Re: RFR JDK-8219989 : Retire the com.sun.net.ssl.internal.ssl.Provider name

2020-03-12 Thread Hai-May Chao
Hi Xuelei, Looks good to me. Hai-May > On Mar 12, 2020, at 10:39 AM, Xuelei Fan wrote: > > Hi, > > Could I get the following update reviewed? > > Bug#: https://bugs.openjdk.java.net/browse/JDK-8219989 > Webrev: http://cr.openjdk.java.net/~xuelei/8219989/webrev.00/ > Release note task: htt

Re: RFR JDK-8227024 : Remove the deprecated javax.security.cert APIs

2020-03-12 Thread Hai-May Chao
Hi Xuelei, Looks good to me. Hai-May > On Mar 12, 2020, at 10:34 AM, Xuelei Fan wrote: > > And the release note task: > https://bugs.openjdk.java.net/browse/JDK-8240968 > > Xuelei > > On 3/12/2020 9:47 AM, Xuelei Fan wrote: >> Hi, >> Could I get the following update reviewed? >> CSR: https

RFR[15]: 8186143: keytool -ext option doesn’t accept wildcards for DNS subject alternatives names

2020-03-13 Thread Hai-May Chao
Hi, I need a code review for - Bug: https://bugs.openjdk.java.net/browse/JDK-8186143 Webrev: http://cr.openjdk.java.net/~weijun/8186143/webrev.00/ The keytool -ext option doesn’t accept wildcards for DNS subject alternatives names in certificates. Certificates with wildcarded domains are useful

Re: RFR[15]: 8186143: keytool -ext option doesn’t accept wildcards for DNS subject alternatives names

2020-03-13 Thread Hai-May Chao
f letters, digits, and hyphens’. Line 95 test case will give us a different error from “a*.com”. That is, ‘DNSName with blank components is not permitted’. The existing badNames test case does not have “a*.com”, and I will add it too. Thanks, Hai-May > --Jamil > > On 3/13/2020 9:25 AM,

RFR[15]: 8172404: Tools should warn if weak algorithms are used before restricting them

2020-04-04 Thread Hai-May Chao
Hi, I'd like to request a review for: Bug: https://bugs.openjdk.java.net/browse/JDK-8172404 CSR: https://bugs.openjdk.java.net/browse/JDK-8238640 It’d be useful to start warning users that cer

Re: RFR[15]: 8172404: Tools should warn if weak algorithms are used before restricting them

2020-04-05 Thread Hai-May Chao
Here is the webrev: http://cr.openjdk.java.net/~weijun/8172404/webrev.00/ Thanks, Hai-May > On Apr 4, 2020, at 11:41 PM, Hai-May Chao wrote: > > Hi, > > I'd like to request a review for: > > Bug: https://bugs.openjdk.java.net/browse/JDK-8172404 > <https://

Re: RFR 8242184: CRL generation error with RSASSA-PSS

2020-04-07 Thread Hai-May Chao
Hi Max, Changes look good to me. Hai-May > On Apr 6, 2020, at 8:11 PM, Weijun Wang wrote: > > Please review the fix at > > http://cr.openjdk.java.net/~weijun/8242184/webrev.00/ > > The major change is inside X509CRLImpl.java to allow params setting and > reading. > > I also take this ch

Re: RFR 8242260: Remove customizable ContentSigner from jarsigner

2020-04-07 Thread Hai-May Chao
Hi Max, Changes look good to me. Is there a man page bug being filed for this? Thanks, Hai-May > On Apr 7, 2020, at 1:04 AM, Weijun Wang wrote: > > I am thinking about removing the `jarsigner -altsigner -altsignerpath` > options and underlying classes: > >JBS : https://bugs.ope

Re: RFR[15]: 8172404: Tools should warn if weak algorithms are used before restricting them

2020-04-07 Thread Hai-May Chao
key)); > 1349 } > 1350 } > > You can move line 1335 before line 1334 since the size is also used in the > else block on lines 1342-1344. > > Thanks, > Max > >> On Apr 6, 2020, at 12:51 AM, Hai-May Chao wrote: >> >> Here is the webrev: >

Re: RFR 8242811: AlgorithmId::getDefaultAlgorithmParameterSpec returns incompatible PSSParameterSpec for an RSASSA-PSS key

2020-04-17 Thread Hai-May Chao
Changes good to me. Hai-May > On Apr 17, 2020, at 3:27 PM, Valerie Peng wrote: > > > Changes look good~ > > Valerie > > On 4/15/2020 3:34 AM, Weijun Wang wrote: >> Please take a review at >> >>https://cr.openjdk.java.net/~weijun/8242811/webrev.00/ >> >> The AlgorithmId::getDefaultAlgo

RFR[15] 8242060: Add revocation checking to jarsigner

2020-04-30 Thread Hai-May Chao
Hi, I’d like to request a review for: JBS: https://bugs.openjdk.java.net/browse/JDK-8242060 CSR: https://bugs.openjdk.java.net/browse/JDK-8244046 Webrev: https://cr.openjdk.java.net/~hchao/8242060/webrev.00/ The jarsigner command currently does certificate chain validation, but does not check r

