[8u] RFR 8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR

Alexander Scherbatiy alexander.scherbatiy at bell-sw.com
Mon Dec 7 17:49:18 UTC 2020


Hello,

Could you review the updated backport of JDK-8233228 to 8u.

   8u webrev: 
http://cr.openjdk.java.net/~alexsch/sercher/8233228/webrev.02/jdk.patch

The only difference between the updated backport and the previous 
webrev.01 version
is that the public modifier is removed from "static String[] 
getNamesByOID(String oid)" method
of CurveDB class.

All classes which use CurveDB.getNamesByOID(oid) method
are placed in the same package as CurveDB and the original jdk11u patch
has the package-private CurveDB.getNamesByOID(oid) method.

Thanks,
Alexander.

On 12/3/20 7:36 PM, Alexander Scherbatiy wrote:
> Hello,
>
> Could you review the updated backport of JDK-8233228 to 8u.
>
>   8u webrev: 
> http://cr.openjdk.java.net/~alexsch/sercher/8233228/webrev.01
>
> The classes ECParameters, NamedCurve, and CurveDB needs to be moved 
> from sun.security.ec packageto sun.security.util
> because sun.security.ec is placed in sunec.jar and these classes are 
> not accessible
> from ConstraintsParameters, DisabledAlgorithmConstraints which are 
> stored in rt.jar.
>
> Moving ECParameters, NamedCurve, and CurveDB classes is sent as a part 
> of a separate request [1]
>    JDK-8035166: Remove dependency on EC classes from pkcs11 provider
>
> The patch for JDK-8035166 needs to be applied first and the patch for 
> JDK-8233228 on top of it.
>
> The tests compact3, java_security, java_security_infra, needs_jdk, and 
> needs_jre were run.
>
> In total they contain the following crypto and security tests:
>   sun/security/tools/jarsigner/*
>   com/sun/crypto/provider/*
>   com/sun/security/*
>   java/security/*
>   javax/crypto/*
>   javax/net/ssl/*
>   javax/security/*
>   javax/xml/crypto/*
>   sun/security/*
>   security/infra/java/security/*
>
> The are no new failures comparing to the build without the fix.
>
> [1] 
> https://mail.openjdk.java.net/pipermail/jdk8u-dev/2020-December/013171.html
>
> Thanks,
> Alexander
>
> On 12/2/20 8:34 AM, Andrew Hughes wrote:
>> On 22:14 Tue 01 Dec     , Alexander Scherbatiy wrote:
>>> ​Hello,
>>>
>>> Could you review the backport of P2 JDK-8233228 to 8u.
>>>
>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8233228
>>> 11u patch: 
>>> https://hg.openjdk.java.net/jdk-updates/jdk11u/rev/a17295342862
>>> 8u webrev: 
>>> http://cr.openjdk.java.net/~alexsch/sercher/8233228/webrev.00
>>>
>>>
>>> 8233228 backport to 8u (compared to 11u):
>>> * sun.security.ec.ECParameters -> sun.security.util.ECParameters
>>> * sun.security.ec.NamedCurve   -> sun.security.util.NamedCurve
>>> * sun.security.ec.CurveDB      -> sun.security.util.CurveDB
>>> * security/tools/keytool fixed context difference
>>> * DisabledAlgorithmConstraints.java fixed context difference
>>> * Manual merge in ConstraintsParameters.java (XECKey, 
>>> NamedParameterSpec are
>>> not available in 8u).
>>> * CurveDB.SPLIT_PATTERN, CurveDB.getSupportedCurves() made public
>>> * NamedCurve class, getName(), getObjectId() made public
>>> * ECParameters.getAlgorithmParameters() made public
>>> * files java.security-<platform> are separate in each platform, applied
>>> identical changes in all
>>>
>> Why is it necessary to move the package these files are in?
>>
>> If we really need to do this, it should be done as a separate backport
>> of JDK-8035166, but I'm not yet convinced this is necessary, given the
>> disruption it will cause to code that relies on the code being in the
>> current locations.
>>
>>> The are no new failures in hotspot and compact3 tests comparing to 
>>> the build
>>> without the fix.
>> I'm not sure how HotSpot tests would relate to a crypto change. What 
>> crypto
>> tests were run?
>>
>>> Thanks,
>>> Alexander.
>>>
>> Thanks,


More information about the jdk8u-dev mailing list