date:20240502

On Thu, 2 May 2024 21:07:03 GMT, Weijun Wang  wrote:

> The revised text is much clearer. For the last sentence, I would suggest 
> rephrasing "In order to prevent profile properties from being overridden" to 
> "In order to override properties defined in the main file". Isn't that your 
> real purpose? :-)

Sounds good. Changed.

-

PR Comment: https://git.openjdk.org/jdk/pull/16483#issuecomment-2091681331

Re: RFR: 8319332: Security properties files inclusion [v13]

> The implementation of this proposal is based on the requirements, 
> specification and design choices described in the [JDK-8319332] ticket and 
> its respective CSR [JDK-8319333]. What follows are implementation notes 
> organized per functional component, with the purpose of assisting to navigate 
> the code changes in this pull-request.
> 
> ## Security properties loading (overview)
> 
> A new static class named `SecPropLoader` (nested within 
> `java.security.Security`) is introduced to handle the loading of all security 
> properties. Its method `loadAll` is the first one to be called, at 
> `java.security.Security` static class initialization. The master security 
> properties file is then loaded by `loadMaster`. When additional security 
> properties files are allowed (the security property 
> `security.overridePropertiesFile` is set to `true`) and the 
> `java.security.properties` system property is passed, the method `loadExtra` 
> handles the extra load.
> 
> The master properties file is loaded in `OVERRIDE` mode, meaning that the map 
> of properties is originally empty. Any failure occurred while loading these 
> properties is considered fatal. The extra properties file 
> (`java.security.properties`) may be loaded in `OVERRIDE` or `APPEND` mode. 
> Any failure in this case is ignored. This behavior maintains compatibility 
> with the previous implementation.
> 
> While the `java.security.properties` system property is documented to accept 
> an URL type of value, filesystem path values are supported in the same way 
> that they were prior to this enhancement. Values are then interpreted as 
> paths and, only if that fails, are considered URLs. In the latter case, there 
> is one more attempt after opening the stream to check if there is a local 
> file path underneath (e.g. the URL has the form of 
> `file:///path/to/a/local/file`). The reason for preferring paths over URLs is 
> to support relative path file inclusion in properties files.
> 
> ## Loading security properties from paths (`loadFromPath` method)
> 
> When loading a properties file from a path, the normalized file location is 
> stored in the static field `currentPath`. This value is the current base to 
> resolve any relative path encountered while handling an _include_ definition. 
> Normalized paths are also saved in the `activePaths` set to detect recursive 
> cycles. As we move down or up in the _includes_ stack, `currentPath` and 
> `activePaths` values are updated.
> 
> ## Loading security properties from URLs (`loadFromUrl` method)
> 
> The extra properties file can be loaded from a URL. ...

Francisco Ferrari Bihurriet has updated the pull request incrementally with one 
additional commit since the last revision:

  Profiles documentation adjustments.
  
  Co-authored-by: Francisco Ferrari 
  Co-authored-by: Martin Balao 

-

Changes:
  - all: https://git.openjdk.org/jdk/pull/16483/files
  - new: https://git.openjdk.org/jdk/pull/16483/files/0b81f5c4..6fd9181a

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk=16483=12
 - incr: https://webrevs.openjdk.org/?repo=jdk=16483=11-12

  Stats: 2 lines in 1 file changed: 0 ins; 0 del; 2 mod
  Patch: https://git.openjdk.org/jdk/pull/16483.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/16483/head:pull/16483

PR: https://git.openjdk.org/jdk/pull/16483

Re: RFR: 8319332: Security properties files inclusion [v12]

On Thu, 2 May 2024 20:34:22 GMT, Francisco Ferrari Bihurriet 
 wrote:

>> The implementation of this proposal is based on the requirements, 
>> specification and design choices described in the [JDK-8319332] ticket and 
>> its respective CSR [JDK-8319333]. What follows are implementation notes 
>> organized per functional component, with the purpose of assisting to 
>> navigate the code changes in this pull-request.
>> 
>> ## Security properties loading (overview)
>> 
>> A new static class named `SecPropLoader` (nested within 
>> `java.security.Security`) is introduced to handle the loading of all 
>> security properties. Its method `loadAll` is the first one to be called, at 
>> `java.security.Security` static class initialization. The master security 
>> properties file is then loaded by `loadMaster`. When additional security 
>> properties files are allowed (the security property 
>> `security.overridePropertiesFile` is set to `true`) and the 
>> `java.security.properties` system property is passed, the method `loadExtra` 
>> handles the extra load.
>> 
>> The master properties file is loaded in `OVERRIDE` mode, meaning that the 
>> map of properties is originally empty. Any failure occurred while loading 
>> these properties is considered fatal. The extra properties file 
>> (`java.security.properties`) may be loaded in `OVERRIDE` or `APPEND` mode. 
>> Any failure in this case is ignored. This behavior maintains compatibility 
>> with the previous implementation.
>> 
>> While the `java.security.properties` system property is documented to accept 
>> an URL type of value, filesystem path values are supported in the same way 
>> that they were prior to this enhancement. Values are then interpreted as 
>> paths and, only if that fails, are considered URLs. In the latter case, 
>> there is one more attempt after opening the stream to check if there is a 
>> local file path underneath (e.g. the URL has the form of 
>> `file:///path/to/a/local/file`). The reason for preferring paths over URLs 
>> is to support relative path file inclusion in properties files.
>> 
>> ## Loading security properties from paths (`loadFromPath` method)
>> 
>> When loading a properties file from a path, the normalized file location is 
>> stored in the static field `currentPath`. This value is the current base to 
>> resolve any relative path encountered while handling an _include_ 
>> definition. Normalized paths are also saved in the `activePaths` set to 
>> detect recursive cycles. As we move down or up in the _includes_ stack, 
>> `currentPath` and `activePaths` values are updated.
>> 
>> ## Loading security properties from URLs (`loadFromUrl` method)
>> 
>> The extra properti...
>
> Francisco Ferrari Bihurriet has updated the pull request incrementally with 
> one additional commit since the last revision:
> 
>   Profiles documentation adjustments.
>   
>   Co-authored-by: Francisco Ferrari 
>   Co-authored-by: Martin Balao 

