RFR JDK-8233954, UnsatisfiedLinkError or NoSuchAlgorithmException after removing sunec.dll

[Xuelei Fan]

Hi,

Could I get the following update reviewed?
http://cr.openjdk.java.net/~xuelei/8233954/webrev.00/

For better performance, since JDK 11, the SunJSSE provider only check 
the EC availability for EC AlgorithmParameters algorithm for supported 
named groups and signature algorithms.  However, the SunEC has a special 
feature that it could support EC AlgorithmParameters algorithm, but not 
the key generate, key exchange, signature algorithms.  As cause problems 
if the special feature get enabled, for example remove the native JDK 
lib as the bug described


This update will check more algorithms when check if a named group or 
signature algorithm is supported or not.


No new regression test.  The test code in the bug description could be 
used to reproduce the problem and check the fix.


Thanks,
Xuelei

Re: RFR: 8231507: Update Apache Santuario (XML Signature) to version 2.1.4

[Weijun Wang]

Hi Fedor,

Sorry for the delay. Everything looks fine except that the version info in 
santuario.md should be updated. I've also updated XMLDSigRI.java to match the 
recent code change for JDK-8232357. A new webrev is now available at

   http://cr.openjdk.java.net/~weijun/8231507/webrev.00/

If no one else has any more comment, I'll push this change myself.

Thanks,
Max

> On Oct 10, 2019, at 10:48 PM, Fedor Burdun  wrote:
> 
> Hi Weijun,
> 
> I am glad to be helpful for community.
> Thanks a lot for your notes.
> 
> In addition to all mentioned above and due to (8151893: Add security property 
> to configure XML Signature secure validation mode)
> it seems the checking of Policy.restrictRetrievalMethodLoops also should be 
> reverted?
> Please correct me if I'm wrong and it should not.
> 
> Andrew Brygin volunteered to be sponsor for this code change.
> 
> New webrev: http://cr.openjdk.java.net/~fijiol/8231507/webrev.01/
> Tests: test/jdk/javax/xml/crypto/dsig/
> 
> Best regards,
> Fedor
> 
> 
> 
> 
> От: Weijun Wang 
> Отправлено: 10 октября 2019 г. 13:08
> Кому: Fedor Burdun
> Копия: security-dev@openjdk.java.net
> Тема: Re: RFR: 8231507: Update Apache Santuario (XML Signature) to version 
> 2.1.4
>  
> Hi Fedor,
> 
> First, thanks a lot for the contribution. Overall the code change looks fine, 
> but I have several comments:
> 
> 1. The change in EncryptionConstants.java is not necessary. In this module we 
> only do the signature part, but not encryption.
> 
> 2. For the same reason, 5 new methods in XMLUtils.java about encryption.
> 
> 3. In DOMRetrievalMethod.java, please revert to the use of 
> "Policy.restrictNumTransforms(newTransforms.size())". The java.xml.crypto 
> module inside OpenJDK is a little different from Santuario here and it uses a 
> java.security property named "jdk.xml.dsig.secureValidationPolicy".
> 
> 4. XMLDSigRI.java contains no actual change and can be kept unchanged.
> 
> Have you found a committer to sponsor your code change? If not, I'll be happy 
> to do it.
> 
> Thanks,
> Max
> 
> 
> > On Oct 8, 2019, at 12:35 AM, Fedor Burdun  wrote:
> > 
> > Dear all,
> > 
> > Would you please review the following change?
> > Bug: https://bugs.openjdk.java.net/browse/JDK-8231507
> > Webrev: http://cr.openjdk.java.net/~fijiol/8231507/webrev.00/
> > 
> > This change upgrades Apache Santuario library to version 2.1.4
> > 
> > Best regards,
> > Fedor

[14] RFR: 8233228: Support named curves for all disabledAlgorithms

[Anthony Scarpino]

I need a review of a disabled algorithms code change that allows EC 
curve names to be disabled for all the disabledAlgorithm properties.


https://cr.openjdk.java.net/~ascarpino/8233228/webrev/

Tony

Re: RFR 8234377: new BitArray(0).toString() throws ArrayIndexOutOfBoundsException

[Bradford Wetmore]

Looks ok to me also.

Brad


On 11/19/2019 5:13 AM, Sean Mullan wrote:

Looks fine.

--Sean

On 11/19/19 1:32 AM, Weijun Wang wrote:

Please take a review at

    http://cr.openjdk.java.net/~weijun/8234377/webrev.00/

The BitArray::toString didn't expect the length could be zero and 
always tries to print out the last octet.


Thanks,
Max

RFR: 8233801:GCMEmptyIv.java test fails on Solaris 11.4

[Seán Coffey]

Seeing an internal test failure on Solaris 11.4. Appears connected with 
the recent upgrade of PKCS11 libraries to v2.40. The test coverage has 
increased since SunPKCS11-Solaris now supports  AES/GCM. Unfortunately 
the bug details are not public but I'll give a summary here.


The new test code coverage provokes a CKR_MECHANISM_PARAM_INVALID error 
from the underlying provider and the test expects 
InvalidAlgorithmParameterException to be thrown by the Provider. 
InvalidKeyException is currently thrown by SunPKCS11-Solaris. The patch 
is quite trivial:



+++ b/src/share/classes/sun/security/pkcs11/P11AEADCipher.java
@@ -322,6 +322,9 @@
 try {
 initialize();
 } catch (PKCS11Exception e) {
+ if (e.getErrorCode() == CKR_MECHANISM_PARAM_INVALID) {
+ throw new InvalidAlgorithmParameterException("Bad params", e);
+ }
 throw new InvalidKeyException("Could not initialize 
cipher", e);

 }
 }


regards,
Sean.

Re: RFR 8234377: new BitArray(0).toString() throws ArrayIndexOutOfBoundsException

[Sean Mullan]

Looks fine.

--Sean

On 11/19/19 1:32 AM, Weijun Wang wrote:

Please take a review at

http://cr.openjdk.java.net/~weijun/8234377/webrev.00/

The BitArray::toString didn't expect the length could be zero and always tries 
to print out the last octet.

Thanks,
Max