Re: [Internet]Re: "Pluggable" key serialization in JCE/JCA

2022-03-27 Thread Anthony Scarpino 
Thanks for all the info. We don’t have experience with JOSE or COSE, I think we 
need to digest some of this data before making a future step 

Not knowing this technology until you brought it up a few days ago, a few 
questions i have are how is this used and how common?  Would I see this used 
for more secure sites like banks or shopping through the browser or it more 
common sites. Is it only browser-based or are their other used cases?  Bernd 
mentioned QR codes, is COSE used inside the QR code or the authentication for 
the user to get to their QR code?

Thanks

Tony

> On Mar 26, 2022, at 11:48 PM, Anders Rundgren  
> wrote:
> 
> On 2022-03-26 23:14, Bernd Eckenfels wrote:
>> Just for completeness, the standard for key transport in JOSE is JWK 
>> (RFC7517).
>> In COSE it is a COSE_Key(Set) as defined in RFC8152 sect13.
>> BTW the most widely used CBOR/COSE application are probably the QR codes 
>> around Covid and Vaccination certificates of the EU.
> 
> Thanx Bernd and Michael for the additional clarifications!
> 
> Now to the thing that spurred this discussion: 
> https://datatracker.ietf.org/doc/html/rfc8037
> 
>   This document defines how to use the Diffie-Hellman algorithms
>   "X25519" and "X448" as well as the signature algorithms "Ed25519" and
>   "Ed448" from the IRTF CFRG elliptic curves work in JSON Object
>   Signing and Encryption (JOSE).
> 
> When RFC 8037 was created the assumption was that the "OKP" key container 
> {sh|c}ould be used for other crypto systems having the same parameter set.  
> This is now an active proposal:
> https://www.ietf.org/archive/id/draft-looker-cose-bls-key-representations-00.html
> 
> Obviously everything works just fine if you look at the container in 
> isolation. However, it means that "OKP" encoder/decoder code must be updated 
> for every new reuse ("overloading").  To be meaningful these new algorithms 
> would also have to coerced into the existing XEC or EdDSA interfaces.
> 
> IMO, this would be VERY UNFORTUNATE since it is incompatible with the 
> provider concept as well as with object oriented crypto APIs.  I'm therefore 
> suggesting that key containers for specific crypto systems should have unique 
> names.  In this particular case "BLS" seems logical.  In Java it could 
> eventually be mapped to BLSPublicKey and BLSPrivateKey.
> 
> WDYT?
> 
> There is no need for a JEP at this stage, only some kind of indication of 
> what the JDK crypto team see as the best way forward from your horizon.  The 
> same discussion has emerged for Post Quantum Crypto algorithms.
> 
> Thanx,
> Anders

Re: protecting security-sensitive operations on multi-tenant servers

2022-03-27 Thread Rick Hillegas 
Thanks, Alan. I don't have a lot of visibility into how Derby's security 
mechanisms are deployed. We only hear from users when they have 
problems--and we don't field many security-related issues. I will put 
your advice into our release notes: move your application into a 
container so that you will be protected when the Security Manager is 
removed.


Thanks,
-Rick

On 3/27/22 7:22 AM, Alan Bateman wrote:



On 27/03/2022 14:45, Rick Hillegas wrote:
From the silence, I assume that there isn't any advice I can give 
Derby users. At this time the Security Manager is the only mechanism 
for protecting an application against these threats. Users should 
ignore the deprecation diagnostics and set 
-Djava.security.manager=allow.


I think it's more that the SM was never the right solution for this 
type of isolation. Also some of the "operations" that you list, 
creating class loaders, de-registering JDBC drivers, ... suggest there 
may be potentially malicious code in these environments too. Do you 
know if these are legacy deployments or Derby users that haven't 
explored OS containers to isolate applications on the same hardware?


-Alan

Re: RFR: 8283727: P11KeyGenerator has import statement with two semicolons after JDK-8267319

2022-03-27 Thread Christoph Langer 
On Sun, 27 Mar 2022 13:07:54 GMT, Sean Mullan  wrote:

> Regarding the bug, the `noreg-self` label is used for fixes to tests. 
> `noreg-trivial` seems more appropriate for this issue.

You're right, I changed this. Thanks also for the review.

-

PR: https://git.openjdk.java.net/jdk/pull/7976

Re: protecting security-sensitive operations on multi-tenant servers

2022-03-27 Thread Alan Bateman 




On 27/03/2022 14:45, Rick Hillegas wrote:
From the silence, I assume that there isn't any advice I can give 
Derby users. At this time the Security Manager is the only mechanism 
for protecting an application against these threats. Users should 
ignore the deprecation diagnostics and set -Djava.security.manager=allow.


I think it's more that the SM was never the right solution for this type 
of isolation. Also some of the "operations" that you list, creating 
class loaders, de-registering JDBC drivers, ... suggest there may be 
potentially malicious code in these environments too. Do you know if 
these are legacy deployments or Derby users that haven't explored OS 
containers to isolate applications on the same hardware?


-Alan

Re: protecting security-sensitive operations on multi-tenant servers

2022-03-27 Thread Rick Hillegas 
From the silence, I assume that there isn't any advice I can give Derby 
users. At this time the Security Manager is the only mechanism for 
protecting an application against these threats. Users should ignore the 
deprecation diagnostics and set -Djava.security.manager=allow.


On 3/24/22 2:27 PM, Rick Hillegas wrote:
The Apache Derby community is getting ready to vet a new release which 
can be used on Java 17. Before buttoning down the release, I wanted to 
check in on current best practices for defending enterprise 
applications against the threats which the Java Security Manager 
parries. There may be some work we could do to better prepare our 
users for a future without a Security Manager.


In particular, what are current best Java practices for protecting a 
multi-tenant server against abuse of the following security-sensitive 
operations:


o Reading and setting of system properties.

o Creation of class loaders.

o File access

o Network access

o De-registration of JDBC drivers

Thanks,
-Rick

Re: RFR: 8283727: P11KeyGenerator has import statement with two semicolons after JDK-8267319

2022-03-27 Thread Sean Mullan 
On Sun, 27 Mar 2022 08:48:12 GMT, Christoph Langer  wrote:

> Remove double semicolon

Marked as reviewed by mullan (Reviewer).

Regarding the bug, the `noreg-self` label is used for fixes to tests. 
`noreg-trivial` seems more appropriate for this issue.

-

PR: https://git.openjdk.java.net/jdk/pull/7976

RFR: 8283727: P11KeyGenerator has import statement with two semicolons after JDK-8267319

2022-03-27 Thread Christoph Langer 
Remove double semicolon

-

Commit messages:
 - JDK-8283727

Changes: https://git.openjdk.java.net/jdk/pull/7976/files
 Webrev: https://webrevs.openjdk.java.net/?repo=jdk&pr=7976&range=00
  Issue: https://bugs.openjdk.java.net/browse/JDK-8283727
  Stats: 1 line in 1 file changed: 0 ins; 0 del; 1 mod
  Patch: https://git.openjdk.java.net/jdk/pull/7976.diff
  Fetch: git fetch https://git.openjdk.java.net/jdk pull/7976/head:pull/7976

PR: https://git.openjdk.java.net/jdk/pull/7976