From briefkasten at uebber.de Mon Feb 4 08:02:13 2008 From: briefkasten at uebber.de (Christian Uebber) Date: Mon, 4 Feb 2008 17:02:13 +0100 Subject: [security-dev 00062]: Re: DTLS design In-Reply-To: References: <474F6A8F.1050906@sun.com> <479EE956.9030700@sun.com> <3BBA6A01-3EDB-4528-886A-7A3BE893BD22@uebber.de> Message-ID: <6930FEE2-649F-4516-A138-6F10D8C1C5A9@uebber.de> A separate reliable UDP transport class/channel is obsolete. Retransmission and fragmentation can be handled transparently by an updated version of SSLEngine's Handshaker using regular unreliable DatagramChannels for transport. My first sketch was a little hasty. I've started coding on a copy of SSLEngineImpl called DTLSEngineImpl. In the end I should be able to merge the changes almost seamlessly into SSLEngineImpl, though. But threading issues need careful testing first. As it turned out SSLEngine's class diagram is not as transport independent as I'd have liked. SSLEngines are created through SSLContexts (which are also reusable for DTLS), which still have some dependencies to SSLSockets. I'm planning to return null in those cases. Right now I'm still figuring out how to get a call to SSLContext.getInstance("DTLS") connected to the correct setup of my own code's classes for DTLS. The backend classes contain less comments and some legacy workarounds which make it harder to read. But I'm getting there. I'll keep you updated... Christian Am 29.01.2008 um 14:56 schrieb Christian Uebber: > I've finished a first sketch. The application knows about when the > engine is handshaking by checking SSLEngineResult.HandshakeStatus. > All we need to do is to provide a reliable UDP transport class > (including fragmentation and reassembly) as defined in the DTLS > spec, which MUST be used for transporting when the engine is not in > the state of NOT_HANDSHAKING. Anything else could be seamlessly > integrated into SSLEngine. > > It would be nicer if this transport class wasn't specific to DTLS as > current and future connectionless protocols could provide comparable > features, but for DTLS 1.0 compliance I don't see a better way right > now. We are not forced to make this specific class mandatory, so > future implementations could just plug in alternatives when the > standard evolves. > > Christian From Bradford.Wetmore at Sun.COM Mon Feb 4 14:52:17 2008 From: Bradford.Wetmore at Sun.COM (Brad Wetmore) Date: Mon, 04 Feb 2008 14:52:17 -0800 Subject: [security-dev 00063]: Re: Application of blind signature concept on ECDSA and incorporating that into JDK 7 In-Reply-To: <47A263BB.8010905@sun.com> References: <6fce480801130437o76df35b9k1d88ce8d783fdb7a@mail.gmail.com> <47A263BB.8010905@sun.com> Message-ID: <47A79721.9050400@sun.com> deepak sahu wrote previously: >> We have fullfledged concept fo how to generate points on EC and are >> working on new blind signature concept. >> We have also implemented our idea in java. and in an email today: > What I want to know is where we can apply the concept of blind > signature in java. It's not really clear what you are proposing and thus hard to judge whether it would appropriate for inclusion in the OpenJDK. I was originally thinking that what you'd like the group to consider is to add a BlindSignature API/engine to the JDK, and that one of the possible implementations could be this new algorithm you're working on. But in today's email when you mentioned "...where we can apply...", I was wondering if you were instead looking for existing components in the JDK that could receive benefit from using a blinding algorithm. I'm not sure about the utility of a general BlindingSignature class, at least not in the way I'm thinking what such an object might look like (i.e. where a provider takes a datastream and does both blinding/signing). If you're pumping in the actual object/datastream, a malicious provider could simply capture the data, negating the blinding