(10) RFR of JDK-8184234: sun.security.provider.AuthPolicyFile$PolicyEntry.toString() throws MissingResourceException

[Hamlin Li]

Would you please review the below patch?

bug: https://bugs.openjdk.java.net/browse/JDK-8184234

webrev: http://cr.openjdk.java.net/~mli/8184234/webrev.00/


Thank you

-Hamlin

Re: (10) RFR of JDK-8184165: sun.security.provider.PolicyFile$PolicyEntry.toString() throws MissingResourceException

[Hamlin Li]

I manually checked *Resources.java under sun/security and usage of them, 
my investigation shows that overall quality of "static" resource usage 
is good (by "static" I mean it uses hard code resource string like 
rb.getString("") rather than rb.getString(aStringVariable) ), except 
of this issue and another new issue: 
https://bugs.openjdk.java.net/browse/JDK-8184234, in which similar issue 
in sun.security.provider.AuthPolicyFile$PolicyEntry is reported.


For new issue JDK-8184234, it existed since jdk6 to 10.

Thank you

-Hamlin


On 2017/7/12 11:36, Hamlin Li wrote:



On 2017/7/12 11:06, Weijun Wang wrote:

On Jul 12, 2017, at 11:03 AM, Hamlin Li  wrote:

Hi Max,

On 2017/7/12 10:50, Weijun Wang wrote:

Change looks fine.

Please remember to add a noreg-trivial label.

Added the label, and will push the change.
Also, can you do some more investigation when this starts to 
happen? The bug says affected versions are 9 and 10 but 
PolicyFile.java has been there long long ago. Was there a regression?
The same code is there since jdk6 
(http://hg.openjdk.java.net/jdk6/jdk6/jdk) , I did not check jdk5...
I don't think it's a regression, it should be just a missing 
resource, as the failure only occurs when accessing very details of 
sun.security.provider.PolicyFile by reflection, I guess people 
seldom do that.

Is it easy to verify?

I asked if it’s a regression because I remember some time last year 
there is some rearrangement of codes in this area.

I just checked jdk6, 7, 8. You're right, there is a regression in jdk 8.
In summary,
  in jdk6, the issue exists;
  in jdk7 some resources were added which I believe fixed this issue; 
(too many, I can not list it here.)
  in jdk8 the added resources were totally removed, and another 2 
resources are added:
> {"duplicate.keystore.domain.name","duplicate keystore domain 
name: {0}"},

> {"duplicate.keystore.name","duplicate keystore name: {0}"},

But currently I don't know how big the change impacts, as there are 
many resource usage under sun/security which use 
sun/security/util/[Resources|AuthResources].java


sun/security/util/Resources in jdk6, 
http://hg.openjdk.java.net/jdk6/jdk6/jdk/file/62df9772b849/src/share/classes/sun/security/util/Resources.java
sun/security/util/Resources in jdk7, 
http://hg.openjdk.java.net/jdk7/jdk7/jdk/file/9b8c96f96a0f/src/share/classes/sun/security/util/Resources.java
sun/security/util/Resources in jdk8, 
http://hg.openjdk.java.net/jdk8/jdk8/jdk/file/687fd7c7986d/src/share/classes/sun/security/util/Resources.java


Thank you
-Hamlin


--Max


Thank you
-Hamlin

Thanks
Max

On Jul 12, 2017, at 10:28 AM, Hamlin Li  
wrote:


Would you please review the below patch?

bug: https://bugs.openjdk.java.net/browse/JDK-8184165

webrev: http://cr.openjdk.java.net/~mli/8184165/webrev.00/


Thank you

-Hamlin

Re: (10) RFR of JDK-8184165: sun.security.provider.PolicyFile$PolicyEntry.toString() throws MissingResourceException

[Hamlin Li]

On 2017/7/12 11:06, Weijun Wang wrote:

On Jul 12, 2017, at 11:03 AM, Hamlin Li  wrote:

Hi Max,

On 2017/7/12 10:50, Weijun Wang wrote:

Change looks fine.

Please remember to add a noreg-trivial label.

Added the label, and will push the change.

Also, can you do some more investigation when this starts to happen? The bug 
says affected versions are 9 and 10 but PolicyFile.java has been there long 
long ago. Was there a regression?

The same code is there since jdk6 (http://hg.openjdk.java.net/jdk6/jdk6/jdk) , 
I did not check jdk5...
I don't think it's a regression, it should be just a missing resource, as the 
failure only occurs when accessing very details of 
sun.security.provider.PolicyFile by reflection, I guess people seldom do that.

Is it easy to verify?

I asked if it’s a regression because I remember some time last year there is 
some rearrangement of codes in this area.

