references ...
as intended. I have verified a docs build with the fix produced the
desired output.
I came across this javadoc issue while working on a fix for JDK-8072734:
Turn on doclint checking in the build of modules in the jdk repo. Fixing
JDK-8075034 will allow full doclint checking on the module containing
javax.xml.crypto.dsig.
Thanks,
-Joe
diff -r bd800bc5d699
src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/Manifest.java
---
a/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/Manifest.java
Wed Mar 11 08:33:12 2015 -0700
+++
b/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/Manifest.java
Wed Mar 11 19:25:51 2015 -0700
@@ -52,7 +52,7 @@
*
* XMLSignatureFactory factory = XMLSignatureFactory.getInstance("DOM");
* Reference ref = factory.newReference("#reference-1",
DigestMethod.SHA1);
- * List references = Collections.singletonList(ref);
+ * List<Reference> references = Collections.singletonList(ref);
* Manifest manifest = factory.newManifest(references, "manifest-1");
*
*
diff -r bd800bc5d699
src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/XMLObject.java
---
a/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/XMLObject.java
Wed Mar 11 08:33:12 2015 -0700
+++
b/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/XMLObject.java
Wed Mar 11 19:25:51 2015 -0700
@@ -65,7 +65,7 @@
*
* XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
* Manifest manifest = fac.newManifest(references);
- * List content = Collections.singletonList(manifest);
+ * List<XMLStructure> content =
Collections.singletonList(manifest);
* XMLObject object = factory.newXMLObject(content, "object-1",
null, null);
*
*
From sean.mullan at oracle.com Thu Mar 12 11:51:44 2015
From: sean.mullan at oracle.com (Sean Mullan)
Date: Thu, 12 Mar 2015 07:51:44 -0400
Subject: JDK 9 RFR of JDK-8075034: Bad javadoc tags in
javax.xml.crypto.dsig
In-Reply-To: <5500FA69.1070300@oracle.com>
References: <5500FA69.1070300@oracle.com>
Message-ID: <55017DD0.7030705@oracle.com>
Looks good.
Thanks,
Sean
On 03/11/2015 10:31 PM, joe darcy wrote:
> Hello,
>
> Please review the patch below to correct JDK-8075034: Bad javadoc tags
> in javax.xml.crypto.dsig.
>
> In several cases, the javadoc uses unescaped "<" and ">" characters
> which is flagged as a problem by doclint. In addition, the javadoc as it
> currently stands renders improperly and omits the generics information;
> in other words, the code in the javadoc gets listed as
>
> List references ....
>
> rather than
>
> List references ...
>
> as intended. I have verified a docs build with the fix produced the
> desired output.
>
> I came across this javadoc issue while working on a fix for JDK-8072734:
> Turn on doclint checking in the build of modules in the jdk repo. Fixing
> JDK-8075034 will allow full doclint checking on the module containing
> javax.xml.crypto.dsig.
>
> Thanks,
>
> -Joe
>
> diff -r bd800bc5d699
> src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/Manifest.java
> ---
> a/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/Manifest.java
> Wed Mar 11 08:33:12 2015 -0700
> +++
> b/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/Manifest.java
> Wed Mar 11 19:25:51 2015 -0700
> @@ -52,7 +52,7 @@
> *
> * XMLSignatureFactory factory =
> XMLSignatureFactory.getInstance("DOM");
> * Reference ref = factory.newReference("#reference-1",
> DigestMethod.SHA1);
> - * List references = Collections.singletonList(ref);
> + * List<Reference> references = Collections.singletonList(ref);
> * Manifest manifest = factory.newManifest(references, "manifest-1");
> *
> *
> diff -r bd800bc5d699
> src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/XMLObject.java
> ---
> a/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/XMLObject.java
> Wed Mar 11 08:33:12 2015 -0700
> +++
> b/src/java.xml.crypto/share/classes/javax/xml/crypto/dsig/XMLObject.java
> Wed Mar 11 19:25:51 2015 -0700
> @@ -65,7 +65,7 @@
> *
> * XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
> * Manifest manifest = fac.newManifest(references);
> - * List content = Collections.singletonList(manifest);
> + * List<XMLStructure> content =
> Collections.singletonList(manifest);
> * XMLObject object = factory.newXMLObject(content, "object-1",
> null, null);
> *
> *
>
From sean.mullan at oracle.com Thu Mar 12 15:29:07 2015
From: sean.mullan at oracle.com (Sean Mullan)
Date: Thu, 12 Mar 2015 11:29:07 -0400
Subject: [9] Review Request: 8028266 Tidy warnings cleanup
for packages java.security/javax.security
In-Reply-To: <54FEEBE8.8050907@oracle.com>
References: <5354EEE8.8040303@oracle.com>
<535588E8.5080200@oracle.com> <535671A3.2070804@oracle.com>
<54FEEBE8.8050907@oracle.com>
Message-ID: <5501B0C3.40704@oracle.com>
This looks fine to me. Note that the warning in PKCS8EncodedKeySpec has
already been fixed -- see JDK-8074788.
--Sean
On 03/10/2015 09:04 AM, alexander stepanov wrote:
> Hello Bradford,
>
> I have finally to fix tidy warnings for java.security, javax.security,
> javax.crypto and javax.net packages (sorry for repeated request).
>
> Could you please review the webrev updated?
> http://cr.openjdk.java.net/~avstepan/8028266/webrev.02/
>
> It was re-generated because of changes in JDK code layout and contains
> fixes for JDK-8040260, JDK-8028266.
>
> Could please anyone from JCE team suggest what should be done for the
> next step if the fixes are satisfactory?
>
> Thanks,
> Alexander
>
>
> On 22.04.2014 16:41, alexander stepanov wrote:
>> Hello Bradford,
>>
>> Thanks,
>>
>> Could you please review again:
>> http://cr.openjdk.java.net/~yan/JDK-8028266/webrev.01/
>>
>> > Who is going to help you with that?
>> I didn't communicate with JCE team before. So could you please appoint
>> me someone to contact? Thanks.
>>
>> Regards,
>> Alexander
>>
>>
>> On 22.04.2014 1:08, Bradford Wetmore wrote:
>>> We usually update the copyright dates:
>>>
>>> * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights
>>> reserved.
>>>
>>> javax/security/auth/kerberos/package-info.java
>>> ==============================================
>>>
>>> "yes", or "no", case-insensitive.
>>> ->
>>> "yes", or "no", and values are case-insensitive.
>>>
>>> I noticed in several places that while your changes are ok, it
>>> doesn't update the value instead of switching to {@code value}.
>>>
>>> In a previous webrev, I mentioned that you'll need to work with
>>> someone to update the built JCE binaries for the javax.crypto
>>> changes. Who is going to help you with that?
>>>
>>> Brad
>>>
>>>
>>>
>>> On 4/21/2014 3:11 AM, alexander stepanov wrote:
>>>> Hello,
>>>>
>>>> Could you please review the fix for the following bug:
>>>> https://bugs.openjdk.java.net/browse/JDK-8028266
>>>>
>>>> Webrev corresponding:
>>>> http://cr.openjdk.java.net/~yan/JDK-8028266/webrev.00/
>>>>
>>>> Just a minor cleanup of javadoc to avoid tidy warnings; no other code
>>>> affected.
>>>>
>>>> Thanks.
>>>>
>>>> Regards,
>>>> Alexander
>>
>
From alexander.v.stepanov at oracle.com Fri Mar 13 14:08:56 2015
From: alexander.v.stepanov at oracle.com (alexander stepanov)
Date: Fri, 13 Mar 2015 17:08:56 +0300
Subject: [9] Review Request: 8028266 Tidy warnings cleanup
for packages java.security/javax.security
In-Reply-To: <5501B0C3.40704@oracle.com>
References: <5354EEE8.8040303@oracle.com>
<535588E8.5080200@oracle.com> <535671A3.2070804@oracle.com>
<54FEEBE8.8050907@oracle.com> <5501B0C3.40704@oracle.com>
Message-ID: <5502EF78.7060601@oracle.com>
Hello Sean,
Thank you.
Regards,
Alexander
On 12.03.2015 18:29, Sean Mullan wrote:
> This looks fine to me. Note that the warning in PKCS8EncodedKeySpec
> has already been fixed -- see JDK-8074788.
>
> --Sean
>
> On 03/10/2015 09:04 AM, alexander stepanov wrote:
>> Hello Bradford,
>>
>> I have finally to fix tidy warnings for java.security, javax.security,
>> javax.crypto and javax.net packages (sorry for repeated request).
>>
>> Could you please review the webrev updated?
>> http://cr.openjdk.java.net/~avstepan/8028266/webrev.02/
>>
>> It was re-generated because of changes in JDK code layout and contains
>> fixes for JDK-8040260, JDK-8028266.
>>
>> Could please anyone from JCE team suggest what should be done for the
>> next step if the fixes are satisfactory?
>>
>> Thanks,
>> Alexander
>>
>>
>> On 22.04.2014 16:41, alexander stepanov wrote:
>>> Hello Bradford,
>>>
>>> Thanks,
>>>
>>> Could you please review again:
>>> http://cr.openjdk.java.net/~yan/JDK-8028266/webrev.01/
>>>
>>> > Who is going to help you with that?
>>> I didn't communicate with JCE team before. So could you please appoint
>>> me someone to contact? Thanks.
>>>
>>> Regards,
>>> Alexander
>>>
>>>
>>> On 22.04.2014 1:08, Bradford Wetmore wrote:
>>>> We usually update the copyright dates:
>>>>
>>>> * Copyright (c) 1997, 2014, Oracle and/or its affiliates. All rights
>>>> reserved.
>>>>
>>>> javax/security/auth/kerberos/package-info.java
>>>> ==============================================
>>>>
>>>> "yes", or "no", case-insensitive.
>>>> ->
>>>> "yes", or "no", and values are case-insensitive.
>>>>
>>>> I noticed in several places that while your changes are ok, it
>>>> doesn't update the value instead of switching to {@code value}.
>>>>
>>>> In a previous webrev, I mentioned that you'll need to work with
>>>> someone to update the built JCE binaries for the javax.crypto
>>>> changes. Who is going to help you with that?
>>>>
>>>> Brad
>>>>
>>>>
>>>>
>>>> On 4/21/2014 3:11 AM, alexander stepanov wrote:
>>>>> Hello,
>>>>>
>>>>> Could you please review the fix for the following bug:
>>>>> https://bugs.openjdk.java.net/browse/JDK-8028266
>>>>>
>>>>> Webrev corresponding:
>>>>> http://cr.openjdk.java.net/~yan/JDK-8028266/webrev.00/
>>>>>
>>>>> Just a minor cleanup of javadoc to avoid tidy warnings; no other code
>>>>> affected.
>>>>>
>>>>> Thanks.
>>>>>
>>>>> Regards,
>>>>> Alexander
>>>
>>
From sean.mullan at oracle.com Fri Mar 13 15:43:56 2015
From: sean.mullan at oracle.com (Sean Mullan)
Date: Fri, 13 Mar 2015 11:43:56 -0400
Subject: RFR: [Update 2] 8074064 : OCSPResponse.SingleResponse objects
do not parse singleExtensions
In-Reply-To: <5500BD4A.6070505@oracle.com>
References: <54F4FAC0.2040703@oracle.com>
<54F63330.8030104@oracle.com> <54F64D7E.4080802@oracle.com>
<54F78C26.8090207@oracle.com> <55005369.207@oracle.com>
<5500BD4A.6070505@oracle.com>
Message-ID: <550305BC.7000303@oracle.com>
On 03/11/2015 06:10 PM, Jamil Nimeh wrote:
> Okay, an updated webrev has been posted that addresses Sean's comments
> (thanks, BTW).
>
> http://cr.openjdk.java.net/~jnimeh/reviews/8074064/webrev.04/
Code changes look good, but I had not reviewed the test so here are a
few more comments on that part.
- for the path, can you remove "Tests" from the directory name?
Everything is a test so that seems redundant to me. So the new path
would be test/sun/security/provider/certpath/OCSP
- Why do you need the DEBUG boolean property? When would you ever want
to turn this off? Most of the debug info is valuable (like "Single
Extension count mismatch ...") so when something fails you would always
want to see it in the logs.
- readFile should create the FileReader in a try-with-resources block so
it is closed.
- line 165 needs a 4-space indent
--Sean
>
> --Jamil
>
> On 03/11/2015 07:38 AM, Sean Mullan wrote:
>> Hi Jamil,
>>
>> Just a few comments, mostly minor.
>>
>> * OCSPResponse
>>
>> 768: there is an extra space in the indentation
>>
>> 811: use Collections.emptyMap instead of new HashMap<>() as that does
>> not allocate a new Map object.
>>
>> 813-15,861-63: Use Map.values instead of Map.keySet, ex:
>>
>> for (Extension ext : singleExtensions.values()) {
>> sb.append("singleExtension: " + ext + "\n");
>> }
>>
>> 784-807: I think this code could be compressed a bit to avoid calling
>> parseExtensions twice. You can eliminate lines 786-92, if you do
>> something like this (I think), starting at line 784:
>>
>> if (tmp.available() > 0) {
>> derVal = tmp.getDerValue();
>> } else {
>> derVal == null;
>> }
>>
>> then what is now line 794 becomes:
>>
>> if (derVal != null && derVal.isContextSpecific((byte)1)) {
>>
>> --Sean
>>
>> On 03/04/2015 05:50 PM, Jamil Nimeh wrote:
>>> One more round of updates. Only the test code and the test inputs have
>>> changed. Test input is now Base64 format, with comment headers that
>>> display the OCSP response pretty-print (or an asn1parse of the
>>> BasicOCSPResponse for malformed response test cases).
>>>
>>> http://cr.openjdk.java.net/~jnimeh/reviews/8074064/webrev.03/index.html
>>>
>>> Thanks, Vinnie for the feedback and suggestions!
>>> --Jamil
>>>
>>> On 03/03/2015 04:10 PM, Jamil Nimeh wrote:
>>>> Okay, I've got an updated webrev for this issue:
>>>> http://cr.openjdk.java.net/~jnimeh/reviews/8074064/webrev.02/index.html
>>>>
>>>> Thanks,
>>>> --Jamil
>>>>
>>>> On 03/03/2015 02:18 PM, Jamil Nimeh wrote:
>>>>> Hello all, I've come across a couple edge cases that this fix doesn't
>>>>> cover properly. I'll put out another webrev in a bit that should
>>>>> tighten up the singleResponse parsing, particularly with the optional
>>>>> fields. It will also include a couple other negative test input
>>>>> samples.
>>>>>
>>>>> Thanks,
>>>>> --Jamil
>>>>>
>>>>> On 03/02/2015 04:05 PM, Jamil Nimeh wrote:
>>>>>> Hello all, this review fixes an issue in OCSPResponse where it does
>>>>>> not parse singleExtensions in the SingleResponse structure. I also
>>>>>> fixed two minor deviations from the OCSP.RevocationStatus interface
>>>>>> when getRevocationTime and getRevocationReason are called on good
>>>>>> responses.
>>>>>>
>>>>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8074064
>>>>>> Review:
>>>>>> http://cr.openjdk.java.net/~jnimeh/reviews/8074064/webrev.01/index.html
>>>>>>
>>>>>>
>>>>>> Thank you,
>>>>>> --Jamil
>>>>>
>>>>
>>>
>
From jamil.j.nimeh at oracle.com Fri Mar 13 16:04:01 2015
From: jamil.j.nimeh at oracle.com (Jamil Nimeh)
Date: Fri, 13 Mar 2015 09:04:01 -0700
Subject: RFR: [Update 2] 8074064 : OCSPResponse.SingleResponse objects
do not parse singleExtensions
In-Reply-To: <550305BC.7000303@oracle.com>
References: <54F4FAC0.2040703@oracle.com>
<54F63330.8030104@oracle.com> <54F64D7E.4080802@oracle.com>
<54F78C26.8090207@oracle.com> <55005369.207@oracle.com>
<5500BD4A.6070505@oracle.com> <550305BC.7000303@oracle.com>
Message-ID: <55030A71.7050203@oracle.com>
On 03/13/2015 08:43 AM, Sean Mullan wrote:
> On 03/11/2015 06:10 PM, Jamil Nimeh wrote:
>> Okay, an updated webrev has been posted that addresses Sean's comments
>> (thanks, BTW).
>>
>> http://cr.openjdk.java.net/~jnimeh/reviews/8074064/webrev.04/
>
> Code changes look good, but I had not reviewed the test so here are a
> few more comments on that part.
>
> - for the path, can you remove "Tests" from the directory name?
> Everything is a test so that seems redundant to me. So the new path
> would be test/sun/security/provider/certpath/OCSP
Yeah, I guess it is redundant, isn't it? I can change that. I probably
should do the same with a bunch of my OCSP stapling unit tests too.
>
> - Why do you need the DEBUG boolean property? When would you ever want
> to turn this off? Most of the debug info is valuable (like "Single
> Extension count mismatch ...") so when something fails you would
> always want to see it in the logs.
>
Force of habit. Some of my other tests, particularly in the SSL arena,
have debug output that can get very chatty, above and beyond what would
be useful for normal log output. For a test like this though, what you
say makes sense. I'll rip that out and just go with normal
System.out.println output.
> - readFile should create the FileReader in a try-with-resources block
> so it is closed.
Oh wow. I should've caught that.
>
> - line 165 needs a 4-space indent
>
All these will be fixed up in a jiffy.
> --Sean
>
>>
>> --Jamil
>>
>> On 03/11/2015 07:38 AM, Sean Mullan wrote:
>>> Hi Jamil,
>>>
>>> Just a few comments, mostly minor.
>>>
>>> * OCSPResponse
>>>
>>> 768: there is an extra space in the indentation
>>>
>>> 811: use Collections.emptyMap instead of new HashMap<>() as that does
>>> not allocate a new Map object.
>>>
>>> 813-15,861-63: Use Map.values instead of Map.keySet, ex:
>>>
>>> for (Extension ext : singleExtensions.values()) {
>>> sb.append("singleExtension: " + ext + "\n");
>>> }
>>>
>>> 784-807: I think this code could be compressed a bit to avoid calling
>>> parseExtensions twice. You can eliminate lines 786-92, if you do
>>> something like this (I think), starting at line 784:
>>>
>>> if (tmp.available() > 0) {
>>> derVal = tmp.getDerValue();
>>> } else {
>>> derVal == null;
>>> }
>>>
>>> then what is now line 794 becomes:
>>>
>>> if (derVal != null && derVal.isContextSpecific((byte)1)) {
>>>
>>> --Sean
>>>
>>> On 03/04/2015 05:50 PM, Jamil Nimeh wrote:
>>>> One more round of updates. Only the test code and the test inputs
>>>> have
>>>> changed. Test input is now Base64 format, with comment headers that
>>>> display the OCSP response pretty-print (or an asn1parse of the
>>>> BasicOCSPResponse for malformed response test cases).
>>>>
>>>> http://cr.openjdk.java.net/~jnimeh/reviews/8074064/webrev.03/index.html
>>>>
>>>>
>>>> Thanks, Vinnie for the feedback and suggestions!
>>>> --Jamil
>>>>
>>>> On 03/03/2015 04:10 PM, Jamil Nimeh wrote:
>>>>> Okay, I've got an updated webrev for this issue:
>>>>> http://cr.openjdk.java.net/~jnimeh/reviews/8074064/webrev.02/index.html
>>>>>
>>>>>
>>>>> Thanks,
>>>>> --Jamil
>>>>>
>>>>> On 03/03/2015 02:18 PM, Jamil Nimeh wrote:
>>>>>> Hello all, I've come across a couple edge cases that this fix
>>>>>> doesn't
>>>>>> cover properly. I'll put out another webrev in a bit that should
>>>>>> tighten up the singleResponse parsing, particularly with the
>>>>>> optional
>>>>>> fields. It will also include a couple other negative test input
>>>>>> samples.
>>>>>>
>>>>>> Thanks,
>>>>>> --Jamil
>>>>>>
>>>>>> On 03/02/2015 04:05 PM, Jamil Nimeh wrote:
>>>>>>> Hello all, this review fixes an issue in OCSPResponse where it does
>>>>>>> not parse singleExtensions in the SingleResponse structure. I also
>>>>>>> fixed two minor deviations from the OCSP.RevocationStatus interface
>>>>>>> when getRevocationTime and getRevocationReason are called on good
>>>>>>> responses.
>>>>>>>
>>>>>>> Bug: https://bugs.openjdk.java.net/browse/JDK-8074064
>>>>>>> Review:
>>>>>>> http://cr.openjdk.java.net/~jnimeh/reviews/8074064/webrev.01/index.html
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Thank you,
>>>>>>> --Jamil
>>>>>>
>>>>>
>>>>
>>
From mandy.chung at oracle.com Fri Mar 13 18:37:36 2015
From: mandy.chung at oracle.com (Mandy Chung)
Date: Fri, 13 Mar 2015 11:37:36 -0700
Subject: Review Request: 8074428, 8074429, 8074430 jdk.pack200, jdk.jartool,
jdk.policytool modules
In-Reply-To: <54FF28A4.9080303@oracle.com>
References: <54F7ADCE.50900@oracle.com> <54FF28A4.9080303@oracle.com>
Message-ID: <55032E70.1040302@oracle.com>
This module contains both pack200 and unpack200 tools although it only
contains the native implementation of unpacker. Naming it as
jdk.unpack200 would give an impression that it contains the unpacker
only which isn't the case.
Like the API java.util.jar.Pack200 class, it's about Pack200 format and
it has both Pack200.Packer and Pack200.Unpacker nested interfaces
jdk.pack200 represents the tools for Pack200 format that sounds fine to me.
Mandy
On 3/10/2015 10:23 AM, Kumar Srinivasan wrote:
> The changes look ok to me, however I am wondering if the module
> could be called jdk.unpack200 and not jdk.pack200 ? since it
> contains only the unpacker, and the bin utilities are pack200 and
> unpack200.
>
> Kumar
>
> On 3/4/2015 5:13 PM, Mandy Chung wrote:
>> As listed in an open issue in JEP 200:
>>
>> The jdk.dev and jdk.runtime modules contain miscellaneous tools that do
>> not obviously belong to any other module; these modules will eventually
>> be either renamed or refactored.
>>
>> Currently there are jdk.javadoc, jdk.jconsole, jdk.jcmd modules in
>> the JDK that are organized around its primary tool. Such organization
>> is easy to name, document and understand. This patch proposes to
>> move tools from jdk.runtime and jdk.dev to jdk.pack200, jdk.jartool,
>> jdk.policytool modules.
>>
>> Overall Webrev that will be convenient to review the build change
>> and modules.xml change.
>> http://cr.openjdk.java.net/~mchung/jdk9/webrevs/8074428%2b8074429%2b8074430/webrev.00/
>>
>>
>> Separate webrevs for each issue:
>> 1. pack200, unpack200 to jdk.pack200
>>
>> http://cr.openjdk.java.net/~mchung/jdk9/webrevs/8074428%2b8074429%2b8074430/8074428/webrev.00/
>>
>>
>> 2. jar, jarsigner to jdk.jartool
>>
>> http://cr.openjdk.java.net/~mchung/jdk9/webrevs/8074428%2b8074429%2b8074430/8074429/webrev.00/
>>
>>
>> 3. policytool to jdk.policytool
>>
>> http://cr.openjdk.java.net/~mchung/jdk9/webrevs/8074428%2b8074429%2b8074430/8074430/webrev.00/
>>
>>
>> There are remaining tools in jdk.dev that will be handled separately.