effect. It seems to me you'd want the blinding in your application layer that you trust, and have the providers sign the blinded data using a normal Signature object. But again, more info here would be good. >> Any one can guide us in including this RFE into jdk7 The security group (security-dev@) is the right group, but we need to understand what's really being proposed. And of course, whenever dealing in ECC (Elliptic Curve Cryptography), we will have to be very careful about patent issues. As you probably know from: http://openjdk.java.net/contribute/ contributions to the OpenJDK effort are governed by the Sun Contributor Agreement (SCA). If you're not already familiar with that information, please have a look. In your email, you mentioned "we have..." so I assume there's more than one of you. One of the things I needed to check on was how group contributions are handled. There's a FAQ on the SCA at: http://www.sun.com/software/opensource/contributor_agreement.jsp Are you part of a company, a university effort, a group of individuals, or something else? If you're a group of individuals, I'm guessing each person would probably have to sign the SCA, but I'd need to check that. I hope this helps. Brad P.S. FYI, for JDK7/OpenJDK7 we are currently working on a java version of the general ECC algorithms for the Sun/SunJCE providers, and will be based on the NSS implementation. From sgodsell at hotmail.com Wed Feb 6 20:57:16 2008 From: sgodsell at hotmail.com (Sean Godsell) Date: Wed, 6 Feb 2008 23:57:16 -0500 Subject: [security-dev 00064]: Javasss (Safe secure sandbox) Message-ID: Hello again openjdk people, I have added a number of new features and cleaned up some of the functions that were added previously. Javasss enhances the openjdk in a number of areas. The following is a list of enhancements: - Overwrite and lock users file paths to a specific base path - All temporary files can automatically be created in the base path without any program change to existing applications - You can limit the amount of storage being used in a path or file - You can limit the # of file and directories being created in path - You can make any path read only or read/write - You can allow or deny whether libraries can be loaded from a path. - You can allow or deny whether native methods can be used from a path. - You can have multiple paths to allow users to read or write to with different limiting storage and or # or files and directories. - You can limit the number of threads and thread priority. - You can limit the maximum # of windows being created. - You can allow or deny hosts and ports being used. - You can allow or deny execution of runtime process. - You can limit the amount of socket traffic throughput in bytes per second - All items can be controlled in a simple properties file - Allow threads to have different paths, and/or lock every new thread with certain paths - Allow users to configure thread paths using a key. - Existing programs and applications can run without any changes or modifications. A security manager cannot even do half the items previously listed. There is complete source code and examples at the following site: http://sourceforge.net/projects/javasss/ Sean Godsell _________________________________________________________________ From Bradford.Wetmore at Sun.COM Mon Feb 11 14:23:55 2008 From: Bradford.Wetmore at Sun.COM (Brad Wetmore) Date: Mon, 11 Feb 2008 14:23:55 -0800 Subject: [security-dev 00065]: Re: Initial OpenJDK 6 code on the way In-Reply-To: <47B0C9C4.2000902@sun.com> References: <47B0A7D2.5080106@sun.com> <7BEE245B-1F70-4183-A823-E743AC392BA2@pobox.com> <47B0C9C4.2000902@sun.com> Message-ID: <47B0CAFB.6080703@sun.com> (From a thread in discuss at o.j.n, I'm cc'ing security-dev at o.j.n) David Herron wrote: > OpenJDK 6 began from OpenJDK b20 and undid some changes with the goal of > getting it to a point where it passes