[security-dev 00030]: Code review request: 6634644 broken fragment, should use @link

2007-12-24 Thread Max (Weijun) Wang
Hi Sean There's a bug on spec inside javax.security.cert.X509Certificate -START BUG REPORT- 6634644 broken fragment, should use @link Broken fragment in api doc, following lines in javax/security/cert/ X509Certificate.java should be fixed. line 366: * See getIssuerDN for Name

[security-dev 00034]: Re: JGSS: Re-construct Credentials.acquireTGTFromCache

2008-01-02 Thread Max (Weijun) Wang
Hi Andrew The current CredentialsCache.getInstance() on Windows should always return the file cache, right? Inside the acquireDefaultCreds() method, if cache.getDefaultCreds() returns a non-null object which has the correct eType, then LSA is never read. Take this for example: 1. User lo

[security-dev 00044]: LSA ticket question

2008-01-14 Thread Max (Weijun) Wang
Hi Andrew Want to confirm something with you: There are some kinds of Kerberos tickets inside the LSA cache that you can never get the encoded form, right? I've seen a ticket in kerbtray.exe that's flagged FORWARDED, but never find out how to get its encoded form, therefore cannot use it

[security-dev 00046]: ECC (was Re: LSA ticket question)

2008-01-14 Thread Max (Weijun) Wang
e) A 100% Java implementation should be available in JDK 7. Max On Jan 14, 2008, at 9:59 PM, deepak sahu wrote: hi friends Do u find ECC implemented completely in jdk6? if yes,plz help me find it out.i.e source file On 1/14/08, Max (Weijun) Wang <[EMAIL PROTECTED]> wrote: Hi Andrew Want to confi

[security-dev 00048]: Re: LSA ticket question

2008-01-14 Thread Max (Weijun) Wang
it into KERB_EXTERNAL_TICKET. Max On Jan 14, 2008, at 10:07 PM, Andrew Fan wrote: Max (Weijun) Wang wrote: Hi Andrew Want to confirm something with you: There are some kinds of Kerberos tickets inside the LSA cache that you can never get the encoded form, right? I don't hav

[security-dev 00103]: How to get the default Kerberos realm?

2008-03-12 Thread Max (Weijun) Wang
Hi All Currently, the JDK works like this (in sun.security.krb5.Config): 1. If the java.security.krb5.kdc system property is set, return it 2. If [libdefaults] default_realm exists in krb5.conf, return it 3. Using DNS (if allowed) a. Find the full qualified host name of the localhost b. Fi

[security-dev 00107]: JSSE sends a packet for every send()?

2008-03-13 Thread Max (Weijun) Wang
Playing with JSSE now. I'm sending a byte[100] on client side using 100 calls of write(int). When receiving them on the server side using read(byte[100]), I need to call it 100 times and each time it only returns 1. Does this mean the client generates one SSL packet for each write() call?

[security-dev 00122]: Tech doc: JGSS in Windows

2008-03-20 Thread Max (Weijun) Wang
Hi All I'm planning to write a technical doc on JGSS programming on Windows. http://docs.google.com/Doc?id=dct969xx_0gbzzcp2n please tell me what kinds of topics you believe should be included, say, JGSS programming on client JGSS programming on server JNDI thru JGSS HTTP/SPE

[security-dev 00190]: Please review: policytool bug

2008-06-09 Thread Max (Weijun) Wang
Hi All Please take a review. Bug: http://bugs.sun.com/view_bug.do?bug_id=6711509 Code changes: diff --git a/src/share/classes/sun/security/tools/PolicyTool.java b/ src/share/classes/sun/security/tools/PolicyTool.java --- a/src/share/classes/sun/security/tools/PolicyTool.java +++ b/src/sha

[security-dev 00291]: Re: Heads up: Bad changeset rollback

2008-09-04 Thread Max (Weijun) Wang
The bug id should have been 6740833. Max On Sep 4, 2008, at 7:26 PM, Mark Wielaard wrote: Hi, On Wed, 2008-09-03 at 14:16 -0700, Mark Reinhold wrote: Date: Wed, 03 Sep 2008 13:08:38 -0700 From: [EMAIL PROTECTED] Last night there was a changeset introduced to the JSN gate that contained an