Re: RFR[15] 8242060: Add revocation checking to jarsigner

2020-05-01 Thread Hai-May Chao
Hi, With small change added to ‘Usages.java' test, here is the updated webrev: https://cr.openjdk.java.net/~hchao/8242060/webrev.01/ Thanks, Hai-May > On Apr 30, 2020, at 4:29 PM, Hai-May Chao wrote: > > Hi, > > I’d like to request a review for: > > JBS: htt

Re: RFR[15] 8242060: Add revocation checking to jarsigner

2020-05-02 Thread Hai-May Chao
he whole test is finishing very fast now. > > Looks good otherwise. Please add a release-note and open a follow-on issue to > update the man page with the new option. Done (Release note: JDK-8244285, and man page: JDK-8244274). Updated webrev: https://cr.openjdk.java.net/~hchao/8242060/we

Re: RFR[15] 8242060: Add revocation checking to jarsigner

2020-05-02 Thread Hai-May Chao
use 0.0.0.0 for both OCSP and CRLDP? I assume it will return > immediately, just hope it's not an uncaught RuntimeException. > > --Max > >> >> Looks good otherwise. Please add a release-note and open a follow-on issue >> to update the man page with the new option.

Re: RFR[15] 8242060: Add revocation checking to jarsigner

2020-05-04 Thread Hai-May Chao
uggested), for OCSP, by the time when OCSP.getOCSPBytes() comes in to report the OCSP event, the reporter has been cleared. And this would be same problem for CRL. So it cannot be called immediately. Thanks, Hai-May > > Thanks, > Max > >> On May 3, 2020, at 2:19 AM, Hai-May Cha

Re: RFR[15] 8242060: Add revocation checking to jarsigner

2020-05-04 Thread Hai-May Chao
> On May 4, 2020, at 6:01 PM, Weijun Wang wrote: > > > >> On May 5, 2020, at 3:48 AM, Hai-May Chao wrote: >> >> Hi Max, >> >>> On May 2, 2020, at 5:25 PM, Weijun Wang wrote: >>> >>> In jarsigner/Main, you can just ca

Re: RFR[15] 8242060: Add revocation checking to jarsigner

2020-05-05 Thread Hai-May Chao
> On May 4, 2020, at 10:23 PM, Weijun Wang wrote: > > > >> On May 5, 2020, at 12:36 PM, Hai-May Chao wrote: >> >> >> >>> On May 4, 2020, at 6:01 PM, Weijun Wang wrote: >>> >>> >>> >>>> On May 5, 2020

Re: RFR[15] 8242060: Add revocation checking to jarsigner

2020-05-05 Thread Hai-May Chao
> On May 5, 2020, at 6:16 AM, Sean Mullan wrote: > > On 5/2/20 2:19 PM, Hai-May Chao wrote: >>> Looks good otherwise. Please add a release-note and open a follow-on issue >>> to update the man page with the new option. >> Done (Release note: JDK-8244285, a

RFR[15] 8245151: jarsigner should not raise duplicate warnings on verification

2020-05-18 Thread Hai-May Chao
Hi, I’d like to request a review for - JBS: https://bugs.openjdk.java.net/browse/JDK-8245151 Webrev: https://cr.openjdk.java.net/~hchao/8245151/webrev.00/ The change is to provide a distinct warning for jarsigner -verify command when it detects weak timestamp digest algorithms are used (by -tsa

RFR[15] 8245665: Test WeakAlg.java should only make sure no warning for weak signature algorithms by keytool on root CA

2020-05-22 Thread Hai-May Chao
Hi, I’d like to request a review for - JBS: https://bugs.openjdk.java.net/browse/JDK-8245665 Webrev: https://cr.openjdk.java.net/~hchao/8245665/webrev.00/ Keytool only emits warnings for the root CA in cacerts using the weak key, but not for using the weak algorithm. So test case WeakAlg.java s

Re: RFR[15] 8245665: Test WeakAlg.java should only make sure no warning for weak signature algorithms by keytool on root CA

2020-05-22 Thread Hai-May Chao
ere to see how it works. > > Thanks, > Max > >> On May 23, 2020, at 11:01 AM, Hai-May Chao wrote: >> >> Hi, >> >> I’d like to request a review for - >> >> JBS: https://bugs.openjdk.java.net/browse/JDK-8245665 >> Webrev: https://cr.openjdk

RFR 8244148: keytool -printcert and -printcrl should support the -trustcacerts and -keystore options

2020-06-01 Thread Hai-May Chao
Hi, I’d like to request a review for: JBS: https://bugs.openjdk.java.net/browse/JDK-8244148 CSR: https://bugs.openjdk.java.net/browse/JDK-8246269 Webrev: http://cr.openjdk.java.net/~hchao/8244148/webrev.00/ The change is to add the support of -trustcacerts and -keystore options to -printcert an

Re: RFR 8244148: keytool -printcert and -printcrl should support the -trustcacerts and -keystore options