The revised text is much clearer. For the last sentence, I would suggest 
rephrasing "In order to prevent profile properties from being overridden" to 
"In order to override properties defined in the main file". Isn't that your 
real purpose? :-)

-

PR Comment: https://git.openjdk.org/jdk/pull/16483#issuecomment-2091599627

Re: Potential issues with javax.crypto under StructuredTaskScope/JDK22

2024-05-02 Thread Wei-Jun Wang

Can you try recording the challenge and the answer in each round and then 
recalculate them in a plain single thread standalone program to verify if the 
answers are still the same? (Hopefully this calculation is deterministic).

--Weijun

> On May 2, 2024, at 4:18 PM, Chris Marshall  wrote:
> 
> Hi Alan,
> 
> The code is completely unchanged between JDK21 and JDK22; it is using virtual 
> threads and StructuredTaskScope in both cases (and also, via a different 
> path, platform threads in both cases).
> 
> I should perhaps have given a bit more background about why I think that the 
> crypto classes are at fault. The UserSRP auth class I linked to sends a 
> message to AWS (via an AWS API, ultimately made as an HTTP call) which 
> includes some information about the user. Amazon’s server responds (over 
> HTTP) with a “challenge” which includes some pieces of information. Using 
> those pieces of information plus knowledge of the password, the class I 
> linked to derives an answer to the challenge, which is then sent (via HTTP) 
> to AWS. AWS can verify that the response could only have been generated by 
> someone with knowledge of the password, and they will respond with a valid 
> bearer token, which can be used as an authorization header to HTTP calls (to 
> our internal services, which can validate the bearer token). In this way, our 
> services can communicate between themselves without any passwords ever being 
> transmitted anywhere. In the following diagram, the arrows represent HTTP 
> request/responses between us and AWS
> 
>   Us —-> (info) —> AWS
> 
>   Us <—- (challenge) <—- AWS
> 
>   Us —> (answer) —> AWS
> 
>   Us <— (bearer token | wrong user/pwd) <—- AWS
> 
> “Wrong username or password” indicates that the response calculated by the 
> linked class is not correct.
> 
> I don’t believe (though I’m not an expert, so could be wrong) that this has 
> anything to do with javax.security APIs
> 
> Chris 
> 
>> On 2 May 2024, at 19:59, Alan Bateman  wrote:
>> 
>>  
>> 
>> On 02/05/2024 19:33, Chris Marshall wrote:
>>> : 
>>> 
>>> Last week I upgraded the application to be compiled by JDK22, and run on 
>>> JDK22. Immediately, we started to see failures from within the User-SRP 
>>> auth code only when it was run on a virtual thread from within a 
>>> StructuredTaskScope. The failures are merely that the code appears to have 
>>> calculated the wrong authentication response (i.e. AWS Cognito returns a 
>>> message to the effect that we have the wrong username or password). It is 
>>> not possible that this could be the case, because the same application, 
>>> using the same username/password combo is able to successfully authenticate 
>>> to AWS Cognito using User-SRP auth from a platform thread.
>>> 
>> Thanks for reporting a potential issue.
>> 
>> You say that the code was running correctly on JDK 21. Was this in the 
>> context of virtual threads and using StructuredTaskScope? I'm trying to 
>> understand from your mail if you were using virtual threads with JDK 21 and 
>> whether you were using StructuredTaskScope in JDK 21 too.
>> 
>> "wrong username or password" hints that maybe this is some kinda of 
>> inheritance issue, I'm specifically thinking of the inherit access control 
>> context. Would it be possible to search the code and libraries that are in 
>> use here to see if they are using the javax.security.auth.Subject API? It's 
>> just a wild guess at this point but I think might give some clues as to 
>> where inheritance might be coming from.
>> 
>> -Alan
>> 
>>

Re: RFR: 8319332: Security properties files inclusion [v11]

On Thu, 2 May 2024 19:07:50 GMT, Weijun Wang  wrote:

>> src/java.base/share/conf/security/java.security line 69:
>> 
>>> 67: # statement will override any matching property defined in a profile. 
>>> In order
>>> 68: # to avoid this behavior, the include statement may be placed at the 
>>> end of
>>> 69: # this file.
>> 
>> It's probably better to place the newly added "Security properties defined 
>> after an include statement..." in an individual paragraph since it's not 
>> limited to "the latter case" (or you mean "last"?). Then you might not want 
>> to use the "profile" word since it's not defined elsewhere.
>
> Instead of "to avoid this behavior", how about "if you want the properties 
> defined in the included file to override those in the main file"?

We reorganized the documentation, split it into paragraphs, numbered examples 
and made some other changes. Changes include an explanation of what it means to 
"inline" a file in terms of overrides (for security properties defined both 
before and after the include statement). Please have a look.