>> jdk.dev will disappear when all of the remaining tools find its home.
>>
>> Mandy
>>
>
From jamil.j.nimeh at oracle.com Sat Mar 14 06:17:35 2015
From: jamil.j.nimeh at oracle.com (Jamil Nimeh)
Date: Fri, 13 Mar 2015 23:17:35 -0700
Subject: RFR: JDK-6996366 : convert MacAlg to an enum
In-Reply-To: <5500D5EA.9060902@oracle.com>
References: <5500D5EA.9060902@oracle.com>
Message-ID: <5503D27F.8040107@oracle.com>
Ping?
On 03/11/2015 04:55 PM, Jamil Nimeh wrote:
> Hello all,
>
> This bug moves the internal MacAlg concrete class to an enum, and
> alters the CipherSuite constructor to no longer use String parsing on
> the cipher suite name to determine the MacAlg. Instead, the
> constructor now requires the caller to pass in a MacAlg, similar to
> how it already takes a KeyExchange and BulkCipher.
>
> Bug: https://bugs.openjdk.java.net/browse/JDK-6996366
> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/6996366/webrev.01/
>
> Thanks,
> --Jamil
From xuelei.fan at oracle.com Sat Mar 14 08:08:34 2015
From: xuelei.fan at oracle.com (Xuelei Fan)
Date: Sat, 14 Mar 2015 16:08:34 +0800
Subject: RFR: JDK-6996366 : convert MacAlg to an enum
In-Reply-To: <5500D5EA.9060902@oracle.com>
References: <5500D5EA.9060902@oracle.com>
Message-ID: <5503EC82.5020808@oracle.com>
Looks fine to me.
Do you want to consider a similar conversion on BulkCipher? Maybe in a
new bug.
Thanks,
Xuelei
On 3/12/2015 7:55 AM, Jamil Nimeh wrote:
> Hello all,
>
> This bug moves the internal MacAlg concrete class to an enum, and alters
> the CipherSuite constructor to no longer use String parsing on the
> cipher suite name to determine the MacAlg. Instead, the constructor now
> requires the caller to pass in a MacAlg, similar to how it already takes
> a KeyExchange and BulkCipher.
>
> Bug: https://bugs.openjdk.java.net/browse/JDK-6996366
> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/6996366/webrev.01/
>
> Thanks,
> --Jamil
From jamil.j.nimeh at oracle.com Sat Mar 14 10:54:52 2015
From: jamil.j.nimeh at oracle.com (Jamil Nimeh)
Date: Sat, 14 Mar 2015 03:54:52 -0700
Subject: RFR: JDK-6996366 : convert MacAlg to an enum
In-Reply-To: <5503EC82.5020808@oracle.com>
References: <5500D5EA.9060902@oracle.com> <5503EC82.5020808@oracle.com>
Message-ID: <5504137C.7000004@oracle.com>
Or we could just take care of it now, since I'm already making enums out
of things.
http://cr.openjdk.java.net/~jnimeh/reviews/6996366/webrev.02/
I don't see any differences in jtreg results across the 211 ssl tests I
ran so that seems like a good sign. I've got a jprt run going now to
see if anything happens there. Let me know what you think.
--Jamil
On 03/14/2015 01:08 AM, Xuelei Fan wrote:
> Looks fine to me.
>
> Do you want to consider a similar conversion on BulkCipher? Maybe in a
> new bug.
>
> Thanks,
> Xuelei
>
> On 3/12/2015 7:55 AM, Jamil Nimeh wrote:
>> Hello all,
>>
>> This bug moves the internal MacAlg concrete class to an enum, and alters
>> the CipherSuite constructor to no longer use String parsing on the
>> cipher suite name to determine the MacAlg. Instead, the constructor now
>> requires the caller to pass in a MacAlg, similar to how it already takes
>> a KeyExchange and BulkCipher.
>>
>> Bug: https://bugs.openjdk.java.net/browse/JDK-6996366
>> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/6996366/webrev.01/
>>
>> Thanks,
>> --Jamil
From xuelei.fan at oracle.com Sat Mar 14 11:13:09 2015
From: xuelei.fan at oracle.com (Xuelei Fan)
Date: Sat, 14 Mar 2015 19:13:09 +0800
Subject: RFR: JDK-6996366 : convert MacAlg to an enum
In-Reply-To: <5504137C.7000004@oracle.com>
References: <5500D5EA.9060902@oracle.com> <5503EC82.5020808@oracle.com>
<5504137C.7000004@oracle.com>
Message-ID: <550417C5.2030501@oracle.com>
On 3/14/2015 6:54 PM, Jamil Nimeh wrote:
> Or we could just take care of it now, since I'm already making enums out
> of things.
>
> http://cr.openjdk.java.net/~jnimeh/reviews/6996366/webrev.02/
>
Looks fine to me.
> I don't see any differences in jtreg results across the 211 ssl tests I
> ran so that seems like a good sign. I've got a jprt run going now to
> see if anything happens there. Let me know what you think.
>
It's OK as the JPRT jobs passed. Please add a "noreg-cleanup" tag as
this is a refactoring of existing code and need no additional test.
Thanks,
Xuelei
> --Jamil
>
> On 03/14/2015 01:08 AM, Xuelei Fan wrote:
>> Looks fine to me.
>>
>> Do you want to consider a similar conversion on BulkCipher? Maybe in a
>> new bug.
>>
>> Thanks,
>> Xuelei
>>
>> On 3/12/2015 7:55 AM, Jamil Nimeh wrote:
>>> Hello all,
>>>
>>> This bug moves the internal MacAlg concrete class to an enum, and alters
>>> the CipherSuite constructor to no longer use String parsing on the
>>> cipher suite name to determine the MacAlg. Instead, the constructor now
>>> requires the caller to pass in a MacAlg, similar to how it already takes
>>> a KeyExchange and BulkCipher.
>>>
>>> Bug: https://bugs.openjdk.java.net/browse/JDK-6996366
>>> Webrev: http://cr.openjdk.java.net/~jnimeh/reviews/6996366/webrev.01/
>>>
>>> Thanks,
>>> --Jamil
>
From weijun.wang at oracle.com Sat Mar 14 23:34:42 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Sun, 15 Mar 2015 07:34:42 +0800
Subject: RFR: JDK-6996366 : convert MacAlg to an enum
In-Reply-To: <550417C5.2030501@oracle.com>
References: <5500D5EA.9060902@oracle.com> <5503EC82.5020808@oracle.com>
<5504137C.7000004@oracle.com> <550417C5.2030501@oracle.com>
Message-ID: <08807220-176A-4CD7-B810-7841F68332EB@oracle.com>
One disadvantage of enum to constant is that third-party library will not be able to extend it. I noticed this when I was trying to extend TLS to use non-certificate-based ciphersuites by providing more KeyExchange values. That work is stalled now but if we want to do it later this should be considered. Can MacAlg also be extended?
--Max
>>
>> http://cr.openjdk.java.net/~jnimeh/reviews/6996366/webrev.02/
>>
From weijun.wang at oracle.com Mon Mar 16 03:12:57 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Mon, 16 Mar 2015 11:12:57 +0800
Subject: RFR 8074835/8074836: Resolve disabled warnings for libj2gss/libosxkrb5
Message-ID:
Hi All
Please review the change at
http://cr.openjdk.java.net/~weijun/8074836/webrev.00/
Thanks
Max
From weijun.wang at oracle.com Mon Mar 16 03:46:46 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Mon, 16 Mar 2015 11:46:46 +0800
Subject: On stream-based GSSContext methods in RFC 5653
In-Reply-To:
References:
<54CE9F5B.9070808@mit.edu> <54CEE8E5.5080701@oracle.com>
<54D2FCD5.6060404@oracle.com> <54D3190D.8080003@mit.edu>
<54D31FD0.9030508@oracle.com> <54D39523.5070700@mit.edu>
<54D404FE.8010009@oracle.com> <54D40D6A.7010704@mit.edu>
<54D4100E.7070200@oracle.com>
Message-ID:
Hi All
I discussed with my colleagues on the stream-based methods and we think they are not well-designed:
1. A library should not define a wire protocol and assume the peer is using the same. http://tools.ietf.org/html/draft-ietf-kitten-gss-loop-05 requires the application to define it.
2. It's impossible to implement these methods correctly when the mechanism token has no self-framing or the library has no knowledge of the token format (for example,
as a bridge talking to another GSS library).
Therefore, I propose to deprecate these methods in an I-D. By deprecation, I'd like to remove the methods from the main content and describe the reason in a "Changes since RFC 5653" section. The specification for the methods will be moved to an appendix or the "Changes since RFC 5653" section will contain links to sections inside RFC 5653.
In Oracle JDK and OpenJDK, we would like to mark these methods as @deprecated. The existing implementations will be still supported.
Thanks
Max
From erik.joelsson at oracle.com Mon Mar 16 08:31:38 2015
From: erik.joelsson at oracle.com (Erik Joelsson)
Date: Mon, 16 Mar 2015 09:31:38 +0100
Subject: RFR 8074835/8074836: Resolve disabled warnings for
libj2gss/libosxkrb5
In-Reply-To:
References:
Message-ID: <550694EA.3060603@oracle.com>
Looks good to me. Thanks for fixing warnings!
/Erik
On 2015-03-16 04:12, Wang Weijun wrote:
> Hi All
>
> Please review the change at
>
> http://cr.openjdk.java.net/~weijun/8074836/webrev.00/
>
> Thanks
> Max
>
From artem.smotrakov at oracle.com Mon Mar 16 10:47:25 2015
From: artem.smotrakov at oracle.com (Artem Smotrakov)
Date: Mon, 16 Mar 2015 13:47:25 +0300
Subject: [9] request for review: 8048147: Privilege tests with JAAS
Subject.doAs
Message-ID: <5506B4BD.2000004@oracle.com>
Hello,
Please review a couple of new tests for privilege checks on Subject.doAs().
https://bugs.openjdk.java.net/browse/JDK-8048147
http://cr.openjdk.java.net/~asmotrak/8048147/webrev.00/
Artem
From magnus.ihse.bursie at oracle.com Mon Mar 16 14:04:38 2015
From: magnus.ihse.bursie at oracle.com (Magnus Ihse Bursie)
Date: Mon, 16 Mar 2015 15:04:38 +0100
Subject: RFR 8074835/8074836: Resolve disabled warnings for
libj2gss/libosxkrb5
In-Reply-To:
References:
Message-ID: <5506E2F6.3060005@oracle.com>
On 2015-03-16 04:12, Wang Weijun wrote:
> Hi All
>
> Please review the change at
>
> http://cr.openjdk.java.net/~weijun/8074836/webrev.00/
>
> Thanks
> Max
>
Looks good to me. Thanks for fixing this.
I'm just curious about the new deprecated-declarations warning. I didn't
see it when I excluded the warnings for the library in the first place.
Did it show up when you fixed the other warnings, or did you see it all
the time? If so, what compiler version are you using?
/Magnus
From weijun.wang at oracle.com Mon Mar 16 15:19:41 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Mon, 16 Mar 2015 23:19:41 +0800
Subject: RFR 8074835/8074836: Resolve disabled warnings for
libj2gss/libosxkrb5
In-Reply-To: <5506E2F6.3060005@oracle.com>
References:
<5506E2F6.3060005@oracle.com>
Message-ID: <342E2791-8CC9-44BC-99A9-1DC7365D357C@oracle.com>
> On Mar 16, 2015, at 22:04, Magnus Ihse Bursie wrote:
>
> On 2015-03-16 04:12, Wang Weijun wrote:
>> Hi All
>>
>> Please review the change at
>>
>> http://cr.openjdk.java.net/~weijun/8074836/webrev.00/
>>
>> Thanks
>> Max
>>
>
> Looks good to me. Thanks for fixing this.
>
> I'm just curious about the new deprecated-declarations warning. I didn't see it when I excluded the warnings for the library in the first place. Did it show up when you fixed the other warnings, or did you see it all the time? If so, what compiler version are you using?
All the time.
It's in /System/Library/Frameworks/Kerberos.framework/Headers/krb5.h. All those "KERBEROS_APPLE_DEPRECATED("use GSS.framework")" words.
$ /usr/bin/clang -v
Apple LLVM version 6.0 (clang-600.0.57) (based on LLVM 3.5svn)
Target: x86_64-apple-darwin14.1.0
Thread model: posix
--Max
>
> /Magnus
From weijun.wang at oracle.com Tue Mar 17 09:39:13 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Tue, 17 Mar 2015 17:39:13 +0800
Subject: [9] request for review: 8048147: Privilege tests with JAAS
Subject.doAs
In-Reply-To: <5506B4BD.2000004@oracle.com>
References: <5506B4BD.2000004@oracle.com>
Message-ID:
Hi Artem
The tests are good but I am thinking if we can simplify them.
There are too many duplicate actions here, for example, packing the same classes again and again to the same jar file, and the 4 ***Test.java files are quite similar. Is it possible to create a single Test.java to do everything in a single main()?
Is it possible to convert javac calls to @compile or @build? Is it possible to convert jar calls to ZipOutputStream calls in the same VM? Or maybe instead of using jar files is it possible to put the classes into different sub-directories and point classpath to them? Is it possible to convert java calls to @run?
Finally, you create a new nested directory. Is it because there is already a "doAs" there? I'd rather see a doAs2 containing these new tests. The new Utils.java can also be put inside this directory.
BTW, the auth.policy file was so old and I wonder if we still need to test it.
Thanks
Max
> On Mar 16, 2015, at 18:47, Artem Smotrakov wrote:
>
> Hello,
>
> Please review a couple of new tests for privilege checks on Subject.doAs().
>
> https://bugs.openjdk.java.net/browse/JDK-8048147
> http://cr.openjdk.java.net/~asmotrak/8048147/webrev.00/
>
> Artem
From weijun.wang at oracle.com Tue Mar 17 10:02:12 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Tue, 17 Mar 2015 18:02:12 +0800
Subject: RFR 8074935: jdk8 keytool doesn't validate pem files for RFC 1421
correctness, as jdk7 did
Message-ID: <9C3DEB27-8B39-446D-9CAC-21EAE4C24D40@oracle.com>
Hi All
Please review the code change at
http://cr.openjdk.java.net/~weijun/8074935/webrev.00/
In jdk8, we use Base64.getMimeDecoder() to parse PEM-encoded certs and it ignores every character not in the base-64 alphabet. PEM is more restricted and as I know openssl rejects PEM with illegal chars (Ex, "!" as in bug report and test). This fix will also reject them.
I also updated the encode side so that the output is always 64 chars wide, which is a requirement of PEM (http://en.wikipedia.org/wiki/Base64#Privacy-enhanced_mail).
Thanks
Max
From jason.uh at oracle.com Wed Mar 18 01:34:34 2015
From: jason.uh at oracle.com (Jason Uh)
Date: Tue, 17 Mar 2015 18:34:34 -0700
Subject: [9] RFR: 7145757: CertificateExtensions uses non-consistent key names
Message-ID: <5508D62A.9010507@oracle.com>
Please review this fix, which changes the internal map in
sun.security.x509.CertificateExtensions and CRLExtensions to always use
the OID as the key.
As stated in the JBS issue:
> The sun.security.x509.CertificateExtensions class maintains a Map map field to store all the extensions it manages. The key of map uses the name (say, "BasicConstraints") of the extension, or the OID when the type of the extension is unknown.
With this change, the map will consistently use the OID as the key.
webrev: http://cr.openjdk.java.net/~juh/7145757/00/
bug: https://bugs.openjdk.java.net/browse/JDK-7145757
Thanks,
Jason
From artem.smotrakov at oracle.com Wed Mar 18 09:21:04 2015
From: artem.smotrakov at oracle.com (Artem Smotrakov)
Date: Wed, 18 Mar 2015 12:21:04 +0300
Subject: [9] request for review: 8048147: Privilege tests with JAAS
Subject.doAs
In-Reply-To:
References: <5506B4BD.2000004@oracle.com>
Message-ID: <55094380.6040809@oracle.com>
Hi Max,
Thank you for the review, it really helped to simplify the tests. I
combined your suggestions, please take a look:
http://cr.openjdk.java.net/~asmotrak/8048147/webrev.01/
Artem
On 03/17/2015 12:39 PM, Wang Weijun wrote:
> Hi Artem
>
> The tests are good but I am thinking if we can simplify them.
>
> There are too many duplicate actions here, for example, packing the same classes again and again to the same jar file, and the 4 ***Test.java files are quite similar. Is it possible to create a single Test.java to do everything in a single main()?
>
> Is it possible to convert javac calls to @compile or @build? Is it possible to convert jar calls to ZipOutputStream calls in the same VM? Or maybe instead of using jar files is it possible to put the classes into different sub-directories and point classpath to them? Is it possible to convert java calls to @run?
>
> Finally, you create a new nested directory. Is it because there is already a "doAs" there? I'd rather see a doAs2 containing these new tests. The new Utils.java can also be put inside this directory.
>
> BTW, the auth.policy file was so old and I wonder if we still need to test it.
>
> Thanks
> Max
>
>> On Mar 16, 2015, at 18:47, Artem Smotrakov wrote:
>>
>> Hello,
>>
>> Please review a couple of new tests for privilege checks on Subject.doAs().
>>
>> https://bugs.openjdk.java.net/browse/JDK-8048147
>> http://cr.openjdk.java.net/~asmotrak/8048147/webrev.00/
>>
>> Artem
From weijun.wang at oracle.com Wed Mar 18 09:39:39 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Wed, 18 Mar 2015 17:39:39 +0800
Subject: [9] request for review: 8048147: Privilege tests with JAAS
Subject.doAs
In-Reply-To: <55094380.6040809@oracle.com>
References: <5506B4BD.2000004@oracle.com>
<55094380.6040809@oracle.com>
Message-ID: <493ED341-AE33-488B-B326-B02B224D882E@oracle.com>
It looks like the classes are loaded from test.classes since there is nowhere setting classpath to those jars. Maybe you cannot rely on "@run main".
--Max
> On Mar 18, 2015, at 17:21, Artem Smotrakov wrote:
>
> Hi Max,
>
> Thank you for the review, it really helped to simplify the tests. I combined your suggestions, please take a look:
>
> http://cr.openjdk.java.net/~asmotrak/8048147/webrev.01/
>
> Artem
>
> On 03/17/2015 12:39 PM, Wang Weijun wrote:
>> Hi Artem
>>
>> The tests are good but I am thinking if we can simplify them.
>>
>> There are too many duplicate actions here, for example, packing the same classes again and again to the same jar file, and the 4 ***Test.java files are quite similar. Is it possible to create a single Test.java to do everything in a single main()?
>>
>> Is it possible to convert javac calls to @compile or @build? Is it possible to convert jar calls to ZipOutputStream calls in the same VM? Or maybe instead of using jar files is it possible to put the classes into different sub-directories and point classpath to them? Is it possible to convert java calls to @run?
>>
>> Finally, you create a new nested directory. Is it because there is already a "doAs" there? I'd rather see a doAs2 containing these new tests. The new Utils.java can also be put inside this directory.
>>
>> BTW, the auth.policy file was so old and I wonder if we still need to test it.
>>
>> Thanks
>> Max
>>
>>> On Mar 16, 2015, at 18:47, Artem Smotrakov wrote:
>>>
>>> Hello,
>>>
>>> Please review a couple of new tests for privilege checks on Subject.doAs().
>>>
>>> https://bugs.openjdk.java.net/browse/JDK-8048147
>>> http://cr.openjdk.java.net/~asmotrak/8048147/webrev.00/
>>>
>>> Artem
>
From weijun.wang at oracle.com Wed Mar 18 09:43:31 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Wed, 18 Mar 2015 17:43:31 +0800
Subject: [9] request for review: 8048147: Privilege tests with JAAS
Subject.doAs
In-Reply-To: <493ED341-AE33-488B-B326-B02B224D882E@oracle.com>
References: <5506B4BD.2000004@oracle.com>
<55094380.6040809@oracle.com>
<493ED341-AE33-488B-B326-B02B224D882E@oracle.com>
Message-ID: <08FAF349-7C9A-46EC-9A9F-C3AF8D1FBB89@oracle.com>
Honestly, writing a shell script test would be much cleaner, although it does not have the same performance as a Java test.
Copying Jon, there should be cases where a script should be preferred.
--Max
> On Mar 18, 2015, at 17:39, Wang Weijun wrote:
>
> It looks like the classes are loaded from test.classes since there is nowhere setting classpath to those jars. Maybe you cannot rely on "@run main".
>
> --Max
>
>> On Mar 18, 2015, at 17:21, Artem Smotrakov wrote:
>>
>> Hi Max,
>>
>> Thank you for the review, it really helped to simplify the tests. I combined your suggestions, please take a look:
>>
>> http://cr.openjdk.java.net/~asmotrak/8048147/webrev.01/
>>
>> Artem
>>
>> On 03/17/2015 12:39 PM, Wang Weijun wrote:
>>> Hi Artem
>>>
>>> The tests are good but I am thinking if we can simplify them.
>>>
>>> There are too many duplicate actions here, for example, packing the same classes again and again to the same jar file, and the 4 ***Test.java files are quite similar. Is it possible to create a single Test.java to do everything in a single main()?
>>>
>>> Is it possible to convert javac calls to @compile or @build? Is it possible to convert jar calls to ZipOutputStream calls in the same VM? Or maybe instead of using jar files is it possible to put the classes into different sub-directories and point classpath to them? Is it possible to convert java calls to @run?
>>>
>>> Finally, you create a new nested directory. Is it because there is already a "doAs" there? I'd rather see a doAs2 containing these new tests. The new Utils.java can also be put inside this directory.
>>>
>>> BTW, the auth.policy file was so old and I wonder if we still need to test it.
>>>
>>> Thanks
>>> Max
>>>
>>>> On Mar 16, 2015, at 18:47, Artem Smotrakov wrote:
>>>>
>>>> Hello,
>>>>
>>>> Please review a couple of new tests for privilege checks on Subject.doAs().