I just checked jdk6, 7, 8. You're right, there is a regression in jdk 8.
In summary,
  in jdk6, the issue exists;
  in jdk7 some resources were added which I believe fixed this issue; 
(too many, I can not list it here.)
  in jdk8 the added resources were totally removed, and another 2 
resources are added:
> {"duplicate.keystore.domain.name","duplicate keystore domain 
name: {0}"},

> {"duplicate.keystore.name","duplicate keystore name: {0}"},

But currently I don't know how big the change impacts, as there are many 
resource usage under sun/security which use 
sun/security/util/[Resources|AuthResources].java


sun/security/util/Resources in jdk6, 
http://hg.openjdk.java.net/jdk6/jdk6/jdk/file/62df9772b849/src/share/classes/sun/security/util/Resources.java
sun/security/util/Resources in jdk7, 
http://hg.openjdk.java.net/jdk7/jdk7/jdk/file/9b8c96f96a0f/src/share/classes/sun/security/util/Resources.java
sun/security/util/Resources in jdk8, 
http://hg.openjdk.java.net/jdk8/jdk8/jdk/file/687fd7c7986d/src/share/classes/sun/security/util/Resources.java


Thank you
-Hamlin


--Max


Thank you
-Hamlin

Thanks
Max


On Jul 12, 2017, at 10:28 AM, Hamlin Li  wrote:

Would you please review the below patch?

bug: https://bugs.openjdk.java.net/browse/JDK-8184165

webrev: http://cr.openjdk.java.net/~mli/8184165/webrev.00/


Thank you

-Hamlin

Re: (10) RFR of JDK-8184165: sun.security.provider.PolicyFile$PolicyEntry.toString() throws MissingResourceException

[Weijun Wang]

> On Jul 12, 2017, at 11:03 AM, Hamlin Li  wrote:
> 
> Hi Max,
> 
> On 2017/7/12 10:50, Weijun Wang wrote:
>> Change looks fine.
>> 
>> Please remember to add a noreg-trivial label.
> Added the label, and will push the change.
>> Also, can you do some more investigation when this starts to happen? The bug 
>> says affected versions are 9 and 10 but PolicyFile.java has been there long 
>> long ago. Was there a regression?
> The same code is there since jdk6 (http://hg.openjdk.java.net/jdk6/jdk6/jdk) 
> , I did not check jdk5...
> I don't think it's a regression, it should be just a missing resource, as the 
> failure only occurs when accessing very details of 
> sun.security.provider.PolicyFile by reflection, I guess people seldom do that.

Is it easy to verify?

I asked if it’s a regression because I remember some time last year there is 
some rearrangement of codes in this area.

--Max

> 
> Thank you
> -Hamlin
>> 
>> Thanks
>> Max
>> 
>>> On Jul 12, 2017, at 10:28 AM, Hamlin Li  wrote:
>>> 
>>> Would you please review the below patch?
>>> 
>>> bug: https://bugs.openjdk.java.net/browse/JDK-8184165
>>> 
>>> webrev: http://cr.openjdk.java.net/~mli/8184165/webrev.00/
>>> 
>>> 
>>> Thank you
>>> 
>>> -Hamlin
>>> 
> 

Re: (10) RFR of JDK-8184165: sun.security.provider.PolicyFile$PolicyEntry.toString() throws MissingResourceException

[Hamlin Li]

Hi Max,

On 2017/7/12 10:50, Weijun Wang wrote:

Change looks fine.

Please remember to add a noreg-trivial label.

Added the label, and will push the change.

Also, can you do some more investigation when this starts to happen? The bug 
says affected versions are 9 and 10 but PolicyFile.java has been there long 
long ago. Was there a regression?
The same code is there since jdk6 
(http://hg.openjdk.java.net/jdk6/jdk6/jdk) , I did not check jdk5...
I don't think it's a regression, it should be just a missing resource, 
as the failure only occurs when accessing very details of 
sun.security.provider.PolicyFile by reflection, I guess people seldom do 
that.


Thank you
-Hamlin


Thanks
Max


On Jul 12, 2017, at 10:28 AM, Hamlin Li  wrote:

Would you please review the below patch?

bug: https://bugs.openjdk.java.net/browse/JDK-8184165

webrev: http://cr.openjdk.java.net/~mli/8184165/webrev.00/


Thank you

-Hamlin

Re: (10) RFR of JDK-8184165: sun.security.provider.PolicyFile$PolicyEntry.toString() throws MissingResourceException

[Weijun Wang]

Change looks fine.

Please remember to add a noreg-trivial label.