-

PR Review Comment: https://git.openjdk.org/jdk/pull/16483#discussion_r1588320508

Re: RFR: 8319332: Security properties files inclusion [v12]

> The implementation of this proposal is based on the requirements, 
> specification and design choices described in the [JDK-8319332] ticket and 
> its respective CSR [JDK-8319333]. What follows are implementation notes 
> organized per functional component, with the purpose of assisting to navigate 
> the code changes in this pull-request.
> 
> ## Security properties loading (overview)
> 
> A new static class named `SecPropLoader` (nested within 
> `java.security.Security`) is introduced to handle the loading of all security 
> properties. Its method `loadAll` is the first one to be called, at 
> `java.security.Security` static class initialization. The master security 
> properties file is then loaded by `loadMaster`. When additional security 
> properties files are allowed (the security property 
> `security.overridePropertiesFile` is set to `true`) and the 
> `java.security.properties` system property is passed, the method `loadExtra` 
> handles the extra load.
> 
> The master properties file is loaded in `OVERRIDE` mode, meaning that the map 
> of properties is originally empty. Any failure occurred while loading these 
> properties is considered fatal. The extra properties file 
> (`java.security.properties`) may be loaded in `OVERRIDE` or `APPEND` mode. 
> Any failure in this case is ignored. This behavior maintains compatibility 
> with the previous implementation.
> 
> While the `java.security.properties` system property is documented to accept 
> an URL type of value, filesystem path values are supported in the same way 
> that they were prior to this enhancement. Values are then interpreted as 
> paths and, only if that fails, are considered URLs. In the latter case, there 
> is one more attempt after opening the stream to check if there is a local 
> file path underneath (e.g. the URL has the form of 
> `file:///path/to/a/local/file`). The reason for preferring paths over URLs is 
> to support relative path file inclusion in properties files.
> 
> ## Loading security properties from paths (`loadFromPath` method)
> 
> When loading a properties file from a path, the normalized file location is 
> stored in the static field `currentPath`. This value is the current base to 
> resolve any relative path encountered while handling an _include_ definition. 
> Normalized paths are also saved in the `activePaths` set to detect recursive 
> cycles. As we move down or up in the _includes_ stack, `currentPath` and 
> `activePaths` values are updated.
> 
> ## Loading security properties from URLs (`loadFromUrl` method)
> 
> The extra properties file can be loaded from a URL. ...

Francisco Ferrari Bihurriet has updated the pull request incrementally with one 
additional commit since the last revision:

  Profiles documentation adjustments.
  
  Co-authored-by: Francisco Ferrari 
  Co-authored-by: Martin Balao 

-

Changes:
  - all: https://git.openjdk.org/jdk/pull/16483/files
  - new: https://git.openjdk.org/jdk/pull/16483/files/e906e3cf..0b81f5c4

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk=16483=11
 - incr: https://webrevs.openjdk.org/?repo=jdk=16483=10-11

  Stats: 40 lines in 1 file changed: 7 ins; 6 del; 27 mod
  Patch: https://git.openjdk.org/jdk/pull/16483.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/16483/head:pull/16483

PR: https://git.openjdk.org/jdk/pull/16483

Re: Potential issues with javax.crypto under StructuredTaskScope/JDK22

2024-05-02 Thread Chris Marshall

Hi Alan,

The code is completely unchanged between JDK21 and JDK22; it is using virtual 
threads and StructuredTaskScope in both cases (and also, via a different path, 
platform threads in both cases).

I should perhaps have given a bit more background about why I think that the 
crypto classes are at fault. The UserSRP auth class I linked to sends a message 
to AWS (via an AWS API, ultimately made as an HTTP call) which includes some 
information about the user. Amazon’s server responds (over HTTP) with a 
“challenge” which includes some pieces of information. Using those pieces of 
information plus knowledge of the password, the class I linked to derives an 
answer to the challenge, which is then sent (via HTTP) to AWS. AWS can verify 
that the response could only have been generated by someone with knowledge of 
the password, and they will respond with a valid bearer token, which can be 
used as an authorization header to HTTP calls (to our internal services, which 
can validate the bearer token). In this way, our services can communicate 
between themselves without any passwords ever being transmitted anywhere. In 
the following diagram, the arrows represent HTTP request/responses between us 
and AWS

  Us —-> (info) —> AWS

  Us <—- (challenge) <—- AWS

  Us —> (answer) —> AWS

  Us <— (bearer token | wrong user/pwd) <—- AWS

“Wrong username or password” indicates that the response calculated by the 
linked class is not correct.

I don’t believe (though I’m not an expert, so could be wrong) that this has 
anything to do with javax.security APIs

Chris

On 2 May 2024, at 19:59, Alan Bateman  wrote:



On 02/05/2024 19:33, Chris Marshall wrote:
:

Last week I upgraded the application to be compiled by JDK22, and run on JDK22. 
Immediately, we started to see failures from within the User-SRP auth code only 
when it was run on a virtual thread from within a StructuredTaskScope. The 
failures are merely that the code appears to have calculated the wrong 
authentication response (i.e. AWS Cognito returns a message to the effect that 
we have the wrong username or password). It is not possible that this could be 
the case, because the same application, using the same username/password combo 
is able to successfully authenticate to AWS Cognito using User-SRP auth from a 
platform thread.

Thanks for reporting a potential issue.

You say that the code was running correctly on JDK 21. Was this in the context 
of virtual threads and using StructuredTaskScope? I'm trying to understand from 
your mail if you were using virtual threads with JDK 21 and whether you were 
using StructuredTaskScope in JDK 21 too.

"wrong username or password" hints that maybe this is some kinda of inheritance 
issue, I'm specifically thinking of the inherit access control context. Would 
it be possible to search the code and libraries that are in use here to see if 
they are using the javax.security.auth.Subject API? It's just a wild guess at 
this point but I think might give some clues as to where inheritance might be 
coming from.