2020-06-04 Thread Hai-May Chao
I’d like to suggest a separate bug be filed to cover the cacerts enhancement that you suggested. Thanks, Hai-May > Thanks, > Max > > >> On Jun 2, 2020, at 2:37 AM, Hai-May Chao wrote: >> >> Hi, >> >> I’d like to request a review for: >> >>

Re: RFR 8244148: keytool -printcert and -printcrl should support the -trustcacerts and -keystore options

2020-06-05 Thread Hai-May Chao
t importing a certificate reply would not work. >> It turns out that its caks.size() is zero detected at establishCertChain() >> in keytool/Main.java after root cert has been imported to that cacerts. At >> this point I’d like to suggest a separate bug be filed to cover the cacerts >

Re: RFR 8244148: keytool -printcert and -printcrl should support the -trustcacerts and -keystore options

2020-06-07 Thread Hai-May Chao
> and line 133 are exactly the same, line 109 and line 138 are exactly the > same, and you haven't made any change to these 2 files in between. > > Same for line 80 and line 96 of TrustedCRL.java. > > Everything else is fine. > > Thanks, > Max > >

Re: RFR 8244148: keytool -printcert and -printcrl should support the -trustcacerts and -keystore options

2020-06-09 Thread Hai-May Chao
> > Thanks, > Max > >> On Jun 8, 2020, at 4:01 AM, Hai-May Chao wrote: >> >> Updated webrev - >> >> https://cr.openjdk.java.net/~hchao/8244148/webrev.02/ >> >> Thanks, >> Hai-May >> >> >>> On Jun 5, 2020, at 1

Re: RFR 8244148: keytool -printcert and -printcrl should support the -trustcacerts and -keystore options

2020-06-10 Thread Hai-May Chao
de the exact diff of the man page files > either inside the CSR itself or as a comment. > Included the diff of the manpage in the CSR. Thanks, Hai-May > Thanks, > Max > >> On Jun 9, 2020, at 10:51 PM, Hai-May Chao wrote: >> >> >> >>> On

Re: RFR 8244148: keytool -printcert and -printcrl should support the -trustcacerts and -keystore options

2020-06-12 Thread Hai-May Chao
Hi John, Updated Webrev - https://cr.openjdk.java.net/~hchao/8244148/webrev.03/ > On Jun 11, 2020, at 1:45 AM, sha.ji...@oracle.com wrote: > > Hi Hai-May, > > On 2020/6/8 04:01, Hai-May Chao wrote: >> Updated webrev - >> >> https://cr.openjdk.java.net/~hc

Re: RFR 8244148: keytool -printcert and -printcrl should support the -trustcacerts and -keystore options

2020-06-12 Thread Hai-May Chao
emits warning when a certificate is not trusted and uses weak >> algorithms". Precisely, it's "uses a weak signature algorithm". >> >> --Max >> >> >>> On Jun 10, 2020, at 5:31 PM, Hai-May Chao wrote: >>> >>> >

Re: [RFR] 8246806: Incorrect copyright header in KeyAgreementTest.java, GroupName.java

2020-07-07 Thread Hai-May Chao
Hi Tony, Looks good. Hai-May > On Jul 7, 2020, at 5:01 PM, Anthony Scarpino > wrote: > > Hi, > > I need a code review to fix some copyright headers. The diffs are below > > thanks > > Tony > > -- > > +++ b/test/jdk/java/security/KeyAgreement/KeyAgreementTest.java > - * Copyright (c

RFR 8247960: jarsigner says "signer errors" for some normal warnings when -strict is set

2020-07-14 Thread Hai-May Chao
Hi, I’d like to request a review for: JBS: https://bugs.openjdk.java.net/browse/JDK-8247960 Webrev: https://cr.openjdk.java.net/~hchao/8247960/webrev.00/ Jarsigner is changed to emit “with signer errors” only when there are errors detected during sign and verify with -strict specified. Thanks,

Re: RFR 8247960: jarsigner says "signer errors" for some normal warnings when -strict is set

2020-07-15 Thread Hai-May Chao
Bugid added. Thanks, Hai-May > On Jul 15, 2020, at 12:06 PM, Sean Mullan wrote: > > I'll defer to Max on the code changes, but I noticed one thing on the test - > you should add the bugid to the @bug line of the test. > > --Sean > > On 7/14/20 4:09 PM, Hai-

Re: RFR 8247960: jarsigner says "signer errors" for some normal warnings when -strict is set

2020-07-24 Thread Hai-May Chao
n(result)" line into branches of the if-else block on lines > 1254-1272. Current change has the checking for sign and verify. Keep it as-is that you agreed. https://cr.openjdk.java.net/~hchao/8247960/webrev.01/ Thanks, Hai-May > > No other comments. > > Thanks

Re: RFR 8247960: jarsigner says "signer errors" for some normal warnings when -strict is set

2020-07-24 Thread Hai-May Chao
verified."); > +} > Webrev updated as suggested. > Everything else looks fine. > > Also, I remember you meant to fix 2 bugs with a single changeset. What should > the full commit message be? Fix in a single changeset, so use this bug as the commit message please.