Also, can you do some more investigation when this starts to happen? The bug 
says affected versions are 9 and 10 but PolicyFile.java has been there long 
long ago. Was there a regression?

Thanks
Max

> On Jul 12, 2017, at 10:28 AM, Hamlin Li  wrote:
> 
> Would you please review the below patch?
> 
> bug: https://bugs.openjdk.java.net/browse/JDK-8184165
> 
> webrev: http://cr.openjdk.java.net/~mli/8184165/webrev.00/
> 
> 
> Thank you
> 
> -Hamlin
> 

(10) RFR of JDK-8184165: sun.security.provider.PolicyFile$PolicyEntry.toString() throws MissingResourceException

[Hamlin Li]

Would you please review the below patch?

bug: https://bugs.openjdk.java.net/browse/JDK-8184165

webrev: http://cr.openjdk.java.net/~mli/8184165/webrev.00/


Thank you

-Hamlin

Re: RFR: 8184208: update class="striped" tables for accessibility

[Jonathan Gibbons]

On 07/11/2017 04:02 PM, Brian Burkhalter wrote:
On Jul 11, 2017, at 2:39 PM, Jonathan Gibbons 
mailto:jonathan.gibb...@oracle.com>> wrote:


Please review this auto-generated update to improve the accessibility 
of many of the tables

in the API docs for the java.base module.


Looks all right to me.

All the modifiied tables have been visually checked with an 
accessibility checker.


There does not however appear to be a visual difference between the 
JDK 9 javadoc and the javadoc generated in a JDK 10 clone with this 
patch applied.


Brian


Brian,

Yes, the differences will show up when using a screen reader or some 
form of accessibility checker. There should not be any noticeable 
difference  for most users.


-- Jon

Re: RFR: 8184208: update class="striped" tables for accessibility

[Brian Burkhalter]

On Jul 11, 2017, at 2:39 PM, Jonathan Gibbons  
wrote:

> Please review this auto-generated update to improve the accessibility of many 
> of the tables
> in the API docs for the java.base module.

Looks all right to me.

> All the modifiied tables have been visually checked with an accessibility 
> checker.

There does not however appear to be a visual difference between the JDK 9 
javadoc and the javadoc generated in a JDK 10 clone with this patch applied.

Brian

RFR: 8184208: update class="striped" tables for accessibility

[Jonathan Gibbons]

Please review this auto-generated update to improve the accessibility of 
many of the tables

in the API docs for the java.base module.

The changes are just to the HTML markup for selected tables;
there is no change to the wording of any documentation.

This update was generated by a utility program that looks for tables 
using the

CSS style class "striped", and updates those tables as follows:

* header cells () in the  now declare scope="col"
* the first data cell () in each row in the  are changed to 
and declare scope="row".
Although these cells are changed from  to , the CSS still 
uses font-weight-normal for

these cells.

The changes are in line with HTML 5 and WCAG 2.0.

This update does not include the following tables, which will be done 
separately (manually)


* tables with CSS class "borderless" (18), "plain" (37), or no class (6)
* tables in java.time.chrono (5): although these table use "striped",
the first column does not contain unique values, and is therefore 
unsuited for the

automated update

All the modifiied tables have been visually checked with an 
accessibility checker.


JBS: https://bugs.openjdk.java.net/browse/JDK-8184208
Webrev: http://cr.openjdk.java.net/~jjg/8184208/webrev.00/
API: http://cr.openjdk.java.net/~jjg/8184208/api.00/

-- Jon

RE: [RFR] 8174849: Change SHA1 certpath restrictions - issue with 3rd party JCE provider

[Langer, Christoph]

Hi Sean,

thanks for coming back on this.

> > I'd like to ping you again upon that question. In the meanwhile I have
> produced a standalone test case and could verify that changing to x509Cert
> vs. the original cert for obtaining the SigAlgName would be a fix. I can share
> the test with you, however, you'll need the security provider 'IAIK' which is
> not OpenSource but can be obtained for free for educational/research
> purposes here [1].
> >
> > Shall I open a Bug for that and propose a fix? Or is using the x509Cert at 
> > this
> place the wrong thing to do here for reasons? I'd appreciate some feedback.
> 
> Technically, I don't think this is a bug. IAIK is using a non-standard
> algorithm for the signature algorithm of the certificate. The Standard
> Algorithm Names specification [1] says that "SHA1withRSA" is the correct
> name.
> 
> The JDK algorithm constraints implementation should not have to
> accommodate non-compliant certificates.
> 
> Tony and I don't quite recall why this change was made as part of
> JDK-8174849, but in general the conversion to
> sun.security.x509.X509CertImpl is done so that we can access parts of
> the certificate in a more performance friendly manner or if they are not
> accessible via the standard APIs. This is not one of those cases.
> However, I can't think of any specific reason right now we could not use
> X509CertImpl instead but would like to think about it some more.
> 
> Have you asked IAIK about their non-compliance?
> 
> [1]
> http://download.java.net/java/jdk9/docs/specs/security/standard-
> names.html#signature-algorithms

Well, probably you are right that it is not a bug - at least when you look at 
the documentation of Java9 (the link that you have cited).