-Alan

Re: RFR: 8319332: Security properties files inclusion [v11]

On Thu, 2 May 2024 19:09:07 GMT, Weijun Wang  wrote:

>> Francisco Ferrari Bihurriet has updated the pull request incrementally with 
>> one additional commit since the last revision:
>> 
>>   Profiles documentation adjustments.
>>   
>>   Co-authored-by: Francisco Ferrari 
>>   Co-authored-by: Martin Balao 
>
> src/java.base/share/conf/security/java.security line 35:
> 
>> 33: # this file with a filesystem path value. The effect of each definition
>> 34: # is to include a referred security properties file inline, adding all
>> 35: # its properties and values. Included files, as well as files pointed by
> 
> Not sure if "properties and values" are precise. A "property" already 
> contains its "key" and "value", right?

Ok

-

PR Review Comment: https://git.openjdk.org/jdk/pull/16483#discussion_r1588228364

Re: RFR: 8319332: Security properties files inclusion [v11]

On Thu, 2 May 2024 19:06:00 GMT, Weijun Wang  wrote:

>> Francisco Ferrari Bihurriet has updated the pull request incrementally with 
>> one additional commit since the last revision:
>> 
>>   Profiles documentation adjustments.
>>   
>>   Co-authored-by: Francisco Ferrari 
>>   Co-authored-by: Martin Balao 
>
> src/java.base/share/conf/security/java.security line 69:
> 
>> 67: # statement will override any matching property defined in a profile. In 
>> order
>> 68: # to avoid this behavior, the include statement may be placed at the end 
>> of
>> 69: # this file.
> 
> It's probably better to place the newly added "Security properties defined 
> after an include statement..." in an individual paragraph since it's not 
> limited to "the latter case" (or you mean "last"?). Then you might not want 
> to use the "profile" word since it's not defined elsewhere.

Instead of "to avoid this behavior", how about "if you want the properties 
defined in the included file to override those in the main file"?

-

PR Review Comment: https://git.openjdk.org/jdk/pull/16483#discussion_r1588204601

Re: RFR: 8319332: Security properties files inclusion [v11]

On Thu, 2 May 2024 16:45:09 GMT, Francisco Ferrari Bihurriet 
 wrote:

>> The implementation of this proposal is based on the requirements, 
>> specification and design choices described in the [JDK-8319332] ticket and 
>> its respective CSR [JDK-8319333]. What follows are implementation notes 
>> organized per functional component, with the purpose of assisting to 
>> navigate the code changes in this pull-request.
>> 
>> ## Security properties loading (overview)
>> 
>> A new static class named `SecPropLoader` (nested within 
>> `java.security.Security`) is introduced to handle the loading of all 
>> security properties. Its method `loadAll` is the first one to be called, at 
>> `java.security.Security` static class initialization. The master security 
>> properties file is then loaded by `loadMaster`. When additional security 
>> properties files are allowed (the security property 
>> `security.overridePropertiesFile` is set to `true`) and the 
>> `java.security.properties` system property is passed, the method `loadExtra` 
>> handles the extra load.
>> 
>> The master properties file is loaded in `OVERRIDE` mode, meaning that the 
>> map of properties is originally empty. Any failure occurred while loading 
>> these properties is considered fatal. The extra properties file 
>> (`java.security.properties`) may be loaded in `OVERRIDE` or `APPEND` mode. 
>> Any failure in this case is ignored. This behavior maintains compatibility 
>> with the previous implementation.
>> 
>> While the `java.security.properties` system property is documented to accept 
>> an URL type of value, filesystem path values are supported in the same way 
>> that they were prior to this enhancement. Values are then interpreted as 
>> paths and, only if that fails, are considered URLs. In the latter case, 
>> there is one more attempt after opening the stream to check if there is a 
>> local file path underneath (e.g. the URL has the form of 
>> `file:///path/to/a/local/file`). The reason for preferring paths over URLs 
>> is to support relative path file inclusion in properties files.
>> 
>> ## Loading security properties from paths (`loadFromPath` method)
>> 
>> When loading a properties file from a path, the normalized file location is 
>> stored in the static field `currentPath`. This value is the current base to 
>> resolve any relative path encountered while handling an _include_ 
>> definition. Normalized paths are also saved in the `activePaths` set to 
>> detect recursive cycles. As we move down or up in the _includes_ stack, 
>> `currentPath` and `activePaths` values are updated.
>> 
>> ## Loading security properties from URLs (`loadFromUrl` method)
>> 
>> The extra properti...
>
> Francisco Ferrari Bihurriet has updated the pull request incrementally with 
> one additional commit since the last revision:
> 
>   Profiles documentation adjustments.
>   
>   Co-authored-by: Francisco Ferrari 
>   Co-authored-by: Martin Balao 

I still suggest you include all the new lines in `java.security` in the 
specification section of the the CSR in **raw code mode**. I know most of the 
content is already there but The CSR reviewers might care about the exact 
wording.

src/java.base/share/conf/security/java.security line 35:

> 33: # this file with a filesystem path value. The effect of each definition
> 34: # is to include a referred security properties file inline, adding all
> 35: # its properties and values. Included files, as well as files pointed by

Not sure if "properties and values" are precise. A "property" already contains 
its "key" and "value", right?

src/java.base/share/conf/security/java.security line 69:

> 67: # statement will override any matching property defined in a profile. In 
> order
> 68: # to avoid this behavior, the include statement may be placed at the end 
> of
> 69: # this file.

It's probably better to place the newly added "Security properties defined 
after an include statement..." in an individual paragraph since it's not 
limited to "the latter case" (or you mean "last"?). Then you might not want to 
use the "profile" word since it's not defined elsewhere.