>>>>
>>>> https://bugs.openjdk.java.net/browse/JDK-8048147
>>>> http://cr.openjdk.java.net/~asmotrak/8048147/webrev.00/
>>>>
>>>> Artem
>>
>
From artem.smotrakov at oracle.com Wed Mar 18 11:31:14 2015
From: artem.smotrakov at oracle.com (Artem Smotrakov)
Date: Wed, 18 Mar 2015 14:31:14 +0300
Subject: [9] request for review: 8048147: Privilege tests with JAAS
Subject.doAs
In-Reply-To: <08FAF349-7C9A-46EC-9A9F-C3AF8D1FBB89@oracle.com>
References: <5506B4BD.2000004@oracle.com>
<55094380.6040809@oracle.com>
<493ED341-AE33-488B-B326-B02B224D882E@oracle.com>
<08FAF349-7C9A-46EC-9A9F-C3AF8D1FBB89@oracle.com>
Message-ID: <55096202.9010100@oracle.com>
Yes, it looks like the classes are loaded from test.classes, here is a
piece of jtr file
CLASSPATH=/home/artem/tools/jtreg/4.1/lib/javatest.jar:/home/artem/tools/jtreg/4.1/lib/jtreg.jar:/home/artem/projects/security_test_colocation/jaas_subject_doas/results/reg/JTwork/classes/javax/security/auth/Subject/doAs:/home/artem/projects/security_test_colocation/jaas_subject_doas/jdk9_dev/jdk/test/javax/security/auth/Subject/doAs
\\
/home/artem/jdk/jdk1.9.0b51/bin/java \\
-Dtest.vm.opts= \\
-Dtest.jdk=/home/artem/jdk/jdk1.9.0b51 \\
-Dtest.timeout.factor=1.0 \\
-Dtest.src.path=/home/artem/projects/security_test_colocation/jaas_subject_doas/jdk9_dev/jdk/test/javax/security/auth/Subject/doAs
\\
-Dtest.compiler.opts= \\
-Dcompile.jdk=/home/artem/jdk/jdk1.9.0b51 \\
-Dtest.classes=/home/artem/projects/security_test_colocation/jaas_subject_doas/results/reg/JTwork/classes/javax/security/auth/Subject/doAs
\\
-Dtest.class.path=/home/artem/projects/security_test_colocation/jaas_subject_doas/results/reg/JTwork/classes/javax/security/auth/Subject/doAs
\\
-Dtest.java.opts= \\
-Dtest.src=/home/artem/projects/security_test_colocation/jaas_subject_doas/jdk9_dev/jdk/test/javax/security/auth/Subject/doAs
\\
-Dtest.tool.vm.opts= \\
-Djava.security.policy==/home/artem/projects/security_test_colocation/jaas_subject_doas/results/reg/JTwork/scratch/policy.expect.ace_new
\\
-Djava.security.manager=default \\
com.sun.javatest.regtest.MainWrapper
/home/artem/projects/security_test_colocation/jaas_subject_doas/results/reg/JTwork/classes/javax/security/auth/Subject/doAs/NestedActions.jta
expectACE
I am not sure that it is possible to modify classpath for othervm tests.
http://openjdk.java.net/jtreg/faq.html#question4.2
...
4.2. How do I set the CLASSPATH environment variable for my test?
The harness sets the CLASSPATH for the compile, main, and applet actions
to be the system class path plus the test's source and classes directory.
It is possible to set the classpath for the main/othervm action via the
-classpath option to java. Any other modification of the CLASSPATH must
be done using the shell action.
...
"@run main/othervm -classpath ..." doesn't seem to work because it can't
find com.sun.javatest.regtest.MainWrapper
The tests can be updated to start a new process with ProcessTools, or
use a script.
Artem
On 03/18/2015 12:43 PM, Wang Weijun wrote:
> Honestly, writing a shell script test would be much cleaner, although it does not have the same performance as a Java test.
>
> Copying Jon, there should be cases where a script should be preferred.
>
> --Max
>
>> On Mar 18, 2015, at 17:39, Wang Weijun wrote:
>>
>> It looks like the classes are loaded from test.classes since there is nowhere setting classpath to those jars. Maybe you cannot rely on "@run main".
>>
>> --Max
>>
>>> On Mar 18, 2015, at 17:21, Artem Smotrakov wrote:
>>>
>>> Hi Max,
>>>
>>> Thank you for the review, it really helped to simplify the tests. I combined your suggestions, please take a look:
>>>
>>> http://cr.openjdk.java.net/~asmotrak/8048147/webrev.01/
>>>
>>> Artem
>>>
>>> On 03/17/2015 12:39 PM, Wang Weijun wrote:
>>>> Hi Artem
>>>>
>>>> The tests are good but I am thinking if we can simplify them.
>>>>
>>>> There are too many duplicate actions here, for example, packing the same classes again and again to the same jar file, and the 4 ***Test.java files are quite similar. Is it possible to create a single Test.java to do everything in a single main()?
>>>>
>>>> Is it possible to convert javac calls to @compile or @build? Is it possible to convert jar calls to ZipOutputStream calls in the same VM? Or maybe instead of using jar files is it possible to put the classes into different sub-directories and point classpath to them? Is it possible to convert java calls to @run?
>>>>
>>>> Finally, you create a new nested directory. Is it because there is already a "doAs" there? I'd rather see a doAs2 containing these new tests. The new Utils.java can also be put inside this directory.
>>>>
>>>> BTW, the auth.policy file was so old and I wonder if we still need to test it.
>>>>
>>>> Thanks
>>>> Max
>>>>
>>>>> On Mar 16, 2015, at 18:47, Artem Smotrakov wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> Please review a couple of new tests for privilege checks on Subject.doAs().
>>>>>
>>>>> https://bugs.openjdk.java.net/browse/JDK-8048147
>>>>> http://cr.openjdk.java.net/~asmotrak/8048147/webrev.00/
>>>>>
>>>>> Artem
From weijun.wang at oracle.com Wed Mar 18 15:08:05 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Wed, 18 Mar 2015 23:08:05 +0800
Subject: [9] request for review: 8048147: Privilege tests with JAAS
Subject.doAs
In-Reply-To: <55096202.9010100@oracle.com>
References: <5506B4BD.2000004@oracle.com>
<55094380.6040809@oracle.com>
<493ED341-AE33-488B-B326-B02B224D882E@oracle.com>
<08FAF349-7C9A-46EC-9A9F-C3AF8D1FBB89@oracle.com>
<55096202.9010100@oracle.com>
Message-ID: <97A64FC5-2EC3-41CE-8878-09CBBC692127@oracle.com>
> On Mar 18, 2015, at 19:31, Artem Smotrakov wrote:
>
> The tests can be updated to start a new process with ProcessTools, or use a script.
Choose anyone you like.
Maybe you can a few experiments to see what is the difference between a script test and a Java test that launches processes.
I'm a little surprised that with the classpath not pointing to jars the test still succeeds. The jars should have been granted different permissions. Maybe the test is not designed smart enough to detect the problem?
--Max
>
> Artem
From jason.uh at oracle.com Wed Mar 18 21:52:44 2015
From: jason.uh at oracle.com (Jason Uh)
Date: Wed, 18 Mar 2015 14:52:44 -0700
Subject: [9] RFR: 8074531: Remove javax.security.cert.X509Certificate usage
in internal networking packages
Message-ID: <5509F3AC.4030809@oracle.com>
Please review this change, which removes methods in internal net
packages that use the deprecated javax.security.cert.X509Certificate type.
webrev: http://cr.openjdk.java.net/~juh/8074531/00/
bug: https://bugs.openjdk.java.net/browse/JDK-8074531
Thanks,
Jason
From weijun.wang at oracle.com Wed Mar 18 23:09:08 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Thu, 19 Mar 2015 07:09:08 +0800
Subject: [9] RFR: 7145757: CertificateExtensions uses non-consistent key
names
In-Reply-To: <5508D62A.9010507@oracle.com>
References: <5508D62A.9010507@oracle.com>
Message-ID:
Hi Jason
I was thinking about changing all set/get calls to using OID so inside CertificateExtensions and CRLExtensions you won't need to care about name conversions. Is that possible?
Also I see you adding some IOException throwing and catching. Is there any case you actually see them? I would think if that really happen there might be some programming error.
--Max
> On Mar 18, 2015, at 09:34, Jason Uh wrote:
>
> Please review this fix, which changes the internal map in sun.security.x509.CertificateExtensions and CRLExtensions to always use the OID as the key.
>
> As stated in the JBS issue:
>> The sun.security.x509.CertificateExtensions class maintains a Map map field to store all the extensions it manages. The key of map uses the name (say, "BasicConstraints") of the extension, or the OID when the type of the extension is unknown.
>
> With this change, the map will consistently use the OID as the key.
>
> webrev: http://cr.openjdk.java.net/~juh/7145757/00/
> bug: https://bugs.openjdk.java.net/browse/JDK-7145757
>
> Thanks,
> Jason
From jason.uh at oracle.com Wed Mar 18 23:40:56 2015
From: jason.uh at oracle.com (Jason Uh)
Date: Wed, 18 Mar 2015 16:40:56 -0700
Subject: [9] RFR: 7145757: CertificateExtensions uses non-consistent key
names
In-Reply-To:
References: <5508D62A.9010507@oracle.com>
Message-ID: <550A0D08.1020901@oracle.com>
Hi Max,
On 03/18/2015 04:09 PM, Wang Weijun wrote:
> Hi Jason
>
> I was thinking about changing all set/get calls to using OID so inside CertificateExtensions and CRLExtensions you won't need to care about name conversions. Is that possible?
It might be, but it'd call for more extensive changes. Currently, when
certificates are parsed, the extensions are added using the name, and
when they are retrieved, they are also specified by name -- for example,
X509CertImpl.getBasicConstraints() calls a get() method with the
BasicConstraints alias as the lookup parameter.
It's been a while, but the last we spoke about this, I think you wanted
to keep the changes for this contained within CertificateExtensions and
CRLExtensions. If that's still the case, we'll have to do this name
conversion. If not, I could try changing things outside of these classes.
> Also I see you adding some IOException throwing and catching. Is there any case you actually see them? I would think if that really happen there might be some programming error.
I added the IOExceptions mainly to keep CRLExtensions consistent with
CertificateExtensions. I thought it was a little odd that they weren't
being thrown, but they may not need to be there for CRLExtensions. I can
take them out.
> --Max
>
>> On Mar 18, 2015, at 09:34, Jason Uh wrote:
>>
>> Please review this fix, which changes the internal map in sun.security.x509.CertificateExtensions and CRLExtensions to always use the OID as the key.
>>
>> As stated in the JBS issue:
>>> The sun.security.x509.CertificateExtensions class maintains a Map map field to store all the extensions it manages. The key of map uses the name (say, "BasicConstraints") of the extension, or the OID when the type of the extension is unknown.
>>
>> With this change, the map will consistently use the OID as the key.
>>
>> webrev: http://cr.openjdk.java.net/~juh/7145757/00/
>> bug: https://bugs.openjdk.java.net/browse/JDK-7145757
>>
>> Thanks,
>> Jason
>
From weijun.wang at oracle.com Thu Mar 19 01:06:58 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Thu, 19 Mar 2015 09:06:58 +0800
Subject: [9] RFR: 7145757: CertificateExtensions uses non-consistent key
names
In-Reply-To: <550A0D08.1020901@oracle.com>
References: <5508D62A.9010507@oracle.com>
<550A0D08.1020901@oracle.com>
Message-ID: <523E4097-9101-438A-AE21-50754131B2C3@oracle.com>
Yes, it will be extensive, but since we already make all keys OID, we should always call those set/get() with OIDs for performance. In case we might miss some, inside the implementation of get/set(), we can still accept names.
Also, it seems there is no need for a nameCache everywhere, you can probably maintain a global one inside OIDMap.
As for the IOException, I think it's because CRLExtensions does not have getExtension() that returns null. Now that you create another inconsistence that X509CRLImpl.getExtension() is starting to throw IOE while X509CertImpl.getExtension() does not.
--Max
> On Mar 19, 2015, at 07:40, Jason Uh wrote:
>
> Hi Max,
>
> On 03/18/2015 04:09 PM, Wang Weijun wrote:
>> Hi Jason
>>
>> I was thinking about changing all set/get calls to using OID so inside CertificateExtensions and CRLExtensions you won't need to care about name conversions. Is that possible?
>
> It might be, but it'd call for more extensive changes. Currently, when certificates are parsed, the extensions are added using the name, and when they are retrieved, they are also specified by name -- for example, X509CertImpl.getBasicConstraints() calls a get() method with the BasicConstraints alias as the lookup parameter.
>
> It's been a while, but the last we spoke about this, I think you wanted to keep the changes for this contained within CertificateExtensions and CRLExtensions. If that's still the case, we'll have to do this name conversion. If not, I could try changing things outside of these classes.
>
>> Also I see you adding some IOException throwing and catching. Is there any case you actually see them? I would think if that really happen there might be some programming error.
>
> I added the IOExceptions mainly to keep CRLExtensions consistent with CertificateExtensions. I thought it was a little odd that they weren't being thrown, but they may not need to be there for CRLExtensions. I can take them out.
>
>> --Max
>>
>>> On Mar 18, 2015, at 09:34, Jason Uh wrote:
>>>
>>> Please review this fix, which changes the internal map in sun.security.x509.CertificateExtensions and CRLExtensions to always use the OID as the key.
>>>
>>> As stated in the JBS issue:
>>>> The sun.security.x509.CertificateExtensions class maintains a Map map field to store all the extensions it manages. The key of map uses the name (say, "BasicConstraints") of the extension, or the OID when the type of the extension is unknown.
>>>
>>> With this change, the map will consistently use the OID as the key.
>>>
>>> webrev: http://cr.openjdk.java.net/~juh/7145757/00/
>>> bug: https://bugs.openjdk.java.net/browse/JDK-7145757
>>>
>>> Thanks,
>>> Jason
>>
From weijun.wang at oracle.com Thu Mar 19 02:56:57 2015
From: weijun.wang at oracle.com (Weijun Wang)
Date: Thu, 19 Mar 2015 10:56:57 +0800
Subject: [kitten] On stream-based GSSContext methods in RFC 5653
In-Reply-To: <20150319023703.GA8099@localhost>
References: <54CEE8E5.5080701@oracle.com> <54D2FCD5.6060404@oracle.com>
<54D3190D.8080003@mit.edu> <54D31FD0.9030508@oracle.com>
<54D39523.5070700@mit.edu> <54D404FE.8010009@oracle.com>
<54D40D6A.7010704@mit.edu> <54D4100E.7070200@oracle.com>
<20150319023703.GA8099@localhost>
Message-ID: <550A3AF9.4020701@oracle.com>
So what's your suggestion on their future?
A: Remove them and say "they are removed" in a "Changed since" section.
B: Move them to an appendix and say "they will not be developed anymore
and please do not use them".
C: Keep them in the old section and say "they will not be developed
anymore and please do not use them".
Thanks
Max
On 3/19/2015 10:37, Nico Williams wrote:
> On Mon, Mar 16, 2015 at 11:46:46AM +0800, Wang Weijun wrote:
>> I discussed with my colleagues on the stream-based methods and we
>> think they are not well-designed:
>
> I agree.
>
From zaiyao.liu at oracle.com Thu Mar 19 06:04:02 2015
From: zaiyao.liu at oracle.com (zaiyao liu)
Date: Thu, 19 Mar 2015 14:04:02 +0800
Subject: [JDK-9] RFR: 8048618 Tests for PKCS12 write operations
In-Reply-To: <5531F555-9EFC-4AEE-BE34-DCA7E9CDC0BD@oracle.com>
References: <55090E13.6080701@oracle.com>
<5531F555-9EFC-4AEE-BE34-DCA7E9CDC0BD@oracle.com>
Message-ID: <550A66D2.60706@oracle.com>
Hi Max,
Thanks for review,
please check the update:
http://cr.openjdk.java.net/~zailiu/8048618/webrev01/test/java/security/KeyStore/PKCS12/WriteP12Test.java.html
Thanks again.
Kevin
? 2015/3/18 14:23, Wang Weijun ??:
>
> 33 * WriteP12CertChainBad: same as WriteP12CertChain but chains order is
> 34 * user-ca-lead, the order is wrong so expects to fail.
>
> Really? What is the exception?
this line will catch the exception.
167 } catch (KeyStoreException e) {
> Another suggestion, please move the text in the summary before the actual codes inside main() as comments. It's hard to page up and page down to find out what the tests are doing.
Fixed, thanks.
> Thanks
> Max
>
>
>> On Mar 18, 2015, at 13:33, zaiyao liu wrote:
>>
>> Hi Max,
>>
>> Please help to review this test:
>>
>> JDK issue:https://bugs.openjdk.java.net/browse/JDK-8048618
>> Webrev:http://cr.openjdk.java.net/~zailiu/8048618/webrev/
>>
>> Thanks
>>
>> Kevin
From artem.smotrakov at oracle.com Thu Mar 19 11:39:21 2015
From: artem.smotrakov at oracle.com (Artem Smotrakov)
Date: Thu, 19 Mar 2015 14:39:21 +0300
Subject: [9] request for review: 8048147: Privilege tests with JAAS
Subject.doAs
In-Reply-To: <97A64FC5-2EC3-41CE-8878-09CBBC692127@oracle.com>
References: <5506B4BD.2000004@oracle.com>
<55094380.6040809@oracle.com>
<493ED341-AE33-488B-B326-B02B224D882E@oracle.com>
<08FAF349-7C9A-46EC-9A9F-C3AF8D1FBB89@oracle.com>
<55096202.9010100@oracle.com>
<97A64FC5-2EC3-41CE-8878-09CBBC692127@oracle.com>
Message-ID: <550AB569.80402@oracle.com>
Hi Max,
I agree that sometimes use of a shell script makes a test clearer. On
the other hand, if we are trying to create pure Java tests, it increases
overall coverage of Java APIs.
I updated the tests to use ProcessTools, and simplified a little bit
policy files for negative tests to make them clearer. Please take a look:
http://cr.openjdk.java.net/~asmotrak/8048147/webrev.02/
Artem
On 03/18/2015 06:08 PM, Wang Weijun wrote:
>> On Mar 18, 2015, at 19:31, Artem Smotrakov wrote:
>>
>> The tests can be updated to start a new process with ProcessTools, or use a script.
> Choose anyone you like.
>
> Maybe you can a few experiments to see what is the difference between a script test and a Java test that launches processes.
>
> I'm a little surprised that with the classpath not pointing to jars the test still succeeds. The jars should have been granted different permissions. Maybe the test is not designed smart enough to detect the problem?
>
> --Max
>
>> Artem
From weijun.wang at oracle.com Thu Mar 19 14:33:33 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Thu, 19 Mar 2015 22:33:33 +0800
Subject: [9] request for review: 8048147: Privilege tests with JAAS
Subject.doAs
In-Reply-To: <550AB569.80402@oracle.com>
References: <5506B4BD.2000004@oracle.com>
<55094380.6040809@oracle.com>
<493ED341-AE33-488B-B326-B02B224D882E@oracle.com>
<08FAF349-7C9A-46EC-9A9F-C3AF8D1FBB89@oracle.com>
<55096202.9010100@oracle.com>
<97A64FC5-2EC3-41CE-8878-09CBBC692127@oracle.com>
<550AB569.80402@oracle.com>
Message-ID: <354B2ADB-0FBD-45AC-8CBB-E27744779F3C@oracle.com>
This looks fine.
One comment,
156 cmds.add("-Duser.dir=" + WORK_DIR);
Looks unnecessary. In fact, I've never seen people setting user.dir on the command line.
Another comment,
80 * @run main NestedActions jar ReadPropertyExceptionAction.jar
81 * ReadPropertyExceptionAction.class ReadPropertyException.class
82 *
83 * run tests
Will line 83 make any trouble? I remember bare words (not in a tag) will be absorbed by the previous action so the lines above will be interpreted as
@run main NestedActions jar ReadPropertyExceptionAction.jar ReadPropertyExceptionAction.class ReadPropertyException.class run tests
Or maybe that blank line can end an a tag? Anyway I dare not use this.
Thanks
Max
> On Mar 19, 2015, at 19:39, Artem Smotrakov wrote:
>
> Hi Max,
>
> I agree that sometimes use of a shell script makes a test clearer. On the other hand, if we are trying to create pure Java tests, it increases overall coverage of Java APIs.
>
> I updated the tests to use ProcessTools, and simplified a little bit policy files for negative tests to make them clearer. Please take a look:
>
> http://cr.openjdk.java.net/~asmotrak/8048147/webrev.02/
>
> Artem
>
> On 03/18/2015 06:08 PM, Wang Weijun wrote:
>>> On Mar 18, 2015, at 19:31, Artem Smotrakov wrote:
>>>
>>> The tests can be updated to start a new process with ProcessTools, or use a script.
>> Choose anyone you like.
>>
>> Maybe you can a few experiments to see what is the difference between a script test and a Java test that launches processes.
>>
>> I'm a little surprised that with the classpath not pointing to jars the test still succeeds. The jars should have been granted different permissions. Maybe the test is not designed smart enough to detect the problem?
>>
>> --Max
>>
>>> Artem
>
From nico at cryptonector.com Thu Mar 19 02:37:04 2015
From: nico at cryptonector.com (Nico Williams)
Date: Wed, 18 Mar 2015 21:37:04 -0500
Subject: [kitten] On stream-based GSSContext methods in RFC 5653
In-Reply-To:
References: <54CEE8E5.5080701@oracle.com> <54D2FCD5.6060404@oracle.com>
<54D3190D.8080003@mit.edu> <54D31FD0.9030508@oracle.com>
<54D39523.5070700@mit.edu> <54D404FE.8010009@oracle.com>
<54D40D6A.7010704@mit.edu> <54D4100E.7070200@oracle.com>
Message-ID: <20150319023703.GA8099@localhost>
On Mon, Mar 16, 2015 at 11:46:46AM +0800, Wang Weijun wrote:
> I discussed with my colleagues on the stream-based methods and we
> think they are not well-designed:
I agree.
From nico at cryptonector.com Thu Mar 19 15:01:16 2015
From: nico at cryptonector.com (Nico Williams)
Date: Thu, 19 Mar 2015 10:01:16 -0500
Subject: [kitten] On stream-based GSSContext methods in RFC 5653
In-Reply-To: <550A3AF9.4020701@oracle.com>
References: <54D3190D.8080003@mit.edu> <54D31FD0.9030508@oracle.com>
<54D39523.5070700@mit.edu> <54D404FE.8010009@oracle.com>
<54D40D6A.7010704@mit.edu> <54D4100E.7070200@oracle.com>
<20150319023703.GA8099@localhost> <550A3AF9.4020701@oracle.com>
Message-ID: <20150319150115.GC8099@localhost>
On Thu, Mar 19, 2015 at 10:56:57AM +0800, Weijun Wang wrote:
> So what's your suggestion on their future?
>
> A: Remove them and say "they are removed" in a "Changed since" section.
Remove them and mention that they used to be there and they have been
removed, "do not use".
Nico
--
From joe.darcy at oracle.com Fri Mar 20 01:12:44 2015
From: joe.darcy at oracle.com (joe darcy)
Date: Thu, 19 Mar 2015 18:12:44 -0700
Subject: JDK 9 RFR of JDK-8075567: Mark intermittently failuring security-libs
tests
Message-ID: <550B740C.9010004@oracle.com>
Hello,
Per a policy to mark intermittently failing tests (see
http://mail.openjdk.java.net/pipermail/core-libs-dev/2015-March/032383.html),
please review the changes below to mark two security libs tests as
failing intermittently:
sun/security/mscapi/ShortRSAKey1024.sh
sun/security/mscapi/SignUsingNONEwithRSA.sh
To find these tests, I went through unresolved security-libs bugs
looking for test failures that had information updated within the last
six months or so.
Please add or remove the intermittent jtreg keyword to security tests
appropriately going forward.
Also, please consider the general recommendation to rewrite shell tests
as Java programs. The langtools team was able to remove nearly all shell
tests in their test suite.
