AW: [External] : Re: [11u] RFR: 8267599: Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u

Thank you, Sean, for your review and all your help! Best regards, Martin Von: Seán Coffey Datum: Freitag, 28. Mai 2021 um 18:51 An: Doerr, Martin , jdk-updates-...@openjdk.java.net , security-dev , Hohensee, Paul Betreff: Re: [External] : Re: [11u] RFR: 8267599: Revert the change

Re: [11u] RFR: 8267599: Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u

Hi, here’s my new webrev for reverting the pkcs12.macAlgorithm and macIterationCount changes from the JDK-8153005 backport: http://cr.openjdk.java.net/~mdoerr/8267599_revert_8153005_11u/webrev.01/ Oracle’s JBS issue:

AW: [External] : AW: [11u] RFR: 8267599: Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u

Hi Sean, thank you very much! I was concerned to miss anything. But it is really that simple  I’ll prepare a new webrev. Best regards, Martin Von: Seán Coffey Datum: Freitag, 28. Mai 2021 um 16:36 An: Doerr, Martin , jdk-updates-...@openjdk.java.net , security-dev , Hohensee, Paul

AW: [11u] RFR: 8267599: Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u

, Martin Von: Seán Coffey Datum: Freitag, 28. Mai 2021 um 15:42 An: Doerr, Martin , jdk-updates-...@openjdk.java.net , security-dev , Hohensee, Paul Betreff: Re: [11u] RFR: 8267599: Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u Martin, you seem

[11u] RFR: 8267599: Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u

Hi, Oracle has reverted the changes from JDK-8153005 backport in 11.0.12-oracle for interoperability reasons. See: https://bugs.openjdk.java.net/browse/JDK-8267599 and CSR: https://bugs.openjdk.java.net/browse/JDK-8267701 I had to adapt the small test addition from JDK-8266293 (see "// 8266293"

AW: [11u] RFR: 8266293: Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long"

Hi Götz, thank you for the review! Best regards, Martin Von: Lindenmaier, Goetz Datum: Mittwoch, 19. Mai 2021 um 12:10 An: Doerr, Martin , jdk-updates-...@openjdk.java.net , security-dev Betreff: RE: [11u] RFR: 8266293: Key protection using PBEWithMD5AndDES fails

[11u] RFR: 8266293: Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long"

Hi, JDK-8266293 is backported to 11.0.12-oracle. The included test shows that the fix is required in 11u. Bug: https://bugs.openjdk.java.net/browse/JDK-8266293 Original change: https://git.openjdk.java.net/jdk/commit/04f71126479f9c39aa71e8aebe7196d72fc16796 It applies almost cleanly. Only the

AW: [11u] RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

Hi Paul, thank you for the review! I´ll remove the extra blank line before pushing. Best regards, Martin Von: Hohensee, Paul Datum: Mittwoch, 12. Mai 2021 um 00:00 An: Doerr, Martin , jdk-updates-...@openjdk.java.net , security-dev Cc: Langer, Christoph Betreff: Re: [11u] RFR: 8153005

[11u] RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

Hi, JDK-8153005 is backported to 11.0.12-oracle. I'd like to backport it for parity. It doesn't apply cleanly. Bug: https://bugs.openjdk.java.net/browse/JDK-8153005 CSR covering 11u: https://bugs.openjdk.java.net/browse/JDK-8228481 Original change:

RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named groups

That one was hard to see. Pushed. Thanks, Martin > -Original Message- > From: Hohensee, Paul > Sent: Donnerstag, 8. April 2021 23:36 > To: Doerr, Martin ; Langer, Christoph > ; jdk-updates-dev d...@openjdk.java.net>; security-dev > Cc: Lindenmaier, Goetz >

RE: [11u] RFR: 8226374: Restrict TLS signature schemes and named groups

gt; -Original Message- > From: Hohensee, Paul > Sent: Donnerstag, 8. April 2021 01:01 > To: Langer, Christoph ; Doerr, Martin > ; jdk-updates-dev d...@openjdk.java.net>; security-dev > Cc: Lindenmaier, Goetz > Subject: RE: [11u] RFR: 8226374: Restrict TLS signa

[11u] RFR: 8226374: Restrict TLS signature schemes and named groups

Hi, JDK-8226374 is backported to 11.0.12-oracle. I'd like to backport it for parity. It doesn't apply cleanly. I've taken the 13u backport as source because it resolves the wrong backport order with JDK-8242141. Bug: https://bugs.openjdk.java.net/browse/JDK-8226374 11u CSR:

RE: [11u] RFR: 8254631: Better support ALPN byte wire values in SunJSSE

Hi Christoph, thanks for the review and the approval! Best regards, Martin From: Langer, Christoph Sent: Donnerstag, 1. April 2021 23:50 To: Doerr, Martin ; jdk-updates-dev ; security-dev Subject: RE: [11u] RFR: 8254631: Better support ALPN byte wire values in SunJSSE Hi Martin, looks

[11u] RFR: 8206925: Support the certificate_authorities extension

Hi, JDK-8206925 was backported to 11.0.10-oracle, but it's still missing in the Open Source version. I'd like to backport it for parity. It does apply cleanly, but I had to modify it, because the following change is not in 11u: https://bugs.openjdk.java.net/browse/JDK-8215712 Bug:

[11u] RFR: 8254631: Better support ALPN byte wire values in SunJSSE

Hi, JDK-8254631 is backported to 11.0.12-oracle. I'd like to backport it for parity. It applies cleanly, but the javadoc parts don't compile with 11u. They are not compatible with 11u and are documented to be dropped in the CSR (linked below). As also documented in the CSR, the old behavior can