[security-dev 00377]: Re: JGSS/krb5: Too strict Krb5LoginModule options validation

2008-10-27 Thread Max (Weijun) Wang
Hi Valerie Sun JDK's impl is different (see inline vs IBM). For options in Krb5LoginModule, I think there're 3 rules: 1. No conflict. e.g. only use ccache but storeKey, obviously there's no key to store here 2. Useful. e.g. if useKeyTab=false, then keyTabName is useless so it shouldn't ap

[security-dev 00572]: Code review request: 6780416: New keytool commands/options: -gencert, -printcertreq, -ext

2009-02-18 Thread Max (Weijun) Wang
Hi All Can you take a review of this RFE? 6780416: New keytool commands/options: -gencert, -printcertreq, -ext bug: http://bugs.sun.com/view_bug.do?bug_id=6780416 webrev: http://hgrev.appspot.com/show?id=3077 The spec of the 3 new commands/options is inside the evaluation section of the

[security-dev 00573]: Re: Code review request: 6780416: New keytool commands/options: -gencert, -printcertreq, -ext

2009-02-18 Thread Max (Weijun) Wang
If you are more familiar with the standard webrev format, I have a copy here: http://cr.openjdk.java.net/~weijun/6780416/webrev.00/ On Feb 18, 2009, at 5:05 PM, Max (Weijun) Wang wrote: Hi All Can you take a review of this RFE? 6780416: New keytool commands/options: -gencert

[security-dev 00575]: Re: Code review request: 6780416: New keytool commands/options: -gencert, -printcertreq, -ext

2009-02-18 Thread Max (Weijun) Wang
res, and then update the document link. Does this sound rational? Thanks Max Xuelei Max (Weijun) Wang wrote: Hi All Can you take a review of this RFE? 6780416: New keytool commands/options: -gencert, -printcertreq, -ext bug: http://bugs.sun.com/view_bug.do?bug_id=6780416

[security-dev 00579]: Re: Code review request: 6780416: New keytool commands/options: -gencert, -printcertreq, -ext

2009-02-18 Thread Max (Weijun) Wang
ll. I will look at KeyTool.java tomorrow, others looks fine for me by now. Good. Thanks Max Xuelei Max (Weijun) Wang wrote: Hi All Can you take a review of this RFE? 6780416: New keytool commands/options: -gencert, -printcertreq, -ext bug: http://bugs.sun.com/view_bug.do?bug_id=6780416

[security-dev 00587]: Security starter bugs? (was Re: Request for comments: New Bugzilla-based contribution process)

2009-02-20 Thread Max (Weijun) Wang
On Feb 20, 2009, at 7:05 AM, Brad Wetmore wrote: Some groups have already generated lists of "starter bugs" that might contain useful ideas to get started. Do we have the list? Max

[security-dev 00588]: Code review request: Accepting OpenSSL-style cert

2009-02-20 Thread Max (Weijun) Wang
Hi Vinnie I've forward-ported the OpenSSL-style cert fix to JDK 7, updated an existing test[1], and add a new regression test. can you please take a review? The diff of X509Factory.java is identical to the one I showed you last month. Synopsis: keytool can be more flexible on format of PE

[security-dev 00601]: Re: code review request: 5067458 Loopback SSLSocketImpl createSocket is throwing an exception.

2009-02-22 Thread Max (Weijun) Wang
Fix looks fine. BTW, SSLSocketFactory has another method createSocket(Socket s, String host, int port, boolean autoClose) How does it behave? and, will you clarify its javadoc on the host argument? Max On Feb 23, 2009, at 1:07 PM, Xuelei Fan wrote: I need to

[security-dev 00603]: Re: code review request: 5067458 Loopback SSLSocketImpl createSocket is throwing an exception.