JCK6a. We aren't quite there yet, > and that's still the goal. And in case anyone is wondering, some of the *POST* b20 changes have been backported into OpenJDK 6, such as the crypto (aka JCE) code. Brad From sgodsell at hotmail.com Tue Feb 12 13:50:59 2008 From: sgodsell at hotmail.com (Sean Godsell) Date: Tue, 12 Feb 2008 16:50:59 -0500 Subject: [security-dev 00066]: Javasss (Safe secure sandbox) for jdk 6 and openjdk 7 Message-ID: Hello once again openjdk people, Previously Javass required openjdk 7. Now it supports jdk 6 update 3. The following is a list of enhancements: - Overwrite and lock users file paths to a specific base path (like chroot in unix) - All temporary files can automatically be created in the base path without any program change to existing applications - You can limit the amount of storage being used in a path or file - You can limit the # of file and directories being created in path - You can make any path read only or read/write - You can allow or deny whether libraries can be loaded from a path. - You can allow or deny whether native methods can be used from a path. - You can have multiple paths to allow users to read or write to with different limiting storage and or # or files and directories. - You can limit the number of threads and thread priority. - You can limit the maximum # of windows being created. - You can allow or deny hosts and ports being used. - You can allow or deny execution of runtime process. - You can limit the amount of socket traffic throughput in bytes per second - All items can be controlled in a simple properties file - Allow threads to have different paths, and/or lock every new thread with certain paths - Allow users to configure thread paths using a key. - Existing programs and applications can run without any changes or modifications. A security manager cannot even do half the items previously listed. There is complete source code and examples are at the following site: http://javasss.sourceforge.net/ Sean Godsell _________________________________________________________________ From Weijun.Wang at Sun.COM Wed Feb 27 02:02:13 2008 From: Weijun.Wang at Sun.COM (Weijun Max Wang) Date: Wed, 27 Feb 2008 18:02:13 +0800 Subject: [security-dev 00067]: JSSE performance survey Message-ID: <47C53525.4030102@sun.com> Hi Everyone We, the Java SE security group at Sun, are planning to do some performance analysis on various security components in Java. The first target is JSSE. I'm thinking of JGSS/Kerberos and AccessController permission check also. Do you have any particular experiences (or known issues, with workarounds, and/or solutions) to share? Thanks Max From mr at sun.com Fri Feb 29 22:31:20 2008 From: mr at sun.com (mr at sun.com) Date: Sat, 01 Mar 2008 06:31:20 +0000 Subject: [security-dev 00068]: hg: jdk7/jsn: 2 new changesets Message-ID: <20080301063120.CF3AE26FE6@hg.openjdk.java.net> Changeset: 0a5c5386a678 Author: xdono Date: 2007-12-04 16:28 -0800 URL: http://hg.openjdk.java.net/jdk7/jsn/rev/0a5c5386a678 Added tag jdk7-b24 for changeset cfeea66a3fa8 + .hgtags Changeset: c57bef8dda9c Author: mr Date: 2008-02-29 20:03 -0800 URL: http://hg.openjdk.java.net/jdk7/jsn/rev/c57bef8dda9c 6669216: Add jcheck configuration directories Reviewed-by: ohair, xdono + .jcheck/conf From mr at sun.com Fri Feb 29 22:31:32 2008 From: mr at sun.com (mr at sun.com) Date: Sat, 01 Mar 2008 06:31:32 +0000 Subject: [security-dev 00069]: hg: jdk7/jsn/corba: 2 new changesets Message-ID: <20080301063134.56EE226FED@hg.openjdk.java.net> Changeset: 474c23b174e9 Author: xdono Date: 2007-12-04 16:28 -0800 URL: http://hg.openjdk.java.net/jdk7/jsn/corba/rev/474c23b174e9 Added tag jdk7-b24 for changeset 55540e827aef + .hgtags Changeset: fec639c69db2 Author: mr Date: 2008-02-29 20:03 -0800 URL: http://hg.openjdk.java.net/jdk7/jsn/corba/rev/fec639c69db2 6669216: Add jcheck configuration directories Reviewed-by: ohair, xdono + .jcheck/conf From mr at sun.com Fri Feb 29 22:31:58 2008 From: mr at sun.com (mr at sun.com) Date: Sat, 01 Mar 2008 06:31:58 +0000 Subject: [security-dev 00070]: hg: jdk7/jsn/hotspot: 2 new changesets Message-ID: <20080301063203.B8E8526FF4@hg.openjdk.java.net> Changeset: 92489cdc94d1 Author: xdono Date: 2007-12-04 16:28 -0800 URL: http://hg.openjdk.java.net/jdk7/jsn/hotspot/rev/92489cdc94d1 Added tag jdk7-b24 for changeset a61af66fc99e + .hgtags Changeset: 7836be3e92d0 Author: mr Date: 2008-02-29 20:03 -0800 URL: http://hg.openjdk.java.net/jdk7/jsn/hotspot/rev/7836be3e92d0 6669216: Add jcheck configuration directories Reviewed-by: ohair, xdono + .jcheck/conf From mr at sun.com Fri Feb 29 22:33:12 2008 From: mr at sun.com (mr at sun.com) Date: Sat, 01 Mar 2008 06:33:12 +0000 Subject: [security-dev 00071]: hg: jdk7/jsn/jaxp: 2 new changesets Message-ID: <20080301063315.BCF9B26FFB@hg.openjdk.java.net> Changeset: 9e3c1ad7cdb9 Author: xdono Date: 2007-12-04 16:28 -0800 URL: http://hg.openjdk.java.net/jdk7/jsn/jaxp/rev/9e3c1ad7cdb9 Added tag jdk7-b24 for changeset 6ce5f4757bde + .hgtags Changeset: 49a4bc7b0aa0 Author: mr Date: 2008-02-29 20:03 -0800 URL: http://hg.openjdk.java.net/jdk7/jsn/jaxp/rev/49a4bc7b0aa0 6669216: Add jcheck configuration directories Reviewed-by: ohair, xdono + .jcheck/conf From mr at sun.com Fri Feb 29 22:33:29 2008 From: mr at sun.com (mr at sun.com) Date: Sat, 01 Mar 2008 06:33:29 +0000 Subject: [security-dev 00072]: hg: jdk7/jsn/jaxws: 2 new changesets Message-ID: <20080301063332.968F126004@hg.openjdk.java.net> Changeset: 7d53d3bd7879 Author: xdono Date: 2007-12-04 16:28 -0800 URL: http://hg.openjdk.java.net/jdk7/jsn/jaxws/rev/7d53d3bd7879 Added tag jdk7-b24 for changeset 0961a4a21176 + .hgtags Changeset: 018781e80410 Author: mr Date: 2008-02-29 20:03 -0800 URL: http://hg.openjdk.java.net/jdk7/jsn/jaxws/rev/018781e80410 6669216: Add jcheck configuration directories Reviewed-by: ohair, xdono + .jcheck/conf From mr at sun.com Fri Feb 29 22:33:46 2008 From: mr at sun.com (mr at sun.com) Date: Sat, 01 Mar 2008 06:33:46 +0000 Subject: [security-dev 00073]: hg: jdk7/jsn/jdk: 2 new changesets Message-ID: <20080301063420.547C72600B@hg.openjdk.java.net> Changeset: 99a06bc7fdb5 Author: xdono Date: 2007-12-04 16:28 -0800 URL: http://hg.openjdk.java.net/jdk7/jsn/jdk/rev/99a06bc7fdb5 Added tag jdk7-b24 for changeset 37a05a11f281 + .hgtags Changeset: 8266cb7549d3 Author: mr Date: 2008-02-29 20:04 -0800 URL: http://hg.openjdk.java.net/jdk7/jsn/jdk/rev/8266cb7549d3 6669216: Add jcheck configuration directories Reviewed-by: ohair, xdono + .jcheck/conf From mr at sun.com Fri Feb 29 22:36:08 2008 From: mr at sun.com (mr at sun.com) Date: Sat, 01 Mar 2008 06:36:08 +0000 Subject: [security-dev 00074]: hg: jdk7/jsn/langtools: 2 new changesets Message-ID: <20080301063611.A494D26016@hg.openjdk.java.net> Changeset: e4dae1993f8b Author: xdono Date: 2007-12-04 16:28 -0800 URL: http://hg.openjdk.java.net/jdk7/jsn/langtools/rev/e4dae1993f8b Added tag jdk7-b24 for changeset 9a66ca7c79fa + .hgtags Changeset: e5e9fa6fa29c Author: mr Date: 2008-02-29 20:04 -0800 URL: http://hg.openjdk.java.net/jdk7/jsn/langtools/rev/e5e9fa6fa29c 6669216: Add jcheck configuration directories Reviewed-by: ohair, xdono + .jcheck/conf From mr at sun.com Fri Feb 29 23:01:06 2008 From: mr at sun.com (mr at sun.com) Date: Sat, 01 Mar 2008 07:01:06 +0000 Subject: [security-dev 00075]: hg: jdk7/tl: 2 new changesets Message-ID: <20080301070106.D21DF260EE@hg.openjdk.java.net> Changeset: 0a5c5386a678 Author: xdono Date: 2007-12-04 16:28 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/rev/0a5c5386a678 Added tag jdk7-b24 for changeset cfeea66a3fa8 + .hgtags Changeset: c57bef8dda9c Author: mr Date: 2008-02-29 20:03 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/rev/c57bef8dda9c 6669216: Add jcheck configuration directories Reviewed-by: ohair, xdono + .jcheck/conf From mr at