Thanks,
-Joe
diff -r cd4aea326e89 test/sun/security/mscapi/ShortRSAKey1024.sh
--- a/test/sun/security/mscapi/ShortRSAKey1024.sh Thu Mar 19 13:18:49
2015 -0700
+++ b/test/sun/security/mscapi/ShortRSAKey1024.sh Thu Mar 19 17:59:43
2015 -0700
@@ -30,6 +30,7 @@
# @run shell ShortRSAKey1024.sh 1024
# @run shell ShortRSAKey1024.sh 768
# @run shell ShortRSAKey1024.sh 512
+# @key intermittent
# set a few environment variables so that the shell-script can run
stand-alone
# in the source directory
diff -r cd4aea326e89 test/sun/security/mscapi/SignUsingNONEwithRSA.sh
--- a/test/sun/security/mscapi/SignUsingNONEwithRSA.sh Thu Mar 19
13:18:49 2015 -0700
+++ b/test/sun/security/mscapi/SignUsingNONEwithRSA.sh Thu Mar 19
17:59:43 2015 -0700
@@ -28,6 +28,7 @@
# @bug 6578658
# @run shell SignUsingNONEwithRSA.sh
# @summary Sign using the NONEwithRSA signature algorithm from SunMSCAPI
+# @key intermittent
# set a few environment variables so that the shell-script can run
stand-alone
# in the source directory
From weijun.wang at oracle.com Fri Mar 20 03:24:20 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Fri, 20 Mar 2015 11:24:20 +0800
Subject: On stream-based GSSContext methods in RFC 5653
In-Reply-To:
References:
<54CE9F5B.9070808@mit.edu> <54CEE8E5.5080701@oracle.com>
<54D2FCD5.6060404@oracle.com> <54D3190D.8080003@mit.edu>
<54D31FD0.9030508@oracle.com> <54D39523.5070700@mit.edu>
<54D404FE.8010009@oracle.com> <54D40D6A.7010704@mit.edu>
<54D4100E.7070200@oracle.com>
<,
<>>
Message-ID: <96E28C34-69BC-411B-A9FB-C352E270D648@oracle.com>
Hi Thomas
On Mar 20, 2015, at 10:15, Thomas Maslen wrote:
>
> My personal 0.02.
>
> First, my overall reaction to this is pretty much the same as my reaction to the GSSException change proposed in the rfc5653bis draft: I believe that this aspect of 2853 / 5653 isn't broken and so I'm leery of "fixing" it -- but I don't feel strongly about it and I don't really object to it (much), I mostly just want to make sure that we look before we leap.
The GSSException case is not broken. It's just that the Java binding does not have the same feature as the C binding, at least for the token-based methods. You may say people can find a way to send the error token using the stream-based methods without any API change, but since we never documented anything before it could bring unexpected behavior to current users. Also, it is too automatic and a user might want to send a normal token but not send an error token.
>
> [But I do agree that if (a) we deprecate the stream-based GSSContext methods and (b) we care about being able to both throw a GSSException and return an error token, then (c) yes, in that case the GSSException change would then be necessary].
>
> To me, neither item 1 nor item 2 below is problematic for the stream-based methods. Perhaps the assumptions that I'm using are different than yours?
For me, the main reason of (a) is that GSS-API is defined around tokens and sending/receiving these tokens should be left to applications. Using them, documenting them, and implementing them, are all unnecessarily complicated.
>
> What I mean by that is:
>
> I agree that if you took the raw InputStream from e.g. Socket.getInputStream() and passed it to a stream-based GSSContext method then yes, it would be problematic.
The javadoc for the methods seems to suggest that
* while (!context.isEstablished()) {
*
* context.initSecContext(is, os);
*
* // send output token if generated
* os.flush();
* }
>
> But don't do that. Instead:
>
> (1) Read the token-length field from the raw InputStream. (There must be a token-length field, or something equivalent to it -- if there wasn't, you wouldn't be able to use the byte[]-based GSSContext methods either)
>
> (2) Use that length field to construct a wrapper InputStream (probably a subclass of FilterInputStream) that lets you read that number of bytes and then returns EOF (even though the underlying raw InputStream probably still has data available). Yes, I'm definitely glossing over some details about ensuring that you always advance the underlying stream to the end of the token, but that's just a SMOP.
>
> (3) Pass that wrapper InputStream (not the underlying raw InputStream) to the stream-based GSSContext method.
>
> The advantage of doing this, c.f. just using the byte[]-based methods, is efficiency: with the byte[]-based methods you have to read the token length, then allocate a byte[] that's at least that large and System.arraycopy() all those bytes into it. [Unless, of course, you have already paid the price to read the entire application-protocol message into a byte[] -- in that case, sure, it makes sense to use the byte[]-based GSSContext methods].
>
> So I believe that the InputStream parameters are useful because they allow a more efficient implementation than using byte[].
This is somehow what the example inside RFC 5653 7.4.8 is suggesting
ByteArrayOutputStream os = new ByteArrayOutputStream();
ByteArrayInputStream is = null;
do {
// Re-create os?
context.initSecContext(is, os);
// send token if present
if (os.size() > 0)
sendToken(os);
// check if we should expect more tokens
if (context.isEstablished())
break;
// another token expected from peer
is = recvToken();
} while (true);
but then the recvToken in the example above should not be defined as a ByteArrayInputStream.
>
> I admit that the argument for the OutputStream parameters is much weaker (hypothetically they could be useful if the application protocol used chunked framing such as ASN.1 indefinite-length encoding, but in reality application protocols probably just use simple framing with a token-length field at the beginning and so yeah, the OutputStream doesn't buy you anything, you may as well just go ahead and return a byte[]).
Exactly, I don't know how to emit that length field before sending the bytes into the stream. Creating a method like the following is ugly.
byte[] initSecContext(InputStream ins)
>
>
> I agree that the "GSS-API authentication tokens contain a definite start and end" wording in RFC 2853 / 5653 makes it sound as though perhaps the original authors mistakenly believed that all GSSAPI context tokens included their own framing (if so, then the stream-based methods were just a mistake caused by a flawed assumption, and it would be good to correct that mistake). I'm a Johnny-come-lately to this and I don't know what the original authors actually thought / meant, but I choose to believe that no, they weren't confused about the (non-)framing of GSSAPI context tokens and so no, the stream-based GSSContext methods weren't a mistake; rather, I believe that they were thinking about InputStream wrappers such as the one I outlined above, so the stream-based GSSContext methods are valid (and shouldn't be deprecated), and the only thing that needs to be fixed is the misleading wording, not the Java methods.
I don't know now. I am also late to this.
>
> If we do go ahead with deprecating the stream-based methods then yes, I'm fine with the changes that you outlined below:
>
>> [...] I propose to deprecate these methods in an I-D.
>> [...] In Oracle JDK and OpenJDK, we would like to mark these methods as @deprecated. The existing implementations will be still supported.
>
> Good.
>
> Incidentally, w.r.t. Oracle JDK / OpenJDK: the current implementation assumes that all context-initiation tokens (not just the initial token but also all subsequent context-initiation tokens) _do_ include framing (a GSSHeader). There are a couple of special-case exceptions (for the SPNEGO mechanism and for the SunNativeGSS provider), but in general the code requires that all input tokens have a GSSHeader (and will error out, probably with DEFECTIVE_TOKEN, if they don't), and always prepends a GSSHeader to any outgoing tokens that GSSContextSpi returns.
>
> So, even if the stream-based methods are deprecated, the current implementation will still only support GSSAPI mechanisms where every context-initiation token has GSSHeader framing. My guess is that removing that limitation would entail breaking the sun.security.jgss.spi (again).
We don't plan to make any change. What we can say now is that they have a problem and could go wrong. If we add a new mechanism later that does not have a self-framing, we might have to consume all bytes available and treat it as the input token.
--Max
>
>
>
> ________________________________________
> From: Wang Weijun [weijun.wang at oracle.com]
> Sent: Sunday, March 15, 2015 20:46
> To: kitten at ietf.org; OpenJDK Dev list
> Cc: Thomas Maslen; Benjamin Kaduk
> Subject: On stream-based GSSContext methods in RFC 5653
>
> Hi All
>
> I discussed with my colleagues on the stream-based methods and we think they are not well-designed:
>
> 1. A library should not define a wire protocol and assume the peer is using the same. http://tools.ietf.org/html/draft-ietf-kitten-gss-loop-05 requires the application to define it.
>
> 2. It's impossible to implement these methods correctly when the mechanism token has no self-framing or the library has no knowledge of the token format (for example,
> as a bridge talking to another GSS library).
>
> Therefore, I propose to deprecate these methods in an I-D. By deprecation, I'd like to remove the methods from the main content and describe the reason in a "Changes since RFC 5653" section. The specification for the methods will be moved to an appendix or the "Changes since RFC 5653" section will contain links to sections inside RFC 5653.
>
> In Oracle JDK and OpenJDK, we would like to mark these methods as @deprecated. The existing implementations will be still supported.
>
> Thanks
> Max
From artem.smotrakov at oracle.com Fri Mar 20 06:49:48 2015
From: artem.smotrakov at oracle.com (Artem Smotrakov)
Date: Fri, 20 Mar 2015 09:49:48 +0300
Subject: [9] request for review: 8048147: Privilege tests with JAAS
Subject.doAs
In-Reply-To: <354B2ADB-0FBD-45AC-8CBB-E27744779F3C@oracle.com>
References: <5506B4BD.2000004@oracle.com>
<55094380.6040809@oracle.com>
<493ED341-AE33-488B-B326-B02B224D882E@oracle.com>
<08FAF349-7C9A-46EC-9A9F-C3AF8D1FBB89@oracle.com>
<55096202.9010100@oracle.com>
<97A64FC5-2EC3-41CE-8878-09CBBC692127@oracle.com>
<550AB569.80402@oracle.com>
<354B2ADB-0FBD-45AC-8CBB-E27744779F3C@oracle.com>
Message-ID: <550BC30C.3030400@oracle.com>
Hi Max,
Please see inline.
On 03/19/2015 05:33 PM, Wang Weijun wrote:
> This looks fine.
>
> One comment,
>
> 156 cmds.add("-Duser.dir=" + WORK_DIR);
>
> Looks unnecessary. In fact, I've never seen people setting user.dir on the command line.
Agree. I removed this.
>
> Another comment,
>
> 80 * @run main NestedActions jar ReadPropertyExceptionAction.jar
> 81 * ReadPropertyExceptionAction.class ReadPropertyException.class
> 82 *
> 83 * run tests
>
> Will line 83 make any trouble? I remember bare words (not in a tag) will be absorbed by the previous action so the lines above will be interpreted as
>
> @run main NestedActions jar ReadPropertyExceptionAction.jar ReadPropertyExceptionAction.class ReadPropertyException.class run tests
>
> Or maybe that blank line can end an a tag? Anyway I dare not use this.
Yes, it makes a trouble. I removed this, but didn't update the webrev.
Sorry about that and thanks for attention.
Please take a look at
http://cr.openjdk.java.net/~asmotrak/8048147/webrev.03/
Artem
>
> Thanks
> Max
>
>> On Mar 19, 2015, at 19:39, Artem Smotrakov wrote:
>>
>> Hi Max,
>>
>> I agree that sometimes use of a shell script makes a test clearer. On the other hand, if we are trying to create pure Java tests, it increases overall coverage of Java APIs.
>>
>> I updated the tests to use ProcessTools, and simplified a little bit policy files for negative tests to make them clearer. Please take a look:
>>
>> http://cr.openjdk.java.net/~asmotrak/8048147/webrev.02/
>>
>> Artem
>>
>> On 03/18/2015 06:08 PM, Wang Weijun wrote:
>>>> On Mar 18, 2015, at 19:31, Artem Smotrakov wrote:
>>>>
>>>> The tests can be updated to start a new process with ProcessTools, or use a script.
>>> Choose anyone you like.
>>>
>>> Maybe you can a few experiments to see what is the difference between a script test and a Java test that launches processes.
>>>
>>> I'm a little surprised that with the classpath not pointing to jars the test still succeeds. The jars should have been granted different permissions. Maybe the test is not designed smart enough to detect the problem?
>>>
>>> --Max
>>>
>>>> Artem
From weijun.wang at oracle.com Fri Mar 20 07:38:10 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Fri, 20 Mar 2015 15:38:10 +0800
Subject: [9] request for review: 8048147: Privilege tests with JAAS
Subject.doAs
In-Reply-To: <550BC30C.3030400@oracle.com>
References: <5506B4BD.2000004@oracle.com>
<55094380.6040809@oracle.com>
<493ED341-AE33-488B-B326-B02B224D882E@oracle.com>
<08FAF349-7C9A-46EC-9A9F-C3AF8D1FBB89@oracle.com>
<55096202.9010100@oracle.com>
<97A64FC5-2EC3-41CE-8878-09CBBC692127@oracle.com>
<550AB569.80402@oracle.com>
<354B2ADB-0FBD-45AC-8CBB-E27744779F3C@oracle.com>
<550BC30C.3030400@oracle.com>
Message-ID:
I see no problem now.
Would you like me to push it for you? Please provide me the changeset comment you want to use.
Thanks
Max
> On Mar 20, 2015, at 14:49, Artem Smotrakov wrote:
>
> Hi Max,
>
> Please see inline.
>
> On 03/19/2015 05:33 PM, Wang Weijun wrote:
>> This looks fine.
>>
>> One comment,
>>
>> 156 cmds.add("-Duser.dir=" + WORK_DIR);
>>
>> Looks unnecessary. In fact, I've never seen people setting user.dir on the command line.
> Agree. I removed this.
>>
>> Another comment,
>>
>> 80 * @run main NestedActions jar ReadPropertyExceptionAction.jar
>> 81 * ReadPropertyExceptionAction.class ReadPropertyException.class
>> 82 *
>> 83 * run tests
>>
>> Will line 83 make any trouble? I remember bare words (not in a tag) will be absorbed by the previous action so the lines above will be interpreted as
>>
>> @run main NestedActions jar ReadPropertyExceptionAction.jar ReadPropertyExceptionAction.class ReadPropertyException.class run tests
>>
>> Or maybe that blank line can end an a tag? Anyway I dare not use this.
> Yes, it makes a trouble. I removed this, but didn't update the webrev. Sorry about that and thanks for attention.
>
> Please take a look at http://cr.openjdk.java.net/~asmotrak/8048147/webrev.03/
>
> Artem
>>
>> Thanks
>> Max
>>
>>> On Mar 19, 2015, at 19:39, Artem Smotrakov wrote:
>>>
>>> Hi Max,
>>>
>>> I agree that sometimes use of a shell script makes a test clearer. On the other hand, if we are trying to create pure Java tests, it increases overall coverage of Java APIs.
>>>
>>> I updated the tests to use ProcessTools, and simplified a little bit policy files for negative tests to make them clearer. Please take a look:
>>>
>>> http://cr.openjdk.java.net/~asmotrak/8048147/webrev.02/
>>>
>>> Artem
>>>
>>> On 03/18/2015 06:08 PM, Wang Weijun wrote:
>>>>> On Mar 18, 2015, at 19:31, Artem Smotrakov wrote:
>>>>>
>>>>> The tests can be updated to start a new process with ProcessTools, or use a script.
>>>> Choose anyone you like.
>>>>
>>>> Maybe you can a few experiments to see what is the difference between a script test and a Java test that launches processes.
>>>>
>>>> I'm a little surprised that with the classpath not pointing to jars the test still succeeds. The jars should have been granted different permissions. Maybe the test is not designed smart enough to detect the problem?
>>>>
>>>> --Max
>>>>
>>>>> Artem
From artem.smotrakov at oracle.com Fri Mar 20 07:54:21 2015
From: artem.smotrakov at oracle.com (Artem Smotrakov)
Date: Fri, 20 Mar 2015 10:54:21 +0300
Subject: [9] request for review: 8048147: Privilege tests with JAAS
Subject.doAs
In-Reply-To:
References: <5506B4BD.2000004@oracle.com>
<55094380.6040809@oracle.com>
<493ED341-AE33-488B-B326-B02B224D882E@oracle.com>
<08FAF349-7C9A-46EC-9A9F-C3AF8D1FBB89@oracle.com>
<55096202.9010100@oracle.com>
<97A64FC5-2EC3-41CE-8878-09CBBC692127@oracle.com>
<550AB569.80402@oracle.com>
<354B2ADB-0FBD-45AC-8CBB-E27744779F3C@oracle.com>
<550BC30C.3030400@oracle.com>
Message-ID: <550BD22D.2060904@oracle.com>
Yes, please push it.
8048147: Privilege tests with JAAS Subject.doAs
Reviewed-by: weijun
My username is asmotrak
http://openjdk.java.net/census#asmotrak
Artem
On 03/20/2015 10:38 AM, Wang Weijun wrote:
> I see no problem now.
>
> Would you like me to push it for you? Please provide me the changeset comment you want to use.
>
> Thanks
> Max
>
>> On Mar 20, 2015, at 14:49, Artem Smotrakov wrote:
>>
>> Hi Max,
>>
>> Please see inline.
>>
>> On 03/19/2015 05:33 PM, Wang Weijun wrote:
>>> This looks fine.
>>>
>>> One comment,
>>>
>>> 156 cmds.add("-Duser.dir=" + WORK_DIR);
>>>
>>> Looks unnecessary. In fact, I've never seen people setting user.dir on the command line.
>> Agree. I removed this.
>>> Another comment,
>>>
>>> 80 * @run main NestedActions jar ReadPropertyExceptionAction.jar
>>> 81 * ReadPropertyExceptionAction.class ReadPropertyException.class
>>> 82 *
>>> 83 * run tests
>>>
>>> Will line 83 make any trouble? I remember bare words (not in a tag) will be absorbed by the previous action so the lines above will be interpreted as
>>>
>>> @run main NestedActions jar ReadPropertyExceptionAction.jar ReadPropertyExceptionAction.class ReadPropertyException.class run tests
>>>
>>> Or maybe that blank line can end an a tag? Anyway I dare not use this.
>> Yes, it makes a trouble. I removed this, but didn't update the webrev. Sorry about that and thanks for attention.
>>
>> Please take a look at http://cr.openjdk.java.net/~asmotrak/8048147/webrev.03/
>>
>> Artem
>>> Thanks
>>> Max
>>>
>>>> On Mar 19, 2015, at 19:39, Artem Smotrakov wrote:
>>>>
>>>> Hi Max,
>>>>
>>>> I agree that sometimes use of a shell script makes a test clearer. On the other hand, if we are trying to create pure Java tests, it increases overall coverage of Java APIs.
>>>>
>>>> I updated the tests to use ProcessTools, and simplified a little bit policy files for negative tests to make them clearer. Please take a look:
>>>>
>>>> http://cr.openjdk.java.net/~asmotrak/8048147/webrev.02/
>>>>
>>>> Artem
>>>>
>>>> On 03/18/2015 06:08 PM, Wang Weijun wrote:
>>>>>> On Mar 18, 2015, at 19:31, Artem Smotrakov wrote:
>>>>>>
>>>>>> The tests can be updated to start a new process with ProcessTools, or use a script.
>>>>> Choose anyone you like.
>>>>>
>>>>> Maybe you can a few experiments to see what is the difference between a script test and a Java test that launches processes.
>>>>>
>>>>> I'm a little surprised that with the classpath not pointing to jars the test still succeeds. The jars should have been granted different permissions. Maybe the test is not designed smart enough to detect the problem?
>>>>>
>>>>> --Max
>>>>>
>>>>>> Artem
From weijun.wang at oracle.com Fri Mar 20 14:39:04 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Fri, 20 Mar 2015 22:39:04 +0800
Subject: RFR 8047789: auth.login.LoginContext needs to be updated to work with
modules
Message-ID: <83DE38C5-ED13-46A4-A75E-7D8748B2EFC9@oracle.com>
Please review the code changes at
http://cr.openjdk.java.net/~weijun/8047789/webrev.03/
LoginContext is updated to use ServiceLoader to load configured LoginModules, and fallback to reflection if it cannot find one. Please notice that the fix does not include configuration of existing LoginModules since the current jdk9/dev module system does not support multiple modules implementing the same interface. Suppose it does, these 2 extra files will do the configuration:
src/jdk.security.auth/META-INF/services/javax.security.auth.spi.LoginModule
com.sun.security.auth.module.Krb5LoginModule
com.sun.security.auth.module.UnixLoginModule
com.sun.security.auth.module.JndiLoginModule
com.sun.security.auth.module.KeyStoreLoginModule
com.sun.security.auth.module.LdapLoginModule
com.sun.security.auth.module.NTLoginModule
src/java.management/META-INF/services/javax.security.auth.spi.LoginModule
com.sun.jmx.remote.security.FileLoginModule
I am hearing that jigsaw will provide a new way for service configuration.
Compatibility issue: Before this code change, any class that includes the necessary methods (initialize, login, logout, abort, commit) can be configured as a login module, which does not necessarily implement the LoginModule interface itself. After this code change, it must implement the interface.
We might need to update the JAAS programming guide in Java SE documentation to describe the new loading mechanism.
Thanks
Max
From Alan.Bateman at oracle.com Fri Mar 20 15:38:35 2015
From: Alan.Bateman at oracle.com (Alan Bateman)
Date: Fri, 20 Mar 2015 15:38:35 +0000
Subject: RFR 8047789: auth.login.LoginContext needs to be updated to work
with modules
In-Reply-To: <83DE38C5-ED13-46A4-A75E-7D8748B2EFC9@oracle.com>
References: <83DE38C5-ED13-46A4-A75E-7D8748B2EFC9@oracle.com>
Message-ID: <550C3EFB.50401@oracle.com>
On 20/03/2015 14:39, Wang Weijun wrote:
> Please review the code changes at
>
> http://cr.openjdk.java.net/~weijun/8047789/webrev.03/
>
> LoginContext is updated to use ServiceLoader to load configured LoginModules, and fallback to reflection if it cannot find one. Please notice that the fix does not include configuration of existing LoginModules since the current jdk9/dev module system does not support multiple modules implementing the same interface. Suppose it does, these 2 extra files will do the configuration:
>
>
Just to clarify this, there isn't a module system in JDK 9 yet. The
issue here is just having several resources named
META-INF/services/javax.security.auth.spi.LoginModule as the build needs
to concatenate the entries to create one services configuration file.
This is a temporary issue of course and same named resources won't be an
issue once all resources in the jimage container are keyed on module.
Also as you said, we don't expect services configuration files will be
needed anyway.
-Alan.
From mandy.chung at oracle.com Fri Mar 20 20:12:39 2015
From: mandy.chung at oracle.com (Mandy Chung)
Date: Fri, 20 Mar 2015 13:12:39 -0700
Subject: RFR 8047789: auth.login.LoginContext needs to be updated to work
with modules
In-Reply-To: <83DE38C5-ED13-46A4-A75E-7D8748B2EFC9@oracle.com>
References: <83DE38C5-ED13-46A4-A75E-7D8748B2EFC9@oracle.com>
Message-ID: <550C7F37.8050206@oracle.com>
On 3/20/15 7:39 AM, Wang Weijun wrote:
> Please review the code changes at
>
> http://cr.openjdk.java.net/~weijun/8047789/webrev.03/
It looks okay to me. Removing some use of reflection seems
a good thing.
One observation: invoke(String methodName) now calls the method
statically and the implementation has conditional code depending
on which of the four methods. It seems that you could do some
refactoring to define 4 different methods for example:
571 invokePriv(LOGIN_METHOD) -> invokeLoginMethod
This is an separate issue. Just to mention for future cleanup
to consider.
