Merge remote-tracking branch 'origin/master'

CONTRIBUTORS.html

@@ -334,7 +334,7 @@
 <li>Cagdas Cirit &lt;cagdascirit&#064gmail.com&gt; subjectAlternativeName fix for x509CertStoreSelector.</li>
 <li>Harakiri &lt;harakiri_23&#064yahoo.com&gt; datahandler patch for attached parts in SMIME signatures.</li>
 <li>Pedro Henriques &lt;pmahenriques&#064gmail.com&gt; explicit bounds checking for DESKeyGenerator, code simplification for OAEPEncoding.</li>
-<li>Lothar Kimmeringer &lt;job&#064kimmeringer.de&gt; verbose mode for ASN1Dump, support for DERExternal, DNS performance fix for S/MIME API, corrections for DLExternal and testing.</li>
+<li>Lothar Kimmeringer &lt;job&#064kimmeringer.de&gt; verbose mode for ASN1Dump, support for DERExternal, DNS performance fix for S/MIME API, corrections for DLExternal and testing. Identified an issue with Properties utils ignoring system properties in some cases.</li>
 <li>Richard Farr &lt;rfarr.se&#064gmail.com&gt; initial SRP-6a implementation.</li>
 <li>Thomas Castiglione &lt;castiglione&#064au.ibm.com&gt; patch to encoding for CRMF OptionalValidity.</li>
 <li>Elisabetta Romani &lt;eromani&#064sogei.it&gt; patch for recognising multiple counter signatures.</li>

core/src/main/java/org/bouncycastle/util/Properties.java

@@ -18,11 +18,10 @@ public class Properties
 {
     private Properties()
     {
-
     }
 
     private static final ThreadLocal threadProperties = new ThreadLocal();
-                          
+
     /**
      * Return whether a particular override has been set to true.
      *
@@ -35,12 +34,7 @@ public static boolean isOverrideSet(String propertyName)
         {
             String p = getPropertyValue(propertyName);
 
-            if (p != null)
-            {
-                return "true".equals(Strings.toLowerCase(p));
-            }
-
-            return false;
+            return "true".equalsIgnoreCase(p);
         }
         catch (AccessControlException e)
         {
@@ -53,7 +47,7 @@ public static boolean isOverrideSet(String propertyName)
      *
      * @param propertyName the property name for the override.
      * @param enable true if the override should be enabled, false if it should be disabled.
-     * @return true if the override was already set, false otherwise.
+     * @return true if the override was already set true, false otherwise.
      */
     public static boolean setThreadOverride(String propertyName, boolean enable)
     {
@@ -63,43 +57,39 @@ public static boolean setThreadOverride(String propertyName, boolean enable)
         if (localProps == null)
         {
             localProps = new HashMap();
+
+            threadProperties.set(localProps);
         }
 
         localProps.put(propertyName, enable ? "true" : "false");
 
-        threadProperties.set(localProps);
-
         return isSet;
     }
 
     /**
-     * Enable the specified override property in the current thread only.
+     * Remove any value for the specified override property for the current thread only.
      *
      * @param propertyName the property name for the override.
-     * @return true if the override set true in thread local, false otherwise.
+     * @return true if the override was already set true in thread local, false otherwise.
      */
     public static boolean removeThreadOverride(String propertyName)
     {
-        boolean isSet = isOverrideSet(propertyName);
-
         Map localProps = (Map)threadProperties.get();
-        if (localProps == null)
+        if (localProps != null)
         {
-            return false;
-        }
-
-        localProps.remove(propertyName);
+            String p = (String)localProps.remove(propertyName);
+            if (p != null)
+            {
+                if (localProps.isEmpty())
+                {
+                    threadProperties.remove();
+                }
 
-        if (localProps.isEmpty())
-        {
-            threadProperties.remove();
-        }
-        else
-        {
-            threadProperties.set(localProps);
+                return "true".equalsIgnoreCase(p);
+            }
         }
 