2009-02-22 Thread Max (Weijun) Wang
I see. Everything is OK now. On Feb 23, 2009, at 1:46 PM, Xuelei Fan wrote: Max (Weijun) Wang wrote: Fix looks fine. BTW, SSLSocketFactory has another method createSocket(Socket s, String host, int port, boolean autoClose) How does it behave? Because there is a

[security-dev 00610]: RFC for jarsigner: more warning, more concise output

2009-02-24 Thread Max (Weijun) Wang
Hi All Looking at this bug now: jarsigner needs enhanced cert validation(options) http://bugs.sun.com/view_bug.do?bug_id=6802846 I've exchanged some emails with the bug reporter (BCC'ed :) ). Basically we found these problems with the current jarsigner: 1. Does not care much about warn

[security-dev 00671]: Re: 6787130 Code Review Request

2009-03-06 Thread Max (Weijun) Wang
It looks fine. On Mar 7, 2009, at 12:50 AM, Sean Mullan wrote: Hi Max, Can you review: http://cr.openjdk.java.net/~mullan/6787130/webrev/ Thanks, Sean

[security-dev 00679]: Re: Review request: Infinite loop if SPNEGO specified as sun.security.jgss.mechanism

2009-03-08 Thread Max (Weijun) Wang
On Mar 5, 2009, at 4:41 PM, Xuelei Fan wrote: "sun.security.jgss.mechanism", it is a undocumented property, right? I think it is hard to explain why SPNEGO is request, but KRB5 given, it is not the expected behavior. Why not thrown a GSSException? No, user sets this property so that SPNEG

[security-dev 00723]: Re: Request for comment: How to enable credentials delegation in HTTP Negotiate?

2009-03-29 Thread Max (Weijun) Wang
Ping again, any suggestions? Thanks Max On Nov 25, 2008, at 3:01 PM, Weijun Wang wrote: Hi All The current implementation of HTTP Negotiate authentication has not enabled credential delegation (it simply acquires a new one using either a cached TGT or username/password from Authenticator).

[security-dev 00727]: Re: Request for comment: How to enable credentials delegation in HTTP Negotiate?

2009-03-30 Thread Max (Weijun) Wang
or was designed as cascade-able. Thanks Max - Michael Max (Weijun) Wang wrote: Ping again, any suggestions? Thanks Max On Nov 25, 2008, at 3:01 PM, Weijun Wang wrote: Hi All The current implementation of HTTP Negotiate authentication has not enabled credential delegation (it simply acq

[security-dev 00753]: Re: Code review request: Undefined requesting URL in "java.net.Authenticator.getPasswordAuthentication()"

2009-04-14 Thread Max (Weijun) Wang
On Apr 14, 2009, at 5:59 PM, Christopher Hegarty - Sun Microsystems Ireland wrote: Hi Max, I only looked at the networking part of the changes. They look fine, I just have a few questions/comments: 1) sun.net.www.protocol.http.HttpURLConnection Can you use the same HttpCallerInfo inst

[security-dev 00762]: Re: Code review request: Undefined requesting URL in "java.net.Authenticator.getPasswordAuthentication()"

2009-04-17 Thread Max (Weijun) Wang
ht before the service principal name is created. I also add a test, putting two Kerberos KDC, one HTTP server, one proxy server in a single regression test is fun! Thanks Max On Apr 14, 2009, at 8:55 PM, Max (Weijun) Wang wrote: On Apr 14, 2009, at 5:59 PM, Christopher Hegarty - Sun Microsys

[security-dev 00775]: Re: inefficient Des3DkCrypto/DigestMD5Base.setParityBit()

2009-04-20 Thread Max (Weijun) Wang
Hi Christian The patch is very good, and much clearer than the previous implementation. I will include it in the fix. Thanks Max On Apr 20, 2009, at 8:44 PM, Christian Thalinger wrote: On Tue, 2009-02-17 at 12:30 -0600, Brad Wetmore wrote: You'd want to talk to Max (Weijun) as he has prima

[security-dev 00848]: Re: Code review request: 6813340: X509Factory should not depend on is.available()==0

2009-05-25 Thread Max (Weijun) Wang
e regarding the content is too huge. OK. I would support 0x83 and 0x84. The multiple byte tag is never supported by DerValue related classes, so I guess it's not necessary to add it here. Thanks Max Weijun Wang wrote: Hi Sean and/or Andrew Can any of you take a review at this bug fi

[security-dev 00850]: Re: Code review request: 6813340: X509Factory should not depend on is.available()==0

2009-05-25 Thread Max (Weijun) Wang
3. 584 ~ EOF You assume that the tag occupy only one byte, that's incorrect, the tag would occupy more than one byte when it is bigger than 30. The assume would make the following length parser code incorrect. You assume that the end of indefinite length is only one zero byte, that's incor

[security-dev 00951]: Re: code review request 6853793: OutOfMemoryError in sun.security.provider.certpath.OCSPChecker.check

2009-07-02 Thread Max (Weijun) Wang
Webrev looks fine. no new regression test, trivial changes, hard to write a new test. This code change is very trivial. But, is there any test for OCSP and HTTP timestamping? I think with Michael's HttpServer class in JDK 6, maybe you can see if it's easy to add one or two tests. Thank

[security-dev 00981]: Re: code review request

2009-07-13 Thread Max (Weijun) Wang
Code looks fine. It seems a Name's first string has never been empty, we haven't noticed any infinite loop before. Max On Jul 13, 2009, at 10:33 PM, Xuelei Fan wrote: Hi Max, Would you please review a simple bug fix of JNDI when you available? webrev: http://cr.openjdk.java.net/~xuelei/6

[security-dev 01104]: So many Cloneables in krb5

2009-08-20 Thread Max (Weijun) Wang
Hi Valerie I take a look at krb5 codes and find many classes Cloneable. These 6 can be easily changed to immutable: Realm.java AuthorizationData.java AuthorizationDataEntry.java HostAddress.java HostAddresses.java Ticket.java This one has internal states, but I see no one clone it:

[security-dev 01132]: Re: 6840752: Provide out-of-the-box support for ECC algorithms

2009-08-27 Thread Max (Weijun) Wang
On Aug 27, 2009, at 9:52 PM, Andrew John Hughes wrote: The problem is more the fact that it's an additional copy rather than using the system installation, which means it has to be patched for bugs and security fixes separately. For IcedTea, I'll look at providing and using the option of using

[security-dev 01137]: Re: 6840752: Provide out-of-the-box support for ECC algorithms

2009-08-27 Thread Max (Weijun) Wang
On Aug 28, 2009, at 9:56 AM, Andrew John Hughes wrote: 2009/8/28 Max (Weijun) Wang : On Aug 27, 2009, at 9:52 PM, Andrew John Hughes wrote: The problem is more the fact that it's an additional copy rather than using the system installation, which means it has to be patched for bug

[security-dev 01139]: Re: 6840752: Provide out-of-the-box support for ECC algorithms

2009-08-28 Thread Max (Weijun) Wang
On Aug 28, 2009, at 10:17 PM, Andrew John Hughes wrote: 2009/8/28 Max (Weijun) Wang : On Aug 28, 2009, at 9:56 AM, Andrew John Hughes wrote: 2009/8/28 Max (Weijun) Wang : On Aug 27, 2009, at 9:52 PM, Andrew John Hughes wrote: The problem is more the fact that it's an additional

[security-dev 01219]: code review request: 6882687 KerberosTime too imprecise

2009-09-16 Thread Max (Weijun) Wang
Hi Valerie Please take a review for the fix at http://cr.openjdk.java.net/~weijun/6882687/webrev.00 Brad This would fix the IgnoreChannelBindings test failure on CYGWIN. Thanks Max Begin forwarded message: From: weijun.w...@sun.com Date: September 17, 2009 1:12:13 AM GMT+08:00

[security-dev 01240]: Code review request: 6880321 sun.security.provider.JavaKeyStore abuse of OOM Exception handling

2009-09-22 Thread Max (Weijun) Wang
Hi Andrew Please take a review on this code change: http://cr.openjdk.java.net/~weijun/6880321/webrev.00/ Thanks Max *Change Request ID*: 6880321 *Synopsis*: sun.security.provider.JavaKeyStore abuse of OOM Exception handling === *Description* =

[security-dev 01242]: Re: Code review request: 6880321 sun.security.provider.JavaKeyStore abuse of OOM Exception handling

2009-09-22 Thread Max (Weijun) Wang
On Sep 22, 2009, at 4:09 PM, Florian Weimer wrote: * Max Wang: Please take a review on this code change: http://cr.openjdk.java.net/~weijun/6880321/webrev.00/ This code is still unreliable. You cannot hide OutOfMemoryError this way. The error could even be thrown in a completely unrel