However, if we look at the documentation of X509Certificate, it's not that 
clear, resp. it wasn't for pre JDK9 releases. JDK9 mentions in [1] an algorithm 
name example of "SHA256withRSA". However, the documentation for 8 [2] and 
probably all older JDKs talks about an example of "SHA-1/DSA". So this older 
type of algorithm names must have existed at some time - and it used to work 
with JDKs <= 8. However, the security standard names documentation already 
existed for JDK8 and probably earlier.

As for the reason why IAIK has not changed that (yet), maybe Dieter on cc can 
comment. He mentioned to me that some discussion about that had been done 
within IAIK but the change was never really dared.

So, I guess I would be fine if this could at least be changed for JDKs <= 8 for 
compatibility reasons. I can understand if for JDK >= 9 we say this is a new 
release and the standard algorithm names shall be enforced. Wouldn't that be a 
good compromise?

In any case, from what you are saying, I take that I can safely patch our JDK 
distribution with this change without doing a bad thing to security in general, 
wouldn't you agree?

Thanks & best regards
Christoph

[1] 
http://download.java.net/java/jdk9/docs/api/java/security/cert/X509Certificate.html#getSigAlgName--
[2] 
https://docs.oracle.com/javase/8/docs/api/javax/security/cert/X509Certificate.html#getSigAlgName--

Re: [RFR] 8174849: Change SHA1 certpath restrictions - issue with 3rd party JCE provider

[Sean Mullan]

Hi Christoph,

On 7/11/17 5:43 AM, Langer, Christoph wrote:

Hi,

I'd like to ping you again upon that question. In the meanwhile I have produced 
a standalone test case and could verify that changing to x509Cert vs. the 
original cert for obtaining the SigAlgName would be a fix. I can share the test 
with you, however, you'll need the security provider 'IAIK' which is not 
OpenSource but can be obtained for free for educational/research purposes here 
[1].

Shall I open a Bug for that and propose a fix? Or is using the x509Cert at this 
place the wrong thing to do here for reasons? I'd appreciate some feedback.


Technically, I don't think this is a bug. IAIK is using a non-standard 
algorithm for the signature algorithm of the certificate. The Standard 
Algorithm Names specification [1] says that "SHA1withRSA" is the correct 
name.


The JDK algorithm constraints implementation should not have to 
accommodate non-compliant certificates.


Tony and I don't quite recall why this change was made as part of 
JDK-8174849, but in general the conversion to 
sun.security.x509.X509CertImpl is done so that we can access parts of 
the certificate in a more performance friendly manner or if they are not 
accessible via the standard APIs. This is not one of those cases. 
However, I can't think of any specific reason right now we could not use 
X509CertImpl instead but would like to think about it some more.


Have you asked IAIK about their non-compliance?

Thanks,
Sean

[1] 
http://download.java.net/java/jdk9/docs/specs/security/standard-names.html#signature-algorithms




Thanks & Best regards
Christoph


[1] http://jcewww.iaik.tu-graz.ac.at/sic/Products/Core_Crypto_Toolkits/JCA_JCE
  

-Original Message-
From: Langer, Christoph
Sent: Sonntag, 9. Juli 2017 07:57
To: 'Anthony Scarpino' ; 'Sean Mullan'

Cc: OpenJDK Security ; 'Dieter Bratko'

Subject: RE: [RFR] 8174849: Change SHA1 certpath restrictions - issue with 3rd
party JCE provider

Hi Tony et. al.,

I'm wondering why in the commit for 8174849
(http://hg.openjdk.java.net/jdk9/dev/jdk/rev/d911fe42d2da) this line
sneaked in:

---
a/src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChe
cker.java   Wed Feb 15 12:11:03 2017 -0800
+++
b/src/java.base/share/classes/sun/security/provider/certpath/AlgorithmCh
ecker.java  Wed Feb 15 12:55:20 2017 -0800
@@ -276,7 +276,7 @@
  AlgorithmParameters currSigAlgParams = algorithmId.getParameters();
  PublicKey currPubKey = cert.getPublicKey();
-String currSigAlg = x509Cert.getSigAlgName();
+String currSigAlg = ((X509Certificate)cert).getSigAlgName();

  // Check the signature algorithm and parameters against constraints.
  if (!constraints.permits(SIGNATURE_PRIMITIVE_SET, currSigAlg,

The proposed webrev only contains the change to java.security and there is
no other hint on that anywhere public.

