Hi Sean,

thank you for your quick reply. I was already hoping to get such feedback.

I had read the CSR and I had already thought that you guys didn’t revert the 
complete change.
My problem is that I can’t see what exactly you have done.
I’m concerned about making it insecure by creating a mixture of old and new 
behavior. How can I ensure to get the same behavior as 11.0.12-oracle?
Would it be possible to publish your security file and PKCS12KeyStore.java?
Otherwise, wouldn’t it be safer to stick with the old behavior until we switch 
to the new one in a future release?

Best regards,
Martin


Von: Seán Coffey <sean.cof...@oracle.com>
Datum: Freitag, 28. Mai 2021 um 15:42
An: Doerr, Martin <martin.do...@sap.com>, jdk-updates-...@openjdk.java.net 
<jdk-updates-...@openjdk.java.net>, security-dev 
<security-dev@openjdk.java.net>, Hohensee, Paul <hohen...@amazon.com>
Betreff: Re: [11u] RFR: 8267599: Revert the change to the default PKCS12 
macAlgorithm and macIterationCount props for 11u/8u/7u
Martin,

you seem to be suggesting a full revert of the JDK-8153005 changes. Note
that the Oracle JDK changes only relate to to the default PKCS12
macAlgorithm and macIterationCount (back to HmacPBESHA1 and 100000
respectively). While there are other interoperability concerns with the
keystore.pkcs12.certProtectionAlgorithm and
keystore.pkcs12.keyProtectionAlgorithm values [1], they relate to JDK
8u/7u where PKCS12 is not the default keystore type.

regards,
Sean.

[1] https://bugs.openjdk.java.net/browse/JDK-8267837

On 28/05/2021 13:52, Doerr, Martin wrote:
> Hi,
>
> Oracle has reverted the changes from JDK-8153005 backport in 11.0.12-oracle 
> for interoperability reasons. See:
> https://bugs.openjdk.java.net/browse/JDK-8267599
> and CSR:
> https://bugs.openjdk.java.net/browse/JDK-8267701
>
> I had to adapt the small test addition from JDK-8266293 (see "// 8266293" 
> comment in ParamsPreferences.java):
> http://cr.openjdk.java.net/~mdoerr/8267599_revert_8153005_11u/webrev.00/
>
> Please review.
> Comments?
>
> Best regards,
> Martin
>

Reply via email to