[8u] RFR 8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR
Andrew Hughes
gnu.andrew at redhat.com
Wed Dec 2 05:34:30 UTC 2020
On 22:14 Tue 01 Dec, Alexander Scherbatiy wrote:
>
> Hello,
>
> Could you review the backport of P2 JDK-8233228 to 8u.
>
> Bug: https://bugs.openjdk.java.net/browse/JDK-8233228
> 11u patch: https://hg.openjdk.java.net/jdk-updates/jdk11u/rev/a17295342862
> 8u webrev: http://cr.openjdk.java.net/~alexsch/sercher/8233228/webrev.00
>
>
> 8233228 backport to 8u (compared to 11u):
> * sun.security.ec.ECParameters -> sun.security.util.ECParameters
> * sun.security.ec.NamedCurve -> sun.security.util.NamedCurve
> * sun.security.ec.CurveDB -> sun.security.util.CurveDB
> * security/tools/keytool fixed context difference
> * DisabledAlgorithmConstraints.java fixed context difference
> * Manual merge in ConstraintsParameters.java (XECKey, NamedParameterSpec are
> not available in 8u).
> * CurveDB.SPLIT_PATTERN, CurveDB.getSupportedCurves() made public
> * NamedCurve class, getName(), getObjectId() made public
> * ECParameters.getAlgorithmParameters() made public
> * files java.security-<platform> are separate in each platform, applied
> identical changes in all
>
Why is it necessary to move the package these files are in?
If we really need to do this, it should be done as a separate backport
of JDK-8035166, but I'm not yet convinced this is necessary, given the
disruption it will cause to code that relies on the code being in the
current locations.
> There are no new failures in hotspot and compact3 tests compared to the build
> without the fix.
I'm not sure how HotSpot tests would relate to a crypto change. What crypto
tests were run?
>
> Thanks,
> Alexander.
>
Thanks,
--
Andrew :)
Senior Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (http://www.redhat.com)
PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222