Re: RFR [16] [JDK-8248745] Add jarsigner and keytool tests for restricted algorithms

2020-08-04 Thread Hai-May Chao
Hi Muneer, Looks good with one minor comment. #58: suggest that the SECURITY_WARNING will also include “and is disabled” at the end to make it clear. Thanks, Hai-May > On Jul 27, 2020, at 9:15 AM, abdul.kolarku...@oracle.com wrote: > > Hi All, > > This is a new test in the area of jarsigner

Re: RFR [16] [JDK-8248745] Add jarsigner and keytool tests for restricted algorithms

2020-08-04 Thread Hai-May Chao
> > On 04/08/20 11:58 pm, Hai-May Chao wrote: >> Hi Muneer, >> >> Looks good with one minor comment. >> >> #58: suggest that the SECURITY_WARNING will also include “and is disabled” >> at the end to make it clear. >> >> Thanks, >

Re: RFR: 8238157: Remove intermittent key from AmazonCA.java

2020-08-26 Thread Hai-May Chao
Looks good. Thanks, Hai-May > On Aug 26, 2020, at 10:13 AM, Rajan Halade wrote: > > Please review this update to remove key intermittent from AmazonCA test. This > test no longer fails intermittently. > > @@ -24,7 +24,6 @@ > /* > * @test > * @bug 8233223 > - * @key intermittent > * @s

Re: RFR: 8250968: Symlinks attributes not preserved when using jarsigner on zip files

2020-08-28 Thread Hai-May Chao
JarSigner.java #953: The output debug message can be removed from the code. JavaUtilZipFileAccess.java #44: Change posixPerms to extraAttrs. ZipFile.java #661: Suggest to keep the comment and update it with the additional 4 bits for symlink. The rest of code changes and CSR look good. Thanks, Ha

RFR: 8252377: Incorrect encoding for EC AlgorithmIdentifier

2020-09-22 Thread Hai-May Chao
This change fixes the DER encoding for ECDSA AlgorithmIdentifier to omit the parameters field instead of encoding a Null tag. - Commit messages: - 8252377: Incorrect encoding for EC AlgorithmIdentifier Changes: https://git.openjdk.java.net/jdk/pull/312/files Webrev: https://webrev

Re: RFR: 8252377: Incorrect encoding for EC AlgorithmIdentifier

2020-09-22 Thread Hai-May Chao
On Wed, 23 Sep 2020 02:49:29 GMT, Weijun Wang wrote: >> This change fixes the DER encoding for ECDSA AlgorithmIdentifier to omit the >> parameters field instead of encoding a >> Null tag. > > I don't quite understand what the test is for. The bug is about encoding but > the test seems to be dec

Re: RFR: 8252377: Incorrect encoding for EC AlgorithmIdentifier [v2]

2020-09-24 Thread Hai-May Chao
> This change fixes the DER encoding for ECDSA AlgorithmIdentifier to omit the > parameters field instead of encoding a > Null tag. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Updated test case to use

Re: RFR: 8252377: Incorrect encoding for EC AlgorithmIdentifier [v2]

2020-09-24 Thread Hai-May Chao
On Fri, 25 Sep 2020 00:45:09 GMT, Weijun Wang wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Updated test case to use DerUtils > > src/java.base/share/classes/sun/security/

Re: RFR: 8252377: Incorrect encoding for EC AlgorithmIdentifier [v3]

2020-09-24 Thread Hai-May Chao
> This change fixes the DER encoding for ECDSA AlgorithmIdentifier to omit the > parameters field instead of encoding a > Null tag. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Added comment for RFC -

Integrated: 8252377: Incorrect encoding for EC AlgorithmIdentifier

2020-09-25 Thread Hai-May Chao
On Tue, 22 Sep 2020 22:21:20 GMT, Hai-May Chao wrote: > This change fixes the DER encoding for ECDSA AlgorithmIdentifier to omit the > parameters field instead of encoding a > Null tag. This pull request has now been integrated. Changeset: 0e855fe5 Author: Hai-May Chao Committe

Re: RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

2020-10-07 Thread Hai-May Chao
On Thu, 1 Oct 2020 20:02:34 GMT, Weijun Wang wrote: > Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256. > Please also review the CSR at > https://bugs.openjdk.java.net/browse/JDK-8228481. Looks good. Only minor comments. src/java.base/share/classes/sun/security/pkcs1

Re: RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms

2020-10-07 Thread Hai-May Chao
On Wed, 7 Oct 2020 22:08:19 GMT, Hai-May Chao wrote: >> Default algorithms are bumped to be based on PBES2 with AES-256 and SHA-256. >> Please also review the CSR at >> https://bugs.openjdk.java.net/browse/JDK-8228481. > > Looks good. Only minor comments. CSR looks

Re: RFR: 8007632: DES/3DES keys support in PKCS12 keystore [v3]

