[jdk17u-dev] RFR: 8262186: Call X509KeyManager.chooseClientAlias once for all key types
Goetz Lindenmaier
goetz at openjdk.org
Mon Oct 16 13:41:43 UTC 2023
I backport this for parity with 17.0.10-oracle.
The first commit contains the parts that applied clean.
The second one contains two chunks I had to resolve, and some additional adaptions.
I had to resolve CertificateRequest.java because "8268199: Correct certificate requests" was already backported to 17, but was applied in head after this change.
This block was in the way of a clean patch:
17u:
    } else {
        // Any auth object will have a possession generator and
        // we need to make sure the key types for that generator
        // share at least one common algorithm with the CR's
        // allowed key types.
        if (ka.possessionGenerator instanceof
                X509PossessionGenerator xpg) {
            if (Collections.disjoint(crKeyTypes,
                    Arrays.asList(xpg.keyTypes))) {
                if (SSLLogger.isOn &&
                        SSLLogger.isOn("ssl,handshake")) {
                    SSLLogger.warning(
                            "Unsupported authentication scheme: " +
                            ss.name);
                }
                checkedKeyTypes.add(ss.keyAlgorithm);
                continue;
            }
        }
    }
Actually, this block was adapted in the backport of 8268199 because this change, 8262186, was not in 17 at that time.
Also, the adapted code does not compile any more because X509PossessionGenerator is removed by this change.
Thus I changed it to the original code of "8268199: Correct certificate requests":
    } else {
        // Any auth object will have a set of allowed key types.
        // This set should share at least one common algorithm with
        // the CR's allowed key types.
        if (Collections.disjoint(crKeyTypes,
                Arrays.asList(ka.keyTypes))) {
            if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
                SSLLogger.warning(
                        "Unsupported authentication scheme: " +
                        ss.name);
            }
            continue;
        }
    }
After some further related adaptions the code looks the same in 17 as in head if going back to "8268199: Correct certificate requests".
This is expected as both repos contain the same changes for both resolved files at that point:
17: https://github.com/openjdk/jdk17u-dev/commits/master/src/java.base/share/classes/sun/security/ssl/CertificateRequest.java
head: https://github.com/openjdk/jdk/commits/master/src/java.base/share/classes/sun/security/ssl/CertificateRequest.java
("8271730: Client authentication using RSASSA-PSS ..." brings a chunk to 17 that was lost in the backport of "8268199: Correct certificate requests").
In X509Authentication.java a larger chunk did not apply because the backport of "8268199: Correct certificate requests" removed private statements from the decl of X509PossessionGenerator. The chunk applies clean after undoing this change.
-------------
Commit messages:
- Resolved parts
- Backport 3d657eb0a626e33995af5d5ddf12b26d06317962
Changes: https://git.openjdk.org/jdk17u-dev/pull/1885/files
Webrev: https://webrevs.openjdk.org/?repo=jdk17u-dev&pr=1885&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8262186
Stats: 398 lines in 4 files changed: 227 ins; 88 del; 83 mod
Patch: https://git.openjdk.org/jdk17u-dev/pull/1885.diff
Fetch: git fetch https://git.openjdk.org/jdk17u-dev.git pull/1885/head:pull/1885
PR: https://git.openjdk.org/jdk17u-dev/pull/1885