Mandy
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From jamil.j.nimeh at oracle.com Fri Mar 20 22:00:34 2015
From: jamil.j.nimeh at oracle.com (Jamil Nimeh)
Date: Fri, 20 Mar 2015 15:00:34 -0700
Subject: Code review of JDK-8072385,
Only the first DNSName entry is checked for endpoint identification
In-Reply-To: <54FE8691.9060405@oracle.com>
References: <54F71BE5.2050205@oracle.com> <54FE39AB.1080503@oracle.com>
<54FE72C0.9000602@oracle.com> <54FE8691.9060405@oracle.com>
Message-ID: <550C9882.4060908@oracle.com>
Hi Xuelei, this looks good to me.
--Jamil
On 3/9/2015 10:52 PM, Xuelei Fan wrote:
> On 3/10/2015 12:27 PM, Jamil Nimeh wrote:
>> Hi Xuelei, I can't be an official reviewer, but I did look over the code
>> and it looks pretty good to me.
> I think it is OK to push if you reviewed the code.
>
>> I did have a couple questions though:
>>
>> * Line 1570
>> o Since the getSubjectAltNames() method is generic enough to take
>> any int type it might be worthwhile to put some comments into
>> the header stating that only those subjectAltName types that use
>> String data should be passed into this function (see follow-on
>> question below).
> Good point. I added a note comment and updated the webrev.
>
>> * Line 1580
>> o If, for some reason, a maintainer were to ever pass in a
>> different altname value, like 4 (X400Address), wouldn't the code
>> cause a ClassCastException when trying to cast the returned
>> byte[] to a String? Would it be worthwhile to either do a
>> instanceof check on the returned value before the cast or catch
>> the CCE before it goes up the stack? Or is it your desire to
>> let the CCE be thrown? I ask only because earlier in
>> isIdentityEquivalent() you take the time to catch parsing
>> exceptions and handle it with a log message rather than let it
>> unwind the stack. Would it be worthwhile to do something
>> similar with a CCE down in getSubjectAltNames()?
>>
> It's better to check the instance for a good coding experiences.
>
> It's safe here as for subjectAltName type of DNS and IPAddress, the data
> type is String. See the spec of
> X509Certificate.getSubjectAlternativeNames().
>
> We have the similar code in sun/security/util/HostnameChecker.java.
>
> Thanks,
> Xuelei
>
>> But even as-is, this still looks good to me.
>>
>> --Jamil
>>
>> On 03/09/2015 05:24 PM, Xuelei Fan wrote:
>>> Ping ...
>>>
>>> wbrev: http://cr.openjdk.java.net/~xuelei/8072385/webrev.00/
>>>
>>> On 3/4/2015 10:51 PM, Xuelei Fan wrote:
>>>> Hi,
>>>>
>>>> Please review the fix for:
>>>> https://bugs.openjdk.java.net/browse/JDK-8072385
>>>>
>>>> In SunJSSE implementation, during endpoint identification, there is a
>>>> bug in SubjectAlternativeName matching that only the fist DNSName are
>>>> checked. As may impact some business where host-name alias are used.
>>>>
>>>> The patch is attached.
>>>>
>>>> Thanks,
>>>> Xuelei
>>>>
From jason.uh at oracle.com Fri Mar 20 23:10:43 2015
From: jason.uh at oracle.com (Jason Uh)
Date: Fri, 20 Mar 2015 16:10:43 -0700
Subject: [9] RFR: 7194452: Remove "Reverse" PKIX CertPathBuilder implementation
Message-ID: <550CA8F3.2070007@oracle.com>
Please review this change to remove the "Reverse" CertPathBuilder mode,
which has never been supported and is undocumented.
webrev: http://cr.openjdk.java.net/~juh/7194452/00/
bug: https://bugs.openjdk.java.net/browse/JDK-7194452
Thanks,
Jason
From Thomas.Maslen at software.dell.com Fri Mar 20 02:15:08 2015
From: Thomas.Maslen at software.dell.com (Thomas Maslen)
Date: Fri, 20 Mar 2015 02:15:08 +0000
Subject: On stream-based GSSContext methods in RFC 5653
In-Reply-To:
References:
<54CE9F5B.9070808@mit.edu> <54CEE8E5.5080701@oracle.com>
<54D2FCD5.6060404@oracle.com> <54D3190D.8080003@mit.edu>
<54D31FD0.9030508@oracle.com> <54D39523.5070700@mit.edu>
<54D404FE.8010009@oracle.com> <54D40D6A.7010704@mit.edu>
<54D4100E.7070200@oracle.com>
,
Message-ID:
My personal 0.02.
First, my overall reaction to this is pretty much the same as my reaction to the GSSException change proposed in the rfc5653bis draft: I believe that this aspect of 2853 / 5653 isn't broken and so I'm leery of "fixing" it -- but I don't feel strongly about it and I don't really object to it (much), I mostly just want to make sure that we look before we leap.
[But I do agree that if (a) we deprecate the stream-based GSSContext methods and (b) we care about being able to both throw a GSSException and return an error token, then (c) yes, in that case the GSSException change would then be necessary].
To me, neither item 1 nor item 2 below is problematic for the stream-based methods. Perhaps the assumptions that I'm using are different than yours?
What I mean by that is:
I agree that if you took the raw InputStream from e.g. Socket.getInputStream() and passed it to a stream-based GSSContext method then yes, it would be problematic.
But don't do that. Instead:
(1) Read the token-length field from the raw InputStream. (There must be a token-length field, or something equivalent to it -- if there wasn't, you wouldn't be able to use the byte[]-based GSSContext methods either)
(2) Use that length field to construct a wrapper InputStream (probably a subclass of FilterInputStream) that lets you read that number of bytes and then returns EOF (even though the underlying raw InputStream probably still has data available). Yes, I'm definitely glossing over some details about ensuring that you always advance the underlying stream to the end of the token, but that's just a SMOP.
(3) Pass that wrapper InputStream (not the underlying raw InputStream) to the stream-based GSSContext method.
The advantage of doing this, c.f. just using the byte[]-based methods, is efficiency: with the byte[]-based methods you have to read the token length, then allocate a byte[] that's at least that large and System.arraycopy() all those bytes into it. [Unless, of course, you have already paid the price to read the entire application-protocol message into a byte[] -- in that case, sure, it makes sense to use the byte[]-based GSSContext methods].
So I believe that the InputStream parameters are useful because they allow a more efficient implementation than using byte[].
I admit that the argument for the OutputStream parameters is much weaker (hypothetically they could be useful if the application protocol used chunked framing such as ASN.1 indefinite-length encoding, but in reality application protocols probably just use simple framing with a token-length field at the beginning and so yeah, the OutputStream doesn't buy you anything, you may as well just go ahead and return a byte[]).
I agree that the "GSS-API authentication tokens contain a definite start and end" wording in RFC 2853 / 5653 makes it sound as though perhaps the original authors mistakenly believed that all GSSAPI context tokens included their own framing (if so, then the stream-based methods were just a mistake caused by a flawed assumption, and it would be good to correct that mistake). I'm a Johnny-come-lately to this and I don't know what the original authors actually thought / meant, but I choose to believe that no, they weren't confused about the (non-)framing of GSSAPI context tokens and so no, the stream-based GSSContext methods weren't a mistake; rather, I believe that they were thinking about InputStream wrappers such as the one I outlined above, so the stream-based GSSContext methods are valid (and shouldn't be deprecated), and the only thing that needs to be fixed is the misleading wording, not the Java methods.
If we do go ahead with deprecating the stream-based methods then yes, I'm fine with the changes that you outlined below:
> [...] I propose to deprecate these methods in an I-D.
> [...] In Oracle JDK and OpenJDK, we would like to mark these methods as @deprecated. The existing implementations will be still supported.
Good.
Incidentally, w.r.t. Oracle JDK / OpenJDK: the current implementation assumes that all context-initiation tokens (not just the initial token but also all subsequent context-initiation tokens) _do_ include framing (a GSSHeader). There are a couple of special-case exceptions (for the SPNEGO mechanism and for the SunNativeGSS provider), but in general the code requires that all input tokens have a GSSHeader (and will error out, probably with DEFECTIVE_TOKEN, if they don't), and always prepends a GSSHeader to any outgoing tokens that GSSContextSpi returns.
So, even if the stream-based methods are deprecated, the current implementation will still only support GSSAPI mechanisms where every context-initiation token has GSSHeader framing. My guess is that removing that limitation would entail breaking the sun.security.jgss.spi (again).
________________________________________
From: Wang Weijun [weijun.wang at oracle.com]
Sent: Sunday, March 15, 2015 20:46
To: kitten at ietf.org; OpenJDK Dev list
Cc: Thomas Maslen; Benjamin Kaduk
Subject: On stream-based GSSContext methods in RFC 5653
Hi All
I discussed with my colleagues on the stream-based methods and we think they are not well-designed:
1. A library should not define a wire protocol and assume the peer is using the same. http://tools.ietf.org/html/draft-ietf-kitten-gss-loop-05 requires the application to define it.
2. It's impossible to implement these methods correctly when the mechanism token has no self-framing or the library has no knowledge of the token format (for example,
as a bridge talking to another GSS library).
Therefore, I propose to deprecate these methods in an I-D. By deprecation, I'd like to remove the methods from the main content and describe the reason in a "Changes since RFC 5653" section. The specification for the methods will be moved to an appendix or the "Changes since RFC 5653" section will contain links to sections inside RFC 5653.
In Oracle JDK and OpenJDK, we would like to mark these methods as @deprecated. The existing implementations will be still supported.
Thanks
Max
From Alan.Bateman at oracle.com Sat Mar 21 10:54:19 2015
From: Alan.Bateman at oracle.com (Alan Bateman)
Date: Sat, 21 Mar 2015 10:54:19 +0000
Subject: RFR 8047789: auth.login.LoginContext needs to be updated to work
with modules
In-Reply-To: <83DE38C5-ED13-46A4-A75E-7D8748B2EFC9@oracle.com>
References: <83DE38C5-ED13-46A4-A75E-7D8748B2EFC9@oracle.com>
Message-ID: <550D4DDB.6080303@oracle.com>
On 20/03/2015 14:39, Wang Weijun wrote:
> Please review the code changes at
>
> http://cr.openjdk.java.net/~weijun/8047789/webrev.03/
>
> :
>
> Compatibility issue: Before this code change, any class that includes the necessary methods (initialize, login, logout, abort, commit) can be configured as a login module, which does not necessarily implement the LoginModule interface itself. After this code change, it must implement the interface.
>
> We might need to update the JAAS programming guide in Java SE documentation to describe the new loading mechanism.
>
I think the changes look reasonable too. A minor suggestion is to change
the existing comment "instantiate the LoginModule" to "locate and
instantiate ...".
On the compatibility issue then someone creating a JAAS configuration
file that lists a that is not a LoginModule will cause CCE
but this pops out as a LoginException with the CCE as cause now - right?
This may be something for release notes.
It would be good to get the JAAS documentation updated too.
-Alan
From weijun.wang at oracle.com Sat Mar 21 23:47:30 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Sun, 22 Mar 2015 07:47:30 +0800
Subject: [JDK-9] RFR: 8048618 Tests for PKCS12 write operations
In-Reply-To: <550A66D2.60706@oracle.com>
References: <55090E13.6080701@oracle.com>
<5531F555-9EFC-4AEE-BE34-DCA7E9CDC0BD@oracle.com>
<550A66D2.60706@oracle.com>
Message-ID:
Looks fine.
One small issue: LEAD_CERT does not have a "\n" before the "-----END" line. Although X509Factory accepts it this is not correct.
--Max
> On Mar 19, 2015, at 14:04, zaiyao liu wrote:
>
> Hi Max,
>
> Thanks for review,
> please check the update: http://cr.openjdk.java.net/~zailiu/8048618/webrev01/test/java/security/KeyStore/PKCS12/WriteP12Test.java.html
>
> Thanks again.
> Kevin
> ? 2015/3/18 14:23, Wang Weijun ??:
>>
>> 33 * WriteP12CertChainBad: same as WriteP12CertChain but chains order is
>> 34 * user-ca-lead, the order is wrong so expects to fail.
>>
>> Really? What is the exception?
> this line will catch the exception.
>
> 167 } catch (KeyStoreException e) {
>
>> Another suggestion, please move the text in the summary before the actual codes inside main() as comments. It's hard to page up and page down to find out what the tests are doing.
> Fixed, thanks.
>> Thanks
>> Max
>>
>>
>>> On Mar 18, 2015, at 13:33, zaiyao liu wrote:
>>>
>>> Hi Max,
>>>
>>> Please help to review this test:
>>>
>>> JDK issue:https://bugs.openjdk.java.net/browse/JDK-8048618
>>> Webrev:http://cr.openjdk.java.net/~zailiu/8048618/webrev/
>>>
>>> Thanks
>>>
>>> Kevin
>
From weijun.wang at oracle.com Sun Mar 22 00:03:11 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Sun, 22 Mar 2015 08:03:11 +0800
Subject: Code review of JDK-8072385,
Only the first DNSName entry is checked for endpoint identification
In-Reply-To: <550C9882.4060908@oracle.com>
References: <54F71BE5.2050205@oracle.com> <54FE39AB.1080503@oracle.com>
<54FE72C0.9000602@oracle.com> <54FE8691.9060405@oracle.com>
<550C9882.4060908@oracle.com>
Message-ID:
Looks fine to me too.
The isEquivalent() method name is not very precise IMHO, maybe hasSame()? Of course, if has same is what isEquivalent means then it's OK. :-)
Thanks
Max
> On Mar 21, 2015, at 06:00, Jamil Nimeh wrote:
>
> Hi Xuelei, this looks good to me.
>
> --Jamil
>
> On 3/9/2015 10:52 PM, Xuelei Fan wrote:
>> On 3/10/2015 12:27 PM, Jamil Nimeh wrote:
>>> Hi Xuelei, I can't be an official reviewer, but I did look over the code
>>> and it looks pretty good to me.
>> I think it is OK to push if you reviewed the code.
>>
>>> I did have a couple questions though:
>>>
>>> * Line 1570
>>> o Since the getSubjectAltNames() method is generic enough to take
>>> any int type it might be worthwhile to put some comments into
>>> the header stating that only those subjectAltName types that use
>>> String data should be passed into this function (see follow-on
>>> question below).
>> Good point. I added a note comment and updated the webrev.
>>
>>> * Line 1580
>>> o If, for some reason, a maintainer were to ever pass in a
>>> different altname value, like 4 (X400Address), wouldn't the code
>>> cause a ClassCastException when trying to cast the returned
>>> byte[] to a String? Would it be worthwhile to either do a
>>> instanceof check on the returned value before the cast or catch
>>> the CCE before it goes up the stack? Or is it your desire to
>>> let the CCE be thrown? I ask only because earlier in
>>> isIdentityEquivalent() you take the time to catch parsing
>>> exceptions and handle it with a log message rather than let it
>>> unwind the stack. Would it be worthwhile to do something
>>> similar with a CCE down in getSubjectAltNames()?
>>>
>> It's better to check the instance for a good coding experiences.
>>
>> It's safe here as for subjectAltName type of DNS and IPAddress, the data
>> type is String. See the spec of
>> X509Certificate.getSubjectAlternativeNames().
>>
>> We have the similar code in sun/security/util/HostnameChecker.java.
>>
>> Thanks,
>> Xuelei
>>
>>> But even as-is, this still looks good to me.
>>>
>>> --Jamil
>>>
>>> On 03/09/2015 05:24 PM, Xuelei Fan wrote:
>>>> Ping ...
>>>>
>>>> wbrev: http://cr.openjdk.java.net/~xuelei/8072385/webrev.00/
>>>>
>>>> On 3/4/2015 10:51 PM, Xuelei Fan wrote:
>>>>> Hi,
>>>>>
>>>>> Please review the fix for:
>>>>> https://bugs.openjdk.java.net/browse/JDK-8072385
>>>>>
>>>>> In SunJSSE implementation, during endpoint identification, there is a
>>>>> bug in SubjectAlternativeName matching that only the fist DNSName are
>>>>> checked. As may impact some business where host-name alias are used.
>>>>>
>>>>> The patch is attached.
>>>>>
>>>>> Thanks,
>>>>> Xuelei
>>>>>
>
From sean.mullan at oracle.com Sun Mar 22 14:41:33 2015
From: sean.mullan at oracle.com (Sean Mullan)
Date: Sun, 22 Mar 2015 10:41:33 -0400
Subject: RFR 8074935: jdk8 keytool doesn't validate pem files for RFC
1421 correctness, as jdk7 did
In-Reply-To: <9C3DEB27-8B39-446D-9CAC-21EAE4C24D40@oracle.com>
References: <9C3DEB27-8B39-446D-9CAC-21EAE4C24D40@oracle.com>
Message-ID: <550ED49D.10207@oracle.com>
Looks ok, though the copyright date on BadPem.java is incorrect.
--Sean
On 03/17/2015 06:02 AM, Wang Weijun wrote:
> Hi All
>
> Please review the code change at
>
> http://cr.openjdk.java.net/~weijun/8074935/webrev.00/
>
> In jdk8, we use Base64.getMimeDecoder() to parse PEM-encoded certs and it ignores every character not in the base-64 alphabet. PEM is more restricted and as I know openssl rejects PEM with illegal chars (Ex, "!" as in bug report and test). This fix will also reject them.
>
> I also updated the encode side so that the output is always 64 chars wide, which is a requirement of PEM (http://en.wikipedia.org/wiki/Base64#Privacy-enhanced_mail).
>
> Thanks
> Max
>
From sean.mullan at oracle.com Sun Mar 22 15:04:51 2015
From: sean.mullan at oracle.com (Sean Mullan)
Date: Sun, 22 Mar 2015 11:04:51 -0400
Subject: JDK 9 RFR of JDK-8075567: Mark intermittently failuring
security-libs tests
In-Reply-To: <550B740C.9010004@oracle.com>
References: <550B740C.9010004@oracle.com>
Message-ID: <550EDA13.1010204@oracle.com>
Looks fine to me, Joe.
--Sean
On 03/19/2015 09:12 PM, joe darcy wrote:
> Hello,
>
> Per a policy to mark intermittently failing tests (see
> http://mail.openjdk.java.net/pipermail/core-libs-dev/2015-March/032383.html),
> please review the changes below to mark two security libs tests as
> failing intermittently:
>
> sun/security/mscapi/ShortRSAKey1024.sh
> sun/security/mscapi/SignUsingNONEwithRSA.sh
>
> To find these tests, I went through unresolved security-libs bugs
> looking for test failures that had information updated within the last
> six months or so.
>
> Please add or remove the intermittent jtreg keyword to security tests
> appropriately going forward.
>
> Also, please consider the general recommendation to rewrite shell tests
> as Java programs. The langtools team was able to remove nearly all shell
> tests in their test suite.
>
> Thanks,
>
> -Joe
>
> diff -r cd4aea326e89 test/sun/security/mscapi/ShortRSAKey1024.sh
> --- a/test/sun/security/mscapi/ShortRSAKey1024.sh Thu Mar 19 13:18:49
> 2015 -0700
> +++ b/test/sun/security/mscapi/ShortRSAKey1024.sh Thu Mar 19 17:59:43
> 2015 -0700
> @@ -30,6 +30,7 @@
> # @run shell ShortRSAKey1024.sh 1024
> # @run shell ShortRSAKey1024.sh 768
> # @run shell ShortRSAKey1024.sh 512
> +# @key intermittent
>
> # set a few environment variables so that the shell-script can run
> stand-alone
> # in the source directory
> diff -r cd4aea326e89 test/sun/security/mscapi/SignUsingNONEwithRSA.sh
> --- a/test/sun/security/mscapi/SignUsingNONEwithRSA.sh Thu Mar 19
> 13:18:49 2015 -0700
> +++ b/test/sun/security/mscapi/SignUsingNONEwithRSA.sh Thu Mar 19
> 17:59:43 2015 -0700
> @@ -28,6 +28,7 @@
> # @bug 6578658
> # @run shell SignUsingNONEwithRSA.sh
> # @summary Sign using the NONEwithRSA signature algorithm from SunMSCAPI
> +# @key intermittent
>
> # set a few environment variables so that the shell-script can run
> stand-alone
> # in the source directory
>
From zaiyao.liu at oracle.com Mon Mar 23 02:05:28 2015
From: zaiyao.liu at oracle.com (zaiyao liu)
Date: Mon, 23 Mar 2015 10:05:28 +0800
Subject: [JDK-9] RFR: 8048618 Tests for PKCS12 write operations
In-Reply-To:
References: <55090E13.6080701@oracle.com>
<5531F555-9EFC-4AEE-BE34-DCA7E9CDC0BD@oracle.com>
<550A66D2.60706@oracle.com>
Message-ID: <550F74E8.5000106@oracle.com>
Hi Max,
Thanks for review, please check the update:
http://cr.openjdk.java.net/~zailiu/8048618/webrev.02/test/java/security/KeyStore/PKCS12/WriteP12Test.java.html
Please help to push code after you finished review with following full
comments:
8048618: Tests for PKCS12 write operations.
Reviewed-by: weijun
Contributed-by: Zaiyao Liu
Thanks again.
Kevin
? 2015/3/22 7:47, Wang Weijun ??:
> Looks fine.
>
> One small issue: LEAD_CERT does not have a "\n" before the "-----END" line. Although X509Factory accepts it this is not correct.
>
> --Max
>
>> On Mar 19, 2015, at 14:04, zaiyao liu wrote:
>>
>> Hi Max,
>>
>> Thanks for review,
>> please check the update: http://cr.openjdk.java.net/~zailiu/8048618/webrev01/test/java/security/KeyStore/PKCS12/WriteP12Test.java.html
>>
>> Thanks again.
>> Kevin
>> ? 2015/3/18 14:23, Wang Weijun ??:
>>> 33 * WriteP12CertChainBad: same as WriteP12CertChain but chains order is
>>> 34 * user-ca-lead, the order is wrong so expects to fail.
>>>
>>> Really? What is the exception?
>> this line will catch the exception.
>>
>> 167 } catch (KeyStoreException e) {
>>
>>> Another suggestion, please move the text in the summary before the actual codes inside main() as comments. It's hard to page up and page down to find out what the tests are doing.
>> Fixed, thanks.
>>> Thanks
>>> Max
>>>
>>>
>>>> On Mar 18, 2015, at 13:33, zaiyao liu wrote:
>>>>
>>>> Hi Max,
>>>>
>>>> Please help to review this test:
>>>>
>>>> JDK issue:https://bugs.openjdk.java.net/browse/JDK-8048618
>>>> Webrev:http://cr.openjdk.java.net/~zailiu/8048618/webrev/
>>>>
>>>> Thanks
>>>>
>>>> Kevin
From fweimer at redhat.com Mon Mar 23 08:33:18 2015
From: fweimer at redhat.com (Florian Weimer)
Date: Mon, 23 Mar 2015 09:33:18 +0100
Subject: RFR 8074935: jdk8 keytool doesn't validate pem files for RFC
1421 correctness, as jdk7 did
In-Reply-To: <9C3DEB27-8B39-446D-9CAC-21EAE4C24D40@oracle.com>
References: <9C3DEB27-8B39-446D-9CAC-21EAE4C24D40@oracle.com>
Message-ID: <550FCFCE.2060904@redhat.com>
On 03/17/2015 11:02 AM, Wang Weijun wrote:
> Hi All
>
> Please review the code change at
>
> http://cr.openjdk.java.net/~weijun/8074935/webrev.00/
>
> In jdk8, we use Base64.getMimeDecoder() to parse PEM-encoded certs and it ignores every character not in the base-64 alphabet. PEM is more restricted and as I know openssl rejects PEM with illegal chars (Ex, "!" as in bug report and test). This fix will also reject them.