2020-10-27 Thread Hai-May Chao
On Tue, 27 Oct 2020 17:59:38 GMT, Weijun Wang wrote: >> Alexey Bakhtin has updated the pull request incrementally with one >> additional commit since the last revision: >> >> Fix order of OIDs > > Marked as reviewed by weijun (Reviewer). Change looks good. - PR: https://git.ope

Re: RFR: 8244154: Update SunPKCS11 provider with PKCS11 v3.0 header files

2020-10-28 Thread Hai-May Chao
On Wed, 28 Oct 2020 21:35:25 GMT, Valerie Peng wrote: > Could someone please help review this PKCS#11 v3.0 header files update? > > Changes are straight-forward as below: > 1) Updated pkcs11.h, pkcs11f.h, pkcs11t.h to v3.0 > 2) Updated java side w/ the new constants definitions and name/error co

Re: RFR: 8255494: PKCS7 should use digest algorithm to verify the signature

2020-10-29 Thread Hai-May Chao
On Wed, 28 Oct 2020 21:01:44 GMT, Weijun Wang wrote: > This is a regression made by > [JDK-8242068](https://bugs.openjdk.java.net/browse/JDK-8242068). When the > digest algorithm is not the same as the hash part of the signature algorithm, > we used to combine the digest algorithm with the key

Re: RFR: 8244154: Update SunPKCS11 provider with PKCS11 v3.0 header files

2020-10-30 Thread Hai-May Chao
On Fri, 30 Oct 2020 21:39:42 GMT, Valerie Peng wrote: >> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/Functions.java >> line 1095: >> >>> 1093: addMech(CKM_SP800_108_FEEDBACK_KDF, >>> "CKM_SP800_108_FEEDBACK_KDF"); >>> 1094: addMech(CKM_SP800_108_DOUBLE

Re: RFR: 8244154: Update SunPKCS11 provider with PKCS11 v3.0 header files

2020-10-30 Thread Hai-May Chao
On Fri, 30 Oct 2020 21:44:00 GMT, Valerie Peng wrote: >> src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java >> line 987: >> >>> 985: public static final long CKM_SP800_108_FEEDBACK_KDF = >>> 0x03adL; >>> 986: public static final long CKM_SP

Re: RFR: 8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints [v5]

2022-01-25 Thread Hai-May Chao
; and `checkKey` parameters. For the keyusage in the EE certificate of a > certificate chains, set the variant accordingly when calling > `CertPathConstraintsParameters` constructor. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revis

Re: RFR: 8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints [v4]

2022-01-25 Thread Hai-May Chao
On Tue, 25 Jan 2022 14:38:32 GMT, Sean Mullan wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Update to get denyAfter and init caks > > src/java.base/share/classes/sun/security/too

Re: RFR: 8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints [v4]

2022-01-25 Thread Hai-May Chao
On Mon, 24 Jan 2022 21:21:58 GMT, Hai-May Chao wrote: >> `keytool` currently uses a simpler scheme in `DisabledAlgorithmConstraints` >> class when performing algorithm constraints checks. This change is to >> enhance `keytool` to make use

Re: RFR: 8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints [v6]

2022-01-25 Thread Hai-May Chao
; and `checkKey` parameters. For the keyusage in the EE certificate of a > certificate chains, set the variant accordingly when calling > `CertPathConstraintsParameters` constructor. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision

Re: RFR: 8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints [v7]

2022-01-25 Thread Hai-May Chao
; and `checkKey` parameters. For the keyusage in the EE certificate of a > certificate chains, set the variant accordingly when calling > `CertPathConstraintsParameters` constructor. Hai-May Chao has updated the pull request incrementally with one additional commit since the last

Re: RFR: 8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints [v5]

2022-01-25 Thread Hai-May Chao
On Tue, 25 Jan 2022 22:40:36 GMT, Sean Mullan wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Revert to get denyAfter from exception and reload caks > > src/java.base/s

Re: RFR: 8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints [v5]

2022-01-25 Thread Hai-May Chao
On Wed, 26 Jan 2022 05:45:58 GMT, Hai-May Chao wrote: >> src/java.base/share/classes/sun/security/util/DisabledAlgorithmConstraints.java >> line 759: >> >>> 757: "denyAfter constraint check failed: " + >>> algorithm

Re: RFR: 8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints [v8]

2022-01-26 Thread Hai-May Chao
; and `checkKey` parameters. For the keyusage in the EE certificate of a > certificate chains, set the variant accordingly when calling > `CertPathConstraintsParameters` constructor. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revisi

Re: RFR: 8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints [v7]

2022-01-26 Thread Hai-May Chao
On Wed, 26 Jan 2022 14:30:13 GMT, Sean Mullan wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Reformat denyAfter date in exception message to -MM-DD > > src/java.base/share/clas

Re: RFR: 8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints [v5]

2022-01-26 Thread Hai-May Chao
On Wed, 26 Jan 2022 05:56:31 GMT, Hai-May Chao wrote: >> Done. Removed the extra info (-MM-DD form) from the exception message >> that was set in `DisabledAlgorithmConstraints` class, and reformatted the >> `denyAfterDate` into -MM-DD format i

