[8u] RFR 8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR
Alexander Scherbatiy
alexander.scherbatiy at bell-sw.com
Mon Dec 7 17:49:18 UTC 2020
Hello,
Could you review the updated backport of JDK-8233228 to 8u.
8u webrev:
http://cr.openjdk.java.net/~alexsch/sercher/8233228/webrev.02/jdk.patch
The only difference between the updated backport and the previous
webrev.01 version
is that the public modifier is removed from "static String[]
getNamesByOID(String oid)" method
of CurveDB class.
All classes which use CurveDB.getNamesByOID(oid) method
are placed in the same package as CurveDB and the original jdk11u patch
has the package-private CurveDB.getNamesByOID(oid) method.
Thanks,
Alexander.
On 12/3/20 7:36 PM, Alexander Scherbatiy wrote:
> Hello,
>
> Could you review the updated backport of JDK-8233228 to 8u.
>
> 8u webrev:
> http://cr.openjdk.java.net/~alexsch/sercher/8233228/webrev.01
>
> The classes ECParameters, NamedCurve, and CurveDB needs to be moved
> from sun.security.ec packageto sun.security.util
> because sun.security.ec is placed in sunec.jar and these classes are
> not accessible
> from ConstraintsParameters, DisabledAlgorithmConstraints which are
> stored in rt.jar.
>
> Moving ECParameters, NamedCurve, and CurveDB classes is sent as a part
> of a separate request [1]
> JDK-8035166: Remove dependency on EC classes from pkcs11 provider
>
> The patch for JDK-8035166 needs to be applied first and the patch for
> JDK-8233228 on top of it.
>
> The tests compact3, java_security, java_security_infra, needs_jdk, and
> needs_jre were run.
>
> In total they contain the following crypto and security tests:
> sun/security/tools/jarsigner/*
> com/sun/crypto/provider/*
> com/sun/security/*
> java/security/*
> javax/crypto/*
> javax/net/ssl/*
> javax/security/*
> javax/xml/crypto/*
> sun/security/*
> security/infra/java/security/*
>
> The are no new failures comparing to the build without the fix.
>
> [1]
> https://mail.openjdk.java.net/pipermail/jdk8u-dev/2020-December/013171.html
>
> Thanks,
> Alexander
>
> On 12/2/20 8:34 AM, Andrew Hughes wrote:
>> On 22:14 Tue 01 Dec , Alexander Scherbatiy wrote:
>>> Hello,
>>>
>>> Could you review the backport of P2 JDK-8233228 to 8u.
>>>
>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8233228
>>> 11u patch:
>>> https://hg.openjdk.java.net/jdk-updates/jdk11u/rev/a17295342862
>>> 8u webrev:
>>> http://cr.openjdk.java.net/~alexsch/sercher/8233228/webrev.00
>>>
>>>
>>> 8233228 backport to 8u (compared to 11u):
>>> * sun.security.ec.ECParameters -> sun.security.util.ECParameters
>>> * sun.security.ec.NamedCurve -> sun.security.util.NamedCurve
>>> * sun.security.ec.CurveDB -> sun.security.util.CurveDB
>>> * security/tools/keytool fixed context difference
>>> * DisabledAlgorithmConstraints.java fixed context difference
>>> * Manual merge in ConstraintsParameters.java (XECKey,
>>> NamedParameterSpec are
>>> not available in 8u).
>>> * CurveDB.SPLIT_PATTERN, CurveDB.getSupportedCurves() made public
>>> * NamedCurve class, getName(), getObjectId() made public
>>> * ECParameters.getAlgorithmParameters() made public
>>> * files java.security-<platform> are separate in each platform, applied
>>> identical changes in all
>>>
>> Why is it necessary to move the package these files are in?
>>
>> If we really need to do this, it should be done as a separate backport
>> of JDK-8035166, but I'm not yet convinced this is necessary, given the
>> disruption it will cause to code that relies on the code being in the
>> current locations.
>>
>>> The are no new failures in hotspot and compact3 tests comparing to
>>> the build
>>> without the fix.
>> I'm not sure how HotSpot tests would relate to a crypto change. What
>> crypto
>> tests were run?
>>
>>> Thanks,
>>> Alexander.
>>>
>> Thanks,
More information about the jdk8u-dev
mailing list