[jdk11u-dev] RFR: 8242151: Improve OID mapping and reuse among JDK security providers for aliases registration
Goetz Lindenmaier
goetz at openjdk.org
Mon May 29 10:50:14 UTC 2023
This change required some work to get it backported.
I touched the following files to resolve or get the code/test working:
src/java.base/share/classes/com/sun/crypto/provider/SunJCE.java
These entries are not in 11:
    List<String> macSHA512_224Aliases = createAliasesWithOid(macOidBase + "12");
    List<String> macSHA512_256Aliases = createAliasesWithOid(macOidBase + "13");
    String nistHashAlgsOidBase = "2.16.840.1.101.3.4.2.";
    List<String> macSHA3_224Aliases =
            createAliasesWithOid(nistHashAlgsOidBase + "13");
    List<String> macSHA3_256Aliases =
            createAliasesWithOid(nistHashAlgsOidBase + "14");
    List<String> macSHA3_384Aliases =
            createAliasesWithOid(nistHashAlgsOidBase + "15");
    List<String> macSHA3_512Aliases =
            createAliasesWithOid(nistHashAlgsOidBase + "16");
Thus I could not remove them.
Also, the Hmac keys differ. Some are not in 11.
src/java.base/share/classes/java/security/cert/CertificateRevokedException.java
Copyright.
src/java.base/share/classes/sun/security/pkcs/PKCS7.java
src/java.base/share/classes/sun/security/pkcs/PKCS9Attribute.java
Already applied in "8268801: Improve PKCS attribute handling"
src/java.base/share/classes/sun/security/pkcs12/PKCS12KeyStore.java
Resolve imports due to context.
src/java.base/share/classes/sun/security/provider/KeyProtector.java
Copyright
src/java.base/share/classes/sun/security/ssl/SunJSSE.java
Resolved due to context.
src/java.base/share/classes/sun/security/ssl/X509KeyManagerImpl.java
Copyright.
src/java.base/share/classes/sun/security/tools/keytool/Main.java
Basically applied by hand.
src/java.base/share/classes/sun/security/util/ConstraintsParameters.java
This file was turned into an interface by "8249906: Enhance opening JARs" which
moved the implementation to CertPathConstraintsParameters.java and DisabledAlgorithmConstraints.
8249906 was applied later than this change, but is already in 11.
The method getNamedCurveFromKey(Key key) was moved to DisabledAlgorithmConstraints; I
applied the hunk there, similar to 17.
src/java.base/share/classes/sun/security/util/CurveDB.java
I had to resolve because "8226307: Curve names should be case-insensitive" is not in 11.
src/java.base/share/classes/sun/security/util/KnownOIDs.java
Already in 11, a small difference in line 428 which seems fine to me.
src/java.base/share/classes/sun/security/util/ObjectIdentifier.java
Most parts already backported by "8268801: Improve PKCS attribute handling"
src/java.base/share/classes/sun/security/util/SecurityProviderConstants.java
Trivial resolve due to context.
src/java.base/share/classes/sun/security/x509/AVA.java
Copyright
src/java.base/share/classes/sun/security/x509/AlgorithmId.java
I had to resolve bigger parts of this.
In addition, I removed the three cases added in "8266929: Unable to use algorithms from 3p providers"
These entries are in KnownOid.java and should still properly be handled.
src/java.base/share/classes/sun/security/x509/OIDName.java
Copyright
src/java.security.jgss/share/classes/sun/security/jgss/GSSNameImpl.java
src/java.security.jgss/share/classes/sun/security/jgss/wrapper/GSSNameElement.java
src/java.security.jgss/share/classes/sun/security/jgss/wrapper/NativeGSSContext.java
Copyright
src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
Resolved, there was ChaCha20 in the context.
For ChaCha20, I implemented the change myself:
removing the s() call and changing the outer
call from d() to dA().
KnownID.java contains these mappings.
src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
One hunk is not needed because "8166597: Crypto support for the EdDSA Signature Algorithm" is not in 11.
Another I had to resolve.
src/jdk.crypto.ec/share/classes/sun/security/ec/XECParameters.java
Simple resolve due to context.
src/jdk.crypto.ec/share/classes/sun/security/ec/ed/EdDSAParameters.java
Skipped. File comes with "8166597: Crypto support for the EdDSA Signature Algorithm" which is not in 11.
test/jdk/sun/security/pkcs/pkcs9/UnknownAttribute.java
Already backported ?
test/jdk/sun/security/pkcs12/ParamsPreferences.java
This test already received two further backports obviously subsuming the
changes of this one.
test/jdk/sun/security/pkcs12/ParamsTest.java
Test was renamed to KeytoolOpensslInteropTest.java in "8266182: Automate manual steps listed in the test jdk/sun/security/pkcs12/ParamsTest.java"
That test is already reworked. Only applied some minor fixes.
test/jdk/sun/security/tools/jarsigner/TimestampCheck.java
Test does not use the pattern to change any more.
test/jdk/sun/security/tools/keytool/KeyToolTest.java
Trivial resolves
To make tests compile, I had to adapt calls to
new ObjectIdentifier() in DerUtils.java, TsaSigner.java
to make it compile.
-------------
Depends on: https://git.openjdk.org/jdk11u-dev/pull/1898
Commit messages:
- Merge branch 'goetz_backport_8239264' into goetz_backport_8242151
- Fix build and tests
- Resolve
- Backport 080b3b83ebffe5149fbc9ac48e921fb51e9c3c63
- remove of1()
Changes: https://git.openjdk.org/jdk11u-dev/pull/1908/files
Webrev: https://webrevs.openjdk.org/?repo=jdk11u-dev&pr=1908&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8242151
Stats: 2060 lines in 75 files changed: 306 ins; 772 del; 982 mod
Patch: https://git.openjdk.org/jdk11u-dev/pull/1908.diff
Fetch: git fetch https://git.openjdk.org/jdk11u-dev.git pull/1908/head:pull/1908
PR: https://git.openjdk.org/jdk11u-dev/pull/1908
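
A check a reviewer could run on a build with this backport, added here as an example and not part of the mail or of the JDK sources: for the Mac entries quoted above, it verifies that the plain OID and the "OID."-prefixed alias both resolve and produce the same tag as the standard algorithm name. The class name, the HmacSHA256 baseline row and the value of macOidBase are assumptions; the mail shows only the OID suffixes.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class MacOidAliasCheck {
    // Assumption: value of macOidBase; the mail shows only the suffixes.
    static final String MAC_OID_BASE = "1.2.840.113549.2.";
    static final String NIST_HASH_ALGS_OID_BASE = "2.16.840.1.101.3.4.2.";
    // {standard name, OID}; the last six pairs are the entries quoted in the mail.
    static final String[][] MACS = {
        {"HmacSHA256", MAC_OID_BASE + "9"},
        {"HmacSHA512/224", MAC_OID_BASE + "12"},
        {"HmacSHA512/256", MAC_OID_BASE + "13"},
        {"HmacSHA3-224", NIST_HASH_ALGS_OID_BASE + "13"},
        {"HmacSHA3-256", NIST_HASH_ALGS_OID_BASE + "14"},
        {"HmacSHA3-384", NIST_HASH_ALGS_OID_BASE + "15"},
        {"HmacSHA3-512", NIST_HASH_ALGS_OID_BASE + "16"},
    };

    // Constructed key and message, used only to compare outputs across names.
    static byte[] tag(String algorithm) throws Exception {
        Mac mac = Mac.getInstance(algorithm);
        mac.init(new SecretKeySpec("constructed-test-key".getBytes(StandardCharsets.UTF_8), algorithm));
        return mac.doFinal("constructed message".getBytes(StandardCharsets.UTF_8));
    }

    static String check(String name, String oid) throws Exception {
        byte[] expected;
        try {
            expected = tag(name);
        } catch (NoSuchAlgorithmException e) {
            return "not provided by this JDK";
        }
        for (String alias : new String[] {oid, "OID." + oid}) {
            try {
                if (!MessageDigest.isEqual(expected, tag(alias))) return "MISMATCH via " + alias;
            } catch (NoSuchAlgorithmException e) {
                return "alias not registered: " + alias;
            }
        }
        return "ok";
    }

    public static void main(String[] args) throws Exception {
        for (String[] m : MACS) System.out.printf("%-15s %-26s %s%n", m[0], m[1], check(m[0], m[1]));
    }
}
```

Running it on the build before and after the change and comparing the two outputs shows whether any alias was dropped or now maps to a different algorithm.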