[11u]: RFR: Backport of 8215694: keytool cannot generate RSASSA-PSS certificates

Hohensee, Paul hohensee at amazon.com
Fri Jun 28 20:07:02 UTC 2019

In CertAndKeyGen.java, does generate() need a throws declaration? Otherwise looks good.

We've been talking about backporting patches with CSRs and have done at least one. IMO, 8076190 and 8213400 are good backport candidates since the spec changes are minor.



On 6/28/19, 12:33 AM, "jdk-updates-dev on behalf of Langer, Christoph" <jdk-updates-dev-bounces at openjdk.java.net on behalf of christoph.langer at sap.com> wrote:

    Hi again,
    I had to make some additions to get the test sun/security/tools/keytool/PSS.java to work.
    Firstly, I had to include the testlibrary utility class 'test/lib/jdk/test/lib/security/DerUtils.java' from the change for JDK-8076190. Then I had to add some code to src/java.base/share/classes/sun/security/tools/keytool/CertAndKeyGen.java from JDK-8213400 to tolerate a keyBits value of -1. This is exercised in the PSS test when keytool is called with "-genkeypair -keyalg RSASSA-PSS -sigalg RSASSA-PSS" without specifying the -keysize parameter.
    Backporting JDK-8076190 or JDK-8213400 over to JDK11 is not possible due to their nature (CSR attached, behavioral change).
    The webrevs were updated in-place:
    > -----Original Message-----
    > From: jdk-updates-dev <jdk-updates-dev-bounces at openjdk.java.net> On
    > Behalf Of Langer, Christoph
    > Sent: Wednesday, 26 June 2019 17:30
    > To: jdk-updates-dev at openjdk.java.net
    > Cc: security-dev <security-dev at openjdk.java.net>
    > Subject: [CAUTION] [11u]: RFR: Backport of 8215694: keytool cannot
    > generate RSASSA-PSS certificates
    > Hi,
    > please help review the backport of JDK-8215694: keytool cannot generate
    > RSASSA-PSS certificates. The patch doesn't apply cleanly but the rejects are
    > only minor. The item is needed as a prerequisite to apply JDK-8216039.
    > Bug: https://bugs.openjdk.java.net/browse/JDK-8215694
    > Original Change: http://hg.openjdk.java.net/jdk/jdk12/rev/bdb29aa5fd31
    > Rejects when applying original change:
    > http://cr.openjdk.java.net/~clanger/webrevs/8215694.rejects.patch
    > Full Webrev:
    > http://cr.openjdk.java.net/~clanger/webrevs/8215694.11u.full.0/
    > Incremental Webrev of added modifications:
    > http://cr.openjdk.java.net/~clanger/webrevs/8215694.11u.manual.0/
    > Thanks
    > Christoph