sun.com Fri Feb 29 23:01:20 2008 From: mr at sun.com (mr at sun.com) Date: Sat, 01 Mar 2008 07:01:20 +0000 Subject: [security-dev 00076]: hg: jdk7/tl/corba: 2 new changesets Message-ID: <20080301070122.5C23C260F5@hg.openjdk.java.net> Changeset: 474c23b174e9 Author: xdono Date: 2007-12-04 16:28 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/corba/rev/474c23b174e9 Added tag jdk7-b24 for changeset 55540e827aef + .hgtags Changeset: fec639c69db2 Author: mr Date: 2008-02-29 20:03 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/corba/rev/fec639c69db2 6669216: Add jcheck configuration directories Reviewed-by: ohair, xdono + .jcheck/conf From mr at sun.com Fri Feb 29 23:01:48 2008 From: mr at sun.com (mr at sun.com) Date: Sat, 01 Mar 2008 07:01:48 +0000 Subject: [security-dev 00077]: hg: jdk7/tl/hotspot: 2 new changesets Message-ID: <20080301070153.C9D70260FC@hg.openjdk.java.net> Changeset: 92489cdc94d1 Author: xdono Date: 2007-12-04 16:28 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/92489cdc94d1 Added tag jdk7-b24 for changeset a61af66fc99e + .hgtags Changeset: 7836be3e92d0 Author: mr Date: 2008-02-29 20:03 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/hotspot/rev/7836be3e92d0 6669216: Add jcheck configuration directories Reviewed-by: ohair, xdono + .jcheck/conf From mr at sun.com Fri Feb 29 23:02:39 2008 From: mr at sun.com (mr at sun.com) Date: Sat, 01 Mar 2008 07:02:39 +0000 Subject: [security-dev 00078]: hg: jdk7/tl/jaxp: 2 new changesets Message-ID: <20080301070242.F009126103@hg.openjdk.java.net> Changeset: 9e3c1ad7cdb9 Author: xdono Date: 2007-12-04 16:28 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jaxp/rev/9e3c1ad7cdb9 Added tag jdk7-b24 for changeset 6ce5f4757bde + .hgtags Changeset: 49a4bc7b0aa0 Author: mr Date: 2008-02-29 20:03 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jaxp/rev/49a4bc7b0aa0 6669216: Add jcheck configuration directories Reviewed-by: ohair, xdono + .jcheck/conf From mr at sun.com Fri Feb 29 23:02:58 2008 From: mr at sun.com (mr at sun.com) Date: Sat, 01 Mar 2008 07:02:58 +0000 Subject: [security-dev 00079]: hg: jdk7/tl/jaxws: 2 new changesets Message-ID: <20080301070301.9CAA22610A@hg.openjdk.java.net> Changeset: 7d53d3bd7879 Author: xdono Date: 2007-12-04 16:28 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jaxws/rev/7d53d3bd7879 Added tag jdk7-b24 for changeset 0961a4a21176 + .hgtags Changeset: 018781e80410 Author: mr Date: 2008-02-29 20:03 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jaxws/rev/018781e80410 6669216: Add jcheck configuration directories Reviewed-by: ohair, xdono + .jcheck/conf From mr at sun.com Fri Feb 29 23:03:17 2008 From: mr at sun.com (mr at sun.com) Date: Sat, 01 Mar 2008 07:03:17 +0000 Subject: [security-dev 00080]: hg: jdk7/tl/jdk: 2 new changesets Message-ID: <20080301070353.B6CF526111@hg.openjdk.java.net> Changeset: 99a06bc7fdb5 Author: xdono Date: 2007-12-04 16:28 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/99a06bc7fdb5 Added tag jdk7-b24 for changeset 37a05a11f281 + .hgtags Changeset: 8266cb7549d3 Author: mr Date: 2008-02-29 20:04 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/jdk/rev/8266cb7549d3 6669216: Add jcheck configuration directories Reviewed-by: ohair, xdono + .jcheck/conf From mr at sun.com Fri Feb 29 23:05:35 2008 From: mr at sun.com (mr at sun.com) Date: Sat, 01 Mar 2008 07:05:35 +0000 Subject: [security-dev 00081]: hg: jdk7/tl/langtools: 2 new changesets Message-ID: <20080301070539.3717326118@hg.openjdk.java.net> Changeset: e4dae1993f8b Author: xdono Date: 2007-12-04 16:28 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/e4dae1993f8b Added tag jdk7-b24 for changeset 9a66ca7c79fa + .hgtags Changeset: e5e9fa6fa29c Author: mr Date: 2008-02-29 20:04 -0800 URL: http://hg.openjdk.java.net/jdk7/tl/langtools/rev/e5e9fa6fa29c 6669216: Add jcheck configuration directories Reviewed-by: ohair, xdono + .jcheck/conf