[jdk11u-dev] RFR: 8274471: Add support for RSASSA-PSS in OCSP Response
Paul Hohensee
phh at openjdk.org
Fri May 26 20:22:58 UTC 2023
On Tue, 23 May 2023 17:40:03 GMT, Alexey Pavlyutkin <duke at openjdk.org> wrote:
> Hi!
>
> Here is backport of [JDK-8274471](https://bugs.openjdk.org/browse/JDK-8274471) adding support of RSASSA-PSS signature to OCSP Response. Original patch applied with the following changes
>
> **`src/java.base/share/classes/sun/security/provider/certpath/OCSP.java`**
> - import of `java.security.cert.TrustAnchor` and `sun.security.validator.Validator` packages didn't removed cuz they are still in use;
> - added import of `java.nio.charset.StandardCharsets.UTF_8` promoting `UTF_8` constant;
> - the changes to revocation checking were skipped
>
> **`src/java.base/share/classes/sun/security/util/SignatureUtil.java`**
> - added import of `java.security.interfaces.RSAKey` and `sun.security.x509.AlgorithmId` packages;
> - support of `SHAKE256/512` dropped;
> - `EdEC` hooks dropped;
> - syntax of `switch` statements adjusted;
>
> **`src/java.base/share/classes/sun/security/x509/AlgorithmId.java`**
> - `public byte[] getEncodedParams()` does not throw anymore
>
> **`test/jdk/java/security/testlibrary/CertificateBuilder.java`**
> **`test/jdk/java/security/testlibrary/SimpleOCSPServer.java`**
> - added import of `sun.security.util.SignatureUtil` package
>
> Verification/regression (amd64/LTS 20.04): `jdk_security` including updated tests
I'm not an expert in this area, but the backport looks good, including the addition of a big chunk of code in SignatureUtil.java from [JDK-8242068](https://bugs.openjdk.org/browse/JDK-8242068), which latter is huge and would anyway require a spec change.
-------------
Marked as reviewed by phh (Reviewer).
PR Review: https://git.openjdk.org/jdk11u-dev/pull/1891#pullrequestreview-1446904232
More information about the jdk-updates-dev
mailing list