[11u] RFR: 8249159: Downport test rework for SSLSocketTemplate from 8224650
Lindenmaier, Goetz
goetz.lindenmaier at sap.com
Mon Jul 13 07:24:02 UTC 2020
Hi Matthias,
Yes, you are right. The old test contains the following certificates:
In array trustedCertStrs:
SHA256withECDSA, curve prime256v1
SHA256withRSA, 2048 bits
SHA256withDSA, 2048 bits
In array endEntityCertStrs:
SHA256withECDSA, curve prime256v1
SHA256withRSA, 2048 bits
SHA256withRSA, curve prime256v1
SHA256withDSA, 2048 bits
The new enum lists the following certificates. I marked
those added by this change with +:
CA_ECDSA_SECP256R1( SHA256withECDSA, curve secp256r1
+ CA_ECDSA_SECP384R1( SHA384withECDSA, curve secp384r1
+ CA_ECDSA_SECP521R1( SHA512withECDSA, curve secp521r1
CA_RSA_2048( SHA256withRSA, 2048 bits
CA_DSA_2048( SHA256withDSA, 2048 bits
EE_ECDSA_SECP256R1( SHA256withECDSA, curve secp256r1
+ EE_ECDSA_SECP384R1( SHA384withECDSA, curve secp384r1
+ EE_ECDSA_SECP521R1( SHA512withECDSA, curve secp521r1
EE_RSA_2048( SHA256withRSA, 2048 bits
EE_EC_RSA_SECP256R1( SHA256withRSA, curve secp256r1
EE_DSA_2048( SHA256withDSA, 2048 bits
Only the certificates that were in the old test
are added to the arrays TRUSTED_CERTS and END_ENTITY_CERTS,
so the test still exercises the same certificates. I double checked
that the actual certificates are equal, too.
The others are used by the test which I did not downport.
I'd like to keep them, having them does no harm but simplifies
downports. What do you think?
Best regards,
Goetz.
From: Baesken, Matthias <matthias.baesken at sap.com>
Sent: Friday, July 10, 2020 1:09 PM
To: Lindenmaier, Goetz <goetz.lindenmaier at sap.com>; 'jdk-updates-dev at openjdk.java.net' <jdk-updates-dev at openjdk.java.net>
Subject: Re: [11u] RFR: 8249159: Downport test rework for SSLSocketTemplate from 8224650
I would like to bring this test rework from 14 to 11.
It is part of https://bugs.openjdk.java.net/browse/JDK-8224650 .
8224650 contains the rework of SSLSocketTemplates.java and
adds a new test.
In the old version of SSLSocketTemplates.java certificates, names and keys
are held in separate arrays that must correlate by indexes correctly. The new
version uses enums to keep common information in one place. The new
version is much easier to maintain. Also, downports that just add new enums
are easier to handle.
The new test NamedGroupsWithCipherSuite.java does not pass in 11 because
the feature tested (JDK-8171279) is only in 13.
I would like to downport the rework because it makes JDK-8246330 apply
clean. I do not want to downport the new test as it fails. Therefore I opened
an Enhancement issue of its own for this, https://bugs.openjdk.java.net/browse/JDK-8249159 .
Please review this webrev:
http://cr.openjdk.java.net/~goetz/wr20/8249159-rework_SSLSocketTemplate-jdk11/01/
It contains the changes of SSLSocketTemplate from JDK-8224650. They applied clean.
It does not contain the new test.
SSLSocketTemplate.java passes with this test.
Best regards,
Goetz.
---------------------------------------------------------
Hi Götz, while the patch downport looks mostly fine, I wonder about one point.
It looks to me like the certs tested changed a bit with your change. If this is really intentional, please confirm and consider your change as reviewed.
Otherwise I wonder about for example this cert, I only find it in the new version (did not check all the certs but noticed this one).
Best regards, Matthias
http://cr.openjdk.java.net/~goetz/wr20/8249159-rework_SSLSocketTemplate-jdk11/01/test/jdk/javax/net/ssl/templates/SSLSocketTemplate.java.frames.html
CA_ECDSA_SECP384R1(
    "EC",
    // SHA384withECDSA, curve secp384r1
    // Validity
    //     Not Before: Jun 24 08:15:06 2019 GMT
    //     Not After : Jun 19 08:15:06 2039 GMT
    // Subject Key Identifier:
    //     0a:93:a9:a0:bf:e7:d5:48:9d:4f:89:15:c6:51:98:80:05:51:4e:4e
    "-----BEGIN CERTIFICATE-----\n" +
    "MIICCDCCAY6gAwIBAgIUCpOpoL/n1UidT4kVxlGYgAVRTk4wCgYIKoZIzj0EAwMw\n" +
    "OzELMAkGA1UEBhMCVVMxDTALBgNVBAoMBEphdmExHTAbBgNVBAsMFFN1bkpTU0Ug\n" +
    "VGVzdCBTZXJpdmNlMB4XDTE5MDYyNDA4MTUwNloXDTM5MDYxOTA4MTUwNlowOzEL\n" +
    "MAkGA1UEBhMCVVMxDTALBgNVBAoMBEphdmExHTAbBgNVBAsMFFN1bkpTU0UgVGVz\n" +
    "dCBTZXJpdmNlMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAENVQN1wXWFdgC6u/dDdiC\n" +
    "y+WtMTF66oL/0BSm+1ZqsogamzCryawOcHgiuXgWzx5CQ3LuOC+tDFyXpGfHuCvb\n" +
    "dkzxPrP5n9NrR8/uRPe5l1KOUbchviU8z9cTP+LZxnZDo1MwUTAdBgNVHQ4EFgQU\n" +
    "SktSFArR1p/5mXV0kyo0RxIVa/UwHwYDVR0jBBgwFoAUSktSFArR1p/5mXV0kyo0\n" +
    "RxIVa/UwDwYDVR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAwNoADBlAjBZvoNmq3/v\n" +
    "RD2gBTyvxjS9h0rsMRLHDnvul/KWngytwGPTOBo0Y8ixQXSjdKoc3rkCMQDkiNgx\n" +
    "IDxuHedmrLQKIPnVcthTmwv7//jHiqGoKofwChMo2a1P+DQdhszmeHD/ARQ=\n" +
    "-----END CERTIFICATE-----",