RE: [11u] RFR: 8206925: Support the certificate_authorities extension

2021 15:48 To: Doerr, Martin ; jdk-updates-...@openjdk.java.net; security-dev ; Severin Gehwolf ; Andrew Haley Cc: Lindenmaier, Goetz Subject: RE: [11u] RFR: 8206925: Support the certificate_authorities extension Hi Martin, your backport looks good. I see the new tests pass and our testing does

[11u] RFR: 8243559: Remove root certificates with 1024-bit keys

Hi, JDK-8243559 is backported to 11.0.12-oracle. I'd like to backport it for parity. I had to integrate changes to the test VerifyCACerts.java manually: - Add bug ID. - Adapt COUNT. - Compute new CHECKSUM. - Remove verisigntsaca and thawtepremiumserverca in the last hunk. Bug:

RE: [11u] RFR: 8243559: Remove root certificates with 1024-bit keys

Hi Severin, thank you for the review! Best regards, Martin > -Original Message- > From: Severin Gehwolf > Sent: Dienstag, 16. März 2021 15:12 > To: Doerr, Martin ; jdk-updates- > d...@openjdk.java.net; security-dev > Cc: Lindenmaier, Goetz ; Langer, Christoph >

RE: [11u] RFR: 8243559: Remove root certificates with 1024-bit keys

Hi Severin, sorry, seems like I had pasted the wrong one. Here's the correct one: http://cr.openjdk.java.net/~mdoerr/8243559_root_ca_11u/webrev.00/ Best regards, Martin > -Original Message- > From: Severin Gehwolf > Sent: Dienstag, 16. März 2021 11:21 > To: Doerr, Martin ;

RE: [11u] RFR: 8256421: Add 2 HARICA roots to cacerts truststore

Hi Christoph, thanks for the review and the approval! Best regards, Martin From: Langer, Christoph Sent: Donnerstag, 18. Februar 2021 14:11 To: Doerr, Martin ; security-dev ; jdk-updates-...@openjdk.java.net Cc: Lindenmaier, Goetz Subject: RE: [11u] RFR: 8256421: Add 2 HARICA roots

RE: [11u] RFR: 8244683: A TSA server used by tests

Hi Götz, thanks for the review! Best regards, Martin From: Lindenmaier, Goetz Sent: Montag, 8. Februar 2021 14:18 To: Doerr, Martin ; security-dev ; jdk-updates-...@openjdk.java.net Cc: Langer, Christoph Subject: RE: [11u] RFR: 8244683: A TSA server used by tests Hi Martin, Thanks

[11u] RFR: 8256421: Add 2 HARICA roots to cacerts truststore

Hi, JDK-8256421 is backported to 11.0.11-oracle. I'd like to backport it for parity. It doesn't apply cleanly. I'm using the jdk16u backport. See "Fix Request (jdk16u)" comment. VerifyCACerts.java: I had to change the COUNT manually: -private static final int COUNT = 95; +private static

[11u] RFR: 8244683: A TSA server used by tests

Hi, JDK-8244683 is backported to 11.0.11-oracle. I'd like to backport it for parity. It doesn't apply cleanly. TimestampCheck.java: - The parts which get removed contain minor differences (see [1]) - Resolution: Take new version. TsaHandler.java and TsaSigner.java: - New code contains usages of

RE: RFR(S): 8220348: [ntintel] asserts about copying unalinged array

is the only affected platform, I prefer not to touch other ones. Are you ok with webrev.00 as it is? Best regards, Martin From: Langer, Christoph Sent: Donnerstag, 5. Dezember 2019 12:16 To: Doerr, Martin Cc: core-libs-...@openjdk.java.net; security-dev ; Lindenmaier, Goetz ; Thomas Stüfe Subject

RE: RFR(S): 8220348: [ntintel] asserts about copying unalinged array

: Thomas Stüfe Sent: Mittwoch, 4. Dezember 2019 17:56 To: Doerr, Martin Cc: core-libs-...@openjdk.java.net; security-dev ; Lindenmaier, Goetz Subject: Re: RFR(S): 8220348: [ntintel] asserts about copying unalinged array Hi Martin, this makes sense. This is the right way to force alignment. I do

RFR(S): 8220348: [ntintel] asserts about copying unalinged array

Hi, I'd like to propose a fix for an old issue on 32 bit Windows (also for an 11u backport): https://bugs.openjdk.java.net/browse/JDK-8220348 Some jdk native methods use jni_SetLongArrayRegion with a stack allocated buffer. jni_SetLongArrayRegion uses Copy::conjoint_jlongs_atomic which

RE: [11u] RFR: 8208698: Improved ECC Implementation

Hi Christoph, looks like quite some manual resolution just because of a small conflicting change in one file. Backport looks good, but please backport it together with JDK-8217344. After that, ECDHKeyAgreement.java should be identical to the jdk13 version. Best regards, Martin > -Original

RE: [8u] RFR: 8189131: Open-source the Oracle JDK Root Certificates (Integration for JEP 319: Root Certificates)

Hi Christoph, this looks good to me. I don't know if anybody has issues with the failing tests. Should they get added to a problem list? Best regards, Martin -Original Message- From: jdk8u-dev On Behalf Of Langer, Christoph Sent: Dienstag, 7. Mai 2019 16:15 To: