before and the previous change
just hacked around it. Actually convert to two's complement instead.

(cherry picked from commit 1744cf2b)

Bug: 13789608

Change-Id: I6bfe9577f0936678476193b55433b7d7dbc04400

We only need to catch BadPaddingException right now. Let the other
non-RuntimeException exceptions pass.

Change-Id: I5b6878250d428b1ee953092967b7418003ee9216

Java BigInteger is in two's complement, so it needs conversion for
negative numbers. We were mishandling it before and the previous change
just hacked around it. Actually convert to two's complement instead.

Change-Id: I6bfe9577f0936678476193b55433b7d7dbc04400

Any verification error can throw random things like BadPaddingException.
Swallow it and catch Exception for all these cases and rethrow as a
SignatureException to avoid acting as any kind of oracle.

Change-Id: I6b515148f86529fbe0895c9fdb0954306724ae54

The constructor BigInteger(byte[]) expects two's complement encoding,
but that's not what OpenSSL bn2bin returns.

Bug: 12761797
Change-Id: I6c71f6fb88c2b1df7c372bf697728dac26571634

Some methods are called from CTS. The ClassLoaders are different, so we
need to make these public so we don't get any IllegalAccessError during
CTS tests.

Change-Id: I5ac7931694fb1eceb86ae306fca07fb314643fa9

Instead of marshalling and unmarshalling to ASN.1 DER, just use
references to OpenSSL X509 objects everywhere applicable.

Change-Id: I1a28ae9232091ee199a9d4c7cd3c7bbd1efa1ca4

Remove lots of empty javadoc tags that were unused or invalid.
Remove some unused imports.
Mark a few input streams as intentionally unclosed.

Change-Id: I04d8642abd2b0f2e9be02e227658a1b9bd192d24

Make a key class that just holds the encoded key bytes along with the
algorithm identifier. Eclipse IDE made the entire class.

Change-Id: I40b198e0f01121d77bfd26b3420068700ab69614

To help with shipping the JSSE with apps that want to bundle it, move
it to a new package so that the tangles in other parts of the library
can be untangled.

Change-Id: I810b6861388635301e28aee5b9b47b8e6b35b430

X.509 does not have a notion of milliseconds so it was not being set
through the Calendar instances we used in OpenSSLX509Certificate, et al.
Instead it was getting whatever the current millisecond offset was from
the GregorianCalendar default constructor. That made two parsed
certificates unlikely to be equal when comparing since the milliseconds
were also checked.

(cherry picked from commit 3725893865ddbdd2e9cebc2ea2f7ecfc357fcfbb)

Bug: 8616647
Change-Id: Ia914856a560526718957607d69401eab8c2830cf

X.509 does not have a notion of milliseconds so it was not being set
through the Calendar instances we used in OpenSSLX509Certificate, et al.
Instead it was getting whatever the current millisecond offset was from
the GregorianCalendar default constructor. That made two parsed
certificates unlikely to be equal when comparing since the milliseconds
were also checked.

Bug: 8616647
Change-Id: I756088d946191417bb3afcba082bed5371ed731a

Also add a generic fallback for certificate verification when the specific
type of error is unknown.

(cherry picked from commit f04fc33c88d2ad1f06d58d50a0734c0ef511c5b9)

Bug: 8550441
Change-Id: Ica617074718ccac224c9ce3cc8b89502e2abb90d

Also add a generic fallback for certificate verification when the specific
type of error is unknown.

Bug: 8550441
Change-Id: Iee44be55c698a4a33450b569c12199747fdbcc49

OpenSSL checks KeyUsage for "Certificate Signing" when checking for a
CA, but Java just specifies that the getBasicConstraints call only looks
at the BasicConstraints itself.

(cherry picked from commit cd59afd3e34cb6b3645babdace22c03882e0ec19)

Bug: 8488314
Change-Id: I72f8d6679169480960630bd73745ebf4c55b383c

OpenSSL checks KeyUsage for "Certificate Signing" when checking for a
CA, but Java just specifies that the getBasicConstraints call only looks
at the BasicConstraints itself.

Bug: 8488314
Change-Id: I072cd2e9f1a9295a717f7587817149200113c65f

* JNI_TRACE debug messages were misleading in some cases.

* MD object reference was being passed as a jint

* kusage wasn't being checked for null

Change-Id: I15bcba4d8b7291dc232ea20671917bb0848c3180

Add support for generating CertPath with the
OpenSSLX509CertificateFactory implementation.

This only will encode withrPKCS7 currently. This means it fails the
CertPath serialization test because the serialization and
de-serialization code only uses a provider's default serialization
format. Since this provider is not the default provider and the
default provider uses PkiPath as its default format, the
OpenSSLX509CertPath still fails the tests.

This seems like a problem with the way CertPath is serialized. The
impact of this seems to be that a CertPath implementation must have
"PkiPath" as its default encoding.

Change-Id: Ie0e3577746345108301b02e7a1d4e8ea189f2bda

Initial implementation of parsing X.509 certificates and certificate
revocation lists (CRLs). This lacks support for generating CertPath
objects, but that will be added at a later time.

This currently isn't the default provider so anything that doesn't
explicitly request this provider will not get this implementation.

Change-Id: I07ae9f333763087cb6ce47e20e12ceeed750920d