Thank you Daniel for the comment. All are great points.
> On Mar 17, 2021, at 1:56 AM, Daniel Jeliński wrote:
>
> Hi Xuelei,
> I reviewed the RFC above (I hope I'm not too late!) and have some
> concerns about the security properties of the proposed solution.
> Essentially they would apply to
> Improve the readability by adding more comments in the ECDH public key
> validation implementation in JDK.
Xue-Lei Andrew Fan has updated the pull request incrementally with one
additional commit since the last revision:
typo correct of unmappable character in the comment line
On Fri, 2 Apr 2021 01:56:15 GMT, Weijun Wang wrote:
> Maybe we don't need to resolve it in this code change. If we look carefully
> at RFC 8410 Sections 10.1 and 10.2, it shows the X25519 certificate in 10.2
> is using the signer's SKID in 10.1 as its own SKID and it has no AKID.
> Currently,
On Fri, 2 Apr 2021 01:56:15 GMT, Weijun Wang wrote:
>> Only a few minor comments. Approved.
>
> Maybe we don't need to resolve it in this code change. If we look carefully
> at RFC 8410 Sections 10.1 and 10.2, it shows the X25519 certificate in 10.2
> is using the signer's SKID in 10.1 as its
On Fri, 2 Apr 2021 01:44:03 GMT, Weijun Wang wrote:
>> Hai-May Chao has updated the pull request incrementally with one additional
>> commit since the last revision:
>>
>> update with review comments
>
> Only a few minor comments. Approved.
Maybe we don't need to resolve it in this code
On Thu, 1 Apr 2021 23:36:04 GMT, Hai-May Chao wrote:
>> Please review the changes that add the -signer option to keytool
>> -genkeypair command. As key agreement algorithms do not have a signing
>> algorithm, the specified signer's private key will be used to sign and
>> generate a key
> Please review the changes that add the -signer option to keytool -genkeypair
> command. As key agreement algorithms do not have a signing algorithm, the
> specified signer's private key will be used to sign and generate a key
> agreement certificate.
> CSR review is at:
On Thu, 1 Apr 2021 21:27:52 GMT, Weijun Wang wrote:
>> Hai-May Chao has updated the pull request incrementally with one additional
>> commit since the last revision:
>>
>> Updated with review comments
>
> src/java.base/share/classes/sun/security/tools/keytool/CertAndKeyGen.java
> line 104:
Hi Martin,
looks good to me.
Best regards
Christoph
From: Doerr, Martin
Sent: Tuesday, 30 March 2021 14:01
To: jdk-updates-dev; security-dev
Cc: Langer, Christoph
Subject: [11u] RFR: 8254631: Better support ALPN byte wire values in SunJSSE
Hi,
JDK-8254631 is backported to
On Thu, 1 Apr 2021 17:04:33 GMT, Weijun Wang wrote:
>> As `RecoveryKey()` will make sure that the entry exists in the keystore and
>> is a `PrivateKeyEntry`, removed this check and updated to check whether
>> `signerCert` is null.
>
> Yes, it must be a private key entry. On the other hand, I
On Thu, 1 Apr 2021 20:37:47 GMT, Hai-May Chao wrote:
>> Please review the changes that add the -signer option to keytool
>> -genkeypair command. As key agreement algorithms do not have a signing
>> algorithm, the specified signer's private key will be used to sign and
>> generate a key
On Thu, 1 Apr 2021 16:49:19 GMT, Weijun Wang wrote:
>> Not sure the reason why a change is needed for the existing logic.
>
> With a signer, it makes no sense to create a single-cert array at the
> beginning. I am suggesting:
> X509Certificate newCert = keypair.getSelfCertificate(...);
>
On Thu, 1 Apr 2021 16:53:31 GMT, Weijun Wang wrote:
>> Hai-May Chao has updated the pull request incrementally with one additional
>> commit since the last revision:
>>
>> Updated with review comments
>
> src/java.base/share/classes/sun/security/tools/keytool/CertAndKeyGen.java
> line 88:
>
> Please review the changes that add the -signer option to keytool -genkeypair
> command. As key agreement algorithms do not have a signing algorithm, the
> specified signer's private key will be used to sign and generate a key
> agreement certificate.