-        return isSet;
+        return false;
     }
 
     public static BigInteger asBigInteger(String propertyName)
@@ -134,16 +124,20 @@ public static Set<String> asKeySet(String propertyName)
 
     public static String getPropertyValue(final String propertyName)
     {
+        Map localProps = (Map)threadProperties.get();
+        if (localProps != null)
+        {
+            String p = (String)localProps.get(propertyName);
+            if (p != null)
+            {
+                return p;
+            }
+        }
+
         return (String)AccessController.doPrivileged(new PrivilegedAction()
         {
             public Object run()
             {
-                Map localProps = (Map)threadProperties.get();
-                if (localProps != null)
-                {
-                    return localProps.get(propertyName);
-                }
-
                 return System.getProperty(propertyName);
             }
         });

docs/releasenotes.html

@@ -30,6 +30,7 @@ <h3>2.1.2 Defects Fixed</h3>
 <li>DLExternal would encode using DER encoding for tagged SETs. This has been fixed.</li>
 <li>ChaCha20Poly1305 could fail for large (&gt;~2GB) files. This has been fixed.</li>
 <li>ChaCha20Poly1305 could fail for small updates when used via the provider. This has been fixed.</li>
+<li>Properties.getPropertyValue could ignore system property when other local overrides set. This has been fixed.</li>
 </ul>
 <h3>2.1.3 Additional Features and Functionality</h3>
 <ul>

tls/src/main/java/org/bouncycastle/jsse/provider/ProvAlgorithmChecker.java

@@ -96,7 +96,12 @@ public void check(Certificate cert, Collection<String> unresolvedCritExts) throw
 
         X509Certificate subjectCert = (X509Certificate)cert;
 
-        if (null != issuerCert)
+        if (null == issuerCert)
+        {
+            // NOTE: This would be redundant with the 'taCert' check in 'checkCertPathExtras'
+            //checkIssued(helper, algorithmConstraints, subjectCert);
+        }
+        else
         {
             checkIssuedBy(helper, algorithmConstraints, subjectCert, issuerCert);
         }
@@ -107,7 +112,7 @@ public void check(Certificate cert, Collection<String> unresolvedCritExts) throw
     static void checkCertPathExtras(JcaJceHelper helper, BCAlgorithmConstraints algorithmConstraints,
         X509Certificate[] chain, KeyPurposeId ekuOID, int kuBit) throws CertPathValidatorException
     {
-        X509Certificate taCert = chain[chain.length - 1]; 
+        X509Certificate taCert = chain[chain.length - 1];
 
         if (chain.length > 1)
         {
@@ -161,8 +166,7 @@ private static void checkEndEntity(JcaJceHelper helper, BCAlgorithmConstraints a
     {
         if (!supportsExtendedKeyUsage(eeCert, ekuOID))
         {
-            throw new CertPathValidatorException(
-                "Certificate doesn't support '" + ekuOID + "' ExtendedKeyUsage");
+            throw new CertPathValidatorException("Certificate doesn't support '" + ekuOID + "' ExtendedKeyUsage");
         }
 
         if (!supportsKeyUsage(eeCert, kuBit))
@@ -280,7 +284,8 @@ private static boolean supportsExtendedKeyUsage(X509Certificate cert, KeyPurpose
         {
             List<String> eku = cert.getExtendedKeyUsage();
 
-            return null == eku || eku.contains(ekuOID.getId()) || eku.contains(KeyPurposeId.anyExtendedKeyUsage.getId());
+            return null == eku || eku.contains(ekuOID.getId())
+                || eku.contains(KeyPurposeId.anyExtendedKeyUsage.getId());
         }
         catch (CertificateParsingException e)
         {

tls/src/main/java/org/bouncycastle/jsse/provider/ProvX509KeyManager.java

@@ -226,6 +226,15 @@ static boolean isSuitableCertificate(boolean forServer, String keyType, X509Cert
 
         if (isSuitableKeyUsage(KeyUsage.digitalSignature, c))
         {
+            if ("Ed25519".equalsIgnoreCase(keyType))
+            {
+                return "Ed25519".equalsIgnoreCase(pub.getAlgorithm());
+            }
+            if ("Ed448".equalsIgnoreCase(keyType))
+            {
+                return "Ed448".equalsIgnoreCase(pub.getAlgorithm());
+            }
+
             if (forServer)
             {
                 if (keyType.equalsIgnoreCase("ECDHE_ECDSA"))