Re: RFR: 8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints [v7]

2022-01-26 Thread Hai-May Chao
On Wed, 26 Jan 2022 14:30:22 GMT, Sean Mullan wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Reformat denyAfter date in exception message to -MM-DD > > Marked as reviewed by mu

Integrated: 8273236: keytool does not accurately warn about algorithms that are disabled but have additional constraints

2022-01-26 Thread Hai-May Chao
On Wed, 12 Jan 2022 02:15:45 GMT, Hai-May Chao wrote: > `keytool` currently uses a simpler scheme in `DisabledAlgorithmConstraints` > class when performing algorithm constraints checks. This change is to enhance > `keytool` to make use of the ne

Re: RFR: 8281175: Add a -providerPath option to jarsigner [v2]

2022-02-03 Thread Hai-May Chao
On Thu, 3 Feb 2022 18:32:42 GMT, Weijun Wang wrote: >> Add the `-providerPath` option to jarsigner to be consistent with keytool. > > Weijun Wang has updated the pull request incrementally with one additional > commit since the last revision: > > no need to append to null Code change looks g

Re: RFR: 8281175: Add a -providerPath option to jarsigner [v2]

2022-02-04 Thread Hai-May Chao
On Thu, 3 Feb 2022 18:32:42 GMT, Weijun Wang wrote: >> Add the `-providerPath` option to jarsigner to be consistent with keytool. > > Weijun Wang has updated the pull request incrementally with one additional > commit since the last revision: > > no need to append to null Marked as reviewed

Re: RFR: 8280890: Cannot use '-Djava.system.class.loader' with class loader in signed JAR

2022-02-04 Thread Hai-May Chao
On Tue, 1 Feb 2022 21:54:29 GMT, Sean Mullan wrote: > This fixes a bootstrapping issue if a custom system class loader is set with > the `-Djava.system.class.loader` option and the custom class loader is inside > a signed JAR. In order to load the custom class loader, the runtime must > verif

Re: RFR: 8281289: Improve with List.copyOf

2022-02-04 Thread Hai-May Chao
On Fri, 4 Feb 2022 23:02:21 GMT, Xue-Lei Andrew Fan wrote: > Please review this trivial code clean up, for a little bit better performance. Marked as reviewed by hchao (Committer). Looks good to me. - PR: https://git.openjdk.java.net/jdk/pull/7356

RFR: 8265765: DomainKeyStore may stop enumerating aliases if a constituting KeyStore is empty

2022-02-08 Thread Hai-May Chao
This is to fix `DomainKeyStore::engineAliases` to take into account that there may be empty keystore(s) within the collection of keystores of a domain keystore. - Commit messages: - 8265765: DomainKeyStore may stop enumerating aliases if a constituting KeyStore is empty Changes:

Re: RFR: 8265765: DomainKeyStore may stop enumerating aliases if a constituting KeyStore is empty

2022-02-08 Thread Hai-May Chao
On Tue, 8 Feb 2022 23:03:41 GMT, Weijun Wang wrote: >> This is to fix `DomainKeyStore::engineAliases` to take into account that >> there may be empty keystore(s) within the collection of keystores of a >> domain keystore. > > Looks good to me. > > Do you want to play with text blocks in the te

Re: RFR: 8265765: DomainKeyStore may stop enumerating aliases if a constituting KeyStore is empty [v2]

2022-02-08 Thread Hai-May Chao
> This is to fix `DomainKeyStore::engineAliases` to take into account that > there may be empty keystore(s) within the collection of keystores of a domain > keystore. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Testcas

Integrated: 8265765: DomainKeyStore may stop enumerating aliases if a constituting KeyStore is empty

2022-02-09 Thread Hai-May Chao
On Tue, 8 Feb 2022 17:13:53 GMT, Hai-May Chao wrote: > This is to fix `DomainKeyStore::engineAliases` to take into account that > there may be empty keystore(s) within the collection of keystores of a domain > keystore. This pull request has now been integrated. Changeset: 178b96

RFR: 8277474: jarsigner does not check if algorithm parameters are disabled

2022-02-22 Thread Hai-May Chao
This fixes jarsigner to enforce checking against algorithm constraint properties so when the signature algorithms parameters use disabled or legacy algorithms, it will emit warnings accordingly. If the algorithm used in parameters is disabled, jarsigner treats the jar as unsigned. -

Withdrawn: 8277474: jarsigner does not check if algorithm parameters are disabled

2022-02-22 Thread Hai-May Chao
On Tue, 22 Feb 2022 20:18:19 GMT, Hai-May Chao wrote: > This fixes jarsigner to enforce checking against algorithm constraint > properties so when the signature algorithms parameters use disabled or legacy > algorithms, it will emit warnings accordingly. If the algorithm used in >

