[security-dev 00267]: Re: SSLContextFactory

2008-08-04 Thread Brad Wetmore
Thanks for the reminder.  With all going on here (sounds like a "broken 
record", I realize!), it again fell off my radar.  As soon as I finish a 
project this week, I'll try to have another look at it.


brad


Jerome Louvel wrote:

Hi Brad,

Is there any update regarding this idea of SSLContextFactory?

We have integrated Bruno's library in our Restlet 1.1 version and find 
it very useful. It would be great to have similar support straight from 
the JDK.


Best regards,
Jerome Louvel
http://www.restlet.org


Brad Wetmore wrote:

Hi Bruno,

Just to give you a quick update, some of us are still having a look 
over it.  We've been a little backed up lately.  (JavaOne, a 
campus-wide shutdown, vacations here in the US:  oh, and the normal 
day-to-day stuff!  ;))


Brad


Bruno Harbulot wrote:

Hello,

I only found out recently about Sean Mullan's blog entry named 
"Security Feature Planning for JDK 7" (written almost two years ago). 
After I contacted him, he kindly suggested this mailing-list could be 
the right place to discuss security features in JDK 7.


I've recently been trying to improve SSL support in a couple of 
open-source projects. This led me to build a small library, which 
I've called 'jsslutils'.
The idea behind this library is to provide an SSLContextFactory which 
can help configure an SSLContext for applications such as Restlet 
(Grizzly, Simple or Jetty connectors) or 
Jetty. Sub-classes of 
SSLContextFactory can provide extra features such as helping with the 
configuration of CRLs, or customization of the Key/TrustManagers. (If 
you wish to try it out, there are some jUnit tests in the subversion 
repository.)
I would be interested in having your opinions regarding an 
SSLContextFactory, and whether something similar may have already 
been discussed. Looking at the JDK 7 API, there doesn't seem to be 
such a class/interface. This has been a rather useful feature for my 
application so far, and it should make it easy to support CRLs for 
example in something like Jetty. However, I'm not sure whether it 
would be good to have something like this SSLContextFactory in JDK 7. 
Perhaps there are other better ways to achieve these goals.


One of the main problems I still find is that few applications 
support setting up the SSLContext, which makes it sometimes difficult 
to configure more advanced features such as CRLs. Java 6 provides a 
way to set a default SSLContext, but this is not ideal. Sometimes, 
various connectors in the application may want to use different 
SSLContexts (perhaps with different truststores and keystores). For 
example, I would like to be able to set a specific SSLContext when 
using JavaMail, but I haven't found any documentation making it 
possible to set up the truststore and keystores independently, 
instead, it seems to rely on the default system properties.



Best wishes,

Bruno.




--
Jerome Louvel
http://www.noelios.com
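
As an added illustration of the thread's point about per-connector contexts (this is not code from jsslutils, Restlet or the JDK proposal), the sketch below builds two independent SSLContexts with different truststores and optional CRL checking, without touching the default SSLContext or the javax.net.ssl.* system properties. The class and method names are hypothetical, and the sample truststores are constructed in memory from the running JDK's default trust anchors, so it assumes a stock JDK with a populated cacerts file.

```java
import java.security.KeyStore;
import java.security.cert.CertStore;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper, not the jsslutils API.
public class PerConnectorContexts {

    /** Context trusting only trustStore; a non-null crls enables revocation checking. */
    static SSLContext build(KeyStore trustStore, Collection<?> crls) throws Exception {
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.setRevocationEnabled(crls != null);
        if (crls != null) {
            pkix.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(crls)));
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // null: no client key material
        return ctx;
    }

    /** Constructed sample input: in-memory truststore with the first n default JDK anchors. */
    static KeyStore sampleTrustStore(int n) throws Exception {
        TrustManagerFactory def = TrustManagerFactory.getInstance("PKIX");
        def.init((KeyStore) null);
        X509Certificate[] all = ((X509TrustManager) def.getTrustManagers()[0]).getAcceptedIssuers();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        for (int i = 0; i < Math.min(n, all.length); i++) {
            ks.setCertificateEntry("anchor-" + i, all[i]);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        SSLContext mail = build(sampleTrustStore(1), java.util.Collections.emptyList());
        SSLContext web = build(sampleTrustStore(3), null);
        System.out.println(mail.getProtocol() + " contexts built: " + (mail != web));
    }
}
```

Each connector then takes its socket factory or engine from its own context. In real use the CRL collection would be parsed with CertificateFactory.generateCRLs; the empty list here only shows where the CRLs are attached.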



[security-dev 00266]: Re: native ECC provider to be included in J2SE ?

2008-08-04 Thread Brad Wetmore



Is there any decision to include any native ECC provider like NSS?


There might have been some discussion at some point, but as far as I 
know, there have never been any plans recently (last 3-4 years) to 
bundle a third party native crypto provider into JDK.


Our current recommendation is to use the PKCS11 provider wrapper 
mechanism found in JDKs 1.5 and above.  In JSSE, the ECC ciphersuites 
are enabled once an ECC impl is found.


http://blogs.sun.com/andreas/entry/elliptic_curve_cryptography_in_java
http://blogs.sun.com/andreas/entry/ecc_updates_and_rfc_4492

If I can keep my head down long enough, we're still planning to do a 
Java ECC impl in the SunJCE provider.


Hope this helps.

Brad



[security-dev 00265]: hg: jdk7/jsn/langtools: 6627362: javac generates code that uses array.clone, which is not available on JavaCard; ...

2008-08-04 Thread bradford . wetmore
Changeset: 3437676858e3
Author: jjg
Date:  2008-08-01 15:23 -0700
URL:   http://hg.openjdk.java.net/jdk7/jsn/langtools/rev/3437676858e3

6627362: javac generates code that uses array.clone, which is not available on JavaCard
6627364: javac needs Float and Double on the bootclasspath even when not directly used
6627366: javac needs Cloneable and Serializable on the classpath even when not directly used
Reviewed-by: darcy

! src/share/classes/com/sun/tools/javac/code/Symtab.java
! src/share/classes/com/sun/tools/javac/comp/Lower.java
! test/tools/javac/5045412/Bar.java
! test/tools/javac/5045412/Foo.java
- test/tools/javac/5045412/out
+ test/tools/javac/6627362/T6627362.java
+ test/tools/javac/6627362/x/E.java
+ test/tools/javac/6627362/x/Object.java
+ test/tools/javac/synthesize/Boolean.java
+ test/tools/javac/synthesize/Byte.java
+ test/tools/javac/synthesize/Character.java
+ test/tools/javac/synthesize/Cloneable.java
+ test/tools/javac/synthesize/Double.java
+ test/tools/javac/synthesize/Float.java
+ test/tools/javac/synthesize/Integer.java
+ test/tools/javac/synthesize/Long.java
+ test/tools/javac/synthesize/Main.java
+ test/tools/javac/synthesize/Number.java
+ test/tools/javac/synthesize/Object.java
+ test/tools/javac/synthesize/Serializable.java
+ test/tools/javac/synthesize/Short.java
+ test/tools/javac/synthesize/Test.java
+ test/tools/javac/synthesize/Void.java



[security-dev 00264]: hg: jdk7/jsn/jdk: 10 new changesets

2008-08-04 Thread bradford . wetmore
Changeset: 8c667d55b79e
Author: dfuchs
Date:  2008-07-29 19:21 +0200
URL:   http://hg.openjdk.java.net/jdk7/jsn/jdk/rev/8c667d55b79e

6402254: Revisit ModelMBean DescriptorSupport implementation of equals and hashCode.
Reviewed-by: emcmanus

! src/share/classes/com/sun/jmx/mbeanserver/Util.java
! src/share/classes/javax/management/ImmutableDescriptor.java
! src/share/classes/javax/management/modelmbean/DescriptorSupport.java

Changeset: 498c2de672c1
Author: wetmore
Date:  2008-07-29 16:57 -0700
URL:   http://hg.openjdk.java.net/jdk7/jsn/jdk/rev/498c2de672c1

Merge


Changeset: 914370f03119
Author: dfuchs
Date:  2008-07-31 12:41 +0200
URL:   http://hg.openjdk.java.net/jdk7/jsn/jdk/rev/914370f03119

6730926: Document that create/registerMBean can throw RuntimeMBeanException from postRegister
Reviewed-by: emcmanus

! src/share/classes/com/sun/jmx/interceptor/DefaultMBeanServerInterceptor.java
! src/share/classes/javax/management/MBeanRegistration.java
! src/share/classes/javax/management/MBeanServer.java
! src/share/classes/javax/management/MBeanServerConnection.java
+ test/javax/management/MBeanServer/PostExceptionTest.java

Changeset: 7622f1de1486
Author: dfuchs
Date:  2008-07-31 14:20 +0200
URL:   http://hg.openjdk.java.net/jdk7/jsn/jdk/rev/7622f1de1486

6689505: Improve MBeanServerNotification.toString
Reviewed-by: emcmanus

! src/share/classes/javax/management/MBeanServerNotification.java
+ test/javax/management/MBeanServer/MBeanServerNotificationTest.java

Changeset: 8f52c4d1d934
Author: sjiang
Date:  2008-07-31 15:31 +0200
URL:   http://hg.openjdk.java.net/jdk7/jsn/jdk/rev/8f52c4d1d934

5108776: Add reliable event handling to the JMX API
6218920: API bug - impossible to delete last MBeanServerForwarder on a connector
Reviewed-by: emcmanus

+ src/share/classes/com/sun/jmx/event/DaemonThreadFactory.java
+ src/share/classes/com/sun/jmx/event/EventBuffer.java
+ src/share/classes/com/sun/jmx/event/EventClientFactory.java
+ src/share/classes/com/sun/jmx/event/EventConnection.java
+ src/share/classes/com/sun/jmx/event/EventParams.java
+ src/share/classes/com/sun/jmx/event/LeaseManager.java
+ src/share/classes/com/sun/jmx/event/LeaseRenewer.java
+ src/share/classes/com/sun/jmx/event/ReceiverBuffer.java
+ src/share/classes/com/sun/jmx/event/RepeatedSingletonJob.java
+ src/share/classes/com/sun/jmx/interceptor/MBeanServerSupport.java
+ src/share/classes/com/sun/jmx/interceptor/SingleMBeanForwarder.java
! src/share/classes/com/sun/jmx/interceptor/package.html
! src/share/classes/com/sun/jmx/mbeanserver/MBeanInjector.java
! src/share/classes/com/sun/jmx/mbeanserver/MBeanSupport.java
+ src/share/classes/com/sun/jmx/mbeanserver/PerThreadGroupPool.java
! src/share/classes/com/sun/jmx/mbeanserver/Util.java
! src/share/classes/com/sun/jmx/remote/internal/ClientNotifForwarder.java
! src/share/classes/com/sun/jmx/remote/internal/ProxyInputStream.java
! src/share/classes/com/sun/jmx/remote/internal/ProxyRef.java
! src/share/classes/com/sun/jmx/remote/internal/ServerNotifForwarder.java
! src/share/classes/com/sun/jmx/remote/security/FileLoginModule.java
! src/share/classes/com/sun/jmx/remote/util/EnvHelp.java
+ src/share/classes/com/sun/jmx/remote/util/EventClientConnection.java
! src/share/classes/com/sun/jmx/snmp/tasks/ThreadService.java
! src/share/classes/javax/management/ImmutableDescriptor.java
! src/share/classes/javax/management/MBeanServer.java
! src/share/classes/javax/management/MBeanServerConnection.java
! src/share/classes/javax/management/MXBean.java
! src/share/classes/javax/management/QueryParser.java
! src/share/classes/javax/management/StringValueExp.java
+ src/share/classes/javax/management/event/EventClient.java
+ src/share/classes/javax/management/event/EventClientDelegate.java
+ src/share/classes/javax/management/event/EventClientDelegateMBean.java
+ src/share/classes/javax/management/event/EventClientNotFoundException.java
+ src/share/classes/javax/management/event/EventConsumer.java
+ src/share/classes/javax/management/event/EventForwarder.java
+ src/share/classes/javax/management/event/EventReceiver.java
+ src/share/classes/javax/management/event/EventRelay.java
+ src/share/classes/javax/management/event/EventSubscriber.java
+ src/share/classes/javax/management/event/FetchingEventForwarder.java
+ src/share/classes/javax/management/event/FetchingEventRelay.java
+ src/share/classes/javax/management/event/ListenerInfo.java
+ src/share/classes/javax/management/event/NotificationManager.java
+ src/share/classes/javax/management/event/RMIPushEventForwarder.java
+ src/share/classes/javax/management/event/RMIPushEventRelay.java
+ src/share/classes/javax/management/event/RMIPushServer.java
+ src/share/classes/javax/management/event/package-info.java
! src/share/classes/javax/management/loading/MLet.java
! src/share/classes/javax/management/modelmbean/ModelMBeanInfoSupport.java
! src/share/classes/javax/management/modelmbean/RequiredModelMBean.java
! s

[security-dev 00263]: hg: jdk7/jsn/corba: 6732815: CORBA_2_3 java sources not explicitly compiled

2008-08-04 Thread bradford . wetmore
Changeset: e9dad83f035c
Author: ohair
Date:  2008-08-01 13:37 -0700
URL:   http://hg.openjdk.java.net/jdk7/jsn/corba/rev/e9dad83f035c

6732815: CORBA_2_3 java sources not explicitly compiled
Reviewed-by: tbell

! make/org/omg/CORBA/Makefile



[security-dev 00262]: Code review: Failure when SPNEGO request non-Mutual

2008-08-04 Thread Weijun Wang

Hi All

Please review this code fix:

   The bug: http://bugs.sun.com/view_bug.do?bug_id=6733095
   Synopsis: Failure when SPNEGO request non-Mutual
   Webrev URL: http://hgrev.appspot.com/show?id=201

   Description:

   Using SPNEGO, when the client calls reqMutualAuth(false)
   with Kerberos as the mech, the current implementation fails.

   The reason is that when reqMutualAuth(false) is called,
   the negotiation process of the underlying mech contains
   only one token, which means the server's first call to
   Kerberos' acceptSecContext() already returns null.
   Unfortunately, the current SPNEGO implementation needs
   this output to be non-null, therefore the failure.

   There's also a tiny error in byte[] acceptSecContext(byte[])
   of GSSContextImpl that returns an empty byte array when
   the correct output should have been null.

Sorry, no regression tests due to complicated server setup.

Thanks
Weijun
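
The null-output case described in the message above, shown from the point of view of code that calls acceptSecContext (an added example, not part of the fix under review and not JDK source): the acceptor loop treats null as "no token to send" and also skips a zero-length array. The class name, the in-memory token queues and the Proxy-based stand-in for a mechanism that completes in one token are all constructed for illustration; no Kerberos setup is needed to run it.

```java
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Deque;
import java.util.List;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;

public class AcceptLoop {

    /** Drives the acceptor side; returns the number of tokens consumed. */
    static int accept(GSSContext ctx, Deque<byte[]> in, List<byte[]> out) throws GSSException {
        int consumed = 0;
        while (!ctx.isEstablished()) {
            byte[] token = in.remove();
            byte[] reply = ctx.acceptSecContext(token, 0, token.length);
            consumed++;
            // null means "nothing to send". Also skip a zero-length array, which the
            // message above describes as the incorrect output of GSSContextImpl.
            if (reply != null && reply.length > 0) {
                out.add(reply);
            }
        }
        return consumed;
    }

    /** Constructed stand-in for a mechanism that finishes in one token and emits none. */
    static GSSContext oneTokenAcceptor() {
        final boolean[] established = {false};
        InvocationHandler h = (proxy, method, args) -> {
            switch (method.getName()) {
                case "acceptSecContext": established[0] = true; return null;
                case "isEstablished":    return established[0];
                default: throw new UnsupportedOperationException(method.getName());
            }
        };
        return (GSSContext) Proxy.newProxyInstance(
                AcceptLoop.class.getClassLoader(), new Class<?>[] {GSSContext.class}, h);
    }

    public static void main(String[] args) throws GSSException {
        Deque<byte[]> fromPeer = new ArrayDeque<>();
        fromPeer.add(new byte[] {0x60}); // constructed placeholder, not a real token
        List<byte[]> toPeer = new ArrayList<>();
        int consumed = accept(oneTokenAcceptor(), fromPeer, toPeer);
        System.out.println(consumed + " token consumed, " + toPeer.size() + " sent");
    }
}
```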