> CSR review is at:
> This PR is to introduce a new random number API for the JDK. The primary API
> is found in RandomGenerator and RandomGeneratorFactory. Further description
> can be found in the JEP https://openjdk.java.net/jeps/356 .
>
> javadoc can be found at
>
Improve the readability by adding more comments in the ECDH public key
validation implementation in JDK.
-
Commit messages:
- 8264606: More comment for ECDH public key validation
Changes: https://git.openjdk.java.net/jdk/pull/3313/files
Webrev:
On Thu, 1 Apr 2021 16:34:43 GMT, Hai-May Chao wrote:
>> Please review the changes that add the -signer option to keytool
>> -genkeypair command. As key agreement algorithms do not have a signing
>> algorithm, the specified signer's private key will be used to sign and
>> generate a key
On Thu, 1 Apr 2021 16:25:49 GMT, Hai-May Chao wrote:
>> src/java.base/share/classes/sun/security/tools/keytool/Main.java line 1941:
>>
>>> 1939: signerFlag = true;
>>> 1940:
>>> 1941: if (keyStore.containsAlias(signerAlias) == false) {
>>
>> It's probably more precise
On Thu, 1 Apr 2021 16:34:43 GMT, Hai-May Chao wrote:
>> Please review the changes that add the -signer option to keytool
>> -genkeypair command. As key agreement algorithms do not have a signing
>> algorithm, the specified signer's private key will be used to sign and
>> generate a key
On Thu, 1 Apr 2021 16:26:39 GMT, Hai-May Chao wrote:
>> src/java.base/share/classes/sun/security/tools/keytool/Main.java line 2013:
>>
>>> 2011: }
>>> 2012:
>>> 2013: X509Certificate[] chain = new X509Certificate[1];
>>
>> Since the chain might contain one, I'd suggest we just
On Thu, 1 Apr 2021 16:25:13 GMT, Hai-May Chao wrote:
>> src/java.base/share/classes/sun/security/tools/keytool/CertAndKeyGen.java
>> line 114:
>>
>>> 112: }
>>> 113:
>>> 114: /**
>>
>> The original constructor can be modified to call
>> `this(keyType,sigAlg,providerName,null,null)`.
> Please review the changes that add the -signer option to keytool -genkeypair
> command. As key agreement algorithms do not have a signing algorithm, the
> specified signer's private key will be used to sign and generate a key
> agreement certificate.
> CSR review is at:
On Wed, 31 Mar 2021 13:36:39 GMT, Weijun Wang wrote:
>> Hai-May Chao has updated the pull request incrementally with one additional
>> commit since the last revision:
>>
>> Updated with review comments
>
> Some comments on the CSR:
> 1. In the "Solution" section, we might need to point out
On Wed, 31 Mar 2021 21:47:24 GMT, Anthony Scarpino wrote:
> Hi,
>
> I need a review of the locking change to the RSA blinding code. The problem
> was reported that multithreaded performance suffered because there was one
> global lock on the many blindings operation. The change reduces
> This enhancement contains the following code changes:
>
> 1. Create a new public API `javax/xml/crypto/dsig/spec/RSAPSSParameterSpec`
> and remove the internal one.
> 2. Update marshaling and unmarshaling code inside `DOMRSAPSSSignatureMethod`
> so it understands extra fields in
On Tue, 30 Mar 2021 20:24:49 GMT, Weijun Wang wrote:
>> I wonder if the @implSpec is clear enough that this will be returned. I
>> might suggest adding a similar @implSpec in this method that basically
>> states what you said above.
>
> I'm not sure if it's appropriate to specify the default
> This PR is to introduce a new random number API for the JDK. The primary API
> is found in RandomGenerator and RandomGeneratorFactory. Further description
> can be found in the JEP https://openjdk.java.net/jeps/356 .
>
> javadoc can be found at
>