RFR: 8277474: jarsigner does not check if algorithm parameters are disabled

2022-02-22 Thread Hai-May Chao
This fixes jarsigner to enforce checking against algorithm constraint properties so when the signature algorithms parameters use disabled or legacy algorithms, it will emit warnings accordingly. If the algorithm used in parameters is disabled, jarsigner treats the jar as unsigned. -

Re: RFR: 8281234: The -protected option is not always checked in keytool and jarsigner [v2]

2022-02-24 Thread Hai-May Chao
On Fri, 4 Feb 2022 01:19:51 GMT, Weijun Wang wrote: >> The option means there is no need to provide a password when loading a >> keystore. In some places in jarsigner and keytool, even with the option >> specified, password is still prompted for or warnings are still shown. > > Weijun Wang has

Re: RFR: 8277474: jarsigner does not check if algorithm parameters are disabled [v2]

2022-03-02 Thread Hai-May Chao
signed. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Removed unneeded import and updated -verbose output - Changes: - all: https://git.openjdk.java.net/jdk/pull/7582/files - new: https://git.openjdk.java.net/jdk/pul

Re: RFR: 8277474: jarsigner does not check if algorithm parameters are disabled [v2]

2022-03-02 Thread Hai-May Chao
On Wed, 2 Mar 2022 15:30:22 GMT, Sean Mullan wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Removed unneeded import and updated -verbose output > > src/jdk.jartool/share/classe

Re: RFR: 8277474: jarsigner does not check if algorithm parameters are disabled [v2]

2022-03-02 Thread Hai-May Chao
On Wed, 2 Mar 2022 16:20:53 GMT, Weijun Wang wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Removed unneeded import and updated -verbose output > > src/jdk.jartool/share/classe

Re: RFR: 8277474: jarsigner does not check if algorithm parameters are disabled [v3]

2022-03-02 Thread Hai-May Chao
signed. Hai-May Chao has updated the pull request incrementally with two additional commits since the last revision: - Updated -verbose output - Updated -verbose output - Changes: - all: https://git.openjdk.java.net/jdk/pull/7582/files - new: https://git.openjdk.java.net/j

Re: RFR: 8277474: jarsigner does not check if algorithm parameters are disabled [v3]

2022-03-02 Thread Hai-May Chao
On Wed, 2 Mar 2022 19:54:13 GMT, Weijun Wang wrote: >> What does it look like now? Also, you might need to create a mapping in >> `Resources.java` because "using" should only be shown when system language >> is English. > > Also, what if it's another algorithm using another type of parameters?

Re: RFR: 8277474: jarsigner does not check if algorithm parameters are disabled [v4]

2022-03-02 Thread Hai-May Chao
signed. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Removed unused string - Changes: - all: https://git.openjdk.java.net/jdk/pull/7582/files - new: https://git.openjdk.java.net/jdk/pull/7582/files/516d8bf0..2a73d

Re: RFR: 8277474: jarsigner does not check if algorithm parameters are disabled [v5]

2022-03-03 Thread Hai-May Chao
signed. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Use algname in output - Changes: - all: https://git.openjdk.java.net/jdk/pull/7582/files - new: https://git.openjdk.java.net/jdk/pull/7582/files/2a73d1ef..d2cd7

Re: RFR: 8277474: jarsigner does not check if algorithm parameters are disabled [v4]

2022-03-03 Thread Hai-May Chao
On Thu, 3 Mar 2022 19:35:21 GMT, Weijun Wang wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> Removed unused string > > src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main

Re: RFR: 8277474: jarsigner does not check if algorithm parameters are disabled [v6]

2022-03-03 Thread Hai-May Chao
signed. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: No need to do toUpperCase - Changes: - all: https://git.openjdk.java.net/jdk/pull/7582/files - new: https://git.openjdk.java.net/jdk/pull/7582/files/d2cd7e

Integrated: 8277474: jarsigner does not check if algorithm parameters are disabled

2022-03-03 Thread Hai-May Chao
On Tue, 22 Feb 2022 22:00:05 GMT, Hai-May Chao wrote: > This fixes jarsigner to enforce checking against algorithm constraint > properties so when the signature algorithms parameters use disabled or legacy > algorithms, it will emit warnings accordingly. If the algorithm used in >

RFR: 8282633: jarsigner output does not explain why an EC key is disabled if its curve has been disabled

2022-03-14 Thread Hai-May Chao
When a named curve is disabled in `jdk.disabled.namedCurves` property which is included in `jdk.jar.disabledAlgorithms` and `jdk.certpath.disabledAlgorithms`, `jarsigner` should display the disabled named curve as a result of its disabled algorithm constraint checking. This clarifies why an EC k

Re: RFR: 8282633: jarsigner output does not explain why an EC key is disabled if its curve has been disabled

2022-03-15 Thread Hai-May Chao
On Mon, 14 Mar 2022 17:41:28 GMT, Hai-May Chao wrote: > When a named curve is disabled in `jdk.disabled.namedCurves` property which > is included in `jdk.jar.disabledAlgorithms` and > `jdk.certpath.disabledAlgorithms`, `jarsigner` should display the disabled > named curve as a r

