[jdk11u-dev] RFR: 8242151: Improve OID mapping and reuse among JDK security providers for aliases registration
Martin Balao
mbalao at openjdk.org
Tue Jun 6 17:58:09 UTC 2023
On Mon, 29 May 2023 10:34:44 GMT, Goetz Lindenmaier <goetz at openjdk.org> wrote:
> This change required some work to get it backported.
> I touched the following files to resolve or get the code/test working:
>
> src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
>
> These entries are not in 11:
> List<String> macSHA512_224Aliases = createAliasesWithOid(macOidBase + "12");
> List<String> macSHA512_256Aliases = createAliasesWithOid(macOidBase + "13");
>
> String nistHashAlgsOidBase = "2.16.840.1.101.3.4.2.";
> List<String> macSHA3_224Aliases =
> createAliasesWithOid(nistHashAlgsOidBase + "13");
> List<String> macSHA3_256Aliases =
> createAliasesWithOid(nistHashAlgsOidBase + "14");
> List<String> macSHA3_384Aliases =
> createAliasesWithOid(nistHashAlgsOidBase + "15");
> List<String> macSHA3_512Aliases =
> createAliasesWithOid(nistHashAlgsOidBase + "16");
>
> Thus I could not remove them.
> Also, the Hmac keys differ. Some are not in 11.
>
> src/java.base/share/classes/java/security/cert/CertificateRevokedException.java
> Copyright.
>
> src/java.base/share/classes/sun/security/pkcs/PKCS7.java
> src/java.base/share/classes/sun/security/pkcs/PKCS9Attribute.java
> Already applied in "8268801: Improve PKCS attribute handling"
>
> src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
> Resolve imports due to context.
>
> src/java.base/share/classes/sun/security/provider/KeyProtector.java
> Copyright
>
> src/java.base/share/classes/sun/security/ssl/SunJSSE.java
> Resolved due to context.
>
> src/java.base/share/classes/sun/security/ssl/X509KeyManagerImpl.java
> Copyright.
>
> src/java.base/share/classes/sun/security/tools/keytool/Main.java
> Basically applied by hand.
>
> src/java.base/share/classes/sun/security/util/ConstraintsParameters.java
> This file was turned into an interface by "8249906: Enhance opening JARs" which
> moved the implementation to CertPathConstraintsParameters.java and DisabledAlgorithmConstraints.
> 8249906 was applied later than this change, but is already in 11.
>
> The method getNamedCurveFromKey(Key key) was moved to DisabledAlgorithmConstraints; I
> applied the hunk there, similarly to 17.
>
> src/java.base/share/classes/sun/security/util/CurveDB.java
> I had to resolve because "8226307: Curve names should be case-insensitive" is not in 11.
>
> src/java.base/share/classes/sun/security/util/KnownOIDs.java,
> Already in 11, a small difference in line 428 which seems fine to me.
>
> src/java.base/share/classes/sun/security/util/ObjectIdentifier.java
> Most parts already backported by "8268801...
Hi Goetz,
Thanks for proposing this backport.
A few minor comments:
* In sun/security/util/ConstraintsParameters.java:
  * If there weren't any changes to the file, we should probably keep the current copyright date in the header.
* In sun/security/util/CurveDB.java:
  * I have the impression that we don't need to call "trim" anymore because the curve name and aliases come from KnownOIDs and do not have any spaces at the beginning or end. This was necessary before because we were splitting strings such as "secp192r1 [NIST P-192, X9.62 prime192v1]" to get the name and aliases separately. You can check how this same information now comes from "secp192r1("1.2.840.10045.3.1.1", "secp192r1", "NIST P-192", "X9.62 prime192v1")" in KnownOIDs.
* In sun/security/util/ObjectIdentifier.java:
  * Is it possible to remove "public ObjectIdentifier(int[] values)" and "public static ObjectIdentifier newInternal(int[] values)" now? This could be part of 8239264 backport perhaps. This will help to check that there are no current uses and enforce that it's not used in the future.
* In sun/security/x509/AlgorithmId.java:
  * There are a couple of OIDs which were not part of jdk11u: ed25519_oid and ed448_oid.
* In sun/security/x509/OIDName.java:
  * Should we bump the copyright date?
* In sun/security/jgss/GSSNameImpl.java:
  * Should we bump the copyright date?
* In sun/security/jgss/wrapper/GSSNameElement.java:
  * Should we bump the copyright date?
* In sun/security/jgss/wrapper/NativeGSSContext.java:
  * Should we bump the copyright date?
* In sun/security/ec/SunEC.java:
  * I think that we can remove the import of java.util.regex.Pattern because it's unused.
* In sun/security/pkcs12/ParamsPreferences.java:
  * I'd add that 8242151 is related to this test.
* In sun/security/tools/keytool/KeyToolTest.java:
  * Copyright date bump?
  * Shouldn't we indicate that it's related to 8242151?
  * Shouldn't we indicate that KeytoolOpensslInteropTest.java is related to 8242151?
Other than that, looks good to me.
Regards,
Martin.-
-------------
PR Comment: https://git.openjdk.org/jdk11u-dev/pull/1908#issuecomment-1579213906