-

PR Comment: https://git.openjdk.org/jdk/pull/16483#issuecomment-2091305451
PR Review Comment: https://git.openjdk.org/jdk/pull/16483#discussion_r1588209026
PR Review Comment: https://git.openjdk.org/jdk/pull/16483#discussion_r1588197310

Re: Potential issues with javax.crypto under StructuredTaskScope/JDK22

2024-05-02 Thread Alan Bateman




On 02/05/2024 19:33, Chris Marshall wrote:

:

Last week I upgraded the application to be compiled by JDK22, and run 
on JDK22. Immediately, we started to see failures from within the 
User-SRP auth code /only when it was run on a virtual thread from 
within a StructuredTaskScope./ The failures are merely that the code 
appears to have calculated the wrong authentication response (i.e. AWS 
Cognito returns a message to the effect that we have the wrong 
username or password). It is not possible that this could be the case, 
because the same application, using the same username/password combo 
is able to successfully authenticate to AWS Cognito using User-SRP 
auth from a platform thread.



Thanks for reporting a potential issue.

You say that the code was running correctly on JDK 21. Was this in the 
context of virtual threads and using StructuredTaskScope? I'm trying to 
understand from your mail if you were using virtual threads with JDK 21 
and whether you were using StructuredTaskScope in JDK 21 too.


"wrong username or password" hints that maybe this is some kinda of 
inheritance issue, I'm specifically thinking of the inherit access 
control context. Would it be possible to search the code and libraries 
that are in use here to see if they are using the 
javax.security.auth.Subject API? It's just a wild guess at this point 
but I think might give some clues as to where inheritance might be 
coming from.


-Alan

Integrated: 8328864: NullPointerException in sun.security.jca.ProviderList.getService()

2024-05-02 Thread Ben Perez

On Thu, 11 Apr 2024 16:29:00 GMT, Ben Perez  wrote:

> Updated `getService` to check whether `getProvider` returns null when 
> checking for preferred providers and `continue` the loop if that is the case. 
> Added `NullPreferredList` test.

This pull request has now been integrated.

Changeset: cd3a6075
Author:Ben Perez 
Committer: Weijun Wang 
URL:   
https://git.openjdk.org/jdk/commit/cd3a607576bede17f48c3d5ebde2bf05f3b615ba
Stats: 48 lines in 3 files changed: 45 ins; 1 del; 2 mod

8328864: NullPointerException in sun.security.jca.ProviderList.getService()

Reviewed-by: weijun

-

PR: https://git.openjdk.org/jdk/pull/18746

Potential issues with javax.crypto under StructuredTaskScope/JDK22

2024-05-02 Thread Chris Marshall

Hi,

I work for an organisation which runs a number of applications inside an EKS
cluster hosted in AWS. In order for the applications to communicate, they
obtained bearer tokens from the AWS Cognito library, and in order to obtain the
tokens, we have coded up User-SRP auth. This code has been running happily on
JDK21 since October 2023, and before that in JDK17.

The User-SRP auth implementation (which we took from
https://github.com/rundeck/repository/blob/master/repository-cli/src/main/groovy/com/rundeck/repository/auth/AuthenticationHelper.java)
runs within our applications sometimes from within a platform thread, and in
other cases on a virtual thread from inside a StructuredTaskScope. Again, this
code has been live for over 6 months.

Last week I upgraded the application to be compiled by JDK22, and run on JDK22.
Immediately, we started to see failures from within the User-SRP auth code only
when it was run on a virtual thread from within a StructuredTaskScope. The
failures are merely that the code appears to have calculated the wrong
authentication response (i.e. AWS Cognito returns a message to the effect that
we have the wrong username or password). It is not possible that this could be
the case, because the same application, using the same username/password combo
is able to successfully authenticate to AWS Cognito using User-SRP auth from a
platform thread.

My conclusion has to be that, on JDK22, and only from a virtual thread (within
a StructuredTaskScope?), the javax.crypto classes being used are not behaving
as intended.

I realise that this is not much to go on; I am not a security expert, and nor
do I know much about User-SRP, and don't really know how to go about
constructing a reproducer for this. We cannot replicate the issue running
locally on our machines from Windows; it only seems to happen from the machines
inside our AWS cluster. This is the relevant information:

OS: Linux amd64/5.10.184-175.731.amzn2.x86_64

Java: Oracle Corporation OpenJDK 64-bit Server VM/22+36-2370

Classes used within User-SRP auth layer:

MessageDigest.getInstance("SHA-256")
SecureRandom.getInstance("SHA1PRNG")
Mac.getInstance("HmacSHA256")

I hope that this is helpful.

Chris

Re: RFR: 8319332: Security properties files inclusion [v10]

On Thu, 2 May 2024 15:57:36 GMT, Weijun Wang  wrote:

> Another comment: now that the backward compatibility code is added, is it 
> still necessary to update the `DynStatic.java` test?

@wangweij: it's no longer strictly necessary. However, we decided to leave it 
that way in order to lead by example with a well-formatted URI.

Keeping `DynStatic.java` in this way, the wrongly formatted URIs passed to the 
`java.security.security` system property are all properly covered by _"Backward 
compatibility check"_ code comments.

-

PR Comment: https://git.openjdk.org/jdk/pull/16483#issuecomment-2091062323

Re: RFR: 8319332: Security properties files inclusion [v10]

On Thu, 2 May 2024 14:59:54 GMT, Weijun Wang  wrote:

> In the new `java.security` text, you have "the file profile.security must 
> exist". This is not necessary, right? I think what you meant to say is that 
> "if the system property is not defined, then it will be expanded to an empty 
> string and the file 'profie.security' must exist otherwise there will be an 
> error".

Yes, you're right. We were thinking of a more common scenario but we have now 
made adjustments to document both options in the example.

