From: Seán Coffey [mailto:sean.cof...@oracle.com]
> Sent: Friday, 14 July 2017 12:17
> To: Anthony Scarpino ; Sean Mullan
> ; Langer, Christoph
> Cc: OpenJDK Security
> Subject: Re: [RFR] 8174849: Change SHA1 certpath restrictions - issue with 3rd
> party JCE provider
>
Tony,
I think we should log a JDK 8u bug for this issue if one doesn't already
exist. If the buggy SigAlgName was allowed in 8u updates already, then
it should be continued to be allowed for compatibility reasons IMO.
There might be time to revert that change in 8u152.
For 9, then maybe we c
On 07/12/2017 07:45 AM, Sean Mullan wrote:
On 7/11/17 3:10 PM, Langer, Christoph wrote:
In any case, from what you are saying, I take that I can safely patch
our JDK distribution with this change without doing a bad thing to
security in general, wouldn't you agree?
Yes, I agree.
Also, note
On 07/13/2017 11:26 AM, Anthony Scarpino wrote:
On 07/12/2017 11:59 PM, Langer, Christoph wrote:
I then suggest to also revert JDK10 and 9 to use
X509CertImpl.getSigAlgName() for the time being until some better
check to go for the encoded AlgorithmId. Would you be fine with
that
Looking back at
On 07/12/2017 11:59 PM, Langer, Christoph wrote:
Hi Sean,
So, I guess I would be fine if this could at least be changed for JDKs <= 8 for
compatibility reasons. I can understand if for JDK >= 9 we say this is a new
release and the standard algorithm names shall be enforced. Wouldn't that
be a
Hi Sean,
> > So, I guess I would be fine if this could at least be changed for JDKs <= 8
> > for compatibility reasons. I can understand if for JDK >= 9 we say this is a new
> > release and the standard algorithm names shall be enforced. Wouldn't that
> > be a good compromise?
>
> Yes. In fact I t
On 7/11/17 3:10 PM, Langer, Christoph wrote:
Well, probably you are right that it is not a bug - at least when you look at
the documentation of Java9 (the link that you have cited).
However, if we look at the documentation of X509Certificate, it's not that clear, resp. it wasn't for
pre JDK9 r
istoph ; Anthony Scarpino
Cc: OpenJDK Security ; Dieter Bratko
Subject: Re: [RFR] 8174849: Change SHA1 certpath restrictions - issue with 3rd
party JCE provider
Hi Christoph,
On 7/11/17 5:43 AM, Langer, Christoph wrote:
> Hi,
>
> I'd like to ping you again upon that question. In t
Hi Sean,
thanks for coming back on this.
> > I'd like to ping you again upon that question. In the meanwhile I have
> > produced a standalone test case and could verify that changing to x509Cert
> > vs. the original cert for obtaining the SigAlgName would be a fix. I can share
> > the test with you, ho
Langer, Christoph
Sent: Sunday, 9 July 2017 07:57
To: 'Anthony Scarpino' ; 'Sean Mullan'
Cc: OpenJDK Security ; 'Dieter Bratko'
Subject: RE: [RFR] 8174849: Change SHA1 certpath restrictions - issue with 3rd
party JCE provider
Hi Tony et. al.,
I'm wondering why
rity ; 'Dieter Bratko'
>
> Subject: RE: [RFR] 8174849: Change SHA1 certpath restrictions - issue with 3rd
> party JCE provider
>
> Hi Tony et. al.,
>
> I'm wondering why in the commit for 8174849
> (http://hg.openjdk.java.net/jdk9/dev/jdk/rev/d911fe42d2da) th
Hi Tony et. al.,
I'm wondering why in the commit for 8174849
(http://hg.openjdk.java.net/jdk9/dev/jdk/rev/d911fe42d2da) this line sneaked in:
---
a/src/java.base/share/classes/sun/security/provider/certpath/AlgorithmChecker.java
Wed Feb 15 12:11:03 2017 -0800
+++
b/src/java.base/share/classe