[11u]: RFR: Backport of 8215694: keytool cannot generate RSASSA-PSS certificates

[Langer, Christoph]

Hi again,

I had to make some additions to get the test sun/security/tools/keytool/PSS.java to work.

Firstly, I had to include the testlibrary utility class 'test/lib/jdk/test/lib/security/DerUtils.java' from the change for JDK-8076190. Then I had to add some code to src/java.base/share/classes/sun/security/tools/keytool/CertAndKeyGen.java from JDK-8213400 to tolerate a keyBits value of -1. This is exercised in the PSS test when keytool is called with "-genkeypair -keyalg RSASSA-PSS -sigalg RSASSA-PSS" without specifying the -keysize parameter.

Backporting JDK-8076190 or JDK-8213400 over to JDK11 is not possible due to their nature (CSR attached, behavioral change).

The webrevs were updated in-place:

http://cr.openjdk.java.net/~clanger/webrevs/8215694.11u.full.0/
http://cr.openjdk.java.net/~clanger/webrevs/8215694.11u.manual.0/


/Christoph

> -----Original Message-----
> From: jdk-updates-dev <jdk-updates-dev-bounces at openjdk.java.net> On
> Behalf Of Langer, Christoph
> Sent: Mittwoch, 26. Juni 2019 17:30
> To: jdk-updates-dev at openjdk.java.net
> Cc: security-dev <security-dev at openjdk.java.net>
> Subject: [CAUTION] [11u]: RFR: Backport of 8215694: keytool cannot
> generate RSASSA-PSS certificates
> 
> Hi,
> 
> please help reviewing the backport of JDK- 8215694: keytool cannot generate
> RSASSA-PSS certificates. The patch doesn't apply cleanly but the rejects are
> only minor. The Item is needed as prerequisite to apply JDK-8216039.
> 
> Bug: https://bugs.openjdk.java.net/browse/JDK-8215694
> Original Change: http://hg.openjdk.java.net/jdk/jdk12/rev/bdb29aa5fd31
> Rejects when applying original change:
> http://cr.openjdk.java.net/~clanger/webrevs/8215694.rejects.patch
> Full Webrev:
> http://cr.openjdk.java.net/~clanger/webrevs/8215694.11u.full.0/
> Incremental Webrev of added modifications:
> http://cr.openjdk.java.net/~clanger/webrevs/8215694.11u.manual.0/
> 
> Thanks
> Christoph