[security-dev 01324]: Code review request: 6893158: AP_REQ check should use key version number

2009-10-19 Thread Max (Weijun) Wang
Hi Please take a review at -- http://cr.openjdk.java.net/~weijun/6893158/webrev.00 The original EncryptionKey.findKey is still used at other places for client side (initiator). They won't touch the kvno field. Thanks Max Begin forwarded message: From: weijun.w...@sun.com Date: October

[security-dev 01329]: Code review request (was Re: CCC request approved: 6853328: Support OK-AS-DELEGATE flag)

2009-10-20 Thread Max (Weijun) Wang
Hi Valerie The CCC is finally approved. Please take a review at the code changes: http://cr.openjdk.java.net/~weijun/6853328/webrev.00/ Or, have you reviewed this before? It's been a long time since the webrev is created but I cannot find your reply in my old mails. Thanks Max On Oct 20

[security-dev 01428]: Re: Please review patch for regression test sun/security/tools/keytool/StartDate

2009-12-03 Thread Max (Weijun) Wang
Hi Pavel Your change looks fine. The test in OpenJDK was already fixed long time ago: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6643094 http://hg.openjdk.java.net/jdk7/tl/jdk/rev/59 I'll create a sub bug id targeting OpenJDK-6 and backport the fix. Thanks Max On Dec 3, 2009, at

[security-dev 01429]: Re: Please review patch for regression test sun/security/tools/keytool/StartDate

2009-12-03 Thread Max (Weijun) Wang
Hi Joe I'll backport the fix to openjdk-6. In fact, I haven't made any changes to openjdk-6 except for SSR releases. Just browse hg.openjdk.java.net and find only one openjdk-6 entrance: http://hg.openjdk.java.net/jdk6/jdk6-gate/jdk/ So there's no sub repo for different groups and this

[security-dev 01444]: Re: hg: jdk7/tl/jdk: 6876158: Remove dependencies on Signer, Certificate, Identity, IdentityScope classes from java.security pkg

2009-12-07 Thread Max (Weijun) Wang
Seems there are more to clean: PolicyFile's ignoreIdentityScope() now default false, it should simply be always false and removed. JarSigner still includes IN_SCOPE words. Is Identity still usable now? Thanks Max On Dec 8, 2009, at 2:21 AM, vincent.r...@sun.com wrote: Changeset: 327adb1

[security-dev 01448]: Code review request: 6908628: ObjectIdentifier s11n test fails

2009-12-08 Thread Max (Weijun) Wang
Hi Xuelei Please take a review at -- http://cr.openjdk.java.net/~weijun/6908628/webrev.00 Thanks Max Begin forwarded message: From: weijun.w...@sun.com Date: December 9, 2009 10:44:23 AM GMT+08:00 *Synopsis*: ObjectIdentifier s11n test fails *Change Request ID*: 6908628 *Synopsis*: Obj

[security-dev 01451]: Another code reviewer? (Re: Code review request (was Re: [Fwd: Re: [Fwd: Seeking JDK/Kerberos assistance]]))

2009-12-08 Thread Max (Weijun) Wang
cal variable "goodkdcs" in its list(String) method which actually contains all kdcs for the specific realm in the end. Thanks, Valerie On 11/22/09 22:10, Max (Weijun) Wang wrote:

[security-dev 01466]: code review request (6906201: EXCEPTION_ACCESS_VIOLATION in sun.security.krb5.Credentials)

2009-12-14 Thread Max (Weijun) Wang
Hi Valerie Please take a review on this fix: http://cr.openjdk.java.net/~weijun/6906201/webrev.00 As the MIT words says, the MS bug was fixed in Vista SP2. However, I tried it on a Vista SP1 and it seems the bug is already fixed there. Therefore I only check the main version number in th

[security-dev 01480]: RFC: keytab automatic refresh in Java

2009-12-21 Thread Max (Weijun) Wang
Hi All I'm planning to support keytab refresh in Java, which means the keytab's content is always reloaded right after AP-REQ is received on the acceptor side. One benefit is that when the service is started, the keytab file needn't include the keys for the service, or, it can simply be n

