[8u] RFR: 8206925: Support the certificate_authorities extension

Andrew Hughes gnu.andrew at redhat.com
Wed May 19 16:58:49 UTC 2021


On 12:23 Tue 20 Apr, Severin Gehwolf wrote:
> Hi,
> 
> Please review this OpenJDK 8u backport of the certificate_authorities
> extension. The OpenJDK 11u patch didn't apply cleanly after path
> unshuffling, but was fairly trivial to resolve. Conflicts caused by:
> 
> 1. X509Authentication.java copyright line conflict only. Resolved
>    manually.
> 2. SSLContextTemplate.java private interface methods not allowed in
>    JDK 8. It's a JDK 9+ feature via JEP 213. Changed modifier to
>    default. Note: this is code used in tests only.
> 3. TooManyCAs.java. Added -Djdk.tls.client.protocols=TLSv1.3 to the
>    test invocations since JDK 8u doesn't enable TLSv1.3 on the
>    client side by default. See JDK-8248721, CSR of the TLSv1.3 8u
>    backport.
> 
> Other than that, the patch is identical to the OpenJDK 11.0.12 version
> of this patch.
> 
> This introduces a new system property,
> jdk.tls.client.enableCAExtension, for compatibility reasons. CSR has
> been reused from the Oracle JDK backport. See below.
> 
> Bug: https://bugs.openjdk.java.net/browse/JDK-8206925
> CSR: https://bugs.openjdk.java.net/browse/JDK-8248709
> webrev: https://cr.openjdk.java.net/~sgehwolf/webrevs/JDK-8206925/jdk8/02/webrev/
> 
> Testing: sun/security/ssl tests and tier1. No new regressions.
>          New tests pass.
> 
> Thoughts?
> 
> Thanks,
> Severin
> 

There are some odd whitespace differences showing up in the diff between
the 8u & 11u versions of SSLContextTemplate.java, but seems ok.  Approved.

Please note that, where a manual backport bug is created, the fix
request should go on the backport bug, so we don't have things split
between two different bugs.

Thanks,
-- 
Andrew :)

Senior Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222