[jdk17u-dev] RFR: 8262186: Call X509KeyManager.chooseClientAlias once for all key types

Paul Hohensee phh at openjdk.org
Thu Oct 19 20:50:08 UTC 2023 

On Mon, 16 Oct 2023 13:24:43 GMT, Goetz Lindenmaier <goetz at openjdk.org> wrote:

> I backport this for parity with 17.0.10-oracle.
> 
> The first commit contains the parts applied clean. 
> The second one contains two chunks I had to resolve, and some additional adaptions.
> 
> I had to resolve CertificateRequest.java because "8268199: Correct certificate requests" was already backported to 17, but was applied in head after this change.
> This block was in the way of a clean patch:
> 
> 17u: 
> 
>               } else {
>                     // Any auth object will have a possession generator and
>                     // we need to make sure the key types for that generator
>                     // share at least one common algorithm with the CR's
>                     // allowed key types.
>                     if (ka.possessionGenerator instanceof
>                             X509PossessionGenerator xpg) {
>                         if (Collections.disjoint(crKeyTypes,
>                                 Arrays.asList(xpg.keyTypes))) {
>                             if (SSLLogger.isOn &&
>                                     SSLLogger.isOn("ssl,handshake")) {
>                                 SSLLogger.warning(
>                                         "Unsupported authentication scheme: " +
>                                                 ss.name);
>                             }
>                             checkedKeyTypes.add(ss.keyAlgorithm);
>                             continue;
>                         }
>                     }
>                 }
> 
> 
> Actually, this block was adapted in the backport of 8268199 because this change, 8262186, was not in 17 at that time.
> Also, the adapted code does not compile any more because X509PossessionGenerator is removed by this change.
> Thus I changed it to the original code of "8268199: Correct certificate requests":
> 
> 
> } else {
>                     // Any auth object will have a set of allowed key types.
>                     // This set should share at least one common algorithm with
>                     // the CR's allowed key types.
>                     if (Collections.disjoint(crKeyTypes,
>                             Arrays.asList(ka.keyTypes))) {
>                         if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) {
>                             SSLLogger.warning(
>                                     "Unsupported authentication scheme: " +
>                                             ss.name);
>                         }
>                         continue;
>                     }
>                }
> 
> 
> 
> After some further related adaptions the code looks...

Marked as reviewed by phh (Reviewer).

-------------

PR Review: https://git.openjdk.org/jdk17u-dev/pull/1885#pullrequestreview-1688623241

More information about the jdk-updates-dev mailing list