I'm asking because I'm seeing an issue with a 3rd party JCE provider at the
moment. There is an "SHA1withRSA" certificate involved but the provider in
use at my customer returns the String "SHA1/RSA" as SigAlgName. Don't
know how much this conforms with the spec, but it is as it is. So the permits
check will fail with that String. I believe, if the SigAlgName would be taken
from the converted x509Cert as before, we'd get SHA1withRSA and would be
fine, though I didn't test that yet. So, what speaks against that line being
reverted?

Thanks & Best regards
Christoph


-Original Message-
From: security-dev [mailto:security-dev-boun...@openjdk.java.net] On
Behalf Of Anthony Scarpino
Sent: Montag, 13. Februar 2017 22:48
To: OpenJDK Security 
Subject: [RFR] 8174849: Change SHA1 certpath restrictions

Hi,

I need a quick review on a simple certpath config change.

http://cr.openjdk.java.net/~ascarpino/8174849/webrev/

thanks

Tony

RE: [RFR] 8174849: Change SHA1 certpath restrictions - issue with 3rd party JCE provider

[Langer, Christoph]

Hi,

I'd like to ping you again upon that question. In the meanwhile I have produced 
a standalone test case and could verify that changing to x509Cert vs. the 
original cert for obtaining the SigAlgName would be a fix. I can share the test 
with you, however, you'll need the security provider 'IAIK' which is not 
OpenSource but can be obtained for free for educational/research purposes here 
[1].

Shall I open a Bug for that and propose a fix? Or is using the x509Cert at this 
place the wrong thing to do here for reasons? I'd appreciate some feedback.

Thanks & Best regards
Christoph


[1] http://jcewww.iaik.tu-graz.ac.at/sic/Products/Core_Crypto_Toolkits/JCA_JCE
 
> -Original Message-
> From: Langer, Christoph
> Sent: Sonntag, 9. Juli 2017 07:57
> To: 'Anthony Scarpino' ; 'Sean Mullan'
> 
> Cc: OpenJDK Security ; 'Dieter Bratko'
> 
> Subject: RE: [RFR] 8174849: Change SHA1 certpath restrictions - issue with 3rd
> party JCE provider
> 
> Hi Tony et. al.,
> 
> I'm wondering why in the commit for 8174849
> (http://hg.openjdk.java.net/jdk9/dev/jdk/rev/d911fe42d2da) this line
> sneaked in:
> 
> ---
> a/src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChe
> cker.java Wed Feb 15 12:11:03 2017 -0800
> +++
> b/src/java.base/share/classes/sun/security/provider/certpath/AlgorithmCh
> ecker.javaWed Feb 15 12:55:20 2017 -0800
> @@ -276,7 +276,7 @@
>  AlgorithmParameters currSigAlgParams = algorithmId.getParameters();
>  PublicKey currPubKey = cert.getPublicKey();
> -String currSigAlg = x509Cert.getSigAlgName();
> +String currSigAlg = ((X509Certificate)cert).getSigAlgName();
> 
>  // Check the signature algorithm and parameters against constraints.
>  if (!constraints.permits(SIGNATURE_PRIMITIVE_SET, currSigAlg,
> 
> The proposed webrev only contains the change to java.security and there is
> no other hint on that anywhere public.
> 
> I'm asking because I'm seeing an issue with a 3rd party JCE provider at the
> moment. There is an "SHA1withRSA" certificate involved but the provider in
> use at my customer returns the String "SHA1/RSA" as SigAlgName. Don't
> know how much this conforms with the spec, but it is as it is. So the permits
> check will fail with that String. I believe, if the SigAlgName would be taken
> from the converted x509Cert as before, we'd get SHA1withRSA and would be
> fine, though I didn't test that yet. So, what speaks against that line being
> reverted?
> 
> Thanks & Best regards
> Christoph
> 
> > -Original Message-
> > From: security-dev [mailto:security-dev-boun...@openjdk.java.net] On
> > Behalf Of Anthony Scarpino
> > Sent: Montag, 13. Februar 2017 22:48
> > To: OpenJDK Security 
> > Subject: [RFR] 8174849: Change SHA1 certpath restrictions
> >
> > Hi,
> >
> > I need a quick review on a simple certpath config change.
> >
> > http://cr.openjdk.java.net/~ascarpino/8174849/webrev/
> >
> > thanks
> >
> > Tony