-

PR Comment: https://git.openjdk.org/jdk/pull/16483#issuecomment-2091034333

Re: RFR: 8319332: Security properties files inclusion [v11]

> The implementation of this proposal is based on the requirements, 
> specification and design choices described in the [JDK-8319332] ticket and 
> its respective CSR [JDK-8319333]. What follows are implementation notes 
> organized per functional component, with the purpose of assisting to navigate 
> the code changes in this pull-request.
> 
> ## Security properties loading (overview)
> 
> A new static class named `SecPropLoader` (nested within 
> `java.security.Security`) is introduced to handle the loading of all security 
> properties. Its method `loadAll` is the first one to be called, at 
> `java.security.Security` static class initialization. The master security 
> properties file is then loaded by `loadMaster`. When additional security 
> properties files are allowed (the security property 
> `security.overridePropertiesFile` is set to `true`) and the 
> `java.security.properties` system property is passed, the method `loadExtra` 
> handles the extra load.
> 
> The master properties file is loaded in `OVERRIDE` mode, meaning that the map 
> of properties is originally empty. Any failure occurred while loading these 
> properties is considered fatal. The extra properties file 
> (`java.security.properties`) may be loaded in `OVERRIDE` or `APPEND` mode. 
> Any failure in this case is ignored. This behavior maintains compatibility 
> with the previous implementation.
> 
> While the `java.security.properties` system property is documented to accept 
> an URL type of value, filesystem path values are supported in the same way 
> that they were prior to this enhancement. Values are then interpreted as 
> paths and, only if that fails, are considered URLs. In the latter case, there 
> is one more attempt after opening the stream to check if there is a local 
> file path underneath (e.g. the URL has the form of 
> `file:///path/to/a/local/file`). The reason for preferring paths over URLs is 
> to support relative path file inclusion in properties files.
> 
> ## Loading security properties from paths (`loadFromPath` method)
> 
> When loading a properties file from a path, the normalized file location is 
> stored in the static field `currentPath`. This value is the current base to 
> resolve any relative path encountered while handling an _include_ definition. 
> Normalized paths are also saved in the `activePaths` set to detect recursive 
> cycles. As we move down or up in the _includes_ stack, `currentPath` and 
> `activePaths` values are updated.
> 
> ## Loading security properties from URLs (`loadFromUrl` method)
> 
> The extra properties file can be loaded from a URL. ...

Francisco Ferrari Bihurriet has updated the pull request incrementally with one 
additional commit since the last revision:

  Profiles documentation adjustments.
  
  Co-authored-by: Francisco Ferrari 
  Co-authored-by: Martin Balao 

-

Changes:
  - all: https://git.openjdk.org/jdk/pull/16483/files
  - new: https://git.openjdk.org/jdk/pull/16483/files/a9b0ecbd..e906e3cf

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk=16483=10
 - incr: https://webrevs.openjdk.org/?repo=jdk=16483=09-10

  Stats: 12 lines in 1 file changed: 7 ins; 0 del; 5 mod
  Patch: https://git.openjdk.org/jdk/pull/16483.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/16483/head:pull/16483

PR: https://git.openjdk.org/jdk/pull/16483

Re: RFR: 8319332: Security properties files inclusion [v10]

On Thu, 2 May 2024 14:07:13 GMT, Francisco Ferrari Bihurriet 
 wrote:

>> The implementation of this proposal is based on the requirements, 
>> specification and design choices described in the [JDK-8319332] ticket and 
>> its respective CSR [JDK-8319333]. What follows are implementation notes 
>> organized per functional component, with the purpose of assisting to 
>> navigate the code changes in this pull-request.
>> 
>> ## Security properties loading (overview)
>> 
>> A new static class named `SecPropLoader` (nested within 
>> `java.security.Security`) is introduced to handle the loading of all 
>> security properties. Its method `loadAll` is the first one to be called, at 
>> `java.security.Security` static class initialization. The master security 
>> properties file is then loaded by `loadMaster`. When additional security 
>> properties files are allowed (the security property 
>> `security.overridePropertiesFile` is set to `true`) and the 
>> `java.security.properties` system property is passed, the method `loadExtra` 
>> handles the extra load.
>> 
>> The master properties file is loaded in `OVERRIDE` mode, meaning that the 
>> map of properties is originally empty. Any failure occurred while loading 
>> these properties is considered fatal. The extra properties file 
>> (`java.security.properties`) may be loaded in `OVERRIDE` or `APPEND` mode. 
>> Any failure in this case is ignored. This behavior maintains compatibility 
>> with the previous implementation.
>> 
>> While the `java.security.properties` system property is documented to accept 
>> an URL type of value, filesystem path values are supported in the same way 
>> that they were prior to this enhancement. Values are then interpreted as 
>> paths and, only if that fails, are considered URLs. In the latter case, 
>> there is one more attempt after opening the stream to check if there is a 
>> local file path underneath (e.g. the URL has the form of 
>> `file:///path/to/a/local/file`). The reason for preferring paths over URLs 
>> is to support relative path file inclusion in properties files.
>> 
>> ## Loading security properties from paths (`loadFromPath` method)
>> 
>> When loading a properties file from a path, the normalized file location is 
>> stored in the static field `currentPath`. This value is the current base to 
>> resolve any relative path encountered while handling an _include_ 
>> definition. Normalized paths are also saved in the `activePaths` set to 
>> detect recursive cycles. As we move down or up in the _includes_ stack, 
>> `currentPath` and `activePaths` values are updated.
>> 
>> ## Loading security properties from URLs (`loadFromUrl` method)
>> 
>> The extra properti...
>
> Francisco Ferrari Bihurriet has updated the pull request with a new target 
> base due to a merge or a rebase. The pull request now contains 16 commits:
> 
>  - Update java.security documentation and fix test
>
>Adjust java.security documentation to match the latest CSR update,
>explaining the definition of security profiles based on non-strict
>system property expansion.
>
>Skip specialCharsIncludes test case in platforms whose filesystem
>does not support paths containing Unicode characters.
>
>Co-authored-by: Francisco Ferrari 
>Co-authored-by: Martin Balao 
>  - Merge 'openjdk/master' into JDK-8319332
>  - Improve backward compatibility testing
>
>Co-authored-by: Francisco Ferrari 
>Co-authored-by: Martin Balao 
>  - Extend backward compatibility support
>
>Co-authored-by: Francisco Ferrari 
>Co-authored-by: Martin Balao 
>  - Merge 'openjdk/master' into JDK-8319332
>  - Merge 'openjdk/master' into JDK-8319332
>  - Merge 'openjdk/master' into JDK-8319332
>
>Conflict in ConfigFileTest.java solved by keeping our file, which had
>been previously adjusted.
>
>Commands:
>  git merge upstream/master
>  git restore --ours -- test/jdk/java/security/Security/ConfigFileTest.java
>  git add test/jdk/java/security/Security/ConfigFileTest.java
>  git merge --continue
>  - 8319332: Adjust code for JDK-8319673 changes
>
>JDK-8319673: Few security tests ignore VM flags
>
>Next, we will merge the openjdk/master branch and ignore the conflict in
>this file.
>
>Co-authored-by: Martin Balao 
>Co-authored-by: Francisco Ferrari Bihurriet 
>  - 8319332: Update copyright and ConfigFileTest.java.
>
>Bump copyright year to 2024 in all the modified files.
>
>Remove leaked host name from children JVMs debug command.
>
>Extract Executor::addSystemPropertiesAsJvmArgs from Executor::execute
>and rename 'allJvmArgs' to 'command'. Also split class name and
>RUNNER_ARG addition to 'command' as two separated command.add() calls.
>
>Co-authored-by: Martin Balao 
>Co-authored-by: Francisco Ferrari Bihurriet 
>  - Merge 'openjdk/master' into JDK-8319332
>  - ... and 6 more:

Re: RFR: 8319332: Security properties files inclusion [v10]

On Thu, 2 May 2024 14:07:13 GMT, Francisco Ferrari Bihurriet 
 wrote:

>> The implementation of this proposal is based on the requirements, 
>> specification and design choices described in the [JDK-8319332] ticket and 
>> its respective CSR [JDK-8319333]. What follows are implementation notes 
>> organized per functional component, with the purpose of assisting to 
>> navigate the code changes in this pull-request.
>> 
>> ## Security properties loading (overview)
>> 
>> A new static class named `SecPropLoader` (nested within 
>> `java.security.Security`) is introduced to handle the loading of all 
>> security properties. Its method `loadAll` is the first one to be called, at 
>> `java.security.Security` static class initialization. The master security 
>> properties file is then loaded by `loadMaster`. When additional security 
>> properties files are allowed (the security property 
>> `security.overridePropertiesFile` is set to `true`) and the 
>> `java.security.properties` system property is passed, the method `loadExtra` 
>> handles the extra load.
>> 
>> The master properties file is loaded in `OVERRIDE` mode, meaning that the 
>> map of properties is originally empty. Any failure occurred while loading 
>> these properties is considered fatal. The extra properties file 
>> (`java.security.properties`) may be loaded in `OVERRIDE` or `APPEND` mode. 
>> Any failure in this case is ignored. This behavior maintains compatibility 
>> with the previous implementation.
>> 
>> While the `java.security.properties` system property is documented to accept 
>> an URL type of value, filesystem path values are supported in the same way 
>> that they were prior to this enhancement. Values are then interpreted as 
>> paths and, only if that fails, are considered URLs. In the latter case, 
>> there is one more attempt after opening the stream to check if there is a 
>> local file path underneath (e.g. the URL has the form of 
>> `file:///path/to/a/local/file`). The reason for preferring paths over URLs 
>> is to support relative path file inclusion in properties files.
>> 
>> ## Loading security properties from paths (`loadFromPath` method)
>> 
>> When loading a properties file from a path, the normalized file location is 
>> stored in the static field `currentPath`. This value is the current base to 
>> resolve any relative path encountered while handling an _include_ 
>> definition. Normalized paths are also saved in the `activePaths` set to 
>> detect recursive cycles. As we move down or up in the _includes_ stack, 
>> `currentPath` and `activePaths` values are updated.
>> 
>> ## Loading security properties from URLs (`loadFromUrl` method)
>> 
>> The extra properti...
>
> Francisco Ferrari Bihurriet has updated the pull request with a new target 
> base due to a merge or a rebase. The pull request now contains 16 commits:
> 
>  - Update java.security documentation and fix test
>
>Adjust java.security documentation to match the latest CSR update,
>explaining the definition of security profiles based on non-strict
>system property expansion.
>
>Skip specialCharsIncludes test case in platforms whose filesystem
>does not support paths containing Unicode characters.
>
>Co-authored-by: Francisco Ferrari 
>Co-authored-by: Martin Balao 
>  - Merge 'openjdk/master' into JDK-8319332
>  - Improve backward compatibility testing
>
>Co-authored-by: Francisco Ferrari 
>Co-authored-by: Martin Balao 
>  - Extend backward compatibility support
>
>Co-authored-by: Francisco Ferrari 
>Co-authored-by: Martin Balao 
>  - Merge 'openjdk/master' into JDK-8319332
>  - Merge 'openjdk/master' into JDK-8319332
>  - Merge 'openjdk/master' into JDK-8319332
>
>Conflict in ConfigFileTest.java solved by keeping our file, which had
>been previously adjusted.
>
>Commands:
>  git merge upstream/master
>  git restore --ours -- test/jdk/java/security/Security/ConfigFileTest.java
>  git add test/jdk/java/security/Security/ConfigFileTest.java
>  git merge --continue
>  - 8319332: Adjust code for JDK-8319673 changes
>
>JDK-8319673: Few security tests ignore VM flags
>
>Next, we will merge the openjdk/master branch and ignore the conflict in
>this file.
>
>Co-authored-by: Martin Balao 
>Co-authored-by: Francisco Ferrari Bihurriet 
>  - 8319332: Update copyright and ConfigFileTest.java.
>
>Bump copyright year to 2024 in all the modified files.
>
>Remove leaked host name from children JVMs debug command.
>
>Extract Executor::addSystemPropertiesAsJvmArgs from Executor::execute
>and rename 'allJvmArgs' to 'command'. Also split class name and
>RUNNER_ARG addition to 'command' as two separated command.add() calls.
>
>Co-authored-by: Martin Balao 
>Co-authored-by: Francisco Ferrari Bihurriet 
>  - Merge 'openjdk/master' into JDK-8319332
>  - ... and 6 more:

Re: RFR: 8319332: Security properties files inclusion [v10]

On Thu, 2 May 2024 14:07:13 GMT, Francisco Ferrari Bihurriet 
 wrote:

>> The implementation of this proposal is based on the requirements, 
>> specification and design choices described in the [JDK-8319332] ticket and 
>> its respective CSR [JDK-8319333]. What follows are implementation notes 
>> organized per functional component, with the purpose of assisting to 
>> navigate the code changes in this pull-request.
>> 
>> ## Security properties loading (overview)
>> 
>> A new static class named `SecPropLoader` (nested within 
>> `java.security.Security`) is introduced to handle the loading of all 
>> security properties. Its method `loadAll` is the first one to be called, at 
>> `java.security.Security` static class initialization. The master security 
>> properties file is then loaded by `loadMaster`. When additional security 
>> properties files are allowed (the security property 
>> `security.overridePropertiesFile` is set to `true`) and the 
>> `java.security.properties` system property is passed, the method `loadExtra` 
>> handles the extra load.
>> 
>> The master properties file is loaded in `OVERRIDE` mode, meaning that the 
>> map of properties is originally empty. Any failure occurred while loading 
>> these properties is considered fatal. The extra properties file 
>> (`java.security.properties`) may be loaded in `OVERRIDE` or `APPEND` mode. 
>> Any failure in this case is ignored. This behavior maintains compatibility 
>> with the previous implementation.
>> 
>> While the `java.security.properties` system property is documented to accept 
>> an URL type of value, filesystem path values are supported in the same way 
>> that they were prior to this enhancement. Values are then interpreted as 
>> paths and, only if that fails, are considered URLs. In the latter case, 
>> there is one more attempt after opening the stream to check if there is a 
>> local file path underneath (e.g. the URL has the form of 
>> `file:///path/to/a/local/file`). The reason for preferring paths over URLs 
>> is to support relative path file inclusion in properties files.
>> 
>> ## Loading security properties from paths (`loadFromPath` method)
>> 
>> When loading a properties file from a path, the normalized file location is 
>> stored in the static field `currentPath`. This value is the current base to 
>> resolve any relative path encountered while handling an _include_ 
>> definition. Normalized paths are also saved in the `activePaths` set to 
>> detect recursive cycles. As we move down or up in the _includes_ stack, 
>> `currentPath` and `activePaths` values are updated.
>> 
>> ## Loading security properties from URLs (`loadFromUrl` method)
>> 
>> The extra properti...
>
> Francisco Ferrari Bihurriet has updated the pull request with a new target 
> base due to a merge or a rebase. The pull request now contains 16 commits:
> 
>  - Update java.security documentation and fix test
>
>Adjust java.security documentation to match the latest CSR update,
>explaining the definition of security profiles based on non-strict
>system property expansion.
>
>Skip specialCharsIncludes test case in platforms whose filesystem
>does not support paths containing Unicode characters.
>
>Co-authored-by: Francisco Ferrari 
>Co-authored-by: Martin Balao 
>  - Merge 'openjdk/master' into JDK-8319332
>  - Improve backward compatibility testing
>
>Co-authored-by: Francisco Ferrari 
>Co-authored-by: Martin Balao 
>  - Extend backward compatibility support
>
>Co-authored-by: Francisco Ferrari 
>Co-authored-by: Martin Balao 
>  - Merge 'openjdk/master' into JDK-8319332
>  - Merge 'openjdk/master' into JDK-8319332
>  - Merge 'openjdk/master' into JDK-8319332
>
>Conflict in ConfigFileTest.java solved by keeping our file, which had
>been previously adjusted.
>
>Commands:
>  git merge upstream/master
>  git restore --ours -- test/jdk/java/security/Security/ConfigFileTest.java
>  git add test/jdk/java/security/Security/ConfigFileTest.java
>  git merge --continue
>  - 8319332: Adjust code for JDK-8319673 changes
>
>JDK-8319673: Few security tests ignore VM flags
>
>Next, we will merge the openjdk/master branch and ignore the conflict in
>this file.
>
>Co-authored-by: Martin Balao 
>Co-authored-by: Francisco Ferrari Bihurriet 
>  - 8319332: Update copyright and ConfigFileTest.java.
>
>Bump copyright year to 2024 in all the modified files.
>
>Remove leaked host name from children JVMs debug command.
>
>Extract Executor::addSystemPropertiesAsJvmArgs from Executor::execute
>and rename 'allJvmArgs' to 'command'. Also split class name and
>RUNNER_ARG addition to 'command' as two separated command.add() calls.
>
>Co-authored-by: Martin Balao 
>Co-authored-by: Francisco Ferrari Bihurriet 
>  - Merge 'openjdk/master' into JDK-8319332
>  - ... and 6 more:

Re: RFR: 8319332: Security properties files inclusion [v10]