Shouldn't you add a Base64.getPemDecoder() with these semantics? I
think this decoder would be useful in other contexts as well.
--
Florian Weimer / Red Hat Product Security
From sean.mullan at oracle.com Mon Mar 23 18:57:14 2015
From: sean.mullan at oracle.com (Sean Mullan)
Date: Mon, 23 Mar 2015 14:57:14 -0400
Subject: [9] RFR: 8074531: Remove javax.security.cert.X509Certificate
usage in internal networking packages
In-Reply-To: <5509F3AC.4030809@oracle.com>
References: <5509F3AC.4030809@oracle.com>
Message-ID: <5510620A.4040209@oracle.com>
Hi Jason,
* HttpsURLConnection.java, HttpsURLConnectionOldImpl.java
This looks fine but as a next-step, we may be able to completely remove
these classes, which have been deprecated for a long time and are
implementation-specific. Can you check with Brad/Xuelei and open a
separate issue to remove them if so?
Otherwise, looks good.
--Sean
On 03/18/2015 05:52 PM, Jason Uh wrote:
> Please review this change, which removes methods in internal net
> packages that use the deprecated javax.security.cert.X509Certificate type.
>
> webrev: http://cr.openjdk.java.net/~juh/8074531/00/
> bug: https://bugs.openjdk.java.net/browse/JDK-8074531
>
> Thanks,
> Jason
From weijun.wang at oracle.com Tue Mar 24 09:47:10 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Tue, 24 Mar 2015 17:47:10 +0800
Subject: RFR 8056174: New APIs for jar signing
Message-ID: <6747D17B-1BBF-48E6-9283-A07DCE6347C1@oracle.com>
Hi All
Please review the code change at
http://cr.openjdk.java.net/~weijun/8056174/webrev.00/
It provides a new jdk.Exported API JarSigner to perform jar signing. The class contains popular functions of the jarsigner tool. The jarsigner tool is unchanged and currently independent of the new class.
The root repo also needs a little change:
diff --git a/common/bin/unshuffle_list.txt b/common/bin/unshuffle_list.txt
--- a/common/bin/unshuffle_list.txt
+++ b/common/bin/unshuffle_list.txt
@@ -1305,6 +1304,7 @@
jdk/src/jdk.httpserver/share/classes/com/sun/net/httpserver : jdk/src/share/classes/com/sun/net/httpserver
jdk/src/jdk.httpserver/share/classes/sun/net/httpserver : jdk/src/share/classes/sun/net/httpserver
jdk/src/jdk.jartool/share/classes/com/sun/jarsigner : jdk/src/share/classes/com/sun/jarsigner
+jdk/src/jdk.jartool/share/classes/jdk/security/jarsigner : jdk/src/share/classes/jdk/security/jarsigner
jdk/src/jdk.jartool/share/classes/sun/security/tools/jarsigner : jdk/src/share/classes/sun/security/tools/jarsigner
jdk/src/jdk.jartool/share/classes/sun/tools/jar : jdk/src/share/classes/sun/tools/jar
jdk/src/jdk.jcmd/share/classes/sun/tools/jcmd : jdk/src/share/classes/sun/tools/jcmd
diff --git a/modules.xml b/modules.xml
--- a/modules.xml
+++ b/modules.xml
@@ -1634,6 +1645,9 @@
com.sun.jarsigner
+
+ jdk.security.jarsigner
+
jdk.javadoc
Thanks
Max
From weijun.wang at oracle.com Tue Mar 24 10:13:32 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Tue, 24 Mar 2015 18:13:32 +0800
Subject: RFR 8047789: auth.login.LoginContext needs to be updated to work
with modules
In-Reply-To: <550D4DDB.6080303@oracle.com>
References: <83DE38C5-ED13-46A4-A75E-7D8748B2EFC9@oracle.com>
<550D4DDB.6080303@oracle.com>
Message-ID: <310D4B79-8ABF-4656-A246-6710B69EB65A@oracle.com>
> On Mar 21, 2015, at 18:54, Alan Bateman wrote:
>
> On the compatibility issue then someone creating a JAAS configuration file that lists a that is not a LoginModule will cause CCE but this pops out as a LoginException with the CCE as cause now - right? This may be something for release notes.
Correct. Added.
--Max
From ecki at zusammenkunft.net Tue Mar 24 11:28:24 2015
From: ecki at zusammenkunft.net (Bernd)
Date: Tue, 24 Mar 2015 12:28:24 +0100
Subject: DH Key sizes (again)
Message-ID:
Hello,
it is good to see Java 8 support EDH with 1024 and 2048 bit keys. However
it is still a problem that there is no negotiation in the TLS handshake and
so a flexible client should be able to accept different key siztes. Apache
since 2.4.7 sends 2048/3072 and 4096. And starting with 2.4.10 it sends
even 6k and 8k (standard) primes.
I see a comment in the source that the DH provider needs to be improved to
actually handle those. So I wonder if there are any plans for this? Is
there a good way to request it? Would filing a RFE on bugreport.java.com be
the right place?
Gruss
Bernd
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From janwillem.janssen at luminis.eu Tue Mar 24 12:53:07 2015
From: janwillem.janssen at luminis.eu (Jan Willem Janssen)
Date: Tue, 24 Mar 2015 12:53:07 +0000
Subject: custom critical X509v3 extensions
Message-ID:
Hi,
When a X509TrustManager validates an endpoint certificate containing a
critical custom extension the sun.security.validator.EndEntityChecker
will always fail. While this is correct behaviour, and according to
the spec, there appears no way of adding support for custom critical
extensions on endpoint certificates?!
--
Met vriendelijke groeten | Kind regards
Jan Willem Janssen | Software Architect
+31 631 765 814
My world is revolving around INAETICS and Amdatu
Luminis Technologies B.V.
Churchillplein 1
7314 BZ Apeldoorn
+31 88 586 46 00
http://www.luminis-technologies.com
http://www.luminis.eu
KvK (CoC) 09 16 28 93
BTW (VAT) NL8169.78.566.B.01
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 817 bytes
Desc: Message signed with OpenPGP using GPGMail
URL:
From sean.mullan at oracle.com Tue Mar 24 13:12:19 2015
From: sean.mullan at oracle.com (Sean Mullan)
Date: Tue, 24 Mar 2015 09:12:19 -0400
Subject: custom critical X509v3 extensions
In-Reply-To:
References:
Message-ID: <551162B3.9090202@oracle.com>
On 03/24/2015 08:53 AM, Jan Willem Janssen wrote:
> Hi,
>
> When a X509TrustManager validates an endpoint certificate containing a
> critical custom extension the sun.security.validator.EndEntityChecker
> will always fail. While this is correct behaviour, and according to
> the spec, there appears no way of adding support for custom critical
> extensions on endpoint certificates?!
The CertPath API allows you to create your own PKIXCertPathChecker to
process custom extensions. This could then be added to the
CertPathTrustManagerParameters (via the addCertPathChecker method of
PKIXParameters), but it looks like there is no hook in the
EndEntityChecker to call the PKIXCertPathCheckers. I'll file a bug.
--Sean
>
> --
> Met vriendelijke groeten | Kind regards
>
> Jan Willem Janssen | Software Architect
> +31 631 765 814
>
> My world is revolving around INAETICS and Amdatu
>
> Luminis Technologies B.V.
> Churchillplein 1
> 7314 BZ Apeldoorn
> +31 88 586 46 00
>
> http://www.luminis-technologies.com
> http://www.luminis.eu
>
> KvK (CoC) 09 16 28 93
> BTW (VAT) NL8169.78.566.B.01
>
From janwillem.janssen at luminis.eu Wed Mar 25 08:00:58 2015
From: janwillem.janssen at luminis.eu (Jan Willem Janssen)
Date: Wed, 25 Mar 2015 08:00:58 +0000
Subject: custom critical X509v3 extensions
In-Reply-To: <551162B3.9090202@oracle.com>
References:
<551162B3.9090202@oracle.com>
Message-ID:
> On 24 Mar 2015, at 14:12, Sean Mullan wrote:
>
> On 03/24/2015 08:53 AM, Jan Willem Janssen wrote:
>>
>> When a X509TrustManager validates an endpoint certificate containing a
>> critical custom extension the sun.security.validator.EndEntityChecker
>> will always fail. While this is correct behaviour, and according to
>> the spec, there appears no way of adding support for custom critical
>> extensions on endpoint certificates?!
>
> The CertPath API allows you to create your own PKIXCertPathChecker to process custom extensions. This could then be added to the CertPathTrustManagerParameters (via the addCertPathChecker method of PKIXParameters), but it looks like there is no hook in the EndEntityChecker to call the PKIXCertPathCheckers.
Yes, that is also what I was doing, but was a little surprised that EndEntityChecker didn?t take any of those custom PKIXCertPathCheckers into consideration.
> I'll file a bug.
Thanks for the clarification, Sean!
--
Met vriendelijke groeten | Kind regards
Jan Willem Janssen | Software Architect
+31 631 765 814
My world is revolving around INAETICS and Amdatu
Luminis Technologies B.V.
Churchillplein 1
7314 BZ Apeldoorn
+31 88 586 46 00
http://www.luminis-technologies.com
http://www.luminis.eu
KvK (CoC) 09 16 28 93
BTW (VAT) NL8169.78.566.B.01
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 817 bytes
Desc: Message signed with OpenPGP using GPGMail
URL:
From sean.coffey at oracle.com Wed Mar 25 13:52:45 2015
From: sean.coffey at oracle.com (=?UTF-8?B?U2XDoW4gQ29mZmV5?=)
Date: Wed, 25 Mar 2015 13:52:45 +0000
Subject: RFR (xs) 8059588: deadlock in java/io/PrintStream when verbose
javax.net.debug flags are set
Message-ID: <5512BDAD.3010901@oracle.com>
This issue was reported while debugging a pkcs11 issue. While I can't
reproduce it, the captured stack trace does show a deadlock issue. Fix
is to simply stop using the SessionManager class lock to record and
print the maxActiveSessions in use and replace it with a local lock.
bug: https://bugs.openjdk.java.net/browse/JDK-8059588
webrev : http://cr.openjdk.java.net/~coffeys/webrev.8059588/webrev/
Regards,
Sean.
From sean.mullan at oracle.com Wed Mar 25 19:17:18 2015
From: sean.mullan at oracle.com (Sean Mullan)
Date: Wed, 25 Mar 2015 15:17:18 -0400
Subject: RFR 8047789: auth.login.LoginContext needs to be updated to work
with modules
In-Reply-To: <550D4DDB.6080303@oracle.com>
References: <83DE38C5-ED13-46A4-A75E-7D8748B2EFC9@oracle.com>
<550D4DDB.6080303@oracle.com>
Message-ID: <551309BE.6050108@oracle.com>
On 03/21/2015 06:54 AM, Alan Bateman wrote:
> On 20/03/2015 14:39, Wang Weijun wrote:
>> Please review the code changes at
>>
>> http://cr.openjdk.java.net/~weijun/8047789/webrev.03/
>>
This looks good to me too.
> It would be good to get the JAAS documentation updated too.
Yes, we should update the specification of the JavaLoginConfig type and
the relevant JAAS tutorials and programming guides to describe the use
of ServiceLoader to find LoginModule implementations. Can you file a
followon issue in the docs/guides component and add a "securitydocs" label?
--Sean
From weijun.wang at oracle.com Thu Mar 26 05:28:42 2015
From: weijun.wang at oracle.com (Weijun Wang)
Date: Thu, 26 Mar 2015 13:28:42 +0800
Subject: RFR 8075575/8075576: 2 com/sun/security/auth tests failed in certain
env
Message-ID: <5513990A.5080207@oracle.com>
Please review the change at
http://cr.openjdk.java.net/~weijun/8075575/webrev.00
The test checks for certain English text in the output, and cannot find
if running in another locale. Tests now forced running in English.
I've tried modifying the tests to check for localized texts returning
from ResourceBundle.getgetBundle().getString(). The test is not easy to
read and in one test MessageFormat.format() needs to be called. I
abandon this attempt and choose the current fix.
Thanks
Max
From mandy.chung at oracle.com Thu Mar 26 16:26:00 2015
From: mandy.chung at oracle.com (Mandy Chung)
Date: Thu, 26 Mar 2015 09:26:00 -0700
Subject: RFR 8056174: New APIs for jar signing
In-Reply-To: <6747D17B-1BBF-48E6-9283-A07DCE6347C1@oracle.com>
References: <6747D17B-1BBF-48E6-9283-A07DCE6347C1@oracle.com>
Message-ID: <55143318.8050407@oracle.com>
On 3/24/2015 2:47 AM, Wang Weijun wrote:
> Hi All
>
> Please review the code change at
>
> http://cr.openjdk.java.net/~weijun/8056174/webrev.00/
>
> It provides a new jdk.Exported API JarSigner to perform jar signing. The class contains popular functions of the jarsigner tool. The jarsigner tool is unchanged and currently independent of the new class.
Passing comment when skimming on the webrev:
JarSignerException.ErrorCode - do you expect the caller will want
to process error handling differently with different type of error?
I wonder if the error message would be good enough wrapping the
Throwable cause. Should JarSignerException be an unchecked exception?
One other thing to mention: @jdk.Exported will go away some time.
For now it's okay to use it and will be cleaned up together with
other JDK exported APIs when time comes.
> The root repo also needs a little change:
>
> diff --git a/common/bin/unshuffle_list.txt b/common/bin/unshuffle_list.txt
This is a new package that you don't need to include in the
unshuffle_list.txt (that's mainly for backporting use).
> diff --git a/modules.xml b/modules.xml
> --- a/modules.xml
> +++ b/modules.xml
> @@ -1634,6 +1645,9 @@
>
> com.sun.jarsigner
>
> +
> + jdk.security.jarsigner
> +
>
>
> jdk.javadoc
>
Looks fine.
Mandy
From anthony.scarpino at oracle.com Thu Mar 26 17:46:58 2015
From: anthony.scarpino at oracle.com (Anthony Scarpino)
Date: Thu, 26 Mar 2015 10:46:58 -0700
Subject: Code Review Request: 8064546 CipherInputStream throws
BadPaddingException if stream is not fully read
Message-ID: <55144612.4090308@oracle.com>
Hi,
I'd like a review of the below webrev:
http://cr.openjdk.java.net/~ascarpino/8064546/webrev/
The code change is very simple, where close() should not throw
exceptions. Most of the code change is comments that are just informational
The attached test goes through all the scenarios making sure AEAD and
non-AEAD ciphers operate as expected.
thanks
Tony
From sean.mullan at oracle.com Thu Mar 26 19:32:36 2015
From: sean.mullan at oracle.com (Sean Mullan)
Date: Thu, 26 Mar 2015 15:32:36 -0400
Subject: DH Key sizes (again)
In-Reply-To:
References:
Message-ID: <55145ED4.9040403@oracle.com>
Hi Bernd,
On 03/24/2015 07:28 AM, Bernd wrote:
> Hello,
>
> it is good to see Java 8 support EDH with 1024 and 2048 bit keys.
> However it is still a problem that there is no negotiation in the TLS
> handshake and so a flexible client should be able to accept different
> key siztes. Apache since 2.4.7 sends 2048/3072 and 4096. And starting
> with 2.4.10 it sends even 6k and 8k (standard) primes.
>
> I see a comment in the source that the DH provider needs to be improved
> to actually handle those. So I wonder if there are any plans for this?
> Is there a good way to request it? Would filing a RFE on
> bugreport.java.com be the right place?
There is currently an open issue for this:
https://bugs.openjdk.java.net/browse/JDK-8072452
Let me look into what our plans are for this and get back to you. I
agree it is important to resolve.
--Sean
From sean.mullan at oracle.com Thu Mar 26 20:41:22 2015
From: sean.mullan at oracle.com (Sean Mullan)
Date: Thu, 26 Mar 2015 16:41:22 -0400
Subject: RFR 8056174: New APIs for jar signing
In-Reply-To: <6747D17B-1BBF-48E6-9283-A07DCE6347C1@oracle.com>
References: <6747D17B-1BBF-48E6-9283-A07DCE6347C1@oracle.com>
Message-ID: <55146EF2.2010005@oracle.com>
On 03/24/2015 05:47 AM, Wang Weijun wrote:
> Hi All
>
> Please review the code change at
>
> http://cr.openjdk.java.net/~weijun/8056174/webrev.00/
>
> It provides a new jdk.Exported API JarSigner to perform jar signing. The class contains popular functions of the jarsigner tool. The jarsigner tool is unchanged and currently independent of the new class.
* AlgorithmId
- checKeyAlgSigAlgkMatch
Should this be named "checkKeyAndSigAlgMatch"?
* Builder
- why are methods public when class is package-private?
* JarSigner
- For digestAlg and sigAlg you should add a pointer to the relevant
section of the Standard Algorithm Names guide for a list of standard
algorithms that can be specified.
* JarSignerException
- is there ever a reason to add a ctor that takes a String for the
exception message?
* API
- copyright should be 2015
* options.sh
- how is this relevant if jarsigner has not been updated to use the new
API yet? Also, we should avoid adding more shell script tests.
--Sean
From jason.uh at oracle.com Thu Mar 26 22:37:56 2015
From: jason.uh at oracle.com (Jason Uh)
Date: Thu, 26 Mar 2015 15:37:56 -0700
Subject: [9] RFR: 7145757: CertificateExtensions uses non-consistent key
names
In-Reply-To: <523E4097-9101-438A-AE21-50754131B2C3@oracle.com>
References: <5508D62A.9010507@oracle.com>
<550A0D08.1020901@oracle.com>
<523E4097-9101-438A-AE21-50754131B2C3@oracle.com>
Message-ID: <55148A44.1040700@oracle.com>
Please review this revision:
http://cr.openjdk.java.net/~juh/7145757/01/
* all get()/set() calls to CertificateExtensions and CRLExtensions
is by OID
* get()/set() from X509CertImpl/Info continue to work by name.
ex: X509CertImpl.get("x509.info.extensions.")
* a global nameCache is maintained in OIDMap as suggested
* no IOException from CRLExtensions
* fixed a bug on line 753 of X509CertImpl to allow extension deletion
Thanks,
Jason
On 03/18/2015 06:06 PM, Wang Weijun wrote:
> Yes, it will be extensive, but since we already make all keys OID, we should always call those set/get() with OIDs for performance. In case we might miss some, inside the implementation of get/set(), we can still accept names.
>
> Also, it seems there is no need for a nameCache everywhere, you can probably maintain a global one inside OIDMap.
>
> As for the IOException, I think it's because CRLExtensions does not have getExtension() that returns null. Now that you create another inconsistence that X509CRLImpl.getExtension() is starting to throw IOE while X509CertImpl.getExtension() does not.
>
> --Max
>
>> On Mar 19, 2015, at 07:40, Jason Uh wrote:
>>
>> Hi Max,
>>
>> On 03/18/2015 04:09 PM, Wang Weijun wrote:
>>> Hi Jason
>>>
>>> I was thinking about changing all set/get calls to using OID so inside CertificateExtensions and CRLExtensions you won't need to care about name conversions. Is that possible?
>>
>> It might be, but it'd call for more extensive changes. Currently, when certificates are parsed, the extensions are added using the name, and when they are retrieved, they are also specified by name -- for example, X509CertImpl.getBasicConstraints() calls a get() method with the BasicConstraints alias as the lookup parameter.
>>
>> It's been a while, but the last we spoke about this, I think you wanted to keep the changes for this contained within CertificateExtensions and CRLExtensions. If that's still the case, we'll have to do this name conversion. If not, I could try changing things outside of these classes.
>>
>>> Also I see you adding some IOException throwing and catching. Is there any case you actually see them? I would think if that really happen there might be some programming error.
>>
>> I added the IOExceptions mainly to keep CRLExtensions consistent with CertificateExtensions. I thought it was a little odd that they weren't being thrown, but they may not need to be there for CRLExtensions. I can take them out.
>>
>>> --Max
>>>
>>>> On Mar 18, 2015, at 09:34, Jason Uh wrote:
>>>>
>>>> Please review this fix, which changes the internal map in sun.security.x509.CertificateExtensions and CRLExtensions to always use the OID as the key.
>>>>
>>>> As stated in the JBS issue:
>>>>> The sun.security.x509.CertificateExtensions class maintains a Map map field to store all the extensions it manages. The key of map uses the name (say, "BasicConstraints") of the extension, or the OID when the type of the extension is unknown.
>>>>
>>>> With this change, the map will consistently use the OID as the key.
>>>>
>>>> webrev: http://cr.openjdk.java.net/~juh/7145757/00/
>>>> bug: https://bugs.openjdk.java.net/browse/JDK-7145757
>>>>
>>>> Thanks,
>>>> Jason
>>>
>
From weijun.wang at oracle.com Fri Mar 27 04:18:16 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Fri, 27 Mar 2015 12:18:16 +0800
Subject: RFR 8056174: New APIs for jar signing
In-Reply-To: <55146EF2.2010005@oracle.com>
References: <6747D17B-1BBF-48E6-9283-A07DCE6347C1@oracle.com>
<55146EF2.2010005@oracle.com>
Message-ID: <3B75C91A-7B6C-4A23-9EC9-8454F05F94E2@oracle.com>
> On Mar 27, 2015, at 04:41, Sean Mullan wrote:
>
> On 03/24/2015 05:47 AM, Wang Weijun wrote:
>> Hi All
>>
>> Please review the code change at
>>
>> http://cr.openjdk.java.net/~weijun/8056174/webrev.00/
>>
>> It provides a new jdk.Exported API JarSigner to perform jar signing. The class contains popular functions of the jarsigner tool. The jarsigner tool is unchanged and currently independent of the new class.
>
> * AlgorithmId
>
> - checKeyAlgSigAlgkMatch
>
> Should this be named "checkKeyAndSigAlgMatch"?
OK.
>
> * Builder
>
> - why are methods public when class is package-private?
I forgot to move the class into sun.security.tools.jarsigner and make it public. Then it's accessible from both JarSigner (the API) and sun.security.tools.jarsigner.Main (the tool).
>
> * JarSigner
>
> - For digestAlg and sigAlg you should add a pointer to the relevant section of the Standard Algorithm Names guide for a list of standard algorithms that can be specified.
Yes.
>
> * JarSignerException
>
> - is there ever a reason to add a ctor that takes a String for the exception message?
I added your comments from the other mail below.
> Passing comment when skimming on the webrev:
>
> JarSignerException.ErrorCode - do you expect the caller will want
> to process error handling differently with different type of error?
>
> I wonder if the error message would be good enough wrapping the
> Throwable cause.
Yes, I agree a ctor with arguments (message, cause) is enough. The type of cause is actually equivalent to the ErrorCode. The new message argument should be localized.
> Should JarSignerException be an unchecked exception?
In traditional Java style, it should be checked. Normally unchecked exception should not be expected if running normally, but here we will see TSA connection error, algorithm name error, etc.
