[11u] RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms
Hohensee, Paul
hohensee at amazon.com
Tue May 11 22:00:24 UTC 2021
There’s an extra blank line inserted at the end of java.security. Otherwise lgtm.
I’m fine with using KnownOIDs.java from tip. One might object that now it’s in a different location and must be kept sync’ed with tip, but I don’t agree because the backported version must be updated only when a test that needs the update is backported, and if that’s needed it’ll be obvious what to do.
Thanks,
Paul
From: security-dev <security-dev-retn at openjdk.java.net> on behalf of "Doerr, Martin" <martin.doerr at sap.com>
Date: Friday, April 30, 2021 at 9:35 AM
To: "jdk-updates-dev at openjdk.java.net" <jdk-updates-dev at openjdk.java.net>, security-dev <security-dev at openjdk.java.net>
Cc: "Langer, Christoph" <christoph.langer at sap.com>
Subject: [11u] RFR: 8153005: Upgrade the default PKCS12 encryption/MAC algorithms
Hi,
JDK-8153005 is backported to 11.0.12-oracle. I'd like to backport it for parity.
It doesn't apply cleanly.
Bug:
https://bugs.openjdk.java.net/browse/JDK-8153005
CSR covering 11u:
https://bugs.openjdk.java.net/browse/JDK-8228481
Original change:
https://github.com/openjdk/jdk/commit/f77a6585
11u rejected hunks:
http://cr.openjdk.java.net/~mdoerr/8153005_PKCS12_11u/8153005_PKCS12_rej.txt
Resolution:
- Regular code is trivial to resolve, but the tests are tricky and the hunks were mostly integrated manually.
- Introduce test/lib/jdk/test/lib/KnownOIDs.java as copy from jdk head src/java.base/share/classes/sun/security/util/KnownOIDs.java with last change from Oct 2020. Put into package jdk.test.lib and using System.out as debug output stream. This should make future backports easier, too.
- DerUtils.java: ObjectIdentifier interface is diffent in 11u (different constructors).
- Hunks in GenerateAll.java were skipped because the affected code is not in 11u (JDK-8242068).
11u backport:
http://cr.openjdk.java.net/~mdoerr/8153005_PKCS12_11u/webrev.00/
Please review.
Best regards,
Martin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20210511/90b09537/attachment.htm>
More information about the security-dev
mailing list