[jdk11u-dev] RFR: 8274471: Add support for RSASSA-PSS in OCSP Response
Martin Doerr
mdoerr at openjdk.java.net
Tue Mar 1 22:24:02 UTC 2022
On Sat, 22 Jan 2022 09:13:30 GMT, Alexey Pavlyutkin <duke at openjdk.java.net> wrote:
> I'd like to backport
>
> 8274471: Add support for RSASSA-PSS in OCSP Response
> 8179503: Java should support GET OCSP calls (dependency)
>
> to jdk11u-dev.
>
> The patches fix an internal error upon verification of an OCSP Response signed with RSASSA-PSS.
>
> The following changes were done to original patches:
>
> 8179503:
>
> src/java.base/share/classes/sun/security/provider/certpath/OCSP.java
> - resolved baseline conflict that took place due to absent revocation checking code
>
> test/jdk/java/security/cert/CertPathValidator/OCSP/GetAndPostTests.java
> - unsupported `ObjectIdentifier.of()` substituted with `new ObjectIdentifier`
>
> 8274471:
>
> src/java.base/share/classes/sun/security/provider/certpath/OCSP.java
> - changes to absent revocation checking code ignored
>
> src/java.base/share/classes/sun/security/util/SignatureUtil.java
> - the following non-existing methods transferred from jdk17:
> `public static Signature fromKey(String sigAlg, PrivateKey key, String provider);`
> `public static Signature fromKey(String sigAlg, PrivateKey key, Provider provider);`
> `private static Signature autoInitInternal(String alg, PrivateKey key, Signature s);`
> `public static AlgorithmId fromSignature(Signature sigEngine, PrivateKey key);`
> - `EdEcKey` (unsupported in jdk11) hook removed from fromSignature() method
> - copied `SignatureUtil.autoInitInternal()` method updated to use `AlgorithmId.getDefaultAlgorithmParameterSpec()` instead of `SignatureUtil.getDefaultParamSpec()`
> - imported AlgorithmId class
>
> test/jdk/java/security/testlibrary/SimpleOCSPServer.java
> - imported SignatureUtil class
>
> Verified (20.04 LTS/amd64) with attached [Test8274471.java.zip](https://github.com/openjdk/jdk17u/files/7514663/Test8274471.java.zip). Regression: jdk_security
Would it be possible to backport both changes individually (i.e. JDK-8179503 first and JDK-8274471 as dependent PR)?
That would make it easier to review and keep the integration history clean.
-------------
PR: https://git.openjdk.java.net/jdk11u-dev/pull/788