In fact I originally suggested unchecked exception, but my main reason is that a checked permission is not friendly with lambda and a little old fashioned.
>
> * API
>
> - copyright should be 2015
>
> * options.sh
>
> - how is this relevant if jarsigner has not been updated to use the new API yet? Also, we should avoid adding more shell script tests.
Not relevant, I'll remove it.
Thanks
Max
>
> --Sean
>
>
From weijun.wang at oracle.com Fri Mar 27 10:53:52 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Fri, 27 Mar 2015 18:53:52 +0800
Subject: [9] RFR: 7145757: CertificateExtensions uses non-consistent key
names
In-Reply-To: <55148A44.1040700@oracle.com>
References: <5508D62A.9010507@oracle.com>
<550A0D08.1020901@oracle.com>
<523E4097-9101-438A-AE21-50754131B2C3@oracle.com>
<55148A44.1040700@oracle.com>
Message-ID:
> On Mar 27, 2015, at 06:37, Jason Uh wrote:
>
> Please review this revision:
> http://cr.openjdk.java.net/~juh/7145757/01/
>
> * a global nameCache is maintained in OIDMap as suggested
Can you just use the existing OIDMap.getId() method? It looks like your getCachedOid(name) is the same as getId("x509.info.extensions." + name).
In fact, since the OIDMap only contains mapping of extensions, I'd suggest renaming it to ExtensionMap and change the name inside to short names (without the "x509.info.extensions." prefix).
--Max
From sean.mullan at oracle.com Fri Mar 27 18:58:26 2015
From: sean.mullan at oracle.com (Sean Mullan)
Date: Fri, 27 Mar 2015 14:58:26 -0400
Subject: RFR (xs) 8059588: deadlock in java/io/PrintStream when verbose
javax.net.debug flags are set
In-Reply-To: <5512BDAD.3010901@oracle.com>
References: <5512BDAD.3010901@oracle.com>
Message-ID: <5515A852.5040806@oracle.com>
This looks fine, just one comment. Can you put braces around the if
debug statement on lines 117-118 (just to be safe).
--Sean
On 03/25/2015 09:52 AM, Se?n Coffey wrote:
> This issue was reported while debugging a pkcs11 issue. While I can't
> reproduce it, the captured stack trace does show a deadlock issue. Fix
> is to simply stop using the SessionManager class lock to record and
> print the maxActiveSessions in use and replace it with a local lock.
>
> bug: https://bugs.openjdk.java.net/browse/JDK-8059588
> webrev : http://cr.openjdk.java.net/~coffeys/webrev.8059588/webrev/
>
> Regards,
> Sean.
From sean.coffey at oracle.com Fri Mar 27 19:05:41 2015
From: sean.coffey at oracle.com (=?UTF-8?B?U2XDoW4gQ29mZmV5?=)
Date: Fri, 27 Mar 2015 19:05:41 +0000
Subject: RFR (xs) 8059588: deadlock in java/io/PrintStream when verbose
javax.net.debug flags are set
In-Reply-To: <5515A852.5040806@oracle.com>
References: <5512BDAD.3010901@oracle.com> <5515A852.5040806@oracle.com>
Message-ID: <5515AA05.1010308@oracle.com>
Thanks Sean. Yes - I'll add those braces before pushing.
regards,
Sean.
On 27/03/2015 18:58, Sean Mullan wrote:
> This looks fine, just one comment. Can you put braces around the if
> debug statement on lines 117-118 (just to be safe).
>
> --Sean
>
> On 03/25/2015 09:52 AM, Se?n Coffey wrote:
>> This issue was reported while debugging a pkcs11 issue. While I can't
>> reproduce it, the captured stack trace does show a deadlock issue. Fix
>> is to simply stop using the SessionManager class lock to record and
>> print the maxActiveSessions in use and replace it with a local lock.
>>
>> bug: https://bugs.openjdk.java.net/browse/JDK-8059588
>> webrev : http://cr.openjdk.java.net/~coffeys/webrev.8059588/webrev/
>>
>> Regards,
>> Sean.
From bradford.wetmore at oracle.com Fri Mar 27 19:27:43 2015
From: bradford.wetmore at oracle.com (Bradford Wetmore)
Date: Fri, 27 Mar 2015 12:27:43 -0700
Subject: RFR (xs) 8059588: deadlock in java/io/PrintStream when verbose
javax.net.debug flags are set
In-Reply-To: <5515AA05.1010308@oracle.com>
References: <5512BDAD.3010901@oracle.com> <5515A852.5040806@oracle.com>
<5515AA05.1010308@oracle.com>
Message-ID: <5515AF2F.6070605@oracle.com>
Sean,
Is this a java.security.debug or a javax.net.debug issue as mentioned in
the synopsis? It imports from sun.security.util.Debug, which is
java.security.debug, not javax.net.debug.
In the bug, both variables were set.
...deleted...
-Djavax.net.debug=ssl,handshake,record,keygen,session,defaultctx,sslctx,ses
sioncache,keymanager,trustmanager -Dcom.oracle.security.ucrypto.debug=true
-Djava.security.debug=all -Djsse.S
Probably the synopsis should be changed.
Brad
On 3/27/2015 12:05 PM, Se?n Coffey wrote:
> Thanks Sean. Yes - I'll add those braces before pushing.
>
> regards,
> Sean.
>
> On 27/03/2015 18:58, Sean Mullan wrote:
>> This looks fine, just one comment. Can you put braces around the if
>> debug statement on lines 117-118 (just to be safe).
>>
>> --Sean
>>
>> On 03/25/2015 09:52 AM, Se?n Coffey wrote:
>>> This issue was reported while debugging a pkcs11 issue. While I can't
>>> reproduce it, the captured stack trace does show a deadlock issue. Fix
>>> is to simply stop using the SessionManager class lock to record and
>>> print the maxActiveSessions in use and replace it with a local lock.
>>>
>>> bug: https://bugs.openjdk.java.net/browse/JDK-8059588
>>> webrev : http://cr.openjdk.java.net/~coffeys/webrev.8059588/webrev/
>>>
>>> Regards,
>>> Sean.
>
From sean.coffey at oracle.com Fri Mar 27 19:30:28 2015
From: sean.coffey at oracle.com (=?UTF-8?B?U2XDoW4gQ29mZmV5?=)
Date: Fri, 27 Mar 2015 19:30:28 +0000
Subject: RFR (xs) 8059588: deadlock in java/io/PrintStream when verbose
javax.net.debug flags are set
In-Reply-To: <5515AF2F.6070605@oracle.com>
References: <5512BDAD.3010901@oracle.com> <5515A852.5040806@oracle.com>
<5515AA05.1010308@oracle.com> <5515AF2F.6070605@oracle.com>
Message-ID: <5515AFD4.4080509@oracle.com>
Brad,
you're correct. The debug flag for pkcs11 is enabled via
java.security.debug=pkcs11 - I'll update the bug synopsis. The changeset
has already been pushed though.
regards,
Sean.
On 27/03/2015 19:27, Bradford Wetmore wrote:
> Sean,
>
> Is this a java.security.debug or a javax.net.debug issue as mentioned
> in the synopsis? It imports from sun.security.util.Debug, which is
> java.security.debug, not javax.net.debug.
>
> In the bug, both variables were set.
>
> ...deleted...
> -Djavax.net.debug=ssl,handshake,record,keygen,session,defaultctx,sslctx,ses
>
> sioncache,keymanager,trustmanager
> -Dcom.oracle.security.ucrypto.debug=true
> -Djava.security.debug=all -Djsse.S
>
> Probably the synopsis should be changed.
>
> Brad
>
>
>
> On 3/27/2015 12:05 PM, Se?n Coffey wrote:
>> Thanks Sean. Yes - I'll add those braces before pushing.
>>
>> regards,
>> Sean.
>>
>> On 27/03/2015 18:58, Sean Mullan wrote:
>>> This looks fine, just one comment. Can you put braces around the if
>>> debug statement on lines 117-118 (just to be safe).
>>>
>>> --Sean
>>>
>>> On 03/25/2015 09:52 AM, Se?n Coffey wrote:
>>>> This issue was reported while debugging a pkcs11 issue. While I can't
>>>> reproduce it, the captured stack trace does show a deadlock issue. Fix
>>>> is to simply stop using the SessionManager class lock to record and
>>>> print the maxActiveSessions in use and replace it with a local lock.
>>>>
>>>> bug: https://bugs.openjdk.java.net/browse/JDK-8059588
>>>> webrev : http://cr.openjdk.java.net/~coffeys/webrev.8059588/webrev/
>>>>
>>>> Regards,
>>>> Sean.
>>
From mandy.chung at oracle.com Fri Mar 27 20:30:30 2015
From: mandy.chung at oracle.com (Mandy Chung)
Date: Fri, 27 Mar 2015 13:30:30 -0700
Subject: RFR 8056174: New APIs for jar signing
In-Reply-To: <3B75C91A-7B6C-4A23-9EC9-8454F05F94E2@oracle.com>
References: <6747D17B-1BBF-48E6-9283-A07DCE6347C1@oracle.com> <55146EF2.2010005@oracle.com>
<3B75C91A-7B6C-4A23-9EC9-8454F05F94E2@oracle.com>
Message-ID: <5515BDE6.4090807@oracle.com>
On 3/26/15 9:18 PM, Wang Weijun wrote:
>>
>> JarSignerException.ErrorCode - do you expect the caller will want
>> to process error handling differently with different type of error?
>>
>> I wonder if the error message would be good enough wrapping the
>> Throwable cause.
> Yes, I agree a ctor with arguments (message, cause) is enough. The type of cause is actually equivalent to the ErrorCode. The new message argument should be localized.
Generally, JDK tool emitted messages are localized but exception messages
are not localized. I notice that some security exception messages are
localized (sun/security/util/Resources.java and sun/security/util/AuthResources.java)
that may make sense for example parsing policy file.
I think the application using this API should be handling the localization
not in the exception message.
>
>> Should JarSignerException be an unchecked exception?
> In traditional Java style, it should be checked. Normally unchecked exception should not be expected if running normally, but here we will see TSA connection error, algorithm name error, etc.
>
> In fact I originally suggested unchecked exception, but my main reason is that a checked permission is not friendly with lambda and a little old fashioned.
This exception is thrown at error cases. It looks like when the
exception is raised, there is no action the caller can do other
than outputting an error message and exit, right? Then
unchecked exception would be more appropriate (see Effective Java
item 59).
Mandy
From jason.uh at oracle.com Fri Mar 27 21:19:16 2015
From: jason.uh at oracle.com (Jason Uh)
Date: Fri, 27 Mar 2015 14:19:16 -0700
Subject: [9] RFR: 7145757: CertificateExtensions uses non-consistent key
names
In-Reply-To:
References: <5508D62A.9010507@oracle.com>
<550A0D08.1020901@oracle.com>
<523E4097-9101-438A-AE21-50754131B2C3@oracle.com>
<55148A44.1040700@oracle.com>
Message-ID: <5515C954.8010306@oracle.com>
On 03/27/2015 03:53 AM, Wang Weijun wrote:
>
>> On Mar 27, 2015, at 06:37, Jason Uh wrote:
>>
>> Please review this revision:
>> http://cr.openjdk.java.net/~juh/7145757/01/
>>
>> * a global nameCache is maintained in OIDMap as suggested
>
> Can you just use the existing OIDMap.getId() method? It looks like your getCachedOid(name) is the same as getId("x509.info.extensions." + name).
>
> In fact, since the OIDMap only contains mapping of extensions, I'd suggest renaming it to ExtensionMap and change the name inside to short names (without the "x509.info.extensions." prefix).
OK, thanks for that suggestion. I thought there was some significance to
using the "full" name in OIDMap, but if that's not necessary, it makes
things more flexible. Here is the latest revision that uses only the
existing OIDMap (now called ExtensionsMap).
http://cr.openjdk.java.net/~juh/7145757/02/
Thanks,
Jason
> --Max
>
From weijun.wang at oracle.com Sat Mar 28 14:45:55 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Sat, 28 Mar 2015 22:45:55 +0800
Subject: [9] RFR: 7145757: CertificateExtensions uses non-consistent key
names
In-Reply-To: <5515C954.8010306@oracle.com>
References: <5508D62A.9010507@oracle.com>
<550A0D08.1020901@oracle.com>
<523E4097-9101-438A-AE21-50754131B2C3@oracle.com>
<55148A44.1040700@oracle.com>
<5515C954.8010306@oracle.com>
Message-ID:
> On Mar 28, 2015, at 05:19, Jason Uh wrote:
>
>
>
> On 03/27/2015 03:53 AM, Wang Weijun wrote:
>>
>>> On Mar 27, 2015, at 06:37, Jason Uh wrote:
>>>
>>> Please review this revision:
>>> http://cr.openjdk.java.net/~juh/7145757/01/
>>>
>>> * a global nameCache is maintained in OIDMap as suggested
>>
>> Can you just use the existing OIDMap.getId() method? It looks like your getCachedOid(name) is the same as getId("x509.info.extensions." + name).
>>
>> In fact, since the OIDMap only contains mapping of extensions, I'd suggest renaming it to ExtensionMap and change the name inside to short names (without the "x509.info.extensions." prefix).
>
> OK, thanks for that suggestion. I thought there was some significance to using the "full" name in OIDMap,
I think it was designed to be more powerful (see how OtherName uses it) but unfortunately it hasn't been so. Now that with jdk9/module it is no more accessible from outside the JDK, we can simplify it.
> but if that's not necessary, it makes things more flexible. Here is the latest revision that uses only the existing OIDMap (now called ExtensionsMap).
>
> http://cr.openjdk.java.net/~juh/7145757/02/
Will read it.
Thanks
Max
>
> Thanks,
> Jason
>
>> --Max
>>
From weijun.wang at oracle.com Sat Mar 28 15:17:59 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Sat, 28 Mar 2015 23:17:59 +0800
Subject: RFR 8056174: New APIs for jar signing
In-Reply-To: <5515BDE6.4090807@oracle.com>
References: <6747D17B-1BBF-48E6-9283-A07DCE6347C1@oracle.com>
<55146EF2.2010005@oracle.com>
<3B75C91A-7B6C-4A23-9EC9-8454F05F94E2@oracle.com>
<5515BDE6.4090807@oracle.com>
Message-ID:
> On Mar 28, 2015, at 04:30, Mandy Chung wrote:
>
> On 3/26/15 9:18 PM, Wang Weijun wrote:
>>>
>>> JarSignerException.ErrorCode - do you expect the caller will want
>>> to process error handling differently with different type of error?
>>>
>>> I wonder if the error message would be good enough wrapping the
>>> Throwable cause.
>> Yes, I agree a ctor with arguments (message, cause) is enough. The type of cause is actually equivalent to the ErrorCode. The new message argument should be localized.
>
> Generally, JDK tool emitted messages are localized but exception messages
> are not localized. I notice that some security exception messages are
> localized (sun/security/util/Resources.java and sun/security/util/AuthResources.java)
> that may make sense for example parsing policy file.
(Not really, the policy file format is not localized, why should its error msg be?)
>
> I think the application using this API should be handling the localization
> not in the exception message.
Suppose someone writes a GUI tool as a wrapper of this API. It is not easy for it to understand all exception messages and localize them. Throwable has a getLocalizedMessage() method, I'll see if I can use it.
Actually, since this exception should always be generated inside JDK, shall I just remove all constructors from the public API? (Suppose there is an easy way to construct it without a public ctor). Is there such an example?
>
>>
>>> Should JarSignerException be an unchecked exception?
>> In traditional Java style, it should be checked. Normally unchecked exception should not be expected if running normally, but here we will see TSA connection error, algorithm name error, etc.
>>
>> In fact I originally suggested unchecked exception, but my main reason is that a checked permission is not friendly with lambda and a little old fashioned.
>
> This exception is thrown at error cases. It looks like when the
> exception is raised, there is no action the caller can do other
> than outputting an error message and exit, right? Then
> unchecked exception would be more appropriate (see Effective Java
> item 59).
Great answer. I now think it should be unchecked.
Thanks
Max
>
> Mandy
>
>
From weijun.wang at oracle.com Mon Mar 30 15:24:24 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Mon, 30 Mar 2015 23:24:24 +0800
Subject: Lambda in security manager initialization fail
Message-ID: <9AC801D9-750C-4168-B1A6-76C16886E3A1@oracle.com>
I have a customized security manager:
import java.security.AccessController;
import java.security.PrivilegedAction;
public class A3 extends SecurityManager {
public A3() {
// 1. Using lambda
AccessController.doPrivileged((PrivilegedAction)
() -> null);
// 2. Using inner class
AccessController.doPrivileged(new PrivilegedAction() {
@Override
public Void run() {
return null;
}
});
}
}
If I use the inner class, everything is OK. If the lambda, I see this error:
$ java -Djava.security.manager=A3
Error occurred during initialization of VM
java.lang.ExceptionInInitializerError
at java.lang.invoke.BoundMethodHandle.(BoundMethodHandle.java:829)
at java.lang.invoke.LambdaForm.createIdentityForms(LambdaForm.java:1753)
at java.lang.invoke.LambdaForm.(LambdaForm.java:1808)
at java.lang.invoke.DirectMethodHandle.makePreparedLambdaForm(DirectMethodHandle.java:223)
at java.lang.invoke.DirectMethodHandle.preparedLambdaForm(DirectMethodHandle.java:188)
at java.lang.invoke.DirectMethodHandle.preparedLambdaForm(DirectMethodHandle.java:177)
at java.lang.invoke.DirectMethodHandle.make(DirectMethodHandle.java:84)
at java.lang.invoke.MethodHandles$Lookup.getDirectMethodCommon(MethodHandles.java:1655)
at java.lang.invoke.MethodHandles$Lookup.getDirectMethodNoSecurityManager(MethodHandles.java:1612)
at java.lang.invoke.MethodHandles$Lookup.getDirectMethodForConstant(MethodHandles.java:1797)
at java.lang.invoke.MethodHandles$Lookup.linkMethodHandleConstant(MethodHandles.java:1746)
at java.lang.invoke.MethodHandleNatives.linkMethodHandleConstant(MethodHandleNatives.java:477)
at A3.(A3.java:6)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at java.lang.Class.newInstance(Class.java:444)
at sun.misc.Launcher.(Launcher.java:96)
at sun.misc.Launcher.(Launcher.java:57)
at java.lang.ClassLoader.initSystemClassLoader(ClassLoader.java:1440)
at java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1425)
Caused by: java.lang.NullPointerException
at sun.invoke.util.BytecodeDescriptor.parseSig(BytecodeDescriptor.java:83)
at sun.invoke.util.BytecodeDescriptor.parseMethod(BytecodeDescriptor.java:54)
at sun.invoke.util.BytecodeDescriptor.parseMethod(BytecodeDescriptor.java:41)
at java.lang.invoke.MethodType.fromMethodDescriptorString(MethodType.java:1065)
at java.lang.invoke.BoundMethodHandle$Factory.makeCbmhCtor(BoundMethodHandle.java:817)
at java.lang.invoke.BoundMethodHandle$Factory.makeCtors(BoundMethodHandle.java:772)
at java.lang.invoke.BoundMethodHandle$SpeciesData.initForBootstrap(BoundMethodHandle.java:358)
at java.lang.invoke.BoundMethodHandle$SpeciesData.(BoundMethodHandle.java:447)
at java.lang.invoke.BoundMethodHandle.(BoundMethodHandle.java:829)
at java.lang.invoke.LambdaForm.createIdentityForms(LambdaForm.java:1753)
at java.lang.invoke.LambdaForm.(LambdaForm.java:1808)
at java.lang.invoke.DirectMethodHandle.makePreparedLambdaForm(DirectMethodHandle.java:223)
at java.lang.invoke.DirectMethodHandle.preparedLambdaForm(DirectMethodHandle.java:188)
at java.lang.invoke.DirectMethodHandle.preparedLambdaForm(DirectMethodHandle.java:177)
at java.lang.invoke.DirectMethodHandle.make(DirectMethodHandle.java:84)
at java.lang.invoke.MethodHandles$Lookup.getDirectMethodCommon(MethodHandles.java:1655)
at java.lang.invoke.MethodHandles$Lookup.getDirectMethodNoSecurityManager(MethodHandles.java:1612)
at java.lang.invoke.MethodHandles$Lookup.getDirectMethodForConstant(MethodHandles.java:1797)
at java.lang.invoke.MethodHandles$Lookup.linkMethodHandleConstant(MethodHandles.java:1746)
at java.lang.invoke.MethodHandleNatives.linkMethodHandleConstant(MethodHandleNatives.java:477)
at A3.(A3.java:6)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at java.lang.Class.newInstance(Class.java:444)
Any reason why?
Thanks
Max
From peter.levart at gmail.com Mon Mar 30 20:01:42 2015
From: peter.levart at gmail.com (Peter Levart)
Date: Mon, 30 Mar 2015 22:01:42 +0200
Subject: Lambda in security manager initialization fail
In-Reply-To: <9AC801D9-750C-4168-B1A6-76C16886E3A1@oracle.com>
References: <9AC801D9-750C-4168-B1A6-76C16886E3A1@oracle.com>
Message-ID: <5519ABA6.2030409@gmail.com>
Hi Max,
On 03/30/2015 05:24 PM, Wang Weijun wrote:
> I have a customized security manager:
>
> import java.security.AccessController;
> import java.security.PrivilegedAction;
>
> public class A3 extends SecurityManager {
> public A3() {
> // 1. Using lambda
> AccessController.doPrivileged((PrivilegedAction)
> () -> null);
> // 2. Using inner class
> AccessController.doPrivileged(new PrivilegedAction() {
> @Override
> public Void run() {
> return null;
> }
> });
> }
> }
>
> If I use the inner class, everything is OK. If the lambda, I see this error:
>
> $ java -Djava.security.manager=A3
> Error occurred during initialization of VM
> java.lang.ExceptionInInitializerError
> at java.lang.invoke.BoundMethodHandle.(BoundMethodHandle.java:829)
> at java.lang.invoke.LambdaForm.createIdentityForms(LambdaForm.java:1753)
> at java.lang.invoke.LambdaForm.(LambdaForm.java:1808)
> at java.lang.invoke.DirectMethodHandle.makePreparedLambdaForm(DirectMethodHandle.java:223)
> at java.lang.invoke.DirectMethodHandle.preparedLambdaForm(DirectMethodHandle.java:188)
> at java.lang.invoke.DirectMethodHandle.preparedLambdaForm(DirectMethodHandle.java:177)
> at java.lang.invoke.DirectMethodHandle.make(DirectMethodHandle.java:84)
> at java.lang.invoke.MethodHandles$Lookup.getDirectMethodCommon(MethodHandles.java:1655)
> at java.lang.invoke.MethodHandles$Lookup.getDirectMethodNoSecurityManager(MethodHandles.java:1612)
> at java.lang.invoke.MethodHandles$Lookup.getDirectMethodForConstant(MethodHandles.java:1797)
> at java.lang.invoke.MethodHandles$Lookup.linkMethodHandleConstant(MethodHandles.java:1746)
> at java.lang.invoke.MethodHandleNatives.linkMethodHandleConstant(MethodHandleNatives.java:477)
> at A3.(A3.java:6)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
> at java.lang.Class.newInstance(Class.java:444)
> at sun.misc.Launcher.(Launcher.java:96)
> at sun.misc.Launcher.(Launcher.java:57)
> at java.lang.ClassLoader.initSystemClassLoader(ClassLoader.java:1440)
> at java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1425)
> Caused by: java.lang.NullPointerException
> at sun.invoke.util.BytecodeDescriptor.parseSig(BytecodeDescriptor.java:83)
> at sun.invoke.util.BytecodeDescriptor.parseMethod(BytecodeDescriptor.java:54)
> at sun.invoke.util.BytecodeDescriptor.parseMethod(BytecodeDescriptor.java:41)
> at java.lang.invoke.MethodType.fromMethodDescriptorString(MethodType.java:1065)
> at java.lang.invoke.BoundMethodHandle$Factory.makeCbmhCtor(BoundMethodHandle.java:817)
> at java.lang.invoke.BoundMethodHandle$Factory.makeCtors(BoundMethodHandle.java:772)
> at java.lang.invoke.BoundMethodHandle$SpeciesData.initForBootstrap(BoundMethodHandle.java:358)
> at java.lang.invoke.BoundMethodHandle$SpeciesData.(BoundMethodHandle.java:447)
> at java.lang.invoke.BoundMethodHandle.(BoundMethodHandle.java:829)
> at java.lang.invoke.LambdaForm.createIdentityForms(LambdaForm.java:1753)
> at java.lang.invoke.LambdaForm.(LambdaForm.java:1808)
> at java.lang.invoke.DirectMethodHandle.makePreparedLambdaForm(DirectMethodHandle.java:223)
> at java.lang.invoke.DirectMethodHandle.preparedLambdaForm(DirectMethodHandle.java:188)
> at java.lang.invoke.DirectMethodHandle.preparedLambdaForm(DirectMethodHandle.java:177)
> at java.lang.invoke.DirectMethodHandle.make(DirectMethodHandle.java:84)
> at java.lang.invoke.MethodHandles$Lookup.getDirectMethodCommon(MethodHandles.java:1655)
> at java.lang.invoke.MethodHandles$Lookup.getDirectMethodNoSecurityManager(MethodHandles.java:1612)
> at java.lang.invoke.MethodHandles$Lookup.getDirectMethodForConstant(MethodHandles.java:1797)
> at java.lang.invoke.MethodHandles$Lookup.linkMethodHandleConstant(MethodHandles.java:1746)
> at java.lang.invoke.MethodHandleNatives.linkMethodHandleConstant(MethodHandleNatives.java:477)
> at A3.(A3.java:6)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
> at java.lang.Class.newInstance(Class.java:444)
>
> Any reason why?