[security-dev 01488]: Re: RFC: keytab automatic refresh in Java

2010-01-03 Thread Max (Weijun) Wang
Hi Please take a review at the CCC: http://ccc.sfbay.sun.com/6894072 Thanks Max On Dec 22, 2009, at 12:25 PM, Max (Weijun) Wang wrote: Hi All I'm planning to support keytab refresh in Java, which means the keytab's content is always reloaded right after AP-REQ is receive

[security-dev 01526]: Re: RFC: keytab automatic refresh in Java

2010-01-15 Thread Max (Weijun) Wang
4072 so we can review it as well? (is this the code, or a design document?) Thanks, -mathieu On Mon, Jan 4, 2010 at 15:00, requ...@openjdk.java.net> wrote: Date: Mon, 04 Jan 2010 13:47:13 +0800 From: "Max (Weijun) Wang" Subject: [security-dev 01488]: Re: RFC: keytab automatic re

[security-dev 01537]: Code review request: 6917791 KeyTabEntry, when the byte value smaller then 16, the string drop '0'.

2010-01-18 Thread Max (Weijun) Wang
Please take a review: http://cr.openjdk.java.net/~weijun/6917791/webrev.00 Before the fix, the hexdump of a keytab only encodes one character for byte smaller than 16. This means 0x12 can be {1,2} or {12}. After the fix, a byte is always encoded in 2 characters. Thanks Max Begin forwar

[security-dev 01556]: Code review request: 6919610 KeyTabInputStream uses static field for per-instance value

2010-01-24 Thread Max (Weijun) Wang
Hi All Please take a review at -- http://cr.openjdk.java.net/~weijun/6919610/webrev.00 Bug description follows. Thanks Max *Change Request ID*: 6919610 *Synopsis*: KeyTabInputStream uses static field for per-instance value Product: java Category: jgss Subcategory: krb5plugin Type:

[security-dev 01578]: Request for comment: spec: NTLM as a SASL mech

2010-02-01 Thread Max (Weijun) Wang
Hi All Please take a review on this draft before I send it for CCC: http://cr.openjdk.java.net/~weijun/spec/NTLMSASL.0.1 The spec includes a raw NTLM API defined in com.sun.* namespace and describes the newly added SASL mech. Thanks Max

[security-dev 01583]: Code review request for 6922482 (was Re: Confusing wording in new keytool command?)

2010-02-02 Thread Max (Weijun) Wang
Brad Wetmore wrote: > Thanks. > > brad > > > Max (Weijun) Wang wrote: >> I'll file the bug and fix it. >> >> Thanks >> Max >> >> On Feb 3, 2010, at 8:43 AM, Brad Wetmore wrote: >> >>> Max, >>> >>> I'm pre

[security-dev 01584]: Re: Request for comment: spec: NTLM as a SASL mech

2010-02-02 Thread Max (Weijun) Wang
On Feb 3, 2010, at 2:44 AM, Bill Shannon wrote: > Max (Weijun) Wang wrote on 02/ 1/10 10:49 PM: >> Hi All >> Please take a review on this draft before I send it for CCC: >> http://cr.openjdk.java.net/~weijun/spec/NTLMSASL.0.1 >> The spec includes a raw NTLM API def

[security-dev 01585]: Re: Request for comment: spec: NTLM as a SASL mech

2010-02-02 Thread Max (Weijun) Wang
, 2010, at 11:45 AM, Nicolas Williams wrote: > On Tue, Feb 02, 2010 at 02:49:54PM +0800, Max (Weijun) Wang wrote: >> Hi All >> >> Please take a review on this draft before I send it for CCC: >> >> http://cr.openjdk.java.net/~weijun/spec/NTLMSASL.0.1 >> >

[security-dev 01588]: Re: Code review request for 6922482 (was Re: Confusing wording in new keytool command?)

2010-02-02 Thread Max (Weijun) Wang
PER, NICKEL, SILVER } ... } Thanks Max [1] http://java.sun.com/docs/books/jls/third_edition/html/classes.html#8.9 > > Brad > > > > Max (Weijun) Wang wrote: >> Hi Brad (or others) >> >> I've just fixed it, please take a review: >>

[security-dev 01597]: Re: Code review request for 6922482 (was Re: Confusing wording in new keytool command?)