Re: RFR: 8282633: jarsigner output does not explain why an EC key is disabled if its curve has been disabled [v2]

2022-03-15 Thread Hai-May Chao
> clarifies why an EC key is disabled in its warning and verbose output. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: Check curve in jdk.security.legacyAlgorithms, and update testcase - Changes:

Re: RFR: 8282633: jarsigner output does not explain why an EC key is disabled if its curve has been disabled

2022-03-15 Thread Hai-May Chao
On Tue, 15 Mar 2022 01:16:59 GMT, Weijun Wang wrote: >> When a named curve is disabled in `jdk.disabled.namedCurves` property which >> is included in `jdk.jar.disabledAlgorithms` and >> `jdk.certpath.disabledAlgorithms`, `jarsigner` should display the disabled >> named curve as a result of its

Integrated: 8282633: jarsigner output does not explain why an EC key is disabled if its curve has been disabled

2022-03-15 Thread Hai-May Chao
On Mon, 14 Mar 2022 17:41:28 GMT, Hai-May Chao wrote: > When a named curve is disabled in `jdk.disabled.namedCurves` property which > is included in `jdk.jar.disabledAlgorithms` and > `jdk.certpath.disabledAlgorithms`, `jarsigner` should display the disabled > named curve as a r

Re: RFR: 8283665: Two Jarsigner tests needs to be updated with JDK-8267319

2022-03-24 Thread Hai-May Chao
On Fri, 25 Mar 2022 05:11:18 GMT, Valerie Peng wrote: > Max, can you please help review this fix? It updates the two jarsigner tests > which are added to the main trunk during the code review of JDK-8267319. > > Mach5 run succeeds. > Thanks, > Valerie Marked as reviewed by hchao (Committer).

Re: RFR: 8283691: Classes in java.security still reference deprecated classes in spec

2022-03-25 Thread Hai-May Chao
On Fri, 25 Mar 2022 15:34:23 GMT, Weijun Wang wrote: > Some spec cleanup. Marked as reviewed by hchao (Committer). - PR: https://git.openjdk.java.net/jdk/pull/7961

RFR: 8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms

2022-04-19 Thread Hai-May Chao
Please review these changes to add DES/3DES/MD5 to `jdk.security.legacyAlgorithms` security property, and to add the legacy algorithm constraint checking to `keytool` commands that are associated with secret key entries stored in the keystore. These `keytool` commands are -genseckey, -importpas

Re: RFR: 8285683: Missing @ since 11 in java.security.spec.MGF1ParameterSpec fields

2022-04-26 Thread Hai-May Chao
On Tue, 26 Apr 2022 22:55:29 GMT, Bradford Wetmore wrote: > Two new constant fields `MGF1ParameterSpec.SHA512_224` and > `MGF1ParameterSpec.SHA512_256` didn't have `@since 11` tag added as part of > [JDK-8146293](https://bugs.openjdk.java.net/browse/JDK-8146293). > > This bug addresses this i

Re: RFR: 8225433: Clarify behavior of PKIXParameters.setRevocationEnabled when PKIXRevocationChecker is used [v2]

2022-04-27 Thread Hai-May Chao
On Wed, 27 Apr 2022 12:48:29 GMT, Sean Mullan wrote: >> This change improves the specification for the case when a >> `PKIXRevocationChecker` is supplied as one of the `CertPathChecker` >> parameters. Specifically, it makes it more clear that a >> `PKIXRevocationChecker` overrides the default

Re: RFR: 8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms [v2]

2022-04-27 Thread Hai-May Chao
re update.” from the existing > warnings for the asymmetric keys/certificates. > Will also file a CSR. Hai-May Chao has updated the pull request incrementally with one additional commit since the last revision: SecretKeyConstraintsParameters subclass created and property descripti

Re: RFR: 8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms [v2]

2022-04-27 Thread Hai-May Chao
On Wed, 27 Apr 2022 19:34:04 GMT, Sean Mullan wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> SecretKeyConstraintsParameters subclass created and property description >> updated

Re: RFR: 8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms [v2]

2022-04-28 Thread Hai-May Chao
On Wed, 27 Apr 2022 21:04:59 GMT, Weijun Wang wrote: >> Changes requested by mullan (Reviewer). > > @seanjmullan Since we use symmetric keys to encrypt entries and add integrity > check, should this enhancement cover them as well? For example, if a PKCS12 > keystore is created with `-J-Dkeystor

Re: RFR: 8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms [v2]

2022-04-28 Thread Hai-May Chao
On Wed, 27 Apr 2022 19:35:04 GMT, Sean Mullan wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> SecretKeyConstraintsParameters subclass created and property description >> updated

Re: RFR: 8255552: Add DES/3DES/MD5 to jdk.security.legacyAlgorithms [v2]

2022-04-28 Thread Hai-May Chao
On Thu, 28 Apr 2022 13:25:13 GMT, Sean Mullan wrote: >> Hai-May Chao has updated the pull request incrementally with one additional >> commit since the last revision: >> >> SecretKeyConstraintsParameters subclass created and property description >> update