>
> Thanks
> Max
>
>
I'm including mlvm-dev list because I think this is caused by unusual
initialization sequence triggered by initialization of java.lang.invoke
infrastructure because lambdas use invokedynamic and method handles. The
part of stack trace that is interesting is this:
Caused by: java.lang.NullPointerException
at sun.invoke.util.BytecodeDescriptor.parseSig(BytecodeDescriptor.java:83)
at sun.invoke.util.BytecodeDescriptor.parseMethod(BytecodeDescriptor.java:54)
at sun.invoke.util.BytecodeDescriptor.parseMethod(BytecodeDescriptor.java:41)
at java.lang.invoke.MethodType.fromMethodDescriptorString(MethodType.java:1065)
at java.lang.invoke.BoundMethodHandle$Factory.makeCbmhCtor(BoundMethodHandle.java:817)
makeCbmhCtor calls MethodType.fromMethodDescriptorString(..., null) with
null ClassLoader, which propagates to the following
BytecodeDescriptor.parseMethod method:
static List> parseMethod(String bytecodeSignature,
int start, int end, ClassLoader loader) {
if (loader == null)
loader = ClassLoader.getSystemClassLoader();
String str = bytecodeSignature;
int[] i = {start};
ArrayList> ptypes = new ArrayList>();
if (i[0] < end && str.charAt(i[0]) == '(') {
++i[0]; // skip '('
while (i[0] < end && str.charAt(i[0]) != ')') {
Class> pt = parseSig(str, i, end, loader);
if (pt == null || pt == void.class)
parseError(str, "bad argument type");
ptypes.add(pt);
}
++i[0]; // skip ')'
} else {
parseError(str, "not a method type");
}
Class> rtype = parseSig(str, i, end, loader);
if (rtype == null || i[0] != end)
parseError(str, "bad return type");
ptypes.add(rtype);
return ptypes;
}
this method checks for null 'loader' and replaces it with the result of
ClassLoader.getSystemClassLoader(). But invoking this method is actually
re-entering it, as this whole stack trace is started from within the
call to that method:
....
....
at sun.misc.Launcher.(Launcher.java:96)
at sun.misc.Launcher.(Launcher.java:57)
at java.lang.ClassLoader.initSystemClassLoader(ClassLoader.java:1440)
at java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1425)
...this re-entering of ClassLoader.getSystemClassLoader() also re-enters
Launcher.getLauncher():
private static synchronized void initSystemClassLoader() {
if (!sclSet) {
if (scl != null)
throw new IllegalStateException("recursive invocation");
sun.misc.Launcher l = sun.misc.Launcher.getLauncher();
if (l != null) {
Throwable oops = null;
scl = l.getClassLoader();
try {
scl = AccessController.doPrivileged(
new SystemClassLoaderAction(scl));
} catch (PrivilegedActionException pae) {
oops = pae.getCause();
if (oops instanceof InvocationTargetException) {
oops = oops.getCause();
}
}
if (oops != null) {
if (oops instanceof Error) {
throw (Error) oops;
} else {
// wrap the exception
throw new Error(oops);
}
}
}
sclSet = true;
}
}
...which returns null and the whole initialization of 'scl' is skipped,
therefore ClassLoader.getSystemClassLoader() returns null, which is
later passed to BytecodeDescriptor.parseSig(...., null) which throws NPE
when dereferencing it.
This re-entering of ClassLoader.getSystemClassLoader() is caused by
Launcher which instantiates a custom SecurityManager, which uses lambdas
which triggers java.lang.invoke infrastructure initialization which uses
ClassLoader.getSystemClassLoader().
I think that java.lang.invoke infrastructure initialization should not
need to have access to system class loader. All types it deals with are
loadable by bootstrap class loader. I too have already encountered a
problem because of that and my suggestion was to create an internal
method similar to MethodType.fromMethodDescriptorString() that would
treat null ClassLoader as bootstrap class loader and use this method for
internal initialization instead of the public one:
http://cr.openjdk.java.net/~plevart/jdk9-dev/MethodType.fromDescriptor/webrev.01/
With this patch, your A3 security manager using lambdas works normally.
Regards, Peter
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From brian.goetz at oracle.com Mon Mar 30 20:12:43 2015
From: brian.goetz at oracle.com (Brian Goetz)
Date: Mon, 30 Mar 2015 16:12:43 -0400
Subject: Lambda in security manager initialization fail
In-Reply-To: <9AC801D9-750C-4168-B1A6-76C16886E3A1@oracle.com>
References: <9AC801D9-750C-4168-B1A6-76C16886E3A1@oracle.com>
Message-ID: <5519AE3B.9050300@oracle.com>
The NPE is at BytecodeDescriptor.parseSig#83, which says:
return loader.loadClass(name);
so the null ref seems likely to be loader. The loader is initially
passed in from BoundMethodHandle#817, which provides a null loader,
indicating that it wants the system loader. At the start of
parseMethod, we see:
if (loader == null)
loader = ClassLoader.getSystemClassLoader();
so the loader variable that is being deref'ed is the result of
ClassLoader.getSystemClassLoader, which must be null in order to NPE
here. ClassLoader.getSystemClassLoader checks for a security manager,
but since you're still initializing the security manager, this is likely
to be null. So you're going to get the value of `scl` after
`initSystemClassLoader` has completed.
Overall this smells of a bootstrapping issue; you're calling into the MH
machinery possibly before the classloading machinery (and definitely
before the security manager) is fully initialized, and you're getting
back a null from ClassLoader.getSystemClassLoader.
HTH,
-Brian
On 3/30/2015 11:24 AM, Wang Weijun wrote:
> I have a customized security manager:
>
> import java.security.AccessController;
> import java.security.PrivilegedAction;
>
> public class A3 extends SecurityManager {
> public A3() {
> // 1. Using lambda
> AccessController.doPrivileged((PrivilegedAction)
> () -> null);
> // 2. Using inner class
> AccessController.doPrivileged(new PrivilegedAction() {
> @Override
> public Void run() {
> return null;
> }
> });
> }
> }
>
> If I use the inner class, everything is OK. If the lambda, I see this error:
>
> $ java -Djava.security.manager=A3
> Error occurred during initialization of VM
> java.lang.ExceptionInInitializerError
> at java.lang.invoke.BoundMethodHandle.(BoundMethodHandle.java:829)
> at java.lang.invoke.LambdaForm.createIdentityForms(LambdaForm.java:1753)
> at java.lang.invoke.LambdaForm.(LambdaForm.java:1808)
> at java.lang.invoke.DirectMethodHandle.makePreparedLambdaForm(DirectMethodHandle.java:223)
> at java.lang.invoke.DirectMethodHandle.preparedLambdaForm(DirectMethodHandle.java:188)
> at java.lang.invoke.DirectMethodHandle.preparedLambdaForm(DirectMethodHandle.java:177)
> at java.lang.invoke.DirectMethodHandle.make(DirectMethodHandle.java:84)
> at java.lang.invoke.MethodHandles$Lookup.getDirectMethodCommon(MethodHandles.java:1655)
> at java.lang.invoke.MethodHandles$Lookup.getDirectMethodNoSecurityManager(MethodHandles.java:1612)
> at java.lang.invoke.MethodHandles$Lookup.getDirectMethodForConstant(MethodHandles.java:1797)
> at java.lang.invoke.MethodHandles$Lookup.linkMethodHandleConstant(MethodHandles.java:1746)
> at java.lang.invoke.MethodHandleNatives.linkMethodHandleConstant(MethodHandleNatives.java:477)
> at A3.(A3.java:6)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
> at java.lang.Class.newInstance(Class.java:444)
> at sun.misc.Launcher.(Launcher.java:96)
> at sun.misc.Launcher.(Launcher.java:57)
> at java.lang.ClassLoader.initSystemClassLoader(ClassLoader.java:1440)
> at java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1425)
> Caused by: java.lang.NullPointerException
> at sun.invoke.util.BytecodeDescriptor.parseSig(BytecodeDescriptor.java:83)
> at sun.invoke.util.BytecodeDescriptor.parseMethod(BytecodeDescriptor.java:54)
> at sun.invoke.util.BytecodeDescriptor.parseMethod(BytecodeDescriptor.java:41)
> at java.lang.invoke.MethodType.fromMethodDescriptorString(MethodType.java:1065)
> at java.lang.invoke.BoundMethodHandle$Factory.makeCbmhCtor(BoundMethodHandle.java:817)
> at java.lang.invoke.BoundMethodHandle$Factory.makeCtors(BoundMethodHandle.java:772)
> at java.lang.invoke.BoundMethodHandle$SpeciesData.initForBootstrap(BoundMethodHandle.java:358)
> at java.lang.invoke.BoundMethodHandle$SpeciesData.(BoundMethodHandle.java:447)
> at java.lang.invoke.BoundMethodHandle.(BoundMethodHandle.java:829)
> at java.lang.invoke.LambdaForm.createIdentityForms(LambdaForm.java:1753)
> at java.lang.invoke.LambdaForm.(LambdaForm.java:1808)
> at java.lang.invoke.DirectMethodHandle.makePreparedLambdaForm(DirectMethodHandle.java:223)
> at java.lang.invoke.DirectMethodHandle.preparedLambdaForm(DirectMethodHandle.java:188)
> at java.lang.invoke.DirectMethodHandle.preparedLambdaForm(DirectMethodHandle.java:177)
> at java.lang.invoke.DirectMethodHandle.make(DirectMethodHandle.java:84)
> at java.lang.invoke.MethodHandles$Lookup.getDirectMethodCommon(MethodHandles.java:1655)
> at java.lang.invoke.MethodHandles$Lookup.getDirectMethodNoSecurityManager(MethodHandles.java:1612)
> at java.lang.invoke.MethodHandles$Lookup.getDirectMethodForConstant(MethodHandles.java:1797)
> at java.lang.invoke.MethodHandles$Lookup.linkMethodHandleConstant(MethodHandles.java:1746)
> at java.lang.invoke.MethodHandleNatives.linkMethodHandleConstant(MethodHandleNatives.java:477)
> at A3.(A3.java:6)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
> at java.lang.Class.newInstance(Class.java:444)
>
> Any reason why?
>
> Thanks
> Max
>
>
From Alan.Bateman at oracle.com Mon Mar 30 20:29:54 2015
From: Alan.Bateman at oracle.com (Alan Bateman)
Date: Mon, 30 Mar 2015 21:29:54 +0100
Subject: Lambda in security manager initialization fail
In-Reply-To: <5519ABA6.2030409@gmail.com>
References: <9AC801D9-750C-4168-B1A6-76C16886E3A1@oracle.com>
<5519ABA6.2030409@gmail.com>
Message-ID: <5519B242.1070403@oracle.com>
On 30/03/2015 21:01, Peter Levart wrote:
> :
>
> I think that java.lang.invoke infrastructure initialization should not
> need to have access to system class loader. All types it deals with
> are loadable by bootstrap class loader. I too have already encountered
> a problem because of that and my suggestion was to create an internal
> method similar to MethodType.fromMethodDescriptorString() that would
> treat null ClassLoader as bootstrap class loader and use this method
> for internal initialization instead of the public one:
>
> http://cr.openjdk.java.net/~plevart/jdk9-dev/MethodType.fromDescriptor/webrev.01/
>
>
> With this patch, your A3 security manager using lambdas works normally.
Another one that has come once or twice is using method references in
code that executes early in the startup. There are boxing cases that use
TypeConvertingMethodAdapter.boxingDescriptor and hence the formatter
code that tries to locate locale providers using the system class
loader. This can lead to recursive initialization issues that pop out as
BootstrapMethodError. So if we are making this area more robust then
this might need to be looked at too.
-Alan
From weijun.wang at oracle.com Tue Mar 31 03:40:23 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Tue, 31 Mar 2015 11:40:23 +0800
Subject: [9] RFR: 7145757: CertificateExtensions uses non-consistent key
names
In-Reply-To:
References: <5508D62A.9010507@oracle.com>
<550A0D08.1020901@oracle.com>
<523E4097-9101-438A-AE21-50754131B2C3@oracle.com>
<55148A44.1040700@oracle.com>
<5515C954.8010306@oracle.com>
Message-ID:
CRLExtensions.java
==================
116 Class> extClass = ExtensionsMap.getClass(ext.getExtensionId());
117 if (extClass == null) { // Unsupported extension
118 if (ext.isCritical())
119 unsupportedCritExt = true;
120 if (map.put(ext.getId(), ext) != null)
121 throw new CRLException("Duplicate extensions not allowed");
122 return;
123 }
124 Constructor> cons = extClass.getConstructor(PARAMS);
125 Object[] passed = new Object[] {Boolean.valueOf(ext.isCritical()),
126 ext.getExtensionValue()};
127 CertAttrSet> crlExt = (CertAttrSet>)cons.newInstance(passed);
128 if (map.put(ext.getId(), (Extension)crlExt) != null) {
129 throw new CRLException("Duplicate extensions not allowed");
130 }
I see no reason to convert cons.newInstance(passed) first to one type then another. Also, the 2 throw statements can be combined to one.
195 public void set(String oid, Object obj) {
196 map.put(oid, (Extension) obj);
197 }
How about simply set(Object obj) or set(Extension ext)? You can always find oid from ext.getId(). This prevents unnoticed codes still using the name as keys.
I'd like to add a comment to the map field, something like
For known extensions listed in ExtensionMap, the value must be of a child type of Extension (defined in ExtensionMap).
This is quite critical for the getExtension() methods in X509CRLImpl to work correctly.
CertificateExtensions.java
==========================
Same as above, but in the comment of map, there is an extra case
Known extensions which is unparseable and not critical will be stored in an unparseableExtensions map.
Since we don't use names as keys, CertificateExtensions is not a typical CertAttrSet now. Remove the implements clause.
OtherName.java
==============
ExtensionMap will not support OtherName anymore. getGNI() should always return null. File a new RFE on how to implement OtherName in post-jdk9 era.
certAttributes.html
===================
229 Extensions can be added by implementing the
230 sun.security.x509.CertAttrSet
interface and
231 subclassing sun.security.x509.Extension
class.
232 Register the new extension using the ExtensionsMap class.
After jdk9, these interface/class will not be available outside jdk. File an enhancement on how to do this later.
ExtensionsMap.java
==================
195 public static void addAttribute(String name, String oid, Class> clazz)
196 throws CertificateException {
After jdk9, this method will not be available outside jdk. Mention this in the enhancement filed above.
Thanks
Max
> On Mar 28, 2015, at 22:45, Wang Weijun wrote:
>
>>
>> On Mar 28, 2015, at 05:19, Jason Uh wrote:
>>
>>
>>
>> On 03/27/2015 03:53 AM, Wang Weijun wrote:
>>>
>>>> On Mar 27, 2015, at 06:37, Jason Uh wrote:
>>>>
>>>> Please review this revision:
>>>> http://cr.openjdk.java.net/~juh/7145757/01/
>>>>
>>>> * a global nameCache is maintained in OIDMap as suggested
>>>
>>> Can you just use the existing OIDMap.getId() method? It looks like your getCachedOid(name) is the same as getId("x509.info.extensions." + name).
>>>
>>> In fact, since the OIDMap only contains mapping of extensions, I'd suggest renaming it to ExtensionMap and change the name inside to short names (without the "x509.info.extensions." prefix).
>>
>> OK, thanks for that suggestion. I thought there was some significance to using the "full" name in OIDMap,
>
> I think it was designed to be more powerful (see how OtherName uses it) but unfortunately it hasn't been so. Now that with jdk9/module it is no more accessible from outside the JDK, we can simplify it.
>
>> but if that's not necessary, it makes things more flexible. Here is the latest revision that uses only the existing OIDMap (now called ExtensionsMap).
>>
>> http://cr.openjdk.java.net/~juh/7145757/02/
>
> Will read it.
>
> Thanks
> Max
>
>>
>> Thanks,
>> Jason
>>
>>> --Max
From weijun.wang at oracle.com Tue Mar 31 03:57:31 2015
From: weijun.wang at oracle.com (Wang Weijun)
Date: Tue, 31 Mar 2015 11:57:31 +0800
Subject: CertificateExtensions
References:
Message-ID: <8592CB88-7F28-48BF-AC5B-E0C0C573E955@oracle.com>
Hi Sean
Are you OK with this?
> CertificateExtensions.java
> ==========================
>
> Since we don't use names as keys, CertificateExtensions is not a typical CertAttrSet now. Remove the implements clause.
Almost every class in the x509 package is built around the CertAttrSet and they together weave an elegant net. It will be nice if CertificateExtensions can only use the hierarchical names as keys, but unfortunately, it has to use OID sometimes.
My suggestion above breaks it from the CertAttrSet net. I won't dare to do this before jdk9 because people outside might use these classes, but now it's probably safe to do so.
Said that, CertificateExtensions is now an alien. Although its sibling CRLExtensions has always been one.
Thanks
Max
From Jenny.Lighthart at Polycom.com Tue Mar 31 17:09:15 2015
From: Jenny.Lighthart at Polycom.com (Lighthart, Jenny)
Date: Tue, 31 Mar 2015 10:09:15 -0700
Subject: Does TLS 1.2 with SunPKCS11-NSS provider work in FIPS mode
Message-ID: <5F5B900BF6A44E40939EEE937F9CA1251A7CD47773@CRPMBOXPRD09.polycom.com>
Hello Java Security Devs,
The following exception occurs while processing serverHelloDone during an attempt at TLS1.2 with NSS in FIPS mode (via modutil) .
java.security.NoSuchAlgorithmException: no such algorithm: SunTls12RsaPremasterSecret for provider SunPKCS11-NSS
Both the client and the server are running from a unit test using:
* JDK 1.8.0_31-b13
* nss-3.16.2.3-3
The same test runs fine in FIPS mode using TLS1.1 or TLS1.0. The same test also runs with TLS1.2 when the keystore is not in FIPS mode.
I am thinking that it is not supported. SunPKCS11-NSS provider needs to be updated with the SunTLS12* algorithms before this will work. The JSSE's ClientKeyExchange expects to be able to obtain a KeyGenerator specific to TLS1.2. When in FIPS mode, the crypto provider is SunPKCS11-NSS and it does not have the requested algorithm.
Can anyone confirm or deny this? Any ideas as to when it will be supported?
I've been all over the map trying to figure this one out. I am pretty sure at this point that it is not a problem with the NSS library. I can provide full stack trace and debug output as needed, but am hoping someone can answer first whether this configuration should be expected to work.
Thanks for your help,
Jenny
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
From xuelei.fan at oracle.com Tue Mar 31 23:35:08 2015
From: xuelei.fan at oracle.com (Xuelei Fan)
Date: Wed, 01 Apr 2015 07:35:08 +0800
Subject: Does TLS 1.2 with SunPKCS11-NSS provider work in FIPS mode
In-Reply-To: <5F5B900BF6A44E40939EEE937F9CA1251A7CD47773@CRPMBOXPRD09.polycom.com>
References: <5F5B900BF6A44E40939EEE937F9CA1251A7CD47773@CRPMBOXPRD09.polycom.com>
Message-ID: <551B2F2C.9070803@oracle.com>
Hi Jenny,
As there is no PKCS#11 spec to support the mechanism, it is a known
issue to us:
https://bugs.openjdk.java.net/browse/JDK-8029661
Need to look into the new development of PKCS11 standards.
Regards,
Xuelei
On 4/1/2015 1:09 AM, Lighthart, Jenny wrote:
> Hello Java Security Devs,
>
>
>
> The following exception occurs while processing serverHelloDone during
> an attempt at TLS1.2 with NSS in FIPS mode (via modutil) .
>
>
>
> java.security.NoSuchAlgorithmException: no such algorithm:
> SunTls12RsaPremasterSecret for provider SunPKCS11-NSS
>
>
>
> Both the client and the server are running from a unit test using:
>
> ? JDK 1.8.0_31-b13
>
> ? nss-3.16.2.3-3
>
>
>
> The same test runs fine in FIPS mode using TLS1.1 or TLS1.0. The same
> test also runs with TLS1.2 when the keystore is not in FIPS mode.
>
>
>
> I am thinking that it is not supported. SunPKCS11-NSS provider needs to
> be updated with the SunTLS12* algorithms before this will work. The
> JSSE's ClientKeyExchange expects to be able to obtain a KeyGenerator
> specific to TLS1.2. When in FIPS mode, the crypto provider is
> SunPKCS11-NSS and it does not have the requested algorithm.
>
>
>
> Can anyone confirm or deny this? Any ideas as to when it will be supported?
>
>
>
> I've been all over the map trying to figure this one out. I am pretty
> sure at this point that it is not a problem with the NSS library. I can
> provide full stack trace and debug output as needed, but am hoping
> someone can answer first whether this configuration should be expected
> to work.
>
>
>
> Thanks for your help,
>
> Jenny
>