2010-02-03 Thread Max (Weijun) Wang
at about 4 page-up from the >> bottom: >> >>public class CoinTest { >>... >>private enum CoinColor { COPPER, NICKEL, SILVER } >>... >>} >> >> Thanks >> Max >> >> [1] http://java.sun.com/docs/books

[security-dev 01598]: Re: Request for comment: spec: NTLM as a SASL mech

2010-02-03 Thread Max (Weijun) Wang
gt;>> On Wed, Feb 03, 2010 at 08:34:13AM -0800, Natalie Li wrote: >>> >>>> Max (Weijun) Wang wrote: >>>> >>>>> Hi Nico >>>>> >>>>> Is there a separate OID for NTLM as a GSS-API mech? >>>>>

[security-dev 01600]: Re: Request for comment: spec: NTLM as a SASL mech

2010-02-04 Thread Max (Weijun) Wang
side > The use of NTLM or NTLMv2 authentication is not negotiated between the client > and server. Hence, authentication might fail if the server mandates NTLMv2 > authentication while the client uses NTLM authentication. Yes, this is what I say "manually setup this config on the clie

[security-dev 01613]: Code review request (6925639: keytool -genkeypair -help missing dname option)

2010-02-11 Thread Max (Weijun) Wang
Hi Sean Fixed, please take a review: http://cr.openjdk.java.net/~weijun/6925639/webrev.00 The -dname option is added into 3 places. Thanks Max On Feb 12, 2010, at 1:22 AM, sean.mul...@sun.com wrote: > *Change Request ID*: 6925639 > > *Synopsis*: keytool -genkeypair -help missing dname op

[security-dev 01643]: Re: Code review request: 6880321 sun.security.provider.JavaKeyStore abuse of OOM Exception handling

2010-02-25 Thread Max (Weijun) Wang
ch is a child of IOException) when there're not enough bytes. I also use a temporary List to hold the certificate list. Thanks Max On Sep 22, 2009, at 6:10 PM, Xuelei Fan wrote: > Max (Weijun) Wang wrote: >> >> On Sep 22, 2009, at 4:09 PM, Florian Weimer wrote: >> &

[security-dev 01647]: Re: Code review request: 6880321 sun.security.provider.JavaKeyStore abuse of OOM Exception handling

2010-02-26 Thread Max (Weijun) Wang
Max, > > I think you still need to catch OOME exception in case of the resource > exhaustion. OOME is unchecked exception, it should be converted to IOE as > the old logic. > > Andrew > > On 2/26/2010 2:09 PM, Max (Weijun) Wang wrote: >> Hi Florian and Andr

[security-dev 01652]: Code review request: 6844909: support allow_weak_crypto in krb5.conf

2010-02-28 Thread Max (Weijun) Wang
Hi Valerie Can you please take a review on this fix? http://cr.openjdk.java.net/~weijun/6844909/webrev.00 Basically, when "allow_weak_crypto = false" is set in krb5.conf's [libdefaults], DES-related etypes will not be used. Note that this setting also removes any weak etypes in the default_

[security-dev 01657]: Re: Code review request: 6844909: support allow_weak_crypto in krb5.conf

2010-03-01 Thread Max (Weijun) Wang
236 still mentions these weak crypto etypes > regardless. Shouldn't it be updated? > > Thanks, > Valerie > On 02/28/10 23:07, Max (Weijun) Wang wrote: >> Hi Valerie >> >> Can you please take a review on this fix? >> >> >> http://cr.openjdk

[security-dev 01659]: Code review request: 6923681: Jarsigner crashes during timestamping

2010-03-01 Thread Max (Weijun) Wang
Hi Vinnie Turns out it's not related to LDAP at all. Just a small coding error, already confirmed by customer. Please take a review: http://cr.openjdk.java.net/~weijun/6923681/webrev.00 Bug is: http://bugs.sun.com/view_bug.do?bug_id=6923681 No reg test. Trivial code update. Why hasn't